Hi Oliver,
I am not responsible for BookingService (.NET). The other guys implemented it
using WIF. You know that Microsoft created WIF and tested it with ADFS, so if it
doesn't work, I would be surprised.
>Which Servlet container do you use?
I am using Tomcat7.
>In your current setup, how does the samlp:Response look like?
I sent you the decoded SAML response token in a separate email. I am retrieving
the base64-encoded SAML response token using the following code.
String encodedSamlResponseTokenStr = request.getParameter("SAMLResponse");
I don't mind giving up the existing implementation as long as I find a better
solution. I was hoping that the Fediz project uses only Apache CXF instead of
introducing another framework, OpenSAML.
I loaded
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/ into
Eclipse today.
Basically I need the following three URLs for ADFS (STS). The first two are for
the active profile and the third one is for the passive profile (SP-initiated
Redirect -> POST bindings). If I only consider the passive profile at this moment,
what changes are needed to the Fediz project to point to ADFS (STS) instead of
the Apache CXF STS? Where did you define your stsActionURL? I'd like to start
with the passive profile since it is easier to start with. I can use your sample
application. It doesn't matter if I use Airline or not since it is just a
prototype.
private static final String stsEndpoint = "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
private static final String stsMEXAddress = "https://strts01.ams.dev/adfs/services/trust/mex";
private static final String stsActionURL = "https://strts01.ams.dev/adfs/ls/";
Thanks again for your guidance.
Gina
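The SAMLResponse handling Gina describes (reading the form parameter, base64-decoding it) is the point where a relying party first touches attacker-controllable XML, so as an added example (not code from this thread, from Fediz or from CXF) here is a small Java class that decodes the parameter, parses it with DTDs and external entities disabled, and then applies the checks a relying party needs before trusting the token: issuer, validity window and audience. It assumes Java 8 or later (java.util.Base64, java.time), and the embedded samlp:Response, its issuer string and the audience https://airline.example/ are constructed sample data. Signature verification, which is the part the Fediz plugin does with opensaml, is deliberately not implemented here; these checks come after it, not instead of it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlResponseCheck {

    private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample: what the browser would POST in the SAMLResponse field
    // (a real ADFS response also carries a ds:Signature, omitted here).
    static final String SAMPLE_RESPONSE =
        "<samlp:Response xmlns:samlp=\"" + SAMLP_NS + "\" xmlns:saml=\"" + SAML_NS + "\""
        + " ID=\"_r1\" Version=\"2.0\" IssueInstant=\"2012-05-07T15:00:00Z\">"
        + "<saml:Issuer>http://strts01.ams.dev/adfs/services/trust</saml:Issuer>"
        + "<saml:Assertion ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2012-05-07T15:00:00Z\">"
        + "<saml:Issuer>http://strts01.ams.dev/adfs/services/trust</saml:Issuer>"
        + "<saml:Conditions NotBefore=\"2012-05-07T15:00:00Z\" NotOnOrAfter=\"2012-05-07T16:00:00Z\">"
        + "<saml:AudienceRestriction><saml:Audience>https://airline.example/</saml:Audience>"
        + "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>";

    /** Decode the form value and parse it with XXE/DTD processing switched off. */
    static Document parseSamlResponse(String base64Param) throws Exception {
        byte[] xml = Base64.getDecoder().decode(base64Param.trim());
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Returns a rejection reason, or null when the response passes these checks. */
    static String check(Document doc, String expectedIssuer, String expectedAudience, Instant now) {
        Element root = doc.getDocumentElement();
        if (!SAMLP_NS.equals(root.getNamespaceURI()) || !"Response".equals(root.getLocalName())) {
            return "root element is not samlp:Response";
        }
        NodeList assertions = root.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) {
            return "expected exactly one saml:Assertion, found " + assertions.getLength();
        }
        Element assertion = (Element) assertions.item(0);
        String issuer = firstText(assertion, "Issuer");
        if (!expectedIssuer.equals(issuer)) {
            return "unexpected issuer: " + issuer;
        }
        NodeList conds = assertion.getElementsByTagNameNS(SAML_NS, "Conditions");
        if (conds.getLength() != 1) {
            return "missing saml:Conditions";
        }
        Element c = (Element) conds.item(0);
        Instant notBefore = Instant.parse(c.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(c.getAttribute("NotOnOrAfter"));
        // Valid window is [NotBefore, NotOnOrAfter): the upper bound itself is excluded.
        if (now.isBefore(notBefore) || !now.isBefore(notOnOrAfter)) {
            return "assertion not valid at " + now;
        }
        String audience = firstText(c, "Audience");
        if (!expectedAudience.equals(audience)) {
            return "audience " + audience + " is not this relying party";
        }
        return null;
    }

    private static String firstText(Element scope, String localName) {
        NodeList nl = scope.getElementsByTagNameNS(SAML_NS, localName);
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // In the servlet this value comes from request.getParameter("SAMLResponse").
        String param = Base64.getEncoder()
            .encodeToString(SAMPLE_RESPONSE.getBytes(StandardCharsets.UTF_8));
        Document doc = parseSamlResponse(param);
        String issuer = "http://strts01.ams.dev/adfs/services/trust";   // constructed
        String audience = "https://airline.example/";                     // constructed
        String problem = check(doc, issuer, audience, Instant.parse("2012-05-07T15:30:00Z"));
        System.out.println(problem == null ? "accepted" : "rejected: " + problem);
        // The same response checked once its validity window has passed.
        problem = check(doc, issuer, audience, Instant.parse("2012-05-07T16:00:00Z"));
        System.out.println(problem == null ? "accepted" : "rejected: " + problem);
    }
}
```

The audience check is what ties the token to this relying party: a token ADFS issued for BookingService must not be accepted by Airline even though both trust the same ADFS, which is exactly the separation the two relying-party registrations in ADFS are meant to give you.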
On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <[email protected]> wrote:
> Hi Gina
>
> The fediz project is used to protect your web application where the client
> is a browser. Right now, Fediz supports WS-Federation Passive Requestor
> Profile which is supported by ADFS and usually used in the .NET world as
> the default mechanism. You don't have to implement that in your application
> - that's done by the Fediz plugin. Fediz uses opensaml for SAML processing.
>
> The original URL is stored in the wreply parameter. .NET uses a
> combination of the wtrealm and wctx parameter.
>
> Your Airline application can use CXF for the web services communication
> (for the REST communication also, if you like). The built-in support in CXF
> for the IssuedToken assertion (WS-SecurityPolicy) supports getting a token
> from ADFS using actas. In my example, just use actas instead of the onbehalfof
> property.
>
> >>>
>
> ADFS generates a SAML token and this SAML token is sent back to
> Airline (Airline does all validation work) and cached in the session. - This
> part is implemented.
>
> >>>
>
> The validation work is already done by Fediz. Session management is then
> done by the JEE container. Your application is called after the SAML token
> issued by ADFS is successfully validated. The container will create the
> session and check on every incoming request whether the token is still
> valid - otherwise, the browser is redirected again to ADFS. You could also
> configure some roles in ADFS to protect your web application as the fediz
> plugin tells the container the userid as well as its roles. You could even
> use claims if you like.
>
> Which Servlet container do you use?
>
> In your current setup, how does the samlp:Response look like?
>
> Thanks
>
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com
> ------------------------------
> From: Gina Choi [[email protected]]
> Sent: 07 May 2012 20:24
> To: [email protected]
> Cc: Oliver Wulff
> Subject: Re: CXF supporting scope
>
> Hi Oliver,
>
> I did notice that your sample application used both opensaml and openws
> libraries. Are they used by Apache CXF or just by the Fediz project?
>
> I need to clarify my environment further to give you a better picture.
>
> 1. All web services in my application are REST. The only reason that I use
> SOAP is to create a SOAP client to call a .NET SOAP web service which resides
> in another application. I am working with a .NET guy to prove some
> prototypes. His sample application is BookingService, for which I provided you
> the wsdl. I am working on Airline.
>
> BookingService: .NET4.0 SOAP
> Airline: Java with REST
>
> 2. Both BookingService and Airline use the same ADFS as STS. We have set up
> relying parties for BookingService and Airline in ADFS.
>
> 3. SSO: A user will be using both Airline and BookingService. So, she/he
> should be able to log on once for both applications. In Airline (my
> application), I used SP-initiated POST redirect bindings. So, when a user
> makes a request to Airline for the first time, the user will be redirected to
> ADFS and asked for credentials. After the user provides username/password, ADFS
> generates a SAML token and this SAML token is sent back to Airline (Airline does
> all validation work) and cached in the session. - This part is implemented.
>
> 4. Now a user calls BookingService which is claim aware. So, I need to
> inject the Assertion token obtained in the previous step inside an actas element
> to call the STS (ADFS 2.0) to get a new token. With that new token, I will be
> calling BookingService.
>
> So, I don't think that I am able to use the Apache CXF STS part since my STS
> will be ADFS. So, I am hoping that Apache CXF can work with ADFS (STS) to
> support my prototypes.
>
>
> Thanks.
>
> Gina
>
> On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <[email protected]> wrote:
>
>> Hi Gina
>>
>> >>>
>> So, what I need is after user log on using Web SSO, the SAML token should
>> be cached in web context and being used as actas token when making a call
>> to .NET web service.
>> >>>
>> This is supported by CXF without writing any single line of code. I do
>> have a sample web application here:
>>
>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
>>
>> This example illustrates:
>> - fediz is configured for web sso
>> - SAML token is cached in the session and used to request a new token
>> from the STS
>>
>> The code to call the web service is in FederationServlet.doPost():
>> ...
>> Greeter service =
>> (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
>> String reply = service.greetMe();
>> ...
>>
>> The magic is in the configuration I used here:
>>
>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
>>
>> The following property registers a callback handler to provide the
>> STSClient the token of the Web Login:
>> <property name="onBehalfOf" ref="delegationCallbackHandler" />
>>
>> (There is also a property for actAs)
>>
>> The above example should exactly do what you need. You just have to
>> change the above property to use ActAs instead of OnBehalfOf. The details
>> for this example are described here:
>>
>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>
>>
>> To test this easily, you can use the Mock IDP as part of Fediz for the
>> authentication. You could also attach Active Directory in the Mock if you
>> like. See here:
>>
>> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
>>
>> I use that within a customer setup to connect the CXF STS to Active
>> Directory.
>>
>> >>>
>> What is Spring role in CXF?
>> >>>
>> You can use Spring to configure your services. The above example is
>> based on Spring. As you see, all security related stuff is enabled by
>> configuration (Convention over Configuration). You can also write an
>> application without Spring, but I wouldn't write an application without
>> Spring nowadays; this is up to you.
>>
>> >>>
>> I don't know much LDAP, but it should be used as an attribute store. I
>> consider it as an alternative of Active Directory. Please correct me if I
>> am wrong.
>> >>>
>> Active Directory provides different interfaces. One of them is LDAP. You
>> can use the LDAPLoginModule of the JDK for authentication. But you don't
>> have to care that much as ADFS (and maybe the Fediz Mock for testing) will
>> access ActiveDirectory to read the claims to add them to the SAML token.
>>
>> Could you zip the wsdl before attaching?
>>
>> Thanks
>>
>>
>>
>> ________________________________
>> From: Gina Choi [[email protected]]
>> Sent: Friday, 4 May 2012 20:54
>> To: [email protected]
>> Subject: Re: CXF supporting scope
>>
>> Hi Oliver,
>>
>> Thanks for your response.
>>
>> >You mean that WIF is deployed in the ASP.NET web
>> service using the Active Requestor Profile?
>> >The SAML token should contain the claims as an AttributeStatement?
>> >Can you share with us the WS-SecurityPolicy of this Web Service?
>> I have attached two wsdl files, BookingService.wsdl and
>> BookingService_imported.wsdl. BookingService.wsdl imports
>> BookingService_imported.wsdl; if you open BookingService.wsdl, in line
>> 10 there is an import statement like below. This .NET4.0 service is not
>> owned by me and I don't know if separating the wsdl file is common practice. Is
>> there any way to combine them into one when generating artifacts using wsimport?
>> I will be calling the CheckIn operation.
>>
>> <wsdl:import location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0" namespace="http://tempuri.org/"/>
>>
>> >I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric
>> and Asymmetric binding.
>> >What roles does ADFS 2.0 play?
>> >Once as the IDP for the Web application SSO and once to let issue a
>> token onbehalfof/actas the original token from the Web SSO? (this is
>> supported by CXF-Fediz)
>> >
>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>> I am using Active Directory as an attribute store. So, I could say the ADFS
>> role should be IDP. So, what I need is: after the user logs on using Web SSO, the
>> SAML token should be cached in the web context and used as the actas token
>> when making a call to the .NET web service.
>>
>> > Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In
>> which application server is your web application deployed?
>> ADFS is the IDP and my Java web application is the Service Provider.
>>
>> >What do you mean exactly? Is LDAP used for authentication by the STS? Or
>> should the service provider retrieve the claims/roles from LDAP?
>> I don't know much about LDAP, but it should be used as an attribute store. I
>> consider it an alternative to Active Directory. Please correct me if I
>> am wrong. I have been reading many specifications, but I am still having a
>> hard time straightening out the correct terms.
>>
>> >No, Spring is not a requirement.
>> What is Spring role in CXF?
>>
>> Thanks.
>>
>> Gina
>> On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <[email protected]> wrote:
>> >>>
>> 1. I have to create a client for a .NET4.0 web service which is claim aware.
>> So, how is CXF interoperability with .NET?
>> >>>
>> You mean that WIF is deployed in the ASP.NET web
>> service using the Active Requestor Profile?
>> The SAML token should contain the claims as an AttributeStatement?
>> Can you share with us the WS-SecurityPolicy of this Web Service?
>>
>> >>>
>> 2. If CXF support ADFS2.0 as STS.
>> >>>
>> I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric
>> and Asymmetric binding.
>> What roles does ADFS 2.0 play?
>> Once as the IDP for the Web application SSO and once to let issue a token
>> onbehalfof/actas the original token from the Web SSO? (this is supported by
>> CXF-Fediz)
>>
>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>
>> >>>
>> 3. If CXF supports the passive profile, especially SP-initiated Redirect -> POST
>> binding.
>> >>>
>> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which
>> application server is your web application deployed?
>>
>> >>>
>> 4. If CXF can work with LDAP.
>> >>>
>> What do you mean exactly? Is LDAP used for authentication by the STS? Or
>> should the service provider retrieve the claims/roles from LDAP?
>>
>> >>>
>> 5. My application doesn't use the Spring framework. Do I have to use the Spring
>> framework to use CXF?
>> >>>
>> No, Spring is not a requirement.
>>
>>
>>
>>
>> ________________________________________
>> From: gchoi [[email protected]]
>> Sent: Wednesday, 2 May 2012 17:29
>> To: [email protected]
>> Subject: CXF supporting scope
>>
>> Hi All,
>>
>> So far, I have evaluated several frameworks, but they don't seem to do what I
>> expect. Several people suggested to me that I should consider CXF. Before I
>> dig into CXF, I would like to know if CXF supports the following things. By the
>> way, I just joined this user group.
>>
>>
>> 1. I have to create a client for a .NET4.0 web service which is claim aware.
>> So, how is CXF interoperability with .NET?
>>
>> 2. If CXF support ADFS2.0 as STS.
>>
>> 3. If CXF supports the passive profile, especially SP-initiated Redirect -> POST
>> binding.
>>
>> 4. If CXF can work with LDAP.
>>
>> 5. My application doesn't use the Spring framework. Do I have to use the Spring
>> framework to use CXF?
>>
>>
>>
>> Thanks in advance.
>>
>> --
>> View this message in context:
>> http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
>>
>