Hi Gina
I'll send you and checkin the fediz_config.xml as soon as I can - I'm on the way right now. This STS URL is fine, the Mock IDP uses the CXF STS. When the application works you will change in your application (fediz_config.xml) the issuerUrl of ADFS. Have you configured HTTPS for the IDP Tomcat instance and your application Tomcat instance? I recommend to use a separate instance of the IDP and your application. Do you use the port 9443? Thanks ------ Oliver Wulff Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/> Solution Architect http://coders.talend.com <http://coders.talend.com>Talend Application Integration Division http://www.talend.com ________________________________ From: Gina Choi [[email protected]] Sent: 08 May 2012 20:20 To: Oliver Wulff Cc: [email protected] Subject: Re: CXF supporting scope Hi Oliver >I'd recommend to successfully deploy the wsclientWebapp sample and the IDP. >When this works, rip&replace >one piece after the other. I'd recommend to >choose the following approach. >1) Replace the Fediz IDP by ADFS > + configure the ADFS issuerUrl (context.xml) > + ensure that ADFS supports WS-Federation Passive Requestor Profile > + configure the certificate used by ADFS to sign the SAML token > >(the most recent version of fediz uses a separate xml file for the >configuration) Somehow I couldn't deploy both fediz\trunk\services and fediz\trunk\examples\wsclientWebapp on Tomcat7.0.27, so I deployed them on Tomcat 7.0.21. I checked tomcat user name and Maven's settings file all, but couldn't find reason. It just said that can't involke Tomcat Manager. But since I was able to deploy it on tomcat 7.0.21, I decided to figure it out later. In the context.xml, I have following content. So, It lookis like that issuerURL defined inside fediz_config.xml, but I searched all directories, but couldn't find a file called fediz_config.xml. <Context> <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" configFile="conf/fediz_config.xml" /> <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" issuerURL="https://localhost:9443/fedizidp/"; truststoreFile="conf/stsstore.jks" truststorePassword="stsspass" trustedIssuer=".*CN=www.sts.com.*" />--> <!--Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler" truststoreFile="conf/stsstore.jks" truststorePassword="stsspass" />--> </Context> In the web.xml file of the idp, you have following content. ADFS has mex address. so, I assume that I need to replace value of sts.wsdl.url with ADFS mex address. <servlet> <servlet-name>FederationServlet</servlet-name> <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class> <init-param> <param-name>sts.wsdl.url</param-name> <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl</param-value> </init-param> <init-param> <param-name>sts.wsdl.service</param-name> <param-value>SecurityTokenService</param-value> </init-param> Thanks. Gina On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <[email protected]<mailto:[email protected]>> wrote: Hi Gina >>> I don't mind giving up existing implementation as long as I find better solution. I was hoping that Fediz project uses only Apache CXF instead of introducing another FrameWork - OpenSAML. >>> Apache CXF uses OpenSAML too for all SAML processing for SOAP and REST based service communication. OpenSAML is widely used and bundled into other frameworks like CXF and Fediz. >>> If I only consider passive profile at this moment, what changes are need to Fediz project to point to ADFS(STS) intead of Apach CXF STS? Where did you define your stsActionURL? I like to start with passive profile since it is easier to start with. I can use your sample application. It doesn't matter if I use Airline or not since it is a just prototype >>> I'd recommend to successfully deploy the wsclientWebapp sample and the IDP. When this works, rip&replace one piece after the other. I'd recommend to choose the following approach. 1) Replace the Fediz IDP by ADFS + configure the ADFS issuerUrl (context.xml) + ensure that ADFS supports WS-Federation Passive Requestor Profile + configure the certificate used by ADFS to sign the SAML token (the most recent version of fediz uses a separate xml file for the configuration) 2) Update the webapp to generate and use the stubs of the BookingService in the FederationServlet (just a test - call the simplest method). Configure the ASP.NET<http://ASP.NET> wsdl location (usually url?wsdl). Configure the ADFS STS url in the STSClient bean in the beans.xml configuration. Change the property onbehalfof to actas. HTH ------ Oliver Wulff Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/> Solution Architect http://coders.talend.com <http://coders.talend.com>Talend Application Integration Division http://www.talend.com ________________________________ From: Gina Choi [[email protected]<mailto:[email protected]>] Sent: 08 May 2012 01:05 To: Oliver Wulff Cc: [email protected]<mailto:[email protected]> Subject: Re: CXF supporting scope Hi Oliver, I am not responsible for BookingService(.NET). The other guys who implemented it using WIF. You know that Microsoft created WIF and tested with ADFS, so it it doesn't work, I would be surprised. >Which Servlet container do you use? I am using Tomcat7. >In your current setup, how does the samlp:Response look like? I sent you decoded SAML response token in seperate email. I am sretrieving based64 encoded saml response token using following code. String encodedSamlResponseTokenStr = request.getParameter("SAMLResponse"); I don't mind giving up existing implementation as long as I find better solution. I was hoping that Fediz project uses only Apache CXF instead of introducing another FrameWork - OpenSAML. I loaded http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/ to the Eclipse today. Basically I need following three URL for ADFS(STS). First two is for active profile and third one is for passive profile(SP initiated Redirect POST bindings). If I only consider passive profile at this moment, what changes are need to Fediz project to point to ADFS(STS) intead of Apach CXF STS? Where did you define your stsActionURL? I like to start with passive profile since it is easier to start with. I can use your sample application. It doesn't matter if I use Airline or not since it is a just prototype. private static final String stsEndpoint = "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";; private static final String stsMEXAddress = https://strts01.ams.dev/adfs/services/trust/mex; private static final String stsActionURL = https://strts01.ams.dev/adfs/ls/; Thanks again for your guidance. Gina On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <[email protected]<mailto:[email protected]>> wrote: Hi Gina The fediz project is used to protect your web application where the client is a browser. Right now, Fediz supports WS-Federation Passive Requestor Profile which is supported by ADFS and usually used in the .NET world as a the default mechanism. You don't have to implement that in your application - that's done by the Fediz plugin. Fediz uses opensaml for SAML processing. The original URL is stored in the wreply parameter. .NET uses a combination of the wtrealm and wctx parameter. Your Airline application can use CXF for the web services communication (for the REST communication also, if you like). The built-in support in CXF for the IssuedToken assertion (WS-SecurityPolicy) supports to get a token from ADFS using actas. In my example, just use actas instead of onbehalfof property. >>> ADFS generate SAMLtoken and this SAML token is sent back to Airline(Airline does all validation work) and cached in the session. - This part is implemented. >>> The validation work is already done by Fediz. Session management is then done by the JEE container. Your application is called after the SAML token issued by ADFS is successfully validated. The container will create the session and check every incoming request whether the used token is still valid - otherwise, the browser is redirected again to ADFS. You could also configure some roles in ADFS to protect your web application as the fediz plugin tells the container the userid as well as its roles. You could even use claims if you like. Which Servlet container do you use? In your current setup, how does the samlp:Response look like? Thanks Oli ------ Oliver Wulff Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/> Solution Architect http://coders.talend.com <http://coders.talend.com>Talend Application Integration Division http://www.talend.com ________________________________ From: Gina Choi [[email protected]<mailto:[email protected]>] Sent: 07 May 2012 20:24 To: [email protected]<mailto:[email protected]> Cc: Oliver Wulff Subject: Re: CXF supporting scope Hi Oliver, I did notice that your sample application used both opensaml and openws libraries. Are they used by Apache CXF or just by Frediz project? I need to clarify my environment further to give you better picture. 1. All web services in my application are REST. The only reason that I use SOAP is to create a soap client to call .NET SOAP web service which resides on another application. I am working with a .NET guy to prove some prototypes. His sample application is BookingService which I provided you wsdl. I am working on Airline. BookingService: .NET4.0 SOAP Airline: Java with REST 2. Both BookingService and Airline use same ADFS as STS. We have set up relying parties for BookingService and Airline in ADFS. 3. SSO: A user will be using both Airline and BookingService. So, she/he should be able to log on once for both applications. In Airline(my application), I used SP initialed POST redirect bindings. So, when a user make a request to Airline at first time, the user will be redirected to ADFS and asked credentials. After user provide username/password, ADFS generate SAMLtoken and this SAML token is sent back to Airline(Airline does all validation work) and cached in the session. - This part is implemented. 4. Now a user call BookingService which is claim aware. So, I need to inject Assertion token get from previous step inside actas element to call STS(ADFS2.0) to get a new token. With that new token, I will be calling Booking service. So, I don't think that I am able to use Apach CXF STS part since my STS will be ADFS. So, I am hoping that Apache CXF can work with ADFS(STS) to support my prototypes. Thanks. Gina On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <[email protected]<mailto:[email protected]>> wrote: Hi Gina >>> So, what I need is after user log on using Web SSO, the SAML token should be cached in web context and being used as actas token when making a call to .NET web service. >>> This is supported by CXF without writing any single line of code. I do have a sample web application here: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/ This example illustrates: - fediz is configured for web sso - SAML token is cached in the session and used to request a new token from the STS The code to call the web service is in FederationServlet.doPost(): ... Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient"); String reply = service.greetMe(); ... The magic is in the configuration I used here: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup The following property registers a callback handler to provide the STSClient the token of the Web Login: <property name="onBehalfOf" ref="delegationCallbackHandler" /> (There is also a property for actAs) The above example should exactly do what you need. You just have to change the above property to use ActAs instead of OnBehalfOf. The details for this example are described here: http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html To test this easily, you can use the Mock IDP as part of Fediz for the authentication. You could also attach Active Directory in the Mock if you like. See here: http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html I use that within a customer set up to connect the CXF STS to Active Directory. >>> What is Spring role in CXF? >>> You can use Spring to configure your services. The above example is based on spring. As you see, all security related stuff is enabled by configuration (Convention of Configuration). You can also write an application without spring but I wouldn't write an application without spring nowadays but this is up to you. >>> I don't know much LDAP, but it should be used as an attribute store. I consider it as an alternative of Active Directory. Please correct me if I am wrong. >>> Active Directory provides different interfaces. One of them is LDAP. You can use the LDAPLoginModule of the JDK for authentication. But you don't have to care that much as ADFS (and maybe the Fediz Mock for testing) will access ActiveDirectory to read the claims to add them to the SAML token. Could you zip the wsdl before attaching? Thanks ------ Oliver Wulff Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/> Solution Architect http://coders.talend.com <http://coders.talend.com>Talend Application Integration Division http://www.talend.com ________________________________ Von: Gina Choi [[email protected]<mailto:[email protected]>] Gesendet: Freitag, 4. Mai 2012 20:54 Bis: [email protected]<mailto:[email protected]> Betreff: Re: CXF supporting scope Hi Oliver, Thanks for your response. >You mean that WIF is deployed in the ASP.NET<http://ASP.NET><http://asp.net/> >web service using the Active Requestor Profile? >The SAML token should contain the claims as an AttributeStatement? >Can you share with us the WS-SecurityPolicy of this Web Service? I have attached two wsdl file. BookingService.wsdl and BookingService_imported.wsdl. BookingService.wsdl is importing BookingService_imported.wsdl and if you open BookingService.wsdl, in line 10 there is a importing statement like bellow. This .NET4.0 service is not owned by me and I don't know if separating wsdl file is common practice. Is there anyway to combin them into one when generate artifact using wsimport? I will be calling CheckIn operation. <wsdl:import location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0"; namespace="http://tempuri.org/"/> >I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and >Asymmetric binding. >What roles does ADFS 2.0 play? >Once as the IDP for the Web application SSO and once to let issue a token >onbehalfof/actas the original token >from the Web SSO? (this is supported by >CXF-Fediz) >http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html I am using Active Directory as an attribute store. So, I could say ADFS role should be IDP. So, what I need is after user log on using Web SSO, the SAML token should be cached in web context and being used as actas token when making a call to .NET web service. > Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which > application server is your web >application deployed? ADFS is IDP and my Java web application is Service Provider. >What do you mean exactly? Is LDAP used for authentication by the STS? Or >should the service provider retrieve >the claims/roles from LDAP? I don't know much LDAP, but it should be used as an attribute store. I consider it as an alternative of Active Directory. Please correct me if I am wrong. I have been reading many specifications, but I am still having hard time to straiten up correct terms. >No, Spring is not a requirement. What is Spring role in CXF? Thanks. Gina On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>> wrote: >>> 1. I have to create a client for .NET4.0 web service which claim aware. So, how is CXF interoperability with .NET? >>> You mean that WIF is deployed in the ASP.NET<http://ASP.NET><http://ASP.NET> web service using the Active Requestor Profile? The SAML token should contain the claims as an AttributeStatement? Can you share with us the WS-SecurityPolicy of this Web Service? >>> 2. If CXF support ADFS2.0 as STS. >>> I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding. What roles does ADFS 2.0 play? Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token from the Web SSO? (this is supported by CXF-Fediz) http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html >>> 3. If CXF support passive profile. Especially SP initiated Redirect -> POST binding. >>> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web application deployed? >>> 4. If CXF can work with LDAP. >>> What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve the claims/roles from LDAP? >>>> 5. My application doesn't use Spring frame work. Do I have to use Spring Frame work to use CXF. >>> No, Spring is not a requirement. ------ Oliver Wulff Blog: http://owulff.blogspot.com Solution Architect http://coders.talend.com Talend Application Integration Division http://www.talend.com ________________________________________ Von: gchoi [[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>] Gesendet: Mittwoch, 2. Mai 2012 17:29 Bis: [email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>> Betreff: CXF supporting scope Hi All, So far, I evaluated several frame works, but they seem don't do what I expect. Several people suggested me that I should consider CXF. Before I dig into CXF, I would like know if CXF support following things. By the way, I just joined this user group. 1. I have to create a client for .NET4.0 web service which claim aware. So, how is CXF interoperability with .NET? 2. If CXF support ADFS2.0 as STS. 3. If CXF support passive profile. Especially SP initiated Redirect -> POST binding. 4. If CXF can work with LDAP. 5. My application doesn't use Spring frame work. Do I have to use Spring Frame work to use CXF. Thank in advance. -- View this message in context: http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html Sent from the cxf-user mailing list archive at Nabble.com.
