Hi Oliver,

> You're right - this is confusing. The STS signs the SAML token with the private key which correlates to
> the STS certificate. The RP requires the CA certificates and the STS certificate (if self-signed as in
> this demo case) to validate the SAML token.

Thanks for the response. I looked at the request and response messages between RP and STS. It looks like you don't encrypt RST and RSTR, but you said that both RST and RSTR are signed. I need to import the signing cert from ADFS into the stsstore.jks keystore. Which one is the key alias for RP? You have clientkey, myservicekey and mystskey. Vice versa, I need to export the signing cert from RP to import it into ADFS. Do you have the signing cert somewhere or do I have to export it myself?

Thanks.

Gina

On Mon, May 14, 2012 at 2:19 PM, Oliver Wulff <owu...@talend.com> wrote:
> Hi Gina
>
> >>>
> But I still don't understand why I have to copy the stsstore.jks file into RP. stsstore.jks is the keystore file of STS and it should be sitting somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should have its own keystore file, for example clientstore.jks.
> When the client issues an AuthnRequest to the STS, it will sign the AuthnRequest with the STS signing certificate. Vice versa, when the STS issues an Assertion token, it will be signed by the client signing certificate.
> In the fediz project scenario, RP will be the client and it will never have the keystore file of STS.
> I just looked at the content of stsstore.jks and it looks like you combined the sts, client and service keystore files into one - stsstore.jks. In other words, stsstore.jks is being used as a keystore file for all three - client, service and sts. Is that correct? I think they should be separated. Kind of confusing until you list the content of stsstore.jks.
> >>>
> You're right - this is confusing. The STS signs the SAML token with the private key which correlates to the STS certificate. The RP requires the CA certificates and the STS certificate (if self-signed as in this demo case) to validate the SAML token.
>
> I was too lazy in creating two keystores (I just copied the keystore used by the CXF STS distribution). In a production environment, one keystore contains the private key and the certificate for the STS and the other contains the certificate only for the RP.
>
> I've started documenting fediz here:
> http://cxf.apache.org/fediz.html
>
> It would make sense to add a section on what to consider for a production implementation. I'll add that.
>
> Thanks
>
> ------
> Oliver Wulff
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Gina Choi [ginacho...@gmail.com]
> Sent: 14 May 2012 18:00
> To: Oliver Wulff
> Cc: users@cxf.apache.org
> Subject: Re: CXF supporting scope
>
> Hi Oliver,
>
> Thanks for your response. I copied stsstore.jks over into tomcat rp and I am seeing the saml token now.
>
> >The SAML token issued by the IDP/STS is signed and the used certificate must be referenced to >validate the signature:
> ><trustedIssuerItem provider=".*CN=www.sts.com.*">
> ><keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" />
> ></trustedIssuerItem>
> >In this example, I used a self-signed certificate and I was too lazy in separating the keystore into >one with the private key and into one without.
> >You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
>
> But I still don't understand why I have to copy the stsstore.jks file into RP. stsstore.jks is the keystore file of STS and it should be sitting somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should have its own keystore file, for example clientstore.jks.
>
> When the client issues an AuthnRequest to the STS, it will sign the AuthnRequest with the STS signing certificate. Vice versa, when the STS issues an Assertion token, it will be signed by the client signing certificate.
>
> In the fediz project scenario, RP will be the client and it will never have the keystore file of STS.
>
> I just looked at the content of stsstore.jks and it looks like you combined the sts, client and service keystore files into one - stsstore.jks. In other words, stsstore.jks is being used as a keystore file for all three - client, service and sts. Is that correct? I think they should be separated. Kind of confusing until you list the content of stsstore.jks.
>
> Thanks.
>
> Gina
>
> On Fri, May 11, 2012 at 2:55 AM, Oliver Wulff <owu...@talend.com> wrote:
> > Hi Gina
> >
> > The SAML token issued by the IDP/STS is signed and the used certificate must be referenced to validate the signature:
> >
> > <trustedIssuerItem provider=".*CN=www.sts.com.*">
> > <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" />
> > </trustedIssuerItem>
> >
> > In this example, I used a self-signed certificate and I was too lazy in separating the keystore into one with the private key and into one without.
> >
> > You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
> >
> > In your scenario with ADFS, you must import the CA certs which signed the ADFS cert into a keystore and configure the CN name as a regular expression in the attribute "provider". (The name provider is misleading, will fix that)
> >
> > Thanks
> >
> > ------
> > Oliver Wulff
> > ------------------------------
> > From: Gina Choi [ginacho...@gmail.com]
> > Sent: 11 May 2012 00:44
> > To: Oliver Wulff
> > Cc: users@cxf.apache.org
> > Subject: Re: CXF supporting scope
> >
> > Hi Oliver,
> >
> > Until this afternoon, I didn't have time to work with Fediz. Finally I have successfully deployed idp, sts and simpleWebapp on Tomcat 7.0.27. Everything went well. I guess that the other day I thought I was doing one thing, but I probably did something else. :)
> > After typing https://localhost:8443/fedizhelloworld/secureservlet/fed into the browser, I input the test user name and password, but it failed.
> >
> > org.apache.ws.security.components.crypto.CredentialException: Proxy file (/projects/fediz/tomcat-rp2/conf/stsstore.jks) not found.
> >
> > In your fediz_config.xml, you have the following lines. Why do we put the sts keystore file on the RP server? Does the web application need to know where the sts keystore file is?
> >
> > <trustedIssuers>
> > <trustedIssuerItem provider=".*CN=www.sts.com.*">
> > <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" />
> > </trustedIssuerItem>
> > </trustedIssuers>
> >
> > Thanks.
> >
> > Gina
> >
> > On Wed, May 9, 2012 at 1:45 AM, Oliver Wulff <owu...@talend.com> wrote:
> >> Hi Gina
> >>
> >> The steps are absolutely correct. Not sure about the failing deployment step for the application. Have you also updated tomcat-users.xml of the second tomcat instance? Or was the application already deployed once and you must run "mvn clean install tomcat:redeploy"? Is anything logged in catalina.out?
> >> Otherwise, just copy the war manually from target/fedizhelloworld.war to <tomcat-dir>/webapps.
> >>
> >> I've checked in fediz_config.xml in examples/simpleWebapp/src/main/config (sorry for that). Please manually copy it to the location you've configured in the context.xml. Ensure that the IDP url (later ADFS):
> >> <issuer>https://localhost:9443/fedizidp/</issuer>
> >> and the location of the trusted keystore is updated:
> >> <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" />
> >>
> >> It will be supported in the next days to also configure a location relative to catalina.home.
> >>
> >> Thanks
> >> Oli
> >>
> >> ------
> >> Oliver Wulff
> >> ------------------------------
> >> From: Gina Choi [ginacho...@gmail.com]
> >> Sent: 09 May 2012 00:55
> >> To: Oliver Wulff
> >> Cc: users@cxf.apache.org
> >> Subject: Re: CXF supporting scope
> >>
> >> By the way, I checked out the head version of the fediz project from SVN.
> >>
> >> On Tue, May 8, 2012 at 6:36 PM, Gina Choi <ginacho...@gmail.com> wrote:
> >>> Hi Oliver,
> >>>
> >>> I am using separate Tomcat instances for IDP and application and I set up https. Following is what I did.
> >>>
> >>> I checked out the Fediz project onto my local machine. As you explained in your post
> >>> http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html,
> >>> I ran mvn clean install in plugins/core, plugins/tomcat and examples/simpleWebapp/. I configured maven's settings.xml and updated tomcat-users.xml. I ran mvn tomcat:deploy under fediz\trunk\plugins, and I am seeing both IDP and STS deployed.
> >>>
> >>> I am just having a problem with deploying the sample application in another Tomcat instance.
> >>>
> >>> 1. I created the sub-directory fediz in ${catalina.home}/lib of the tomcat-rp.
> >>> 2. I have the following line in catalina.properties in ${catalina.home}/conf.
> >>> common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar
> >>> 3. I deployed the built libraries and dependencies to the directory created in (1).
> >>> I got the built libraries from fediz-tomcat/target/fediz-tomcat-0.6-SNAPSHOT-zip-with-dependencies.zip.
> >>> After this, I am getting error messages when starting Tomcat. This prevents me from doing step 5, deploying the application properly.
> >>> If I replace the generated lib/fediz jar files with the old jar files that I downloaded from your post, I am able to start tomcat without error and able to deploy the application, but it couldn't run properly.
> >>> 4. Since I can't find fediz_config.xml, I configured META-INF/context.xml as follows.
> >>>
> >>> <Context>
> >>> <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
> >>> issuerURL="https://localhost:9443/fedizidp/"
> >>> truststoreFile="conf/stsstore.jks"
> >>> truststorePassword="stsspass"
> >>> trustedIssuer=".*CN=www.sts.com.*" />
> >>> </Context>
> >>> 5. If I run mvn tomcat:deploy under fediz\trunk\examples\simpleWebapp, I am getting the following error message.
> >>>
> >>> Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.1:deploy (default-cli) on project simpleWebapp: Cannot invoke Tomcat manager: FAIL - Failed to deploy application at context path /fedizhelloworld -> [Help 1]
> >>>
> >>> So, I couldn't get your application to run. I hope that all these problems are caused by the missing fediz_config.xml.
> >>>
> >>> Thanks.
> >>>
> >>> Gina
> >>> On Tue, May 8, 2012 at 2:46 PM, Oliver Wulff <owu...@talend.com> wrote:
> >>>> Hi Gina
> >>>>
> >>>> I'll send you and check in the fediz_config.xml as soon as I can - I'm on the way right now.
> >>>>
> >>>> This STS URL is fine, the Mock IDP uses the CXF STS. When the application works you will change the issuerUrl of ADFS in your application (fediz_config.xml).
> >>>>
> >>>> Have you configured HTTPS for the IDP Tomcat instance and your application Tomcat instance?
> >>>> I recommend to use a separate instance for the IDP and your application.
> >>>> Do you use the port 9443?
> >>>>
> >>>> Thanks
> >>>>
> >>>> ------
> >>>> Oliver Wulff
> >>>> ------------------------------
> >>>> From: Gina Choi [ginacho...@gmail.com]
> >>>> Sent: 08 May 2012 20:20
> >>>> To: Oliver Wulff
> >>>> Cc: users@cxf.apache.org
> >>>> Subject: Re: CXF supporting scope
> >>>>
> >>>> Hi Oliver
> >>>>
> >>>> >I'd recommend to successfully deploy the wsclientWebapp sample and the IDP. When this works, rip&replace >one piece after the other. I'd recommend to choose the following approach.
> >>>> >1) Replace the Fediz IDP by ADFS
> >>>> > + configure the ADFS issuerUrl (context.xml)
> >>>> > + ensure that ADFS supports WS-Federation Passive Requestor Profile
> >>>> > + configure the certificate used by ADFS to sign the SAML token
> >>>> >
> >>>> >(the most recent version of fediz uses a separate xml file for the configuration)
> >>>>
> >>>> Somehow I couldn't deploy both fediz\trunk\services and fediz\trunk\examples\wsclientWebapp on Tomcat 7.0.27, so I deployed them on Tomcat 7.0.21. I checked the tomcat user name and Maven's settings file, but couldn't find the reason. It just said that it can't invoke Tomcat Manager. But since I was able to deploy it on tomcat 7.0.21, I decided to figure it out later.
> >>>>
> >>>> In the context.xml, I have the following content. So, it looks like issuerURL is defined inside fediz_config.xml, but I searched all directories and couldn't find a file called fediz_config.xml.
> >>>>
> >>>> <Context>
> >>>> <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" configFile="conf/fediz_config.xml" />
> >>>> <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" issuerURL="https://localhost:9443/fedizidp/" truststoreFile="conf/stsstore.jks" truststorePassword="stsspass" trustedIssuer=".*CN=www.sts.com.*" />-->
> >>>> <!--Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler" truststoreFile="conf/stsstore.jks" truststorePassword="stsspass" />-->
> >>>> </Context>
> >>>>
> >>>> In the web.xml file of the idp, you have the following content. ADFS has a mex address, so I assume that I need to replace the value of sts.wsdl.url with the ADFS mex address.
> >>>>
> >>>> <servlet>
> >>>> <servlet-name>FederationServlet</servlet-name>
> >>>> <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class>
> >>>> <init-param>
> >>>> <param-name>sts.wsdl.url</param-name>
> >>>> <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl</param-value>
> >>>> </init-param>
> >>>> <init-param>
> >>>> <param-name>sts.wsdl.service</param-name>
> >>>> <param-value>SecurityTokenService</param-value>
> >>>> </init-param>
> >>>>
> >>>> Thanks.
> >>>>
> >>>> Gina
> >>>> On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <owu...@talend.com> wrote:
> >>>>> Hi Gina
> >>>>>
> >>>>> >>>
> >>>>> I don't mind giving up the existing implementation as long as I find a better solution. I was hoping that the Fediz project uses only Apache CXF instead of introducing another framework - OpenSAML.
> >>>>> >>>
> >>>>> Apache CXF uses OpenSAML too for all SAML processing for SOAP and REST based service communication. OpenSAML is widely used and bundled into other frameworks like CXF and Fediz.
> >>>>>
> >>>>> >>>
> >>>>> If I only consider the passive profile at this moment, what changes are needed to the Fediz project to point to ADFS (STS) instead of the Apache CXF STS? Where did you define your stsActionURL? I'd like to start with the passive profile since it is easier to start with. I can use your sample application. It doesn't matter if I use Airline or not since it is just a prototype.
> >>>>> >>>
> >>>>> I'd recommend to successfully deploy the wsclientWebapp sample and the IDP. When this works, rip&replace one piece after the other. I'd recommend to choose the following approach.
> >>>>>
> >>>>> 1) Replace the Fediz IDP by ADFS
> >>>>> + configure the ADFS issuerUrl (context.xml)
> >>>>> + ensure that ADFS supports WS-Federation Passive Requestor Profile
> >>>>> + configure the certificate used by ADFS to sign the SAML token
> >>>>>
> >>>>> (the most recent version of fediz uses a separate xml file for the configuration)
> >>>>>
> >>>>> 2) Update the webapp to generate and use the stubs of the BookingService in the FederationServlet (just a test - call the simplest method). Configure the ASP.NET wsdl location (usually url?wsdl). Configure the ADFS STS url in the STSClient bean in the beans.xml configuration. Change the property onbehalfof to actas.
> >>>>>
> >>>>> HTH
> >>>>>
> >>>>> ------
> >>>>> Oliver Wulff
> >>>>> ------------------------------
> >>>>> From: Gina Choi [ginacho...@gmail.com]
> >>>>> Sent: 08 May 2012 01:05
> >>>>> To: Oliver Wulff
> >>>>> Cc: users@cxf.apache.org
> >>>>> Subject: Re: CXF supporting scope
> >>>>>
> >>>>> Hi Oliver,
> >>>>>
> >>>>> I am not responsible for BookingService (.NET). The other guys implemented it using WIF. You know that Microsoft created WIF and tested it with ADFS, so if it doesn't work, I would be surprised.
> >>>>> >Which Servlet container do you use?
> >>>>> I am using Tomcat7.
> >>>>>
> >>>>> >In your current setup, how does the samlp:Response look like?
> >>>>> I sent you the decoded SAML response token in a separate email. I am retrieving the base64 encoded saml response token using the following code.
> >>>>>
> >>>>> String encodedSamlResponseTokenStr = request.getParameter("SAMLResponse");
> >>>>>
> >>>>> I don't mind giving up the existing implementation as long as I find a better solution. I was hoping that the Fediz project uses only Apache CXF instead of introducing another framework - OpenSAML.
> >>>>>
> >>>>> I loaded http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/ into Eclipse today.
> >>>>>
> >>>>> Basically I need the following three URLs for ADFS (STS). The first two are for the active profile and the third one is for the passive profile (SP initiated Redirect POST bindings). If I only consider the passive profile at this moment, what changes are needed to the Fediz project to point to ADFS (STS) instead of the Apache CXF STS? Where did you define your stsActionURL? I'd like to start with the passive profile since it is easier to start with. I can use your sample application. It doesn't matter if I use Airline or not since it is just a prototype.
> >>>>>
> >>>>> private static final String stsEndpoint = "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
> >>>>> private static final String stsMEXAddress = "https://strts01.ams.dev/adfs/services/trust/mex";
> >>>>> private static final String stsActionURL = "https://strts01.ams.dev/adfs/ls/";
> >>>>>
> >>>>> Thanks again for your guidance.
> >>>>>
> >>>>> Gina
> >>>>>
> >>>>> On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <owu...@talend.com> wrote:
> >>>>>> Hi Gina
> >>>>>>
> >>>>>> The fediz project is used to protect your web application where the client is a browser. Right now, Fediz supports the WS-Federation Passive Requestor Profile, which is supported by ADFS and usually used in the .NET world as the default mechanism. You don't have to implement that in your application - that's done by the Fediz plugin. Fediz uses opensaml for SAML processing.
> >>>>>>
> >>>>>> The original URL is stored in the wreply parameter. .NET uses a combination of the wtrealm and wctx parameter.
> >>>>>>
> >>>>>> Your Airline application can use CXF for the web services communication (for the REST communication also, if you like). The built-in support in CXF for the IssuedToken assertion (WS-SecurityPolicy) supports getting a token from ADFS using actas. In my example, just use actas instead of the onbehalfof property.
> >>>>>>
> >>>>>> >>>
> >>>>>> ADFS generates a SAML token and this SAML token is sent back to Airline (Airline does all validation work) and cached in the session. - This part is implemented.
> >>>>>> >>>
> >>>>>> The validation work is already done by Fediz. Session management is then done by the JEE container. Your application is called after the SAML token issued by ADFS is successfully validated. The container will create the session and check every incoming request whether the used token is still valid - otherwise, the browser is redirected again to ADFS. You could also configure some roles in ADFS to protect your web application as the fediz plugin tells the container the userid as well as its roles. You could even use claims if you like.
> >>>>>>
> >>>>>> Which Servlet container do you use?
> >>>>>>
> >>>>>> In your current setup, how does the samlp:Response look like?
> >>>>>>
> >>>>>> Thanks
> >>>>>> Oli
> >>>>>>
> >>>>>> ------
> >>>>>> Oliver Wulff
> >>>>>> ------------------------------
> >>>>>> From: Gina Choi [ginacho...@gmail.com]
> >>>>>> Sent: 07 May 2012 20:24
> >>>>>> To: users@cxf.apache.org
> >>>>>> Cc: Oliver Wulff
> >>>>>> Subject: Re: CXF supporting scope
> >>>>>>
> >>>>>> Hi Oliver,
> >>>>>>
> >>>>>> I did notice that your sample application used both the opensaml and openws libraries. Are they used by Apache CXF or just by the Fediz project?
> >>>>>>
> >>>>>> I need to clarify my environment further to give you a better picture.
> >>>>>>
> >>>>>> 1. All web services in my application are REST. The only reason that I use SOAP is to create a soap client to call a .NET SOAP web service which resides in another application. I am working with a .NET guy to prove some prototypes. His sample application is BookingService, for which I provided you the wsdl. I am working on Airline.
> >>>>>>
> >>>>>> BookingService: .NET4.0 SOAP
> >>>>>> Airline: Java with REST
> >>>>>>
> >>>>>> 2. Both BookingService and Airline use the same ADFS as STS. We have set up relying parties for BookingService and Airline in ADFS.
> >>>>>>
> >>>>>> 3. SSO: A user will be using both Airline and BookingService. So, she/he should be able to log on once for both applications. In Airline (my application), I used SP initiated POST redirect bindings. So, when a user makes a request to Airline for the first time, the user will be redirected to ADFS and asked for credentials. After the user provides username/password, ADFS generates a SAML token and this SAML token is sent back to Airline (Airline does all validation work) and cached in the session. - This part is implemented.
> >>>>>>
> >>>>>> 4. Now a user calls BookingService, which is claim aware. So, I need to inject the Assertion token obtained in the previous step inside the actas element to call the STS (ADFS 2.0) to get a new token. With that new token, I will be calling the Booking service.
> >>>>>>
> >>>>>> So, I don't think that I am able to use the Apache CXF STS part since my STS will be ADFS. So, I am hoping that Apache CXF can work with ADFS (STS) to support my prototypes.
> >>>>>>
> >>>>>> Thanks.
> >>>>>>
> >>>>>> Gina
> >>>>>>
> >>>>>> On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <owu...@talend.com> wrote:
> >>>>>>> Hi Gina
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> So, what I need is after the user logs on using Web SSO, the SAML token should be cached in the web context and used as the actas token when making a call to the .NET web service.
> >>>>>>> >>>
> >>>>>>> This is supported by CXF without writing a single line of code. I do have a sample web application here:
> >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
> >>>>>>>
> >>>>>>> This example illustrates:
> >>>>>>> - fediz is configured for web sso
> >>>>>>> - SAML token is cached in the session and used to request a new token from the STS
> >>>>>>>
> >>>>>>> The code to call the web service is in FederationServlet.doPost():
> >>>>>>> ...
> >>>>>>> Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
> >>>>>>> String reply = service.greetMe();
> >>>>>>> ...
> >>>>>>>
> >>>>>>> The magic is in the configuration I used here:
> >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
> >>>>>>>
> >>>>>>> The following property registers a callback handler to provide the STSClient the token of the Web Login:
> >>>>>>> <property name="onBehalfOf" ref="delegationCallbackHandler" />
> >>>>>>>
> >>>>>>> (There is also a property for actAs)
> >>>>>>>
> >>>>>>> The above example should do exactly what you need. You just have to change the above property to use ActAs instead of OnBehalfOf. The details for this example are described here:
> >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
> >>>>>>>
> >>>>>>> To test this easily, you can use the Mock IDP as part of Fediz for the authentication. You could also attach Active Directory in the Mock if you like. See here:
> >>>>>>> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
> >>>>>>>
> >>>>>>> I use that within a customer setup to connect the CXF STS to Active Directory.
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> What is Spring's role in CXF?
> >>>>>>> >>>
> >>>>>>> You can use Spring to configure your services. The above example is based on spring. As you see, all security related stuff is enabled by configuration (Convention of Configuration). You can also write an application without spring, but I wouldn't write an application without spring nowadays; this is up to you.
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> I don't know much about LDAP, but it should be used as an attribute store. I consider it as an alternative to Active Directory. Please correct me if I am wrong.
> >>>>>>> >>>
> >>>>>>> Active Directory provides different interfaces. One of them is LDAP. You can use the LDAPLoginModule of the JDK for authentication. But you don't have to care that much as ADFS (and maybe the Fediz Mock for testing) will access Active Directory to read the claims to add them to the SAML token.
> >>>>>>>
> >>>>>>> Could you zip the wsdl before attaching?
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>>
> >>>>>>> ------
> >>>>>>> Oliver Wulff
> >>>>>>> ________________________________
> >>>>>>> From: Gina Choi [ginacho...@gmail.com]
> >>>>>>> Sent: Friday, 4 May 2012 20:54
> >>>>>>> To: users@cxf.apache.org
> >>>>>>> Subject: Re: CXF supporting scope
> >>>>>>>
> >>>>>>> Hi Oliver,
> >>>>>>>
> >>>>>>> Thanks for your response.
> >>>>>>>
> >>>>>>> >You mean that WIF is deployed in the ASP.NET web service using the Active Requestor Profile?
> >>>>>>> >The SAML token should contain the claims as an AttributeStatement?
> >>>>>>> >Can you share with us the WS-SecurityPolicy of this Web Service?
> >>>>>>> I have attached two wsdl files, BookingService.wsdl and BookingService_imported.wsdl. BookingService.wsdl is importing BookingService_imported.wsdl and if you open BookingService.wsdl, in line 10 there is an import statement like below. This .NET4.0 service is not owned by me and I don't know if separating wsdl files is common practice. Is there any way to combine them into one when generating artifacts using wsimport? I will be calling the CheckIn operation.
> >>>>>>>
> >>>>>>> <wsdl:import location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0" namespace="http://tempuri.org/"/>
> >>>>>>>
> >>>>>>> >I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding.
> >>>>>>> >What roles does ADFS 2.0 play?
> >>>>>>> >Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token >from the Web SSO? (this is supported by CXF-Fediz)
> >>>>>>> >
> >>>>>>> > http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
> >>>>>>> I am using Active Directory as an attribute store. So, I could say the ADFS role should be IDP. So, what I need is after the user logs on using Web SSO, the SAML token should be cached in the web context and used as the actas token when making a call to the .NET web service.
> >>>>>>>
> >>>>>>> > Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web >application deployed?
> >>>>>>> ADFS is the IDP and my Java web application is the Service Provider.
> >>>>>>>
> >>>>>>> >What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve >the claims/roles from LDAP?
> >>>>>>> I don't know much about LDAP, but it should be used as an attribute store. I consider it as an alternative to Active Directory. Please correct me if I am wrong. I have been reading many specifications, but I am still having a hard time straightening out the correct terms.
> >>>>>>>
> >>>>>>> >No, Spring is not a requirement.
> >>>>>>> What is Spring's role in CXF?
> >>>>>>>
> >>>>>>> Thanks.
> >>>>>>>
> >>>>>>> Gina
> >>>>>>> On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <owu...@talend.com> wrote:
> >>>>>>> >>>
> >>>>>>> 1. I have to create a client for a .NET4.0 web service which is claim aware. So, how is CXF interoperability with .NET?
> >>>>>>> >>>
> >>>>>>> You mean that WIF is deployed in the ASP.NET web service using the Active Requestor Profile?
> >>>>>>> The SAML token should contain the claims as an AttributeStatement?
> >>>>>>> Can you share with us the WS-SecurityPolicy of this Web Service?
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> 2. If CXF supports ADFS2.0 as STS.
> >>>>>>> >>>
> >>>>>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding.
> >>>>>>> What roles does ADFS 2.0 play?
> >>>>>>> Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token from the Web SSO? (this is supported by CXF-Fediz)
> >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> 3. If CXF supports the passive profile. Especially SP initiated Redirect -> POST binding.
> >>>>>>> >>>
> >>>>>>> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web application deployed?
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> 4. If CXF can work with LDAP.
> >>>>>>> >>>
> >>>>>>> What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve the claims/roles from LDAP?
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> 5. My application doesn't use the Spring framework. Do I have to use the Spring framework to use CXF?
> >>>>>>> >>>
> >>>>>>> No, Spring is not a requirement.
> >>>>>>>
> >>>>>>> ------
> >>>>>>> Oliver Wulff
> >>>>>>> ________________________________________
> >>>>>>> From: gchoi [gc...@sdl.com]
> >>>>>>> Sent: Wednesday, 2 May 2012 17:29
> >>>>>>> To: users@cxf.apache.org
> >>>>>>> Subject: CXF supporting scope
> >>>>>>>
> >>>>>>> Hi All,
> >>>>>>>
> >>>>>>> So far, I evaluated several frameworks, but they don't seem to do what I expect. Several people suggested that I should consider CXF. Before I dig into CXF, I would like to know if CXF supports the following things. By the way, I just joined this user group.
> >>>>>>>
> >>>>>>> 1. I have to create a client for a .NET4.0 web service which is claim aware. So, how is CXF interoperability with .NET?
> >>>>>>>
> >>>>>>> 2. If CXF supports ADFS2.0 as STS.
> >>>>>>>
> >>>>>>> 3. If CXF supports the passive profile. Especially SP initiated Redirect -> POST binding.
> >>>>>>>
> >>>>>>> 4. If CXF can work with LDAP.
> >>>>>>>
> >>>>>>> 5. My application doesn't use the Spring framework. Do I have to use the Spring framework to use CXF?
> >>>>>>>
> >>>>>>> Thanks in advance.
> >>>>>>>
> >>>>>>> --
> >>>>>>> View this message in context: http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
> >>>>>>> Sent from the cxf-user mailing list archive at Nabble.com.
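Oliver's explanation of the trustedIssuerItem (the RP accepts a SAML token only if the signing certificate matches the `provider` regex and can be verified against the referenced keystore) as an added Python example; this is not Fediz's code and not from the thread. It assumes that `provider` is a Java-style regex matched against the whole subject DN of the signing certificate (String.matches semantics, approximated with re.fullmatch), that a relative keyStore path resolves against catalina.home, and RFC 2253 DNs with CN first; the second, catch-all item and the probe DNs are constructed to show why an unanchored pattern needs tightening.

```python
"""Evaluate a Fediz trustedIssuers section the way the relying-party plugin
uses it: the subject DN of the certificate that signed the SAML token must
match the `provider` regular expression of a trustedIssuerItem, and that
item's keystore holds the certificates the signature is verified against.

Assumptions (this is an added example, not Fediz code): `provider` is a
Java-style regex matched against the whole subject DN (String.matches
semantics, approximated with re.fullmatch); a relative keyStore path is
resolved against catalina.home; DNs are in RFC 2253 form without spaces,
CN first. Keystore loading and XML-signature checking are out of scope.
"""
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample, modelled on the fediz_config.xml snippet in the thread,
# plus a second, deliberately catch-all item so the audit has something to find.
SAMPLE_CONFIG = """\
<FedizConfig>
  <trustedIssuers>
    <trustedIssuerItem provider=".*CN=www.sts.com.*">
      <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
                password="stsspass" type="file" />
    </trustedIssuerItem>
    <trustedIssuerItem provider=".*">
      <keyStore file="conf/adfs-truststore.jks" password="changeit" type="file" />
    </trustedIssuerItem>
  </trustedIssuers>
</FedizConfig>
"""


@dataclass(frozen=True)
class TrustedIssuer:
    provider: str      # regex from the provider attribute, as written
    keystore: str      # absolute path of the truststore for this issuer
    password: str
    store_type: str

    def matches(self, subject_dn: str) -> bool:
        # Whole-string match, mirroring Java's String.matches (assumed semantics).
        return re.fullmatch(self.provider, subject_dn) is not None


def parse_trusted_issuers(xml_text: str, catalina_home: str) -> List[TrustedIssuer]:
    """Read every trustedIssuerItem; relative keystore paths are anchored at catalina.home."""
    root = ET.fromstring(xml_text)
    issuers: List[TrustedIssuer] = []
    for item in root.iter("trustedIssuerItem"):
        ks = item.find("keyStore")
        if ks is None or not ks.get("file"):
            raise ValueError("trustedIssuerItem needs a keyStore with a file attribute")
        path = ks.get("file")
        if not os.path.isabs(path):
            path = os.path.join(catalina_home, path)
        provider = item.get("provider", "")
        re.compile(provider)  # fail early on a malformed pattern instead of at first login
        issuers.append(TrustedIssuer(provider, path, ks.get("password", ""),
                                     ks.get("type", "file")))
    return issuers


def find_trusted_issuer(issuers: Sequence[TrustedIssuer],
                        signer_subject_dn: str) -> Optional[TrustedIssuer]:
    """First item whose provider pattern accepts the token signer's subject DN, else None."""
    for issuer in issuers:
        if issuer.matches(signer_subject_dn):
            return issuer
    return None


# Constructed subject DNs that a well-scoped STS pattern must reject: an
# unrelated certificate and a CN that merely begins with the expected host name.
DEFAULT_PROBE_DNS = ("CN=unrelated,O=Unrelated", "CN=www.sts.com.example,O=Other")


def audit_issuer_patterns(issuers: Sequence[TrustedIssuer],
                          probe_dns: Sequence[str] = DEFAULT_PROBE_DNS) -> List[Tuple[str, str]]:
    """Return (provider pattern, probe DN) pairs where a pattern accepts a DN it should not."""
    return [(issuer.provider, dn)
            for issuer in issuers for dn in probe_dns if issuer.matches(dn)]


def missing_keystores(issuers: Sequence[TrustedIssuer]) -> List[str]:
    """Keystore paths that do not exist; Fediz fails at login with 'Proxy file (...) not found'."""
    return [issuer.keystore for issuer in issuers if not os.path.isfile(issuer.keystore)]


def strict_provider_pattern(expected_cn: str) -> str:
    """Anchored pattern: the exact CN as first RDN, optionally followed by further RDNs."""
    return r"CN=" + re.escape(expected_cn) + r"(,.*)?"


if __name__ == "__main__":
    found = parse_trusted_issuers(SAMPLE_CONFIG, "/opt/tomcat-rp")
    for pattern, dn in audit_issuer_patterns(found):
        print(f"over-broad provider pattern {pattern!r} accepts {dn!r}")
    for path in missing_keystores(found):
        print(f"keystore not found: {path}")
```

Run against a real fediz_config.xml, the audit lists patterns that would let a token from an unrelated signer through, and `missing_keystores` reproduces the "Proxy file ... not found" failure from the thread before the first login does.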