Hi Oliver,

ADFS 2.0 has many endpoints, and depending on the request or profile that we use, we have to use different endpoints. When I test helloworld, I see the username token sent to the STS as a security header, so I used the adfs/services/trust/13/usernamemixed endpoint of ADFS, but when I see the URL in the browser it looks like SP-initiated redirect POST bindings, but I don't see a base64-encoded SAMLRequest. That's why I am confused.
Gina

On Mon, May 14, 2012 at 4:27 PM, Gina Choi <ginacho...@gmail.com> wrote:

> Neither the RST nor the RSTR are encrypted. It's planned for the next release of the Fediz plugin to support encrypted token which are embedded in RSTR.

Ok. Just verifying with you.

> Is it required to support encrypted tokens initially? I should have this functionality by end of May.

Encryption doesn't matter at this time.

> You have to export the signing cert from ADFS and import into a Java keystore. Don't import it into stsstore.jks as this should be used for this demo IDP only.

When I import the ADFS signing cert into a Java keystore, what alias name should I use? You must reference the alias name from somewhere.

I also need to import the Service Provider signing cert into ADFS. How do I export it?

I was trying to point helloworld to ADFS, but it seems not simple. wreply vs. RelayState. What is wa=wsignin1.0 and wtrealm? Without deep change, it wouldn't work with ADFS.

Based on the following URL, I couldn't tell what kind of profile you use. I couldn't really tell. Please see the OASIS link:

http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
Fediz:

https://strts01.ams.dev/adfs/services/trust/13/usernamemixed?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecureservlet%2Ffed&wtrealm=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2F

SP-initiated redirect POST binding:

GET /adfs/ls/?SAMLRequest=pZJPa9wwEMXv%2FRRG99U%2F73ptsXbYNoQGUrpknRR6KbI9TtTKkquR3Xz8Opss5FQKOQ7MvPd4v9ldPA02mSGg8a4kgnKSgGt9Z9xDSe7qq1VOLqoPO9SDHdV%2Bio%2FuFn5PgDHZI0KIy9kn73AaIBwhzKaFu9ubkjzGOKJi7M8vcDjzlGf0wfpGW4qdpa0Po8rX65TtTbDGAVscgX0D2%2FoB6E8cSXK5eBin4ynXWQ5jiMgF1QPSDmamux6ZRUaSKx9aOOUrSQwTkOT6siQ%2F0qLXfSZyyLs0K%2Fi24SKVXd%2B1hWw2a5GKrMi2siv6LMubPFuu8KARzQwl6bXFZx3ECa4dRu1iSSQXcsU3K7GuJVciVxtJt7n4TpJD8NG33n407qW9KTjlNRpUTg%2BAKrbquP9yoyTlqnlZQvW5rg%2Brw9djTZL7MwX5TGHh4lCdev%2B31PjqS6pXSqfA4f8F9Bkkqd6LbcfeRqjO49u%2Fqf4C&RelayState=https://wkensv0306.global.sdl.corp:8443/Airline/code/Welcome.jsp HTTP/1.1

On Mon, May 14, 2012 at 3:51 PM, Oliver Wulff <owu...@talend.com> wrote:

Hi Gina

> It looks like you don't encrypt RST and RSTR, but you said that both RST and RSTR are signed. I need to import the signing cert from ADFS to the stsstore.jks keystore. Which one is the key alias for RP? You have clientkey, myservicekey and mystskey. Vice versa, I need to export the signing cert from RP to import it to ADFS. Do you have the signing cert somewhere or do I have to export it myself?

Neither the RST nor the RSTR are encrypted. It's planned for the next release of the Fediz plugin to support encrypted tokens which are embedded in the RSTR.

Is it required to support encrypted tokens initially? I should have this functionality by end of May.

You have to export the signing cert from ADFS and import it into a Java keystore. Don't import it into stsstore.jks as this should be used for this demo IDP only.
Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

From: Gina Choi [ginacho...@gmail.com]
Sent: 14 May 2012 21:23
To: users@cxf.apache.org
Subject: Re: CXF supporting scope

Hi Oliver,

> You're right - this is confusing. The STS signs the SAML token with the private key which correlates to the STS certificate. The RP requires the CA certificates and the STS certificate (if self-signed as in this demo case) to validate the SAML token.

Thanks for the response. I looked at the request and response messages between RP and STS. It looks like you don't encrypt RST and RSTR, but you said that both RST and RSTR are signed. I need to import the signing cert from ADFS to the stsstore.jks keystore. Which one is the key alias for RP? You have clientkey, myservicekey and mystskey. Vice versa, I need to export the signing cert from RP to import it to ADFS. Do you have the signing cert somewhere or do I have to export it myself?

Thanks.

Gina

On Mon, May 14, 2012 at 2:19 PM, Oliver Wulff <owu...@talend.com> wrote:

Hi Gina

> But I still don't understand why I have to copy the stsstore.jks file into RP. stsstore.jks is the keystore file of STS and it should be sitting somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should have its own keystore file, for example clientstore.jks.
> When the client issues an AuthnRequest to STS, it will sign the AuthnRequest with the STS signing certificate. Vice versa, when STS issues an Assertion token, it will be signed by the client signing certificate.
> In the fediz project scenario, RP will be the client and it will never have the keystore file of STS.
> I just looked at the content of stsstore.jks and it looks like you combined the sts, client and service keystore files into one - stsstore.jks. In other words, stsstore.jks is being used as a keystore file for all three - client, service and sts. Is that correct? I think that they should be separated. Kind of confusing until you list the content of stsstore.jks.

You're right - this is confusing. The STS signs the SAML token with the private key which correlates to the STS certificate. The RP requires the CA certificates and the STS certificate (if self-signed as in this demo case) to validate the SAML token.

I was too lazy in creating two keystores (I just copied the keystore used by the CXF STS distribution). In a production environment, one keystore contains the private key and the certificate for the STS and the other contains the certificate only for the RP.

I've started documenting fediz here:
http://cxf.apache.org/fediz.html

It would make sense to add a section on what to consider for a production implementation. I'll add that.

Thanks

From: Gina Choi [ginacho...@gmail.com]
Sent: 14 May 2012 18:00
To: Oliver Wulff
Cc: users@cxf.apache.org
Subject: Re: CXF supporting scope

Hi Oliver,

Thanks for your response. I copied over stsstore.jks into tomcat rp and I am seeing the saml token now.
> The SAML token issued by the IDP/STS is signed and the used certificate must be referenced to validate the signature:
>
>     <trustedIssuerItem provider=".*CN=www.sts.com.*">
>         <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" />
>     </trustedIssuerItem>
>
> In this example, I used a self-signed certificate and I was too lazy in separating the keystore into one with the private key and into one without.
>
> You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.

But I still don't understand why I have to copy the stsstore.jks file into RP. stsstore.jks is the keystore file of STS and it should be sitting somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should have its own keystore file, for example clientstore.jks.

When the client issues an AuthnRequest to STS, it will sign the AuthnRequest with the STS signing certificate. Vice versa, when STS issues an Assertion token, it will be signed by the client signing certificate.

In the fediz project scenario, RP will be the client and it will never have the keystore file of STS.

I just looked at the content of stsstore.jks and it looks like you combined the sts, client and service keystore files into one - stsstore.jks. In other words, stsstore.jks is being used as a keystore file for all three - client, service and sts. Is that correct? I think that they should be separated. Kind of confusing until you list the content of stsstore.jks.

Thanks.
Gina

On Fri, May 11, 2012 at 2:55 AM, Oliver Wulff <owu...@talend.com> wrote:

Hi Gina

The SAML token issued by the IDP/STS is signed and the used certificate must be referenced to validate the signature:

    <trustedIssuerItem provider=".*CN=www.sts.com.*">
        <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" />
    </trustedIssuerItem>

In this example, I used a self-signed certificate and I was too lazy in separating the keystore into one with the private key and into one without.

You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.

In your scenario with ADFS, you must import the CA certs which signed the ADFS cert into a keystore and configure the CN name as a regular expression in the attribute "provider". (The name provider is misleading, will fix that.)

Thanks

From: Gina Choi [ginacho...@gmail.com]
Sent: 11 May 2012 00:44
To: Oliver Wulff
Cc: users@cxf.apache.org
Subject: Re: CXF supporting scope

Hi Oliver,

Until this afternoon, I didn't have time to work with Fediz. Finally I have successfully deployed idp, sts and simpleWebapp on Tomcat 7.0.27. Everything went well. I guess that on the other day, I thought I was doing something, but I probably did something else.
:)

After typing https://localhost:8443/fedizhelloworld/secureservlet/fed into the browser, I input the test user name and password, but it failed.

    org.apache.ws.security.components.crypto.CredentialException: Proxy file (/projects/fediz/tomcat-rp2/conf/stsstore.jks) not found.

In your fediz_config.xml, you have the following lines. Why do we put the sts keystore file on the RP server? Does the web application need to know where the sts keystore file is?

    <trustedIssuers>
        <trustedIssuerItem provider=".*CN=www.sts.com.*">
            <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" />
        </trustedIssuerItem>
    </trustedIssuers>

Thanks.

Gina

On Wed, May 9, 2012 at 1:45 AM, Oliver Wulff <owu...@talend.com> wrote:

Hi Gina

The steps are absolutely correct. Not sure about the failing deployment step for the application. Have you also updated tomcat-users.xml of the second tomcat instance? Or was the application already deployed once and you must run "mvn clean install tomcat:redeploy"? Is anything logged in catalina.out?
Otherwise, just copy the war manually from target/fedizhelloworld.war to <tomcat-dir>/webapps.

I've checked in fediz_config.xml in examples/simpleWebapp/src/main/config (sorry for that). Please manually copy it to the location you've configured in the context.xml.
Ensure that the IDP url (later ADFS):

    <issuer>https://localhost:9443/fedizidp/</issuer>

and the location of the trusted keystore is updated:

    <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" />

It will be supported in the next days to also configure a location relative to catalina.home.

Thanks
Oli

From: Gina Choi [ginacho...@gmail.com]
Sent: 09 May 2012 00:55
To: Oliver Wulff
Cc: users@cxf.apache.org
Subject: Re: CXF supporting scope

By the way, I checked out the head version of the fediz project from SVN.

On Tue, May 8, 2012 at 6:36 PM, Gina Choi <ginacho...@gmail.com> wrote:

Hi Oliver,

I am using separate Tomcat instances for IDP and application and I set up https. The following is what I did.

I checked out the Fediz project onto my local machine. As you explained in your post
http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html,
I ran mvn clean install in plugins/core, plugins/tomcat and examples/simpleWebapp/. I configured maven's settings.xml and updated tomcat-users.xml. I ran mvn tomcat:deploy under fediz\trunk\plugins, and I am seeing both IDP and STS are deployed.

I am just having a problem with deploying the sample application in another Tomcat instance.

1. I created sub-directory fediz in ${catalina.home}/lib of the tomcat-rp.

2. I have the following line in catalina.properties in ${catalina.home}/conf.

    common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar

3. I deployed the built libraries and dependencies to the directory created in (1). I got the built libraries from fediz-tomcat/target/fediz-tomcat-0.6-SNAPSHOT-zip-with-dependencies.zip.
After this, I am getting error messages when starting Tomcat. This is preventing me from doing step 5, deploying the applications properly.
If I replace the generated lib/fediz jar files with the old jar files that I downloaded from your post, I am able to start tomcat without error and able to deploy the application, but it couldn't run properly.

4. Since I can't find fediz_config.xml, I configured META-INF/context.xml as follows.

    <Context>
        <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
               issuerURL="https://localhost:9443/fedizidp/"
               truststoreFile="conf/stsstore.jks"
               truststorePassword="stsspass"
               trustedIssuer=".*CN=www.sts.com.*" />
    </Context>

5. If I run mvn tomcat:deploy under fediz\trunk\examples\simpleWebapp, I am getting the following error message.

    Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.1:deploy (default-cli) on project simpleWebapp: Cannot invoke Tomcat manager: FAIL - Failed to deploy application at context path /fedizhelloworld -> [Help 1]

So, I couldn't get your application to run.
I hope that all these problems are caused by the missing fediz_config.xml.

Thanks.

Gina

On Tue, May 8, 2012 at 2:46 PM, Oliver Wulff <owu...@talend.com> wrote:

Hi Gina

I'll send you and check in the fediz_config.xml as soon as I can - I'm on the way right now.

This STS URL is fine, the Mock IDP uses the CXF STS. When the application works you will change in your application (fediz_config.xml) the issuerUrl of ADFS.

Have you configured HTTPS for the IDP Tomcat instance and your application Tomcat instance?

I recommend to use a separate instance for the IDP and your application.

Do you use the port 9443?

Thanks

From: Gina Choi [ginacho...@gmail.com]
Sent: 08 May 2012 20:20
To: Oliver Wulff
Cc: users@cxf.apache.org
Subject: Re: CXF supporting scope

Hi Oliver

> I'd recommend to successfully deploy the wsclientWebapp sample and the IDP. When this works, rip&replace one piece after the other. I'd recommend to choose the following approach.
> 1) Replace the Fediz IDP by ADFS
>    + configure the ADFS issuerUrl (context.xml)
>    + ensure that ADFS supports WS-Federation Passive Requestor Profile
>    + configure the certificate used by ADFS to sign the SAML token
>
> (the most recent version of fediz uses a separate xml file for the configuration)

Somehow I couldn't deploy both fediz\trunk\services and fediz\trunk\examples\wsclientWebapp on Tomcat 7.0.27, so I deployed them on Tomcat 7.0.21. I checked the tomcat user name and Maven's settings file and all, but couldn't find the reason. It just said that it can't invoke Tomcat Manager. But since I was able to deploy it on tomcat 7.0.21, I decided to figure it out later.

In the context.xml, I have the following content. So, it looks like issuerURL is defined inside fediz_config.xml, but I searched all directories and couldn't find a file called fediz_config.xml.

    <Context>
        <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
               configFile="conf/fediz_config.xml" />
        <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
               issuerURL="https://localhost:9443/fedizidp/" truststoreFile="conf/stsstore.jks"
               truststorePassword="stsspass" trustedIssuer=".*CN=www.sts.com.*" />-->
        <!--Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
               issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler"
               truststoreFile="conf/stsstore.jks" truststorePassword="stsspass" />-->
    </Context>

In the web.xml file of the idp, you have the following content. ADFS has a mex address.
So, I assume that I need to replace the value of sts.wsdl.url with the ADFS mex address.

    <servlet>
        <servlet-name>FederationServlet</servlet-name>
        <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class>
        <init-param>
            <param-name>sts.wsdl.url</param-name>
            <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl</param-value>
        </init-param>
        <init-param>
            <param-name>sts.wsdl.service</param-name>
            <param-value>SecurityTokenService</param-value>
        </init-param>
    </servlet>

Thanks.

Gina

On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <owu...@talend.com> wrote:

Hi Gina

> I don't mind giving up the existing implementation as long as I find a better solution. I was hoping that the Fediz project uses only Apache CXF instead of introducing another framework - OpenSAML.

Apache CXF uses OpenSAML too for all SAML processing for SOAP and REST based service communication. OpenSAML is widely used and bundled into other frameworks like CXF and Fediz.

> If I only consider the passive profile at this moment, what changes are needed to the Fediz project to point to ADFS(STS) instead of Apache CXF STS? Where did you define your stsActionURL? I'd like to start with the passive profile since it is easier to start with. I can use your sample application.
> It doesn't matter if I use Airline or not since it is just a prototype.

I'd recommend to successfully deploy the wsclientWebapp sample and the IDP. When this works, rip&replace one piece after the other. I'd recommend to choose the following approach.

1) Replace the Fediz IDP by ADFS
   + configure the ADFS issuerUrl (context.xml)
   + ensure that ADFS supports WS-Federation Passive Requestor Profile
   + configure the certificate used by ADFS to sign the SAML token

(the most recent version of fediz uses a separate xml file for the configuration)

2) Update the webapp to generate and use the stubs of the BookingService in the FederationServlet (just a test - call the simplest method). Configure the ASP.NET wsdl location (usually url?wsdl). Configure the ADFS STS url in the STSClient bean in the beans.xml configuration. Change the property onbehalfof to actas.
HTH

From: Gina Choi [ginacho...@gmail.com]
Sent: 08 May 2012 01:05
To: Oliver Wulff
Cc: users@cxf.apache.org
Subject: Re: CXF supporting scope

Hi Oliver,

I am not responsible for BookingService (.NET). The other guys implemented it using WIF. You know that Microsoft created WIF and tested it with ADFS, so if it doesn't work, I would be surprised.

> Which Servlet container do you use?

I am using Tomcat 7.

> In your current setup, how does the samlp:Response look like?

I sent you the decoded SAML response token in a separate email. I am retrieving the base64-encoded saml response token using the following code.

    String encodedSamlResponseTokenStr = request.getParameter("SAMLResponse");

I don't mind giving up the existing implementation as long as I find a better solution. I was hoping that the Fediz project uses only Apache CXF instead of introducing another framework - OpenSAML.

I loaded
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
into Eclipse today.

Basically I need the following three URLs for ADFS(STS).
The first two are for the active profile and the third one is for the passive profile (SP-initiated Redirect POST bindings). If I only consider the passive profile at this moment, what changes are needed to the Fediz project to point to ADFS(STS) instead of Apache CXF STS? Where did you define your stsActionURL? I'd like to start with the passive profile since it is easier to start with. I can use your sample application. It doesn't matter if I use Airline or not since it is just a prototype.

    private static final String stsEndpoint = "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
    private static final String stsMEXAddress = "https://strts01.ams.dev/adfs/services/trust/mex";
    private static final String stsActionURL = "https://strts01.ams.dev/adfs/ls/";

Thanks again for your guidance.

Gina

On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <owu...@talend.com> wrote:

Hi Gina

The fediz project is used to protect your web application where the client is a browser. Right now, Fediz supports WS-Federation Passive Requestor Profile, which is supported by ADFS and usually used in the .NET world as the default mechanism. You don't have to implement that in your application - that's done by the Fediz plugin. Fediz uses opensaml for SAML processing.

The original URL is stored in the wreply parameter. .NET uses a combination of the wtrealm and wctx parameter.
Your Airline application can use CXF for the web services communication (for the REST communication also, if you like). The built-in support in CXF for the IssuedToken assertion (WS-SecurityPolicy) supports getting a token from ADFS using actas. In my example, just use actas instead of the onbehalfof property.

> ADFS generates a SAML token and this SAML token is sent back to Airline (Airline does all validation work) and cached in the session. - This part is implemented.

The validation work is already done by Fediz. Session management is then done by the JEE container. Your application is called after the SAML token issued by ADFS is successfully validated. The container will create the session and check on every incoming request whether the used token is still valid - otherwise, the browser is redirected again to ADFS. You could also configure some roles in ADFS to protect your web application, as the fediz plugin tells the container the userid as well as its roles. You could even use claims if you like.

Which Servlet container do you use?

In your current setup, how does the samlp:Response look like?
Thanks

Oli

From: Gina Choi [ginacho...@gmail.com]
Sent: 07 May 2012 20:24
To: users@cxf.apache.org
Cc: Oliver Wulff
Subject: Re: CXF supporting scope

Hi Oliver,

I did notice that your sample application used both the opensaml and openws libraries. Are they used by Apache CXF or just by the Fediz project?

I need to clarify my environment further to give you a better picture.

1. All web services in my application are REST. The only reason that I use SOAP is to create a soap client to call a .NET SOAP web service which resides in another application. I am working with a .NET guy to prove some prototypes. His sample application is BookingService, whose wsdl I provided you. I am working on Airline.

    BookingService: .NET4.0 SOAP
    Airline: Java with REST

2. Both BookingService and Airline use the same ADFS as STS. We have set up relying parties for BookingService and Airline in ADFS.

3. SSO: A user will be using both Airline and BookingService. So, she/he should be able to log on once for both applications. In Airline (my application), I used SP-initiated POST redirect bindings.
So, when a user makes a request to Airline for the first time, the user will be redirected to ADFS and asked for credentials. After the user provides username/password, ADFS generates a SAML token and this SAML token is sent back to Airline (Airline does all validation work) and cached in the session. - This part is implemented.

4. Now a user calls BookingService, which is claim aware. So, I need to inject the Assertion token obtained in the previous step inside the actas element to call STS (ADFS 2.0) to get a new token. With that new token, I will be calling the Booking service.

So, I don't think that I am able to use the Apache CXF STS part since my STS will be ADFS. So, I am hoping that Apache CXF can work with ADFS(STS) to support my prototypes.

Thanks.

Gina

On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <owu...@talend.com> wrote:

Hi Gina

> So, what I need is after the user logs on using Web SSO, the SAML token should be cached in the web context and used as the actas token when making a call to the .NET web service.

This is supported by CXF without writing a single line of code.
I do have a sample web application here:

http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/

This example illustrates:
- fediz is configured for web sso
- SAML token is cached in the session and used to request a new token from the STS

The code to call the web service is in FederationServlet.doPost():

    ...
    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
    String reply = service.greetMe();
    ...

The magic is in the configuration I used here:

http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup

The following property registers a callback handler to provide the STSClient the token of the Web Login:

    <property name="onBehalfOf" ref="delegationCallbackHandler" />

(There is also a property for actAs)

The above example should do exactly what you need. You just have to change the above property to use ActAs instead of OnBehalfOf. The details for this example are described here:

http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html

To test this easily, you can use the Mock IDP as part of Fediz for the authentication. You could also attach Active Directory in the Mock if you like.
See here: >> > >>>>>>> >> > >>>>>>> >> > >> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html >> > >>>>>>> >> > >>>>>>> I use that within a customer set up to connect the CXF STS to >> > Active >> > >>>>>>> Directory. >> > >>>>>>> >> > >>>>>>> >>> >> > >>>>>>> What is Spring role in CXF? >> > >>>>>>> >>> >> > >>>>>>> You can use Spring to configure your services. The above >> example >> > is >> > >>>>>>> based on spring. As you see, all security related stuff is >> enabled >> > by >> > >>>>>>> configuration (Convention of Configuration). You can also write >> an >> > >>>>>>> application without spring but I wouldn't write an application >> > without >> > >>>>>>> spring nowadays but this is up to you. >> > >>>>>>> >> > >>>>>>> >>> >> > >>>>>>> I don't know much LDAP, but it should be used as an attribute >> > store. >> > >>>>>>> I consider it as an alternative of Active Directory. Please >> > correct me if I >> > >>>>>>> am wrong. >> > >>>>>>> >>> >> > >>>>>>> Active Directory provides different interfaces. One of them is >> > >>>>>>> LDAP. You can use the LDAPLoginModule of the JDK for >> > authentication. But >> > >>>>>>> you don't have to care that much as ADFS (and maybe the Fediz >> Mock >> > for >> > >>>>>>> testing) will access ActiveDirectory to read the claims to add >> > them to the >> > >>>>>>> SAML token. >> > >>>>>>> >> > >>>>>>> Could you zip the wsdl before attaching? >> > >>>>>>> >> > >>>>>>> Thanks >> > >>>>>>> >> > >>>>>>> >> > >>>>>>> >> > >>>>>>> ------ >> > >>>>>>> >> > >>>>>>> Oliver Wulff >> > >>>>>>> >> > >>>>>>> Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/> >> > >>>>>>> Solution Architect >> > >>>>>>> http://coders.talend.com >> > >>>>>>> >> > >>>>>>> <http://coders.talend.com>Talend Application Integration >> Division >> > >>>>>>> http://www.talend.com >> > >>>>>>> >> > >>>>>>> ________________________________ >> > >>>>>>> Von: Gina Choi [ginacho...@gmail.com] >> > >>>>>>> Gesendet: Freitag, 4. 
Mai 2012 20:54 >> > >>>>>>> Bis: users@cxf.apache.org >> > >>>>>>> Betreff: Re: CXF supporting scope >> > >>>>>>> >> > >>>>>>> Hi Oliver, >> > >>>>>>> >> > >>>>>>> Thanks for your response. >> > >>>>>>> >> > >>>>>>> >You mean that WIF is deployed in the ASP.NET<http://asp.net/> >> > web >> > >>>>>>> service using the Active Requestor Profile? >> > >>>>>>> >The SAML token should contain the claims as an >> AttributeStatement? >> > >>>>>>> >Can you share with us the WS-SecurityPolicy of this Web >> Service? >> > >>>>>>> I have attached two wsdl file. BookingService.wsdl and >> > >>>>>>> BookingService_imported.wsdl. BookingService.wsdl is importing >> > >>>>>>> BookingService_imported.wsdl and if you open >> BookingService.wsdl, >> > in line >> > >>>>>>> 10 there is a importing statement like bellow. This .NET4.0 >> > service is not >> > >>>>>>> owned by me and I don't know if separating wsdl file is common >> > practice. Is >> > >>>>>>> there anyway to combin them into one when generate artifact >> using >> > wsimport? >> > >>>>>>> I will be calling CheckIn operation. >> > >>>>>>> >> > >>>>>>> <wsdl:import location=" >> > >>>>>>> >> > >> http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0 >> > " >> > >>>>>>> namespace="http://tempuri.org/"/> >> > >>>>>>> >> > >>>>>>> >I haven't used ADFS using WS-Trust so far. Usually, it uses a >> > >>>>>>> Symmetric and Asymmetric binding. >> > >>>>>>> >What roles does ADFS 2.0 play? >> > >>>>>>> >Once as the IDP for the Web application SSO and once to let >> issue >> > a >> > >>>>>>> token onbehalfof/actas the original token >from the Web SSO? >> (this >> > is >> > >>>>>>> supported by CXF-Fediz) >> > >>>>>>> > >> > >>>>>>> >> > >> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html >> > >>>>>>> I am using Active Directory as an attribute store. So, I could >> say >> > >>>>>>> ADFS role should be IDP. 
So, what I need is after user log on >> > using Web >> > >>>>>>> SSO, the SAML token should be cached in web context and being >> used >> > as actas >> > >>>>>>> token when making a call to .NET web service. >> > >>>>>>> >> > >>>>>>> > Yes, the passive profile is supported by Fediz. Is ADFS the >> IDP? >> > >>>>>>> In which application server is your web >application deployed? >> > >>>>>>> ADFS is IDP and my Java web application is Service Provider. >> > >>>>>>> >> > >>>>>>> >What do you mean exactly? Is LDAP used for authentication by >> the >> > >>>>>>> STS? Or should the service provider retrieve >the claims/roles >> > from LDAP? >> > >>>>>>> I don't know much LDAP, but it should be used as an attribute >> > store. >> > >>>>>>> I consider it as an alternative of Active Directory. Please >> > correct me if I >> > >>>>>>> am wrong. I have been reading many specifications, but I am >> still >> > having >> > >>>>>>> hard time to straiten up correct terms. >> > >>>>>>> >> > >>>>>>> >No, Spring is not a requirement. >> > >>>>>>> What is Spring role in CXF? >> > >>>>>>> >> > >>>>>>> Thanks. >> > >>>>>>> >> > >>>>>>> Gina >> > >>>>>>> On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff < >> owu...@talend.com >> > >>>>>>> <mailto:owu...@talend.com>> wrote: >> > >>>>>>> >>> >> > >>>>>>> 1. I have to create a client for .NET4.0 web service which claim >> > >>>>>>> aware. So, >> > >>>>>>> how is CXF interoperability with .NET? >> > >>>>>>> >>> >> > >>>>>>> You mean that WIF is deployed in the ASP.NET<http://ASP.NET> >> web >> > >>>>>>> service using the Active Requestor Profile? >> > >>>>>>> The SAML token should contain the claims as an >> AttributeStatement? >> > >>>>>>> Can you share with us the WS-SecurityPolicy of this Web Service? >> > >>>>>>> >> > >>>>>>> >>> >> > >>>>>>> 2. If CXF support ADFS2.0 as STS. >> > >>>>>>> >>> >> > >>>>>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a >> > >>>>>>> Symmetric and Asymmetric binding. 
>> > >>>>>>> What roles does ADFS 2.0 play? >> > >>>>>>> Once as the IDP for the Web application SSO and once to let >> issue a >> > >>>>>>> token onbehalfof/actas the original token from the Web SSO? >> (this >> > is >> > >>>>>>> supported by CXF-Fediz) >> > >>>>>>> >> > >>>>>>> >> > >> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html >> > >>>>>>> >> > >>>>>>> >>> >> > >>>>>>> 3. If CXF support passive profile. Especially SP initiated >> Redirect >> > >>>>>>> -> POST >> > >>>>>>> binding. >> > >>>>>>> >>> >> > >>>>>>> Yes, the passive profile is supported by Fediz. Is ADFS the >> IDP? In >> > >>>>>>> which application server is your web application deployed? >> > >>>>>>> >> > >>>>>>> >>> >> > >>>>>>> 4. If CXF can work with LDAP. >> > >>>>>>> >>> >> > >>>>>>> What do you mean exactly? Is LDAP used for authentication by the >> > >>>>>>> STS? Or should the service provider retrieve the claims/roles >> from >> > LDAP? >> > >>>>>>> >> > >>>>>>> >>>> >> > >>>>>>> 5. My application doesn't use Spring frame work. Do I have to >> use >> > >>>>>>> Spring >> > >>>>>>> Frame work to use CXF. >> > >>>>>>> >>> >> > >>>>>>> No, Spring is not a requirement. >> > >>>>>>> >> > >>>>>>> >> > >>>>>>> >> > >>>>>>> >> > >>>>>>> ------ >> > >>>>>>> >> > >>>>>>> Oliver Wulff >> > >>>>>>> >> > >>>>>>> Blog: http://owulff.blogspot.com >> > >>>>>>> Solution Architect >> > >>>>>>> http://coders.talend.com >> > >>>>>>> >> > >>>>>>> Talend Application Integration Division http://www.talend.com >> > >>>>>>> >> > >>>>>>> ________________________________________ >> > >>>>>>> Von: gchoi [gc...@sdl.com<mailto:gc...@sdl.com>] >> > >>>>>>> Gesendet: Mittwoch, 2. Mai 2012 17:29 >> > >>>>>>> Bis: users@cxf.apache.org<mailto:users@cxf.apache.org> >> > >>>>>>> Betreff: CXF supporting scope >> > >>>>>>> >> > >>>>>>> Hi All, >> > >>>>>>> >> > >>>>>>> So far, I evaluated several frame works, but they seem don't do >> > what >> > >>>>>>> I >> > >>>>>>> expect. 
Several people suggested me that I should consider CXF. >> > >>>>>>> Before I dig >> > >>>>>>> into CXF, I would like know if CXF support following things. By >> the >> > >>>>>>> way, I >> > >>>>>>> just joined this user group. >> > >>>>>>> >> > >>>>>>> >> > >>>>>>> 1. I have to create a client for .NET4.0 web service which claim >> > >>>>>>> aware. So, >> > >>>>>>> how is CXF interoperability with .NET? >> > >>>>>>> >> > >>>>>>> 2. If CXF support ADFS2.0 as STS. >> > >>>>>>> >> > >>>>>>> 3. If CXF support passive profile. Especially SP initiated >> Redirect >> > >>>>>>> -> POST >> > >>>>>>> binding. >> > >>>>>>> >> > >>>>>>> 4. If CXF can work with LDAP. >> > >>>>>>> >> > >>>>>>> 5. My application doesn't use Spring frame work. Do I have to >> use >> > >>>>>>> Spring >> > >>>>>>> Frame work to use CXF. >> > >>>>>>> >> > >>>>>>> >> > >>>>>>> >> > >>>>>>> Thank in advance. >> > >>>>>>> >> > >>>>>>> -- >> > >>>>>>> View this message in context: >> > >>>>>>> >> > http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html >> > >>>>>>> Sent from the cxf-user mailing list archive at Nabble.com. >> > >>>>>>> >> > >>>>>>> >> > >>>>>> >> > >>>>> >> > >>>> >> > >>> >> > >> >> > > >> > >> > >
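Oliver's May 5 reply above says the STSClient gets the cached Web SSO token through a callback handler wired with the onBehalfOf (or actAs) property, and that switching the sample to ActAs is only a configuration change. The handler below is an added example, not code from this thread or from the Fediz project: it answers CXF's DelegationCallback with the SAML token Element cached by the Fediz plugin. It assumes that the plugin publishes that token to the request thread via org.apache.cxf.fediz.core.SecurityTokenThreadLocal (an assumption about the plugin, stated again in the code), and the class name ActAsDelegationCallbackHandler is hypothetical.

```java
package example; // hypothetical package, not part of Fediz or CXF

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.fediz.core.SecurityTokenThreadLocal; // assumption: Fediz plugin sets the token here per request
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.w3c.dom.Element;

/**
 * Supplies the SAML token obtained at Web SSO login to the STSClient.
 * When the STSClient bean carries <property name="actAs" ref="..."/> pointing
 * at this handler, it invokes handle() with a DelegationCallback before
 * building the RST; the Element we set becomes the content of the ActAs
 * element, so ADFS (the STS) sees the original, still-signed assertion
 * and issues the new token for the .NET service.
 */
public class ActAsDelegationCallbackHandler implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof DelegationCallback)) {
                // Refuse anything we do not understand rather than silently ignoring it.
                throw new UnsupportedCallbackException(callback, "Only DelegationCallback is supported");
            }

            // Token cached by the Web SSO login for the current request thread (assumed API).
            Element token = SecurityTokenThreadLocal.getToken();

            if (token == null) {
                // Fail closed: without a login token no RST must leave this application,
                // otherwise an unauthenticated request would reach the STS with an empty ActAs.
                throw new IOException("No SAML token cached for this request; Web SSO login missing");
            }

            // Pass the DOM element unmodified: the STS verifies the signature on it,
            // so any re-serialisation or edit would simply make ADFS reject the request.
            ((DelegationCallback) callback).setToken(token);
        }
    }
}
```

To use it in the sample's beans.xml, declare the handler as a bean (for example `<bean id="delegationCallbackHandler" class="example.ActAsDelegationCallbackHandler"/>`) and change the STSClient property from `onBehalfOf` to `actAs` with the same `ref`. The handler deliberately throws when no token is present instead of returning quietly: the STSClient treats a handler that sets nothing as "no delegation token", which would produce an RST that ADFS rejects with a much less obvious error.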