Hi Oliver,

> Ask the ADFS administrator to provide you the url for the WS-Fed PRP
> endpoint in ADFS. This URL must be configured in Fediz.

ADFS 2.0 supports both the WS-Federation and SAML 2.0 Web SSO protocols, and the
URLs are the same. I used SAML 2.0 Web SSO while Fediz is using
WS-Federation. That's why I couldn't recognize the URL parameters of
WS-Federation. You must have some reason to choose WS-Federation over SAML 2.0
Web SSO. I have heard that WS-Federation is limited to SAML 1.1 tokens.

> Step 4 in the following links describes how to configure the relying party
> in ADFS:

I know how to configure relying parties in ADFS 2.0.

Thanks.

Gina
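An added example (not code from this thread, from Fediz or from ADFS) that classifies and validates the sign-in URLs discussed in this thread: it distinguishes the WS-Federation sign-in request (wa=wsignin1.0, wtrealm, wreply, wctx) from a SAML 2.0 HTTP-Redirect request (SAMLRequest, RelayState), extracts the WS-Fed parameters, and checks that wreply stays inside the realm named by wtrealm, which is the check a relying party or IdP wants before honouring a return URL. The function names and the SAML 2.0 sample URL are this example's own; the WS-Fed sample URL is the one quoted in the thread.

```python
"""Classify a browser sign-in URL as WS-Federation PRP or SAML 2.0 Redirect,
extract the WS-Fed parameters, and verify that wreply stays inside wtrealm.

Added example for this thread, not Fediz/CXF/ADFS code. Function names and
the SAML 2.0 sample URL are constructed for the example; the WS-Fed sample
URL is the one quoted in the thread.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# WS-Fed sign-in request as quoted in the thread (localhost helloworld RP).
SAMPLE_WSFED_URL = (
    "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed"
    "?wa=wsignin1.0"
    "&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecureservlet%2Ffed"
    "&wtrealm=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2F"
)

# Constructed SAML 2.0 HTTP-Redirect request: SAMLRequest would be a deflated,
# base64 AuthnRequest (placeholder here), RelayState carries the original URL.
SAMPLE_SAML2_URL = (
    "https://idp.example.test/adfs/ls/?SAMLRequest=PLACEHOLDER"
    "&RelayState=https%3A%2F%2Fsp.example.test%2FAirline%2FWelcome.jsp"
)


def classify_signin_url(url):
    """'wsfed-signin' for wa=wsignin1.0, 'saml2-redirect' for SAMLRequest."""
    q = parse_qs(urlsplit(url).query)
    if q.get("wa") == ["wsignin1.0"]:
        return "wsfed-signin"
    if "SAMLRequest" in q:
        return "saml2-redirect"
    return "unknown"


def parse_wsfed_signin(url):
    """Return wtrealm/wreply/wctx of a WS-Fed sign-in; reject duplicates."""
    q = parse_qs(urlsplit(url).query)
    if q.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a WS-Federation sign-in request")

    def single(name):
        values = q.get(name, [])
        if len(values) > 1:
            raise ValueError("parameter %s given more than once" % name)
        return values[0] if values else None

    realm = single("wtrealm")
    if realm is None:
        raise ValueError("wtrealm is required")
    return {"wtrealm": realm, "wreply": single("wreply"), "wctx": single("wctx")}


def build_wsfed_signin(idp_endpoint, wtrealm, wreply=None, wctx=None):
    """Build the redirect an RP sends the browser to; inverse of the parser."""
    params = [("wa", "wsignin1.0"), ("wtrealm", wtrealm)]
    if wreply is not None:
        params.append(("wreply", wreply))
    if wctx is not None:
        params.append(("wctx", wctx))
    return idp_endpoint + "?" + urlencode(params)


def _origin(url):
    """(scheme, host, effective port) so 'https://h' == 'https://h:443'."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def wreply_within_realm(wreply, wtrealm):
    """True if wreply is https, has the same origin as wtrealm and its path
    is the realm path or a sub-path of it (prefix on a '/' boundary)."""
    if wreply is None:
        return True  # the IdP then uses the endpoint registered for the realm
    if urlsplit(wreply).scheme.lower() != "https":
        return False
    if _origin(wreply) != _origin(wtrealm):
        return False
    realm_path = urlsplit(wtrealm).path or "/"
    if not realm_path.endswith("/"):
        realm_path += "/"
    reply_path = urlsplit(wreply).path or "/"
    return reply_path == realm_path.rstrip("/") or reply_path.startswith(realm_path)


def check_wsfed_signin(url):
    """Parse and validate in one step; returns (ok, detail)."""
    try:
        req = parse_wsfed_signin(url)
    except ValueError as exc:
        return False, str(exc)
    if not wreply_within_realm(req["wreply"], req["wtrealm"]):
        return False, "wreply %r is outside realm %r" % (req["wreply"], req["wtrealm"])
    return True, req
```

Call check_wsfed_signin on a URL to get either the parsed parameters or the reason it was rejected; the origin comparison uses the effective port so https://host and https://host:443 compare equal, while a wreply on another host, scheme or path prefix (including a look-alike path such as /fedizhelloworld.evil/) is rejected.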

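A second added example (again not Fediz or CXF code) for the trustedIssuerItem provider / trustedIssuer pattern quoted further down in this thread, .*CN=www.sts.com.*: it runs that pattern and a stricter alternative over a few constructed certificate subject DNs, to show what an unanchored regex accepts as a trust anchor. How Fediz applies the pattern is not stated in this thread; the example assumes a full-string regex match, which is what the leading and trailing .* suggest. The subject DNs and function names are constructed for the example.

```python
"""Match a token issuer's certificate subject DN against a Fediz-style
trusted-issuer pattern and compare a loose pattern with a strict one.

Added example for this thread, not Fediz/CXF code. The thread shows the
pattern ".*CN=www.sts.com.*" in the trustedIssuerItem 'provider' attribute
(and the trustedIssuer valve attribute); how Fediz itself applies it is not
stated on the page, so this example ASSUMES a full-string regex match.
The subject DNs below are constructed for the example.
"""
import re

# Pattern as it appears in the thread's fediz_config.xml / context.xml.
THREAD_PATTERN = ".*CN=www.sts.com.*"

# Constructed subject DNs: the demo STS cert plus three look-alikes that an
# issuer check should not accept.
SUBJECTS = {
    "demo-sts":  "CN=www.sts.com, OU=IDP, O=Demo, C=US",
    "suffixed":  "CN=www.sts.com.example.test, O=Other, C=US",
    "dots-wild": "CN=wwwXstsXcom, O=Other, C=US",
    "nested-cn": "CN=someone, OU=CN=www.sts.com, O=Other, C=US",
}


def issuer_matches(subject_dn, pattern):
    """Full-string regex match of the subject DN (the assumed semantics)."""
    return re.fullmatch(pattern, subject_dn) is not None


def strict_issuer_pattern(common_name):
    """Pattern that accepts exactly this CN as one RDN of the DN: the literal
    is escaped (so '.' no longer matches any character) and CN= must start
    at the beginning of the DN or directly after an RDN separator."""
    return r"(?:^|.*,\s*)CN=" + re.escape(common_name) + r"(?:\s*,.*)?$"


def accepted_by(pattern):
    """Sorted names of the constructed subjects a pattern would trust."""
    return sorted(k for k, dn in SUBJECTS.items() if issuer_matches(dn, pattern))


def token_issuer_trusted(signature_valid, subject_dn, pattern):
    """A token is trusted only when its signature verified against a cert in
    the configured keystore AND that cert's subject matches the pattern."""
    return bool(signature_valid) and issuer_matches(subject_dn, pattern)
```

With the thread's pattern all four constructed subjects match, because the unescaped dots and the leading .* let the CN appear anywhere in the DN with any characters in place of the dots; the strict pattern built by strict_issuer_pattern("www.sts.com") accepts only the demo STS subject. Whichever pattern is used, it is only half the check: the keystore referenced by trustedIssuerItem must contain the issuer's certificate so the token signature is verified first.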
On Mon, May 14, 2012 at 5:29 PM, Oliver Wulff <owu...@talend.com> wrote:

> Hi Gina
>
> Ask the ADFS administrator to provide you the url for the WS-Fed PRP
> endpoint in ADFS. This URL must be configured in Fediz.
>
> >>>
> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecureservlet%2Ffed&wtrealm=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2F
> >>>
>
> This is the SignIn request of WS-Fed PRP which is supported by ADFS.
>
> Do you have the url of the Metadata document? If yes, there you should see
> the PassiveRequestorUrl.
>
> Step 4 in the following links describes how to configure the relying party
> in ADFS:
> http://technet.microsoft.com/en-us/library/adfs2-federation-wif-application-step-by-step-guide(v=ws.10).aspx
>
> HTH
>
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com
> ------------------------------
> From: Gina Choi [ginacho...@gmail.com]
> Sent: 14 May 2012 22:44
> To: users@cxf.apache.org
> Cc: Oliver Wulff
> Subject: Re: CXF supporting scope
>
> Hi Oliver,
>
> ADFS 2.0 has many endpoints and, depending on the request or profile that we
> use, we have to use different endpoints. When I test helloworld, I see the
> username token sent to the STS as a security header, so I used the
> adfs/services/trust/13/usernamemixed endpoint of ADFS, but when I look at
> the URL in the browser, it looks like SP-initiated redirect/POST binding,
> but I don't see a base64-encoded SAMLRequest. That's why I am confused.
>
> Gina
>
>
>  On Mon, May 14, 2012 at 4:27 PM, Gina Choi <ginacho...@gmail.com> wrote:
>
>>
>> > Neither the RST nor the RSTR are encrypted. It's planned for the next
>> > release of the Fediz plugin to support encrypted token which are embedded
>> > in RSTR.
>> Ok. Just verifying with you.
>>
>> > Is it required to support encrypted tokens initially? I should have this
>> > functionality by end of May.
>> Encryption doesn't matter at this time.
>>
>> > You have to export the signing cert from ADFS and import into a java
>> > keystore. Don't import it into stsstore.jks as this should be used for
>> > this demo IDP only.
>> When I import the ADFS signing cert into a Java keystore, what alias name
>> should I use? You must reference the alias name from somewhere.
>>
>> I also need to import the Service Provider signing cert into ADFS. How do I
>> export it?
>>
>> I was trying to point helloworld to ADFS, but it seems not simple. wreply
>> vs RelayState. What is wa=wsignin1.0 and wtrealm? Without deep change,
>> it wouldn't work with ADFS.
>> Based on the following url, I couldn't tell what kind of profile you use.
>> I couldn't really tell. Please see the oasis link.
>>
>> http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
>>
>> Fediz
>>
>>
>> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecureservlet%2Ffed&wtrealm=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2F
>>
>> SP initiated redirect POST binding:
>>
>> GET
>> /adfs/ls/?SAMLRequest=pZJPa9wwEMXv%2FRRG99U%2F73ptsXbYNoQGUrpknRR6KbI9TtTKkquR3Xz8Opss5FQKOQ7MvPd4v9ldPA02mSGg8a4kgnKSgGt9Z9xDSe7qq1VOLqoPO9SDHdV%2Bio%2FuFn5PgDHZI0KIy9kn73AaIBwhzKaFu9ubkjzGOKJi7M8vcDjzlGf0wfpGW4qdpa0Po8rX65TtTbDGAVscgX0D2%2FoB6E8cSXK5eBin4ynXWQ5jiMgF1QPSDmamux6ZRUaSKx9aOOUrSQwTkOT6siQ%2F0qLXfSZyyLs0K%2Fi24SKVXd%2B1hWw2a5GKrMi2siv6LMubPFuu8KARzQwl6bXFZx3ECa4dRu1iSSQXcsU3K7GuJVciVxtJt7n4TpJD8NG33n407qW9KTjlNRpUTg%2BAKrbquP9yoyTlqnlZQvW5rg%2Brw9djTZL7MwX5TGHh4lCdev%2B31PjqS6pXSqfA4f8F9Bkkqd6LbcfeRqjO49u%2Fqf4C&RelayState=
>> https://wkensv0306.global.sdl.corp:8443/Airline/code/Welcome.jsp HTTP/1.1
>>
>>
>> On Mon, May 14, 2012 at 3:51 PM, Oliver Wulff <owu...@talend.com> wrote:
>>
>>> Hi Gina
>>>
>>> >>>
>>> It looks like that you don't encrypt RST and RSTR, but you said that
>>> both RST and RSTR are signed. I need to import signing cert from ADFS to
>>> stsstore.jks keystore. Which one is key alias for RP? You have clientkey,
>>> myservicekey and mystskey. Vice versa, I need to export signing cert from
>>> RP to import it to ADFS. Do you have signing cert somewhere or I have to
>>> export it myself?
>>> >>>
>>>  Neither the RST nor the RSTR are encrypted. It's planned for the next
>>> release of the Fediz plugin to support encrypted token which are embedded
>>> in RSTR.
>>>
>>> Is it required to support encrypted tokens initially? I should have this
>>> functionality by end of May.
>>>
>>> You have to export the signing cert from ADFS and import into a java
>>> keystore. Don't import it into stsstore.jks as this should be used for this
>>> demo IDP only.
>>>
>>> Thanks
>>> Oli
>>>
>>>
>>>
>>> ------
>>>
>>> Oliver Wulff
>>>
>>> Blog: http://owulff.blogspot.com
>>> Solution Architect
>>> http://coders.talend.com
>>>
>>>  Talend Application Integration Division http://www.talend.com
>>>
>>> ________________________________________
>>> From: Gina Choi [ginacho...@gmail.com]
>>>  Sent: 14 May 2012 21:23
>>> To: users@cxf.apache.org
>>>  Subject: Re: CXF supporting scope
>>>
>>> Hi Oliver,
>>>
>>> > You're right - this is confusing. The STS signs the SAML token with the
>>> > private key which correlates to the STS certificate. The RP requires the
>>> > CA certificates and the STS certificate (if self-signed as in this demo
>>> > case) to validate the SAML token.
>>>
>>> Thanks for the response. I looked at the request and response messages
>>> between RP and STS. It looks like you don't encrypt RST and RSTR, but you
>>> said that both RST and RSTR are signed. I need to import the signing cert
>>> from ADFS into the stsstore.jks keystore. Which one is the key alias for
>>> RP? You have clientkey, myservicekey and mystskey. Vice versa, I need to
>>> export the signing cert from RP to import it into ADFS. Do you have the
>>> signing cert somewhere or do I have to export it myself?
>>>
>>> Thanks.
>>>
>>> Gina
>>>
>>>
>>> On Mon, May 14, 2012 at 2:19 PM, Oliver Wulff <owu...@talend.com> wrote:
>>>
>>> > Hi Gina
>>> >
>>> > >>>
>>> > But I still don't understand why I have to copy the stsstore.jks file
>>> > into RP. stsstore.jks is the keystore file of STS and it should be
>>> > sitting somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should have
>>> > its own keystore file, for example clientstore.jks.
>>> > When the client issues an AuthnRequest to STS, it will sign the
>>> > AuthnRequest with the STS signing certificate. Vice versa, when STS
>>> > issues an Assertion token, it will be signed by the client signing
>>> > certificate.
>>> > In the fediz project scenario, RP will be the client and it will never
>>> > have the keystore file of STS.
>>> > I just looked at the content of stsstore.jks and it looks like you
>>> > combined sts, client and service keystore files into one - stsstore.jks.
>>> > In other words, stsstore.jks is being used as a keystore file for all
>>> > three - client, service and sts. Is that correct? I think that they
>>> > should be separated. Kind of confusing until you list the content of
>>> > stsstore.jks.
>>> > >>>
>>> > You're right - this is confusing. The STS signs the SAML token with the
>>> > private key which correlates to the STS certificate. The RP requires the
>>> > CA certificates and the STS certificate (if self-signed as in this demo
>>> > case) to validate the SAML token.
>>> >
>>> > I was too lazy in creating two keystores (I just copied the keystore
>>> > used by the CXF STS distribution). In a production environment, one
>>> > keystore contains the private key and the certificate for the STS and
>>> > the other contains the certificate only for the RP.
>>> >
>>> > I've started documenting fediz here:
>>> > http://cxf.apache.org/fediz.html
>>> >
>>> > It would make sense to add a section on what to consider for production
>>> > implementation. I'll add that.
>>> >
>>> > Thanks
>>> >
>>> > ------
>>> >
>>> > Oliver Wulff
>>> >
>>> > Blog: http://owulff.blogspot.com
>>> > Solution Architect
>>> > http://coders.talend.com
>>> >
>>> > Talend Application Integration Division http://www.talend.com
>>> >
>>> > ________________________________________
>>> > From: Gina Choi [ginacho...@gmail.com]
>>> > Sent: 14 May 2012 18:00
>>> > To: Oliver Wulff
>>> > Cc: users@cxf.apache.org
>>> > Subject: Re: CXF supporting scope
>>> >
>>> > Hi Oliver,
>>> >
>>> > Thanks for your response. I copied over stsstore.jks into tomcat rp and
>>> > I am seeing the saml token now.
>>> >
>>> > > The SAML token issued by the IDP/STS is signed and the used certificate
>>> > > must be referenced to validate the signature:
>>> > >
>>> > > <trustedIssuerItem provider=".*CN=www.sts.com.*">
>>> > >   <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>>> > >     password="stsspass" type="file" />
>>> > > </trustedIssuerItem>
>>> > >
>>> > > In this example, I used a self-signed certificate and I was too lazy in
>>> > > separating the keystore into one with the private key and into one
>>> > > without.
>>> > >
>>> > > You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
>>> >
>>> > But I still don't understand why I have to copy the stsstore.jks file
>>> > into RP. stsstore.jks is the keystore file of STS and it should be
>>> > sitting somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should have
>>> > its own keystore file, for example clientstore.jks.
>>> >
>>> > When the client issues an AuthnRequest to STS, it will sign the
>>> > AuthnRequest with the STS signing certificate. Vice versa, when STS
>>> > issues an Assertion token, it will be signed by the client signing
>>> > certificate.
>>> >
>>> > In the fediz project scenario, RP will be the client and it will never
>>> > have the keystore file of STS.
>>> >
>>> > I just looked at the content of stsstore.jks and it looks like you
>>> > combined sts, client and service keystore files into one - stsstore.jks.
>>> > In other words, stsstore.jks is being used as a keystore file for all
>>> > three - client, service and sts. Is that correct? I think that they
>>> > should be separated. Kind of confusing until you list the content of
>>> > stsstore.jks.
>>> >
>>> > Thanks.
>>> >
>>> > Gina
>>> >
>>> >
>>> > On Fri, May 11, 2012 at 2:55 AM, Oliver Wulff <owu...@talend.com>
>>> wrote:
>>> >
>>> > > Hi Gina
>>> > >
>>> > > The SAML token issued by the IDP/STS is signed and the used certificate
>>> > > must be referenced to validate the signature:
>>> > >
>>> > > <trustedIssuerItem provider=".*CN=www.sts.com.*">
>>> > >   <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>>> > >     password="stsspass" type="file" />
>>> > > </trustedIssuerItem>
>>> > >
>>> > > In this example, I used a self-signed certificate and I was too lazy in
>>> > > separating the keystore into one with the private key and into one
>>> > > without.
>>> > >
>>> > > You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
>>> > >
>>> > > In your scenario with ADFS, you must import the CA certs which signed
>>> > > the ADFS cert into a keystore and configure the CN name as a regular
>>> > > expression in the attribute "provider". (The name provider is
>>> > > misleading, will fix that)
>>> > >
>>> > > Thanks
>>> > >
>>> > > ------
>>> > >
>>> > > Oliver Wulff
>>> > >
>>> > > Blog: http://owulff.blogspot.com
>>> > > Solution Architect
>>> > > http://coders.talend.com
>>> > >
>>> > > Talend Application Integration Division
>>> > > http://www.talend.com
>>> > > ------------------------------
>>> > > From: Gina Choi [ginacho...@gmail.com]
>>> > > Sent: 11 May 2012 00:44
>>> > > To: Oliver Wulff
>>> > > Cc: users@cxf.apache.org
>>> > > Subject: Re: CXF supporting scope
>>> > >
>>> > > Hi Oliver,
>>> > >
>>> > > Until this afternoon, I didn't have time to work with Fediz. Finally I
>>> > > have successfully deployed idp, sts and simpleWebapp on Tomcat 7.0.27.
>>> > > Everything went well. I guess that on the other day, I thought I was
>>> > > doing something, but I probably did something else. :)
>>> > > After typing https://localhost:8443/fedizhelloworld/secureservlet/fed
>>> > > in the browser, I input the test user name and password, but it failed.
>>> > >
>>> > > org.apache.ws.security.components.crypto.CredentialException: Proxy file
>>> > > (/projects/fediz/tomcat-rp2/conf/stsstore.jks) not found.
>>> > >
>>> > > In your fediz_config.xml, you have the following lines. Why do we put
>>> > > the sts keystore file on the RP server? Does the web application need
>>> > > to know where the sts keystore file is?
>>> > >
>>> > >   <trustedIssuers>
>>> > >     <trustedIssuerItem provider=".*CN=www.sts.com.*">
>>> > >       <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>>> > >         password="stsspass" type="file" />
>>> > >     </trustedIssuerItem>
>>> > >   </trustedIssuers>
>>> > >
>>> > > Thanks.
>>> > >
>>> > > Gina
>>> > >
>>> > >  On Wed, May 9, 2012 at 1:45 AM, Oliver Wulff <owu...@talend.com>
>>> wrote:
>>> > >
>>> > >> Hi Gina
>>> > >>
>>> > >> The steps are absolutely correct. Not sure about the failing deployment
>>> > >> step for the application. Have you also updated tomcat-users.xml of the
>>> > >> second tomcat instance? Or was the application already deployed once
>>> > >> and you must run "mvn clean install tomcat:redeploy"? Is anything
>>> > >> logged in catalina.out?
>>> > >> Otherwise, just copy the war manually from target/fedizhelloworld.war
>>> > >> to <tomcat-dir>/webapps.
>>> > >>
>>> > >> I've checked in fediz_config.xml in examples/simpleWebapp/src/main/config
>>> > >> (sorry for that). Please manually copy it to the location you've
>>> > >> configured in the context.xml. Ensure that the IDP url (later ADFS):
>>> > >> <issuer>https://localhost:9443/fedizidp/</issuer>
>>> > >> and the location of the trusted keystore is updated:
>>> > >> <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>>> > >>   password="stsspass" type="file" />
>>> > >>
>>> > >> It will be supported in the next days to also configure a relative
>>> > >> location to catalina.home.
>>> > >>
>>> > >> Thanks
>>> > >> Oli
>>> > >>
>>> > >> ------
>>> > >>
>>> > >> Oliver Wulff
>>> > >>
>>> > >> Blog: http://owulff.blogspot.com
>>> > >> Solution Architect
>>> > >> http://coders.talend.com
>>> > >>
>>> > >> Talend Application Integration Division
>>> > >> http://www.talend.com
>>> > >> ------------------------------
>>> > >> From: Gina Choi [ginacho...@gmail.com]
>>> > >> Sent: 09 May 2012 00:55
>>> > >> To: Oliver Wulff
>>> > >> Cc: users@cxf.apache.org
>>> > >> Subject: Re: CXF supporting scope
>>> > >>
>>> > >> By the way I checked out the head version of the fediz project from SVN.
>>> > >>
>>> > >> On Tue, May 8, 2012 at 6:36 PM, Gina Choi <ginacho...@gmail.com> wrote:
>>> > >>
>>> > >>> Hi Oliver,
>>> > >>>
>>> > >>> I am using separate Tomcat instances for IDP and application and I set
>>> > >>> up https. Following is what I did.
>>> > >>>
>>> > >>> I checked out the Fediz project onto my local machine. As you explained
>>> > >>> in your post
>>> > >>> http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html
>>> > >>> , I ran mvn clean install in plugins/core, plugins/tomcat and
>>> > >>> examples/simpleWebapp/. I configured maven's settings.xml and updated
>>> > >>> tomcat-users.xml. I ran mvn tomcat:deploy under fediz\trunk\plugins,
>>> > >>> and I am seeing both IDP and STS deployed.
>>> > >>>
>>> > >>> I am just having a problem with deploying the sample application in
>>> > >>> another Tomcat instance.
>>> > >>>
>>> > >>> 1. I created a sub-directory fediz in ${catalina.home}/lib of the
>>> > >>> tomcat-rp.
>>> > >>> 2. I have the following line in catalina.properties in
>>> > >>> ${catalina.home}/conf.
>>> > >>>
>>> > >>> common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar
>>> > >>>
>>> > >>> 3. I deployed the built libraries and dependencies to the directory
>>> > >>> created in (1). I got the built libraries from
>>> > >>> fediz-tomcat/target/fediz-tomcat-0.6-SNAPSHOT-zip-with-dependencies.zip.
>>> > >>> After this, I am getting error messages when starting Tomcat. This
>>> > >>> prevents me from doing step 5, deploying applications properly.
>>> > >>> If I replace the generated lib/fediz jar files with the old jar files
>>> > >>> that I downloaded from your post, I am able to start tomcat without
>>> > >>> error and able to deploy the application, but it couldn't run properly.
>>> > >>> 4. Since I can't find fediz_config.xml, I configured
>>> > >>> META-INF/context.xml as follows.
>>> > >>>
>>> > >>> <Context>
>>> > >>>   <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>> > >>>     issuerURL="https://localhost:9443/fedizidp/"
>>> > >>>     truststoreFile="conf/stsstore.jks"
>>> > >>>     truststorePassword="stsspass"
>>> > >>>     trustedIssuer=".*CN=www.sts.com.*" />
>>> > >>> </Context>
>>> > >>>
>>> > >>> 5. If I run mvn tomcat:deploy under fediz\trunk\examples\simpleWebapp,
>>> > >>> I am getting the following error message.
>>> > >>>
>>> > >>> Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.1:deploy
>>> > >>> (default-cli) on project simpleWebapp: Cannot invoke Tomcat manager:
>>> > >>> FAIL - Failed to deploy application at context path /fedizhelloworld
>>> > >>> -> [Help 1]
>>> > >>>
>>> > >>> So, I couldn't get your application to run. I hope that all these
>>> > >>> problems are caused by the missing fediz_config.xml.
>>> > >>>
>>> > >>> Thanks.
>>> > >>>
>>> > >>> Gina
>>> > >>>   On Tue, May 8, 2012 at 2:46 PM, Oliver Wulff <owu...@talend.com
>>> > >wrote:
>>> > >>>
>>> > >>>> Hi Gina
>>> > >>>>
>>> > >>>> I'll send you and checkin the fediz_config.xml as soon as I can - I'm
>>> > >>>> on the way right now.
>>> > >>>>
>>> > >>>> This STS URL is fine, the Mock IDP uses the CXF STS. When the
>>> > >>>> application works you will change in your application
>>> > >>>> (fediz_config.xml) the issuerUrl of ADFS.
>>> > >>>>
>>> > >>>> Have you configured HTTPS for the IDP Tomcat instance and your
>>> > >>>> application Tomcat instance?
>>> > >>>>
>>> > >>>> I recommend to use a separate instance of the IDP and your
>>> > >>>> application.
>>> > >>>>
>>> > >>>> Do you use the port 9443?
>>> > >>>>
>>> > >>>> Thanks
>>> > >>>>
>>> > >>>> ------
>>> > >>>>
>>> > >>>> Oliver Wulff
>>> > >>>>
>>> > >>>> Blog: http://owulff.blogspot.com
>>> > >>>> Solution Architect
>>> > >>>> http://coders.talend.com
>>> > >>>>
>>> > >>>> Talend Application Integration Division
>>> > >>>> http://www.talend.com
>>> > >>>> ------------------------------
>>> > >>>> From: Gina Choi [ginacho...@gmail.com]
>>> > >>>> Sent: 08 May 2012 20:20
>>> > >>>> To: Oliver Wulff
>>> > >>>> Cc: users@cxf.apache.org
>>> > >>>> Subject: Re: CXF supporting scope
>>> > >>>>
>>> > >>>> Hi Oliver
>>> > >>>>
>>> > >>>> > I'd recommend to successfully deploy the wsclientWebapp sample and
>>> > >>>> > the IDP. When this works, rip&replace one piece after the other. I'd
>>> > >>>> > recommend to choose the following approach.
>>> > >>>> >
>>> > >>>> > 1) Replace the Fediz IDP by ADFS
>>> > >>>> >       + configure the ADFS issuerUrl (context.xml)
>>> > >>>> >       + ensure that ADFS supports WS-Federation Passive Requestor
>>> > >>>> >         Profile
>>> > >>>> >       + configure the certificate used by ADFS to sign the SAML token
>>> > >>>> >
>>> > >>>> > (the most recent version of fediz uses a separate xml file for the
>>> > >>>> > configuration)
>>> > >>>>
>>> > >>>> Somehow I couldn't deploy both fediz\trunk\services and
>>> > >>>> fediz\trunk\examples\wsclientWebapp on Tomcat 7.0.27, so I deployed
>>> > >>>> them on Tomcat 7.0.21. I checked the tomcat user name and Maven's
>>> > >>>> settings file, but couldn't find the reason. It just said that it
>>> > >>>> can't invoke Tomcat Manager. But since I was able to deploy it on
>>> > >>>> tomcat 7.0.21, I decided to figure it out later.
>>> > >>>>
>>> > >>>> In the context.xml, I have the following content. So, it looks like
>>> > >>>> issuerURL is defined inside fediz_config.xml, but I searched all
>>> > >>>> directories and couldn't find a file called fediz_config.xml.
>>> > >>>>
>>> > >>>> <Context>
>>> > >>>>   <Valve
>>> > >>>>     className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>> > >>>>     configFile="conf/fediz_config.xml" />
>>> > >>>>   <!--<Valve
>>> > >>>>     className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>> > >>>>     issuerURL="https://localhost:9443/fedizidp/"
>>> > >>>>     truststoreFile="conf/stsstore.jks"
>>> > >>>>     truststorePassword="stsspass" trustedIssuer=".*CN=www.sts.com.*" />-->
>>> > >>>>   <!--Valve
>>> > >>>>     className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>> > >>>>     issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler"
>>> > >>>>     truststoreFile="conf/stsstore.jks" truststorePassword="stsspass"
>>> > >>>>     />-->
>>> > >>>> </Context>
>>> > >>>>
>>> > >>>> In the web.xml file of the idp, you have the following content. ADFS
>>> > >>>> has a mex address, so I assume that I need to replace the value of
>>> > >>>> sts.wsdl.url with the ADFS mex address.
>>> > >>>>
>>> > >>>> <servlet>
>>> > >>>>   <servlet-name>FederationServlet</servlet-name>
>>> > >>>>   <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class>
>>> > >>>>   <init-param>
>>> > >>>>     <param-name>sts.wsdl.url</param-name>
>>> > >>>>     <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl</param-value>
>>> > >>>>   </init-param>
>>> > >>>>   <init-param>
>>> > >>>>     <param-name>sts.wsdl.service</param-name>
>>> > >>>>     <param-value>SecurityTokenService</param-value>
>>> > >>>>   </init-param>
>>> > >>>> </servlet>
>>> > >>>>
>>> > >>>> Thanks.
>>> > >>>>
>>> > >>>> Gina
>>> > >>>>  On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <owu...@talend.com
>>> > >wrote:
>>> > >>>>
>>> > >>>>> Hi Gina
>>> > >>>>>
>>> > >>>>> >>>
>>> > >>>>> I don't mind giving up existing implementation as long as I find
>>> > >>>>> better solution. I was hoping that Fediz project uses only Apache CXF
>>> > >>>>> instead of introducing another FrameWork - OpenSAML.
>>> > >>>>> >>>
>>> > >>>>>
>>> > >>>>> Apache CXF uses OpenSAML too for all SAML processing for SOAP and REST
>>> > >>>>> based service communication. OpenSAML is widely used and bundled into
>>> > >>>>> other frameworks like CXF and Fediz.
>>> > >>>>>
>>> > >>>>> >>>
>>> > >>>>> If I only consider passive profile at this moment, what changes are
>>> > >>>>> needed to Fediz project to point to ADFS(STS) instead of Apache CXF
>>> > >>>>> STS? Where did you define your stsActionURL? I like to start with
>>> > >>>>> passive profile since it is easier to start with. I can use your
>>> > >>>>> sample application. It doesn't matter if I use Airline or not since
>>> > >>>>> it is just a prototype
>>> > >>>>> >>>
>>> > >>>>>
>>> > >>>>> I'd recommend to successfully deploy the wsclientWebapp sample and the
>>> > >>>>> IDP. When this works, rip&replace one piece after the other. I'd
>>> > >>>>> recommend to choose the following approach.
>>> > >>>>>
>>> > >>>>> 1) Replace the Fediz IDP by ADFS
>>> > >>>>>       + configure the ADFS issuerUrl (context.xml)
>>> > >>>>>       + ensure that ADFS supports WS-Federation Passive Requestor
>>> > >>>>>         Profile
>>> > >>>>>       + configure the certificate used by ADFS to sign the SAML token
>>> > >>>>>
>>> > >>>>> (the most recent version of fediz uses a separate xml file for the
>>> > >>>>> configuration)
>>> > >>>>>
>>> > >>>>> 2) Update the webapp to generate and use the stubs of the
>>> > >>>>> BookingService in the FederationServlet (just a test - call the
>>> > >>>>> simplest method). Configure the ASP.NET wsdl location (usually
>>> > >>>>> url?wsdl). Configure the ADFS STS url in the STSClient bean in the
>>> > >>>>> beans.xml configuration. Change the property onbehalfof to actas.
>>> > >>>>>
>>> > >>>>> HTH
>>> > >>>>>
>>> > >>>>> ------
>>> > >>>>>
>>> > >>>>> Oliver Wulff
>>> > >>>>>
>>> > >>>>> Blog: http://owulff.blogspot.com
>>> > >>>>> Solution Architect
>>> > >>>>> http://coders.talend.com
>>> > >>>>>
>>> > >>>>> Talend Application Integration Division
>>> > >>>>> http://www.talend.com
>>> > >>>>> ------------------------------
>>> > >>>>> From: Gina Choi [ginacho...@gmail.com]
>>> > >>>>> Sent: 08 May 2012 01:05
>>> > >>>>> To: Oliver Wulff
>>> > >>>>> Cc: users@cxf.apache.org
>>> > >>>>> Subject: Re: CXF supporting scope
>>> > >>>>>
>>> > >>>>> Hi Oliver,
>>> > >>>>>
>>> > >>>>> I am not responsible for BookingService (.NET). The other guys
>>> > >>>>> implemented it using WIF. You know that Microsoft created WIF and
>>> > >>>>> tested it with ADFS, so if it doesn't work, I would be surprised.
>>> > >>>>> > Which Servlet container do you use?
>>> > >>>>> I am using Tomcat 7.
>>> > >>>>>
>>> > >>>>> > In your current setup, how does the samlp:Response look like?
>>> > >>>>> I sent you the decoded SAML response token in a separate email. I am
>>> > >>>>> retrieving the base64-encoded saml response token using the
>>> > >>>>> following code.
>>> > >>>>>
>>> > >>>>> String encodedSamlResponseTokenStr =
>>> > >>>>>     request.getParameter("SAMLResponse");
>>> > >>>>>
>>> > >>>>> I don't mind giving up the existing implementation as long as I find
>>> > >>>>> a better solution. I was hoping that the Fediz project uses only
>>> > >>>>> Apache CXF instead of introducing another FrameWork - OpenSAML.
>>> > >>>>>
>>> > >>>>> I loaded
>>> > >>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
>>> > >>>>> into Eclipse today.
>>> > >>>>>
>>> > >>>>> Basically I need the following three URLs for ADFS (STS). The first
>>> > >>>>> two are for the active profile and the third one is for the passive
>>> > >>>>> profile (SP-initiated Redirect/POST bindings). If I only consider the
>>> > >>>>> passive profile at this moment, what changes are needed to the Fediz
>>> > >>>>> project to point to ADFS (STS) instead of Apache CXF STS? Where did
>>> > >>>>> you define your stsActionURL? I like to start with the passive
>>> > >>>>> profile since it is easier to start with. I can use your sample
>>> > >>>>> application. It doesn't matter if I use Airline or not since it is
>>> > >>>>> just a prototype.
>>> > >>>>>
>>> > >>>>> private static final String stsEndpoint =
>>> > >>>>>     "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
>>> > >>>>>
>>> > >>>>> private static final String stsMEXAddress =
>>> > >>>>>     "https://strts01.ams.dev/adfs/services/trust/mex";
>>> > >>>>>
>>> > >>>>> private static final String stsActionURL =
>>> > >>>>>     "https://strts01.ams.dev/adfs/ls/";
>>> > >>>>>
>>> > >>>>> Thanks again for your guidance.
>>> > >>>>>
>>> > >>>>> Gina
>>> > >>>>>
>>> > >>>>> On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <owu...@talend.com
>>> > >wrote:
>>> > >>>>>
>>> > >>>>>> Hi Gina
>>> > >>>>>>
>>> > >>>>>> The fediz project is used to protect your web application where the
>>> > >>>>>> client is a browser. Right now, Fediz supports WS-Federation Passive
>>> > >>>>>> Requestor Profile which is supported by ADFS and usually used in the
>>> > >>>>>> .NET world as the default mechanism. You don't have to implement
>>> > >>>>>> that in your application - that's done by the Fediz plugin. Fediz
>>> > >>>>>> uses opensaml for SAML processing.
>>> > >>>>>>
>>> > >>>>>> The original URL is stored in the wreply parameter. .NET uses a
>>> > >>>>>> combination of the wtrealm and wctx parameter.
>>> > >>>>>>
>>> > >>>>>> Your Airline application can use CXF for the web services
>>> > >>>>>> communication (for the REST communication also, if you like). The
>>> > >>>>>> built-in support in CXF for the IssuedToken assertion
>>> > >>>>>> (WS-SecurityPolicy) supports to get a token from ADFS using actas.
>>> > >>>>>> In my example, just use actas instead of onbehalfof property.
>>> > >>>>>>
>>> > >>>>>> >>>
>>> > >>>>>> ADFS generate SAMLtoken and this SAML token is sent back to
>>> > >>>>>> Airline(Airline does all validation work) and cached in the
>>> > >>>>>> session. - This part is implemented.
>>> > >>>>>> >>>
>>> > >>>>>>
>>> > >>>>>> The validation work is already done by Fediz. Session management is
>>> > >>>>>> then done by the JEE container. Your application is called after the
>>> > >>>>>> SAML token issued by ADFS is successfully validated. The container
>>> > >>>>>> will create the session and check every incoming request whether
>>> > >>>>>> the used token is still valid - otherwise, the browser is redirected
>>> > >>>>>> again to ADFS. You could also configure some roles in ADFS to
>>> > >>>>>> protect your web application as the fediz plugin tells the container
>>> > >>>>>> the userid as well as its roles. You could even use claims if you
>>> > >>>>>> like.
>>> > >>>>>>
>>> > >>>>>> Which Servlet container do you use?
>>> > >>>>>>
>>> > >>>>>> In your current setup, how does the samlp:Response look like?
>>> > >>>>>>
>>> > >>>>>> Thanks
>>> > >>>>>>
>>> > >>>>>> Oli
>>> > >>>>>>
>>> > >>>>>> ------
>>> > >>>>>>
>>> > >>>>>> Oliver Wulff
>>> > >>>>>>
>>> > >>>>>> Blog: http://owulff.blogspot.com
>>> > >>>>>> Solution Architect
>>> > >>>>>> http://coders.talend.com
>>> > >>>>>>
>>> > >>>>>> Talend Application Integration Division
>>> > >>>>>> http://www.talend.com
>>> > >>>>>> ------------------------------
>>> > >>>>>> *From:* Gina Choi [ginacho...@gmail.com]
>>> > >>>>>> *Sent:* 07 May 2012 20:24
>>> > >>>>>> *To:* users@cxf.apache.org
>>> > >>>>>> *Cc:* Oliver Wulff
>>> > >>>>>> *Subject:* Re: CXF supporting scope
>>> > >>>>>>
>>> > >>>>>> Hi Oliver,
>>> > >>>>>>
>>> > >>>>>> I did notice that your sample application used both opensaml and openws libraries. Are they used by Apache CXF or just by the Fediz project?
>>> > >>>>>>
>>> > >>>>>> I need to clarify my environment further to give you a better picture.
>>> > >>>>>>
>>> > >>>>>> 1. All web services in my application are REST. The only reason that I use SOAP is to create a SOAP client to call a .NET SOAP web service which resides on another application. I am working with a .NET guy to prove some prototypes. His sample application is BookingService, for which I provided you the wsdl. I am working on Airline.
>>> > >>>>>>
>>> > >>>>>> BookingService: .NET4.0 SOAP
>>> > >>>>>> Airline: Java with REST
>>> > >>>>>>
>>> > >>>>>> 2. Both BookingService and Airline use the same ADFS as STS. We have set up relying parties for BookingService and Airline in ADFS.
>>> > >>>>>>
>>> > >>>>>> 3. SSO: A user will be using both Airline and BookingService. So, she/he should be able to log on once for both applications. In Airline (my application), I used SP initiated POST redirect bindings. So, when a user makes a request to Airline for the first time, the user will be redirected to ADFS and asked for credentials. After the user provides username/password, ADFS generates a SAML token and this SAML token is sent back to Airline (Airline does all validation work) and cached in the session. - This part is implemented.
>>> > >>>>>>
>>> > >>>>>> 4. Now a user calls BookingService which is claim aware. So, I need to inject the Assertion token obtained from the previous step inside the actas element to call the STS (ADFS2.0) to get a new token. With that new token, I will be calling the Booking service.
>>> > >>>>>>
>>> > >>>>>> So, I don't think that I am able to use the Apache CXF STS part since my STS will be ADFS. So, I am hoping that Apache CXF can work with ADFS (STS) to support my prototypes.
>>> > >>>>>>
>>> > >>>>>> Thanks.
>>> > >>>>>>
>>> > >>>>>> Gina
>>> > >>>>>>
>>> > >>>>>> On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <owu...@talend.com> wrote:
>>> > >>>>>>
>>> > >>>>>>> Hi Gina
>>> > >>>>>>>
>>> > >>>>>>> >>>
>>> > >>>>>>> So, what I need is after the user logs on using Web SSO, the SAML token should be cached in the web context and used as the actas token when making a call to the .NET web service.
>>> > >>>>>>> >>>
>>> > >>>>>>> This is supported by CXF without writing a single line of code. I do have a sample web application here:
>>> > >>>>>>>
>>> > >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
>>> > >>>>>>>
>>> > >>>>>>> This example illustrates:
>>> > >>>>>>> - fediz is configured for web sso
>>> > >>>>>>> - SAML token is cached in the session and used to request a new token from the STS
>>> > >>>>>>>
>>> > >>>>>>> The code to call the web service is in FederationServlet.doPost():
>>> > >>>>>>> ...
>>> > >>>>>>> Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
>>> > >>>>>>> String reply = service.greetMe();
>>> > >>>>>>> ...
>>> > >>>>>>>
>>> > >>>>>>> The magic is in the configuration I used here:
>>> > >>>>>>>
>>> > >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
>>> > >>>>>>>
>>> > >>>>>>> The following property registers a callback handler to provide the STSClient the token of the Web Login:
>>> > >>>>>>> <property name="onBehalfOf" ref="delegationCallbackHandler" />
>>> > >>>>>>>
>>> > >>>>>>> (There is also a property for actAs)
>>> > >>>>>>>
>>> > >>>>>>> The above example should do exactly what you need. You just have to change the above property to use ActAs instead of OnBehalfOf. The details for this example are described here:
>>> > >>>>>>>
>>> > >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>> > >>>>>>>
>>> > >>>>>>> To test this easily, you can use the Mock IDP as part of Fediz for the authentication. You could also attach Active Directory in the Mock if you like. See here:
>>> > >>>>>>>
>>> > >>>>>>> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
>>> > >>>>>>>
>>> > >>>>>>> I use that within a customer set up to connect the CXF STS to Active Directory.
>>> > >>>>>>>
>>> > >>>>>>> >>>
>>> > >>>>>>> What is Spring's role in CXF?
>>> > >>>>>>> >>>
>>> > >>>>>>> You can use Spring to configure your services. The above example is based on spring. As you see, all security related stuff is enabled by configuration (Convention of Configuration). You can also write an application without spring, but I wouldn't write an application without spring nowadays; this is up to you.
>>> > >>>>>>>
>>> > >>>>>>> >>>
>>> > >>>>>>> I don't know much about LDAP, but it should be used as an attribute store. I consider it an alternative to Active Directory. Please correct me if I am wrong.
>>> > >>>>>>> >>>
>>> > >>>>>>> Active Directory provides different interfaces. One of them is LDAP. You can use the LDAPLoginModule of the JDK for authentication. But you don't have to care that much as ADFS (and maybe the Fediz Mock for testing) will access ActiveDirectory to read the claims to add them to the SAML token.
>>> > >>>>>>>
>>> > >>>>>>> Could you zip the wsdl before attaching?
>>> > >>>>>>>
>>> > >>>>>>> Thanks
>>> > >>>>>>>
>>> > >>>>>>> ------
>>> > >>>>>>>
>>> > >>>>>>> Oliver Wulff
>>> > >>>>>>>
>>> > >>>>>>> Blog: http://owulff.blogspot.com
>>> > >>>>>>> Solution Architect
>>> > >>>>>>> http://coders.talend.com
>>> > >>>>>>>
>>> > >>>>>>> Talend Application Integration Division
>>> > >>>>>>> http://www.talend.com
>>> > >>>>>>>
>>> > >>>>>>> ________________________________
>>> > >>>>>>> From: Gina Choi [ginacho...@gmail.com]
>>> > >>>>>>> Sent: Friday, 4 May 2012 20:54
>>> > >>>>>>> To: users@cxf.apache.org
>>> > >>>>>>> Subject: Re: CXF supporting scope
>>> > >>>>>>>
>>> > >>>>>>> Hi Oliver,
>>> > >>>>>>>
>>> > >>>>>>> Thanks for your response.
>>> > >>>>>>>
>>> > >>>>>>> >You mean that WIF is deployed in the ASP.NET web service using the Active Requestor Profile?
>>> > >>>>>>> >The SAML token should contain the claims as an AttributeStatement?
>>> > >>>>>>> >Can you share with us the WS-SecurityPolicy of this Web Service?
>>> > >>>>>>> I have attached two wsdl files, BookingService.wsdl and BookingService_imported.wsdl. BookingService.wsdl is importing BookingService_imported.wsdl and if you open BookingService.wsdl, in line 10 there is an import statement like below. This .NET4.0 service is not owned by me and I don't know if separating the wsdl file is common practice. Is there any way to combine them into one when generating artifacts using wsimport? I will be calling the CheckIn operation.
>>> > >>>>>>>
>>> > >>>>>>> <wsdl:import location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0" namespace="http://tempuri.org/"/>
>>> > >>>>>>>
>>> > >>>>>>> >I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding.
>>> > >>>>>>> >What roles does ADFS 2.0 play?
>>> > >>>>>>> >Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token from the Web SSO? (this is supported by CXF-Fediz)
>>> > >>>>>>> >http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>> > >>>>>>> I am using Active Directory as an attribute store. So, I could say the ADFS role should be IDP. So, what I need is after the user logs on using Web SSO, the SAML token should be cached in the web context and used as the actas token when making a call to the .NET web service.
>>> > >>>>>>>
>>> > >>>>>>> >Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web application deployed?
>>> > >>>>>>> ADFS is the IDP and my Java web application is the Service Provider.
>>> > >>>>>>>
>>> > >>>>>>> >What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve the claims/roles from LDAP?
>>> > >>>>>>> I don't know much about LDAP, but it should be used as an attribute store. I consider it an alternative to Active Directory. Please correct me if I am wrong. I have been reading many specifications, but I am still having a hard time straightening out the correct terms.
>>> > >>>>>>>
>>> > >>>>>>> >No, Spring is not a requirement.
>>> > >>>>>>> What is Spring's role in CXF?
>>> > >>>>>>>
>>> > >>>>>>> Thanks.
>>> > >>>>>>>
>>> > >>>>>>> Gina
>>> > >>>>>>>
>>> > >>>>>>> On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <owu...@talend.com> wrote:
>>> > >>>>>>> >>>
>>> > >>>>>>> 1. I have to create a client for a .NET4.0 web service which is claim aware. So, how is CXF interoperability with .NET?
>>> > >>>>>>> >>>
>>> > >>>>>>> You mean that WIF is deployed in the ASP.NET web service using the Active Requestor Profile?
>>> > >>>>>>> The SAML token should contain the claims as an AttributeStatement?
>>> > >>>>>>> Can you share with us the WS-SecurityPolicy of this Web Service?
>>> > >>>>>>>
>>> > >>>>>>> >>>
>>> > >>>>>>> 2. If CXF supports ADFS2.0 as STS.
>>> > >>>>>>> >>>
>>> > >>>>>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding.
>>> > >>>>>>> What roles does ADFS 2.0 play?
>>> > >>>>>>> Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token from the Web SSO? (this is supported by CXF-Fediz)
>>> > >>>>>>>
>>> > >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>> > >>>>>>>
>>> > >>>>>>> >>>
>>> > >>>>>>> 3. If CXF supports the passive profile. Especially SP initiated Redirect -> POST binding.
>>> > >>>>>>> >>>
>>> > >>>>>>> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web application deployed?
>>> > >>>>>>>
>>> > >>>>>>> >>>
>>> > >>>>>>> 4. If CXF can work with LDAP.
>>> > >>>>>>> >>>
>>> > >>>>>>> What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve the claims/roles from LDAP?
>>> > >>>>>>>
>>> > >>>>>>> >>>
>>> > >>>>>>> 5. My application doesn't use the Spring framework. Do I have to use the Spring Framework to use CXF?
>>> > >>>>>>> >>>
>>> > >>>>>>> No, Spring is not a requirement.
>>> > >>>>>>>
>>> > >>>>>>> ------
>>> > >>>>>>>
>>> > >>>>>>> Oliver Wulff
>>> > >>>>>>>
>>> > >>>>>>> Blog: http://owulff.blogspot.com
>>> > >>>>>>> Solution Architect
>>> > >>>>>>> http://coders.talend.com
>>> > >>>>>>>
>>> > >>>>>>> Talend Application Integration Division http://www.talend.com
>>> > >>>>>>>
>>> > >>>>>>> ________________________________________
>>> > >>>>>>> From: gchoi [gc...@sdl.com]
>>> > >>>>>>> Sent: Wednesday, 2 May 2012 17:29
>>> > >>>>>>> To: users@cxf.apache.org
>>> > >>>>>>> Subject: CXF supporting scope
>>> > >>>>>>>
>>> > >>>>>>> Hi All,
>>> > >>>>>>>
>>> > >>>>>>> So far, I evaluated several frameworks, but they don't seem to do what I expect. Several people suggested to me that I should consider CXF. Before I dig into CXF, I would like to know if CXF supports the following things. By the way, I just joined this user group.
>>> > >>>>>>>
>>> > >>>>>>> 1. I have to create a client for a .NET4.0 web service which is claim aware. So, how is CXF interoperability with .NET?
>>> > >>>>>>>
>>> > >>>>>>> 2. If CXF supports ADFS2.0 as STS.
>>> > >>>>>>>
>>> > >>>>>>> 3. If CXF supports the passive profile. Especially SP initiated Redirect -> POST binding.
>>> > >>>>>>>
>>> > >>>>>>> 4. If CXF can work with LDAP.
>>> > >>>>>>>
>>> > >>>>>>> 5. My application doesn't use the Spring framework. Do I have to use the Spring Framework to use CXF?
>>> > >>>>>>>
>>> > >>>>>>> Thanks in advance.
>>> > >>>>>>>
>>> > >>>>>>> --
>>> > >>>>>>> View this message in context: http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
>>> > >>>>>>> Sent from the cxf-user mailing list archive at Nabble.com.