Hi Oliver,
Thanks for your response.

> OK, didn't know that the URL is the same in ADFS. The reason for
> WS-Federation is that it's security token agnostic (like the STS). This
> means that you can use SAML 1.1, SAML 2.0 or any other security token
> format. The Fediz Plugin component provides extension points to add support
> for other token types. SAML 1.1 and 2.0 are supported out-of-the-box.

Is there any place to configure whether a SAML 1.1 or SAML 2.0 token format
is requested?

I am looking at the FederationProcessorImpl.java class, where you have the
following lines. I don't see you caching URL parameters. My application is
REST based, and I have URL parameters. requestUrl in the following code only
includes the URL, not the parameters.


            String contextPath = request.getContextPath();
            String requestUrl = request.getRequestURL().toString();
            String requestPath = new URL(requestUrl).getPath();
            // Cut request path of request url and add context path if not ROOT
            if (requestPath != null && requestPath.length() > 0) {
                int lastIndex = requestUrl.lastIndexOf(requestPath);
                realm = requestUrl.substring(0, lastIndex);
            } else {
                realm = requestUrl;
            }
            if (contextPath != null && contextPath.length() > 0) {
                // contextPath contains starting slash
                realm = realm + contextPath + "/";
            } else {
                realm = realm + "/";
            }
            LOG.debug("wtrealm=" + realm);


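The wtrealm derivation above keeps only scheme, host, port and context path, which is what a realm is; in WS-Federation the original request, query string included, travels in the wreply parameter and any opaque state in wctx, as Oliver noted earlier in this thread. The following is an added example and not Fediz code: it derives the realm the same way the posted snippet does, builds the sign-in redirect so a REST URL's query string survives the round trip through the IDP, and checks the wreply that comes back against the RP's own realm before redirecting to it, since an unchecked wreply turns the sign-in response into an open redirector. The IDP URL reuses the ADFS /adfs/ls/ address quoted later in the thread; the query string and the wctx value are constructed for illustration, and the wctx handling is an assumption about how an RP would correlate state, not something the thread describes.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not part of Fediz. Derives wtrealm the way the posted
// FederationProcessorImpl snippet does, carries the original request
// (including its query string) in wreply, and validates wreply on return.
public final class WsFedSignIn {

    // wtrealm = scheme://host[:port] + contextPath + "/" (mirrors the posted code).
    static String realm(String requestUrl, String contextPath) {
        URI uri = URI.create(requestUrl);
        StringBuilder sb = new StringBuilder(uri.getScheme()).append("://").append(uri.getHost());
        if (uri.getPort() != -1) {
            sb.append(':').append(uri.getPort());
        }
        if (contextPath != null && !contextPath.isEmpty()) {
            sb.append(contextPath); // contextPath starts with a slash
        }
        return sb.append('/').toString();
    }

    // Build the redirect to the IDP's passive requestor (WS-Fed PRP) endpoint.
    // wreply carries the full original URL including the query string;
    // wctx carries opaque state the RP correlates on return (an assumption here).
    static String signInRedirect(String idpUrl, String requestUrl, String queryString,
                                 String contextPath, String wctx) {
        String original = (queryString == null || queryString.isEmpty())
                ? requestUrl : requestUrl + "?" + queryString;
        Map<String, String> params = new LinkedHashMap<>();
        params.put("wa", "wsignin1.0");
        params.put("wtrealm", realm(requestUrl, contextPath));
        params.put("wreply", original);
        if (wctx != null) {
            params.put("wctx", wctx);
        }
        StringBuilder sb = new StringBuilder(idpUrl).append(idpUrl.contains("?") ? '&' : '?');
        boolean first = true;
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!first) {
                sb.append('&');
            }
            first = false;
            sb.append(encode(e.getKey())).append('=').append(encode(e.getValue()));
        }
        return sb.toString();
    }

    // On the way back only honour a wreply under our own realm; anything else
    // would turn the sign-in response into an open redirector.
    static boolean wreplyWithinRealm(String wreply, String realm) {
        try {
            URI r = URI.create(wreply).normalize(); // collapses /../ segments first
            URI base = URI.create(realm);
            return r.getScheme() != null && r.getScheme().equalsIgnoreCase(base.getScheme())
                    && r.getHost() != null && r.getHost().equalsIgnoreCase(base.getHost())
                    && r.getPort() == base.getPort()
                    && r.getPath() != null && r.getPath().startsWith(base.getPath());
        } catch (IllegalArgumentException ex) {
            return false; // not a parseable URI
        }
    }

    private static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        String idp = "https://strts01.ams.dev/adfs/ls/"; // ADFS PRP endpoint from the thread
        String url = "https://localhost:8443/fedizhelloworld/secureservlet/fed";
        String qs = "flight=LH400&seat=12A";           // constructed query string
        String realm = realm(url, "/fedizhelloworld");

        System.out.println(realm);
        System.out.println(signInRedirect(idp, url, qs, "/fedizhelloworld", "ctx-42"));
        System.out.println(wreplyWithinRealm(url + "?" + qs, realm));
        System.out.println(wreplyWithinRealm("https://localhost:8443/other/", realm));
        System.out.println(wreplyWithinRealm("https://evil.example/fedizhelloworld/", realm));
    }
}
```

The realm check compares scheme, host, port and path prefix after normalisation, so a wreply of the form https://localhost:8443/fedizhelloworld/../other/ is rejected as well as a foreign host; if the RP is deployed behind a reverse proxy, derive the realm from the externally visible host rather than from request.getRequestURL().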
On Tue, May 15, 2012 at 12:17 PM, Oliver Wulff <owu...@talend.com> wrote:

>  Hi Gina
>
> OK, didn't know that the URL is the same in ADFS. The reason for
> WS-Federation is that it's security token agnostic (like the STS). This
> means that you can use SAML 1.1, SAML 2.0 or any other security token
> format. The Fediz Plugin component provides extension points to add support
> for other token types. SAML 1.1 and 2.0 are supported out-of-the-box.
>
> The other issue is that SAML-P based solutions usually sign the SAML
> response but not the SAML token itself, which makes it more difficult to
> request a token "OnBehalfOf" or "ActAs", as in your case, since the STS is
> not able to validate this token.
>
>
> Thanks
> Oli
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com
>   ------------------------------
> *From:* Gina Choi [ginacho...@gmail.com]
> *Sent:* 15 May 2012 17:02
>
> *To:* Oliver Wulff
> *Cc:* users@cxf.apache.org
> *Subject:* Re: CXF supporting scope
>
>   Hi Oliver,
>
>> Ask the ADFS administrator to provide you with the URL for the WS-Fed PRP
>> endpoint in ADFS. This URL must be configured in Fediz.
>
> ADFS 2.0 supports both the WS-Federation and SAML 2.0 Web SSO protocols,
> and the URLs are the same. I used SAML 2.0 Web SSO while Fediz is using
> WS-Federation. That's why I couldn't recognize the URL parameters of
> WS-Federation. You must have some reason to choose WS-Federation over
> SAML 2.0 Web SSO. I have heard that WS-Federation is limited to SAML 1.1
> tokens.
>
>> Step 4 in the following link describes how to configure the relying
>> party in ADFS:
> I know how to configure relying parties in ADFS 2.0.
>
> Thanks.
>
> Gina
>
>  On Mon, May 14, 2012 at 5:29 PM, Oliver Wulff <owu...@talend.com> wrote:
>
>>  Hi Gina
>>
>>
>>
>> Ask the ADFS administrator to provide you with the URL for the WS-Fed PRP
>> endpoint in ADFS. This URL must be configured in Fediz.
>>
>>
>>
>> >>>
>>
>>
>> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecureservlet%2Ffed&wtrealm=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2F
>>
>> >>>
>>
>> This is the SignIn request of WS-Fed PRP which is supported by ADFS.
>>
>>
>>
>> Do you have the url of the Metadata document? If yes, there you should
>> see the PassiveRequestorUrl.
>>
>>
>>
>> Step 4 in the following link describes how to configure the relying
>> party in ADFS:
>>
>>
>> http://technet.microsoft.com/en-us/library/adfs2-federation-wif-application-step-by-step-guide(v=ws.10).aspx
>>
>>
>>
>> HTH
>>
>>
>>
>> Oli
>>
>>
>>
>>
>>
>>
>>
>>   ------------------------------
>> *From:* Gina Choi [ginacho...@gmail.com]
>> *Sent:* 14 May 2012 22:44
>>
>> *To:* users@cxf.apache.org
>> *Cc:* Oliver Wulff
>>  *Subject:* Re: CXF supporting scope
>>
>>    Hi Oliver,
>>
>> ADFS 2.0 has many endpoints, and depending on the request or profile that
>> we use, we have to use different endpoints. When I test helloworld, I see a
>> username token sent to the STS as a security header, so I used the
>> adfs/services/trust/13/usernamemixed endpoint of ADFS, but when I look at
>> the URL in the browser, it looks like the SP-initiated redirect/POST
>> binding, but I don't see a base64-encoded SAMLRequest. That's why I am
>> confused.
>>
>> Gina
>>
>>
>>  On Mon, May 14, 2012 at 4:27 PM, Gina Choi <ginacho...@gmail.com> wrote:
>>
>>>
>>>> Neither the RST nor the RSTR are encrypted. It's planned for the next
>>>> release of the Fediz plugin to support encrypted tokens which are embedded
>>>> in the RSTR.
>>> Ok. Just verifying with you.
>>>
>>>> Is it required to support encrypted tokens initially? I should have
>>>> this functionality by the end of May.
>>> Encryption doesn't matter at this time.
>>>
>>>> You have to export the signing cert from ADFS and import it into a Java
>>>> keystore. Don't import it into stsstore.jks as this should be used for
>>>> this demo IDP only.
>>> When I import the ADFS signing cert into a Java keystore, what alias name
>>> should I use? You must reference the alias name from somewhere.
>>>
>>> I also need to import the Service Provider signing cert into ADFS. How do
>>> I export it?
>>>
>>> I was trying to point helloworld to ADFS, but it seems not simple: wreply
>>> vs. RelayState. What are wa=wsignin1.0 and wtrealm? Without deep changes,
>>> it wouldn't work with ADFS.
>>> Based on the following URL, I couldn't tell what kind of profile you use.
>>> I couldn't really tell. Please see the OASIS link.
>>>
>>> http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
>>>
>>> Fediz
>>>
>>>
>>> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecureservlet%2Ffed&wtrealm=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2F
>>>
>>> SP-initiated redirect/POST binding:
>>>
>>> GET
>>> /adfs/ls/?SAMLRequest=pZJPa9wwEMXv%2FRRG99U%2F73ptsXbYNoQGUrpknRR6KbI9TtTKkquR3Xz8Opss5FQKOQ7MvPd4v9ldPA02mSGg8a4kgnKSgGt9Z9xDSe7qq1VOLqoPO9SDHdV%2Bio%2FuFn5PgDHZI0KIy9kn73AaIBwhzKaFu9ubkjzGOKJi7M8vcDjzlGf0wfpGW4qdpa0Po8rX65TtTbDGAVscgX0D2%2FoB6E8cSXK5eBin4ynXWQ5jiMgF1QPSDmamux6ZRUaSKx9aOOUrSQwTkOT6siQ%2F0qLXfSZyyLs0K%2Fi24SKVXd%2B1hWw2a5GKrMi2siv6LMubPFuu8KARzQwl6bXFZx3ECa4dRu1iSSQXcsU3K7GuJVciVxtJt7n4TpJD8NG33n407qW9KTjlNRpUTg%2BAKrbquP9yoyTlqnlZQvW5rg%2Brw9djTZL7MwX5TGHh4lCdev%2B31PjqS6pXSqfA4f8F9Bkkqd6LbcfeRqjO49u%2Fqf4C&RelayState=
>>> https://wkensv0306.global.sdl.corp:8443/Airline/code/Welcome.jsp HTTP/1.1
>>>
>>>
>>> On Mon, May 14, 2012 at 3:51 PM, Oliver Wulff <owu...@talend.com> wrote:
>>>
>>>> Hi Gina
>>>>
>>>> >>>
>>>> It looks like you don't encrypt the RST and RSTR, but you said that
>>>> both RST and RSTR are signed. I need to import the signing cert from ADFS
>>>> into the stsstore.jks keystore. Which one is the key alias for the RP? You
>>>> have clientkey, myservicekey and mystskey. Vice versa, I need to export
>>>> the signing cert from the RP to import it into ADFS. Do you have the
>>>> signing cert somewhere or do I have to export it myself?
>>>> >>>
>>>> Neither the RST nor the RSTR are encrypted. It's planned for the next
>>>> release of the Fediz plugin to support encrypted tokens which are embedded
>>>> in the RSTR.
>>>>
>>>> Is it required to support encrypted tokens initially? I should have
>>>> this functionality by the end of May.
>>>>
>>>> You have to export the signing cert from ADFS and import it into a Java
>>>> keystore. Don't import it into stsstore.jks as this should be used for this
>>>> demo IDP only.
>>>>
>>>> Thanks
>>>> Oli
>>>>
>>>>
>>>>
>>>>
>>>> ________________________________________
>>>> From: Gina Choi [ginacho...@gmail.com]
>>>>  Sent: 14 May 2012 21:23
>>>> To: users@cxf.apache.org
>>>>  Subject: Re: CXF supporting scope
>>>>
>>>> Hi Oliver,
>>>>
>>>> > You're right - this is confusing. The STS signs the SAML token with the
>>>> > private key which correlates to the STS certificate. The RP requires the
>>>> > CA certificates and the STS certificate (if self-signed as in this demo
>>>> > case) to validate the SAML token.
>>>>
>>>> Thanks for the response. I looked at the request and response messages
>>>> between the RP and the STS. It looks like you don't encrypt the RST and
>>>> RSTR, but you said that both RST and RSTR are signed. I need to import
>>>> the signing cert from ADFS into the stsstore.jks keystore. Which one is
>>>> the key alias for the RP? You have clientkey, myservicekey and mystskey.
>>>> Vice versa, I need to export the signing cert from the RP to import it
>>>> into ADFS. Do you have the signing cert somewhere or do I have to export
>>>> it myself?
>>>>
>>>> Thanks.
>>>>
>>>> Gina
>>>>
>>>>
>>>> On Mon, May 14, 2012 at 2:19 PM, Oliver Wulff <owu...@talend.com>
>>>> wrote:
>>>>
>>>> > Hi Gina
>>>> >
>>>> > >>>
>>>> > But I still don't understand why I have to copy the stsstore.jks file
>>>> > into the RP. stsstore.jks is the keystore file of the STS and it should
>>>> > be sitting somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should
>>>> > have its own keystore file, for example clientstore.jks.
>>>> > When the client issues an AuthnRequest to the STS, it will sign the
>>>> > AuthnRequest with the STS signing certificate. Vice versa, when the STS
>>>> > issues an Assertion token, it will be signed by the client signing
>>>> > certificate.
>>>> > In the fediz project scenario, the RP will be the client and it will
>>>> > never have the keystore file of the STS.
>>>> > I just looked at the content of stsstore.jks and it looks like you
>>>> > combined the sts, client and service keystore files into one -
>>>> > stsstore.jks. In other words, stsstore.jks is being used as a keystore
>>>> > file for all three - client, service and sts. Is that correct? I think
>>>> > that they should be separated. Kind of confusing until you list the
>>>> > content of stsstore.jks.
>>>> > >>>
>>>> > You're right - this is confusing. The STS signs the SAML token with the
>>>> > private key which correlates to the STS certificate. The RP requires the
>>>> > CA certificates and the STS certificate (if self-signed as in this demo
>>>> > case) to validate the SAML token.
>>>> >
>>>> > I was too lazy in creating two keystores (I just copied the keystore
>>>> used
>>>> > by the CXF STS distribution). In a production environment, one
>>>> keystore
>>>> > contains the private key and the certificate for the STS and the other
>>>> > contains the certificate only for the RP.
>>>> >
>>>> > I've started documenting fediz here:
>>>> > http://cxf.apache.org/fediz.html
>>>> >
>>>> > It would make sense to add a section on what to consider for a
>>>> > production implementation. I'll add that.
>>>> >
>>>> > Thanks
>>>> >
>>>> >
>>>> > ________________________________________
>>>> > From: Gina Choi [ginacho...@gmail.com]
>>>> > Sent: 14 May 2012 18:00
>>>> > To: Oliver Wulff
>>>> > Cc: users@cxf.apache.org
>>>> > Subject: Re: CXF supporting scope
>>>> >
>>>> > Hi Oliver,
>>>> >
>>>> > Thanks for your response. I copied over stsstore.jks into tomcat-rp and
>>>> > I am seeing the SAML token now.
>>>> >
>>>> > > The SAML token issued by the IDP/STS is signed and the used certificate
>>>> > > must be referenced to validate the signature:
>>>> > >
>>>> > > <trustedIssuerItem provider=".*CN=www.sts.com.*">
>>>> > >   <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>>>> > >     password="stsspass" type="file" />
>>>> > > </trustedIssuerItem>
>>>> > >
>>>> > > In this example, I used a self-signed certificate and I was too lazy in
>>>> > > separating the keystore into one with the private key and into one
>>>> > > without.
>>>> > >
>>>> > > You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
>>>> >
>>>> > But I still don't understand why I have to copy the stsstore.jks file
>>>> > into the RP. stsstore.jks is the keystore file of the STS and it should
>>>> > be sitting somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should
>>>> > have its own keystore file, for example clientstore.jks.
>>>> >
>>>> > When the client issues an AuthnRequest to the STS, it will sign the
>>>> > AuthnRequest with the STS signing certificate. Vice versa, when the STS
>>>> > issues an Assertion token, it will be signed by the client signing
>>>> > certificate.
>>>> >
>>>> > In the fediz project scenario, the RP will be the client and it will
>>>> > never have the keystore file of the STS.
>>>> >
>>>> > I just looked at the content of stsstore.jks and it looks like you
>>>> > combined the sts, client and service keystore files into one -
>>>> > stsstore.jks. In other words, stsstore.jks is being used as a keystore
>>>> > file for all three - client, service and sts. Is that correct? I think
>>>> > that they should be separated. Kind of confusing until you list the
>>>> > content of stsstore.jks.
>>>> >
>>>> > Thanks.
>>>> >
>>>> > Gina
>>>> >
>>>> >
>>>> > On Fri, May 11, 2012 at 2:55 AM, Oliver Wulff <owu...@talend.com>
>>>> wrote:
>>>> >
>>>> > >  Hi Gina
>>>> > >
>>>> > >
>>>> > >
>>>> > > The SAML token issued by the IDP/STS is signed and the used
>>>> certificate
>>>> > > must be referenced to validate the signature:
>>>> > >
>>>> > >
>>>> > >
>>>> > >  <trustedIssuerItem provider=".*CN=www.sts.com.*">
>>>> > > <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>>>> > > password="stsspass" type="file" />
>>>> > > </trustedIssuerItem>
>>>> > >
>>>> > > In this example, I used a self-signed certificate and I was too
>>>> lazy in
>>>> > > separating the keystore into one with the private key and into one
>>>> > without.
>>>> > >
>>>> > >
>>>> > >
>>>> > > You find the stsstore.jks in fedizidpsts.war. Just copy it to the
>>>> RP.
>>>> > >
>>>> > >
>>>> > >
>>>> > > In your scenario with ADFS, you must import the CA certs which signed
>>>> > > the ADFS cert into a keystore and configure the CN name as a regular
>>>> > > expression in the attribute "provider". (The name provider is
>>>> > > misleading, will fix that)
>>>> > >
>>>> > >
>>>> > >
>>>> > > Thanks
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >   ------------------------------
>>>> > > *From:* Gina Choi [ginacho...@gmail.com]
>>>> > > *Sent:* 11 May 2012 00:44
>>>> > >
>>>> > > *To:* Oliver Wulff
>>>> > > *Cc:* users@cxf.apache.org
>>>> > > *Subject:* Re: CXF supporting scope
>>>> > >
>>>> > >   Hi Oliver,
>>>> > >
>>>> > > Until this afternoon, I didn't have time to work with Fediz. Finally
>>>> > > I have successfully deployed the idp, sts and simpleWebapp on Tomcat
>>>> > > 7.0.27. Everything went well. I guess that on the other day, I thought
>>>> > > I was doing one thing, but I probably did something else. :)
>>>> > > After typing https://localhost:8443/fedizhelloworld/secureservlet/fed
>>>> > > in the browser, I entered the test user name and password, but it
>>>> > > failed.
>>>> > >
>>>> > >
>>>> > > org.apache.ws.security.components.crypto.CredentialException: Proxy file (/projects/fediz/tomcat-rp2/conf/stsstore.jks) not found.
>>>> > >
>>>> > >
>>>> > > In your fediz_config.xml, you have the following lines. Why do we put
>>>> > > the STS keystore file on the RP server? Does the web application need
>>>> > > to know where the STS keystore file is?
>>>> > >
>>>> > >   <trustedIssuers>
>>>> > >    <trustedIssuerItem provider=".*CN=www.sts.com.*">
>>>> > >     <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>>>> > > password="stsspass" type="file" />
>>>> > >    </trustedIssuerItem>
>>>> > >   </trustedIssuers>
>>>> > >
>>>> > >
>>>> > > Thanks.
>>>> > >
>>>> > > Gina
>>>> > >
>>>> > >  On Wed, May 9, 2012 at 1:45 AM, Oliver Wulff <owu...@talend.com>
>>>> wrote:
>>>> > >
>>>> > >>  Hi Gina
>>>> > >>
>>>> > >> The steps are absolutely correct. Not sure about the failing
>>>> deployment
>>>> > >> step for the application. Have you also updated tomcat-users.xml
>>>> of the
>>>> > >> second tomcat instance? Or was the application already deployed
>>>> once and
>>>> > >> you must run "mvn clean install tomcat:redeploy"? Is anything
>>>> logged on
>>>> > >> catalina.out?
>>>> > >> Otherwise, just copy the war manually from
>>>> target/fedizhelloworld.war to
>>>> > >> <tomcat-dir>/webapps.
>>>> > >>
>>>> > >> I've checked in fediz_config.xml in
>>>> > examples/simpleWebapp/src/main/config
>>>> > >> (sorry for that). Please manually copy it to the location you've
>>>> > configured
>>>> > >> in the context.xml. Ensure that the IDP url (later ADFS):
>>>> > >> <issuer>https://localhost:9443/fedizidp/</issuer>
>>>> > >> and the location of the trusted keystore is updated:
>>>> > >> <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>>>> > >> password="stsspass" type="file" />
>>>> > >>
>>>> > >> It will be supported in the next days to also configure a relative
>>>> > >> location to catalina.home.
>>>> > >>
>>>> > >>
>>>> > >> Thanks
>>>> > >> Oli
>>>> > >>
>>>> > >>
>>>> > >>
>>>> > >>   ------------------------------
>>>> > >> *From:* Gina Choi [ginacho...@gmail.com]
>>>> > >> *Sent:* 09 May 2012 00:55
>>>> > >>
>>>> > >> *To:* Oliver Wulff
>>>> > >> *Cc:* users@cxf.apache.org
>>>> > >> *Subject:* Re: CXF supporting scope
>>>> > >>
>>>> > >>   By the way, I checked out the head version of the fediz project from SVN.
>>>> > >>
>>>> > >> On Tue, May 8, 2012 at 6:36 PM, Gina Choi <ginacho...@gmail.com>
>>>> wrote:
>>>> > >>
>>>> > >>> Hi Oliver,
>>>> > >>>
>>>> > >>> I am using a separate Tomcat instance for the IDP and the application
>>>> > >>> and I set up https. Following is what I did.
>>>> > >>>
>>>> > >>> I checked out the Fediz project onto my local machine. As you
>>>> > >>> explained in your post
>>>> > >>> http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html,
>>>> > >>> I ran mvn clean install in plugins/core, plugins/tomcat and
>>>> > >>> examples/simpleWebapp/. I configured maven's settings.xml and updated
>>>> > >>> tomcat-users.xml. I ran mvn tomcat:deploy under fediz\trunk\plugins,
>>>> > >>> and I am seeing both IDP and STS deployed.
>>>> > >>>
>>>> > >>> I am just having a problem with deploying the sample application in
>>>> > >>> another Tomcat instance.
>>>> > >>>
>>>> > >>> 1. I created a sub-directory fediz in ${catalina.home}/lib of the
>>>> > >>> tomcat-rp.
>>>> > >>> 2. I have the following line in catalina.properties in
>>>> > >>> ${catalina.home}/conf.
>>>> > >>>
>>>> > >>> common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar
>>>> > >>>
>>>> > >>> 3. I deployed the built libraries and dependencies to the directory
>>>> > >>> created in (1). I got the built libraries from
>>>> > >>> fediz-tomcat/target/fediz-tomcat-0.6-SNAPSHOT-zip-with-dependencies.zip.
>>>> > >>> After this, I am getting error messages when starting Tomcat. This
>>>> > >>> prevents me from doing step 5 for deploying the application properly.
>>>> > >>> If I replace the generated lib/fediz jar files with the old jar files
>>>> > >>> that I downloaded from your post, I am able to start tomcat without
>>>> > >>> error and able to deploy the application, but it couldn't run properly.
>>>> > >>> 4. Since I can't find fediz_config.xml, I configured
>>>> > >>> META-INF/context.xml as follows.
>>>> > >>>
>>>> > >>> <Context>
>>>> > >>>   <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>>> > >>>          issuerURL="https://localhost:9443/fedizidp/"
>>>> > >>>          truststoreFile="conf/stsstore.jks"
>>>> > >>>          truststorePassword="stsspass"
>>>> > >>>          trustedIssuer=".*CN=www.sts.com.*" />
>>>> > >>> </Context>
>>>> > >>> 5. If I run mvn tomcat:deploy under fediz\trunk\examples\simpleWebapp,
>>>> > >>> I am getting the following error message.
>>>> > >>>
>>>> > >>> Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.1:deploy
>>>> > >>> (default-cli) on project simpleWebapp: Cannot invoke Tomcat manager:
>>>> > >>> FAIL - Failed to deploy application at context path /fedizhelloworld ->
>>>> > >>> [Help 1]
>>>> > >>>
>>>> > >>> So, I couldn't get your application to run. I hope that all these
>>>> > >>> problems are caused by the missing fediz_config.xml.
>>>> > >>>
>>>> > >>> Thanks.
>>>> > >>>
>>>> > >>> Gina
>>>> > >>>   On Tue, May 8, 2012 at 2:46 PM, Oliver Wulff <owu...@talend.com
>>>> > >wrote:
>>>> > >>>
>>>> > >>>>  Hi Gina
>>>> > >>>>
>>>> > >>>>
>>>> > >>>>
>>>> > >>>> I'll send you and check in the fediz_config.xml as soon as I can -
>>>> > >>>> I'm on the way right now.
>>>> > >>>>
>>>> > >>>>
>>>> > >>>>
>>>> > >>>> This STS URL is fine, the Mock IDP uses the CXF STS. When the
>>>> > >>>> application works you will change in your application
>>>> > (fediz_config.xml)
>>>> > >>>> the issuerUrl of ADFS.
>>>> > >>>>
>>>> > >>>>
>>>> > >>>>
>>>> > >>>> Have you configured HTTPS for the IDP Tomcat instance and your
>>>> > >>>> application Tomcat instance?
>>>> > >>>>
>>>> > >>>> I recommend to use a separate instance of the IDP and your
>>>> > application.
>>>> > >>>>
>>>> > >>>> Do you use the port 9443?
>>>> > >>>>
>>>> > >>>>
>>>> > >>>>
>>>> > >>>> Thanks
>>>> > >>>>
>>>> > >>>>
>>>> > >>>>
>>>> > >>>>
>>>> > >>>>
>>>> > >>>>   ------------------------------
>>>> > >>>> *From:* Gina Choi [ginacho...@gmail.com]
>>>> > >>>> *Sent:* 08 May 2012 20:20
>>>> > >>>>
>>>> > >>>> *To:* Oliver Wulff
>>>> > >>>> *Cc:* users@cxf.apache.org
>>>> > >>>> *Subject:* Re: CXF supporting scope
>>>> > >>>>
>>>> > >>>>    Hi Oliver
>>>> > >>>>
>>>> > >>>> > I'd recommend to successfully deploy the wsclientWebapp sample and
>>>> > >>>> > the IDP. When this works, rip&replace one piece after the other. I'd
>>>> > >>>> > recommend to choose the following approach.
>>>> > >>>> >
>>>> > >>>> > 1) Replace the Fediz IDP by ADFS
>>>> > >>>> >       + configure the ADFS issuerUrl (context.xml)
>>>> > >>>> >       + ensure that ADFS supports WS-Federation Passive Requestor
>>>> > >>>> > Profile
>>>> > >>>> >       + configure the certificate used by ADFS to sign the SAML token
>>>> > >>>> >
>>>> > >>>> > (the most recent version of fediz uses a separate xml file for the
>>>> > >>>> > configuration)
>>>> > >>>>
>>>> > >>>> Somehow I couldn't deploy both fediz\trunk\services and
>>>> > >>>> fediz\trunk\examples\wsclientWebapp on Tomcat 7.0.27, so I deployed
>>>> > >>>> them on Tomcat 7.0.21. I checked the tomcat user name and Maven's
>>>> > >>>> settings file, but couldn't find the reason. It just said that it
>>>> > >>>> can't invoke the Tomcat Manager. But since I was able to deploy it on
>>>> > >>>> Tomcat 7.0.21, I decided to figure it out later.
>>>> > >>>>
>>>> > >>>> In the context.xml, I have the following content. So, it looks like
>>>> > >>>> issuerURL is defined inside fediz_config.xml, but I searched all
>>>> > >>>> directories and couldn't find a file called fediz_config.xml.
>>>> > >>>>
>>>> > >>>> <Context>
>>>> > >>>>   <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>>> > >>>>          configFile="conf/fediz_config.xml" />
>>>> > >>>>   <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>>> > >>>>          issuerURL="https://localhost:9443/fedizidp/"
>>>> > >>>>          truststoreFile="conf/stsstore.jks"
>>>> > >>>>          truststorePassword="stsspass"
>>>> > >>>>          trustedIssuer=".*CN=www.sts.com.*" />-->
>>>> > >>>>   <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>>> > >>>>          issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler"
>>>> > >>>>          truststoreFile="conf/stsstore.jks"
>>>> > >>>>          truststorePassword="stsspass" />-->
>>>> > >>>> </Context>
>>>> > >>>>
>>>> > >>>> In the web.xml file of the idp, you have the following content. ADFS
>>>> > >>>> has a MEX address, so I assume that I need to replace the value of
>>>> > >>>> sts.wsdl.url with the ADFS MEX address.
>>>> > >>>>
>>>> > >>>>
>>>> > >>>> <servlet>
>>>> > >>>>   <servlet-name>FederationServlet</servlet-name>
>>>> > >>>>   <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class>
>>>> > >>>>   <init-param>
>>>> > >>>>     <param-name>sts.wsdl.url</param-name>
>>>> > >>>>     <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl</param-value>
>>>> > >>>>   </init-param>
>>>> > >>>>   <init-param>
>>>> > >>>>     <param-name>sts.wsdl.service</param-name>
>>>> > >>>>     <param-value>SecurityTokenService</param-value>
>>>> > >>>>   </init-param>
>>>> > >>>>
>>>> > >>>> Thanks.
>>>> > >>>>
>>>> > >>>> Gina
>>>> > >>>>  On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <owu...@talend.com
>>>> > >wrote:
>>>> > >>>>
>>>> > >>>>>  Hi Gina
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> >>>
>>>> > >>>>>
>>>> > >>>>> I don't mind giving up the existing implementation as long as I find
>>>> > >>>>> a better solution. I was hoping that the Fediz project uses only
>>>> > >>>>> Apache CXF instead of introducing another framework - OpenSAML.
>>>> > >>>>>
>>>> > >>>>> >>>
>>>> > >>>>>
>>>> > >>>>> Apache CXF uses OpenSAML too for all SAML processing for SOAP
>>>> and
>>>> > REST
>>>> > >>>>> based service communication. OpenSAML is widely used and bundled
>>>> > into other
>>>> > >>>>> frameworks like CXF and Fediz.
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> >>>
>>>> > >>>>>
>>>> > >>>>> If I only consider the passive profile at this moment, what changes
>>>> > >>>>> are needed to the Fediz project to point to ADFS (STS) instead of the
>>>> > >>>>> Apache CXF STS? Where did you define your stsActionURL? I'd like to
>>>> > >>>>> start with the passive profile since it is easier to start with. I
>>>> > >>>>> can use your sample application. It doesn't matter if I use Airline
>>>> > >>>>> or not since it is just a prototype.
>>>> > >>>>>
>>>> > >>>>> >>>
>>>> > >>>>>
>>>> > >>>>> I'd recommend to successfully deploy the wsclientWebapp sample
>>>> and
>>>> > the
>>>> > >>>>> IDP. When this works, rip&replace one piece after the other. I'd
>>>> > recommend
>>>> > >>>>> to choose the following approach.
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> 1) Replace the Fediz IDP by ADFS
>>>> > >>>>>
>>>> > >>>>>       + configure the ADFS issuerUrl (context.xml)
>>>> > >>>>>
>>>> > >>>>>       + ensure that ADFS supports WS-Federation Passive
>>>> Requestor
>>>> > >>>>> Profile
>>>> > >>>>>
>>>> > >>>>>       + configure the certificate used by ADFS to sign the SAML
>>>> token
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> (the most recent version of fediz uses a separate xml file for
>>>> the
>>>> > >>>>> configuration)
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> 2) Update the webapp to generate and use the stubs of the
>>>> > >>>>> BookingService in the FederationServlet (just a test - call the
>>>> > simplest
>>>> > >>>>> method). Configure the ASP.NET wsdl location (usually
>>>> url?wsdl).
>>>> > >>>>> Configure the ADFS STS url in the STSClient bean in the
>>>> beans.xml
>>>> > >>>>> configuration. Change the property onbehalfof to actas.
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> HTH
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>   ------------------------------
>>>> > >>>>> *From:* Gina Choi [ginacho...@gmail.com]
>>>> > >>>>> *Sent:* 08 May 2012 01:05
>>>> > >>>>> *To:* Oliver Wulff
>>>> > >>>>> *Cc:* users@cxf.apache.org
>>>> > >>>>>
>>>> > >>>>> *Subject:* Re: CXF supporting scope
>>>> > >>>>>
>>>> > >>>>>    Hi Oliver,
>>>> > >>>>>
>>>> > >>>>> I am not responsible for BookingService (.NET). The other guys
>>>> > >>>>> implemented it using WIF. You know that Microsoft created WIF and
>>>> > >>>>> tested it with ADFS, so if it doesn't work, I would be surprised.
>>>> > >>>>> > Which Servlet container do you use?
>>>> > >>>>> I am using Tomcat 7.
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> > In your current setup, how does the samlp:Response look like?
>>>> > >>>>> I sent you the decoded SAML response token in a separate email. I am
>>>> > >>>>> retrieving the base64-encoded SAML response token using the following
>>>> > >>>>> code.
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> String encodedSamlResponseTokenStr =
>>>> > >>>>> request.getParameter("SAMLResponse");
>>>> > >>>>>
>>>> > >>>>> I don't mind giving up the existing implementation as long as I find
>>>> > >>>>> a better solution. I was hoping that the Fediz project uses only
>>>> > >>>>> Apache CXF instead of introducing another framework - OpenSAML.
>>>> > >>>>>
>>>> > >>>>> I loaded
>>>> > >>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
>>>> > >>>>> into Eclipse today.
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>> Basically I need the following three URLs for ADFS (STS). The first
>>>> > >>>>> two are for the active profile and the third one is for the passive
>>>> > >>>>> profile (SP-initiated redirect/POST binding). If I only consider the
>>>> > >>>>> passive profile at this moment, what changes are needed to the Fediz
>>>> > >>>>> project to point to ADFS (STS) instead of the Apache CXF STS? Where
>>>> > >>>>> did you define your stsActionURL? I'd like to start with the passive
>>>> > >>>>> profile since it is easier to start with. I can use your sample
>>>> > >>>>> application. It doesn't matter if I use Airline or not since it is
>>>> > >>>>> just a prototype.
>>>> > >>>>>
>>>> > >>>>> private static final String stsEndpoint = "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
>>>> > >>>>>
>>>> > >>>>> private static final String stsMEXAddress = "https://strts01.ams.dev/adfs/services/trust/mex";
>>>> > >>>>>
>>>> > >>>>> private static final String stsActionURL = "https://strts01.ams.dev/adfs/ls/";
>>>> > >>>>>
>>>> > >>>>>
>>>> > >>>>>  Thanks again for your guidance.
>>>> > >>>>>
>>>> > >>>>> Gina
>>>> > >>>>>
>>>> > >>>>> On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <owu...@talend.com
>>>> > >wrote:
>>>> > >>>>>
>>>> > >>>>>>  Hi Gina
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> The fediz project is used to protect your web application
>>>> where the
>>>> > >>>>>> client is a browser. Right now, Fediz supports WS-Federation
>>>> Passive
>>>> > >>>>>> Requestor Profile which is supported by ADFS and usually used
>>>> in
>>>> > the .NET
>>>> > >>>>>> world as a the default mechanism. You don't have to implement
>>>> that
>>>> > in
>>>> > >>>>>> your application - that's done by the Fediz plugin. Fediz uses
>>>> > opensaml for
>>>> > >>>>>> SAML processing.
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> The original URL is stored in the wreply parameter. .NET uses a
>>>> > >>>>>> combination of the wtrealm and wctx parameter.
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> Your Airline application can use CXF for the web services
>>>> > >>>>>> communication (for the REST communication also, if you like).
>>>> The
>>>> > built-in
>>>> > >>>>>> support in CXF for the IssuedToken assertion
>>>> (WS-SecurityPolicy)
>>>> > supports
>>>> > >>>>>> to get a token from ADFS using actas. In my example, just use
>>>> actas
>>>> > instead
>>>> > >>>>>> of onbehalfof property.
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> >>>
>>>> > >>>>>>
>>>> > >>>>>>  ADFS generate SAMLtoken and this SAML token is sent back to
>>>> > >>>>>> Airline(Airline does all validation work) and cached in the
>>>> > session. - This
>>>> > >>>>>> part is implemented.
>>>> > >>>>>>
>>>> > >>>>>> >>>
>>>> > >>>>>>
>>>> > >>>>>> The validation work is already done by Fediz. Session
>>>> management is
>>>> > >>>>>> then done by the JEE container. Your application is called
>>>> after
>>>> > the SAML
>>>> > >>>>>> token issued by ADFS is successfully validated. The container
>>>> will
>>>> > create
>>>> > >>>>>> the session and check every incoming request whether the used
>>>> token
>>>> > is
>>>> > >>>>>> still valid - otherwise, the browser is redirected again to
>>>> ADFS.
>>>> > You could
>>>> > >>>>>> also configure some roles in ADFS to protect your web
>>>> application
>>>> > as the
>>>> > >>>>>> fediz plugin tells the container the userid as well as its
>>>> roles.
>>>> > You could
>>>> > >>>>>> even use claims if you like.
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> Which Servlet container do you use?
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> In your current setup, how does the samlp:Response look like?
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> Thanks
>>>> > >>>>>>
>>>> > >>>>>> Oli
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> ------
>>>> > >>>>>>
>>>> > >>>>>> Oliver Wulff
>>>> > >>>>>>
>>>> > >>>>>> Blog: http://owulff.blogspot.com
>>>> > >>>>>> Solution Architect
>>>> > >>>>>> http://coders.talend.com
>>>> > >>>>>>
>>>> > >>>>>> Talend Application Integration
>>>> Division
>>>> > >>>>>> http://www.talend.com
>>>> > >>>>>>   ------------------------------
>>>> > >>>>>> *From:* Gina Choi [ginacho...@gmail.com]
>>>> > >>>>>> *Sent:* 07 May 2012 20:24
>>>> > >>>>>> *To:* users@cxf.apache.org
>>>> > >>>>>> *Cc:* Oliver Wulff
>>>> > >>>>>> *Subject:* Re: CXF supporting scope
>>>> > >>>>>>
>>>> > >>>>>>    Hi Oliver,
>>>> > >>>>>>
>>>> > >>>>>> I did notice that your sample application used both opensaml
>>>> and
>>>> > >>>>>> openws libraries. Are they used by Apache CXF or just by Fediz
>>>> > project?
>>>> > >>>>>>
>>>> > >>>>>> I need to clarify my environment further to give you better
>>>> picture.
>>>> > >>>>>>
>>>> > >>>>>> 1. All web services in my application are REST. The only
>>>> reason that
>>>> > >>>>>> I use SOAP is to create a soap client to call .NET SOAP web
>>>> service
>>>> > which
>>>> > >>>>>> resides on another application. I am working with a .NET guy to
>>>> > prove some
>>>> > >>>>>> prototypes. His sample application is BookingService which I
>>>> > provided you
>>>> > >>>>>> wsdl. I am working on Airline.
>>>> > >>>>>>
>>>> > >>>>>> BookingService: .NET4.0 SOAP
>>>> > >>>>>> Airline: Java with REST
>>>> > >>>>>>
>>>> > >>>>>> 2. Both BookingService and Airline use same ADFS as STS. We
>>>> have set
>>>> > >>>>>> up relying parties for BookingService and Airline in ADFS.
>>>> > >>>>>>
>>>> > >>>>>> 3. SSO:  A user will be using both Airline and BookingService.
>>>> So,
>>>> > >>>>>> she/he should be able to log on once for both applications. In
>>>> > Airline(my
>>>> > >>>>>> application), I used SP initiated POST redirect bindings. So,
>>>> when
>>>> > a user
>>>> > >>>>>> make a request to Airline at first time, the user will be
>>>> > redirected to
>>>> > >>>>>> ADFS and asked credentials. After user provide
>>>> username/password,
>>>> > ADFS
>>>> > >>>>>> generate SAMLtoken and this SAML token is sent back to
>>>> > Airline(Airline does
>>>> > >>>>>> all validation work) and cached in the session. - This part is
>>>> > implemented.
>>>> > >>>>>>
>>>> > >>>>>> 4. Now a user call BookingService which is claim aware. So, I
>>>> need
>>>> > to
>>>> > >>>>>> inject Assertion token get from previous step inside actas
>>>> element
>>>> > to call
>>>> > >>>>>> STS(ADFS2.0) to get a new token. With that new token, I will be
>>>> > calling
>>>> > >>>>>> Booking service.
>>>> > >>>>>>
>>>> > >>>>>> So, I don't think that I am able to use Apache CXF STS part
>>>> since my
>>>> > >>>>>> STS will be ADFS. So, I am hoping that Apache CXF can work with
>>>> > ADFS(STS)
>>>> > >>>>>> to support my prototypes.
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> Thanks.
>>>> > >>>>>>
>>>> > >>>>>> Gina
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>>
>>>> > >>>>>> On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <
>>>> owu...@talend.com
>>>> > >wrote:
>>>> > >>>>>>
>>>> > >>>>>>> Hi Gina
>>>> > >>>>>>>
>>>> > >>>>>>> >>>
>>>> > >>>>>>> So, what I need is after user log on using Web SSO, the SAML
>>>> token
>>>> > >>>>>>> should be cached in web context and being used as actas token
>>>> when
>>>> > making a
>>>> > >>>>>>> call to .NET web service.
>>>> > >>>>>>> >>>
>>>> > >>>>>>>  This is supported by CXF without writing any single line of
>>>> code.
>>>> > I
>>>> > >>>>>>> do have a sample web application here:
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> >
>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
>>>> > >>>>>>>
>>>> > >>>>>>> This example illustrates:
>>>> > >>>>>>> - fediz is configured for web sso
>>>> > >>>>>>> - SAML token is cached in the session and used to request a
>>>> new
>>>> > >>>>>>> token from the STS
>>>> > >>>>>>>
>>>> > >>>>>>> The code to call the web service is in
>>>> FederationServlet.doPost():
>>>> > >>>>>>> ...
>>>> > >>>>>>> Greeter service =
>>>> > >>>>>>>
>>>> >
>>>> (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
>>>> > >>>>>>> String reply = service.greetMe();
>>>> > >>>>>>> ...
>>>> > >>>>>>>
>>>> > >>>>>>> The magic is in the configuration I used here:
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> >
>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
>>>> > >>>>>>>
>>>> > >>>>>>> The following property registers a callback handler to
>>>> provide the
>>>> > >>>>>>> STSClient the token of the Web Login:
>>>> > >>>>>>> <property name="onBehalfOf" ref="delegationCallbackHandler" />
>>>> > >>>>>>>
>>>> > >>>>>>> (There is also a property for actAs)
>>>> > >>>>>>>
>>>> > >>>>>>> The above example should exactly do what you need. You just
>>>> have to
>>>> > >>>>>>> change the above property to use ActAs instead of OnBehalfOf.
>>>> The
>>>> > details
>>>> > >>>>>>> for this example are described here:
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> >
>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>> To test this easily, you can use the Mock IDP as part of
>>>> Fediz for
>>>> > >>>>>>> the authentication. You could also attach Active Directory in
>>>> the
>>>> > Mock if
>>>> > >>>>>>> you like. See here:
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> >
>>>> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
>>>> > >>>>>>>
>>>> > >>>>>>> I use that within a customer set up to connect the CXF STS to
>>>> > Active
>>>> > >>>>>>> Directory.
>>>> > >>>>>>>
>>>> > >>>>>>> >>>
>>>> > >>>>>>> What is Spring role in CXF?
>>>> > >>>>>>> >>>
>>>> > >>>>>>>  You can use Spring to configure your services. The above
>>>> example
>>>> > is
>>>> > >>>>>>> based on spring. As you see, all security related stuff is
>>>> enabled
>>>> > by
>>>> > >>>>>>> configuration (Convention of Configuration). You can also
>>>> write an
>>>> > >>>>>>> application without spring but I wouldn't write an application
>>>> > without
>>>> > >>>>>>> spring nowadays but this is up to you.
>>>> > >>>>>>>
>>>> > >>>>>>> >>>
>>>> > >>>>>>> I don't know much LDAP, but it should be used as an attribute
>>>> > store.
>>>> > >>>>>>> I consider it as an alternative of Active Directory. Please
>>>> > correct me if I
>>>> > >>>>>>> am wrong.
>>>> > >>>>>>> >>>
>>>> > >>>>>>>  Active Directory provides different interfaces. One of them
>>>> is
>>>> > >>>>>>> LDAP. You can use the LDAPLoginModule of the JDK for
>>>> > authentication. But
>>>> > >>>>>>> you don't have to care that much as ADFS (and maybe the Fediz
>>>> Mock
>>>> > for
>>>> > >>>>>>> testing) will access ActiveDirectory to read the claims to add
>>>> > them to the
>>>> > >>>>>>> SAML token.
>>>> > >>>>>>>
>>>> > >>>>>>> Could you zip the wsdl before attaching?
>>>> > >>>>>>>
>>>> > >>>>>>> Thanks
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>> ------
>>>> > >>>>>>>
>>>> > >>>>>>> Oliver Wulff
>>>> > >>>>>>>
>>>> > >>>>>>> Blog: http://owulff.blogspot.com
>>>> > >>>>>>> Solution Architect
>>>> > >>>>>>> http://coders.talend.com
>>>> > >>>>>>>
>>>> > >>>>>>> Talend Application Integration
>>>> Division
>>>> > >>>>>>> http://www.talend.com
>>>> > >>>>>>>
>>>> > >>>>>>> ________________________________
>>>> > >>>>>>> From: Gina Choi [ginacho...@gmail.com]
>>>> > >>>>>>> Sent: Friday, 4 May 2012 20:54
>>>> > >>>>>>> To: users@cxf.apache.org
>>>> > >>>>>>> Subject: Re: CXF supporting scope
>>>> > >>>>>>>
>>>> > >>>>>>> Hi Oliver,
>>>> > >>>>>>>
>>>> > >>>>>>> Thanks for your response.
>>>> > >>>>>>>
>>>> > >>>>>>> >You mean that WIF is deployed in the ASP.NET
>>>> > web
>>>> > >>>>>>> service using the Active Requestor Profile?
>>>> > >>>>>>> >The SAML token should contain the claims as an
>>>> AttributeStatement?
>>>> > >>>>>>> >Can you share with us the WS-SecurityPolicy of this Web
>>>> Service?
>>>> > >>>>>>> I have attached two wsdl file. BookingService.wsdl and
>>>> > >>>>>>> BookingService_imported.wsdl. BookingService.wsdl  is
>>>> importing
>>>> > >>>>>>> BookingService_imported.wsdl and if you open
>>>> BookingService.wsdl,
>>>> > in line
>>>> > >>>>>>> 10 there is an import statement like below. This .NET4.0
>>>> > service is not
>>>> > >>>>>>> owned by me and I don't know if separating wsdl file is common
>>>> > practice. Is
>>>> > >>>>>>> there any way to combine them into one when generating artifacts
>>>> using
>>>> > wsimport?
>>>> > >>>>>>> I will be calling CheckIn operation.
>>>> > >>>>>>>
>>>> > >>>>>>> <wsdl:import location="
>>>> > >>>>>>>
>>>> >
>>>> http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0
>>>> > "
>>>> > >>>>>>> namespace="http://tempuri.org/"/>
>>>> > >>>>>>>
>>>> > >>>>>>> >I haven't used ADFS using WS-Trust so far. Usually, it uses a
>>>> > >>>>>>> Symmetric and Asymmetric binding.
>>>> > >>>>>>> >What roles does ADFS 2.0 play?
>>>> > >>>>>>> >Once as the IDP for the Web application SSO and once to let
>>>> issue
>>>> > a
>>>> > >>>>>>> token onbehalfof/actas the original token >from the Web SSO?
>>>> (this
>>>> > is
>>>> > >>>>>>> supported by CXF-Fediz)
>>>> > >>>>>>> >
>>>> > >>>>>>>
>>>> >
>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>>> > >>>>>>> I am using Active Directory as an attribute store. So, I
>>>> could say
>>>> > >>>>>>> ADFS role should be IDP. So, what I need is after user log on
>>>> > using Web
>>>> > >>>>>>> SSO, the SAML token should be cached in web context and being
>>>> used
>>>> > as actas
>>>> > >>>>>>> token when making a call to .NET web service.
>>>> > >>>>>>>
>>>> > >>>>>>> > Yes, the passive profile is supported by Fediz. Is ADFS the
>>>> IDP?
>>>> > >>>>>>> In which application server is your web >application deployed?
>>>> > >>>>>>> ADFS is IDP and my Java web application is Service Provider.
>>>> > >>>>>>>
>>>> > >>>>>>> >What do you mean exactly? Is LDAP used for authentication by
>>>> the
>>>> > >>>>>>> STS? Or should the service provider retrieve >the claims/roles
>>>> > from LDAP?
>>>> > >>>>>>> I don't know much LDAP, but it should be used as an attribute
>>>> > store.
>>>> > >>>>>>> I consider it as an alternative of Active Directory. Please
>>>> > correct me if I
>>>> > >>>>>>> am wrong. I have been reading many specifications, but I am
>>>> still
>>>> > having
>>>> > >>>>>>> hard time to straighten up correct terms.
>>>> > >>>>>>>
>>>> > >>>>>>> >No, Spring is not a requirement.
>>>> > >>>>>>> What is Spring role in CXF?
>>>> > >>>>>>>
>>>> > >>>>>>> Thanks.
>>>> > >>>>>>>
>>>> > >>>>>>> Gina
>>>> > >>>>>>>  On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <
>>>> owu...@talend.com
>>>> > >>>>>>> > wrote:
>>>> > >>>>>>> >>>
>>>> > >>>>>>> 1. I have to create a client for .NET4.0 web service which is
>>>> claim
>>>> > >>>>>>> aware. So,
>>>> > >>>>>>> how is CXF interoperability with .NET?
>>>> > >>>>>>> >>>
>>>> > >>>>>>> You mean that WIF is deployed in the ASP.NET
>>>> web
>>>> > >>>>>>> service using the Active Requestor Profile?
>>>> > >>>>>>> The SAML token should contain the claims as an
>>>> AttributeStatement?
>>>> > >>>>>>> Can you share with us the WS-SecurityPolicy of this Web
>>>> Service?
>>>> > >>>>>>>
>>>> > >>>>>>> >>>
>>>> > >>>>>>> 2. If CXF support ADFS2.0 as STS.
>>>> > >>>>>>> >>>
>>>> > >>>>>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a
>>>> > >>>>>>> Symmetric and Asymmetric binding.
>>>> > >>>>>>> What roles does ADFS 2.0 play?
>>>> > >>>>>>> Once as the IDP for the Web application SSO and once to let
>>>> issue a
>>>> > >>>>>>> token onbehalfof/actas the original token from the Web SSO?
>>>> (this
>>>> > is
>>>> > >>>>>>> supported by CXF-Fediz)
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> >
>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>>> > >>>>>>>
>>>> > >>>>>>> >>>
>>>> > >>>>>>> 3. If CXF support passive profile. Especially SP initiated
>>>> Redirect
>>>> > >>>>>>> ->  POST
>>>> > >>>>>>> binding.
>>>> > >>>>>>> >>>
>>>> > >>>>>>> Yes, the passive profile is supported by Fediz. Is ADFS the
>>>> IDP? In
>>>> > >>>>>>> which application server is your web application deployed?
>>>> > >>>>>>>
>>>> > >>>>>>> >>>
>>>> > >>>>>>> 4. If CXF can work with LDAP.
>>>> > >>>>>>> >>>
>>>> > >>>>>>> What do you mean exactly? Is LDAP used for authentication by
>>>> the
>>>> > >>>>>>> STS? Or should the service provider retrieve the claims/roles
>>>> from
>>>> > LDAP?
>>>> > >>>>>>>
>>>> > >>>>>>> >>>>
>>>> > >>>>>>> 5. My application doesn't use Spring frame work. Do I have to
>>>> use
>>>> > >>>>>>> Spring
>>>> > >>>>>>> Frame work to use CXF.
>>>> > >>>>>>> >>>
>>>> > >>>>>>> No, Spring is not a requirement.
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>> ------
>>>> > >>>>>>>
>>>> > >>>>>>> Oliver Wulff
>>>> > >>>>>>>
>>>> > >>>>>>> Blog: http://owulff.blogspot.com
>>>> > >>>>>>> Solution Architect
>>>> > >>>>>>> http://coders.talend.com
>>>> > >>>>>>>
>>>> > >>>>>>> Talend Application Integration Division http://www.talend.com
>>>> > >>>>>>>
>>>> > >>>>>>> ________________________________________
>>>> > >>>>>>> From: gchoi [gc...@sdl.com]
>>>> > >>>>>>> Sent: Wednesday, 2 May 2012 17:29
>>>> > >>>>>>> To: users@cxf.apache.org
>>>> > >>>>>>> Subject: CXF supporting scope
>>>> > >>>>>>>
>>>> > >>>>>>> Hi All,
>>>> > >>>>>>>
>>>> > >>>>>>> So far, I evaluated several frameworks, but they don't seem to
>>>> do
>>>> > what
>>>> > >>>>>>> I
>>>> > >>>>>>> expect. Several people suggested to me that I should consider
>>>> CXF.
>>>> > >>>>>>> Before I dig
>>>> > >>>>>>> into CXF, I would like to know if CXF supports the following things.
>>>> By the
>>>> > >>>>>>> way, I
>>>> > >>>>>>> just joined this user group.
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>> 1. I have to create a client for .NET4.0 web service which is
>>>> claim
>>>> > >>>>>>> aware. So,
>>>> > >>>>>>> how is CXF interoperability with .NET?
>>>> > >>>>>>>
>>>> > >>>>>>> 2. If CXF support ADFS2.0 as STS.
>>>> > >>>>>>>
>>>> > >>>>>>> 3. If CXF support passive profile. Especially SP initiated
>>>> Redirect
>>>> > >>>>>>> ->  POST
>>>> > >>>>>>> binding.
>>>> > >>>>>>>
>>>> > >>>>>>> 4. If CXF can work with LDAP.
>>>> > >>>>>>>
>>>> > >>>>>>> 5. My application doesn't use Spring frame work. Do I have to
>>>> use
>>>> > >>>>>>> Spring
>>>> > >>>>>>> Frame work to use CXF.
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>> Thanks in advance.
>>>> > >>>>>>>
>>>> > >>>>>>> --
>>>> > >>>>>>> View this message in context:
>>>> > >>>>>>>
>>>> > http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
>>>> > >>>>>>> Sent from the cxf-user mailing list archive at Nabble.com.
>>>> > >>>>>>>
>>>> > >>>>>>>
>>>> > >>>>>>
>>>> > >>>>>
>>>> > >>>>
>>>> > >>>
>>>> > >>
>>>> > >
>>>> >
>>>>
>>>
>>>
>>
>
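
Oliver's note above that the original URL travels in wreply (or, in .NET, in wtrealm plus wctx) is the part a relying party has to get right, so here is an added Java example, not Fediz or CXF code, of one way to build the passive sign-in redirect and resume the original request (query string included) after the token comes back. The IdP sign-in address (the stsActionURL role from the thread), the context path, the in-memory state map and the Java 10+ URLEncoder overload are assumptions; token validation itself is left to the Fediz plugin.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Relying-party side of the WS-Federation passive sign-in (added example,
 * not Fediz or CXF code). The full original URL, query string included, is
 * kept server-side under a random wctx; only wa, wtrealm, wreply and wctx
 * travel to the IdP, and the wctx the IdP echoes back is accepted once.
 */
public final class PassiveSignIn {
    private static final SecureRandom RNG = new SecureRandom();
    // wctx -> original request URL. Stand-in for the HTTP session or a
    // short-lived server-side cache in a real deployment (assumption).
    private final Map<String, String> pending = new ConcurrentHashMap<>();

    /** wtrealm as scheme://host[:port]/context/, the form the thread refers to. */
    static String realmOf(String requestUrl, String contextPath) {
        URI u = URI.create(requestUrl);
        String port = u.getPort() == -1 ? "" : ":" + u.getPort();
        String ctx = contextPath == null ? "" : contextPath;  // contains the leading slash
        return u.getScheme() + "://" + u.getHost() + port + ctx + "/";
    }

    /** Redirect to the IdP sign-in endpoint, e.g. the ADFS /adfs/ls/ address in the thread. */
    public String signInUrl(String idpSignInUrl, String requestUrl, String contextPath) {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);                         // unguessable, one per sign-in
        String wctx = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        pending.put(wctx, requestUrl);                // path AND query string survive
        String realm = realmOf(requestUrl, contextPath);
        return idpSignInUrl + "?wa=wsignin1.0"
                + "&wtrealm=" + enc(realm)
                + "&wreply=" + enc(realm)             // token is POSTed to the realm root
                + "&wctx=" + enc(wctx);
    }

    /**
     * Called after the token POSTed back with wresult/wctx has been validated
     * (the plugin's job). Returns the URL to resume, or null when wctx is
     * unknown, already used, or points outside our realm; in that case the
     * app should send the user to a fixed landing page, never to a
     * caller-supplied URL.
     */
    public String resumeUrl(String wctx, String realm) {
        if (wctx == null) return null;
        String target = pending.remove(wctx);         // single use: a replay gets null
        if (target == null || !target.startsWith(realm)) return null;
        return target;
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);  // Java 10+ overload
    }
}
```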