Hi Gina

>>> I asked a similar question last time, but I haven't received a response yet. Is it efficient to add the ADFS signing cert to the Java keystore, since there are many entries in the Java keystore?

I'd recommend putting ADFS into a different Java keystore than the one for the Fediz IDP.

>>> Shouldn't we have something like clientstore.jks? For now, I am ok with adding this to the Java keystore. Does it matter what alias name I use when I import the ADFS signing cert? I don't know if you reference the alias name somewhere in a configuration file. The other thing is that I need to export the signing cert from the client to import it into ADFS 2.0. I assume your RST is signed. I am using your helloworld app. Where can I get the client signing cert?

You only need the alias name when the keystore contains certificates and private keys - thus you pick up the right one.

In this case, the SignIn Request is not signed and therefore you don't have to import a certificate of the application into ADFS.

I started putting documentation here:
http://cxf.apache.org/fediz.html

Thanks
Oli

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________
From: Gina Choi [ginacho...@gmail.com]
Sent: 15 May 2012 21:46
To: users@cxf.apache.org
Cc: Oliver Wulff
Subject: Re: CXF supporting scope

Hi Oliver,

> Neither the RST nor the RSTR are encrypted. It's planned for the next release of the Fediz plugin to support encrypted tokens which are embedded in the RSTR. Is it required to support encrypted tokens initially? I should have this functionality by the end of May.
>
> You have to export the signing cert from ADFS and import it into a Java keystore. Don't import it into stsstore.jks as this should be used for this demo IDP only.

I asked a similar question last time, but I haven't received a response yet. Is it efficient to add the ADFS signing cert to the Java keystore, since there are many entries in the Java keystore? Shouldn't we have something like clientstore.jks? For now, I am ok with adding this to the Java keystore. Does it matter what alias name I use when I import the ADFS signing cert? I don't know if you reference the alias name somewhere in a configuration file.

The other thing is that I need to export the signing cert from the client to import it into ADFS 2.0. I assume your RST is signed. I am using your helloworld app. Where can I get the client signing cert? I will be doing something like below. So, I need to know the alias name, store password and keystore file.

    keytool -exportcert -alias myservicekey -storepass sspass -keystore servicestore.jks -file service.cer

Thanks.
Gina
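A small check that follows the advice in this thread (keep the ADFS token-signing certificate in its own keystore, separate from the keystore that holds the IDP's private key, and do not rely on the alias to decide what is trusted). This is an added example, not code from the thread or from the Fediz project; the file names adfs-truststore.jks and adfs-signing.cer, the password "changeit" and the main() argument handling are placeholders, and it assumes the ADFS certificate was exported from ADFS and imported into that separate keystore with keytool.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Sanity checks for a keystore that is meant to hold only trusted peer
 * certificates (here: the ADFS token-signing cert), kept apart from the
 * keystore holding the IDP's own private key. Paths and password are
 * placeholders for this example.
 */
public class TrustStoreCheck {

    /** Load a JKS keystore from disk with the given store password. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Aliases of private-key entries. A store used purely for trusted peer
     * certificates should return an empty list; if a key entry shows up, the
     * file is doing double duty and losing it also loses a private key.
     */
    static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> keys = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keys.add(alias);
            }
        }
        return keys;
    }

    /**
     * Returns the alias under which 'signer' is present as a trusted
     * certificate, matching on the DER encoding rather than on the alias:
     * for trusted-certificate entries the alias is just a label, so whether
     * a token signer is trusted must not depend on what it was named.
     */
    static String findTrustedAlias(KeyStore ks, X509Certificate signer) throws Exception {
        byte[] wanted = signer.getEncoded();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (Arrays.equals(c.getEncoded(), wanted)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs: the separate trust store and the cert exported from ADFS.
        String trustStorePath = args.length > 0 ? args[0] : "adfs-truststore.jks";
        String adfsCertPath = args.length > 1 ? args[1] : "adfs-signing.cer";
        char[] storePass = "changeit".toCharArray();

        KeyStore trust = load(trustStorePath, storePass);

        // 1. The trust store should not carry any private keys.
        List<String> keys = privateKeyAliases(trust);
        if (!keys.isEmpty()) {
            System.out.println("WARNING: private key entries found in trust store: " + keys);
        }

        // 2. Parse the exported ADFS certificate and confirm it is currently valid.
        X509Certificate adfs;
        try (InputStream in = new FileInputStream(adfsCertPath)) {
            adfs = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        adfs.checkValidity(); // throws if the certificate is expired or not yet valid

        // 3. Look the certificate up by content; the import alias does not matter.
        String alias = findTrustedAlias(trust, adfs);
        if (alias == null) {
            System.out.println("ADFS signing cert is NOT present in " + trustStorePath);
        } else {
            System.out.println("ADFS signing cert trusted under alias '" + alias + "' ("
                    + adfs.getSubjectX500Principal().getName() + ")");
        }
    }
}
```

To populate the separate store before running the check, the exported ADFS certificate is imported with keytool, for example `keytool -importcert -alias adfs-signing -file adfs-signing.cer -keystore adfs-truststore.jks -storepass changeit` (alias, file names and password are placeholders); the check then reports the alias it finds, and any private-key entry in that store is flagged because it should live in the IDP's own keystore instead.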