Hi Oliver,

<<<
I'd recommend to put ADFS into a different java keystore than the one for
the Fediz IDP.
>>> 
My ADFS is on a remote machine, so it is completely isolated from the
Fediz IDP.


<<<
You only need the alias name when the keystore contains certificates and
private keys - thus you pick up the right one. In this case, the SignIn
Request is not signed and therefore, you don't have to import a certificate
of the application in ADFS.
>>> 
Ok. Your SignIn Request is not signed, so I don't need to worry about the
application cert. But based on your code, Fediz is expecting the Response
token to be signed. Following is my fediz_config.xml file. The signing
certificate that my ADFS 2.0 has is self-signed. ADFS 2.0 has three
certificates available: the encryption cert, the signing cert and the
service communication certificate. People usually use a self-signed
certificate for both the encryption and signing cert (it is the ADFS 2.0
default installation). You have a certificateValidation element and its
value is ChainTrust. The CN for my ADFS signing cert is CN = ADFS Signing -
strts01.ams.dev. What changes are needed in my fediz_config.xml to make it
correct?


<FedizConfig>
        <contextConfig name="/fedizhelloworld">
                <audienceUris>
                        <audienceItem>https://wkengchoi.global.sdl.corp:8443/fedizhelloworld/</audienceItem>
                </audienceUris>
                <certificateValidation>ChainTrust</certificateValidation>
                <trustedIssuers>
                        <trustedIssuerItem provider=".*CN=www.sts.com.*">
                                <keyStore file="C:/Program Files (x86)/tomcat/tomcat-rp/conf/stsstore.jks" password="stsspass" type="file" />
                        </trustedIssuerItem>
                </trustedIssuers>
                <maximumClockSkew>1000</maximumClockSkew>
                <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:type="federationProtocolType" version="1.0.0">
                        <issuer>https://strts01.ams.dev/adfs/ls/</issuer>
                        <roleDelimiter>,</roleDelimiter>
                        <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
                        <freshness>10000</freshness>
                        <claimTypesRequested>
                                <claimType type="a particular claim type" optional="true" />
                        </claimTypesRequested>
                </protocol>
        </contextConfig>
</FedizConfig>

Thanks.

Gina

--
View this message in context: 
http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855p5707970.html
Sent from the cxf-user mailing list archive at Nabble.com.
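The question above hinges on whether the ADFS token-signing certificate would pass the trust checks the posted fediz_config.xml describes: a subject DN that matches the trustedIssuerItem regex, and a certificateValidation mode (ChainTrust or PeerTrust) satisfied by the contents of stsstore.jks. The following stand-alone Java program is an added example, not code from Fediz or from the mail's author. It reuses the keystore path, password and provider regex from the posted config, and it assumes that the ADFS signing certificate has been exported to a file (placeholder name adfs-signing.cer) and that the provider regex is applied to the certificate's subject DN. PeerTrust is modelled as "the exact certificate is an entry in the keystore"; ChainTrust as "PKIX path validation succeeds with the keystore's trusted certificate entries as anchors", which is the property a self-signed signing certificate can only satisfy if that very certificate was imported as a trusted entry.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.regex.Pattern;

/**
 * Offline check of an issuer signing certificate against a Fediz-style
 * trusted-issuer configuration. Added example, not Fediz's own code.
 */
public class IssuerTrustCheck {

    public static void main(String[] args) throws Exception {
        // Values taken from the posted fediz_config.xml; the .cer file name is a placeholder
        // for the ADFS token-signing certificate exported from the ADFS management console.
        String keystoreFile = "C:/Program Files (x86)/tomcat/tomcat-rp/conf/stsstore.jks";
        String keystorePass = "stsspass";
        String providerRegex = ".*CN=www.sts.com.*";
        String issuerCertFile = "adfs-signing.cer"; // placeholder

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, keystorePass.toCharArray());
        }
        X509Certificate issuerCert;
        try (InputStream in = new FileInputStream(issuerCertFile)) {
            issuerCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }

        // getName() returns the RFC 2253 form, e.g. "CN=ADFS Signing - host,O=..." (no spaces after commas)
        String subject = issuerCert.getSubjectX500Principal().getName();
        System.out.println("Issuer cert subject : " + subject);
        System.out.println("Matches provider    : " + subjectMatches(subject, providerRegex));
        System.out.println("Self-signed         : " + isSelfSigned(issuerCert));
        System.out.println("PeerTrust satisfied : " + peerTrust(ks, issuerCert));
        System.out.println("ChainTrust satisfied: " + chainTrust(ks, issuerCert));
    }

    /** Assumption: the provider regex is matched against the whole subject DN string. */
    static boolean subjectMatches(String subjectDn, String regex) {
        return Pattern.compile(regex).matcher(subjectDn).matches();
    }

    /** Self-signed: issuer equals subject and the signature verifies with the cert's own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** PeerTrust: the exact certificate must be stored in the keystore (any entry type). */
    static boolean peerTrust(KeyStore ks, X509Certificate cert) throws Exception {
        return ks.getCertificateAlias(cert) != null;
    }

    /**
     * ChainTrust: PKIX validation with the keystore's trusted certificate entries as anchors.
     * PKIXParameters(KeyStore) throws if the keystore holds no trustedCertEntry at all, which is
     * itself a useful finding: a keystore that only contains a private-key entry cannot satisfy ChainTrust.
     */
    static boolean chainTrust(KeyStore ks, X509Certificate cert) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.<Certificate>singletonList(cert));
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false); // no CRL/OCSP lookups in this offline check
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("ChainTrust failure  : " + e.getMessage());
            return false;
        }
    }
}
```

Run it with the keystore and the exported signing certificate in place; a "false" on the provider line means the regex in trustedIssuerItem does not match the certificate actually presented, and a "false" on the ChainTrust line with a self-signed certificate means the certificate is not present as a trusted entry in the keystore, which is the one way a self-signed issuer can chain to a trust anchor.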