Hi Gina

I'm confused about one fact. The wresult should contain the response of the STS.

>>> t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">& >>>

The namespace is very, very old - I guess WS-Trust 1.0. This should be the case. I've worked once with Visual Studio and WIF. Visual Studio also provides some sort of mock IdP/STS to do local testing before integrating with ADFS. This mock was using a more recent version. I can't imagine that ADFS only supports that. Do you have an option to configure a different format? Maybe because of that, an old SAML assertion is used which is not compatible with OpenSAML. I have to look into this further...

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________________
From: Gina Choi [ginacho...@gmail.com]
Sent: 16 May 2012 18:05
To: users@cxf.apache.org
Cc: Oliver Wulff
Subject: Re: CXF supporting scope

Hi Oliver,

I am going to work on creating a keystore and importing the ADFS signing cert later today. So, after I input my user name and password, ADFS 2.0 sends me back a SAML 1.0 token, but it fails in the RP. I monitored the browser through Fiddler. The exception occurred before checking the signature of the response; that's why I am going to deal with the signature later. Following is the exception that I received.
java.lang.NullPointerException
    org.apache.ws.security.saml.ext.OpenSAMLUtil.fromDom(OpenSAMLUtil.java:84)
    org.apache.ws.security.saml.ext.AssertionWrapper.parseElement(AssertionWrapper.java:678)
    org.apache.ws.security.saml.ext.AssertionWrapper.<init>(AssertionWrapper.java:152)
    org.apache.cxf.fediz.core.saml.SAMLTokenValidator.validateAndProcessToken(SAMLTokenValidator.java:98)
    org.apache.cxf.fediz.core.FederationProcessorImpl.processSignInRequest(FederationProcessorImpl.java:161)
    org.apache.cxf.fediz.core.FederationProcessorImpl.processRequest(FederationProcessorImpl.java:79)
    org.apache.cxf.fediz.tomcat.FederationAuthenticator.authenticate(FederationAuthenticator.java:291)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
    org.apache.cxf.fediz.tomcat.FederationAuthenticator.invoke(FederationAuthenticator.java:116)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
    org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
    java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    java.lang.Thread.run(Thread.java:662)

Following is the SAML 1.0 token that ADFS generated. I don't see a log file being generated.
<html><head><title>Working...</title></head><body>
<form method="POST" name="hiddenform" action="https://wkengchoi.global.sdl.corp:8443/fedizhelloworld/secureservlet/fed/">
<input type="hidden" name="wa" value="wsignin1.0" />
<input type="hidden" name="wresult" value="
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-05-16T15:46:55.163Z</wsu:Created>
    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-05-16T16:46:55.163Z</wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>https://wkengchoi.global.sdl.corp:8443/fedizhelloworld/</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a42aef09-be83-4a04-a498-e8318ccc5d87" Issuer="http://strts01.ams.dev/adfs/services/trust" IssueInstant="2012-05-16T15:46:55.288Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2012-05-16T15:46:55.163Z" NotOnOrAfter="2012-05-16T16:46:55.163Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://wkengchoi.global.sdl.corp:8443/fedizhelloworld/</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier>gc...@global.sdl.corp</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>Gina</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>Choi</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>gc...@sdl.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
          <saml:AttributeValue>Developer</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows" AuthenticationInstant="2012-05-16T15:46:55.054Z">
        <saml:Subject>
          <saml:NameIdentifier>gc...@global.sdl.corp</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
          <ds:Reference URI="#_a42aef09-be83-4a04-a498-e8318ccc5d87">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
            <ds:DigestValue>kWfVtgd1oOGYiPzn9GADAJMXTp8IX6yoD7TVu4rYQJo=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>e+cwpQuqQdlZzLDS6nwJ4VVPxjB7aI/fnzjVLO/m3vXyYVaR1OrBHup27L1AgH2fZsMKsoXKr7AuTjmeokM8oeCQfd1e1pvyupCoA1GajSa3FrGSkB9nlY4biacCPmwSxa2yUPJSUZSoA1nluJI3G/tCYEDtRpjfzDAFMWeHH1/MCfdIVk9380F3UkVPDoIuGUgJ40LJzXDwFQAhMqaYb5e9cmhCBp8Bxvnx/oYtMsgjHFiZwZczqPD/XT21xD0E8gCaYM+rqtGwq0xcPNq2ZgMxV/Cf+oSAI6OtxEFst/S/LTIfKjH/2au25E12FNmlF0sIRz6/R8xMoyqK6M1psA==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>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</X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
" />
<noscript><p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" /></noscript>
</form>
<script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
</body></html>

Thanks.
Gina
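Added example, not code from this thread or from Fediz: a relying-party pre-check of a wresult shaped like the one above (WS-Trust 2005/02 RSTR wrapping a SAML 1.1 bearer assertion), covering the things a defender wants confirmed before the token reaches the validator: assertion version, AppliesTo/Audience naming this RP, Conditions lifetime, bearer confirmation, and that the enveloped signature's Reference points at the assertion itself. The sample input is constructed (placeholder hosts, IDs and signature value); verifying the signature against the ADFS signing certificate is a separate step not shown here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by the ADFS 2.0 response in the thread: a WS-Trust 2005/02 RSTR
# wrapping a SAML 1.1 assertion (urn:oasis:names:tc:SAML:1.0:assertion).
NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_utc(stamp):
    """Parse an xsd:dateTime such as 2012-05-16T15:46:55.163Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def check_wresult(wresult, expected_audience, now):
    """Structural pre-validation of the (already HTML-unescaped) wresult parameter.
    Returns {check: bool}; signature verification against the IdP cert still has to follow."""
    root = ET.fromstring(wresult)
    checks = {"is_rstr": root.tag == "{%s}RequestSecurityTokenResponse" % NS["t"]}
    a = root.find("t:RequestedSecurityToken/saml:Assertion", NS)
    checks["saml11"] = a is not None and (a.get("MajorVersion"), a.get("MinorVersion")) == ("1", "1")
    if a is None:
        return checks
    # The RSTR's AppliesTo and the assertion's Audience must both name this relying party.
    applies_to = root.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", "", NS)
    audience = a.findtext("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", "", NS)
    checks["audience"] = applies_to == audience == expected_audience
    cond = a.find("saml:Conditions", NS)
    checks["lifetime"] = parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))
    # KeyType NoProofKey means a bearer token: every SubjectConfirmation must say so.
    methods = {m.text for m in a.iterfind(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)}
    checks["bearer"] = methods == {"urn:oasis:names:tc:SAML:1.0:cm:bearer"}
    # The enveloped signature must reference the assertion itself, not some other element.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    checks["signature_covers_assertion"] = ref is not None and ref.get("URI") == "#" + a.get("AssertionID")
    return checks

# Constructed sample (placeholder hosts and IDs), trimmed to the elements the checks look at.
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://rp.example/fedizhelloworld/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<t:RequestedSecurityToken><saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="http://sts.example/adfs/services/trust" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2012-05-16T15:46:55.163Z" NotOnOrAfter="2012-05-16T16:46:55.163Z"><saml:AudienceRestrictionCondition><saml:Audience>https://rp.example/fedizhelloworld/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows"><saml:Subject><saml:NameIdentifier>user@example</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</saml:Assertion></t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType></t:RequestSecurityTokenResponse>"""
```

A failed check here should abort the sign-in before any signature work, since a token for another audience or outside its lifetime is rejected regardless of who signed it.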