Hi Gina
>>> So, when your user is redirected to STS, it will issue renew request. I have heard that ADFS2.0 does not support renew request, but I will confirm it with ADFS forum.

No, it's not a renew request, just a redirect. As the browser might still have an active session the user is not prompted to enter username/password. I don't know whether ADFS supports the "wreq" parameter. In there, you could put an RST which contains a LifeTime element. If you use kerberos (often called Windows Integrated), the user won't be prompted anyway.

>>> I have attached mex file for ADFS2.0. I didn't get which .NET service you would like to have the wsdl file for?

Yes, please.

>>> If I use user name token when I validate client to STS using actas token, where do I configure user name and password? This user name and password can be a service account (not individual user account) to STS.

There are a bunch of good examples in the system tests:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml?view=markup

Instead of configuring a callback handler, you can also configure the password with the property "ws-security.password"

You want to use symmetric binding for the communication with ADFS and the ASP.NET service?

HTH

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________
From: Gina Choi [ginacho...@gmail.com]
Sent: 22 May 2012 00:28
To: Oliver Wulff
Cc: users@cxf.apache.org
Subject: Re: CXF supporting scope

Hi Oliver,

I have a last question for you today. If I use user name token when I validate client to STS using actas token, where do I configure user name and password? This user name and password can be a service account (not individual user account) to STS.

Thanks.
Gina

On Mon, May 21, 2012 at 6:14 PM, Gina Choi <ginacho...@gmail.com> wrote:

<<< No, the user is not kicked out from the session and he might not have to re-enter the credentials as the browser might still have a session with ADFS. If you use kerberos (browser <-> ADFS), you don't have to log in at all. The new token is then cached in the session.

<<< So, when your user is redirected to STS, it will issue renew request. I have heard that ADFS2.0 does not support renew request, but I will confirm it with ADFS forum.

<<< CXF supports transport binding (my example) as well as asymmetric and symmetric binding.

>>> In the real world, STS, Web client and Web service are located on different remote machines. So, I have clientstore.jks and servicestore.jks for the web client and web service. The keystore for ADFS2.0 is on the remote machine. My final goal is using symmetric bindings, but I can start with transport binding. It looks like I need to import the STS certificate into servicestore.jks. Does servicestore.jks need the client certificate as well? How about clientstore.jks? Does it need to import the web service certificate? How about the STS keystore? In symmetric bindings, it needs to import the web service certificate.

<<< Could you please attach the generated wsdl file of the .NET service and ADFS?

>>> I have attached the mex file for ADFS2.0. I didn't get which .NET service you would like to have the wsdl file for?

Thanks.
Gina
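A programmatic counterpart to the username/password configuration Oliver points to (the callback-handler alternative of setting "ws-security.password" directly), written here as an added example; it is not code from this thread or from the CXF project. The STS mex URL, the service and endpoint QNames, and the credential values are placeholders you would take from your own ADFS 2.0 mex document; the `StsClientConfig` class and its methods are hypothetical names, and the act-as property is assumed to be present in the CXF version in use.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.Bus;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.w3c.dom.Element;

/**
 * Hypothetical helper (added example, not CXF project code) that wires a
 * CXF STSClient so the web client authenticates to the STS with a
 * UsernameToken carrying a service account, not the end user's credentials.
 */
public class StsClientConfig {

    /**
     * Builds the STSClient. The password is passed through the
     * "ws-security.password" property (SecurityConstants.PASSWORD), which
     * replaces a CallbackHandler, as suggested in the thread.
     */
    public static STSClient buildStsClient(Bus bus, String serviceUser, String servicePassword) {
        STSClient stsClient = new STSClient(bus);

        // Placeholder mex location and QNames: take the real ones from the ADFS 2.0 mex file.
        stsClient.setWsdlLocation("https://sts.example.invalid/adfs/services/trust/mex");
        stsClient.setServiceName(
            "{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService");
        stsClient.setEndpointName(
            "{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}"
            + "UserNameWSTrustBinding_IWSTrust13Async");

        Map<String, Object> props = new HashMap<String, Object>();
        // Service-account credentials presented to the STS in the UsernameToken.
        props.put(SecurityConstants.USERNAME, serviceUser);   // "ws-security.username"
        props.put(SecurityConstants.PASSWORD, servicePassword); // "ws-security.password"
        stsClient.setProperties(props);
        return stsClient;
    }

    /**
     * Attaches the STSClient to a JAX-WS proxy and, optionally, supplies the
     * user's token as the ActAs element of the RST sent to the STS. Passing
     * null for actAsToken configures a plain issue request without ActAs.
     */
    public static void attach(Object port, STSClient stsClient, Element actAsToken) {
        Client client = ClientProxy.getClient(port);
        client.getRequestContext().put(SecurityConstants.STS_CLIENT, stsClient); // "ws-security.sts.client"
        if (actAsToken != null) {
            // Assumed available in CXF 2.5 and later: "ws-security.sts.token.act-as".
            client.getRequestContext().put(SecurityConstants.STS_TOKEN_ACT_AS, actAsToken);
        }
    }
}
```

The values handed to `buildStsClient` would normally be loaded from the application's own configuration rather than written into source; the same two properties can equally be set as `<entry>` elements in the Spring client configuration Oliver links to, which is the form the system tests use.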