Hi Sarafian

I can share the experience I have gained with WIF and CXF, based primarily on the Passive Requestor Profile.

The WS-Federation Passive Requestor Profile is supported by the CXF subproject called Fediz, which is described here (hope a release is available next week):
http://cxf.apache.org/fediz.html

I've tested the Fediz IDP/STS with ASP.NET and WIF, which is described on the following blog:
http://owulff.blogspot.ch/2012/02/configure-fediz-idp-and-aspnet-using.html

The Fediz STS is based on the CXF STS 2.6.1, which configures username/password and the user's claim in a file, but you can also attach an LDAP directory or write your custom plugin. You can find more information here:
http://cxf.apache.org/fediz-idp.html

In my case, I haven't used the FedUtil to generate the web.config configuration. I've created the config once and then copy/pasted it into the different ASP.NET projects.

Right now, neither the Fediz IDP nor STS supports publishing the WS-Federation Metadata document. This is supported only by the Fediz Relying Party - committed this morning ;-)

Please raise a JIRA with Fediz and CXF to track this request.

>>> Does the STS support identity delegation through the ActAs element? >>>

The STS supports identity delegation either with ActAs or OnBehalfOf. Fediz ships an example where a WS-Federation (passive) protected web application calls a web service which is protected by an IssuedToken policy. This example uses OnBehalfOf but ActAs is supported as well. Check the README here for more information:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/

HTH

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect http://coders.talend.com
Talend Application Integration Division http://www.talend.com

________________________________________
From: Sarafian [[email protected]]
Sent: 11 June 2012 16:39
To: [email protected]
Subject: Compatibility with Windows Identity Foundation (WIF)

Hi,

I'm part of a team that is prototyping against moving security from a trusted subsystem architecture towards an STS one. Most of the application is built on top of the .NET stack using the WIF library and the Windows Identity Foundation Federation Utility (FedUtil) for configuration. The STS tested against for now is ADFS. Our tests include passive and active profile with and without identity delegation.

Now we want to test against another STS, preferably one that doesn't use Active Directory as an Identity Provider. We are thinking about CXF STS and we are wondering how compatible it is.

Does CXF STS expose endpoints for configuration like ADFS does through the FederationMetadata.xml? This would be very useful for the FedUtil.

Does the STS support identity delegation through the ActAs element?

Whatever information you can provide will be appreciated.

Thank you in advance

--
View this message in context: http://cxf.547215.n5.nabble.com/Compatibility-with-Windows-Identity-Foundation-WIF-tp5709520.html
Sent from the cxf-user mailing list archive at Nabble.com.
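
The ActAs and OnBehalfOf delegation discussed in the thread, shown at the wire level as an added example that is not part of either e-mail and not code from CXF, Fediz or WIF. OnBehalfOf lives in the WS-Trust 1.3 namespace and ActAs in the WS-Trust 1.4 namespace, so an interoperability test between stacks has to match on the namespace as well as the element name. The function names, the service URL, the user name and the bare `UsernameToken` standing in for the delegated user's token are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"    # WS-Trust 1.3: OnBehalfOf
WST14 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802"  # WS-Trust 1.4: ActAs
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DELEGATION_NS = {"ActAs": WST14, "OnBehalfOf": WST}


def build_rst(audience, delegation=None, username=None):
    """Serialize an Issue RST, optionally delegating for `username`."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    applies_to = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies_to, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = audience
    if delegation is not None:
        qname = f"{{{DELEGATION_NS[delegation]}}}{delegation}"
        token = ET.SubElement(ET.SubElement(rst, qname), f"{{{WSSE}}}UsernameToken")
        ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    return ET.tostring(rst, encoding="unicode")


def delegation_info(rst_xml):
    """Return (mode, delegated_user, audience) for a serialized RST."""
    rst = ET.fromstring(rst_xml)
    audience = rst.findtext(
        f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address")
    found = [(name, el) for name, ns in DELEGATION_NS.items()
             for el in rst.findall(f"{{{ns}}}{name}")]
    if len(found) > 1:
        # Choice made for this example: refuse to guess which identity is meant.
        raise ValueError("ambiguous RST: more than one delegation element")
    if not found:
        return (None, None, audience)
    mode, wrapper = found[0]
    user = wrapper.findtext(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    return (mode, user, audience)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for mode in (None, "OnBehalfOf", "ActAs"):
        xml = build_rst("https://service.example/hello", mode, "alice")
        print(mode, "->", delegation_info(xml))
```

An `ActAs` element sent in the 1.3 namespace is not recognised by `delegation_info`, which is the kind of mismatch to look for when a request built by one stack is not treated as delegation by the other.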
