Hi Colm,
Thanks - I am currently checking that I can get FedizIP working as per the examples 
- and, as you have pointed out, my assertions are not currently signed (but are 
encrypted), so I will work out why StarterSTS hasn't signed them.
For testing purposes is there any way I can tell Fediz not to worry about 
signatures or should they always be signed (i.e. is this a flaw with the STS I 
am using, or is it valid to have a response like I have got, but Fediz is 
stricter than what I need)?
Thanks
Jonny

From: Colm O hEigeartaigh-3 [via CXF] 
[mailto:[email protected]]
Sent: 19 September 2012 14:18
To: Jonathan Muir
Subject: Re: Fediz and signatures

The error is thrown because the SAML Assertion returned by the STS is not
signed and hence Fediz does not trust it.

Colm.

On Tue, Sep 18, 2012 at 5:00 PM, Jonny Moo <[hidden email]> wrote:

> Hi - I am trying to get Fediz to work with my hello world Java Web App,
> using
> StarterSTS as my STS/IP (just for dev / learning purposes).
>
> I'm getting an error stating - Federation processing failed - Security
> token
> has no signature
>
> Could someone point me in the general direction of what I should be doing
> differently (be gentle - this whole area of ws-trust / federation is rather
> confusing - I'm trying to find my way through it).
>
> Thanks
>
> Jonny
>
> The response from the STS is (fediz config below the response)
>
> <trust:RequestSecurityTokenResponseCollection
>     xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>   <trust:RequestSecurityTokenResponse
>       Context="rm=0&amp;id=passive&amp;ru=%2fClaimsAwareTest%2f">
>     <trust:Lifetime>
>       <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-09-18T15:25:17.517Z</wsu:Created>
>       <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-09-18T16:25:17.517Z</wsu:Expires>
>     </trust:Lifetime>
>     <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>       <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
>         <Address>https://dev-ws1-1.dev.local:8482/ClaimsAwareTest/</Address>
>       </EndpointReference>
>     </wsp:AppliesTo>
>     <trust:RequestedSecurityToken>
>       <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>           xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             </e:EncryptionMethod>
>             <KeyInfo>
>               <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <X509Data>
>                   <X509IssuerSerial>
>                     <X509IssuerName>CN=dev-ws1-1.dev.local</X509IssuerName>
>                     <X509SerialNumber>139718072306124655679049092796879292434</X509SerialNumber>
>                   </X509IssuerSerial>
>                 </X509Data>
>               </o:SecurityTokenReference>
>             </KeyInfo>
>             <e:CipherData>
>               <e:CipherValue>Some stuff - I've stripped this out to make the post a bit shorter</e:CipherValue>
>             </e:CipherData>
>           </e:EncryptedKey>
>         </KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>more stuff</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedData>
>     </trust:RequestedSecurityToken>
>     <trust:RequestedAttachedReference>
>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_bb4531da-6bc5-45ed-81b0-1837436c9546</o:KeyIdentifier>
>       </o:SecurityTokenReference>
>     </trust:RequestedAttachedReference>
>     <trust:RequestedUnattachedReference>
>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_bb4531da-6bc5-45ed-81b0-1837436c9546</o:KeyIdentifier>
>       </o:SecurityTokenReference>
>     </trust:RequestedUnattachedReference>
>     <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
>     <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>     <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
>   </trust:RequestSecurityTokenResponse>
> </trust:RequestSecurityTokenResponseCollection>
>
>
> My fediz_config looks like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>
> <FedizConfig>
>   <contextConfig name="/fedizhelloworld">
>     <audienceUris>
>       <audienceItem>https://dev-ws1-1.dev.local:8481/fedizhelloworld/</audienceItem>
>     </audienceUris>
>     <certificateStores>
>       <trustManager>
>         <keyStore file="tomcat-rp.jks" password="tompass" type="JKS" />
>       </trustManager>
>     </certificateStores>
>     <trustedIssuers>
>       <issuer subject=".*CN=dev-ws1-1.dev.local.*"
>           certificateValidation="ChainTrust"
>           name="StarterSTSIssuer" />
>     </trustedIssuers>
>     <maximumClockSkew>1000</maximumClockSkew>
>     <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:type="federationProtocolType" version="1.0.0">
>       <realm>https://dev-ws1-1.dev.local:8481/fedizhelloworld/</realm>
>       <issuer>https://dev-ws1-1.dev.local:8482/StarterSTS/users/issue.aspx</issuer>
>       <roleDelimiter>,</roleDelimiter>
>       <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
>       <freshness>10000</freshness>
>       <claimTypesRequested>
>         <claimType type="a particular claim type" optional="true" />
>       </claimTypesRequested>
>     </protocol>
>   </contextConfig>
> </FedizConfig>
>
>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Fediz-and-signatures-tp5714092.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



Jonathan Muir | Local Government
Tel: 0113 201 0831 | Fax: 0113 244 0835 
e-mail: [email protected] | http://www.civica.co.uk/









--
View this message in context: 
http://cxf.547215.n5.nabble.com/Fediz-and-signatures-tp5714092p5714288.html
Sent from the cxf-user mailing list archive at Nabble.com.
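A triage check for the error discussed in this thread, written as an added example (not Fediz or StarterSTS code): it classifies what an STS put in trust:RequestedSecurityToken, so an encrypted token like the one in the StarterSTS response quoted above (where the RP cannot see a signature until it decrypts) is distinguished from a SAML 1.x assertion that is genuinely unsigned. The namespaces are the standard ones the quoted response declares; the sample responses are constructed.

```python
# Added example, not Fediz or StarterSTS code: classify what an STS put in
# trust:RequestedSecurityToken. Sample documents below are constructed.
import xml.etree.ElementTree as ET

NS = {
    "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

def classify_requested_token(rstr_xml: str) -> str:
    """Return 'encrypted', 'signed', 'unsigned' or 'missing'."""
    root = ET.fromstring(rstr_xml)
    token = root.find(".//trust:RequestedSecurityToken", NS)
    if token is None or len(token) == 0:
        return "missing"
    # Encrypted token: the RP must decrypt before it can even look for a
    # signature, which is the shape of the quoted StarterSTS response.
    if token.find("xenc:EncryptedData", NS) is not None:
        return "encrypted"
    assertion = token.find("saml:Assertion", NS)
    if assertion is None:
        return "missing"
    # An enveloped signature only counts if a Reference covers the AssertionID.
    assertion_id = assertion.get("AssertionID")
    sig = assertion.find("ds:Signature", NS)
    if sig is None or not assertion_id:
        return "unsigned"
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    covered = {r.get("URI", "").lstrip("#") for r in refs}
    return "signed" if assertion_id in covered else "unsigned"

def _rstr(inner: str) -> str:
    # Constructed minimal RSTR wrapper declaring the namespaces the real one uses
    return ('<trust:RequestSecurityTokenResponse'
            ' xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"'
            ' xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"'
            ' xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
            ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<trust:RequestedSecurityToken>' + inner + '</trust:RequestedSecurityToken>'
            '</trust:RequestSecurityTokenResponse>')

ENCRYPTED = _rstr('<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
                  '<xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue>'
                  '</xenc:CipherData></xenc:EncryptedData>')
SIGNED = _rstr('<saml:Assertion AssertionID="_abc"><ds:Signature><ds:SignedInfo>'
               '<ds:Reference URI="#_abc"/></ds:SignedInfo>'
               '<ds:SignatureValue>...</ds:SignatureValue></ds:Signature></saml:Assertion>')
UNSIGNED = _rstr('<saml:Assertion AssertionID="_abc"/>')
```

The check only reports structure; an "encrypted" result means the assertion has to be decrypted with the RP key before any signature validation can be attempted, and "signed" still needs the signature itself verified against a trusted issuer.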
