Fediz insists that the Assertions must be signed - it is not configurable.
I guess it is reasonable to allow tokens not to be signed for testing
purposes - could you raise a JIRA here?

https://issues.apache.org/jira/browse/FEDIZ

Colm.

On Thu, Sep 20, 2012 at 12:07 PM, Jonny Moo <[email protected]> wrote:

> Hi Colm,
> Thanks - I am currently checking that I can get FedizIP working as per
> examples - and as you have pointed out my assertions are not signed
> currently (but are encrypted) so I will work out why StarterSTS hasn't
> signed them.
> For testing purposes is there any way I can tell Fediz not to worry about
> signatures or should they always be signed (i.e. is this a flaw with the
> STS I am using, or is it valid to have a response like I have got, but
> Fediz is stricter than what I need)?
> Thanks
> Jonny
>
> From: Colm O hEigeartaigh-3 [via CXF] [mailto:
> [email protected]]
> Sent: 19 September 2012 14:18
> To: Jonathan Muir
> Subject: Re: Fediz and signatures
>
> The error is thrown because the SAML Assertion returned by the STS is not
> signed and hence Fediz does not trust it.
>
> Colm.
>
> On Tue, Sep 18, 2012 at 5:00 PM, Jonny Moo <[hidden email]> wrote:
>
> > Hi - I am trying to get Fediz to work with my hello world Java Web App,
> > using StarterSTS as my STS/IP (just for dev / learning purposes).
> >
> > I'm getting an error stating - Federation processing failed - Security
> > token has no signature
> >
> > Could someone point me in the general direction of what I should be doing
> > differently (be gentle - this whole area of ws-trust / federation is
> > rather confusing - I'm trying to find my way through it).
> >
> > Thanks
> >
> > Jonny
> >
> > The response from the STS is (fediz config below the response)
> >
> > <trust:RequestSecurityTokenResponseCollection
> >     xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> >   <trust:RequestSecurityTokenResponse
> >       Context="rm=0&amp;amp;id=passive&amp;amp;ru=%2fClaimsAwareTest%2f">
> >     <trust:Lifetime>
> >       <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-09-18T15:25:17.517Z</wsu:Created>
> >       <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-09-18T16:25:17.517Z</wsu:Expires>
> >     </trust:Lifetime>
> >     <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >       <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
> >         <Address>https://dev-ws1-1.dev.local:8482/ClaimsAwareTest/</Address>
> >       </EndpointReference>
> >     </wsp:AppliesTo>
> >     <trust:RequestedSecurityToken>
> >       <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
> >           xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
> >         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> >             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> >               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >             </e:EncryptionMethod>
> >             <KeyInfo>
> >               <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >                 <X509Data>
> >                   <X509IssuerSerial>
> >                     <X509IssuerName>CN=dev-ws1-1.dev.local</X509IssuerName>
> >                     <X509SerialNumber>139718072306124655679049092796879292434</X509SerialNumber>
> >                   </X509IssuerSerial>
> >                 </X509Data>
> >               </o:SecurityTokenReference>
> >             </KeyInfo>
> >             <e:CipherData>
> >               <e:CipherValue>Some stuff - i've stripped this out to make the post a bit shorter</e:CipherValue>
> >             </e:CipherData>
> >           </e:EncryptedKey>
> >         </KeyInfo>
> >         <xenc:CipherData>
> >           <xenc:CipherValue>more stuff</xenc:CipherValue>
> >         </xenc:CipherData>
> >       </xenc:EncryptedData>
> >     </trust:RequestedSecurityToken>
> >     <trust:RequestedAttachedReference>
> >       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_bb4531da-6bc5-45ed-81b0-1837436c9546</o:KeyIdentifier>
> >       </o:SecurityTokenReference>
> >     </trust:RequestedAttachedReference>
> >     <trust:RequestedUnattachedReference>
> >       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_bb4531da-6bc5-45ed-81b0-1837436c9546</o:KeyIdentifier>
> >       </o:SecurityTokenReference>
> >     </trust:RequestedUnattachedReference>
> >     <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
> >     <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
> >     <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
> >   </trust:RequestSecurityTokenResponse>
> > </trust:RequestSecurityTokenResponseCollection>
> >
> >
> > My fediz_config looks like this:
> >
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <FedizConfig>
> >   <contextConfig name="/fedizhelloworld">
> >     <audienceUris>
> >       <audienceItem>https://dev-ws1-1.dev.local:8481/fedizhelloworld/</audienceItem>
> >     </audienceUris>
> >     <certificateStores>
> >       <trustManager>
> >         <keyStore file="tomcat-rp.jks" password="tompass" type="JKS" />
> >       </trustManager>
> >     </certificateStores>
> >     <trustedIssuers>
> >       <issuer subject=".*CN=dev-ws1-1.dev.local.*"
> >           certificateValidation="ChainTrust" name="StarterSTSIssuer" />
> >     </trustedIssuers>
> >     <maximumClockSkew>1000</maximumClockSkew>
> >     <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >         xsi:type="federationProtocolType" version="1.0.0">
> >       <realm>https://dev-ws1-1.dev.local:8481/fedizhelloworld/</realm>
> >       <issuer>https://dev-ws1-1.dev.local:8482/StarterSTS/users/issue.aspx</issuer>
> >       <roleDelimiter>,</roleDelimiter>
> >       <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
> >       <freshness>10000</freshness>
> >       <claimTypesRequested>
> >         <claimType type="a particular claim type" optional="true" />
> >       </claimTypesRequested>
> >     </protocol>
> >   </contextConfig>
> > </FedizConfig>
> >
> > --
> > View this message in context:
> > http://cxf.547215.n5.nabble.com/Fediz-and-signatures-tp5714092.html
> > Sent from the cxf-user mailing list archive at Nabble.com.
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
> Jonathan Muir |  | Local Government
> Tel: 0113 201 0831 | Fax: 0113 244 0835
> e-mail: [email protected] | http://www.civica.co.uk/
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
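The rule Colm states above (an assertion without a signature is not trusted, and the token must chain to a configured trusted issuer) as an added example, not Fediz code and not anything posted in this thread: a small stand-alone Python checker that classifies the RequestedSecurityToken inside a WS-Trust RSTR as encrypted, unsigned or signed, refuses an unsigned assertion with the same message Jonny saw, and then matches the signer's X509IssuerName against a trusted-issuer pattern like the `subject` regex in the posted fediz_config. The namespace URIs are the standard WS-Trust 1.3, SAML 1.0, XML-DSig and XML-Enc ones; the sample RSTR documents and the issuer serial are constructed; the check is structural only and does not decrypt the token or cryptographically verify the signature.

```python
"""Structural signature check over a WS-Trust RSTR (added example, not Fediz).

Encryption (xenc:EncryptedData) gives confidentiality only; a relying party
still has to find a ds:Signature on the decrypted assertion and tie the
signer to a trusted issuer before it acts on the claims. This checker shows
that decision flow on constructed sample documents.
"""
import re
import xml.etree.ElementTree as ET

# Standard namespace URIs (all appear in the RSTR posted in the thread).
NS = {
    "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Taken from the trustedIssuers/issuer subject attribute in the posted config.
TRUSTED_ISSUER_SUBJECT = r".*CN=dev-ws1-1.dev.local.*"

NO_SIGNATURE_MSG = "Federation processing failed - Security token has no signature"


def _tag(prefix, local):
    """Clark-notation tag name, e.g. {uri}EncryptedData."""
    return "{%s}%s" % (NS[prefix], local)


def classify_token(rstr_xml):
    """Return 'encrypted', 'signed', 'unsigned', 'missing' or 'unknown'."""
    root = ET.fromstring(rstr_xml)
    token = root.find(".//trust:RequestedSecurityToken", NS)
    if token is None or len(token) == 0:
        return "missing"
    inner = token[0]
    if inner.tag == _tag("xenc", "EncryptedData"):
        # Cannot see the assertion yet; the signature check must run on the
        # decrypted content, which is the situation in the thread.
        return "encrypted"
    if inner.tag == _tag("saml", "Assertion"):
        return "signed" if inner.find("ds:Signature", NS) is not None else "unsigned"
    return "unknown"


def signing_issuer(rstr_xml):
    """X509IssuerName named in the assertion's Signature/KeyInfo, or None."""
    root = ET.fromstring(rstr_xml)
    name = root.find(
        ".//trust:RequestedSecurityToken/saml:Assertion/ds:Signature"
        "/ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName", NS)
    return None if name is None else (name.text or "").strip()


def validate(rstr_xml, trusted_issuer_pattern):
    """(accepted, detail): accept only a signed assertion from a trusted issuer."""
    kind = classify_token(rstr_xml)
    if kind == "encrypted":
        return False, "token is encrypted: decrypt first, then re-run the signature check"
    if kind != "signed":
        return False, NO_SIGNATURE_MSG
    issuer = signing_issuer(rstr_xml)
    if issuer is None or not re.fullmatch(trusted_issuer_pattern, issuer):
        return False, "signer %r does not match trusted issuer pattern" % issuer
    return True, issuer


def wrap_in_rstr(token_xml):
    """Constructed RSTR skeleton around a RequestedSecurityToken body."""
    return ('<trust:RequestSecurityTokenResponseCollection xmlns:trust="%s">'
            '<trust:RequestSecurityTokenResponse><trust:RequestedSecurityToken>'
            '%s</trust:RequestedSecurityToken></trust:RequestSecurityTokenResponse>'
            '</trust:RequestSecurityTokenResponseCollection>') % (NS["trust"], token_xml)


# Constructed sample tokens (placeholder cipher text and signature value).
ENCRYPTED_TOKEN = ('<xenc:EncryptedData xmlns:xenc="%s" Type="%sElement">'
                   '<xenc:CipherData><xenc:CipherValue>constructed</xenc:CipherValue>'
                   '</xenc:CipherData></xenc:EncryptedData>') % (NS["xenc"], NS["xenc"])
UNSIGNED_ASSERTION = ('<saml:Assertion xmlns:saml="%s" AssertionID="_constructed-1">'
                      '<saml:AuthenticationStatement/></saml:Assertion>') % NS["saml"]
SIGNED_ASSERTION = ('<saml:Assertion xmlns:saml="%s" AssertionID="_constructed-2">'
                    '<saml:AuthenticationStatement/>'
                    '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
                    '<ds:SignatureValue>constructed</ds:SignatureValue>'
                    '<ds:KeyInfo><ds:X509Data><ds:X509IssuerSerial>'
                    '<ds:X509IssuerName>CN=dev-ws1-1.dev.local</ds:X509IssuerName>'
                    '<ds:X509SerialNumber>1</ds:X509SerialNumber>'
                    '</ds:X509IssuerSerial></ds:X509Data></ds:KeyInfo></ds:Signature>'
                    '</saml:Assertion>') % (NS["saml"], NS["ds"])

if __name__ == "__main__":
    for label, tok in (("encrypted", ENCRYPTED_TOKEN), ("unsigned", UNSIGNED_ASSERTION),
                       ("signed", SIGNED_ASSERTION)):
        print(label, validate(wrap_in_rstr(tok), TRUSTED_ISSUER_SUBJECT))
```

The encrypted case is deliberately a separate outcome: the posted RSTR only shows an EncryptedData element, so nothing can be said about the signature until the relying party has decrypted it, which is why the thread's error surfaced only once Fediz looked at the inner assertion.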
