>>> Looking over the code for SAMLTokenValidator it appears that I can just add all my trusted issuers to the file and as long as it finds one that matches I'm good to go.

That's correct.

>>> However, for the audienceUris/audienceItem check it only looks at the first entry. Is this by design? Does it break the "standard" to check all of them and look for a match?

Where do you see that? The check is not (yet) done within the core but within the plugin for the container. See here:

http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java?view=markup

I will move it to fediz-core, thus it doesn't have to be reimplemented in each container plugin.

>>> Which still leaves: realm.

Hmmm... interesting... the realm identifies the application. Are you planning to have different applications within one war?

Thanks
Oli

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [[email protected]]
Sent: 16 July 2013 21:10
To: [email protected]
Subject: RE: Another Programmatic Fediz configuration question

Looking over the code for SAMLTokenValidator it appears that I can just add all my trusted issuers to the file and as long as it finds one that matches I'm good to go.

However, for the audienceUris/audienceItem check it only looks at the first entry. Is this by design? Does it break the "standard" to check all of them and look for a match?

Taking another look through everything I found IDPCallBack, which has been there for a while, so issuer is taken care of.

Which still leaves: realm. Would I be out of line filing a JIRA/patch for realm callback support?

Thanks again,
Tom Burton

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:[email protected]]
Sent: Monday, July 15, 2013 4:55 PM
To: [email protected]
Subject: Another Programmatic Fediz configuration question

So in my fediz_config.xml file the following values all relate to my Dev system.
    <audienceUris>
        <audienceItem>
            <!-- referred to as: <audienceUris><add value="[goes here]" /></audienceUris> in .NET -->
            https://cssdappstst.state.ak.us:8443/newhirereporting/
        </audienceItem>
    </audienceUris>
    <trustedIssuers>
        <!-- TODO: programmatically change this on deploy -->
        <issuer subject=".*" certificateValidation="ChainTrust" name="mydev-sign.alaska.gov" />
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.0.0">
        <realm>https://cssdappstst.state.ak.us:8443/newhirereporting/</realm>
        <issuer>https://mydev.alaska.gov/adfs/ls/</issuer>
        <!-- everything else -->
    </protocol>

I have created a CallBackHandler for SignInQuery to add my per-request customizations. However, I don't believe the listed tags have callbacks.

Also, for audienceItem and issuer, would it work to have both the development values and production values in there normally, since they look like they can hold more than one value? The end goal is to not have to recompile when moving a build that has passed tests into production.

Thanks again,
Tom Burton
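As an added illustration of the "check all of them and look for a match" behaviour Tom asks about, here is a small audience check written for this page. It is not Fediz code and not the FederationAuthenticator Oliver links to; the class name, method name and the production host are assumptions, and the token audiences below are constructed sample values rather than anything read from a real token.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not part of Fediz): accept a token if any audience it
 * asserts equals any configured <audienceItem>. Names are hypothetical.
 */
public final class AudienceCheck {

    private AudienceCheck() {
    }

    /**
     * Returns true when at least one audience in the token's
     * AudienceRestriction equals one of the configured audience URIs.
     * Comparison is exact string equality; no normalisation is applied.
     */
    public static boolean audienceMatches(List<String> configuredAudiences,
                                          List<String> assertedAudiences) {
        // A token without any audience says nothing about which application
        // it was issued for, so it is rejected rather than accepted by default.
        if (assertedAudiences == null || assertedAudiences.isEmpty()) {
            return false;
        }
        for (String asserted : assertedAudiences) {
            for (String configured : configuredAudiences) {
                if (configured.equals(asserted)) {
                    return true;
                }
            }
        }
        // Every asserted audience was checked against every configured entry.
        return false;
    }

    public static void main(String[] args) {
        // Constructed configuration mirroring the question in the thread:
        // the dev and prod application URIs both listed as audienceItem entries.
        // The prod host is a placeholder, not a value from the thread.
        List<String> configured = Arrays.asList(
            "https://cssdappstst.state.ak.us:8443/newhirereporting/",
            "https://PROD-HOST-PLACEHOLDER/newhirereporting/");

        // Constructed AudienceRestriction values as they would be read from a token.
        List<String> prodToken = Collections.singletonList(
            "https://PROD-HOST-PLACEHOLDER/newhirereporting/");
        List<String> otherApp = Collections.singletonList(
            "https://cssdappstst.state.ak.us:8443/otherapp/");
        List<String> noAudience = Collections.emptyList();

        System.out.println("prod token accepted:        "
            + audienceMatches(configured, prodToken));
        System.out.println("other application accepted: "
            + audienceMatches(configured, otherApp));
        System.out.println("token with no audience:     "
            + audienceMatches(configured, noAudience));
    }
}
```

Two points worth noting for anyone listing several environments in one configuration: the comparison is exact, so a token whose audience lacks the trailing slash present in the configured URI is rejected, and listing the production URI in a development deployment means a token issued for production would also be accepted there, which is only acceptable if the trusted issuers and signing certificates for the two environments are kept separate.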
