Hi.
I needed to change the
org.apache.cxf.fediz.service.idp.STSAuthenticationProvider class and hardcode
the crypto properties and encryption username (certificate alias) there. No
other configuration option seems possible with the current Fediz code.
------------- org.apache.cxf.fediz.service.idp.STSAuthenticationProvider --------------------
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        ...
        // credentials of the user being authenticated, passed on to the STS
        sts.getProperties().put(SecurityConstants.USERNAME, authentication.getName());
        sts.getProperties().put(SecurityConstants.PASSWORD, (String) authentication.getCredentials());
        // STS certificate needed for symmetric binding
        sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME, "ws-sec-comm.dirxaccess");   // 1
        sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES, "stsKeystoreA.properties"); // 2
        ...
    }
---------------------------------
But then I found that the RSTR response cannot be processed in the Fediz IDP (and
subsequently in the WS-Federation passive profile SP) :-( I have thus removed the
symmetric binding from the WS-Policy used by the STS, and then the whole walkthrough
ran well - my issue is solved.
I don't know if it makes sense to make Fediz configurable in this area, I don't
know WS-Federation use cases that well...
Regards,
Stepan.
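As an added illustration (not Fediz code and not from either poster), here is a hypothetical helper that sets the same STSClient properties the snippet above hardcodes, but takes the encryption alias and crypto properties file as parameters and verifies that the properties file is on the classpath and that its keystore really contains the alias, so a misconfiguration fails at startup instead of at token-request time. It assumes a Merlin-style crypto properties file using the `org.apache.ws.security.crypto.merlin.*` keys and a classpath-relative keystore path.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;

import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;

/** Hypothetical helper (not part of Fediz): configurable STS encryption settings with an up-front check. */
public final class StsEncryptionConfig {

    // Prefix of the Merlin crypto property names read from the properties file (assumption: Merlin is used).
    private static final String MERLIN = "org.apache.ws.security.crypto.merlin.";

    private StsEncryptionConfig() { }

    public static void configure(STSClient sts, String user, String password,
                                 String encryptAlias, String cryptoPropsFile) throws Exception {
        ClassLoader cl = StsEncryptionConfig.class.getClassLoader();

        // 1. The crypto properties file named in ENCRYPT_PROPERTIES must be resolvable on the classpath.
        Properties props = new Properties();
        try (InputStream in = cl.getResourceAsStream(cryptoPropsFile)) {
            if (in == null) {
                throw new IllegalStateException("crypto properties file not found: " + cryptoPropsFile);
            }
            props.load(in);
        }

        // 2. The keystore it points at must hold the STS certificate alias used for ENCRYPT_USERNAME;
        //    otherwise encryption for the symmetric binding fails later, at the first RST.
        String ksFile = props.getProperty(MERLIN + "keystore.file");
        String ksPassword = props.getProperty(MERLIN + "keystore.password");
        if (ksFile == null || ksPassword == null) {
            throw new IllegalStateException("keystore.file / keystore.password missing in " + cryptoPropsFile);
        }
        KeyStore ks = KeyStore.getInstance(props.getProperty(MERLIN + "keystore.type", "JKS"));
        try (InputStream in = cl.getResourceAsStream(ksFile)) {
            if (in == null) {
                throw new IllegalStateException("keystore not found on classpath: " + ksFile);
            }
            ks.load(in, ksPassword.toCharArray());
        }
        if (!ks.containsAlias(encryptAlias)) {
            throw new IllegalStateException("encryption alias not present in keystore: " + encryptAlias);
        }

        // 3. Only now hand the values to the STSClient, exactly as the hardcoded version does.
        sts.getProperties().put(SecurityConstants.USERNAME, user);
        sts.getProperties().put(SecurityConstants.PASSWORD, password);
        sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME, encryptAlias);
        sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES, cryptoPropsFile);
    }
}
```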
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Tuesday, February 11, 2014 4:48 PM
> To: [email protected]
> Subject: Re: Error "A encryption username needs to be declared" when using
> Fediz IdP with external WS-Trust STS
>
> Could you create a JIRA + I will look into it? You also need to specify a
> Crypto properties file as well as a username.
>
> Colm.