Hi Colm.
The exception in the Fediz IdP log (see attached) is:
----------------------------
2014-02-13 12:47:34,302 [org.apache.cxf.phase.PhaseInterceptorChain@http-nio-9443-exec-6] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Federation#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: An invalid security token was provided (Bad TokenType "")
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:790)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
------------------------------
Kind regards,
Stepan.
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, February 13, 2014 10:50 AM
> To: [email protected]
> Subject: Re: Error "A encryption username needs to be declared" when using
> Fediz IdP with external WS-Trust STS
>
> I think it makes sense to allow the user to pass through some Properties to
> the
> STSAuthenticationProvider, I will merge a fix for this. What is the error on
> processing the RSTR?
>
> Colm.
>
>
> On Thu, Feb 13, 2014 at 9:46 AM, Hrbacek, Stepan
> <[email protected]>wrote:
>
> > Hi.
> > I needed to change the
> > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider class and
> > hardcode the crypto properties and encryption username (certificate
> > alias) there. No other configuration option seems possible with the
> > current Fediz code.
> > -------------
> > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider
> > --------------------
> > @Override
> > public Authentication authenticate(Authentication authentication)
> >         throws AuthenticationException {
> >     ...
> >
> >     sts.getProperties().put(SecurityConstants.USERNAME,
> >             authentication.getName());
> >     sts.getProperties().put(SecurityConstants.PASSWORD,
> >             (String) authentication.getCredentials());
> >
> >     // STS certificate needed for symmetric binding
> >     sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME,
> >             "ws-sec-comm.dirxaccess");       // 1
> >     sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES,
> >             "stsKeystoreA.properties");      // 2
> >
> >     ...
> > }
> > ---------------------------------
> >
> > But then I found that the RSTR response cannot be processed in the Fediz
> > IdP (and subsequently in the WS-Federation passive profile SP) :-( I have
> > thus removed the symmetric binding from the WS-Policy used by the STS and
> > then the whole walkthrough ran well - my issue is solved.
> > I don't know if it makes sense to make Fediz configurable in this
> > area, I don't know WS-Federation use cases that well...
> >
> > Regards,
> > Stepan.
> >
> >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Tuesday, February 11, 2014 4:48 PM
> > > To: [email protected]
> > > Subject: Re: Error "A encryption username needs to be declared" when
> > > using Fediz IdP with external WS-Trust STS
> > >
> > > Could you create a JIRA + I will look into it? You also need to
> > > specify a Crypto properties file as well as a username.
> > >
> > > Colm.
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
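As an added illustration of the configurable approach Colm proposes above (this is not Fediz code and not the fix he merged), the sketch below injects the STS client properties from the Spring context instead of hardcoding the alias and crypto file as in Stepan's patched class, and refuses to start when only one of ENCRYPT_USERNAME and ENCRYPT_PROPERTIES is given, since both are needed for the symmetric binding. The class name, the `stsProperties` setter and the `appliesTo` constructor argument are assumptions; the CXF and Spring Security types are the real ones.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

/** Hypothetical provider, not Fediz code: STS client properties come from Spring config. */
public class ConfigurableStsAuthenticationProvider implements AuthenticationProvider {
    private final STSClient sts;          // configured STSClient bean
    private final String appliesTo;       // assumed: service/realm the token is issued for
    private Map<String, Object> stsProperties = Collections.emptyMap();

    public ConfigurableStsAuthenticationProvider(STSClient sts, String appliesTo) {
        this.sts = sts; this.appliesTo = appliesTo;
    }

    /** Injected map, e.g. ENCRYPT_USERNAME -> certificate alias, ENCRYPT_PROPERTIES -> crypto file. */
    public void setStsProperties(Map<String, Object> props) {
        // The symmetric binding needs both values; fail at startup instead of at the first login.
        boolean alias = props.containsKey(SecurityConstants.ENCRYPT_USERNAME);
        boolean crypto = props.containsKey(SecurityConstants.ENCRYPT_PROPERTIES);
        if (alias != crypto) {
            throw new IllegalArgumentException("ENCRYPT_USERNAME and ENCRYPT_PROPERTIES must be set together");
        }
        this.stsProperties = new LinkedHashMap<>(props);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Map<String, Object> p = sts.getProperties();   // shared client state, as in the quoted code
        p.putAll(stsProperties);                       // replaces the hardcoded put(...) calls
        p.put(SecurityConstants.USERNAME, authentication.getName());
        p.put(SecurityConstants.PASSWORD, (String) authentication.getCredentials());
        try {
            SecurityToken token = sts.requestSecurityToken(appliesTo);   // RST/RSTR exchange
            // Authenticated result carries the issued token rather than the password (assumption)
            return new UsernamePasswordAuthenticationToken(authentication.getName(), token,
                    Collections.<GrantedAuthority>emptyList());
        } catch (Exception e) {
            throw new BadCredentialsException("STS rejected the credentials", e);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```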