Thanx, Colm, importing the STS certs should work for us. I don't think a shared token cache is an option in our architecture but I'll definitely check it out, thanx for the tip!
Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Wednesday, May 28, 2014 8:11 AM
To: [email protected]
Subject: Re: Trust between multiple STS

Yes, importing the trusted certs in the various STS instances should work. Another alternative is to use a distributed TokenStore implementation (such as the Hazelcast one in sts-core), which means that the STS instances all share the same cache + should then automatically trust a token issued by another STS that shares the same cache.

Colm.

On Wed, May 28, 2014 at 12:21 PM, <[email protected]> wrote:
> In order to support high availability and domain segregation
> requirements, our STS deployment will likely consist of multiple STS
> being deployed between two or more domains, each with their own
> certificate. In theory, all of the STS should trust each other, i.e.,
> each STS should accept tokens issued by any of the other STS when
> passed in through the RST/ActAs element or when passed into the
> Validate interface. Can the CXF STS be configured with this sort of
> trust relationship, maybe through importing all the trusted certs into the
> STS keystore or trust store?
>
> Thanx,
>
> Stephen W. Chappell
>

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
