Hello all,

  I am trying to run the simpleWebApp example in CXF Fediz 1.1.1.

  I've downloaded:
apache-fediz-1.1.1.zip and
apache-tomcat-7.0.55.tar.gz

  I followed the manual here: http://cxf.apache.org/fediz.html

I've set up a separate Tomcat for the IDP and STS, at port 9443. See attached server.xml. I've copied idp-ssl-server.jks to Tomcat's conf dir.

  I've checked that the wsdl is available at
http://localhost:9080/fediz-idp-sts/STSService?wsdl

  I've found that the wsdl is not available there but available at
http://localhost:9080/fediz-idp-sts

  I guess that's not a real problem.

I've set up a separate Tomcat for the Relying Party (simpleWebApp). See attached server.xml. I've copied rp-ssl-server.jks and ststrust.jks to Tomcat's conf dir. I've copied src/main/config/fediz_config.xml to Tomcat's conf dir.

I've set up the CXF Federation Tomcat plugin according to http://cxf.apache.org/fediz-tomcat.html (copy libs to lib/fediz, update properties)

I've set up https connector with keystore rp-ssl-server.jks (note that the manual at http://cxf.apache.org/fediz-tomcat.html uses "tomcat-rp.jks" in the connector. I think that it was OK to change it to rp-ssl-server.jks since that was the file in the fediz 1.1.1 zip. But maybe that's the problem?)

I've set up the valve with context level in server.xml. Note that I had to change "Fediz_conf.xml" to "fediz_conf.xml". I've effectively used the fediz_config from the zip, not from the manual at http://cxf.apache.org/fediz-configuration.html.

I've built the simpleWebapp and copied the resulting war to Tomcat's webapps.

I've started this Tomcat and visited https://localhost:8443/fedizhelloworld/secure/fedservlet according to the README.txt in simpleWebapp.

I've clicked "Select Home Realm" with the selection "IDP of Realm A". Then I've got 401.

  In the Relying Party's log I saw:
Sep 24, 2014 2:05:00 PM org.apache.cxf.fediz.tomcat.FederationAuthenticator authenticate
SEVERE: Federation processing failed: Security token issuer not trusted

  In the IDP / STS's log I saw:
... (see attached file for full log)
2014-09-24 14:04:59,137 [http-bio-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.STSClientAction - [RP_TOKEN=_D9DB6FA72D6093EFDC14115602981082] successfully created for realm [urn:org:apache:cxf:fediz:fedizhelloworld] on behalf of [IDP_TOKEN=_D9DB6FA72D6093EFDC14115602475511]

I guess I did something wrong but I can't find out what. Could you please help me with this?

  Thank you, best regards, Peter
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the BIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="tomcat-rp.jks"
           keystorePass="tompass" sslProtocol="TLS" />
           -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="conf/rp-ssl-server.jks"
           keystorePass="tompass" sslProtocol="TLS" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

        <Context path="/fedizhelloworld" docBase="fedizhelloworld">
          <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
                 configFile="conf/fediz_config.xml" />
        </Context>

      </Host>
    </Engine>
  </Service>
</Server>
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="9005" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="9080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="9443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the BIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        keystoreFile="conf/idp-ssl-server.jks"
        keystorePass="tompass" sslProtocol="TLS" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>
2014-09-24 14:04:05,698 [http-bio-9443-exec-1] INFO  
org.apache.cxf.fediz.service.idp.STSPortFilter  - 
STSAuthenticationProvider.wsdlLocation set to 
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
2014-09-24 14:04:05,942 [http-bio-9443-exec-2] INFO  
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound 
Message
----------------------------
ID: 1
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive], 
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache], 
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-09-24 14:04:06,112 [http-bio-9443-exec-4] INFO  
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound 
Message
----------------------------
ID: 2
Address: 
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl=ws-trust-1.4.wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive], 
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache], 
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-09-24 14:04:06,343 [http-bio-9443-exec-1] WARN  
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl  - No assertion builder 
for type {http://www.w3.org/2006/05/addressing/wsdl}UsingAddressing registered.
2014-09-24 14:04:06,485 [http-bio-9443-exec-1] INFO  
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Outbound 
Message
---------------------------
ID: 1
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*], 
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"]}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 soap:mustUnderstand="1"><wsse:UsernameToken 
wsu:Id="UsernameToken-96B9DCBE3F2CD832AB14115602464821"><wsse:Username>bob</wsse:Username><wsse:Password
 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";>bob</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><soap:Body><wst:RequestSecurityToken
 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
 xmlns:wsp="http://www.w3.org/ns/ws-policy";><wsa:EndpointReference 
xmlns:wsa="http://www.w3.org/2005/08/addressing";><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-09-24 14:04:06,522 [http-bio-9443-exec-6] INFO  
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound 
Message
----------------------------
ID: 3
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive], 
Content-Length=[1329], content-type=[text/xml; charset=UTF-8], 
host=[localhost:9443], pragma=[no-cache], 
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue";], 
user-agent=[Apache CXF 2.7.11]}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 soap:mustUnderstand="1"><wsse:UsernameToken 
wsu:Id="UsernameToken-96B9DCBE3F2CD832AB14115602464821"><wsse:Username>bob</wsse:Username><wsse:Password
 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";>bob</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><soap:Body><wst:RequestSecurityToken
 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
 xmlns:wsp="http://www.w3.org/ns/ws-policy";><wsa:EndpointReference 
xmlns:wsa="http://www.w3.org/2005/08/addressing";><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-09-24 14:04:06,760 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Parsing RequestSecurityToken
2014-09-24 14:04:06,763 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found AppliesTo element
2014-09-24 14:04:06,763 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found TokenType: 
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-09-24 14:04:06,763 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found KeyType: 
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
2014-09-24 14:04:06,763 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found Renewing token
2014-09-24 14:04:06,763 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Received Context attribute: null
2014-09-24 14:04:06,763 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-09-24 14:04:06,763 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference 
element
2014-09-24 14:04:06,764 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-09-24 14:04:06,764 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - The AppliesTo address that 
has been received is: urn:fediz:idp
2014-09-24 14:04:06,764 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.service.StaticService  - Address urn:fediz:idp matches with 
pattern .*
2014-09-24 14:04:06,764 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Handling token of type: 
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-09-24 14:04:06,765 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.DefaultSubjectProvider  - Creating new 
subject with principal name: bob
2014-09-24 14:04:07,611 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - SAMLRealm signature 
keystore used
2014-09-24 14:04:07,612 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signature alias is null 
so using default alias: realma
2014-09-24 14:04:07,612 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Creating SAML Token
2014-09-24 14:04:07,612 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signing SAML Token
2014-09-24 14:04:07,700 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.TokenIssueOperation  - Encrypting Issued Token: 
false
2014-09-24 14:04:07,702 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime creation: 
2014-09-24T12:04:07.608Z
2014-09-24 14:04:07,702 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime expiration: 
2014-09-24T12:24:07.608Z
2014-09-24 14:04:07,703 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.event.map.MapEventLogger  - 9/24/14 2:04:07 
PM;SUCCESS;951ms;127.0.0.1;48104;Issue;https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT;REALMA;bob;<null>;<null>;<null>;<null>;<null>;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0;urn:fediz:idp;<null>;<null>;<null>;<null>;
2014-09-24 14:04:07,746 [http-bio-9443-exec-6] INFO  
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Outbound 
Message
---------------------------
ID: 3
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml
Headers: {}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
 xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; 
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 xmlns:ns4="http://www.w3.org/2005/08/addressing"; 
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802";><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
ID="_D9DB6FA72D6093EFDC14115602475511" IssueInstant="2014-09-24T12:04:07.579Z" 
Version="2.0" xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm 
A</saml2:Issuer><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod
 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference 
URI="#_D9DB6FA72D6093EFDC14115602475511"><ds:Transforms><ds:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>tKsNsNXXFNiHHf1+qXLV+MAdD1Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>nBgqdzH/qqLaMkEwFxsY+RaCDUj+/tK2YVIAcrc5A+ru/MpWvFf4BdFqebTIA30Lxmqn/zoP7b1c4QOnB9TM5PETDJWb0saK7UoJ1vWyW8toIVV4c1cES4ZUv+ULRrSw1gP2t04apeUsPNpduCZqb7LH3SJBnflLzBRo5N6+CaEo5qxTvUBZiNvqg0KIt7IOvHZ4Q/xQ1e7Z6zGLQc3Pz0yJyvWua2FzK5h+PlevM8mheLkskMynkuJOD4nOokwfAvpMxrkAeHdqps3XRli+STwRV611RJ/6sjf9dqnuTK3yjZnUHFTIPFy2u4nVbDPvxmW7E5ummCKml0Wcu1bhSw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN
ys1YXREbVVFVlS+3Sob0hd0SJr/hsHl9Hw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
NameQualifier="http://cxf.apache.org/sts";>bob</saml2:NameID><saml2:SubjectConfirmation
 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
 NotBefore="2014-09-24T12:04:07.608Z" 
NotOnOrAfter="2014-09-24T12:24:07.608Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns3:SecurityTokenReference
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><ns3:KeyIdentifier
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>_D9DB6FA72D6093EFDC14115602475511</ns3:KeyIdentifier></ns3:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns3:SecurityTokenReference
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><ns3:KeyIdentifier
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>_D9DB6FA72D6093EFDC14115602475511</ns3:KeyIdentifier></ns3:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";><wsa:EndpointReference
 
xmlns:wsa="http://www.w3.org/2005/08/addressing";><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns2:Created>2014-09-24T12:04:07.608Z</ns2:Created><ns2:Expires>2014-09-24T12:24:07.608Z</ns2:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-09-24 14:04:07,753 [http-bio-9443-exec-1] INFO  
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound 
Message
----------------------------
ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {content-type=[text/xml;charset=UTF-8], Date=[Wed, 24 Sep 2014 
12:04:07 GMT], Server=[Apache-Coyote/1.1], transfer-encoding=[chunked]}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
 xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; 
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 xmlns:ns4="http://www.w3.org/2005/08/addressing"; 
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802";><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
ID="_D9DB6FA72D6093EFDC14115602475511" IssueInstant="2014-09-24T12:04:07.579Z" 
Version="2.0" xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm 
A</saml2:Issuer><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod
 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference 
URI="#_D9DB6FA72D6093EFDC14115602475511"><ds:Transforms><ds:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>tKsNsNXXFNiHHf1+qXLV+MAdD1Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>nBgqdzH/qqLaMkEwFxsY+RaCDUj+/tK2YVIAcrc5A+ru/MpWvFf4BdFqebTIA30Lxmqn/zoP7b1c4QOnB9TM5PETDJWb0saK7UoJ1vWyW8toIVV4c1cES4ZUv+ULRrSw1gP2t04apeUsPNpduCZqb7LH3SJBnflLzBRo5N6+CaEo5qxTvUBZiNvqg0KIt7IOvHZ4Q/xQ1e7Z6zGLQc3Pz0yJyvWua2FzK5h+PlevM8mheLkskMynkuJOD4nOokwfAvpMxrkAeHdqps3XRli+STwRV611RJ/6sjf9dqnuTK3yjZnUHFTIPFy2u4nVbDPvxmW7E5ummCKml0Wcu1bhSw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
NameQualifier="http://cxf.apache.org/sts";>bob</saml2:NameID><saml2:SubjectConfirmation
 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
 NotBefore="2014-09-24T12:04:07.608Z" 
NotOnOrAfter="2014-09-24T12:24:07.608Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns3:SecurityTokenReference
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><ns3:KeyIdentifier
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>_D9DB6FA72D6093EFDC14115602475511</ns3:KeyIdentifier></ns3:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns3:SecurityTokenReference
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><ns3:KeyIdentifier
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>_D9DB6FA72D6093EFDC14115602475511</ns3:KeyIdentifier></ns3:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";><wsa:EndpointReference
 
xmlns:wsa="http://www.w3.org/2005/08/addressing";><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns2:Created>2014-09-24T12:04:07.608Z</ns2:Created><ns2:Expires>2014-09-24T12:24:07.608Z</ns2:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-09-24 14:04:07,846 [http-bio-9443-exec-1] INFO  
org.springframework.web.context.support.GenericWebApplicationContext  - 
Refreshing Flow ApplicationContext [federation]: startup date [Wed Sep 24 
14:04:07 CEST 2014]; parent: WebApplicationContext for namespace 'idp-servlet'
2014-09-24 14:04:07,849 [http-bio-9443-exec-1] INFO  
org.springframework.beans.factory.support.DefaultListableBeanFactory  - 
Pre-instantiating singletons in 
org.springframework.beans.factory.support.DefaultListableBeanFactory@1970e44b: 
defining beans 
[org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
 parent: 
org.springframework.beans.factory.support.DefaultListableBeanFactory@2a3709d7
2014-09-24 14:04:07,981 [http-bio-9443-exec-1] INFO  
org.springframework.web.context.support.GenericWebApplicationContext  - 
Refreshing Flow ApplicationContext [signinRequest]: startup date [Wed Sep 24 
14:04:07 CEST 2014]; parent: WebApplicationContext for namespace 'idp-servlet'
2014-09-24 14:04:07,984 [http-bio-9443-exec-1] INFO  
org.springframework.beans.factory.support.DefaultListableBeanFactory  - 
Pre-instantiating singletons in 
org.springframework.beans.factory.support.DefaultListableBeanFactory@4ac28ba1: 
defining beans 
[org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
 parent: 
org.springframework.beans.factory.support.DefaultListableBeanFactory@2a3709d7
2014-09-24 14:04:08,001 [http-bio-9443-exec-1] INFO  
org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction  - HRDS is 
null (Mock).
Sep 24, 2014 2:04:08 PM org.apache.jasper.compiler.TldLocationsCache tldScanJar
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug 
logging for this logger for a complete list of JARs that were scanned but no 
TLDs were found in them. Skipping unneeded JARs during scanning can improve 
startup time and JSP compilation time.
2014-09-24 14:04:57,820 [http-bio-9443-exec-8] INFO  
org.apache.cxf.fediz.service.idp.beans.CacheTokenForWauthAction  - Token 
[IDP_TOKEN=_D9DB6FA72D6093EFDC14115602475511] for realm 
[urn:org:apache:cxf:fediz:idp:realm-A] successfully cached.
2014-09-24 14:04:57,824 [http-bio-9443-exec-8] INFO  
org.apache.cxf.fediz.service.idp.beans.STSClientAction  - STS WSDL URL updated 
to https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl
2014-09-24 14:04:57,868 [http-bio-9443-exec-9] INFO  
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound 
Message
----------------------------
ID: 4
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive], 
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache], 
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-09-24 14:04:57,978 [http-bio-9443-exec-2] INFO  
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound 
Message
----------------------------
ID: 5
Address: 
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl=ws-trust-1.4.wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive], 
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache], 
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-09-24 14:04:58,032 [http-bio-9443-exec-8] INFO  
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Outbound 
Message
---------------------------
ID: 2
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*], 
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"]}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><wst:RequestSecurityToken
 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
 xmlns:wsp="http://www.w3.org/ns/ws-policy";><wsa:EndpointReference 
xmlns:wsa="http://www.w3.org/2005/08/addressing";><wsa:Address>urn:org:apache:cxf:fediz:fedizhelloworld</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Claims
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; 
Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity";><ic:ClaimType 
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; Optional="false" 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/><ic:ClaimType
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; Optional="false" 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/><ic:ClaimType
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; Optional="false" 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/><ic:ClaimType
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; Optional="true" 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/></wst:Claims><wst:OnBehalfOf><saml2:Assertion
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
ID="_D9DB6FA72D6093EFDC14115602475511" IssueInstant="2014-09-24T12:04:07.579Z" 
Version="2.0" xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm 
A</saml2:Issuer><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod
 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference 
URI="#_D9DB6FA72D6093EFDC14115602475511"><ds:Transforms><ds:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>tKsNsNXXFNiHHf1+qXLV+MAdD1Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>nBgqdzH/qqLaMkEwFxsY+RaCDUj+/tK2YVIAcrc5A+ru/MpWvFf4BdFqebTIA30Lxmqn/zoP7b1c4QOnB9TM5PETDJWb0saK7UoJ1vWyW8toIVV4c1cES4ZUv+ULRrSw1gP2t04apeUsPNpduCZqb7LH3SJBnflLzBRo5N6+CaEo5qxTvUBZiNvqg0KIt7IOvHZ4Q/xQ1e7Z6zGLQc3Pz0yJyvWua2FzK5h+PlevM8mheLkskMynkuJOD4nOokwfAvpMxrkAeHdqps3XRli+STwRV611RJ/6sjf9dqnuTK3yjZnUHFTIPFy2u4nVbDPvxmW7E5ummCKml0Wcu1bhSw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
NameQualifier="http://cxf.apache.org/sts";>bob</saml2:NameID><saml2:SubjectConfirmation
 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
 NotBefore="2014-09-24T12:04:07.608Z" 
NotOnOrAfter="2014-09-24T12:24:07.608Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></wst:OnBehalfOf><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:Lifetime
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";><wsu:Created>2014-09-24T12:04:58.010Z</wsu:Created><wsu:Expires>2014-09-24T13:04:58.010Z</wsu:Expires></wst:Lifetime><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-09-24 14:04:58,034 [http-bio-9443-exec-6] INFO  
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound 
Message
----------------------------
ID: 6
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive], 
content-type=[text/xml; charset=UTF-8], host=[localhost:9443], 
pragma=[no-cache], 
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue";], 
transfer-encoding=[chunked], user-agent=[Apache CXF 2.7.11]}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><wst:RequestSecurityToken
 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
 xmlns:wsp="http://www.w3.org/ns/ws-policy";><wsa:EndpointReference 
xmlns:wsa="http://www.w3.org/2005/08/addressing";><wsa:Address>urn:org:apache:cxf:fediz:fedizhelloworld</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Claims
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; 
Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity";><ic:ClaimType 
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; Optional="false" 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/><ic:ClaimType
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; Optional="false" 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/><ic:ClaimType
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; Optional="false" 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/><ic:ClaimType
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"; Optional="true" 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/></wst:Claims><wst:OnBehalfOf><saml2:Assertion
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
ID="_D9DB6FA72D6093EFDC14115602475511" IssueInstant="2014-09-24T12:04:07.579Z" 
Version="2.0" xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm 
A</saml2:Issuer><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod
 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference 
URI="#_D9DB6FA72D6093EFDC14115602475511"><ds:Transforms><ds:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>tKsNsNXXFNiHHf1+qXLV+MAdD1Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>nBgqdzH/qqLaMkEwFxsY+RaCDUj+/tK2YVIAcrc5A+ru/MpWvFf4BdFqebTIA30Lxmqn/zoP7b1c4QOnB9TM5PETDJWb0saK7UoJ1vWyW8toIVV4c1cES4ZUv+ULRrSw1gP2t04apeUsPNpduCZqb7LH3SJBnflLzBRo5N6+CaEo5qxTvUBZiNvqg0KIt7IOvHZ4Q/xQ1e7Z6zGLQc3Pz0yJyvWua2FzK5h+PlevM8mheLkskMynkuJOD4nOokwfAvpMxrkAeHdqps3XRli+STwRV611RJ/6sjf9dqnuTK3yjZnUHFTIPFy2u4nVbDPvxmW7E5ummCKml0Wcu1bhSw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
NameQualifier="http://cxf.apache.org/sts";>bob</saml2:NameID><saml2:SubjectConfirmation
 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
 NotBefore="2014-09-24T12:04:07.608Z" 
NotOnOrAfter="2014-09-24T12:24:07.608Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></wst:OnBehalfOf><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:Lifetime
 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";><wsu:Created>2014-09-24T12:04:58.010Z</wsu:Created><wsu:Expires>2014-09-24T13:04:58.010Z</wsu:Expires></wst:Lifetime><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-09-24 14:04:58,051 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Parsing RequestSecurityToken
2014-09-24 14:04:58,052 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found AppliesTo element
2014-09-24 14:04:58,054 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found Primary Claims token
2014-09-24 14:04:58,055 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.ReceivedToken  - Found ValidateTarget element: 
Assertion
2014-09-24 14:04:58,055 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found OnBehalfOf token
2014-09-24 14:04:58,055 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found TokenType: 
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-09-24 14:04:58,055 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.Lifetime  - Found created value: 
2014-09-24T12:04:58.010Z
2014-09-24 14:04:58,055 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.Lifetime  - Found expires value: 
2014-09-24T13:04:58.010Z
2014-09-24 14:04:58,055 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found Lifetime element
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found KeyType: 
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Found Renewing token
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.request.RequestParser  - Received Context attribute: null
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference 
element
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - The AppliesTo address that 
has been received is: urn:org:apache:cxf:fediz:fedizhelloworld
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.service.StaticService  - Address 
urn:org:apache:cxf:fediz:fedizhelloworld matches with pattern .*
2014-09-24 14:04:58,056 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.validator.SAMLTokenValidator  - Validating SAML Token
2014-09-24 14:04:58,099 [http-bio-9443-exec-6] WARN  
org.apache.ws.security.validate.SignatureTrustValidator  - No Subject DN 
Certificate Constraints were defined. This could be a security issue
2014-09-24 14:04:58,102 [http-bio-9443-exec-6] INFO  
org.apache.cxf.fediz.service.sts.realms.SamlRealmCodec  - Realm parsed in 
certificate: REALMA
2014-09-24 14:04:58,103 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-09-24 14:04:58,103 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference 
element
2014-09-24 14:04:58,103 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-09-24 14:04:58,105 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Handling token of type: 
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-09-24 14:04:58,105 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.fediz.service.sts.realms.RealmFileClaimsHandler  - Claims found 
for principal 'bob'
2014-09-24 14:04:58,106 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.fediz.service.sts.realms.RealmFileClaimsHandler  - Realm 
'REALMA' doesn't match with configured realm 'REALMB'
2014-09-24 14:04:58,107 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - 
AttributeStatementsorg.apache.ws.security.saml.ext.bean.AttributeStatementBean@aa541a0breturned
 by AttributeStatementProvider 
org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider
2014-09-24 14:04:58,107 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.DefaultSubjectProvider  - Creating new 
subject with principal name: bob
2014-09-24 14:04:58,113 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - SAMLRealm signature 
keystore used
2014-09-24 14:04:58,113 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signature alias is null 
so using default alias: realma
2014-09-24 14:04:58,113 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Creating SAML Token
2014-09-24 14:04:58,113 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signing SAML Token
2014-09-24 14:04:58,132 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.TokenIssueOperation  - Encrypting Issued Token: 
false
2014-09-24 14:04:58,132 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime creation: 
2014-09-24T12:04:58.010Z
2014-09-24 14:04:58,132 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime expiration: 
2014-09-24T13:04:58.010Z
2014-09-24 14:04:58,133 [http-bio-9443-exec-6] DEBUG 
org.apache.cxf.sts.event.map.MapEventLogger  - 9/24/14 2:04:58 
PM;SUCCESS;81ms;127.0.0.1;48108;Issue;https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport;REALMA;<null>;bob;<null>;<null>;<null>;<null>;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0;urn:org:apache:cxf:fediz:fedizhelloworld;[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,
 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role];<null>;<null>;<null>;
2014-09-24 14:04:58,142 [http-bio-9443-exec-6] INFO  
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Outbound 
Message
---------------------------
ID: 6
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml
Headers: {}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
 xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; 
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 xmlns:ns4="http://www.w3.org/2005/08/addressing"; 
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802";><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
ID="_D9DB6FA72D6093EFDC14115602981082" IssueInstant="2014-09-24T12:04:58.108Z" 
Version="2.0" xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm 
A</saml2:Issuer><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod
 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference 
URI="#_D9DB6FA72D6093EFDC14115602981082"><ds:Transforms><ds:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";><ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; 
PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>NvaHP8axdjMCJVTCLb0zrskl25E=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>NnVJ9lE08zOyUdPHv1keK6H9KcJks4rzcZrP4zw0IMGoFtCASCRpD46+cDapqoiVAVtmm/m0WKydo0aVQpaIw/efkizCEMfXWKCPGwW4MmWOZBxwDML4HJz/pfxFmJ4jv3g47P27CHpLNansSC1Ki+g3X2Q4zcF8euNT+zrLZwSLKX1R6uutqIiWpFGhO9XS8nU+GFsf0+cf44i9jb//B6zDbc93cHGgGzzQPMRnhrI+q/aR1uLZPFN9RLwE0oZzke8MAHXAW3ht9dDA0HbGYcANib54QkX3TvWJ8dNQoc03yxlJ+eByU6ZaXsefq5TPhpYuFDLC9IeH5pF1Zu4dJQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
NameQualifier="http://cxf.apache.org/sts";>bob</saml2:NameID><saml2:SubjectConfirmation
 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
 NotBefore="2014-09-24T12:04:58.010Z" 
NotOnOrAfter="2014-09-24T13:04:58.010Z"><saml2:AudienceRestriction><saml2:Audience>urn:org:apache:cxf:fediz:fedizhelloworld</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute
 Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"; 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
 
xsi:type="xs:string">Bob</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
 Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"; 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
 
xsi:type="xs:string">Windsor</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
 Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"; 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
 
xsi:type="xs:string">[email protected]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
 Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
 
xsi:type="xs:string">User,Manager,Admin</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns3:SecurityTokenReference
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><ns3:KeyIdentifier
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>_D9DB6FA72D6093EFDC14115602981082</ns3:KeyIdentifier></ns3:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns3:SecurityTokenReference
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><ns3:KeyIdentifier
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>_D9DB6FA72D6093EFDC14115602981082</ns3:KeyIdentifier></ns3:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";><wsa:EndpointReference
 
xmlns:wsa="http://www.w3.org/2005/08/addressing";><wsa:Address>urn:org:apache:cxf:fediz:fedizhelloworld</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns2:Created>2014-09-24T12:04:58.010Z</ns2:Created><ns2:Expires>2014-09-24T13:04:58.010Z</ns2:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-09-24 14:04:58,146 [http-bio-9443-exec-8] INFO  
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound 
Message
----------------------------
ID: 2
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {content-type=[text/xml;charset=UTF-8], Date=[Wed, 24 Sep 2014 
12:04:57 GMT], Server=[Apache-Coyote/1.1], transfer-encoding=[chunked]}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
 xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; 
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
 xmlns:ns4="http://www.w3.org/2005/08/addressing"; 
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802";><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
ID="_D9DB6FA72D6093EFDC14115602981082" IssueInstant="2014-09-24T12:04:58.108Z" 
Version="2.0" xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm 
A</saml2:Issuer><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod
 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference 
URI="#_D9DB6FA72D6093EFDC14115602981082"><ds:Transforms><ds:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";><ec:InclusiveNamespaces 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; 
PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>NvaHP8axdjMCJVTCLb0zrskl25E=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>NnVJ9lE08zOyUdPHv1keK6H9KcJks4rzcZrP4zw0IMGoFtCASCRpD46+cDapqoiVAVtmm/m0WKydo0aVQpaIw/efkizCEMfXWKCPGwW4MmWOZBxwDML4HJz/pfxFmJ4jv3g47P27CHpLNansSC1Ki+g3X2Q4zcF8euNT+zrLZwSLKX1R6uutqIiWpFGhO9XS8nU+GFsf0+cf44i9jb//B6zDbc93cHGgGzzQPMRnhrI+q/aR1uLZPFN9RLwE0oZzke8MAHXAW3ht9dDA0HbGYcANib54QkX3TvWJ8dNQoc03yxlJ+eByU6ZaXsefq5TPhpYuFDLC9IeH5pF1Zu4dJQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
NameQualifier="http://cxf.apache.org/sts";>bob</saml2:NameID><saml2:SubjectConfirmation
 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
 NotBefore="2014-09-24T12:04:58.010Z" 
NotOnOrAfter="2014-09-24T13:04:58.010Z"><saml2:AudienceRestriction><saml2:Audience>urn:org:apache:cxf:fediz:fedizhelloworld</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute
 Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
 
xsi:type="xs:string">Bob</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
 Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
 
xsi:type="xs:string">Windsor</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
 Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
 
xsi:type="xs:string">[email protected]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
 Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
 
xsi:type="xs:string">User,Manager,Admin</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns3:SecurityTokenReference
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns3:KeyIdentifier
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_D9DB6FA72D6093EFDC14115602981082</ns3:KeyIdentifier></ns3:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns3:SecurityTokenReference
 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns3:KeyIdentifier
 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_D9DB6FA72D6093EFDC14115602981082</ns3:KeyIdentifier></ns3:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
 xmlns:wsp="http://www.w3.org/ns/ws-policy" 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
 
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:fedizhelloworld</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns2:Created>2014-09-24T12:04:58.010Z</ns2:Created><ns2:Expires>2014-09-24T13:04:58.010Z</ns2:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-09-24 14:04:59,137 [http-bio-9443-exec-8] INFO  
org.apache.cxf.fediz.service.idp.beans.STSClientAction  - 
[RP_TOKEN=_D9DB6FA72D6093EFDC14115602981082] successfully created for realm 
[urn:org:apache:cxf:fediz:fedizhelloworld] on behalf of 
[IDP_TOKEN=_D9DB6FA72D6093EFDC14115602475511]
