Hi Peter, See my responses inline.
> I've checked that the wsdl is available at
> http://localhost:9080/fediz-idp-sts/STSService?wsdl
>
> I've found that the wsdl is not available there but available at
> http://localhost:9080/fediz-idp-sts
>
> I guess that's not a real problem.

Right. With Fediz 1.1, the WSDL is available under different realms. So for example:

https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl

I'll update the documentation.

> I've set up a separate Tomcat for the Relying Party (simpleWebApp). See
> attached server.xml. I've copied rp-ssl-server.jks and ststrust.jks to
> Tomcat's conf dir. I've copied src/main/config/fediz_config.xml to Tomcat's
> conf dir.

This is the problem. "ststrust.jks" must go in the Tomcat base directory. Or else update conf/fediz_config.xml to point to 'conf/ststrust.jks'. What's happening in your set up is that the IdP is issuing the token correctly, but the RP can't verify the signature on the IdP response as it can't find "ststrust.jks".

> I've set up https connector with keystore rp-ssl-server.jks (note that
> the manual at http://cxf.apache.org/fediz-tomcat.html uses
> "tomcat-rp.jks" in the connector. I think that it was OK to change it to
> rp-ssl-server.jks since that was the file in the fediz 1.1.1 zip. But maybe
> that's the problem?)

Nope, that's fine. Again I'll update the doc...

> I've set up the valve with context level in server.xml. Note that I had to
> change "Fediz_conf.xml" to "fediz_conf.xml".

Fixed as well. Thanks, Colm.

> I've effectively used the fediz_config from the zip, not from the manual
> at http://cxf.apache.org/fediz-configuration.html.
>
> I've built the simpleWebapp and copied the resulting war to Tomcat's
> webapps.
>
> I've started this Tomcat and visited
> https://localhost:8443/fedizhelloworld/secure/fedservlet according to the
> README.txt in simpleWebapp.
>
> I've clicked "Select Home Realm" with the selection "IDP of Realm A".
> Then I've got 401.
>
> In the Relying Party's log I saw:
> Sep 24, 2014 2:05:00 PM org.apache.cxf.fediz.tomcat.FederationAuthenticator authenticate
> SEVERE: Federation processing failed: Security token issuer not trusted
>
> In the IDP / STS's log I saw:
> ... (see attached file for full log)
> 2014-09-24 14:04:59,137 [http-bio-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.STSClientAction - [RP_TOKEN=_D9DB6FA72D6093EFDC14115602981082] successfully created for realm [urn:org:apache:cxf:fediz:fedizhelloworld] on behalf of [IDP_TOKEN=_D9DB6FA72D6093EFDC14115602475511]
>
> I guess I did something wrong but I can't find out what. Could you
> please help me with this?
>
> Thank you, best regards, Peter

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
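As an added example (not code from the thread or from the Fediz project), the following Python script reproduces the mismatch Colm describes: it resolves the trustManager keyStoreFile entries of a fediz_config.xml against Tomcat's base directory and lists the truststores the relying party would fail to open, which is what surfaces as "Security token issuer not trusted". The config fragment is constructed here; its certificateStores/trustManager/keyStoreFile layout and the rule that a relative keyStoreFile resolves against the Tomcat base directory are assumptions.

```python
# Added example (not from the thread or the Fediz project). Assumed: the
# certificateStores/trustManager/keyStoreFile layout of fediz_config.xml and
# that a relative keyStoreFile is resolved against Tomcat's base directory.
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed fediz_config.xml fragment mirroring the relying-party setup in the thread.
FEDIZ_CONFIG = """<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
    </audienceUris>
    <certificateStores>
      <trustManager>
        <keyStoreFile>{keystore}</keyStoreFile>
        <keyStorePassword>storepass</keyStorePassword>
        <keyStoreType>JKS</keyStoreType>
      </trustManager>
    </certificateStores>
  </contextConfig>
</FedizConfig>
"""

def truststore_paths(config_xml, catalina_base):
    """Resolve every trustManager keyStoreFile entry to the path the RP would open."""
    paths = []
    for elem in ET.fromstring(config_xml).iter("keyStoreFile"):
        name = (elem.text or "").strip()
        # Absolute paths are used as-is; relative ones resolve against the Tomcat base dir.
        paths.append(name if os.path.isabs(name) else os.path.join(catalina_base, name))
    return paths

def missing_truststores(config_xml, catalina_base):
    """Truststores the RP cannot open: the cause of "Security token issuer not trusted"."""
    return [p for p in truststore_paths(config_xml, catalina_base) if not os.path.isfile(p)]

def simulate(keystore_entry, jks_in_conf):
    """Build a throwaway Tomcat layout (jks in conf/ as in the thread, or in the
    base dir as Colm advises) and return the truststores the RP would miss."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "conf"))
        jks_dir = os.path.join(base, "conf") if jks_in_conf else base
        with open(os.path.join(jks_dir, "ststrust.jks"), "wb") as fh:
            fh.write(b"placeholder, not a real keystore")  # constructed content
        return missing_truststores(FEDIZ_CONFIG.format(keystore=keystore_entry), base)

# simulate("ststrust.jks", True)       -> one missing path (the setup in the thread)
# simulate("ststrust.jks", False)      -> []  (jks moved to the Tomcat base dir)
# simulate("conf/ststrust.jks", True)  -> []  (config pointed at conf/ instead)
```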
