Hi Jason,

I would recommend Fiddler to you to monitor all redirects from your browser. 

Did you disable the token encryption at your ADFS? I think by default ADFS 
encrypts the SAML Token, which makes it harder to analyze any issues. So if it 
is still enabled, please disable the token encryption.

Then next you should check (with fiddler for example) if the certificate 
included within the SAML token (which is sent to the RP) is the same as in your 
ststrust.jks. Maybe you picked the wrong certificate from the metadata 
document. 

I would also recommend using "PeerTrust". In this case you do not need the 
complete certificate chain in your keystore but the STS certificate only.
I would also recommend using the following configuration at your RP 
(completely without an issuer subject name):

<certificateStores>
        <trustManager>
                <keyStore file="ststrust.jks" password="storepass" type="JKS" />
        </trustManager>
</certificateStores>
<trustedIssuers>
        <issuer certificateValidation="PeerTrust" />
</trustedIssuers>


Kind regards
Jan

-- 
Jan Bernhardt

Talend Community Coder
http://coders.talend.com

Visit my Blog
https://janbernhardt.blogspot.de
> -----Original Message-----
> From: jasonlbetz [mailto:[email protected]]
> Sent: Tuesday, 18 August 2015 17:05
> To: [email protected]
> Subject: CXF Fediz and ADFS Configuration Help
> 
> I'm trying to use Fediz to tie into my organization's ADFS environment. I have
> successfully set up my app as an RP to the sample Fediz IDP/STS. However,
> when I try and switch the fediz_config to use the ADFS STS, I get the
> following error.
> 
> 2015-08-17 11:28:52,951 [http-bio-8443-exec-4] WARN org.apache.cxf.fediz.core.saml.SAMLTokenValidator  - Issuer 'http://dev.login.mayo.edu/adfs/services/trust' not trusted
> 2015-08-17 11:28:52,954 [http-bio-8443-exec-4] ERROR org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider  - Failed to validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: Security token issuer not trusted
> 
> I have extracted the signing key from the ADFS Federation Metadata and
> added it to my ststrust.jks keystore.
> I have also modified the fediz_config as follows.
> 
> <trustedIssuers>
>     <issuer subject=".*CN=MFAD ADFS Token Signing Certificate - dev.login.mayo.edu.*"
>             certificateValidation="ChainTrust"
>             name="MFAD ADFS Token Signing Certificate - dev.login.mayo.edu" />
> </trustedIssuers>
> 
> I have tried both ChainTrust and PeerTrust and receive the error under both.
> I wasn't sure what the Name attribute was supposed to contain, but I've
> tried various strings to no avail.
> 
> Any guidance on this config would be much appreciated. I'd love to get my
> Tomcat environment participating in our ADFS federation environment.
> 
> Thanks,
> Jason Betz
> 
> 
> 
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-Fediz-
> and-ADFS-Configuration-Help-tp5760244.html
> Sent from the cxf-user mailing list archive at Nabble.com.
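The check Jan describes (is the certificate carried in the signed SAML token the same one that sits in ststrust.jks?) can be scripted rather than eyeballed in Fiddler. The following is an added diagnostic, not Fediz or CXF code: it loads a JKS keystore and a saved SAML token (the decrypted RSTR/Response XML captured from the browser), pulls every ds:X509Certificate out of the token's Signature, and reports for each one whether the keystore holds that exact certificate (what PeerTrust needs) or a certificate that issued it (what ChainTrust needs). The command-line arguments, the class name TokenCertCheck and the file paths are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Added example (not part of Fediz): compares the signing certificate inside a
// SAML token with the entries of the RP's trust store.
public class TokenCertCheck {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // SHA-256 fingerprint of the DER encoding, same value "keytool -list -v" prints.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // All X.509 certificates stored in the JKS keystore (trusted certs and key entries).
    static List<X509Certificate> keystoreCerts(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<X509Certificate> certs = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        return certs;
    }

    // Certificates embedded in ds:KeyInfo/ds:X509Data of the token's signature.
    static List<X509Certificate> tokenCerts(String tokenXmlPath) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The token comes from the network: refuse DTDs so no external entities are resolved.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc;
        try (InputStream in = new FileInputStream(tokenXmlPath)) {
            doc = dbf.newDocumentBuilder().parse(in);
        }
        NodeList nodes = doc.getElementsByTagNameNS(DSIG_NS, "X509Certificate");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            // MIME decoder tolerates the line breaks ADFS puts into the base64 text.
            byte[] der = Base64.getMimeDecoder().decode(nodes.item(i).getTextContent().trim());
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certs;
    }

    // True if some keystore certificate's public key verifies the signing cert's signature,
    // i.e. the keystore holds its issuer (the ChainTrust case).
    static boolean issuedByKeystoreCert(X509Certificate signer, List<X509Certificate> trusted) {
        for (X509Certificate ca : trusted) {
            if (!ca.getSubjectX500Principal().equals(signer.getIssuerX500Principal())) continue;
            try {
                signer.verify(ca.getPublicKey());
                return true;
            } catch (Exception ignored) {
                // subject matched but the key did not sign it; keep looking
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TokenCertCheck <ststrust.jks> <storepass> <token.xml>");
            System.exit(2);
        }
        List<X509Certificate> trusted = keystoreCerts(args[0], args[1].toCharArray());
        for (X509Certificate signer : tokenCerts(args[2])) {
            String fp = fingerprint(signer);
            boolean peer = false;
            for (X509Certificate t : trusted) peer |= fingerprint(t).equals(fp);
            System.out.println("token signer : " + signer.getSubjectX500Principal());
            System.out.println("fingerprint  : " + fp);
            System.out.println("PeerTrust ok : " + peer + " (exact certificate present in keystore)");
            System.out.println("ChainTrust ok: " + issuedByKeystoreCert(signer, trusted) + " (issuer present in keystore)");
        }
    }
}
```

If the fingerprint printed here does not appear in the output of `keytool -list -v -keystore ststrust.jks`, the keystore holds a different certificate than the one ADFS signs with (for example the encryption certificate from the metadata instead of the signing one), which produces exactly the "issuer not trusted" error above. A self-signed ADFS token-signing certificate will never satisfy the ChainTrust check unless that same certificate is in the keystore, which is why PeerTrust is the simpler setting for it.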