Jan,

Thank you so much for the guidance.

I made the config change as you suggested and inspected the token coming back 
from ADFS. It was the same token I had already imported into my ststrust 
keystore.

That got me thinking if fediz was validating against a different keystore. Sure 
enough, there was another keystore in my app called ststrust. After deleting 
the app specific ststrust keystore, federation worked perfectly. I then moved 
my server ststrust keystore into my app and it still worked perfectly.

Everything is now working! Thank you for the quick reply.

Jason

From: janb [via CXF] [mailto:[email protected]]
Sent: Tuesday, August 18, 2015 10:42 AM
To: Betz, Jason L. <[email protected]>
Subject: RE: CXF Fediz and ADFS Configuration Help

Hi Jason,

I would recommend Fiddler to monitor all redirects from your browser.

Did you disable the token encryption at your ADFS? I think by default ADFS 
encrypts the SAML Token, which makes it harder to analyze any issues. So if it 
is still enabled, please disable the token encryption.

Then next you should check (with Fiddler, for example) whether the certificate 
included within the SAML token (which is sent to the RP) is the same as in your 
ststrust.jks. Maybe you picked the wrong certificate from the metadata document.

I would also recommend using "PeerTrust". In this case you do not need the 
complete certificate chain in your keystore but the STS certificate only.
I would also recommend using the following configuration at your RP 
(completely without issuer subject name):

<certificateStores>
        <trustManager>
                <keyStore file="ststrust.jks" password="storepass" type="JKS" />
        </trustManager>
</certificateStores>
<trustedIssuers>
        <issuer certificateValidation="PeerTrust" />
</trustedIssuers>


Kind regards
Jan

--
Jan Bernhardt

Talend Community Coder
http://coders.talend.com

Visit my Blog
https://janbernhardt.blogspot.de

> -----Original Message-----
> From: jasonlbetz [mailto:[hidden email]]
> Sent: Tuesday, 18 August 2015 17:05
> To: [hidden email]
> Subject: CXF Fediz and ADFS Configuration Help
>
> I’m trying to use Fediz to tie into my organization’s ADFS environment. I have
> successfully set up my app as an RP to the sample Fediz IDP/STS. However,
> when I try and switch the fediz_config to use the ADFS STS, I get the
> following error.
>
> 2015-08-17 11:28:52,951 [http-bio-8443-exec-4] WARN org.apache.cxf.fediz.core.saml.SAMLTokenValidator  - Issuer 'http://dev.login.mayo.edu/adfs/services/trust' not trusted
> 2015-08-17 11:28:52,954 [http-bio-8443-exec-4] ERROR org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider  - Failed to validate SignIn request
> org.apache.cxf.fediz.core.exception.ProcessingException: Security token issuer not trusted
>
> I have extracted the signing key from the ADFS Federation Metadata and
> added it to my ststrust.jks keystore.
> I have also modified the fediz_config as follows.
>
> <trustedIssuers>
>     <issuer subject=".*CN=MFAD ADFS Token Signing Certificate - dev.login.mayo.edu.*"
>             certificateValidation="ChainTrust"
>             name="MFAD ADFS Token Signing Certificate - dev.login.mayo.edu" />
> </trustedIssuers>
>
> I have tried both ChainTrust and PeerTrust and receive the error under both.
> I wasn’t sure what the Name attribute was supposed to contain, but I’ve
> tried various strings to no avail.
>
> Any guidance on this config would be much appreciated. I’d love to get my
> Tomcat environment participating in our ADFS federation environment.
>
> Thanks,
> Jason Betz
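
The certificate check Jan describes above, as an added example that is not from this thread: a Python script that parses an ADFS FederationMetadata.xml, keeps only the KeyDescriptor marked use="signing" (ADFS also publishes an encryption certificate, which is the wrong one to import into ststrust.jks), and prints keytool-style fingerprints for comparison with the output of `keytool -list -v -keystore ststrust.jks`. The metadata snippet, entityID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for an ADFS FederationMetadata.xml. ADFS publishes one
# KeyDescriptor for encryption and one for signing; only the signing one
# belongs in the RP's ststrust.jks. The X509Certificate values here are
# base64 of placeholder bytes, not real certificates.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(b"ENCRYPTION-CERT-PLACEHOLDER").decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(b"SIGNING-CERT-PLACEHOLDER").decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex digest of the DER bytes in keytool's colon-separated, upper-case style."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs(metadata_xml: str) -> list:
    """Return (entityID, der_bytes) for every certificate under a KeyDescriptor
    with use="signing"; KeyDescriptors with any other use value are skipped."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.append((entity_id, base64.b64decode("".join(cert.text.split()))))
    return found


def report(metadata_xml: str) -> list:
    """One line per issuer and per fingerprint, ready to compare with keytool -list -v."""
    lines = []
    for entity_id, der in signing_certs(metadata_xml):
        lines.append(f"issuer {entity_id}")
        lines.append(f"  SHA1:   {fingerprint(der, 'sha1')}")
        lines.append(f"  SHA256: {fingerprint(der, 'sha256')}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_METADATA)))
```

If the SHA1 or SHA256 line printed for the issuer does not appear in the keytool listing of the keystore Fediz actually loads, the issuer will be reported as not trusted regardless of the subject pattern.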
