Hi Colm,
thanks for your answer.
Currently, I am quite stuck on the following.
I have configured CAS 5.2.4 as SP, and Fediz 1.4.3 as IdP according to
your instructions from the post below.
The problem seems to be that CAS (via Pac4J) generates an AuthnRequest
as follows:
https://localhost:8443/fediz-ip/saml?SAMLRequest=fVJdb5swFH3fr0B%2BrQgOYVNqBSLaKlqlbosaWk19qRxzCW7BBl%2FD2vz6GUi19mF9tHXPuefjrtYvdeX1YFBqFZP5jBIPlNC5VIeY3GUbf0nWyZcV8roKG5Z2tlS30HaA1ksRwViHu9QKuxrMDkwvBdzd3sSktLZBFgSVFrwqNVq2jKJFIDi6r4NUa1FJUPZR8RritOGihLPL35uzDeTySLzUWiP3nYWJ26k5kV%2BrHF5i4mReOQ1ScTsK%2F8%2B6YmDzZd4EgwHibbQRMJqIScErBOJdX8XksaP41P8RQI%2BF%2BWqr47HteVmU%2B0OPvLfPr%2Fy5bUVbuGncckTZwz88YudUoeXKxiSk86VPI39BszllEWXhYvbtfPlAvK3RVgtdXUg1hdsZxTRHiWzIAJkVbJf%2BuGHhjLL9NITse5Zt%2Fe2vXTYS9DIH83NIjLjEoid%2FcnX%2FVl841OcKVcimwj7f0pwkkWTql41ezHuGzwn42wWQZBiruYARxkZ1M20Oq%2BA9c3J6fjyk5C8%3D&RelayState=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DApache%2BCXF%2BFediz&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=hs%2BIpn0wqNKaAR2qCpqbdDSVMMiuB998iRI3teAx7b68WRwcrGynHy8CVCWqX70jXcrYd7VuiMz2I1TPPIm23%2BfyYXpWM5XjUTVYB%2BV4SJLssodBdtIh0U9GCmVQ6FBNlIjgiI4E%2FvaPZyjAAT246cP%2FB8nrLUxv7bt3EtwmCwRT%2BrbWiTOK08u0S%2Fuh9frZnjy%2FFqoGEn4GoMacVjMnPomqZaU2xgcLvlRQy%2BKd2BXftLC6QGU7nKozRXJNRsyGexRhUxeedtttUWeHV8PKgib3UCzAbXKHWP%2By94pzBdyDT0BrE46bxOLX8QoZOZsNbsLLEgdmMu%2BAnf4QEFcfMg%3D%3D
where, as you can see, the request itself is not signed, but the
signature is provided as a query parameter, with
SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Now, I see that this causes an error in
https://github.com/apache/cxf-fediz/blob/fediz-1.4.3/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java#L263
as, just a few lines above, SignAlg is statically set to
http://www.w3.org/2000/09/xmldsig#rsa-sha1
Since I am building such a setup only for running integration tests, I
could skip signature validation anyway, but I cannot find an obvious way
to configure AuthnRequestParser#setRequireSignature.
Am I missing something?
Regards.
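The signature CAS/Pac4J sends above follows the SAML 2.0 HTTP-Redirect binding: nothing inside the deflated XML is signed; the SP signs the URL-encoded SAMLRequest, RelayState and SigAlg parameters as one string and appends the result as the Signature parameter, so the IdP has to take the digest from SigAlg rather than assume rsa-sha1. The following Python is an added example, not code from Fediz, Pac4J or CAS; it builds such a query on the SP side and verifies it on the IdP side against an allow-list of SigAlg values (the `cryptography` package and the demo key helper are assumptions of the example).

```python
import base64
from urllib.parse import quote, unquote

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# SigAlg URIs the IdP accepts, mapped to the digest used with RSA PKCS#1 v1.5. The
# digest is chosen from the SigAlg the SP sent; pinning rsa-sha1 rejects rsa-sha256 SPs.
SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": hashes.SHA1,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": hashes.SHA256,
}

def raw_params(query):
    """Split the query string WITHOUT decoding: the signature covers the encoded form."""
    return dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)

def signed_octets(p):
    """SAML 2.0 Bindings 3.4.4.1: SAMLRequest=..[&RelayState=..]&SigAlg=.. (still encoded)."""
    s = "SAMLRequest=" + p["SAMLRequest"]
    if "RelayState" in p:
        s += "&RelayState=" + p["RelayState"]
    return s + "&SigAlg=" + p["SigAlg"]

def build_signed_query(key, saml_request, relay_state, sig_alg):
    """SP side: URL-encode the parameters, sign the octets, append Signature."""
    p = {"SAMLRequest": quote(saml_request, safe=""), "SigAlg": quote(sig_alg, safe="")}
    if relay_state:
        p["RelayState"] = quote(relay_state, safe="")
    octets = signed_octets(p)
    sig = key.sign(octets.encode(), padding.PKCS1v15(), SIG_ALGS[sig_alg]())
    return octets + "&Signature=" + quote(base64.b64encode(sig).decode(), safe="")

def verify_redirect_signature(pub, query):
    """IdP side: True only if Signature verifies under an allow-listed SigAlg."""
    p = raw_params(query)
    alg = SIG_ALGS.get(unquote(p.get("SigAlg", "")))
    if alg is None or "SAMLRequest" not in p or "Signature" not in p:
        return False  # unknown algorithm or missing parameter: reject rather than guess
    try:
        sig = base64.b64decode(unquote(p["Signature"]), validate=True)
        pub.verify(sig, signed_octets(p).encode(), padding.PKCS1v15(), alg())
        return True
    except (ValueError, InvalidSignature):
        return False

def new_sp_key():
    """Constructed demo key for the SP (assumption); a real SP loads its configured key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)
```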
On 27/04/2018 18:45, Colm O hEigeartaigh wrote:
Hi Francesco,
It's not (currently) possible to register a service provider in Fediz using
metadata. You have to do it manually by editing the config files instead,
e.g. 'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml'. See here for
how to do it (interop demo with Syncope):
http://coheigea.blogspot.ie/2017/12/saml-sso-support-for-apache-syncope-web.html
For OIDC there's a test-case here:
http://coheigea.blogspot.ie/2016/08/openid-connect-in-apache-cxf-fediz-130.html
The instructions are probably not very clear though... I should write a blog
post explaining how to set it up from scratch.
Colm.
On Fri, Apr 27, 2018 at 1:39 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
Hi there,
are there instructions around to run
<dependency>
  <groupId>org.apache.cxf.fediz</groupId>
  <artifactId>fediz-idp</artifactId>
  <version>1.4.3</version>
  <type>war</type>
</dependency>
as a standalone "general purpose" SAML 2.0 IdP? I am able to run it
("https://localhost:8443/fediz-idp/metadata" responds fine), but I would
like to register my own SAML 2.0 Service Provider's metadata: is that
possible?
Same question for
<dependency>
  <groupId>org.apache.cxf.fediz</groupId>
  <artifactId>fediz-oidc</artifactId>
  <version>1.4.3</version>
  <type>war</type>
</dependency>
where I would like to add my own OpenID Connect Client.
TIA
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/