Hi Francesco,

I fixed this in Fediz. Could you rebuild 1.4.4-SNAPSHOT (and also CXF
3.1.x-SNAPSHOT) and try again with it?

Colm.

On Mon, Apr 30, 2018 at 1:00 PM, Francesco Chicchiriccò <[email protected]> wrote:

> Hi Colm,
> thanks for your answer.
>
> Currently, I am quite stuck into the following.
>
> I have configured CAS 5.2.4 as SP, and Fediz 1.4.3 as IdP according to
> your instructions from the post below.
>
> The problem seems to be that CAS (via Pac4J) generates an AuthnRequest as
> follows:
>
> https://localhost:8443/fediz-ip/saml?SAMLRequest=fVJdb5swFH3
> fr0B%2BrQgOYVNqBSLaKlqlbosaWk19qRxzCW7BBl%2FD2vz6GUi19mF9tHX
> PuefjrtYvdeX1YFBqFZP5jBIPlNC5VIeY3GUbf0nWyZcV8roKG5Z2tlS30Ha
> A1ksRwViHu9QKuxrMDkwvBdzd3sSktLZBFgSVFrwqNVq2jKJFIDi6r4NUa1F
> JUPZR8RritOGihLPL35uzDeTySLzUWiP3nYWJ26k5kV%2BrHF5i4mReOQ1ScTsK%2F8%2B6YmD
> zZd4EgwHibbQRMJqIScErBOJdX8XksaP41P8RQI%2BF%2BWqr47HteVmU%
> 2B0OPvLfPr%2Fy5bUVbuGncckTZwz88YudUoeXKxiSk86VPI39BszllEWXhY
> vbtfPlAvK3RVgtdXUg1hdsZxTRHiWzIAJkVbJf%2BuGHhjLL9NITse5Zt%2F
> e2vXTYS9DIH83NIjLjEoid%2FcnX%2FVl841OcKVcimwj7f0pwkkWTql41ez
> HuGzwn42wWQZBiruYARxkZ1M20Oq%2BA9c3J6fjyk5C8%3D&RelayState=h
> ttps%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%
> 3DApache%2BCXF%2BFediz&SigAlg=http%3A%2F%2Fwww.w3.org%
> 2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=hs%2BIp
> n0wqNKaAR2qCpqbdDSVMMiuB998iRI3teAx7b68WRwcrGynHy8CVCWqX70jX
> crYd7VuiMz2I1TPPIm23%2BfyYXpWM5XjUTVYB%2BV4SJLssodBdtIh0U9GC
> mVQ6FBNlIjgiI4E%2FvaPZyjAAT246cP%2FB8nrLUxv7bt3EtwmCwRT%2BrbWiTOK08u0S%
> 2Fuh9frZnjy%2FFqoGEn4GoMacVjMnPomqZaU2xgcLvlRQy%2BKd2BXftLC6
> QGU7nKozRXJNRsyGexRhUxeedtttUWeHV8PKgib3UCzAbXKHWP%2By94pzBd
> yDT0BrE46bxOLX8QoZOZsNbsLLEgdmMu%2BAnf4QEFcfMg%3D%3D
>
> where, as you can see, the request itself is not signed, but the signature
> is provided as a query parameter, with SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>
> Now, I see that this causes an error in
>
> https://github.com/apache/cxf-fediz/blob/fediz-1.4.3/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java#L263
>
> as, just a few lines above, SignAlg is statically set to
> http://www.w3.org/2000/09/xmldsig#rsa-sha1
>
> Since I am building such a setup only for running integration tests, I
> could anyway skip signature validation, but I cannot find an obvious way to
> configure AuthnRequestParser#setRequireSignature
>
> Am I missing something?
>
> Regards.
>
> On 27/04/2018 18:45, Colm O hEigeartaigh wrote:
>
>> Hi Francesco,
>>
>> It's not (currently) possible to register a service provider in Fediz
>> using metadata. You have to do it manually by editing the config files instead,
>> e.g. 'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml'. See here
>> for how to do it (interop demo with Syncope):
>>
>> http://coheigea.blogspot.ie/2017/12/saml-sso-support-for-apache-syncope-web.html
>>
>> For OIDC there's a test-case here:
>>
>> http://coheigea.blogspot.ie/2016/08/openid-connect-in-apache-cxf-fediz-130.html
>>
>> The instructions are probably not very clear though... I should write a
>> blog post explaining how to set it up from scratch.
>>
>> Colm.
>>
>> On Fri, Apr 27, 2018 at 1:39 PM, Francesco Chicchiriccò <[email protected]> wrote:
>>
>>> Hi there,
>>> are there instructions around to run
>>>
>>>      <dependency>
>>>        <groupId>org.apache.cxf.fediz</groupId>
>>>        <artifactId>fediz-idp</artifactId>
>>>        <version>1.4.3</version>
>>>        <type>war</type>
>>>      </dependency>
>>>
>>> as standalone "general purpose" SAML 2.0 IdP? I am able to run it
>>> ("https://localhost:8443/fediz-idp/metadata" responds fine), but I would
>>> like to register my own SAML 2.0 Service Provider's metadata: is that
>>> possible?
>>>
>>> Same question for
>>>
>>> <dependency>
>>>      <groupId>org.apache.cxf.fediz</groupId>
>>>      <artifactId>fediz-oidc</artifactId>
>>>      <version>1.4.3</version>
>>>      <type>war</type>
>>> </dependency>
>>>
>>> where I would like to add my own OpenID Connect Client.
>>>
>>> TIA
>>> Regards.
>>>
>>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
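The HTTP-Redirect binding check that Francesco's AuthnRequest runs into, as an added example in Java (the Fediz stack's language); this is not Fediz, CXF or CAS code. It builds the string the SP signs (the SAMLRequest, RelayState and SigAlg query parameters, in that order, Signature excluded) and shows an IdP-side verifier that takes the algorithm from the SigAlg parameter instead of fixing it to rsa-sha1, then runs the same valid rsa-sha256 signature through both behaviours. The class and method names, the key pair and the sample request are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.Map;

public class RedirectSignatureCheck {
    // SigAlg URI carried in the query string -> JCA name; looked up per request, never hard-coded.
    static final Map<String, String> SIG_ALGS = Map.of(
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SHA1withRSA",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "SHA256withRSA");

    // The string that is signed (SAML Bindings 3.4.4.1): the URL-encoded query parameters in exactly
    // this order, without the Signature parameter. samlRequest is the base64 of the DEFLATEd XML.
    static String signedString(String samlRequest, String relayState, String sigAlg) {
        return "SAMLRequest=" + URLEncoder.encode(samlRequest, StandardCharsets.UTF_8)
            + "&RelayState=" + URLEncoder.encode(relayState, StandardCharsets.UTF_8)
            + "&SigAlg=" + URLEncoder.encode(sigAlg, StandardCharsets.UTF_8);
    }

    // IdP side: fail closed on an unknown SigAlg, otherwise verify with the algorithm the SP declared.
    static boolean verify(PublicKey key, String sigAlg, String data, byte[] signature) {
        String jca = SIG_ALGS.get(sigAlg);
        if (jca == null) return false;
        try {
            Signature sig = Signature.getInstance(jca);
            sig.initVerify(key);
            sig.update(data.getBytes(StandardCharsets.UTF_8));
            return sig.verify(signature);
        } catch (GeneralSecurityException e) { // a digest mismatch may surface as an exception, not as false
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed SP key, not a real CAS/Fediz key
        String samlRequest = Base64.getEncoder().encodeToString("<samlp:AuthnRequest ID=\"_demo\"/>".getBytes(StandardCharsets.UTF_8)); // constructed; a real SP DEFLATEs the XML first
        String sha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        String data = signedString(samlRequest, "https://localhost:8443/cas/login", sha256);
        Signature signer = Signature.getInstance(SIG_ALGS.get(sha256)); // SP signs with what it declared
        signer.initSign(kp.getPrivate());
        signer.update(data.getBytes(StandardCharsets.UTF_8));
        byte[] signature = signer.sign();
        System.out.println("checked with declared SigAlg: " + verify(kp.getPublic(), sha256, data, signature));
        // An IdP that assumes rsa-sha1 regardless of SigAlg rejects this valid rsa-sha256 request.
        System.out.println("checked assuming rsa-sha1:    " + verify(kp.getPublic(), "http://www.w3.org/2000/09/xmldsig#rsa-sha1", data, signature));
    }
}
```

The first check succeeds and the second fails, which is the behaviour Francesco observed when the IdP assumed rsa-sha1 for a request signed with rsa-sha256.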
