Hi Colm,
it works like a charm now, thanks!

Regards.

On 02/05/2018 17:10, Colm O hEigeartaigh wrote:
Hi Francesco,

I fixed this in Fediz. Could you rebuild 1.4.4-SNAPSHOT (and also CXF
3.1.x-SNAPSHOT) and try again with it?

Colm.

On Mon, Apr 30, 2018 at 1:00 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
Hi Colm,
thanks for your answer.

Currently, I am quite stuck on the following.

I have configured CAS 5.2.4 as SP, and Fediz 1.4.3 as IdP according to
your instructions from the post below.

The problem seems to be that CAS (via Pac4J) generates an AuthnRequest as follows:


where, as you can see, the request itself is not signed, but the signature is provided as a query parameter, with SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Now, I see that this causes an error in

https://github.com/apache/cxf-fediz/blob/fediz-1.4.3/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java#L263

as, just a few lines above, SignAlg is statically set to
http://www.w3.org/2000/09/xmldsig#rsa-sha1

Since I am building such a setup only for running integration tests, I could skip signature validation anyway, but I cannot find an obvious way to configure AuthnRequestParser#setRequireSignature

Am I missing something?

Regards.

On 27/04/2018 18:45, Colm O hEigeartaigh wrote:

Hi Francesco,

It's not (currently) possible to register a service provider in Fediz using metadata. You have to do it manually by editing the config files instead, e.g. 'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml'. See here for how to do it (interop demo with Syncope):

http://coheigea.blogspot.ie/2017/12/saml-sso-support-for-apache-syncope-web.html

For OIDC there's a test-case here:

http://coheigea.blogspot.ie/2016/08/openid-connect-in-apache-cxf-fediz-130.html

The instructions are probably not very clear though... I should write a blog post explaining how to set it up from scratch.

Colm.

On Fri, Apr 27, 2018 at 1:39 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
Hi there,
are there instructions around to run

      <dependency>
        <groupId>org.apache.cxf.fediz</groupId>
        <artifactId>fediz-idp</artifactId>
        <version>1.4.3</version>
        <type>war</type>
      </dependency>

as standalone "general purpose" SAML 2.0 IdP? I am able to run it ("https://localhost:8443/fediz-idp/metadata" responds fine), but I would like to register my own SAML 2.0 Service Provider's metadata: is that possible?

Same question for

      <dependency>
        <groupId>org.apache.cxf.fediz</groupId>
        <artifactId>fediz-oidc</artifactId>
        <version>1.4.3</version>
        <type>war</type>
      </dependency>

where I would like to add my own OpenID Connect Client.

TIA
Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
