THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Under construction
Fediz IDP
The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component which is responsible to validate credentials, getting the requested claims data and issues a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly. The second component is the IDP WAR which adapts the browser to the STS. The communication between the browser and the IDP must be performed within the confines of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic.
The Fediz STS is based on the CXF STS configured to support the use cases required by the examples.
Installation
The Fediz IDP has been tested with Tomcat 6 and 7 but there are no reasons why it shouldn't work in any commercial application server.
...
Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps) and ensure that Tomcat is started thus the WAR files get deployed.
Configuration
You can manage the users, their claims and the claims per application in the IDP.
User and password
The users and passwords are configured in a spring configuration file in webapps/fediz-idp-sts/WEB-INF/passwords.xml. The following users are already configured and can easily be extended.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<util:map id="passwords">
<entry key="alice"
value="ecila" />
<entry key="bob"
value="bob" />
<entry key="ted"
value="det" />
</util:map>
|
User Claims
The claims of each user are configured in a spring configuration file webapps/fediz-idp-sts/WEB-INF/userClaims.xml. The following claims are already configured:
...
The claim id's are configured according to chapter 7.5 in the specification Identity Metasystem Interoperability. The mapping of claims to a SAML attribute statement are described in chapter 7.2.
Application claims
The required claims per relying party are configured in the webapps/fediz-idp/WEB-INF/RPClaims.xml. The XML file has the following structure:
...
The JIRA issue FEDIZ-1 will provide another option to manage the required claims on the Relying Party side.
Configure LDAP directory
The Fediz IDP can be configured to attach an LDAP directory to authenticate users and to retrieve claims information of users.
Username and password authentication
WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):
...
The property contextName must match with the context name defined in the JAAS configuration file which is myldap in this example.
Claims management
When a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every registered ClaimsHandler who can provide the data of the requested claim. The CXF STS provides org.apache.cxf.sts.claims.LdapClaimsHandler which is a claims handler implementation to get claims from user attributes in a LDAP directory.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
<util:list id="claimHandlerList">
<ref bean="ldapClaimsHandler" />
</util:list>
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldap.mycompany.org:389" />
<property name="userDn"
value="CN=techUser,OU=Users,DC=mycompany,DC=org" />
<property name="password" value="mypassword" />
</bean>
<bean id="ldapTemplate"
class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSource" />
</bean>
<util:map id="claimsToLdapAttributeMapping">
<entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
value="givenName" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
value="sn" />
<entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
value="mail" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
value="c" />
</util:map>
<bean id="ldapClaimsHandler"
class="org.apache.cxf.sts.claims.LdapClaimsHandler">
<property name="ldapTemplate" ref="ldapTemplate" />
<property name="claimsLdapAttributeMapping"
ref="claimsToLdapAttributeMapping" />
<property name="userBaseDN"
value="OU=Users,DC=mycompany,DC=org" />
</bean>
|
Configure CA certificates
tbd