Versions Compared

Old Version 2

changes.mady.by.user Oliver Wulff

Saved on

compared with

New Version 3

changes.mady.by.user Glen Mazza

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Editorial cleanup.

...

The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component which is responsible to validate for validating credentials, getting the requested claims data and issues issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly. The , necessitating the second component is the , an IDP WAR which adapts the allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confines of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic.

The Fediz STS is based on the a customized CXF STS configured to support the standard Federation use cases required demonstrated by the examples.

Installation

The Fediz IDP has been tested with Tomcat 6 and 7 but there are no reasons why it shouldn't work in should be able to work with any commercial JEE application server.

It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. The Fediz examples use the following TCP ports to interact with the IDP/STS:

  • HTTP port: 9080 (used for maven Maven deployment, mvn tomcat:redeploy)
  • HTTPS port: 9443 (where IDP and STS are accessed)

...

The keystoreFile is relative to catalina home$CATALINA_HOME. See here for the Tomcat 7 configuration reference. This page also describes how to create certificates.

...

The users and passwords are configured in a spring Spring configuration file in webapps/fediz-idp-sts/WEB-INF/passwords.xml. The following users are already configured and can easily be extended.

...

The claim id's are configured according to chapter Section 7.5 in the specification Identity Metasystem Interoperability. The mapping of claims to a SAML attribute statement are described in chapter Section 7.2.

Application claims

The required claims per relying party are configured in the webapps/fediz-idp/WEB-INF/RPClaims.xml. The XML file has the following structure:

...

The key of each map entry must match with the wtrealm paramater in the redirect triggered by the relying party. The required claims for the different type of applications are grouped in beans which are a list of String Strings as illustrated in claimsWsfedhelloworld.

...

Next, the STS endpoint has to be configured to use the JAAS LoginModule which is acomplished accomplished by the JAASUsernameTokenValidator.

...

The property contextName must match with the context name defined in the JAAS configuration file which is myldap in this example.

...