Versions Compared

Old Version 9

changes.mady.by.user Oliver Wulff

Saved on

compared with

New Version 10

changes.mady.by.user Glen Mazza

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Editorial cleanup.

...

This page describes the Fediz configuration file which is referenced by the security interceptor (eg. authenticator in Tomcat/Jetty).

Example

The following example describes shows the minimum configuration for Fediz.

Code Block
xml
xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
    <contextConfig name="/fedizhelloworld">
        <audienceUris>
            <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
        </audienceUris>
        <certificateStores>
            <trustManager>
                <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
            </trustManager>
        </certificateStores>
        <trustedIssuers>
            <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
        </trustedIssuers>
        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
            <issuer>https://localhost:9443/fedizidp/</issuer>
        </protocol>
    </contextConfig>
</FedizConfig>

The protocol element protocol defines declares that you use the WS-Federation protocol is being used. The issuer says element shows the URL to which URL authenticated requests will be redirected with the a SignIn request.

The IDP issues a SAML token which must be validated by the plugin. The validation requires the certificate store of the Certificate Authority(ies) of the certificate which signed the SAML token. This is defined in certificateStore. The signing certificate itself is not required because certificateValidation is set to ChainTrust. The subject defines the trusted signing certificate using the subject as a regular expression.
Finally, the audience URI is validated against the audience restriction in the SAML token.

...

XML element

Name

Use

Description

audienceUris

Audience URI

Required

The values of the list of audience URIs are verified against the element AudienceRestriction in the SAML token

certificateStores

Trusted certificate store

Required

The list of keystores (JKS, PEM) includes at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token.
If the file location is not fully qualified it 's needs to be relative to the Container home directory

trustedIssuers

Trusted Issuers

Required

There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust)

maximumClockSkew

Maximum Clock Skew

Optional

Maximum allowable time difference between the system clocks of the IDP and RP.
Default 5 seconds.

...

These configuration elements provides to configure allows for configuring a CallbackHandler which gets a Callback object where the appropriate value must be set. The CallbackHandler implementation has access to the HttpServletRequest. The XML attribute type must be set to Class.

...

The following example defines the required claims and configure configures a custom callback handler to define some configuration values at runtime.

...