...
Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps). Once done, you should be able to see the Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdl, assuming you're using port 9080 as listed below.
A Relying Party application trusts the IDP/STS: it accepts the IDP's statement that the browser user has been authenticated. That trust is established through the certificate/private key the STS uses to sign the SAML token. The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must make this certificate available at a location where the Relying Party can reference it in its Fediz configuration, in the certificateStores element. Note that stsstore.jks also holds the STS signing private key; a Relying Party only needs the certificate to verify signatures, so prefer exporting the certificate into a separate truststore over copying the whole keystore to every Relying Party.
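The following script is an added example and not part of the Fediz project: it builds a Relying Party truststore that contains only the STS signing certificate, and checks that no private key entry ended up in it. The key alias (mystskey) and the store passwords used in the comments and test are placeholders, not values taken from this page; substitute the ones configured for your stsstore.jks.

```sh
#!/bin/sh
# Added example (not Fediz project code): derive a certificate-only truststore
# for a Relying Party from the STS keystore, so the STS private key never
# leaves the IDP host. Alias and passwords are placeholders (assumptions).

# export_sts_cert STS_KEYSTORE STS_STOREPASS ALIAS RP_TRUSTSTORE RP_STOREPASS
# Exports the certificate for ALIAS from the STS keystore as PEM and imports
# it into a fresh JKS truststore. Returns non-zero on any failure.
export_sts_cert() {
    sts_ks=$1; sts_pass=$2; alias=$3; rp_ts=$4; rp_pass=$5
    if ! command -v keytool >/dev/null 2>&1; then
        echo "export_sts_cert: keytool not found on PATH (install a JDK)" >&2
        return 1
    fi
    [ -f "$sts_ks" ] || { echo "export_sts_cert: keystore $sts_ks does not exist" >&2; return 1; }
    pem=$(mktemp) || return 1
    # -exportcert writes only the public certificate; -rfc selects PEM encoding
    keytool -exportcert -rfc -alias "$alias" -keystore "$sts_ks" \
        -storepass "$sts_pass" -file "$pem" || { rm -f "$pem"; return 1; }
    rm -f "$rp_ts"
    # -importcert on a non-existent keystore creates it with a trustedCertEntry only
    keytool -importcert -noprompt -alias "$alias" -keystore "$rp_ts" -storetype JKS \
        -storepass "$rp_pass" -file "$pem" || { rm -f "$pem"; return 1; }
    rm -f "$pem"
}

# truststore_has_private_key STORE STOREPASS
# Returns 0 if the store lists any PrivateKeyEntry. For a Relying Party
# truststore this must return 1; for stsstore.jks it returns 0.
truststore_has_private_key() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -qi 'PrivateKeyEntry'
}

# Usage (placeholders): export_sts_cert webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks \
#     stsspass mystskey /path/for/rp/ststrust.jks storepass
# truststore_has_private_key /path/for/rp/ststrust.jks storepass && echo "private key leaked!"
```

The resulting truststore is what the Relying Party's certificateStores element should reference. Running truststore_has_private_key against the STS keystore itself returns 0, which is exactly why that file should stay on the IDP host.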
...
It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. One option is a single Tomcat installation with multiple CATALINA_BASE instances, as described in the Tomcat documentation; note that any libraries in $CATALINA_HOME/lib are shared by every activated CATALINA_BASE instance, so a jar placed there is loaded by the IDP and by your own applications alike. A simpler alternative is to copy your Tomcat folder to a second location and edit its conf/server.xml, changing the port values so they don't conflict with the original Tomcat installation. The Fediz examples use the following TCP ports to interact with the IDP/STS:
...
Production: it is highly recommended to deploy certificates signed by a Certificate Authority rather than the sample certificates shipped with the examples.
To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that point $CATALINA_HOME at the second instance for the duration of the call. Export the variable: a plain assignment on its own line is not passed to the child startup.sh/catalina.sh process, so a CATALINA_HOME already exported in your environment (pointing at the first instance) would still win. For example:

```sh
#!/bin/sh
CATALINA_HOME=/path/to/second/tomcat
export CATALINA_HOME
exec "$CATALINA_HOME/bin/startup.sh" "$@"
```

and

```sh
#!/bin/sh
CATALINA_HOME=/path/to/second/tomcat
export CATALINA_HOME
exec "$CATALINA_HOME/bin/shutdown.sh" "$@"
```

If you're using the one-Tomcat-with-multiple-instances option, it's $CATALINA_BASE that needs to be exported instead, with $CATALINA_HOME left pointing at the shared installation.
Users and passwords
The users and passwords are configured in a Spring configuration file, webapps/fediz-idp-sts/WEB-INF/passwords.xml. The following users are already configured and can easily be extended. They are sample accounts for the examples; replace them before the IDP is reachable by anyone other than yourself.
...