Versions Compared

Old Version 15

changes.mady.by.user Oliver Wulff

Saved on

compared with

New Version 16

changes.mady.by.user Oliver Wulff

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

WS-Federation protocol configuration reference

XML element

Name

Use

Metadata

Description

issuer

Issuer URL

Required

PassiveRequestorEndpoint

This URL defines the location of the IDP to whom unauthenticated requests are redirected

realm

Realm

Optional

TargetScope

Security realm of the Relying Party / Application. This value is part of the SignIn request as the wtrealm parameter.
Default: URL including the Servlet Context

authenticationType

Authentication Type

Optional

NA

The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth)
The WS-Federation standard defines a list of predefined URIs for wauth here.

roleURI

Role Claim URI

Optional

NA

Defines the attribute name of the SAML token which contains the roles.
Required for Role Based Access Control.

roleDelimiter

Role Value Delimiter

Optional

NA

There are different ways to encode multi value attributes in SAML.

  • Single attribute with multiple values
  • Several attributes with the same name but only one value
  • Single attribute with single value. Roles are delimited by roleDelimiter

claimTypesRequested

Requested claims

Optional

ClaimTypesRequested

The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail

homeRealm

Home Realm

Optional

NA

Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter

tokenValidators

TokenValidators

Optional

NA

Custom Token validator classes can be configured here. The SAML Token validator is enabled by default.
See example here

signingKey

Key for Signature

Optional

Metadata signature

If configured, the published WS-Federation Metadata document is signed by this key. Otherwise, not signed.

Attributes resolved at runtime

...

Code Block
xml
xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
    <contextConfig name="/fedizhelloworld">
        <audienceUris>
            <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
        </audienceUris>
        <certificateStores>
            <keyStore file="conf/stsstore.jks" password="stsspass" type="file" />
        </certificateStores>
        <maximumClockSkew>10</maximumClockSkew>
        <trustedIssuers>
            <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
        </trustedIssuers>
        <signingKey keyPassword="tompass">
            <keyStore file="tomcatKeystore.jks" password="tompass" type="JKS" />
        </signingKey>
        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
            <issuer>https://localhost:9443/fedizidp/</issuer>
            <roleDelimiter>,</roleDelimiter>
            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
            <claimTypesRequested>
                <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="true" />
            </claimTypesRequested>
            <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard" />
            <homeRealm type="Class" value="example.HomeRealmCallbackHandler" />
            <tokenValidators>
                <validator>org.apache.cxf.fediz.core.CustomValidator</validator>
            </tokenValidators>
        </protocol>
    </contextConfig>
</FedizConfig>