Versions Compared

Old Version 9

changes.mady.by.user Oliver Wulff

Saved on

compared with

New Version 10

changes.mady.by.user Glen Mazza

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added clarifications for keystore requirements.

...

The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server.

Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps). Once done, you should be able to see the Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdlImage Removed, assuming you're using port 9080 as listed below.

A Relying Party application trusts the IDP/STS component that the IDP authenticated the browser user. The trust is established based on the certificate/private key used by the STS to sign the SAML token. The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this keystore to a location where the Relying Party can reference it in its Fediz Configuration in the element certificateStores.

This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party

Configuration

You can manage the users, their claims and the claims per application in the IDP.

HTTPS configuration

It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described here is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change these port values so they don't conflict with the original Tomcat installation. The Fediz examples use the following TCP ports to interact with the IDP/STS:

  • HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)
  • HTTPS port: 9443 (where IDP and STS are accessed)

The Tomcat HTTP(s) configuration is done in conf/server.xml.

This is a sample snippet for an HTTPS configuration:

It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described here is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change these port values so they don't conflict with the original Tomcat installation.

To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:

Code Block

CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/startup.sh

and

Code Block

CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/shutdown.sh

If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE that will need to be redefined.

The Fediz examples use the following TCP ports for the IDP/STS:

  • HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)
  • HTTPS port: 9443 (where IDP and STS are accessed)

The Tomcat HTTP(s) configuration is done in conf/server.xml.

This is a sample snippet for an HTTPS configuration:

Code Block
xml
xml

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
Code Block
xmlxml

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="tomcatKeystoretomcat-idp.jks"
               keystorePass="tompass" sslProtocol="TLS" />

The keystoreFile is relative to $CATALINA_HOME. See here for the Tomcat 7 configuration reference. This page also describes how to create certificates.

Production: It's highly recommended to deploy certificates signed by a Certificate Authority

To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:

Code Block

CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/startup.sh

and

Code Block

CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/shutdown.sh

Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdlImage Added, assuming you're using port 9080 as listed above.

To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See this page for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.

Warning: The sample keystores provided in the WAR files are for development/prototyping use ONLY. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.

Configuration

You can manage the users, their claims and the claims per application in the IDPIf you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE that will need to be redefined.

User and password

The users and passwords are configured in a Spring configuration file in webapps/fediz-idp-sts/WEB-INF/passwords.xml. The following users are already configured and can easily be extended.

...

  • lang-2.1.0.jar
  • ldapbp-1.0.jar
  • spring-ldap-1.2.jar

Configure CA certificates

...