...

The following example shows the minimum configuration for Fediz.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
    <contextConfig name="/fedizhelloworld">
        <audienceUris>
            <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
        </audienceUris>
        <certificateStores>
            <trustManager>
                <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
            </trustManager>
        </certificateStores>
        <trustedIssuers>
            <issuer certificateValidation="PeerTrust" />
        </trustedIssuers>
        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
            <issuer>https://localhost:9443/fediz-idp/</issuer>
        </protocol>
    </contextConfig>
</FedizConfig>
```

...

| XML element | Name | Use | Metadata | Description |
|---|---|---|---|---|
| issuer | Issuer URL | Required | PassiveRequestorEndpoint | This URL defines the location of the IDP to which unauthenticated requests are redirected. |
| realm | Realm | Optional | TargetScope | Security realm of the Relying Party / Application. This value is part of the SignIn request as the wtrealm parameter. Default: URL including the Servlet Context. |
| authenticationType | Authentication Type | Optional | NA | The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth). The WS-Federation standard defines a list of predefined URIs for wauth. |
| roleURI | Role Claim URI | Optional | NA | Defines the attribute name of the SAML token which contains the roles. Required for Role Based Access Control. |
| roleDelimiter | Role Value Delimiter | Optional | NA | There are different ways to encode multi-value attributes in SAML: (a) a single attribute with multiple values; (b) several attributes with the same name but only one value each; (c) a single attribute with a single value, where the roles are delimited by roleDelimiter. |
| claimTypesRequested | Requested claims | Optional | ClaimTypesRequested | The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP, the issuance of the token should fail. |
| homeRealm | Home Realm | Optional | NA | Indicates to the Resource IDP the home realm of the requestor. This may be a URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter. |
| freshness | Freshness | Optional | NA | The desired "freshness" of the token from the IdP. This information is provided in the SignInRequest to the IdP (parameter wfresh). |
| request | Request | Optional | NA | This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP. |
| tokenValidators | TokenValidators | Optional | NA | Custom token validator classes can be configured here. The SAML token validator is enabled by default. See the second example below. |

...

The following example defines the required claims and configures a custom callback handler to define some configuration values at runtime.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
    <contextConfig name="/fedizhelloworld">
        <audienceUris>
            <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
        </audienceUris>
        <certificateStores>
            <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
        </certificateStores>
        <maximumClockSkew>10</maximumClockSkew>
        <trustedIssuers>
            <issuer certificateValidation="PeerTrust" />
        </trustedIssuers>
        <signingKey keyPassword="tompass">
            <keyStore file="tomcatKeystore.jks" password="tompass" type="JKS" />
        </signingKey>
        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
            <issuer>https://localhost:9443/fediz-idp/</issuer>
            <roleDelimiter>,</roleDelimiter>
            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
            <claimTypesRequested>
                <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="true" />
            </claimTypesRequested>
            <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard" />
            <homeRealm type="Class" value="example.HomeRealmCallbackHandler" />
            <tokenValidators>
                <validator>org.apache.cxf.fediz.core.CustomValidator</validator>
            </tokenValidators>
        </protocol>
    </contextConfig>
</FedizConfig>
```
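As an added example (not Fediz code and not part of the original page), the following Python script reads a FedizConfig document with the standard library and reports the settings from the element table and the two configurations above that a reviewer checks first: audience restriction, the required protocol/issuer and whether it is https, trustedIssuers with its certificateValidation attribute, roleURI for role-based access control, mandatory claims, maximumClockSkew and inline keystore passwords. The `max_skew_seconds` threshold, the reading of maximumClockSkew as seconds, and both sample configurations (the page's minimum configuration with compacted whitespace, and a deliberately weakened one) are this example's own assumptions.

```python
"""Lint a Fediz FedizConfig document for the settings a reviewer checks first.
Added example, not Fediz code; the clock-skew threshold and the sample configs
are constructed for this example."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (contextConfig name, level, message)


def lint_fediz_config(xml_text: str, max_skew_seconds: int = 10) -> List[Finding]:
    """Return (context, level, message) findings for every contextConfig."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings: List[Finding] = []
    for ctx in root.findall("contextConfig"):
        name = ctx.get("name", "<unnamed>")

        def report(level: str, msg: str) -> None:
            findings.append((name, level, msg))

        # audienceUris: the minimum configuration lists the application's own URL,
        # so a token issued for some other application is rejected.
        if not ctx.findall("audienceUris/audienceItem"):
            report("warn", "no audienceUris/audienceItem: token audience is not restricted")

        # protocol/issuer is the one required element in the table; unauthenticated
        # users are redirected there, so it must be the real IdP over https.
        issuer = (ctx.findtext("protocol/issuer") or "").strip()
        if not issuer:
            report("warn", "protocol/issuer is required but missing")
        elif not issuer.lower().startswith("https://"):
            report("warn", f"protocol/issuer {issuer!r} does not use https")

        # trustedIssuers controls which IdP certificates are accepted for signatures.
        trusted = ctx.findall("trustedIssuers/issuer")
        if not trusted:
            report("warn", "no trustedIssuers/issuer: issuer certificates are not validated")
        for entry in trusted:
            if entry.get("certificateValidation") is None:
                report("warn", "trustedIssuers/issuer lacks the certificateValidation attribute")

        # roleURI is required for role based access control.
        if not (ctx.findtext("protocol/roleURI") or "").strip():
            report("info", "no protocol/roleURI: role based access control is unavailable")

        # Mandatory claims (optional != true) must be issued by the IdP or issuance fails.
        mandatory = [c.get("type", "?") for c in ctx.findall("protocol/claimTypesRequested/claimType")
                     if (c.get("optional") or "false").lower() != "true"]
        if mandatory:
            report("info", "mandatory claims: " + ", ".join(mandatory))

        # maximumClockSkew (assumed to be seconds) widens the accepted token lifetime.
        skew_text = (ctx.findtext("maximumClockSkew") or "").strip()
        if skew_text and not skew_text.isdigit():
            report("warn", f"maximumClockSkew {skew_text!r} is not a non-negative integer")
        elif skew_text and int(skew_text) > max_skew_seconds:
            report("warn", f"maximumClockSkew {skew_text} exceeds the policy of {max_skew_seconds}")

        # Keystore passwords sit inline in this file: flag them so file permissions get reviewed too.
        for ks in ctx.iter("keyStore"):
            if ks.get("password"):
                report("info", f"keystore {ks.get('file')!r} has an inline password")
    return findings


# Constructed sample 1: the page's minimum configuration (whitespace compacted).
MINIMUM_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris><audienceItem>https://localhost:8443/fedizhelloworld</audienceItem></audienceUris>
    <certificateStores><trustManager>
      <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
    </trustManager></certificateStores>
    <trustedIssuers><issuer certificateValidation="PeerTrust" /></trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
      <issuer>https://localhost:9443/fediz-idp/</issuer>
    </protocol>
  </contextConfig>
</FedizConfig>
"""

# Constructed sample 2: a deliberately weakened context (no audience restriction,
# plain-http issuer, no trusted issuers, large clock skew, one mandatory claim).
WEAK_CONFIG = """<FedizConfig>
  <contextConfig name="/weak">
    <maximumClockSkew>300</maximumClockSkew>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
      <issuer>http://idp.example.test/fediz-idp/</issuer>
      <claimTypesRequested>
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
      </claimTypesRequested>
    </protocol>
  </contextConfig>
</FedizConfig>
"""

if __name__ == "__main__":
    for label, cfg in (("minimum", MINIMUM_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for context, level, msg in lint_fediz_config(cfg):
            print(f"[{level}] {context}: {msg}")
```

Run against the minimum configuration the script emits only two informational findings (no roleURI, an inline keystore password); against the weakened sample it emits four warnings, which is the signal to fix before the application is deployed.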