...
The following example shows the minimum configuration for Fediz.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
    </audienceUris>
    <certificateStores>
      <trustManager>
        <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
      </trustManager>
    </certificateStores>
    <trustedIssuers>
      <issuer certificateValidation="PeerTrust" />
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
      <issuer>https://localhost:9443/fediz-idp/</issuer>
    </protocol>
  </contextConfig>
</FedizConfig>
```
...
XML element | Name | Use | Metadata | Description |
---|---|---|---|---|
issuer | Issuer URL | Required | PassiveRequestorEndpoint | This URL defines the location of the IDP to whom unauthenticated requests are redirected |
realm | Realm | Optional | TargetScope | Security realm of the Relying Party / Application. This value is part of the SignIn request as the |
authenticationType | Authentication Type | Optional | NA | The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter |
roleURI | Role Claim URI | Optional | NA | Defines the attribute name of the SAML token which contains the roles. |
roleDelimiter | Role Value Delimiter | Optional | NA | There are different ways to encode multi-value attributes in SAML. |
claimTypesRequested | Requested claims | Optional | ClaimTypesRequested | The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP, the issuance of the token should fail |
homeRealm | Home Realm | Optional | NA | Indicates to the Resource IDP the home realm of the requestor. This may be a URL or an identifier such as urn: or uuid:, depending on the Resource IDP implementation. This value is part of the SignIn request as the |
freshness | Freshness | Optional | NA | The desired "freshness" of the token from the IdP. This information is provided in the SignInRequest to the IdP (parameter |
request | Request | Optional | NA | This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP. |
tokenValidators | TokenValidators | Optional | NA | Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. |
...
The following example defines the required claims and configures a custom callback handler to define some configuration values at runtime.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
    </audienceUris>
    <certificateStores>
      <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
    </certificateStores>
    <maximumClockSkew>10</maximumClockSkew>
    <trustedIssuers>
      <issuer certificateValidation="PeerTrust" />
    </trustedIssuers>
    <signingKey keyPassword="tompass">
      <keyStore file="tomcatKeystore.jks" password="tompass" type="JKS" />
    </signingKey>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
      <issuer>https://localhost:9443/fediz-idp/</issuer>
      <roleDelimiter>,</roleDelimiter>
      <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
      <claimTypesRequested>
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="true" />
      </claimTypesRequested>
      <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard" />
      <homeRealm type="Class" value="example.HomeRealmCallbackHandler" />
      <tokenValidators>
        <validator>org.apache.cxf.fediz.core.CustomValidator</validator>
      </tokenValidators>
    </protocol>
  </contextConfig>
</FedizConfig>
```
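The two configurations above and the element table between them are what a deployer reviews before going live. The following script is an added example, not part of Fediz or its documentation: it parses a FedizConfig document with the standard library and reports the settings that matter for token validation (audience restriction, trusted issuers, IdP issuer URL, clock skew). The sample document is constructed from the minimal configuration on this page with two values deliberately weakened; the 60-second skew threshold is an assumed review policy, not a Fediz default.

```python
# Added example (not Fediz project code): review a FedizConfig document for
# validation settings a Relying Party should not deploy without.
import xml.etree.ElementTree as ET

# Constructed sample: the minimal configuration from this page with a plain
# http audience and a large clock skew, so the checks below report something.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>http://localhost:8443/fedizhelloworld</audienceItem>
    </audienceUris>
    <maximumClockSkew>600</maximumClockSkew>
    <trustedIssuers>
      <issuer certificateValidation="PeerTrust" />
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.2">
      <issuer>https://localhost:9443/fediz-idp/</issuer>
    </protocol>
  </contextConfig>
</FedizConfig>"""


def check_fediz_config(xml_text: str, max_skew_seconds: int = 60) -> dict:
    """Return {contextConfig name: [finding, ...]}; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = {}
    for ctx in root.findall("contextConfig"):
        issues = []
        # audienceUris restricts which application a token is accepted for.
        audiences = [a.text or "" for a in ctx.findall("audienceUris/audienceItem")]
        if not audiences:
            issues.append("no audienceUris: tokens issued for other applications would be accepted")
        for audience in audiences:
            if not audience.startswith("https://"):
                issues.append(f"audience {audience!r} is not https")
        # trustedIssuers pins token signatures to the IdP's certificate.
        if ctx.find("trustedIssuers/issuer") is None:
            issues.append("no trustedIssuers: token signer is not restricted")
        # A generous maximumClockSkew extends the lifetime of every token.
        skew = ctx.findtext("maximumClockSkew")
        if skew is not None and int(skew) > max_skew_seconds:
            issues.append(f"maximumClockSkew {skew}s exceeds review limit of {max_skew_seconds}s")
        # Unauthenticated requests are redirected to protocol/issuer.
        idp = ctx.findtext("protocol/issuer") or ""
        if not idp.startswith("https://"):
            issues.append(f"IdP issuer {idp!r} is not https")
        findings[ctx.get("name", "?")] = issues
    return findings
```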