...

The Fediz STS is based on a customized CXF STS configured to support the standard federation use cases demonstrated by the examples. It has been enhanced to support two realms, *Realm-A* and *Realm-B*, with the following set of users:

User        Password
----------  ----------
Realm A
alice       ecila
bob         bob
ted         det
Realm B
ALICE       ECILA
BOB         BOB
TED         DET

The Fediz IDP does not support multiple realms within one WAR, so a separate Fediz IDP WAR has to be built for Realm A (the default, shipped with the Fediz distribution) and for Realm B. See below for how to build a Fediz IDP WAR for a specific realm.

...

To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily point $CATALINA_HOME at the second instance instead of the first, for example:

Code Block

CATALINA_HOME=/path/to/second/tomcat
export CATALINA_HOME
$CATALINA_HOME/bin/startup.sh

and

Code Block

CATALINA_HOME=/path/to/second/tomcat
export CATALINA_HOME
$CATALINA_HOME/bin/shutdown.sh

...

Here is a sample snippet showing the configuration of the three values above:

Code Block (xml)

<Server port="9005" shutdown="SHUTDOWN">
...

   <!-- http configuration -->
   <Connector port="9080" protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="9443" />

   ...

   <!-- https configuration -->
   <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        keystoreFile="idp-ssl-server.jks"
        keystorePass="tompass" sslProtocol="TLS" />
   ...

   <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />

...
</Server>
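When a second instance is created by copying the first, it is easy to move some of the three ports and forget another one, or to leave a redirectPort pointing at the first instance's HTTPS connector. The following script, an added example that is not part of the Fediz distribution or this page, parses two server.xml documents (constructed samples embedded inline, using the 9xxx ports from the snippet above) and reports ports bound by both instances as well as redirectPort values that do not belong to an SSL connector of the same instance.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a first Tomcat instance left on the default ports.
FIRST_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: the second instance moved to the 9xxx ports used on this page.
SECOND_SERVER_XML = """<Server port="9005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9080" protocol="HTTP/1.1" redirectPort="9443" />
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />
  </Service>
</Server>"""

# Constructed slips: the shutdown port was not moved; the HTTP connector still
# redirects to the first instance's HTTPS port.
SHUTDOWN_CLASH_XML = SECOND_SERVER_XML.replace('<Server port="9005"', '<Server port="8005"')
STALE_REDIRECT_XML = SECOND_SERVER_XML.replace(
    'port="9080" protocol="HTTP/1.1" redirectPort="9443"',
    'port="9080" protocol="HTTP/1.1" redirectPort="8443"')


def listening_ports(server_xml):
    """Return {port: role} for every port the server.xml binds: the shutdown
    port on <Server> plus the port of each <Connector>."""
    root = ET.fromstring(server_xml)
    ports = {int(root.get("port")): "shutdown"}
    for conn in root.iter("Connector"):
        role = conn.get("protocol", "HTTP/1.1")
        if conn.get("SSLEnabled") == "true":
            role += " SSL"
        ports[int(conn.get("port"))] = role
    return ports


def port_conflicts(*server_xmls):
    """Return sorted (port, [instance indexes]) pairs for ports that more than
    one of the given server.xml documents would bind."""
    owners = defaultdict(list)
    for index, server_xml in enumerate(server_xmls):
        for port in listening_ports(server_xml):
            owners[port].append(index)
    return sorted((port, idx) for port, idx in owners.items() if len(idx) > 1)


def stale_redirects(server_xml):
    """Return (port, redirectPort) pairs for connectors whose redirectPort is not
    an SSL-enabled connector port of the same instance."""
    root = ET.fromstring(server_xml)
    ssl_ports = {int(c.get("port")) for c in root.iter("Connector")
                 if c.get("SSLEnabled") == "true"}
    return [(int(c.get("port")), int(c.get("redirectPort")))
            for c in root.iter("Connector")
            if c.get("redirectPort") and int(c.get("redirectPort")) not in ssl_ports]


if __name__ == "__main__":
    print("conflicts (first vs. second):", port_conflicts(FIRST_SERVER_XML, SECOND_SERVER_XML))
    print("conflicts (shutdown port kept):", port_conflicts(FIRST_SERVER_XML, SHUTDOWN_CLASH_XML))
    print("stale redirects:", stale_redirects(STALE_REDIRECT_XML))
```

On a real installation, read the two files from <catalina.home>/conf/server.xml of each instance and pass their contents to port_conflicts; a non-empty result means the second instance will fail to bind or, for the stale redirect case, will silently hand HTTPS traffic to the other instance.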

...

Once you have deployed the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to reach the Fediz STS from a browser. Assuming port 9080 as configured above, the STS WSDL is available at:

...

Configuration

You can manage the users, their claims and the claims per application in the IDP.

...

The users and passwords are configured in the Spring configuration file webapps/fediz-idp-sts/WEB-INF/passwords.xml. The following users are already configured for Realm A (and, in the same way, for Realm B) and the lists can easily be extended:

Code Block (xml)

    <util:map id="REALMA">
        <entry key="alice" value="ecila" />
        <entry key="bob" value="bob" />
        <entry key="ted" value="det" />
    </util:map>

    <util:map id="REALMB">
        <entry key="ALICE" value="ECILA" />
        <entry key="BOB" value="BOB" />
        <entry key="TED" value="DET" />
    </util:map>

...

The claims of each user are configured in the Spring configuration file webapps/fediz-idp-sts/WEB-INF/userClaims.xml. The following claims are already configured:

Code Block (xml)

  <util:map id="userClaimsREALMA">
    <entry key="alice"
      value-ref="REALMA_aliceClaims" />
    <entry key="bob"
      value-ref="REALMA_bobClaims" />
    <entry key="ted"
      value-ref="REALMA_tedClaims" />
  </util:map>

  <util:map id="REALMA_aliceClaims">
    <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
      value="Alice" />
    <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
      value="Smith" />
    <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      value="alice@realma.org" />
    <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
      value="User" />
  </util:map>

...

The IDP configuration is done in the new configuration file idp-config-<realm>.xml, which is illustrated below:

Code Block (xml)

    <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
        <property name="uri" value="realma" />
        <!--<property name="hrds" value="" />--> <!-- TBD, not defined, provide list if enabled -->
        <property name="provideIDPList" value="true" />
        <property name="useCurrentIDP" value="true" />
        <property name="certificate" value="stsKeystoreA.properties" />
        <property name="certificatePassword" value="realma" />
        <property name="stsUrl" value="https://localhost:9443/fediz-idp-sts/REALMA" />
        <property name="idpUrl" value="https://localhost:9443/fediz-idp/federation" />
        <property name="supportedProtocols">
            <util:list>
                <value>http://docs.oasis-open.org/wsfed/federation/200706</value>
                <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512</value>
            </util:list>
        </property>
        <property name="services">
            <util:map>
                <entry key="urn:org:apache:cxf:fediz:fedizhelloworld" value-ref="srv-fedizhelloworld" />
            </util:map>
        </property>
        <property name="authenticationURIs">
            <util:map>
                <entry key="default" value="/login/default" />
            </util:map>
        </property>
        <property name="trustedIDPs">
            <util:map>
                <entry key="urn:org:apache:cxf:fediz:idp:realm-B" value-ref="trusted-idp-realmB" />
            </util:map>
        </property>
        <property name="serviceDisplayName" value="REALM A" />
        <property name="serviceDescription" value="IDP of Realm A" />
    </bean>

...

Application-related configuration, such as the required claims, is done in the same new IDP configuration file idp-config-<realm>.xml, which has been extended to support other configuration parameters as well:

Code Block (xml)

    <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
        <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
        <property name="serviceDisplayName" value="Fedizhelloworld" />
        <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
        <property name="role" value="ApplicationServiceType" />
        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
        <property name="lifeTime" value="3600" />
        <property name="requestedClaims">
            <util:list>
                <bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
                    <property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
                    <property name="optional" value="false" />
                </bean>
                <bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
                    <property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
                    <property name="optional" value="false" />
                </bean>
                <bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
                    <property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
                    <property name="optional" value="false" />
                </bean>
                <bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
                    <property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
                    <property name="optional" value="true" />
                </bean>
            </util:list>
        </property>
    </bean>

...

This feature is new in Fediz IDP 1.1 and allows a SignIn request to be redirected to a trusted IDP. The following configuration is required:

Code Block

    <bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig">
        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
        <property name="url" value="https://localhost:12443/fediz-idp-remote/federation" />
        <property name="certificate" value="realmb.cert" />
        <property name="trustType" value="PEER_TRUST" />
        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
        <property name="federationType" value="FederateIdentity" />
        <property name="name" value="REALM B" />
        <property name="description" value="IDP of Realm B" />
    </bean>
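In the three bean definitions above (IDPConfig, ServiceConfig and TrustedIDPConfig), every key of the services and trustedIDPs maps equals the realm property of the bean its value-ref points to, and each value-ref names a bean of the matching class. A typo in one of these URNs or ids is easy to make when a second realm is added. The following script is an added example, not part of the Fediz project, that checks exactly that convention over a trimmed copy of the page's beans; the wrapping <beans> root, the broken variants, and the rule that key and realm must be equal are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans",
      "util": "http://www.springframework.org/schema/util"}

# Constructed sample: the bean ids, classes, map keys and realm values from this page,
# trimmed to the properties the check needs and wrapped in a <beans> root so it parses.
IDP_CONFIG_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
    <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
    <property name="services">
      <util:map>
        <entry key="urn:org:apache:cxf:fediz:fedizhelloworld" value-ref="srv-fedizhelloworld" />
      </util:map>
    </property>
    <property name="trustedIDPs">
      <util:map>
        <entry key="urn:org:apache:cxf:fediz:idp:realm-B" value-ref="trusted-idp-realmB" />
      </util:map>
    </property>
  </bean>
  <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
  </bean>
  <bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig">
    <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
  </bean>
</beans>"""

# Constructed broken variants: a case typo in the trusted IDP's realm, and a dangling value-ref.
TYPO_REALM_XML = IDP_CONFIG_XML.replace(
    'value="urn:org:apache:cxf:fediz:idp:realm-B"',
    'value="urn:org:apache:cxf:fediz:idp:realm-b"')
DANGLING_REF_XML = IDP_CONFIG_XML.replace('value-ref="srv-fedizhelloworld"',
                                          'value-ref="srv-helloworld"')

# Which bean class each IDPConfig map is expected to reference (assumed from the page's sample).
EXPECTED = {"services": "ServiceConfig", "trustedIDPs": "TrustedIDPConfig"}


def load_beans(xml_text):
    """Parse top-level <bean> definitions into {id: {"class": ..., "props": {...}}}.
    Scalar properties become strings; util:map properties become {key: value-ref}."""
    beans = {}
    for bean in ET.fromstring(xml_text).findall("b:bean", NS):
        props = {}
        for prop in bean.findall("b:property", NS):
            if prop.get("value") is not None:
                props[prop.get("name")] = prop.get("value")
                continue
            util_map = prop.find("util:map", NS)
            if util_map is not None:
                props[prop.get("name")] = {e.get("key"): e.get("value-ref")
                                           for e in util_map.findall("b:entry", NS)}
        beans[bean.get("id")] = {"class": bean.get("class"), "props": props}
    return beans


def check_idp_config(xml_text):
    """Return a list of problems (empty when consistent): every services/trustedIDPs entry
    must reference an existing bean of the expected class whose realm equals the map key."""
    beans = load_beans(xml_text)
    problems = []
    for bean_id, bean in beans.items():
        if not bean["class"].endswith(".IDPConfig"):
            continue
        for prop, expected_class in EXPECTED.items():
            for key, ref in bean["props"].get(prop, {}).items():
                target = beans.get(ref)
                if target is None:
                    problems.append(f"{bean_id}.{prop}[{key}]: value-ref '{ref}' does not exist")
                elif not target["class"].endswith("." + expected_class):
                    problems.append(f"{bean_id}.{prop}[{key}]: '{ref}' is not a {expected_class}")
                elif target["props"].get("realm") != key:
                    problems.append(f"{bean_id}.{prop}[{key}]: '{ref}' has realm "
                                    f"'{target['props'].get('realm')}', which differs from the key")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("page sample", IDP_CONFIG_XML), ("typo", TYPO_REALM_XML),
                            ("dangling ref", DANGLING_REF_XML)):
        print(label, "->", check_idp_config(xml_text) or "OK")
```

To run it against a real file, replace IDP_CONFIG_XML with the contents of idp-config-<realm>.xml; the parser only looks at top-level beans and util:map properties, so the other properties in the file are ignored rather than rejected.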

...

WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP, which can be configured as illustrated in this sample JAAS configuration (jaas.config):

Code Block

myldap {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
    authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
    useSSL=false
    debug=true;
};

...

In this example, all users are stored in the organizational unit Users within mycompany.org. The configuration file name can be chosen freely, e.g. jaas.config, but it must be passed to the JVM as a system property. JVM-related settings for Tomcat can be placed in the file setenv.sh/setenv.bat in the directory tomcat/bin; this script is called implicitly by catalina.sh/catalina.bat and might look like this on UNIX:

Code Block

#!/bin/sh
JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
export JAVA_OPTS

Next, the STS endpoint has to be configured to use the JAAS LoginModule, which is accomplished with the JAASUsernameTokenValidator:

Code Block (xml)

<bean id="jaasUTValidator"
      class="org.apache.ws.security.validate.JAASUsernameTokenValidator">
   <property name="contextName" value="myldap"/>
</bean>

<jaxws:endpoint id="transportSTSUT"
  endpointName="ns1:TransportUT_Port"
  serviceName="ns1:SecurityTokenService"
  xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
  wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
  address="/STSServiceTransportUT"
  implementor="#transportSTSProviderBean">

  <jaxws:properties>
    <entry key="ws-security.ut.validator"
           value-ref="jaasUTValidator"/>
  </jaxws:properties>
</jaxws:endpoint>

...

The following example illustrates the changes to be made in webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml:

Code Block (xml)

<util:list id="claimHandlerList">
  <ref bean="ldapClaimsHandler" />
</util:list>

<bean id="contextSource"
   class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="url" value="ldap://ldap.mycompany.org:389" />
  <property name="userDn"
    value="CN=techUser,OU=Users,DC=mycompany,DC=org" />
  <property name="password" value="mypassword" />
</bean>

<bean id="ldapTemplate"
   class="org.springframework.ldap.core.LdapTemplate">
  <constructor-arg ref="contextSource" />
</bean>

<util:map id="claimsToLdapAttributeMapping">
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
         value="givenName" />
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
         value="sn" />
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
         value="mail" />
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
         value="c" />
</util:map>

<bean id="ldapClaimsHandler"
    class="org.apache.cxf.sts.claims.LdapClaimsHandler">
  <property name="ldapTemplate" ref="ldapTemplate" />
  <property name="claimsLdapAttributeMapping"
            ref="claimsToLdapAttributeMapping" />
  <property name="userBaseDN"
      value="OU=Users,DC=mycompany,DC=org" />
</bean>
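The claimsToLdapAttributeMapping above only decides which LDAP attribute answers which claim type; which claims a given application actually needs, and whether each one may be left out, comes from the requestedClaims of its ServiceConfig (optional="true" or "false"). The following script is an added example, not the LdapClaimsHandler of CXF, that models that interaction: it parses the page's mapping, takes the fedizhelloworld requestedClaims, and resolves them against a constructed in-memory directory instead of a real LDAP server. Note that the page's mapping has no entry for the role claim, so it can only ever be satisfied when the application marks it optional.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans",
      "util": "http://www.springframework.org/schema/util"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# The claimsToLdapAttributeMapping shown on this page, wrapped in a constructed <beans> root.
MAPPING_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:map id="claimsToLdapAttributeMapping">
    <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="givenName" />
    <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="sn" />
    <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="mail" />
    <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" value="c" />
  </util:map>
</beans>"""

# The requestedClaims of srv-fedizhelloworld from this page as (claim type, optional) pairs.
REQUESTED_CLAIMS = [
    (CLAIMS + "givenname", False),
    (CLAIMS + "surname", False),
    (CLAIMS + "emailaddress", False),
    (CLAIMS + "role", True),
]

# Constructed LDAP entries standing in for the lookup under userBaseDN (no real directory).
DIRECTORY = {
    "alice": {"givenName": "Alice", "sn": "Smith", "mail": "alice@realma.org", "c": "US"},
    "bob": {"givenName": "Bob", "sn": "Jones"},  # no mail attribute
}


class ClaimsError(Exception):
    """Raised when a mandatory claim cannot be issued."""


def load_mapping(xml_text):
    """Return {claim type URI: LDAP attribute name} from the util:map with that id."""
    for util_map in ET.fromstring(xml_text).findall("util:map", NS):
        if util_map.get("id") == "claimsToLdapAttributeMapping":
            return {e.get("key"): e.get("value") for e in util_map.findall("b:entry", NS)}
    raise ValueError("claimsToLdapAttributeMapping not found")


def resolve_claims(username, requested, mapping, directory):
    """Build the claims to issue for one user: each requested claim is looked up via
    its mapped LDAP attribute; a missing value is skipped when optional and rejected
    when mandatory (claim types without a mapping entry count as missing)."""
    entry = directory.get(username)
    if entry is None:
        raise ClaimsError(f"user '{username}' not found under userBaseDN")
    issued = {}
    for claim_type, optional in requested:
        attr = mapping.get(claim_type)
        value = entry.get(attr) if attr is not None else None
        if value is None:
            if optional:
                continue
            reason = ("no LDAP attribute mapped for this claim type" if attr is None
                      else f"attribute '{attr}' not present on the entry")
            raise ClaimsError(f"mandatory claim {claim_type} cannot be issued: {reason}")
        issued[claim_type] = value
    return issued


if __name__ == "__main__":
    mapping = load_mapping(MAPPING_XML)
    print(resolve_claims("alice", REQUESTED_CLAIMS, mapping, DIRECTORY))
    try:
        resolve_claims("bob", REQUESTED_CLAIMS, mapping, DIRECTORY)
    except ClaimsError as exc:
        print("rejected:", exc)
```

The rejection path is the one worth checking in a deployment: if an application marks a claim mandatory but the directory has no value for it (or the mapping has no entry for it), the user should not receive a token for that application rather than a token with the claim silently dropped.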

...