Fediz IDP
Note: Fediz IDP 1.0 is described here .
The Release 1.1 introduces the following new feature:
...
The Fediz STS is based on a customized CXF STS configured to support standard Federation use cases demonstrated by the examples. The Fediz STS has been enhanced to support two realms *Realm-A* and *Realm-B* with the following set of users:
User | Password |
---|---|
Realm A |
alice | ecila |
bob | bob |
ted | det |
Realm B |
ALICE | ECILA |
BOB | BOB |
TED | DET |
The Fediz IDP doesn't support several realms within one WAR which requires to build a Fediz IDP WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See below how to build a Fediz IDP WAR for a specific realm.
...
To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:
Code Block |
---|
CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/startup.sh
|
and
Code Block |
---|
CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/shutdown.sh
|
...
Here is a sample snippet for showing the configuration of the above three values:
Code Block | ||||
---|---|---|---|---|
| ||||
<Server port="9005" shutdown="SHUTDOWN"> ... <!-- http configuration --> <Connector port="9080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="9443" /> ... <!-- https configuration --> <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" keystoreFile="idp-ssl-serverkey.jks" keystorePass="tompass" keystorePasstruststoreFile="tompassidp-ssl-trust.jks" sslProtocoltruststorePass="TLSispass" /> ... <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" /> ... </Server> |
...
To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See this page for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.
...
The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A by default. The distribution also contains the IDP and STS sources with two Maven Profiles realm-a and realm-b. More information is provided in the {{README.txt
} here
Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser at http:. Assuming port 9080 as listed above, the STS WSDL is available at:
Version | STS WSDL location |
---|---|
Fediz 1.0.x | http://localhost:9080/fediz-idp-sts/STSService?wsdl |
...
Configuration
You can manage the users, their claims and the claims per application in the IDP.
...
The users and passwords are configured in a Spring configuration file in webapps/fediz-idp-sts/WEB-INF/data/passwords.xml
. The following users are already configured for the Realm A and can easily be extended.
Code Block | ||||
---|---|---|---|---|
| ||||
<util:map id="passwordsREALMA"> <entry key="alice" value="ecila" /> <entry key="bob" value="ecilabob" /> <entry key="bobted" value="det" /> </util:map> <util:map valueid="bobREALMB" /> <entry key="tedALICE" value="ECILA" /> <entry key="BOB" value="detBOB" /> </util<entry key="TED" value="DET" /> </util:map> |
User Claims
The claims of each user are configured in a spring configuration file webapps/fediz-idp-sts/WEB-INF/data/userClaims.xml
. The following claims are already configured:
Code Block | ||||
---|---|---|---|---|
| ||||
<util:map id="userClaimsREALMA">
<entry key="alice"
value-ref="REALMA_aliceClaims" />
<entry key="bob"
value-ref="REALMA_bobClaims" />
<entry key="ted"
value-ref="REALMA_tedClaims" />
</util:map>
<util:map id="REALMA_aliceClaims">
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
value="Alice" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
value="Smith" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
value="alice@realma.org" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
value="User" />
</util:map>
|
The claim id's are configured according to Section 7.5 in the specification Identity Metasystem Interoperability. The mapping of claims to a SAML attribute statement are described in Section 7.2.
...
IDP configuration
Note: The configuration file RPClaims.xml
has been replacedThe required claims per relying party are configured IDP configuration is done in the new IDP configuration file idp-config-<realm>.xml
which has been enhanced to support other configuration parameters as well:is illustrated below
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="srvidp-fedizhelloworldrealmA" class="org.apache.cxf.fediz.service.idp.model.ServiceConfigIDPConfig"> <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworldidp:realm-A" /> <property name="protocoluri" value="http://docs.oasis-open.org/wsfed/federation/200706realma" /> <!--<property name="serviceDisplayNamehrds" value="Fedizhelloworld" />--> <!-- TBD, not defined, provide list if enabled --> <property name="serviceDescriptionprovideIDPList" value="true"Web Application to illustrate WS-Federation" / /> <property name="roleuseCurrentIDP" value="ApplicationServiceTypetrue" /> <property name="tokenTypecertificate" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0stsKeystoreA.properties" /> <property name="lifeTimecertificatePassword" value="3600realma" /> <property name="requestedClaimsstsUrl"> <util:list> value="https://localhost:9443/fediz-idp-sts/REALMA" /> <property name="idpUrl" value="https://localhost:9443/fediz-idp/federation" /> <bean <property classname="org.apache.cxf.fediz.service.idp.model.RequestClaimsupportedProtocols"> <util:list> <property name="claimType" value="http <value>http://schemasdocs.xmlsoapoasis-open.org/wswsfed/2005federation/05/identity/claims/givenname" /> 200706</value> <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512</value> <property name="optional" value="false" /> </util:list> </bean>property> <bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim<property name="services"> <util:map> <property<entry namekey="claimTypeurn:org:apache:cxf:fediz:fedizhelloworld" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname-ref="srv-fedizhelloworld" /> </util:map> <property name="optional" value="false" /></property> <property name="authenticationURIs"> </bean> <util:map> <entry <bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim"> key="default" value="/login/default" /> </util:map> </property> <property name="claimTypetrustedIDPs" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" /> > <util:map> <entry key="urn:org:apache:cxf:fediz:idp:realm-B" value-ref="trusted-idp-realmB" /> </util:map> </property> <property name="serviceDisplayName" value="REALM A" /> <property name="serviceDescription" value="IDP of Realm A" /> </bean> |
Relying Party / Application configuration
Note: The configuration file RPClaims.xml
has been replaced
The application related configuration like required claims are configured in the new IDP configuration file idp-config-<realm>.xml
which has been enhanced to support other configuration parameters as well:
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
<property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
<property name="serviceDisplayName" value="Fedizhelloworld" />
<property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
<property name="role" value="ApplicationServiceType" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
<property name="requestedClaims">
<util:list>
<bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
<property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
<property name="optional" value="false" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
<property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
<property name="optional" value="false" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
<property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
<property name="optional" value="false" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
<property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
<property name="optional" value="true" />
</bean>
</util:list>
</property>
</bean>
|
Trusted IDP configuration
This feature is new in Fediz IDP 1.1 and allows to redirect a SignIn Request to a trusted IDP. The following configuration is required:
Code Block |
---|
<bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig"> <property name="optionalrealm" value="falseurn:org:apache:cxf:fediz:idp:realm-B" /> <property </bean>name="url" value="https://localhost:12443/fediz-idp-remote/federation" /> <property <bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim"name="certificate" value="realmb.cert" /> <property name="trustType" value="PEER_TRUST" /> <property name="claimTypeprotocol" value="http://schemasdocs.xmlsoapoasis-open.org/ws/2005/05/identity/claims/rolewsfed/federation/200706" /> <property name="optionalfederationType" value="trueFederateIdentity" /> <property name="name" value="REALM B" </bean>> <property name="description" value="IDP </util:list> </property>of Realm B" /> </bean> |
Configure LDAP directory
...
WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):
Code Block |
---|
myldap {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
useSSL=false
debug=true;
};
|
...
In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. jaas.config
. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file setenv.sh/bat
located in directory tomcat/bin
. This script is called implicitly by catalina.bat/sh
and might look like this for UNIX:
Code Block |
---|
#!/bin/sh
JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
export JAVA_OPTS
|
Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the JAASUsernameTokenValidator
.
Code Block | ||||
---|---|---|---|---|
| ||||
<bean
class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
id="jaasUTValidator">
<property name="contextName" value="myldap"/>
</bean>
<jaxws:endpoint id="transportSTSUT"
endpointName="ns1:TransportUT_Port"
serviceName="ns1:SecurityTokenService"
xmlns:ns1=http://docs.oasis-open.org/ws-sx/ws-trust/200512/
wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
address="/STSServiceTransportUT"
implementor="#transportSTSProviderBean">
<jaxws:properties>
<entry key="ws-security.ut.validator"
value-ref="jaasUTValidator"/>
</jaxws:properties>
</jaxws:endpoint>
|
...
The following example illustrate the changes to be made in webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml
:
Code Block | ||||
---|---|---|---|---|
| ||||
<util:list id="claimHandlerList">
<ref bean="ldapClaimsHandler" />
</util:list>
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldap.mycompany.org:389" />
<property name="userDn"
value="CN=techUser,OU=Users,DC=mycompany,DC=org" />
<property name="password" value="mypassword" />
</bean>
<bean id="ldapTemplate"
class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSource" />
</bean>
<util:map id="claimsToLdapAttributeMapping">
<entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
value="givenName" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
value="sn" />
<entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
value="mail" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
value="c" />
</util:map>
<bean id="ldapClaimsHandler"
class="org.apache.cxf.sts.claims.LdapClaimsHandler">
<property name="ldapTemplate" ref="ldapTemplate" />
<property name="claimsLdapAttributeMapping"
ref="claimsToLdapAttributeMapping" />
<property name="userBaseDN"
value="OU=Users,DC=mycompany,DC=org" />
</bean>
|
...