...
Note: Fediz IDP 1.0 is described here .
The Release 1.1 introduces the following new feature:
...
The Fediz STS is based on a customized CXF STS configured to support standard Federation use cases demonstrated by the examples. The Fediz STS has been enhanced to support two realms *Realm-A* and *Realm-B* with the following set of users:
User | Password |
---|---|
Realm A |
alice | ecila |
bob | bob |
ted | det |
Realm B |
ALICE | ECILA |
BOB | BOB |
TED | DET |
The Fediz IDP doesn't support several realms within one WAR which requires to build a Fediz IDP WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See below how to build a Fediz IDP WAR for a specific realm.
...
To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:
Code Block |
---|
CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/startup.sh
|
and
Code Block |
---|
CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/shutdown.sh
|
...
Here is a sample snippet for showing the configuration of the above three values:
Code Block | ||||
---|---|---|---|---|
| ||||
<Server port="9005" shutdown="SHUTDOWN"> ... <!-- http configuration --> <Connector port="9080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="9443" /> ... <!-- https configuration --> <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" keystoreFile="idp-ssl-serverkey.jks" keystorePass="tompass" keystorePasstruststoreFile="tompassidp-ssl-trust.jks" sslProtocoltruststorePass="TLSispass" /> ... <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" /> ... </Server> |
...
To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See this page for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.
...
Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser. Assuming port 9080 as listed above, the STS WSDL is available at:
Version | STS WSDL location |
---|---|
Fediz 1.0.x | http://localhost:9080/fediz-idp-sts/STSService?wsdl |
...
Configuration
You can manage the users, their claims and the claims per application in the IDP.
...
The users and passwords are configured in a Spring configuration file in webapps/fediz-idp-sts/WEB-INF/data/passwords.xml
. The following users are already configured for the Realm A and can easily be extended.
Code Block | ||||
---|---|---|---|---|
| ||||
<util:map id="REALMA">
<entry key="alice" value="ecila" />
<entry key="bob" value="bob" />
<entry key="ted" value="det" />
</util:map>
<util:map id="REALMB">
<entry key="ALICE" value="ECILA" />
<entry key="BOB" value="BOB" />
<entry key="TED" value="DET" />
</util:map>
|
...
The claims of each user are configured in a spring configuration file webapps/fediz-idp-sts/WEB-INF/data/userClaims.xml
. The following claims are already configured:
Code Block | ||||
---|---|---|---|---|
| ||||
<util:map id="userClaimsREALMA">
<entry key="alice"
value-ref="REALMA_aliceClaims" />
<entry key="bob"
value-ref="REALMA_bobClaims" />
<entry key="ted"
value-ref="REALMA_tedClaims" />
</util:map>
<util:map id="REALMA_aliceClaims">
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
value="Alice" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
value="Smith" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
value="alice@realma.org" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
value="User" />
</util:map>
|
...
The IDP configuration is done in the new configuration file idp-config-<realm>.xml
which is illustrated below
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
<property name="uri" value="realma" />
<!--<property name="hrds" value="" />--> <!-- TBD, not defined, provide list if enabled -->
<property name="provideIDPList" value="true" />
<property name="useCurrentIDP" value="true" />
<property name="certificate" value="stsKeystoreA.properties" />
<property name="certificatePassword" value="realma" />
<property name="stsUrl" value="https://localhost:9443/fediz-idp-sts/REALMA" />
<property name="idpUrl" value="https://localhost:9443/fediz-idp/federation" />
<property name="supportedProtocols">
<util:list>
<value>http://docs.oasis-open.org/wsfed/federation/200706</value>
<value>http://docs.oasis-open.org/ws-sx/ws-trust/200512</value>
</util:list>
</property>
<property name="services">
<util:map>
<entry key="urn:org:apache:cxf:fediz:fedizhelloworld" value-ref="srv-fedizhelloworld" />
</util:map>
</property>
<property name="authenticationURIs">
<util:map>
<entry key="default" value="/login/default" />
</util:map>
</property>
<property name="trustedIDPs">
<util:map>
<entry key="urn:org:apache:cxf:fediz:idp:realm-B" value-ref="trusted-idp-realmB" />
</util:map>
</property>
<property name="serviceDisplayName" value="REALM A" />
<property name="serviceDescription" value="IDP of Realm A" />
</bean>
|
...
The application related configuration like required claims are configured in the new IDP configuration file idp-config-<realm>.xml
which has been enhanced to support other configuration parameters as well:
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
<property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
<property name="serviceDisplayName" value="Fedizhelloworld" />
<property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
<property name="role" value="ApplicationServiceType" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
<property name="requestedClaims">
<util:list>
<bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
<property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
<property name="optional" value="false" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
<property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
<property name="optional" value="false" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
<property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
<property name="optional" value="false" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
<property name="claimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
<property name="optional" value="true" />
</bean>
</util:list>
</property>
</bean>
|
...
This feature is new in Fediz IDP 1.1 and allows to redirect a SignIn Request to a trusted IDP. The following configuration is required:
Code Block |
---|
<bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
<property name="url" value="https://localhost:12443/fediz-idp-remote/federation" />
<property name="certificate" value="realmb.cert" />
<property name="trustType" value="PEER_TRUST" />
<property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
<property name="federationType" value="FederateIdentity" />
<property name="name" value="REALM B" />
<property name="description" value="IDP of Realm B" />
</bean>
|
...
WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):
Code Block |
---|
myldap {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
useSSL=false
debug=true;
};
|
...
In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. jaas.config
. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file setenv.sh/bat
located in directory tomcat/bin
. This script is called implicitly by catalina.bat/sh
and might look like this for UNIX:
Code Block |
---|
#!/bin/sh
JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
export JAVA_OPTS
|
Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the JAASUsernameTokenValidator
.
Code Block | ||||
---|---|---|---|---|
| ||||
<bean
class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
id="jaasUTValidator">
<property name="contextName" value="myldap"/>
</bean>
<jaxws:endpoint id="transportSTSUT"
endpointName="ns1:TransportUT_Port"
serviceName="ns1:SecurityTokenService"
xmlns:ns1=http://docs.oasis-open.org/ws-sx/ws-trust/200512/
wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
address="/STSServiceTransportUT"
implementor="#transportSTSProviderBean">
<jaxws:properties>
<entry key="ws-security.ut.validator"
value-ref="jaasUTValidator"/>
</jaxws:properties>
</jaxws:endpoint>
|
...
The following example illustrate the changes to be made in webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml
:
Code Block | ||||
---|---|---|---|---|
| ||||
<util:list id="claimHandlerList">
<ref bean="ldapClaimsHandler" />
</util:list>
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldap.mycompany.org:389" />
<property name="userDn"
value="CN=techUser,OU=Users,DC=mycompany,DC=org" />
<property name="password" value="mypassword" />
</bean>
<bean id="ldapTemplate"
class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSource" />
</bean>
<util:map id="claimsToLdapAttributeMapping">
<entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
value="givenName" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
value="sn" />
<entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
value="mail" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
value="c" />
</util:map>
<bean id="ldapClaimsHandler"
class="org.apache.cxf.sts.claims.LdapClaimsHandler">
<property name="ldapTemplate" ref="ldapTemplate" />
<property name="claimsLdapAttributeMapping"
ref="claimsToLdapAttributeMapping" />
<property name="userBaseDN"
value="OU=Users,DC=mycompany,DC=org" />
</bean>
|
...