You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Fediz IDP

The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component, fedizidpsts.war, which is responsible for validating credentials, getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR (fedizidp.war) which allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confines of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic.

The Fediz STS is based on a customized CXF STS configured to support standard Federation use cases demonstrated by the examples.

Installation

The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server.

Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps). Once done, you should be able to see the Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdl, assuming you're using port 9080 as listed below.

A Relying Party application trusts the IDP/STS component that the IDP authenticated the browser user. The trust is established based on the certificate/private key used by the STS to sign the SAML token. The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this keystore to a location where the Relying Party can reference it in its Fediz Configuration in the element certificateStores.

This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party

Configuration

You can manage the users, their claims and the claims per application in the IDP.

HTTPS configuration

It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described here is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change these port values so they don't conflict with the original Tomcat installation. The Fediz examples use the following TCP ports to interact with the IDP/STS:

  • HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)
  • HTTPS port: 9443 (where IDP and STS are accessed)

The Tomcat HTTP(s) configuration is done in conf/server.xml.

This is a sample snippet for an HTTPS configuration:

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="tomcatKeystore.jks"
               keystorePass="tompass" sslProtocol="TLS" />

The keystoreFile is relative to $CATALINA_HOME. See here for the Tomcat 7 configuration reference. This page also describes how to create certificates.

Production: It's highly recommended to deploy certificates signed by a Certificate Authority

To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:

CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/startup.sh

and

CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/shutdown.sh

If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE that will need to be redefined.

User and password

The users and passwords are configured in a Spring configuration file in webapps/fediz-idp-sts/WEB-INF/passwords.xml. The following users are already configured and can easily be extended.

    <util:map id="passwords">
        <entry key="alice"
            value="ecila" />
        <entry key="bob"
            value="bob" />
        <entry key="ted"
            value="det" />
    </util:map>
User Claims

The claims of each user are configured in a spring configuration file webapps/fediz-idp-sts/WEB-INF/userClaims.xml. The following claims are already configured:

    <util:map id="userClaims">
        <entry key="alice"
            value-ref="aliceClaims" />
        <entry key="bob"
            value-ref="bobClaims" />
        <entry key="ted"
            value-ref="tedClaims" />
    </util:map>
   
    <util:map id="aliceClaims">
        <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
            value="Alice" />
        <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
            value="Smith" />
        <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
            value="alice@mycompany.org" />
        <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
            value="user" />
           
    </util:map>

The claim id's are configured according to Section 7.5 in the specification Identity Metasystem Interoperability. The mapping of claims to a SAML attribute statement are described in Section 7.2.

Application claims

The required claims per relying party are configured in the webapps/fediz-idp/WEB-INF/RPClaims.xml. The XML file has the following structure:

    <util:map id="realm2ClaimsMap">
        <entry key="https://localhost:8443/fedizhelloworld/"
            value-ref="claimsWsfedhelloworld" />
    </util:map>

    <util:list id="claimsWsfedhelloworld">
        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value>
        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value>
        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</value>
        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value>
    </util:list>

The key of each map entry must match with the wtrealm paramater in the redirect triggered by the relying party. The required claims for the different type of applications are grouped in beans which are a list of Strings as illustrated in claimsWsfedhelloworld.

The bean realm2ClaimsMap must be named realm2ClaimsMap and maps the different Relying Parties (applications) to one of the claim lists. This map is required to manage which claims are required for the applications.

The JIRA issue FEDIZ-1 will provide another option to manage the required claims on the Relying Party side.

Configure LDAP directory

The Fediz IDP can be configured to attach an LDAP directory to authenticate users and to retrieve claims information of users.

Username and password authentication

WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):

myldap {
 com.sun.security.auth.module.LdapLoginModule REQUIRED
 userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
 authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
 useSSL=false
 debug=true;
};

You can get more information about this LoginModule here.

In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. jaas.config. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file setenv.sh/bat located in directory tomcat/bin. This script is called implicitly by catalina.bat/sh and might look like this for UNIX:

#!/bin/sh
JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
export JAVA_OPTS

Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the JAASUsernameTokenValidator.

<bean
  class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
      id="jaasUTValidator">
   <property name="contextName" value="myldap"/>
</bean>

<jaxws:endpoint id="transportSTSUT"
  endpointName="ns1:TransportUT_Port"
  serviceName="ns1:SecurityTokenService"
  xmlns:ns1=http://docs.oasis-open.org/ws-sx/ws-trust/200512/
  wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
  address="/STSServiceTransportUT"
  implementor="#transportSTSProviderBean">

  <jaxws:properties>
    <entry key="ws-security.ut.validator"
         value-ref="jaasUTValidator"/>
  </jaxws:properties>
</jaxws:endpoint>

The property contextName must match the context name defined in the JAAS configuration file which is myldap in this example.

Claims management

When a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every registered ClaimsHandler who can provide the data of the requested claim. The CXF STS provides org.apache.cxf.sts.claims.LdapClaimsHandler which is a claims handler implementation to get claims from user attributes in a LDAP directory.

You configure which claim URI maps to which LDAP user attribute. The implementation uses the Spring Ldap Module (LdapTemplate).

The following example illustrate the changes to be made in webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml:

<util:list id="claimHandlerList">
  <ref bean="ldapClaimsHandler" />
</util:list>

<bean id="contextSource"
   class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="url" value="ldap://ldap.mycompany.org:389" />
  <property name="userDn"
    value="CN=techUser,OU=Users,DC=mycompany,DC=org" />
  <property name="password" value="mypassword" />
</bean>

<bean id="ldapTemplate"
   class="org.springframework.ldap.core.LdapTemplate">
  <constructor-arg ref="contextSource" />
</bean>

<util:map id="claimsToLdapAttributeMapping">
  <entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
value="givenName" />
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
value="sn" />
  <entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
value="mail" />
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
value="c" />
</util:map>

<bean id="ldapClaimsHandler"
    class="org.apache.cxf.sts.claims.LdapClaimsHandler">
  <property name="ldapTemplate" ref="ldapTemplate" />
  <property name="claimsLdapAttributeMapping"
            ref="claimsToLdapAttributeMapping" />
  <property name="userBaseDN"
      value="OU=Users,DC=mycompany,DC=org" />
</bean>

You must deploy the library for the spring ldap module and its dependencies. The POM of the spring ldap module is available here.

You can add the dependency to spring ldap module to the Fediz STS POM, add the above configuration and rebuild the STS component or do the configuration in the deployed STS directly and add the following JAR files:

  • lang-2.1.0.jar
  • ldapbp-1.0.jar
  • spring-ldap-1.2.jar

Configure CA certificates

tbd

  • No labels