THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Tomcat Plugin
This page describes how to enable Federation in Tomcat. This Tomcat instance acts as the Relying Party which means it validates the incoming SignInResponse which has been created by the Identity Provider (IDP) server.
Installation
You can either build the Fediz plugin on your own or download the package here. If you have built the plugin on your own you'll find the required libraries in plugins/tomcat/target/...zip-with-dependencies.zip
- Create sub-directory
fedizin${catalina.home}/lib - Update calatina.properties in ${catalina.home}/conf
add the previously created directory to the common loader:
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar - Deploy the libraries to the directory created in (1)
Configuration
HTTPS configuration
It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz examples requires configuring the following TCP ports:
- HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)
- HTTPS port: 8443 (where IDP and STS are accessed)
The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.
The Tomcat HTTP(s) configuration is done in conf/server.xml.
This is a sample snippet for an HTTPS configuration:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="tomcatKeystore.jks"
keystorePass="tompass" sslProtocol="TLS" />
The keystoreFile is relative to $CATALINA_HOME. See here for the Tomcat 7 configuration reference. This page also describes how to create certificates.
Production: It's highly recommended to deploy certificates signed by a Certificate Authority
Fediz Plugin configuration for Your Web Application
The Fediz related configuration is done in a Servlet Container independent configuration file which is described here.
The Fediz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available here.
A Valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml
You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file. (The sample RP applications bundled with Fediz already have this configured via the latter option.)
META-INF/context.xml
<Context>
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/Fediz_config.xml" />
</Context>
Host level in server.xml
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/Fediz_config.xml" />
</Host>
Context level in server.xml
<Context path="/fedizhelloworld" docBase="fedizhelloworld">
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/Fediz_config.xml" />
</Context>
The Fediz configuration file is a Servlet container independent configuration file and described here
Web Application deployment
Deploy your Web Application to your Tomcat installation (<catalina.home>/webapps).
Federation Metadata document
The Tomcat Fediz plugin supports publishing the WS-Federation Metadata document which is described here.