cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > Fediz IDP
Date Tue, 05 Jun 2012 20:16:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+IDP">Fediz
IDP</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~mazzag">Glen
Mazza</a>
    </h4>
        <div id="versionComment">
        <b>Comment:</b>
        Editorial cleanup.<br />
    </div>
        <br/>
                         <h4>Changes (14)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h1. Fediz IDP <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service
(STS) component which is responsible to validate credentials, getting the requested claims
data and issues a SAML token. There is no easy way for Web browsers to issue SOAP requests
to the STS directly. The second component is the IDP WAR which adapts the browser to the STS.
The communication between the browser and the IDP must be performed within the confines of
the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols
semantic. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service
(STS) component which is responsible for validating credentials, getting the requested claims
data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests
to the STS directly, necessitating the second component, an IDP WAR which allows browser-based
applications to interact with the STS. The communication between the browser and the IDP must
be performed within the confines of the base HTTP 1.1 functionality and conform as closely
as possible to the WS-Trust protocols semantic. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
Fediz STS is based on the CXF STS configured to support the use cases required by the examples.
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
Fediz STS is based on a customized CXF STS configured to support standard Federation use cases
demonstrated by the examples. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h3. Installation <br>
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
Fediz IDP has been tested with Tomcat 6 and 7 but there are no reasons why it shouldn&#39;t
work in any commercial application server. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial
JEE application server. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" >It&#39;s recommended to set
up a dedicated <span class="diff-added-words"style="background-color: #dfd;">(separate)</span>
Tomcat instance for the IDP. The Fediz examples use the following TCP ports to interact with
the IDP/STS: <br></td></tr>
            <tr><td class="diff-changed-lines" >* HTTP port: 9080 (used for <span
class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">m</span><span
class="diff-added-chars"style="background-color: #dfd;">M</span>aven</span>
deployment, mvn tomcat:redeploy) <br></td></tr>
            <tr><td class="diff-unchanged" >* HTTPS port: 9443 (where IDP and
STS are accessed) <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >The keystoreFile is relative to
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">catalina
home.</span> <span class="diff-added-words"style="background-color: #dfd;">$CATALINA_HOME.</span>
See [here|http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html] for <span class="diff-added-words"style="background-color:
#dfd;">the</span> Tomcat 7 configuration reference. This page also describes how
to create certificates. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>*Production: It&#39;s
highly recommended to deploy certificates signed by a Certificate Authority* <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h5. User and password <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >The users and passwords are configured
in a <span class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">s</span><span
class="diff-added-chars"style="background-color: #dfd;">S</span>pring</span>
configuration file in {{webapps/fediz-idp-sts/WEB-INF/passwords.xml}}. The following users
are already configured and can easily be extended. <br></td></tr>
            <tr><td class="diff-unchanged" >{code:xml} <br>    &lt;util:map
id=&quot;passwords&quot;&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >The claim id&#39;s are configured
according to <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">chapter</span>
<span class="diff-added-words"style="background-color: #dfd;">Section</span> 7.5
in the specification [Identity Metasystem Interoperability|http://docs.oasis-open.org/imi/identity/v1.0/identity.html].
The mapping of claims to a SAML attribute statement are described in <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">chapter</span>
<span class="diff-added-words"style="background-color: #dfd;">Section</span> 7.2.
<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h5. Application claims
<br> <br></td></tr>
            <tr><td class="diff-unchanged" >The required claims per relying party
are configured in the {{webapps/fediz-idp/WEB-INF/RPClaims.xml}}. The XML file has the following
structure: <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >The key of each map entry must
match with the {{wtrealm}} paramater in the redirect triggered by the relying party. The required
claims for the different type of applications are grouped in beans which are a list of <span
class="diff-changed-words">String<span class="diff-added-chars"style="background-color:
#dfd;">s</span></span> as illustrated in {{claimsWsfedhelloworld}}. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>The bean {{realm2ClaimsMap}}
must be named realm2ClaimsMap and maps the different Relying Parties (applications) to one
of the claim lists. This map is required to manage which claims are required for the applications.
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >The JIRA issue [FEDIZ-1|https://issues.apache.org/jira/browse/FEDIZ-1]
will provide another option to manage the required claims on the Relying Party side. <br>
<br></td></tr>
            <tr><td class="diff-unchanged" >h3. Configure LDAP directory <br>
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Next, the STS endpoint has to
be configured to use the JAAS LoginModule which is <span class="diff-changed-words">ac<span
class="diff-added-chars"style="background-color: #dfd;">c</span>omplished</span>
by the {{JAASUsernameTokenValidator}}. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:xml} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >The property {{contextName}} must
match <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">with</span>
the context name defined in the JAAS configuration file which is {{myldap}} in this example.
<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h5. Claims management <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><img class="emoticon" src="/confluence/images/icons/emoticons/warning.gif"
height="16" width="16" align="absmiddle" alt="" border="0"/> Under construction</p>

<h1><a name="FedizIDP-FedizIDP"></a>Fediz IDP</h1>

<p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security
Token Service (STS) component which is responsible for validating credentials, getting the
requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue
SOAP requests to the STS directly, necessitating the second component, an IDP WAR which allows
browser-based applications to interact with the STS. The communication between the browser
and the IDP must be performed within the confines of the base HTTP 1.1 functionality and conform
as closely as possible to the WS-Trust protocols semantic.</p>

<p>The Fediz STS is based on a customized CXF STS configured to support standard Federation
use cases demonstrated by the examples.</p>

<h3><a name="FedizIDP-Installation"></a>Installation</h3>

<p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with
any commercial JEE application server.</p>

<p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. The
Fediz examples use the following TCP ports to interact with the IDP/STS:</p>
<ul>
	<li>HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)</li>
	<li>HTTPS port: 9443 (where IDP and STS are accessed)</li>
</ul>


<p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p>

<p>This is a sample snippet for an HTTPS configuration:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
    &lt;Connector port=<span class="code-quote">"9443"</span> protocol=<span
class="code-quote">"HTTP/1.1"</span> SSLEnabled=<span class="code-quote">"true"</span>
               maxThreads=<span class="code-quote">"150"</span> scheme=<span
class="code-quote">"https"</span> secure=<span class="code-quote">"true"</span>
               keystoreFile=<span class="code-quote">"tomcatKeystore.jks"</span>
               keystorePass=<span class="code-quote">"tompass"</span> sslProtocol=<span
class="code-quote">"TLS"</span> /&gt;
</pre>
</div></div>

<p>The keystoreFile is relative to $CATALINA_HOME. See <a href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html"
class="external-link" rel="nofollow">here</a> for the Tomcat 7 configuration reference.
This page also describes how to create certificates.</p>

<p><b>Production: It's highly recommended to deploy certificates signed by a Certificate
Authority</b></p>

<p>Deploy the WAR files to your Tomcat installation (&lt;catalina.home&gt;/webapps)
and ensure that Tomcat is started thus the WAR files get deployed.</p>

<h3><a name="FedizIDP-Configuration"></a>Configuration</h3>

<p>You can manage the users, their claims and the claims per application in the IDP.</p>

<h5><a name="FedizIDP-Userandpassword"></a>User and password</h5>

<p>The users and passwords are configured in a Spring configuration file in <tt>webapps/fediz-idp-sts/WEB-INF/passwords.xml</tt>.
The following users are already configured and can easily be extended.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
    <span class="code-tag">&lt;util:map id=<span class="code-quote">"passwords"</span>&gt;</span>
        &lt;entry key=<span class="code-quote">"alice"</span>
            value=<span class="code-quote">"ecila"</span> /&gt;
        &lt;entry key=<span class="code-quote">"bob"</span>
            value=<span class="code-quote">"bob"</span> /&gt;
        &lt;entry key=<span class="code-quote">"ted"</span>
            value=<span class="code-quote">"det"</span> /&gt;
    <span class="code-tag">&lt;/util:map&gt;</span>
</pre>
</div></div>

<h5><a name="FedizIDP-UserClaims"></a>User Claims</h5>

<p>The claims of each user are configured in a spring configuration file <tt>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</tt>.
The following claims are already configured:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
    <span class="code-tag">&lt;util:map id=<span class="code-quote">"userClaims"</span>&gt;</span>
        &lt;entry key=<span class="code-quote">"alice"</span>
            value-ref=<span class="code-quote">"aliceClaims"</span> /&gt;
        &lt;entry key=<span class="code-quote">"bob"</span>
            value-ref=<span class="code-quote">"bobClaims"</span> /&gt;
        &lt;entry key=<span class="code-quote">"ted"</span>
            value-ref=<span class="code-quote">"tedClaims"</span> /&gt;
    <span class="code-tag">&lt;/util:map&gt;</span>
   
    <span class="code-tag">&lt;util:map id=<span class="code-quote">"aliceClaims"</span>&gt;</span>
        &lt;entry key=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"</span>
            value=<span class="code-quote">"Alice"</span> /&gt;
        &lt;entry key=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"</span>
            value=<span class="code-quote">"Smith"</span> /&gt;
        &lt;entry key=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"</span>
            value=<span class="code-quote">"alice@mycompany.org"</span> /&gt;
        &lt;entry key=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span>
            value=<span class="code-quote">"user"</span> /&gt;
           
    <span class="code-tag">&lt;/util:map&gt;</span>
</pre>
</div></div>

<p>The claim id's are configured according to Section 7.5 in the specification <a
href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html" class="external-link" rel="nofollow">Identity
Metasystem Interoperability</a>. The mapping of claims to a SAML attribute statement
are described in Section 7.2.</p>

<h5><a name="FedizIDP-Applicationclaims"></a>Application claims</h5>

<p>The required claims per relying party are configured in the <tt>webapps/fediz-idp/WEB-INF/RPClaims.xml</tt>.
The XML file has the following structure:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
    <span class="code-tag">&lt;util:map id=<span class="code-quote">"realm2ClaimsMap"</span>&gt;</span>
        &lt;entry key=<span class="code-quote">"https://localhost:8443/fedizhelloworld/"</span>
            value-ref=<span class="code-quote">"claimsWsfedhelloworld"</span>
/&gt;
    <span class="code-tag">&lt;/util:map&gt;</span>

    <span class="code-tag">&lt;util:list id=<span class="code-quote">"claimsWsfedhelloworld"</span>&gt;</span>
        <span class="code-tag">&lt;value&gt;</span>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname<span
class="code-tag">&lt;/value&gt;</span>
        <span class="code-tag">&lt;value&gt;</span>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname<span
class="code-tag">&lt;/value&gt;</span>
        <span class="code-tag">&lt;value&gt;</span>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress<span
class="code-tag">&lt;/value&gt;</span>
        <span class="code-tag">&lt;value&gt;</span>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role<span
class="code-tag">&lt;/value&gt;</span>
    <span class="code-tag">&lt;/util:list&gt;</span>   
</pre>
</div></div>

<p>The key of each map entry must match with the <tt>wtrealm</tt> paramater
in the redirect triggered by the relying party. The required claims for the different type
of applications are grouped in beans which are a list of Strings as illustrated in <tt>claimsWsfedhelloworld</tt>.</p>

<p>The bean <tt>realm2ClaimsMap</tt> must be named realm2ClaimsMap and maps
the different Relying Parties (applications) to one of the claim lists. This map is required
to manage which claims are required for the applications.</p>

<p>The JIRA issue <a href="https://issues.apache.org/jira/browse/FEDIZ-1" class="external-link"
rel="nofollow">FEDIZ-1</a> will provide another option to manage the required claims
on the Relying Party side.</p>

<h3><a name="FedizIDP-ConfigureLDAPdirectory"></a>Configure LDAP directory</h3>

<p>The Fediz IDP can be configured to attach an LDAP directory to authenticate users
and to retrieve claims information of users.</p>

<h5><a name="FedizIDP-Usernameandpasswordauthentication"></a>Username and
password authentication</h5>

<p>WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS
LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration
(jaas.config):</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
myldap {
 com.sun.security.auth.module.LdapLoginModule REQUIRED
 userProvider=ldap:<span class="code-comment">//ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
</span> authIdentity=<span class="code-quote">"cn={USERNAME},OU=Users,DC=mycompany,DC=org"</span>
 useSSL=<span class="code-keyword">false</span>
 debug=<span class="code-keyword">true</span>;
};
</pre>
</div></div>

<p>You can get more information about this LoginModule <a href="http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html"
class="external-link" rel="nofollow">here</a>.</p>

<p>In this example, all the users are stored in the organization unit Users within mycompany.org.
The configuration filename can be chosen, e.g. <tt>jaas.config</tt>. The filename
must be configured as a JVM argument. JVM related configurations for Tomcat can be done in
the file <tt>setenv.sh/bat</tt> located in directory <tt>tomcat/bin</tt>.
This script is called implicitly by <tt>catalina.bat/sh</tt> and might look like
this for UNIX:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
#!/bin/sh
JAVA_OPTS=<span class="code-quote">"-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"</span>
export JAVA_OPTS
</pre>
</div></div>

<p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is
accomplished by the <tt>JAASUsernameTokenValidator</tt>.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;bean
  class=<span class="code-quote">"org.apache.ws.security.validate.JAASUsernameTokenValidator"</span>
      id=<span class="code-quote">"jaasUTValidator"</span>&gt;
   <span class="code-tag">&lt;property name=<span class="code-quote">"contextName"</span>
value=<span class="code-quote">"myldap"</span>/&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>

&lt;jaxws:endpoint id=<span class="code-quote">"transportSTSUT"</span>
  endpointName=<span class="code-quote">"ns1:TransportUT_Port"</span>
  serviceName=<span class="code-quote">"ns1:SecurityTokenService"</span>
  <span class="code-keyword">xmlns:ns1</span>=http://docs.oasis-open.org/ws-sx/ws-trust/200512/
  wsdlLocation=<span class="code-quote">"/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"</span>
  address=<span class="code-quote">"/STSServiceTransportUT"</span>
  implementor=<span class="code-quote">"#transportSTSProviderBean"</span>&gt;

  <span class="code-tag">&lt;jaxws:properties&gt;</span>
    &lt;entry key=<span class="code-quote">"ws-security.ut.validator"</span>
         value-ref=<span class="code-quote">"jaasUTValidator"</span>/&gt;
  <span class="code-tag">&lt;/jaxws:properties&gt;</span>
<span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
</pre>
</div></div>

<p>The property <tt>contextName</tt> must match the context name defined
in the JAAS configuration file which is <tt>myldap</tt> in this example.</p>

<h5><a name="FedizIDP-Claimsmanagement"></a>Claims management</h5>

<p>When a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every
registered ClaimsHandler who can provide the data of the requested claim.  The CXF STS provides
<tt>org.apache.cxf.sts.claims.LdapClaimsHandler</tt> which is a claims handler
implementation to get claims from user attributes in a LDAP directory.</p>

<p>You configure which claim URI maps to which LDAP user attribute. The implementation
uses the Spring Ldap Module (LdapTemplate).</p>

<p>The following example illustrate the changes to be made in <tt>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</tt>:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;util:list id=<span class="code-quote">"claimHandlerList"</span>&gt;</span>
  <span class="code-tag">&lt;ref bean=<span class="code-quote">"ldapClaimsHandler"</span>
/&gt;</span>
<span class="code-tag">&lt;/util:list&gt;</span>

&lt;bean id=<span class="code-quote">"contextSource"</span>
   class=<span class="code-quote">"org.springframework.ldap.core.support.LdapContextSource"</span>&gt;
  <span class="code-tag">&lt;property name=<span class="code-quote">"url"</span>
value=<span class="code-quote">"ldap://ldap.mycompany.org:389"</span> /&gt;</span>
  &lt;property name=<span class="code-quote">"userDn"</span>
    value=<span class="code-quote">"CN=techUser,OU=Users,DC=mycompany,DC=org"</span>
/&gt;
  <span class="code-tag">&lt;property name=<span class="code-quote">"password"</span>
value=<span class="code-quote">"mypassword"</span> /&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>

&lt;bean id=<span class="code-quote">"ldapTemplate"</span>
   class=<span class="code-quote">"org.springframework.ldap.core.LdapTemplate"</span>&gt;
  <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"contextSource"</span>
/&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>

<span class="code-tag">&lt;util:map id=<span class="code-quote">"claimsToLdapAttributeMapping"</span>&gt;</span>
  &lt;entry
key=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"</span>
value=<span class="code-quote">"givenName"</span> /&gt;
  &lt;entry key=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"</span>
value=<span class="code-quote">"sn"</span> /&gt;
  &lt;entry
key=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"</span>
value=<span class="code-quote">"mail"</span> /&gt;
  &lt;entry key=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"</span>
value=<span class="code-quote">"c"</span> /&gt;
<span class="code-tag">&lt;/util:map&gt;</span>

&lt;bean id=<span class="code-quote">"ldapClaimsHandler"</span>
    class=<span class="code-quote">"org.apache.cxf.sts.claims.LdapClaimsHandler"</span>&gt;
  <span class="code-tag">&lt;property name=<span class="code-quote">"ldapTemplate"</span>
ref=<span class="code-quote">"ldapTemplate"</span> /&gt;</span>
  &lt;property name=<span class="code-quote">"claimsLdapAttributeMapping"</span>
            ref=<span class="code-quote">"claimsToLdapAttributeMapping"</span>
/&gt;
  &lt;property name=<span class="code-quote">"userBaseDN"</span>
      value=<span class="code-quote">"OU=Users,DC=mycompany,DC=org"</span> /&gt;
<span class="code-tag">&lt;/bean&gt;</span>
</pre>
</div></div>

<h3><a name="FedizIDP-ConfigureCAcertificates"></a>Configure CA certificates</h3>

<p>tbd</p>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+IDP">View Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=27846949&revisedVersion=3&originalVersion=2">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+IDP?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message