Subject: svn commit: r820540 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-extensions.html fediz-idp.html fediz-tomcat.html
Date: Wed, 06 Jun 2012 19:48:37 -0000
To: commits@cxf.apache.org
Reply-To: dev@cxf.apache.org
From: buildbot@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120606194838.3AA332388978@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: buildbot Date: Wed Jun 6 19:48:37 2012 New Revision: 820540 Log: Production update by buildbot for cxf Added: websites/production/cxf/content/fediz-extensions.html Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-configuration.html websites/production/cxf/content/fediz-idp.html websites/production/cxf/content/fediz-tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache ============================================================================== Binary files - no diff available. Modified: websites/production/cxf/content/fediz-configuration.html ============================================================================== --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Wed Jun 6 19:48:37 2012 @@ -136,9 +136,7 @@ Apache CXF -- Fediz Configuration
-

Under construction

- -

Fediz Plugin configuration

+

Fediz Plugin configuration

This page describes the Fediz configuration file referenced by the security interceptor (eg. authenticator in Tomcat/Jetty).

Example

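Review bot: style point in the added intro sentence "the security interceptor (eg. authenticator in Tomcat/Jetty)": "eg." should read "e.g.". Also, with the "Under construction" banner removed, the "Example" heading now follows a single sentence of introduction; a short line saying what the example configures (which plugin reads it and the file name it is loaded from) would let the reader place the sample before the reference table that follows.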
@@ -188,13 +186,16 @@ Default 5 seconds.
XML element Name Use Description
issuer Issuer URL Required This URL defines the location of the IDP to whom unauthenticated requests are redirected
realm Realm Optional Security realm of the Relying Party / Application. This value is part of the SignIn request as the wtrealm parameter.
Default: URL including the Servlet Context
authenticationType Authentication Type Optional The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth)
-The WS-Federation standard defines a list of predefined URIs for wauth here.
roleURI Role Claim URI Optional Defines the attribute name of the SAML token which contains the roles
roleDelimiter Role Value Delimiter Optional There are different ways to encode multi value attributes in SAML. +The WS-Federation standard defines a list of predefined URIs for wauth here.
roleURI Role Claim URI Optional Defines the attribute name of the SAML token which contains the roles.
+Required for Role Based Access Control.
roleDelimiter Role Value Delimiter Optional There are different ways to encode multi value attributes in SAML.
  • Single attribute with multiple values
  • Several attributes with the same name but only one value
  • Single attribute with single value. Roles are delimited by roleDelimiter
-
claimTypesRequested Requested claims Optional The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail
homeRealm Home Realm Optional Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter
+ claimTypesRequested Requested claims Optional The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail homeRealm Home Realm Optional Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter tokenValidators TokenValidators Optional Custom Token validator classes can be configured here. The SAML Token validator is enabled by default.
+See example here
+
Attributes resolved at runtime

The following attributes can be either configured statically at deployment time or dynamically when the initial request is received:

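Review bot: the roleURI row is now self-contradictory: its Use column still says "Optional" while the added line reads "+Required for Role Based Access Control." Either make the Use column state the condition (optional unless roles are used for access control) or phrase the description as "must be set when role-based access control is used". Two smaller points in the same hunk: the new "+ claimTypesRequested Requested claims Optional ... tokenValidators TokenValidators Optional ..." line folds three table rows (claimTypesRequested, homeRealm, tokenValidators) into one cell, whereas the removed lines kept them as separate rows; and the tokenValidators description ("The SAML Token validator is enabled by default") should say whether configured validators are added alongside the default SAML validator or replace it, since that determines whether a custom validator can leave incoming tokens unvalidated.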
@@ -233,6 +234,9 @@ The WS-Federation standard defines a lis </claimTypesRequested> <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard" /> <homeRealm type="Class" value="example.HomeRealmCallbackHandler" /> + <tokenValidators> + <validator>org.apache.cxf.fediz.core.CustomValidator</validator> + </tokenValidators> </protocol> </contextConfig> </FedizConfig> Added: websites/production/cxf/content/fediz-extensions.html ============================================================================== --- websites/production/cxf/content/fediz-extensions.html (added) +++ websites/production/cxf/content/fediz-extensions.html Wed Jun 6 19:48:37 2012 @@ -0,0 +1,192 @@ + + + + + + + + + + + + +Apache CXF -- Fediz Extensions + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
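Review bot: the added sample "+ <validator>org.apache.cxf.fediz.core.CustomValidator</validator>" uses the Fediz core package name for what is only a placeholder class, so readers may assume a shipped class of that name exists. The homeRealm line in the same snippet already uses an obviously illustrative "example.HomeRealmCallbackHandler"; the validator placeholder should follow that convention (for example "example.CustomValidator") or be accompanied by a sentence naming the interface a custom validator has to implement.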
   
   +
+ +
+
+ + + + + +
+
+ +Index > Fediz > Fediz Extensions + +
+
+ +
+
+
  
  + + + + + +
+ + + +
+

Fediz Extensions

+

This page describes the extension points in Fediz to enrich its functionality further.

+ +

Callback Handler

+ +

Custom Token Validator

+
+
+ +
+
 
   + +   
   
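Review bot: the new fediz-extensions.html page consists of the headings "Callback Handler" and "Custom Token Validator" with no body text under either, yet the configuration page updated in this same revision sends readers here for a token validator example ("+See example here"). Either add at least the extension interface each section refers to and where the class is registered (the tokenValidators element for validators), or keep the page marked as work in progress until that text exists, so the cross-reference does not land on an empty section.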
+ + + + + + + Modified: websites/production/cxf/content/fediz-idp.html ============================================================================== --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Wed Jun 6 19:48:37 2012 @@ -146,6 +146,19 @@ Apache CXF -- Fediz IDP

The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server.

+

Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps).

+ +

A Relying Party application trusts the IDP/STS component that the IDP authenticated the browser user. The trust is established based on the certificate/private key used by the STS to sign the SAML token. The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this keystore to a location where the Relying Party can reference it in its Fediz Configuration in the element certificateStores.

+ +

This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party

+ + +

Configuration

+ +

You can manage the users, their claims and the claims per application in the IDP.

+ +
HTTPS configuration
+

It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. The Fediz examples use the following TCP ports to interact with the IDP/STS:

  • HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)
  • HTTPS port: 9443 (where IDP and STS are accessed)
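Review bot: the relocated keystore instruction still tells the reader to hand the whole STS keystore to the Relying Party: "The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this keystore to a location where the Relying Party can reference it", and only afterwards warns "This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party". The step should describe exporting the STS signing certificate into a separate truststore that the Relying Party references in certificateStores, with the copy-the-keystore shortcut, if kept at all, explicitly limited to the sample setup. The warning sentence also lacks its final period.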
@@ -167,16 +180,6 @@ Apache CXF -- Fediz IDP

Production: It's highly recommended to deploy certificates signed by a Certificate Authority

-

Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps) and ensure that Tomcat is started thus the WAR files get deployed.

- -

A Relying Party application trusts the IDP/STS component that the IDP authenticated the browser user. The trust is established based on the certificate/private key used by the STS to sign the SAML token. The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this keystore to a location where the Relying Party can reference it in its Fediz Configuration in the element certificateStores.

- -

This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party

- - -

Configuration

- -

You can manage the users, their claims and the claims per application in the IDP.

User and password
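Review bot: this removal is the second half of moving the deployment and keystore paragraphs above the HTTPS section, but the moved sentence lost a clause: the removed line reads "Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps) and ensure that Tomcat is started thus the WAR files get deployed." while the re-added one ends at "(<catalina.home>/webapps)." Restore the clause (better worded as "and start Tomcat so that the WAR files are deployed") unless dropping it was intended.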
Modified: websites/production/cxf/content/fediz-tomcat.html ============================================================================== --- websites/production/cxf/content/fediz-tomcat.html (original) +++ websites/production/cxf/content/fediz-tomcat.html Wed Jun 6 19:48:37 2012 @@ -136,15 +136,12 @@ Apache CXF -- Fediz Tomcat
-

Under construction

- -

Tomcat Plugin

+

Tomcat Plugin

This page describes how to enable Federation in Tomcat. This Tomcat instance acts as the Relying Party which means it validates the incoming SignInResponse which has been created by the Identity Provider (IDP) server.

Installation

-

You can either build the plugin on your own or download the package here (tbd). If you have built the plugin on your own you'll find the required libraries in plugins/tomcat/target/...zip-with-dependencies.zip

- +

You can either build the Fediz plugin on your own or download the package here. If you have built the plugin on your own you'll find the required libraries in plugins/tomcat/target/...zip-with-dependencies.zip

  1. Create sub-directory fediz in ${catalina.home}/lib
  2. Update calatina.properties in ${catalina.home}/conf
    add the previously created directory to the common loader:
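Review bot: the context line "2. Update calatina.properties in ${catalina.home}/conf" carries a typo, "calatina.properties" for catalina.properties, which matters because a reader following the steps will look for a file that does not exist; fix it in this pass since the hunk already touches the installation section. The download sentence drops the "(tbd)" marker ("download the package here"), so the link target should be verified to exist before publishing, and the library path "plugins/tomcat/target/...zip-with-dependencies.zip" still has the archive name elided.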
    @@ -154,16 +151,45 @@ add the previously created directory to

    Configuration

    +
    HTTPS configuration
    + +

    It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz examples requires configuring the following TCP ports:

    +
    • HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)
    • HTTPS port: 8443 (where IDP and STS are accessed)
    + + +

    The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.

    + +

    The Tomcat HTTP(s) configuration is done in conf/server.xml.

    + +

    This is a sample snippet for an HTTPS configuration:

    + +
    +
    +    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    +               maxThreads="150" scheme="https" secure="true"
    +               keystoreFile="tomcatKeystore.jks"
    +               keystorePass="tompass" sslProtocol="TLS" />
    +
    +
    + +

    The keystoreFile is relative to $CATALINA_HOME. See here for the Tomcat 7 configuration reference. This page also describes how to create certificates.

    + +

    Production: It's highly recommended to deploy certificates signed by a Certificate Authority

    + + + +
    Fediz configuration
    +

    The Fediz related configuration is done in a Servlet Container independent configuration file which is described here.

    The Fediz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available here.

    -

    A valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml

    +

    A Valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml

    You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file.

    -
    META-INF/context.xml
    +
    META-INF/context.xml
     
       <Context> 
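Review bot: the added port list is copied from the IDP page and is wrong for this page: "+ HTTPS port: 8443 (where IDP and STS are accessed)" sits directly under "set up a dedicated (separate) Tomcat instance for the Relying Party", so 8443 is where the Relying Party application is accessed, not the IDP/STS (those are on 9443 according to the IDP page in this same commit). The sample Connector also hard-codes "keystorePass="tompass""; since the text defers to the Tomcat page that "describes how to create certificates", use a placeholder password here and state that the value must match the one chosen when tomcatKeystore.jks was created, otherwise the sample credential tends to be pasted into server.xml unchanged. Finally, the list is introduced with "The Fediz examples requires configuring", which should read "require".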
    @@ -173,7 +199,7 @@ add the previously created directory to 
     
    -
    Host level in server.xml
    +
    Host level in server.xml
     
       <Host name="localhost"  appBase="webapps"
    @@ -184,7 +210,7 @@ add the previously created directory to 
     
    -
    Context level in server.xml
    +
    Context level in server.xml
     
       <Context path="/fedizhelloworld" docBase="fedizhelloworld">
    @@ -194,7 +220,12 @@ add the previously created directory to 
     
    -

    The Fediz configuration file is container independent and described here.

    +

    The Fediz configuration file is a Servlet container independent configuration file and described here

    + +

    Web Application deployment

    + +

    Deploy your Web Application to your Tomcat installation (<catalina.home>/webapps).

    +
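Review bot: the reworded closing sentence duplicates what this file already states: "+ The Fediz configuration file is a Servlet container independent configuration file and described here" repeats the context line "The Fediz related configuration is done in a Servlet Container independent configuration file which is described here." from earlier in this file's patch, and the new version also lacks its final period. Drop one of the two sentences, or turn the closing one into a pointer to the exact Valve attribute that references the file. The new "Web Application deployment" heading is followed only by "Deploy your Web Application to your Tomcat installation (<catalina.home>/webapps)."; it should say what Fediz-specific content the WAR must carry (the META-INF/context.xml Valve entry shown above, when the Context level option is used).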