cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF > Fediz Metadata
Date Tue, 25 Sep 2012 10:04:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Metadata">Fediz
Metadata</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (4)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:xml} <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">&lt;EntityDescriptor
ID=&quot;_36BF9BFBF49BA48A2D13395075556522&quot; entityID=&quot;https://localhost:8443/fedizhelloworld/&quot;
xmlns:auth=&quot;http://docs.oasis-open.org/wsfed/federation/200706&quot; xmlns:fed=&quot;http://docs.oasis-open.org/wsfed/federation/200706&quot;
xmlns:wsa=&quot;http://www.w3.org/2005/08/addressing&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt;
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">&lt;EntityDescriptor
ID=&quot;_36BF9BFBF49BA48A2D13395075556522&quot; entityID=&quot;https://localhost:8443/fedizhelloworld/&quot;
 <br>   xmlns:auth=&quot;http://docs.oasis-open.org/wsfed/federation/200706&quot;
 <br>   xmlns:fed=&quot;http://docs.oasis-open.org/wsfed/federation/200706&quot;
 <br>   xmlns:wsa=&quot;http://www.w3.org/2005/08/addressing&quot;  <br>
  xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt; <br></td></tr>
            <tr><td class="diff-unchanged" >   &lt;Signature xmlns=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;
<br>      &lt;SignedInfo&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >      &lt;/KeyInfo&gt; <br>
  &lt;/Signature&gt; <br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;fed:RoleDescriptor protocolSupportEnumeration=&quot;http://docs.oasis-open.org/wsfed/federation/200706&quot;
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">xsi:type=&quot;fed:ApplicationServiceType&quot;&gt;</span>
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
     xsi:type=&quot;fed:ApplicationServiceType&quot;&gt; <br></td></tr>
            <tr><td class="diff-unchanged" >      &lt;fed:ApplicationServiceEndpoint&gt;
<br>         &lt;wsa:EndpointReference&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizMetadata-FedizMetadata"></a>Fediz Metadata</h1>
<p>Both the Relying Party (RP) and the IDP/STS (Security Token Service) can publish their
federation information in the standardized federation metadata document defined <a href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174943"
class="external-link" rel="nofollow">here</a>.</p>

<h3><a name="FedizMetadata-Introduction"></a>Introduction</h3>
<p>The specification defines concrete service roles. The <b>ApplicationServiceType</b>
describes the capabilities of the Relying Party, whereas the <b>SecurityTokenServiceType</b>
describes the capabilities of the IDP/STS.</p>

<p>The following XML snippets are copied from the spec to illustrate the structure:</p>

<ul>
	<li><b>Relying Party</b></li>
</ul>


<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;EntityDescriptor xmlns=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:metadata"</span>
   <span class="code-keyword">xmlns:saml</span>=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:assertion"</span>
   <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>
   entityID=<span class="code-quote">"..."</span>&gt;
   <span class="code-tag">&lt;ds:Signature&gt;</span>...<span class="code-tag">&lt;/ds:Signature&gt;</span>
   &lt;RoleDescriptor xsi:type=<span class="code-quote">"fed:ApplicationServiceType"</span>
          protocolSupportEnumeration=<span class="code-quote">"http://docs.oasis-open.org/wsfed/federation/200706"</span>
          <span class="code-quote">"http://docs.oasis-open.org/ws-sx/ws-trust/200512"</span>&gt;
          ...
   <span class="code-tag">&lt;/RoleDescriptor&gt;</span>
   ...
<span class="code-tag">&lt;/EntityDescriptor&gt;</span>
</pre>
</div></div>


<ul>
	<li><b>IDP / STS</b></li>
</ul>


<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;EntityDescriptor xmlns=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:metadata"</span>
   <span class="code-keyword">xmlns:saml</span>=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:assertion"</span>
   <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>
   entityID=<span class="code-quote">"..."</span>&gt;
   <span class="code-tag">&lt;ds:Signature&gt;</span>...<span class="code-tag">&lt;/ds:Signature&gt;</span>
   &lt;RoleDescriptor xsi:type=<span class="code-quote">"fed:SecurityTokenServiceType"</span>
          protocolSupportEnumeration=<span class="code-quote">"http://docs.oasis-open.org/wsfed/federation/200706"</span>
          <span class="code-quote">"http://docs.oasis-open.org/ws-sx/ws-trust/200512"</span>&gt;
          ...
   <span class="code-tag">&lt;/RoleDescriptor&gt;</span>
   ...
<span class="code-tag">&lt;/EntityDescriptor&gt;</span>
</pre>
</div></div>

<h3><a name="FedizMetadata-Usage"></a>Usage</h3>

<p>The federation metadata document is an easier way to configure the RP in the IDP/STS
or to configure the IDP/STS in the RP. The following two sections describe each
case.</p>

<h5><a name="FedizMetadata-MetadatadocumentofIDP%2FSTS"></a>Metadata document
of IDP/STS</h5>

<p>The federation metadata document of the IDP/STS can be used to resolve IDP/STS configuration
information at runtime or at deployment time.</p>

<p><em>Example:</em> The Microsoft tool FedUtil establishes trust from an RP application
to an already existing IDP/STS. You configure the URL of the published metadata document and
it generates the federation-related configuration in the application configuration file
<tt>web.config</tt>, so you do not have to configure it manually.</p>

<p>Fediz does not currently provide such a tool to generate the IDP/STS-related configuration
in the <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz Configuration">Fediz
configuration</a> file.</p>

<h5><a name="FedizMetadata-MetadatadocumentofRP"></a>Metadata document of
RP</h5>

<p>The federation metadata document of the RP can be used within the IDP/STS to resolve
configuration information at runtime. This is useful because it lets the application tell the
IDP/STS which claims it requires. If the application requires additional claims, they can be
configured on the application side.</p>

<p>Fediz supports publishing the Metadata document on the RP side. This document is
built at runtime based on the <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz
Configuration">Fediz configuration</a>.</p>

<p>The syntax of the URL is:</p>

<p><b><tt>https://&lt;host&gt;:&lt;port&gt;/&lt;context&gt;/FederationMetadata/2007-06/FederationMetadata.xml</tt></b></p>

<p>The Fediz example applications use the context <tt>fedizhelloworld</tt>.</p>

<p>This is an example metadata document:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;EntityDescriptor ID=<span class="code-quote">"_36BF9BFBF49BA48A2D13395075556522"</span>
entityID=<span class="code-quote">"https://localhost:8443/fedizhelloworld/"</span>

   <span class="code-keyword">xmlns:auth</span>=<span class="code-quote">"http://docs.oasis-open.org/wsfed/federation/200706"</span>

   <span class="code-keyword">xmlns:fed</span>=<span class="code-quote">"http://docs.oasis-open.org/wsfed/federation/200706"</span>

   <span class="code-keyword">xmlns:wsa</span>=<span class="code-quote">"http://www.w3.org/2005/08/addressing"</span>

   <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>&gt;
   <span class="code-tag">&lt;Signature xmlns=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
      <span class="code-tag">&lt;SignedInfo&gt;</span>
         <span class="code-tag">&lt;CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
         <span class="code-tag">&lt;SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
         <span class="code-tag">&lt;Reference URI=<span class="code-quote">"#_36BF9BFBF49BA48A2D13395075556522"</span>&gt;</span>
            <span class="code-tag">&lt;Transforms&gt;</span>
               <span class="code-tag">&lt;Transform Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</span>/&gt;</span>
            <span class="code-tag">&lt;/Transforms&gt;</span>
            <span class="code-tag">&lt;DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
            <span class="code-tag">&lt;DigestValue&gt;</span>GP0clMqrkm58j17R/IlG+ksITDQ=<span
class="code-tag">&lt;/DigestValue&gt;</span>
         <span class="code-tag">&lt;/Reference&gt;</span>
      <span class="code-tag">&lt;/SignedInfo&gt;</span>
      <span class="code-tag">&lt;SignatureValue&gt;</span>REMOVED<span
class="code-tag">&lt;/SignatureValue&gt;</span>
      <span class="code-tag">&lt;KeyInfo&gt;</span>
         <span class="code-tag">&lt;X509Data&gt;</span>
            <span class="code-tag">&lt;X509SubjectName&gt;</span>CN=localhost<span
class="code-tag">&lt;/X509SubjectName&gt;</span>
            <span class="code-tag">&lt;X509Certificate&gt;</span>REMOVED<span
class="code-tag">&lt;/X509Certificate&gt;</span>
         <span class="code-tag">&lt;/X509Data&gt;</span>
      <span class="code-tag">&lt;/KeyInfo&gt;</span>
   <span class="code-tag">&lt;/Signature&gt;</span>
   &lt;fed:RoleDescriptor protocolSupportEnumeration=<span class="code-quote">"http://docs.oasis-open.org/wsfed/federation/200706"</span>

      xsi:type=<span class="code-quote">"fed:ApplicationServiceType"</span>&gt;
      <span class="code-tag">&lt;fed:ApplicationServiceEndpoint&gt;</span>
         <span class="code-tag">&lt;wsa:EndpointReference&gt;</span>
            <span class="code-tag">&lt;wsa:Address&gt;</span>https://localhost:8443/fedizhelloworld/<span
class="code-tag">&lt;/wsa:Address&gt;</span>
         <span class="code-tag">&lt;/wsa:EndpointReference&gt;</span>
      <span class="code-tag">&lt;/fed:ApplicationServiceEndpoint&gt;</span>
      <span class="code-tag">&lt;fed:TargetScope&gt;</span>
         <span class="code-tag">&lt;wsa:EndpointReference&gt;</span>
            <span class="code-tag">&lt;wsa:Address/&gt;</span>
         <span class="code-tag">&lt;/wsa:EndpointReference&gt;</span>
         <span class="code-tag">&lt;/fed:TargetScope&gt;</span>
      <span class="code-tag">&lt;fed:ClaimTypesRequested&gt;</span>
         <span class="code-tag">&lt;auth:ClaimType Optional=<span class="code-quote">"true"</span>
Uri=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span>/&gt;</span>
      <span class="code-tag">&lt;/fed:ClaimTypesRequested&gt;</span>
      <span class="code-tag">&lt;fed:PassiveRequestorEndpoint&gt;</span>
         <span class="code-tag">&lt;wsa:EndpointReference&gt;</span>
            <span class="code-tag">&lt;wsa:Address&gt;</span>https://localhost:9443/fedizidp/<span
class="code-tag">&lt;/wsa:Address&gt;</span>
         <span class="code-tag">&lt;/wsa:EndpointReference&gt;</span>
      <span class="code-tag">&lt;/fed:PassiveRequestorEndpoint&gt;</span>
   <span class="code-tag">&lt;/fed:RoleDescriptor&gt;</span>
<span class="code-tag">&lt;/EntityDescriptor&gt;</span>
</pre>
</div></div>




    </div>
</div>
</div>
</div>
</div>
</body>
</html>
