cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r923396 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp-11.html
Date Wed, 24 Sep 2014 13:47:21 GMT
Author: buildbot
Date: Wed Sep 24 13:47:21 2014
New Revision: 923396

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-idp-11.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp-11.html
==============================================================================
--- websites/production/cxf/content/fediz-idp-11.html (original)
+++ websites/production/cxf/content/fediz-idp-11.html Wed Sep 24 13:47:21 2014
@@ -109,71 +109,16 @@ Apache CXF -- Fediz IDP 1.1
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="FedizIDP1.1-FedizIDP">Fediz IDP</h1>
-
-<p><em>Note:</em> Fediz IDP 1.0 is described <a shape="rect" href="fediz-idp.html">here
</a>.</p>
-
-<p>The Release 1.1 introduces the following new feature:</p>
-
-<ul><li>Federation Metadata<br clear="none">
-The IDP supports publishing the WS-Federation Metadata document which allows to more easily
integrate the IDP into platforms which support referencing a Metadata document. Metadata consists
of the signing certificate, the provided claims, etc.</li></ul>
-
-
-<ul><li>Spring Web Flow support<br clear="none">
-The IDP has been refactored to use Spring Web Flow to manage the federation flow. This provides
flexibility to be able to customize the IDP to company's specific requirements. The IDP is
secured by Spring Security to get the benefits and flexibility of Spring Security.</li></ul>
-
-
-<ul><li>Resource IDP and Home Realm Discovery<br clear="none">
-This is the major new feature. The IDP is able to figure out from which security domain/realm
the browser request is coming from to redirect the sign-in request to the requestor IDP which
does the authentication and issues a token which is sent to the Resource IDP. The Resource
IDP will then either map the principal from one security domain to the target security domain
and get claims information of the mapped principal or transform the claims information and
finally issue a new token for the relying party (application).</li></ul>
-
-
-
-<p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security
Token Service (STS) component, fediz-idp-sts.war, which is responsible for validating credentials,
getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers
to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR
(fediz-idp.war) which allows browser-based applications to interact with the STS. The communication
between the browser and the IDP must be performed within the confines of the base HTTP 1.1
functionality and conform as closely as possible to the WS-Trust protocols semantic.</p>
-
-<p>The Fediz STS is based on a customized CXF STS configured to support standard Federation
use cases demonstrated by the examples. The Fediz STS has been enhanced to support two realms
*Realm-A* and *Realm-B* with the following set of users:</p>
-<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p> User </p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p> Password<br clear="none" class="atl-forced-newline">
</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>
<em>Realm A</em><br clear="none" class="atl-forced-newline"> </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> alice<br clear="none" class="atl-forced-newline">
</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> ecila<br
clear="none" class="atl-forced-newline"> </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> bob<br clear="none" class="atl-forced-newline">
</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> bob<br
clear="none" class="atl-forced-newline"> </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> ted<br clear="none" class=
 "atl-forced-newline"> </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
det<br clear="none" class="atl-forced-newline"> </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> <em>Realm B</em><br
clear="none" class="atl-forced-newline"> </p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>&#160;</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> ALICE<br clear="none" class="atl-forced-newline">
</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> ECILA<br
clear="none" class="atl-forced-newline"> </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> BOB<br clear="none" class="atl-forced-newline">
</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> BOB<br
clear="none" class="atl-forced-newline"> </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> TED<br clear="none" class="atl-forced-newline">
</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> DET<br
clear="none" cla
 ss="atl-forced-newline"> </p></td></tr></tbody></table></div>
-
-
-<p>The Fediz IDP doesn't support several realms within one WAR which requires to build
a Fediz IDP WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See below
how to build a Fediz IDP WAR for a specific realm.</p>
-
-<h3 id="FedizIDP1.1-Installation">Installation</h3>
-
-<p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with
any commercial JEE application server.</p>
-
-<p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared
to the one hosting the RP (relying party) applications.   Using one deployment of Tomcat with
multiple CATALINA_BASE instances, as described <a shape="rect" class="external-link" href="http://www.shaunabram.com/multiple-tomcat-instances/"
rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib folder
will be shared throughout each of the activated CATALINA_BASE instances.  Another probably
simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml
file and <a shape="rect" class="external-link" href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html"
rel="nofollow">change port values</a> (discussed below) so they don't conflict with
the original Tomcat installation.</p>
-
-<p>To start and stop this second Tomcat instance, it is perhaps easiest to create small
startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first
to the second instance, for example:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-CATALINA_HOME=/path/to/second/tomcat
+<div id="ConfluenceContent"><h1 id="FedizIDP1.1-FedizIDP">Fediz IDP</h1><p><em>Note:</em>
Fediz IDP 1.0 is described <a shape="rect" href="fediz-idp.html">here </a>.</p><p>The
Release 1.1 introduces the following new feature:</p><ul><li>Federation
Metadata<br clear="none"> The IDP supports publishing the WS-Federation Metadata document
which allows to more easily integrate the IDP into platforms which support referencing a Metadata
document. Metadata consists of the signing certificate, the provided claims, etc.</li></ul><ul><li>Spring
Web Flow support<br clear="none"> The IDP has been refactored to use Spring Web Flow
to manage the federation flow. This provides flexibility to be able to customize the IDP to
company's specific requirements. The IDP is secured by Spring Security to get the benefits
and flexibility of Spring Security.</li></ul><ul><li>Resource IDP
and Home Realm Discovery<br clear="none"> This is the major new feature. The IDP is
able to figure out from which securit
 y domain/realm the browser request is coming from to redirect the sign-in request to the
requestor IDP which does the authentication and issues a token which is sent to the Resource
IDP. The Resource IDP will then either map the principal from one security domain to the target
security domain and get claims information of the mapped principal or transform the claims
information and finally issue a new token for the relying party (application).</li></ul><p>The
Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service
(STS) component, fediz-idp-sts.war, which is responsible for validating credentials, getting
the requested claims data and issuing a SAML token. There is no easy way for Web browsers
to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR
(fediz-idp.war) which allows browser-based applications to interact with the STS. The communication
between the browser and the IDP must be performed within the confine
 s of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols
semantic.</p><p>The Fediz STS is based on a customized CXF STS configured to support
standard Federation use cases demonstrated by the examples. The Fediz STS has been enhanced
to support two realms *Realm-A* and *Realm-B* with the following set of users:</p><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>User</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Password</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm A</em></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>alice</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>ecila</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>bob</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>bob</p></td></tr><tr>
 <td colspan="1" rowspan="1" class="confluenceTd"><p>ted</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>det</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm B</em></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>ALICE</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>ECILA</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>BOB</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>TED</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>DET</p></td></tr></tbody></table></div><p>The
Fediz IDP doesn't support several realms within one WAR which requires to build a Fediz IDP
WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See below how to build
a Fediz IDP WAR for a specific realm.</p><h3 id="FedizIDP1.1-Installation">Insta
 llation</h3><p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be
able to work with any commercial JEE application server.</p><p>It's recommended
to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the
RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE
instances, as described <a shape="rect" class="external-link" href="http://www.shaunabram.com/multiple-tomcat-instances/"
rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib folder
will be shared throughout each of the activated CATALINA_BASE instances. Another probably
simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml
file and <a shape="rect" class="external-link" href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html"
rel="nofollow">change port values</a> (discussed below) so they don't conflict with
the original Tomcat i
 nstallation.</p><p>To start and stop this second Tomcat instance, it is perhaps
easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME
from the first to the second instance, for example:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/startup.sh
 ]]></script>
-</div></div>
-
-<p>and</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-CATALINA_HOME=/path/to/second/tomcat
+</div></div><p>and</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/shutdown.sh
 ]]></script>
-</div></div>
-
-<p>If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE
instead that will need to be redefined above.</p>
-
-<h5 id="FedizIDP1.1-Tomcatserver.xmlconfiguration">Tomcat server.xml configuration</h5>
-
-<p>The Fediz examples use the following Tomcat port values for the IDP/STS, defined
in the conf/server.xml file.  We use ports different from the Tomcat defaults so as not to
conflict with the Tomcat instance running the RP applications.</p>
-
-<ul><li>HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS
port: 9443 (where IDP and STS are accessed)</li><li>Server port: 9005 (for shutdown
and other commands)</li></ul>
-
-
-<p>Here is a sample snippet for showing the configuration of the above three values:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;Server port=&quot;9005&quot; shutdown=&quot;SHUTDOWN&quot;&gt;
+</div></div><p>If you're using the one Tomcat with multiple instance option,
it's $CATALINA_BASE instead that will need to be redefined above.</p><h5 id="FedizIDP1.1-Tomcatserver.xmlconfiguration">Tomcat
server.xml configuration</h5><p>The Fediz examples use the following Tomcat port
values for the IDP/STS, defined in the conf/server.xml file. We use ports different from the
Tomcat defaults so as not to conflict with the Tomcat instance running the RP applications.</p><ul><li>HTTP
port: 9080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS port:
9443 (where IDP and STS are accessed)</li><li>Server port: 9005 (for shutdown
and other commands)</li></ul><p>Here is a sample snippet for showing the
configuration of the above three values:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;Server
port=&quot;9005&quot; shutdown=&quot;SHUTDOWN&quot;&gt;
 ...
 
    &lt;!-- http configuration --&gt;
@@ -195,31 +140,8 @@ $CATALINA_HOME/bin/shutdown.sh
 ...
 &lt;/Server&gt;
 ]]></script>
-</div></div>
-
-<p>The keystoreFile is relative to $CATALINA_BASE. See <a shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat
7 configuration reference. This page also describes how to create certificates.  Sample Tomcat
keystores (not for production use, but useful for demoing Fediz and running the sample applications)
are provided in the examples/samplekeys folder of the Fediz distribution.</p>
-
-<p>To establish trust, there are significant keystore/truststore requirements between
the Tomcat instances and the various web applications (IDP, STS, Relying party applications,
third party web services, etc.)  See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&amp;view=co">this
page</a> for more details, it lists the trust requirements as well as sample scripts
for creating your own (self-signed) keys.</p>
-
-<p><strong>Warning:  All sample keystores provided with Fediz (including in the
WAR files for its services and examples) are for development/prototyping use only.  They'll
need to be replaced for production use, at a minimum with your own self-signed keys but strongly
recommended to use third-party signed keys.</strong></p>
-
-<h5 id="FedizIDP1.1-BuildtheIDPWAR">Build the IDP WAR</h5>
-
-<p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A by default.
The distribution also contains the IDP and STS sources with two Maven Profiles <em>realm-a</em>
and <em>realm-b</em>. More information is provided in the <code>README.txt</code>
<a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p>
-
-<p>Once you deploy the IDP WAR files to your Tomcat installation (&lt;catalina.home&gt;/webapps),
you should be able to see the Fediz STS from a browser at <a shape="rect" class="external-link"
href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a>
, assuming you're using port 9080 as listed above.</p>
-
-
-<h3 id="FedizIDP1.1-Configuration">Configuration</h3>
-
-<p>You can manage the users, their claims and the claims per application in the IDP.</p>
-
-<h5 id="FedizIDP1.1-Userandpassword">User and password</h5>
-
-<p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>.
The following users are already configured for the <em>Realm A</em> and can easily
be extended.</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;util:map id=&quot;REALMA&quot;&gt;
+</div></div><p>The keystoreFile is relative to $CATALINA_BASE. See <a
shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a>
for the Tomcat 7 configuration reference. This page also describes how to create certificates.
Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running
the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p><p>To
establish trust, there are significant keystore/truststore requirements between the Tomcat
instances and the various web applications (IDP, STS, Relying party applications, third party
web services, etc.) See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&amp;view=co">this
page</a> for more details, it lists the trust requirements as well as sample scripts
for creating your own (self-signed) keys.</p><p><s
 trong>Warning: All sample keystores provided with Fediz (including in the WAR files for
its services and examples) are for development/prototyping use only. They'll need to be replaced
for production use, at a minimum with your own self-signed keys but strongly recommended to
use third-party signed keys.</strong></p><h5 id="FedizIDP1.1-BuildtheIDPWAR">Build
the IDP WAR</h5><p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for
Realm-A by default. The distribution also contains the IDP and STS sources with two Maven
Profiles <em>realm-a</em> and <em>realm-b</em>. More information is
provided in the <code>README.txt</code> <a shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p><p>Once
you deploy the IDP WAR files to your Tomcat installation (&lt;catalina.home&gt;/webapps),
you should be able to see the Fediz STS from a browser. Assuming port 9080 as listed above,
the STS WSDL is availabl
 e at:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh">Version</th><th colspan="1" rowspan="1"
class="confluenceTh"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl"
rel="nofollow">STS</a> WSDL location</th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">Fediz 1.0.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a
shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl"
rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">Fediz 1.1.x</td><td colspan="1" rowspan="1"
class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl"
rel="nofollow">http://localhost:9080/fediz-idp-sts/</a><a shape="rect" class="external-link"
href="https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransp
 ort?wsdl" rel="nofollow">REALMA/STSServiceTransport?wsdl</a></td></tr></tbody></table></div><h3
id="FedizIDP1.1-Configuration">Configuration</h3><p>You can manage the users,
their claims and the claims per application in the IDP.</p><h5 id="FedizIDP1.1-Userandpassword">User
and password</h5><p>The users and passwords are configured in a Spring configuration
file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following
users are already configured for the <em>Realm A</em> and can easily be extended.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
   &lt;util:map id=&quot;REALMA&quot;&gt;
         &lt;entry key=&quot;alice&quot; value=&quot;ecila&quot; /&gt;
         &lt;entry key=&quot;bob&quot; value=&quot;bob&quot; /&gt;
         &lt;entry key=&quot;ted&quot; value=&quot;det&quot; /&gt;
@@ -231,14 +153,8 @@ $CATALINA_HOME/bin/shutdown.sh
         &lt;entry key=&quot;TED&quot; value=&quot;DET&quot; /&gt;
     &lt;/util:map&gt;
 ]]></script>
-</div></div>
-
-<h5 id="FedizIDP1.1-UserClaims">User Claims</h5>
-
-<p>The claims of each user are configured in a spring configuration file <code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>.
The following claims are already configured:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-  &lt;util:map id=&quot;userClaimsREALMA&quot;&gt;
+</div></div><h5 id="FedizIDP1.1-UserClaims">User Claims</h5><p>The
claims of each user are configured in a spring configuration file <code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>.
The following claims are already configured:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
 &lt;util:map id=&quot;userClaimsREALMA&quot;&gt;
     &lt;entry key=&quot;alice&quot;
       value-ref=&quot;REALMA_aliceClaims&quot; /&gt;
     &lt;entry key=&quot;bob&quot;
@@ -258,17 +174,8 @@ $CATALINA_HOME/bin/shutdown.sh
       value=&quot;User&quot; /&gt;
   &lt;/util:map&gt;
 ]]></script>
-</div></div>
-
-<p>The claim id's are configured according to Section 7.5 in the specification <a
shape="rect" class="external-link" href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html"
rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims to
a SAML attribute statement are described in Section 7.2.</p>
-
-<h5 id="FedizIDP1.1-IDPconfiguration">IDP configuration</h5>
-
-<p>The IDP configuration is done in the new configuration file <code>idp-config-&lt;realm&gt;.xml</code>
which is illustrated below</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;bean id=&quot;idp-realmA&quot; class=&quot;org.apache.cxf.fediz.service.idp.model.IDPConfig&quot;&gt;
+</div></div><p>The claim id's are configured according to Section 7.5 in
the specification <a shape="rect" class="external-link" href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html"
rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims to
a SAML attribute statement are described in Section 7.2.</p><h5 id="FedizIDP1.1-IDPconfiguration">IDP
configuration</h5><p>The IDP configuration is done in the new configuration file
<code>idp-config-&lt;realm&gt;.xml</code> which is illustrated below</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
   &lt;bean id=&quot;idp-realmA&quot; class=&quot;org.apache.cxf.fediz.service.idp.model.IDPConfig&quot;&gt;
         &lt;property name=&quot;realm&quot; value=&quot;urn:org:apache:cxf:fediz:idp:realm-A&quot;
/&gt;
         &lt;property name=&quot;uri&quot; value=&quot;realma&quot; /&gt;
         &lt;!--&lt;property name=&quot;hrds&quot; value=&quot;&quot;
/&gt;--&gt; &lt;!-- TBD, not defined, provide list if enabled --&gt;
@@ -303,16 +210,8 @@ $CATALINA_HOME/bin/shutdown.sh
         &lt;property name=&quot;serviceDescription&quot; value=&quot;IDP
of Realm A&quot; /&gt;
     &lt;/bean&gt;
 ]]></script>
-</div></div>
-
-<h5 id="FedizIDP1.1-RelyingParty/Applicationconfiguration">Relying Party / Application
configuration</h5>
-
-<p><em>Note: The configuration file</em> <code><em>RPClaims.xml</em></code>
<em>has been replaced</em></p>
-
-<p>The application related configuration like required claims are configured in the
new IDP configuration file <code>idp-config-&lt;realm&gt;.xml</code> which
has been enhanced to support other configuration parameters as well:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;bean id=&quot;srv-fedizhelloworld&quot; class=&quot;org.apache.cxf.fediz.service.idp.model.ServiceConfig&quot;&gt;
+</div></div><h5 id="FedizIDP1.1-RelyingParty/Applicationconfiguration">Relying
Party / Application configuration</h5><p><em>Note: The configuration file</em>
<code><em>RPClaims.xml</em></code> <em>has been replaced</em></p><p>The
application related configuration like required claims are configured in the new IDP configuration
file <code>idp-config-&lt;realm&gt;.xml</code> which has been enhanced
to support other configuration parameters as well:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
   &lt;bean id=&quot;srv-fedizhelloworld&quot; class=&quot;org.apache.cxf.fediz.service.idp.model.ServiceConfig&quot;&gt;
         &lt;property name=&quot;realm&quot; value=&quot;urn:org:apache:cxf:fediz:fedizhelloworld&quot;
/&gt;
         &lt;property name=&quot;protocol&quot; value=&quot;http://docs.oasis-open.org/wsfed/federation/200706&quot;
/&gt;
         &lt;property name=&quot;serviceDisplayName&quot; value=&quot;Fedizhelloworld&quot;
/&gt;
@@ -342,15 +241,8 @@ $CATALINA_HOME/bin/shutdown.sh
         &lt;/property&gt;
     &lt;/bean&gt;
 ]]></script>
-</div></div>
-
-<h5 id="FedizIDP1.1-TrustedIDPconfiguration">Trusted IDP configuration</h5>
-
-<p>This feature is new in Fediz IDP 1.1 and allows to redirect a SignIn Request to
a trusted IDP. The following configuration is required:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;bean id=&quot;trusted-idp-realmB&quot; class=&quot;org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig&quot;&gt;
+</div></div><h5 id="FedizIDP1.1-TrustedIDPconfiguration">Trusted IDP configuration</h5><p>This
feature is new in Fediz IDP 1.1 and allows to redirect a SignIn Request to a trusted IDP.
The following configuration is required:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
   &lt;bean id=&quot;trusted-idp-realmB&quot; class=&quot;org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig&quot;&gt;
         &lt;property name=&quot;realm&quot; value=&quot;urn:org:apache:cxf:fediz:idp:realm-B&quot;
/&gt;
         &lt;property name=&quot;url&quot; value=&quot;https://localhost:12443/fediz-idp-remote/federation&quot;
/&gt;
         &lt;property name=&quot;certificate&quot; value=&quot;realmb.cert&quot;
/&gt;
@@ -361,19 +253,8 @@ $CATALINA_HOME/bin/shutdown.sh
         &lt;property name=&quot;description&quot; value=&quot;IDP of Realm
B&quot; /&gt;
     &lt;/bean&gt;
 ]]></script>
-</div></div>
-
-<h3 id="FedizIDP1.1-ConfigureLDAPdirectory">Configure LDAP directory</h3>
-
-<p>The Fediz IDP can be configured to attach an LDAP directory to authenticate users
and to retrieve claims information of users.</p>
-
-<h5 id="FedizIDP1.1-Usernameandpasswordauthentication">Username and password authentication</h5>
-
-<p>WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS
LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration
(jaas.config):</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-myldap {
+</div></div><h3 id="FedizIDP1.1-ConfigureLDAPdirectory">Configure LDAP
directory</h3><p>The Fediz IDP can be configured to attach an LDAP directory to
authenticate users and to retrieve claims information of users.</p><h5 id="FedizIDP1.1-Usernameandpasswordauthentication">Username
and password authentication</h5><p>WSS4J supports username/password authentication
using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated
here in a sample jaas configuration (jaas.config):</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[myldap
{
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org&quot;
  authIdentity=&quot;cn={USERNAME},OU=Users,DC=mycompany,DC=org&quot;
@@ -381,25 +262,13 @@ myldap {
  debug=true;
 };
 ]]></script>
-</div></div>
-
-<p>You can get more information about this LoginModule <a shape="rect" class="external-link"
href="http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html"
rel="nofollow">here</a>.</p>
-
-<p>In this example, all the users are stored in the organization unit Users within
mycompany.org. The configuration filename can be chosen, e.g. <code>jaas.config</code>.
The filename must be configured as a JVM argument. JVM related configurations for Tomcat can
be done in the file <code>setenv.sh/bat</code> located in directory <code>tomcat/bin</code>.
This script is called implicitly by <code>catalina.bat/sh</code> and might look
like this for UNIX:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-#!/bin/sh
+</div></div><p>You can get more information about this LoginModule <a
shape="rect" class="external-link" href="http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html"
rel="nofollow">here</a>.</p><p>In this example, all the users are stored
in the organization unit Users within mycompany.org. The configuration filename can be chosen,
e.g. <code>jaas.config</code>. The filename must be configured as a JVM argument.
JVM related configurations for Tomcat can be done in the file <code>setenv.sh/bat</code>
located in directory <code>tomcat/bin</code>. This script is called implicitly
by <code>catalina.bat/sh</code> and might look like this for UNIX:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[#!/bin/sh
 JAVA_OPTS=&quot;-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config&quot;
 export JAVA_OPTS
 ]]></script>
-</div></div>
-
-<p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is
accomplished by the <code>JAASUsernameTokenValidator</code>.</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;bean
+</div></div><p>Next, the STS endpoint has to be configured to use the JAAS
LoginModule which is accomplished by the <code>JAASUsernameTokenValidator</code>.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;bean
   class=&quot;org.apache.ws.security.validate.JAASUsernameTokenValidator&quot;
       id=&quot;jaasUTValidator&quot;&gt;
    &lt;property name=&quot;contextName&quot; value=&quot;myldap&quot;/&gt;
@@ -419,21 +288,8 @@ export JAVA_OPTS
   &lt;/jaxws:properties&gt;
 &lt;/jaxws:endpoint&gt;
 ]]></script>
-</div></div>
-
-<p>The property <code>contextName</code> must match the context name defined
in the JAAS configuration file which is <code>myldap</code> in this example.</p>
-
-<h5 id="FedizIDP1.1-Claimsmanagement">Claims management</h5>
-
-<p>When a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every
registered ClaimsHandler who can provide the data of the requested claim.  The CXF STS provides
<code>org.apache.cxf.sts.claims.LdapClaimsHandler</code> which is a claims handler
implementation to get claims from user attributes in a LDAP directory.</p>
-
-<p>You configure which claim URI maps to which LDAP user attribute. The implementation
uses the Spring Ldap Module (LdapTemplate).</p>
-
-<p>The following example illustrate the changes to be made in <code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;util:list id=&quot;claimHandlerList&quot;&gt;
+</div></div><p>The property <code>contextName</code> must match
the context name defined in the JAAS configuration file which is <code>myldap</code>
in this example.</p><h5 id="FedizIDP1.1-Claimsmanagement">Claims management</h5><p>When
a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every registered
ClaimsHandler who can provide the data of the requested claim. The CXF STS provides <code>org.apache.cxf.sts.claims.LdapClaimsHandler</code>
which is a claims handler implementation to get claims from user attributes in a LDAP directory.</p><p>You
configure which claim URI maps to which LDAP user attribute. The implementation uses the Spring
Ldap Module (LdapTemplate).</p><p>The following example illustrate the changes
to be made in <code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;util:list
id=&quot;claimHandlerList&quot;&gt;
   &lt;ref bean=&quot;ldapClaimsHandler&quot; /&gt;
 &lt;/util:list&gt;
 
@@ -472,13 +328,7 @@ value=&quot;c&quot; /&gt;
       value=&quot;OU=Users,DC=mycompany,DC=org&quot; /&gt;
 &lt;/bean&gt;
 ]]></script>
-</div></div>
-
-<p>You must deploy the library for the spring ldap module and its dependencies. The
POM of the spring ldap module is available <a shape="rect" class="external-link" href="http://repo1.maven.org/maven2/org/springframework/ldap/spring-ldap/1.2/spring-ldap-1.2.pom"
rel="nofollow">here</a>.</p>
-
-<p>You can add the dependency to spring ldap module to the Fediz STS POM, add the above
configuration and rebuild the STS component or do the configuration in the deployed STS directly
and add the following JAR files:</p>
-
-<ul><li>lang-2.1.0.jar</li><li>ldapbp-1.0.jar</li><li>spring-ldap-1.2.jar</li></ul></div>
+</div></div><p>You must deploy the library for the spring ldap module and
its dependencies. The POM of the spring ldap module is available <a shape="rect" class="external-link"
href="http://repo1.maven.org/maven2/org/springframework/ldap/spring-ldap/1.2/spring-ldap-1.2.pom"
rel="nofollow">here</a>.</p><p>You can add the dependency to spring ldap
module to the Fediz STS POM, add the above configuration and rebuild the STS component or
do the configuration in the deployed STS directly and add the following JAR files:</p><ul><li>lang-2.1.0.jar</li><li>ldapbp-1.0.jar</li><li>spring-ldap-1.2.jar</li></ul></div>
            </div>
            <!-- Content -->
          </td>



Mime
View raw message