cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r953002 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Date Thu, 28 May 2015 15:47:04 GMT
Author: buildbot
Date: Thu May 28 15:47:04 2015
New Revision: 953002

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==============================================================================
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Thu May 28 15:47:04 2015
@@ -117,12 +117,12 @@ Apache CXF -- SAML Web SSO
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p><span class="inline-first-p" style="font-size:2em;font-weight:bold">
JAX-RS: SAML Web SSO</span></p><p></p><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1430923636954 {padding: 0px;}
-div.rbtoc1430923636954 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1430923636954 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><p><span class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS:
SAML Web SSO</span>&#160;</p><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
+div.rbtoc1432828022790 {padding: 0px;}
+div.rbtoc1432828022790 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1432828022790 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1430923636954">
+/*]]>*/</style></p><div class="toc-macro rbtoc1432828022790">
 <ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-Introduction">Introduction</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-TypicalFlow">Typical
Flow</a></li></ul>
 </li><li><a shape="rect" href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity Provider</a></li><li><a
shape="rect" href="#SAMLWebSSO-ServiceProviderSecurityFilter">Service Provider Security
Filter</a>
@@ -131,7 +131,7 @@ div.rbtoc1430923636954 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-DealingwithsignedSAMLResponses">Dealing
with signed SAML Responses</a></li><li><a shape="rect" href="#SAMLWebSSO-SignatureKeyInfoValidation">Signature
Key Info Validation</a></li><li><a shape="rect" href="#SAMLWebSSO-UsingRACSasEndpointFilter">Using
RACS as Endpoint Filter</a></li></ul>
 </li><li><a shape="rect" href="#SAMLWebSSO-SSOStateProvider">SSO State
Provider</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-DistributedStateManagement">Distributed
State Management</a></li></ul>
-</li><li><a shape="rect" href="#SAMLWebSSO-LogoutService">Logout Service</a></li></ul>
+</li><li><a shape="rect" href="#SAMLWebSSO-LogoutService">Logout Service</a></li><li><a
shape="rect" href="#SAMLWebSSO-MetadataService">Metadata Service</a></li></ul>
 </div><h1 id="SAMLWebSSO-Introduction">Introduction</h1><p><a
shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Single_sign-on" rel="nofollow">SSO</a>
is about a user having to sign in only once when interacting with a custom web application
which may offer of a number of individual endpoints.</p><p>CXF 2.6.1 introduces
a comprehensive service provider (SP) support for the SAML Web SSO <a shape="rect" class="external-link"
href="http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf" rel="nofollow">profile</a>.
This <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0"
rel="nofollow">page</a> also offers a good overview of the <a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile" rel="nofollow">profile</a>.</p><p>HTTP
Redirect(via GET) and POST bindings are supported. The module has been tested against many
IDP providers and is easily configurable.</p><p>The followin
 g components are required to get SSO supported:</p><ul class="alternate"><li>Identity
Provider (IDP) supporting SAML SSO</li><li>Request Assertion Consumer Service
(RACS)</li><li>Service Provider Security Filter</li><li>SSO State
Provider</li></ul><p>The following sections will describe these components
in more details</p><h2 id="SAMLWebSSO-TypicalFlow">Typical Flow</h2><p>Typically,
the following flow represents the way SAML SSO is enforced:</p><p>1. User accesses
a custom application for the first time<br clear="none"> 2. Service Provider Security
Filter checks if the security context is available <br clear="none"> and redirects the
user to IDP with a SAML SSO request<br clear="none"> 3. IDP challenges the user with
the authentication dialog and redirects the user to<br clear="none"> Request Assertion
Consumer Service (RACS) after the user has authenticated<br clear="none"> 4. RACS validates
the response from IDP, establishes a security context and redirects the user <br clear="no
 ne"> to the original application endpoint<br clear="none"> 5. Service Provider Security
Filter enforces that a valid security context is available and lets the user<br clear="none">
access the custom application.</p><h1 id="SAMLWebSSO-Mavendependencies">Maven
dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
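Review bot: the new TOC item `<a shape="rect" href="#SAMLWebSSO-MetadataService">Metadata Service</a>` is appended at the top level after `Logout Service`, and it resolves only because the same commit adds `<h1 id="SAMLWebSSO-MetadataService">` to the body in the `@@ -327` hunk; both are generated together, so no change is needed here, but any later renaming of the heading text will change the generated id and silently break this anchor.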
@@ -327,7 +327,7 @@ Assuming this configuration is saved in
  &lt;/bean&gt;
 
 ]]></script>
-</div></div><p>Note that a JAX-RS Client proxy to the HTTPSPStateManager
endpoint is used as SPStateManager reference.</p><p>The alternative to having
a distributed state cache be set up is to simply have a RACS endpoint collocated with every
individual web application constituting the bigger application, see the earlier section describing
SSO filters on how this can be easily set up. One possible downside of it is that there will
be no centralized store managing the state required by different filters and RACS which in
turn can make it more difficult to audit and log all the SSO-related activities spanning across
all the bigger application.</p><p>&#160;</p><h1 id="SAMLWebSSO-LogoutService">Logout
Service</h1><p>&#160;</p><p>CXF 3.0.0 introduces <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/LogoutService.java;h=048f7c11ccc5f8dd8fd243e4b8344901420d6652;hb
 =HEAD">LogoutService</a>. It will remove the SSO state for the logged-in user, and
can be registered as an independent endpoint or service bean.</p><p>It returns
LogoutResponse bean which is expected to be processed by the View handler.</p><p>For
example, one can imagine a user getting HTML page confirming the logout has been successful
and linking to the application front page.</p><p>&#160;</p><p>&#160;</p></div>
+</div></div><p>Note that a JAX-RS Client proxy to the HTTPSPStateManager
endpoint is used as SPStateManager reference.</p><p>The alternative to having
a distributed state cache be set up is to simply have a RACS endpoint collocated with every
individual web application constituting the bigger application, see the earlier section describing
SSO filters on how this can be easily set up. One possible downside of it is that there will
be no centralized store managing the state required by different filters and RACS which in
turn can make it more difficult to audit and log all the SSO-related activities spanning across
all the bigger application.</p><p>&#160;</p><h1 id="SAMLWebSSO-LogoutService">Logout
Service</h1><p>&#160;</p><p>CXF 3.0.0 introduces <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/LogoutService.java;h=048f7c11ccc5f8dd8fd243e4b8344901420d6652;hb
 =HEAD">LogoutService</a>. It will remove the SSO state for the logged-in user, and
can be registered as an independent endpoint or service bean.</p><p>It returns
LogoutResponse bean which is expected to be processed by the View handler.</p><p>For
example, one can imagine a user getting HTML page confirming the logout has been successful
and linking to the application front page.</p><h1 id="SAMLWebSSO-MetadataService">Metadata
Service</h1><p>&#160;</p><p>A new <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/MetadataService.java;h=63619c313b6e2adae48f1b72476d3d1de81212c6;hb=HEAD">MetadataService</a>
is available in CXF 3.1.0 and 3.0.5, which can publish SAML SSO Metadata for a given service.
Similar to the Logout Service, it is registered as an independent endpoint or service bean.
A sample spring configuration is available <a shape="rect" class="external-li
 nk" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/samlsso/metadata-server.xml;h=e130b3cb727051f6c0db3e7e3d571dc19cb536cc;hb=HEAD">here</a>
in the CXF system tests.</p></div>
            </div>
            <!-- Content -->
          </td>
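Review bot: the new "Metadata Service" section is too thin to be actionable: it says the service "can publish SAML SSO Metadata for a given service" and is "registered as an independent endpoint or service bean", but does not say what the published document contains (entity ID, assertion consumer service location, signing certificate), which bean properties control those values, or whether the published metadata is signed and how an IDP is expected to verify it before trusting it. Since the IDP uses this document to decide where to post assertions and which key to trust, a short inline summary of the configuration, in the same style as the Logout Service paragraph, would be more useful than only linking to `metadata-server.xml`. Both new links also use `hb=HEAD` alongside a blob hash, so the referenced `MetadataService.java` and the sample configuration will drift from what this page describes as the code evolves; pinning them to the 3.1.0 / 3.0.5 tags mentioned in the text would keep the links and the prose in step. Note also that the removed and added blocks repeat the unchanged Logout Service paragraphs verbatim because the exported HTML keeps them on one physical line; the functional change here is only the removal of the two trailing `<p>&#160;</p>` elements and the appended section.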