cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [3/3] cxf-fediz git commit: xAdding interop with new SAML SSO support in Fediz
Date Fri, 25 Mar 2016 13:51:18 GMT
xAdding interop with new SAML SSO support in Fediz


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d1c0d7e2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d1c0d7e2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d1c0d7e2

Branch: refs/heads/master
Commit: d1c0d7e236548b28da4b4fbd2dd0d3b8824416af
Parents: 6426abb
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Mar 25 13:50:51 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Mar 25 13:50:51 2016 +0000

----------------------------------------------------------------------
 systests/federation/samlsso/pom.xml             |  59 +++
 .../integrationtests/SAMLSSOFedizTest.java      | 309 ++++++++++++++
 .../src/test/resources/entities-realma.xml      |  21 +
 .../test/resources/fediz_config_saml_sso.xml    |  30 ++
 .../test/resources/realmb/entities-realmb.xml   | 423 +++++++++++++++++++
 .../src/test/resources/realmb/idp-servlet.xml   | 120 ++++++
 .../resources/realmb/persistence.properties     |  15 +
 .../src/test/resources/realmb/realm.properties  |   6 +
 .../test/resources/realmb/security-config.xml   | 135 ++++++
 9 files changed, 1118 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/pom.xml b/systests/federation/samlsso/pom.xml
index 116527c..9c11b78 100644
--- a/systests/federation/samlsso/pom.xml
+++ b/systests/federation/samlsso/pom.xml
@@ -128,6 +128,7 @@
                             <portNames>
                                 <portName>idp.https.port</portName>
                                 <portName>idp.samlsso.https.port</portName>
+                                <portName>idp.realmb.https.port</portName>
                                 <portName>rp.https.port</portName>
                             </portNames>
                         </configuration>
@@ -186,6 +187,22 @@
                                     <overWrite>true</overWrite>
                                     <outputDirectory>target/tomcat/rp/webapps/simpleWebapp2</outputDirectory>
                                 </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.apache.cxf.fediz</groupId>
+                                    <artifactId>fediz-idp</artifactId>
+                                    <version>${project.version}</version>
+                                    <type>war</type>
+                                    <overWrite>true</overWrite>
+                                    <outputDirectory>target/tomcat/idprealmb/webapps/fediz-idp-realmb</outputDirectory>
+                                </artifactItem>
+                                <artifactItem>
+                                    <groupId>org.apache.cxf.fediz</groupId>
+                                    <artifactId>fediz-idp-sts</artifactId>
+                                    <version>${project.version}</version>
+                                    <type>war</type>
+                                    <overWrite>true</overWrite>
+                                    <outputDirectory>target/tomcat/idprealmb/webapps/fediz-idp-sts-realmb</outputDirectory>
+                                </artifactItem>
                             </artifactItems>
                             <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
                             <overWriteSnapshots>true</overWriteSnapshots>
@@ -235,6 +252,47 @@
                             </resources>              
                         </configuration>            
                     </execution>
+                    <execution>
+                        <id>copy-entities-to-remote-idp</id>
+                        <phase>generate-test-sources</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/idprealmb/webapps/fediz-idp-realmb/WEB-INF/classes</outputDirectory>
+                            <resources>          
+                                <resource>
+                                    <directory>${basedir}/src/test/resources/realmb</directory>
+                                    <includes>
+                                        <include>entities-realmb.xml</include>
+                                        <include>realm.properties</include>
+                                        <include>persistence.properties</include>
+                                    </includes>
+                                    <filtering>true</filtering>
+                                </resource>
+                            </resources>              
+                        </configuration>            
+                    </execution>
+                    <execution>
+                        <id>copy-entities-to-remote-idp2</id>
+                        <phase>generate-test-sources</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/idprealmb/webapps/fediz-idp-realmb/WEB-INF</outputDirectory>
+                            <resources>          
+                                <resource>
+                                    <directory>${basedir}/src/test/resources/realmb</directory>
+                                    <includes>
+                                        <include>idp-servlet.xml</include>
+                                        <include>security-config.xml</include>
+                                    </includes>
+                                    <filtering>true</filtering>
+                                </resource>
+                            </resources>              
+                        </configuration>            
+                    </execution>
                 </executions>
             </plugin>
             <plugin>
@@ -253,6 +311,7 @@
                                 <wt.headless>true</wt.headless>
                                 <idp.https.port>${idp.https.port}</idp.https.port>
                                 <idp.samlsso.https.port>${idp.samlsso.https.port}</idp.samlsso.https.port>
+                                <idp.realmb.https.port>${idp.realmb.https.port}</idp.realmb.https.port>
                                 <rp.https.port>${rp.https.port}</rp.https.port>
                             </systemPropertyVariables>
                             <includes>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOFedizTest.java
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOFedizTest.java b/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOFedizTest.java
new file mode 100644
index 0000000..42518f3
--- /dev/null
+++ b/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOFedizTest.java
@@ -0,0 +1,309 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+
+import java.io.File;
+import java.io.IOException;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.cxf.fediz.tomcat7.FederationAuthenticator;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * This is a test for federation in the IdP. The RP application is configured to use a home realm of "realm b". The
+ * client gets redirected to the IdP for "realm a", which in turn redirects to the (Fediz) IdP for "realm b"
+ * via SAML SSO. The user authenticates + is redirected back to the IdP for "realm a" to get a 
+ * SAML token from the STS + then back to the application.
+ */
+public class SAMLSSOFedizTest {
+
+    static String idpHttpsPort;
+    static String idpRealmbHttpsPort;
+    static String rpHttpsPort;
+    
+    private static Tomcat idpServer;
+    private static Tomcat idpRealmbServer;
+    private static Tomcat rpServer;
+    
+    @BeforeClass
+    public static void init() {
+        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
+        System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
+        System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");  
+        
+        idpHttpsPort = System.getProperty("idp.https.port");
+        Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+        idpRealmbHttpsPort = System.getProperty("idp.realmb.https.port");
+        Assert.assertNotNull("Property 'idp.realmb.https.port' null", idpRealmbHttpsPort);
+        rpHttpsPort = System.getProperty("rp.https.port");
+        Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+        initIdp();
+        initRealmbIdp();
+        initRp();
+    }
+    
+    private static void initIdp() {
+        try {
+            idpServer = new Tomcat();
+            idpServer.setPort(0);
+            String currentDir = new File(".").getCanonicalPath();
+            idpServer.setBaseDir(currentDir + File.separator + "target");
+            
+            idpServer.getHost().setAppBase("tomcat/idp/webapps");
+            idpServer.getHost().setAutoDeploy(true);
+            idpServer.getHost().setDeployOnStartup(true);
+            
+            Connector httpsConnector = new Connector();
+            httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
+            httpsConnector.setSecure(true);
+            httpsConnector.setScheme("https");
+            //httpsConnector.setAttribute("keyAlias", keyAlias);
+            httpsConnector.setAttribute("keystorePass", "tompass");
+            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("truststorePass", "tompass");
+            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("clientAuth", "want");
+            // httpsConnector.setAttribute("clientAuth", "false");
+            httpsConnector.setAttribute("sslProtocol", "TLS");
+            httpsConnector.setAttribute("SSLEnabled", true);
+
+            idpServer.getService().addConnector(httpsConnector);
+            
+            idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
+            idpServer.addWebapp("/fediz-idp", "fediz-idp");
+            
+            idpServer.start();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    
+    private static void initRealmbIdp() {
+        try {
+            idpRealmbServer = new Tomcat();
+            idpRealmbServer.setPort(0);
+            String currentDir = new File(".").getCanonicalPath();
+            idpRealmbServer.setBaseDir(currentDir + File.separator + "target");
+            
+            idpRealmbServer.getHost().setAppBase("tomcat/idprealmb/webapps");
+            idpRealmbServer.getHost().setAutoDeploy(true);
+            idpRealmbServer.getHost().setDeployOnStartup(true);
+            
+            Connector httpsConnector = new Connector();
+            httpsConnector.setPort(Integer.parseInt(idpRealmbHttpsPort));
+            httpsConnector.setSecure(true);
+            httpsConnector.setScheme("https");
+            //httpsConnector.setAttribute("keyAlias", keyAlias);
+            httpsConnector.setAttribute("keystorePass", "tompass");
+            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("truststorePass", "tompass");
+            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("clientAuth", "want");
+            // httpsConnector.setAttribute("clientAuth", "false");
+            httpsConnector.setAttribute("sslProtocol", "TLS");
+            httpsConnector.setAttribute("SSLEnabled", true);
+
+            idpRealmbServer.getService().addConnector(httpsConnector);
+            
+            idpRealmbServer.addWebapp("/fediz-idp-sts-realmb", "fediz-idp-sts-realmb");
+            idpRealmbServer.addWebapp("/fediz-idp-realmb", "fediz-idp-realmb");
+            
+            idpRealmbServer.start();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    
+    private static void initRp() {
+        try {
+            rpServer = new Tomcat();
+            rpServer.setPort(0);
+            String currentDir = new File(".").getCanonicalPath();
+            rpServer.setBaseDir(currentDir + File.separator + "target");
+            
+            rpServer.getHost().setAppBase("tomcat/rp/webapps");
+            rpServer.getHost().setAutoDeploy(true);
+            rpServer.getHost().setDeployOnStartup(true);
+            
+            Connector httpsConnector = new Connector();
+            httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
+            httpsConnector.setSecure(true);
+            httpsConnector.setScheme("https");
+            //httpsConnector.setAttribute("keyAlias", keyAlias);
+            httpsConnector.setAttribute("keystorePass", "tompass");
+            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("truststorePass", "tompass");
+            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+            // httpsConnector.setAttribute("clientAuth", "false");
+            httpsConnector.setAttribute("clientAuth", "want");
+            httpsConnector.setAttribute("sslProtocol", "TLS");
+            httpsConnector.setAttribute("SSLEnabled", true);
+
+            rpServer.getService().addConnector(httpsConnector);
+            
+            //Context ctx =
+            Context cxt = rpServer.addWebapp("/fedizhelloworld3", "simpleWebapp");
+            FederationAuthenticator fa = new FederationAuthenticator();
+            fa.setConfigFile(currentDir + File.separator + "target" + File.separator
+                             + "test-classes" + File.separator + "fediz_config_saml_sso.xml");
+            cxt.getPipeline().addValve(fa);
+            
+            
+            rpServer.start();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    
+    @AfterClass
+    public static void cleanup() {
+        try {
+            if (idpServer.getServer() != null
+                && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
+                if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
+                    idpServer.stop();
+                }
+                idpServer.destroy();
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        try {
+            if (rpServer.getServer() != null
+                && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
+                if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
+                    rpServer.stop();
+                }
+                rpServer.destroy();
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    public String getIdpHttpsPort() {
+        return idpHttpsPort;
+    }
+    
+    public String getIdpRealmbHttpsPort() {
+        return idpRealmbHttpsPort;
+    }
+
+    public String getRpHttpsPort() {
+        return rpHttpsPort;
+    }
+    
+    public String getServletContextName() {
+        return "fedizhelloworld";
+    }
+    
+    @org.junit.Test
+    public void testSAMLSSO() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld3/secure/fedservlet";
+        // System.out.println(url);
+        // Thread.sleep(60 * 2 * 1000);
+        String user = "ALICE";  // realm b credentials
+        String password = "ECILA";
+        
+        final String bodyTextContent = 
+            login(url, user, password, getIdpRealmbHttpsPort(), getIdpHttpsPort(), true);
+        
+        Assert.assertTrue("Principal not alice",
+                          bodyTextContent.contains("userPrincipal=alice"));
+        Assert.assertTrue("User " + user + " does not have role Admin",
+                          bodyTextContent.contains("role:Admin=false"));
+        Assert.assertTrue("User " + user + " does not have role Manager",
+                          bodyTextContent.contains("role:Manager=false"));
+        Assert.assertTrue("User " + user + " must have role User",
+                          bodyTextContent.contains("role:User=true"));
+
+        String claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
+                          bodyTextContent.contains(claim + "=Alice"));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
+                          bodyTextContent.contains(claim + "=Smith"));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
+                          bodyTextContent.contains(claim + "=alice@realma.org"));
+    }
+    
+    private static String login(String url, String user, String password, 
+                                String idpPort, String rpIdpPort, boolean postBinding) throws IOException {
+        //
+        // Access the RP + get redirected to the IdP for "realm a". Then get redirected to the IdP for
+        // "realm b".
+        //
+        final WebClient webClient = new WebClient();
+        CookieManager cookieManager = new CookieManager();
+        webClient.setCookieManager(cookieManager);
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(idpPort)),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        HtmlPage idpPage = webClient.getPage(url);
+        
+        if (postBinding) {
+            Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+            final HtmlForm form = idpPage.getFormByName("samlsigninresponseform");
+            final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+            idpPage = button.click();
+        }
+        
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Now redirect back to the RP
+        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+
+        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+        final HtmlPage rpPage = button.click();
+        Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
+
+        webClient.close();
+        return rpPage.getBody().getTextContent();
+    }
+    
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/entities-realma.xml b/systests/federation/samlsso/src/test/resources/entities-realma.xml
index 145d1a8..ec7782b 100644
--- a/systests/federation/samlsso/src/test/resources/entities-realma.xml
+++ b/systests/federation/samlsso/src/test/resources/entities-realma.xml
@@ -72,6 +72,7 @@
             <util:list>
                 <ref bean="trusted-idp-realmB" />
                 <ref bean="trusted-idp-realmC" />
+                <ref bean="trusted-idp-realmD" />
             </util:list>
         </property>
         <property name="claimTypesOffered">
@@ -121,6 +122,26 @@
             </util:map>
         </property>
     </bean>
+    
+    <bean id="trusted-idp-realmD"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-D" />
+        <property name="issuer" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+        <property name="cacheTokens" value="true" />
+        <property name="url" value="https://localhost:${idp.realmb.https.port}/fediz-idp-realmb/saml/up" />
+        <property name="certificate" value="realmb.cert" />
+        <property name="trustType" value="PEER_TRUST" />
+        <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
+        <property name="federationType" value="FEDERATE_IDENTITY" />
+        <property name="name" value="Realm B" />
+        <property name="description" value="Realm B description" />
+        <property name="parameters">
+            <util:map>
+                <entry key="sign.request" value="true" />
+                <entry key="support.deflate.encoding" value="false" />
+            </util:map>
+        </property>
+    </bean>
 
     <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
         <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml b/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml
index 89f158b..5109172 100644
--- a/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml
+++ b/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml
@@ -82,5 +82,35 @@
         <logoutURL>/secure/logout</logoutURL>
         <logoutRedirectTo>/index.html</logoutRedirectTo>
     </contextConfig>
+    <contextConfig name="/fedizhelloworld3">
+        <audienceUris>
+            <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+        </audienceUris>
+        <certificateStores>
+            <trustManager>
+                <keyStore file="test-classes/clienttrust.jks"
+                          password="storepass" type="JKS" />
+            </trustManager>
+        </certificateStores>
+        <trustedIssuers>
+            <issuer certificateValidation="PeerTrust" />
+        </trustedIssuers>
+        <maximumClockSkew>1000</maximumClockSkew>
+        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xsi:type="federationProtocolType" version="1.0.0">
+            <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+            <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+            <roleDelimiter>,</roleDelimiter>
+            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+            <freshness>10</freshness>
+            <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-D</homeRealm>
+            <claimTypesRequested>
+                <claimType type="a particular claim type"
+                           optional="true" />
+            </claimTypesRequested>
+        </protocol>
+        <logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
+    </contextConfig>
 </FedizConfig>
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
new file mode 100644
index 0000000..9984af1
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
@@ -0,0 +1,423 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+    <bean id="idp-realmB" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+        <property name="uri" value="realmb" />
+        <property name="provideIdpList" value="false" />
+        <property name="useCurrentIdp" value="true" />
+        <property name="certificate" value="stsKeystoreB.properties" />
+        <property name="certificatePassword" value="realmb" />
+        <property name="stsUrl" value="https://localhost:${idp.realmb.https.port}/fediz-idp-sts-realmb/REALMB" />
+        <property name="idpUrl" value="https://localhost:${idp.realmb.https.port}/fediz-idp-realmb/saml" />
+        <property name="supportedProtocols">
+            <util:list>
+                <value>urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
+                </value>
+                <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+                </value>
+            </util:list>
+        </property>
+        <property name="tokenTypesOffered">
+            <util:list>
+                <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+                <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+            </util:list>
+        </property>
+        <property name="authenticationURIs">
+            <util:map>
+                <entry key="default" value="saml/up" />
+            </util:map>
+        </property>
+        <property name="serviceDisplayName" value="REALM B" />
+        <property name="serviceDescription" value="IDP of Realm B" />
+        <property name="applications">
+            <util:list>
+                <ref bean="idp-realmA" />
+            </util:list>
+        </property>
+        <property name="claimTypesOffered">
+            <util:list>
+                <ref bean="claim_role" />
+                <ref bean="claim_surname" />
+                <ref bean="claim_givenname" />
+                <ref bean="claim_email" />
+            </util:list>
+        </property>
+    </bean>
+
+    <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+        <property name="serviceDisplayName" value="Resource IDP Realm A" />
+        <property name="serviceDescription" value="Resource IDP Realm A" />
+        <property name="role" value="SecurityTokenServiceType" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+        <property name="lifeTime" value="3600" />
+        <property name="validatingCertificate" value="realma.cert" />
+    </bean>
+    
+    <bean id="claim_role"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+        <property name="claimType"
+            value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+        <property name="displayName"
+            value="role" />
+        <property name="description"
+            value="Description for role" />
+    </bean>
+    <bean id="claim_givenname"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+        <property name="claimType"
+            value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+        <property name="displayName"
+            value="firstname" />
+        <property name="description"
+            value="Description for firstname" />
+    </bean>
+    <bean id="claim_surname"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+        <property name="claimType"
+            value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+        <property name="displayName"
+            value="lastname" />
+        <property name="description"
+            value="Description for lastname" />
+    </bean>
+    <bean id="claim_email"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+        <property name="claimType"
+            value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+        <property name="displayName"
+            value="email" />
+        <property name="description"
+            value="Description for email" />
+    </bean>
+
+    <bean id="entitlement_claim_list"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="CLAIM_LIST" />
+        <property name="description"
+            value="Description for CLAIM_LIST" />
+    </bean>
+    <bean id="entitlement_claim_create"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="CLAIM_CREATE" />
+        <property name="description"
+            value="Description for CLAIM_CREATE" />
+    </bean>
+    <bean id="entitlement_claim_read"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="CLAIM_READ" />
+        <property name="description"
+            value="Description for CLAIM_READ" />
+    </bean>
+    <bean id="entitlement_claim_update"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="CLAIM_UPDATE" />
+        <property name="description"
+            value="Description for CLAIM_UPDATE" />
+    </bean>
+    <bean id="entitlement_claim_delete"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="CLAIM_DELETE" />
+        <property name="description"
+            value="Description for CLAIM_DELETE" />
+    </bean>
+
+    <bean id="entitlement_application_list"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="APPLICATION_LIST" />
+        <property name="description"
+            value="Description for APPLICATION_LIST" />
+    </bean>
+    <bean id="entitlement_application_create"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="APPLICATION_CREATE" />
+        <property name="description"
+            value="Description for APPLICATION_CREATE" />
+    </bean>
+    <bean id="entitlement_application_read"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="APPLICATION_READ" />
+        <property name="description"
+            value="Description for APPLICATION_READ" />
+    </bean>
+    <bean id="entitlement_application_update"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="APPLICATION_UPDATE" />
+        <property name="description"
+            value="Description for APPLICATION_UPDATE" />
+    </bean>
+    <bean id="entitlement_application_delete"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="APPLICATION_DELETE" />
+        <property name="description"
+            value="Description for APPLICATION_DELETE" />
+    </bean>
+    
+    <bean id="entitlement_trustedidp_list"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="TRUSTEDIDP_LIST" />
+        <property name="description"
+            value="Description for TRUSTEDIDP_LIST" />
+    </bean>
+    <bean id="entitlement_trustedidp_create"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="TRUSTEDIDP_CREATE" />
+        <property name="description"
+            value="Description for TRUSTEDIDP_CREATE" />
+    </bean>
+    <bean id="entitlement_trustedidp_read"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="TRUSTEDIDP_READ" />
+        <property name="description"
+            value="Description for TRUSTEDIDP_READ" />
+    </bean>
+    <bean id="entitlement_trustedidp_update"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="TRUSTEDIDP_UPDATE" />
+        <property name="description"
+            value="Description for TRUSTEDIDP_UPDATE" />
+    </bean>
+    <bean id="entitlement_trustedidp_delete"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="TRUSTEDIDP_DELETE" />
+        <property name="description"
+            value="Description for TRUSTEDIDP_DELETE" />
+    </bean>
+
+    <bean id="entitlement_idp_list"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="IDP_LIST" />
+        <property name="description"
+            value="Description for IDP_LIST" />
+    </bean>
+    <bean id="entitlement_idp_create"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="IDP_CREATE" />
+        <property name="description"
+            value="Description for IDP_CREATE" />
+    </bean>
+    <bean id="entitlement_idp_read"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="IDP_READ" />
+        <property name="description"
+            value="Description for IDP_READ" />
+    </bean>
+    <bean id="entitlement_idp_update"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="IDP_UPDATE" />
+        <property name="description"
+            value="Description for IDP_UPDATE" />
+    </bean>
+    <bean id="entitlement_idp_delete"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="IDP_DELETE" />
+        <property name="description"
+            value="Description for IDP_DELETE" />
+    </bean>
+    
+    <bean id="entitlement_role_list"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ROLE_LIST" />
+        <property name="description"
+            value="Description for ROLE_LIST" />
+    </bean>
+    <bean id="entitlement_role_create"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ROLE_CREATE" />
+        <property name="description"
+            value="Description for ROLE_CREATE" />
+    </bean>
+    <bean id="entitlement_role_read"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ROLE_READ" />
+        <property name="description"
+            value="Description for ROLE_READ" />
+    </bean>
+    <bean id="entitlement_role_update"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ROLE_UPDATE" />
+        <property name="description"
+            value="Description for ROLE_UPDATE" />
+    </bean>
+    <bean id="entitlement_role_delete"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ROLE_DELETE" />
+        <property name="description"
+            value="Description for ROLE_DELETE" />
+    </bean>
+    
+    <bean id="entitlement_entitlement_list"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ENTITLEMENT_LIST" />
+        <property name="description"
+            value="Description for ENTITLEMENT_LIST" />
+    </bean>
+    <bean id="entitlement_entitlement_create"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ENTITLEMENT_CREATE" />
+        <property name="description"
+            value="Description for ENTITLEMENT_CREATE" />
+    </bean>
+    <bean id="entitlement_entitlement_read"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ENTITLEMENT_READ" />
+        <property name="description"
+            value="Description for ENTITLEMENT_READ" />
+    </bean>
+    <bean id="entitlement_entitlement_update"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ENTITLEMENT_UPDATE" />
+        <property name="description"
+            value="Description for ENTITLEMENT_UPDATE" />
+    </bean>
+    <bean id="entitlement_entitlement_delete"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <property name="name"
+            value="ENTITLEMENT_DELETE" />
+        <property name="description"
+            value="Description for ENTITLEMENT_DELETE" />
+    </bean>
+    
+    <bean id="role_admin"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+        <property name="name"
+            value="ADMIN" />
+        <property name="description"
+            value="This is the administrator role with full access" />
+        <property name="entitlements">
+            <util:list>
+                <ref bean="entitlement_claim_list" />
+                <ref bean="entitlement_claim_create" />
+                <ref bean="entitlement_claim_read" />
+                <ref bean="entitlement_claim_update" />
+                <ref bean="entitlement_claim_delete" />
+                <ref bean="entitlement_idp_list" />
+                <ref bean="entitlement_idp_create" />
+                <ref bean="entitlement_idp_read" />
+                <ref bean="entitlement_idp_update" />
+                <ref bean="entitlement_idp_delete" />
+                <ref bean="entitlement_trustedidp_list" />
+                <ref bean="entitlement_trustedidp_create" />
+                <ref bean="entitlement_trustedidp_read" />
+                <ref bean="entitlement_trustedidp_update" />
+                <ref bean="entitlement_trustedidp_delete" />
+                <ref bean="entitlement_application_list" />
+                <ref bean="entitlement_application_create" />
+                <ref bean="entitlement_application_read" />
+                <ref bean="entitlement_application_update" />
+                <ref bean="entitlement_application_delete" />
+                <ref bean="entitlement_role_list" />
+                <ref bean="entitlement_role_create" />
+                <ref bean="entitlement_role_read" />
+                <ref bean="entitlement_role_update" />
+                <ref bean="entitlement_role_delete" />
+                <ref bean="entitlement_entitlement_list" />
+                <ref bean="entitlement_entitlement_create" />
+                <ref bean="entitlement_entitlement_read" />
+                <ref bean="entitlement_entitlement_update" />
+                <ref bean="entitlement_entitlement_delete" />
+            </util:list>
+        </property>
+    </bean>
+    <bean id="role_user"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+        <property name="name"
+            value="USER" />
+        <property name="description"
+            value="This is the user role with read access" />
+        <property name="entitlements">
+            <util:list>
+                <ref bean="entitlement_claim_list" />
+                <ref bean="entitlement_claim_read" />
+                <ref bean="entitlement_idp_list" />
+                <ref bean="entitlement_idp_read" />
+                <ref bean="entitlement_trustedidp_list" />
+                <ref bean="entitlement_trustedidp_read" />
+                <ref bean="entitlement_application_list" />
+                <ref bean="entitlement_application_read" />
+                <ref bean="entitlement_role_list" />
+                <ref bean="entitlement_role_read" />
+                <ref bean="entitlement_entitlement_list" />
+                <ref bean="entitlement_entitlement_read" />
+            </util:list>
+        </property>
+    </bean>
+    <bean id="role_idp_login"
+        class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+        <property name="name"
+            value="IDP_LOGIN" />
+        <property name="description"
+            value="This is the IDP login role which is applied to Users during the IDP SSO" />
+        <property name="entitlements">
+            <util:list>
+                <ref bean="entitlement_claim_list" />
+                <ref bean="entitlement_claim_read" />
+                <ref bean="entitlement_idp_list" />
+                <ref bean="entitlement_idp_read" />
+                <ref bean="entitlement_trustedidp_list" />
+                <ref bean="entitlement_trustedidp_read" />
+                <ref bean="entitlement_application_list" />
+                <ref bean="entitlement_application_read" />
+            </util:list>
+        </property>
+    </bean>
+
+</beans>
+

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
new file mode 100644
index 0000000..e557819
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:webflow="http://www.springframework.org/schema/webflow-config"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
+        http://www.springframework.org/schema/webflow-config
+        http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
+
+    <context:property-placeholder location="classpath:realm.properties" />
+    
+    <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" />
+
+    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
+        p:flowRegistry-ref="flowRegistry" p:order="2">
+    </bean>
+
+    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter"
+        p:flowExecutor-ref="flowExecutor" />
+
+    <webflow:flow-executor id="flowExecutor"
+        flow-registry="flowRegistry">
+        <webflow:flow-execution-attributes>
+            <webflow:always-redirect-on-pause
+                value="false" />
+        </webflow:flow-execution-attributes>
+
+        <webflow:flow-execution-listeners>
+            <webflow:listener ref="securityFlowExecutionListener" />
+        </webflow:flow-execution-listeners>
+    </webflow:flow-executor>
+
+    <bean id="securityFlowExecutionListener"
+        class="org.springframework.webflow.security.SecurityFlowExecutionListener">
+        <property name="accessDecisionManager" ref="accessDecisionManager" />
+    </bean>
+
+    <bean id="accessDecisionManager"
+        class="org.springframework.security.access.vote.AffirmativeBased">
+        <property name="decisionVoters">
+            <list>
+                <bean
+                    class="org.springframework.security.access.vote.RoleVoter">
+                    <property name="rolePrefix" value="ROLE_" />
+                </bean>
+                <bean
+                    class="org.springframework.security.access.vote.AuthenticatedVoter" />
+            </list>
+        </property>
+    </bean>
+
+    <webflow:flow-registry id="flowRegistry"
+        flow-builder-services="builder">
+        <webflow:flow-location
+            path="/WEB-INF/flows/federation-validate-request.xml" id="federation" />
+        <webflow:flow-location
+            path="/WEB-INF/flows/federation-validate-request.xml" id="federation/up" />
+        <webflow:flow-location path="/WEB-INF/flows/federation-signin-request.xml"
+            id="signinRequest" />
+        <webflow:flow-location path="/WEB-INF/flows/federation-signin-response.xml"
+            id="signinResponse" />
+            
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml" />
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/up" />
+        <webflow:flow-location path="/WEB-INF/flows/saml-signin-request.xml" id="signinSAMLRequest" />
+    </webflow:flow-registry>
+
+    <webflow:flow-builder-services id="builder"
+        view-factory-creator="viewFactoryCreator" expression-parser="expressionParser" />
+
+    <bean id="expressionParser"
+        class="org.springframework.webflow.expression.WebFlowOgnlExpressionParser" />
+
+    <bean id="viewFactoryCreator"
+        class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
+        <property name="viewResolvers">
+            <list>
+                <ref local="viewResolver" />
+            </list>
+        </property>
+    </bean>
+
+    <bean id="viewResolver"
+        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
+        <property name="prefix" value="/WEB-INF/views/" />
+        <property name="suffix" value=".jsp" />
+    </bean>
+
+    <bean id="stsClientForRpAction"
+        class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
+        <property name="wsdlLocation"
+            value="https://localhost:0/fediz-idp-sts-realmb/${realm.STS_URI}/STSServiceTransport?wsdl" />
+        <property name="wsdlEndpoint" value="Transport_Port" />
+        <property name="tokenType"
+            value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+    </bean>
+
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/persistence.properties
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/persistence.properties b/systests/federation/samlsso/src/test/resources/realmb/persistence.properties
new file mode 100644
index 0000000..2628714
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/persistence.properties
@@ -0,0 +1,15 @@
+#jpa.driverClassName=org.apache.derby.jdbc.ClientDriver
+#jpa.url=jdbc:derby://localhost:1527/Fediz
+#jpa.username=admin
+#jpa.password=admin
+#jpa.defaultData=true
+#jpa.platform=DerbyDictionary
+
+
+jpa.driverClassName=org.hsqldb.jdbcDriver
+#jpa.url=jdbc:hsqldb:target/fediz/db/myDB;shutdown=true
+jpa.url=jdbc:hsqldb:target/db/realmb/myDB;shutdown=true
+jpa.username=sa
+jpa.password=
+jpa.defaultData=true
+jpa.platform=HSQLDictionary
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/realm.properties
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/realm.properties b/systests/federation/samlsso/src/test/resources/realmb/realm.properties
new file mode 100644
index 0000000..41d04cd
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/realm.properties
@@ -0,0 +1,6 @@
+realm.STS_URI=REALMB
+realmA.port=${idp.https.port}
+realmB.port=${idp.realmb.https.port}
+idp-config=idp-config-realmb.xml
+db-load-config=entities-realmb.xml
+realm-uri=urn:org:apache:cxf:fediz:idp:realm-B

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/security-config.xml b/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
new file mode 100644
index 0000000..78e50c8
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        ">
+
+    <context:property-placeholder location="classpath:realm.properties"/>
+    
+    <!-- DISABLE in production as it might log confidential information about the user -->
+    <!-- <security:debug /> -->
+
+    <!-- Configure Spring Security -->
+    
+    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
+    <!-- The user has no role during the login phase of WS-Federation -->
+    <security:global-method-security pre-post-annotations="enabled"/>
+
+    <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+        <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
+        <security:http-basic />
+    </security:http>
+
+    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+    
+    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+    
+    <security:authentication-manager id="restAuthenticationManager">
+        <security:authentication-provider>
+          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+          <!--  
+          <security:password-encoder hash="sha-256" base64="true">
+            <security:salt-source user-property="username"/>
+          </security:password-encoder>
+          -->
+          <security:user-service properties="classpath:/users.properties" />
+        </security:authentication-provider>
+        <security:authentication-provider ref="stsAuthProvider" />
+    </security:authentication-manager>
+
+    <!-- Redirects to a dedicated http config -->
+    <bean id="fedizEntryPoint" class="org.apache.cxf.fediz.service.idp.FedizEntryPoint">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+        <property name="configService" ref="config" />
+    </bean>
+    
+    <!-- Main entry point -->
+    <security:http pattern="/federation" use-expressions="true" entry-point-ref="fedizEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+    </security:http>
+    
+    <!-- HTTP/BA entry point -->
+    <security:http pattern="/federation/up" use-expressions="true">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+
+        <security:http-basic />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <!-- Main entry point -->
+    <security:http pattern="/saml" use-expressions="true" entry-point-ref="fedizEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+    </security:http>
+    
+    <!-- HTTP/BA entry point -->
+    <security:http pattern="/saml/up/**" use-expressions="true">
+        <security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous() or isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+        <security:http-basic />
+        <!--security:form-login login-page='/federation/up/login'
+            login-processing-url="/federation/up/login.do"
+            authentication-failure-url="/federation/up/login?error" 
+            default-target-url="/"
+            username-parameter="username" 
+            password-parameter="password"
+            /-->
+        <security:logout logout-url="/saml/up/logout" 
+            logout-success-url="/saml/up/login?out" 
+            delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+            invalidate-session="true" 
+            />
+    </security:http>
+
+    <security:authentication-manager>
+        <security:authentication-provider ref="stsAuthProvider" />
+    </security:authentication-manager>
+	
+    <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+    
+    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
+	
+    <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts-realmb/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
+        <property name="wsdlEndpoint" value="TransportUT_Port"/>
+        <property name="wsdlService" value="SecurityTokenService"/>
+        <property name="appliesTo" value="urn:fediz:idp"/>
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+    </bean>
+
+</beans>


Mime
View raw message