[CONF] Apache CXF > Fediz Configuration

[confluence]

Fediz Configuration Page edited by Oliver Wulff Changes (1) (!) Under construction h1. Fediz Plugin configuration This page describes the Fediz configuration file which is referenced by the security interceptor (eg. authenticator in Tomcat/Jetty). ... Full Content Under construction Fediz Plugin configuration This page describes the Fediz configuration file which is referenced by the security interceptor (eg. authenticator in Tomcat/Jetty). Example The following example describes the minimum configuration for Fediz. <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <FedizConfig> <contextConfig name="/fedizhelloworld"> <audienceUris> <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem> </audienceUris> <certificateStore> <trustManager> <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="JKS" /> </trustManager> </certificateStore> <trustedIssuers> <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" /> </trustedIssuers> <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2"> <issuer>https://localhost:9443/fedizidp/</issuer> </protocol> </contextConfig> </FedizConfig> The element protocol defines that you use the WS-Federation protocol. The issuer says to which URL authenticated requests will be redirected with the SignIn request. The IDP issues a SAML token which must be validated by the plugin. The validation requires the certificate store of the Certificate Authority(ies) of the certificate which signed the SAML token. This is defined in certificateStore. The signing certificate itself is not required because certificateValidation is set to ChainTrust. The subject defines the trusted signing certificate using the subject as a regular _expression_. Finally, the audience URI is validated against the audience restriction in the SAML token. Configuration reference XML element Name Use Description audienceUris Audience URI Required The values of the list of audience URIs are verified against the element AudienceRestriction in the SAML token certificateStore Trusted certificate store Required The list of keystores (JKS, PEM) includes at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token trustedIssuers Trusted Issuers Required There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust) WS-Federation protocol configuration reference XML element Name Use Description issuer Issuer URL Required This URL defines the location of the IDP to whom unauthenticated requests are redirected authenticationType Authentication Type Optional The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth) The WS-Federation standard defines a list of predefined URIs for wauth here. Advanced example The following example defines the required claims and configure custom callback handler to define some configuration values at runtime. <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <FedizConfig> <contextConfig name="/fedizhelloworld"> <audienceUris> <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem> </audienceUris> <certificateStore> <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" /> </certificateStore> <trustedIssuers> <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" /> </trustedIssuers> <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.0.0"> <issuer>https://localhost:9443/fedizidp/</issuer> <roleDelimiter>,</roleDelimiter> <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI> <claimTypesRequested> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="true" /> </claimTypesRequested> <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard" /> <homeRealm type="Class" value="example.HomeRealmCallbackHandler.class" /> </protocol> </contextConfig> </FedizConfig> http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997 Change Notification Preferences View Online | View Changes | Add Comment