Author: buildbot
Date: Fri Aug 24 16:57:50 2018
New Revision: 1034390

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-configuration.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Fri Aug 24 
16:57:50 2018
@@ -130,7 +130,7 @@ Apache CXF -- Fediz Configuration
     </contextConfig>
 </FedizConfig>
 </pre>
-</div></div><p>The IDP issues a SAML token which must be validated by the 
plugin. The validation requires the certificate store of the Certificate 
Authority(ies) of the certificate which signed the SAML token. This is defined 
in <code>certificateStore</code>. The signing certificate itself is not 
required because <code>certificateValidation</code> is set to 
<code>ChainTrust</code>. The audience URI is validated against the audience 
restriction in the SAML token.</p><p>The protocol element declares that the 
WS-Federation protocol is being used. If SAML SSO was being used instead, then 
the "xsi:type" value would be "samlProtocolType". The configuration items 
outside of the "protocol" section are independent of whether WS-Federation or 
SAML SSO are being used.</p><p>The issuer element shows the URL to which 
authenticated requests will be redirected with a SignIn request.</p><h3 
id="FedizConfiguration-Protocol-independentconfigurationreference">Protocol-independent
 configuration referen
 ce</h3><p>The configuration schema can be seen <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/main/resources/schemas/FedizConfig.xsd";
 rel="nofollow">here</a>.</p><div class="table-wrap"><table 
class="confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col 
span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The values of the list of audience URIs are 
verified against the element <code>AudienceRestriction</code> in the SAML 
token. If a SAML token contains a audience restriction which is not listed 
within this collection, the tok
 en will be refused.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>certificateStores</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The list of keystores (JKS, PEM) includes at least the 
certificate of the Certificate Authorities (CA) which signed the certificate 
which is used to sign the SAML token.<br clear="none"> If the file location is 
not fully qualified it needs to be relative to the Container home 
directory</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">tokenExpirationValidation</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Decision whether the token validation (e.g. lifetime) 
shall be performed on every request (true) or only once at initial 
authentication (false). The default is "false".</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">addAuthenticatedRole</td><td 
 colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to add the "Authenticated" role to 
the list of roles associated with the "authenticated" user. This could be 
useful if you don't care about authorizing the user, only about authentication. 
A role is required to activate authentication, and it may be problematic to 
list all relevant roles in web.xml. Note that if the user has no roles, then 
the "Authenticated" role is added automatically. The default is 
"false".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>maximumClockSkew</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Maximum allowable time difference between the system 
clocks of the IDP and RP. Default 5 seconds.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>tokenReplayCache</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optio
 nal</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The <a 
shape="rect" class="external-link" 
href="https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/ReplayCache.java";>ReplayCache</a>
 implementation to use to cache tokens. The default is an implementation based 
on EHCache.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>signingKey</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>If configured, the published (WS-Federation or SAML 
SSO) <a shape="rect" href="fediz-metadata.html">Metadata document</a> is signed 
by this key. Otherwise, not signed.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>tokenDecryptionKey</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A Keystore used to decrypt an encrypted 
token.<
 /p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>trustedIssuers</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>There are two ways to configure a trusted issuer (IDP). 
Either you configure the subject name and the CA(s) who signed the certificate 
of the IDP (<code>certificateValidation=ChainTrust</code>) or you configure the 
certificate of the IDP and the CA(s) who signed it 
(<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">protocol</td><td colspan="1" rowspan="1" 
class="confluenceTd">Required</td><td colspan="1" rowspan="1" 
class="confluenceTd">A protocolType instance that defines the SSO protocol that 
is supported. Currently supported protocols are "federationProtocolType" and 
"samlProtocolType". See below for protocol-specific configuration 
items.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">logoutURL<
 /td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td 
colspan="1" rowspan="1" class="confluenceTd">User defined logout URL to trigger 
federated logout process.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">logoutRedirectTo</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>URL to landing-page after successful 
logout.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">logoutRedirectToConstraint</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>A regular expression constraint on the 'wreply' 
parameter, which is used to obtain the URL to navigate to after successful 
logout. Only applies to WS-Federation 
protocol.</p></td></tr></tbody></table></div><h5 
id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation
 protocol configuration reference</h5><div class="table-wrap"><table class="r
 elative-table confluenceTable" style="width: 92.1635%;"><colgroup 
span="1"><col span="1" style="width: 12.2678%;"><col span="1" style="width: 
5.85594%;"><col span="1" style="width: 15.8395%;"><col span="1" style="width: 
66.0368%;"></colgroup><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">applicationServiceURL</td><td colspan="1" 
rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">entityID</td><td colspan="1" rowspan="1" 
class="confluenceTd">Used to set the "entityID" for the Metadata. If not 
specified, the context path of the application is used 
instead.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleDelimiter</p></td><td col
 span="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>There are different ways to encode multi value 
attributes in SAML:</p><ul><li>Single attribute with multiple 
values</li><li>Several attributes with the same name but only one 
value</li><li>Single attribute with single value. Roles are delimited by 
<code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleURI</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Defines the attribute name of the SAML token which 
contains the roles. Required for Role Based Access Control. Typically this is 
configured with the value "<span 
class="nolink">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</span>".</p></td></tr><tr><td
 cols
 pan="1" rowspan="1" class="confluenceTd"><p>claimTypesRequested</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>ClaimTypesRequested (WS-Fed) / 
RequestedAttribute (SAML SSO)</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The claims required by the Relying Party are listed 
here. Claims can be optional. If a mandatory claim can't be provided by the IDP 
the issuance of the token should fail.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>This URL defines the location of the IDP to whom 
unauthenticated requests are redirected.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><t
 d colspan="1" rowspan="1" class="confluenceTd">NA</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Security realm of the Relying Party / 
Application. For WS-Federation, this value is part of the SignIn request as the 
<code>wtrealm</code> parameter. For SAML SSO, it is used as the Issuer of the 
AuthnRequest. Default: URL including the Servlet Context</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be 
configured here. The SAML Token validator is enabled by default. See example <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/CustomValidator.java";
 rel="nofollow">here.</a></p></td></tr><tr><td colspan="1" rowspan="1
 " class="confluenceTd">metadataURI</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">The URI where Metadata is served. The default is 
"FederationMetadata/2007-06/FederationMetadata.xml" for WS-Federation and 
"SAML/Metadata.xml" for SAML SSO.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>authenticationType</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The authentication type defines what kind of 
authentication is required. This information is provided in the SignInRequest 
to the IDP (parameter <code>wauth</code>). The WS-Federation standard defines a 
list of predefined URIs for wauth <a shape="rect" class="external-link" 
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os
 .html#_Toc223174997" rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicates the Resource IDP the home realm of the 
requestor. This may be an URL or an identifier like urn: or uuid: and depends 
on the Resource IDP implementation. This value is part of the SignIn request as 
the <code>whr</code> parameter</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The desired "freshness" of the token from the IdP. This 
information is provided in the SignInRequest to the IdP (parameter 
<code>wfresh</code>)</p></td></tr><tr><td colspa
 n="1" rowspan="1" class="confluenceTd">request</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">This value is part of the SignIn request as the wreq 
parameter. It can be used to specify a desired TokenType from the 
IdP.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">signInQuery</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Additional queries to be appended to the sign-in 
URL.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">signOutQuery</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Additional queries to be appended to the sign-out 
URL.</td></tr></tbody></table></div><h5 id="FedizConfigurati
 on-SAMLSSOprotocolconfigurationreference">SAML SSO protocol configuration 
reference</h5><div class="table-wrap"><table class="relative-table 
confluenceTable" style="width: 93.4696%;"><colgroup span="1"><col span="1" 
style="width: 10.8815%;"><col span="1" style="width: 5.22796%;"><col span="1" 
style="width: 15.5572%;"><col span="1" style="width: 
68.3333%;"></colgroup><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">applicationServiceURL</td><td colspan="1" 
rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">entityID</td><td colspan="1" rowspan="1" 
class="confluenceTd">Used to set the "entityID" for the Metadata. If not 
specified, the context path of 
 the application is used instead.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleDelimiter</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>There are different ways to encode multi value 
attributes in SAML:</p><ul><li>Single attribute with multiple 
values</li><li>Several attributes with the same name but only one 
value</li><li>Single attribute with single value. Roles are delimited by 
<code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleURI</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Defines the attribute name of the SAML token which 
contains the roles. Required for Role Based Access Control. Typically this is 
configured wit
 h the value "<span class="nolink"><a shape="rect" class="external-link" 
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; 
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a></span>".</p></td></tr><tr><td
 colspan="1" rowspan="1" 
class="confluenceTd"><p>claimTypesRequested</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>ClaimTypesRequested (WS-Fed) / RequestedAttribute (SAML 
SSO)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The claims 
required by the Relying Party are listed here. Claims can be optional. If a 
mandatory claim can't be provided by the IDP the issuance of the token should 
fail.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceT
 d"><p>This URL defines the location of the IDP to whom unauthenticated 
requests are redirected.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Security realm of the Relying Party / Application. For 
WS-Federation, this value is part of the SignIn request as the 
<code>wtrealm</code> parameter. For SAML SSO, it is used as the Issuer of the 
AuthnRequest. Default: URL including the Servlet Context</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be 
configured here. The SAML Token validator is enabled by default. See exam
 ple <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/CustomValidator.java";
 rel="nofollow">here.</a></p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">metadataURI</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">The URI where Metadata is served. The default is 
"FederationMetadata/2007-06/FederationMetadata.xml" for WS-Federation and 
"SAML/Metadata.xml" for SAML SSO.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">signRequest</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Whether to sign the AuthnRequest or not. The default is 
false.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">authnRequestBu
 ilder</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td 
colspan="1" rowspan="1" class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">A <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java";
 rel="nofollow">SAMLPRequestBuilder</a> instance used to build the 
AuthnRequest/LogoutRequest. The default is <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java";
 rel="nofollow">here</a>.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">disableDeflateEncoding</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Whether to disable deflate encoding or not. The default is 
"fal
 se".</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">doNotEnforceKnownIssuer</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Whether to not enforce that the issuer of the SAML 
Response is a known value. The default it false (meaning that it is 
enforced).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">issuerLogoutURL</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">The logout URL to redirect to. If not specified it falls 
back to the Issuer URL.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">checkClientAddress</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Whether to check the cl
 ient address against the subject confirmation data address. The default is 
true.</td></tr></tbody></table></div><h5 
id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at 
runtime</h5><p>The following attributes can be either configured statically at 
deployment time or dynamically when the initial request is 
received:</p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li><li>logoutRedirectToConstraint</li><li>request</li><li>freshness</li><li>signInQuery</li><li>signOutQuery</li><li>reply</li></ul><p>These
 configuration elements allows for configuring a CallbackHandler which gets a 
Callback object where the appropriate value must be set. The CallbackHandler 
implementation has access to the HttpServletRequest. The XML attribute 
<code>type</code> must be set to <code>Class</code>.</p><p>For more information 
see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3 
id="FedizConfiguration-AdvancedWS-Federationexample">Adv
 anced WS-Federation example</h3><p>The following example defines the required 
claims and configures a custom callback handler to define some configuration 
values at runtime.</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The IDP issues a SAML token which must be validated by the 
plugin. The validation requires the certificate store of the Certificate 
Authority(ies) of the certificate which signed the SAML token. This is defined 
in <code>certificateStore</code>. The signing certificate itself is not 
required because <code>certificateValidation</code> is set to 
<code>ChainTrust</code>. The audience URI is validated against the audience 
restriction in the SAML token.</p><p>The protocol element declares that the 
WS-Federation protocol is being used. If SAML SSO was being used instead, then 
the "xsi:type" value would be "samlProtocolType". The configuration items 
outside of the "protocol" section are independent of whether WS-Federation or 
SAML SSO are being used.</p><p>The issuer element shows the URL to which 
authenticated requests will be redirected with a SignIn request.</p><h3 
id="FedizConfiguration-Protocol-independentconfigurationreference">Protocol-independent
 configuration referen
 ce</h3><p>The configuration schema can be seen <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/main/resources/schemas/FedizConfig.xsd";
 rel="nofollow">here</a>.</p><div class="table-wrap"><table 
class="confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col 
span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The values of the list of audience URIs are 
verified against the element <code>AudienceRestriction</code> in the SAML 
token. If a SAML token contains a audience restriction which is not listed 
within this collection, the tok
 en will be refused.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>certificateStores</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The list of keystores (JKS, PEM) includes at least the 
certificate of the Certificate Authorities (CA) which signed the certificate 
which is used to sign the SAML token.<br clear="none"> If the file location is 
not fully qualified it needs to be relative to the Container home 
directory</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">tokenExpirationValidation</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Decision whether the token validation (e.g. lifetime) 
shall be performed on every request (true) or only once at initial 
authentication (false). The default is "false".</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">addAuthenticatedRole</td><td 
 colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to add the "Authenticated" role to 
the list of roles associated with the "authenticated" user. This could be 
useful if you don't care about authorizing the user, only about authentication. 
A role is required to activate authentication, and it may be problematic to 
list all relevant roles in web.xml. Note that if the user has no roles, then 
the "Authenticated" role is added automatically. The default is 
"false".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>maximumClockSkew</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Maximum allowable time difference between the system 
clocks of the IDP and RP. Default 5 seconds.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>tokenReplayCache</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optio
 nal</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The <a 
shape="rect" class="external-link" 
href="https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/ReplayCache.java";>ReplayCache</a>
 implementation to use to cache tokens. The default is an implementation based 
on EHCache.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>signingKey</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>If configured, the published (WS-Federation or SAML 
SSO) <a shape="rect" href="fediz-metadata.html">Metadata document</a> is signed 
by this key. Otherwise, not signed.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>tokenDecryptionKey</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A Keystore used to decrypt an encrypted 
token.<
 /p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>trustedIssuers</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>There are two ways to configure a trusted issuer (IDP). 
Either you configure the subject name and the CA(s) who signed the certificate 
of the IDP (<code>certificateValidation=ChainTrust</code>) or you configure the 
certificate of the IDP and the CA(s) who signed it 
(<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">protocol</td><td colspan="1" rowspan="1" 
class="confluenceTd">Required</td><td colspan="1" rowspan="1" 
class="confluenceTd">A protocolType instance that defines the SSO protocol that 
is supported. Currently supported protocols are "federationProtocolType" and 
"samlProtocolType". See below for protocol-specific configuration 
items.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">logoutURL<
 /td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td 
colspan="1" rowspan="1" class="confluenceTd">User defined logout URL to trigger 
federated logout process.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">logoutRedirectTo</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>URL to landing-page after successful 
logout.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">logoutRedirectToConstraint</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>A regular expression constraint on the 'wreply' 
parameter, which is used to obtain the URL to navigate to after successful 
logout. Only applies to WS-Federation 
protocol.</p></td></tr></tbody></table></div><h5 
id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation
 protocol configuration reference</h5><div class="table-wrap"><table class="r
 elative-table confluenceTable" style="width: 92.1635%;"><colgroup 
span="1"><col span="1" style="width: 12.2678%;"><col span="1" style="width: 
5.85594%;"><col span="1" style="width: 15.8395%;"><col span="1" style="width: 
66.0368%;"></colgroup><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">applicationServiceURL</td><td colspan="1" 
rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">entityID</td><td colspan="1" rowspan="1" 
class="confluenceTd">Used to set the "entityID" for the Metadata. If not 
specified, the context path of the application is used 
instead.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleDelimiter</p></td><td col
 span="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>There are different ways to encode multi value 
attributes in SAML:</p><ul><li>Single attribute with multiple 
values</li><li>Several attributes with the same name but only one 
value</li><li>Single attribute with single value. Roles are delimited by 
<code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleURI</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Defines the attribute name of the SAML token which 
contains the roles. Required for Role Based Access Control. Typically this is 
configured with the value "<span 
class="nolink">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</span>".</p></td></tr><tr><td
 cols
 pan="1" rowspan="1" class="confluenceTd"><p>claimTypesRequested</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>ClaimTypesRequested (WS-Fed) / 
RequestedAttribute (SAML SSO)</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The claims required by the Relying Party are listed 
here. Claims can be optional. If a mandatory claim can't be provided by the IDP 
the issuance of the token should fail.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>This URL defines the location of the IDP to whom 
unauthenticated requests are redirected.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><t
 d colspan="1" rowspan="1" class="confluenceTd">NA</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Security realm of the Relying Party / 
Application. For WS-Federation, this value is part of the SignIn request as the 
<code>wtrealm</code> parameter. For SAML SSO, it is used as the Issuer of the 
AuthnRequest. Default: URL including the Servlet Context</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be 
configured here. The SAML Token validator is enabled by default. See example <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/CustomValidator.java";
 rel="nofollow">here.</a></p></td></tr><tr><td colspan="1" rowspan="1
 " class="confluenceTd">metadataURI</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">The URI where Metadata is served. The default is 
"FederationMetadata/2007-06/FederationMetadata.xml" for WS-Federation and 
"SAML/Metadata.xml" for SAML SSO.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">reply</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">The value to send to the IdP in the "wreply" 
parameter.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>authenticationType</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The authentication type defines what kind of 
authentication is 
 required. This information is provided in the SignInRequest to the IDP 
(parameter <code>wauth</code>). The WS-Federation standard defines a list of 
predefined URIs for wauth <a shape="rect" class="external-link" 
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>homeRealm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicates the Resource IDP the home realm of the 
requestor. This may be an URL or an identifier like urn: or uuid: and depends 
on the Resource IDP implementation. This value is part of the SignIn request as 
the <code>whr</code> parameter</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional
 </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The desired "freshness" of the 
token from the IdP. This information is provided in the SignInRequest to the 
IdP (parameter <code>wfresh</code>)</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">request</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">This value is part of the SignIn request as the wreq 
parameter. It can be used to specify a desired TokenType from the 
IdP.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">signInQuery</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Additional queries to be appended to the sign-in 
URL.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"
 >signOutQuery</td><td colspan="1" rowspan="1" 
 >class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
 >class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
 >class="confluenceTd">Additional queries to be appended to the sign-out 
 >URL.</td></tr></tbody></table></div><h5 
 >id="FedizConfiguration-SAMLSSOprotocolconfigurationreference">SAML SSO 
 >protocol configuration reference</h5><div class="table-wrap"><table 
 >class="relative-table confluenceTable" style="width: 93.4696%;"><colgroup 
 >span="1"><col span="1" style="width: 10.8815%;"><col span="1" style="width: 
 >5.22796%;"><col span="1" style="width: 15.5572%;"><col span="1" style="width: 
 >68.3333%;"></colgroup><tbody><tr><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
 >rowspan="1" class="c
 onfluenceTd">applicationServiceURL</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">entityID</td><td colspan="1" rowspan="1" 
class="confluenceTd">Used to set the "entityID" for the Metadata. If not 
specified, the context path of the application is used 
instead.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleDelimiter</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>There are different ways to encode multi value 
attributes in SAML:</p><ul><li>Single attribute with multiple 
values</li><li>Several attributes with the same name but only one 
value</li><li>Single attribute with single value. Roles are delimited by 
<code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleURI</p></td><td colspan="1" rowspan="1" clas
 s="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Defines the attribute name of the SAML token which 
contains the roles. Required for Role Based Access Control. Typically this is 
configured with the value "<span class="nolink"><a shape="rect" 
class="external-link" 
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; 
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a></span>".</p></td></tr><tr><td
 colspan="1" rowspan="1" 
class="confluenceTd"><p>claimTypesRequested</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>ClaimTypesRequested (WS-Fed) / RequestedAttribute (SAML 
SSO)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The claims 
required by the Relying Party are listed here. Claims can be optional. If a 
mandatory claim can't be provided by the IDP the is
 suance of the token should fail.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>This URL defines the location of the IDP to whom 
unauthenticated requests are redirected.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Security realm of the Relying Party / Application. For 
WS-Federation, this value is part of the SignIn request as the 
<code>wtrealm</code> parameter. For SAML SSO, it is used as the Issuer of the 
AuthnRequest. Default: URL including the Servlet Context</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td>
 <td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be 
configured here. The SAML Token validator is enabled by default. See example <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/CustomValidator.java";
 rel="nofollow">here.</a></p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">metadataURI</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">The URI where Metadata is served. The default is 
"FederationMetadata/2007-06/FederationMetadata.xml" for WS-Federation and 
"SAML/Metadata.xml" for SAML SSO.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">reply</td><td colspan="1" r
 owspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">The value for the AssertionConsumerService URL in the 
AuthnRequest</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">signRequest</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Whether to sign the AuthnRequest or not. The default is 
false.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">authnRequestBuilder</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" class="confluenceTd">A 
<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLPRequestBuilder.java";
 rel="nofollow">SAMLPRequestBuilder</a>
  instance used to build the AuthnRequest/LogoutRequest. The default is <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/DefaultSAMLPRequestBuilder.java";
 rel="nofollow">here</a>.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">disableDeflateEncoding</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Whether to disable deflate encoding or not. The default is 
"false".</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">doNotEnforceKnownIssuer</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Whether to not enforce that the issuer of the SAML 
Response is a known value. The default it false (meaning that it is 
enforced).</td>
 </tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">issuerLogoutURL</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">The logout URL to redirect to. If not specified it falls 
back to the Issuer URL.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">checkClientAddress</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">Whether to check the client address against the subject 
confirmation data address. The default is 
true.</td></tr></tbody></table></div><h5 
id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at 
runtime</h5><p>The following attributes can be either configured statically at 
deployment time or dynamically when the initial request is 
received:</p><ul><li>authenticationType</li><li>homeRealm</li><li>i
 
ssuer</li><li>realm</li><li>logoutRedirectToConstraint</li><li>request</li><li>freshness</li><li>signInQuery</li><li>signOutQuery</li><li>reply</li></ul><p>These
 configuration elements allows for configuring a CallbackHandler which gets a 
Callback object where the appropriate value must be set. The CallbackHandler 
implementation has access to the HttpServletRequest. The XML attribute 
<code>type</code> must be set to <code>Class</code>.</p><p>For more information 
see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3 
id="FedizConfiguration-AdvancedWS-Federationexample">Advanced WS-Federation 
example</h3><p>The following example defines the required claims and configures 
a custom callback handler to define some configuration values at 
runtime.</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default">&lt;?xml version="1.0" 
encoding="UTF-8" standalone="yes"?&gt;
 &lt;FedizConfig&gt;
     &lt;contextConfig name="/fedizhelloworld"&gt;
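Review bot: several table descriptions in this hunk are garbled and should be corrected before the page ships. In the WS-Federation table the `homeRealm` row reads "Indicates the Resource IDP the home realm of the requestor" (presumably "Indicates to the Resource IDP the home realm of the requestor") and, like the `freshness` row, ends without a full stop; in the SAML SSO table the `doNotEnforceKnownIssuer` row reads "The default it false" (should be "is false"); and under "Attributes resolved at runtime", "These configuration elements allows" should be "allow". Since `doNotEnforceKnownIssuer` and `checkClientAddress` are the two rows here that relax validation of the SAML Response, their descriptions should spell out what an operator gives up by changing the default rather than only naming the default, e.g. for `doNotEnforceKnownIssuer`: "If true, the issuer of the SAML Response is not checked against a known value. Default: false (the issuer is enforced)." and for `checkClientAddress`: "If false, the client address is no longer compared with the SubjectConfirmationData address, so the assertion is not bound to the client that presents it. Default: true."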
@@ -163,7 +163,7 @@ Apache CXF -- Fediz Configuration
     &lt;/contextConfig&gt;
 &lt;/FedizConfig&gt;
 </pre>
-</div></div><p>checkClientAddress</p></div>
+</div></div></div>
            </div>
            <!-- Content -->
          </td>
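Review bot: the only content change in this hunk is dropping the stray `<p>checkClientAddress</p>` that sat after the closing `</pre>` of the Advanced WS-Federation example; the three `</div>` closers are kept on the `+` line, so the element nesting stays balanced. Because `checkClientAddress` now appears as a documented row in the SAML SSO protocol table in the previous hunk, this reads as leftover text from moving that entry, and the change description should say so, otherwise a later reader may take the removal for a dropped option rather than a cleanup.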

