Hi Hua Jie

The certificates are used for different purposes. On the one hand, there are 
web server certificates for https (idp, application) and on the other hand the 
signer certificate for the SAML token.

Glen did a great job of giving the background on which certificate is used where:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co

Oli

________________________________________
From: 杨华杰 [yhj...@gmail.com]
Sent: 19 October 2012 03:31
To: dev@cxf.apache.org
Subject: Re: Updated Fediz roadmap

Hi Oliver

I made Fediz work a long time ago. But I still cannot figure out
why I need to generate so many SSL certs. How do you explain this when
you are facing people like me? Any document improvement release?



Regards,
Hua Jie

On Fri, Oct 19, 2012 at 2:02 AM, Oliver Wulff <owu...@talend.com> wrote:

> Hi all
>
> The following issues were fixed:
> FEDIZ-17    Current Fediz STS exposes SOAP 1.1 end point
> FEDIZ-18    Make supported claims configurable in FileClaimsHandler
> FEDIZ-25    Look for fediz_config.xml in catalina base too
> FEDIZ-20    Maintain authentication state (Prevents using the same Fediz
> IDP for different RPs)
> FEDIZ-28    Logout capability in IDP
>
> I'd like to prepare the release for 1.0.2 which is a significant
> improvement especially of the idp/sts.
>
> Then, I'd create a fixes branch for 1.0 and move trunk to 1.1.
>
> Thoughts?
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Oliver Wulff [owu...@talend.com]
> Sent: 04 October 2012 21:59
> To: dev@cxf.apache.org
> Subject: Updated Fediz roadmap
>
> Hi all
>
> What do you think about the following roadmap?
>
> Release 1.0.2   (include CXF STS 2.6.3)
>
> FEDIZ-17    Current Fediz STS exposes SOAP 1.1 end point
> FEDIZ-18    Make supported claims configurable in FileClaimsHandler
> FEDIZ-25    Look for fediz_config.xml in catalina base too
> FEDIZ-20    Maintain authentication state (Prevents using the same Fediz
> IDP for different RPs)
> FEDIZ-27    Signout in RP (only support processing signout requests, don't
> support redirect signout to IDP)
> FEDIZ-28    Logout capability in IDP
>
>
> Release 1.1 (planned release end of year)
> ---------------
>
> FEDIZ-5
> Support Jetty container (will support then TESB with WAR deployment)
>
> FEDIZ-9 CXF Plugin
> - add jaxrs interceptor which adapts fediz-core to support WS-Federation
> for JAX-RS
> - add FederationFilter, SecurityTokenThreadLocal,
> ThreadLocalCallbackHandler from examples
>
> FEDIZ-2    Support encrypted tokens
>     Support encrypted tokens
>     "Initial redesign of IDP...
>  custom functionality can be plugged in as ServletFilters (small state
> machine in IDP)
>  configuration design (configs per wtrealm, url to metadata or everything
> local, not all information can be retrieved from metadata document)"
>
> FEDIZ-23    Support different authentication mechanism
>
> FEDIZ-15    Support that IDP publishes Metadata document (which covers
> SAML-P as well)
>
> FEDIZ-16    Instead configure required claims per wtrealm in RPClaims.xml
> configure the metadata url
>
> FEDIZ-19    IDP must provide a webpage where the user can click logout
> (login if requested explicitly)
> All signed in apps must be cached
> After signout click, IDP returns html page which downloads a resource from
> each RP
>
>     Support for wfresh (reauthenticate)
>     Pseudonym Service support
>
>
> Release 1.2 (planned release Q1 of 2013)
> ---------------
>
> FEDIZ-3    "Support RP-IDP/STS
> add basic home realm discovery service (whr provided by RP), default RP
> and maybe dependent on source ip, http header, query parameter (expression
> language)"
>
> FEDIZ-4    Support for HOK
>
> FEDIZ-7    Support for SAML-P
>
>
> Looking forward to your feedback, ideas and as always welcome - patches
> ;-)
>
> Thanks
> Oli
>
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com
>
