Hi Gina

Please make sure to configure the ClaimsAttributeStatementProvider as illustrated
in this example:

        <bean id="transportSamlTokenProvider"
              class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
            <property name="attributeStatementProviders"
                      ref="attributeStatementProvidersList" />
        </bean>
        <util:list id="attributeStatementProvidersList">
            <ref bean="claimAttributeProvider" />
        </util:list>
        <bean id="claimAttributeProvider"
              class="org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider" />

I have to add this to the wiki.

Thanks
------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Gina Choi [[email protected]]
Sent: 28 June 2012 23:27
To: [email protected]
Cc: [email protected]
Subject: Re: Configuring Fediz IDP with OpenLDAP

So, I got OpenLDAP working: the user is authenticated and I got back an RSTR. The only
problem is that I don't see the expected Attributes in the AttributeStatement
of the RSTR.

1. The following is the part of my RSTR token which contains the AttributeStatement. I
am supposed to get First Name, Last Name, Email and Role instead of
'authenticated'.

              <saml2:AudienceRestriction>
                <saml2:Audience>https://wkengchoi.global.sdl.corp:8443/fedizhelloworld/</saml2:Audience>
              </saml2:AudienceRestriction>
            </saml2:Conditions>
            <saml2:AttributeStatement>
              <saml2:Attribute Name="token-requestor"
                               NameFormat="http://cxf.apache.org/sts">
                <saml2:AttributeValue xsi:type="xs:string">authenticated</saml2:AttributeValue>
              </saml2:Attribute>
            </saml2:AttributeStatement>
          </saml2:Assertion>
        </RequestedSecurityToken>

2. I have the following configured in RPClaims.xml on the IDP.

     <util:map id="realm2ClaimsMap">
           <entry key="http://localhost:8080/fedizhelloworldother/"
                  value-ref="claimsWsfedhelloworld" />
           <entry key="http://localhost:8080/fedizhelloworld/"
                  value-ref="claimsWsfedhelloworld2" />
           <entry key="https://localhost:8443/fedizhelloworld/"
                  value-ref="claimsWsfedhelloworld2" />
     </util:map>

     <util:list id="claimsWsfedhelloworld">
         <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value>
         <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value>
     </util:list>

     <util:list id="claimsWsfedhelloworld2">
         <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value>
         <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value>
         <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</value>
         <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value>
     </util:list>

3. And I have the following content in cxf-transport.xml:

 <util:map id="claimsToLdapAttributeMapping">
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
         value="givenName" />
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
         value="sn" />
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
         value="mail" />
  <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
         value="title" />
 </util:map>
 <bean id="ldapClaimsHandler"
       class="org.apache.cxf.sts.claims.LdapClaimsHandler">
  <property name="ldapTemplate" ref="ldapTemplate" />
  <property name="claimsLdapAttributeMapping"
            ref="claimsToLdapAttributeMapping" />
  <property name="userBaseDN" value="ou=People,dc=maxcrc,dc=com" />
 </bean>
4. And I was able to get back the attributes using the following test code.

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// ctx (DirContext), base, searchFilter and controls (SearchControls) are set up
// earlier in the test; the enclosing method declares "throws NamingException".
NamingEnumeration<SearchResult> srchResponse = ctx.search(base, searchFilter, controls);
if (srchResponse != null && srchResponse.hasMore()) {
 SearchResult searchResult = srchResponse.next();
 if (searchResult != null) {
  Attributes attrs = searchResult.getAttributes();
  // The LDAP attribute names match the values in claimsToLdapAttributeMapping.
  String email = (String) attrs.get("mail").get();
  String commonName = (String) attrs.get("cn").get();
  String lastName = (String) attrs.get("sn").get();
  String firstName = (String) attrs.get("givenName").get();
  String title = (String) attrs.get("title").get(); // mapped to the role claim
 }
}
Am I missing any configuration steps?

Thanks.

Gina Choi

On Thu, Jun 28, 2012 at 9:03 AM, Gina Choi <[email protected]> wrote:

> You are right. In the test code, I used the root level user and password and I
> thought that if root level binding works, regular user login wouldn't be a
> problem.
> I found the following on the Internet.
> *********
> Any LDAP authentication routine typically contains *two* binds, not just
> one. The first bind
> should be as a service account (probably better not to use the directory
> Manager account) which does the search for the user's DN.
> The second bind actually binds as the user with the password given, so
> you don't need to compare anything. The directory simply returns
> authentication success or failure.
> ************
> So, I used the attached code to test user "gchoi" and I got [LDAP: error code
> 49 - Invalid Credentials]. I even changed the password for user "gchoi" and
> tried with other user credentials, but it is still the same. So, I have to
> fix this issue first. This must be something to do with the OpenLDAP
> installation.
> On Wed, Jun 27, 2012 at 5:19 AM, Colm O hEigeartaigh
> <[email protected]> wrote:
>
>>
>> You don't appear to be using the username "gchoi" in the java test code?
>> Are you sure this username/password is correct?
>>
>> Colm.
>
>
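To confirm whether the ClaimsAttributeStatementProvider fix actually changed the token, it helps to check the RSTR mechanically rather than by eye. The following script is an added example and is not code from this thread or from the CXF/Fediz projects. It assumes, as CXF's ClaimsAttributeStatementProvider does for SAML 2.0, that each requested claim is emitted as a saml2:Attribute whose Name is the claim type URI; the two RSTR samples, the host name rp.example.test and the user values in them are constructed for the example. It reports claims that are missing entirely (the "token-requestor only" shape in Gina's mail) and claims that are present but carry no value, which is what you see when the provider is wired in but the mapped LDAP attribute is not set on the user entry.

```python
# Added example (not from the thread): inspect the saml2:AttributeStatement of an
# RSTR and report which expected WS-Federation claim URIs are absent or empty.
# Assumption: each claim is a saml2:Attribute whose Name is the claim type URI.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# The claim list configured for the relying party (claimsWsfedhelloworld2 above).
EXPECTED_CLAIMS = [CLAIMS + n for n in ("givenname", "surname", "emailaddress", "role")]

# Constructed skeleton of a RequestedSecurityToken; rp.example.test is a placeholder host.
ASSERTION_HEAD = (
    "<RequestedSecurityToken>"
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xs="http://www.w3.org/2001/XMLSchema">'
    "<saml2:Conditions><saml2:AudienceRestriction>"
    "<saml2:Audience>https://rp.example.test:8443/fedizhelloworld/</saml2:Audience>"
    "</saml2:AudienceRestriction></saml2:Conditions>"
)
ASSERTION_TAIL = "</saml2:Assertion></RequestedSecurityToken>"


def attribute(name, *values):
    """Build one saml2:Attribute element as a string (constructed sample data)."""
    vals = "".join(
        f'<saml2:AttributeValue xsi:type="xs:string">{v}</saml2:AttributeValue>'
        for v in values
    )
    return (
        f'<saml2:Attribute Name="{name}" NameFormat="http://cxf.apache.org/sts">'
        f"{vals}</saml2:Attribute>"
    )


# Constructed sample 1: the shape reported in the thread, only the STS default attribute.
RSTR_DEFAULT_ONLY = (
    ASSERTION_HEAD
    + "<saml2:AttributeStatement>"
    + attribute("token-requestor", "authenticated")
    + "</saml2:AttributeStatement>"
    + ASSERTION_TAIL
)

# Constructed sample 2: a token from a configured provider, with the role claim
# present but empty (as when the mapped LDAP attribute is not set on the entry).
RSTR_WITH_CLAIMS = (
    ASSERTION_HEAD
    + "<saml2:AttributeStatement>"
    + attribute("token-requestor", "authenticated")
    + attribute(CLAIMS + "givenname", "Gina")
    + attribute(CLAIMS + "surname", "Choi")
    + attribute(CLAIMS + "emailaddress", "gchoi@example.test")
    + attribute(CLAIMS + "role")
    + "</saml2:AttributeStatement>"
    + ASSERTION_TAIL
)


def audience(rstr_xml):
    """Return the saml2:Audience text, or None if the assertion has none."""
    el = ET.fromstring(rstr_xml).find(".//saml2:Audience", NS)
    return (el.text or "").strip() if el is not None else None


def attribute_values(rstr_xml):
    """Map every saml2:Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(rstr_xml)
    found = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        found[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)
        ]
    return found


def check_claims(rstr_xml, expected=EXPECTED_CLAIMS):
    """Return (missing, empty): claim URIs with no Attribute at all, and claim URIs
    whose Attribute is present but carries no non-empty value."""
    found = attribute_values(rstr_xml)
    missing = [c for c in expected if c not in found]
    empty = [c for c in expected if c in found and not any(found[c])]
    return missing, empty


if __name__ == "__main__":
    for label, doc in (("default only", RSTR_DEFAULT_ONLY), ("with claims", RSTR_WITH_CLAIMS)):
        missing, empty = check_claims(doc)
        print(f"{label}: audience={audience(doc)} missing={missing} empty={empty}")
```

Run it against the RequestedSecurityToken element cut from a real RSTR instead of the constructed samples. The reported audience is also useful on its own: the realm2ClaimsMap in RPClaims.xml is keyed by the relying party's realm, so if the list of missing claims is still the full list after the provider is configured, compare the audience the STS put in the token with the entry key that is supposed to select the claims list.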