Hi Oli, Thanks for checking over the image. Happy for the image to be uploaded to the wiki. I have the Visio document it came from too if that helps.
As for the option for IDP to STS authentication using SignedSupportingTokens or mutual SSL-handshake, I'm not sure yet. At this stage, I'm trying to work out and document all the options (along with reading the WS-FEDERATION and WS-TRUST specifications).

I'm still not sure where:

- the IDP APP Public key is configured within the STS service
- the IDP APP Private key is configured within the IDP service

Many thanks,

Chris

On Fri, May 3, 2013 at 2:59 PM, Oliver Wulff <owu...@talend.com> wrote:

> Great overview. Would be great to have something like this on the wiki. I spotted one thing. The public key in the RP is the "STS App Public Key" instead of "STS Container SSL Public Key".
>
> The keystore to validate the SAML token signature is configured here:
> http://cxf.apache.org/fediz-configuration.html --> certificateStores
>
> Do you plan a SignedSupportingTokens policy between the IDP and STS or use mutual SSL-handshake?
>
> Thanks
> Oli
>
> ________________________________________
> From: chris snow [chsnow...@gmail.com]
> Sent: 03 May 2013 14:49
> To: users@cxf.apache.org
> Subject: Re: Fediz: key and keystore requirements
>
> I'm trying to understand the key and keystore requirements for fediz using IDP, STS and RP all deployed in separate web containers and using native spring security in the RP.
>
> I have uploaded my current understanding here:
>
> http://picpaste.com/Fediz_Keystores-INNrABZM.png
>
> Questions:
>
> Is this diagram correct?
> The diagram has some questions: "Configured in ?" - where are these keys configured in the code?
>
> --
> Chris Snow - http://uk.linkedin.com/pub/chris-snow-mba-tech-mgmt-cissp/6/0/316
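The point Oli makes above (the RP trusts the "STS App Public Key", held in the keystore referenced by `certificateStores`, when it validates the SAML token signature) can be illustrated with a stand-alone check. The following is an added example, not Fediz code and not part of the thread: it loads the STS signing certificate from an RP-side JKS trust store and validates the enveloped XML signature on a SAML 2.0 assertion with that certificate's public key, deliberately ignoring any `KeyInfo` carried inside the token. The file name `rp-trust.jks`, the password `storepass` and the alias `sts-app` are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class RpTokenSignatureCheck {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Load the STS signing certificate from the RP's trust store. This plays the role
    // of the trust keystore configured under certificateStores in fediz_config.xml
    // (the "STS App Public Key" in the diagram), not the container's SSL keystore.
    static X509Certificate loadStsCert(String path, char[] storePassword, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        cert.checkValidity(); // reject an expired or not-yet-valid STS certificate
        return cert;
    }

    // Validate the enveloped signature on the first <saml2:Assertion> in the document.
    // The verification key comes from the trust store, never from the token's own
    // KeyInfo, so a token signed with an attacker-chosen key fails here.
    static boolean verifyAssertion(Document doc, X509Certificate stsCert) throws Exception {
        NodeList assertions = doc.getElementsByTagNameNS(SAML2_NS, "Assertion");
        if (assertions.getLength() == 0) {
            return false;
        }
        Element assertion = (Element) assertions.item(0);

        // Signature must be a direct child of the assertion, not buried elsewhere.
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) {
            return false;
        }

        DOMValidateContext ctx = new DOMValidateContext(stsCert.getPublicKey(), sigs.item(0));
        // A non-validating parse does not know that "ID" is an ID attribute; without
        // this the Reference URI="#..." cannot be resolved and validation fails.
        ctx.setIdAttributeNS(assertion, null, "ID");

        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!signature.validate(ctx)) {
            return false;
        }
        // Make sure the signature actually covers the assertion, not some other element.
        String expectedUri = "#" + assertion.getAttribute("ID");
        return signature.getSignedInfo().getReferences().stream()
                .anyMatch(r -> expectedUri.equals(((javax.xml.crypto.dsig.Reference) r).getURI()));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Defensive parser settings: no DTDs, no external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        Document doc;
        try (FileInputStream in = new FileInputStream(args[0])) {
            doc = dbf.newDocumentBuilder().parse(in);
        }
        // Assumed placeholder trust store, password and alias.
        X509Certificate stsCert = loadStsCert("rp-trust.jks", "storepass".toCharArray(), "sts-app");
        System.out.println(verifyAssertion(doc, stsCert) ? "signature valid" : "signature INVALID");
    }
}
```

Run it as `java RpTokenSignatureCheck token.xml` against a file containing a signed assertion. The trust store only needs the STS signing certificate (imported with `keytool -importcert`); the STS private key stays in the STS keystore, which is the separation the diagram in the thread is trying to pin down. Signature validity on its own is not sufficient for accepting a token: issuer, audience and the validity window still have to be checked by the RP, as Fediz does with its `trustedIssuers` and `audienceUris` settings.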