>>>
If those 2 are the only stores I have to manage from my application,
then reading the keystore documentation I think what I have to do is:
  - import the IDP key (from the active directory) in the stsstore.jks
>>>
That's correct. See below how to import that.

>>
Because the example already has the other 2 steps done from the beginning:
  - export the key from stsstore.jks into MySTS.cer
  - import the MySTS.cer into tomcat-rp.jks
So I need to get the IDP key. Would it be the public key I can export
from the browser when accessing the identity server I want to
authenticate to?
>>>
No, the certificate you see as part of the SSL handshake is different.

You see the IDP certificate here:
https://186.33.232.65/FederationMetadata/2007-06/FederationMetadata.xml

RoleDescriptor->KeyDescriptor->KeyInfo->X509Data

HTH

Oli
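Added example, not code from this thread or from the Fediz project: it walks the RoleDescriptor->KeyDescriptor->KeyInfo->X509Data path named above in a FederationMetadata.xml document and writes the signing certificate out as PEM so it can be imported into stsstore.jks. The metadata document and the base64 body inside it are constructed placeholders, not a real IDP certificate.

```python
import textwrap
import xml.etree.ElementTree as ET

# Namespaces used by WS-Federation metadata: SAML 2.0 metadata plus XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def extract_signing_certs(metadata_xml):
    """Return PEM strings for every certificate found under
    RoleDescriptor -> KeyDescriptor -> KeyInfo -> X509Data -> X509Certificate.
    Only KeyDescriptors with use="signing" (or no use attribute) are kept:
    that is the key that signs the SAML token the relying party must trust,
    and it is different from the TLS certificate of the IDP web server."""
    root = ET.fromstring(metadata_xml)
    pems = []
    for role in root.iter("{%s}RoleDescriptor" % NS["md"]):
        for kd in role.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                b64 = "".join((cert.text or "").split())  # drop whitespace/newlines
                if b64:
                    body = "\n".join(textwrap.wrap(b64, 64))  # standard PEM line width
                    pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return pems

# Constructed sample with the shape of FederationMetadata.xml; the base64 is a
# placeholder, not a real certificate, so keytool would reject this exact file.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://idp.example.test/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIBsamplePLACEHOLDERbase64ONLYNOTaREALcert==
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>ENCRYPTIONcertNOTwanted==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for i, pem in enumerate(extract_signing_certs(SAMPLE_METADATA)):
        with open("idp-signing-%d.pem" % i, "w") as f:
            f.write(pem)
```

The resulting file is imported with `keytool -importcert -trustcacerts -alias idp -file idp-signing-0.pem -keystore stsstore.jks -storepass stsspass`, using the keystore password from the fediz_config.xml quoted below.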

________________________________________
From: Federico Tello Gentile [[email protected]]
Sent: 19 July 2013 16:44
To: [email protected]
Cc: Oliver Wulff
Subject: Re: Running Fediz Spring example webapp

On 15/07/13 12:14, Oliver Wulff wrote:

> Please update the issuer url to the following (WEB-INF/fediz_config.xml, I'll 
> delete the one in src/main/config)
> https://localhost:9443/fediz-idp/federation

Thanks for your help. I made great progress. I have my own application
authenticating against a Tomcat running Fediz IDP-STS.

My question now is about the certificates on the relying party side (my
application).

I'm now using the example's keystores and certificates. In the
CATALINA_HOME of my application's Tomcat 7 I have "tomcat-rp.jks" which
is used to set up HTTPS connector and inside my application's WAR I have
"stsstore.jks" which is referenced in my application's
WEB-INF/fediz_config.xml like this

<certificateStores>
    <trustManager>
        <keyStore file="stsstore.jks" password="stsspass" type="JKS" />
    </trustManager>
</certificateStores>

I'm a bit confused as the documentation
[http://cxf.apache.org/fediz-configuration.html] says

- certificateStores
- Trusted certificate store
- Required
"The list of keystores (JKS, PEM) includes at least the certificate of
the Certificate Authorities (CA) which signed the certificate which is
used to sign the SAML token.
If the file location is not fully qualified it needs to be relative to
the Container home directory"

Right now that file is not relative to the container. So maybe the doc
is outdated?

I want to authenticate to a different identity server (I think this one
is based on ActiveDirectory).

If those 2 are the only stores I have to manage from my application,
then reading the keystore documentation I think what I have to do is:

  - import the IDP key (from the active directory) in the stsstore.jks

Because the example already has the other 2 steps done from the beginning:
  - export the key from stsstore.jks into MySTS.cer
  - import the MySTS.cer into tomcat-rp.jks

So I need to get the IDP key. Would it be the public key I can export
from the browser when accessing the identity server I want to
authenticate to?

https://186.33.232.65/

I may be confused because I'm new to the WS-Federation protocol. Any
help is appreciated.

Thanks.
