Tuesday, August 25, 2015

Apache CXF Fediz 1.2.0 tutorial - part VII

This is the seventh and final blog post on a series of new features introduced in Apache CXF Fediz 1.2.0. The previous post looked at the new REST API of the IdP. Up to now, we have only covered the basic scenario where the application and the IdP are in the same realm. However, a more sophisticated example is when the application is in a different realm. In this case, the IdP must redirect the user to the home IdP of the application for authentication. The IdP has supported this functionality up to now using WS-Federation only. However, the 1.2.0 IdP supports the ability to redirect to a SAML SSO IdP, thus acting as an identity broker between the two protocols. We will cover this functionality in this tutorial.

1) Setup simpleWebapp + SAML SSO IdP

As with previous tutorials, please follow the first tutorial to deploy the Fediz IdP + STS to Apache Tomcat, as well as the "simpleWebapp". However, this time the "simpleWebapp" is going to be deployed in a different realm. Edit 'conf/fediz_config.xml' and add the following under the "protocol" section:
  • <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-B</homeRealm>
This tells the IdP that the application is to be authenticated in "realm-B".

The next thing we are going to do is to set up a SAML SSO IdP which will authenticate users who want to access "simpleWebapp". In this tutorial we will just use a mocked SAML SSO IdP in the Fediz system tests for convenience. Build the war as in the following steps + deploy to Tomcat:
2) Configure the Fediz IdP

Next we need to take a look at configuring the Fediz IdP so that it knows where to find the SAML SSO IdP associated with "realm B" and how to communicate with it. Edit 'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml':

In the 'idp-realmA' bean:
  • Change the port in "idpUrl" to "8443".
In the 'trusted-idp-realmB' bean:
  • Change the "url" value to "https://localhost:8443/samlssoidp/samlsso".
  • Change the "protocol" value to "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser".
  • Add the following: <property name="parameters"><util:map><entry key="support.deflate.encoding" value="true" /></util:map></property>
The "parameters" map above is a way to provide SAML SSO specific configuration options to the Fediz IdP. The following options can be configured:
  • sign.request - Whether to sign the request or not. The default is "true".
  • require.keyinfo - Whether to require a KeyInfo or not when processing a (signed) Response. The default is "true".
  • require.signed.assertions - Whether the assertions contained in the Response must be signed or not. The default is "true".
  • require.known.issuer - Whether we have to "know" the issuer of the SAML Response or not. The default is "true".
  • support.base64.encoding - Whether we Base64-decode the response or not. The default is "true".
  • support.deflate.encoding - Whether we support Deflate encoding or not. The default is "false".
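To make the encoding and issuer options above concrete, here is an added Python example (not Fediz code, and not taken from the original post) that mimics what a SAML SSO relying side does when it receives a SAMLResponse parameter: Base64-decode it, optionally inflate it (raw DEFLATE, as the HTTP-Redirect binding uses), and then check the Issuer against a list of trusted IdPs as "require.known.issuer" demands. The sample Response XML, the option names mapped to a plain dictionary, and the helper function names are all constructed for illustration; Fediz's own implementation lives in TrustedIdpSAMLProtocolHandler and is not reproduced here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample Response; it only illustrates the encoding steps
# and the Issuer check and is not a real IdP response.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Issuer>urn:org:apache:cxf:fediz:idp:realm-B</saml:Issuer>'
    '<saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Issuer>urn:org:apache:cxf:fediz:idp:realm-B</saml:Issuer>'
    '</saml:Assertion>'
    '</samlp:Response>'
)

# The "parameters" map from the tutorial, with the defaults the post lists
# (hypothetical dictionary shape; Fediz reads these as string values).
DEFAULT_OPTIONS = {
    "support.base64.encoding": True,
    "support.deflate.encoding": False,
    "require.known.issuer": True,
}

KNOWN_ISSUERS = {"urn:org:apache:cxf:fediz:idp:realm-B"}


def encode_response(xml_text, deflate=False):
    """Encode a Response the way an IdP would for the HTTP-POST binding
    (Base64 only) or, with deflate=True, the HTTP-Redirect binding
    (raw DEFLATE followed by Base64)."""
    data = xml_text.encode("utf-8")
    if deflate:
        # wbits=-15 selects raw DEFLATE (RFC 1951) without a zlib header.
        compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = compressor.compress(data) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_response(encoded, options):
    """Undo the transport encoding according to the configured options.
    A mismatch (e.g. deflate enabled but the IdP did not deflate) raises,
    which is the behaviour a relying side wants rather than a silent parse."""
    data = encoded.encode("ascii")
    if options.get("support.base64.encoding", True):
        data = base64.b64decode(data, validate=True)
    if options.get("support.deflate.encoding", False):
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")


def check_issuer(xml_text, known_issuers, options):
    """Return the Response Issuer, rejecting it when "require.known.issuer"
    is set and the Issuer is not one of the configured trusted IdPs."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if options.get("require.known.issuer", True) and issuer not in known_issuers:
        raise ValueError("SAML Response from unknown issuer: %r" % issuer)
    return issuer


def process(encoded, options, known_issuers=KNOWN_ISSUERS):
    """Decode then validate; returns the accepted Issuer."""
    return check_issuer(decode_response(encoded, options), known_issuers, options)


if __name__ == "__main__":
    post_style = encode_response(SAMPLE_RESPONSE)
    print("HTTP-POST style accepted, issuer:", process(post_style, DEFAULT_OPTIONS))

    redirect_opts = dict(DEFAULT_OPTIONS, **{"support.deflate.encoding": True})
    redirect_style = encode_response(SAMPLE_RESPONSE, deflate=True)
    print("HTTP-Redirect style accepted, issuer:", process(redirect_style, redirect_opts))
```

Running the module shows both encodings being accepted when the options match the binding in use; feeding the deflated form to the default options (deflate disabled) fails at XML parsing, and a Response whose Issuer is not in the configured set is rejected before any further processing, which is the effect of leaving "require.known.issuer" at its default of "true".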
Redeploy the Fediz IdP + navigate to the following URL in a browser:
  • https://localhost:8443/fedizhelloworld/secure/fedservlet
You will see that the Fediz IdP will redirect the browser to the mocked SAML SSO IdP for authentication (authenticate with "ALICE/ECILA") and then back to the Fediz IdP and eventually back to the client application.


  1. Hi Colm,
    I was reviewing the code in TrustedIdpSAMLProtocolHandler
    and it looks like that the require.keyinfo property is not used at all.
    I guess this is a bug.

    1. Yep, this is now fixed: https://issues.apache.org/jira/browse/FEDIZ-142