Experimenting with Apache CXF Fediz in docker

I have covered the capabilities of Apache CXF Fediz many times on this blog, giving instructions of how to deploy the IdP or a sample secured web application to a container such as Apache Tomcat. However such instructions can be quite complex, ranging from building Fediz from scratch and deploying the resulting web applications, to configuring jars + keys in Tomcat, etc. Wouldn't it be great to just be able to build a few docker images and launch them instead? In this post we will show how to easily deploy the Fediz IdP and STS to docker, as well as how to deploy a sample application secured using WS-Federation. Then we show how easy it is to switch the IdP and the application to use SAML SSO instead.

1) The Apache CXF Fediz Identity Provider

The Apache CXF Fediz Identity Provider (IdP) actually consists of two web applications - the IdP itself which can handle both WS-Federation and SAML SSO login requests, as well as an Apache CXF-based Security Token Service (STS) to authenticate the end users. In addition, we also have a third web application, which is the Apache CXF Fediz OpenId Connect IdP, but we will cover that in a future post. It is possible to build docker images for each of these components with the following project on github:

• fediz-idp: A sample project to deploy the Fediz IdP

To launch the IdP in docker, build each of the individual components and then launch using docker-compose, e.g.:

• cd sts; docker build -t coheigea/fediz-sts .
• cd idp; docker build -t coheigea/fediz-idp .
• cd oidc; docker build -t coheigea/fediz-oidc .
• docker-compose up

Please note that this project is provided as a quick and easy way to play around with the Apache CXF Fediz IdP. It should not be deployed in production as it uses default security credentials, etc.

2) The Apache CXF Fediz 'fedizhelloworld' application

Now that the IdP is configured, we will configure a sample application which is secured using the Fediz plugin (for Apache Tomcat). The project is also available on github here:

• fediz-helloworld: Dockerfile to deploy a WS-Federation secured 'fedizhelloworld' application

The docker image can be built and run via:

• docker build -t coheigea/fediz-helloworld .
• docker run -p 8443:8443 coheigea/fediz-helloworld

Now just open a browser and navigate to 'https://localhost:8443/fedizhelloworld/secure/fedservlet'. You will be redirected to the IdP for authentication. Select the default home realm and use the credentials "alice" (password: "ecila") to log in. You should be successfully authenticated and redirected back to the web application.

3) Switching to use SAML SSO instead of WS-Federation

Let's also show how we can switch the security protocol to use SAML SSO instead of WS-Federation. Edit the Dockerfile for the fediz-idp project and uncomment the final two lines (to copy entities-realma.xml and mytomrpkey.cert into the docker image). 'mytomrpkey.cert' is used to validate the Signature of the SAML AuthnRequest, something that is not needed for the WS-Federation case as the client request is not signed. Rebuild the IdP image (docker build -t coheigea/fediz-idp .) and re-launch the IdP again via "docker-compose up".

To switch the 'fedizhelloworld' application we need to make some changes to the 'fediz_config.xml'. These changes are already made in the file 'fediz_config_saml.xml':

	<FedizConfig>
	<contextConfig name="/fedizhelloworld">
	<audienceUris>
	<audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
	</audienceUris>
	<certificateStores>
	<trustManager>
	<keyStore file="ststrust.jks" password="storepass" type="JKS" />
	</trustManager>
	</certificateStores>
	<trustedIssuers>
	<issuer certificateValidation="PeerTrust" />
	</trustedIssuers>
	<maximumClockSkew>1000</maximumClockSkew>
	<signingKey keyAlias="mytomrpkey" keyPassword="tompass">
	<keyStore file="rp-ssl-key.jks" password="tompass" type="JKS" />
	</signingKey>
	<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:type="samlProtocolType" version="1.0.0">
	<realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
	<issuer>https://localhost:10001/fediz-idp/saml</issuer>
	<signRequest>true</signRequest>
	<disableDeflateEncoding>true</disableDeflateEncoding>
	<checkClientAddress>false</checkClientAddress>
	<roleDelimiter>,</roleDelimiter>
	<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
	<claimTypesRequested>
	<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
	<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
	<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
	<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
	</claimTypesRequested>
	</protocol>
	</contextConfig>
	</FedizConfig>

view raw fediz_config_saml.xml hosted with ❤ by GitHub

Copy 'fediz_config_saml.xml' to 'fediz_config.xml' and rebuild the docker image:

• docker build -t coheigea/fediz-helloworld .
• docker run -p 8443:8443 coheigea/fediz-helloworld

Open a browser and navigate to 'https://localhost:8443/fedizhelloworld/secure/fedservlet' again. Authentication should succeed as before, but this time using SAML SSO as the authentication protocol instead of WS-Federation.