1) The Apache CXF Fediz Identity Provider
The Apache CXF Fediz Identity Provider (IdP) consists of two web applications: the IdP itself, which handles both WS-Federation and SAML SSO login requests, and an Apache CXF-based Security Token Service (STS) that authenticates the end users. There is also a third web application, the Apache CXF Fediz OpenId Connect IdP, which we will cover in a future post. Docker images for each of these components can be built with the following project on github:
- fediz-idp: A sample project to deploy the Fediz IdP
- cd sts; docker build -t coheigea/fediz-sts .
- cd idp; docker build -t coheigea/fediz-idp .
- cd oidc; docker build -t coheigea/fediz-oidc .
- docker-compose up
2) The Apache CXF Fediz 'fedizhelloworld' application
Now that the IdP is configured, we will configure a sample application which is secured using the Fediz plugin (for Apache Tomcat). The project is also available on github here:
- fediz-helloworld: Dockerfile to deploy a WS-Federation secured 'fedizhelloworld' application
- docker build -t coheigea/fediz-helloworld .
- docker run -p 8443:8443 coheigea/fediz-helloworld
3) Switching to use SAML SSO instead of WS-Federation
Let's also show how we can switch the security protocol to SAML SSO instead of WS-Federation. Edit the Dockerfile for the fediz-idp project and uncomment the final two lines (to copy entities-realma.xml and mytomrpkey.cert into the docker image). 'mytomrpkey.cert' is used to validate the Signature of the SAML AuthnRequest, something that is not needed in the WS-Federation case because the client request is not signed. Rebuild the IdP image (docker build -t coheigea/fediz-idp .) and re-launch the IdP via "docker-compose up".
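To make the difference between the two login requests concrete, here is an added example (not code from the post or from the Fediz project) that decodes a sign-in request the way an IdP front door would see it: a WS-Federation request is plain query parameters with nothing to verify, while a SAML SSO AuthnRequest over the Redirect binding is DEFLATE-compressed, base64-encoded XML whose signature, if present, travels in the SigAlg and Signature parameters. The realm, URLs, sample AuthnRequest and the function names (classify_sso_request, admission_decision) are constructed assumptions for illustration; the script only checks that a signature is present, and the actual cryptographic verification against the relying party's certificate (the role 'mytomrpkey.cert' plays above) is outside its scope.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample values for the 'fedizhelloworld' relying party (assumptions, not taken from the post).
RP_REALM = "urn:org:apache:cxf:fediz:fedizhelloworld"
ACS_URL = "https://localhost:8443/fedizhelloworld/secure/fedservlet"

# Constructed SAML 2.0 AuthnRequest as the application would send it to the IdP.
AUTHN_REQUEST_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    f'AssertionConsumerServiceURL="{ACS_URL}">'
    f"<saml:Issuer>{RP_REALM}</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_saml_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(wbits=-15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_saml_request(value: str) -> str:
    """Reverse of encode_redirect_saml_request."""
    return zlib.decompress(base64.b64decode(value), wbits=-15).decode("utf-8")


def build_wsfed_query() -> str:
    """WS-Federation sign-in: plain query parameters, nothing is signed."""
    return urlencode({"wa": "wsignin1.0", "wtrealm": RP_REALM, "wreply": ACS_URL})


def build_saml_query(signed: bool) -> str:
    """SAML SSO sign-in via the Redirect binding; the signature, if any, rides in SigAlg/Signature."""
    params = {"SAMLRequest": encode_redirect_saml_request(AUTHN_REQUEST_XML)}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        # Placeholder bytes standing in for a real RSA signature over the query string (constructed).
        params["Signature"] = base64.b64encode(b"constructed-signature-bytes").decode("ascii")
    return urlencode(params)


def classify_sso_request(query_string: str) -> dict:
    """Work out which protocol a login request uses and whether it carries a signature."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if params.get("wa") == "wsignin1.0":
        # WS-Federation: the IdP has nothing to validate on the inbound request itself
        return {"protocol": "ws-federation", "realm": params.get("wtrealm"), "signed": False}
    if "SAMLRequest" in params:
        root = ET.fromstring(decode_redirect_saml_request(params["SAMLRequest"]))
        if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
            raise ValueError("SAMLRequest is not an AuthnRequest")
        return {
            "protocol": "saml-sso",
            "realm": root.findtext(f"{{{SAML_NS}}}Issuer"),
            "signed": "Signature" in params and "SigAlg" in params,
            "acs": root.get("AssertionConsumerServiceURL"),
        }
    raise ValueError("unrecognised SSO request")


def admission_decision(query_string: str, registered_realms: set, require_signed_saml: bool = True) -> tuple:
    """IdP-side gate (hypothetical): the realm must be registered, and a SAML request must be
    signed when signing is required. A present signature still has to be verified against the
    relying party's certificate; that cryptographic step is not performed here."""
    info = classify_sso_request(query_string)
    if info["realm"] not in registered_realms:
        return False, f"unknown realm {info['realm']!r}"
    if info["protocol"] == "saml-sso" and require_signed_saml and not info["signed"]:
        return False, "AuthnRequest is unsigned but a signed request is required"
    return True, f"{info['protocol']} request for {info['realm']} accepted"


if __name__ == "__main__":
    for query in (build_wsfed_query(), build_saml_query(signed=True), build_saml_query(signed=False)):
        print(admission_decision(query, {RP_REALM}))
```

Running the script prints one decision per constructed request: the WS-Federation request and the signed AuthnRequest are admitted, the unsigned AuthnRequest is refused. That refusal is the behaviour you want once a relying-party certificate is configured on the IdP, since an unsigned AuthnRequest gives the IdP no way to tie the request to the registered application.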
To switch the 'fedizhelloworld' application we need to make some changes to 'fediz_config.xml'. These changes are already made in the file 'fediz_config_saml.xml'.
Copy 'fediz_config_saml.xml' to 'fediz_config.xml' and rebuild the docker image:
- docker build -t coheigea/fediz-helloworld .
- docker run -p 8443:8443 coheigea/fediz-helloworld