Apache CXF Fediz ships plugins for Jetty 8 and 9 instances. Previous versions of Fediz shipped plugins for Jetty 7. From release 1.4.5, the Jetty 8 and 9 plugins support both WS-Federation and SAML SSO.
This page describes how to enable Federation for a Jetty 7/8 instance hosting Relying Party (RP) applications. This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or for hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Jetty-RP instance will validate the incoming SignInResponse created by the IDP server.
Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the Tomcat IDP instance as discussed here, and can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on your machine.
You can either build the Fediz plugin on your own or download the package here. If you have built the plugin on your own you'll find the required libraries in plugins/jetty${version}/target/...zip-with-dependencies.zip.
Copy the required libraries into a new directory named fediz in ${jetty.home}/lib/fediz.
Update start.ini in ${jetty.home}/start.ini by adding fediz to the OPTIONS:
OPTIONS=Server,fediz
It's recommended to set up a dedicated (separate) Jetty instance for the Relying Party. The Fediz RP web applications use the following TCP ports:
These are the default ports for a standard Jetty installation.
The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.
The Jetty HTTP(s) configuration is done in etc/jetty-ssl.xml.
The configuration is described in detail here.
This page also describes how to create certificates. Sample Jetty keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Jetty keystore here is different from the one used to configure the Tomcat-IDP instance.
To establish trust, there are significant keystore/truststore requirements between the Servlet Container instances and the various web applications (IDP, STS, Relying Party applications, third-party web services, etc.). See this page for more details; it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.
Warning: All sample keystores provided with Fediz (including those in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys, but it is strongly recommended to use third-party signed keys.
If you are currently just trying to run the Fediz samples, the configuration above is all you need (the configuration below is already provided within the samples), so you can return now to the samples' READMEs for the next steps in running them.
The Fediz related configuration is done in a Servlet Container independent configuration file which is described here.
The Fediz plugin requires configuring the FederationAuthenticator like any other authenticator in Jetty. Detailed information about the Authenticators and SecurityHandler is available here.
The Fediz configuration file allows you to configure all servlet contexts in one file, or to use one file per Servlet Context.
You can configure the context in a context configuration file located in <jetty.home>/contexts.
Hint: the file name must be equal to the WAR file name.
    <Get name="securityHandler">
        <Set name="loginService">
            <New class="org.apache.cxf.fediz.jetty.FederationLoginService">
                <Set name="name">WSFED</Set>
            </New>
        </Set>
        <Set name="authenticator">
            <New class="org.apache.cxf.fediz.jetty.FederationAuthenticator">
                <Set name="configFile"><SystemProperty name="jetty.home" default="."/>/etc/fediz_config.xml</Set>
            </New>
        </Set>
    </Get>
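As an added example (not from the original page or the Fediz project), here is a complete Jetty 8 context file showing where the securityHandler snippet above belongs. It assumes the application is deployed as fedizhelloworld.war under a context path of /fedizhelloworld, so the file is saved as <jetty.home>/contexts/fedizhelloworld.xml to satisfy the naming hint; the WAR name, context path and the Jetty 8 configure DTD are assumptions, and fediz_config.xml is the container-independent Fediz configuration file referenced on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<!-- Added example: ${jetty.home}/contexts/fedizhelloworld.xml for a Jetty 8 instance.
     The WAR name fedizhelloworld.war and the context path are assumptions, not taken from the page. -->
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <!-- The file name (fedizhelloworld.xml) must match the WAR name (fedizhelloworld.war). -->
  <Set name="contextPath">/fedizhelloworld</Set>
  <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/fedizhelloworld.war</Set>

  <!-- Hand authentication for this context to the Fediz plugin instead of Jetty's
       built-in authenticators (BASIC, FORM, ...). -->
  <Get name="securityHandler">
    <Set name="loginService">
      <New class="org.apache.cxf.fediz.jetty.FederationLoginService">
        <!-- Login service / realm name used by the security handler. -->
        <Set name="name">WSFED</Set>
      </New>
    </Set>
    <Set name="authenticator">
      <New class="org.apache.cxf.fediz.jetty.FederationAuthenticator">
        <!-- Container-independent Fediz configuration (trusted issuer certificates,
             audience restrictions, etc.) that the plugin uses to validate the SignInResponse. -->
        <Set name="configFile"><SystemProperty name="jetty.home" default="."/>/etc/fediz_config.xml</Set>
      </New>
    </Set>
  </Get>
</Configure>
```

The security constraints that decide which URLs require authentication stay in the application's own web.xml; since this page requires the Relying Party to be served over HTTPS, a transport-guarantee of CONFIDENTIAL on those constraints is a sensible complement, so that a token is never presented over plain HTTP.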
The Fediz configuration file is a Servlet container independent configuration file and is described here.
Deploy your Web Application to your Jetty installation (<jetty.home>/webapps). If you're running the Fediz examples, their README files will have instructions on how to do this.
The Jetty Fediz plugin supports publishing the WS-Federation Metadata document, which is described here.