Versions Compared

...

| XML element | Use | Metadata | Description |
|---|---|---|---|
| applicationServiceURL | Optional | entityID | Used to set the "entityID" for the Metadata. If not specified, the context path of the application is used instead. |
| roleDelimiter | Optional | NA | There are different ways to encode multi-value attributes in SAML: (1) a single attribute with multiple values; (2) several attributes with the same name but only one value each; (3) a single attribute with a single value in which the roles are delimited by roleDelimiter. |
| roleURI | Optional | NA | Defines the attribute name of the SAML token which contains the roles. Required for Role Based Access Control. Typically this is configured with the value "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role". |
| claimTypesRequested | Optional | ClaimTypesRequested (WS-Fed) / RequestedAttribute (SAML SSO) | The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP, the issuance of the token should fail. |
| issuer | Required | NA | This URL defines the location of the IDP to which unauthenticated requests are redirected. |
| realm | Optional | NA | Security realm of the Relying Party / Application. For WS-Federation, this value is part of the SignIn request as the wtrealm parameter. For SAML SSO, it is used as the Issuer of the AuthnRequest. Default: URL including the Servlet Context. |
| tokenValidators | Optional | NA | Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. See example here. |
| metadataURI | Optional | NA | The URI where Metadata is served. The default is "FederationMetadata/2007-06/FederationMetadata.xml" for WS-Federation and "SAML/Metadata.xml" for SAML SSO. |
| reply | Optional | NA | The value to send to the IdP in the "wreply" parameter. |
| authenticationType | Optional | NA | The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth). The WS-Federation standard defines a list of predefined URIs for wauth here. |
| homeRealm | Optional | NA | Indicates to the Resource IDP the home realm of the requestor. This may be a URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter. |
| freshness | Optional | NA | The desired "freshness" of the token from the IdP. This information is provided in the SignInRequest to the IdP (parameter wfresh). |
| request | Optional | NA | This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP. |
| signInQuery | Optional | NA | Additional queries to be appended to the sign-in URL. |
| signOutQuery | Optional | NA | Additional queries to be appended to the sign-out URL. |

...

| XML element | Use | Metadata | Description |
|---|---|---|---|
| applicationServiceURL | Optional | entityID | Used to set the "entityID" for the Metadata. If not specified, the context path of the application is used instead. |
| roleDelimiter | Optional | NA | There are different ways to encode multi-value attributes in SAML: (1) a single attribute with multiple values; (2) several attributes with the same name but only one value each; (3) a single attribute with a single value in which the roles are delimited by roleDelimiter. |
| roleURI | Optional | NA | Defines the attribute name of the SAML token which contains the roles. Required for Role Based Access Control. Typically this is configured with the value "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role". |
| claimTypesRequested | Optional | ClaimTypesRequested (WS-Fed) / RequestedAttribute (SAML SSO) | The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP, the issuance of the token should fail. |
| issuer | Required | NA | This URL defines the location of the IDP to which unauthenticated requests are redirected. |
| realm | Optional | NA | Security realm of the Relying Party / Application. For WS-Federation, this value is part of the SignIn request as the wtrealm parameter. For SAML SSO, it is used as the Issuer of the AuthnRequest. Default: URL including the Servlet Context. |
| tokenValidators | Optional | NA | Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. See example here. |
| metadataURI | Optional | NA | The URI where Metadata is served. The default is "FederationMetadata/2007-06/FederationMetadata.xml" for WS-Federation and "SAML/Metadata.xml" for SAML SSO. |
| reply | Optional | NA | The value for the AssertionConsumerService URL in the AuthnRequest. |
| signRequest | Optional | NA | Whether to sign the AuthnRequest or not. The default is false. |
| authnRequestBuilder | Optional | NA | A SAMLPRequestBuilder instance used to build the AuthnRequest/LogoutRequest. The default is here. |
| disableDeflateEncoding | Optional | NA | Whether to disable deflate encoding or not. The default is "false". |
| doNotEnforceKnownIssuer | Optional | NA | Whether to not enforce that the issuer of the SAML Response is a known value. The default is false (meaning that it is enforced). |
| issuerLogoutURL | Optional | NA | The logout URL to redirect to. If not specified, it falls back to the Issuer URL. |
| checkClientAddress | Optional | NA | Whether to check the client address against the subject confirmation data address. The default is true. |
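The roleDelimiter and claimTypesRequested rows above describe behaviour rather than show it. The following is an added example, not Fediz code: it builds constructed AttributeStatements in the three role encodings, extracts roles via a roleURI / roleDelimiter pair, and reports which mandatory claims a token lacks. `build_statement`, `extract_roles` and `missing_required_claims` are hypothetical helper names, and the "User" / "Manager" values are made up.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"


def build_statement(attributes):
    """Build a constructed <saml:AttributeStatement>; `attributes` is a list of
    (Name, [values]) so the same roles can be encoded in different shapes."""
    attrs = "".join(
        '<saml:Attribute Name="%s">%s</saml:Attribute>'
        % (name, "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v
                         for v in vals))
        for name, vals in attributes)
    return ('<saml:AttributeStatement xmlns:saml="%s">%s</saml:AttributeStatement>'
            % (SAML_NS["saml"], attrs))


# The three encodings from the roleDelimiter row, constructed for this example.
MULTI_VALUE = build_statement([(ROLE_URI, ["User", "Manager"])])
REPEATED_ATTR = build_statement([(ROLE_URI, ["User"]), (ROLE_URI, ["Manager"])])
DELIMITED = build_statement([(ROLE_URI, ["User,Manager"])])


def attribute_values(statement_xml, name):
    """Return every AttributeValue text of every Attribute whose Name is `name`."""
    root = ET.fromstring(statement_xml)
    return [(val.text or "").strip()
            for attr in root.findall("saml:Attribute", SAML_NS)
            if attr.get("Name") == name
            for val in attr.findall("saml:AttributeValue", SAML_NS)]


def extract_roles(statement_xml, role_uri=ROLE_URI, role_delimiter=None):
    """Roles from the attribute named by roleURI, covering all three encodings.
    Splitting happens only when a delimiter is configured; without one a value
    such as "User,Manager" stays a single opaque role, so the delimiter must
    match how the IdP actually encodes roles."""
    roles = []
    for value in attribute_values(statement_xml, role_uri):
        for part in (value.split(role_delimiter) if role_delimiter else [value]):
            part = part.strip()
            if part and part not in roles:
                roles.append(part)
    return roles


def missing_required_claims(statement_xml, claim_types):
    """claim_types is a list of (claim URI, optional) as in claimTypesRequested.
    Returns the mandatory claims absent from the token; a non-empty result means
    the token should be rejected rather than mapped to a principal with no roles."""
    return [uri for uri, optional in claim_types
            if not optional and not attribute_values(statement_xml, uri)]
```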

...

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
    <contextConfig name="/fedizhelloworld">
        <audienceUris>
            <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
        </audienceUris>
        <certificateStores>
            <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
        </certificateStores>
        <maximumClockSkew>10</maximumClockSkew>
        <trustedIssuers>
            <issuer certificateValidation="PeerTrust" />
        </trustedIssuers>
        <signingKey keyPassword="tompass">
            <keyStore file="tomcatKeystore.jks" password="tompass" type="JKS" />
        </signingKey>
        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
            <issuer>https://localhost:9443/fediz-idp/federation/</issuer>
            <roleDelimiter>,</roleDelimiter>
            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
            <claimTypesRequested>
                <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="true" />
            </claimTypesRequested>
            <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard" />
            <homeRealm type="Class" value="example.HomeRealmCallbackHandler" />
            <tokenValidators>
                <validator>org.apache.cxf.fediz.core.CustomValidator</validator>
            </tokenValidators>
        </protocol>
    </contextConfig>
</FedizConfig>
```

...