18 December 2015

Register trusted 3rd party IDP with SAML Web Browser SSO Profile

In this post I'll explain how to configure the Apache Fediz IDP so that it can be used with a trusted 3rd party IDP based on the SAML Web Browser SSO Profile.

In my previous posts about Apache Fediz I focused on the WS-Federation passive protocol only, since it is the successor standard to the SAML Web Browser SSO Profile. But in some cases you will have to establish a federated trust relation with an IDP which does not support the WS-Federation standard yet, but only the older SAML Web Browser SSO Profile.


I'll explain how to register a trusted SAML IDP at the Fediz IDP as well as how to set up a demonstrator. Please also take a look at Colm's post about this topic.

Preconditions

I assume that you already have the fedizhelloworld demo application running within your Tomcat container, as well as the Fediz IDP & STS in a second Tomcat container. If you don't know how to do this, you will find detailed instructions in my previous post about Fediz, as well as in this post from Colm.

Install SAML IDP

The Fediz IDP itself does not support the SAML Web Browser SSO Profile as a primary IDP protocol, so you cannot log in to the Fediz IDP via that profile. But you can register a 3rd party IDP based on that profile, with the Fediz IDP acting as the Service Provider (client) towards it.

For integration testing, however, the Fediz project provides a mockup implementation of a SAML IDP, which we will use for demonstration purposes here. To build the war file, do the following:

1. Clone the Fediz sources on your computer with Git
> git clone -v https://github.com/apache/cxf-fediz.git
2. Go to the systest folder and build the systest with Maven
> cd cxf-fediz/systests/federation/samlIdpWebapp/
> mvn -Pfastinstall
3. Copy the war file to the Tomcat webapps folder
> cp target/*.war ${tomcat.fediz.idp.home}/webapps
4. Start the Fediz IDP and the Fediz demo app (if not already done)
> ${tomcat.fediz.idp.home}/bin/startup.sh
> ${tomcat.fediz.rp.home}/bin/startup.sh

Register 3rd Party IDP

Next you must register the SAML SSO IDP at your Fediz IDP so that you can choose it as your home realm during the login process. Since version 1.2.0 this can be done via a REST API.

The REST service API requires HTTP Basic authentication. The default username is admin and the default password is password.

1. Register a new 3rd Party IDP
POST https://localhost:9443/fediz-idp/services/rs/trusted-idps
<ns2:trustedIdp id="0" xmlns:ns2="http://org.apache.cxf.fediz/">
   <realm>urn:org:apache:cxf:fediz:idp:realm-C</realm>
   <url>https://localhost:9443/samlssoidp/samlsso</url>
   <name>Realm C</name>
   <description>SAML Web SSO</description>
   <protocol>urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser</protocol>
   <trustType>PEER_TRUST</trustType>
   <certificate>realmb.cert</certificate>
   <federationType>FEDERATE_IDENTITY</federationType>
   <cacheTokens>true</cacheTokens>
   <parameters>
      <entry>
         <key>support.deflate.encoding</key>
         <value>true</value>
      </entry>
   </parameters>
</ns2:trustedIdp>
If the SAMLResponse is sent with the POST binding it will most likely not be deflated; with the GET (HTTP-Redirect) binding it will most likely be deflated. Adjust the support.deflate.encoding value accordingly.

2. Assign this new 3rd Party IDP to your Realm-A Fediz IDP
POST https://localhost:9443/fediz-idp/services/rs/idps/urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A/trusted-idps
<ns2:trustedIdp xmlns:ns2="http://org.apache.cxf.fediz/">
    <realm>urn:org:apache:cxf:fediz:idp:realm-C</realm>
</ns2:trustedIdp>

Test: Perform a federated Login


Make sure to delete any localhost cookies within your browser. Otherwise your preferred home realm could be stored in a cookie and you would not see the home realm selection screen.

Now you can perform a login by invoking the following URL:
https://localhost:8443/fedizhelloworld/secure/fedservlet

You should see a home realm selection screen listing our new SAML SSO IDP, which you should select. Next you should see a Basic authentication prompt, where you can log in with the username ALICE and the password ECILA.


After a few redirects you should see the demo page with the federated user account of alice:

Review Redirects in Detail

If you use a monitoring tool like Fiddler, you will be able to analyze the redirects in greater detail.

After invoking the fedizhelloworld demo app, I get redirected to the Fediz IDP:
GET https://localhost:9443/fediz-idp/federation
      ?wa=wsignin1.0
      &wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecure%2Ffedservlet
      &wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld
      &wct=2015-12-18T17%3A45%3A36.860Z
      &wctx=b9220a8a-5802-41a2-9128-a2ba649a72bc

The Fediz IDP will show you the home realm selection page and, after selection, will redirect you to the SAML SSO IDP:
GET https://localhost:9443/samlssoidp/samlsso
      ?SAMLRequest=nVNdb9owFP0rkd9TEkihuQIkBpqG1G0pZHvYm3FuiiXHznydlu3Xz07TlofBpL3545xzj8%2B9nhNv1LiFVeeOeoc%2FOyQXrYjQOmn02mjqGrR7tE9S4Lfd%2FYIdnWsJRiNlBFdHQw7yLJuMaqzk71hWbVih5YHOoo2Xk7rfXGQGB0QmUIcliz4aK7D3tGA1V4Qs2m4WTMzq5DDNeFxPJkmc3aXTOM9nWZxM0yrnh6ziSeqRVHAi%2BYTvXKIOt5oc127Bxkl6G6fjOL0r0xlktzDJb2Z5%2BoNFhTXOCKM%2BSF1J%2FbhgndVgOEkCzRskcAL2q8%2F3ML5J4PACIvhUlkVcfN2XLPqOlvq3egCLTo3SBC8JX9dqh8JsOe%2Fh0Du25wrXBfhry9iyh9lH4C0XRwRxqqFvDviEwSJXTbyaj87LDEVb%2BOJ1t5vCKCl%2BRSulzPPaE5wP0tkO%2B7Y03F13Ek5kFdc9FNoQCDnUjkX7Iug%2FdFzJWqIdZP7hlI3e3A3jiVU%2FGH42HZ5ctDZNy62kkDqeuHBvGZ7D1sontMP6%2FxO9BBMggrY%2FDlP3bGwVpgiF91larqk11r3G%2FTdHy%2BHywvver8%2B%2F6PIP
      &RelayState=962c9908-489c-4ea2-b1a4-090e180c91f3
      &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
      &Signature=PyFe4kjQLWUoatdKZ0uZig27CSgrIZpmgU%2FiGL86KW8JIeVgAEIm9StYwdPUWiJO9KMM5wKmd9o6tWjFM7oIEtv8yIYo%2Fcr1nX7qDj5QRd2ni2akDH61OdV%2FvPECS0auRolW1vDwT6qwnqBFNC1KWSJXXpHu0bk7HXRkfnyA3p557ZECunsYsPhMp1JfaGQJUP8tw2LR0HNweoL7NA%2FbKU8lzwKrIcmJ7kFsYC2OrW3TucfqruQ0hrQYIvHFyISwqc7uWRgiGo8KhvTuw1pg2JvpZJZq%2F50OWHGWLWuE5QKT2C5yjJeb7xch4gPkg4PIBJCqrENZSE7OZWIcb%2Fydjw%3D%3D

You can use, for example, Notepad++ to decode SAML-P requests & responses.


After decoding the SAMLRequest you will see the following SAML AuthnRequest:
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://localhost:9443/fediz-idp/federation" Destination="https://localhost:9443/samlssoidp/samlsso" ForceAuthn="false" ID="c7f0b64a-f330-4816-9974-061d9ab4da01" IsPassive="false" IssueInstant="2015-12-18T17:45:39.791Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:org:apache:cxf:fediz:idp:realm-A</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="urn:org:apache:cxf:fediz:idp:realm-A"/>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
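Decoding the redirect-binding parameters by hand works for a one-off look, but the steps (URL-decode, base64-decode, raw-inflate, or skip the inflate when the peer does not deflate, which is what the support.deflate.encoding parameter in the registration above tells Fediz) are easy to script. The following Python is an added example, not code from this post or from the Fediz project; it round-trips a constructed AuthnRequest modelled on the decoded one above, with helper names of my own choosing.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def encode_redirect_param(xml_text: str, deflate: bool = True) -> str:
    """Build a SAMLRequest/SAMLResponse query value the way the HTTP-Redirect
    binding does: raw DEFLATE, base64, URL-encode. deflate=False yields the
    plain base64 form that a POST-binding peer typically sends."""
    data = xml_text.encode("utf-8")
    if deflate:
        # wbits=-15 selects a raw DEFLATE stream (no zlib header or trailer).
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def decode_saml_param(value: str, deflated: Optional[bool] = None) -> str:
    """Reverse of encode_redirect_param. Pass deflated=True/False when you know
    how the peer is configured (the support.deflate.encoding parameter of the
    trusted-IDP registration); deflated=None autodetects."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    # Heuristic for autodetection: a plain XML message starts with '<' (0x3C,
    # even), while the first byte of a single-block DEFLATE stream has its
    # BFINAL bit set and is therefore odd. Messages of this size are one block.
    if deflated is False or (deflated is None and raw.startswith(b"<")):
        return raw.decode("utf-8")
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error as exc:
        raise ValueError("value is neither plain XML nor a raw DEFLATE stream") from exc


def summarize_authn_request(xml_text: str) -> dict:
    """Pull out what the SP must remember to validate the later Response:
    the request ID (matched against InResponseTo) and where the Response goes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    return {
        "ID": root.get("ID"),
        "Issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "Destination": root.get("Destination"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "ProtocolBinding": root.get("ProtocolBinding"),
    }


# Constructed sample modelled on the AuthnRequest shown above (not a capture).
SAMPLE_AUTHN_REQUEST = (
    f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" Version="2.0" ID="_req-0001" '
    'IssueInstant="2015-12-18T17:45:39.791Z" ForceAuthn="false" IsPassive="false" '
    'Destination="https://localhost:9443/samlssoidp/samlsso" '
    'AssertionConsumerServiceURL="https://localhost:9443/fediz-idp/federation" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    f'<saml2:Issuer xmlns:saml2="{SAML}">urn:org:apache:cxf:fediz:idp:realm-A</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)

if __name__ == "__main__":
    for deflate in (True, False):
        param = encode_redirect_param(SAMPLE_AUTHN_REQUEST, deflate)
        print("deflated" if deflate else "plain", len(param),
              summarize_authn_request(decode_saml_param(param)))
```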

After login at the SAML IDP the user will be redirected back to Fediz-IDP:
GET https://localhost:9443/fediz-idp/federation
      ?SAMLResponse=rVdZk6JMFn33V1TYj4YFCYhAdFUEiwsKgiIqvEywJIuySYLbrx%2B0ytqmqqfniwkfJC93OffcJDn8Rk6aEAW3gKjIMwQfZOmpzUBI9hkHdH2A97sUSwZdF7heF2dpD3dZlqEDov0gZ/egZf7U9voB7tKU0w1IEu9SDKC7LNunujgNfNZxKd/BQRODUA3lDFVOVj21CRz0uoDoAmYJ%2BhzV40j2kSFxu/2wgiWK86xxecTbD6c0yRD3gvSpXZcZlzsoRlzmpBBxlccZvKpwjStXlHmVe3nSfv59c%2BduBcuPGf6cwEEIllVTuv0cVVWBOAxLcs9JohxVHEtRJHZNglAe%2B8X98jf2sdZr5YIzKqeq0ZelmPvwYeUkNfwzDnTz5oza8yBCbez5tciXtBx/x3sb3L9YQDE0QzBdzyV7XQr0mC7ju0yXpkjAeC5OeX38/zCFv%2BXwNeaE4qf2lc6GzePx%2BHgkH/MyxAgcB9hGVQwvgqnTjW%2BAPNhEoZirzkVD0Zcml43xy2j/%2BZj8ht44zBo2S/gK1Ec/4MQxnMUaHx/F4a/2Wyz05SzIb0vRyfIsbiDEF%2BcKVYVVlPsPfBLmZVxF6Y8EAPyauAtPXtcDVPbrOuuP0P4y0SeEJXK6KHLAa64FDGAJG2ofzIX81P71d9vkFrosnQwFeZmiz8v/DQ/MDjDJC%2Bh30b2tV2h/n/B7prD/xCjFIUTVP6HtA2UvSW4P6jM7r1aVQScStV%2BeeJ3igaqVnjMrhOPTDcBH55vhjfCX5Zet8jbal4ghSA3AWtlZP1qzmglsIDn9%2BcLaXlYXRpdwYOIRT1L0ft9bDFczYjY3Ombp7Ox0Wep1NauKmtFxeROWKbVH/WGhRoJTVbxrni9o6MtLeWPLOl8SypJQsWQqOEzMFpI2cQNWm4S14eY4bxm8MdY3YDZVjkSA2QsKGEHQIS8nuTfWjoW58cb%2Bsq8IU1zbTGNKK5SL2wlPoifyNCmpaDE9r3GgT3HEb6roMoQBEpyOp5xlpIdqudrpQ8OzmfzSmXWGmTvU0m2fKdw5sdlsjsuB5UwjhtqPowu6jGpS1EUlV7cFpdRAHa51TzpT%2B10RwJnhgXHfww5jw%2BxjEFvXwWgsshB6grGa0HYmx8I0M87Hp6c36j9wfaV/Cs9vo9j0cFZyKudtIV4PmqB5jiv4rMqyeFyKIu%2BkIX%2BUBT6UB75DXIoLPxPC3T7axSP2iAv8HA15iV%2Boc%2BYozS1pNZ9Lg6NtLMyhujTl4zjyZq3m6jjbDo7NPz6TVGLdGNVtY5MG1Jtt%2B3OSMBzEKo%2BPRGM/ahmyS0rzQVPZ5HlKFqQjf3WY8nmDci4OvZ6A4Wd3aNmZsc1YgyZrfc/Kwnq%2BQgQ8ODZl4sdDAOnDKmnttZrXGDraTjB6EBpurY0TVY9lyyUTH1IpXO7pQWdTrPMTrgwY5WzM/RN2AAYDVsRkqoA862/iZiO4lNnCiRTfb2YwpvsLYIr83K7cqDgsoTdJ/SznHbfQ5MnO2CfzTKsYoqT8zWlgDXumXMb2KJ5bKr0zB41oOBQtfQgunfLEwHJLx8yomkNdW8fbKjMTex%2BOjsrgsMNnRH%2B0kEOgjTvJaFQQxWiHy%2BxYXbDaebnDFrvhYQcF1OKTvbIXk%2B15m4tbf4E0ewQ1tEaCR9jZqgOgop2yogeZ3KFjK5/V0t6ubEZNwSEZM5M1PQY6H6oCz4%2B2LXnJB6qAj3hg%2BlI4XwvCgoDYycysYguUgFY3qrbeL0pfWW2I7Tfbhdcabga8crLZFnAmEhwO1BAPPEhHghhtzqYHtIk3LE4nwk4vENcu61PEW%2BuQzDdEXzVn4aK389VcnwSBSEiRiUiTXHeElrWY4ltxX9S4ilnUIDxR8f4cjj3eWS54PcVGlb1DnaQDlcW4Y2BbfRWRl2m8xjEz2M2ts9Xb7e
04ETJpo7fsodpkMDNPZyGrsDGRns364lUFu8lZdbS2lr3zcBojF2SH2TQkC2sydegqCwKgqGR4glvRSz1hPj0nZUtvzs2%2BnljRmXV2m9U4nUvlBYwR5E8l5lPWAXWsMhqXqR0N93W191V5YExGs%2Bb0Ho%2BtxTDVdBe/CGqNU1QLapHX0cwTpYzrCyywbFqlUj4bj0YnZ5pY5IB/PQC%2BPtRvxpfHHvt4IHw6MO4yw6jdLfSq%2B3LWyB1Zehg2rxun%2BlkHgUdws8R%2BN7i5cnWGCug1MKDffuYVWRzcBclLyi/1xDwL4mvgVdu9vMz%2BrLq8lHOhU8Ky/YdM16YfeN8vG1H51AZE/xFvfuCfiflZXmmZVvJBBcuvMrKHv8vIRdN2EcOr1vxBrAXQjy/dq1ZrrmB5g/queb9r5Ou9e8%2BNjx9fHdAVngAb8uFPEhfYf9dD4/cmt2s/vr7XG7KqMvZekHy%2B9XwbUhlyTuE0wpbzTgF3649r%2BuNK6CRpl7%2Bjfwv6avhUAPva23vNKsquHwQwbeh9uC3/u67/FN0kreCp%2Bs4mJo2Sb6TM8x/Fvsd5V7/GrDd/x7z033v5Jtd3Nz8b3/p5N9/1//tX0H23Pv8b     
      &RelayState=962c9908-489c-4ea2-b1a4-090e180c91f3
Usually you would receive a POST message from the SAML IDP instead of the GET redirect that the mockup IDP uses here.

A decoded SAMLResponse will look like this:
<saml2p:Response ID="1772f107-14b9-4d27-9d21-f3a1cf655648" InResponseTo="41e5c1dc-7cfe-446e-b475-3fb7a40b5432" IssueInstant="2015-12-18T14:16:24.456Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:9443/samlssoidp/samlsso</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="_42311918-c677-4773-86b7-e5b42340354d" IssueInstant="2015-12-18T14:16:24.456Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="saml2:AssertionType">
        <saml2:Issuer>https://localhost:9443/samlssoidp/samlsso</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_42311918-c677-4773-86b7-e5b42340354d">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>IvKTW0enrkTeXynCf9Aj0053fXM=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>GcHGaMUt6zM+tdKty0yXWOniNXh5V8JfYrCkjerx1LPI7K2w4oWCTfGtZ4TCnAhoKZQsyA3+VDpFg25HZIMjJVznazHPQ1idjvy5zlKdmG+jaHf+JWrKMuCb3w3UPJwWFEod49BnLGgLkBORr4rgWi0c4eloSK8NCnBHOXwhJHxkw5nUe+FIiuLpuIxbWnNddsWr7091ImuawDxfYfPDJuxaXX19EP2nx2zc7oQrmbqZAIIftao87OeAr2hfg4BDpAO7kFQC+Iw2B4pkmLUnJNyzspfU96bN9HaNvhBZSWD1HEdTzkHaNr9r1h9SSksBZLdmT8+p0+QidzNXN5H/sw==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIICwTCCAamgAwIBAgIEda2zpzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUIwHhcN...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ALICE</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="127.0.0.1" InResponseTo="41e5c1dc-7cfe-446e-b475-3fb7a40b5432" NotOnOrAfter="2015-12-18T14:21:24.456Z" Recipient="https://localhost:9443/fediz-idp/federation"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2015-12-18T14:16:24.456Z" NotOnOrAfter="2015-12-18T14:21:24.456Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>urn:org:apache:cxf:fediz:idp:realm-A</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2015-12-18T14:16:24.456Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>
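Before the Fediz IDP maps this identity into realm A it has to validate the Response against what it knows about the registered trusted IDP and the AuthnRequest it sent. The following Python is an added example (not this post's or Fediz' own code) of the non-cryptographic checks a Service Provider performs on such a Response: status, InResponseTo, issuer, validity window with clock skew, audience and bearer confirmation data. The sample Response is constructed to mirror the decoded one above, and its ds:Signature element is only a placeholder, because XML-DSig verification against the certificate given in the registration (realmb.cert) is the job of a signature library and is not shown here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def saml_time(value: str) -> datetime:
    """Parse the xs:dateTime form used in the captures above (UTC, milliseconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_response(xml_text: str, *, trusted_issuer: str, audience: str, recipient: str,
                   request_id: str, now: datetime, skew: timedelta = timedelta(seconds=60)) -> list:
    """Return the failed checks ([] = passed). XML-DSig verification is NOT done here."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"not a samlp:Response: {root.tag}"]
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.get("InResponseTo") != request_id:
        findings.append("Response.InResponseTo does not match our AuthnRequest ID")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        return findings + [f"expected exactly one Assertion, got {len(assertions)}"]
    a = assertions[0]
    if a.findtext(f"{{{SAML}}}Issuer") != trusted_issuer:
        findings.append("assertion issuer is not the registered trusted IDP")
    if a.find(f"{{{DSIG}}}Signature") is None:
        findings.append("assertion is not signed")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        findings.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < saml_time(nb) - skew:
            findings.append("assertion not yet valid (NotBefore)")
        if noa and now >= saml_time(noa) + skew:
            findings.append("assertion expired (NotOnOrAfter)")
        audiences = [e.text for e in cond.iter(f"{{{SAML}}}Audience")]
        if audience not in audiences:
            findings.append(f"audience {audiences} does not include {audience!r}")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation[@Method='{BEARER}']/"
                 f"{{{SAML}}}SubjectConfirmationData")
    if scd is None:
        findings.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != recipient:
            findings.append("bearer Recipient is not our assertion consumer URL")
        if scd.get("InResponseTo") != request_id:
            findings.append("bearer InResponseTo does not match our AuthnRequest ID")
        noa = scd.get("NotOnOrAfter")
        if noa and now >= saml_time(noa) + skew:
            findings.append("bearer confirmation expired")
    return findings


# Constructed sample modelled on the decoded SAMLResponse shown above; the
# ds:Signature element is only a placeholder, not a real signature.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{SAMLP}" ID="_resp-1" InResponseTo="_req-0001" Version="2.0">
 <saml2:Issuer xmlns:saml2="{SAML}">https://localhost:9443/samlssoidp/samlsso</saml2:Issuer>
 <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
 <saml2:Assertion xmlns:saml2="{SAML}" ID="_a-1" IssueInstant="2015-12-18T14:16:24.456Z" Version="2.0">
  <saml2:Issuer>https://localhost:9443/samlssoidp/samlsso</saml2:Issuer>
  <ds:Signature xmlns:ds="{DSIG}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml2:Subject><saml2:NameID>ALICE</saml2:NameID><saml2:SubjectConfirmation Method="{BEARER}">
   <saml2:SubjectConfirmationData InResponseTo="_req-0001" NotOnOrAfter="2015-12-18T14:21:24.456Z" Recipient="https://localhost:9443/fediz-idp/federation"/>
  </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2015-12-18T14:16:24.456Z" NotOnOrAfter="2015-12-18T14:21:24.456Z">
   <saml2:AudienceRestriction><saml2:Audience>urn:org:apache:cxf:fediz:idp:realm-A</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
 </saml2:Assertion>
</saml2p:Response>"""


def check_sample(now: datetime, audience: str = "urn:org:apache:cxf:fediz:idp:realm-A") -> list:
    """Run the checks with the values the Fediz IDP (realm A) knows in the setup above."""
    return check_response(SAMPLE_RESPONSE, trusted_issuer="https://localhost:9443/samlssoidp/samlsso",
                          audience=audience, recipient="https://localhost:9443/fediz-idp/federation",
                          request_id="_req-0001", now=now)
```

Collecting every failed check instead of stopping at the first one gives the IDP log a complete reason when a federated login is rejected.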


The Fediz IDP is configured to do an identity mapping and will return a SAML token to the demo application according to WS-Federation:
POST https://localhost:8443/fedizhelloworld/secure/fedservlet

wa=wsignin1.0
&wresult=%3CRequestSecurityTokenResponseCollection+xmlns%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fws-sx%2Fws-trust%2F200512%22+xmlns%3Ans2%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%22+xmlns%3Ans3%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22+xmlns%3Ans4%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-secext-1.0.xsd%22+xmlns%3Ans5%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fws-sx%2Fws-trust%2F200802%22%3E%3CRequestSecurityTokenResponse%3E%3CTokenType%3Ehttp%3A%2F%2Fdocs.oasis-open.org%2Fwss%2Foasis-wss-saml-token-profile-1.1%23SAMLV2.0%3C%2FTokenType%3E%3CRequestedSecurityToken%3E%3Csaml2%3AAssertion+xmlns%3Asaml2%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22+xmlns%3Axsd%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%22+xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema-instance%22+ID%3D%22_d11b7fa4-3dc2-4b81-a29e-c80cc6e20436%22+IssueInstant%3D%222015-12-18T17%3A45%3A39.933Z%22+Version%3D%222.0%22+xsi%3Atype%3D%22saml2%3AAssertionType%22%3E%3Csaml2%3AIssuer%3ESTS+Realm+A%3C%2Fsaml2%3AIssuer%3E%3Cds%3ASignature+xmlns%3Ads%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3Cds%3ASignedInfo%3E%3Cds%3ACanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22%2F%3E%3Cds%3ASignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256%22%2F%3E%3Cds%3AReference+URI%3D%22%23_d11b7fa4-3dc2-4b81-a29e-c80cc6e20436%22%3E%3Cds%3ATransforms%3E%3Cds%3ATransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%2F%3E%3Cds%3ATransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3Cec%3AInclusiveNamespaces+xmlns%3Aec%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+PrefixList%3D%22xsd%22%2F%3E%3C%2Fds%3ATransform%3E%3C%2Fds%3ATransforms%3E%3Cds%3ADigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%
2F04%2Fxmlenc%23sha256%22%2F%3E%3Cds%3ADigestValue%3EOB6hSosPWjhA5dxCE%2BF3eFAC4dRu%2FZxFT9XO%2B9tXBAI%3D%3C%2Fds%3ADigestValue%3E%3C%2Fds%3AReference%3E%3C%2Fds%3ASignedInfo%3E%3Cds%3ASignatureValue%3EOAZHDiqlANZXtK0UPfrusUTAf1E9hrPHjUw9kB0sP24RMtxjIfcJ0UFTIb1gBHMqGz%2BbxPJozH7c6O%2F%2F2OYa5V3eRDadQOqnxKvReDh8YjHqs641uhdNqlJl9SogWsm7MPmznmwB5jRLqCaQpTQDfFnjwHXPgxwcASh1i3anfYSpJebnq4ipC3%2Flyuy99xXb1tQoai6hgdRiPs5ragYUPLqE9bIrULj%2FOTbuXY4ikKcNBHltKzAhPJtvaVDzgUkAKRYNBk64te1vRTCYYdMWXjMjA%2FC2obHhIB4zA5eMjxoMPmZHe7ZxVVRiB938S%2FJW%2B4ysJvoVdFX2FTmqRmIKhA%3D%3D%3C%2Fds%3ASignatureValue%3E%3Cds%3AKeyInfo%3E%3Cds%3AX509Data%3E%3Cds%3AX509Certificate%3EMIICwTCCAamgAwIBAgIEINqJ9TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN%0D%0AMTUwNjEwMTU0NDE3WhcNMjUwNDE4MTU0NDE3WjARMQ8wDQYDVQQDEwZSRUFMTUEwggEiMA0GCSqG%0D%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQCJDSXn2lDR%2BJM%2BAsJarFG3%2FXGH7K%2B9AfAbQIz2IgB9MCpO%0D%0AKVWTUPCvuo1I%2BFp5nEGreuHYLEwgIiam3o%2BC9tvpLgtDDaDkmXjDzkWpk8z6%2Bim72HZ%2FODF93Rqw%0D%0AjIiY5ZCzgDumFyPzdKiGwChThamidy%2Brd6oheSoi6qRVSMMcnwiEUmvkfFvV3izXRqeT5nGQwsin%0D%0Ay9mCEiGx8jkfxP%2B%2BH0RQjVjhOwzfQ7epsR7dTQNf2ZhkBR3o6wKV9QnF2IBWHZpA9EK58rWU9H6j%0D%0AG7b631rYvwsbOUF9HcZ8DI2BFh%2B4p18jDN%2FfnjNGSLr9rYOExpsIiF1cHBK7Tr7WwCmDAgMBAAGj%0D%0AITAfMB0GA1UdDgQWBBRHy0qYoLm9jx%2F1L6r61NznHKun2jANBgkqhkiG9w0BAQsFAAOCAQEAR9rU%0D%0A5Sp1FsOErdvKNFqeaKl0oq6Fuz7BWcGm2kK6%2B1ZbWE8IOv6Vh%2BBlLuOe5hF7aLUbm8UIjhKsmg0M%0D%0AEy5MBwkBZktT1qhQteMuiKgYR7CxayCxO0f125RYvvwntJa5rI7bUrzOqX29VQD1qQ%2FTb%2B08fULT%0D%0AL7oURP%2Bg88Ff99dn3IpO4VZxZdsbl4%2BKZRtqQvPAdXNYjOajJtPzS489%2B%2FDtfWJ6wPm%2F7YZ4did4%0D%0A1fYcrdwyEZ15L0%2F5i931z7sztNickm5WhO40qEVDKN6KrlV2Eyea0%2B933v2Pwe4resTlko9G2T5h%0D%0AdEaSbvht2Q%2FJOMMmT91daeto2oS8HTKhTA%3D%3D%3C%2Fds%3AX509Certificate%3E%3C%2Fds%3AX509Data%3E%3C%2Fds%3AKeyInfo%3E%3C%2Fds%3ASignature%3E%3Csaml2%3ASubject%3E%3Csaml2%3ANameID+Format%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.1%3Anameid-format%3Aunspecified%22+NameQualifier%3D%22http%3A%2F%2Fcxf.apache.org%2Fs
ts%22%3Ealice%3C%2Fsaml2%3ANameID%3E%3Csaml2%3ASubjectConfirmation+Method%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Acm%3Abearer%22%2F%3E%3C%2Fsaml2%3ASubject%3E%3Csaml2%3AConditions+NotBefore%3D%222015-12-18T17%3A45%3A39.890Z%22+NotOnOrAfter%3D%222015-12-18T18%3A45%3A39.890Z%22%3E%3Csaml2%3AAudienceRestriction%3E%3Csaml2%3AAudience%3Eurn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld%3C%2Fsaml2%3AAudience%3E%3C%2Fsaml2%3AAudienceRestriction%3E%3C%2Fsaml2%3AConditions%3E%3Csaml2%3AAttributeStatement%3E%3Csaml2%3AAttribute+Name%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Frole%22+NameFormat%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aattrname-format%3Aunspecified%22%3E%3Csaml2%3AAttributeValue+xsi%3Atype%3D%22xsd%3Astring%22%3EUser%3C%2Fsaml2%3AAttributeValue%3E%3C%2Fsaml2%3AAttribute%3E%3Csaml2%3AAttribute+Name%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fgivenname%22+NameFormat%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aattrname-format%3Aunspecified%22%3E%3Csaml2%3AAttributeValue+xsi%3Atype%3D%22xsd%3Astring%22%3EAlice%3C%2Fsaml2%3AAttributeValue%3E%3C%2Fsaml2%3AAttribute%3E%3Csaml2%3AAttribute+Name%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fsurname%22+NameFormat%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aattrname-format%3Aunspecified%22%3E%3Csaml2%3AAttributeValue+xsi%3Atype%3D%22xsd%3Astring%22%3ESmith%3C%2Fsaml2%3AAttributeValue%3E%3C%2Fsaml2%3AAttribute%3E%3Csaml2%3AAttribute+Name%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Femailaddress%22+NameFormat%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aattrname-format%3Aunspecified%22%3E%3Csaml2%3AAttributeValue+xsi%3Atype%3D%22xsd%3Astring%22%3Ealice%40realma.org%3C%2Fsaml2%3AAttributeValue%3E%3C%2Fsaml2%3AAttribute%3E%3C%2Fsaml2%3AAttributeStatement%3E%3C%2Fsaml2%3AAssertion%3E%3C%2FRequestedSecurityToken%3E%3CRequestedAttachedReference%3E%3Cns4%3ASecurityTokenReference+xmlns%3Awss
e11%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2Foasis-wss-wssecurity-secext-1.1.xsd%22+wsse11%3ATokenType%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2Foasis-wss-saml-token-profile-1.1%23SAMLV2.0%22%3E%3Cns4%3AKeyIdentifier+ValueType%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2Foasis-wss-saml-token-profile-1.1%23SAMLID%22%3E_d11b7fa4-3dc2-4b81-a29e-c80cc6e20436%3C%2Fns4%3AKeyIdentifier%3E%3C%2Fns4%3ASecurityTokenReference%3E%3C%2FRequestedAttachedReference%3E%3CRequestedUnattachedReference%3E%3Cns4%3ASecurityTokenReference+xmlns%3Awsse11%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2Foasis-wss-wssecurity-secext-1.1.xsd%22+wsse11%3ATokenType%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2Foasis-wss-saml-token-profile-1.1%23SAMLV2.0%22%3E%3Cns4%3AKeyIdentifier+ValueType%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2Foasis-wss-saml-token-profile-1.1%23SAMLID%22%3E_d11b7fa4-3dc2-4b81-a29e-c80cc6e20436%3C%2Fns4%3AKeyIdentifier%3E%3C%2Fns4%3ASecurityTokenReference%3E%3C%2FRequestedUnattachedReference%3E%3Cwsp%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F%2Fwww.w3.org%2Fns%2Fws-policy%22+xmlns%3Awst%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fws-sx%2Fws-trust%2F200512%22%3E%3Cwsa%3AEndpointReference+xmlns%3Awsa%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%22%3E%3Cwsa%3AAddress%3Eurn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld%3C%2Fwsa%3AAddress%3E%3C%2Fwsa%3AEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3CLifetime%3E%3Cns3%3ACreated%3E2015-12-18T17%3A45%3A39.890Z%3C%2Fns3%3ACreated%3E%3Cns3%3AExpires%3E2015-12-18T18%3A45%3A39.890Z%3C%2Fns3%3AExpires%3E%3C%2FLifetime%3E%3C%2FRequestSecurityTokenResponse%3E%3C%2FRequestSecurityTokenResponseCollection%3E
&wctx=b9220a8a-5802-41a2-9128-a2ba649a72bc
&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld

The decoded wresult that is sent to the demo app looks like this:
<RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns2="http://www.w3.org/2005/08/addressing" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802">
 <RequestSecurityTokenResponse>
  <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>
  <RequestedSecurityToken>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_d11b7fa4-3dc2-4b81-a29e-c80cc6e20436" IssueInstant="2015-12-18T17:45:39.933Z" Version="2.0" xsi:type="saml2:AssertionType">
    <saml2:Issuer>STS Realm A</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_d11b7fa4-3dc2-4b81-a29e-c80cc6e20436">
       <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
         <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
        </ds:Transform>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
       <ds:DigestValue>OB6hSosPWjhA5dxCE+F3eFAC4dRu/ZxFT9XO+9tXBAI=</ds:DigestValue>
      </ds:Reference>
     </ds:SignedInfo>
     <ds:SignatureValue>OAZHDiqlANZXtK0UPfrusUTAf1E9hrPHjUw9kB0sP24RMtxjIfcJ0UFTIb1gBHMqGz+bxPJozH7c6O//2OYa5V3eRDadQOqnxKvReDh8YjHqs641uhdNqlJl9SogWsm7MPmznmwB5jRLqCaQpTQDfFnjwHXPgxwcASh1i3anfYSpJebnq4ipC3/lyuy99xXb1tQoai6hgdRiPs5ragYUPLqE9bIrULj/OTbuXY4ikKcNBHltKzAhPJtvaVDzgUkAKRYNBk64te1vRTCYYdMWXjMjA/C2obHhIB4zA5eMjxoMPmZHe7ZxVVRiB938S/JW+4ysJvoVdFX2FTmqRmIKhA==</ds:SignatureValue>
     <ds:KeyInfo>
      <ds:X509Data>
       <ds:X509Certificate>MIICwTCCAamgAwIBAgIEINqJ9TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN...</ds:X509Certificate>
      </ds:X509Data>
     </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
     <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID>
     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-12-18T17:45:39.890Z" NotOnOrAfter="2015-12-18T18:45:39.890Z">
     <saml2:AudienceRestriction>
      <saml2:Audience>urn:org:apache:cxf:fediz:fedizhelloworld</saml2:Audience>
     </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xsd:string">User</saml2:AttributeValue>
     </saml2:Attribute>
     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xsd:string">Alice</saml2:AttributeValue>
     </saml2:Attribute>
     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xsd:string">Smith</saml2:AttributeValue>
     </saml2:Attribute>
     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xsd:string">alice@realma.org</saml2:AttributeValue>
     </saml2:Attribute>
    </saml2:AttributeStatement>
   </saml2:Assertion>
  </RequestedSecurityToken>
  <RequestedAttachedReference>
   <ns4:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
    <ns4:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_d11b7fa4-3dc2-4b81-a29e-c80cc6e20436</ns4:KeyIdentifier>
   </ns4:SecurityTokenReference>
  </RequestedAttachedReference>
  <RequestedUnattachedReference>
   <ns4:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
    <ns4:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_d11b7fa4-3dc2-4b81-a29e-c80cc6e20436</ns4:KeyIdentifier>
   </ns4:SecurityTokenReference>
  </RequestedUnattachedReference>
  <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsa:Address>urn:org:apache:cxf:fediz:fedizhelloworld</wsa:Address>
   </wsa:EndpointReference>
  </wsp:AppliesTo>
  <Lifetime>
   <ns3:Created>2015-12-18T17:45:39.890Z</ns3:Created>
   <ns3:Expires>2015-12-18T18:45:39.890Z</ns3:Expires>
  </Lifetime>
 </RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection>
