Apache Fediz plugin provides now a support for custom claim processing since version 1.4.5. This allows fine grained claim control on application side, which is very useful if you are not in control of the IDP/STS claim creation itself. Or if you want to do some local claim value mapping that is very application specific.
In this blog post, I will show you how to leverage this new Fediz feature.
Showing posts with label WS-Federation. Show all posts
Showing posts with label WS-Federation. Show all posts
12 December 2018
04 August 2016
Apache Fediz with Client Certificate Authentication (X.509)
In this blog post I will explain how to generate your own SSL key-pair to perform certificate based authentication for SSO purposes with Apache Fediz IDP.
05 February 2016
Apache Fediz installation in production
In this article I'll explain to you what to do and what to be aware of, when you want to user Fediz IDP in production.
Basically you need to change all default passwords and certificates.
If you will use Tomcat as user Servlet container I'll also give you some tips how to secure tomcat best, so that an attacker will have a hard time breaking into your system.
Basically you need to change all default passwords and certificates.
If you will use Tomcat as user Servlet container I'll also give you some tips how to secure tomcat best, so that an attacker will have a hard time breaking into your system.
18 December 2015
Register trusted 3rd party IDP with SAML Web Browser SSO Profile
In this Post I'll explain how to configure Apache Fediz IDP so that it can be used with a trusted 3rd party IDP based on SAML Web Browser SSO Profile.
In my previous posts about Apache Fediz I focused on the WS-Federation passive protocol only since it is the successor standard for the SAML Web Browser SSO Profile. But in some cases you will have to establish a federated trust relation with an IDP how does not support the WS-Federation Standard yet, but only the older SAML Web Browser SSO Profile.
I'll explain how to register a SAML trusted IDP at the IDP as well as how to setup a demonstrator. Please also take a look at Colms post about this topic.
In my previous posts about Apache Fediz I focused on the WS-Federation passive protocol only since it is the successor standard for the SAML Web Browser SSO Profile. But in some cases you will have to establish a federated trust relation with an IDP how does not support the WS-Federation Standard yet, but only the older SAML Web Browser SSO Profile.
I'll explain how to register a SAML trusted IDP at the IDP as well as how to setup a demonstrator. Please also take a look at Colms post about this topic.
14 December 2015
Fediz with OpenID Connect Support and WS-Federation Bridge (2/2)
Setup a Demonstrator
Setup Fediz IDP & OIDC
First you need to setup the Fediz IDP as usual. To get the OIDC Service working you also need to do the following:- Install Fediz Plugin for the Fediz IDP Server (usually you would do this for the client application only)
For thefediz_config.xmlyou can use the sample provided with the OIDC Service. - Download or build the OIDC service and then deploy the
fediz-oidc.warfile to your webapps folder (same place where you deployed STS & IDP)
09 December 2015
Fediz with OpenID Connect Support and WS-Federation Bridge (1/2)
I'm currently engaged for a big company to provide a solution that allows this company to offer various (REST) services to their partners while these services are hosted and maintained by the company but users can login to these services with accounts managed within their own partner network.
This solution should work for Web-Portals, Mobile Apps & Desktop Applications.
First I was skeptical if it will be possible to find one solution fitting all theses different use cases. But I think I actually did find a very interesting solution. In this post I'll explain the overall architecture of this solution. In my next posts I'll tell you how to get a Liferay Web-Portal integrated as well as a mobile App based on Android.
WS-Federation normally uses SAML Tokens for user authentication. This is fine for container based security solutions, when the user wants to login to a web-portal. But modern web applications (e.g. AJAX based) tend to be executed primarily in the Browser, invoking REST backend services directly from within the Browser.
Handling XML based tokens (incl. XML signature validation) is just a too heavy burden for this type of applications. Also handling lifetime issues with SAML Token could require a Token exchange with an STS. But an STS only provides a SOAP interface according to WS-Trust. It is not feasible for a AJAX Web Application to handle SOAP communication including XML security. Browser based applications should be light-weight and thus they prefer talking to REST services.
This solution should work for Web-Portals, Mobile Apps & Desktop Applications.
First I was skeptical if it will be possible to find one solution fitting all theses different use cases. But I think I actually did find a very interesting solution. In this post I'll explain the overall architecture of this solution. In my next posts I'll tell you how to get a Liferay Web-Portal integrated as well as a mobile App based on Android.
WS-Federation normally uses SAML Tokens for user authentication. This is fine for container based security solutions, when the user wants to login to a web-portal. But modern web applications (e.g. AJAX based) tend to be executed primarily in the Browser, invoking REST backend services directly from within the Browser.
Handling XML based tokens (incl. XML signature validation) is just a too heavy burden for this type of applications. Also handling lifetime issues with SAML Token could require a Token exchange with an STS. But an STS only provides a SOAP interface according to WS-Trust. It is not feasible for a AJAX Web Application to handle SOAP communication including XML security. Browser based applications should be light-weight and thus they prefer talking to REST services.
Subscribe to:
Posts (Atom)