- Single Logout
The IDP supports to logout from all web applications in one click according the WS-Federation specification
- REST interface and JPA persistence store
Configure your IDP, its relying parties (applications) and Trusted IDPs using a REST interface and make the configuration persistent in a database instead of using Spring configuration files.
The current release version of the IDP is configured with spring configuration files which is fine for static configurations. If you make a change to support new claims or register a new relying party (web application) you have to update the spring configuration file of the fediz-idp WAR and redeploy. Therefore, the IDP has been enhanced to provide a REST interface to manage the IDP(s), its trusted IDPs, the applications and the claims for each application as well as for the IDP. The data is persistet using JPA. The complexity of the IDP is increased due to the requirement of a database but you can also use a database like H2 or HSQL which supports to launch the database embedded. The following picture illustrates the class diagram and its relationships:
As you notice, all relationships are aggregations which means the lifecycle of application has no dependency to the claims. The relationship between application and claim is specical because depending on the relation an claim is optional or mandatory.
REST Interface
The classes in the above class diagram map to root level resources which are independently managed (create, read, update, delete).
Base URL: https://
Resource Claim
/claims
- GET
-
Returns all resources for
- N.A.
- 200 (OK)
Response Body:
<ns2:claims xmlns:ns2="http://org.apache.cxf.fediz/"> <ns2:claim> <claimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postal</claimType> </ns2:claim> <ns2:claim> <claimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surename</claimType> </ns2:claim> </ns2:claims>
- 500 (Error)
Claim
. This is a collection and can be filtered (see below)Request
- POST
-
Create a new Claim resource
Request
<ns2:claim xmlns:ns2="http://org.apache.cxf.fediz/"> <claimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postal</claimType> </ns2:claim>
Response- 201 (Created)
Response Body: The created resource.
Response Header:
Location
contains the URL of the created resource. - 500 (Error)
- 201 (Created)
/claims/{claimType}
- GET
-
Get the claim with the requested
- N.A.
- 200
Response Body: The claim with the requested
claimType
- 500 (Error)
- 404 (Not found)
claimType
Request
- PUT
-
Update the claim with PathParam
claimType
Request
<ns2:claim xmlns:ns2="http://org.apache.cxf.fediz/"> <claimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postal</claimType> <displayName>Postal</displayName> </ns2:claim>
Response- 204 (No Content)
- 500 (Error)
-
Delete the claim with the
- N.A.
- 204 (NoContent)
- 500 (Error)
claimType
passed as PathParamRequest
Resource Application
/applications
- GET
-
Returns all resources for
- N.A.
- 200 (OK)
Response Body:
<applications xmlns:ns2="http://org.apache.cxf.fediz/"> <ns2:application id="100"> <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm> <role>ApplicationServiceType</role> <serviceDisplayName>Fedizhelloworld</serviceDisplayName> ...
- 500 (Error)
Application
. This is a collection and can be filtered (see below)Request
- POST
-
Create a new Application resource
Request
<ns2:application xmlns:ns2="http://org.apache.cxf.fediz/"> <realm>urn:org:apache:cxf:fediz:newapp</realm> <role>ApplicationServiceType</role> <serviceDisplayName>Fedizhelloworld new</serviceDisplayName>
Response- 201 (Created)
Response Body: The created resource.
Response Header:
Location
contains the URL of the created resource. - 500 (Error)
- 201 (Created)
/applications/{realm}
- GET
-
Get the application with the requested
- N.A.
- 200
Response Body: The application with the requested
realm
- 500 (Error)
- 404 (Not found)
realm
Request
- PUT
-
Update the application with PathParam
realm
Request
<ns2:application xmlns:ns2="http://org.apache.cxf.fediz/"> <realm>urn:org:apache:cxf:fediz:newapp</realm> <role>ApplicationServiceType</role> <serviceDisplayName>Fedizhelloworld new</serviceDisplayName> ...
Response- 204 (No Content)
- 500 (Error)
-
Delete the application with the
- N.A.
- 204 (NoContent)
- 500 (Error)
realm
passed as PathParamRequest
/applications/{realm}/claims
- POST
-
Add a relationship (aggregation) between the application
realm
to an existing claimRequest
<ns2:requestClaim xmlns:ns2="http://org.apache.cxf.fediz/"> <claimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</claimType> <optional>false</optional> </ns2:requestClaim>
Response- 201 (No Content)
- 409 (Conflict)
If the claim is already added to the resource
- 500 (Error)
/applications/{realm}/claims/{claimType}
- DELETE
-
Delete the relationship (aggregation) between resource
- N.A.
- 204 (NoContent)
- 500 (Error)
Application
with therealm
and the Sub-Resourceclaim
Request
Resource TrustedIdp
/trusted-idps
- Trusted IDP has got the same methods like the Resource
Claim
andApplication
/trusted-idps/{realm}
- Trusted IDP has got the same methods like the Resource
Claim
andApplication
Resource Idp
/idps
- IDP has got the same methods like the other resources
/idps/{realm}
- IDP has got the same methods like the other resources
/idps/{realm}/claims
- POST
-
Add a relationship (aggregation) between the resource
Idp
with therealm
to an existing claimRequest
<ns2:Claim xmlns:ns2="http://org.apache.cxf.fediz/"> <claimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</claimType> </ns2:Claim>
Response- 204 (No Content)
- 409 (Conflict)
If the claim is already added to the resource
- 500 (Error)
/idps/{realm}/claims/{claimType}
- DELETE
-
Delete the relationship (aggregation) between resource
- N.A.
- 204 (NoContent)
- 500 (Error)
Idp
with therealm
and the Sub-Resourceclaim
Request
/idps/{realm}/applications
- POST
-
Add a relationship (aggregation) between the resource
Idp
with therealm
to an existing resourceApplication
Request
<ns2:Application xmlns:ns2="http://org.apache.cxf.fediz/"> <realm>urn:org:apache:cxf:fediz:newapp</realm> </ns2:Application>
Response- 204 (No Content)
- 409 (Conflict)
If the application is already added to the resource
- 500 (Error)
/idps/{realm}/applications/{applicationRealm}
- DELETE
-
Delete the relationship (aggregation) between resource
- N.A.
- 204 (NoContent)
- 500 (Error)
Idp
with therealm
and the Sub-ResourceApplication
passed inapplicationRealm
Request
/idps/{realm}/trusted-idps
- POST
-
Add a relationship (aggregation) between the resource
Idp
with therealm
to an existing resourceTrustedIdp
Request
<ns2:TrustedIdp xmlns:ns2="http://org.apache.cxf.fediz/"> <realm>urn:org:apache:cxf:fediz:idp:realm-B</realm> </ns2:TrustedIdp>
Response- 204 (No Content)
- 409 (Conflict)
If the trusted IDP is already added to the resource
- 500 (Error)
/idps/{realm}/trusted-idps/{trustedIdpRealm}
- DELETE
-
Delete the relationship (aggregation) between resource
- N.A.
- 204 (NoContent)
- 500 (Error)
Idp
with therealm
and the Sub-ResourceTrustedIdp
passed intrustedIdpRealm
Request
Additional features of the REST interface
- JSON Support
By adding
.json
as a suffix to the URL you can enforce to get a JSON representation back instead of the default XML representation - Filter entries on collections (paging)
The query parameters
start
andsize
allow you to define (default, 0, 5) - Query parameter
expand
As of now, sub-resources are embedded in the response by default. But I'm considering to not return all sub-resources by default when hypermedia support is added to the REST interface. Hypermedia will return link URLs where the sub-resources can be resolved
Claim
is embedded in the resource Application
.
<ns2:application id="100" xmlns:ns2="http://org.apache.cxf.fediz/"> <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm> ... <claims> <ns2:requestClaim id="100"> <claimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</claimType> <description>Description for firstname</description> <displayName>firstname</displayName> <optional>true</optional> </ns2:requestClaim>The resource
Application
supports the values claims and all for the query parameter expand
and the resource Idp
supports the values claims, trusted-idps and applications. You can also send several values for the query parameter expand
as illustrated in the following example:
?expand=claims&expand=applications
What is missing in the current SNAPSHOT version
The following features are missing in the current SNAPSHOT version:- Single Log Out (Patch applied to JIRA request)
- Authentication support for REST interface
- Hypermedia support for REST interface
Note
As you noticed, the IDP supports a collection of IDPs. This is by intention even the current version doesn't support several realms in one IDP whereas the feature is already supported by the STS. This is planned in the next release.
In smaller companies you might have only one Identity Store whereas in bigger companies you probably have more than one Identity Store. To avoid deploying each IDP realm in a different Servlet Contexts the Fediz IDP will support several IDPs in one deployment. The realms are differentiated by the URL which is addressed by property uri
in the future.
Testing
You can either start the IDP standalone (Jetty Maven Plugin) or within a pre-configured Tomcat Container.
Standalone deployment
The easiest approach to test the new IDP is checking out the sources as described in section Building here and build from the project root directory:mvn clean installThen run within the sub-directory
services/idp
the following Maven command:
mvn jetty:run-warThis command will start the Jetty container and deploy the IDP in there. The database used in HSQL and the default HTTPS port is 9443 and HTTP is 9080. You can overwrite the ports with the Maven properties
idp.https.port
and idp.http.port
as illustrated here:
mvn jetty:run-war -Didp.https.port=8443
Tomcat Deployment
Thefediz-idp.war
does NOT ship the JDBC driver JAR. Be sure to deploy it under $CATALINA_HOME/lib
. If you don't update the persistence.properties
the default database is HSQL.
You can also define the datasource on the Container Level if you like under the JNDI name java:comp/env/jdbc/fedizDataSource
.
soapUI Test
After you started the IDP you can import the WADL (WADL is the counterpart of a WDSL for Web Services) which can be accessed at the following URL (assumption: you started the IDP with the defaults):https://localhost:9443/fediz-idp/services/rs?_wadl
Summary
The REST interface is in early stage and subject to change. It's very important to have a stable REST interface for future. As the current IDP doesn't provide a Web-UI yet, you can build your own Web-UI and use the REST interface to administer the behaviour of the Fediz IDP. Therefore, it's very important to get a stable REST interface without requiring changes in your Web-UI with each new Fediz IDP release.Please provide feedback to the CXF Dev Mailing list to discuss the feedback in broader audience.
Hi Oliver,
ReplyDeleteDo you know when Fediz 1.2 will be released? I am keen to use Fediz 1.2 for its REST interface on a project that I am working on.
Thanks,
Shannon
Good morning,
ReplyDeleteI would tell, It is a great soft . I am Tomek , programmer, Warsaw, Poland.
I have been trying to install and setup the Fediz Software on Tomcat 7. I have a problems runtime work about IDP (1.2.0-snapshot). Therfore i trying to setup the fediz-1.1.0 , and it work
good.
There is one little issue under Fediz deployment in other Locality than EN / DE. The artifact "org.apache.santurio" "xmlsec-1.5.5" or "xmlsec-2.0.0-snapshot" do not include the file xmlsecurity_Locale.properties with other language versions than EN or DE. These files are placed in path:
/org/apache/xml/security/resource/ . I created and add to the new version of that artifiact, the xmlsecurity_pl.properties file for , accroding to the ones with "en" and "de" locality/language versions. The lack of this file causes the runtime exception , under deployment with other Locality than DE or EN. I can provide this file to Apache Cxf, or Apache Santurio, could You give me a clue where i should to go with it.
I have some problems with integration and set-up the fediz-1.2.0-Snapshot.
with fediz-1.2.0 , The errors which i have are about the IDP service:
I write about this issue in next comments.
Best Regards.
Tomek.
You can log an issue in the santuario project here:
Deletehttps://issues.apache.org/jira/browse/SANTUARIO
and attach your patch.
Thanks
Oli
I have some problems with integration and set-up the fediz-1.2.0-Snapshot.
ReplyDeletewith fediz-1.2.0 , The errors which i have are about the IDP service:
2014-03-12 14:47:38,502 [http-bio-9080-exec-7] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2014-03-12 14:47:38,505 [http-bio-9080-exec-7] DEBUG org.springframework.security.authentication.dao.DaoAuthenticationProvider - User 'alice' not found
2014-03-12 14:47:39,682 [http-bio-9080-exec-7] INFO org.apache.cxf.fediz.service.idp.STSAuthenticationProvider - Failed to authenticate user 'alice'
org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
at org.apache.cxf.wsdl11.WSDLServiceFactory.(WSDLServiceFactory.java:87)
at org.apache.cxf.ws.security.trust.AbstractSTSClient.createClient(AbstractSTSClient.java:581)
at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:661)
at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
at org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:123)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
2014-03-12 14:47:46,025 [http-bio-9080-exec-7] DEBUG org.springframework.security.authentication.dao.DaoAuthenticationProvider - User 'bob' not found
2014-03-12 14:47:46,026 [http-bio-9080-exec-7] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.apache.cxf.fediz.service.idp.STSAuthenticationProvider
2014-03-12 14:47:46,084 [http-bio-9080-exec-7] INFO org.apache.cxf.fediz.service.idp.STSAuthenticationProvider - Failed to authenticate user 'bob'
org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
at org.apache.cxf.wsdl11.WSDLServiceFactory.(WSDLServiceFactory.java:87)
at org.apache.cxf.ws.security.trust.AbstractSTSClient.createClient(AbstractSTSClient.java:581)
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://localhost:0/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl'.: java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine
at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
Caused by: java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
2014-03-13 15:57:23,343 [http-bio-9443-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /federation?wa=wsignin1.0&wreply=http%3A%2F%2Flocalhost%3A8080%2Ffedizhelloworld%2Fsecure%2Ftest.html&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld&wct=2014-03-13T14%3A57%3A14.199Z at position 6 of 10 in additional filter chain; firing Filter: 'GrantedAuthorityEntitlements'
2014-03-13 15:57:23,370 [http-bio-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
2014-03-13 15:57:23,375 [http-bio-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_UPDATE' not found
2014-03-13 15:57:23,380 [http-bio-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_CREATE' not found
Can you check the log statements of the STSPortFilter? The purpose of this is that if IDP (fediz-idp.war) and STS (fediz-idp-sts.war) are deployed in the same container, you don't have to update the STS url if the URL is localhost and port 0. Then, it will be updated automatically.
DeleteI'd recommend to place this request in the CXF mailing list and attach the zipped log file.
Thanks
Oli
Hi Shannon
ReplyDeleteThere are a few features missing like SAML-P support. Recently, I just added fine grained authorization support for the REST interface. You can define your own roles and map these to the entitlements. Fediz depends on CXF 3.0 which is not yet released but should be soon.
Gut feeling is end of april. But keep using Fediz and post feedback to the CXF mailing list
Thanks
Oli