Posted to users@cxf.apache.org by chris snow <ch...@gmail.com> on 2013/05/03 14:46:03 UTC
Fediz: key and keystore requirements
I'm trying to understand the key and keystore requirements for Fediz using
IDP, STS and RP all deployed in separate web containers and using native
Spring Security in the RP.
I have uploaded my current understanding here:
Re: Fediz: key and keystore requirements
Posted by chris snow <ch...@gmail.com>.
Hi Oli,
Thanks for checking over the image. Happy for the image to be uploaded to
the wiki. I have the Visio document it came from too if that helps.
As for the option for IDP to STS authentication using
SignedSupportingTokens or mutual SSL-handshake, I'm not sure yet. At this
stage, I'm trying to work out and document all the options (along with
reading the WS-FEDERATION and WS-TRUST specifications).
I'm still not sure where:
- the IDP APP Public key is configured within the STS service
- the IDP APP Private key is configured within the IDP service
Many thanks,
Chris
On Fri, May 3, 2013 at 2:59 PM, Oliver Wulff <ow...@talend.com> wrote:
> Great overview. Would be great to have something like this on the wiki. I
> spotted one thing. The public key in the RP is the "STS App Public Key"
> instead of "STS Container SSL Public Key".
>
> The keystore to validate the SAML token signature is configured here:
> http://cxf.apache.org/fediz-configuration.html -->certificateStores
>
> Do you plan a SignedSupportingTokens policy between the IDP and STS or use
> mutual SSL-handshake?
>
> Thanks
> Oli
>
>
> ________________________________________
> From: chris snow [chsnow123@gmail.com]
> Sent: 03 May 2013 14:49
> To: users@cxf.apache.org
> Subject: Re: Fediz: key and keystore requirements
>
> I'm trying to understand the key and keystore requirements for Fediz using
> IDP, STS and RP all deployed in separate web containers and using native
> Spring Security in the RP.
>
> I have uploaded my current understanding here:
>
> http://picpaste.com/Fediz_Keystores-INNrABZM.png
>
> Questions:
>
> Is this diagram correct?
> The diagram has some questions: "Configured in ?" - where are these keys
> configured in the code?
>
--
Chris Snow -
http://uk.linkedin.com/pub/chris-snow-mba-tech-mgmt-cissp/6/0/316
RE: Fediz: key and keystore requirements
Posted by Oliver Wulff <ow...@talend.com>.
Great overview. Would be great to have something like this on the wiki. I spotted one thing. The public key in the RP is the "STS App Public Key" instead of "STS Container SSL Public Key".
The keystore to validate the SAML token signature is configured here:
http://cxf.apache.org/fediz-configuration.html -->certificateStores
Do you plan a SignedSupportingTokens policy between the IDP and STS or use mutual SSL-handshake?
Thanks
Oli
________________________________________
From: chris snow [chsnow123@gmail.com]
Sent: 03 May 2013 14:49
To: users@cxf.apache.org
Subject: Re: Fediz: key and keystore requirements
I'm trying to understand the key and keystore requirements for Fediz using
IDP, STS and RP all deployed in separate web containers and using native
Spring Security in the RP.
I have uploaded my current understanding here:
http://picpaste.com/Fediz_Keystores-INNrABZM.png
Questions:
Is this diagram correct?
The diagram has some questions: "Configured in ?" - where are these keys
configured in the code?
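To make Oli's two points concrete (the RP trusts the STS token-signing certificate, and that truststore lives under certificateStores), here is an added example of an RP-side fediz_config.xml; it is not from the thread or the Fediz project. Element names follow the fediz_config.xml schema as documented on the linked configuration page; the context name, keystore file name, password and issuer URL are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: RP-side fediz_config.xml.
     Context name, file names, passwords and URLs are placeholders. -->
<FedizConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
    </audienceUris>
    <!-- Truststore used to validate the signature on the SAML token.
         It holds the STS token-signing certificate ("STS App Public Key"),
         not the certificate the STS container presents for its TLS listener. -->
    <certificateStores>
      <trustManager>
        <keyStoreFile>ststrust.jks</keyStoreFile>
        <keyStorePassword>CHANGEME-storepass</keyStorePassword>
        <keyStoreType>JKS</keyStoreType>
      </trustManager>
    </certificateStores>
    <!-- Only tokens signed by a certificate present in that truststore
         are accepted (PeerTrust); unrelated CA-signed certs are not enough. -->
    <trustedIssuers>
      <issuer certificateValidation="PeerTrust" />
    </trustedIssuers>
    <maximumClockSkew>1000</maximumClockSkew>
    <protocol xsi:type="federationProtocolType" version="1.0.0">
      <roleDelimiter>,</roleDelimiter>
      <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
      <!-- WS-Federation endpoint of the IDP the RP redirects to (placeholder). -->
      <issuer>https://idp.example.org:9443/fediz-idp/federation</issuer>
    </protocol>
  </contextConfig>
</FedizConfig>
```

The IDP's own HTTPS certificate is trusted by the user's browser, not by this file; the RP only needs the key that signs the tokens it receives.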
Re: Fediz: key and keystore requirements
Posted by chris snow <ch...@gmail.com>.
I'm trying to understand the key and keystore requirements for Fediz using
IDP, STS and RP all deployed in separate web containers and using native
Spring Security in the RP.
I have uploaded my current understanding here:
http://picpaste.com/Fediz_Keystores-INNrABZM.png
Questions:
Is this diagram correct?
The diagram has some questions: "Configured in ?" - where are these keys
configured in the code?