Posted to users@cxf.apache.org by jasonlbetz <be...@mayo.edu> on 2015/08/18 17:04:56 UTC

CXF Fediz and ADFS Configuration Help

I’m trying to use Fediz to tie into my organization’s ADFS environment. I
have successfully set up my app as an RP to the sample Fediz IDP/STS. However,
when I try to switch the fediz_config to use the ADFS STS, I get the
following error.

2015-08-17 11:28:52,951 [http-bio-8443-exec-4] WARN org.apache.cxf.fediz.core.saml.SAMLTokenValidator  - Issuer 'http://dev.login.mayo.edu/adfs/services/trust' not trusted
2015-08-17 11:28:52,954 [http-bio-8443-exec-4] ERROR org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider  - Failed to validate SignIn request
org.apache.cxf.fediz.core.exception.ProcessingException: Security token issuer not trusted

I have extracted the signing key from the ADFS Federation Metadata and added
it to my ststrust.jks keystore.
I have also modified the fediz_config as follows.

<trustedIssuers>
	<issuer subject=".*CN=MFAD ADFS Token Signing Certificate - dev.login.mayo.edu.*" certificateValidation="ChainTrust" name=" MFAD ADFS Token Signing Certificate - dev.login.mayo.edu" />
</trustedIssuers>

I have tried both ChainTrust and PeerTrust and receive the error under both.
I wasn’t sure what the Name attribute was supposed to contain, but I’ve
tried various strings to no avail.

Any guidance on this config would be much appreciated. I’d love to get my
Tomcat environment participating in our ADFS federation environment.

Thanks,
Jason Betz




--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-Fediz-and-ADFS-Configuration-Help-tp5760244.html
Sent from the cxf-user mailing list archive at Nabble.com.

RE: CXF Fediz and ADFS Configuration Help

Posted by jasonlbetz <be...@mayo.edu>.
Jan,

Thank you so much for the guidance.

I made the config change as you suggested and inspected the token coming back from ADFS. It was the same token I had already imported into my ststrust keystore.

That got me wondering whether Fediz was validating against a different keystore. Sure enough, there was another keystore in my app called ststrust. After deleting the app-specific ststrust keystore, federation worked perfectly. I then moved my server ststrust keystore into my app and it still worked perfectly.

Everything is now working! Thank you for the quick reply.

Jason


AW: CXF Fediz and ADFS Configuration Help

Posted by Jan Bernhardt <jb...@talend.com>.
Hi Jason,

I would recommend Fiddler to monitor all redirects from your browser.

Did you disable the token encryption at your ADFS? I think by default ADFS encrypts the SAML token, which makes it harder to analyze any issues. So if it is still enabled, please disable the token encryption.

Next you should check (with Fiddler, for example) whether the certificate included within the SAML token (which is sent to the RP) is the same as the one in your ststrust.jks. Maybe you picked the wrong certificate from the metadata document.

I would also recommend using "PeerTrust". In this case you do not need the complete certificate chain in your keystore, only the STS certificate.
I would also recommend that you use the following configuration at your RP (completely without an issuer subject name):

<certificateStores>
	<trustManager>
		<keyStore file="ststrust.jks" password="storepass" type="JKS" />
	</trustManager>
</certificateStores>
<trustedIssuers>
	<issuer certificateValidation="PeerTrust" />
</trustedIssuers>


Kind regards
Jan

-- 
Jan Bernhardt

Talend Community Coder
http://coders.talend.com

Visit my Blog
https://janbernhardt.blogspot.de
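A small diagnostic, added here and not part of Fediz or of either poster's setup, that performs the comparison Jan describes: it pulls the signing certificate out of the SAML assertion the RP receives, fingerprints it, and checks it against the certificates exported from the ststrust.jks the RP actually loads (the place where a stray app-local keystore like Jason's would show up). The token and certificate bytes below are constructed placeholders, not real ADFS output; an encrypted assertion is reported as not inspectable, matching the advice to switch token encryption off while debugging.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der):
    """SHA-256 fingerprint in keytool's colon-separated form, for side-by-side comparison."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def token_signing_certs(saml_xml):
    """DER bytes of each ds:X509Certificate in the token's KeyInfo; ValueError if none/encrypted."""
    root = ET.fromstring(saml_xml)
    if any(el.tag.endswith(("}EncryptedAssertion", "}EncryptedData")) for el in root.iter()):
        raise ValueError("assertion is encrypted; disable token encryption on ADFS to inspect it")
    certs = [base64.b64decode("".join(n.text.split()))
             for n in root.findall(".//ds:Signature/ds:KeyInfo//ds:X509Certificate", NS) if n.text]
    if not certs:
        raise ValueError("no ds:X509Certificate in the token's KeyInfo")
    return certs

def diagnose(saml_xml, trusted_ders):
    """PeerTrust-style check: the token's own signing cert must be in the trust store.
    trusted_ders maps keystore alias -> DER bytes (e.g. exported with keytool -exportcert)."""
    try:
        certs = token_signing_certs(saml_xml)
    except ValueError as exc:
        return f"cannot inspect: {exc}"
    issuer = ET.fromstring(saml_xml).findtext(".//saml2:Issuer", default="?", namespaces=NS)
    trusted = {fingerprint(der): alias for alias, der in trusted_ders.items()}
    for fp in map(fingerprint, certs):
        if fp in trusted:
            return f"issuer '{issuer}' trusted: token cert matches alias '{trusted[fp]}' ({fp})"
    return f"issuer '{issuer}' not trusted: token cert {fingerprint(certs[0])} is not in the keystore"

# Constructed placeholder DER bytes, NOT real certificates; only their fingerprints matter here.
ADFS_SIGNING_DER = b"\x30\x82constructed ADFS token signing cert"
OTHER_CERT_DER = b"\x30\x82constructed cert from the wrong keystore"

# Constructed, minimal stand-in for the signed assertion ADFS returns to the RP.
SAMPLE_TOKEN = f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}" Version="2.0">
  <saml2:Issuer>http://dev.login.mayo.edu/adfs/services/trust</saml2:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(ADFS_SIGNING_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</saml2:Assertion>"""
ENCRYPTED_TOKEN = f'<saml2:EncryptedAssertion xmlns:saml2="{NS["saml2"]}"/>'
```

To run it against a real deployment, export each keystore entry with `keytool -exportcert -rfc -alias <alias> -keystore ststrust.jks`, base64-decode the PEM bodies into trusted_ders, and paste the assertion captured from the browser (with Fiddler, as suggested above) in place of SAMPLE_TOKEN.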