Posted to users@cxf.apache.org by Sarafian <sa...@yahoo.gr> on 2012/06/11 16:39:56 UTC

Compatibility with Windows Identity Foundation (WIF)

Hi,

I'm part of a team that is prototyping against moving security from a
trusted subsystem architecture towards an STS one.

Most of the application is built on top of the .NET stack using the WIF
library and the Windows Identity Foundation Federation Utility (FedUtil) for
configuration. The STS tested against for now is ADFS.

Our tests include the passive and active profiles, with and without identity
delegation.

Now we want to test against another STS, preferably one that doesn't use
Active Directory as an Identity Provider.

We are thinking about the CXF STS and we are wondering how compatible it is.
Does the CXF STS expose endpoints for configuration like ADFS does through the
FederationMetadata.xml? This would be very useful for the FedUtil.
Does the STS support identity delegation through the ActAs element?

Whatever information you can provide will be appreciated.
Thank you in advance.


--
View this message in context: http://cxf.547215.n5.nabble.com/Compatibility-with-Windows-Identity-Foundation-WIF-tp5709520.html
Sent from the cxf-user mailing list archive at Nabble.com.

RE: Compatibility with Windows Identity Foundation (WIF)

Posted by Oliver Wulff <ow...@talend.com>.
>>>
At least from my .NET WCF experience with ADFS, it is the most difficult part from both ends. And having a tool like FedUtil helps a lot for deployment.
>>>
I think the challenge with .NET is that you have to configure a lot in a .NET specific way like the different kind of bindings. In CXF, you can express a lot in WS-SecurityPolicy which is not specific to CXF.

I'll look at the Fediz IDP/STS to support publishing the Metadata document.

Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com


RE: Compatibility with Windows Identity Foundation (WIF)

Posted by Sarafian <sa...@yahoo.gr>.
Hi Oliver,

Thank you for your answers.

I have read your post and it looks helpful, especially on the certificates part.
Configuring WIF for the passive profile is easy. My biggest worry is the
Active Profile though. At least from my .NET WCF experience with ADFS, it is
the most difficult part from both ends. And having a tool like FedUtil helps
a lot for deployment.

Regarding the WS-Federation Publish Document, here is the JIRA item:
https://issues.apache.org/jira/browse/FEDIZ-15

I'll also let you know when I run my tests and have my conclusions.

Thank you again.



RE: Compatibility with Windows Identity Foundation (WIF)

Posted by Oliver Wulff <ow...@talend.com>.
Hi Sarafian

I can share the experience I have had with WIF and CXF, based primarily on the Passive Requestor Profile.

The WS-Federation Passive Requestor Profile is supported by the CXF subproject called Fediz, which is described here (I hope a release is available next week):
http://cxf.apache.org/fediz.html

I've tested the Fediz IDP/STS with ASP.NET and WIF which is described on the following blog:
http://owulff.blogspot.ch/2012/02/configure-fediz-idp-and-aspnet-using.html

The Fediz STS is based on the CXF STS 2.6.1, which configures usernames/passwords and the users' claims in a file, but you can also attach an LDAP directory or write your custom plugin. You can find more information here:
http://cxf.apache.org/fediz-idp.html

In my case, I haven't used the FedUtil to generate the web.config configuration. I've created the config once and then copied/pasted it into the different ASP.NET projects. Right now, neither the Fediz IDP nor the STS supports publishing the WS-Federation Metadata document. This is supported only by the Fediz Relying Party - committed this morning ;-)
Please raise a JIRA with Fediz and CXF to track this request.

>>>
Does the STS support identity delegation through the ActAs element?
>>>
The STS supports identity delegation either with ActAs or OnBehalfOf. Fediz ships an example where a WS-Federation (passive) protected web application calls a web service which is protected by an IssuedToken policy. This example uses OnBehalfOf but ActAs is supported as well.

Check the README here for more information:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/

HTH

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
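As an added illustration (not code from this thread, nor from Fediz or CXF), the Python snippet below shows the distinction drawn above between ActAs (WS-Trust 1.4) and OnBehalfOf (WS-Trust 1.3): it parses a constructed RequestSecurityToken, reports which delegation element is present and whom it names, and checks the embedded assertion's issuer against an assumed trusted-issuer list, which is the kind of gate an STS applies before issuing a delegated token. The sample RST, the issuer and subject values, and the trusted-issuer set are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespaces from the WS-Trust 1.3/1.4 and SAML 2.0 specifications.
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WST14 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample RST: a caller asks the STS for a token while acting as
# the user named in the embedded assertion (unsigned here, for brevity).
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST13}" xmlns:wst14="{WST14}">
  <wst:RequestType>{WST13}/Issue</wst:RequestType>
  <wst14:ActAs>
    <saml2:Assertion xmlns:saml2="{SAML2}">
      <saml2:Issuer>https://idp.example.test/fediz</saml2:Issuer>
      <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
    </saml2:Assertion>
  </wst14:ActAs>
</wst:RequestSecurityToken>"""

# Assumption: issuers whose assertions this STS accepts as a delegation token.
TRUSTED_ISSUERS = {"https://idp.example.test/fediz"}

# ActAs lives in the WS-Trust 1.4 namespace, OnBehalfOf in WS-Trust 1.3.
DELEGATION_TAGS = (("ActAs", f"{{{WST14}}}ActAs"),
                   ("OnBehalfOf", f"{{{WST13}}}OnBehalfOf"))


def inspect_delegation(rst_xml: str) -> dict:
    """Report the delegation element in an RST and whether its issuer is trusted.

    mode is "ActAs", "OnBehalfOf", "ambiguous" (both present) or None.
    Signature and Conditions checks on the assertion are deliberately out of
    scope here; a real STS must perform them before trusting the issuer value.
    """
    root = ET.fromstring(rst_xml)
    found = [(mode, root.find(tag)) for mode, tag in DELEGATION_TAGS]
    found = [(mode, elem) for mode, elem in found if elem is not None]
    result = {"mode": None, "issuer": None, "subject": None, "trusted": False}
    if len(found) > 1:          # never treat a request carrying both as delegation
        result["mode"] = "ambiguous"
        return result
    if not found:               # plain Issue request, no delegation at all
        return result
    mode, elem = found[0]
    result["mode"] = mode
    assertion = elem.find(f"{{{SAML2}}}Assertion")
    if assertion is None:       # delegation element without a SAML token
        return result
    result["issuer"] = assertion.findtext(f"{{{SAML2}}}Issuer")
    result["subject"] = assertion.findtext(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    result["trusted"] = result["issuer"] in TRUSTED_ISSUERS
    return result
```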
