Posted to users@cxf.apache.org by GiannisSam <io...@gmail.com> on 2014/10/01 01:03:38 UTC

Re: Use Fediz with LDAP

Hello.

So I kind of solved my problem myself. After all using one realm (REALMA), 2
endpoints are needed:
1) address="/REALMA/STSServiceTransportUT" in ldap.xml and jaasUTValidator
2) address="/REALMA/STSServiceTransport" in cxf-transport

So now my LDAP users are getting authenticated along with their claims and
with their "role" from LDAP groups.
I see all that correctly in the Tomcat output, tokens getting created and
everything, but my RP application is giving me "HTTP Status 403 - Access to
the requested resource has been denied". That application is working with
file-based authentication and I can't understand why now it does not, since
authentication is successful and all claims are passed correctly.

Any insight would be really great.

Here is the IDP-tomcat output:

INFO: Server startup in 21982 ms
2014-10-01 01:40:15,461 [http-bio-9443-exec-1] INFO 
org.apache.cxf.fediz.service.idp.STSPortFilter  -
STSAuthenticationProvider.wsdlLocation set to
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
2014-10-01 01:40:15,789 [http-bio-9443-exec-1] INFO 
org.springframework.web.context.support.GenericWebApplicationContext  -
Refreshing Flow ApplicationContext [federation]: startup date [Wed Oct 01
01:40:15 EEST 2014]; parent: WebApplicationContext for namespace
'idp-servlet'
2014-10-01 01:40:15,792 [http-bio-9443-exec-1] INFO 
org.springframework.beans.factory.support.DefaultListableBeanFactory  -
Pre-instantiating singletons in
org.springframework.beans.factory.support.DefaultListableBeanFactory@6834cd6a:
defining beans
[org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
parent:
org.springframework.beans.factory.support.DefaultListableBeanFactory@2a2e2155
2014-10-01 01:40:16,025 [http-bio-9443-exec-1] INFO 
org.springframework.web.context.support.GenericWebApplicationContext  -
Refreshing Flow ApplicationContext [signinRequest]: startup date [Wed Oct 01
01:40:16 EEST 2014]; parent: WebApplicationContext for namespace
'idp-servlet'
2014-10-01 01:40:16,031 [http-bio-9443-exec-1] INFO 
org.springframework.beans.factory.support.DefaultListableBeanFactory  -
Pre-instantiating singletons in
org.springframework.beans.factory.support.DefaultListableBeanFactory@3d1d1a49:
defining beans
[org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor];
parent:
org.springframework.beans.factory.support.DefaultListableBeanFactory@2a2e2155
2014-10-01 01:40:16,101 [http-bio-9443-exec-1] INFO 
org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction  - HRDS
is null (Mock).
2014-10-01 01:40:24,896 [http-bio-9443-exec-3] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound
Message
----------------------------
ID: 1
Address:
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-10-01 01:40:25,371 [http-bio-9443-exec-5] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound
Message
----------------------------
ID: 2
Address:
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl=ws-trust-1.4.wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-10-01 01:40:25,802 [http-bio-9443-exec-2] WARN 
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl  - No assertion
builder for type {http://www.w3.org/2006/05/addressing/wsdl}UsingAddressing
registered.
2014-10-01 01:40:26,496 [http-bio-9443-exec-2] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  -
Outbound Message
---------------------------
ID: 1
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*],
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsse:UsernameToken
wsu:Id="UsernameToken-D4D2167BDFF08F2B2C14121168264901"><wsse:Username>alice</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ecila</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:26,549 [http-bio-9443-exec-7] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound
Message
----------------------------
ID: 3
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
Content-Length=[1333], content-type=[text/xml; charset=UTF-8],
host=[localhost:9443], pragma=[no-cache],
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"],
user-agent=[Apache CXF 2.7.11]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsse:UsernameToken
wsu:Id="UsernameToken-D4D2167BDFF08F2B2C14121168264901"><wsse:Username>alice</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ecila</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
		[LdapLoginModule] authentication-only mode; SSL disabled
		[LdapLoginModule] user provider:
ldap://localhost:389/ou=Users,dc=ldap,dc=fediz
		[LdapLoginModule] attempting to authenticate user: alice
		[LdapLoginModule] authentication succeeded
		[LdapLoginModule] added LdapPrincipal "cn=alice,ou=Users,dc=ldap,dc=fediz"
to Subject
		[LdapLoginModule] added UserPrincipal "alice" to Subject
2014-10-01 01:40:28,705 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Parsing RequestSecurityToken
2014-10-01 01:40:28,732 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found AppliesTo element
2014-10-01 01:40:28,732 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found TokenType:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-10-01 01:40:28,732 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found KeyType:
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Renewing token
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.request.RequestParser  - Received Context attribute: null
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference
element
2014-10-01 01:40:28,745 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-10-01 01:40:28,746 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - The AppliesTo address that
has been received is: urn:fediz:idp
2014-10-01 01:40:28,761 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.service.StaticService  - Address urn:fediz:idp matches
with pattern .*
2014-10-01 01:40:28,763 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Handling token of
type:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-10-01 01:40:28,774 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.DefaultSubjectProvider  - Creating new
subject with principal name: alice
2014-10-01 01:40:31,690 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - SAMLRealm signature
keystore used
2014-10-01 01:40:31,690 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signature alias is
null so using default alias: realma
2014-10-01 01:40:31,691 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Creating SAML Token
2014-10-01 01:40:31,691 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signing SAML Token
2014-10-01 01:40:31,910 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.TokenIssueOperation  - Encrypting Issued Token:
false
2014-10-01 01:40:31,912 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime creation:
2014-09-30T22:40:31.661Z
2014-10-01 01:40:31,912 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime expiration:
2014-09-30T23:00:31.661Z
2014-10-01 01:40:31,913 [http-bio-9443-exec-7] DEBUG
org.apache.cxf.sts.event.map.MapEventLogger  - 10/1/14 1:40:31
AM;SUCCESS;3339ms;127.0.0.1;59826;Issue;https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT;REALMA;alice;<null>;<null>;<null>;<null>;<null>;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0;urn:fediz:idp;<null>;<null>;<null>;<null>;
2014-10-01 01:40:32,171 [http-bio-9443-exec-7] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  -
Outbound Message
---------------------------
ID: 3
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml
Headers: {}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://www.w3.org/2005/08/addressing"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168315051"
IssueInstant="2014-09-30T22:40:31.620Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168315051"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DhIjb9vI/mOQb+v8LV6johTHltk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Az/yTFieY3qVzBSOt+tiSepaf2pOttbWqDRw1+lQNG2Bb5nOWIk1AwS1K9gZ0pKKawC/DYqXPTJ6gtt/7twkk7zwXAtET2a94WEN2XlahlP2v8Qij/N611kgTPNoSz57rEGcXj8hDfKeK1684fR7EB6bXEpw+mD9z7Ne49SxU13ke/LDLXL+izJR2MVcapBoHHVd7xlZjyu43ClWQ/auqRm48m5RTsqyRN/xPYhL/cfemETNhrwY7Gnr/btLqPxvO34CZ1/sJqX8MlyU5umZ8+7aCGcOZHM3javwDqBEvtiP4ETsbIK+pIABs2gNROLxAbqeYkyfbVuw5RsGI0FRsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN
MTMwOTAzMjAyMjMxWhcNMjMwNzEzMjAyMjMxWjARMQ8wDQYDVQQDEwZSRUFMTUEwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnmQKgcHaFmTG/rMzlSP1DDVUn1AIVlUo2eBNBaOloKvyX
rYT6zwd+mno1Skj9EQMntx9LvK6xLiquLvuKP0XGeWHhJwgG4dBB1QQ71hosrWIaClLQrNuV8d8p
ztSkPfVrL5SdmlqDUAlC598rGhU7ttXPKp2FF8set2QIDSFZrRURpeAoh7aCdlySrJGBQsTGTvb4
N6yF8yoxKcVBIBb62q4xS1qU10Oa+iYig3+b+vNwSzcN5RE9Etw+nQ8q8soiwfGcVLmWjv1oDuLr
x1BOqL2zXxmISlJgv2/cC3DVnPb6IOmHaEklLbod7Nq0JgD0L27s4Js+ccXtkoBcQtRxAgMBAAGj
ITAfMB0GA1UdDgQWBBSSn4p1eScqsNyywCH37ipMdZNykzANBgkqhkiG9w0BAQsFAAOCAQEAnkmN
aVR3lXJWh4nOvNvzXz6vBSMbm/K4khu8mRtUWHikbwZE72ZLCD2Bv69YhNsaAZmtH02CERUXZTbh
8YXfZ0VnMh9ieTKHWpNGDOBdvfsd8jSLd4svIrP2vfMciS0px0Q87W4jntiQovhPuTEeOOanaG8R
2eaROTONRsTQxWWGep5FqhH6Of2hL7kwEjFyLDE/NIMHHeURlxmbwwMbnJoA8/wVOZnGOCkmnKs9
6DXHD+MBCboD+2UMl76GONiksAsD+LjiqZwZeWsZCP+NDPEjXOv/7MzpiCSMLLk+AWzQAZDqpDwj
ys1YXREbVVFVlS+3Sob0hd0SJr/hsHl9Hw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:31.661Z"
NotOnOrAfter="2014-09-30T23:00:31.661Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168315051</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168315051</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns3:Created>2014-09-30T22:40:31.661Z</ns3:Created><ns3:Expires>2014-09-30T23:00:31.661Z</ns3:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:32,181 [http-bio-9443-exec-2] INFO 
org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS  - Inbound
Message
----------------------------
ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {content-type=[text/xml;charset=UTF-8], Date=[Tue, 30 Sep 2014
22:40:32 GMT], Server=[Apache-Coyote/1.1], transfer-encoding=[chunked]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://www.w3.org/2005/08/addressing"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168315051"
IssueInstant="2014-09-30T22:40:31.620Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168315051"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DhIjb9vI/mOQb+v8LV6johTHltk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Az/yTFieY3qVzBSOt+tiSepaf2pOttbWqDRw1+lQNG2Bb5nOWIk1AwS1K9gZ0pKKawC/DYqXPTJ6gtt/7twkk7zwXAtET2a94WEN2XlahlP2v8Qij/N611kgTPNoSz57rEGcXj8hDfKeK1684fR7EB6bXEpw+mD9z7Ne49SxU13ke/LDLXL+izJR2MVcapBoHHVd7xlZjyu43ClWQ/auqRm48m5RTsqyRN/xPYhL/cfemETNhrwY7Gnr/btLqPxvO34CZ1/sJqX8MlyU5umZ8+7aCGcOZHM3javwDqBEvtiP4ETsbIK+pIABs2gNROLxAbqeYkyfbVuw5RsGI0FRsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:31.661Z"
NotOnOrAfter="2014-09-30T23:00:31.661Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168315051</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168315051</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:fediz:idp</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns3:Created>2014-09-30T22:40:31.661Z</ns3:Created><ns3:Expires>2014-09-30T23:00:31.661Z</ns3:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:32,320 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction  - HRDS
is null (Mock).
2014-10-01 01:40:32,322 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.CacheTokenForWauthAction  - Token
[IDP_TOKEN=_4C3D3D7257E6DF71B714121168315051] for realm
[urn:org:apache:cxf:fediz:idp:realm-A] successfully cached.
2014-10-01 01:40:32,330 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.STSClientAction  - STS WSDL URL
updated to
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl
2014-10-01 01:40:32,410 [http-bio-9443-exec-9] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
Message
----------------------------
ID: 4
Address:
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-10-01 01:40:32,636 [http-bio-9443-exec-1] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
Message
----------------------------
ID: 5
Address:
https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl=ws-trust-1.4.wsdl
Http-Method: GET
Content-Type: text/xml
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml], host=[localhost:9443], pragma=[no-cache],
user-agent=[Apache CXF 2.7.11]}
--------------------------------------
2014-10-01 01:40:32,811 [http-bio-9443-exec-2] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Outbound
Message
---------------------------
ID: 2
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[*/*],
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:storage</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Claims
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="true"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/></wst:Claims><wst:OnBehalfOf><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168315051"
IssueInstant="2014-09-30T22:40:31.620Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168315051"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DhIjb9vI/mOQb+v8LV6johTHltk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Az/yTFieY3qVzBSOt+tiSepaf2pOttbWqDRw1+lQNG2Bb5nOWIk1AwS1K9gZ0pKKawC/DYqXPTJ6gtt/7twkk7zwXAtET2a94WEN2XlahlP2v8Qij/N611kgTPNoSz57rEGcXj8hDfKeK1684fR7EB6bXEpw+mD9z7Ne49SxU13ke/LDLXL+izJR2MVcapBoHHVd7xlZjyu43ClWQ/auqRm48m5RTsqyRN/xPYhL/cfemETNhrwY7Gnr/btLqPxvO34CZ1/sJqX8MlyU5umZ8+7aCGcOZHM3javwDqBEvtiP4ETsbIK+pIABs2gNROLxAbqeYkyfbVuw5RsGI0FRsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:31.661Z"
NotOnOrAfter="2014-09-30T23:00:31.661Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></wst:OnBehalfOf><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:Lifetime
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2014-09-30T22:40:32.723Z</wsu:Created><wsu:Expires>2014-09-30T23:40:32.723Z</wsu:Expires></wst:Lifetime><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:32,812 [http-bio-9443-exec-5] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
Message
----------------------------
ID: 6
Address: https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml; charset=UTF-8], host=[localhost:9443],
pragma=[no-cache],
SOAPAction=["http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"],
transfer-encoding=[chunked], user-agent=[Apache CXF 2.7.11]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:storage</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Claims
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="false"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/><ic:ClaimType
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" Optional="true"
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/></wst:Claims><wst:OnBehalfOf><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168315051"
IssueInstant="2014-09-30T22:40:31.620Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168315051"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DhIjb9vI/mOQb+v8LV6johTHltk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Az/yTFieY3qVzBSOt+tiSepaf2pOttbWqDRw1+lQNG2Bb5nOWIk1AwS1K9gZ0pKKawC/DYqXPTJ6gtt/7twkk7zwXAtET2a94WEN2XlahlP2v8Qij/N611kgTPNoSz57rEGcXj8hDfKeK1684fR7EB6bXEpw+mD9z7Ne49SxU13ke/LDLXL+izJR2MVcapBoHHVd7xlZjyu43ClWQ/auqRm48m5RTsqyRN/xPYhL/cfemETNhrwY7Gnr/btLqPxvO34CZ1/sJqX8MlyU5umZ8+7aCGcOZHM3javwDqBEvtiP4ETsbIK+pIABs2gNROLxAbqeYkyfbVuw5RsGI0FRsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:31.661Z"
NotOnOrAfter="2014-09-30T23:00:31.661Z"><saml2:AudienceRestriction><saml2:Audience>urn:fediz:idp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></wst:OnBehalfOf><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:Lifetime
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2014-09-30T22:40:32.723Z</wsu:Created><wsu:Expires>2014-09-30T23:40:32.723Z</wsu:Expires></wst:Lifetime><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType><wst:Renewing/></wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:32,834 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Parsing RequestSecurityToken
2014-10-01 01:40:32,834 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found AppliesTo element
2014-10-01 01:40:32,873 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Primary Claims token
2014-10-01 01:40:32,875 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.ReceivedToken  - Found ValidateTarget element:
Assertion
2014-10-01 01:40:32,875 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found OnBehalfOf token
2014-10-01 01:40:32,875 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found TokenType:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.Lifetime  - Found created value:
2014-09-30T22:40:32.723Z
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.Lifetime  - Found expires value:
2014-09-30T23:40:32.723Z
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Lifetime element
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found KeyType:
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Found Renewing token
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.request.RequestParser  - Received Context attribute: null
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference
element
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - The AppliesTo address that
has been received is: urn:org:apache:cxf:fediz:storage
2014-10-01 01:40:32,876 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.service.StaticService  - Address
urn:org:apache:cxf:fediz:storage matches with pattern .*
2014-10-01 01:40:32,877 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.validator.SAMLTokenValidator  - Validating SAML
Token
2014-10-01 01:40:32,982 [http-bio-9443-exec-5] WARN 
org.apache.ws.security.validate.SignatureTrustValidator  - No Subject DN
Certificate Constraints were defined. This could be a security issue
2014-10-01 01:40:32,994 [http-bio-9443-exec-5] INFO 
org.apache.cxf.fediz.service.sts.realms.SamlRealmCodec  - Realm parsed in
certificate: REALMA
2014-10-01 01:40:33,047 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Parsing AppliesTo element
2014-10-01 01:40:33,047 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found EndpointReference
element
2014-10-01 01:40:33,047 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Found address element
2014-10-01 01:40:33,049 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Handling token of
type:
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2014-10-01 01:40:34,491 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.claims.LdapGroupClaimsHandler  - DN for
(cn=cn=alice,ou=Users,dc=ldap,dc=fediz) found:
cn=alice,ou=Users,dc=ldap,dc=fediz
2014-10-01 01:40:34,496 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.claims.LdapGroupClaimsHandler  - Groups for user 'alice':
[user]
2014-10-01 01:40:34,496 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.claims.LdapGroupClaimsHandler  - AppliesTo matchs with
scope: Storage
2014-10-01 01:40:34,496 [http-bio-9443-exec-5] INFO 
org.apache.cxf.sts.claims.LdapGroupClaimsHandler  - Filtered groups: [user]
2014-10-01 01:40:34,497 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  -
AttributeStatementsorg.apache.ws.security.saml.ext.bean.AttributeStatementBean@889ee2ereturned
by AttributeStatementProvider
org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider
2014-10-01 01:40:34,497 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.DefaultSubjectProvider  - Creating new
subject with principal name: alice
2014-10-01 01:40:34,502 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - SAMLRealm signature
keystore used
2014-10-01 01:40:34,502 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signature alias is
null so using default alias: realma
2014-10-01 01:40:34,502 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Creating SAML Token
2014-10-01 01:40:34,502 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.token.provider.SAMLTokenProvider  - Signing SAML Token
2014-10-01 01:40:34,520 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.TokenIssueOperation  - Encrypting Issued Token:
false
2014-10-01 01:40:34,520 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime creation:
2014-09-30T22:40:32.723Z
2014-10-01 01:40:34,520 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.operation.AbstractOperation  - Token lifetime expiration:
2014-09-30T23:40:32.723Z
2014-10-01 01:40:34,521 [http-bio-9443-exec-5] DEBUG
org.apache.cxf.sts.event.map.MapEventLogger  - 10/1/14 1:40:34
AM;SUCCESS;1686ms;127.0.0.1;59831;Issue;https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport;REALMA;<null>;alice;<null>;<null>;<null>;<null>;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0;urn:org:apache:cxf:fediz:storage;[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role];<null>;<null>;<null>;
2014-10-01 01:40:34,531 [http-bio-9443-exec-5] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Outbound
Message
---------------------------
ID: 6
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml
Headers: {}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://www.w3.org/2005/08/addressing"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168344982"
IssueInstant="2014-09-30T22:40:34.498Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168344982"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>91uIcJic2hx5JQm3V+R3kGc5c2Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>YYrfZlfkwrDKS1nFBe8z8/ThCcCtefo+NRxNCJdYq0FpdFUoscZuLDtFQTr3q66TgN/Nj5FHF9pVvL54Azijv6Ontj1ucNcInk3XlUwJhk+StrgrlHLNYpknWUWotDIz6zAICupxLEu4xZcwFWj1fg1WDnrNDF14x85FERAuJyDWAycz+KoTfYbg8eGd3RkNvtQ74m5DQEXR7MJtu3+SPLC9m4lm0KAeBqRWGEjDbiw64CTOaIVjyB6rrSzNu5CZpYLb1vX1hnC2ADNzPyiPVE+bALgaJIN6WVRdpH5Fl6quVHzkGv/Gk5ZNuxGtzPnPN7UGsv6tuRe8grVkz8fkqA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:32.723Z"
NotOnOrAfter="2014-09-30T23:40:32.723Z"><saml2:AudienceRestriction><saml2:Audience>urn:org:apache:cxf:fediz:storage</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice@ldap.fediz</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">user</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168344982</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168344982</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:storage</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns3:Created>2014-09-30T22:40:32.723Z</ns3:Created><ns3:Expires>2014-09-30T23:40:32.723Z</ns3:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:34,534 [http-bio-9443-exec-2] INFO 
org.apache.cxf.services.SecurityTokenService.Transport_Port.STS  - Inbound
Message
----------------------------
ID: 2
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {content-type=[text/xml;charset=UTF-8], Date=[Tue, 30 Sep 2014
22:40:34 GMT], Server=[Apache-Coyote/1.1], transfer-encoding=[chunked]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/><soap:Body><RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://www.w3.org/2005/08/addressing"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType><RequestedSecurityToken><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_4C3D3D7257E6DF71B714121168344982"
IssueInstant="2014-09-30T22:40:34.498Z" Version="2.0"
xsi:type="saml2:AssertionType"><saml2:Issuer>STS Realm
A</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_4C3D3D7257E6DF71B714121168344982"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>91uIcJic2hx5JQm3V+R3kGc5c2Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>YYrfZlfkwrDKS1nFBe8z8/ThCcCtefo+NRxNCJdYq0FpdFUoscZuLDtFQTr3q66TgN/Nj5FHF9pVvL54Azijv6Ontj1ucNcInk3XlUwJhk+StrgrlHLNYpknWUWotDIz6zAICupxLEu4xZcwFWj1fg1WDnrNDF14x85FERAuJyDWAycz+KoTfYbg8eGd3RkNvtQ74m5DQEXR7MJtu3+SPLC9m4lm0KAeBqRWGEjDbiw64CTOaIVjyB6rrSzNu5CZpYLb1vX1hnC2ADNzPyiPVE+bALgaJIN6WVRdpH5Fl6quVHzkGv/Gk5ZNuxGtzPnPN7UGsv6tuRe8grVkz8fkqA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICwTCCAamgAwIBAgIEFKo9KjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts">alice</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject><saml2:Conditions
NotBefore="2014-09-30T22:40:32.723Z"
NotOnOrAfter="2014-09-30T23:40:32.723Z"><saml2:AudienceRestriction><saml2:Audience>urn:org:apache:cxf:fediz:storage</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">alice@ldap.fediz</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue
xsi:type="xs:string">user</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></RequestedSecurityToken><RequestedAttachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168344982</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedAttachedReference><RequestedUnattachedReference><ns4:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns4:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_4C3D3D7257E6DF71B714121168344982</ns4:KeyIdentifier></ns4:SecurityTokenReference></RequestedUnattachedReference><wsp:AppliesTo
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:org:apache:cxf:fediz:storage</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><Lifetime><ns3:Created>2014-09-30T22:40:32.723Z</ns3:Created><ns3:Expires>2014-09-30T23:40:32.723Z</ns3:Expires></Lifetime></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
--------------------------------------
2014-10-01 01:40:36,286 [http-bio-9443-exec-2] INFO 
org.apache.cxf.fediz.service.idp.beans.STSClientAction  -
[RP_TOKEN=_4C3D3D7257E6DF71B714121168344982] successfully created for realm
[urn:org:apache:cxf:fediz:storage] on behalf of
[IDP_TOKEN=_4C3D3D7257E6DF71B714121168315051]



--
View this message in context: http://cxf.547215.n5.nabble.com/Use-Fediz-with-LDAP-tp5748800p5749361.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Use Fediz with LDAP

Posted by GiannisSam <io...@gmail.com>.
Hello.

I finally solved the problem. I used in LDAP groups "user" and "admin"
instead of "User" and "Admin" and I got access denied altogether. Stupid
mistake, although I am still not sure why exactly my request was denied
altogether.
After all I get logged in with LDAP users and with roles being drawn from
LDAP groups. So it works perfectly now.
Now I will continue with attaching other web services on that IDP and see
how that works out.

Ioannis Samartzis



--
View this message in context: http://cxf.547215.n5.nabble.com/Use-Fediz-with-LDAP-tp5748800p5749378.html
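The fix above points at exact, case-sensitive role matching on the RP side: the STS issued the role claim "user" (visible in the logged assertion), while the application expected "User". As an added example, not code from this thread or from Fediz, the script below pulls the role claim out of an assertion shaped like the logged one (a constructed, trimmed copy with the signature and other claims left out), checks it against the roles an application requires with exact comparison, and reports issued roles that differ from a required one only in case, which is the diagnostic the poster was missing.

```python
"""Compare the role claim in a SAML 2.0 assertion against an RP's required
roles exactly, and flag values that differ only in letter case."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"

# Constructed sample: the shape of the assertion in the STS log above, reduced
# to the issuer and the role attribute. ID and timestamps are placeholders.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  ID="_EXAMPLE_ID" IssueInstant="2014-09-30T22:40:34.498Z" Version="2.0">
  <saml2:Issuer>STS Realm A</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{ROLE_CLAIM}"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">user</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def role_values(assertion_xml: str) -> list[str]:
    """Return every value carried by the role claim attribute, in order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != ROLE_CLAIM:
            continue
        for val in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
            values.append((val.text or "").strip())
    return values


def check_access(assertion_xml: str, required_roles: set[str]):
    """Return (granted, near_misses).

    granted is True only if an issued role equals a required role exactly,
    which is how a container-style role check behaves. near_misses lists
    issued roles that would match a required role under case folding but do
    not match exactly; a non-empty list is the telltale of a group-naming
    mismatch between the directory and the application."""
    issued = role_values(assertion_xml)
    granted = any(role in required_roles for role in issued)
    folded_required = {role.casefold() for role in required_roles}
    near_misses = sorted(
        role for role in set(issued)
        if role not in required_roles and role.casefold() in folded_required
    )
    return granted, near_misses


if __name__ == "__main__":
    # The poster's original situation: directory groups in lower case,
    # application roles capitalised. Access is denied, but the near miss
    # tells the operator exactly what to rename.
    for required in ({"User", "Admin"}, {"user", "admin"}):
        granted, near = check_access(SAMPLE_ASSERTION, required)
        print(f"required={sorted(required)} granted={granted} "
              f"case-only mismatches={near}")
```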