In this chapter, we describe the configuration for Web SSO with XML Signature Support.
The IDP needs to be configured to provide Web SSO with XML Signature Support.
Follow the web.xml security configuration for the IDP from the previous section "Simple Usage".
Create a context.xml file for configuring the valves for the IDP.
The context.xml file should look like:
<Context>
  <Valve className="org.jboss.identity.federation.bindings.tomcat.idp.IDPRedirectWithSignatureValve" />
</Context>
If the IDP is running in Apache Tomcat, then place the context.xml in META-INF of your IDP web application.
If the IDP is running in JBoss Application Server, then place the context.xml in WEB-INF of your IDP web application.
Configure jboss-idfed.xml in WEB-INF of your IDP web application
<JBossIDP xmlns="urn:jboss:identity-federation:config:1.0">
  <IdentityURL>http://localhost:8080/idp-sig</IdentityURL>
  <Trust>
    <Domains>localhost,jboss.com,jboss.org</Domains>
  </Trust>
  <KeyProvider ClassName="org.jboss.identity.federation.bindings.tomcat.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="jbid_test_keystore.jks" />
    <Auth Key="KeyStorePass" Value="store123" />
    <Auth Key="SigningKeyPass" Value="test123" />
    <Auth Key="SigningKeyAlias" Value="servercert" />
    <ValidatingAlias Key="localhost" Value="servercert" />
    <ValidatingAlias Key="127.0.0.1" Value="servercert" />
  </KeyProvider>
</JBossIDP>
In this configuration file, you are providing the URL of your IDP. This is the URL that gets added as the issuer in the outgoing SAML2 assertions to the Service Providers.
Additionally, you can configure the Trust element to indicate which domains the IDP trusts.
You can configure a TrustKeyManager implementation for the Signing (Private) Key and the Validating (Public) Key information. In this example, we have used the KeyStoreKeyManager, which stores the keys in a Java KeyStore. Each Auth element defines a key/value pair needed to authenticate against the TrustKeyManager implementation. The ValidatingAlias elements form a map from the domains whose messages must be validated to the keystore alias under which that domain's public key is stored.
The SP can be a JBoss Application Server or a Tomcat instance.
You need to configure a web application as the Service Provider (SP).
Follow the web.xml security configuration for the SP from the previous section "Simple Usage".
Create a context.xml file for configuring the valves for the SP.
The context.xml file should look like:
<Context>
  <Valve className="org.jboss.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator" />
</Context>
If the SP is running in Apache Tomcat, then place the context.xml in META-INF of your SP web application.
If the SP is running in JBoss Application Server, then place the context.xml in WEB-INF of your SP web application.
Configure jboss-idfed.xml in WEB-INF of your SP web application
<JBossIDP xmlns="urn:jboss:identity-federation:config:1.0">
  <IdentityURL>http://localhost:8080/idp-sig</IdentityURL>
  <Trust>
    <Domains>localhost,jboss.com,jboss.org</Domains>
  </Trust>
  <KeyProvider ClassName="org.jboss.identity.federation.bindings.tomcat.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="jbid_test_keystore.jks" />
    <Auth Key="KeyStorePass" Value="store123" />
    <Auth Key="SigningKeyPass" Value="test123" />
    <Auth Key="SigningKeyAlias" Value="servercert" />
    <ValidatingAlias Key="localhost" Value="servercert" />
    <ValidatingAlias Key="127.0.0.1" Value="servercert" />
  </KeyProvider>
</JBossIDP>
In this configuration file, we define the URLs for the service provider and the identity provider.
Additionally, you can configure the Trust element to indicate which domains the SP trusts.
You can configure a TrustKeyManager implementation for the Signing (Private) Key and the Validating (Public) Key information. In this example, we have used the KeyStoreKeyManager, which stores the keys in a Java KeyStore. Each Auth element defines a key/value pair needed to authenticate against the TrustKeyManager implementation. The ValidatingAlias elements form a map from the domains whose messages must be validated to the keystore alias under which that domain's public key is stored.
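The Trust and KeyProvider settings explained here, and in the IDP section above, can be cross-checked before deployment. The script below is an added example and is not part of the JBoss Identity Federation documentation or code base: it parses a jboss-idfed.xml constructed to match the file shown above and reports trusted domains that have no ValidatingAlias (so no public key is mapped for validating their signed messages), missing Auth entries, and an IdentityURL host that is outside the trusted domains; these checks are the example's own, not rules enforced by the product.

```python
"""Consistency check for the Trust and KeyProvider sections of jboss-idfed.xml."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"c": "urn:jboss:identity-federation:config:1.0"}

# Constructed sample that mirrors the configuration file shown in this chapter.
SAMPLE_CONFIG = """<JBossIDP xmlns="urn:jboss:identity-federation:config:1.0">
  <IdentityURL>http://localhost:8080/idp-sig</IdentityURL>
  <Trust><Domains>localhost,jboss.com,jboss.org</Domains></Trust>
  <KeyProvider ClassName="org.jboss.identity.federation.bindings.tomcat.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="jbid_test_keystore.jks" />
    <Auth Key="KeyStorePass" Value="store123" />
    <Auth Key="SigningKeyPass" Value="test123" />
    <Auth Key="SigningKeyAlias" Value="servercert" />
    <ValidatingAlias Key="localhost" Value="servercert" />
    <ValidatingAlias Key="127.0.0.1" Value="servercert" />
  </KeyProvider>
</JBossIDP>"""

# Auth keys the KeyStoreKeyManager configuration in this chapter relies on.
REQUIRED_AUTH = ("KeyStoreURL", "KeyStorePass", "SigningKeyAlias", "SigningKeyPass")


def parse_config(xml_text):
    """Extract IdentityURL, trusted domains, Auth entries and ValidatingAlias map."""
    root = ET.fromstring(xml_text)
    domains = root.findtext("c:Trust/c:Domains", default="", namespaces=NS)
    kp = root.find("c:KeyProvider", NS)
    auth = {a.get("Key"): a.get("Value") for a in kp.findall("c:Auth", NS)}
    aliases = {v.get("Key"): v.get("Value") for v in kp.findall("c:ValidatingAlias", NS)}
    return {
        "identity_url": root.findtext("c:IdentityURL", default="", namespaces=NS),
        "domains": [d.strip() for d in domains.split(",") if d.strip()],
        "auth": auth,
        "validating": aliases,
    }


def check_config(xml_text):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    cfg = parse_config(xml_text)
    problems = []
    for key in REQUIRED_AUTH:
        if not cfg["auth"].get(key):
            problems.append(f"missing Auth entry {key}")
    # A trusted domain with no ValidatingAlias has no public key to validate its signatures.
    for domain in cfg["domains"]:
        if domain not in cfg["validating"]:
            problems.append(f"trusted domain {domain} has no ValidatingAlias")
    host = urlparse(cfg["identity_url"]).hostname
    if host and host not in cfg["domains"]:
        problems.append(f"IdentityURL host {host} is not in Trust/Domains")
    return problems
```

Run against the sample, it flags jboss.com and jboss.org, the two trusted domains for which the chapter's file maps no keystore alias.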