Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. Apache CXF Fediz supports both WS-Federation Passive Requestor Profile and the SAML Web Browser SSO Profile. Fediz supports Claims Based Access Control beyond Role Based Access Control (RBAC).

Getting Started

The WS-Federation specification defines the following parties involved during a web login:


    Identity Provider (IDP)

    The IDP is a centralized, application independent runtime component which implements the protocol defined by WS-Federation. You can use any open source or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it allows for testing your web application in a sandbox without having all infrastructure components available. The Fediz IDP consists of two WAR components. The Security Token Service (STS) does most of the work including user authentication, claims/role data retrieval and creating the SAML token. The IDP WAR translates the response to an HTML response allowing a browser to process it.

    Relying Party (RP)

    The RP is a web application that needs to be protected. The RP must be able to implement the protocol as defined by WS-Federation. This component is called "Fediz Plugin" in this project which consists of container agnostic module/jar and a container specific jar. When an authenticated request is detected by the plugin it redirects to the IDP for authentication. The browser sends the response from the IDP to the RP after successful authentication. The RP validates the response and creates the container security context.

It's recommended to deploy the IDP and the web application (RP) into different container instances as in a production deployment. The container with the IDP can be used during development and testing for multiple web applications needing security.


The following features are supported by Fediz 1.2

    WS-Federation 1.0/1.1/1.2

    SAML 1.1/2.0 Tokens

    Support for encrypted SAML Tokens (Release 1.1)

    Support for Holder-Of-Key SubjectConfirmationMethod (1.1)

    Custom token Support

    Publish WS-Federation Metadata document

    Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens

    Claims information provided by FederationPrincipal Interface

    Support for Tomcat, Jetty, Websphere, Spring Security and CXF (1.1)

    Fediz IDP supports "Resource IDP" role as well (1.1)

    A new REST API for the IdP (1.2)

    Support for logout in both the RP and IdP (1.2)

    Support for logging on to the IdP via Kerberos and TLS client authentication (1.2)

    A new container-independent CXF plugin for WS-Federation (1.2)

    Support to use the IdP as an identity broker with a remote SAML SSO IdP (1.2)