In my previous blog I got Single Sign On working with J2EE container security. In this blog entry I got it also working with ADF Security. Just create a SAML source and destination site and follow these steps
Create a new relying party for the ADF Security Application on the SAML source site.
Go the WLS console of the Saml source server and go to the myrealm Security Realm
Go to providers -> Credential Mapping -> SAMLCredentialMapper
SAMLCredentialMapper -> Managment -> new Relying Party
Partner ID: rp_00004
Profile: Browser/POST
Target URL: http://localhost:7101/appC/adfAuthentication the url of ADF security servlet on the destination site
Assertion Consumer URL: https://localhost:7102/samlacs/acs
Assertion Consumer Parameters: APID=ap_00002
Saml Destination server , this is the WebLogic Server of the ADF Security Application
Go the myrealm Security Realm -> Providers -> Authentication and select the SAML Identity Assertion provider -> Management -> Asserting Party
Partner ID: ap_00002
Profile: Browser/POST
Target URL: http://localhost:7001/appA This is the main application on the SAML source site
Source Site Redirect URIs: /appC/adfAuthentication The url of ADF Security Servlet
Source Site ITS URL: https://localhost:7002/samlits_ba/its
Source Site ITS Parameters: RPID=rp_00004
On the main site you can add a link to the ADF Security application like this <a href="http://localhost:7101/appC/adfAuthentication">appC</a>
And change login-conf in the web.xml of the ADF Security Application so it uses certificate auhtentication.
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
The only thing that isn't working yet is the redirecting to the success url after the succesfull authentication by the ADF Security servlet.
Edwin --Very helpful blogs. I had a confusion/I am not clear on how one can pass the security token from a java web application to the webserice stub that it calls -if the domains are not trusted. ie if i have cookie in my web hhtp layer, i do not want to pass it directly to the service clinet stub, but use some kind of underlying security layer so that the webservice client picks the cookie/token and send it in soap.
ReplyDeleteThis must be a very easy question for you to answer:)
Thanks in advance
Dave
Hi,
ReplyDeleteIf you saml source and destinations sites and it does not matter if the domains are trusted.
In one case I you use jsf with security and ejb's on a different domain then you can setup a global trust between these domain.
thanks
Hi Edwin,
ReplyDeleteDid you try using Oracle SSO with ADF. We managed to protect the ADF application using Oracle SSO to authenticate the user. But we are unable to map the ADF application roles with the OID groups.
We would like to use ADF security features to provide field level autherization based on the roles in the OID database.
can you please suggest w.r.t autherization using sso in ADF application.
Thanks and Regards,
S R Prasad
Hi,
ReplyDeletedid you add a weblogic.xml to the web-inf folder. and this file you can do your mappings
thanks
Hi Edwin, did you get it working to redirect to the success url after the succesfull authentication by the ADF Security servlet? As i got to the same point you did. If you did so, how can i get it? Thanks a lot!
ReplyDeleteHi,
ReplyDeleteI don't have a solution for this, I tried it myself a few weeks ago and also asked Frank Nimphius.
I already know jps-config.xml is not the way, It has to be fixed in the wls console
thanks
Hi Edwin,
ReplyDeleteI got stuck exactly on the same point, any solution or workaround so far? I'm trying to SSO between WebCenter and URM.
Thanks
Ricardo Bortoloto
Hi Edwin, Ur blogs have been very usefulWe need to establish a SAML SSO link between Oracle Image and Process Management(OIPM) and BPEL Workflow Human Task. We have tried ur steps however this is at the AdminServer level... How would ur steps work at the Managed Server level. Thanks
ReplyDeleteHi Edwin,
ReplyDeleteI'm trying to get an ADF application working with a WLS domain that has a SiteMinder Authentication Provider and Identity Asserter configured, similar to your SAML example. J2EE security works (eg. isUserInRole()) but ADF doesn't appear to be able to 'see' the groups/users that are populated into the Subject.
I know they are there, but the taskflows and regions I've granted to them simply won't show up when I log into the app.
I'd be very grateful if you had any thoughts. I've got a thread open on OTN here:
https://forums.oracle.com/forums/thread.jspa?messageID=9949595�
Hello Chris,
DeleteI am running into same issue. Did you find any solution for this and if so could you please share them?
Thanks,
Rashmi
Hi Chris,
ReplyDeletejust a few checks, is it a private principal? and do you get enterprise role (wls) and try to map this to application roles. ( weblogic.xml deployment descriptor)
like I describe here http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/
the applications roles can be mapped to the task flows.
is it a ldap repository and can you put it as first authenticator of the authenticators or add the virtualize attribute on the ldap entry of jps-context.xml
like I described here
http://biemond.blogspot.com/2011/10/using-fmw-identitystore-for-your-user.html
thanks and good luck
have you also attempted to configure ADF Security to leverage enterprise role membership via SAML as well?
ReplyDeleteHi,
ReplyDeleteThe enterprise roles comes from weblogic so ADF will use it. If it works in wls the adf can use it
or do you mean something different.
thanks
Edwin,
ReplyDeleteI have been reading your security articles and they are great.
I am attempting a project where I wish to integrate a secondary JEE application to leverage the security of a primary application.
I am working with Oracle Business Intelligence 11g. The installed primary application goes into the context-root /analytics. I would then like to create a secondary application that deploys to the context-root /analytics/myapp.
Is there a way to get the secondary application to know what user is logged in to the primary application if both are deployed on the same WLS server, domain, etc.?
I am creating the secondary application in ADF and I am attempting to use the ADF.shared.connection which I understand may only be available from the Oracle BI libraries.
I posted this question over on Oracle Forums and one responder even referenced your blog,
https://forums.oracle.com/forums/thread.jspa?threadID=2312079&tstart=0
Another responder mentioned WLS Shared Sessions. Can you provide any help on this?
Thanks very much in advance.
Hi,
ReplyDeleteI think you can do it with a single SSO software or I thin k build one ear with the 2 war , then you got some possibilities.
thanks
Thanks Edwin, this worked fine for me. Configuring SSO with SAML and ADF security. I have followed the same steps and configuration as mentioned above.
ReplyDeleteI have one issue here and seek your help.
I m trying to configure a application (which is built using ADF security) using SAML1.1. The requirement is that this desitnation application should also work as a standalone apart from getting request from the source application. I have made all changes required for SAML destination. When I am trying to access this application (as a standalone), request is getting redirected to "Source Site ITS URL" as mentioned in the asseter and expected user to key in the credentials. So thats means the application is depend on the source configuration (atleast the same user should be present at source also).
Any idea on how to bypass this? If the request is received from source then it should verfied with CLIENT-CERT other wise it should act as a simple FORM.
Hi,
Deletemaybe you can make a weblogic deployment plan which can change the CLIENT-CERT value to basic. But both is not possible.
Because you are using ADF you can put everything in a ADF lib ( TF, fragments and Model) and make 2 light web applications which uses the same adf libs but with different security.
thanks
Thanks Edwin.
DeleteWhen I sent a request from appA to ADF security application (after successful login) through browser IE9, then it just stucks at security certificate warning page. I tried clicking on the continue link but still stuck at same page.
It seems to me that you were also having similar problem as you have mentioned in the end of your blog.
So have you got any solution or workaroud for this?
Hi,
DeleteI never got it working with ADF, Don't know if it is possible.
thanks
I got this working.
DeleteA simple web application (appA) can connect to appB (ADF security application) via SSO with SAML. appB application can also be accessed direclty (request may not be always from appA) and tested in 3 browsers firefox, IE, and chrome.
You will experience some security certificate warning messages (as self signed certificate is not authorised by any certificate authority), you need to just accept and continue.
To access appB direclty from IE, you need to generate the certificate by giving hostname/IP address of the server (which one you use while accessing the server) as a Common Name (first name and last name parameter). Then import the generated certificate in IE under “Trusted Root Certificate Authorities”.
That solved all the problem for me:)
Hi,
DeleteGreat Stuff , what weblogic & ADF version did you use. Plus did you use saml1 or saml 2
Thanks
Edwin,
DeleteI have used weblogic 10.3.5, ADF 11.1.2 and SAML 1.1.
Thanks Edwin, I found this is for "SAMLCredentialMapper". How about the "SAML2CredentialMapper" SAML 2.0 Credential Mapping Provider? I tested with normal web app which is working. However, is there any special steps for ADF applications and ADF securities? Thanks.
ReplyDeleteHi,
DeleteI think it works the same as SAMLCredentialMapper but then for saml 2.0. see also this blogpost http://biemond.blogspot.nl/2009/09/sso-with-weblogic-1031-and-saml2.html
Thanks