Friday, May 15, 2009

SSO with SAML & ADF Security

In my previous blog entry I got Single Sign-On working with J2EE container security. In this entry I get it working with ADF Security as well. Create a SAML source site and a SAML destination site, then follow these steps.
Create a new relying party for the ADF Security application on the SAML source site.

Go to the WLS console of the SAML source server and open the myrealm security realm.
Go to Providers -> Credential Mapping -> SAMLCredentialMapper.
SAMLCredentialMapper -> Management -> New Relying Party

Partner ID: rp_00004
Profile: Browser/POST
Target URL: http://localhost:7101/appC/adfAuthentication (the URL of the ADF Security servlet on the destination site)
Assertion Consumer URL: https://localhost:7102/samlacs/acs
Assertion Consumer Parameters: APID=ap_00002

SAML destination server; this is the WebLogic Server of the ADF Security application.
Go to the myrealm security realm -> Providers -> Authentication, select the SAML Identity Assertion provider -> Management -> Asserting Party.

Partner ID: ap_00002
Profile: Browser/POST
Target URL: http://localhost:7001/appA (the main application on the SAML source site)

Source Site Redirect URIs: /appC/adfAuthentication (the URL of the ADF Security servlet)
Source Site ITS URL: https://localhost:7002/samlits_ba/its
Source Site ITS Parameters: RPID=rp_00004

On the main site you can add a link to the ADF Security application like this: <a href="http://localhost:7101/appC/adfAuthentication">appC</a>

And change the login-config in the web.xml of the ADF Security application so it uses certificate authentication.
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myrealm</realm-name>
</login-config>
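The relying-party and asserting-party screens above cross-reference each other (the ACS parameters carry the destination's APID, the ITS parameters carry the source's RPID, and the source Target URL path must appear in the destination Redirect URIs), which is where a hand-typed setup usually goes wrong. The checker below is an added example, not code from the original post; the dictionaries and the web.xml snippet are constructed from the values shown above, and the web.xml sample omits the namespace a real descriptor carries.

```python
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

# Constructed sample values, copied from the two console screens described above.
SOURCE_RELYING_PARTY = {            # SAMLCredentialMapper on the source site
    "partner_id": "rp_00004",
    "profile": "Browser/POST",
    "target_url": "http://localhost:7101/appC/adfAuthentication",
    "acs_url": "https://localhost:7102/samlacs/acs",
    "acs_params": "APID=ap_00002",
}
DEST_ASSERTING_PARTY = {            # SAML Identity Asserter on the destination site
    "partner_id": "ap_00002",
    "profile": "Browser/POST",
    "target_url": "http://localhost:7001/appA",
    "redirect_uris": ["/appC/adfAuthentication"],
    "its_url": "https://localhost:7002/samlits_ba/its",
    "its_params": "RPID=rp_00004",
}
# Constructed web.xml fragment (namespace omitted for brevity).
WEB_XML = """<web-app><login-config><auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name></login-config></web-app>"""

def _param(query, key):
    """First value of a key in an 'A=b&C=d' parameter string, or None."""
    return parse_qs(query).get(key, [None])[0]

def check_saml_pairing(rp, ap):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    # Partner IDs are cross-referenced: ACS params carry APID, ITS params carry RPID.
    if _param(rp["acs_params"], "APID") != ap["partner_id"]:
        findings.append("APID in source ACS parameters != destination Partner ID")
    if _param(ap["its_params"], "RPID") != rp["partner_id"]:
        findings.append("RPID in destination ITS parameters != source Partner ID")
    if rp["profile"] != ap["profile"]:
        findings.append("profile differs between relying and asserting party")
    # The protected URL on the source side must be an allowed redirect URI on the destination.
    if urlparse(rp["target_url"]).path not in ap["redirect_uris"]:
        findings.append("source Target URL path missing from destination Redirect URIs")
    # ACS and ITS carry the assertion and the login request: both should be https.
    for name, url in (("ACS", rp["acs_url"]), ("ITS", ap["its_url"])):
        if urlparse(url).scheme != "https":
            findings.append(f"{name} URL is not https")
    return findings

def auth_method(web_xml):
    """Return the auth-method of the first login-config in a web.xml string."""
    el = ET.fromstring(web_xml).find("login-config/auth-method")
    return el.text.strip() if el is not None and el.text else None

if __name__ == "__main__":
    print(check_saml_pairing(SOURCE_RELYING_PARTY, DEST_ASSERTING_PARTY) or "pairing OK")
    print("web.xml auth-method:", auth_method(WEB_XML))
```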

The only thing that isn't working yet is the redirect to the success URL after successful authentication by the ADF Security servlet.

24 comments:

  1. Edwin -- Very helpful blogs. I had a confusion / I am not clear on how one can pass the security token from a Java web application to the webservice stub that it calls, if the domains are not trusted, i.e. if I have a cookie in my web HTTP layer, I do not want to pass it directly to the service client stub, but use some kind of underlying security layer so that the webservice client picks up the cookie/token and sends it in SOAP.

    This must be a very easy question for you to answer:)

    Thanks in advance
    Dave

  2. Hi,

    If you use SAML source and destination sites, it does not matter if the domains are trusted.

    In one case, if you use JSF with security and EJBs on a different domain, then you can set up a global trust between these domains.

    thanks

  3. Hi Edwin,

    Did you try using Oracle SSO with ADF? We managed to protect the ADF application using Oracle SSO to authenticate the user. But we are unable to map the ADF application roles with the OID groups.

    We would like to use ADF security features to provide field level authorization based on the roles in the OID database.

    Can you please suggest w.r.t. authorization using SSO in an ADF application.

    Thanks and Regards,

    S R Prasad

  4. Hi,

    Did you add a weblogic.xml to the WEB-INF folder? In this file you can do your mappings.

    thanks

  5. Hi Edwin, did you get it working to redirect to the success URL after the successful authentication by the ADF Security servlet? I got to the same point you did. If you did, how can I get it? Thanks a lot!

  6. Hi,

    I don't have a solution for this, I tried it myself a few weeks ago and also asked Frank Nimphius.

    I already know jps-config.xml is not the way; it has to be fixed in the WLS console.

    thanks

  7. Hi Edwin,

    I got stuck exactly on the same point, any solution or workaround so far? I'm trying to SSO between WebCenter and URM.

    Thanks
    Ricardo Bortoloto

  8. Hi Edwin, your blogs have been very useful. We need to establish a SAML SSO link between Oracle Image and Process Management (OIPM) and BPEL Workflow Human Task. We have tried your steps; however, this is at the AdminServer level. How would your steps work at the Managed Server level? Thanks

  9. Hi Edwin,

    I'm trying to get an ADF application working with a WLS domain that has a SiteMinder Authentication Provider and Identity Asserter configured, similar to your SAML example. J2EE security works (e.g. isUserInRole()) but ADF doesn't appear to be able to 'see' the groups/users that are populated into the Subject.

    I know they are there, but the taskflows and regions I've granted to them simply won't show up when I log into the app.

    I'd be very grateful if you had any thoughts. I've got a thread open on OTN here:
    https://forums.oracle.com/forums/thread.jspa?messageID=9949595&#9949595

    Replies
    1. Hello Chris,

      I am running into the same issue. Did you find any solution for this, and if so could you please share it?

      Thanks,
      Rashmi

  10. Hi Chris,

    Just a few checks: is it a private principal? And do you get the enterprise role (WLS) and try to map this to application roles (weblogic.xml deployment descriptor)?

    like I describe here http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

    The application roles can be mapped to the task flows.

    Is it an LDAP repository, and can you put it as the first of the authenticators, or add the virtualize attribute on the LDAP entry of jps-context.xml?

    like I described here
    http://biemond.blogspot.com/2011/10/using-fmw-identitystore-for-your-user.html

    Thanks and good luck

  11. Have you also attempted to configure ADF Security to leverage enterprise role membership via SAML as well?

  12. Hi,

    The enterprise roles come from WebLogic, so ADF will use them. If it works in WLS then ADF can use it,

    or do you mean something different?

    thanks

  13. Edwin,

    I have been reading your security articles and they are great.

    I am attempting a project where I wish to integrate a secondary JEE application to leverage the security of a primary application.

    I am working with Oracle Business Intelligence 11g. The installed primary application goes into the context-root /analytics. I would then like to create a secondary application that deploys to the context-root /analytics/myapp.

    Is there a way to get the secondary application to know what user is logged in to the primary application if both are deployed on the same WLS server, domain, etc.?

    I am creating the secondary application in ADF and I am attempting to use the ADF.shared.connection which I understand may only be available from the Oracle BI libraries.

    I posted this question over on Oracle Forums and one responder even referenced your blog,
    https://forums.oracle.com/forums/thread.jspa?threadID=2312079&tstart=0
    Another responder mentioned WLS Shared Sessions. Can you provide any help on this?

    Thanks very much in advance.

  14. Hi,

    I think you can do it with a single SSO software, or I think build one EAR with the 2 WARs; then you have some possibilities.

    thanks

  15. Thanks Edwin, this worked fine for me: configuring SSO with SAML and ADF security. I have followed the same steps and configuration as mentioned above.

    I have one issue here and seek your help.
    I'm trying to configure an application (which is built using ADF security) using SAML 1.1. The requirement is that this destination application should also work standalone, apart from getting requests from the source application. I have made all the changes required for the SAML destination. When I am trying to access this application (as standalone), the request is getting redirected to the "Source Site ITS URL" as mentioned in the asserter and expects the user to key in the credentials. So that means the application depends on the source configuration (at least the same user should be present at the source also).

    Any idea on how to bypass this? If the request is received from the source then it should be verified with CLIENT-CERT, otherwise it should act as a simple FORM.

    Replies
    1. Hi,

      Maybe you can make a WebLogic deployment plan which can change the CLIENT-CERT value to basic. But both are not possible.
      Because you are using ADF you can put everything in an ADF lib (TF, fragments and Model) and make 2 light web applications which use the same ADF libs but with different security.

      thanks

    2. Thanks Edwin.
      When I sent a request from appA to the ADF security application (after successful login) through the browser IE9, it just gets stuck at the security certificate warning page. I tried clicking on the continue link but it is still stuck at the same page.
      It seems to me that you were also having a similar problem, as you mentioned at the end of your blog.

      So have you got any solution or workaround for this?

    3. Hi,

      I never got it working with ADF; don't know if it is possible.

      thanks

    4. I got this working.
      A simple web application (appA) can connect to appB (the ADF security application) via SSO with SAML. The appB application can also be accessed directly (the request may not always be from appA) and was tested in 3 browsers: Firefox, IE, and Chrome.
      You will experience some security certificate warning messages (as a self-signed certificate is not authorised by any certificate authority); you need to just accept and continue.

      To access appB directly from IE, you need to generate the certificate giving the hostname/IP address of the server (whichever one you use while accessing the server) as the Common Name (first name and last name parameter). Then import the generated certificate in IE under "Trusted Root Certificate Authorities".

      That solved all the problems for me :)

    5. Hi,

      Great stuff, what WebLogic & ADF version did you use? Plus did you use SAML 1 or SAML 2?

      Thanks

    6. Edwin,
      I have used WebLogic 10.3.5, ADF 11.1.2 and SAML 1.1.

  16. Thanks Edwin, I found this is for "SAMLCredentialMapper". How about the "SAML2CredentialMapper" SAML 2.0 Credential Mapping Provider? I tested with a normal web app, which is working. However, are there any special steps for ADF applications and ADF security? Thanks.

    Replies
    1. Hi,

      I think it works the same as SAMLCredentialMapper but then for SAML 2.0. See also this blog post: http://biemond.blogspot.nl/2009/09/sso-with-weblogic-1031-and-saml2.html

      Thanks
