Monday, May 11, 2009

SSO with WebLogic 10.3 and SAML

With WebLogic it is relatively easy to set up Single Sign-On between servers that support SAML. In this blog I will show you how you can set up SSO between two ADF applications on different WebLogic servers. Of course you can also use Remote Task Flows for this, but once you have set up SAML you can also use it to protect your web services, or for identity propagation with OWSM in combination with ESB, BPEL or OSB.
This blog is based on the article by Vikrant Sawant, where he did the same with two WLS 9.2 domains. I will use this blog as the starting point for my next blog entries; I am thinking about the following: how to use SSO / SAML with ADF Security, and SAML with OWSM / OSB / ESB and BPEL. In this blog entry I will use the standard container security.

To make this work we need two WLS domains. I created a new domain with the configuration wizard of JDeveloper 11G and enabled the ADF option on this domain. I use the internal WebLogic domain of JDeveloper as the secondary domain.
The new domain will be the SAML source site, but first we need to configure the WebLogic server instance by enabling SSL. SAML needs SSL for the secured communication between the SAML source and destination domains. For this source domain I will use ports 7001 and 7002 (SSL).
Define the keystores. I have my own keystores, but you can also use the WLS demo keystores.


If you use your own keystore then you probably have to set the new private key alias.
Add a SAML 1.1 source site at the Federation Services tab.

The second step on the SAML source site is to configure the myrealm security realm. In this step we start by adding a credential mapping provider.

In the Provider Specific tab of the credential mapping provider we just created, we have to define the details.


Now we can add the first SAML client (relying party) of this source site. This will be the application that runs on the internal WebLogic domain of JDeveloper. The first entry is called rp_00001.
Add the URL of the secured page (the URL of the second application) and the HTTPS port of the SAML destination URL. Here we also have to provide the asserting party ID of the SAML client; this is APID=ap_00001. We will create this asserting party later on the destination SAML domain.

For the communication we need to import the public keys. In my case these are the CA and the server public key. Just export these certificates from the keystores and rename them to the .der file extension.


Step 3 is to set up the SAML destination site. I will use the internal WebLogic domain of JDeveloper for this. By default JDeveloper uses port 7101, and in this domain we also need to enable the SSL port (port 7102).
Next go to the Federation Services of the server instance and enable the SAML 1.1 destination site.

Go to the myrealm security realm and add a new SAML authentication provider.

Add a new asserting party.

Here we add the URL of the application that runs on the source site, and the ID of the relying party on the source site.

Here we also have to import the public keys of the CA and the server.

The last WebLogic step is to add a common authentication provider on both domains. I use an LDAP or a SQL authenticator for this. Both WLS domains need to have the same users and groups.

We are finished with the WebLogic configuration. Now we can make two ADF applications. For these applications I will use the faces-config.xml and not the unbounded task flow, and I use the standard container security and not ADF Security.

The security section of the web.xml of the source application looks like this.


<!-- Source site: users authenticate here with BASIC against myrealm; the SAML credential mapper then issues the assertion for the relying party -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>aut</web-resource-name>
    <url-pattern>/faces/aut/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>valid-users</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>
<security-role>
  <role-name>valid-users</role-name>
</security-role>


The weblogic.xml of the source and destination applications (this maps the valid-users role to the WLS users group).

<?xml version = '1.0' encoding = 'windows-1252'?>
<weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <!-- Maps the valid-users role from web.xml to the WLS group "users"; these users and groups must exist in both domains (common authenticator) -->
  <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>



The web.xml of the destination application; here we have to use CLIENT-CERT, so that the destination site authenticates the user through identity assertion on the incoming SAML assertion instead of asking for credentials.

<!-- Destination site: CLIENT-CERT makes WLS use identity assertion, so the SAML authentication provider configured above authenticates the user from the incoming assertion -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>aut</web-resource-name>
    <url-pattern>/faces/aut/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>valid-users</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>
<security-role>
  <role-name>valid-users</role-name>
</security-role>


When the user logs in on the destination site, he is automatically redirected to the source site.
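As an added check that is not part of the original post, the following Python script (function names are my own) parses a web.xml and weblogic.xml pair and reports where it deviates from the setup above: BASIC on the source site, CLIENT-CERT on the destination site, a realm-name, a protected url-pattern, and every role used in an auth-constraint both declared in security-role and mapped to a principal in weblogic.xml. The embedded descriptors are the post's fragments wrapped in a <web-app> root.

```python
import xml.etree.ElementTree as ET

# Expected auth-method per site: the user authenticates on the source site (BASIC), while
# the destination site authenticates through identity assertion on the SAML token (CLIENT-CERT).
EXPECTED_AUTH = {"source": "BASIC", "destination": "CLIENT-CERT"}

def _local(tag):
    """Strip the namespace so the checks work with and without the Java EE / BEA xmlns."""
    return tag.rsplit("}", 1)[-1]

def _texts(root, name):
    return [e.text.strip() for e in root.iter() if _local(e.tag) == name and e.text]

def _roles_under(root, parent):
    """role-name values that sit directly under elements called `parent`."""
    return {c.text.strip() for p in root.iter() if _local(p.tag) == parent
            for c in p if _local(c.tag) == "role-name" and c.text}

def check_descriptors(web_xml, weblogic_xml, site):
    """Return a list of findings; an empty list means the pair matches the setup above."""
    web, wl = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    findings = []
    methods = _texts(web, "auth-method")
    if methods != [EXPECTED_AUTH[site]]:
        findings.append(f"{site} site: auth-method {methods} should be ['{EXPECTED_AUTH[site]}']")
    if not _texts(web, "realm-name"):
        findings.append("login-config has no realm-name")
    if not _texts(web, "url-pattern"):
        findings.append("security-constraint protects no url-pattern")
    required = _roles_under(web, "auth-constraint")
    for role in sorted(required - _roles_under(web, "security-role")):
        findings.append(f"role {role} is used in auth-constraint but not declared in security-role")
    for role in sorted(required - _roles_under(wl, "security-role-assignment")):
        findings.append(f"role {role} is not mapped to a principal in weblogic.xml")
    return findings

# Constructed samples: the post's web.xml fragments wrapped in a <web-app> root, and its weblogic.xml.
SOURCE_WEB_XML = """<web-app>
<security-constraint><web-resource-collection><web-resource-name>aut</web-resource-name>
<url-pattern>/faces/aut/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>valid-users</role-name></auth-constraint></security-constraint>
<login-config><auth-method>BASIC</auth-method><realm-name>myrealm</realm-name></login-config>
<security-role><role-name>valid-users</role-name></security-role>
</web-app>"""
DEST_WEB_XML = SOURCE_WEB_XML.replace("BASIC", "CLIENT-CERT")
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
<security-role-assignment><role-name>valid-users</role-name><principal-name>users</principal-name>
</security-role-assignment></weblogic-web-app>"""
```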
That's all for now.

19 comments:

Jack said...

Hi Edwin,

Thanks for your post! It's very helpful!!!

I'm able to set up two applications and redirect App1 to App2. However, I'm getting this error on the destination server:
Could not parse SAML response: org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'exc14n:InclusiveNamespaces'.>

Edwin Biemond said...

Well done Jack,

you are almost there. I got the same error; WLS tries to download the schema defined in the exc14n namespace.

WLS needs to have an internet connection, then it works.

thanks

Jack Wong said...

Hi Edwin,

I've got a workaround to not use internet connection.

Here's what I've done:
Under directory: $BEA_HOME$\modules, there's a file - com.bea.core.bea.opensaml_1.0.0.0_5-0-2-0.jar.

Make a change in this file:
com.bea.core.bea.opensaml_1.0.0.0_5-0-2-0.jar\opensaml\schemas\xmldsig-core-schema.xsd

At line 77, add processContents="lax" under the "any" tag so it reads like:

<any namespace="##any" minOccurs="0" maxOccurs="unbounded" processContents="lax"/>

This is a really good blog! And for those who have no easy internet access from WLS, this is a good workaround.

Regards,
Jack
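As an added illustration of the workaround in the comment above (my code, not Jack's, Edwin's or Oracle's), this Python script copies the OpenSAML module jar and adds processContents="lax" to every <any> wildcard in the embedded xmldsig-core-schema.xsd that has no processContents attribute; the XSD default is strict, which is what the "matching wildcard is strict" error reports when the parser cannot fetch the exc14n schema. The jar entry path is the one given in the comment; the sample schema is a constructed stand-in and the function names are my own.

```python
import io
import re
import zipfile

# Entry inside com.bea.core.bea.opensaml_*.jar, as named in the comment above.
SCHEMA_ENTRY = "opensaml/schemas/xmldsig-core-schema.xsd"

# An <any> wildcard without a processContents attribute. The XSD default is "strict",
# which is what the "matching wildcard is strict" SAXParseException reports when the
# parser cannot fetch the exc14n schema to validate InclusiveNamespaces.
_STRICT_ANY = re.compile(r'<any\b(?![^>]*\bprocessContents=)([^>]*?)\s*(/?)>')

def relax_wildcards(xsd_text):
    """Return (patched text, number of wildcards changed); lax wildcards are left alone."""
    return _STRICT_ANY.subn(r'<any\1 processContents="lax"\2>', xsd_text)

def patch_opensaml_jar(src_jar, dst_jar):
    """Copy src_jar (path or file object) to dst_jar with the schema entry relaxed; return the edit count.
    Every other entry is copied unchanged, so the module is otherwise untouched."""
    edits = 0
    with zipfile.ZipFile(src_jar) as zin, zipfile.ZipFile(dst_jar, "w") as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename == SCHEMA_ENTRY:
                text, edits = relax_wildcards(data.decode("utf-8"))
                data = text.encode("utf-8")
            zout.writestr(info, data)
    return edits

# Constructed stand-in for the real schema: one strict wildcard of the shape the comment
# edits, plus one that is already lax and must stay as it is.
SAMPLE_XSD = """<schema xmlns="http://www.w3.org/2001/XMLSchema">
  <complexType name="CanonicalizationMethodType" mixed="true">
    <sequence><any namespace="##any" minOccurs="0" maxOccurs="unbounded"/></sequence>
  </complexType>
  <complexType name="TransformType" mixed="true">
    <choice><any namespace="##other" processContents="lax"/></choice>
  </complexType>
</schema>
"""

def demo():
    """Patch an in-memory jar built around SAMPLE_XSD; return (edit count, patched schema text)."""
    src, dst = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(src, "w") as z:
        z.writestr(SCHEMA_ENTRY, SAMPLE_XSD)
    edits = patch_opensaml_jar(src, dst)
    with zipfile.ZipFile(dst) as z:
        return edits, z.read(SCHEMA_ENTRY).decode("utf-8")
```

Lax processing only tells the validator to skip elements for which it has no declaration, so the change is confined to schema validation; keep the patched module jar under change control and restore the original once the exc14n schema is resolvable from the server.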

Edwin Biemond said...

Hi Jack,

Thanks for the great workaround.

Edwin

Jakub Pawłowski said...

Hi,

How does this SSO work when we have a WebLogic cluster?

Kuba

Edwin Biemond said...

Hi Jakub,

I think you don't need SAML in 1 domain. Everything is defined on the domain or the security realm, so every server in this domain should know the user.

I have never tested this.

Josh Bregman said...

WLS has built-in identity propagation among domains; in fact there are two models: Global Trust and Cross Domain Security. For most cases, just use Global Trust.

Identity propagation in this case is something like a web-application invoking an EJB in another domain.

If you're looking for cross domain SSO at the Web Tier, SAML is reasonable, but using something like Oracle Access Manager makes more sense.

nick said...

The workaround works well, but this seems like a bug (or a feature?). In production, servers may not have access to an internet connection. Are you aware of a solution in this scenario?

Gaurav said...

Hi,
I was trying to do the same on my side with WLS 10.3.
I was using the DemoIdentity keystore, but
it's giving this error:

An error occurred during activation of changes, please see the log for details.
[Management:141191]The prepare phase of the configuration update failed with an exception:
SAMLBeanUpdateListener SAMLSingleSignOnServiceConfigInfoImpl: prepareUpdate() failed with exception: weblogic.security.spi.ProviderInitializationException: [Security:097558]FederationServicesMBean configuration Protocol Signing Key DemoIdentity is invalid.

Please suggest

Vinod Kumar Kashyap said...

Hi
I am also facing same issue which Gaurav is facing
Please help....

Edwin Biemond said...

Hi,

Can you generate your own keystore by following this guide?

Download OpenSSL and make a JKS private keystore and a JKS trust keystore:

http://biemond.blogspot.com/2009/06/ws-security-in-osb.html

thanks

Anonymous said...

Edwin or anyone,

How would you configure the web apps for a "virtual user", where you do not want to have the destination know the user, only use the incoming assertion? I have been trying to configure that with no luck.

Ex-BEA dude

Edwin Biemond said...

Hi,

I don't know if that is possible; maybe when you make a domain trust.

Let me know if you made some progress.

thanks

sukhveer said...

Hi...
I am facing Error 403---Forbidden with SAML authentication. Please help...

Edwin Biemond said...

Hi

Can you give me the WLS settings of your two servers?

Thanks Edwin

sukhveer said...

Edwin,
I have followed the steps by Vikrant Sawant for WLS 9.2, but tried to use 10.3 instead. The settings are the same as for 9.2.

Thanks...

Edwin Biemond said...

Hi

Can you send me the config.xml of your two WLS servers?

biemond at gmail dot com

thanks

Sherwood said...

This works fine for SAML 1.1; however, there is a huge difference between SAML 1.1 and SAML 2.0. Have you attempted to configure SAML 2.0?

Edwin Biemond said...

Hi,

I made a new blog post on how to do this with SAML2:

http://biemond.blogspot.com/2009/09/sso-with-weblogic-1031-and-saml2.html

thanks Edwin