This blog is based on the article of Vikrant Sawant where he did the same with two WLS 9.2 Domains.I will use this blog as the starting point for my next blog entries, I am thinking about the following blog entries, How to use SSO / SAML with ADF Security , SAML with OWSM / OSB / ESB and BPEL. In this blog entry I will use the standard container security.
To make this work we need to have two WLS domains. I created a new domain with the configuration wizard of JDeveloper 11G and enabled the ADF option on this domain. I use the internal Weblogic domain of JDeveloper as the secondary domain.
The new domain will be the SAML Source site but first we need to configure the WebLogic server instance by enabling SSL. SAML will need SSL for the secured communication between the SAML source and destinations domains. For this source domain I will use port 7001 and 7002 (SSL)
Define the keystores, I have my own keystores but you can also use the WLS demo keystores
If you use your own keystore then you propably have to set the new private key alias.
Add a SAML 1.1 source site at the Federation Services tab.
The second step on the SAML Source site is to configure the myrealm security domain. In this step we start by adding a Credential Mapping.
In the provider Specific Tab of the just created credential mapping we have to define the details.
Now we can add the first SAML client (Relying Party ) of this source site. This will be the application which runs on the internal weblogic domain of JDeveloper. The first entry is called rp_00001
Add the url of secured page ( the url of the second application ) and the https port of the SAML destination url. Here we also have to provide the assertion id of the client SAML. This is APID=ap_00001. We will create this later (asserting party ) on the destination SAML domain.
For the communication we need to import the public keys. In my case is this the ca and the server public key. Just export these key from the keystores and rename these keys to the der file extension.
Step 3 is to setup the SAML destination site. I will use the internal Weblogic domain of JDeveloper for this. Default JDeveloper uses port 7101 and in this domain we also need to enable the SSL port ( port 7102 ).
Next go to the Federation Services of the server instance and enable SAML 1.1 destination Site.
Go to the myrealm security domain and add a new SAML authentication.
Add a new asserting party.
Here we add the url of the application which run on the source site. And the id of the relying party on the source site.
Here we also have to import the public keys of ca and server.
The last WebLogic step is to add a common authorization provider on both domains. I use a LDAP or a SQL authenticator for this. Both WLS domains need to have the same users and groups.
We are finished with the WebLogic configuration. Now we can make two ADF applications. For these application I will use the faces-config.xml and not the unbounded task flow. And I use the standard container security and not ADF Security.
the web.xml of the source application looks like this.
<security-constraint> <web-resource-collection> <web-resource-name>aut</web-resource-name> <url-pattern>/faces/aut/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>valid-users</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>myrealm</realm-name> </login-config> <security-role> <role-name>valid-users</role-name> </security-role>
the weblogic.xml of the source and destination application ( to map the valid-user role to the wls user group ).
<?xml version = '1.0' encoding = 'windows-1252'?> <weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app"> <security-role-assignment> <role-name>valid-users</role-name> <principal-name>users</principal-name> </security-role-assignment> </weblogic-web-app>
the web.xml of the destination application, now we have to use CLIENT-CERT.
<security-constraint> <web-resource-collection> <web-resource-name>aut</web-resource-name> <url-pattern>/faces/aut/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>valid-users</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>CLIENT-CERT</auth-method> <realm-name>myrealm</realm-name> </login-config> <security-role> <role-name>valid-users</role-name> </security-role>
When the user logs in on the destination site then it will automatically redirected to the source site .
That's all for now.