
Monday, September 14, 2009

SSO with WebLogic 10.3.1 and SAML2

In a previous blog entry I explained how to set up Single Sign-On (SSO) with SAML 1.1. In this blog post I do the same, but with SAML version 2 (SAML2) on a WebLogic 10.3.1 server.
First we start with the SAML2 Identity Provider; in SAML 1.1 this is called the source site. Because we can't do anything yet in the Federation Services tab of the server, we first need to create a Credential Mapping Provider (go to the myrealm security realm, Providers, Credential Mapping) and choose the SAML2 credential mapping provider type.

Fill in the provider-specific details and use the DemoIdentity keystore (this is the default).

Now we can go to the Federation Services tab of the server configuration and create a SAML2 profile for this server. We need to save this profile to a file and import it later into the other SAML2 Service Providers.
The Published Site URL is very important: use the URL of this server (http or https) and append /saml2 to it. SAML needs this URL to communicate with the other SAML services.

Second part of the SAML2 profile

Save this profile to an XML file.


Go to the Identity Provider tab and fill in these fields.
Go to the second WebLogic server; this is called the Service Provider, or in SAML 1.1 the destination site. Here we need to create a new SAML2 Authentication Provider (go to the myrealm security realm, Providers and then Authentication).

Now that we have done this we can go to the Federation Services tab of this WebLogic server and fill in its SAML2 profile. The Published Site URL is very important: it must match the server URL and has to end with /saml2.

Second part of this SAML profile

Save this metadata to an XML file. This needs to be imported into the Credential Mapping Provider of the Identity Provider (the first WebLogic server).


The next step is to go to the SAML2 Service Provider tab.
Then go back to the SAML2 Authentication Provider, where we will import the Identity Provider metadata XML.

Select the Identity Provider metadata XML file.

You have to enable this partner and, most important, fill in all the URLs of your applications that need SAML authentication.


Now we do the same for the metadata XML of the Service Provider. We need to import this into the Credential Mapping Provider of the Identity Provider.
Select the Service Provider metadata XML file.

Enable this Service Provider partner.

That's all

In this example I use http, but it should also work with https. When it fails, check your URLs: don't mix localhost and the PC name, and likewise don't mix the short hostname and the hostname with domain name.
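The URL rule above (the same host everywhere, and a Published Site URL that ends in /saml2) can be checked mechanically against the metadata XML you saved from the Federation Services tab, because every endpoint WebLogic publishes is derived from that URL. The following is an added example in Python, not code from the original post or from WebLogic: it parses SAML2 metadata with the standard library and lists endpoints whose scheme, host or port differ from the published site URL, or whose path does not start with /saml2/. The metadata is constructed for this example, and idp.example.com is a placeholder host.

```python
"""Check a published SAML2 metadata file for the URL mistakes the post warns about.

Added example, not code from the original post. It parses SAML2 metadata
(the XML that WebLogic publishes from the Federation Services tab) with the
standard library and reports endpoints whose scheme/host/port differ from the
published site URL or whose path does not start with /saml2/. The metadata
below is constructed for this example; 'idp.example.com' is a placeholder.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: one endpoint deliberately uses 'localhost' and one is
# missing the /saml2 path prefix, the two problems the post tells you to check.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="idp-domain">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://idp.example.com:7001/saml2/idp/ars/soap" index="0"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:7001/saml2/idp/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://idp.example.com:7001/idp/sso/artifact"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_locations(metadata_xml):
    """Return (element-name, Location) for every endpoint element in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for elem in root.iter():
        loc = elem.get("Location")
        if loc:
            tag = elem.tag.split("}", 1)[-1]  # strip the namespace prefix
            found.append((tag, loc))
    return found


def check_metadata(metadata_xml, published_site_url):
    """Return a list of problems; an empty list means the metadata is consistent."""
    site = urlsplit(published_site_url)
    problems = []
    if not site.path.rstrip("/").endswith("/saml2"):
        problems.append(f"published site URL {published_site_url} does not end with /saml2")
    for tag, loc in endpoint_locations(metadata_xml):
        u = urlsplit(loc)
        # scheme, host and port must all match; 'localhost' and the machine
        # name are different hosts as far as the partner is concerned
        if (u.scheme, u.hostname, u.port) != (site.scheme, site.hostname, site.port):
            problems.append(f"{tag}: {loc} is not on {site.scheme}://{site.netloc}")
        if not u.path.startswith("/saml2/"):
            problems.append(f"{tag}: {loc} path does not start with /saml2/")
    return problems


if __name__ == "__main__":
    for problem in check_metadata(SAMPLE_METADATA, "http://idp.example.com:7001/saml2"):
        print("PROBLEM:", problem)
```

Run it against the metadata file exported from each domain with that domain's own Published Site URL; anything it prints is a mismatch the partner on the other side will also notice, usually as a failed redirect or a 4xx on the /saml2 endpoints.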

For more debug information in your server.log, set these Java system properties in your setDomainEnv script (Windows syntax shown):
set EXTRA_JAVA_PROPERTIES=-Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true %EXTRA_JAVA_PROPERTIES%

198 comments:

  1. Good post, but how does one get a SAML token from Weblogic IdP before even communicating with SP? Thanks. - John

  2. Hi John,

    Can you explain your use case? When I think about this, you need to make a trust.

    thanks

  3. Hi,
    Can you tell me the content of the hidden fields (e.g. Web Service Assertion Signing Key Pass Phrase)?
    I have no idea where to find these passwords/passphrases.

    Regards
    Edmund

  4. Hi,

    hope this helps

    Trust store DemoTrust.jks
    Trust store password DemoTrustKeyStorePassPhrase

    Key store DemoIdentity.jks
    Key store password DemoIdentityKeyStorePassPhrase

    Private key password DemoIdentityPassPhrase

    thanks

  5. Hi Edwin,

    Thanks for this post. I implemented this between two WebLogic domains and it works. I am facing one problem though: I am able to go from source to destination fine; however, when I go back to source from destination, the user gets logged out. It seems the jsessionid created by source gets overwritten by destination. Any ideas would be appreciated.

    Thanks!

  6. Hi,
    I have some firewall restrictions and cannot expose its/acs URLs. Both source and destination are inside same network. How would it be possible to make the ITS url communication as back-channel without involving Browser. I believe ACS url communication happens as back-channel without going through the browser.

  7. Hi,

    What I know is that you should use the same server names everywhere, so don't mix localhost, 127.0.0.1 and the machine name.

    I think it should work.

    thanks

  8. Hi Edwin, I've implemented your tutorial. After requesting some secured page from the service provider the authentication dialog is displayed. I am sending login and password and then I get Error 500. In the Identity Provider server log I have:


    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1290079707526> <[ServletContext@378642627[app:saml2 module:saml2.war path:/saml2 spec-version:null]] Servlet failed with Exception
    java.lang.NullPointerException
    at weblogic.security.service.CommonSecurityLoggerSpiImpl$1.run(CommonSecurityLoggerSpiImpl.java:53)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.security.service.CommonSecurityLoggerSpiImpl.run(CommonSecurityLoggerSpiImpl.java:28)
    at weblogic.security.service.CommonSecurityLoggerSpiImpl.debug(CommonSecurityLoggerSpiImpl.java:50)
    at com.bea.security.saml2.service.AbstractService.logError(AbstractService.java:100)
    at com.bea.security.saml2.service.AbstractService.logAndSendError(AbstractService.java:83)
    at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:107)
    at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)
    at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
    at $Proxy24.process(Unknown Source)
    at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3686)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)


    Can You help me?

    Michal.

  9. Hi,

    Please check all my pics and your URLs in WLS; everything must match,

    and use the same server names everywhere; don't mix localhost and your server name.

    thanks

  10. I have double-checked.
    Well it seems that there was an exception with getMessage() == null and CommonSecurityLoggerSpiImpl was trying to log that exception by calling getMessage().toString() and that caused NullPointerException.
    Anyway I used SAML 1.1 and it works for me.

  11. Hi, the URL of login

    /saml2/idp/login

    should be the same, or should it be my second application (Destination)? In your case, do you have /saml2/idp/login in your destination?

  12. Hi,

    It looks OK; did you get an error?

    thanks

  13. Hi Edwin, thanks for the post!
    I set up trust between 2 WLS domains following the article. However, I do not get the token generated in the HTTP POST of the IdP domain. Do I have to embed the token programmatically or simply rely on the selected protocol HTTP POST to do this? Please advise.
    I deployed Simple JSP app with form based auth and after a successful login, I have a form submit to post to an SP page.
    I have SP JSP app with CLIENT-CERT.

    Both apps behave as though there is no SSO setup. I do not see anything in the logs even though I have debug options on the domains. What else can I check?
    regards,
    krish

  14. Hi Edwin, Thanks for the post!
    I set up trust between 2 WLS domains by following the article. I deployed a simple JSP app on the IdP with form-based auth. The successful login page has an HTTP POST to the SP page. The app on the SP is another JSP app with CLIENT-CERT.
    However, I do not get the SAML token generated or embedded in the HTML. Do we have to do this programmatically or just rely on the selected protocol option "HTTP POST"? Trying to navigate to the SP from the IdP gives a 401 error.
    Both the apps behave as though no SSO is setup. I enabled options on logs, but I do not see any.
    please advise. Is there anything else I can check?
    regards,
    krish

    1. Hello how did you solve the 401 problem?

      What is "I finally got it to work after playing around with protocol options and configuring redirect URL on the SP" about?
      Regards

    2. Finally I found it; I checked the logs and saw:


      In the Web SSO IdP Partner on the SAML AP, it seems it doesn't recognize wildcards like /appB/*, and I put the entire path and it works.

  15. Hi,

    Please check your URLs in both the WLS config and the apps; use the same machine name everywhere, and don't mix localhost and a server name, or the full name with domain and the name without domain.

    thanks

  16. Edwin, thanks for your response. I finally got it to work after playing around with protocol options and configuring redirect URL on the SP. However, there are a couple of things that I request your help regarding.
    1. I only see the below in the Http header on a redirect from SP to IdP.
    http://[HOST]:[PORT]/saml2/idp/sso/artifact?SAMLart=AAQAAApriktiqPxDEvWbV4yOYVVARn3n%2Fq4L3yqGLEyBaeObjhqZNSQtXnA%3D
    Where should I locate the SAML token? I only see the above encrypted message being passed around to authenticate, but no saml.
    2. Also, I have a custom login url, and I use the "Login Return Query Parameter". My request redirects from SP to Idp's login page correctly with the URL
    http://{Idp_HOST}:{PORT}/idpapp/login.jsp;jsessionid=thS2NQxDwnDyLnGvYJz7H0jbHMS7PLCh2fJfnBWq0T67Trtp2dGr!1795540823?returnURL=http://{Idp_HOST}:{PORT}/saml2/idp/sso/login-return
    However, once I log in, I don't get redirected back to the original requesting page on the SP. Is there any way I can seamlessly redirect from SP to IdP login and back to SP?
    Thanks for your tremendous help!! There is very little help regarding this in the WebLogic docs; I'll be very thankful.
    krish

    1. Hi Edwin, I was able to successfully do SSO vice versa as per the above steps you mentioned for basic authentication. But I was not able to do it with the custom login which I configured on the IdP end; I was not able to navigate from the IdP login page to the SP. Do we need to write code for it? Please advise.

    2. Continuing from the above: I was able to log in, but I am redirected to the source site rather than to the SP site. I believe this is happening because of jsecuritycheck, which is redirecting to the source site. How would we change this to redirect to the SP in web.xml, i.e. the target application URL? Essentially it's SP-initiated SSO.

  17. Hi Edwin,
    could you please help me with the above? I verified that I use consistent hostname everywhere.
    thanks,
    krish

  18. Hi,

    Please set the SAML debug parameters and you will see every detail.

    Don't know if you can use a return URL.

    thanks

  19. SAML Service Provider or Identity Provider must be created before SAML profile can be published. Otherwise, an error "SAML2 services not enabled" will occur.

  20. Hi Edwin

    I followed your post for the SAML2 authentication. I am able to log in through my source page from domainA to domainB, but if I log in through WebLogic, when I reach DomainB I go as anonymous. So my doubt is whether I am doing something wrong; also, if I hit the target domain page I am being logged in directly as anonymous. I have used

    CLIENT-CERT

    Please help

  21. Hi,

    What do you mean with "I login thru weblogic when I reach DomainB I go as anonymous"?

    please explain everything you did

  22. I am assuming you used the RDBMS security store for SAML 2.0; what database was used?

  23. Hi,

    no I use the default option, no database repository for the myrealm security realm.

  24. Hi Edwin,

    First thank you for documenting all steps. I was wondering if you would mind sharing the jsp files you have used? I'm sorry to ask, but I'm not a java developer, and have no clue how to write them.

    Many thanks

    Peter

  25. Good post , it worked well for me too

  26. Hi Edwin,

    Thanks very much for the post, really useful!

    I am trying to implement an SP-initiated use case. For this I have a WebLogic server working as a Service Provider and an Active Directory Federation Services working as Identity Provider.

    In my Weblogic instance I have configured, for my default security realm:

    1. Authentication Provider with a SSO Identity Provider Partner.
    2. Credential Mapper Provider with a SSO Service Provider Mapper

    After that I have configured one server as a Service Provider.

    The problem is that if I ask for any resource (web app) that I have deployed in this server, my request goes straight to the resource (without being asked for authentication). However if I set on the "Redirect URIs" of my Identity Provider Partner, the Weblogic Admin console URI (/console/index.jsp) I am asked for authentication (the IdP answer with the SSO login form).

    Any idea?

    Thanks in advance,

    Luis

  27. By the way, Thanks in advance!!!

    Luis

  28. Hi Edwin,

    Finally I think I got the right configuration of my SP. Now I am being redirected to the IdP login form and I am getting the assertions from it.

    My problem now is that I am getting a LoginException: ...Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException...

    I think that my problem is in the deployment descriptors of my app (web.xml and weblogic.xml).

    How can I map the "Groups" attribute of the SAML2 assertion to the "security-role" and "security-role-assignment" defined in the web.xml and weblogic.xml?

    Thanks in advance,

    Luis

  29. Hi,

    Just use the WLS users role, map this in the weblogic.xml to an application role and use this role in the web.xml.

    Every authenticated user belongs to the users role.

    And what is the username of the person which logs in and what are his roles. ( maybe you can map this role (weblogic.xml) and make sure the user exists on both weblogic domains )

    thanks

  30. Hi Edwin,

    Yes, you are right!!! If I use the "users" role it works perfectly.

    The problem is that I wanted to grant access just to users that belong to a certain group.

    As I can see in the assertion received from my IdP, my user belongs to a group called spain-staff:

    .../...

    .../...
    spain-staff

    .../...

    Supposedly, if my configuration is ok, mapping this principal at my Deployment Descriptors it should work, shouldn't it? My Deployment Descriptors look like this:

    web.xml



    sample_weblogic_app_2
    /secure/*


    FederatedUsers




    FederatedUsers


    And weblogic.xml:


    FederatedUsers
    spain-staff


    Now I am getting an ugly "403-Forbidden" error. In my server logs I can see that my principal is being authenticated; what I am not sure of is whether the service provider is able to get the attribute assertion information (groups, etc...). These are extracts from my SP server log:













    So it seems that the SAML module is not able to get the user groups from the assertion. Maybe I am missing something? In my "SAML 2.0 Web Single Sign-on Identity Provider Partner's General Properties" I have checked the "Virtual User" and "Process Attributes" options...

    Thanks in advance,

    Luis

  31. Hi Edwin,

    It seems that the blogger system has not allowed the xml traces. Here they are in plain text:

    SAML2Assert.processAttributes - processAttrs: false, processGrpAttrs: true
    SAMLIALoginModule: login(): User name is 'luis@mydomain.com'
    SAMLIALoginModule: login(): Got groups: null
    SAMLIALoginModule: login(): don't get attribute principals, the element in context handler is empty.
    login(): Identity Asserted for: username:luis@mydomain.com, groups: null
    SAMLIALoginModule: login(): Check Groups: IdentityAssertion = true
    login(): login succeeded for username luis@mydomain.com
    SAMLIALoginModule: commit(): login succeeded, adding principals, returning true
    SAMLIALoginModule: commit(): LDAP Atn Principal Added
    com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1 Principal = class weblogic.security.principal.WLSUserImpl("luis@mydomain.com")
    Using redirect URL from request cache: 'http://myhost:80/sample_weblogic_app_2/secure/infoUser.jsp'

  32. Hi,

    Can you use the users role for the security part and try to display all the user roles,

    like I do in this blog.

    http://blog.whitehorses.nl/2010/01/29/weblogic-web-application-container-security-part-1/

    thanks

  33. Hi Edwin,

    Thanks a lot for your answer! I still have not tried your test, for the moment we have added the AuthZ problem in our TODO's list.

    In the meantime I have got an answer from the OTN forums (thanks!):

    http://forums.oracle.com/forums/thread.jspa?messageID=9745589#9745589

    Thanks and best regards,

    Luis

  34. Hi Edwin
    I have an issue ... I Log on on the first app and then navigate to the second app ... when I return back to the first app it shows the login screen again .. any help please

  35. Hi,

    Please set the log level of the managed server to trace and enable the security logging, and check the logs for why you are not authorized.

    And important: keep the server names consistent; don't use localhost one time and your machine name the next time. localhost and the machine name are different machines for security.


    thanks.

  36. I have configured SAML2 with WebLogic following these steps. All is well, but when I log in to the IdP and I can enter the page on the other host, it is OK the first time. When I log in to the IdP with another user, for the IdP it is fine, but for the page on the other host the user is the last one, the same user as the first login. I think the user is present in the cookies of the browser. I can use:

    weblogic.servlet.security.ServletAuthentication.logout(request);
    weblogic.servlet.security.ServletAuthentication.invalidateAll(request);
    weblogic.servlet.security.ServletAuthentication.killCookie(request);
    With these I can invalidate the session on the page of the Service Provider and go back to the login of the IdP. I want to control the session of all SSO from the first page (IdP). How can I do this?

    Thanks;

    Jose Luis

  37. Hi Jose Luis,

    I am afraid that for the moment the SAML Log Out is not supported in the Weblogic Server. You can take a look at this post: https://forums.oracle.com/forums/thread.jspa?messageID=9706446&#9706446

    Cheers,

    Luis

    1. Hi Luis,

      I read your detailed explanation on how to implement SLO for Weblogic by using saml2slo/sp servlet (Re: SAML2.0 Single logout weblogic 10.3 ). I am quite new to Weblogic and would really appreciate if you forward the implementation of servlet for reference to my email address sonikajain0101@gmail.com.

      Thank you and look forward to hearing back from you.

      Regards,
      Sonika

    2. Hello Sonika,

      Sorry for my late answer, I completely missed your comment.

      You can clone it from here: https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo

      Hope it helps,

      Luis

  38. Thanks very much for your help; then I need to develop a session.invalidate().

    Now, I have two applications
    appA - host1 - Domain1 (Idp)
    appB - host2 - Domain2 (Sp)

    When I log in to appA and I can go to the next application (appB), it works the first time. But the second time, in appB the user is not propagated from appA.

    First time:
    appA (user1) -> appB(user1)

    Second time:
    appB (user2) -> appB(user1)

    This occurs when I have two domains on two different hosts, but on the same host it works.

    Any suggestions?

    Thanks,
    Jose Luis

  39. Hi everybody,

    Finally I solved the authorization problem, see: https://forums.oracle.com/forums/click.jspa?searchID=-1&messageID=9685014

    Thank you very much and best regards,

    Luis

  40. Nice,

    you should make a blog about this. Great solution.

    thanks

  41. Hi Jose Luis,

    Have you configured a provider authenticator, identity asserter and credential mapper for both domains (security realms)?

    I have to confess that I have tested my configuration only for one Weblogic Domain...

    Have you also enabled the debug options for atN, atZ and SAML2?

    For the Single Log Out I can recommend you this article: http://dsc.sun.com/identity/reference/techart/single-logout.html I am afraid that there is a lot of work to do...

    Hope it helps,

    Luis

  42. Hi Edwin,

    You have explained things very clearly in this article and it is easy for anyone to understand. The WebLogic documentation is very poor.

    I tried setting things up according to your article using two local weblogic domains. I could not get it to work. Correct me if I am wrong. After setting up the Identity Provider Instance, I should be able to type in the URL such as http:///saml2/idp/login and be able to see a SAML 2 Login Page, is it not? I do not see this. Is there a SAML Web Application of some sort that needs to be deployed first?

    Thanks,

    Ronnie

  43. Hi,


    It will be there, just provide the right server name and port.

    Don't know if you can call it directly.

    thanks

  44. Hi Jose Luis,

    I have developed the SLO protocol for Weblogic.

    Take a look if you wish at the recipe:

    https://forums.oracle.com/forums/message.jspa?messageID=10017078#10017078

    Hope it helps,

    Luis

  45. Forget about my previous post Edwin, I got it working. The simple web application on the SP that I was trying to get the authentication from the IdP for was not setup to require authentication. I realized it today and I changed it to require authentication by adding a in its web.xml and it worked. Anyways, again very thankful for your blog.

  46. Hi Edwin,
    In my previous post I wrote about the problem I am facing during SAML creation. Let me replicate the requirement.
    I am using weblogic as an Identity Provider and Oracle Identity federation (OIF) as a service Provider. The federation will be IDP(weblogic) initiated.
    I have configured both sides. I have configured both the sides as per your blog (weblogic and OIF) , published metadata and exchanged.
    Now the problem we are facing is that we don't know whether any web application needs to be deployed in WebLogic, or whether there is any out-of-the-box feature in WebLogic which we can use in order to get SAML working.
    Is there any out of box feature of weblogic by which we can use SAML after configuration only or we need to write a separate java code in order to create login page and using the entire configuration which I made in weblogic.
    As my requirement is a bit different from the solution in your blog: I am using OIF as service provider, and in your blog WebLogic is being used in both places. I used the source site configuration part from the blog (because I am also using WebLogic as an IdP). I configured OIF on my own and exchanged the metadata of OIF and WebLogic.
    IF I had used OIF at both sides in that case my job would be pretty easy (cause OIF is specifically made for this purpose. But our requirement is different as I have to use weblogic as an IDP).
    In your blog you haven't written about any web application which needs to be deployed on the WebLogic side.
    What URL I need to hit for SAML if there is out of box feature in weblogic for using SAML(after configuring everything in weblogic).
    It’s been so long I am doing this task but I am not able to achieve it. Therefore any help regarding this task will be highly appreciated

    Thanks.

  47. Hi Edwin,

    Do you know how can I avoid this error?

    Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096537]Assertion is not yet valid (NotBefore condition)

    I have tried:

    - Synchronise the SP (Weblogic) with the IdP (ADFS2) clocks
    - Set different values for the time to live, offset, etc in the Credential Mapper
    - Disable the "POST One Use Check Enabled" in the SP

    Any ideas?

    Thanks in advance,

    Luis

    1. Hi,

      I think Microsoft sends it too early, or it is a timezone problem. Maybe Microsoft TechNet has some answers.

      good luck

    2. Hi Edwin,

      Yes, in the ADFS2 configuration you can find the "NotBeforeSkew" parameter that solves the problem, or at least seems to...

      http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/f42d4f48-8169-4f38-866f-c0da11702a0d

      Thanks again,

      Luis

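The "Assertion is not yet valid (NotBefore condition)" error in the thread above comes down to two clocks disagreeing by a few seconds: the IdP stamps NotBefore with its own time, and an SP whose clock is behind rejects the assertion. The following is an added example in Python, not code from the original post, from WebLogic or from ADFS: it evaluates an assertion's Conditions the way a relying party does and shows how a small skew allowance (the idea behind the ADFS NotBeforeSkew setting mentioned above) turns the rejection into an accepted assertion. The assertion XML and every timestamp in it are constructed for this example.

```python
"""Evaluate a SAML2 assertion's Conditions with a configurable clock-skew allowance.

Added example, not code from the original post or from WebLogic/ADFS. It
parses the <saml:Conditions> element with the standard library and reports
whether the assertion is valid at a given SP clock time, optionally widening
the window by a skew allowance. The assertion and timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion from an IdP whose clock runs 90 s ahead of the SP's.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0"
    IssueInstant="2009-09-14T10:01:30Z">
  <saml:Issuer>idp-domain</saml:Issuer>
  <saml:Conditions NotBefore="2009-09-14T10:01:30Z" NotOnOrAfter="2009-09-14T10:06:30Z">
    <saml:AudienceRestriction><saml:Audience>sp-domain</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(text):
    """SAML dateTime values are UTC with a trailing Z; return an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def validity_check(assertion_xml, sp_now_text, allowed_skew_seconds=0):
    """Return 'valid', 'not-yet-valid' or 'expired' for the SP's clock time.

    The skew widens the window on both ends. Keep it to seconds, not minutes:
    every second of tolerance is also a second longer that a captured
    assertion remains acceptable.
    """
    now = parse_saml_time(sp_now_text)
    skew = timedelta(seconds=allowed_skew_seconds)
    not_before, not_on_or_after = conditions(assertion_xml)
    if now < not_before - skew:
        return "not-yet-valid"
    if now >= not_on_or_after + skew:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # SP clock is 10:00:00 while the IdP stamped NotBefore=10:01:30
    for skew in (0, 60, 120):
        print(f"skew {skew:3d}s ->", validity_check(SAMPLE_ASSERTION, "2009-09-14T10:00:00Z", skew))
```

The first fix is still clock synchronisation (NTP on both the IdP and the SP); a skew allowance only papers over drift of a few seconds, and whatever value is chosen also lengthens the replay window of an assertion that leaks in transit.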
  48. Hi Edwin,

    I am using this blog as a reference to setup SAML 2.0 for WebServices in WL 10.3.0.0. I have setup a SAML Cred Mapper with a WS SP partner. However, I get the following error when the assertion is being created
    #### <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1328178680678> and confirmation method urn:oasis:names:tc:SAML:2.0:cm:sender-vouches>
    #### <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1328178680678>

    I have setup the target endpoint URL in Audience URI as per the documentation
    [target:char:]

    What could be possibly wrong here? Any pointers would help :) Thanks in advance!!

    Thanks,
    Jackson

  49. Putting the error messages below. Seems like they got trimmed off.

    can not find sp partner based on target resource and confirmation method urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
    SAML2CredentialMapper: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: Get SP Partner: null from store error

    Thanks,
    Jackson

  50. Hi Jackson,

    It seems that it is not able to find the endpoints for your Service Provider. I would recommend checking them.

    By the way, is the SAML 2.0 Web Single Sign-on Service Provider Partner enabled?

    Hope it helps,

    Luis

  51. Hi Luis,

    I have setup SAML 2.0 WebService Service Provider.

    I have tried following partner lookup strings in the Audience URI field, but did not help
    target:-:http://10.1.130.236:6001/WLProj/ddgs
    target:*:http://

    Thanks,
    Jackson

    1. Hi,

      Don't mix IP, hostnames and full names together; it is very sensitive. Just use hostname + domain name.

      good luck.

    2. Hi Jackson,

      Yes absolutely agree with Edwin...

      Also I am not sure if I am understanding well. For example, in my setup I have a Managed Weblogic Server working as a Service Provider. If I just invoke my Assertion Consumer Endpoint (acs):

      https://myhost:sslPort/saml2/sp/acs/post

      I get a 400 ERROR because it is expecting a SAMLResponse in the request (HTTP-POST binding). With this simple test I know that my saml2 module at least is working.

      I can see that yours is a little bit different, but at the end of the day I think that you will need to declare in your Audience URIs "something" that is going to consume your assertion. I would begin by checking that.

      Hope it helps,

      Luis

  52. Yes, the Service Provider partner is enabled

    Jackson

  53. I have also noticed a LDAP search happening before this error is logged. Do we have to setup any LDAP config?

    LDAPStoreQuery: Performing LDAP search... base: ou=SPPartner,ou=myrealm,dc=saml2sts_domain filter: (&(objectclass=beaSAML2SPPartner)(beaSAML2PartnerConfirmationMethod=urn:oasis:names:tc:SAML:2.0:cm:sender-vouches))>
    LDAPStoreQuery: result count: 0>
    SecuritySAML2CredMap:can not find sp partner based on target resource http://10.1.130.236:6001/WLProj/ddgs and confirmation method urn:oasis:names:tc:SAML:2.0:cm:sender-vouches

  54. Thanks Luis and Edwin. This issue is resolved. Turns out that the value for the confirmation method is not stored correctly by WebLogic. It should be urn:oasis:names:tc:SAML:2.0:cm:sender-vouches. I updated the value using a WLST script, and the issue was resolved. Maybe a bug in the version I am using (WL 10.3.0.0).

    Thanks,
    Jackson

  55. I am getting another error.

    Trying to select key by mechanism: BY_TOKEN_REFERENCE.
    Trying to select key by KeyIdentifier J9S4ugluWd6COLSjk48dOG+TSXg=
    Could not derive key from encrypted key for requested algorithm. Cause: weblogic.xml.crypto.api.KeySelectorException: Failed to resolve key using SecurityTokenReference weblogic.xml.crypto.wss.BinarySecurityTokenReference@120069a URI: str_tmMy63PLjf9Al1vC because encrypted key doesn't support required algorithm or purpose

    It seems that WL is not able to find the key to decrypt the encrypted wsee header data. I have configured the correct assertion signing certificate on the WS Id Partner. Any idea what could be the issue?

    Thanks,
    Jackson

  56. Hi Jackson,

    Mmmm, I experienced a similar issue a couple of months ago, but on the other side, that is, sending requests to the IdP (ADFS2) from a servlet. For signing the request I was using SHA1 and the IdP was verifying them with SHA256. Just changing the IdP configuration solved the issue.

    Hope it helps,

    Luis

  57. Thanks Luis. What you told me looks exactly like the issue.

    From the WebService host log
    Selecting key for algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p purpose: decrypt KeyInfo: weblogic.xml.crypto.dsig.keyinfo.KeyInfoImpl@b6e580 from providers

    From the client domains log
    Selecting key for algorithm: http://www.w3.org/2000/09/xmldsig#hmac-sha1 purpose: sign KeyInfo: weblogic.xml.crypto.dsig.keyinfo.KeyInfoImpl@11183d8 from providers:


    I notice that the algorithm specified in the SAML token is http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.


    How can I fix this?

    Thanks,
    Jackson

    ReplyDelete
  58. Hi Jackson,

    I am not 100% sure but I think that Weblogic is using the same algorithm signature that is declared in your "Single Sign-On Signing Certificate" (see Home >Summary of Security Realms >myrealm >Credential Mappings >Providers >My Credential Mapper >WebSSO-SP-Partner-0).

    Hope it helps,

    Luis

    ReplyDelete
  59. I am using a certificate using SHA1. Given below are details of this certificate.
    Signature Algorithm: MD5withRSA
    Public Key: Sun RSA public key, 1024 bits modulus:
    Thumbprint Algorithm: SHA1

    The same certificate is used in both sides (client and server)

    I changed the algorithm suite from Basic256 to TripleDes in the WS policy, and found that this time it searches for KwRsa15. As per this OASIS site - http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826555. These two algorithms (KwRsaOaep and KwRsa15) are used for asymmetric binding. I believe I need to make use of a different certificate. I will continue searching for more help. If you happen to get any information which can help, do let me know.

    Thanks,
    Jackson

    ReplyDelete
  60. Hi everybody,

    Currently I have several WLS domains authenticating against our SSO via SAML2, mapping attributes assertions to principals, now the sky is the limit, thanks!

    But there are still "little" issues to solve. One of these would be to have several "Published site URL" values for a single WLS domain. That is, I would like to have something like this:

    https://my.domain.com/mydomain/cluster1/saml2
    https://my.domain.com/mydomain/cluster2/saml2
    https://my.domain.com/mydomain/cluster3/saml2

    In the Oracle docs it is said that:

    "The published site URL should be appended with /saml2. For example: https://www.avitek.com:7001/avitek-domain/aviserver/saml2". See http://docs.oracle.com/cd/E24329_01/web.1211/e24422/saml.htm#i1107411

    I have tried it in the simplest scenario, one domain with only the AdminServer, something like this: http://my.domain.com:7001/mydomain/AdminServer/saml2/ But I am getting a 404--Not Found...

    Am I missing something?

    Thanks in advance,

    Luis

    ReplyDelete
    Replies
    1. Hi,

      You need to resolve it in Apache with a redirect or with a load balancer; on WLS I think it's always wls:port/saml2

      Delete
    2. Hi Edwin,

      Thank you very much for your answer! So that means that, at the end of the day, on the WLS side I will always have the same published URL for all of the clusters, won't I?

      The problem is that with this configuration it seems that I will be able to configure only one SP per domain... I have to check this...

      Thank you very much,

      Luis

      Delete
    3. Hi Luis,

      you can change /saml2 to something else like /aaa_saml2 but I don't think this is possible /aaa/saml2

      Delete
    4. Hi Edwin,

      Thank you very much for your answer!

      I have tried with /cluster1_saml2 but I get a "404--Not Found".

      I have just tested it in the simplest environment, one WLS with one AdminServer. Here I have just changed the "Published Site URL" field...

      Perhaps I am missing something...

      Thanks,

      Luis

      Delete
    5. Hi Edwin,

      I think that we get it!

      I have an Apache Web Server with wl_proxy enable. Here you can add the PathTrim parameter (see http://docs.oracle.com/cd/E23943_01/web.1111/e14395/plugin_params.htm). So you should have something like this:


      WebLogicCluster managed.server1.com:8410,managed.server2.com:8412
      PathTrim /dev_A_Cluster

      .../...



      In the WLS you keep the /saml2 context in the "Published site URL".

      Also you will need to tell WLS not to check the Destination field (see your IdP response) by disabling "Recipient Check Enabled".

      Any thoughts on this, maybe too much hacking around?

      Thanks in advance,

      Luis

      Delete
  61. Hi Edwin,
    I've implemented your tutorial step by step. When I tried to configure SAML2 Authentication
    at the second WebLogic I got confused about how I could configure it, because when I went to the next step at the "Federation Services Tab" to configure SAML 2.0 General I got an alert with this message: "you must enable SAML 2 ..."
    So how can I solve this problem?

    thanks in advance

    ReplyDelete
    Replies
    1. Hi,

      Sometimes you need to restart WebLogic between the steps.

      thanks

      Delete
  62. Hi Keivan,

    At that point you are configuring the Service Provider. Before configuring the SAML Federation Services you must have configured a SAML2 Authenticator Provider. And as Edwin says, you will need to restart the domain (under the hood a new MBean has been created). Take a look at http://docs.oracle.com/cd/E23943_01/web.1111/e13707/saml.htm#i1109029

    Hope it helps,

    Luis

    ReplyDelete
  63. Hi Everybody,

    I have a few domains running Weblogic and working and authenticating against our SSO via SAML2 protocol, good!

    But now the issues come, as always, when you have the thing in production...

    I have one WLS that works as a proxy for our Oracle-APEX applications. This proxy gets the user info, a custom principal implementation, and adds some headers before redirecting the user to the final APEX application. The applications perform the user authentication using this header info, good!

    But the bad news is that the default APEX menu tabs generate POST requests with a bunch of parameters in the body content. Why is this bad? Because WebLogic SAML2 is not able "to remember" these parameters (it performs a GET actually), so the APEX application crashes...

    Does anybody know if there is an option that allows WebLogic to keep the original request parameters?

    Thanks in advance,

    Luis

    ReplyDelete
    Replies
    1. Hi,

      I don't know much about APEX etc., but do you use the APEX listener on WebLogic? Maybe you can configure some option there.

      good luck

      Delete
    2. Hi Edwin,

      Good suggestion, thanks, I will check it. Unfortunately, even if it works, I will not be able to deploy it in production. The last release of the Apex Listener only allows one database per deployment...

      Thanks and best regards,

      Luis

      Delete
  64. Hi, I have a SOA Suite Managed Server on one server and Oracle IPM on another server; however, I have applied the SSO steps mentioned above on the Admin Server. So when I try to call an IPM Viewer with a Document Id from a SOA Suite Human Task ADF Application, I'm getting directed to the Oracle IPM Login Page. How can we use the following steps with a Managed Server? Thanks in advance. Glen

    ReplyDelete
    Replies
    1. Hi Glen,

      The configuration for a Managed Server is the same as for the AdminServer.

      Hope it helps,

      Luis

      Delete
  65. Hi Edwin,

    Following your blog steps, I had appA deployed on one server (localhost:7001, ssl port 7002), and appB deployed on another server (localhost:7003, ssl port 7004). appA uses form login, appB is configured for CLIENT-CERT.

    I set the Identity Provider general services to a published URL of https://localhost:7002/saml2 and an Entity ID of saml2CMP.

    I set the service provider general services to a published URL of https://localhost:7004/saml2 and an Entity ID of saml2AP.


    When I go to appA, it asked me for a login. There's a link in appA to take me straight to appB's protected resource page of /appB/admin/services.jsp. This page is listed in the Identity Provider Partner configuration page. When I click said link, it gives me 404 unauthorized. So I tried using 127.0.0.1 in place of localhost. My configuration thus looks like:

    Identity Provider published URL: https://127.0.0.1:7002/saml2
    Identity Provider entity ID: saml2CMP
    Service Provider published URL: https://127.0.0.1:7004/saml2
    Service provider entity ID: saml2AP

    This gives me the following error now when I click the link:

    "The webpage at http://127.0.0.1:7001/saml2/idp/sso/artifact?SAMLart=AAQAAApriktiqPxDEvWbV4yOYVVARn3n8HD%2F%2FCFyLwRU%2FokaghAZK%2BqqPAU%3D has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer."

    The https and the port number don't affect this redirect error. It will happen if I use http and the standard listener ports of 7001/7003.

    Since I'm a novice at working with SAML2 and SSO, I'm assuming I messed up a config setting. Particularly because these two applications are the same applications I used to configure a successful SAML1.1 environment. Any ideas on what to check?

    ReplyDelete
  66. As an edit to my previous post, I meant to say I was getting a 401 unauthorized error, not a 404 error.

    I'm not sure why I was getting redirect loops, but I needed to use HTTPS anyway because that's my eventual goal. The problem with HTTPS was I kept getting 401 unauthorized errors, even after verifying each configuration step against the screenshots provided. After many hours of troubleshooting with this, I think I figured out how to set up SAML 2.0 using HTTPS reliably.

    I follow the tutorial settings, but I reverse the SAML 2.0 site configuration steps. When setting up the Identity Provider general services, I save instead of publishing then I fill out the identity provider specific page and save again. Once the provider is enabled, I publish the metadata file.

    For the service provider, I set up the general services and save. I then fill out the service provider page, but I leave "Only Accept Signed Assertions" set to false. I save the service provider settings and publish the metadata.

    I follow the remaining tutorial steps for configuring the identity and service provider partners. I make sure that I have appA and appB deployed and that both domains have a user account with the same username and password. I go to appA, click the link, and get a security certificate warning (which should be ignored because the certificates are self-signed). If I didn't mess up a step, I get a successful SSO login to the protected resource on appB.

    Once I have it working, I go back into the service provider configuration page and set "Only Accept Signed Assertions" to true. I save, republish the metadata, and recreate the service provider partner using the updated metadata file.

    For those that want the apps (appA/appB) I'm using, they are downloadable at the end of Oracle's SAML 1.1 white paper: http://www.oracle.com/technetwork/articles/entarch/sso-with-saml-099684.html

    Hopefully this saves someone else a day of headaches.

    ReplyDelete
    Replies
    1. Hi,

      Great, thanks for the update. So it works now for you.

      thanks

      Delete
  67. Hi,

    Please help me!

    I need only a test authentication with saml 2.0, login and logout.

    How could the easiest way?

    Thanks,

    Joao

    ReplyDelete
  68. Hi,

    I am getting the below error when I restart the server after creating a new SAML2CredentialMapper and SAML2IdentityAsserter on WebLogic 10.3.4. I have configured a custom keystore and SSL. Can you please advise what I should do to avoid this issue?

    java.lang.UnsupportedOperationException: This parser does not support specification "null" version "null"
    at javax.xml.parsers.DocumentBuilderFactory.getSchema(DocumentBuilderFactory.java:483)
    at org.opensaml.xml.parse.ParserPool$DocumentBuilderFactoryState.newState(ParserPool.java:261)
    at org.opensaml.xml.parse.ParserPool$DocumentBuilderFactoryState.enableSchemaValidation(ParserPool.java:255)
    at org.opensaml.xml.parse.ParserPool.parse(ParserPool.java:145)
    at org.opensaml.common.xml.ParserPoolManager.parse(ParserPoolManager.java:139)
    at org.opensaml.common.xml.ParserPoolManager.parse(ParserPoolManager.java:154)
    at org.opensaml.Configuration.init(Configuration.java:54)
    at org.opensaml.xml.Configuration.init(Configuration.java:237)
    at org.opensaml.xml.Configuration.init(Configuration.java:217)
    at com.bea.security.saml2.providers.SAML2SecurityHelper.initOpenSamlLib(SAML2SecurityHelper.java:139)
    at com.bea.security.saml2.providers.SAML2IdentityAsserterProviderImpl.initialize(SAML2IdentityAsserterProviderImpl.java:165)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.security.saml2.cssservice.SAML2IdentityAsserterWrapper$1.invoke(SAML2IdentityAsserterWrapper.java:37)
    at $Proxy10.initialize(Unknown Source)
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:60)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:46)
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:299)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1785)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)

    Thanks,
    Charmi

    ReplyDelete
    Replies
    1. Hi Charmi,

      Could it be an issue in the XML headers? Please review both the IdP (for the Identity Asserter) and SP (for the credential mapper) metadata.

      Hope it helps,

      Luis

      Delete
  69. Hi, Luis or others,
    The latest Apex Listener 2 allows multiple database connections.

    Has anyone tried SAML2 with this listener or an earlier listener and gotten the credential through to Apex applications as a custom login? What do you have to do to get Apex to 'find' the userid once authentication takes place?

    Pat

    ReplyDelete
    Replies
    1. Hi Pat,

      Thank you very much for the info, good to know! We will test it and let you know.

      We have tested the earlier version of the listener over WebLogic 10.3.5 working as a Service Provider. The trick is to add a listener (javax.servlet) to the APEX listener that takes the username from the principal (java.security.Principal) and "injects it" as a header. Then in the APEX application you just need to use the "HTTP Header Variable" security scheme. In this one you will look for the header that you injected before.

      In your filter just extend HttpServletRequestWrapper, implementing the getHeader methods.


      Hope it helps,

      Luis

      Delete
    2. Luis,
      Thank you very much for the quick reply. This is very helpful since we are just starting to prepare for installing the Apex listener on Weblogic. My prior experience has just been with mod pl/sql gateway.

      Appreciate your help,

      Pat
      University of Notre Dame
      Notre Dame, IN

      Delete
  70. Luis,
    Can you share more info on the javax.servlet and how you get the username and principal to 'inject it' as a header.

    Thanks,
    Pat

    ReplyDelete
    Replies
    1. Hello Pat,

      Of course,

      1. For developing the filter I followed this article: http://www.tidytutorials.com/2009/11/adding-headers-to-requests-in-filters.html

      2. Once it was working, just declare the filter in the Apex listener web.xml (apex.war/WEB-INF/web.xml)...

      <filter>
        <filter-name>SsoFilter</filter-name>
        <filter-class>your.SsoFilter</filter-class>
      </filter>

      <filter-mapping>
        <filter-name>SsoFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>

      ... and declare a security-constraint...

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>apex</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>FederatedUsers</role-name>
        </auth-constraint>
      </security-constraint>

      <security-role>
        <description>Federated Users</description>
        <role-name>FederatedUsers</role-name>
      </security-role>

      ...and finally map this role, i.e. in the weblogic.xml of the apex listener:

      <security-role-assignment>
        <role-name>FederatedUsers</role-name>
        <principal-name>users</principal-name>
      </security-role-assignment>

      3. For setting it up you can add it as a .jar in the lib folder of the Apex Listener, or declare it as an Optional Package in the apex.war/META-INF/MANIFEST.MF:
      Extension-List: ssoFilters
      ssoFilters-Extension-Name: ssoFilters

      Also, in your library/META-INF/MANIFEST.MF: Extension-Name: ssoFilters

      4. You are almost done! Just setup the HTTP-Header security schema in your APEX app using the same headers that you have "injected".

      Hope it helps,

      Luis



      Delete
    2. Hi, does anyone know of a more complete explanation of exactly how to set this up? (including a copy of the exact filter code required and how to configure this).

      I'm just learning about it now and I think I'm missing a lot of pieces.

      Thanks! Ryan.

      Delete
    3. Hello Ryan,

      As far as the SAML2 configuration for WebLogic is concerned, this post contains everything that you need for the setup.

      For the rest, mappers, filters, etc., yes, there is no specific documentation that summarizes it. I will try to write something summing this up.

      Cheers,

      Luis

      Delete
    4. Thanks Luis. I guess the contents of your Step 2 above is missing the actual XML tags, I think I can figure it out..

      Delete
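The filter Luis describes above (in his replies to Pat, and as your.SsoFilter in the web.xml of step 2), written out here as an added example rather than Luis's own code: an HttpServletRequestWrapper that overrides getHeader, getHeaders and getHeaderNames so the container-authenticated principal name shows up as a request header, and that drops any same-named header the client sent, so the APEX "HTTP Header Variable" scheme can only ever see the value WebLogic established. The package name your, the class name SsoFilter, the header name REMOTE_USER and the init-param headerName are assumptions, not values from the page or the APEX listener.

```java
package your;

import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Exposes the container-authenticated principal (set by the WebLogic SAML2
 * Service Provider once the assertion is consumed) as a request header for the
 * APEX "HTTP Header Variable" authentication scheme. The header name comes from
 * the init-param "headerName" (hypothetical name) and defaults to REMOTE_USER.
 */
public class SsoFilter implements Filter {

    private String headerName = "REMOTE_USER";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("headerName");
        if (configured != null && configured.trim().length() > 0) {
            headerName = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) request;
        Principal user = http.getUserPrincipal();
        // Only the identity established by the container is trusted; a header of the
        // same name sent by the client is always replaced (or removed when unauthenticated).
        String value = (user == null) ? null : user.getName();
        chain.doFilter(new HeaderOverridingRequest(http, headerName, value), response);
    }

    @Override
    public void destroy() { }

    /** Wrapper that makes exactly one header read as the given value (null = absent). */
    static final class HeaderOverridingRequest extends HttpServletRequestWrapper {
        private final String name;
        private final String value;

        HeaderOverridingRequest(HttpServletRequest request, String name, String value) {
            super(request);
            this.name = name;
            this.value = value;
        }

        @Override
        public String getHeader(String header) {
            return name.equalsIgnoreCase(header) ? value : super.getHeader(header);
        }

        @Override
        public Enumeration<String> getHeaders(String header) {
            if (!name.equalsIgnoreCase(header)) {
                return super.getHeaders(header);
            }
            Set<String> values = value == null
                    ? Collections.<String>emptySet() : Collections.singleton(value);
            return Collections.enumeration(values);
        }

        @Override
        public Enumeration<String> getHeaderNames() {
            // Copy the original names, dropping any client-sent copy of our header,
            // then append ours only when a principal is present.
            Set<String> names = new LinkedHashSet<String>();
            Enumeration<?> original = super.getHeaderNames();
            while (original != null && original.hasMoreElements()) {
                String n = String.valueOf(original.nextElement());
                if (!name.equalsIgnoreCase(n)) {
                    names.add(n);
                }
            }
            if (value != null) {
                names.add(name);
            }
            return Collections.enumeration(names);
        }
    }
}
```

Because the filter replaces rather than appends the header, the APEX scheme never has to choose between a forged client value and the one the SAML2 Service Provider established.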
  71. Hi,

    here is my requirement. please suggest.

    The user will log in to my web application by entering user credentials and click on a workflow link; then it should use the same credentials to log in to the SOA Suite BPM worklist and show the BPM worklist inbox directly in a separate page.

    So I do not want to log in again in the BPM worklist. How can I achieve this single sign-on?
    What options do I have? It's urgent, so please provide your inputs.

    thanks in advance,
    sri.

    ReplyDelete
  72. I have set up WLS as IdP as in the post and Salesforce as SP. But I am still not clear how these communicate. What is the URL I need to put in my WLS app and what is the URL a Salesforce user can use?

    ReplyDelete
    Replies
    1. Hi,

      Are you redirected from Salesforce to WebLogic for a login?
      maybe this blog can help
      https://blogs.oracle.com/rangal/entry/saml2_salesforce_com

      thanks

      Delete
  73. Thanks Edwin for providing this wonderful article, which helped us to set up an IdP and SP. The SP and IdP are set up and assertions are passed through... We have a requirement to get the POST data from the SP and make some decisions, and we need to pass some custom data to the SP along with the SAML response.

    I would like to get some advice on
    1) How do we get custom POST parameters coming in from the SP to our IdP in our login application?
    2) How do we add custom POST data to our IdP's POST to the SP?

    Thanks in advance...

    ReplyDelete
  74. Following the same post for the custom POST parameters, it would be helpful to know if WebLogic would only generate it if a person is authorized( )

    The reason I ask is because the login-return servlet failed to generate a SAMLResponse if the user is not authenticated, and we have a requirement to return an error code if the user failed to authenticate, like the following.




    Any guidance on how to set the statusCode would be great...

    Thanks guys...

    ReplyDelete
    Replies
    1. Hi,

      Don't know if this is possible; I think you need to make your own authenticator that does this.

      Thanks

      Delete
  75. Adding custom parameters on the POST back to the SP was easy. We posted that data in the POST and it was accessible in the custom JSP configured. But we are still struggling to get the SAML request data in the custom login application, and also whether WebLogic would be able to generate an auth-failed response.

    Can someone help?

    ReplyDelete
    Replies
    1. Hi,

      Can you make a custom SAML authenticator and pass on all the data in the SAML token, and on the other side retrieve the subject and all its principals like in the JAX-WS service http://biemond.blogspot.nl/2011/08/do-saml-with-owsm.html ?

      Thanks

      Delete
  76. Hi,
    One of the contributors to this Blog, Luis, has helped us get CAS authentication almost working perfectly with Apex listener 2.0 in Weblogic--using the SAML2 approach. We have Apex 4.2 running and in Weblogic we have been able to 'inject' the userid into the header variable and get it into an Apex application. However, we are getting 'stuck' at the point where CAS returns the user to Apex. We are getting to the URL with 'my-apex-server/apex/apex_authentication.callback' and are stuck there with error message saying insufficient parameters. We do not know how to configure so that CAS sends the user back to the calling application URI.

    We know that CAS is working because when we manually put in the correct application ID in the URI, (after the CAS login) we are able to get to the application and the correct userid is showing. But it is a bit frustrating to be so close and not quite there yet.

    Any help will be very much appreciated!

    Pat

    ReplyDelete
  77. Hello Pat,

    Thank you very much for the mention, it is really good to know that our solution is being useful for somebody else!

    Ok, so you are at the point where:

    1. CAS has sent the SAMLResponse

    2. This SAMLResponse has been "consumed" by Weblogic (saml2 module)

    3. Your filter (defined in the APEX listener) has got the userId and "injected" it in the HTTP-Response

    4. APEX listener 2.0 has redirected you to your apex app (/f?p=apexApplicationId:1....)

    Have you defined the "HTTP Header Variable" authentication scheme for your apex application (Application Builder > Your Application > Shared Components > Authentication Schemes)? Here you should specify the name of the userId header.


    I would suggest that, as a preliminary test, you check that your apex application is receiving the right headers. For this, specify the "NoAuthentication" scheme and set up a simple page that prints all the headers, i.e. using owa_util.print_cgi_env;

    Once you are sure that you are receiving the right headers, set up the "HTTP Header Variable" authentication scheme.

    Hope it helps,

    Luis

    ReplyDelete
  78. Hello everybody,

    Our SSO solution is starting to be used for our users (APEX & Java developers), so good news!

    But, there is always a but..., we have a couple of issues. One of them is that one of our applications needs to use two authentication providers, SAML2 and LDAP. That is, by default it should use SAML2 and for certain resources use LDAP.

    Any ideas?

    More details here https://forums.oracle.com/forums/thread.jspa?messageID=10906312&#10906312

    Thanks in advance,

    Luis

    ReplyDelete
    Replies
    1. Hi,

      One of our applications requires both SSO and basic authentications. We would like that the whole application would be protected by the SSO except certain resources, i.e /api

      So / is protected except /api. With Java you can define /api and /else in the web.xml and assign roles or not. Maybe do a redirect from / to /else,
      and in ADF maybe do the same and then use ADF security on pages and task flows.

      Don't know about apex.

      thanks

      Delete
  79. Hi Edwin,

    Thanks very much for your quick answer!

    We have tried something like this:

    / with FederatedUsers role

    /api with no roles

    With this recipe the BASIC authentication is not triggered when you ask for a /api resource...

    Regarding the Oracle docs (http://docs.oracle.com/cd/E24329_01/web.1211/e24422/atn.htm#i1204568), and taking in account the order of my authentication providers (LDAP, SAML2, default), my understanding was that the BASIC authentication against the LDAP should be triggered first... Maybe I am missing something...

    Thanks again!

    Cheers,

    Luis

    ReplyDelete
    Replies
    1. Hi,

      Indeed strange, the control flags have SUFFICIENT as value.
      Can you temporarily remove SAML2 and see if that works?

      thanks

      Delete
  80. Hello Edwin,

    Removing SAML2 makes it work. The applications try to authenticate against the LDAPAuthenticator first.

    Finally we have found a recipe that seems to work:

    In the web.xml:

    /basic/* url-pattern with roles. These roles are mapped to principals (users/groups) obtained from the LDAPAuthenticator

    /secure/* url-pattern mapped to the principal "users"

    In the Redirects URIs field: /mycontext/secure/*

    The only "con" is that now we have to remember to register all the new contexts in the above field.

    Thanks and best regards,

    Luis

    ReplyDelete
  81. Hi,
    We are a University and among higher ed institutions CAS and Shibboleth are the preferred methods for authentication. We have gotten CAS working with Weblogic by passing the authenticated 'remote_user' to the 'HTTP Header' authentication scheme for a new Apex environment being set up here.

    However, now we are trying to figure out how to further limit access to applications to specific AD or LDAP groups. Is there a way at the Web Logic level to further filter for the users of specific groups? I know this can be done with DBMS_ldap query within Apex but would prefer if there is a way to do this at Web Logic layer.

    The other option might be to use Shibboleth since it is supposed to be SAML2 compatible. We will be trying to find schools that have successfully implemented Shibboleth/SAML 2. I understand that Shibb will support group attributes, but then we will have to figure out how to get those attributes as 'filters' in Weblogic before sending 'remote_user' to Apex. Or maybe there is a way to get the group attribute to Apex?

    ReplyDelete
    Replies
    1. Hello Pat,

      I assume that you remain in the configuration explained in the above comments: SAML2 protocol, CAS as IdP and WebLogic as SP. Also I am assuming that the CAS SAMLResponse includes a "Groups" attribute.

      I have a similar setup (SAML2, ADFS2, Weblogic, APEX), so I think that you could apply the same recipe:

      1. Implement a "Name Mapper Class" (Home >Summary of Security Realms >myrealm >Credential Mappings >Providers >yourIdentityAsserter>Configuration>Provider Specific). In this class you will gather all of the user info from the CAS response and transform it into java.security.Principals

      2. Make your custom implementation of weblogic.security.spi.WLSUser and weblogic.security.spi.WLSGroup.

      3. In the mapper instantiate one custom.WLSGroup per group element in the SAMLResponse

      Now you can apply security constraints (web.xml) in your web applications (deployed in your WLS SP) mapping your groups via security-role-assignments (weblogic.xml)

      Hope it helps,

      Luis

      Delete
    2. Hi, Luis,
      Sorry for this very late follow-up, but we just went to production with our Apex 4.2.2 environment using CAS authentication. We also implemented Listener 2.0.2 and RESTful web services for a pilot project which has gone very well. We used basic auth for the web services but would like to use the OAuth2 capability in future. Thank you so much for the help with CAS.

      Now our architecture group wants us to pursue Shibboleth integration for authorization groups. So we will be in touch!!! Thanks for your feedback above which we will use in trying to implement Shib.

      Delete
    3. Hi Pat,

      Great, these are really good news, congratulations!!! I am very happy to know that my little collaboration helped you in your project.

      All the best,

      Luis

      Delete
    4. Hi, Luis,
      I am 'resurrecting' this thread. Hope you are still watching it! Since we are also asked to use Shibboleth groups attribute, is the complete filtering for groups done in Weblogic and so only the appropriately filtered users come through to Apex from the web.xml? Apex just accepts the user through the http_header_variable correct? If Apex needs to 'know' about groups, not sure how that would be passed to the app. Ideal would be that Weblogic 'filters' the users so only the appropriate group get to the application.

      Is there a chance you can provide an example of web.xml that would include how group attributes or assertions are mapped in Weblogic?

      Thanks,
      Pat

      Delete
    5. Hello Pat,

      Ok, I see your point: you want to perform the authorization on the WebLogic side. So for this, in the web.xml of your APEX Java listener...

      1. Declare a security constraint:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>secure</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>ApexUsers</role-name>
        </auth-constraint>
      </security-constraint>

      ... and in the weblogic.xml map this role against principals (your groups)

      <security-role-assignment>
        <role-name>ApexUsers</role-name>
        <principal-name>group1</principal-name>
        <principal-name>group2</principal-name>
      </security-role-assignment>

      In this way you do not need to pass any other header to the APEX application.

      On the other hand, if you want to perform the authentication in the APEX application:

      In the filter you just need to get the user's groups and return them to the application in the same way as the userName one (I guess that you are overriding the public String getHeader(String name) and public Enumeration getHeaders(String name) methods in a class that extends HttpServletRequestWrapper).

      APEX will accept any header that you add in your filter. You can get it in your application like any other header.

      Hope it helps,

      Luis


      Delete
  82. I have a configuration of a WebLogic domain with Admin Server and two managed servers. Is it possible to use the Admin Server as the Identity Provider and the managed servers as the Service Providers? Thanks,

    Edy

    ReplyDelete
    Replies
    1. Hi,

      I think so, because most of the configuration is done at the managed server level. For SSO between applications you can also use the same user; only both applications need to be careful with the same session beans, and both apps need to have the same cookie path.


      Thanks

      Delete
  83. Hello Edwin and others,

    Do you have two or more applications (deployed in WebLogic Service Providers, of course) behind the same domain? That is, something like this:

    - your.domain.com/app1
    - your.domain.com/app2

    As your managed servers are configured as Service Providers, the cookie-path of the session descriptor (JSESSIONID) for both will be "/". See http://docs.oracle.com/cd/E23943_01/web.1111/e13707/saml.htm#autoId25

    The question is how will the client distinguish between those two different sessions?

    Thanks in advance,

    Luis

  84. Hello again,

    I have opened a thread in the OTN community: https://forums.oracle.com/thread/2558911

    Hope it helps,

    Luis

  85. Hi Luis,
    It would be great if you could verify something with regard to your post regarding the following statement

    "Go back to the SAML2 authentication provider where we will import the identity provider metadata xml."

    Are you referring to the Identity Provider server or the Service Provider server when you state "SAML2 authentication provider"?
    I note that the screenshot states saml2CPM?

    A few steps later you have the instruction " Now we do the same for metadata xml of the service provider, We need to import this in the Credential Mapper provider of the Identity Provider"

    I would really appreciate it if you could clarify this.
    Many Thanks

    Ann McDonald

  86. Hello Ann,

    Well, actually this post belongs to Edwin, I just add comments from time to time. By the way, thanks Edwin!

    Ok, it depends on what you want to do. In my case I am configuring WebLogic as a Service Provider, so I need to create an "Authentication Provider" and populate it with the Identity Provider metadata (importing it).

    So for configuring a Service Provider you have to follow the next three steps:

    Configure Authentication Provider
    Configure Identity Asserter
    Configure Service Provider

    Hope it helps,

    Luis

    ps: is this what you are trying to accomplish?





    Replies
    1. Hi Luis, thanks for the clarification.
      I am trying to use an external identity provider (wso2 identity services) and expose that to accomplish SSO in weblogic server.
      As I understood it I would have to
      Configure authentication provider to use wso2 url, alias, password etc

      Configure Service provider to utilize this.
      Is that correct?

      Ann

    2. Hello Ann,

      Ok, now it is much clearer! So you will use wso2 as IdP and WebLogic as Service Provider. Then the steps that you have to follow are the following:

      - Create a SAML Authentication Provider: Home >Summary of Security Realms >myrealm >Providers, click new and in the form just select SAML Authenticator. Here you just need to adjust the JAAS control flag. For our domains we set it to "SUFFICIENT"

      - Create and configure a SAML2 Identity Provider: Home >Summary of Security Realms >myrealm >Providers, click new and create a SAML2IdentityAsserter. Under the management tab, you will create a Single Sign-On Identity Provider Partner. Here it is where you need to provide the IdP (wso) metadata

      - Configure your federation services: Environment > Servers > ServerName > Configuration > Federation Services > SAML 2.0 General. Once you have configured them you need to publish the metadata (xml file) and register it in your IdP.

      Of course, if you prefer, you can script (WLST) all of this.

      Hope it helps,

      Luis

    3. Hi Luis,

      Thanks for the above information.
      I am currently looking into how I can generate the wso2 idp metadata file.

      There doesn't seem to be a way to register an SP in wso2 via an SP metadata file. It's purely by entering the relevant config data. Getting the IdP file for wso2 is my first task.

      Many Thanks

      Ann

    4. Hello Ann,

      You are welcome!

      I have to confess that I have never configured the wso2 IdP. But I have played a bit with OpenAM (http://forgerock.com/what-we-offer/open-identity-stack/openam/). If I remember well it was quite straightforward. If wso2 is not a system requirement maybe you can give it a try...

      Cheers,

      Luis

  87. Hi Luis
    I have the following setup
    Weblogic server acting as an SP
    Identity Asserter setup with an IDP partner
    Role information is being returned in the Identity Assertion and the user authenticates successfully on the IDP
    I want to extract roles from the Identity Asserter. And have implemented custom Attribute & Name Mapper Classes.
    I can set them correctly on the Partner and the asserter, i.e. they are in the classpath. However they are never called.
    On wso2 you have a consumer Assertion URL that the assertion is returned to. Its a mandatory value.
    The assertion is not being returned to WLS and thus I cannot pull the roles from the assertion and populate the principal
    Is there a default URL that I can use to send the response to the SP directly? or some configuration setting that ensures that all assertion responses are sent back to the Identity Asserter?
    I have checked Enable Virtual User and Process Attributes also by the way

    Any ideas would be greatly appreciated.
    Ann

    I have setup wso2 as an IDP Itsand

    Replies
    1. Hello Ann,

      In your identity asserter (Home >Summary of Security Realms >myrealm >Providers >yourIdentityAsserter) you need to declare your mapper filling the Name Mapper Class Name field of the Configuration > Provider Specific tab. If not it will never be invoked.

      Yes, there is a URL that you can invoke; it is the one that you declare in the Published Site URL field of your SAML 2.0 General tab in the Federation Services section of your managed servers. The endpoint would be something like this:

      https://your.domain/saml2/sp/acs/post

      Hope it helps,

      Luis

    2. Hello Luis!

      Is it possible to use this same approach of SSO with two apps deployed in the same Weblogic domain? But different managed servers?

      Thanks in advance.

    3. Hi Luis, I'm still unable to get the roles from the saml assertion on WLS using an external idp
      The issue I am having is that wso2 returns a response; that's fine, I can decode the response in the URL and pull out the groups from it.
      The subject needs to be added as a principal in WLS so that my application can pick up the login permissions and roles of the user. In the logs I am not seeing any evidence that the assertion is returning to WebLogic as the mapper class never kicks in.

      An Ideas?

      Ann

    4. Hello Ann,

      mmm, let me think:

      Have you registered your mapper class in "Home >Summary of Security Realms >myrealm >Providers >yourIdentityAsserter" "Name Mapper Class Name" field?

      Is your mapper in the Weblogic system classpath? A good place can be either the $EXT_PRE_CLASSPATH or the $EXT_POST_CLASSPATH (setDomainEnv.sh)

      You can take a look at http://docs.oracle.com/middleware/1212/wls/SCPRG/saml.htm

      Hope it helps,

      Luis

  88. Hello guys!

    Is it possible to use this same approach of SSO with two apps deployed in the same Weblogic domain? But different managed servers?

    Thanks in advance.

  89. Hello José,

    Sure it is! You just need to be careful with the cookie-path of your session cookie (JSESSIONID). You must keep the "/" for both. For avoiding mixing the two sessions you could think of putting each application in a different virtual host:

    your.app1/app1

    your.app2/app2

    Keep in mind that the configuration (Federation Services) of each of the managed servers will be different.

    Hope it helps,

    Luis

    Replies
    1. Hello Luis!

      Indeed it works between Weblogic managed server - same domain. Now I'm facing a new issue, maybe related to what you've said: mixed sessions.

      Here my scenario:
      When I log in appA and then access appB the SSO works fine. But if I try to access appA after it, the login screen shows up. I inspected the JSESSIONID cookie and it is being overwritten.

      I've tried to create a virtual host to each application but then the SSO doesn't work.
      What do you think could be wrong?

      Thanks a lot.
      José Augusto

    2. Hello Jose,

      Ok, I forgot: if you have your.app1/app1 and your.app2/app2 you need to register both on the IdP side:

      <EntityDescriptor entityID="https://your.app1/">

      <EntityDescriptor entityID="https://your.app2/">

      Side effect: either you deploy the applications in different managed servers (you will need different saml2 endpoints for each) or put in place several RequestHeader in order to modify the JSESSIONID path and domain.

      Hope it helps,

      Luis

    3. Luis, THANKS A LOT!!!!!!!! You are the man!!
      I would never figure out that.. =]

      It really works.. amazing!!!

      José

    4. You are welcome! Thanks to you for bringing up this issue. It reminds me that I have to gather all the different scenarios that we are facing.

      Cheers,

      Luis

    5. Hi Luis,
      I believe the reason why the attribute mapper is not firing is because the assertion is not hitting weblogic server
      My SP Published url is now https://localhost:7004/saml2
      My assertion consumer url is now //localhost:7004/saml2/sp/acs/post

      However I get a 404 error when calling this URL.
      Any ideas as to why its not available?

      Rgds,

      Ann McDonald

    6. Hello Ann,

      mmm, have you enabled the SAML 2.0 Service Provider in your managed server? Home >Summary of Servers > yourServer >Configuration > Federation Services > SAML 2.0 Service Provider > Enabled check field

      Hope it helps,

      Luis

      ps: the response to that request should be a 400 Error "Bad Request"

    7. Hi Luis, it's me again. In the previous scenario that I've described: SSO between managed servers (and same weblogic domain).

      How did you solve the issue of mixing sessions (JSESSIONID overwritten) with 2 apps in the same domain? Like:

      my.domain.com/app1
      my.domain.com/app2

      I saw an old thread of yours: https://forums.oracle.com/thread/2558911
      And I'm facing the same problem.

      Thanks!

    8. Hello Jose,

      At the end we apply this solution: http://dino.ciuffetti.info/2011/03/jsessionid-cookie-path-mod_headers/

      So in our apaches we have something like this:

      <VirtualHost your.virtual.host:443>

        <Location ~ "^/your_wls_Cluster">

          # mod_wl proxy settings (SetHandler weblogic-handler, WebLogicCluster ...) go here
          PathTrim /your_wls_Cluster

          # Rename new cookies (JSESSIONID, _WL_AUTHCOOKIE_JSESSIONID) created by weblogic:
          # prepend the cookie name with your cluster name. The resulting names must be
          # exactly the ones the RequestHeader rules below look for
          # (your_wls_Cluster_JSESSIONID and your_wls_Cluster_WL_AUTHCOOKIE_JSESSIONID)
          Header edit Set-Cookie "^(_WL_AUTHCOOKIE_JSESSIONID=.*; [Pp]ath=)/(.*)$" "your_wls_Cluster$1/$2"
          Header edit Set-Cookie "^(JSESSIONID=.*; [Pp]ath=)/(.*)$" "your_wls_Cluster_$1/$2"

          # Rename cookies received from the browser before handing over to WLS:
          # first park any plain JSESSIONID / _WL_AUTHCOOKIE_JSESSIONID (they belong to
          # another application), then remove the cluster name from this cluster's cookies
          RequestHeader edit Cookie "^([ ]*|.*;[ ]*)JSESSIONID=(.*)([;]?[ ]*|;.*)$" "$1legacyJSESSIONID=$2$3"
          RequestHeader edit Cookie "^([ ]*|.*;[ ]*)_WL_AUTHCOOKIE_JSESSIONID=(.*)([;]?[ ]*|;.*)$" "$1legacy_WL_AUTHCOOKIE_JSESSIONID=$2$3"
          RequestHeader edit Cookie "^([ ]*|.*;[ ]*)your_wls_Cluster_JSESSIONID=(.*)([;]?[ ]*|;.*)$" "$1JSESSIONID=$2$3"
          RequestHeader edit Cookie "^([ ]*|.*;[ ]*)your_wls_Cluster_WL_AUTHCOOKIE_JSESSIONID=(.*)([;]?[ ]*|;.*)$" "$1_WL_AUTHCOOKIE_JSESSIONID=$2$3"

        </Location>

      </VirtualHost>

      In your IdP you need to register the WebLogic SAML2 endpoints for that "your_wls_Cluster" context. Something like this:

      https://your.weblogic.domain/your_wls_Cluster/saml2/sp/acs/post

      The PathTrim is because you need to declare /saml2 as the published site URL in WebLogic (look in the comments above).

      Hope it helps,

      Luis

    9. Hi Luis!

      Another question: is there also a Single Log Out feature for SAML2?

      Thanks a lot.
      José

    10. Hello Jose,

      Not for WebLogic. I have implemented a module by myself for our infrastructure. I am waiting for the "green light" for putting it under a GPL license...

      In the meantime you can take a look at the "recipe": http://stackoverflow.com/questions/8150096/construct-a-signed-saml2-logout-request

      Hope it helps,

      Luis





    11. Hello Luis,
      I'm trying to implement a simple Servlet to provide SLO capabilities on Weblogic.
      Can you explain how to get the SAMLRequest and SAMLResponse attributes? I've tried using request.getParameter("SAMLResponse") but it didn't work. My domain has Artifact binding and I also tested with HTTP POST.
      I already saw you post on stackoverflow but it's not clear for me yet.
      Can you clarify this simple point ?

    12. Hello Helder,

      In our case we "inform" the IdP (ADFS2) that our preferred binding for logout is HTTP-Redirect. So in the SP (WebLogic) metadata we include something like this:

      .../...
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your.weblogic.domain/your/saml2/slo/endpoint"/>
      .../...

      With this binding you expect to receive three URL query parameters from the IdP for a SLO request:

      - SAMLRequest
      - SigAlg
      - Signature

      My servlet just picks the above three values, verifies them, performs the SP logout and constructs the response to the IdP:

      /*
       * Check the request parameters. We need three: SAMLRequest, SigAlg and
       * Signature. (Constants, UrlUtils, LogoutUtils and the nc logger are
       * helper classes from the commenter's own module, not WebLogic APIs.)
       */
      List<String> parameterNames = Collections.list(request.getParameterNames());
      String redirectUrl = null;

      // Check if we are managing a SAMLRequest or a SAMLResponse
      if (parameterNames.contains(Constants.SAML_REQUEST)) {

          if (this.isDebugEnabled)
              nc.notice(Constants.SAML_REQUEST + " is in the URL parameters");

          // Verify the signature before acting on anything in the request
          if (!UrlUtils.verify(request, isDebugEnabled)) {
              nc.error(Constants.SIGNATURE_NO_VERIFY_EXCEPTION);
              throw new Exception(Constants.SIGNATURE_NO_VERIFY_EXCEPTION);
          } else if (this.isDebugEnabled) {
              nc.notice(Constants.SAML_REQUEST + " signature verified!!!");
          }

          // Generate the redirectUrl with the SAMLResponse
          redirectUrl = UrlUtils.generateSamlResponse(request, this.isDebugEnabled);

          // Local logout
          LogoutUtils.weblogicLogout(request, this.isDebugEnabled);
      }

      The response to the IdP looks like this:

      GET https://your.idp.domain/your/slo/endpoint?SAMLResponse=...&Signature=...&SigAlg=...


      Hope it helps,

      Luis






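The HTTP-Redirect SLO exchange Luis describes above, as an added example (not code from the post, from Luis's module or from WebLogic). It builds the signed redirect URL on one side and, on the other, checks SigAlg against an allow-list, verifies the signature over the raw query before touching the XML, then checks Issuer, Destination and expiry, and answers with a LogoutResponse tied to the request ID. It is stdlib-only Python, so the RSA-SHA256 signature is replaced by injected sign/verify callables backed by HMAC as a stand-in; the IdP/SP URLs, entity IDs, demo keys and the NameID are assumptions.

```python
import base64
import hashlib
import hmac
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote, unquote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ALLOWED_SIGALGS = {RSA_SHA256}  # only what the metadata agreed on; never accept SHA-1
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed deployment values (placeholders, not taken from the post)
IDP_ENTITY_ID = "https://your.idp.domain/"
IDP_SLO_URL = "https://your.idp.domain/your/slo/endpoint"
SP_ENTITY_ID = "https://your.weblogic.domain/"
SP_SLO_URL = "https://your.weblogic.domain/your/saml2/slo/endpoint"


def deflate_b64(xml_text):
    """Raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding requires."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def logout_request_xml(name_id, session_index="_s1"):
    """What the IdP sends (built here so the example runs without an IdP)."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_now(), Destination=SP_SLO_URL)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def logout_response_xml(in_response_to):
    """The SP's answer: Success, tied to the request ID."""
    root = ET.Element(f"{{{SAMLP}}}LogoutResponse", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_now(), Destination=IDP_SLO_URL, InResponseTo=in_response_to)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    return ET.tostring(root, encoding="unicode")


def signed_redirect_url(endpoint, param, xml_text, sign, relay_state=None):
    """Sign the URL-encoded query in the fixed order <param>, RelayState, SigAlg;
    the Signature parameter is appended afterwards and is not part of the signed data."""
    parts = [f"{param}={quote(deflate_b64(xml_text), safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(RSA_SHA256, safe='')}")
    query = "&".join(parts)
    signature = base64.b64encode(sign(query.encode())).decode()
    return f"{endpoint}?{query}&Signature={quote(signature, safe='')}"


def verify_redirect(url, param, verify, expected_issuer, expected_destination):
    """Check SigAlg and the signature over the raw, still-encoded query first; only then
    inflate and parse the XML and check Issuer, Destination and NotOnOrAfter."""
    raw = dict(p.partition("=")[::2] for p in urlsplit(url).query.split("&") if p)
    for key in (param, "SigAlg", "Signature"):
        if key not in raw:
            raise ValueError(f"missing query parameter {key}")
    if unquote(raw["SigAlg"]) not in ALLOWED_SIGALGS:
        raise ValueError("unexpected SigAlg " + unquote(raw["SigAlg"]))
    signed = "&".join(f"{k}={raw[k]}" for k in (param, "RelayState", "SigAlg") if k in raw)
    if not verify(signed.encode(), base64.b64decode(unquote(raw["Signature"]))):
        raise ValueError("signature does not verify")
    root = ET.fromstring(inflate_b64(unquote(raw[param])))
    if root.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        raise ValueError("unexpected Issuer")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination is not this endpoint")
    expiry = root.get("NotOnOrAfter")
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= datetime.now(timezone.utc):
        raise ValueError("message expired")
    return root, (unquote(raw["RelayState"]) if "RelayState" in raw else None)


def hmac_keys(secret):
    """Demo stand-in for RSA-SHA256. In production: verify with the IdP's metadata
    certificate and sign with the SP's key; the signed bytes are laid out the same way."""
    def sign(data):
        return hmac.new(secret, data, hashlib.sha256).digest()

    def verify(data, signature):
        return hmac.compare_digest(sign(data), signature)
    return sign, verify


def slo_roundtrip(name_id="alice@example.org", relay_state="/app1/"):
    """IdP -> SP LogoutRequest; the SP verifies it and answers with a LogoutResponse the IdP verifies."""
    idp_sign, idp_verify = hmac_keys(b"idp-demo-key")
    sp_sign, sp_verify = hmac_keys(b"sp-demo-key")
    request_url = signed_redirect_url(SP_SLO_URL, "SAMLRequest", logout_request_xml(name_id),
                                      idp_sign, relay_state)
    req, rs = verify_redirect(request_url, "SAMLRequest", idp_verify, IDP_ENTITY_ID, SP_SLO_URL)
    # ... here the SP invalidates the WebLogic session for this NameID / SessionIndex ...
    response_url = signed_redirect_url(IDP_SLO_URL, "SAMLResponse",
                                       logout_response_xml(req.get("ID")), sp_sign, rs)
    resp, _ = verify_redirect(response_url, "SAMLResponse", sp_verify, SP_ENTITY_ID, IDP_SLO_URL)
    return req.findtext(f"{{{SAML}}}NameID"), resp.get("InResponseTo") == req.get("ID"), response_url


if __name__ == "__main__":
    print(slo_roundtrip())
```

The order of checks is the point: the signature is computed over the percent-encoded bytes exactly as received (re-encoding them yourself can change the bytes and break verification), SigAlg is pinned before the signature is trusted so a downgraded algorithm cannot be substituted, and the deflated XML is only inflated and parsed once the signature holds.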
    13. Hello Luis, thank you for your reply, it's help me a lot :)
      One more question, in my scenario I have IdP and Sp on Weblogic, do you know if it's possible to execute the SLO ? In your example you use ADFS2 as IdP correct ?
      If it's not possible probably I should implement a external IdP ( ex :Shibboleth )

    14. Hello Helder,

      You are welcome! Very glad to know that it helped you, great!

      Sure, it should not be a problem.

      Yes, Shibboleth is a good choice. Me, for my tests, I have setup OpenAM as IdP. It is very simple.

      Hope it helps,

      Luis

  90. Hi Luis, thanks for all your help MyAttributeMapper class is kicking in. I have seen all sorts of examples of creating custom principals. I just need to authorize the user based on role details in the SAML assertion for now. Could you point me to some working code for this please, I've tried a few examples and different means of doing so but none work.
    Thanks
    Ann

  91. Hello Ann,

    My implementation looks like the following:

    package your.custom.principals;

    import weblogic.security.principal.WLSAbstractPrincipal;

    public class YourCustomWlsPrincipal extends WLSAbstractPrincipal {

        private static final long serialVersionUID = 5500495491990106055L;

        private String commonName;

        public YourCustomWlsPrincipal(String name) {
            super();
            // Feed the WLSAbstractPrincipal.name. Mandatory
            this.setName(name);
            this.setCommonName(name);
        }

        public YourCustomWlsPrincipal() {
            super();
        }

        public String getCommonName() {
            return commonName;
        }

        public void setCommonName(String commonName) {
            // Feed the WLSAbstractPrincipal.name. Mandatory
            super.setName(commonName);
            this.commonName = commonName;
        }

        // equals/hashCode must stay consistent with each other and with the parent:
        // the principals of a Subject live in a Set keyed on them
        @Override
        public int hashCode() {
            final int prime = 31;
            int result = super.hashCode();
            result = prime * result + ((commonName == null) ? 0 : commonName.hashCode());
            return result;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj)
                return true;
            if (!super.equals(obj))
                return false;
            if (getClass() != obj.getClass())
                return false;
            YourCustomWlsPrincipal other = (YourCustomWlsPrincipal) obj;
            if (commonName == null) {
                if (other.commonName != null)
                    return false;
            } else if (!commonName.equals(other.commonName))
                return false;
            return true;
        }

    }


    package your.custom.principals;

    import weblogic.security.spi.WLSGroup;

    // Marked as WLSGroup so WebLogic treats it as a group when evaluating roles
    public class YourCustomWlsGroupPrincipal extends YourCustomWlsPrincipal implements WLSGroup {

        private static final long serialVersionUID = 5685387360713237532L;

        public YourCustomWlsGroupPrincipal() {
            super();
        }

        public YourCustomWlsGroupPrincipal(String name) {
            super(name);
        }

    }


    package your.custom.principals;

    import java.util.ArrayList;
    import java.util.List;

    import weblogic.security.spi.WLSUser;

    // Marked as WLSUser so WebLogic treats it as the authenticated user
    public class YourCustomWlsUserPrincipal extends YourCustomWlsPrincipal implements WLSUser {

        private static final long serialVersionUID = -7991961538805280317L;

        private String upn;
        private String emailAddress;
        private String role;
        private String displayName;
        private String identityClass;
        private String phoneNumber;
        private String building;
        private String firstName;
        private String lastName;
        private String department;
        private String homeInstitute;
        private String personID;
        private String uidNumber;
        private String gidNumber;
        private String preferredLanguage;
        private List<String> groups;

        public YourCustomWlsUserPrincipal() {
            super();
            groups = new ArrayList<String>();
        }

        public YourCustomWlsUserPrincipal(String name) {
            super(name);
            groups = new ArrayList<String>();
        }

        // setters, getters, equals, hashcode...
    }


    For the mapper I have two implementations, one that creates an instance of YourCustomWlsUserPrincipal, filling the ArrayList of groups, and a second one that creates one instance of YourCustomWlsUserPrincipal and one instance of YourCustomWlsGroupPrincipal per group taken from the SAMLResponse.

    Hope it helps,

    Luis

  92. Thanks ever so much Luis that worked a treat.

  93. Hi Luis,

    I have configured my Jdev Integrated WLS as SP and deployed a security enabled ADF application. The IdP is the Ping Federate server maintained by my client.
    The setup is all completed by exchanging the metadata files and making all the necessary configurations in the Federation Services -> SAML 2 Service Provider end.

    Now, when I try to access my application, I see that the request is redirected to IdP and even the IdP is responding back with saml response posting it to ../saml2/sp/acs/post.

    The URL looks fine. but the browser is showing 404.

    Any ideas on what must have gone wrong.

    Btw, I have enabled Virtual User on the SP and hence configured SAMLAuthenticator as suggested by Edwin in http://biemond.blogspot.se/2011/09/virtual-users-with-saml-in-weblogic.html

    Thanks,
    Sri.

  94. Hello Sri,

    I can think of a few causes:

    1. The "Published Site URL" in your WLS "Federation Services" is not correctly mapped. It must refer to the /saml2 context

    2. You have not enabled the "POST Binding Enabled" of your "SAML 2.0 Service Provider"

    3. If you have a proxy in front, check that the redirections are well configured

    I am assuming that you want to use the POST binding. Try to access the other endpoint (artifact binding) /saml2/sp/ars/soap... you should get a 500 error. This means that at least your saml2 module is running.

    Finally I would recommend you to enable the SAML2 debug traces (see Edwin's comments above), they are really useful!

    Hope it helps,

    Luis

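The endpoint rules scattered through the comments above (the Published Site URL ends in /saml2, the POST ACS is served at <Published Site URL>/sp/acs/post, the artifact resolution service at /sp/ars/soap, and a proxy prefix that PathTrim strips before the request reaches WebLogic), collected into an added offline check. This is not code from the post or from WebLogic; the SP metadata sample, hostnames, the artifact ACS location and the cluster prefix are constructed assumptions. It does not probe a live server: Luis's status-code test (400 from /saml2/sp/acs/post, 500 from /saml2/sp/ars/soap) still has to be run against the managed server itself.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the metadata WebLogic publishes for an SP (hostname assumed)
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://your.weblogic.domain/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your.weblogic.domain/saml2/sp/acs/post" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://your.weblogic.domain/saml2/sp/acs/artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def expected_sp_endpoints(published_site_url):
    """The two SP endpoints named in the comments, relative to the Published Site URL."""
    base = published_site_url.rstrip("/")
    return {"acs_post": base + "/sp/acs/post", "ars_soap": base + "/sp/ars/soap"}


def check_published_site_url(url, listen_url=None):
    """Published Site URL rules: http(s), path ends in /saml2, and it matches the server's
    own scheme/host/port unless a proxy in front is known to forward it."""
    issues = []
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        issues.append("scheme must be http or https")
    if p.path.rstrip("/").split("/")[-1] != "saml2":
        issues.append("path must end with /saml2")
    if listen_url and urlsplit(listen_url)[:2] != p[:2]:
        issues.append(f"{p.scheme}://{p.netloc} differs from the listen address {listen_url}: "
                      "either a proxy forwards it or the URL is wrong")
    return issues


def check_sp_metadata(metadata_xml, published_site_url, want_post=True):
    """Cross-check the metadata WebLogic published against the Published Site URL."""
    issues = check_published_site_url(published_site_url)
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        issues.append("root must be md:EntityDescriptor with an entityID")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        issues.append("no SPSSODescriptor: the SAML 2.0 Service Provider is not enabled")
        return issues
    if sp.get("WantAssertionsSigned") != "true":
        issues.append("WantAssertionsSigned is not true: unsigned assertions would be accepted")
    acs = {e.get("Binding"): e.get("Location") for e in sp.findall(f"{{{MD}}}AssertionConsumerService")}
    expected = expected_sp_endpoints(published_site_url)
    if want_post and POST not in acs:
        issues.append("no HTTP-POST AssertionConsumerService: 'POST Binding Enabled' is off")
    elif want_post and acs[POST] != expected["acs_post"]:
        issues.append(f"POST ACS is {acs[POST]}, expected {expected['acs_post']}")
    for binding, location in acs.items():
        if not location.startswith(published_site_url.rstrip("/") + "/"):
            issues.append(f"{binding.rsplit(':', 1)[-1]} ACS {location} is outside the Published Site URL")
    return issues


def idp_registration_urls(external_base, cluster_prefix, published_site_url):
    """With Apache stripping cluster_prefix (PathTrim) before WebLogic, the IdP must be given
    the external URL; returns {name: (external URL to register, internal URL WebLogic serves)}."""
    return {name: (external_base.rstrip("/") + cluster_prefix + urlsplit(url).path, url)
            for name, url in expected_sp_endpoints(published_site_url).items()}


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_SP_METADATA, "https://your.weblogic.domain/saml2"))
    print(check_sp_metadata(SAMPLE_SP_METADATA, "https://localhost:7004"))
    print(idp_registration_urls("https://your.weblogic.domain", "/your_wls_Cluster",
                                "https://your.weblogic.domain/saml2"))
```

Run it against the metadata file you exported from the Federation Services tab before sending that file to the IdP: a 404 on the ACS after the IdP posts back almost always means the Location the IdP was given and the path WebLogic actually serves have drifted apart, and the check reports exactly which one.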
  95. Hi Luis,

    Thanks for your inputs.

    My application is rightly configured. On keenly observing the logs, I realized that the IdP is returning me a SAML Response with a different Issuer Id. Hence, The SAML Identity Assertion is rejecting it as it is not expecting a response from it.

    Thanks,
    Sri.

    Replies
    1. Hello Sri,

      You are welcome!

      Great! So I do believe that updating your relying party in your IdP the authentication should start working.

      Cheers,

      Luis

    2. Hi Luis,

      Yes. Updated the IdP issuer Id and it worked like a charm. :)
      Now, proceeding with Single Logout

      Thanks,
      Sri.

  96. HI,

    I have configured weblogic as SP and OPENSSO as idp. I get the below error invalid issuer.

    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1384837211793> <exception info
    org.opensaml.xml.validation.ValidationException: [Security:096536]Invalid issuer format: urn:oasis:names:tc:SAML:2.0:nameid-format:entity.
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl$IssuerValidator.validateFormate(AssertionConsumerServiceImpl.java:377)
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl$IssuerValidator.validate(AssertionConsumerServiceImpl.java:368)
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl$ResponseValidator.validateIssuer(AssertionConsumerServiceImpl.java:315)
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl$ResponseValidator.validate(AssertionConsumerServiceImpl.java:279)
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.verifyAttrAndEle(AssertionConsumerServiceImpl.java:260)
    at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.process(AssertionConsumerServiceImpl.java:103)
    at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
    at com.sun.proxy.$Proxy27.process(Unknown Source)
    at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)

    Replies
    1. Hello krrish,

      mmm, I can recommend you to check the "entityID" of your IdP (OPENSSO). I am not sure if it is mandatory, but we always use URLs, like entityID="https://idp.domain/login".

      Hope it helps,

      Luis

  97. Hi Luis, Srikanth.

    Can you guys help me with a solution for the above error.

    Krish.

    Replies
    1. Hello Krrish,





      Please take a look at the response sent by your IdP. It should start with something like this:

      <samlp:Response ID="_243bd10b-5481-4521-a8f0-67be7cb5eb04"
                      Version="2.0"
                      IssueInstant="2013-11-21T07:54:14.156Z"
                      Destination="https://your.weblogic.domain/saml2/sp/acs/post"
                      Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                      InResponseTo="_0x5f7a685e55b0da9baf5be325a1b1bcfd"
                      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://your.idp/login</Issuer>
        <samlp:Status>
          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        ...

      Check the value of the "Issuer" element.

      Hope it helps,

      Luis


  98. Luis,

    I changed it. It is still the same behaviour. Below is the full stack trace.

    '> <> <> <> <1384976690462>

    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1384976690498>

    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1384976690500> https://krish.oktapreview.comiR+xCN5Zdqzf+u+yd3+0xow3E0A=j8lT7rFRgtFH3RTEhilBzqAHdO9wipe0HqZp67klJFGu5IlTbJpz2W+ZExgDiH/K80UfDQMIJ0UMFRdMY/HGAsnra6VOOSZi6Y1Ki02HVNDmshmpkQ2/Xb3I0thqwo4p+7vAftI9cBzpYQNr93nwt/xJF2Rr9g5BYqINASbm3Ys=MIIClTCCAf6gAwIBAgIGAUIzpf0GMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJVUzETMBEG
    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
    MBIGA1UECwwLU1NPUHJvdmlkZXIxDjAMBgNVBAMMBWtyaXNoMRwwGgYJKoZIhvcNAQkBFg1pbmZv
    QG9rdGEuY29tMB4XDTEzMTEwNzE3Mzg0NVoXDTQzMTEwNzE3Mzk0NVowgY0xCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARP
    a3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEOMAwGA1UEAwwFa3Jpc2gxHDAaBgkqhkiG9w0BCQEW
    DWluZm9Ab2t0YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL81yY7pYCwIzYz/OuZG
    trmwtAnd/RhBNwX8m/l3EO/tEEdDw7G/4ICSSBk5HP23OoXqNU7enLGWKK5+nF3pQBzJKhThPY9j
    ARBOBVqyRc2UnMpj5/DABhUERQ1BJQ64/pT1ylGJWWyisFmrbHi5gxrB+x8wz4X3dvFOjMpOMzqZ
    AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAQPH6ZMq8DqfRPG9IUVLLM8qi4ZAFzU7WhZ8jW3ecIyNV
    mctRLe6VEnBDyDeSaq2IhDtsnyMWTQRReVap6UeDXt7oE03Gg7JUv1iaxIhIAhEuEqDCxuOD5WFN
    ejXjxCOxvDD2+A9JrwVEiIst27sOc4gg6UOoHgH/kjoZDx2c52s=https://krish.oktapreview.comwjkMIuF1yRY+C1BvvEjcHYTVMkQ=QLTqhfGAfJdW7W0ZZhOu+xCQb04hrR0f54EbEX57NOmhq18Ic+u3M7ep5fXQUEjI8hPqaue/Jk4gI0j9mCp+91wWIZhcIvmXfNlozLo7YiIYhJN2MAi88gLU1apXD20xITcU/aZJJzqNaw7fW/da70h3hIJtT3/yT52LJ0xwG2Y=MIIClTCCAf6gAwIBAgIGAUIzpf0GMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJVUzETMBEG
    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
    MBIGA1UECwwLU1NPUHJvdmlkZXIxDjAMBgNVBAMMBWtyaXNoMRwwGgYJKoZIhvcNAQkBFg1pbmZv
    QG9rdGEuY29tMB4XDTEzMTEwNzE3Mzg0NVoXDTQzMTEwNzE3Mzk0NVowgY0xCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARP
    a3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEOMAwGA1UEAwwFa3Jpc2gxHDAaBgkqhkiG9w0BCQEW
    DWluZm9Ab2t0YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL81yY7pYCwIzYz/OuZG
    trmwtAnd/RhBNwX8m/l3EO/tEEdDw7G/4ICSSBk5HP23OoXqNU7enLGWKK5+nF3pQBzJKhThPY9j
    ARBOBVqyRc2UnMpj5/DABhUERQ1BJQ64/pT1ylGJWWyisFmrbHi5gxrB+x8wz4X3dvFOjMpOMzqZ
    AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAQPH6ZMq8DqfRPG9IUVLLM8qi4ZAFzU7WhZ8jW3ecIyNV
    mctRLe6VEnBDyDeSaq2IhDtsnyMWTQRReVap6UeDXt7oE03Gg7JUv1iaxIhIAhEuEqDCxuOD5WFN
    ejXjxCOxvDD2+A9JrwVEiIst27sOc4gg6UOoHgH/kjoZDx2c52s=krish.v@krish.localkrish_domainurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport>

    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1384976691054> <[Security:096536]Invalid issuer format: urn:oasis:names:tc:SAML:2.0:nameid-format:entity.>

  99. HI Luis,

    Here is my response and it sounds good to me.


    <samlp:Response ...>
      <saml:Issuer>http://www.okta.com/km307ixGHHOFSNPKNTBM</saml:Issuer>
      <ds:Signature>
        <ds:SignedInfo>
          ...
          <ds:DigestValue>JBjTOEJNVQz8nx1hXq3Nf87eHZc=</ds:DigestValue>
        </ds:SignedInfo>
        <ds:SignatureValue>PlCh+/JgbxVJu6EeRduRmpklHcf57G6yeIlZgy5B6v8axpq+igwRyRH7lXQ0OGKCXb3qqSd+29FvjsWHF4DIkn4xLgdywgkwg9l7NibZsPZsvAdn/p7tKgPEPRL/6YL43f3c193Ce+IQ4uXbZBNIILWIBty05dVaG75CYYEGpyE=</ds:SignatureValue>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIClTCCAf6gAwIBAgIGAUIzpf0GMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJVUzETMBEG
    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
    MBIGA1UECwwLU1NPUHJvdmlkZXIxDjAMBgNVBAMMBWtyaXNoMRwwGgYJKoZIhvcNAQkBFg1pbmZv
    QG9rdGEuY29tMB4XDTEzMTEwNzE3Mzg0NVoXDTQzMTEwNzE3Mzk0NVowgY0xCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARP
    a3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEOMAwGA1UEAwwFa3Jpc2gxHDAaBgkqhkiG9w0BCQEW
    DWluZm9Ab2t0YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL81yY7pYCwIzYz/OuZG
    trmwtAnd/RhBNwX8m/l3EO/tEEdDw7G/4ICSSBk5HP23OoXqNU7enLGWKK5+nF3pQBzJKhThPY9j
    ARBOBVqyRc2UnMpj5/DABhUERQ1BJQ64/pT1ylGJWWyisFmrbHi5gxrB+x8wz4X3dvFOjMpOMzqZ
    AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAQPH6ZMq8DqfRPG9IUVLLM8qi4ZAFzU7WhZ8jW3ecIyNV
    mctRLe6VEnBDyDeSaq2IhDtsnyMWTQRReVap6UeDXt7oE03Gg7JUv1iaxIhIAhEuEqDCxuOD5WFN
    ejXjxCOxvDD2+A9JrwVEiIst27sOc4gg6UOoHgH/kjoZDx2c52s=
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </ds:Signature>
      <samlp:Status>...</samlp:Status>
      <saml:Assertion ...>
        <saml:Issuer>http://www.okta.com/km307ixGHHOFSNPKNTBM</saml:Issuer>
        <ds:Signature>
          <ds:SignedInfo>
            ...
            <ds:DigestValue>ODGlhd4PiM2+EFGyTHGTYr/4BK4=</ds:DigestValue>
          </ds:SignedInfo>
          <ds:SignatureValue>nYsHdxGX0MU/W1gjezDb8Tp4zhSiMfKZ93sjxbhwhAvE7bFG9G6ZglANrmQrJf6ElVo8TR0GkrO+r1Q9Fqp0jgoxHnkDWDy6ksZRwtzeC8tFoUXdB0j2jcYpJNOjShT01i/ttWYb+fcFVexQ9QeE6ptzRKrZ8ig3NA2fPdVsp9o=</ds:SignatureValue>
          <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIClTCCAf6gAwIBAgIGAUIzpf0GMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJVUzETMBEG
    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
    MBIGA1UECwwLU1NPUHJvdmlkZXIxDjAMBgNVBAMMBWtyaXNoMRwwGgYJKoZIhvcNAQkBFg1pbmZv
    QG9rdGEuY29tMB4XDTEzMTEwNzE3Mzg0NVoXDTQzMTEwNzE3Mzk0NVowgY0xCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARP
    a3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEOMAwGA1UEAwwFa3Jpc2gxHDAaBgkqhkiG9w0BCQEW
    DWluZm9Ab2t0YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL81yY7pYCwIzYz/OuZG
    trmwtAnd/RhBNwX8m/l3EO/tEEdDw7G/4ICSSBk5HP23OoXqNU7enLGWKK5+nF3pQBzJKhThPY9j
    ARBOBVqyRc2UnMpj5/DABhUERQ1BJQ64/pT1ylGJWWyisFmrbHi5gxrB+x8wz4X3dvFOjMpOMzqZ
    AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAQPH6ZMq8DqfRPG9IUVLLM8qi4ZAFzU7WhZ8jW3ecIyNV
    mctRLe6VEnBDyDeSaq2IhDtsnyMWTQRReVap6UeDXt7oE03Gg7JUv1iaxIhIAhEuEqDCxuOD5WFN
    ejXjxCOxvDD2+A9JrwVEiIst27sOc4gg6UOoHgH/kjoZDx2c52s=
          </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
          <saml:NameID ...>krish.v@krish.local</saml:NameID>
          ...
        </saml:Subject>
        <saml:Conditions ...>
          <saml:AudienceRestriction>
            <saml:Audience>SAML2AP</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement ...>
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>





    I am using WebLogic 10.3 with JRockit 1.6.0_45

    Replies
    1. Hi Krrish,

      I am afraid that pasting the encoded response is not very helpful for solving this issue. I can recommend you to use https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php for decoding your SAML messages. If you are a Firefox user take a look at the SAML tracer.

      Hope it helps,

      Luis

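Luis recommends decoding the response with an external web tool. A response carries a signed identity statement, the user's NameID and whatever attributes the IdP released, which is not something to paste into a third-party site, so here is an added offline decoder (not code from the post or from WebLogic) that pulls out the fields the WebLogic ACS validates and checks them the way the traces in this thread show them failing: the Issuer and its Format attribute (the value rejected in the [Security:096536] trace above), Destination versus the ACS URL, InResponseTo, Status, which parts are signed, NameID, audience versus the SP entityID, the validity window and the attributes. The sample response is constructed for this example; its URLs, audience, user, group names and the placeholder signature are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: placeholder issuer, audience, user and groups; the Issuer deliberately
# carries the Format attribute seen in the stack trace above; the signature value is a dummy
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2013-11-21T07:54:14Z"
 Destination="https://your.weblogic.domain/saml2/sp/acs/post">
 <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://your.idp/login</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-21T07:54:14Z">
  <saml:Issuer>https://your.idp/login</saml:Issuer>
  <ds:Signature><ds:SignatureValue>dummy</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-11-21T07:49:14Z" NotOnOrAfter="2013-11-21T07:59:14Z">
   <saml:AudienceRestriction><saml:Audience>https://your.weblogic.domain/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-11-21T07:54:14Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>group1</saml:AttributeValue><saml:AttributeValue>group2</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_POSTED = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()  # the SAMLResponse form value


def decode_saml_message(value, binding="post"):
    """The POST binding carries plain base64; the Redirect binding base64 of raw DEFLATE."""
    data = base64.b64decode(value)
    if binding == "redirect":
        data = zlib.decompress(data, -15)
    return data.decode()


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def summarize_response(xml_text):
    """Pull out the fields the WebLogic ACS validates before it asserts an identity."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    summary = {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "issuer_format": issuer.get("Format") if issuer is not None else None,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value") if status is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": [],
    }
    for a in root.findall("saml:Assertion", NS):
        cond = a.find("saml:Conditions", NS)
        name_id = a.find("saml:Subject/saml:NameID", NS)
        attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                 for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
        summary["assertions"].append({
            "issuer": (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
            "signed": a.find("ds:Signature", NS) is not None,
            "name_id": name_id.text if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "audiences": [x.text for x in a.findall(
                "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
            "not_before": cond.get("NotBefore") if cond is not None else None,
            "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
            "authn_context": a.findtext(
                "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
            "attributes": attrs,
        })
    return summary


def findings(summary, sp_entity_id, acs_url, now=None):
    """Explain, in the ACS's terms, why this response would be rejected."""
    now = now or datetime.now(timezone.utc)
    out = []
    if summary["status"] != SUCCESS:
        out.append(f"status is {summary['status']}, not Success")
    if summary["issuer_format"]:
        out.append(f"Issuer carries Format={summary['issuer_format']}; the WLS 10.3 ACS in the "
                   "trace above rejected exactly this value ([Security:096536])")
    if summary["destination"] and summary["destination"] != acs_url:
        out.append(f"Destination {summary['destination']} is not the ACS URL {acs_url}")
    if summary["in_response_to"] is None:
        out.append("no InResponseTo: unsolicited (IdP-initiated) response")
    for i, a in enumerate(summary["assertions"]):
        if a["issuer"] != summary["issuer"]:
            out.append(f"assertion {i}: Issuer {a['issuer']} differs from the response Issuer")
        if not a["signed"] and not summary["response_signed"]:
            out.append(f"assertion {i}: neither the assertion nor the response is signed")
        if sp_entity_id not in a["audiences"]:
            out.append(f"assertion {i}: audience {a['audiences']} does not name the SP entityID {sp_entity_id}")
        nb, exp = _ts(a["not_before"]), _ts(a["not_on_or_after"])
        if nb and nb > now:
            out.append(f"assertion {i}: not yet valid (NotBefore {a['not_before']})")
        if exp and exp <= now:
            out.append(f"assertion {i}: expired (NotOnOrAfter {a['not_on_or_after']})")
    return out


if __name__ == "__main__":
    s = summarize_response(decode_saml_message(SAMPLE_POSTED))
    for f in findings(s, "https://your.weblogic.domain/", "https://your.weblogic.domain/saml2/sp/acs/post"):
        print("-", f)
```

Feed it the SAMLResponse value from the browser's POST to /saml2/sp/acs/post (or the SAMLRequest/SAMLResponse query value with binding="redirect"). It deliberately does not verify the XML signature; that still has to be done against the certificate from the IdP metadata, which is what WebLogic does once the fields above pass.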
  100. Luis,

    No problem, I figured out the issue. It works now. the IDP initiated flow works.

    Can you give me some guidance on how I can do an SP-initiated login, where I access WebLogic and get redirected to the IdP for authentication?

  101. Hello Krrish,

    If you have configured your WLS as a SP (http://docs.oracle.com/cd/E24329_01/web.1211/e24422/saml.htm#i1109029) just deploy a web application with a security constraint (http://docs.oracle.com/cd/E24329_01/web.1211/e24485/thin_client.htm)

    Hope it helps,

    Luis

  102. Hi Edwin,

    Thanks for this post. I implemented this for only one WebLogic domain which contains the Admin Server, and a Cluster that includes 2 managed servers (m_server1, m_server2), and the three applications App1, App2 and App3 which are deployed as follows:

    App1 deployed on Admin Server (http://localhost:7001/App1)
    App2 deployed on m_server1 (http://localhost:7003/App2)
    App3 deployed on m_server2 (http://localhost:7005/App3)

    I have implemented SSO using SAML2 and I have my Source Site as App1 deployed on the Admin Server and two destinations App2, App3 deployed on m_server1 and m_server2,
    and it works fine from the Source site to any of these destinations separately

    (example: I try to login to Application App1 http://localhost:7001/App1 and the login page appears; after typing the user name and password in the login page, the welcome page welcome.jsp appears. After that I try to access any of the destination sites by clicking on the related link on the welcome page and it is able to go to the destination fine (http://localhost:7003/welcome.jsp or http://localhost:7005/welcome.jsp)

    but I am facing an issue: when I am on the welcome page for App2, as an example, and want to go directly to another destination (from a destination site to another destination, from App2 to App3),
    it redirects to the SAML URL http://localhost:7005/saml2/idp/login and a 404 Not Found "The requested URL [URL] was not found on this server" and cannot continue. How can I deal with this situation, meaning how can I access a resource page from one destination to another destination? From (http://localhost:7003/App2/welcome.jsp) to (http://localhost:7005/App2/welcome.jsp) without facing this issue and without asking for the user name & password again. Any ideas would be appreciated.

    Thanks,

    Osama Elmongy

    ReplyDelete
    Replies
    1. Hi,

      Do you use auth-method CLIENT-CERT on App2 and App3? I don't know what goes wrong, but I suspect that it should redirect to http://localhost:7001/App1, which has basic authentication, and after this go back to App3.

      Can you do a test: access App2 and App3 without being authenticated? This should redirect to the login page of App1. This should work. Else it is a configuration issue on the SAML2 side of App2/App3.

      And set these parameters to see the output:

      set EXTRA_JAVA_PROPERTIES=-Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true %EXTRA_JAVA_PROPERTIES%

      Thanks, Edwin
      Delete
    2. Hello Osama,

      It seems that m_server2 needs to be configured as an Identity Provider. See http://docs.oracle.com/cd/E23943_01/web.1111/e13707/saml.htm#i1107127 "Configuring an Identity Provider Site for SAML 2.0 Single Sign-On".

      For this kind of exercise I would recommend having a separate Identity Provider, like Shibboleth, OpenAM, ADFS, etc., and letting your WebLogic servers be the Service Providers. IMHO it makes the "big picture" of your infrastructure pretty clean.

      Hope it helps,

      Luis

      Delete
  103. Hi Luis,

    I created a SAML setup with the Hyperion EPM system. The document says to put the SP-initiated protection on /interop/*. When I do that, WebLogic goes back and forth in an infinite loop. I can see I am authenticated, and again it goes back to my IDP with an authentication request. Any idea on this? Below is my log, split into two posts.

    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765429368>
    (log excerpt: the message fields of these lines were lost when the comment was posted; only the thread name and the timestamps 1392765429368 to 1392765439711 survive)

    ReplyDelete
    Replies
    1. Hello Krrish,

      This issue used to happen to us when we specified the cookie-path in the weblogic.xml of our applications. You can check whether this is also the case for you.

      I have taken a quick look at your PDF document, and we, for our Service Providers, add the /saml2 context to the Published Site URL (https://HypOHSServer:HypOHSPort/saml2). Maybe using https instead of http would be more convenient.

      Hope it helps,

      Luis

      Delete
  104. -000000>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440474>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440474>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440474>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440474>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440525>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440531>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440533>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440552>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7IX6881zYFLrfP8A1J0yIX000020> <1392765440552>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440756>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440756>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440756>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440756>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440756>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440757>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440758>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440765>
    #### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440765>
    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440772>
    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440773>
    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440773>
    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440773>
    #### <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1392765440774>

    ReplyDelete
  105. I have not put in the assertions, since I am not able to post something so big. But the reality is, it reads the assertion and maps the user, then goes back into the loop. IDP-initiated is working fine.

    ReplyDelete
  106. I used the following document to configure.

    http://www.oracle.com/technetwork/middleware/bi-foundation/epm-saml-service-provider-auth-409174.pdf

    In the document I can see the SSODiag app works fine. Only interop keeps looping in the SP-initiated scenario.

    ReplyDelete
  107. Sorry, I don't see the log. Here you go.

    #### <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000KH7NmqO81zYFLrfP8A1J0yvz000008> <1392766823836>
    (log excerpt: the message fields were lost when the comment was posted; only the thread names '4' and '1' and the timestamps 1392766823836 to 1392766823869 survive)

    ReplyDelete
  108. Luis,

    I found this. Actually, when I access http://win-citrix.krish.com:9000/interop/ I receive this issue, but if I access http://win-citrix.krish.com:9000/interop/index.jsp it works fine. Maybe after SAML authentication it does not send to index.jsp and loops. That is what I see as the issue, probably a bug.

    ReplyDelete
  109. I have a scenario where I need to configure 2 SAML WARs in a single WebLogic domain. How can I configure 2 saml2 WARs for 2 different applications in a single WebLogic domain?

    ReplyDelete
  110. Dear Biemond,

    I have deployed one IDP and two SP applications in three independent WebLogic domains, each on its own cluster, and then I added the necessary SAML2 configuration on the IDP and the 2 SP servers. Now I am able to log in to the SP applications through the IDP login screen and to visit the protected pages (role based) in each individual SP application without any issues.

    But my requirement additionally says that if the user logs in to one SP application, then he should be able to visit the protected pages of the other SP application also. The user should not be asked to log in again for the second SP application. But in reality, on my setup/configuration, each service provider asks for the SAML2 assertion from the IDP individually. So it asks for a re-login if the user moves from one SP application to another SP application using the link provided in the first SP application.

    What additional configuration should be done to make it work as real SSO with the feature described above?

    Your help is very much appreciated. Thanks in advance.

    ReplyDelete
  111. Hi Biemond,

    First of all, I would like to thank you for writing this great post.
    I have a question: is there an option to disable response signing in the identity provider settings?

    ReplyDelete
  112. Using WLST, how do I publish SAML 2.0 metadata?

    ReplyDelete
    Replies
    1. Hello Nitish,

      Late answer, sorry...

      ###################################################
      # imports
      import os
      # java.lang.Exception is imported under the name Exception so that the
      # except clause below also catches Java exceptions raised by the MBean call
      import java.lang.Exception as Exception

      ####################################################
      # Get required ENV variables
      # os.environ is a mapping object representing the string environment, e.g. environ['HOME']
      # is the pathname of your home directory (on some platforms), equivalent to getenv("HOME") in C.
      pwd=os.environ["PASSWORD"]
      uname=os.environ["USERNAME"]
      domainDir=os.environ["DOMAINDIR"]
      serverName=os.environ["SERVERNAME"]
      protocol='t3'
      listenAddress=os.environ["LISTENADDRESS"]
      listenPort=os.environ["LISTENPORT"]

      # The URL must be the managed server one (the SSO runtime MBean lives on the server that publishes)
      url=protocol + '://' + listenAddress + ':' + listenPort

      # Connect WLST to a WebLogic Server instance
      connect(uname,pwd,url)

      # File the published metadata is written to
      originalMetadataPath = domainDir + '/config/' + serverName + '.xml'

      try:
          #######################################################
          # Navigate to the root of the runtime MBean hierarchy (ServerRuntimeMBean)
          serverRuntime()

          # cd to the SSO runtime MBean of this server
          cd('/SingleSignOnServicesRuntime/' + serverName)

          # Export the metadata to the file. WLS must be allowed to write in that location
          cmo.publish(originalMetadataPath)

      except Exception,ex:
          print "ERROR: " + str(ex) + "!"

      ##################################################
      # Close the current WebLogic Server instance connection and reset all the variables
      # while keeping the interactive shell alive
      disconnect()

      ##################################################
      # See: http://docs.oracle.com/cd/E12839_01/web.1111/e13813/reference.htm#CACDHGAD

      Hope it helps,

      Luis

      Delete
  113. Hi Luis,

    I also have the JSESSIONID overriding issue. I tried to rename the cookie in the mod_wl config file as you described above, but it did not work. Can you please write in more detail about the configuration on the web server and application side?
    Thanks,
    Ali

    ReplyDelete
  114. Hello Biemond, I have successfully implemented SAML2 with ADFS as the IDP and WebLogic as the SP. The problem is, I cannot retrieve any SAML2 attributes to populate into a HEADER variable so I can log the user in to the application; does that make sense? I clearly see my SAML2 information in the logs, but no HEADER variables are being populated. How do I take SAML2 attributes and pass them into HEADER variables? A servlet filter?

    Thanks in advance for any assistance.

    ReplyDelete
  115. Hello Edwin and others,

    At https://github.com/cerndb/wls-cern-sso you can find two projects:

    - WlsAttributeNameMapper: it extracts the information from the IdP response and transforms it into principals. See http://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2015-02-oracle-weblogic-saml2-authorization
    - saml2slo: implementation of the single logout

    I will document both a bit in the Readme.md.

    Hope it helps,

    Luis

    ReplyDelete
  116. Hi Edwin, Luis and others,

    I am a beginner with SAML and WebLogic Server. I am doing a POC for single sign-on.
    I have created two applications in two different domains, deployed on two WebLogic servers on the same machine.

    1) Demo_Web_Project - on server1 - Identity Provider
    2) Demo_Project_2 - on server2 - Service Provider

    I have just created a static link to go to the service provider page, and I did all the configuration mentioned in the blog. But when I click to access the page of the service provider, it is still asking for credentials. It is not giving single sign-on.
    Please let me know what is wrong here.

    I have given the URL below as Published Site URL in the server1 (identity provider application) configuration:
    http://localhost:7001/

    I have given the URL below as Published Site URL in the server2 (service provider application) configuration:
    http://localhost:7003/

    My JSP on the service side is index.jsp. I have configured the URL below in the redirect URLs after importing the metadata.xml of the IDP:
    Demo_Project_2/saml2

    Thanks in advance guys.

    ReplyDelete
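The Published Site URL question comes up repeatedly in this thread (the post itself says it must end in saml2, and Luis notes above that his SPs use https://host:port/saml2). As an added example, written for this page and not taken from the post, Oracle, or the cerndb project, the following Python reads the metadata XML a WebLogic server exports from its Federation Services tab and reports, before you import it on the partner side, whether every endpoint sits under the published site URL inside the /saml2 context, whether the URL is https, and whether a signing certificate is present. The /saml2 prefix is assumed from the endpoint paths quoted in this thread (/saml2/sp/acs/post, /saml2/idp/login); the two metadata documents are constructed, with a placeholder certificate value, and the failing one is shaped to resemble the configuration described in the comment above.

```python
"""Check SAML 2.0 partner metadata (the XML exported from a WebLogic
server's Federation Services tab) before importing it on the other side.
Example code for this page, not Oracle's or the post author's; the two
metadata documents below are constructed, with a placeholder certificate."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Endpoint elements per role. WLS_CONTEXT is assumed from the endpoint
# paths quoted in this thread (/saml2/sp/acs/post, /saml2/idp/login).
ROLE_ENDPOINTS = {
    "SPSSODescriptor": ("AssertionConsumerService", "SingleLogoutService"),
    "IDPSSODescriptor": ("SingleSignOnService", "SingleLogoutService"),
}
WLS_CONTEXT = "/saml2/"


def parse_metadata(xml_text):
    """Return entityID, roles, (role, element, binding, location) endpoints and cert presence."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("not a SAML 2.0 EntityDescriptor: " + root.tag)
    info = {"entity_id": root.get("entityID"), "roles": [], "endpoints": [], "signing_cert": False}
    for role, elements in ROLE_ENDPOINTS.items():
        for desc in root.findall("md:" + role, NS):
            info["roles"].append(role)
            for element in elements:
                for ep in desc.findall("md:" + element, NS):
                    info["endpoints"].append((role, element, ep.get("Binding"), ep.get("Location")))
            for kd in desc.findall("md:KeyDescriptor", NS):
                # use="signing", or no use attribute (which means signing and encryption)
                cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                if kd.get("use") in (None, "signing") and cert is not None and cert.text:
                    info["signing_cert"] = True
    return info


def check_metadata(xml_text, published_site_url):
    """Return a list of findings; an empty list means the metadata matches the
    published site URL and is ready to import on the partner."""
    info = parse_metadata(xml_text)
    findings = []
    site = published_site_url.rstrip("/")
    if not site.endswith("/saml2"):
        findings.append("published site URL does not end in /saml2: " + published_site_url)
    if urlparse(site).scheme != "https":
        findings.append("published site URL is not https, assertions travel in the clear: " + published_site_url)
    if not info["roles"]:
        findings.append("no SPSSODescriptor or IDPSSODescriptor in metadata")
    if not info["endpoints"]:
        findings.append("no endpoints in metadata")
    for role, element, binding, location in info["endpoints"]:
        if not location:
            findings.append("%s %s (%s) has no Location" % (role, element, binding))
        elif not location.startswith(site + "/"):
            findings.append("%s %s is not under the published site URL: %s" % (role, element, location))
        elif not urlparse(location).path.startswith(WLS_CONTEXT):
            findings.append("%s %s is outside the %s context: %s" % (role, element, WLS_CONTEXT, location))
    if not info["signing_cert"]:
        findings.append("no X509Certificate in a signing KeyDescriptor, signed messages cannot be verified")
    return findings


# Constructed SP metadata that passes (the certificate value is a placeholder).
SP_METADATA_OK = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="sp-demo">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://localhost:7003/saml2/sp/acs/post" index="0"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)
# Constructed failure case: http, endpoint outside /saml2, no signing certificate.
SP_METADATA_BAD = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="sp-demo">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="http://localhost:7003/sp/acs/post" index="0"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    print(check_metadata(SP_METADATA_OK, "https://localhost:7003/saml2"))
    print(check_metadata(SP_METADATA_BAD, "http://localhost:7003/"))
```

Run it against the file you are about to import, with the Published Site URL exactly as typed in the console; a finding about the /saml2 context or the site URL is the mismatch that sends the browser to an endpoint nothing is listening on.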
  119. Hi Everybody,
    Is it possible to use SAML in two different domains that use different Authentication Providers?
    1) First domain: Active Directory
    2) Second domain: Spring Security?

    Can I log in to the first domain as userX and access the second domain, which doesn't have userX?
    I need to log in to an application as userX with a password and have a link to the second application, which doesn't use an Authentication Provider in WebLogic but uses Spring Security.

    Thanks for your help
    Carlo

    ReplyDelete
    Replies
    1. Hello Carlo,

      I am not sure I follow you... The answer to your question is yes; nothing stops you declaring different authentication providers in two (or more) different domains.

      What I would do to implement your scenario:

      1. Domain one with SAMLAuthenticator

      2. Domain two http://projects.spring.io/spring-security-saml/

      For both domains the authentication will be provided by your IdP.

      Hope it helps,

      Luis

      Delete
  121. HI All,

    We have implemented SSO using SAML2 and OBIEE 11.7 successfully.

    We have integrated the OBIEE reports using an iframe component in J2EE applications. On click of the logout button we are able to log out of the application successfully, but subsequently, if a different user tries to log in and access the OBIEE reports, the reports displayed relate to the previously logged-in user.
    It means the Service Provider is not destroying the session cookies.

    I have tried the possible options below, but the issue still exists:
    1-weblogic.servlet.security.ServletAuthentication.logout(request);
    2-weblogic.servlet.security.ServletAuthentication.invalidateAll(request);
    3-weblogic.servlet.security.ServletAuthentication.killCookie(request);
    4-Also tried to delete all cookies

    As per Luis's comments above, we have tried to use the custom logout functionality at "https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo"

    I need some information about the fields in web.xml mentioned below:

    algorithm: Can we use the same algorithm mentioned in web.xml?
    SigAlg: signature algorithm specified in the logout request/response URL.
    idpEndpoint: SSO endpoint where to send the samlp:LogoutResponse. Can you explain more about this field?
    keystoreType: JKS.
    keystoreProvider: SUN.
    getPasswdScript: What parameters need to be passed in this field?
    keystorePasswordKey: Which value do we need to pass in this field?
    privateKeyPasswordKey: Which value do we need to pass in this field?
    ssoSignOutUrl: SSO Single Log Out URL. I used it to initialize the redirect URL used by the SAML2sloServlet to redirect the response. It will be overridden by the idpEndpoint + samlp:LogoutResponse.
    webSSOpartnerName: name of the SAML 2.0 Identity Assertion Provider
    authenticationProviderName: name of the SAML 2.0 identity provider partner

    Note: I have tried to deploy the samlwlo.war file without modifying anything; the deployment fails due to the web.xml context-param fields.

    Please provide information about the web.xml fields mentioned above, and also please confirm whether we need to modify any other files in samlslo.war apart from web.xml.


    Thanks
    Rajesh

    ReplyDelete
  122. Hi Luis,
    I am trying to run your single logout solution in my environment. In your web.xml, you have mentioned "/ORA/dbs01/syscontrol/projects/systools/bin/get_passwd" for getting the password, but I am not able to find the file anywhere. Can you share a sample file so that I can create a similar one?

    ReplyDelete
    Replies
    1. Hi Rohan,

      Actually, I think that I should remove that reference. We use that script to get the password of the JVM keystore.

      E.g. if you want to do a "dummy test", just create a script that echoes your keystore password.

      Hope it helps,

      Luis



      Delete
  123. Hello Edwin and others, 

    I have successfully configured an SP using WebLogic.
    I used this class by Luis to extract the assertions:

    https://github.com/cerndb/wls-cern-sso

    But when my IdP decrypts the assertions (it has to decrypt assertions in order to go from testing to production) I am not able to get those assertions. I read that WebLogic doesn't support encrypted assertions; is that true? In this case, what can I do?
    Thanks
    Mohamed

    ReplyDelete
  124. Hi,

    I have configured SSO for WebCenter Portal in WebLogic. When I try to log in with the SP-initiated URL (the WebCenter Portal app URL), it redirects to the Identity Provider login page. I have set the bad password count to 5. On entering a bad password for the 5th time, the browser is redirected to a 403 Not Authorized page at the WebLogic ACS URL - http://hostname:port/saml2/sp/acs/post. How is this handled in WebLogic? How do I consume the assertion and build a customized error page for this request?

    ReplyDelete