In a previous blog entry I already explained how to set up Single Sign-On (SSO) with SAML 1.1. In this blog post I do the same, but with SAML version 2 (SAML2) on a WebLogic 10.3.1 server.
First we start with the SAML2 Identity Provider; in SAML 1.1 this is called the source site. Because we can't do anything yet in the Federation Services tab of the server, we first need to create a Credential Mapping Provider (go to the myrealm security realm, Providers, Credential Mapping) and choose the SAML2 credential mapping.
Fill in the provider-specific details and use the DemoIdentity keystore (this is the default).
Now we can go to the Federation Services tab of the server configuration and create a SAML2 profile for this server. We need to save this profile to a file and later import it into the other SAML2 Service Providers.
The published site URL is very important: use the URL of this server (http or https) and append saml2 to it. SAML needs this URL to communicate with the other SAML services.
Second part of the SAML2 profile
Save this profile to an XML file.
Go to the Identity Provider tab and fill in these fields.
Go to the second WebLogic server; this is called the Service Provider (in SAML 1.1, the destination site). Here we need to create a new SAML2 Authentication provider (go to the myrealm security realm, Providers, and then Authentication).
Once this is done we can go to the Federation Services tab of this WebLogic server and fill in its SAML2 profile. The published site URL is very important: it must match the server URL and has to end with saml2.
Second part of this SAML profile
Save this metadata to an XML file. It needs to be imported into the Credential Mapping Provider of the Identity Provider (the first WebLogic server).
The next step is to go to the SAML2 Service Provider tab.
Go back to the SAML2 Authentication provider, where we import the Identity Provider metadata XML.
Select the Identity Provider metadata XML.
You have to enable this and, most importantly, fill in all the URLs of the applications that need SAML authentication.
Now we do the same for the metadata XML of the Service Provider: we need to import it into the Credential Mapping Provider of the Identity Provider.
Select the Service Provider metadata XML.
Enable this Service Provider.
In this example I use http, but it should also work with https. When it fails, check your URLs: don't mix localhost and the PC name, and the same goes for the domain name.
For more debug information in your server.log, set these Java parameters in your setDomainEnv:
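Most failed SAML2 exchanges between two WebLogic servers come down to the URL mismatches described above: one side published localhost while the other published a host name, or the published site URL does not end with saml2. The following Python script is an added example, not code from the original post or from WebLogic; it checks an exported metadata XML before you import it into the peer server. The sample Identity Provider and Service Provider metadata is constructed, and the script assumes that every endpoint a server publishes sits below its published site URL (for instance a Location under http://host:port/saml2 when the published site URL is http://host:port/saml2).

```python
"""Pre-import sanity check for exported SAML2 metadata XML (added example)."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Endpoint elements defined by the SAML2 metadata schema; each carries a Location URL.
ENDPOINT_TAGS = ("md:SingleSignOnService", "md:SingleLogoutService",
                 "md:ArtifactResolutionService", "md:AssertionConsumerService")

# Constructed Identity Provider metadata: every endpoint sits under the published site URL.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.example.local:7001/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.local:7001/saml2/idp/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.local:7001/saml2/idp/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Service Provider metadata with the mistake the post warns about:
# the assertion consumer endpoint was published as localhost instead of the server name.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.local:7003/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:7003/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_metadata(xml_text, published_site_url):
    """Return a list of findings; an empty list means the metadata is consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    site = urlparse(published_site_url)
    base_path = site.path.rstrip("/")

    # The published site URL has to end with saml2.
    if not base_path.endswith("/saml2"):
        findings.append(f"published site URL does not end with /saml2: {published_site_url}")

    for tag in ENDPOINT_TAGS:
        for element in root.findall(f".//{tag}", NS):
            location = element.get("Location", "")
            loc = urlparse(location)
            # Mixing localhost with a real server name is the classic failure.
            if loc.hostname in ("localhost", "127.0.0.1"):
                findings.append(f"{tag} Location uses localhost: {location}")
            # Scheme, host and port must match the published site URL exactly;
            # http vs https or short name vs FQDN both count as a mismatch.
            if (loc.scheme, loc.hostname, loc.port) != (site.scheme, site.hostname, site.port):
                findings.append(f"{tag} Location {location} is not on {published_site_url}")
            # Assumption: endpoints live below the published site path.
            if not loc.path.startswith(base_path + "/"):
                findings.append(f"{tag} Location {location} is not below {base_path}/")
    return findings


def hostnames_mix_styles(*xml_texts):
    """True if the exchanged metadata mixes short host names with fully qualified ones."""
    hosts = set()
    for xml_text in xml_texts:
        root = ET.fromstring(xml_text)
        for tag in ENDPOINT_TAGS:
            for element in root.findall(f".//{tag}", NS):
                host = urlparse(element.get("Location", "")).hostname
                if host:
                    hosts.add(host)
    qualified = {h for h in hosts if "." in h}
    return bool(qualified) and qualified != hosts


if __name__ == "__main__":
    for name, xml_text, url in (("IdP", IDP_METADATA, "http://idp.example.local:7001/saml2"),
                                ("SP", SP_METADATA, "http://sp.example.local:7003/saml2")):
        for finding in check_metadata(xml_text, url) or ["metadata looks consistent"]:
            print(f"{name}: {finding}")
    print("mixed host name styles:", hostnames_mix_styles(IDP_METADATA, SP_METADATA))
```

Run it against the two exported files before importing them (replace the constructed strings with the file contents and the published site URL you entered in the Federation Services tab); the SP sample above reports both the localhost endpoint and the resulting mismatch with the published site URL, which is exactly the situation the debug flags below would otherwise make you hunt for in server.log.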
set EXTRA_JAVA_PROPERTIES=-Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true %EXTRA_JAVA_PROPERTIES%