To set up SAML 2 with WebLogic 10.3.0 we need to create a security database even before creating the domains.
Steps to use the PointBase database shipped with the WebLogic installation:
- Copy "pbembedded.lic" located in "C:\bea10.3\wlserver_10.3\common\eval\pointbase\lib" to "C:\bea10.3\wlserver_10.3\common\eval\pointbase\tools".
- We need to create two security databases: one for the source-side domain and another for the destination-side domain.
- Now start the PointBase server (run "startPointBase.cmd" located in "C:\bea10.3\wlserver_10.3\common\eval\pointbase\tools").
- Start the PointBase console (run "startPointBaseConsole.cmd" located in the same "tools" directory) and log in using the user name "EXAMPLES" and password "EXAMPLES", as shown below:
- Now let's create the security store tables using the sample script "rdbms_security_store_pointbase.sql" located in "C:\bea10.3\wlserver_10.3\server\lib".
- Now we need to create the second database using the user name "PUBLIC" and password "PUBLIC".
We have successfully created the two security databases; let's create the domains now, namely:
- saml_2_source_post : Admin Server running on 7001 ( http ) and 7002 ( https )
- saml_2_destination_post : Admin Server running on 7003 ( http ) and 7004 ( https )
- Run the "Configuration Wizard". On the "Customize Environment and Services Settings" screen select the option "Yes".
- Select the option "I want to create, change, or remove RDBMS support", make the changes shown in the figure below, and click the "Test Connection" button to make sure that the database is configured properly.
- Configure SSL on both domains. The following link describes how to configure "Custom Identity and Custom Trust":
Link:
http://wls4mscratch.wordpress.com/2010/06/08/steps-to-configure-custom-identity-custom-trust-on-wls/
SAML Source site configuration :
- We need to configure a "Credential Mapper" on the IdP end.
- Go to "myrealm" –> "Providers" –> "Credential Mapping" and add a "SAML2CredentialMapper", say "SAML2_CredentialMapper", as shown below :
Now click on the newly created SAML2CredentialMapper ( "SAML2_CredentialMapper" ) and make the following changes :
- Issuer URI : http://www.sourcesite.com/saml
- Name Qualifier : sourcesite.com
- Web Service Assertion Signing Key Alias : cooldragon
- Web Service Assertion Signing Key Pass Phrase : **********
- Please type again to confirm : **********
Click on "Servers" –> Admin Server –> "Federation Services" –> "SAML 2.0 Identity Provider" and make the following changes :
- Enabled : check
- Only Accept Signed Authentication Request : check
- Preferred Binding : POST
- Click on "Servers" –> Admin Server –> "Federation Services" –> "SAML 2.0 General" and make the following changes :
- Replicated Cache Enabled : Uncheck
- Contact Person Given Name
- Contact Person Surname
- Contact Person Type
- Contact Person Company
- Contact Person Telephone Number
- Contact Person Email Address
- Organization Name
- Organization URL
- Published Site URL : http://<SourceSiteDNSName>:<PORT>/saml2
- Entity ID : ( Source Domain name )
- Single Sign-on Signing Key Alias
- Single Sign-on Signing Key Pass Phrase
- Confirm Single Sign-on Signing Key Pass Phrase
- Save the changes and export the IdP metadata to an XML file by clicking the "Publish Meta Data" button ( say idp_metadata.xml ). We need to copy this file to the destination domain later.
Destination Site Configuration :
Now we need to generate the SAML destination site ( SP ) metadata.
- Click on "myrealm" –> "Providers" –> "Authentication" –> new "SAML2IdentityAsserter", say "SAML2_IdentityAsserter" :
Click on "Servers" –> Admin Server –> "Federation Services" –> "SAML 2.0 Service Provider" and make the following changes :
- Enabled : check
- Always Sign Authentication Requests : check
- Force Authentication : check
- Preferred Binding : POST
- Default URL : http://<DestinationSiteDNSName>:<PORT>/samldest01App
- Now click on "Servers" –> Admin Server –> "Federation Services" –> "SAML 2.0 General" and make the following changes :
- Replicated Cache Enabled : Uncheck
- Contact Person Given Name
- Contact Person Surname
- Contact Person Type
- Contact Person Company
- Contact Person Telephone Number
- Contact Person Email Address
- Organization Name
- Organization URL
- Published Site URL : http://<DestinationSiteDNSName>:<PORT>/saml2
- Entity ID : ( Destination Domain name )
- Single Sign-on Signing Key Alias
- Single Sign-on Signing Key Pass Phrase
- Confirm Single Sign-on Signing Key Pass Phrase
- Save the changes and export the SP ( service provider ) metadata to an XML file by clicking the "Publish Meta Data" button ( say SP_metadata.xml ). We need to copy this file to the source domain later.
- Copy the service provider metadata ( SP_metadata.xml ) to the source domain and the identity provider metadata ( idp_metadata.xml ) to the destination domain, as shown below :
- Now configure the Service Provider metadata on the SAML Identity Provider in the source site :
- Log in to the source site Admin Console and click on "Security Realms" –> "myrealm" –> "Providers" –> "Credential Mapping" –> "SAML2_CredentialMapper" –> "Management" –> "New" –> "New Web Single Sign-On Service Provider Partner" :
- Name this "New Web Single Sign-On Service Provider Partner" "SAML_SSO_SP01" and select the SP_metadata.xml file.
- Click on the newly created "SAML_SSO_SP01" and enter the following :
- Name : SAML_SSO_SP01
- Enabled : check
- Description : SAML_SSO_SP01
- Key Info Included : check
Click on Site Info and verify the data :
- Now configure the Identity Provider metadata on the SAML Service Provider in the destination site :
Log in to the destination site Admin Console :
Click on "Security Realms" –> "myrealm" –> "Providers" –> "Authentication" –> SAML2_IdentityAsserter –> "Management" –> "New" –> "New Web Single Sign-On Identity Provider Partner", say "SAML_SSO_IDP01", and then select "idp_metadata.xml" :
- Click on "SAML_SSO_IDP01" and enter the following :
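Before deploying the applications it is worth checking that the two exported files actually agree with each other, since the signed-request flags set on the two sides above ("Only Accept Signed Authentication Request" on the IdP, "Always Sign Authentication Requests" on the SP) are the usual mismatch. The script below is an added example, not code from this post or from WebLogic; it parses idp_metadata.xml and SP_metadata.xml with Python's standard library and reports inconsistencies. The metadata strings inside it are constructed for the example, and the hostnames, ports, endpoint paths and certificate contents are placeholders.

```python
"""Consistency check for an exported SAML 2.0 IdP/SP metadata pair.

Added example, not code from the original post or from WebLogic. It checks:
  - IdP WantAuthnRequestsSigned  vs.  SP AuthnRequestsSigned
  - that each side publishes an X509 signing certificate
  - that both sides publish an HTTP-POST endpoint (the preferred binding above)
  - that every published endpoint is https (the post's http URLs get flagged)
All sample metadata below is constructed; hosts, ports and certs are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what the source site (IdP) would publish.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="saml_2_source_post">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder-cert...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sourcesite.com:7002/saml2/idp/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of what the destination site (SP) would publish.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="saml_2_destination_post">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder-cert...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://destinationsite.com:7004/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP export where signing was left unchecked and the site URL is http.
BAD_SP_METADATA = SP_METADATA.replace('AuthnRequestsSigned="true"', 'AuthnRequestsSigned="false"') \
                             .replace("https://destinationsite.com:7004", "http://destinationsite.com:7003")


def entity_id(metadata_xml):
    """The entityID the partner will be known by (the post sets it to the domain name)."""
    return ET.fromstring(metadata_xml).get("entityID")


def _signing_cert(role):
    """First X509 certificate in any KeyDescriptor of a role descriptor, or None."""
    cert = role.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return cert.text.strip() if cert is not None and cert.text else None


def _endpoints(role, tag):
    """Map Binding -> Location for every <md:tag> element of a role descriptor."""
    return {e.get("Binding"): e.get("Location", "") for e in role.findall("md:" + tag, NS)}


def check_metadata_pair(idp_xml, sp_xml):
    """Return a list of problems found in the pair; an empty list means it is consistent."""
    idp = ET.fromstring(idp_xml).find("md:IDPSSODescriptor", NS)
    sp = ET.fromstring(sp_xml).find("md:SPSSODescriptor", NS)
    if idp is None:
        return ["IdP file has no IDPSSODescriptor: was it published from the source domain?"]
    if sp is None:
        return ["SP file has no SPSSODescriptor: was it published from the destination domain?"]
    problems = []
    idp_wants_signed = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    sp_signs = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    if idp_wants_signed and not sp_signs:
        problems.append("IdP only accepts signed AuthnRequests but the SP does not sign them")
    if sp_signs and _signing_cert(sp) is None:
        problems.append("SP signs AuthnRequests but publishes no certificate to verify them with")
    if _signing_cert(idp) is None:
        problems.append("IdP publishes no signing certificate, so the SP cannot verify assertions")
    sso = _endpoints(idp, "SingleSignOnService")
    acs = _endpoints(sp, "AssertionConsumerService")
    if POST_BINDING not in sso:
        problems.append("IdP publishes no HTTP-POST SingleSignOnService endpoint")
    if POST_BINDING not in acs:
        problems.append("SP publishes no HTTP-POST AssertionConsumerService endpoint")
    for side, endpoints in (("IdP", sso), ("SP", acs)):
        for location in endpoints.values():
            if not location.startswith("https://"):
                problems.append(side + " endpoint is not https: " + location)
    return problems


if __name__ == "__main__":
    for label, sp_xml in (("good pair", SP_METADATA), ("bad pair", BAD_SP_METADATA)):
        found = check_metadata_pair(IDP_METADATA, sp_xml)
        print(label, entity_id(IDP_METADATA), "->", entity_id(sp_xml), found or "OK")
```

Run it against the real files by reading them in place of the constructed strings; a non-empty result for the pair you are about to import is the cheapest place to catch the "SAML object is not signed" class of failure that shows up in the destination log later.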
- Deploy the source and destination applications.
- Ufff..!! The configuration is now complete.
Test your SAML SSO now.
I am trying to configure SAML in Weblogic but not using PointBase. I want to use embedded LDAP (part of WLS). You can find more details on http://forums.oracle.com/forums/click.jspa?searchID=-1&messageID=9246542
Can you please help me with the issue?
Thanks
Raza
Comment by Raza — February 20, 2011 @ 6:01 pm
Hi, I’m also trying to configure SAML in Weblogic and want to use LDAP. Can you please tell me how to configure that?
Comment by ujjwal — December 17, 2012 @ 9:16 pm
We have to use an RDBMS store, as there are issues seen while configuring SAML2 with embedded LDAP.
There is a documentation bug opened with Oracle, because the doc says ” RDBMS is suggested but not required ” — But this is incorrect.
Comment by streethawkz — December 17, 2012 @ 9:29 pm
can u provide the source and destination applications
Comment by George — March 10, 2011 @ 6:43 pm
Sure I can. Please let me know the email id to send the applications.
Thanks
Raza
Comment by Raza — March 11, 2011 @ 1:16 pm
Is database really required for SAML ?? I am planning to use EmbeddedLDAP of Weblogic for storing Credentials. Is that not fine?
Comment by Raza — March 15, 2011 @ 4:59 pm
My Email Id is arumugam_j2005@yahoo.co.in.
Please fwd ur applications to this ID
Comment by George — March 18, 2011 @ 3:49 pm
Thanks for sharing this tutorial!
Can you please send also to me, david.portabella@gmail.com, the source and destination applications?
Just a minor typo in the tutorial:
We need to restart the server after adding/configuring myrealm –> Providers –> Credential Mapping -> SAML2CredentialMapper,
and before configuring the Servers –> Admin Server –> Federation Services->SAML 2.0 Identity Provider.
You mention to “Replicated Cache Enabled – Uncheck”,
but the screenshot shows it “checked”.
On: ‘Click on ” Security Realms ” –> ” myrealm ” –> ” Providers ” –> ” Credential Mapper ” –> SAML2_IdentityAsserter …’
should be “Authentication” instead of “Providers”.
Best regards,
David
Comment by David Portabella — June 9, 2011 @ 9:46 pm
Hi Raza,
Thank you for the tutorial. Can you please forward the source and destination applications for me too, my email salam_k@rediffmail.com
Thank you.
Comment by Abdul Salam — February 6, 2012 @ 12:37 pm
I tried to do SAML SSO; on the destination site I’m getting an exception: the saml object not signed. What might be the issue for this exception?
Comment by Raj — June 29, 2012 @ 5:02 am
If you are getting an error like :
” <exception info
org.opensaml.xml.validation.ValidationException: the SAML object is not signed.
at com.bea.security.saml2.util.SAML2Utils.verifySamlObjectSignature(SAML2Utils.java:226)
at com.bea.security.saml2.util.SAML2Utils.verifySamlObjectSignature(SAML2Utils.java:210) "
and you are using :
- SAML2.0 service provider (SP) : WebLogic Server 10.3.3
- SAML2.0 Identity provider (IdP): Tivoli
Then this might be a BUG 9913283
Comment by streethawkz — June 29, 2012 @ 8:04 am
I’m trying to use SAML to connect to a .NET application. How do I do destination configuration there? Also both applications share the same Active Directory LDAP.
-Sheelu
Comment by sheelu — March 25, 2011 @ 3:03 am
Hi
I think I did all fine. I have an application deployed on SP, as http://url:port/sample/hello.jsp
I’ve added on the SP in the security realm under ‘redirect uri’s’ “/sample/hello.jsp”. Unfortunately I still can browse this site, without being asked for authentication.
Any tip how I can debug such failure? Do I need to configure something extra?
Cheers for all your effort to document this.
Regards
Peter Daalder
Comment by Peter Daalder — April 8, 2011 @ 2:21 am
Hi David,
I ll mail you the app.
– Puneeth
Comment by streethawkz — June 21, 2011 @ 7:49 pm
I am trying to implement the SP-initiated use case. For this what I have is:
Identity Provider: a Federation Service (Active Directory). For me is a “black box”. The only thing that I am suppose to provide to this service is the name, url and home page of my application. Also I have to provide an XML with the metadata of my Service Provider.
Service Provider: Weblogic Server (10.3.4). Here I have configured a security realm, creating a Authentication Provider and a Credential Mapper Provider. Also I have configured the selected server (AdminServer) for working with the Service Provider role.
It is supposed that everything would be running ok, but I am at the same point as Barry (or at least that is what I think…). When I request a “registered resource” (one of the apps that I have registered in our Federated Service system) the IDP doesn’t answer me with the login form.
However with my Shibboleth set-up is working…
Any ideas?
I have been following these articles: http://biemond.blogspot.com/2009/09/sso-with-weblogic-1031-and-saml2.html, http://blogbypuneeth.wordpress.com/2011/01/15/steps-to-configure-saml-2-on-weblogic-server-10-3-0/ They are not the same use-case, but they have helped…
Thanks in advance,
Luis
By the way these are the actions I have done:
Domain: mydomain
Set up SAML2 debug options: EXTRA_JAVA_PROPERTIES=”${EXTRA_JAVA_PROPERTIES} -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true”
Configure SSL Weblogic Server (AdminServer). Default port 7002
Deploy app: myHost_domain_com_sample_weblogic_app_2
Note: in the domain SSO System the registered home page of this app is myHost.domain.com:7002/myHost_domain_com_sample_weblogic_app_2/
Test myHost.domain.com:7002/myHost_domain_com_sample_weblogic_app_2/
Test …/myHost_domain_com_sample_weblogic_app_2/default.jsp
Configure Security Realm: myrealm (default)
Create a new Authentication Provider: domain SAML2 AUTH PROVIDER; saml2identityasserter
In theory not necessary: reorder (Default Authentication JAAS flag is REQUIRED)
Restart
Create a “New Web Single Sign On Identity Provider Partner” on domain SAML2 AUTH PROVIDER:
domain SSO Identity Provider Partner
/home/luis/Documents/domain_AUTH/FederationMetadata.xml File Descriptor of our Identity Provider. We have removed the element (we have to take a deeper look at the OASIS SAML2 SPEC) At this point we should have got this message in the admin console: Partner created successfully. The partner has been disabled by default. You will need to complete its configuration manually then enable it.
Create a new Credential Mapping provider: SAML2_CMP; SAML2CredentialMapper
Reorder (not strictly necessary)
Restart
SAML2_CMP provider specific:
Issuer URI: myHost.domain.com
Name Qualifier: myHost.domain.com
Web Service Assertion Signing Key Alias: DemoIdentity
… Key Pass Phrase: DemoIdentityKeyStorePassPhrase
Generated Attributes
Restart
Create a New Web Single Sign On Provider Partner: domain SAML2 SERVICE PROVIDER PARTNER
Import /home/luis/Documents/domain_AUTH/FederationMetadata.xml At this point we should have got this message in the admin console: Partner created successfully. The partner has been disabled by default. You will need to complete its configuration manually then enable it.
Configure: Enabled, description, generate attributes
Set settings for domain SAML2 AUTH PROVIDER:
Enabled
Redirect URI’S: /myHost_domain_com_sample_weblogic_app_2/default.jsp
Configure the Server: AdminServer
SAML2 General:
Published Site URL: localhost:7001/saml2
Entity ID: myHost.domain.com
SAML2 Service provider: enabled
Now if I make a request to the Redirect URI nothing happens, I mean, I am able to access the protected resource without being authenticated.
However, if I include the URI of the Weblogic console, “/console/index.jsp”, when I request this resource the Service Provider invokes the Identity Provider and I am asked for authentication (through login form).
Any ideas?
Thanks in advance,
Luis
Comment by Luis — June 24, 2011 @ 7:58 pm
Now, it seems that we have got the right configuration: we are able to sign in to our SSO System but we get an error from our IdP. You need to set up the security in your app through your descriptors (web.xml and weblogic.xml). Take a look at the configuration of your weblogic app console: $WEBLOGIC_HOME/wlserver/server/lib/consoleapp/webapp/WEB-INF/web.xml and $WEBLOGIC_HOME/wlserver/server/lib/consoleapp/webapp/WEB-INF/weblogic.xml
Comment by Luis — June 28, 2011 @ 8:43 pm
I would love to see the sample apps too. Please email them to dbarstad @ hotmail.com .
Thanks!
Comment by dbarstad — July 1, 2011 @ 10:23 pm
Hi,
The sample apps could be any webapp. You only need to configure a (or a few, as you want) security constraints in your web.xml and map the role, or roles, in your weblogic.xml, i.e.:
web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>sample_weblogic_app</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>FederatedUsers</role-name></auth-constraint>
</security-constraint>
<security-role><role-name>FederatedUsers</role-name></security-role>
weblogic.xml:
<security-role-assignment>
  <role-name>FederatedUsers</role-name>
  <principal-name>myuser@mydomain.com</principal-name>
</security-role-assignment>
and you need a “myuser@mydomain.com” in your IdP datasource (LDAP Database, RDMS…)
Regards,
Luis
Comment by Luis — July 8, 2011 @ 6:58 pm
Better than the weblogic documentation!. Good post.
Comment by Java Coder — July 11, 2011 @ 2:55 am
This is a very good post, thanks a lot. It helped me get started. My requirement is different: we are service providers and we have to integrate saml2 in weblogic. I tried with a sample app and it worked, but ours is a very old application and it does not use jaas or server based authentication; it authenticates by using a servlet which uses a database procedure. Please advise me: can I configure saml2 on the service provider or destination side to use custom authentication?
Comment by fachhoch — July 20, 2011 @ 4:00 am
Hi,
I think you have to configure a Weblogic Server for working as an IdP, being the datasource of this IdP your “servlet which uses a database procedure”. I have to confess that I have not done anything like this, but I am afraid that maybe you are going to need to do a little bit of coding work…
In Source Forge I have found a project that implements a SP and an IdP, using spring-security under the hood. Maybe this implementation could provide you a clue: http://sourceforge.net/projects/spring-saml/files/0.1/ Perhaps you could use this IdP setting up your servlet as a datasource.
Best regards,
Luis
Comment by gauchoproluanco — July 21, 2011 @ 1:25 pm
Hi
Would you please share the source and the destination files. My email id is kumaras@gmail.com
Thanks & Regards
Kumar A S
Comment by Kumar Subramonian — September 13, 2011 @ 3:10 pm
Hi Kumar,
I have uploaded the application to the following URL :
http://blogbypuneeth.files.wordpress.com/2011/09/saml-apps.doc
Note : change the extension of the file to .zip after downloading it.
– Puneeth
Comment by streethawkz — September 13, 2011 @ 10:53 pm
Hi ,
I am using weblogic as an Identity Provider and Oracle Identity federation (OIF) as a service Provider. The federation will be IDP(weblogic) initiated.
I have configured both sides. I have configured both the sides as per your blog (weblogic and OIF) , published metadata and exchanged.
Now the problem we are facing is that we don’t know whether any web application needs to be deployed in weblogic or whether there is any out of box feature in weblogic which we can use in order to get SAML working.
Is there any out of box feature of weblogic by which we can use SAML after configuration only or we need to write a separate java code in order to create login page and using the entire configuration which I made in weblogic.
As my requirement is a bit different from the solution in your blog. I am using OIF as service provider and in your blog weblogic is being used on both the places. I used source site configuration part form the blog (cause I am also using weblogic as an IDP). I configured OIF on my own. Exchanged metadata of OIF and weblogic.
IF I had used OIF at both sides in that case my job would be pretty easy (cause OIF is specifically made for this purpose. But our requirement is different as I have to use weblogic as an IDP).
In your blog you haven’t written about any web application which needs to be deployed on the weblogic side.
What URL I need to hit for SAML if there is out of box feature in weblogic for using SAML(after configuring everything in weblogic).
It’s been so long I am doing this task but I am not able to achieve it. Therefore any help regarding this task will be highly appreciated
Thanks.
Comment by piyush — January 3, 2012 @ 2:47 pm
I tried a SAML2 tutorial based on an earlier post (and verified it against this one), where I set up two WL 10.3.5 domains (for Idp, Sp) and deployed the two applications (Idp-appA, Sp-appB). For some reason I can’t go from Idp -> Sp or the other way either.
The only error I see in the Idp’s log is “Security:096565]Artifact requester authentication failed”
Any help is appreciated.
Comment by Pradeep Balachandran — February 16, 2012 @ 6:36 am
When I click on the link in the Idp-appA that directs to Sp-appB, I see the following URL with a 403
http://sp.hostname:port/saml2/sp/acs/artifact?SAMLart=AAQAAFhcYe834w0tS5Q1VEYsKSg09V0cd1MfaDvUEN%2F%2B93C9OjNNbEYIgG8%3D
Not sure what to make of it.
Thank you.
Comment by Pradeep Balachandran — February 16, 2012 @ 6:47 am
Hi there,
Anybody know if it is possible to do the “Publish Meta Data” through a WLST script?
I would like to use a different key for the SP metadata XML than the Managed Sever one, so am I wondering if it would be possible to develop an WLST script where I could specify the key.
Thanks in advance,
Luis
Comment by gauchoproluanco — February 16, 2012 @ 2:03 pm
I was able to get the sample App A & B setup working for SAML2.
Comment by Pradeep Balachandran — February 17, 2012 @ 1:22 am
could you send the sample apps to tonyfresh024@hotmail.com. thanks a lot
Comment by Tony F — July 1, 2012 @ 3:03 am
BTW, can some one post the web.xml and weblogic.xmls? I’d like to see how the security constraints are set up.
Comment by Tony F — July 1, 2012 @ 3:04 am
Could I likewise get the source and destination applications please? dgrstlwow AT gmail DOT com
Comment by David — July 18, 2012 @ 6:28 am
Hello! Thanks for a good post.
Having trouble generating the Assertion though, can anybody help out?
####
#### <SAML2CreateAssertion: SAML name mapper returned no mapping for: Subject: 1
Principal = class weblogic.security.principal.WLSKernelIdentity("”)>
#### <Unable to generate SAML Assertion: No name mapping for 'Subject: 1
Principal = class weblogic.security.principal.WLSKernelIdentity("”)’>
####
#### <> <[Security:096578]Can't generated assertion for the user.
All help appreciated!
Comment by Erik Andersson — August 7, 2012 @ 12:57 pm
ooopps, got filtered out in my prev post.
Principal = class weblogic.security.principal.WLSKernelIdentity(WLS Kernal)>
Comment by Erik Andersson — August 7, 2012 @ 1:17 pm
We don’t have SSO requirement and I am not sure if I need to configure RDBMS Security store. Can you throw some light?
Thanks,
Charmi
Comment by Charmi — September 13, 2012 @ 12:05 am
No, it’s not a must to create an RDBMS store…
– puneeth
Comment by streethawkz — September 13, 2012 @ 5:39 am
Hi,
I have uploaded the application to the following URL :
http://blogbypuneeth.files.wordpress.com/2011/09/saml-apps.doc
Note : change the extension of the file to .zip after downloading it.
– Puneeth
Comment by streethawkz — September 13, 2012 @ 9:04 am
Correction in above doc :
Login to Destination Site Admin Console :
Click on ” Security Realms ” –> ” myrealm ” –> ” Providers ” –> SAML2_IdentityAsserter –> ” Management ” –> ” New ” –> “ New Web Single Sign-On Identity Provider Partner ” say ” SAML_SSO_IDP01 ” and then select ” idp_metadata.xml ” :
Comment by streethawkz — January 30, 2013 @ 8:33 pm