It's all about Weblogic..!!!

January 14, 2011

Steps to configure SAML 1.1 on Weblogic 9.2.x or 10.0.x

Filed under: Security — streethawkz @ 11:11 pm

Below are the steps to configure SAML 1.1 on WebLogic 9.2.4.

In the example below, I have set up two domains, namely:

1. Source domain –> saml_1.1_source_post

2. Destination domain –> saml_1.1_destination_post

Then set up SSL (Custom Identity and Custom Trust) on both domains for the Admin Server, as shown in the link below:

Link :

On Source Domain the Admin Server is running on port 7001 ( http ) and 7002 ( https ).

On Destination Domain the Admin Server is running on port 7003 ( http ) and 7004 ( https ).

SAML Source Site configuration:

• Log in to the Admin Console –> "Security Realms" –> "myrealm" –> "Providers" –> "Credential Mapping" –> add a new "SAMLCredentialMapperV2" (say "SAML_CredentialMapper"), as shown in the figure below:

• Now select "SAML_CredentialMapper", click the "Provider Specific" tab and enter the following (as shown in the figure below):

    Signing Key Alias : cooldragon

    Name Qualifier : saml_source

    Signing Key Pass Phrase : ********

    Confirm Signing Key Pass : ********

    Issuer URI : http://www.oracle.com/saml

    * Restart the server now

• Click on "Security Realms" –> "myrealm" –> "Providers" –> "Credential Mapping" –> "SAML_CredentialMapper" –> "Management" –> create a new "Relying Party" (say "rp_00001") and select the profile "Browser/Post".

• Now click on "rp_00001" and enter the following:

    Enabled : check

    Target URL : https://localhost:7004/samldest01App/restricted01/samldest01services.jsp (destination site URL for which authentication is required)

    Assertion Consumer URL : https://localhost:7004/samlacs/acs (URL at which the assertion consumer service (ACS) for this SAML relying party can be reached)

    Assertion Consumer Parameter : APID=ap_00001 (optional query parameters that will be added to the ACS URL when redirecting to the destination URL)

    Sign Assertions : check

    Include KeyInfo : check
    Include Groups Attribute : check

• Click on "Security Realms" –> "myrealm" –> "Providers" –> "Credential Mapping" –> "SAML_CredentialMapper" –> "Management" –> "Certificates" and add the following:

    Alias : cooldragon
    Certificate File Name : root.cer

• Now click on "Servers" –> "AdminServer" –> "Federation Services" –> "SAML 1.1 Source Site" and enter the following:

    Source Site Enabled : check

    Source Site URL : https://localhost:7002/samlsourceApp (URL for the source site)

    Signing Key Alias : cooldragon

    Signing Key Passphrase : *******

    Intersite Transfer URIs : /samlits_cc/its (do not change anything here; leave it at the default)

    ITS Requires SSL : check

    Assertion Retrieval URIs : /samlars/ars (URIs on which to listen for incoming assertion retrieval requests)
    ARS Requires SSL : check

    * Restart the server now

SAML Destination Site configuration:
• Log in to the Admin Console on the destination domain and click on "Security Realms" –> "myrealm" –> "Providers" –> "Authentication" –> create a new "Authentication Provider" (say "SAML_IdentityAsserter") of type "SAMLIdentityAsserterV2".

    * Restart your server

• Click on "Security Realms" –> "myrealm" –> "Providers" –> "Authentication" –> "SAML_IdentityAsserter" –> "Management" –> "Certificates" and add the following:

    Alias : cooldragon

    Certificate File Name : root.cer

• Click on "Security Realms" –> "myrealm" –> "Providers" –> "Authentication" –> "SAML_IdentityAsserter" –> "Management" –> "Asserting Parties" –> create a new SAML Asserting Party (say "ap_00001") of type "Browser/Post".

• Now click on "ap_00001" and fill in the following:

    Enabled : check

    Target URL : https://localhost:7002/samlsourceApp (URL of this SAML asserting party)

    POST Signing Certificate Alias : cooldragon

    Source Site Redirect URIs : /samldest01App/restricted01/samldest01services.jsp (optional set of URIs from which unauthenticated users will be redirected to the configured ITS URL; if this is set, the Source Site ITS URL must also be set)

    Source Site ITS URL : https://localhost:7002/samlits_ba/its (ITS URL of the SAML source site for this asserting party)

    Source Site ITS Parameters : RPID=rp_00001 (optional query parameter that will be added to the ITS URL when redirecting to the source site)

    Issuer URI : http://www.oracle.com/saml (Issuer URI of the SAML authority issuing assertions for this SAML asserting party)

    Signature Required : check

    Assertion Signing Certificate Alias : cooldragon
    Process Groups Attribute : check

• Now click on "Servers" –> "AdminServer" –> "Federation Services" –> "SAML 1.1 Destination Site" and enter the following:

    Destination Site Enabled : check

    Assertion Consumer URIs : /samlacs/acs

    ACS Requires SSL : check

    SSL Client Identity Alias : cooldragon

    SSL Client Identity Pass Phrase : ********

    POST Recipient Check Enabled : check

    POST One Use Check Enabled : check
    Used Assertion Cache Properties : APID=ap_00001

Your SAML 1.1 setup is now configured 🙂 Deploy the source and destination applications and verify that SSO is working.
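What the destination-side switches above actually buy you ("Signature Required", the Issuer URI match, "POST Recipient Check Enabled" and "POST One Use Check Enabled" backed by the used-assertion cache) is easiest to see in a small model. The following is an added example, not code from this post or from WebLogic: the real server verifies an XML-DSig signature against the certificate registered under the alias, whereas here an HMAC keyed by alias stands in for that signature, and the assertions, timestamps and key are constructed for the demo.

```python
"""Model of the checks a SAML 1.1 destination site applies to a POSTed
assertion. Added illustration only: an HMAC keyed by certificate alias stands
in for the XML signature WebLogic verifies, and all values are constructed."""
import hashlib
import hmac

# ACS URL of the destination site from the post (ACS Requires SSL: https).
ACS_URL = "https://localhost:7004/samlacs/acs"

# Constructed asserting-party record mirroring ap_00001 from the post.
ASSERTING_PARTY = {
    "name": "ap_00001",
    "issuer_uri": "http://www.oracle.com/saml",
    "signature_required": True,
    "signing_cert_alias": "cooldragon",
}

# Stand-in for the certificate registry: alias -> demo secret (constructed).
KEYS = {"cooldragon": b"constructed-demo-key-not-a-real-cert"}


def sign(assertion, alias):
    """HMAC over the canonicalised fields; stands in for the XML signature."""
    canon = "|".join(f"{k}={assertion[k]}" for k in sorted(assertion))
    return hmac.new(KEYS[alias], canon.encode(), hashlib.sha256).hexdigest()


class DestinationSite:
    def __init__(self, party, recipient_check=True, one_use_check=True):
        self.party = party
        self.recipient_check = recipient_check
        self.one_use_check = one_use_check
        self.used = {}  # assertion id -> NotOnOrAfter: the used-assertion cache

    def consume(self, assertion, signature, apid, now):
        """Return 'accept: <subject>' or 'reject: <reason>' for one POST."""
        if apid != self.party["name"]:
            return "reject: unknown asserting party"
        if assertion["issuer"] != self.party["issuer_uri"]:
            return "reject: issuer mismatch"
        if self.party["signature_required"]:
            if signature is None:
                return "reject: signature required"
            expected = sign(assertion, self.party["signing_cert_alias"])
            if not hmac.compare_digest(expected, signature):
                return "reject: bad signature"
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            return "reject: outside validity window"
        if self.recipient_check and assertion["recipient"] != ACS_URL:
            return "reject: recipient mismatch"
        if self.one_use_check:
            # Expired entries can be dropped: a replay fails the window check anyway.
            self.used = {i: t for i, t in self.used.items() if t > now}
            if assertion["id"] in self.used:
                return "reject: assertion already used"
            self.used[assertion["id"]] = assertion["not_on_or_after"]
        return "accept: " + assertion["subject"]


def demo():
    """Constructed assertions exercising each check; returns the outcomes."""
    site = DestinationSite(ASSERTING_PARTY)
    base = {"id": "_a1", "issuer": ASSERTING_PARTY["issuer_uri"], "subject": "alice",
            "recipient": ACS_URL, "not_before": 990.0, "not_on_or_after": 1300.0}
    results = []
    sig = sign(base, "cooldragon")
    results.append(site.consume(base, sig, "ap_00001", now=1000.0))
    results.append(site.consume(base, sig, "ap_00001", now=1001.0))  # same id again
    other = dict(base, id="_a2", recipient="https://localhost:7004/otherApp/acs")
    results.append(site.consume(other, sign(other, "cooldragon"), "ap_00001", now=1002.0))
    edited = dict(base, id="_a3", subject="bob")  # signature below is still over base
    results.append(site.consume(edited, sig, "ap_00001", now=1003.0))
    unsigned = dict(base, id="_a4")
    results.append(site.consume(unsigned, None, "ap_00001", now=1004.0))
    late = dict(base, id="_a5")
    results.append(site.consume(late, sign(late, "cooldragon"), "ap_00001", now=1300.0))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the checks mirrors what the console switches control: the signature and issuer establish who made the assertion, the recipient check ties it to this ACS URL, and the one-use cache is what turns a re-POST of an otherwise valid assertion into a rejection for as long as its validity window lasts.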
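Most failed first attempts at this setup come from the two domains disagreeing with each other: the relying party's APID must name an asserting party on the destination, the asserting party's RPID must point back at the relying party, the Issuer URIs must match, and the ACS and ITS URLs must land on URIs the other side actually listens on over the scheme its "Requires SSL" switch demands. The checker below is an added example, not part of the original post or of WebLogic; the two dicts transcribe the console values from the steps above into plain data. The source's Intersite Transfer URI list is an assumption: the post shows /samlits_cc/its and says to keep the default, while the asserting party references /samlits_ba/its, so both are listed here and should be confirmed against your own Federation Services page.

```python
"""Cross-domain consistency check for the SAML 1.1 Browser/POST pairing.
Added example only; values are transcribed from the post, not read from a
server, and the ITS URI list is an assumption (see comment)."""
import copy
from urllib.parse import parse_qs, urlsplit

SOURCE = {
    "issuer_uri": "http://www.oracle.com/saml",
    "signing_key_alias": "cooldragon",
    "source_site_url": "https://localhost:7002/samlsourceApp",
    # Assumption: the post shows /samlits_cc/its and says to leave the default
    # list; /samlits_ba/its is included because the destination references it.
    "its_uris": ["/samlits_ba/its", "/samlits_cc/its"],
    "its_requires_ssl": True,
    "relying_parties": {
        "rp_00001": {
            "target_url": "https://localhost:7004/samldest01App/restricted01/samldest01services.jsp",
            "acs_url": "https://localhost:7004/samlacs/acs",
            "acs_params": "APID=ap_00001",
            "sign_assertions": True,
        }
    },
}

DEST = {
    "acs_uris": ["/samlacs/acs"],
    "acs_requires_ssl": True,
    "certificates": ["cooldragon"],  # aliases registered under Management -> Certificates
    "asserting_parties": {
        "ap_00001": {
            "target_url": "https://localhost:7002/samlsourceApp",
            "post_signing_cert_alias": "cooldragon",
            "redirect_uris": ["/samldest01App/restricted01/samldest01services.jsp"],
            "its_url": "https://localhost:7002/samlits_ba/its",
            "its_params": "RPID=rp_00001",
            "issuer_uri": "http://www.oracle.com/saml",
            "signature_required": True,
        }
    },
}


def _param(query, key):
    """First value of a query-string parameter, or None if absent."""
    return parse_qs(query).get(key, [None])[0]


def check_pairing(source, dest):
    """Return a list of mismatches between a source and a destination domain."""
    findings = []
    for rp_name, rp in source["relying_parties"].items():
        apid = _param(rp["acs_params"], "APID")
        ap = dest["asserting_parties"].get(apid)
        if ap is None:
            findings.append(f"{rp_name}: APID {apid!r} is not an asserting party on the destination")
            continue
        if _param(ap["its_params"], "RPID") != rp_name:
            findings.append(f"{apid}: RPID parameter does not point back to {rp_name}")
        acs = urlsplit(rp["acs_url"])
        if acs.path not in dest["acs_uris"]:
            findings.append(f"{rp_name}: ACS path {acs.path} is not a destination Assertion Consumer URI")
        if dest["acs_requires_ssl"] and acs.scheme != "https":
            findings.append(f"{rp_name}: ACS Requires SSL is set but the ACS URL is not https")
        its = urlsplit(ap["its_url"])
        if its.path not in source["its_uris"]:
            findings.append(f"{apid}: ITS path {its.path} is not a source Intersite Transfer URI")
        if source["its_requires_ssl"] and its.scheme != "https":
            findings.append(f"{apid}: ITS Requires SSL is set but the ITS URL is not https")
        if ap["issuer_uri"] != source["issuer_uri"]:
            findings.append(f"{apid}: Issuer URI differs from the credential mapper's Issuer URI")
        if ap["signature_required"] and not rp["sign_assertions"]:
            findings.append(f"{rp_name}: destination requires signatures but Sign Assertions is off")
        if ap["post_signing_cert_alias"] not in dest["certificates"]:
            findings.append(f"{apid}: no certificate registered under alias {ap['post_signing_cert_alias']!r}")
        if urlsplit(rp["target_url"]).path not in ap["redirect_uris"]:
            findings.append(f"{rp_name}: Target URL path is not in the asserting party's Source Site Redirect URIs")
        if ap["target_url"] != source["source_site_url"]:
            findings.append(f"{apid}: Target URL does not match the source's Source Site URL")
    return findings


def broken_example():
    """Same pairing with the APID parameter pointing at a non-existent party."""
    src = copy.deepcopy(SOURCE)
    src["relying_parties"]["rp_00001"]["acs_params"] = "APID=ap_00002"
    return check_pairing(src, DEST)


if __name__ == "__main__":
    print(check_pairing(SOURCE, DEST) or "pairing is consistent")
    print(broken_example())
```

Run it with the values of both Admin Consoles transcribed into the two dicts; an empty list means the two domains agree on every cross-reference the post sets up, and each finding names the field on the side that needs changing.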


5 Comments

1. Is it possible to set up single sign-on with SAML for applications running on the same WebLogic domain? I have deployed both of my applications on a single WebLogic domain. Then I configured the same domain as source and destination as explained here. I was not able to make single sign-on work. It looks like ITS is going into an infinite loop. Any ideas on how to do this?

                Comment by Rama — January 22, 2012 @ 11:25 am

2. Hi. Followed the steps, but it doesn't seem to work. Any idea what's wrong in the logs below?

                SOURCE
                ======

                TARGET
                ======

                Comment by user2012 — January 30, 2012 @ 1:44 pm

                • SOURCE
                  ======

                  TARGET
                  ======

                  Comment by user2012 — January 30, 2012 @ 1:46 pm

3. For the newest news you have to pay a visit to the web, and on the web I found this website as the finest website for the latest updates.

                Comment by cod black ops 2 — October 20, 2012 @ 7:53 pm

4. Hi to all, how is everyone? I think everyone is getting more from this website, and your views are pleasant for new viewers.

                Comment by ES360 — May 15, 2013 @ 6:41 am

