{"id":4179,"date":"2012-01-25T00:48:59","date_gmt":"2012-01-25T05:48:59","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=4179"},"modified":"2012-07-19T14:04:17","modified_gmt":"2012-07-19T19:04:17","slug":"weblogic11g-saml1-1","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=4179","title":{"rendered":"WebLogic11g: Single Sign On with SAML1.1"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tSetup a New Security Realm<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tAdd and Configure a New Security Realm<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tChange Default Realm<\/a>\n\t\t\t<\/li>\n\t\t\t
    3. \n\t\t\t\tSetup SSL<\/a>\n\t\t\t<\/li>\n\t\t\t
    4. \n\t\t\t\tAdd New User<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
    5. \n\t\tConfigure Source Site<\/a>\n\t\t
        \n\t\t\t
      1. \n\t\t\t\tSetup SAMLCredentialMapperV2<\/a>\n\t\t\t<\/li>\n\t\t\t
      2. \n\t\t\t\tSetup Relying Parties<\/a>\n\t\t\t<\/li>\n\t\t\t
      3. \n\t\t\t\tConfigure SAML 1.1 Source Side Federation Services<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
      4. \n\t\tConfigure Destination Site<\/a>\n\t\t
          \n\t\t\t
        1. \n\t\t\t\tImport Source Site Certificate<\/a>\n\t\t\t<\/li>\n\t\t\t
        2. \n\t\t\t\tConfigure Asserting Party Properties<\/a>\n\t\t\t<\/li>\n\t\t\t
        3. \n\t\t\t\tConfigure SAML 1.1 Destination Side Federation Services<\/a>\n\t\t\t\t
            \n\t\t\t\t\t
          1. \n\t\t\t\t\t\tAdd a New SAML Identity Assertion Provider<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
          2. \n\t\t\t\tEnable Virtual Users<\/a>\n\t\t\t\t
              \n\t\t\t\t\t
            1. \n\t\t\t\t\t\tEnable Allow Virtual Users<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n<\/ol>\n\t\t\t
            2. \n\t\t\t\tEnable Group Attributes<\/a>\n\t\t\t<\/li>\n\t\t\t
            3. \n\t\t\t\tTest<\/a>\n\t\t\t\t
                \n\t\t\t\t\t
              1. \n\t\t\t\t\t\tTurn on Debugging<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
              2. \n\t\t\t\t\t\tTest SSO<\/a>\n\t\t\t\t\t\t
                  \n\t\t\t\t\t\t\t
                1. \n\t\t\t\t\t\t\t\tAccess appA First<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
                2. \n\t\t\t\t\t\t\t\tAccess appB First<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ol>\n<\/ol>\n\t\t\t\t\t
                3. \n\t\t\t\t\t\tIssues<\/a>\n\t\t\t\t\t\t
                    \n\t\t\t\t\t\t\t
                  1. \n\t\t\t\t\t\t\t\tLoginException while asserting identity, returning SC_FORBIDDEN<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
                  2. \n\t\t\t\t\t\t\t\tError 403--Forbidden<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ol>\n\t\t\t\t\t
                  3. \n\t\t\t\t\t\tReferences<\/a>\n\t\t\t\t\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
                     <\/div>\n

                    * This is the note I took following the steps to setup SAML1.1 SSO solution as described in the references.
                    \n* I used two Oracle virtual boxes downloaded from                     here<\/a>.
                    \n* I named one virtual box wlbox1<\/strong> and function as IdP (i.e. SAML Provider) and the other wlbox<\/strong> as SP (i.e.SAML consumer). <\/p>\n

                    Setup a New Security Realm<\/h2><\/span>\n

                    * This needs to be done on both <\/strong>SAML 1.1 source and destination sites.<\/p>\n

                    Add and Configure a New Security Realm<\/h3><\/span>\n

                    * Add a new realm: saml11realm<\/strong>
                    \n* Add a new Authentication Provider: saml11DefAuthP<\/strong>; set type to DefaultAuthenticator<\/em>.
                    \n* Add a new Authentication Provider: saml11DefIdAsserter<\/strong>; set type to DefualtIdentityAsserter<\/em>; Set its Active Types to AuthenticatedUser<\/em>
                    \n* Add a new Password Validation: saml11SysPassVal<\/strong>; set type to SystemPasswordValidator<\/em>
                    \n* Add a new XACML Authorization Provider: saml11XACMLAuthorizer<\/strong>; set type to XACMLAuthorizer<\/em>
                    \n* Add a new Adjudicator: saml11DefAdj<\/strong>; set type to DefaultAdjudicator<\/em>
                    \n* Add a new XACML Role Mapper: saml11XACMLRoleMapper<\/strong>; set type to XACMLRoleMapper<\/em>
                    \n* Add a new Auditing Provider: saml11DefAuditP<\/strong>; set type to DefualtAuditor<\/em>
                    \n* Add a new SAMLCredentialMapperV2: saml11CredMapperv2<\/strong>; set type to XAMLCredentialMapperV2<\/em>
                    \n* Add a new Certification Path: select type WebLogicCertPathProvider<\/em>; name: saml11WLCertPath<\/strong>; check <\/strong>Current Builder<\/em><\/p>\n

                    Change Default Realm<\/h3><\/span>\n

                    * Set default realm to saml11realm<\/em>: domain > Security > General > Default realm<\/em>
                    \n* Backup config.xml<\/strong> and restart<\/strong> WebLogic<\/p>\n

                    Setup SSL<\/h3><\/span>\n

                    * See this post<\/a><\/p>\n

                    Add New User<\/h3><\/span>\n

                    * Add a new user: ssouser<\/strong>\/welcome1<\/strong><\/p>\n

                    Configure Source Site<\/h2><\/span>\n

                    * The source site uses SAML Credential Mapper V2 to produce SAML assertions<\/p>\n

                    Setup SAMLCredentialMapperV2<\/h3><\/span>\n

                    * Go to domain > Security Realms > saml11realm > Providers > Credential Mapping > saml11CredMapperv2 > Configuration > Provider Specific<\/em>
                    \n* Click Lock & Edit<\/em> and enter:
                    \n– Issuer URI: http:\/\/saml11realm.com\/saml11<\/strong>
                    \n– Name Qualifier: saml11realm.com<\/strong>
                    \n– Default Time To Live: 120<\/strong>
                    \n– Default Time To Live Offset: 5<\/strong>
                    \n– Signing Key Alias: wlbox1<\/strong>
                    \n– Signing Key Pass Phrase: secret<\/strong>
                    \n* Click Save <\/em>and Activate Change<\/em><\/p>\n

                    \"\"<\/a><\/h6><\/span>\n

                    Setup Relying Parties<\/h3><\/span>\n

                    * Go to Security Realms > saml11realm > Providers > Credential Mapping > saml11CredMapperv2 >Management > Relying Parties > New<\/em>
                    \n– Profile: Browser\/POST<\/em>
                    \n– Description: demoSAML<\/strong>
                    \n* Click newly created relying party, i.e. rp_00001<\/em>, and enter:
                    \n– Enabled: true<\/strong>
                    \n– Target URL: http:\/\/wlbox:7001\/appB\/admin\/services.jsp<\/strong>
                    \n– Assertion Consumer URL: https:\/\/wlbox:7002\/samlacs\/acs<\/strong>
                    \n– Assertion Consumer Parameters: APID=ap_00001<\/strong>
                    \n– Assertion Time To Live: 120<\/strong>
                    \n– Assertion Time To Live Offset: -5<\/strong>
                    \n– Sign Assertions: checked<\/strong>
                    \n– Include Keyinfo: checked<\/strong>
                    \n* Click Save<\/em><\/p>\n

                    \"\"<\/a><\/h6><\/span>\n

                    Configure SAML 1.1 Source Side Federation Services<\/h3><\/span>\n

                    * Go to domain > Environment > Servers > examplesServer > Configuration > Federation Services > SAML 1.1 Source Site<\/em>
                    \n* Click Lock & Edit<\/em> and enter:
                    \n– Source Site Enabled: true<\/strong>
                    \n– Source Site URL: http:\/\/wlbox1:7001\/appA<\/strong>
                    \n– Signing Key Alias: wlbox1<\/strong>
                    \n– Signing Key Passphrase: secret<\/strong>
                    \n– Intersite Transfer URIs:<\/p>\n

                    \r\n\/samlits_ba\/its\r\n\/samlits_ba\/its\/post\r\n\/samlits_ba\/its\/artifact\r\n\/samlits_cc\/its\r\n\/samlits_cc\/its\/post\r\n\/samlits_cc\/its\/artifact\r\n<\/pre>\n
                    * ITS Requires SSL: checked<\/strong>
                    \n* Assertion Retrieval URIs:<\/p>\n
                    \r\n\/samlars\/ars\r\n<\/pre>\n
                    * ARS Requires SSL: checked<\/strong>
                    \n* Click Save <\/em>and Activate Changes<\/em><\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Configure Destination Site<\/h2><\/span>\n
                    * Uses SAML Identity Assertion Provider V2<\/em> to consume SAML 1.1 identity assertions to allow SAML SSO.<\/p>\n
                    Import Source Site Certificate<\/h3><\/span>\n
                    * Copy source site (wlbox1) signing certificate to destination site (wlbox)<\/p>\n
                    \r\ncd ~\/identity\r\n[oracle@wlbox identity]$ ls\r\ncacert.pem  wlbox1.pem  wlbox.keystore  wlbox.truststore\r\n<\/pre>\n
                    * Add a new SAMLIdentityAsserterV2: saml11SAMLIdA<\/strong>
                    \n* Restart <\/strong>WebLogic
                    \n* Go to domain > Security Realms > saml11realm > Providers > Authentication > saml11SAMLIdA > Management > Certificate<\/em>
                    \n* Click New <\/em>and enter
                    \n– Alias: cacert<\/strong>
                    \n– Path: \/home\/oracle\/identity\/cacert.pem<\/strong>
                    \n* Click New <\/em>and enter
                    \n– Alias: wlbox1<\/strong>
                    \n– Path: \/home\/oracle\/identity\/wlbox1.pem<\/strong>
                    \n* Click OK<\/strong><\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Configure Asserting Party Properties<\/h3><\/span>\n
                    * This registers parties whose SAML assertions will be accepted
                    \n* Go to domain > Security Realms > saml11realm > Providers > Authentication > saml11SAMLIdA > Management > Asserting Parties<\/em>
                    \n* Click New <\/strong>and enter:
                    \n– Profile: Browser\/POST<\/em>
                    \n– Description: demoSAML<\/strong>
                    \n* Click Save<\/strong>
                    \n* Click the newly created asserting party, e.g. ap_00001, and enter:
                    \n– Enabled: true<\/strong>
                    \n– Target URL: http:\/\/wlbox1:7001\/appA<\/strong>  #Not needed. This is for web services configurations
                    \n– POST Signing Certificate Alias: wlbox1<\/strong>
                    \n– Source Site Redirect URIs: \/appB\/admin\/services.jsp<\/strong>
                    \n– Source Site ITS URL: https:\/\/wlbox1:7002\/samlits_ba\/its<\/strong>
                    \n– Source Site ITS Parameters: RPID=rp_00001<\/strong>
                    \n– Issuer URI: http:\/\/saml11realm.com\/saml11<\/strong>
                    \n– Signature Required: true<\/strong>
                    \n– Asserting Signing Certificate Alias: wlbox1<\/strong>
                    \n* Click Save<\/em><\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Configure SAML 1.1 Destination Side Federation Services<\/h3><\/span>\n
                    * Go to domain > Environment > Servers > examplesServer > Configuration > Federation Services > SAML 1.1 Destination Site<\/em>
                    \n* Click Lock & Edit<\/em> and enter:
                    \n– Destination Site Enabled: true<\/strong>
                    \n– Assertion Consumer URIs: \/samlacs\/acs<\/strong>
                    \n– ACS Requires SSL: true<\/strong>
                    \n– SSL Client Identity Alias: wlbox<\/strong>  #Note: this is the destination machine server key
                    \n– SSL Client Identity Pass Phrase: secret<\/strong>
                    \n– POST Recipient Check Enabled: true<\/strong>
                    \n– POST one Use Check Enabled: true<\/strong>
                    \n– Used Assertion Cache Properties: APID=ap_00001<\/strong>
                    \n* Click Save <\/em>and Activate Changes<\/em><\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Add a New SAML Identity Assertion Provider<\/h4><\/span>\n
                    * Go to domain > Security Realms > saml11realm > Providers > Authentication<\/em>
                    \n* Click Lock & Edit<\/em>
                    \n* Click New and enter:
                    \n– Name: saml11SAMLAuthn<\/strong>
                    \n– Type: SAMLAuthenticator<\/em>
                    \n* Click Save<\/em>
                    \n* Click the newly created saml11SAMLAuthn <\/em>and go to Configuration > Common<\/em>
                    \n* Set
                    \n– Control Flag: SUFFICIENT<\/em>
                    \n* Click Activate Changes<\/em>
                    \n* Restart <\/strong>WebLogic<\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Enable Virtual Users<\/h3><\/span>\n
                    * A virtual user is a user who is authenticated on the SAML Identity Provider and this user is transferred ( with all his attributes and roles )  in a SAML Token to the Service Provider.
                    \n* This user does not need to exists on the WebLogic server of the Service Provider.<\/p>\n
                    Enable Allow Virtual Users<\/h4><\/span>\n
                    * Go to domain > Security Realms > saml11realm > Providers > Authentication > saml11SAMLIdA > Management > Asserting Parties > ap_00001<\/em>
                    \n* Click Lock & Edit<\/em>
                    \n* Check Allow Virtual Users<\/em>
                    \n* Click Save<\/em> and Activate Changes<\/em><\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Enable Group Attributes<\/h2><\/span>\n
                    * By default, WebLogic SAML1.1 does not include group attributes in the generated SAML token.
                    \n* To enable it:
                    \n* On source site, go to Home >Summary of Security Realms >saml11realm >Providers >Authentication > saml11CredMapperv2 >Management >rp_00001<\/em>
                    \n– Check Include Groups Attribute<\/em> at the bottom of the page<\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    * On target site, go to Home >Summary of Security Realms >saml11realm >Providers >saml11SAMLAuthn >Management >ap_00001<\/em>
                    \n– Check Process Groups Attribute<\/em> at the bottom of the page<\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Test<\/h2><\/span>\n
                    * Download sso-with-saml-134555.zip<\/a>and unzip into a temp directory. You’ll see appA.war<\/strong> and appB.war<\/strong> files.
                    \n* Start JDeveloper and create a new application named, e.g.                     test.saml11<\/a><\/strong>
                    \n* Import both appA and appB into the JDev application.
                    \n* Modify URLs containing localhost <\/em>to appropriate host names in following files:
                    \n– appA\/Web Content\/admin\/auth.jsp<\/em>
                    \n* Deploy appA to wlbox1
                    \n* Deploy appB to wlbox<\/p>\n
                    Turn on Debugging<\/h3><\/span>\n
                    * Go to domain > Environment > Servers > examplesServer > Debug<\/em>
                    \n* Click Lock & Edit<\/strong>
                    \n* Go to and check: weblogic > security > saml<\/em>
                    \n* Click Enable <\/strong>and Activate Changes<\/strong><\/p>\n
                    Test SSO<\/h3><\/span>\n
                    Access appA First<\/h4><\/span>\n
                    * Go to http:\/\/wlbox1:7001\/appA\/login.jsp<\/a>
                    \n* Enter
                    \n– Username: ssouser
                    \n– Password: welcome1
                    \n* Once logged in, click Application – appB on domainB<\/strong> link<\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    * appB on destination site is shown<\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Access appB First<\/h4><\/span>\n
                    * Go to http:\/\/wlbox:7001\/appB\/admin\/services.jsp<\/a>
                    \n* Enter username and password when prompted<\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    * appB\/admin\/services.jsp page is shown<\/p>\n
                    \"\"<\/a><\/h6><\/span>\n
                    Issues<\/h2><\/span>\n
                    LoginException while asserting identity, returning SC_FORBIDDEN<\/h3><\/span>\n
                    * Error message:<\/p>\n
                    \r\n####     <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <>  <1327475159603>   \r\n####     <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <>  <1327475159603>   \r\n####     <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <>  <1327475159603>   \r\n####     <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <>  <1327475159603>   \r\n####     <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <>  <1327475159603>   \r\n<\/pre>\n
                    * Cause: there are time differences between source site and destination site
                    \n* Fix: Adjust TTL for both credential mapper and relying party, e.g:
                    \n– Assertion Time To Live: 120
                    \n– Assertion Time To Live Offset: -5<\/p>\n
                    Error 403–Forbidden<\/h3><\/span>\n
                    * Error message:
                    \n####     <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <024170c1c59452c4:-3e5ca8fa:13737be5a14:-8000-00000000000000ed> <1336671778195>  
                    \n####     <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <024170c1c59452c4:-3e5ca8fa:13737be5a14:-8000-00000000000000ed> <1336671778195>  
                    \n####     <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <024170c1c59452c4:-3e5ca8fa:13737be5a14:-8000-00000000000000ed> <1336671778195>  
                    \n* Cause: source site certificate not setup correctly.
                    \n* Fix: see                     Import Source Site Certificate<\/a>.
                    \n– Check expiration date for the trusted certificates. Re-import if necessary.<\/p>\n
                    References<\/h2><\/span>\n
                    * Configuring Single Sign-On with Web Browsers and HTTP Clients <\/a>
                    \n*                     Configuring Single Sign-On using SAML in WebLogic Server 9.2<\/a>
                    \n*                     SSO with WebLogic 10.3 and SAML<\/a>
                    \n*                     http:\/\/htotapally.blogspot.com\/2010\/08\/single-sign-on-using-weblogic-103-and.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
                    * This is the note I took following the steps to setup SAML1.1 SSO solution as described in the references. * I used two Oracle virtual boxes downloaded from here. * I named one virtual box wlbox1 and function as … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[119,104],"tags":[],"class_list":["post-4179","post","type-post","status-publish","format-standard","hentry","category-saml","category-weblogic11g"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-15p","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4179"}],"version-history":[{"count":50,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4179\/revisions"}],"predecessor-version":[{"id":5323,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4179\/revisions\/5323"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}