<h2>Using SQL Developer debugger with Oracle DB Cloud Service</h2>
Tech Guido, by Guido Campani, 2018-07-29<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/--rE1PImyfsM/W13ETSeSdKI/AAAAAAAAQSg/8C81Pib5Lis3OkR9ifam1zmPkR2SUVSoACLcBGAs/s1600/SQLDevWithCloud.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="321" data-original-width="626" height="164" src="https://1.bp.blogspot.com/--rE1PImyfsM/W13ETSeSdKI/AAAAAAAAQSg/8C81Pib5Lis3OkR9ifam1zmPkR2SUVSoACLcBGAs/s320/SQLDevWithCloud.jpg" width="320" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;">Oracle Database Cloud Service provides a very agile Cloud environment for your database workload, for production as well as development.
In the latter case it is a good choice for experienced SQL Developer users to keep using their usual development environment while connecting to the Cloud Database.
Before doing this you need to perform a few configuration steps, which are described in this post. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">SQL Developer runs by default in "Remote Debugger" mode. This means that SQL Developer listens on a port for events coming from the Database. This allows the developer to debug PL/SQL either by launching it from the tool or even from a different session, e.g. from a web application, while watching what is going on in the IDE window.
This is a very smart option, but it requires SQL Developer to listen and the Database to send events to the tool. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">When running the Database in the Cloud, the debug session will probably fail because your workstation is not reachable from the Internet and the port SQL Developer listens on is not open on the corporate firewall. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">You then have two solutions: </span><br />
<br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">ask your network admin to open the firewall and expose your IP address on the Internet, or </span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">disable "Remote Debugging". </span></li>
</ul>
<span style="font-family: Arial, Helvetica, sans-serif;">In the latter case you'll only be able to debug PL/SQL if you run it from the IDE, but you'll still have all the debug features available, and SQL Developer no longer has to accept inbound connections from the database. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif; text-align: center;">To disable "Remote Debugging" exit SQL Developer and insert the line:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; text-align: center;"><br /></span>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>DatabaseDebuggerDisableJDWP=true
</b></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">into <b>ide.properties</b> file, which is usually located in: </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>C:\Users\&lt;user&gt;\AppData\Roaming\SQLDeveloper\system${VERSION}\o.sqldeveloper.${SYSTEM_VERSION}</b> on Windows or in:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>$HOME/.sqldeveloper/system${VERSION}/o.sqldeveloper.${SYSTEM_VERSION}/ide.properties</b> on Linux.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Restart SQL Developer and happy debugging. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Post Scriptum</b><br />
SQL Developer can connect to Oracle Cloud directly on port 1521 or through SSH tunnelling. You can find plenty of resources on the Internet on the topic.</span>
<h2>Building a secure architecture for JEE application using Oracle solutions</h2>
Guido Campani, 2017-05-29<br />
<div dir="ltr" id="Table of Contents1" style="background: transparent;">
<div dir="ltr" id="Table of Contents1_Head">
<div style="line-height: 100%; margin-bottom: 0.08in; margin-top: 0.17in; page-break-after: avoid;">
<span style="font-family: Liberation Sans, Arial, serif;"><span style="font-size: medium;"><b>Table
of Contents</b></span></span></div>
</div>
</div>
<ul>
<li>Summary</li>
<li>Security in depth</li>
<li>Description</li>
<li>What has been left out</li>
</ul>
<br /><br />
<h2 class="western" lang="en-US">
<a name="Summary"></a>
Summary</h2>
<div class="western" lang="en-US">
Today it is increasingly important to design new application architectures with security in mind, to reduce the attack surface and to be as efficient as possible in detecting and reacting to intrusions.</div>
<div class="western" lang="en-US">
I am describing here a possible secure architecture that can be implemented to protect a JEE application, and the Database where its data are stored, from malicious users and external parties that want to gain access to sensitive data.</div>
<div class="western" lang="en-US">
While I am not an information
security expert, this paper is the result of my personal experience
in designing and configuring security for JEE systems.
</div><h2 class="western" lang="en-US">
<a name="Security"></a>
Security in depth</h2>
<div class="western" lang="en-US">
The main principle I tried to apply is to use several security layers that are independent of each other, thus providing:</div>
<ul>
<li><div class="western" lang="en-US">
the ability to use a different set of layers, depending on the project type and environment</div>
</li>
<li><div class="western" lang="en-US">
the ability to detect and block intrusion attempts that may have passed a more external security layer</div>
</li>
</ul>
<div class="western" lang="en-US">
This approach is useful when building a new application, but also when securing an existing one, which can be hardened incrementally by adding security features based on the threat and risk assessment and on budget considerations.</div>
<h2 class="western" lang="en-US">
<a name="Description"></a>
Description</h2>
<div class="western" lang="en-US">
The following figure describes the architecture and the components that are part of it. Oracle products are in red, non-Oracle products in blue.</div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-pIqoEmUcZFc/WSwlFzPVxBI/AAAAAAAALmI/F0tavgMkpngnzNujPzY3O3H2QFU_QTYfwCLcB/s1600/Schema02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-pIqoEmUcZFc/WSwlFzPVxBI/AAAAAAAALmI/F0tavgMkpngnzNujPzY3O3H2QFU_QTYfwCLcB/s400/Schema02.jpg" width="400" height="298" data-original-width="696" data-original-height="519" /></a></div>
<div class="western">
<span lang="en-US">The main components of the application are WebLogic Server and Oracle Database. I first require that users connect to WLS via HTTPS only and that they authenticate by presenting a digital certificate (</span><span style="color: navy;"><span lang="zxx"><u><a href="https://docs.oracle.com/cd/E24329_01/web.1211/e24485/thin_client.htm#SCPRG137"><span lang="en-US">doc</span></a></u></span></span><span lang="en-US">,
</span><span style="color: navy;"><span lang="zxx"><u><a href="http://www.oracle.com/technetwork/articles/damo-howto-091164.html"><span lang="en-US">blog</span></a></u></span></span><span lang="en-US">),
configuring two-way SSL and the X.509 Identity Provider.</span></div>
<div class="western">
<span lang="en-US">An appropriate configuration of the WebLogic Identity Assertion Provider and Authentication Provider will enable the application to get the user identity from the X.509 certificate and to map it to a user name stored in the user repository, here defined as an LDAP directory. Note that the Security Provider architecture in WebLogic gives a lot of freedom to developers: they can write their application using the standard Java security APIs (JAAS), whatever provider will be used later on. (</span><span style="color: navy;"><span lang="zxx"><u><a href="http://docs.oracle.com/middleware/12212/wls/SECMG/ia_atn.htm#SECMG215"><span lang="en-US">doc</span></a></u></span></span><span lang="en-US">)</span></div>
<div class="western">
<span lang="en-US">Application security is configured using the WebLogic Custom Roles model; this means that developers modify the deployment descriptor to define which resources have to be protected and the names of the roles that can access them. The WebLogic administrator then configures the role mapping from users or groups to roles. (</span><span style="color: navy;"><span lang="zxx"><u><a href="http://docs.oracle.com/middleware/12212/wls/ROLES/secejbwar.htm#ROLES152"><span lang="en-US">doc</span></a></u></span></span><span lang="en-US">)</span></div>
<div class="western" lang="en-US">
Although using JPA does not by itself guarantee protection against SQL injection, it makes it easier to protect the application from this kind of attack: the web is full of resources that can help developers get familiar with these techniques.</div>
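To make the JPA point concrete, here is an added example (mine, not code from the post): one lookup written as a concatenated JPQL string, which JPA does not protect, beside the bound-parameter and Criteria versions it makes easy, plus the allow-list needed when a sort key taken from the request has to be spliced into the query. The Customer entity and its attributes are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;

/** Hypothetical entity used by this example. */
@Entity
class Customer {
    @Id
    private Long id;
    private String email;
    private String name;

    protected Customer() { }   // JPA requires a no-arg constructor

    public Long getId() { return id; }
    public String getEmail() { return email; }
    public String getName() { return name; }
}

/** Data access object showing an injectable JPA query next to its safe equivalents. */
public class CustomerDao {

    /** Only these attribute names may be used for ORDER BY; identifiers cannot be bound. */
    private static final Set<String> SORTABLE = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("email", "name")));

    private final EntityManager em;

    public CustomerDao(EntityManager em) {
        this.em = em;
    }

    /**
     * VULNERABLE. The JPQL text is assembled from request input, so a quote character
     * in "email" ends the literal and the rest of the input is parsed as query syntax.
     * JPA executes exactly what it is handed; the ORM gives no protection here.
     */
    public List<Customer> findByEmailUnsafe(String email) {
        String jpql = "SELECT c FROM Customer c WHERE c.email = '" + email + "'";
        return em.createQuery(jpql, Customer.class).getResultList();
    }

    /** SAFE. A named parameter is bound by the provider and never parsed as JPQL. */
    public List<Customer> findByEmail(String email) {
        TypedQuery<Customer> q = em.createQuery(
                "SELECT c FROM Customer c WHERE c.email = :email", Customer.class);
        return q.setParameter("email", email).getResultList();
    }

    /** SAFE. The Criteria API builds the query from typed objects, not from text. */
    public List<Customer> findByEmailCriteria(String email) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Customer> cq = cb.createQuery(Customer.class);
        Root<Customer> c = cq.from(Customer.class);
        cq.select(c).where(cb.equal(c.get("email"), email));
        return em.createQuery(cq).getResultList();
    }

    /**
     * Identifiers (attribute names, sort direction) cannot be bound as parameters, so a
     * user-chosen sort key must be checked against an allow-list before it is spliced
     * into the query text; the search value itself is still bound. Note that '%' and
     * '_' inside namePrefix act as LIKE wildcards unless escaped.
     */
    public List<Customer> searchByName(String namePrefix, String sortKey, boolean descending) {
        if (!SORTABLE.contains(sortKey)) {
            throw new IllegalArgumentException("unsupported sort key");
        }
        String jpql = "SELECT c FROM Customer c WHERE c.name LIKE :prefix ORDER BY c."
                + sortKey + (descending ? " DESC" : " ASC");
        return em.createQuery(jpql, Customer.class)
                 .setParameter("prefix", namePrefix + "%")
                 .getResultList();
    }
}
```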
<div class="western">
<span lang="en-US">Now we get closer to the data layer; since we are using Oracle Database, we can configure the JDBC provider to make use of CLIENT_IDENTIFIER. In this way the JDBC driver will open a pool of connections using a pre-configured user and (encrypted) password, but when the application uses a connection, the driver will pass the application user name in the CLIENT_IDENTIFIER parameter. Oracle Database can then use it for the security and accounting operations that I'll describe later on. (</span><span style="color: navy;"><span lang="zxx"><u><a href="http://docs.oracle.com/middleware/12212/wls/JDBCA/ds_security.htm#JDBCA667"><span lang="en-US">doc</span></a></u></span></span><span lang="en-US">)</span></div>
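An added example of the mechanism (my code, not the post's): a stateless session bean that borrows a pooled connection and tags the Oracle session with the authenticated caller before querying. WebLogic can set the tag itself when the data source's "Set Client ID On Connection" option is enabled; here it is done explicitly through the JDBC client-info key the Oracle driver recognises ("OCSID.CLIENTID") so the flow is visible. The jdbc/AppDS JNDI name and the orders table are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.sql.DataSource;

/**
 * The pool logs in to Oracle with one technical account; each borrowed connection is
 * tagged with the real application user so the database sees the end user in
 * CLIENT_IDENTIFIER. The database exposes that value as
 * SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'), usable in VPD policies and audit
 * conditions and, as the post describes, mappable to the LDAP identity through EUS.
 * Because the tag is set by the application tier, database rules built on it trust the
 * application server: it is identity propagation, not a second authentication.
 */
@Stateless
public class OrderService {

    @Resource(lookup = "jdbc/AppDS")   // hypothetical data source JNDI name
    private DataSource ds;

    @Resource
    private SessionContext ctx;        // exposes the caller authenticated by WebLogic

    /** Counts the orders owned by the calling user, resolved in the database from CLIENT_IDENTIFIER. */
    public int countOrdersForCaller() throws SQLException {
        String appUser = ctx.getCallerPrincipal().getName();
        try (Connection con = ds.getConnection()) {
            // Tag the Oracle session with the application user for this unit of work.
            con.setClientInfo("OCSID.CLIENTID", appUser);
            try (PreparedStatement ps = con.prepareStatement(
                         "SELECT COUNT(*) FROM orders"
                         + " WHERE owner = SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER')");
                 ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            } finally {
                // Clear the tag before the connection goes back to the pool, so the next
                // borrower cannot inherit this user's identity.
                con.setClientInfo("OCSID.CLIENTID", null);
            }
        }
    }
}
```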
<div class="western">
<span lang="en-US">Between WebLogic and the Database I set up an instance of Oracle Database Firewall (full name: Audit Vault and Database Firewall, i.e. AVDF) that will inspect the SQL through its SQL grammar analysis engine. It is the administrator's choice to configure AVDF with a Black List (block or alert when something matches the rules in the list) or a White List (block or alert when something does not match the rules in the list). In my opinion the White List is more secure, but it is harder to configure. AVDF also provides more filters and features; please refer to the documentation for a complete list. (</span><span style="color: navy;"><span lang="zxx"><u><a href="http://www.oracle.com/technetwork/database/database-technologies/audit-vault-and-database-firewall/overview/overview-1877404.html"><span lang="en-US">doc</span></a></u></span></span><span lang="en-US">)</span></div>
<div class="western" lang="en-US">
The database implements a set of Database Options in order to protect the data from inappropriate access and usage.</div>
<div class="western" lang="en-US">
As the user identity is sent from the application server to the database in the CLIENT_IDENTIFIER parameter, the database is able to map it to the same user repository used by WebLogic Server. To do this it is necessary to configure Enterprise User Security.</div>
<div class="western">
<span lang="en-US">The data can be protected from unwanted access at a very fine granularity using security labels (e.g. Top Secret, Secret, etc.) applied to each table or row that requires it. Oracle Label Security verifies that the label defined on the database object and the credential held by the user match before delivering the data. (</span><span style="color: navy;"><span lang="zxx"><u><a href="https://www.oracle.com/database/label-security/index.html"><span lang="en-US">doc</span></a></u></span></span><span lang="en-US">)</span></div>
<div class="western">
<span lang="en-US">An additional barrier against data leakage is the ability to implement Separation of Duty rules on database users. Normally database administrators are able to see and change the data. I therefore suggest the use of Database Vault to implement preventive controls on privileged user access to application data. (</span><span style="color: navy;"><span lang="zxx"><u><a href="https://www.oracle.com/database/database-vault/index.html"><span lang="en-US">doc</span></a></u></span></span><span lang="en-US">)</span></div>
<div class="western">
<span lang="en-US">While I assume the operating system has been hardened, it is a good rule to encrypt the data at rest, i.e. on the physical media. This can be done with Oracle Transparent Data Encryption. The data is encrypted by the database engine transparently to the client, protecting the data files and the backup files from malicious access by operating system users. (</span><span style="color: navy;"><span lang="zxx"><u><a href="https://www.oracle.com/database/advanced-security/index.html"><span lang="en-US">doc</span></a></u></span></span><span lang="en-US">)</span></div>
<h2 class="western">
<a name="What"></a>What
has been left out</h2>
<div class="western">
Since I focused on a single application, e.g. a departmental application, I did not cover many important components of an enterprise architecture; here I list three of them: Access Manager, Identity Manager and User Repository.</div>
<div class="western">
Oracle Access Manager is used to add a perimeter access control layer that can authenticate users using multiple schemes, implement a Single Sign-On infrastructure and define coarse-grained authorization.
</div>
<div class="western">
Oracle Identity Manager can be added to manage the lifecycle of identities and roles, regulatory compliance and auditing.</div>
<div class="western">
Finally, the architecture shows an LDAP user repository, but of course the implementation choice is important. Oracle's user repository is called Oracle Internet Directory.</div>
<h2 class="western">
Configuring Single Sign-On using SAML in WebLogic
Server 12.2.1</h2>
by Guido Campani, based on <a href="http://www.oracle.com/technetwork/articles/idm/sso-with-saml-099684.html" target="_blank"><i>Configuring Single Sign-On using SAML in WebLogic Server 9.2</i></a> by Vikrant Sawant.<br />
09/04/2017<br />
<h3 class="western">
Abstract</h3>
This guide has been tested and revised for WebLogic Server 12.2.1
running on Oracle Linux 6.4. I made a few changes to Vikrant Sawant's
work to reflect my tests, which included adding a third domain to the
single sign-on architecture. References to WebLogic Server 9.2 still
appear in the document: this is intended as a recognition of the
work of the original author.<br />
BEA WebLogic Server 9.2 provides out-of-the-box support for
Security Assertion Markup Language (SAML) to build single sign-on
(SSO) solutions with minimum or no coding, depending on your security
requirements. Using WebLogic Server 9.2, the single sign-on
capability can be easily added between multiple online applications
running on trusted domains. The SAML standard defines a framework for
exchanging security information between the federation of trusted
servers. The primary function of the security framework is to provide
configuration tools and APIs to secure your applications.<br />
The first part of this tutorial provides step-by-step instructions
to configure the single sign-on capability between two simple Java EE
Web applications running on two different WebLogic domains.
<br />
The second part describes how to add a third domain in the single
sign-on scenario.<br />
The SAML configuration for single sign-on is performed using the
WebLogic Server 9.2 Administration Console with no programming
involved. The tutorial also briefly introduces the basic interactions
between WebLogic containers, the security providers, and the security
framework during the single sign-on process.<br />
<h3 class="western">
Introduction</h3>
The SAML standard defines a framework for exchanging security
information within the federation of trusted servers. For some
background, read Introduction to SAML by Beth Linker (Dev2Dev, 2006).
This tutorial shows how to set up SAML authorization between two Web
applications. The source for these applications is provided here.<br />
This tutorial looks at a simple example involving two Web
applications: <i>appA</i> deployed on the source (local) site, and
<i>appB</i> deployed on the destination (remote) site. You'll learn
how to configure these applications using the WebLogic Server 9.2
Administration Console and participate in an SSO process using SAML.
<br />
The source site provides an authentication service and securely
passes the authentication details using SAML Inter-site Transfer
Service (ITS) when requested by the destination site. The server on
the source site includes an ITS servlet, which is an addressable
component that provides SAML processing functionality such as
artifact generation and the ability to redirect a user to the
destination site.<br />
Figure 1 shows the basic interaction between source site and
destination site during the SSO process.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/--hRtwUXPd-A/WRLSgwSQd8I/AAAAAAAALcA/cRTOOvKKRIQ9AnOBiQxq1veABPhuzjLowCLcB/s1600/figure01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://1.bp.blogspot.com/--hRtwUXPd-A/WRLSgwSQd8I/AAAAAAAALcA/cRTOOvKKRIQ9AnOBiQxq1veABPhuzjLowCLcB/s320/figure01.jpg" width="221" /></a></div>
<br />
<i>Figure 1. Interaction between source site and destination
site, using SAML, during single sign-on</i>
<br />
<br />
<br />
<br />
<ol>
<li><div style="margin-bottom: 0in;">
The user's browser accesses the
application <i>appA</i>(source site), hosted on a WebLogic Server
domain, called <i>domainA</i>, by supplying user credentials.
</div>
</li>
<li><div style="margin-bottom: 0in;">
The application <i>appA</i>
passes the user credentials to the authentication service provider.
</div>
</li>
<li><div style="margin-bottom: 0in;">
If authentication is successful,
the authenticated session is established, and a welcome page of <i>appA</i>
is displayed.
</div>
</li>
<li><div style="margin-bottom: 0in;">
From the welcome page, the user
then clicks on a link on the page to access a secured Web page of
application <i>appB</i> (destination site), hosted on a different
WebLogic Server domain, called <i>domainB</i>. This triggers a
call to the Inter-Site Transfer Service (ITS) servlet.
</div>
</li>
<li><div style="margin-bottom: 0in;">
The ITS servlet calls the SAML
Credential Mapper to request a caller assertion. The SAML Credential
Mapper returns the assertion. It also returns the URL of the
destination site application Web page (a secured Web page of <i>appB</i>)
and path to the appropriate POST form (if the source site is
configured to use the POST profile).
</div>
</li>
<li><div style="margin-bottom: 0in;">
The SAML ITS servlet generates a
SAML response containing the generated assertion, signs it, base-64
encodes it, embeds it in the HTML form, and returns the form to the
user's browser.
</div>
</li>
<li><div style="margin-bottom: 0in;">
The user's browser POSTs the form
to the destination site's Assertion Consumer Service (ACS).
</div>
</li>
<li><div style="margin-bottom: 0in;">
The assertion is validated.
</div>
</li>
<li><div style="margin-bottom: 0in;">
If the assertion is successful,
the user is redirected to the target—that is, the secured Web page
of the <i>appB</i> application.
</div>
</li>
<li>The user is logged in on the destination site application
<i>appB</i>, without having to reauthenticate at <i>appB</i>.
<br />
</li>
</ol>
The whole single sign-on process listed above requires no coding
by the developer (except for the coding of applications <i>appA</i>
and <i>appB</i>, of course) and can be easily configured using the
Administration Console.
<br />
<h2 class="western">
Part 1</h2>
<h3 class="western">
SAML Configuration Using the WebLogic
Administrative Console</h3>
Before starting the SAML configuration, in the first few steps
you'll create and set up the server environment for the sample
applications <i>appA</i> and <i>appB</i>.
<br />
<h4 class="western">
Step 1: Create SAML source site and destination
site domains and application servers</h4>
The sample applications in this tutorial are hosted on two domains
on the local host, so the first step is to create the domains and
servers running on given ports, as listed below in Table 1.<br />
<table cellpadding="5" cellspacing="0" style="width: 702px;">
<colgroup><col width="246"></col>
<col width="59"></col>
<col width="124"></col>
<col width="118"></col>
<col width="33"></col>
<col width="59"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="246"><br /></th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="59">Host</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="124">Application Server</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="118">Application Name</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="33">Port</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="59">SSL Port</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="246">SAML Source Site Domain: domainA
</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="59">localhost</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="124">AdminServer</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="118">appA</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="33">7001</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="59">7002</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="246">SAML Destination Site Domain: domainB
</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="59">localhost</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="124">AdminServer</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="118">appB</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="33">7003</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="59">7004</td>
</tr>
</tbody></table>
<i>Table 1. Sample application domains and application servers</i>
<br />
Create domains, as shown in Table 1, using the Domain
Configuration Wizard. I configured them as in Production Mode;
AdminServer is the only server in the domain. No Managed Servers are
configured. Update the appropriate listen ports using the WebLogic
Server 9.2 Administration Console.<br />
<h4 class="western">
Step 2: Create users</h4>
For simplicity, this tutorial uses the default security realms on
each domain, each named with the same default realm name, that is,
<i>myrealm</i>. Create a user <i>ssouser</i> in each domain
separately under the <i>myrealm</i> realm. Alternatively, you could
create this user in a centralized external LDAP store and configure
both domains to use this common store for authentication.
<br />
The user <i>ssouser</i> created here will authenticate with
application <i>appA</i> hosted on <i>domainA</i>, and then access
application <i>appB</i> hosted on <i>domainB</i> directly using
SSO.
<br />
<table cellpadding="5" cellspacing="0" style="width: 486px;">
<colgroup><col width="278"></col>
<col width="58"></col>
<col width="118"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="278"></th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="58">Realm</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="118">User/Password</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="278">SAML Source Site Domain: domainA
</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="58">myrealm</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="118">ssouser/welcome1</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="278">SAML Destination Site Domain: domainB
</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="58">myrealm</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="118">ssouser/welcome1</td>
</tr>
</tbody></table>
<i>Table 2. The user participating in single sign-on</i>
<br />
Create the user, <i>ssouser</i>, as shown in Table 2, in both
domains under the default security realms, each called <i>myrealm</i>.
<br />
<h4 class="western">
Step 3: Create and deploy the Java EE Web
applications <i>appA</i> and <i>appB</i>
</h4>
The sample application source code for <i>appA</i> can be
downloaded <a href="http://www.oracle.com/technetwork/articles/entarch/sso-with-saml-134555.zip" target="_blank">here</a>.
Import the existing Web application into WebLogic WorkShop Studio or
any other IDE, such as Eclipse.
<br />
Application <i>appA</i> is configured to use FORM-based
authentication. This application is deployed on the SAML source site
domain ( <i>domainA</i>). A JSP page of <i>appA</i> called
<code class="western">auth.jsp</code>, under the <code class="western">admin</code>
folder, requires the authenticated user to have an <code class="western">admin</code>
role in order to access it. The <code class="western">admin</code>
role is mapped to a principal called <code class="western">ssouser</code>
in <code class="western">weblogic.xml</code>. Figure 2 shows the
configuration of the security in <code class="western">web.xml</code>.
<br />
<pre class="western"><display-name>Saml Source Site Application</display-name>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>These pages are only accessible by authorized users.</description>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access.</description>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>This is how the user data must be transmitted.</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method><b>FORM</b></auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/fail_login.htm</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>These are the roles who have access</description>
  <role-name>admin</role-name>
</security-role>
</pre>
<i>Example 1. Application appA - web.xml snippet</i>
<br />
When the user tries to access the <code class="western">/admin/auth.jsp</code>
page, a configured login page, <code class="western">login.jsp</code>,
will be displayed, asking the user to supply credentials. After
submitting the details, the container will authenticate the user
<code class="western">ssouser</code>. If authentication is
successful, the <code class="western">auth.jsp</code> will be
displayed. Before going on to explore the Web page <code class="western">auth.jsp</code>,
I'll create the application <i>appB</i> on the SAML destination
site domain ( <i>domainB</i>).
<br />
Sample application source code for <i>appB</i> can be downloaded
<a href="http://www.oracle.com/technetwork/articles/entarch/sso-with-saml-134555.zip" target="_blank">here</a>. Application <i>appB</i> is configured to use
CLIENT-CERT, so that it will use identity assertion for
authentication. This application should be deployed on the SAML
destination site domain (<i>domainB</i>). A JSP page of <i>appB</i>,
called <code class="western">services.jsp</code> and located in the
<code class="western">/admin</code> folder, requires the
authenticated user to have the <code class="western">admin</code>
role in order to access it. This role is mapped to a principal called
<code class="western">ssouser</code> in <code class="western">weblogic.xml</code>.
Example 2 shows an excerpt from <i>appB</i>'s <code class="western">web.xml</code>
configuration:
<br />
<pre class="western"><display-name>SAML Destination Site Application</display-name>
  <!-- ... -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>These pages are only accessible by authorized users.</description>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access.</description>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>This is how the user data must be transmitted.</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method><b>CLIENT-CERT</b></auth-method>
  <realm-name>myrealm</realm-name>
</login-config>
<security-role>
  <description>These are the roles who have access.</description>
  <role-name>admin</role-name>
</security-role></pre>
<i>Example 2. Application appB - web.xml snippet</i>
<br />
Compile and build the WAR files (<i>appA.war</i>, <i>appB.war</i>) for
each application. Use the WebLogic Console to deploy <i>appA.war</i>
and <i>appB.war</i>.
<br />
When the SAML configuration has been completed, as described in
the steps to follow, the user <code class="western">ssouser</code>,
authenticated at <i>appA</i> (SAML source site), will be able to
directly access the <code class="western">services.jsp</code> page of
<i>appB</i> (SAML destination site) without being asked to supply
the credentials again.
<br />
<h4 class="western">
Step 4: Generate and register SSL certificates</h4>
Communication between the SAML source site and the destination site
should be encrypted, and certificates should be used to verify the
identity of the other party during the SAML interaction. In this step
I'll create and register the certificates that will be used in the
communication between the source site and the destination site.<br />
Generate a key using the keytool utility (part of your JDK). By
default, a keystore called <i>DemoIdentity.jks</i> will already be
configured for <i>domainA</i> and <i>domainB</i>.
<br />
Now I'll show how to generate a private key and certificate for
test purposes:<br />
<ol>
<li><div style="margin-bottom: 0in;">
Open a terminal window and change
the directory to <code class="western">$DOMAIN_HOME/security</code>
for domainA
</div>
</li>
<li>Run the keytool command to generate the key, as shown below.
<br />
</li>
</ol>
<pre class="western">keytool -genkey -keypass testkeypass -keystore
DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyalg
rsa -alias testalias</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-l1UiJoFfpRg/WRLSu5_hO4I/AAAAAAAALcE/sjUtGILfnWEsIO3VljLA99sVTcZaEH8HgCLcB/s1600/figure02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://1.bp.blogspot.com/-l1UiJoFfpRg/WRLSu5_hO4I/AAAAAAAALcE/sjUtGILfnWEsIO3VljLA99sVTcZaEH8HgCLcB/s320/figure02.png" width="320" /></a></div>
<br />
<i>Figure 2. Generate test SSL certificate screen shot</i>
<br />
Now run the keytool command with the -export option, as shown in
Figure 2, to export the certificate to a file called <code class="western">testalias.der</code>:
<br />
<pre class="western">keytool -export -keypass testkeypass -keystore
DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -alias
testalias -file testalias.der</pre>
<h3 class="western">
SAML Configuration</h3>
I'll begin with the SAML source site configuration.<br />
<h4 class="western">
Step 5: Configure <i>domainA</i>, acting as a
SAML source site
</h4>
In this step I will create and configure a SAML Credential Mapper
V2 instance. The SAML Credential Mapper acts as a producer of SAML
security assertions, allowing <i>domainA</i> to act as a source
site for using SAML for SSO. <br />
A SAML security assertion is a
package of information that supplies one or more statements made by a
SAML authority (the asserting party). The statements are of three
types: authentication statements, attribute statements, and
authorization decision statements.
<br />
I'll start by configuring a SAML Credential Mapper V2 instance
(note that the SAML Credential Mapper V1 is deprecated as of BEA
WebLogic Server 9.2):<br />
<ol>
<li><div style="margin-bottom: 0in;">
Log in to the WebLogic Server
Administration Console on <i>domainA</i>
(<code class="western">http://localhost:7001/console</code>).
</div>
</li>
<li><div style="margin-bottom: 0in;">
In the administration console,
select Security Realms in the Domain Structure window
</div>
</li>
<li><div style="margin-bottom: 0in;">
Select a security realm. The
default realm used is <i>myrealm.</i>
</div>
</li>
<li><div style="margin-bottom: 0in;">
Select the Providers tab, and then
select the Credential Mappings tab.
</div>
</li>
<li>If SAMLCredentialMapper doesn't exist, then create a new
SAMLCredentialMapper, as shown in Figure 3.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-zh9SZgPhUxk/WRLS5B-vvyI/AAAAAAAALcI/vJ8Jn00YAzIpnjdvXE2sW11dWxpN8mD8QCLcB/s1600/figure03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://4.bp.blogspot.com/-zh9SZgPhUxk/WRLS5B-vvyI/AAAAAAAALcI/vJ8Jn00YAzIpnjdvXE2sW11dWxpN8mD8QCLcB/s320/figure03.png" width="320" /></a></div>
<br />
<i>Figure 3. Create a new SAML credential mapping provider</i>
<br />
<ol start="6">
<li><div style="margin-bottom: 0in;">
Select SAMLCredentialMapper, and
then select Provider Specific.
</div>
</li>
<li><div style="margin-bottom: 0in;">
In the Change Center window,
select Lock and Edit; this will allow you to edit the
SAMLCredentialMapper settings.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Edit the issuer URI,
<code class="western">http://www.bea.com/demoSAML</code>. This
unique URI tells the destination site (<i>domainB/appB</i>) where the
SAML message originated and lets it match the assertion with the
registered key. Typically, a URL is used to guarantee uniqueness.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Enter the Signing Key Alias
(testalias) and the Signing Key Pass Phrase (testkeypass). You used
these values when you generated the keystore.
</div>
</li>
<li>Set the Default time to Live and Cred Cache Min Viable TTL
and other values, as shown in Figure 4.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-t0YQYhUcMxA/WRLS-hWn5hI/AAAAAAAALcM/SmDO-43qY_Mo9jQOxWk1I8yqx6cmVVQdgCLcB/s1600/figure04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="259" src="https://3.bp.blogspot.com/-t0YQYhUcMxA/WRLS-hWn5hI/AAAAAAAALcM/SmDO-43qY_Mo9jQOxWk1I8yqx6cmVVQdgCLcB/s320/figure04.png" width="320" /></a></div>
<br />
<i>Figure 4. SAML credential mapping provider settings</i>
<br />
<ol start="11">
<li><div style="margin-bottom: 0in;">
Click Save.
</div>
</li>
<li>In the Change Center window, click Activate Changes.
<br />
</li>
</ol>
At this point the SAML credential mapper provider is configured to
let <i>domainA</i> act as a source site (a source of SAML
security assertions) and to use the keystore you generated in Step 4.
<br />
<h4 class="western">
Step 6: Configure relying party properties</h4>
In this step I'll create and configure a relying party. When you
configure WebLogic Server to act as a source of SAML security
assertions, you need to register the parties that may request SAML
assertions that will be accepted. For a SAML relying party, you can
specify: the SAML profile used, details about the relying party, and
the attributes expected in assertions for the relying party.<br />
The relying party determines whether it trusts the assertions
provided to it by the asserting party. SAML defines a number of
mechanisms that enable the relying party to trust the assertions
provided to it.<br />
<ol>
<li><div style="margin-bottom: 0in;">
On the Management tab, click
Relying Parties.
</div>
</li>
<li><div style="margin-bottom: 0in;">
In the Relying Parties table,
click New.
</div>
</li>
<li>In the Profile pull-down menu, select Browser/POST. In the
Description field, enter the name demoSAML to identify the relying
party, as shown in Figure 5.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-tyli4zgCMI0/WRLTEQXdRkI/AAAAAAAALcQ/KeRLJxr0Qrs5r58E0maMIL10Q-Hqh2PfACLcB/s1600/figure05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://3.bp.blogspot.com/-tyli4zgCMI0/WRLTEQXdRkI/AAAAAAAALcQ/KeRLJxr0Qrs5r58E0maMIL10Q-Hqh2PfACLcB/s320/figure05.png" width="305" /></a></div>
<br />
<i>Figure 5. Relying party configuration</i>
<br />
<ol start="4">
<li>Set the relying party values, as listed in Table 3.
<br />
</li>
</ol>
<table cellpadding="5" cellspacing="0" style="width: 612px;">
<colgroup><col width="207"></col>
<col width="383"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="207">Parameter</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="383">Value</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Target URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">http://localhost:7003/appB/admin/services.jsp</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Assertion Consumer URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">https://localhost:7004/samlacs/acs</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Assertion Consumer Parameters</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">APID=ap_00001
</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Signature Required</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Include Keyinfo</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">Select the checkbox(true)</td>
</tr>
</tbody></table>
<i>Table 3. Relying Party (rp_00001) Values</i>
<br />
Although a relying party may trust the assertions provided to it
for user <code class="western">ssouser</code>, the local access
policy on the destination site application appB on <i>domainB</i>
defines whether the subject ( <code class="western">ssouser</code>)
may access local resources.
<br />
<h4 class="western">
Step 7: Configure SAML on the source site</h4>
In this step I'll configure various federation services source
site settings for the server instance running the application <i>appA</i>.
These settings enable server instances running on <i>domainA</i> to
serve as a SAML source site, define the source site URIs and service
URIs, add a certificate to sign assertions, and configure SSL for
retrieving assertions.
<br />
<ol>
<li><div style="margin-bottom: 0in;">
In the administration console, in
the Domain Structure window, select Environment and then Servers.
</div>
</li>
<li>Select AdminServer, and then in the Settings for AdminServer,
click Federation Services on the SAML 1.1 Source Site tab, as shown
in Figure 6.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Msgfq4Mref0/WRLTKXQ-EiI/AAAAAAAALcU/98ZiGqS6AmMHEq1OyI5xSgtG5PlVmGIYACLcB/s1600/figure06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://4.bp.blogspot.com/-Msgfq4Mref0/WRLTKXQ-EiI/AAAAAAAALcU/98ZiGqS6AmMHEq1OyI5xSgtG5PlVmGIYACLcB/s320/figure06.png" width="251" /></a></div>
<br />
<i>Figure 6. Source site configuration</i>
<br />
<ol start="3">
<li>Set the source site values, as listed in Table 4.
<br />
</li>
</ol>
<table cellpadding="5" cellspacing="0" style="width: 442px;">
<colgroup><col width="163"></col>
<col width="258"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="163">Parameter</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="258">Value</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="163">Source Site Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="258">Select the checkbox (true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="163">Source Site URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="258"><code class="western">http://localhost:7001/appA</code>
</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="163">Signing Key Alias</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="258">testalias</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="163">Signing Key Passphrase</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="258">testkeypass</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="163">Intersite Transfer URIS</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="258"><i>/samlits_cc/its</i> (keep the other values)
</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="163">ITS Requires SSL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="258">Select the checkbox (true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="163">Assertion Retrieval URIs</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="258">/samlars/ars</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="163">ARS Requires SSL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="258">Select the checkbox(true)</td>
</tr>
</tbody></table>
<i>Table 4. Source Site Values</i>
<br />
<h4 class="western">
Step 8: Configure <i>domainB</i>, acting as a
SAML destination site
</h4>
I'm ready to begin the SAML destination site configuration. In
this step I'll create and configure a SAML Identity Assertion
Provider V2 instance. The SAML Identity Assertion provider acts as a
consumer of SAML security assertions, allowing WebLogic Server to act
as a destination site for using SAML for single sign-on. The SAML
Identity Assertion provider validates SAML assertions by checking the
signature and validating the certificate for trust in the certificate
registry maintained by the provider. The first thing I need to do
here is to create a SAML Identity Assertion Provider V2 instance and
import the certificate generated in step 4 into the provider's
certificate registry.<br />
Import the certificate:<br />
<ol>
<li><div style="margin-bottom: 0in;">
Copy the certificate file (<code class="western">testalias.der</code>)
that you generated previously to the <code class="western">$DOMAIN_HOME/security</code>
directory for domainB.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Log in to the WebLogic Server
Administration Console on <i>domainB.</i>
</div>
</li>
<li><div style="margin-bottom: 0in;">
Select a security realm, <code class="western">myrealm</code>.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Select the Providers tab, and then
select the Authentication tab.
</div>
</li>
<li>If a SAMLIdentityAsserter doesn't exist, then create a new
SAMLIdentityAsserter, as shown in Figure 7. An identity asserter
allows WebLogic Server to establish trust by validating a user.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-9EqMlScNgpw/WRLTULPiN1I/AAAAAAAALcY/gEdDwxIKqFQiG2r3EGhD4XHH5K2V09qLACLcB/s1600/figure07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://2.bp.blogspot.com/-9EqMlScNgpw/WRLTULPiN1I/AAAAAAAALcY/gEdDwxIKqFQiG2r3EGhD4XHH5K2V09qLACLcB/s320/figure07.png" width="320" /></a></div>
<br />
<i>Figure 7. Create a new Identity asserter</i>
<br />
<ol start="6">
<li><div style="margin-bottom: 0in;">
Select SAMLIdentityAsserter, click
the Management tab, and then click Certificates.
</div>
</li>
<li>In the Certificates dialog, click New, as shown in Figure 8.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-sPp70B62uPI/WRLTa7RhcJI/AAAAAAAALcc/dGYEzINNBOMzI3OpVPIsojoMqJIWaefAwCLcB/s1600/figure08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="157" src="https://3.bp.blogspot.com/-sPp70B62uPI/WRLTa7RhcJI/AAAAAAAALcc/dGYEzINNBOMzI3OpVPIsojoMqJIWaefAwCLcB/s320/figure08.png" width="320" /></a></div>
<br />
<i>Figure 8. Create a new identity asserter certificate</i>
<br />
<ol start="8">
<li><div style="margin-bottom: 0in;">
In the Alias field, enter a name
for the certificate. Good practice is to use the same name you used
when you created the certificate.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Enter the path to the certificate
file in the Certificate File Name field.
</div>
</li>
<li>Click Finish. If there are no problems, the message "The
certificate has been successfully registered." is displayed.
<br />
</li>
</ol>
<h4 class="western">
Step 9: Configure asserting party properties</h4>
In this step I'll create and configure an asserting party. When
you configure WebLogic Server to act as a consumer of SAML security
assertions, you need to register the parties whose SAML assertions
will be accepted. For a SAML asserting party, you can specify the
SAML profile used, details about the asserting party, and the
attributes expected in assertions received from the asserting party.<br />
The asserting party asserts that a user has been authenticated and
given associated attributes. For example, there is a user <code class="western">ssouser</code>,
and he/she is authenticated to this domain using a password
mechanism. Asserting parties are also known as <i>SAML authorities</i>.
<br />
<ol>
<li><div style="margin-bottom: 0in;">
On the Management tab, click
Asserting Parties.
</div>
</li>
<li><div style="margin-bottom: 0in;">
In the Asserting Parties table,
click New.
</div>
</li>
<li>In the Profile pull-down menu, select Browser/POST. In the
Description field, enter the name demoSAML to identify the asserting
party, as shown in Figure 9.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/--ciLkrF_39Q/WRLTgpDHX_I/AAAAAAAALcg/8Ls3tpLEhrcYnmQX3U9B29dqhAodqnYnwCLcB/s1600/figure09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://3.bp.blogspot.com/--ciLkrF_39Q/WRLTgpDHX_I/AAAAAAAALcg/8Ls3tpLEhrcYnmQX3U9B29dqhAodqnYnwCLcB/s320/figure09.png" width="320" /></a></div>
<br />
<i>Figure 9. Create a new asserting party</i>
<br />
<ol start="4">
<li>Set the asserting party values, as listed in Table 5.
<br />
</li>
</ol>
<table cellpadding="5" cellspacing="0" style="width: 606px;">
<colgroup><col width="265"></col>
<col width="319"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="265">Parameter</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="319">Value</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Target URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">http://localhost:7001/appA</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">POST Signing Certificate alias</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">testalias</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Source Site Redirect URIs</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">/appB/admin/services.jsp</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Source Site ITS URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">https://localhost:7002/samlits_ba/its</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Source Site ITS Parameters</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">RPID=rp_00001</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Issuer URI</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">http://www.bea.com/demoSAML</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Signature Required</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Asserting Signing Certificate Alias</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">testalias</td>
</tr>
</tbody></table>
<i>Table 5. Asserting Party (ap_00001) Values</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-xLQ8U2XNh0Y/WRLTn3xHJNI/AAAAAAAALck/MsClirtxlzwJP9m8rdxSMyvXCSrd3K0YACLcB/s1600/figure10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://4.bp.blogspot.com/-xLQ8U2XNh0Y/WRLTn3xHJNI/AAAAAAAALck/MsClirtxlzwJP9m8rdxSMyvXCSrd3K0YACLcB/s320/figure10.png" width="242" /></a></div>
<br />
<i>Figure 10. Asserting Party (ap_00001) Values</i><br />
<br />
<br />
<br />
<h4 class="western">
Step 10: Configure the SAML 1.1 destination site</h4>
In this step I'll configure various destination site settings for
the server instance running application <i>appB</i>. These settings
enable a server instance running on <i>domainB</i> to serve as a
SAML destination site, define service URIs (for example, Assertion
Consumer Service URI), add a certificate to sign POST profile
responses, and configure SSL for the Assertion Consumer Service.
<br />
<ol>
<li><div style="margin-bottom: 0in;">
In the administration console,
select Environment, and then select Servers in the Domain Structure
window.
</div>
</li>
<li>Select AdminServer, and then in the Settings for AdminServer,
click Federation Services, and then the SAML 1.1 Destination Site
tab, as shown in Figure 10.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-jc2-WYI7pz8/WRLTuKd6nUI/AAAAAAAALco/XWd271qbRwA9KHv8p-p2fgqsUMhlqfT-wCLcB/s1600/figure11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://3.bp.blogspot.com/-jc2-WYI7pz8/WRLTuKd6nUI/AAAAAAAALco/XWd271qbRwA9KHv8p-p2fgqsUMhlqfT-wCLcB/s320/figure11.png" width="320" /></a></div>
<br />
<i>Figure 11. SAML destination site settings</i>
<br />
<ol start="3">
<li>Set the destination site values, as listed in Table 6.
<br />
</li>
</ol>
<table cellpadding="5" cellspacing="0" style="width: 576px;">
<colgroup><col width="289"></col>
<col width="265"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="289">Parameter</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="265">Value</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">Destination Site Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">Assertion Consumer URIs</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">/samlacs/acs</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">ACS Requires SSL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">SSL Client Identity Alias</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">DemoIdentity</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">SSL Client Identity Pass Phrase</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">DemoIdentityPassPhrase</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">POST Recipient Check Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">POST One-Use Check Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">Used Assertion Cache Properties</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">APID=ap_00001</td>
</tr>
</tbody></table>
<i>Table 6. Destination Site Values</i>
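The Table 6 switches are easier to reason about when you can see what each one rejects. What follows is an added example written for this page, not WebLogic Server's code and not part of the tutorial's download: a small Python model of the destination-site checks (POST Recipient check, signature requirement, Issuer match against the Table 5 Issuer URI, validity window, and the one-use cache) run over constructed SAML 1.1 Browser/POST responses. The ACS URL <code class="western">https://localhost:7004/samlacs/acs</code> is assumed from domainB's SSL port, and XML-DSig verification is represented by a boolean verdict the caller supplies.<br />

```python
"""Illustrative model of the checks a SAML 1.1 destination site performs on a
Browser/POST response.  Added example for this page, not WebLogic Server code:
it mirrors the Table 6 switches (POST Recipient Check, POST One-Use Check,
Signature Required) and the Table 5 Issuer URI.  XML-DSig is out of scope;
the caller passes the signature verifier's verdict as a boolean."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed from the tutorial's tables (domainB ACS on its SSL port 7004).
ACS_URL = "https://localhost:7004/samlacs/acs"
TRUSTED_ISSUER = "http://www.bea.com/demoSAML"


class AssertionRejected(Exception):
    """Raised for any check a real ACS would answer with an error page."""


class DestinationSite:
    def __init__(self, acs_url, trusted_issuer, recipient_check=True,
                 one_use_check=True, signature_required=True):
        self.acs_url = acs_url
        self.trusted_issuer = trusted_issuer
        self.recipient_check = recipient_check
        self.one_use_check = one_use_check
        self.signature_required = signature_required
        # Used-assertion cache: AssertionID -> NotOnOrAfter, so an entry can
        # be evicted once the assertion could no longer be accepted anyway.
        self.used = {}

    def consume(self, response_b64, signature_valid, now):
        """Validate one POSTed response; returns the asserted user name."""
        resp = ET.fromstring(base64.b64decode(response_b64))
        if resp.tag != "{%s}Response" % NS["samlp"]:
            raise AssertionRejected("not a SAML 1.x Response")
        # POST Recipient Check Enabled: the response must name this ACS URL.
        if self.recipient_check and resp.get("Recipient") != self.acs_url:
            raise AssertionRejected("Recipient %r is not this ACS" % resp.get("Recipient"))
        # Signature Required: unsigned or badly signed POST responses are dropped.
        if self.signature_required and not signature_valid:
            raise AssertionRejected("response signature missing or invalid")
        assertion = resp.find("saml:Assertion", NS)
        if assertion is None:
            raise AssertionRejected("no Assertion in response")
        # Issuer URI must match the registered asserting party (Table 5).
        if assertion.get("Issuer") != self.trusted_issuer:
            raise AssertionRejected("untrusted Issuer %r" % assertion.get("Issuer"))
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            raise AssertionRejected("Assertion has no Conditions")
        not_before = datetime.fromisoformat(cond.get("NotBefore"))
        not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            raise AssertionRejected("Assertion outside its validity window")
        # POST One-Use Check Enabled: each AssertionID is accepted only once.
        self.used = {k: v for k, v in self.used.items() if v > now}
        aid = assertion.get("AssertionID")
        if self.one_use_check:
            if aid in self.used:
                raise AssertionRejected("AssertionID %r already used (replay)" % aid)
            self.used[aid] = not_on_or_after
        name_id = assertion.find(".//saml:NameIdentifier", NS)
        if name_id is None or not name_id.text:
            raise AssertionRejected("no Subject NameIdentifier")
        return name_id.text


def build_response(recipient, issuer, assertion_id, not_before, not_on_or_after, subject):
    """Construct a minimal, unsigned SAML 1.1 Response (demo input only)."""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Recipient="%s">'
           '<saml:Assertion Issuer="%s" AssertionID="%s">'
           '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/>'
           '<saml:AuthenticationStatement><saml:Subject>'
           '<saml:NameIdentifier>%s</saml:NameIdentifier></saml:Subject>'
           '</saml:AuthenticationStatement></saml:Assertion></samlp:Response>'
           % (NS["samlp"], NS["saml"], recipient, issuer, assertion_id,
              not_before.isoformat(), not_on_or_after.isoformat(), subject))
    return base64.b64encode(xml.encode()).decode()


def demo():
    """Run the checks on constructed inputs; returns {case: outcome}."""
    now = datetime(2018, 7, 29, 13, 50, tzinfo=timezone.utc)
    site = DestinationSite(ACS_URL, TRUSTED_ISSUER)
    window = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    good = build_response(ACS_URL, TRUSTED_ISSUER, "_a1", *window, "ssouser")
    out = {"first_use": site.consume(good, True, now)}
    cases = [("replay", good, True),
             ("unsigned", build_response(ACS_URL, TRUSTED_ISSUER, "_a2", *window, "ssouser"), False),
             ("wrong_recipient", build_response("https://localhost:7006/samlacs/acs",
                                                TRUSTED_ISSUER, "_a3", *window, "ssouser"), True),
             ("expired", build_response(ACS_URL, TRUSTED_ISSUER, "_a4", now - timedelta(minutes=10),
                                        now - timedelta(minutes=5), "ssouser"), True)]
    for label, resp, sig in cases:
        try:
            site.consume(resp, sig, now)
            out[label] = "accepted"
        except AssertionRejected as exc:
            out[label] = "rejected: %s" % exc
    return out
```

The replay case is why the one-use check exists: without it, the same POSTed response is accepted again until its NotOnOrAfter passes, so the cache only needs to keep an AssertionID for as long as the assertion itself is valid, which is what the eviction line does.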
<br />
<h3 class="western">
Test Single Sign-On</h3>
To test single sign-on, open a browser and point to the URL
<code class="western">http://localhost:7001/appA/</code>. The
FORM-based authentication configured for <i>appA</i> will display
the <code class="western">login.jsp</code> page, as shown in Figure
11. Enter <code class="western">ssouser</code> and <code class="western">demosaml</code>
as the values (created in step 2).
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-dosjm0uOgU4/WRLTzidB0WI/AAAAAAAALcs/CU4-hXeqE3MdnLWAUnhezdA4m82cOxbvwCLcB/s1600/figure12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://4.bp.blogspot.com/-dosjm0uOgU4/WRLTzidB0WI/AAAAAAAALcs/CU4-hXeqE3MdnLWAUnhezdA4m82cOxbvwCLcB/s320/figure12.jpg" width="313" /></a></div>
<br />
<i>Figure 12. Browser showing appA login</i>
<br />
This will authenticate the user using the default authenticator
configured for <i>domainA</i>.
<br />
The <code class="western">auth.jsp</code> page will now be
displayed. This page shows a link to <i>appB</i>
(<code class="western">http://localhost:7003/appB/admin/services.jsp</code>),
as shown in Figure 12. Clicking this link will trigger a call to the
ITS servlet and cause the assertion to be generated and the control
to be transferred to the destination site.
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-L4HDdMwbfQo/WRLT5Vb2J7I/AAAAAAAALcw/joF0msW5N-MWzunIUPDVqe7_p4P1_RkAwCLcB/s1600/figure13.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://3.bp.blogspot.com/-L4HDdMwbfQo/WRLT5Vb2J7I/AAAAAAAALcw/joF0msW5N-MWzunIUPDVqe7_p4P1_RkAwCLcB/s320/figure13.jpg" width="320" /></a></div>
<br />
<i>Figure 13. Browser showing appA successful login with destination site (appB on domainB) link</i>
<br />
Once the assertion is validated on the destination site, the
<code class="western">ssouser</code> is allowed to access the
<code class="western">services.jsp</code> page, as shown in Figure
13.
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-T3gZHP7Vheg/WRLT-NjZMqI/AAAAAAAALc0/93gPpgYLan8VZp-oo14J0KHH22xgZznGgCLcB/s1600/figure14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://3.bp.blogspot.com/-T3gZHP7Vheg/WRLT-NjZMqI/AAAAAAAALc0/93gPpgYLan8VZp-oo14J0KHH22xgZznGgCLcB/s320/figure14.jpg" width="320" /></a></div>
<br />
<i>Figure 14. Browser showing appB successful login with SSO</i>
<br />
What if <code class="western">ssouser</code> visits the
destination site first? In Step 9, when the asserting party was
configured, the Source Site Redirect URI was set to URI
<code class="western">/appB/admin/services.jsp</code>. This is the
URI from which the unauthenticated user will be redirected to the ITS
URL, <code class="western">https://localhost:7001/samlits_ba/its</code>,
of the source site. This is done to support the destination site
first scenario, whereby a user tries to access a destination site URL
prior to being authenticated and is redirected to the source site to
be authenticated and then obtain a SAML assertion. The ITS servlet at
the source site will challenge the user to supply a username and
password. Upon successful authentication, the redirection to the
destination site is issued, and the <code class="western">/appB/admin/services.jsp</code>
page is displayed.
<br />
<h3 class="western">
Debugging Notes</h3>
You can enable SAML security debugging to see how the source and
destination site interact using the SAML SSO process. To enable SAML
security debugging:<br />
<ol>
<li><div style="margin-bottom: 0in;">
In the administration console,
select Environment, and then select Servers, in the Domain Structure
window.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Select AdminServer and then the
Debug tab.
</div>
</li>
<li><div style="margin-bottom: 0in;">
In the Change Center window,
select Lock and Edit; this will allow you to edit the debug
settings.
</div>
</li>
<li><div style="margin-bottom: 0in;">
In the Debug Scope and Attributes,
click to open the weblogic > security > saml node. Select the
checkbox to enable SAML debugging, as shown in the Figure 14.
</div>
</li>
<li>In the Change Center window, click Activate Changes.
<br />
</li>
</ol>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-NCn3nwPbjMQ/WRLUD-QsKJI/AAAAAAAALc4/fQ3IUGNbwSMnuISMW8OSD_qyVCqJFtTmgCLcB/s1600/figure15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://2.bp.blogspot.com/-NCn3nwPbjMQ/WRLUD-QsKJI/AAAAAAAALc4/fQ3IUGNbwSMnuISMW8OSD_qyVCqJFtTmgCLcB/s320/figure15.jpg" width="231" /></a></div>
<br />
<i>Figure 15. Showing WebLogic console enabling SAML debug</i>
<br />
You can then view the AdminServer log file on <i>domainA</i>
(source) and <i>domainB</i> (destination) to debug the SAML-related
issues (Figure 15).
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-S7owydJzIz0/WRLUMPqUs-I/AAAAAAAALc8/CA3fnqU86vkjFvZtkYsqQTZyBV9U66bXwCLcB/s1600/figure16.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://4.bp.blogspot.com/-S7owydJzIz0/WRLUMPqUs-I/AAAAAAAALc8/CA3fnqU86vkjFvZtkYsqQTZyBV9U66bXwCLcB/s320/figure16.jpg" width="320" /></a></div>
<br />
<i>Figure 16. AdminServer log showing SAML interactions</i>
<br />
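Once the debug flag is on, the records you care about are a small fraction of AdminServer.log. The following is an added example written for this page, not part of the tutorial's download: a Python filter that splits WebLogic's documented server-log record layout (<code class="western">####&lt;Date&gt; &lt;Severity&gt; &lt;Subsystem&gt; &lt;Machine&gt; &lt;Server&gt; &lt;Thread&gt; &lt;User&gt; &lt;Transaction&gt; &lt;DiagnosticContext&gt; &lt;RawTime&gt; &lt;MessageID&gt; &lt;Message&gt;</code>) into fields and keeps only the Debug records from the SAML subsystems. The sample lines, the <code class="western">SecuritySAML*</code> subsystem names and the message texts are constructed for the demo, not copied from a real log.<br />

```python
"""Filter a WebLogic Server log down to the SAML debug records.  Added
example for this page (not tutorial code).  Record layout is WebLogic's
documented server-log format; the sample lines, subsystem names and
messages below are constructed for the demo."""

# Constructed sample of what a domainA/domainB AdminServer.log might hold.
SAMPLE_LOG = """\
####<Jul 29, 2018 6:50:15 AM PDT> <Info> <WebLogicServer> <localhost> <AdminServer> <main> <<WLS Kernel>> <> <> <1532872215000> <BEA-000360> <The server started in RUNNING mode.>
####<Jul 29, 2018 6:51:02 AM PDT> <Debug> <SecuritySAMLLib> <localhost> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <ssouser> <> <> <1532872262000> <BEA-000000> <SAMLCredentialMapper: created assertion for subject ssouser, relying party rp_00001>
####<Jul 29, 2018 6:51:03 AM PDT> <Debug> <SecuritySAMLAtn> <localhost> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1532872263000> <BEA-000000> <SAMLIdentityAsserter: verifying assertion from asserting party ap_00001>
####<Jul 29, 2018 6:51:03 AM PDT> <Debug> <SecuritySAMLAtn> <localhost> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1532872263100> <BEA-000000> <SAMLIdentityAsserter: assertion rejected: Recipient mismatch>
"""

FIELDS = ["timestamp", "severity", "subsystem", "machine", "server", "thread",
          "user", "transaction", "diag_context", "raw_time", "message_id", "message"]


def parse_record(line):
    """Split one '####<...> <...> ...' record into its 12 fields, allowing one
    level of nested angle brackets (for example the <<WLS Kernel>> user id)."""
    if not line.startswith("####"):
        return None
    fields, buf, depth = [], [], 0
    for ch in line[4:]:
        if ch == "<":
            depth += 1
            if depth == 1:
                continue            # opening bracket of a field
        elif ch == ">":
            depth -= 1
            if depth == 0:          # closing bracket of a field
                fields.append("".join(buf))
                buf = []
                continue
        if depth >= 1:
            buf.append(ch)          # field text, including nested brackets
    return dict(zip(FIELDS, fields)) if len(fields) == len(FIELDS) else None


def saml_debug_records(log_text, subsystem_prefix="SecuritySAML"):
    """Keep only Debug-severity records from the SAML subsystems."""
    recs = (parse_record(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["severity"] == "Debug"
            and r["subsystem"].startswith(subsystem_prefix)]


def rejected_assertions(records):
    """The records to read first: the identity asserter refusing an assertion."""
    return [r for r in records if "rejected" in r["message"].lower()]


def summarize(log_text):
    """Count SAML debug records and list the rejections with their timestamps."""
    recs = saml_debug_records(log_text)
    return {"saml_debug": len(recs),
            "rejected": [(r["timestamp"], r["message"]) for r in rejected_assertions(recs)]}


if __name__ == "__main__":
    for stamp, msg in summarize(SAMPLE_LOG)["rejected"]:
        print(stamp, msg)
```

Run it against the real <code class="western">AdminServer.log</code> of the source and destination domains by reading the file into <code class="western">summarize()</code>; the user field tells you which domain authenticated the subject and which one saw only an anonymous request carrying the assertion.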
<h3 class="western">
Download</h3>
<ul>
<li><a href="http://www.oracle.com/technetwork/articles/entarch/sso-with-saml-134555.zip" target="_blank">Sample code for this tutorial</a></li>
<li><a href="https://drive.google.com/file/d/0B6bjj_sLUlg3cXFnQWRvNXNNY3c/view?usp=sharing" target="_blank">Sample code modified</a><br />
</li>
</ul>
<h3 class="western">
Summary</h3>
The tutorial shows how SAML source and destination site domains
can be configured to allow Web applications on these domains to
operate in a federation of trust based on successful single sign-on
to the SAML source site Web application. This is a powerful paradigm,
completely configured using the administration console, providing
immediate benefit to users of your many applications.<br />
<h2 class="western">
Part 2</h2>
<h3 class="western">
SAML Configuration Using the WebLogic
Administrative Console</h3>
Before extending the SAML configuration, in the first few steps
you'll create and set up a third WebLogic Server domain containing
a single AdminServer that will host another copy of the sample
application <i>appB</i>.
<br />
<h4 class="western">
Step 1: Create a second SAML destination site
domain and application server</h4>
The sample applications in this tutorial are hosted on two domains
on the local host, so the first step is to create the domains and
servers running on given ports, as listed below in Table 1.<br />
<table cellpadding="5" cellspacing="0" style="width: 678px;">
<colgroup><col width="223"></col>
<col width="61"></col>
<col width="116"></col>
<col width="92"></col>
<col width="56"></col>
<col width="67"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="223"><br /></th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="61">Host</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="116">Application Server</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="92">Application Name</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="56">Port</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="67">SSL Port</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="223">SAML Source Site Domain: domainA
</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="61">localhost</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="116">AdminServer</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="92">appA</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="56">7001</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="67">7002</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="223">SAML Destination Site Domain: domainB
</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="61">localhost</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="116">AdminServer</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="92">appB</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="56">7003</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="67">7004</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="223">SAML Destination Site Domain: domainC</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="61">localhost</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="116">AdminServer</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="92">appB</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="56">7005</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="67">7006</td>
</tr>
</tbody></table>
<i>Table 7. Sample application domains and application servers</i>
<br />
Create domainC, as shown in Table 1, using the Domain
Configuration Wizard. Update the appropriate listen ports during
Domain creation or using the WebLogic Server Administration Console.<br />
<h4 class="western">
Step 2: Create users</h4>
<div style="line-height: 100%; margin-bottom: 0in;">
Create a user
<i>ssouser</i> in domainC under the <i>myrealm</i> realm.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="5" cellspacing="0" style="width: 582px;">
<colgroup><col width="313"></col>
<col width="80"></col>
<col width="157"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="313"><br /></th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="80">Realm</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="157">User/Password</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="313">SAML Source Site Domain: domainA
</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="80">myrealm</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="157">ssouser/welcome1</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="313">SAML Destination Site Domain: domainB
</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="80">myrealm</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="157">ssouser/welcome1</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="313">SAML Destination Site Domain: domainB</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="80">myrealm</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="157">ssouser/welcome1</td>
</tr>
</tbody></table>
<i>Table 8. The user participating in single sign-on</i>
<br />
<h4 class="western">
Step 3: Configure relying party properties</h4>
In this step I'll create and configure a new relying party on the
asserting side (<i>domainA</i>).<br />
The relying party determines whether it trusts the assertions
provided to it by the asserting party. SAML defines a number of
mechanisms that enable the relying party to trust the assertions
provided to it.<br />
<ol>
<li value="1"><div style="margin-bottom: 0in;">
Connect to WebLogic
Console for domainA</div>
</li>
<li><div style="margin-bottom: 0in;">
Go to <i>Security Realms</i>,
select <i>myrealm</i></div>
</li>
<li><div style="margin-bottom: 0in;">
Click on the <i>Providers</i> tab, then on the <i>Credential Mappers</i>
tab</div>
</li>
<li><div style="margin-bottom: 0in;">
From the list select <i>SAMLCredentialMapper</i> (that you previously
created)</div>
</li>
<li><div style="margin-bottom: 0in;">
On the Management tab, click
Relying Parties.
</div>
</li>
<li><div style="margin-bottom: 0in;">
In the Relying Parties table,
click New.
</div>
</li>
<li>In the Profile pull-down menu, select Browser/POST. In the
Description field, enter the name demoSAML to identify the relying
party, as shown in Figure 5.
<br />
</li>
</ol>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/---EKb1nDL38/WRLUUASHGyI/AAAAAAAALdA/806WSP6QBjMjvwRiMHxfeAkVamw3aoLhACLcB/s1600/figure17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://3.bp.blogspot.com/---EKb1nDL38/WRLUUASHGyI/AAAAAAAALdA/806WSP6QBjMjvwRiMHxfeAkVamw3aoLhACLcB/s320/figure17.png" width="320" /></a></div>
<br />
<i>Figure 17. Relying party configuration</i>
<br />
<ol start="8">
<li>Set the relying party values, as listed in Table 3.
<br />
</li>
</ol>
<table cellpadding="5" cellspacing="0" style="width: 612px;">
<colgroup><col width="207"></col>
<col width="383"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="207">Parameter</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="383">Value</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Target URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">http://localhost:7005/appB/admin/services.jsp</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Assertion Consumer URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">https://localhost:7006/samlacs/acs</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Assertion Consumer Parameters</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">APID=ap_00001
</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Signature Required</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="207">Include Keyinfo</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="383">Select the checkbox(true)</td>
</tr>
</tbody></table>
<i>Table 9. Relying Party (rp_00002) Values</i>
<br />
Although a relying party may trust the assertions provided to it
for user <code class="western">ssouser</code>, the local access
policy on the destination site application appB on <i>domainB</i>
defines whether the subject (<code class="western">ssouser</code>)
may access local resources.
<br />
<h4 class="western">
Step 4: Configure <i>domainC</i>, acting as a SAML destination site
</h4>
I'm ready to configure domainC as a SAML destination site, as was
already done for domainB. The first thing to do here is to create a
SAML Identity Assertion Provider V2 instance and import the
certificate generated in step 4 into the provider's certificate
registry.<br />
Import the certificate:<br />
<ol>
<li value="1"><div style="margin-bottom: 0in;">
Copy the certificate file (<code class="western">testalias.der</code>)
that you generated previously to the
<code class="western">$DOMAIN_HOME/security</code> directory for domainC.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Log in to the WebLogic Server Administration Console on <i>domainC</i>.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Select a security realm, <code class="western">myrealm</code>.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Select the Providers tab, and then
select the Authentication tab.
</div>
</li>
<li>If a SAMLIdentityAsserter doesn't exist, then create a new
SAMLIdentityAsserter, as shown in Figure 7. An identity asserter
allows WebLogic Server to establish trust by validating a user.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-9RekUkr7iRk/WRLUcCYyBnI/AAAAAAAALdE/61P9D8VQnXckdGh4abdDvE-WBJXfzV7ZACLcB/s1600/figure18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://2.bp.blogspot.com/-9RekUkr7iRk/WRLUcCYyBnI/AAAAAAAALdE/61P9D8VQnXckdGh4abdDvE-WBJXfzV7ZACLcB/s320/figure18.png" width="320" /></a></div>
<br />
<i>Figure 18. Create a new identity asserter</i>
<br />
<ol start="6">
<li><div style="margin-bottom: 0in;">
Select SAMLIdentityAsserter, click
the Management tab, and then click Certificates.
</div>
</li>
<li>In the Certificates dialog, click New, as shown in Figure 8.
<br />
</li>
</ol>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-y6UXGhI-Ki8/WRLUhqBp4xI/AAAAAAAALdI/fhw5IEnDUioZCXijUlttjhXd062y15eYgCLcB/s1600/figure19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://1.bp.blogspot.com/-y6UXGhI-Ki8/WRLUhqBp4xI/AAAAAAAALdI/fhw5IEnDUioZCXijUlttjhXd062y15eYgCLcB/s320/figure19.png" width="320" /></a></div>
<br />
<i>Figure </i><i>19</i><i>. Create a new identity
asserter certificate</i>
<br />
<ol start="8">
<li><div style="margin-bottom: 0in;">
In the Alias field, enter a name
for the certificate. Good practice is to use the same name you used
when you created the certificate.
</div>
</li>
<li><div style="margin-bottom: 0in;">
Enter the path to the certificate
file in the Certificate File Name field.
</div>
</li>
<li>Click Finish. If there are no problems, the message "The
certificate has been successfully registered." is displayed.
<br />
</li>
</ol>
<h4 class="western">
Step 4: Configure asserting party properties</h4>
In this step I'll create and configure an asserting party. When
you configure WebLogic Server to act as a consumer of SAML security
assertions, you need to register the parties whose SAML assertions
will be accepted. For a SAML asserting party, you can specify the
SAML profile used, details about the asserting party, and the
attributes expected in assertions received from the asserting party.<br />
The asserting party asserts that a user has been authenticated and
given associated attributes. For example, it vouches that user <code class="western">ssouser</code>
was authenticated on the source site using a password
mechanism. Asserting parties are also known as <i>SAML authorities</i>.
<br />
<ol>
<li><div style="margin-bottom: 0in;">
On the Management tab, click
Asserting Parties.
</div>
</li>
<li><div style="margin-bottom: 0in;">
In the Asserting Parties table,
click New.
</div>
</li>
<li>In the Profile pull-down menu, select Browser/POST. In the
Description field, enter the name demoSAML to identify the asserting
party, as shown in Figure 20.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-SJS4BSwx9Ow/WRLUnCwtJjI/AAAAAAAALdM/2b_swP_qj8kOSF6kzRU3sqN7eBAPOb0VACLcB/s1600/figure20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://4.bp.blogspot.com/-SJS4BSwx9Ow/WRLUnCwtJjI/AAAAAAAALdM/2b_swP_qj8kOSF6kzRU3sqN7eBAPOb0VACLcB/s320/figure20.png" width="320" /></a></div>
<br />
<i>Figure </i><i>20</i><i>. Create a new asserting party</i>
<br />
<ol start="4">
<li>Set the asserting party values, as listed in Table 11.
<br />
</li>
</ol>
<table cellpadding="5" cellspacing="0" style="width: 606px;">
<colgroup><col width="265"></col>
<col width="319"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="265">Parameter</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="319">Value</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Target URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">http://localhost:7001/appA</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">POST Signing Certificate alias</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">testalias</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Source Site Redirect URIs</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">/appB/admin/services.jsp</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Source Site ITS URL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">https://localhost:7002/samlits_ba/its</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Source Site ITS Parameters</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">RPID=rp_00002</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Issuer URI</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">http://www.bea.com/demoSAML</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Signature Required</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="265">Assertion Signing Certificate Alias</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="319">testalias</td>
</tr>
</tbody></table>
<i>Table </i><i>11</i><i>. Asserting Party (ap_0000</i><i>1</i><i>)
Values</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-JGhvGl6y4ds/WRLUtm01vVI/AAAAAAAALdQ/yRYn8R__gfcH6Ws8YB47IG_dPCriVgfNACLcB/s1600/figure21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://1.bp.blogspot.com/-JGhvGl6y4ds/WRLUtm01vVI/AAAAAAAALdQ/yRYn8R__gfcH6Ws8YB47IG_dPCriVgfNACLcB/s320/figure21.png" width="246" /></a></div>
<i> </i>
<br />
<i>Figure </i><i>21</i><i>. Asserting Party (ap_00001)
Values</i><br />
<br />
<br />
<br />
<h4 class="western">
Step 5: Configure the SAML 1.1 destination site</h4>
In this step I'll configure various destination site settings for
the server instance running application <i>appB</i>. These settings
enable a server instance running on <i>domain</i><i>C</i> to
serve as a SAML destination site, define service URIs (for example,
the Assertion Consumer Service URI), select the SSL client identity the
destination site presents when it connects to the source site over SSL,
require SSL for the Assertion Consumer Service, and turn on the recipient
and one-use checks on POST profile responses.
<br />
<ol>
<li><div style="margin-bottom: 0in;">
In the administration console,
select Environment, and then select Servers in the Domain Structure
window.
</div>
</li>
<li>Select AdminServer, and then in the Settings for AdminServer,
click Federation Services, and then the SAML 1.1 Destination Site
tab, as shown in Figure 22.
<br />
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-oWEHVmHTHUc/WRLU0MZGdpI/AAAAAAAALdU/DUzIoJb3SX8y9BBI1aPI1Zl8fFimfjx7QCLcB/s1600/figure22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://1.bp.blogspot.com/-oWEHVmHTHUc/WRLU0MZGdpI/AAAAAAAALdU/DUzIoJb3SX8y9BBI1aPI1Zl8fFimfjx7QCLcB/s320/figure22.png" width="320" /></a></div>
<br />
<i>Figure </i><i>22</i><i>. SAML destination site
settings</i>
<br />
<ol start="3">
<li>Set the destination site values, as listed in Table 12.
<br />
</li>
</ol>
<table cellpadding="5" cellspacing="0" style="width: 576px;">
<colgroup><col width="289"></col>
<col width="265"></col>
</colgroup><tbody>
<tr>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: 1px solid #808080; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0.05in;" width="289">Parameter</th>
<th style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: 1px solid #808080; padding: 0.05in;" width="265">Value</th>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">Destination Site Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">Assertion Consumer URIs</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">/samlacs/acs</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">ACS Requires SSL</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">SSL Client Identity Alias</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">DemoIdentity</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">SSL Client Identity Pass Phrase</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">DemoIdentityPassPhrase</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">POST Recipient Check Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">POST One-Use Check Enabled</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">Select the checkbox(true)</td>
</tr>
<tr>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: none; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0in; padding-top: 0in;" width="289">Used Assertion Cache Properties</td>
<td style="border-bottom: 1px solid #808080; border-left: 1px solid #808080; border-right: 1px solid #808080; border-top: none; padding-bottom: 0.05in; padding-left: 0.05in; padding-right: 0.05in; padding-top: 0in;" width="265">APID=ap_00001</td>
</tr>
</tbody></table>
<i>Table </i><i>12</i><i>. Destination Site Values</i>
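<br />
The flags in Tables 11 and 12 decide what domainC rejects, but the console does not show the checks themselves. The Python script below is an added example, not code from the original post or from WebLogic, that models the checks a SAML 1.1 Browser/POST destination site performs on an incoming response once these settings are in force: the Issuer URI must belong to a registered, enabled asserting party; with Signature Required a ds:Signature must be present; with POST Recipient Check Enabled the Recipient must equal the Assertion Consumer Service URL; the Conditions window must contain the current time; and with POST One-Use Check Enabled an AssertionID is accepted only once. Cryptographic verification of the XML signature against the registered certificate alias is not reproduced (it needs XML canonicalisation and is the identity asserter's job). The ACS URL https://localhost:7003/samlacs/acs, the sample response and the clock values are assumptions made for the example.<br />

```python
# Added example, not code from the original post or from WebLogic: the checks a SAML 1.1
# Browser/POST destination site makes with the Table 11/12 settings on (XML-DSig verification
# is left to the identity asserter; everything else is standard library).
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ISSUER = "http://www.bea.com/demoSAML"          # Issuer URI from Table 11
ACS_URL = "https://localhost:7003/samlacs/acs"  # assumed host and port for domainC's ACS

@dataclass
class AssertingParty:
    """Subset of the Table 11 settings for one registered SAML authority."""
    issuer_uri: str
    enabled: bool = True
    signature_required: bool = True

@dataclass
class DestinationSite:
    """Subset of the Table 12 settings plus the used-assertion cache."""
    acs_url: str
    post_recipient_check: bool = True
    post_one_use_check: bool = True
    asserting_parties: dict[str, AssertingParty] = field(default_factory=dict)
    used_assertion_ids: set[str] = field(default_factory=set)

def _utc(value: str) -> datetime:  # SAML 1.1 timestamps are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_post_response(site: DestinationSite, xml: str, now: datetime) -> list[str]:
    """Return the reasons for rejecting the response; an empty list means accepted."""
    problems: list[str] = []
    root = ET.fromstring(xml)
    # POST Recipient Check: the response must be addressed to this ACS, not another site's.
    if site.post_recipient_check and root.get("Recipient") != site.acs_url:
        problems.append(f"Recipient {root.get('Recipient')!r} != ACS {site.acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in response"]
    # The Issuer URI must belong to a registered, enabled asserting party (Table 11).
    party = site.asserting_parties.get(assertion.get("Issuer", ""))
    if party is None or not party.enabled:
        problems.append(f"issuer {assertion.get('Issuer')!r} is not a registered, enabled asserting party")
    elif party.signature_required and root.find("ds:Signature", NS) is None \
            and assertion.find("ds:Signature", NS) is None:
        problems.append("Signature Required but no ds:Signature on response or assertion")
    # Conditions window: the clocks of the two domains must agree for this to pass.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    # POST One-Use Check: an AssertionID is consumed exactly once.
    aid = assertion.get("AssertionID", "")
    if site.post_one_use_check:
        if aid in site.used_assertion_ids:
            problems.append(f"AssertionID {aid} already consumed (replay)")
        elif not problems:
            site.used_assertion_ids.add(aid)  # record only assertions that were accepted
    return problems

def sample_response(recipient: str, aid: str, issuer: str, signed: bool, nb: str, noa: str) -> str:
    """Constructed SAML 1.1 POST response; the ds:Signature is a structural placeholder."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>' if signed else "")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" MajorVersion="1"
  MinorVersion="1" ResponseID="_r{aid}" IssueInstant="{nb}" Recipient="{recipient}">{sig}
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="{aid}" Issuer="{issuer}" IssueInstant="{nb}">
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="{nb}"><saml:Subject><saml:NameIdentifier>ssouser</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement></saml:Assertion></samlp:Response>"""

def demo() -> dict[str, list[str]]:
    """Scenarios a tester should try against domainC's ACS, with the verdict for each."""
    site = DestinationSite(acs_url=ACS_URL, asserting_parties={ISSUER: AssertingParty(ISSUER)})
    now = datetime(2017, 5, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock
    nb, noa = "2017-05-10T11:59:00Z", "2017-05-10T12:05:00Z"
    good = sample_response(ACS_URL, "_a1", ISSUER, True, nb, noa)
    return {
        "accepted": validate_post_response(site, good, now),
        "replayed": validate_post_response(site, good, now),  # the same POST form submitted twice
        "wrong_recipient": validate_post_response(
            site, sample_response("https://other.example/samlacs/acs", "_a2", ISSUER, True, nb, noa), now),
        "unsigned": validate_post_response(site, sample_response(ACS_URL, "_a3", ISSUER, False, nb, noa), now),
        "unknown_issuer": validate_post_response(
            site, sample_response(ACS_URL, "_a4", "http://other.example/idp", True, nb, noa), now),
        "expired": validate_post_response(
            site, sample_response(ACS_URL, "_a5", ISSUER, True, nb, noa), now + timedelta(minutes=10)),
    }

if __name__ == "__main__":
    print(*(f"{k}: {'; '.join(v) or 'accepted'}" for k, v in demo().items()), sep="\n")
```

Run it to see the verdict for each scenario. The replayed case is the reason POST One-Use Check Enabled matters: a Browser/POST response travels through the user's browser as an HTML form, and without the used-assertion cache a captured form could be submitted a second time and would pass every other check. The recipient check is what stops a response issued for one destination site from being presented to another.<br />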
<br />
<h3 class="western">
Test Single Sign-On on domainC</h3>
To test single sign-on, first change appA to add a link to
domainC.<br />
Open a browser and point it to the URL <code class="western">http://localhost:7001/appA/</code>.
As in the previous test, enter <i>ssouser/welcome1</i>.<br />
The following page appears:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-v6Y1ZMGZHe8/WRLU7is1pfI/AAAAAAAALdY/CZw0qwX8RloQeTjJja8ZSbUJ-INv6LybQCLcB/s1600/figure23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://3.bp.blogspot.com/-v6Y1ZMGZHe8/WRLU7is1pfI/AAAAAAAALdY/CZw0qwX8RloQeTjJja8ZSbUJ-INv6LybQCLcB/s320/figure23.png" width="320" /></a></div>
<i>Figure </i><i>23. Welcome page after login on domainA</i><br />
<br />
Click the second link: you are redirected to appB in domainC without
being asked to authenticate again:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-gBuC12FYIOo/WRLVFssVTuI/AAAAAAAALdc/CkP4ViL2jooSJFFZV3vzpLIYg1WVifOBACLcB/s1600/figure24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="https://2.bp.blogspot.com/-gBuC12FYIOo/WRLVFssVTuI/AAAAAAAALdc/CkP4ViL2jooSJFFZV3vzpLIYg1WVifOBACLcB/s320/figure24.png" width="320" /></a></div>
<i>Figure </i><i>24. Application appB on domainC </i>
<br />
<br />
<br />
That's all folks!Guido Campanihttp://www.blogger.com/profile/01535706688313138011noreply@blogger.com0