Steps to configure SAML 2.0 with Shibboleth ( deployed on WLS ) as IDP and Weblogic as SP.

In the example below we will see how to configure SAML 2.0 SSO using Shibboleth ( deployed on WLS ) as Identity Provider and Weblogic as Service provider.

* I am using Shibboleth v2.3.8 as identity provider, Weblogic 10.3.6 as Service Provider and Active Directory for LDAP authentication in this example.

Step 1 :

  • Create two domains in WLS 10.3.6, namely :
    • " shibboleth-idp_domain " --> For Shibboleth IDP --> Admin server http port 7001 and https port 7002.
    • " sp_domain " --> For WLS SP --> Admin server http port 8001 and https port 8002.

Note : In this example I will be using the Weblogic console app for SAML SSO. If you want SAML SSO for any other application like analytics / BI / a custom app, which are deployed on Managed Servers, then make sure you give the port number of the Managed Servers in all the URLs during configuration.

Step 2 :

  • Download Shibboleth IDP from the following link :

Link : http://shibboleth.net/downloads/identity-provider/2.3.8/shibboleth-identityprovider-2.3.8-bin.zip

Step 3 :

  • Unzip and Install Shibboleth.
    • Unzip the downloaded Shibboleth software ( Unzip shibboleth-identityprovider-2.3.8-bin.zip to any location, say Desktop )
    • Open a cmd prompt and run the setDomainEnv.cmd command
    • Now cd to the unzipped folder and run the following command : 

           install.sh   or   install.bat

    • When you run the install.bat file, you would get an option to select the location where you want Shibboleth to be installed.

Note : Give a path that does not contain any spaces. Ex : avoid a path like C:\Program Files\shibboleth-idp

In this example I have installed shibboleth in c:\shibboleth-idp.

    • You would also get an option to create a self signed identity keystore.

Note : You have to use a fully qualified DNS name for the host ( Ex : an FQDN like abcd.oracle.com ), or else the Shibboleth installation will fail.

    • You can provide any password in the password field in cmd prompt.

Note : The password you enter would be your storepass ( password of your keystore ), as well as the keypass ( password of your private key entry ).


Step 4 :

  • Configure Shibboleth as Identity Provider.

To Configure Shibboleth as identity provider you need to edit the following Shibboleth config files and deploy a Shibboleth war file in Weblogic IDP domain.

  1. idp-metadata.xml
  2. login.config
  3. handler.xml
  4. relying-party.xml
  5. attribute-resolver.xml
  6. attribute-filter.xml

Note : It is always good to take a backup of the original Shibboleth config files before editing them. 

Let's edit the above files one after the other :

  1. Edit " C:\shibboleth-idp\metadata\idp-metadata.xml " and make the following changes :

  • Search for " entityID " and " Location " in idp-metadata.xml and fix all the URLs to point to the correct port number ( the port of the server in the WLS IDP domain where the Shibboleth war file will be targeted; in our case 7002 for the domain shibboleth-idp_domain ).

....
....
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://test.oracle.com:7002/idp/shibboleth"> 
....
....
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://test.oracle.com:7002/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://test.oracle.com:7002/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://test.oracle.com:7002/idp/profile/Shibboleth/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.oracle.com:7002/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://test.oracle.com:7002/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.oracle.com:7002/idp/profile/SAML2/Redirect/SSO"/>
....
....

  • Comment out the following line in idp-metadata.xml :

<!--
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://test.oracle.com:7002/idp/profile/Shibboleth/SSO"/>

 -->   

  2. Edit " C:\shibboleth-idp\conf\login.config " and make the following changes :

  • In this file you need to provide the values to connect to your LDAP. ( I am using ActiveDirectory in this example )
....
.... 

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://abc.in.oracle.com:389"
      bindDn="test"
      bindCredential="password"
      ssl="false"
      tls="false"
      baseDn="CN=Users,DC=UP,DC=COM"
      subtreeSearch="true"
      userFilter="sAMAccountName={0}";
}; 

Note :

- If you are connecting to OID then you can change the userFilter to  userFilter="uid={0}"

- JAAS configuration files are loaded into the VM's runtime configuration. Because of this, changes to the login configuration file are NOT reloaded if you stop and restart the IdP web application. You MUST restart the entire web application server. 
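Because a JAAS file is only re-read on a full server restart, it pays to check the LDAP settings mechanically before restarting. The script below is an added example, not part of Shibboleth or the vt-ldap login module: it parses the JAAS syntax ( AppName { module flag option="value" ...; }; ) and then flags an ldap:// URL used with ssl="false" and tls="false" against a remote host ( the bind credential and every user password travel in clear text ), a clear-text bindCredential, a userFilter without the {0} placeholder and an empty baseDn. The embedded login.config is a constructed copy of the one shown above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the login.config shown above (not a real deployment).
SAMPLE_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://abc.in.oracle.com:389"
      bindDn="test"
      bindCredential="password"
      ssl="false"
      tls="false"
      baseDn="CN=Users,DC=UP,DC=COM"
      subtreeSearch="true"
      userFilter="sAMAccountName={0}";
};
'''

# JAAS syntax: AppName { module.Class FLAG option="value" ... ; ... };
_APP_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
_ENTRY_RE = re.compile(r'([\w.$]+)\s+(required|requisite|sufficient|optional)\s+(.*?);', re.S | re.I)
_OPT_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Return {app_name: [{"module", "flag", "options"}, ...]} for every JAAS block."""
    apps = {}
    for app_name, body in _APP_RE.findall(text):
        entries = []
        for module, flag, opts in _ENTRY_RE.findall(body):
            entries.append({"module": module, "flag": flag.lower(),
                            "options": dict(_OPT_RE.findall(opts))})
        apps[app_name] = entries
    return apps


def audit_ldap_entry(options):
    """Findings for one LdapLoginModule option set (empty list = nothing to flag)."""
    findings = []
    url = urlsplit(options.get("ldapUrl", ""))
    no_tls = (options.get("ssl", "false").lower() != "true"
              and options.get("tls", "false").lower() != "true")
    if url.scheme == "ldap" and no_tls and url.hostname not in ("localhost", "127.0.0.1"):
        findings.append("ldap:// with ssl=false and tls=false: the bind credential and every "
                        "user password cross the network in clear text; use ldaps:// or tls=\"true\"")
    if options.get("bindCredential"):
        findings.append("bindCredential is stored in clear text in login.config; "
                        "restrict read access to the IdP service account")
    if "{0}" not in options.get("userFilter", ""):
        findings.append("userFilter has no {0} placeholder, so the entered username is never matched")
    if not options.get("baseDn"):
        findings.append("baseDn is empty; the user search has no scope")
    return findings


def audit_login_config(text):
    """Map each JAAS app name to the findings of its LdapLoginModule entries."""
    return {app: [f for e in entries if e["module"].endswith("LdapLoginModule")
                  for f in audit_ldap_entry(e["options"])]
            for app, entries in parse_jaas(text).items()}


if __name__ == "__main__":
    for app, findings in audit_login_config(SAMPLE_LOGIN_CONFIG).items():
        print(app, "->", "\n  ".join([""] + findings) if findings else "ok")
```

Run it against the real file with `audit_login_config(open(r"C:\shibboleth-idp\conf\login.config").read())`; the embedded LDAP variant from the comments below ( ldap://localhost:7001 ) is not flagged for clear text because the connection never leaves the host.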

  3. Edit " C:\shibboleth-idp\conf\handler.xml " and make the following changes :

  • Un-comment the Username/password login handler :

....
....
<!--  Username/password login handler -->
    <ph:LoginHandler xsi:type="ph:UsernamePassword" 
                  jaasConfigurationLocation="file://c:\shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>
....
.... 

  • Comment out the RemoteUser login handler :
....
<!--
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
-->
....
....
....
<!-- Login Handlers -->

  4. Edit " C:\shibboleth-idp\conf\relying-party.xml " and make the following changes :

  • Correct the port number in the provider URL of the DefaultRelyingParty element, and add a default authentication method.
....
....
<rp:DefaultRelyingParty provider="https://test.oracle.com:7002/idp/shibboleth" defaultSigningCredentialRef="IdPCredential" defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
....
.... 

  • In ProfileConfiguration for type="saml:SAML2SSOProfile" change the encryptAssertions from conditional to never.
....
....
<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" 
                                 assertionLifetime="PT5M" assertionProxyCount="0" 
                                 signResponses="never" signAssertions="always" 
                                 encryptAssertions="never" encryptNameIds="never"/>
....
.... 

  5. Edit " C:\shibboleth-idp\conf\attribute-resolver.xml " and make the following changes :

  • Comment out the AttributeDefinition of type TransientId ( under " Name Identifier related attributes " ) :
....
.... 
    <!-- Name Identifier related attributes -->

<!--
    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </resolver:AttributeDefinition>
-->
....
.... 

  •  Add  a new AttributeDefinition of type PrincipalName along with its AttributeEncoder

....

.... 
 <resolver:AttributeDefinition id="principalId" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>
....
.... 

  6. Edit " C:\shibboleth-idp\metadata\attribute-filter.xml " and make the following changes :

  • Comment out the section " Release the transient ID to anyone " ( i.e. the AttributeFilterPolicy for the transient ID ) :

....
.... 
     <!--  Release the transient ID to anyone -->
<!--
        <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
        <afp:AttributeRule attributeID="transientId">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
-->
....
.... 

  • Add a new AttributeFilterPolicy for the principal ID ( i.e. add a section " Release the principal ID to anyone " ) :
....
....
<!--  Release the principal ID to anyone -->
    <afp:AttributeFilterPolicy id="releasePrincipalIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="principalId">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
....
.... 
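Items 1 and 4 above are the two edits that are easiest to get subtly wrong ( a stale port in one endpoint, or a signing/encryption setting that leaves the assertion unprotected ), and the SP will only tell you that SSO failed. The script below is an added example, not part of Shibboleth: it loads idp-metadata.xml and relying-party.xml and reports every endpoint that is not https on the expected host and port, any Shibboleth 1.0 AuthnRequest endpoint that is still advertised, a provider that differs from the metadata entityID, a missing defaultAuthenticationMethod, and a SAML2SSOProfile that signs neither assertions nor responses. It also points out the consequence of the encryptAssertions="never" setting chosen above. Both XML documents are constructed, trimmed copies of the files in this step ( one endpoint deliberately left on port 7001 ); the namespace prefixes follow the stock 2.x relying-party.xml.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RP_NS = "urn:mace:shibboleth:2.0:relying-party"
SHIB1_AUTHN_BINDING = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"

# Constructed, trimmed idp-metadata.xml. One endpoint is left on the http port
# 7001 and the Shibboleth 1.0 AuthnRequest endpoint is left uncommented, so the
# check has something to report.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://test.oracle.com:7002/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://test.oracle.com:7001/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://test.oracle.com:7002/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://test.oracle.com:7002/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://test.oracle.com:7002/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed, trimmed relying-party.xml carrying the settings from item 4.
SAMPLE_RELYING_PARTY = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://test.oracle.com:7002/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential"
      defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
        assertionLifetime="PT5M" assertionProxyCount="0"
        signResponses="never" signAssertions="always"
        encryptAssertions="never" encryptNameIds="never"/>
  </rp:DefaultRelyingParty>
</rp:RelyingPartyGroup>"""


def _url_ok(url, host, port):
    u = urlsplit(url)
    return u.scheme == "https" and u.hostname == host and u.port == port


def check_idp_metadata(xml_text, host, port):
    """Return (entityID, findings): every endpoint must be https on host:port and
    the Shibboleth 1.0 AuthnRequest endpoint must be gone."""
    root = ET.fromstring(xml_text)
    findings = []
    entity_id = root.get("entityID", "")
    if not _url_ok(entity_id, host, port):
        findings.append(f"entityID {entity_id!r} is not https://{host}:{port}/...")
    for el in root.iter():
        loc = el.get("Location")
        if loc is None:
            continue
        tag = el.tag.split("}")[-1]          # strip the namespace for readable output
        if not _url_ok(loc, host, port):
            findings.append(f"{tag} Location {loc!r} is not https://{host}:{port}/...")
        if el.get("Binding") == SHIB1_AUTHN_BINDING:
            findings.append(f"{tag} still advertises the Shibboleth 1.0 AuthnRequest binding; comment it out")
    return entity_id, findings


def check_relying_party(xml_text, entity_id):
    """Findings for DefaultRelyingParty: provider must equal the metadata entityID, a
    default authentication method must be set, and the SAML2 SSO profile must sign
    what it sends."""
    root = ET.fromstring(xml_text)
    drp = root.find(f"{{{RP_NS}}}DefaultRelyingParty")
    if drp is None:
        return ["no DefaultRelyingParty element"]
    findings = []
    if drp.get("provider") != entity_id:
        findings.append(f"provider {drp.get('provider')!r} differs from metadata entityID {entity_id!r}")
    if not drp.get("defaultAuthenticationMethod"):
        findings.append("defaultAuthenticationMethod is missing")
    for pc in drp.iter(f"{{{RP_NS}}}ProfileConfiguration"):
        if not pc.get(XSI_TYPE, "").endswith("SAML2SSOProfile"):
            continue
        if pc.get("signAssertions") != "always" and pc.get("signResponses") != "always":
            findings.append("SAML2SSOProfile: neither assertions nor responses are always signed; "
                            "the SP cannot verify who issued the assertion")
        if pc.get("encryptAssertions") == "never":
            findings.append("SAML2SSOProfile: encryptAssertions=\"never\", so the assertion is readable "
                            "in the browser; only TLS on the SP endpoint protects it in transit")
    return findings


if __name__ == "__main__":
    eid, md_findings = check_idp_metadata(SAMPLE_IDP_METADATA, "test.oracle.com", 7002)
    for line in md_findings + check_relying_party(SAMPLE_RELYING_PARTY, eid):
        print("-", line)
```

Point the two functions at the real files with `open(...).read()` and the host/port of your IDP domain; the encryptAssertions line is informational, since this walkthrough deliberately turns encryption off, but it is the reason the SP endpoints in Step 6 should be reachable over https in anything beyond a test setup.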

Step 5 :

  • Deploy the Shibboleth idp.war file located in " C:\shibboleth-idp\war " onto your Weblogic Server in IDP domain. 

Note : You have to modify the idp application to make it work with WLS in your environment.

A sample of the modified idp.war file ( compiled with JDK 1.6 ) is attached to this post for download.

Please rename the downloaded idp.doc file to idp.zip and then unzip it.

 Note :

 - If you have installed Shibboleth on a UNIX environment then you need to change the path for " internal.xml " and " service.xml " in the web.xml file of the idp application.

Eg :

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>file:<shibboleth_home>/conf/internal.xml; file:<shibboleth_home>/conf/service.xml;</param-value>
</context-param>

To deploy this app successfully in WLS we need to endorse Xerces and Xalan :

  • Copy all the jar files from endorsed directory of Shibboleth installation ( i.e C:\shibboleth-idp\lib\endorsed ) to <JAVA_HOME>/jre/lib/ext ( i.e C:\oracle\jdk\jre\lib\ext )
  • Login to Weblogic console and create a XML registry :

Login to WLS console --> +services --> XML Registries --> new 

  • Now add the following values : 

Name: Apache Xerces/Xalan Registry
SAX Parser Factory: org.apache.xerces.jaxp.SAXParserFactoryImpl
Transformer Factory: org.apache.xalan.processor.TransformerFactoryImpl

  • Target / Deploy this XML Registry to Admin Server. ( For this example )

  • Restart the servers and deploy the modified idp.war file to Admin Server.
  • Restart the server and check if application is in Active state.

Note : To check if IDP is configured properly access the following URL :

https://localhost:7002/idp/status

You should see an output similar to the one in screenshot below :


NOTE : 

- If you see errors in your WLS logs then check if all the Shibboleth endorsed jars are added to your <JDK_HOME>/jre/lib/ext directory. Also check if you have made all the necessary changes in your IDP application and that it is deployed successfully.

- If there are no errors in the WLS logs, then check the Shibboleth logs ( located in, Ex : C:\shibboleth-idp\logs ).

- To increase the logging severity to DEBUG in Shibboleth, edit the logging.xml file ( located in, Ex : C:\shibboleth-idp\conf ) :

....
.... 
<!-- Logs IdP, but not OpenSAML, messages -->
    <logger name="edu.internet2.middleware.shibboleth" level="DEBUG"/>
....
.... 

- The logging configuration for the IdP is located at $IDP_HOME/conf/logging.xml. This file is checked for changes every 10 minutes by default and is reloaded if changes have been made. This means a deployer can keep the logging level at WARN until a problem occurs and then change the logging to DEBUG to get more information if the problem persists, all without restarting the IdP. 

Step 6 :

Let's configure the Service Provider now. ( Domain : sp_domain )

  • Create a SAML2IdentityAsserter in sp_domain. ( Ex : IdentityAsserter ).
    • Login to Weblogic Console -> SecurityRealms -> myrealm -> providers/Authentication -> new -> SAML2IdentityAsserter
  • Configure Admin Server as a SAML 2.0 Service Provider.
    • Login to Weblogic Console -> +Environment -> servers -> AdminServer -> Federation Services -> SAML 2.0 Service Provider

                Make the following changes :

      • Enabled ( Check )
      • Always Sign Authentication Requests ( Check )
      • Preferred Binding: POST
      • Default URL: http://<sp_domain_server_listenAddress>:<port>/console ( In our Ex : http://test.oracle.com:8001/console )
      • Save and Activate Changes.

  • Configure SAML 2.0 Federation properties for Admin Server.
    • Login to Weblogic Console -> +Environment -> servers -> AdminServer -> Federation Services -> SAML 2.0 General 
               Make the following changes :
      • Replicated Cache Enabled ( Check )
      • Contact Person Given Name:
      • Contact Person Surname:
      • Contact Person Type:
      • Contact Person Company:
      • Contact Person Telephone Number:
      • Contact Person Email Address:
      • Organization Name:
      • Organization URL:
      • Published Site URL: This should in the format http://<sp_domain_server_listenAddress>:<port>/saml2 ( In our Ex : http://test.oracle.com:8001/saml2 )
      • Entity ID: ( Ex : myEntityID )
      • Single Sign-ON --> Single Sign-on Signing Key Alias: DemoIdentity
      • Single Sign-on Signing Key Pass Phrase: DemoIdentityPassPhrase
      • Confirm Single Sign-on Signing Key Pass Phrase: DemoIdentityPassPhrase
      • Save and Activate Changes --> Restart your server. 

  • Let's configure the SAML IdentityAsserter using the IDP metadata
    • Login to Weblogic Console -> SecurityRealms -> myrealm -> providers/Authentication -> IdentityAsserter ( This is the SAML2IdentityAsserter we created earlier ) -> Management -> new -> Create a SAML 2.0 Web Single Sign-on Identity Provider Partner 

               Make the following changes :

      • Name : WebSSO-IdP-Partner
      • Path : < path to the IDP metadata file > ( In our Ex : C:\shibboleth-idp\metadata\idp-metadata.xml )
      • Now click on the newly created partner " WebSSO-IdP-Partner " and make the following changes : 
      • Enabled ( check )
      • Description:  WebSSO-IdP-Partner
      • Virtual User ( uncheck )
      • Redirect URIs: < URIs of the protected pages in your application > ( In our example these are : /console/* and /console/*.jsp )

      • Save and Activate changes.
  • Make sure that your application's cookie name is set to JSESSIONID; check your application's weblogic.xml file for this.
    • In our example we are using the Weblogic console as an application, so make the following changes :
      • Login to Weblogic Console -> <sp_domain_name > -> Configuration -> General -> +Advanced -> Console Cookie Name: JSESSIONID
      • Save and Activate changes --> Restart your server

  • Let's export the SP metadata now.
    • Login to Weblogic Console -> +Environment -> servers -> AdminServer -> Federation Services -> SAML 2.0 General -> Publish Meta Data
      • Path : Give any path and a filename to store the SP metadata XML file. ( In our Eg : C:\shibboleth-idp\metadata\sp-metadata.xml )
      • Click OK

Note : The path should include a file name with an xml extension or else the export of the SP metadata will fail.

Step 7 :

Now let's configure the Shibboleth Identity Provider to use the SP metadata.

  • You need to add a reference to the sp-metadata file in relying-party.xml file ( Located in Ex : C:\shibboleth-idp\conf )
  • Edit C:\shibboleth-idp\conf\relying-party.xml file and make the following change :
    • In the metadata configuration add a SP metadata configuration as follows :
....
.... 
<!-- Load the SP's own metadata.   -->
        <metadata:MetadataProvider id="SPMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="c:\shibboleth-idp/metadata/sp-metadata.xml"
                                   maxRefreshDelay="P1D" />
....

.... 

  • Restart both IDP and SP domains. 

Step 8 :

  • Create a Weblogic user in AD.
  • Configure an Active Directory provider on both the domains. 
  • Now restart the servers and test SSO.
  • To test SAML SSO with Shibboleth : Access the Weblogic console on the SP domain, i.e. http://test.oracle.com:8001/console
  • This should redirect you to the Shibboleth login page.
  • Once you login you will be redirected back to the SP domain console page.
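If the redirect in the last step does not end on the Shibboleth login page, the first thing to look at is the SAMLRequest the SP actually sent. The script below is an added example, not part of WebLogic or Shibboleth: it decodes the SAMLRequest / SAMLResponse parameter from either binding ( DEFLATE + base64 in a Redirect URL, plain base64 in a POST form field ), summarizes Issuer, Destination and AssertionConsumerServiceURL, and checks them against the Entity ID and IdP endpoint configured in Steps 6 and 7. The AuthnRequest it works on is constructed; the AssertionConsumerService path /saml2/sp/acs/post is an assumed value, not one shown in this post.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_REDIRECT_SSO = "https://test.oracle.com:7002/idp/profile/SAML2/Redirect/SSO"

# Constructed AuthnRequest resembling what the WLS SP from Step 6 would send
# (Entity ID myEntityID, POST binding requested for the response). The ACS path
# /saml2/sp/acs/post is an assumed value, not one shown in the post.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2014-04-02T17:00:00Z" '
    f'Destination="{IDP_REDIRECT_SSO}" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="http://test.oracle.com:8001/saml2/sp/acs/post">'
    '<saml:Issuer>myEntityID</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text):
    """HTTP-Redirect binding value: raw DEFLATE, base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return quote(base64.b64encode(deflated).decode(), safe="")


def encode_post(xml_text):
    """HTTP-POST binding value: plain base64 of the XML."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_binding(value):
    """Decode an already URL-decoded SAMLRequest/SAMLResponse value from either binding."""
    raw = base64.b64decode(value)
    try:
        inflated = zlib.decompress(raw, -15)
        if inflated.lstrip().startswith(b"<"):
            return inflated.decode()
    except zlib.error:
        pass                                  # not deflated: POST binding, raw is the XML
    return raw.decode()


def summarize(xml_text):
    """Pull the fields worth eyeballing out of a request or response."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"type": root.tag.split("}")[-1],
            "issuer": issuer.text if issuer is not None else None,
            "destination": root.get("Destination"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "binding": root.get("ProtocolBinding")}


def summarize_redirect_url(url):
    """Take the full redirect URL from the address bar and summarize its SAMLRequest."""
    params = parse_qs(urlsplit(url).query)    # parse_qs also URL-decodes the value
    return summarize(decode_binding(params["SAMLRequest"][0]))


def verify_request(summary, sp_entity_id, idp_sso_url):
    """Mismatches between what the SP sent and what Steps 6 and 7 configured."""
    problems = []
    if summary["type"] != "AuthnRequest":
        problems.append(f"expected an AuthnRequest, got {summary['type']}")
    if summary["issuer"] != sp_entity_id:
        problems.append(f"Issuer {summary['issuer']!r} is not the SP Entity ID {sp_entity_id!r}")
    if summary["destination"] != idp_sso_url:
        problems.append(f"Destination {summary['destination']!r} is not the IdP SSO endpoint {idp_sso_url!r}")
    return problems


if __name__ == "__main__":
    url = IDP_REDIRECT_SSO + "?SAMLRequest=" + encode_redirect(SAMPLE_AUTHN_REQUEST)
    summary = summarize_redirect_url(url)
    print(summary)
    print(verify_request(summary, "myEntityID", IDP_REDIRECT_SSO) or "request matches the configuration")
```

For a real flow, paste the Location header of the redirect into `summarize_redirect_url`, or the hidden SAMLRequest / SAMLResponse form field into `decode_binding`; an Issuer that is not the Entity ID from Step 6, or a Destination that is not one of the IdP endpoints from idp-metadata.xml, explains most "unknown relying party" style errors in the Shibboleth logs.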

      Comments:

      Error :

      C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8>install.bat
      Buildfile: src\installer\resources\build.xml

      install:
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
      C:\shibboleth-idp
      The directory 'C:\shibboleth-idp' already exists. Would you like to overwrite this Shibboleth configuration? (yes, [no])
      yes
      What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
      localhost
      A keystore is about to be generated for you. Please enter a password that will be used to protect it.
      password
      Updating property file: C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8\src\installer\resource
      s\install.properties
      Created dir: C:\shibboleth-idp\bin
      Created dir: C:\shibboleth-idp\conf
      Created dir: C:\shibboleth-idp\credentials
      Created dir: C:\shibboleth-idp\lib
      Created dir: C:\shibboleth-idp\lib\endorsed
      Created dir: C:\shibboleth-idp\logs
      Created dir: C:\shibboleth-idp\metadata
      Created dir: C:\shibboleth-idp\war

      BUILD FAILED
      java.lang.IllegalStateException: No match found
      at java.util.regex.Matcher.group(Matcher.java:468)
      at edu.internet2.middleware.ant.util.RegexSplit.execute(RegexSplit.java:51)
      at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
      at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
      at org.apache.tools.ant.Task.perform(Task.java:348)
      at org.apache.tools.ant.taskdefs.Sequential.execute(Sequential.java:62)
      at net.sf.antcontrib.logic.IfTask.execute(IfTask.java:197)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
      at org.apache.tools.ant.TaskAdapter.execute(TaskAdapter.java:154)
      at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
      at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
      at org.apache.tools.ant.Task.perform(Task.java:348)
      at org.apache.tools.ant.Target.execute(Target.java:357)
      at org.apache.tools.ant.Target.performTasks(Target.java:385)
      at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1337)
      at org.apache.tools.ant.Project.executeTarget(Project.java:1306)
      at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
      at org.apache.tools.ant.Project.executeTargets(Project.java:1189)
      at org.apache.tools.ant.Main.runBuild(Main.java:758)
      at org.apache.tools.ant.Main.startAnt(Main.java:217)
      at org.apache.tools.ant.Main.start(Main.java:179)
      at org.apache.tools.ant.Main.main(Main.java:268)

      Total time: 3 minutes 44 seconds

      C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8>

      Note : You have to use a fully qualified DNS name for the host, ( Ex : FQDN like abcd.oracle.com ) or else Shibboleth installation will fail

      Expected Output :

      C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8>install.bat
      Buildfile: src\installer\resources\build.xml

      install:
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      Where should the Shibboleth Identity Provider software be installed? [C:\shibboleth-idp]
      c:/shibboleth-idp
      What is the fully qualified hostname of the Shibboleth Identity Provider server?
      test.oracle.com
      A keystore is about to be generated for you. Please enter a password that will b
      e used to protect it.
      password
      Updating property file: C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8\src\installer\resources\install.properties
      Created dir: c:\shibboleth-idp
      Created dir: c:\shibboleth-idp\bin
      Created dir: c:\shibboleth-idp\conf
      Created dir: c:\shibboleth-idp\credentials
      Created dir: c:\shibboleth-idp\lib
      Created dir: c:\shibboleth-idp\lib\endorsed
      Created dir: c:\shibboleth-idp\logs
      Created dir: c:\shibboleth-idp\metadata
      Created dir: c:\shibboleth-idp\war
      Generating signing and encryption key, certificate, and keystore.
      Copying 5 files to c:\shibboleth-idp\bin
      Copying 8 files to c:\shibboleth-idp\conf
      Copying 1 file to c:\shibboleth-idp\metadata
      Copying 51 files to c:\shibboleth-idp\lib
      Copying 5 files to c:\shibboleth-idp\lib\endorsed
      Copying 1 file to C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8\src\installer
      Building war: C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8\src\installer\idp.war
      Copying 1 file to c:\shibboleth-idp\war
      Deleting: C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8\src\installer\web.xml
      Deleting: C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8\src\installer\idp.war

      BUILD SUCCESSFUL
      Total time: 1 minute 55 seconds

      C:\Users\Administrator\Desktop\Shibboleth\shibboleth-identityprovider-2.3.8-bin\shibboleth-identityprovider-2.3.8>

      Posted by Puneeth on April 02, 2014 at 10:23 PM IST #

      hi,
      your post is really good.
      but I'm confused, what OS do you use?
      and do you have a video about it?
      or some pictures,
      coz I tried many configurations, but failed, starting from shibboleth SAML with windows, ubuntu, etc.

      I want to try your post.
      but do you have a video like that?

      Posted by php.ini on January 18, 2015 at 08:35 PM IST #

      You can use embedded LDAP with Shibboleth IDP.

      To use Weblogic embedded LDAP do the following :

      1) Login to Admin console -> <domain_name> -> security -> Embedded Ldap ->

      Credential: < say "weblogic1" >
      Confirm Credential: < say "weblogic1" >

      2) Make the following changes in login.config file :

      ShibUserPassAuth {

      edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://localhost:7001"
      baseDn="ou=people,ou=myrealm,dc=shibboleth-idp_domain"
      bindDn="cn=Admin"
      bindCredential="weblogic1"
      userFilter="uid={0}";

      };

      Posted by Puneeth on February 19, 2015 at 11:32 PM IST #

      If you see the following errors :

      18:11:39.102 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:170] - Attempting to authenticate user weblogic
      18:11:39.197 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:197] - User authentication for weblogic failed
      java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named ShibUserPassAuth
      at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130) ~[com.oracle.css.common.security.jdkutils_7.0.0.0.jar:CSS 7.0 0.0]
      at javax.security.auth.login.LoginContext.init(LoginContext.java:260) ~[na:1.7.0_15]
      at javax.security.auth.login.LoginContext.<init>(LoginContext.java:418) ~[na:1.7.0_15]
      at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:174) [shibboleth-identityprovider-2.3.8.jar:na]
      at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:123) [shibboleth-identityprovider-2.3.8.jar:na]
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:844) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:341) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) [weblogic.server.merged.jar:12.1.2.0.0]
      at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.8.jar:na]
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) [weblogic.server.merged.jar:12.1.2.0.0]
      at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.8.jar:na]
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) [weblogic.server.merged.jar:12.1.2.0.0]
      at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.7.jar:na]
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3367) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3333) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) [com.oracle.css.weblogic.security.wls_7.0.0.0.jar:CSS 7.0 0.0]
      at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2220) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2146) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2124) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1564) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:295) [weblogic.server.merged.jar:12.1.2.0.0]
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:254) [weblogic.server.merged.jar:12.1.2.0.0]

      You can use the following workaround :

      set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.auth.login.config="C:\shibboleth-idp\conf\login.config"

      Posted by Puneeth on February 23, 2015 at 11:02 PM IST #

      How to Access Shibboleth IdP-Initiated Unsolicited SSO Page (Doc ID 1989039.1)

      "
      As per SAML 2.0 standards, we have IdP-Initiated or "unsolicited" SSO and SP-Initiated SSO.

      Usually in Shibboleth, the flow is assumed to be an SP requesting authentication by redirecting the client to the IdP, and then getting back a response.

      Despite the fact that the SAML 2.0 standard requires IdP-initiated SSO as well, Shibboleth IdP prior to version 2.3.0 does not support an equivalent mechanism for SAML 2.0 SSO responses.

      However this feature was added to Shibboleth IdP version 2.3.0 and above.

      The default configuration files for Shibboleth IdP 2.3.0 and later need no further changes to use IdP-initiated SSO.

      If you want to enable IdP-Initiated SSO in Shibboleth version prior to 2.3.0, then we need to make a few changes in the Shibboleth configuration files. Have a look at the following doc which talks more about the same: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO.

      The end point to access a Shibboleth IDP-Initiated page is: /idp/profile/SAML2/Unsolicited/SSO For example: http://localhost:7001/idp/profile/SAML2/Unsolicited/SSO?providerId=myEntityID
      "

      Posted by Puneeth on May 24, 2015 at 08:13 AM IST #
