Below are the steps to configure SAML 2.0 with Okta as Identity Provider and Weblogic as a Service Provider.
Log-in to your Okta subdomain homepage to access the Application Dashboard.
Now click on Applications -> Add Application -> Create New App -> select SAML 2.0 -> create
Follow the on-screen instructions.
Create a SAML integration as shown below :
Enter the following :
Single sign on URL : <https://<weblogic_sp_hostname>:<port>/saml2/sp/acs/post
Use this for Recipient URL and Destination URL (check)
Audience URI : This would be the entity ID that you will be specifying in your WLS SP ( Make a NOTE of what you have entered here, we need to use the same in --> WLS console->Federation Services->SAML2 General-> EntityID)
- Unlike other SAML configurations we are not importing the SP metadata into Okta IDP, instead we fill-in the above values manually.
- Hence it is important to make a NOTE of the Audience URI (i.e SP entity ID) and use the same in Weblogic SP configuration.
We have successfully created a SAML Integration, now lets download the IDP metadata (say Okta_IDP_for_WLS-metadata.xml) from the Sign On sub-tab :
Go to People sub-tab and assign users to your application :
Click on the General sub-tab and validate your IDP configuration.
Login to Okta with the user who was assigned this application :
Your Okta IDP configuration is now complete, lets configure Weblogic as a SAML Service Provider.
Login to Weblogic console -> Security Realms -> myrealm -> Providers -> Authentication -> new -> SAML2IdentityAsserter
Click on the newly created SAML2IdentityAsserter (say SAML2IA) -> Management -> new -> "new Web Single Sign-On Identity Provider Partner" (say WebSSO-IdP-Partner-0)
Select the metadata.xml file that you downloaded from Okta (say Okta_IDP_for_WLS-metadata.xml)
Click on the newly created IDP partner and enter the following :
Redirect URIs : /Weblogic_SP_sample_App/restricted/protected_page.jsp
Click on the Server (where the IDP application is deployed) -> Configuration -> Federation Services -> SAML 2.0 General -> and enter the following :
Publish Site URL : https://celbealnx1.us.oracle.com:8002/saml2
Entity ID : WLS_SP_for_Okta
Click on Server (where the IDP application is deployed) -> Configuration -> Federation Services -> SAML 2.0 Service Provider -> and enter the following :
Preferred Binding : POST
Default URL : https://celbealnx1.us.oracle.com:8002/Weblogic_SP_sample_App/restricted/protected_page.jsp
You have successfully configured Okta IDP with Weblogic SP. Time to test it now :)
Deploy the sample application on Weblogic (Weblogic_SP_sample_App.zip)
Now open the Okta page -> click on the application and check if the protected page of application deployed on WLS is accessible.
- Okta sends the login name (i.e email address) by default in the SAML token to Weblogic.
- If you want to retrieve the Firstname of the user to authenticate into the protected page of Weblogic SP application, then make the following changes in Okta :
Login to Okta dashboard as Admin -> Directory -> Profile Editor
Click on "Apps" -> "Mapping" next to your application
Click on "Okta to Okta_IDP_for_WLS" -> Select "firstName" from the dropdown -> "Apply mapping on user create and update" -> "Save mapping"
Now test your application...!!!
Have a look at the following video which shows how to install the sample application and enable Virtual User feature in WebLogic :
NOTE: The video shows a sample application from JCS SAML blog but it holds good for the sample application used in this blog as well.