
Steps to configure SAML 2.0 with Weblogic Server (using embedded LDAP as a security store - Only for Dev Environment)...

By: Puneeth Prakash | Principal Software Engineer

NOTE:

- A WebLogic Server instance that is configured for SAML 2.0 SSO cannot send a request to a server instance configured for SAML 1.1, and vice versa.

- WebLogic Server does not support encrypted assertions in SAML. 

- It is always recommended to create a domain in which the RDBMS security store is configured. 

- The RDBMS security store is required by the SAML 2.0 security providers in production environments so that the data they manage can be synchronized across all the WebLogic Server instances that share that data. 

- Note that Oracle does not recommend upgrading an existing domain in place to use the RDBMS security store. If you want to use the RDBMS security store, you should configure the RDBMS security store at the time of domain creation. If you have an existing domain with which you want to use the RDBMS security store, create the new domain and migrate your existing security realm to it. 

- If you are configuring SAML 2.0 services in a cluster, each Managed Server in that cluster must be configured individually. 

- You cannot configure SAML 2.0 general services in a WebLogic Server instance until you have first configured either the SAML 2.0 Identity Assertion or SAML 2.0 Credential Mapping provider and restarted the server instance.

- Note that I have not used an RDBMS security store in the following configuration (I am using embedded LDAP). This is only for demonstration purposes and is not recommended for production environments.

- While configuring SAML2 with Weblogic Server in a production environment, please make sure you create a domain with the RDBMS security store configured.

Prerequisites:

- In the following example I have created two domains, "SAML2_IDP_Source_Domain" and "SAML2_SP_Destination_Domain", on Weblogic Server 12.1.1.

- I have created self-signed certificates and configured SSL on both domains.

- Source domain HTTP and HTTPS ports are 7001 and 7002 respectively.

- Destination domain HTTP and HTTPS ports are 7003 and 7004 respectively.

SAML Source site configuration:

- Create a "Credential Mapper" on the Weblogic Source domain, i.e. on the IDP end.

- Log in to the Source domain Weblogic console -> click on "myrealm" -> "Providers" -> "Credential Mapping" -> and add a "SAML2CredentialMapper", say "SAML2_CredentialMapper", as shown below:

Credential Mapper

- Now click on the newly created SAML2CredentialMapper, "SAML2_CredentialMapper", and make the following changes:

Issuer URI: http://www.sourcesite.com/saml

Name Qualifier: sourcesite.com


- Click on "Servers" -> Admin Server -> "Federation Services" -> "SAML 2.0 Identity Provider" and make the following changes:

Enabled: check

Preferred Binding: POST

- Click on "Servers" -> Admin Server -> "Federation Services" -> "SAML 2.0 General" and make the following changes:

Replicated Cache Enabled: Uncheck / Check

Contact Person Given Name

Contact Person Surname

Contact Person Type

Contact Person Company

Contact Person Telephone Number

Contact Person Email Address

Organization Name

Organization URL

Published Site URL: http://<SourceSiteDNSName>:<PORT>/saml2

Entity ID: (Source Domain name)

Single Sign-on Signing Key Alias

Single Sign-on Signing Key Pass Phrase

Confirm Single Sign-on Signing Key Pass Phrase

Save the changes and export the IDP metadata to an XML file -> click the "Publish Meta Data" button (say idp_metadata.xml). We need to copy this file to the destination domain later.

Destination Site Configuration:

- Create an Identity Asserter on the destination domain, i.e. the SP end.

- Log in to the Destination domain Weblogic console -> click on "myrealm" -> "Providers" -> "Authentication" -> new "SAML2IdentityAsserter", say "SAML2_IdentityAsserter":

Click on "Servers" -> Admin Server -> "Federation Services" -> "SAML 2.0 Service Provider" and make the following changes:

Enabled: check

Preferred Binding: POST

Default URL: http://<DestinationSiteDNSName>:<PORT>/samldest01App

Now click on "Servers" -> Admin Server -> "Federation Services" -> "SAML 2.0 General" and make the following changes:

Replicated Cache Enabled: Uncheck / Check

Contact Person Given Name

Contact Person Surname

Contact Person Type

Contact Person Company

Contact Person Telephone Number

Contact Person Email Address

Organization Name

Organization URL

Published Site URL: http://<DestinationSiteDNSName>:<PORT>/saml2

Entity ID: (Destination Domain name)

Single Sign-on Signing Key Alias

Single Sign-on Signing Key Pass Phrase

Confirm Single Sign-on Signing Key Pass Phrase

Save the changes and export the service provider (SP) metadata to an XML file -> click the "Publish Meta Data" button (say SP_metadata.xml).

Copy the service provider metadata (SP_metadata.xml) to the Source Domain and the identity provider metadata (idp_metadata.xml) to the Destination Domain as shown below:


Now configure the Service Provider metadata on the SAML Identity Provider in the Source Site:

Log in to the source site Admin Console and click on "Security Realms" -> "myrealm" -> "Providers" -> "Credential Mapper" -> "SAML2_CredentialMapper" -> "Management" -> "New" -> "New Web Single Sign-On Service Provider Partner":


Name this "New Web Single Sign-On Service Provider Partner" "SAML_SSO_SP01" and select the SP_metadata.xml file.

Click on the newly created "SAML_SSO_SP01" and enter the following:

Name: SAML_SSO_SP01

Enabled: Checked

Description: SAML_SSO_SP01

Key Info Included: Check



Click on Site Info and verify the data:


Now configure the Identity Provider metadata on the SAML Service Provider in the Destination site:

Log in to the Destination Site Admin Console:

Click on "Security Realms" -> "myrealm" -> "Providers" -> "Authentication" -> "SAML2_IdentityAsserter" -> "Management" -> "New" -> "New Web Single Sign-On Identity Provider Partner", say "SAML_SSO_IDP01", and then select "idp_metadata.xml":


Click on "SAML_SSO_IDP01" and enter the following:

Name: SAML_SSO_IDP01

Enabled: Check

Description: SAML_SSO_IDP01

Redirect URIs: /samldest01App/restricted01/samldest01services.jsp


We have successfully configured SAML 2.0 with Weblogic Server!

Deploy the source and destination applications and check that SAML 2.0 SSO works.

DOWNLOAD: Source Application (NEW)

DOWNLOAD: Destination Application (NEW)

Note:

- To test this sample application, log in using the "weblogic" user.

The principal I have used in the weblogic.xml file of this application is:

<security-role-assignment>
<role-name>SamlTrainee</role-name>
<principal-name>Administrators</principal-name>
</security-role-assignment> 

- So you should be able to log in to this application with a user "Administrators" or any user who is part of a group called "Administrators".

- When you access the Source application you will get a challenge; enter the username "weblogic" and its password. Now click on the redirect URL and you should not be challenged again when accessing the Destination app.

- In the application JSP pages I have specified "localhost" in the URL; change it to your respective host / IP address.

- If you have the Source and Destination domains on the same machine, make sure you edit the JSP page and change the redirect URL to the IP / host name; do not use "localhost", as it may go into a loop.



Comments (43)
  • Anup Friday, September 13, 2013

    Hi Puneeth

    Thanks for the info. I was able to setup and test fine.

    Just to clarify, I found that the test user and the group need to be set up on both the Source and Destination domains? It does authenticate (I had created them with different passwords) with the setup on the source (IDP) domain. If I did not do that, on entering the credentials it gives me a 403 error.

    regards

    Anup


  • Puneeth Monday, September 16, 2013

    Hi Anup,

    Yes, your understanding is correct.

    We need to create the test user and the group on both the domains.

    However, you need to login with the username and password just once. On successful login a token/assertion would be created and this would be used to login to the second application ( without the user entering the username and password again).

    Regards,

    Puneeth


  • guest Wednesday, October 16, 2013

    Puneeth:

    thank you for the detailed post. Although I have yet to set up a test system that prototypes saml2 authentication, you stated in the note section that " To test this sample application create a user " SAML_SSO_GRP " ( or a group named " SAML_SSO_GRP " and add any user to this group ) in embedded LDAP on both source and destination domain."

    Can you elaborate more on this? How can I create a user/group using embedded LDAP? How can I accomplish this from a basic installation of WLS? Do I enable the LDAP from Home > Summary of Security Realms > myrealm > Users and Groups > Providers? TIA

    Ed


  • Puneeth Thursday, October 17, 2013

    Hi Ed,

    To create users/groups in embedded LDAP :

    Login to console -> security realm -> myrealm -> " Users and Groups " tab --> new and create the user.

    Regards,

    Puneeth


  • Gustavo Friday, October 25, 2013

    Hi,

    Is it possible to configure SSO with SAML using just one domain in Weblogic?

    Tks


  • Puneeth Monday, October 28, 2013

    It is not recommended to have both the SP and IDP on the same domain; however, it works, I have tried it at my end.

    Have a look at the following Oracle KM :

    Can SAML SSO Be Configured In a Single WebLogic Server Domain? (Doc ID 1571946.1)


  • guest Thursday, November 28, 2013

    Hello,

    the source app indeed is protected by Basic authentication.

    the target app is not. There is no restriction for the target app.

    Additionally there is a null for the username when we go from the source app (logged in) to the target app.

    The idea of the SSO is to login once for all apps.

    I made some changes to the web.xml (changed <url-pattern>) of the target app and managed to make it ask for password at both apps. But again both apps require a login :)

    Obviously I made something wrong in the previous steps. Could you please help me?

    Thank you in advance


  • Puneeth Friday, December 6, 2013

    Hi,

    I just tried accessing the source and Dest app separately ( without any SAML SSO configured ) and it asks for challenge.

    There is <security-constraint> defined in web.xml files of both the source and Dest apps.

    and

    <login-config>

    <auth-method>BASIC</auth-method>

    Can you please check again.

    Also, in the above setup, SP initiated SSO and IDP initiated SSO works fine.

    The concept here is :

    IDP Initiated :

    - If you access the source app first it will ask for a challenge

    - Then after providing a valid username and password

    - You will be able to login to a restricted page in Source app.

    - Now you have link in the restricted page of source app which is actually a URL which points to a restricted page on the Destination app.

    - When you click on this link you will be redirected to the Destination app along with a valid SAML token which is used to login to Destination app and access the page.

    -----

    SP Initiated :

    - Access the Destination app first --> This should ask for a challenge. ( If it doesn't then clear your cache / use a different browser ).

    - Now after you enter the valid username and password - It will be validated and a SAML token will be created at the IDP / source end and this token is used to login to the restricted page in the destination end.

    - Now you will have a link in this page ( Destination page ) which maps to a restricted page in Source app end.

    - When you click on this link the SAML token is used to login to the Source app and you will be able to see the restricted page in Source App.


  • Imran Shabbir Thursday, January 23, 2014

    Hi Puneeth,

    Thanks for providing the step by step guidance for "Steps to configure SAML 2.0 with Weblogic Server (using embedded LDAP as a security store - Only for Dev Environment".

    I have gone through all the steps given above and Posts as well:

    - Prerequisite

    - SAML Source site configuration

    - SAML Destination Site Configuration

    - Deployed the source and destination applications

    - created a user group "SAML_SSO_GRP" in embedded LDAP on both domain

    - Edited the jsp page and changed the redirect URL to IP

    Apparently, the aforementioned action items have been performed properly, but obviously something is still missing. Consequently I am facing a problem accessing the Source and Destination Applications.

    Application Access Error: Error 403--Forbidden

    Could you please help me?

    Thank you in advance.


  • guest Friday, January 24, 2014

    Answer to:

    guest wrote:

    I deploy the source and destination applications after configuring the Source and Destination domains. But when I access the source/destination application it gives me the error below. Can you help me with what is missing?

    10.4.4 403 Forbidden

    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

    Regards

    ----

    Respond to this comment at:

    https://blogs.oracle.com/blogbypuneeth/entry/steps_to_configure_saml_2#comments

    Hi guest,

    please edit the setDomainEnv.bat (or sh) and set the following line:

    set JAVA_PROPERTIES=-Dwls.home=%WLS_HOME% -Dweblogic.home=%WLS_HOME% -Dweblogic.debug.DebugSecuritySAML2Atn=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Lib=true -Dweblogic.debug.DebugSecuritySAML2Service=true

    This will enable the SSO debug properties. You should normally receive an exception. This must be related with the clocks of your IDP and SP servers.

    These clocks must be fully synchronised. Ideally both machines should be in sync with a time server.

    If this is the case then the exception that you will receive will be something like NotBeforeException (or NotValidAfter)

    Regards,

    other guest!
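The clock-drift failure described in the reply above, worked through as an added example (not code from the post or from WebLogic): the SP evaluates the assertion's NotBefore / NotOnOrAfter window against its own clock, so an SP running behind the IDP rejects the assertion as not yet valid and one running ahead rejects it as expired. The assertion, its two-minute window and the skew values are constructed.

```python
"""Why unsynchronised IDP and SP clocks produce NotBefore / NotOnOrAfter failures.

Added example, not code from the post or from WebLogic. Parses the Conditions
element of a SAML 2.0 assertion and evaluates its validity window against the
SP clock with an optional skew allowance. Assertion and values are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed assertion as the IDP would issue it at 10:00:00Z, valid for two minutes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2014-01-24T10:00:00Z">
  <saml:Issuer>http://www.sourcesite.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>weblogic</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-01-24T10:00:00Z" NotOnOrAfter="2014-01-24T10:02:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>SAML2_SP_Destination_Domain</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime values; this accepts the plain 'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(xml_text, sp_now, skew_seconds=0, audience=None):
    """Evaluate <saml:Conditions> against the SP clock sp_now (a UTC datetime).

    Returns (ok, reason); skew_seconds is the drift the SP is willing to tolerate.
    """
    skew = timedelta(seconds=skew_seconds)
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # An SP clock running behind the IDP sees an assertion from the future.
    if not_before and sp_now + skew < parse_saml_time(not_before):
        behind = int((parse_saml_time(not_before) - sp_now).total_seconds())
        return False, f"NotBefore violated: SP clock is {behind}s before the window opens"
    # An SP clock running ahead of the IDP sees an assertion that has already expired.
    if not_on_or_after and sp_now - skew >= parse_saml_time(not_on_or_after):
        ahead = int((sp_now - parse_saml_time(not_on_or_after)).total_seconds())
        return False, f"NotOnOrAfter violated: SP clock is {ahead}s past the window end"
    if audience is not None:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            return False, f"audience restriction {audiences} does not include {audience}"
    return True, "within validity window"


def drift_scenarios(xml_text, idp_now, drift_seconds, skew_seconds=0):
    """Evaluate one assertion with the SP clock in sync with, behind, and ahead of the IDP."""
    drift = timedelta(seconds=drift_seconds)
    return {
        "in_sync": check_conditions(xml_text, idp_now, skew_seconds)[0],
        "sp_behind": check_conditions(xml_text, idp_now - drift, skew_seconds)[0],
        "sp_ahead": check_conditions(xml_text, idp_now + drift, skew_seconds)[0],
    }
```

With a five-minute drift both the behind and ahead cases fail, which is the symptom the reply attributes to unsynchronised clocks; a small skew allowance only covers drift smaller than the allowance.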


  • Puneeth Friday, January 24, 2014

    Yes, please enable the SAML debugs from console.

    You should get an error trace in the logs. Make sure you have increased the logging severity to DEBUG.

    Login to console --> servers --> logging --> +advanced --> change the logging severity to DEBUG from the drop down menu.

    Login to console --> servers --> debug --> +weblogic --> security --> SAML ( enable ).


  • guest Thursday, March 20, 2014

    How to achieve both SSO and non-SSO user logins in weblogic in a single application?


  • guest Tuesday, April 8, 2014

    Hi Puneeth,

    Firstly thank you much for the information.

    Coming straight to the point - as mentioned by one of the guests, I am facing the same issue --- on clicking on link to destination site, redirection happens alright but I think that is only because protection in destination site is only for <url-pattern>samldest01App/restricted01/*</url-pattern> and not <url-pattern>/restricted01/*</url-pattern> - this means there is no protection at all - hence redirection happening without asking for credentials is no surprise. Further evidence is user displays as null in the destination page.

    Or I must have got my configuration wrong somewhere. Kindly guide.

    Thank you,

    guest_Karthikeyan


  • Puneeth Tuesday, April 8, 2014

    Yes Karthikeyan, you are right. I looked into the app now and yes, there seems to be a problem.

    I will fix it as soon as possible...

    Thanks for pointing it out.. And thanks to the other user who initially found this problem..


  • Puneeth Thursday, April 10, 2014

    OK I have fixed the app now...!!! ( Uploaded latest fixed app to the post )

    Two changes I had to make in web.xml file of the destination application were :

    1)

    <url-pattern>/restricted01/*</url-pattern>

    2)

    <login-config>

    <auth-method>CLIENT-CERT,BASIC</auth-method>

    <realm-name>myrealm</realm-name>

    </login-config>


  • Puneeth Thursday, April 10, 2014

    Note:

    If you have used Demo Identity and Demo Trust to configure SSL for your servers then below is the information you need to provide in SAML 2.0 Federation properties:

    Single Sign-ON --> Single Sign-on Signing Key Alias: DemoIdentity

    Single Sign-on Signing Key Pass Phrase: DemoIdentityPassPhrase

    Confirm Single Sign-on Signing Key Pass Phrase: DemoIdentityPassPhrase


  • jav1er Tuesday, May 13, 2014

    hi Puneeth,

    I get "Error 403--Forbidden" after login to the samldest01App with a user that exists only in the other domain. In AdminServer.log I see the response with the SAML and this:

    <<WLS Kernel>> <> <> <1399946764895> <BEA-000000> <DefaultSAML2NameMapperImpl: mapName: Mapped name: qualifier: null, name: user1>

    <<WLS Kernel>> <> <> <1399946764895> <BEA-000000> <SAMLIACallbackHandler: SAMLIACallbackHandler(true, user1, [Administrators])>

    ......

    <<WLS Kernel>> <> <> <1399946764896> <BEA-000000> <[Security:090304]Authentication Failed: User user1 javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User user1 does not exist>

    <<WLS Kernel>> <> <> <1399946764896> <BEA-000000> <exception info

    javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User user1 javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User user1 does not exist


    I've set the control flag of DefaultAuthenticator to SUFFICIENT and same problem. Any idea?

    thx for advance!

    regards,

    javier


  • sharath Tuesday, June 10, 2014

    Hi Puneeth, I am stuck while redirecting from source to destination. I am getting the following pop-up error on clicking the link to the destination from the source page. Please advise.

    Although this page is encrypted,the information you have entered is to be sent over an unencrypted connection and could be easily read.

    Thanks in advance.

    Sharath


  • guest Tuesday, July 1, 2014

    I received 403 error at both applications. Which user/group I have to add into myrealm? Could you give me an example?


  • guest Tuesday, July 1, 2014

    The principal-name in weblogic.xml file of the applications is Administrator.

    So either create an Administrator user or create any user and add it to the Administrator group.

    You can use the weblogic user to login to application ( which is by default in the Administrator group ).


  • Puneeth Tuesday, July 1, 2014

    Make sure you have configured SSL for your weblogic servers and are accessing the application over https.

    If you have a webserver behind weblogic, then enable 'WebLogic Plug-In Enabled' on wls server.

    Have a look at this Note :

    E1: WLS: HTTPS URL Is Redirected To HTTP While Setting Up SSL (Doc ID 1553367.1)


  • guest Tuesday, July 1, 2014

    I'm trying to access the applications through the url: "localhost:7002/samlsourceApp/" and "localhost:7004/samldest01App/" over https, but no box asks me to enter a user to authenticate. I am redirected to the 403 error directly.

    Thanks for your help once again!


  • Puneeth Tuesday, July 1, 2014

    It may be because of cache.

    Use a different browser / try deleting all the cookies and clear the cache and then try again.

    Note : Avoid using localhost. Give the IP / host name to access the application.


  • Bhaskar Tuesday, October 28, 2014

    Dear Puneeth,

    I have deployed one IDP and two SP applications in three independent weblogic domains on their own clusters and then I added the necessary SAML2 configurations in the IDP and 2 SP servers. Now, I am able to login to the SP applications through the IDP login screen and able to visit the protected pages (role based) in the individual SP application without any issues.

    But my requirement additionally says that if the user logins in one SP application then he should be able to visit the protected pages of other SP application also. User should not be asked to re-login again for the second SP application. But in reality on my setup/configuration, each service provider asks for the saml2 assertion from the IDP individually. So it asks for the re-login again, if the user moves from one sp application to another sp application.

    What is the additional configuration should be done to make it work as a real SSO with the above said feature?

    Your help is very much appreciated. Advance thanks..


  • guest Friday, November 21, 2014

    I followed all steps had to redo this twice as it's easy to mistake and all works perfectly. Was using WL 12c. And yes it works with defaultidentity keystore as described in post somewhere above.

    -THX


  • guest Thursday, April 9, 2015

    I appreciate your effort putting up these detailed guides. I will definitely try this out.


  • guest Friday, August 28, 2015

    Thanks for the explanation!

    I'm wondering if it is mandatory to have on both Weblogic domains (IDP and DP) an Authenticator Provider containing the users.

    I have configured the IDP domain with the DefaultAuthenticator containing the users weblogic and carlo. On the DP DefaultAuthenticator I have only the weblogic user.

    When I try to connect from the DP domain I get redirected to the IDP, which asks me to insert user and password; that works for the user weblogic but not for the user carlo, as it is not present on the DP DefaultAuthenticator.

    Am I doing something wrong or is it the way that SAML on Weblogic works?

    Thanks

    Carlo


  • Puneeth Friday, August 28, 2015

    Hi Carlo,

    No it is not mandatory to have the same users in IDP and SP.

    You can have all the users in IDP and on SP you can configure "Virtual Users" :

    https://blogs.oracle.com/blogbypuneeth/resource/SP_IAManagement4.jpg

    and then create a new provider for "SAML Authenticator".

    Make sure all your authentication providers are either OPTIONAL / SUFFICIENT.

    -- Puneeth


  • guest Friday, August 28, 2015

    Hi Puneeth,

    For me it doesn't work... I have Virtual User enabled.

    This is my configuration

    #############SCENARIO 1

    IDP

    myreal--->Providers--->Authentication

    Active Directory (All user) [Optional]

    Default Authenticator (weblogic) [Optional]

    DP

    myreal--->Providers--->Authentication

    Default Authenticator (weblogic) [Optional]

    If I try to connect as Carlo (who is in Active Directory) this scenario fails!!!!

    #############SCENARIO 2

    IDP

    myreal--->Providers--->Authentication

    Active Directory (All user) [Optional]

    Default Authenticator (weblogic) [Optional]

    DP

    myreal--->Providers--->Authentication

    Default Authenticator (weblogic, Carlo) [Optional]

    This scenario passes even though the password of Carlo is different in the IDP Active Directory and the DP Default Authenticator.

    What am I missing?

    Thanks a million

    Carlo


  • Puneeth Friday, August 28, 2015

    "Virtual User" will not take effect without creating a SAML Authenticator.

    Login to console -> security realm -> myrealm -> providers -> new -> SAML Authentication.

    This has to be created at the SP end.


  • Carlo Sunday, August 30, 2015

    Hi Puneeth,

    Sorry if I haven't mentioned it in the message before, of course I have created a SAML Authenticator on SP with "Virtual user" checked, but after I'm redirected to login on IDP, if the same user is not present on SP the login fails...

    It for me doesn't make any sense but I can't see where the mistake is.

    Thanks

    Carlo


  • Puneeth Monday, August 31, 2015

    I quickly tried this at my end and it works.

    REMEMBER, I am not talking about SAML Identity Asserter, you need to create a SAML Authenticator along with it.

    And then make sure that the control flag for all the providers created is either OPTIONAL / SUFFICIENT.

    If you have followed the above steps and still facing an issue I would suggest you to open an SR with Oracle to troubleshoot the issue further.


  • Carlo Monday, August 31, 2015

    Hi Puneeth,

    You are right! I was confused between "SAML Identity Asserter" and "SAML Authenticator".

    I have fixed my issue by creating a new "SAML Authenticator" as you previously suggested.

    Thanks again for helping me, and well done for your guide.

    Carlo


  • guest Wednesday, October 21, 2015

    Hi Puneeth,

    Thanks for the information.

    I had set up as per the blog. In my case, in IDP, I am getting authenticated; when I click the URL for the service provider, it is again truncating "idp/sso/post" with the IDP provider URL and I am getting a 401 exception. Could you please help me with this?


  • guest Thursday, November 26, 2015

    Hi, Puneeth!

    Thanks for the info. Everything is working fine. WLS 10.3.6.

    I get the message - "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information? This is followed below with two boxes, "continue" and "cancel"".

    Document - "Can SAML SSO Be Configured In a Single WebLogic Server Domain? (Doc ID 1571946.1)" - does not help.

    Please see on Destination Domain - Home >Summary of Security Realms >myrealm >Providers >SAML2_IdentityAsserter >SAML_SSO_IDP01

    See row - "HTTP/POST http://XXX.XXX.XXX.XXX:7001/saml2/idp/sso/post" Why http here? How do I change http to https?

    Thanks.

    Serg


  • Puneeth Thursday, November 26, 2015

    Just make sure you have SSL port enabled and use the https link instead of http and that should take care of it.


  • Puneeth Thursday, November 26, 2015

    For the 401 error, please enable the ATN and SAML2 debugs and check the log for more information.

    Update the error trace here.


  • guest Friday, January 29, 2016

    Hi Puneeth,

    I am able to configure SSO in Weblogic 12c with your example. This site helped me a lot in doing the same.

    I am trying to Implement the Destination site with ADF Security. If possible can you provide the steps to configure SSO with SAML2 and ADF Security.

    Thanks,

    Kotesh


  • guest Wednesday, January 11, 2017

    When I am trying to import the SP metadata XML into WLS I am getting the following error:

    Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 12631; cvc-elt.4.2: Cannot resolve 'query:AttributeQueryDescriptorType' to a type definition for element 'md:RoleDescriptor'.


    Any idea why this is caused?


  • Puneeth Thursday, January 12, 2017

    RoleDescriptor element is not supported by Weblogic.

    So you need to edit the metadata and remove this tag.

    Check this :

    Parsing Errors while importing Metadata for SAML, Error: Cannot resolve 'ApplicationServiceType' to a type definition for element 'RoleDescriptor' (Doc ID 1662560.1)

    Regards,

    Puneeth
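Before importing the metadata files the post has you publish (idp_metadata.xml and SP_metadata.xml), a sanity check catches the two problems that surface in the comments: the plain-http SSO endpoint Serg asks about, and the md:RoleDescriptor element that makes the WebLogic import fail in the last exchange (where the advice is to remove the tag). The following Python is an added example, not code from the post or from WebLogic; the sample document, its hostnames and its certificate placeholder are constructed.

```python
"""Sanity checks on a SAML 2.0 metadata file before importing it as a partner.

Added example, not code from the post or from WebLogic. Element and attribute
names come from the SAML 2.0 metadata schema; the sample document below, its
hostnames and its certificate placeholder are constructed.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed IDP metadata carrying two problems raised in the comments:
# a plain-http POST endpoint and a RoleDescriptor element.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="SAML2_IDP_Source_Domain">
  <md:RoleDescriptor xmlns:xsi="{XSI}" xmlns:x="urn:example:fed"
      xsi:type="x:ApplicationServiceType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="http://sourcesite.example:7001/saml2/idp/sso/post"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://sourcesite.example:7002/saml2/idp/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_metadata(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {_local(root.tag)}, expected md:EntityDescriptor"]
    findings = []
    if not root.get("entityID"):
        findings.append("entityID attribute is missing")
    # WebLogic's metadata import fails on RoleDescriptor (see the last comment).
    if root.findall(".//md:RoleDescriptor", NS):
        findings.append("md:RoleDescriptor present; WebLogic cannot import it")
    # Without a signing key the partner's signatures cannot be verified.
    keys = root.findall(".//md:KeyDescriptor", NS)
    if not any(k.get("use") in (None, "signing") for k in keys):
        findings.append("no signing KeyDescriptor")
    # The post sets Preferred Binding to POST on both sides, so the partner
    # must publish an HTTP-POST endpoint for the matching service.
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        services = idp.findall("md:SingleSignOnService", NS)
        if not any(s.get("Binding") == HTTP_POST for s in services):
            findings.append("IDP has no HTTP-POST SingleSignOnService")
    elif sp is not None:
        services = sp.findall("md:AssertionConsumerService", NS)
        if not any(s.get("Binding") == HTTP_POST for s in services):
            findings.append("SP has no HTTP-POST AssertionConsumerService")
    else:
        findings.append("neither IDPSSODescriptor nor SPSSODescriptor present")
    # Both domains have SSL configured; a plain-http Location sends the SAML
    # message over an unencrypted connection (the browser warning in the comments).
    for el in root.iter():
        loc = el.get("Location")
        if loc and not loc.lower().startswith("https://"):
            findings.append(f"{_local(el.tag)} endpoint is not https: {loc}")
    return findings


def strip_role_descriptors(xml_text):
    """Return (cleaned_xml, removed_count) with every md:RoleDescriptor removed,
    which is the fix the last comment recommends before re-importing."""
    root = ET.fromstring(xml_text)
    removed = 0
    for parent in list(root.iter()):  # snapshot: the tree is edited below
        for child in list(parent):
            if child.tag == f"{{{MD}}}RoleDescriptor":
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Run check_metadata on the exported file before importing it as a partner; the http finding is fixed on the publishing side (Published Site URL and SSL port), the RoleDescriptor finding by strip_role_descriptors.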

