
Deep dive into various configurations with Oracle Weblogic Server

Steps to configure SAML SSO with ADFS (as IDP) and Weblogic Server (as SP)

Puneeth Prakash
Principal Software Engineer

Below are the steps to configure SAML 2.0 SSO using ADFS as Identity Provider and WLS as Service Provider.

In this example I am using ADFS 2.0 on Windows Server 2008R2.

Let's have a look at the ADFS IDP configuration first :

Step 1 :

Download and install ADFS 2.0

- Create a Federation Server 

Step 2 :

- Create a self-signed certificate and configure SSL on IIS 

Step 3 :

- Start ADFS 2.0 Management / Configuration Wizard 

- Create a new Federation Service 

- Select the self-signed certificate you created using IIS from the drop-down menu. 

- Let's create a stand-alone federation server for this example. If you want to use the high-availability / load-balancing feature in ADFS, create a Federation Server Farm instead.

We have now completed the configuration of AD FS 2.0.

Step 4 : 

To download the AD FS metadata (i.e. the IDP metadata in our case) access the following link :

https://<ADFS_hostname>/federationmetadata/2007-06/federationmetadata.xml 

NOTE :

- Metadata downloaded from ADFS contains information about both SP and IDP. It also contains a few tags that are not supported by WLS.

- Remove the following tags from federationmetadata.xml  :

(a) <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ..........  </X509Data></KeyInfo></ds:Signature>

(b) <RoleDescriptor xsi:type="fed:ApplicationServiceType" ...........  </EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor>

(c) <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" ...........  </EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor>

(d) <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">  ........... </SPSSODescriptor> 
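The edit in (a) to (d) can be done by hand in an editor, but doing it with a small script keeps the rest of the document byte-for-byte intact. The following is an added example, not code from the original post or from Oracle; the sample metadata is constructed (placeholder host name and entityID) and only mirrors the top-level layout of a real ADFS file. Note that removing ds:Signature is harmless here: an enveloped signature would not verify over an edited document anyway.

```python
import xml.etree.ElementTree as ET

# Namespaces used by ADFS federation metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
# The two WS-Federation RoleDescriptor types that WLS does not understand.
REMOVED_ROLE_TYPES = {"fed:ApplicationServiceType", "fed:SecurityTokenServiceType"}

# Constructed sample with the same top-level layout as real ADFS metadata
# (host name and entityID are placeholders, not values from the page).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  entityID="http://adfs.example.test/adfs/services/trust">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>c2lnbg==</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_adfs_metadata(xml_text: str) -> str:
    """Drop (a) ds:Signature, (b)/(c) the fed:* RoleDescriptors and (d) SPSSODescriptor.

    Everything else, in particular the IDPSSODescriptor WLS needs, stays in place.
    """
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(xml_text)
    for child in list(root):  # copy: we mutate root while iterating
        role_type = child.get("{%s}type" % NS["xsi"], "")
        if (child.tag == "{%s}Signature" % NS["ds"]
                or child.tag == "{%s}SPSSODescriptor" % NS["md"]
                or (child.tag == "{%s}RoleDescriptor" % NS["md"]
                    and role_type in REMOVED_ROLE_TYPES)):
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


def top_level_elements(xml_text: str) -> list:
    """Local names of the top-level elements, for a quick before/after check."""
    return [child.tag.split("}")[1] for child in ET.fromstring(xml_text)]
```

Run it on the downloaded file and compare `top_level_elements()` before and after; only descriptors WLS accepts (IDPSSODescriptor, plus any Organization/ContactPerson entries) should remain.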



The final edited federationmetadata.xml file is as follows :

Step 5 :  

- Export the self-signed certificate you created in IIS to .pfx file (say adfscert.pfx).

Convert this .pfx file to a .jks keystore using the following command :

Command :

keytool -importkeystore -srckeystore adfscert.pfx -srcstoretype PKCS12 -srcstorepass password -destkeystore identity.jks -deststoretype JKS -deststorepass password 

- Copy identity.jks and the modified federationmetadata.xml to the Weblogic box.

Step 6:

Weblogic SP configuration : 

- Configure "Custom Identity and Custom Trust" on the Admin Server using the identity.jks file that you copied from the ADFS box.

NOTE : To reduce the complexity of this configuration I am avoiding the creation of two separate certificates/keystores on the ADFS box and the WLS box. 

- Create an Identity Asserter using Weblogic Admin console.

Login to the Weblogic console --> Click on "myrealm" --> "Providers" --> "Authentication" --> New --> "SAML2IdentityAsserter", say "saml_IA" :

- Create an AD provider and retrieve the users from Active Directory. (Alternatively, you can create a new SAMLAuthenticator provider and enable the "virtual user" feature in the WLS SP.) 

- Click on "Servers" --> Admin Server --> "Federation Services" --> "SAML 2.0 Service Provider" and make the following changes :

Enabled : check

Preferred Binding : POST

Default URL : http://<DestinationSiteDNSName>:<PORT>/console


Now click on "Servers" --> Admin Server --> "Federation Services" --> "SAML 2.0 General" and make the following changes :

Replicated Cache Enabled : Uncheck 

Contact Person Given Name

Contact Person Surname

Contact Person Type

Contact Person Company

Contact Person Telephone Number

Contact Person Email Address

Organization Name

Organization URL

Published Site URL : https://<DestinationSiteDNSName>:<PORT>/saml2

Entity ID : ( Destination Domain name)

Single Sign-on Signing Key Alias

Single Sign-on Signing Key Pass Phrase

Confirm Single Sign-on Signing Key Pass Phrase

Recipient Check Enabled : Uncheck

- Save the changes and export the SP metadata into an XML file (say sp.xml) --> Click on the "Publish Meta Data" button.

- Create an IDP partner on Weblogic using the federationmetadata.xml file you copied from the ADFS box.

Click on "Security Realms" --> "myrealm" --> "Providers" --> "Authentication" --> saml_IA --> "Management" --> "New" --> "New Web Single Sign-On Identity Provider Partner", say "WebSSO-IdP-Partner-1", and then select "federationmetadata.xml" :

Click on "WebSSO-IdP-Partner-1" and enter the following :

Name : WebSSO-IdP-Partner-1

Enabled : Check

Description : WebSSO-IdP-Partner-1

Redirect URIs : /console/*

Step 7 :

ADFS IDP configuration :

- Add a Relying Party Trust using the ADFS 2.0 Management wizard

- Import the relying party data into the ADFS IDP using the SP metadata file that you copied from the WLS box (i.e. sp.xml)

Step 8 : 

- We have now completed all the SP- and IDP-related configuration. It's time to test SSO :)

- To test SP-initiated SSO, access the following link :

https://<WLS_hostname>:7002/console

- Once you access the console page you should be redirected to the ADFS box, which asks for credentials in a browser pop-up :

- To test IDP-initiated SSO, access the following link :

https://<ADFS_hostname>/adfs/ls/idpinitiatedsignon.aspx


Comments (5)
  • Puneeth Tuesday, September 8, 2015

    To set NotBeforeSkew at the ADFS end, run the following commands in PowerShell:

    Add-PSSnapin Microsoft.Adfs.PowerShell  # Load up the ADFS PowerShell plug-in
    Get-ADFSRelyingPartyTrust -Identifier "wls_sp_for_adfs"  # Just to see what the values were
    Set-ADFSRelyingPartyTrust -TargetIdentifier "wls_sp_for_adfs" -NotBeforeSkew 2  # Set the skew to 2 minutes


  • Puneeth Tuesday, September 8, 2015

    Error :

    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2IdentityAsserterProvider: start assert SAML2 token>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2IdentityAsserterProvider: SAML2IdentityAsserter: tokenType is 'SAML2.Assertion.DOM'>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion signature>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: The assertion is signed.>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion signature>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion attributes>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion attributes>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion issuer>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion issuer>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion conditions>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <[Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096538]Assertion has expired (NotOnOrAfter condition).>
    <Sep 2, 2015 12:48:06 PM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <exception info
    javax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096538]Assertion has expired (NotOnOrAfter condition).
        at com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(IdentityAssertionServiceImpl.java:89)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
        at $Proxy25.assertIdentity(Unknown Source)
        at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.assertIdentity(AssertionConsumerServiceImpl.java:262)
        at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.process(AssertionConsumerServiceImpl.java:137)
        at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:26)
        at $Proxy26.process(Unknown Source)
        at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:242)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:216)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:132)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:352)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:235)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3284)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3254)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
        at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2163)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1512)
        at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

    --

    Make sure that the time on IDP and SP are in sync.


  • guest Tuesday, September 8, 2015

    <Sep 2, 2015 1:08:28 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <[Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096537]Assertion is not yet valid (NotBefore condition).>
    <Sep 2, 2015 1:08:28 AM EDT> <Debug> <SecuritySAML2Service> <BEA-000000> <exception info
    javax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096537]Assertion is not yet valid (NotBefore condition).
        at com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(IdentityAssertionServiceImpl.java:89)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
        at $Proxy25.assertIdentity(Unknown Source)
        at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.assertIdentity(AssertionConsumerServiceImpl.java:262)
        at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.process(AssertionConsumerServiceImpl.java:137)
        at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:26)
        at $Proxy26.process(Unknown Source)
        at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:242)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:216)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:132)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:352)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:235)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3284)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3254)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)

    --

    Check if the clock on IDP and SP are in sync.
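The two failures quoted in the comments above (096537 "not yet valid" and 096538 "has expired") are both the SP comparing its own clock against the assertion's Conditions window. The following is an added example, not WebLogic's or ADFS's own code: it evaluates a constructed assertion against a given SP clock with an optional tolerance, so the effect of a clock offset and of the two-minute NotBeforeSkew from the first comment can be seen offline (ADFS applies that skew when it issues the assertion; here the same tolerance is applied at check time). Timestamps are assumed to be the UTC "Z" form ADFS emits, with or without fractional seconds.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the IdP issued a 5-minute assertion at 12:48:00Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc" Version="2.0" IssueInstant="2015-09-02T12:48:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2015-09-02T12:48:00Z" NotOnOrAfter="2015-09-02T12:53:00Z"/>
</saml:Assertion>"""


def _parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime; accept 'Z' with or without fraction."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported SAML timestamp: " + value)


def check_conditions(assertion_xml: str, now_utc: str, skew_seconds: int = 0) -> str:
    """Return 'ok', or the reason the SP would reject the assertion.

    now_utc is the SP's own clock; skew_seconds is the tolerance allowed.
    """
    now = _parse_ts(now_utc)
    skew = timedelta(seconds=skew_seconds)
    cond = ET.fromstring(assertion_xml).find("{%s}Conditions" % SAML_NS)
    if cond is None:
        return "ok"  # no Conditions element, so no time window to enforce
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # SP clock behind the IdP: NotBefore still lies in the future -> 096537
    if not_before and now + skew < _parse_ts(not_before):
        return "Assertion is not yet valid (NotBefore condition)"
    # SP clock ahead of the IdP, or a stale assertion -> 096538
    if not_on_or_after and now - skew >= _parse_ts(not_on_or_after):
        return "Assertion has expired (NotOnOrAfter condition)"
    return "ok"
```

A 30-second lag on the SP already trips the NotBefore check with no skew, while a few minutes of skew masks clock drift in either direction, which is why keeping both boxes on NTP is the real fix and the skew only a stop-gap.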


  • guest Wednesday, October 14, 2015

    Consider the following scenario :

    ADFS (configured with SSL) -> forwards the request to the LB (where SSL is configured) -> which in turn forwards the request to the WLS SP.

    Note that the WLS SP is on non-SSL.

    Below are the points to keep in mind :

    1) Since SSL is configured on the LB end and no SSL on WLS, the following steps have to be performed :

    - Set WLProxySSL ON at the loadbalancer or webserver end.

    - Enable "WebLogic Plugin Enabled" on the WLS end. (If the LB or webserver forwards the request to an individual server then enable this parameter at the server level. If the LB is targeted to a WLS cluster then enable WebLogic Plugin Enabled at the cluster level.)

    - Configure a Frontend host and port at the Weblogic end.

    Login to console -> +Environment -> <server_name> -> Protocol -> HTTP ->

    Frontend Host: <LB Hostname>
    Frontend HTTP Port: <LB HTTP Port>
    Frontend HTTPS Port: <LB HTTPS Port>

    2)

    - Even though the WLS SP is on a non-SSL port, when you create the SP metadata it has information about the Demo Root certificate.

    - By default the Demo certificates are of 512 bits and will be rejected by most browsers and also by ADFS.

    - So it is safe to create a self-signed certificate with a key length greater than 1024 bits.

    NOTE that we are not enabling the SSL port on the WLS SP end; we have just configured the Custom Identity and Custom Trust with only the HTTP port enabled.

    - Now recreate the SP metadata file; you will find that the Custom root certificate is added to the metadata now.

    3) Change the Published Site URL to point to the LB host and port from the WLS SP console.

    Login to console -> +Environment -> <server_name> -> Federation Services -> SAML 2.0 General ->

    Published Site URL: https://<LB_hostname>:<LB_SSL_Port>/saml2

    4) Import the root certificate of the ADFS end into the WLS SP trust store.

    5) Import the root certificate of the WLS SP into the ADFS trust store.


  • guest Friday, August 26, 2016

    Hi Santosh,

    Yes, you can configure SSO with ADFS without SSL on WLS end.

    Just make sure that the certificate provided by your ADFS team is trusted in the Weblogic Server trust store, say DemoTrust or cacerts.

    Regards,

    Puneeth

