Below are the steps to configure SAML 2.0 SSO with Azure as Identity Provider (IDP) and Weblogic as Service Provider (SP).
Let's have a look at the Azure Identity Provider configuration first :
Login to Azure portal -> Azure Active Directory -> Enterprise Applications :
Create a new application :
Select Non-gallery application -> add your own application
Select Single Sign-On -> SAML
Download the IDP metadata.
NOTE: User attributes and claims that need to be part of the SAML Token sent to WLS can be edited from this screen.
Azure IDP metadata cannot be used with Weblogic directly as it contains few tags that are not supported by Weblogic.
Edit the IDP metadata downloaded in Azure and remove the <RoleDescriptor> tag.
This tag should be present twice in the metadata. Save the metadata. This will be used to create a partner in Weblogic SP configuration.
You can add users who need access to this application as required.
Create SAML Identity Provider and SAML Authentication provider in Weblogic.
SAML Identity Provider is required to understand/accept the SAML token sent from Azure to WLS.
SAML Authentication Provider is an optional provider which can be created if you want to make use of the "Virtual User" feature in WebLogic.
Restart the servers.
After restart select Adminserver -> Federation Services -> SAML2.0 General :
In this example I am configuring SSO for the WLS console application which is deployed to the Admin Server by default, hence I need to update the SAML2.0 General tab under AdminServer.
If you have your custom application deployed on say MS1 then you need to update the SAML2.0 General tab of the managed server, say MS1.
Publish site URL should have the URL in the following format :
If you have a Load Balancer behind Weblogic then Publish Site URL should contain the Load Balancer host and the port.
Irrespective of what application is deployed on Weblogic the Publish Site URL should always have the context as "/saml2", because saml2.war is an internal application deployed in Weblogic and it cannot be changed.
Entity ID should be a unique name in WLS.
Enable SAML2.0 service provider.
Default URL is optional.
Now go back to "SAML 2.0 General" tab and publish the SP metadata.
NOTE: The file name should have an extension .xml
Now go to Security Realms -> Providers -> SAML Identity Asserter -> Management and create a new partner using the modified Azure IDP metadata.
Enable the partner created and update the Redirect URI.
Redirect URI should be the context of the protected page of your application that needs to participate in SSO.
In our case it is "/console/*"
If you want to bypass SSO and access the WLS console directly use the following URL :
(continued) Azure IDP configuration :
Now use the SP metadata and create a partner in Azure.
Since we are testing SSO using the console application, you need to change the cookie name for console application in Weblogic :
Now when you access the console page you should get redirected to Azure IDP login page :
If you would like to test SSO with a sample application (instead of WLS console), then :
Deploy the following sample application on Weblogic Server (Weblogic_SP_sample_App.zip)
NOTE: You can just unzip the above zip file and deploy the application in an exploded format in WLS.(There is no need to create a war file).
To enable this application to participate in SSO add the redirect URI as shown below :
Login to console -> security realms -> myrealm -> Providers -> <saml_IA> -> management -> <partner_name> ->
Redirect URIs : /Weblogic_SP_sample_App/restricted/protected_page.jsp
Have a look at the following video which shows how to install the sample application and enable Virtual User feature in WebLogic :
NOTE: The video shows a sample application from JCS SAML blog but it holds good for the sample application used in this blog as well.