Wednesday Apr 02, 2014

Steps to configure SAML 2.0 with Shibboleth ( deployed on WLS ) as IDP and Weblogic as SP.

Shibboleth is a free and open source federated identity solutions.

Points to Remember:

The logging configuration for the IdP is located at $IDP_HOME/conf/logging.xml. This file is checked for changes every 10 minutes  by default and is reloaded if changes have been made. 
This means a deployer can keep the logging level at WARN until a problem occurs and then change the logging to DEBUG to get more information if the problem persists, all without restarting the IdP.

By default Shibboleth 2.0 Identity Providers write to three log files :

- idp-access.log contains a log entry for each time the IdP is accessed, whether information was ever sent back or not. These messages include request time, remote host making the request, server host name and port, and the request path. This log is written in the machine parsable format requestTime|remoteHost|serverHost|serverPort|requestPath|.

- idp-audit.log contains a log entry for each time the IdP sends data to a relying party. These messages include the audit event time, IdP and relying party IDs, request and response binding, communication profile ID, request and response ID, principal name, authentication method, and released attribute of the current user. This log is written in the machine parsable format auditEventTime|requestBinding|requestId|relyingPartyId|messageProfileId|assertingPartyId|responseBinding|responseId|principalName|authNMethod|releasedAttributeId1,releasedAttributeId2,|nameIdentifier|assertion1ID,assertion2ID,|
Note the name identifier and assertion IDs were added in V2.1.

- idp-process.log contains messages logged during the normal operation of the IdP. This log is meant to be human readable and contains messages that indicate what the IdP is currently doing, encountered errors, warning messages that may indicate potential problems, etc.

All logging messages are "rolled over" at midnight each night, if the IdP is running, or the next time the IdP starts up after that.

You can test your configuration here :

http://www.testshib.org/

Here are few other sites which might be helpful :

https://sp.testshib.org/

https://shibboleth.usc.edu/docs/sp/install/

NOTE :

SAML2 Assertions encryption is a feature that is not supported by any current version of WebLogic Server, whatever the Identity Provider.

SAML2 Assertions in WebLogic Server are base64 encoded but not encrypted.

In the case of Shibboleth Identity Provider, the default Out-Of-The-Box configuration is to require encryption of the SAML2 Assertions. Thus, this issue is usually raised when using Shibboleth as the Identity Provider.

Shibboleth can be configured to use non-encrypted SAML2 Assertions, for instance check this :

Link : https://wiki.shibboleth.net/confluence/display/SHIB2/IdPXMLSigEnc

The wiki describes the way to configure Shibboleth when used in conjunction with WebLogic Server.

In this post we will see how to configure SAML 2.0 SSO using Shibboleth as IDP ( deployed on WLS ) and Weblogic as SP...

[Read More]

Wednesday Dec 18, 2013

Steps to create a csr ( certificate signing request ) using keytool and get it signed from an external CA ( Certificate Authority - Thawte )

How to create a csr ?

How to get a certificate signed from an external / third party CA ?

How to create a certificate chain ?

-----------

 Defaults for keytool command in Java 1.6 :

-alias "mykey"

-keyalg

    "DSA" (when using -genkeypair)

    "DES" (when using -genseckey)

-keysize

    1024 (when using -genkeypair)

    56 (when using -genseckey and -keyalg is "DES")

    168 (when using -genseckey and -keyalg is "DESede")

-validity 90

In generating a public/private key pair, the signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", -sigalg defaults to "MD5withRSA".

-------------------------------------------

Defaults for keytool command in Java 1.7 :

-alias "mykey"

-keyalg

    "DSA" (when using -genkeypair)

    "DES" (when using -genseckey)

-keysize

    2048 (when using -genkeypair and -keyalg is "RSA")

    1024 (when using -genkeypair and -keyalg is "DSA")

    256 (when using -genkeypair and -keyalg is "EC")

    56 (when using -genseckey and -keyalg is "DES")

    168 (when using -genseckey and -keyalg is "DESede")

-validity 90

If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA"

If the underlying private key is of type "RSA", the -sigalg option defaults to "SHA256withRSA".

If the underlying private key is of type "EC", the -sigalg option defaults to "SHA256withECDSA".

 -------------------------------------------- 

The chaining can be of 2 types :

root……………………….ow = xxx

……………………………..is= xxx

inter ……………………… ow= xxx

………………………………is= yyy

signedcert……………….. ow= yyy

……………………………… is= ppp

and

signedcert ……………… ow= ppp

…………………………….. is= yyy

inter……………………… ow= yyy

…………………………….. is= xxx

root………………………. ow= xxx

…………………………….. is= xxx

In this post we will see how to create a csr and get it signed from a third party CA like Thawte...

[Read More]
About

Oracle Fussion Middleware - WebLogic

Search

Archives
« July 2015
SunMonTueWedThuFriSat
   
1
2
3
4
5
6
7
8
9
10
11
12
13
14
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
       
Today