saml Archive

Configuring SAML 1.0 in a Clustered Weblogic Server

In this document, we will discuss the configurations required on the Weblogic Server 10.3 source site and destination site for SAML 1.0.

Architecture

On a single machine we have Apache Web server, IIS Web server and 2 Weblogic Server Domains. We have two servers on one domain hosting the source application and two servers on the second domain hosting the destination application.

The servers on the source site are listening on port 7001 and 7003 over HTTP, and the servers on the destination domain are listening on port 7003 and 7005 over HTTP. Apache Web Server proxies the source site and is listening on port 8080 and IIS Web Server proxies the destination site and is listening on port 8090.

Follow the Steps below to configure SAML 1.0 in a Weblogic Cluster.

Configure Apache Plug-in with Weblogic Server

1. Make sure the Apache server runs & serves on port 8080.
This can be done by modifying the httpd.conf present at
D:\Program Files\Apache Group\Apache2\conf
Modify the Listen port to 8080

Listen 8080

2. Copy the mod_wl_20.so from <bea_home>\wlserver_10.3\server\plugin\win\32 to
D:\Program Files\Apache Group\Apache2\modules

3. Apply the plug-n module by adding these in the httpd.conf file

LoadModule weblogic_module modules/mod_wl_20.so

<Location />
SetHandler weblogic-handler
</Location>

<IfModule mod_weblogic.c>
WebLogicCluster
Debug ON
WLLogFile c:/temp/wlproxy.log
WLTempDir c:/temp
</IfModule>

4. Restart the Apache Server.

Configure IIS Plug-in with Weblogic Server

1. Make a directory on the IIS box for the plug-in.
For instance: c:\Inetpub\WLS_IIS_Plugin\

2. Copy iisforward.dll and iisproxy.dll to this new directory.
These files are located at:
10.0: <bea_home>\wlserver_10.0\server\plugin\win\32
10.3: <bea_home>\wlserver_10.3\server\plugin\win\32

3. To install iisforward.dll as an ISAPI filter, do the following:
Go to Start->Administrative Tools->Internet Information Services
(IIS) Manager
In the left pane, drill down to the active website
(like “Default Web Site”)
Right-click the active website and select Properties
Select the ISAPI Filters tab and press the Add button
Filter name: WLS IIS Plugin
Or whatever you want
Executable: C:\Inetpub\WLS_IIS_Plugin\iisforward.dll
Or whatever path you created
Press OK twice
IIS6 does not allow the iisforward.dll ISAPI Extension to run by default.

To enable:
In the left pane of the Internet Information Services (IIS) Manager,
click on Web Service Extension (located under the computer name)
In the right pane, highlight All Unknown ISAPI Extensions and press
the Allow button

4. To map .wlforward to use iisproxy.dll, do the following:
a. In the left pane, drill down to the active website (like
“Default Web Site”)
b. Right-click the active website and select Properties
c. Select Home Directory tab
d. Click the Configuration… button.
e. In the Application Mapping tab, click the Add… button.
a. Executable: C:\Inetpub\WLS_IIS_Plugin\iisproxy.dll
b. Extension: .wlforward
f. Uncheck Verify that file exists
g. IMPORTANT: Ensure .wlforward is *not* mapped to iisforward.dll.
While this seems intuitive, it is wrong. .wlforward maps to
iisproxy.dll.
h. Press OK three times
i. Exit the IIS Manager MMC console.

5. Create a text file named iisproxy.ini and place it in the plug-in
directory (e.g. c:\Inetpub\WLS_IIS_Plugin\iisproxy.ini)

iisproxy.ini

WebLogicCluster=localhost:7001,localhost:7003
WlForwardPath=/
Debug=ALL
DebugConfigInfo=ON
WLLogFile=c:/temp/iisproxy.log

6. Restart IIS using the following CLI statement: iisreset /restart

7. Use a browser to access IIS. This will ‘turn on’ the IIS->WLS
ISAPI filter.

8. Relaunch the IIS Manager and check the ISAPI filter tab to ensure
the iisforward.dll is now ‘turned on’, as evidenced by a green arrow.

Generate Key to sign the assertion:

keytool -genkey -keypass password -keystore DemoIdentity.jks -keyalg rsa -alias faisal_key –storepass DemoIndentityKeyStorePassPhrase

What is your first and last name?
[Unknown]: Faisal
What is the name of your organizational unit?
[Unknown]: BEA
What is the name of your organization?
[Unknown]: Oracle
What is the name of your City or Locality?
[Unknown]: Pune
What is the name of your State or Province?
[Unknown]: MH
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=Faisal, OU=BEA, O=Oracle, L=Pune, ST=MH, C=IN correct?
[no]: y

Export the certificate:

keytool -export -alias faisal_key -keystore DemoIdentity.jks -file faisal.der -storepass DemoIdentityKeyStorePassPhrase
Certificate stored in file <faisal.der>

SOURCE SITE CONFIGURATION (SamlSource)

Security Realms > myrealm > Providers > Credential Mapping
Add a SAML credential mapped V2.

Issuer URI http://www.samlserver.com/samlTraining
Name Qualifier support.samlserver.com
Signing Key Alias faisal_key
Signing Key Pass Phrase password
Confirm Signing Key Pass password

Restart the server

Security Realms > myrealm > Providers > Credential Mapping >
SAMLCredentialMapper > Management and create new Relying Parties and select
“Browser/POST” profile from dropdown menu.

Enabled checkbox (true)
Target URL http://localhost:8090/samldest01App
/restricted01/samldest01services.jsp
Assertion Consumer URL http://localhost:8090/samlacs/acs
Assertion Consumer Parameters APID=ap_00001
Sign Assertions checkbox (true)
Include Keyinfo checkbox (true)
Include Groups Attribute checkbox (true)

Servers > Server1 > Federation Services > SAML 1.1 Source Site

Source Site Enabled checkbox (true)
Source Site URL http://localhost:8080/samlsourceApp
Signing Key Alias faisal_key
Signing Key Passphrase password
Intersite Transfer URIS /samlits_cc/its
(Keep the other values)
ITS Requires SSL checkbox (false)
Assertion Retrieval URIs /samlars/ars
ARS Requires SSL checkbox (true)

Servers > Server2 > Federation Services > SAML 1.1 Source Site

Source Site Enabled checkbox (true)
Source Site URL http://localhost:8080/samlsourceApp
Signing Key Alias faisal_key
Signing Key Passphrase password
Intersite Transfer URIS /samlits_cc/its
(Keep the other values)
ITS Requires SSL checkbox (false)
Assertion Retrieval URIs /samlars/ars
ARS Requires SSL checkbox (false)

DESTINATION SITE CONFIGURATION (SamlDestination)

Security Realms > myrealm > Providers > Authentication> Create a New Authentication Provider > Select SAMLIdentityAsserterV2

Restart the server

Go to “Security Realms > myrealm > Providers > Authentication” Click on newly created SAMLIdentityAsserter’s “Management > Certificates tab and configure the signing certificate

Alias faisal_key
Certificate File Name faisal.der

Go to the newly created SAML Identity Asserter‘s “Management > Asserting Party tab and press new button to create new SAML asserting party and select “Browser/POST” profile from dropdown menu.

Enabled checkbox (true)
Target URL http://localhost:8080/samlsourceApp
POST Signing Certificate alias faisal_key
Source Site Redirect URIs /samldest01App/restricted01/
samldest01services.jsp
Source Site ITS URL http://localhost:8080/samlits_ba/its
Source Site ITS Parameters RPID=rp_00001
Issuer URI http://www.samlserver.com/samlTraining
Signature Required checkbox (true)
Asserting Signing Certificate Alias faisal_key
Process Groups Attribute checkbox (true)

Servers > Server3> Federation Services > SAML 1.1 Destination Site

Destination Site Enabled checkbox (true)
Assertion Consumer URIs /samlacs/acs
ACS Requires SSL checkbox (false)
SSL Client Identity Alias faisal_key
SSL Client Identity Pass Phrase password
POST Recipient Check Enabled checkbox (true)
POST one Use Check Enabled checkbox (true)
Used Assertion Cache Properties APID=ap_00001

Servers > Server4> Federation Services > SAML 1.1 Destination Site

Destination Site Enabled checkbox (true)
Assertion Consumer URIs /samlacs/acs
ACS Requires SSL checkbox (false)
SSL Client Identity Alias faisal_key
SSL Client Identity Pass Phrase password
POST Recipient Check Enabled checkbox (true)
POST one Use Check Enabled checkbox (true)
Used Assertion Cache Properties APID=ap_00001

Deploy and activate the applications

Domain Application

SamlSource samlsourceApp.war
SamlDestination samldest01App.war

Create user and group

The applications are designed to restrict access to its protected resource and only user with principal “SAML_SSO_GRP” has authorized access.So create a group “SAML_SSO_GRP” and user “samluser” and assign it to group “SAML_SSO_GRP” in both the domains.
Access the application with the following url

http://localhost:8080/samlsourceApp/index.jsp

Provide the username and password in the BASIC Authentication window.
Access the destination application by clicking on the destination application link.