In this document, we will discuss the configurations required on the Weblogic Server 10.3 source site and destination site for SAML 1.0.
Architecture
On a single machine we have Apache Web server, IIS Web server and 2 Weblogic Server Domains. We have two servers on one domain hosting the source application and two servers on the second domain hosting the destination application.
The servers on the source site are listening on port 7001 and 7003 over HTTP, and the servers on the destination domain are listening on port 7003 and 7005 over HTTP. Apache Web Server proxies the source site and is listening on port 8080 and IIS Web Server proxies the destination site and is listening on port 8090.
Follow the Steps below to configure SAML 1.0 in a Weblogic Cluster.
Configure Apache Plug-in with Weblogic Server
1. Make sure the Apache server runs & serves on port 8080.
This can be done by modifying the httpd.conf present at
D:Program FilesApache GroupApache2conf
Modify the Listen port to 8080
Listen 8080
2. Copy the mod_wl_20.so from <bea_home>wlserver_10.3serverpluginwin32 to
D:Program FilesApache GroupApache2modules
3. Apply the plug-n module by adding these in the httpd.conf file
LoadModule weblogic_module modules/mod_wl_20.so
<Location />
SetHandler weblogic-handler
</Location>
<IfModule mod_weblogic.c>
WebLogicCluster
Debug ON
WLLogFile c:/temp/wlproxy.log
WLTempDir c:/temp
</IfModule>
4. Restart the Apache Server.
Configure IIS Plug-in with Weblogic Server
1. Make a directory on the IIS box for the plug-in.
For instance: c:InetpubWLS_IIS_Plugin
2. Copy iisforward.dll and iisproxy.dll to this new directory.
These files are located at:
10.0: <bea_home>wlserver_10.0serverpluginwin32
10.3: <bea_home>wlserver_10.3serverpluginwin32
3. To install iisforward.dll as an ISAPI filter, do the following:
Go to Start->Administrative Tools->Internet Information Services
(IIS) Manager
In the left pane, drill down to the active website
(like “Default Web Site”)
Right-click the active website and select Properties
Select the ISAPI Filters tab and press the Add button
Filter name: WLS IIS Plugin
Or whatever you want
Executable: C:InetpubWLS_IIS_Pluginiisforward.dll
Or whatever path you created
Press OK twice
IIS6 does not allow the iisforward.dll ISAPI Extension to run by default.
To enable:
In the left pane of the Internet Information Services (IIS) Manager,
click on Web Service Extension (located under the computer name)
In the right pane, highlight All Unknown ISAPI Extensions and press
the Allow button
4. To map .wlforward to use iisproxy.dll, do the following:
a. In the left pane, drill down to the active website (like
“Default Web Site”)
b. Right-click the active website and select Properties
c. Select Home Directory tab
d. Click the Configuration… button.
e. In the Application Mapping tab, click the Add… button.
a. Executable: C:InetpubWLS_IIS_Pluginiisproxy.dll
b. Extension: .wlforward
f. Uncheck Verify that file exists
g. IMPORTANT: Ensure .wlforward is *not* mapped to iisforward.dll.
While this seems intuitive, it is wrong. .wlforward maps to
iisproxy.dll.
h. Press OK three times
i. Exit the IIS Manager MMC console.
5. Create a text file named iisproxy.ini and place it in the plug-in
directory (e.g. c:InetpubWLS_IIS_Pluginiisproxy.ini)
iisproxy.ini
WebLogicCluster=localhost:7001,localhost:7003
WlForwardPath=/
Debug=ALL
DebugConfigInfo=ON
WLLogFile=c:/temp/iisproxy.log
6. Restart IIS using the following CLI statement: iisreset /restart
7. Use a browser to access IIS. This will ‘turn on’ the IIS->WLS
ISAPI filter.
8. Relaunch the IIS Manager and check the ISAPI filter tab to ensure
the iisforward.dll is now ‘turned on’, as evidenced by a green arrow.
Generate Key to sign the assertion:
keytool -genkey -keypass password -keystore DemoIdentity.jks -keyalg rsa -alias faisal_key –storepass DemoIndentityKeyStorePassPhrase
What is your first and last name?
[Unknown]: Faisal
What is the name of your organizational unit?
[Unknown]: BEA
What is the name of your organization?
[Unknown]: Oracle
What is the name of your City or Locality?
[Unknown]: Pune
What is the name of your State or Province?
[Unknown]: MH
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=Faisal, OU=BEA, O=Oracle, L=Pune, ST=MH, C=IN correct?
[no]: y
Export the certificate:
keytool -export -alias faisal_key -keystore DemoIdentity.jks -file faisal.der -storepass DemoIdentityKeyStorePassPhrase
Certificate stored in file <faisal.der>
SOURCE SITE CONFIGURATION (SamlSource)
Security Realms > myrealm > Providers > Credential Mapping
Add a SAML credential mapped V2.
Issuer URI http://www.samlserver.com/samlTraining
Name Qualifier support.samlserver.com
Signing Key Alias faisal_key
Signing Key Pass Phrase password
Confirm Signing Key Pass password
Restart the server
Security Realms > myrealm > Providers > Credential Mapping >
SAMLCredentialMapper > Management and create new Relying Parties and select
“Browser/POST” profile from dropdown menu.
Enabled checkbox (true)
Target URL http://localhost:8090/samldest01App
/restricted01/samldest01services.jsp
Assertion Consumer URL http://localhost:8090/samlacs/acs
Assertion Consumer Parameters APID=ap_00001
Sign Assertions checkbox (true)
Include Keyinfo checkbox (true)
Include Groups Attribute checkbox (true)
Servers > Server1 > Federation Services > SAML 1.1 Source Site
Source Site Enabled checkbox (true)
Source Site URL http://localhost:8080/samlsourceApp
Signing Key Alias faisal_key
Signing Key Passphrase password
Intersite Transfer URIS /samlits_cc/its
(Keep the other values)
ITS Requires SSL checkbox (false)
Assertion Retrieval URIs /samlars/ars
ARS Requires SSL checkbox (true)
Servers > Server2 > Federation Services > SAML 1.1 Source Site
Source Site Enabled checkbox (true)
Source Site URL http://localhost:8080/samlsourceApp
Signing Key Alias faisal_key
Signing Key Passphrase password
Intersite Transfer URIS /samlits_cc/its
(Keep the other values)
ITS Requires SSL checkbox (false)
Assertion Retrieval URIs /samlars/ars
ARS Requires SSL checkbox (false)
DESTINATION SITE CONFIGURATION (SamlDestination)
Security Realms > myrealm > Providers > Authentication> Create a New Authentication Provider > Select SAMLIdentityAsserterV2
Restart the server
Go to “Security Realms > myrealm > Providers > Authentication” Click on newly created SAMLIdentityAsserter’s “Management > Certificates tab and configure the signing certificate
Alias faisal_key
Certificate File Name faisal.der
Go to the newly created SAML Identity Asserter‘s “Management > Asserting Party tab and press new button to create new SAML asserting party and select “Browser/POST” profile from dropdown menu.
Enabled checkbox (true)
Target URL http://localhost:8080/samlsourceApp
POST Signing Certificate alias faisal_key
Source Site Redirect URIs /samldest01App/restricted01/
samldest01services.jsp
Source Site ITS URL http://localhost:8080/samlits_ba/its
Source Site ITS Parameters RPID=rp_00001
Issuer URI http://www.samlserver.com/samlTraining
Signature Required checkbox (true)
Asserting Signing Certificate Alias faisal_key
Process Groups Attribute checkbox (true)
Servers > Server3> Federation Services > SAML 1.1 Destination Site
Destination Site Enabled checkbox (true)
Assertion Consumer URIs /samlacs/acs
ACS Requires SSL checkbox (false)
SSL Client Identity Alias faisal_key
SSL Client Identity Pass Phrase password
POST Recipient Check Enabled checkbox (true)
POST one Use Check Enabled checkbox (true)
Used Assertion Cache Properties APID=ap_00001
Servers > Server4> Federation Services > SAML 1.1 Destination Site
Destination Site Enabled checkbox (true)
Assertion Consumer URIs /samlacs/acs
ACS Requires SSL checkbox (false)
SSL Client Identity Alias faisal_key
SSL Client Identity Pass Phrase password
POST Recipient Check Enabled checkbox (true)
POST one Use Check Enabled checkbox (true)
Used Assertion Cache Properties APID=ap_00001
Deploy and activate the applications
Domain Application
SamlSource samlsourceApp.war
SamlDestination samldest01App.war
Create user and group
The applications are designed to restrict access to its protected resource and only user with principal “SAML_SSO_GRP” has authorized access.So create a group “SAML_SSO_GRP” and user “samluser” and assign it to group “SAML_SSO_GRP” in both the domains.
Access the application with the following url
http://localhost:8080/samlsourceApp/index.jsp
Provide the username and password in the BASIC Authentication window.
Access the destination application by clicking on the destination application link.
I will try to upload the source app and destination app. The applications are very easy to make, however if anyone still needs them they can mail me at khan.faysal06@gmail.com
Hi Faiz,
Just out of curiosity.
Can we configure Custom SAML Assertions
If yes how can we do it.
As we still have time till WLS 10.3.4 releases.
Providing Support for it.
Lemme know.
Cheers,
TK
In the existing versions – NO we cant
We can however add custom attributes to the assertion, the code for which u already have 🙂
In the later version wat Oracle is going to do, u r in a better position to get that information..
Let me know as well. 🙂
Hi Faisal,
I have a query: 🙂
When we configure SAML can i have different keys to sign assertions for various relying parties?
Can we use different certificates in the
SAMLCredentialMappingV2 and server’s Federation
Services tab,
Where are these certificate involved ? or do we have to use the same certificate at both the places.
Thanks in advance.
-Chetan
Hi,
If this thread is still active – I’m just wondering why there is a difference in the SSL setting for the Federation Services on the source site:
On server1:
ITS Requires SSL checkbox (true)
ARS Requires SSL checkbox (true)
On server2:
ITS Requires SSL checkbox (false)
ARS Requires SSL checkbox (false)
Thanks in advance,
Kristian
thanks for pointing out Kristian. It was a typo.. corrected it!