Saturday, August 14, 2010

Single Sign On Using WebLogic 10.3 and WebLogic 9.2

Introduction
WebLogic Application Server supports Single Sign On (SSO) using a SAML Credential Mapper as the Identity Provider and a SAML Identity Asserter as the Service Provider. Accordingly, a minimum of two WebLogic instances are required: one instance as the Identity Provider and the other as the Service Provider. The two instances can be on the same host using different ports, or on two different hosts. SAML assertions are time sensitive: when the Identity Provider and Service Provider are on different hosts, it is critical that the clocks on the two hosts are synchronized. Applications that require authentication and are to be configured for SSO are deployed on the WebLogic instance designated as the Service Provider. The SSO sequence is shown in Figure 1:
Figure 1. Single Sign On Sequence

A web debug proxy can be used to capture the browser events. Fiddler2 is such a web debug proxy, and can be downloaded from http://www.fiddler2.com/fiddler2/. The sequence of events in the browser as captured by Fiddler 2 is shown in Figure 2:

Figure 2. Browser Events Sequence

Details of the SSO events, combined with the web events captured by Fiddler2, are summarized below:
  1. The end user sends a request for a secured page on the service provider.
  2. The service provider queries its chain of Identity Asserters for a matching asserting party.
  3. A matching asserting party configuration is returned to the service provider.
  4. The service provider sends a redirect to the identity provider's intersite transfer servlet (samlits) with the relying party id and the requested target: https://<IdentityProvider:port>/samlits_ba/its?RPID=rp_00001&TARGET=https://<ServiceProvider:port>/HelloWorldWeb/index.jsp
  5. The identity provider sends a 401 Unauthorized response.
  6. The browser prompts the user for authentication.
  7. On successful authentication, a response containing a form that automatically posts to the service provider's assertion consumer service, https://<ServiceProvider:port>/samlacs/acs, is returned, as can be seen from the response shown:
  8. <HTML> <HEAD> <TITLE>SAML Post Profile Intersite Transfer Service</TITLE> </HEAD> <BODY onLoad="document.forms[0].submit();"> <FORM METHOD="POST" ACTION="https://<ServiceProvider:port>/samlacs/acs"> <INPUT TYPE="HIDDEN" NAME="TARGET" VALUE="https://<ServiceProvider:port>/<context root>/<requested page>"> <INPUT TYPE="HIDDEN" NAME="APID" VALUE="ap_00001"> <INPUT TYPE="HIDDEN" NAME="SAMLResponse" VALUE="<encrypted saml response>"> </FORM> </BODY> </HTML>
  9. Upon successful validation of the assertion, a 302 redirect to the requested page is returned, as can be seen from the following response:
  10. <html> <head> <title>302 Moved Temporarily</title> </head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://<ServiceProvider:port>/<context root>/<requested page>&#59;jsessionid=jBh8Mm5d1RyH32NFHTY3ynYG1tmmyGl61Q7vh1hBfD1R57xvQX4v!1474895519">https://elite.hopeless.home.com:7002/HelloWorldWeb/index.jsp&#59;jsessionid=jBh8Mm5d1RyH32NFHTY3ynYG1tmmyGl61Q7vh1hBfD1R57xvQX4v!1474895519</a>.</p> </body> </html>
  11. The user is then presented with the requested page, https://<ServiceProvider:port>/<context root>/<requested page>.
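The browser/POST exchange above, as an added example (not WebLogic's own code): a simplified source-site intersite transfer servlet that resolves the relying party from RPID, refuses a TARGET that is not under that relying party's configured Target URL, and emits the auto-submitting form of step 8; and a destination-site assertion consumer that reads the posted fields back. The relying party record, the hostnames and the base64 encoding of the SAMLResponse field are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import base64
# Constructed relying-party record mirroring the console table (assumed; not WebLogic's data model).
RELYING_PARTIES = {
    "rp_00001": {
        "target_url": "https://sp.example.test:7002/",
        "acs_url": "https://sp.example.test:7002/samlacs/acs",
        "acs_params": {"APID": "ap_00001"},
    },
}

def target_allowed(rp, target):
    """Only send the user back to a location under the relying party's configured Target URL."""
    return target.startswith(rp["target_url"])

def its_handle(request_url, assertion_xml):
    """Source-site ITS (steps 4 to 8): resolve RPID, check TARGET, build the auto-submitting form."""
    q = parse_qs(urlparse(request_url).query)
    rp = RELYING_PARTIES.get(q.get("RPID", [""])[0])
    target = q.get("TARGET", [""])[0]
    if rp is None:
        raise ValueError("unknown relying party")
    if not target_allowed(rp, target):
        raise ValueError("TARGET is not under the relying party's Target URL")
    # Browser/POST profile: the assertion travels base64-encoded in SAMLResponse (assumed here).
    fields = {"TARGET": target, **rp["acs_params"],
              "SAMLResponse": base64.b64encode(assertion_xml.encode()).decode()}
    inputs = "".join(f'<INPUT TYPE="HIDDEN" NAME="{k}" VALUE="{escape(v, quote=True)}">'
                     for k, v in fields.items())
    return ('<HTML><BODY onLoad="document.forms[0].submit();">'
            f'<FORM METHOD="POST" ACTION="{rp["acs_url"]}">{inputs}</FORM></BODY></HTML>')

class _HiddenFields(HTMLParser):
    """Collects the hidden inputs a browser would submit from the auto-posting form."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names, keeps values as-is
        if tag == "input" and a.get("type") == "HIDDEN":
            self.fields[a["name"]] = a["value"]

def acs_handle(form_html):
    """Destination-site ACS: recover APID, TARGET and the assertion from the posted form."""
    p = _HiddenFields()
    p.feed(form_html)
    return {"APID": p.fields["APID"], "TARGET": p.fields["TARGET"],
            "assertion": base64.b64decode(p.fields["SAMLResponse"]).decode()}
```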
Test Environment
Web Single Sign On as supported by WebLogic Application Server was tested using two instances of WebLogic Application Server, one WebLogic 10.3 and the other WebLogic 9.2, deployed on two different hosts, as shown in Figure 3.

Figure 3. SSO Environment

Setting up the SSO environment consists of creating and configuring several components on both the Identity Provider and the Service Provider; they are listed below:
  1. Source Site/Identity Provider
  2. Destination Site/Service Provider
Source Site/Identity Provider
User authentication is executed on the source site. Creating the source site consists of creating a SAML Credential Mapper and a relying party. WebLogic 10.3 provides three versions of the SAML credential mapping provider:
  1. SAMLCredentialMapper
  2. SAMLCredentialMapperV2
  3. SAML2CredentialMapper
In view of the requirement that widgets hosted on WebLogic 9.2 be supported, SAMLCredentialMapperV2 is used. Source site configuration is divided into the following sections:
  1. Create SAMLCredentialMapperV2
  2. Configure SAMLCredentialMapperV2
  3. Creating Relying Party
  4. Configuring Relying Party
Create SAMLCredentialMapperV2
WebLogic allows creation of only one instance of SAMLCredentialMapperV2 per source site. SSO from multiple hosts is configured by creating a relying party per server, discussed in a later section. Assuming myrealm is the default security realm:

  1. Navigate to Security Realms->myrealm->Providers->Credential Mapping
  Figure 4
  2. Click on New
  3. Enter SAMLCredentialMapperV2 against the field labeled Name
  4. Click on OK
  5. Restart the WebLogic Server

Configure SAMLCredentialMapperV2

After restarting the WebLogic Application Server:
  1. Navigate to Security Realms->myrealm->Providers->Credential Mapping
  2. Click on the newly created SAMLCredentialMapperV2
  3. Navigate to Configuration->Provider Specific
  4. Fill in the form fields as detailed in the following table:
     Property | Value | Comments
     Issuer URI | Identifying name | A name identifying the source site
     Name Qualifier | | Optional, another identifying name
     Default Time to Live | Default value |
     Default Time To Live Offset | Default value |
     Signing Key Alias | | Certificate created exclusively for signing the message
     Signing Key Pass Phrase | | Signing key pass phrase
     Confirm Signing Key Pass Phrase | | Signing key pass phrase
     Default Name Mapper Class Name | |
  5. Click on Save
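Why the clock synchronisation stressed in the introduction matters, and what the Time To Live and Time To Live Offset fields change, as an added example (not WebLogic's implementation): the source site stamps NotBefore/NotOnOrAfter into the assertion's Conditions element as plain-text timestamps, and the destination site compares them against its own clock. The example assumes that the offset shifts NotBefore and that the time to live runs from the shifted NotBefore, which is consistent with the author's reply in the comments (offset -60 with a TTL of 120 gives a window of issue time plus or minus 60 seconds); the issue time and transit delay are constructed.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ISO = "%Y-%m-%dT%H:%M:%SZ"

def conditions_for(issued_at, ttl_seconds=120, offset_seconds=0):
    """Source-site side: the validity window the credential mapper stamps into the assertion.
    Assumption (consistent with the author's reply in the comments): the offset shifts
    NotBefore, and the time to live runs from the shifted NotBefore."""
    not_before = issued_at + timedelta(seconds=offset_seconds)
    return not_before, not_before + timedelta(seconds=ttl_seconds)

def conditions_xml(not_before, not_on_or_after):
    """Render the SAML 1.1 Conditions element; the timestamps are plain text in the assertion."""
    return (f'<saml:Conditions xmlns:saml="{SAML1_NS}" '
            f'NotBefore="{not_before.strftime(ISO)}" '
            f'NotOnOrAfter="{not_on_or_after.strftime(ISO)}"/>')

def _parse_utc(value):
    return datetime.strptime(value, ISO).replace(tzinfo=timezone.utc)

def check_conditions(conditions_xml_text, destination_now):
    """Destination-site side: validate the window against the service provider's own clock."""
    cond = ET.fromstring(conditions_xml_text)
    not_before = _parse_utc(cond.get("NotBefore"))
    not_on_or_after = _parse_utc(cond.get("NotOnOrAfter"))
    if destination_now < not_before:
        return "not yet valid (NotBefore condition)"
    if destination_now >= not_on_or_after:
        return "expired (NotOnOrAfter condition)"
    return "valid"

def simulate(sp_clock_skew_seconds, offset_seconds, ttl_seconds=120):
    """Issue on the identity provider's clock, validate on the service provider's skewed clock.
    A fixed, constructed issue time is used and two seconds of transit delay are assumed."""
    idp_now = datetime(2010, 8, 14, 12, 0, 0, tzinfo=timezone.utc)
    not_before, not_on_or_after = conditions_for(idp_now, ttl_seconds, offset_seconds)
    sp_now = idp_now + timedelta(seconds=sp_clock_skew_seconds + 2)
    return check_conditions(conditions_xml(not_before, not_on_or_after), sp_now)

if __name__ == "__main__":
    # Service provider clock 30 s behind the identity provider, no offset: rejected.
    print(simulate(-30, 0))    # not yet valid (NotBefore condition)
    # Same skew, offset -60: the window now opens 60 s before issue time: accepted.
    print(simulate(-30, -60))  # valid
```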

Creating Relying Party
One relying party can serve multiple applications hosted on the service provider, or a dedicated relying party per application can be used.
  1. Navigate to Management->Relying Parties
  2. Click on New
  3. Enter a value for Description
  4. Click on OK
  5. The list of relying parties is displayed


Configuring Relying Party

  1. Click on the just created relying party, rp_00001
  2. Enter values as shown in the following table:
     Property | Value | Comments
     Enabled | Checked | The relying party is configured by enabling the Enabled property
     Description | Some Good Description | Enter a good description describing the relying party
     Target URL | https://<ServiceProvider:port>/ | Enter the URL of the service provider
     Assertion Consumer URL | https://<ServiceProvider:port>/samlacs/acs | Replace <ServiceProvider:port> with the actual URL of the service provider
     Assertion Consumer Parameters | APID=ap_00001 | Identifier of the asserting party (APID) configured on the service provider
     Post Form | default |
     Audience URI | | Optional; to serve multiple applications leave it blank
     Name Mapper Class | default |
     Assertion Time To Live | Default Value |
     Assertion Time To Live Offset | Default Value |
     Sign Assertions | Checked | Check the checkbox to sign assertions
     Include Key Info | Checked | Check to include key info
     Include DoNotCache Condition | default value |
     Include Groups Attributes | | Check to include the groups attribute
  3. Click on Save

Enabling Source Site
  1. Navigate to Environment->Servers->Admin Server
  2. Navigate to Configuration->Federation Services->SAML 1.1 Source Site
  3. Enable Source Site, and fill in the required properties:
     Property | Value | Comments
     Source Site Enabled | Checked | The Identity Provider is enabled only by checking this flag
     Signing Key Alias | | Enter the alias of the site's signing certificate
     Signing Key Passphrase | |
     Confirm Signing Key Passphrase | |
     Intersite Transfer URIs | /samlits_ba/its, /samlits_ba/its/post, /samlits_ba/its/artifact, /samlits_cc/its, /samlits_cc/its/post, /samlits_cc/its/artifact | Default
     ITS Requires SSL | Checked |
     Assertion Retrieval URIs | /samlars/ars | Default
     ARS Requires SSL | Checked |
     ARS Requires Two-Way SSL Authentication | |
     Assertion Store Class Name | |
     Assertion Store Properties | |
  4. Click on Save, enabling the Source Site


Destination Site/Service Provider
Web applications participating in SSO are deployed on the WebLogic instance designated as the service provider. The WebLogic instance hosting the web applications is configured as a destination site by the following steps:
  1. Create SAMLIdentityAsserterV2
  2. Importing IdentityAsserter’s Signing Certificate
  3. Creating Asserting Party
  4. Configuring Asserting Party
  5. Enabling SAML 1.1 Destination Site

Create SAMLIdentityAsserterV2
  1. Assuming myrealm is the default security realm, navigate to Security Realms->myrealm
  2. Navigate to Providers->Authentication
  3. Click on Lock & Edit
  4. Click on New
  5. Enter SAMLIdentityAsserterV2 in the Name field
  6. Select SAMLIdentityAsserterV2 for the Type
  7. Click on OK to create a SAMLIdentityAsserterV2
  8. Restart the WebLogic Application Server, as WebLogic requires after adding a provider



Importing IdentityAsserter’s Signing Certificate

An asserting party requires the source site's SSL certificate, so the source site's SSL certificate must be imported. WebLogic accepts certificates with .der or .pem extensions only. Obtain the source site's public certificate (ozonezn.der) and copy it to the Service Provider's host.
  1. Navigate to Security Realms->myrealm->Providers->Authentication
  2. Click on the newly created SAMLIdentityAsserterV2
  3. Navigate to Management-> Certificates
  4. Click on New
  5. Enter values for Alias, and Certificate File Name(ozonezn.der) including the path
  6. Click on Finish
  7. The list of imported certificates, including the newly imported certificate, is displayed.

Creating Asserting Party
  1. Navigate to Management->Asserting Parties
  2. Click on New
  3. Select Browser/POST profile
  4. Enter a description
  5. Click on OK to create a new asserting party



Configuring Asserting Party


  1. Click on the just created asserting party, ap_00001
  2. Enter the asserting party's values based on the table shown below:
     Property | Value | Comments
     Enabled | Checked | Required so that the site can work as a Service Provider
     Description | Good description to identify the asserting party |
     Target URL | https:/// |
     POST Signing Certificate Alias | Certificate alias imported in the previous step | Source site's SSL alias, imported in the previous step
     Source Site Redirect URIs | URIs for which SSO is required | Web applications' URIs participating in the SSO
     Source Site ITS URL | https://<IdentityProvider:port>/samlits_ba/its | Responsible for redirecting the user to the source site for authentication
     Source Site ITS Parameters | |
     Issuer URI | URI as configured in the source site's configuration |
     Audience URI | | Leave blank so that all sites hosted on the destination site can participate in the SSO
     Name Mapper Class | |
     Signature Required | Checked |
     Assertion Signing Certificate Alias | valid alias |
     Process Groups Attribute | Checked |
     Allow Virtual Users | Checked |
  3. Click on Save




Enabling SAML 1.1 Destination Site

  1. Navigate to Environment->Servers->Admin Server
  2. Navigate to Configuration->Federation Services->SAML 1.1 Destination Site
  3. Check Destination Site Enabled


Testing Single Sign On

Try to access a secured page on the destination site. The browser's basic authentication dialog from the source site, requesting the userid/password as shown below, should be displayed:

If the dialog is not displayed, check the settings. WebLogic's SAML debug flags can be used to debug the SAML components.

5 comments:

  1. Hi Ht,

    Thanks for the post, really well explained, brilliant!

    As you have said at the beginning of the article, the host synchronisation is critical! At my setup I am getting the exception: weblogic.security.spi.IdentityAssertionException: [Security:096537]Assertion is not yet valid (NotBefore condition)

    I have synchronised the two hosts (IdP and SP) and I have been playing with the "Default Time To Live Offset:", setting it to 0, -3600, etc...

    Perhaps you have an idea of what it is happening...

    It has happened to me in every distribution of WLS that I have installed, 10.3.4, 10.3.5, 12c...

    Thanks in advance,

    Luis

    1. Luis,

      I hope your problem is resolved. I did not get a chance to work with WebLogic 10.3.4, and 10.3.5.

      I used the WebLogic debugging to figure out the issue. The SAML assertions have the time stamps in plain text. To have the assertion valid for two minutes (+ or -60), we set the offset to -60, and that worked well.


      Thanks

      Hara

  2. Hi Hara,

    Sorry for the delay in the reply.

    Yes, I solved the issue. The solution was to set the "NotBeforeSkew" parameter in the ADFS (IdP)

    Thanks and best regards,

    Luis

  3. Hi HT,

    How did you generate the passphrase?

    Thanks

    Ann

  4. Hi Luis,
    I'm able to login successfully to the wso2 idp but group membership is not being honoured.
    The following is the configuration.

    Wso2 is the IDP
    I have one weblogic server instance acting as an SP
    that server has been set up to use Identity Asserter from an IDP partner which is wso2 running on localhost://9443/sso

    Groups have been set up on wso2 server i.e. POC,Test,admin

    I've added a user 'ann' to the group POC but not to radiologists
    The application is authorizing 'ann' despite the fact that the account is not in the group radiologists

    I'm confused about where to go from here to get the idp to honour the fact that the user must be in the radiologists group
    before reverting the user back as an authorized user to my application

    1 The assertion coming back is showing the group membership but group membership is not specified, it's not in the SAML request, should it be?
    2 The trace messages in the wso2 logs specify that no custom attributes are present.
    3 I'm not sure where the validation occurs on where to redirect the user i.e. should the SAML2 request specify the group membership a user must comply with
    OR does the IDP send it back and it gets resolved by the SP
    4 I would like to know how to resolve this, is it outbound on the request or inbound on the assertion and what implementation is required to achieve this?
    Thanks in advance,

    Ann


    ==============================================
    web.xml
    ==============================================



    Faces Servlet
    javax.faces.webapp.FacesServlet
    1


    Faces Servlet
    /faces/*


    SAML2 Service Provider Applicaiton

    /index.jsp


    GE SSO Proof of Concept Application

    /index.jsp




    RestrictedPages
    /restricted/*
    GET
    POST


    role-test


    NONE
    c




    role-test



    CLIENT-CERT
    myrealm





    ========================================================================================
    weblogic.xml is
    ==========================================================================================


    /wso2_saml2_sp


    role-test
    radiologists




    =======================================================================================
    decoded SAML2 request
    ================================================================================================
    wso2_saml2_sp












    ============================================================================================
    Decoded partial SAML2 Response
    ==========================================================================================

    302e3b646de1">urn:oasis:names:tc:SAML:2.0:ac:classes:Passwordadmin,POC,Internal/everyone
