Summary
Since OpenAM (previously OpenSSO) and WebLogic Application Server 10.x both support SAML 2.0, Single Sign On can be implemented using SAML 2.0. A simple prototype was developed, and Single Sign On was implemented relatively easily.
Architecture
OpenAM was deployed on Tomcat 6.0.20. A basic secured J2EE application using form login and role-based authorization was deployed in WebLogic Application Server. A Circle of Trust was configured in OpenAM, with OpenAM on Tomcat as the Identity Asserter and WebLogic Application Server as the Service Provider. On the WebLogic side, a SAML2IdentityAsserter was configured in the realm -> security -> providers tab for authentication.
SAML2IdentityAsserterNameMapper
A Name Mapper is required to decrypt the userid received from the Identity Asserter and hand authorization over to WebLogic Application Server. The OpenAM documentation covers only OpenAM's side of the Circle of Trust and does not mention WebLogic Application Server at all, while the WebLogic documentation is spread across multiple documents, which makes it difficult to locate the relevant information. Configuring the Name Mapper was challenging, as the debug and error messages were unhelpful at best.
WebLogic requires that the Name Mapper class implement the interface SAML2IdentityAsserterNameMapper. Accordingly, a single class implementing that interface was created. The interface consists of a single method, and the implementation is shown below:
import weblogic.security.providers.saml.SAML2IdentityAsserterNameMapper;
import weblogic.security.providers.saml.SAML2NameMapperInfo;
import weblogic.security.service.ContextHandler;

public class SimpleNameMapper implements SAML2IdentityAsserterNameMapper { // class name not given in the post
    @Override
    public String mapNameInfo(SAML2NameMapperInfo saml2NameMapperInfo, ContextHandler arg1) {
        String user = saml2NameMapperInfo.getName(); // NameID carried in the SAML assertion
        System.out.println(user);                    // debug output only
        return user;                                 // becomes the WebLogic username
    }
}
That provided the userid in plain text, which WebLogic Application Server could then use for authorization.
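The mapper above accepts whatever NameID the assertion carries. As an added example (not code from the post or from WebLogic), the following is a stricter mapper that a defender would prefer: it rejects assertions whose NameID format is not the one the OpenAM side is expected to emit, normalizes the name and checks it against the shape of a local WebLogic username, and logs rejections through java.util.logging rather than printing the raw value. The class name StrictSaml2NameMapper, the LOCAL_USER pattern and the EXPECTED_FORMAT value are assumptions; it also assumes that SAML2NameMapperInfo exposes getFormat() alongside getName(), and that returning null from mapNameInfo makes WebLogic fail the identity assertion.

```java
import java.util.Locale;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import weblogic.security.providers.saml.SAML2IdentityAsserterNameMapper;
import weblogic.security.providers.saml.SAML2NameMapperInfo;
import weblogic.security.service.ContextHandler;

// Hypothetical hardened name mapper; added example, not the post's own code.
public class StrictSaml2NameMapper implements SAML2IdentityAsserterNameMapper {

    private static final Logger LOG = Logger.getLogger(StrictSaml2NameMapper.class.getName());

    // Shape of an acceptable local username (assumption for this example).
    private static final Pattern LOCAL_USER = Pattern.compile("^[a-z][a-z0-9._-]{0,63}$");

    // Standard SAML NameID format value; assumed to be what the OpenAM side is configured to emit.
    private static final String EXPECTED_FORMAT =
            "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    @Override
    public String mapNameInfo(SAML2NameMapperInfo info, ContextHandler handler) {
        String mapped = mapName(info.getName(), info.getFormat());
        if (mapped == null) {
            // Log the format, not the untrusted name value itself.
            LOG.warning("SAML NameID rejected by name mapper (format=" + info.getFormat() + ")");
        }
        // Returning null is assumed to make WebLogic reject the assertion.
        return mapped;
    }

    // Pure mapping rule, kept separate so it can be exercised without a WebLogic runtime.
    static String mapName(String name, String format) {
        if (name == null || format == null) {
            return null;
        }
        if (!EXPECTED_FORMAT.equals(format)) {
            return null;
        }
        String candidate = name.trim().toLowerCase(Locale.ROOT);
        if (!LOCAL_USER.matcher(candidate).matches()) {
            return null;
        }
        return candidate;
    }
}
```

Because the mapping rule lives in a static helper, it can be checked with a plain unit test before the jar is placed on WebLogic's classpath, which avoids a round of the unhelpful console messages described below.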
Jar File Location
While developing the code was a no-brainer given the clear documentation, deploying the jar file in the correct location was a little challenging. Copying the jar file into various locations produced only unhelpful error messages. After digging deep into the WebLogic documentation, it turned out that the jar file must be on WebLogic's system classpath, so the file <WL_HOME>\common\bin\commEnv.cmd was modified to include the location of the jar file in the environment. This enabled WebLogic to find the Name Mapper class, so that it could be specified while configuring the Identity Asserter.
Incorrect Location of Jar File, and Error Messages
For any other location, the error messages in the console and log files were: