Configuring Single Sign-On using SAML in WebLogic Server 9.2
SAML Configuration Using the WebLogic Administrative Console
Before starting the SAML configuration, the first few steps create and set up the server environment for the sample applications appA and appB.
Step 1: Create SAML source site and destination site domains and application servers
The sample applications in this tutorial are hosted on two domains on the local host, so the first step is to create the domains and servers running on the ports listed in Table 1.
Domain | Host | Application Server | Application Name | Port | SSL Port
---|---|---|---|---|---
SAML Source Site Domain: domainA | localhost | AdminServer | appA | 7001 | 7002
SAML Destination Site Domain: domainB | localhost | AdminServer | appB | 7003 | 7004
Table 1. Sample application domains and application servers
Create the domains shown in Table 1 using the Domain Configuration Wizard, then set the listen ports and SSL listen ports using the WebLogic Server 9.2 Administration Console.
Step 2: Create users
For simplicity, this tutorial uses the default security realm of each domain; both carry the default realm name, myrealm. Create a user ssouser in each domain separately under myrealm. Alternatively, you could create this user once in an external LDAP store and configure both domains to authenticate against that common store.
The user ssouser created here will authenticate with application appA hosted on domainA, and then access application appB hosted on domainB directly using SSO.
Domain | Realm | User/Password
---|---|---
SAML Source Site Domain: domainA | myrealm | ssouser/demosaml
SAML Destination Site Domain: domainB | myrealm | ssouser/demosaml
Create the user, ssouser, as shown in Table 2, in both domains under the default security realms, each called myrealm.
Step 3: Create and deploy the Java EE Web applications appA and appB
The sample application source code for appA can be downloaded from the Download section. Import the existing Web application into BEA Workshop Studio or another IDE, such as Eclipse.
Application appA is configured to use FORM-based authentication. This application is deployed on the SAML source site domain (domainA). A JSP page of appA called auth.jsp, under the admin folder, requires the authenticated user to have the admin role in order to access it. The admin role is mapped to a principal called ssouser in weblogic.xml. Example 1 shows the security configuration in web.xml.
<display-name>Saml Source Site Application</display-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description>These pages are only accessible by authorized users.</description>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>These are the roles who have access.</description>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<description>This is how the user data must be transmitted.</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myrealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/fail_login.htm</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>These are the roles who have access</description>
<role-name>admin</role-name>
</security-role>
Example 1. Application appA - web.xml snippet
When the user tries to access the /admin/auth.jsp page, the configured login page, login.jsp, is displayed and asks the user for credentials. After the form is submitted, the container authenticates the user ssouser against myrealm. If authentication succeeds, auth.jsp is displayed. Note that the user-data-constraint in Example 1 is NONE, so in this local demo the form credentials travel over plain HTTP on port 7001; for anything beyond a local test, set transport-guarantee to CONFIDENTIAL so that the container forces the login onto the SSL port (7002). Before going on to explore the Web page auth.jsp, I'll create the application appB on the SAML destination site domain (domainB).
The sample application source code for appB can be downloaded from the Download section. Application appB is configured with the CLIENT-CERT auth-method; in WebLogic Server this routes authentication through the identity asserters configured in the realm rather than through a login form, which is what lets the SAML identity assertion provider configured in the steps that follow log the user in from the incoming assertion. This application should be deployed on the SAML destination site domain (domainB). A JSP page of appB, called services.jsp and located in the /admin folder, requires the authenticated user to have the admin role in order to access it. This role is mapped to a principal called ssouser in weblogic.xml. Example 2 shows an excerpt from appB's web.xml configuration:
<display-name>SAML Destination Site Application</display-name>
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description>These pages are only accessible by authorized users.</description>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>These are the roles who have access.</description>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<description>This is how the user data must be transmitted.</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<security-role>
<description>These are the roles who have access.</description>
<role-name>admin</role-name>
</security-role>
Example 2. Application appB - web.xml snippet
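Both descriptors share the same security-constraint, and two of its settings deserve a second look before the WARs are built: transport-guarantee is NONE, and the web-resource-collection names only GET, which under the Servlet 2.4 specification that WebLogic Server 9.2 implements means the role check applies to GET alone, so a POST or HEAD request to /admin/* is not constrained at all. The following Python script is an added example, not code from the article or from the sample applications; it lints descriptors shaped like Examples 1 and 2 (reconstructed inline and wrapped in the web-app root the excerpts omit) for those two settings and produces a hardened copy. The harden() function and the finding messages are this example's own design; the redirect to the SSL listen port that CONFIDENTIAL triggers is standard WebLogic behaviour.

```python
"""Lint the security-constraint settings of Java EE web.xml descriptors.
Added example for this tutorial, not part of the original article or of the
appA/appB sample code; the descriptors below are constructed from Examples 1 and 2."""
import xml.etree.ElementTree as ET

_TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>{login}</login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Constructed from Example 1 (appA, FORM) and Example 2 (appB, CLIENT-CERT).
APPA_WEB_XML = _TEMPLATE.format(
    login="<auth-method>FORM</auth-method><realm-name>myrealm</realm-name>"
          "<form-login-config><form-login-page>/login.jsp</form-login-page>"
          "<form-error-page>/fail_login.htm</form-error-page></form-login-config>")
APPB_WEB_XML = _TEMPLATE.format(
    login="<auth-method>CLIENT-CERT</auth-method><realm-name>myrealm</realm-name>")

def _strip_ns(root):
    # Real descriptors declare xmlns="http://java.sun.com/xml/ns/j2ee"; drop it
    # so the plain tag lookups below work on them as well as on the excerpts.
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root

def _text(el, path, default=""):
    child = el.find(path) if el is not None else None
    return child.text.strip() if child is not None and child.text else default

def lint_web_xml(xml_text: str) -> list:
    """Return (url-pattern, issue) pairs for each protected pattern:
    1. transport-guarantee other than CONFIDENTIAL: FORM credentials (appA) or
       the SAML assertion (appB) are accepted over plain HTTP;
    2. <http-method> present: under Servlet 2.4 the constraint covers ONLY the
       listed methods, so a POST or HEAD to /admin/* bypasses the role check."""
    root = _strip_ns(ET.fromstring(xml_text))
    auth_method = _text(root.find("login-config"), "auth-method", "unknown")
    findings = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no role requirement, nothing to bypass
        guarantee = _text(sc, "user-data-constraint/transport-guarantee", "NONE")
        for wrc in sc.findall("web-resource-collection"):
            methods = [(m.text or "").strip() for m in wrc.findall("http-method")]
            for pat in wrc.findall("url-pattern"):
                if guarantee != "CONFIDENTIAL":
                    findings.append((pat.text.strip(),
                        f"transport-guarantee is {guarantee}; {auth_method} "
                        "authentication is accepted over plain HTTP"))
                if methods:
                    findings.append((pat.text.strip(),
                        f"constraint limited to {','.join(methods)}; other HTTP "
                        "methods bypass the auth-constraint"))
    return findings

def harden(xml_text: str) -> str:
    """Drop every http-method (constraint then covers all methods) and set
    transport-guarantee to CONFIDENTIAL (WebLogic redirects to the SSL port).
    Namespace declarations are not preserved in the returned text."""
    root = _strip_ns(ET.fromstring(xml_text))
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue
        for wrc in sc.findall("web-resource-collection"):
            for m in wrc.findall("http-method"):
                wrc.remove(m)
        udc = sc.find("user-data-constraint")
        if udc is None:
            udc = ET.SubElement(sc, "user-data-constraint")
        tg = udc.find("transport-guarantee")
        if tg is None:
            tg = ET.SubElement(udc, "transport-guarantee")
        tg.text = "CONFIDENTIAL"
    return ET.tostring(root, encoding="unicode")

def lint_sample_apps() -> dict:
    """Lint both constructed descriptors: {app: [issue, ...]}."""
    return {app: [issue for _, issue in lint_web_xml(xml)]
            for app, xml in (("appA", APPA_WEB_XML), ("appB", APPB_WEB_XML))}

if __name__ == "__main__":
    for app, issues in lint_sample_apps().items():
        print(app)
        for issue in issues:
            print("  -", issue)
    print("appA after harden():", lint_web_xml(harden(APPA_WEB_XML)))
```

Run against the two constructed descriptors, each reports two findings (plain-HTTP transport and the GET-only constraint); after harden() the same linter reports none. To check a real deployment, point lint_web_xml at the WEB-INF/web.xml extracted from appA.war and appB.war before copying them to the autodeploy folders.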
Compile and build the WAR files (appA.war and appB.war) for each application. To deploy, copy appA.war and appB.war into the autodeploy folders of the domainA and domainB domains respectively. Restart the application servers and test to see how the applications behave without SSO.
When the SAML configuration has been completed, as described in the steps to follow, the user ssouser, authenticated at appA (SAML source site), will be able to access the services.jsp page of appB (SAML destination site) directly, without being asked to supply credentials again.