Configuring Single Sign-On using SAML in WebLogic Server 9.2

Step 7: Configure SAML on the source site

In this step I'll configure the federation services source site settings for the server instance running the application appA. These settings enable server instances in domainA to act as a SAML source site, define the source site URL and service URIs, register the certificate used to sign assertions, and require SSL for the intersite transfer and assertion retrieval services.

  1. In the Administration Console, in the Domain Structure window, select Environment and then Servers.
  2. Select AdminServer, and in the Settings for AdminServer page click the Federation Services tab and then the SAML 1.1 Source Site subtab, as shown in Figure 6.

Figure 6. Source site configuration

  3. Set the source site values, as listed in Table 4.

Parameter                  Value
Source Site Enabled        Select the checkbox (true)
Source Site URL            http://localhost:7001/appA
Signing Key Alias          testalias
Signing Key Passphrase     testkeypass
Intersite Transfer URIs    /samlits_cc/its (keep the other values)
ITS Requires SSL           Select the checkbox (true)
Assertion Retrieval URIs   /samlars/ars
ARS Requires SSL           Select the checkbox (true)

Table 4. Source Site Values

Step 8: Configure domainB, acting as a SAML destination site

I'm ready to begin the SAML destination site configuration. In this step I'll create and configure a SAML Identity Assertion Provider V2 instance. The SAML Identity Assertion provider acts as a consumer of SAML security assertions, allowing WebLogic Server to act as a destination site for using SAML for single sign-on. The SAML Identity Assertion provider validates SAML assertions by checking the signature and validating the certificate for trust in the certificate registry maintained by the provider. The first thing I need to do here is to create a SAML Identity Assertion Provider V2 instance and import the certificate generated in step 4 into the provider's certificate registry.

Import the certificate:

  1. Copy the certificate file (testalias.der) that you generated previously to the D:\bea\weblogic92\server\lib directory.
  2. Log in to the WebLogic Server Administration Console on domainB.
  3. Select a security realm, myrealm.
  4. Select the Providers tab, and then select the Authentication tab.
  5. If a SAMLIdentityAsserter doesn't exist, create a new SAMLIdentityAsserter, as shown in Figure 7. An identity asserter allows WebLogic Server to establish trust by validating a user.

Figure 7. Create a new identity asserter

  6. Select SAMLIdentityAsserter, click the Management tab, and then click Certificates.
  7. In the Certificates dialog, click New, as shown in Figure 8.

Figure 8. Create a new identity asserter certificate

  8. In the Alias field, enter a name for the certificate. Good practice is to use the same name you used when you created the certificate.
  9. Enter the path to the certificate file in the Certificate File Name field.
  10. Click Finish. If there are no problems, the message "The certificate has been successfully registered." is displayed.

Step 9: Configure asserting party properties

In this step I'll create and configure an asserting party. When you configure WebLogic Server to act as a consumer of SAML security assertions, you need to register the parties whose SAML assertions will be accepted. For a SAML asserting party, you can specify the SAML profile used, details about the asserting party, and the attributes expected in assertions received from the asserting party.

The asserting party asserts that a user has been authenticated and given associated attributes. For example, there is a user ssouser, and he/she is authenticated to this domain using a password mechanism. Asserting parties are also known as SAML authorities.

  1. On the Management tab, click Asserting Parties.
  2. In the Asserting Parties table, click New.
  3. In the Profile pull-down menu, select Browser/POST. In the Description field, enter the name demoSAML to identify the asserting party, as shown in Figure 9.

Figure 9. Create a new asserting party

  4. Set the asserting party values, as listed in Table 5.
Parameter                           Value
Enabled                             Select the checkbox (true)
Target URL                          http://localhost:7001/appA
POST Signing Certificate Alias      testalias
Source Site Redirect URIs           /appB/admin/services.jsp
Source Site ITS URL                 https://localhost:7002/samlits_ba/its
Source Site ITS Parameters          RPID=rp_00001
Issuer URI                          http://www.bea.com/demoSAML
Signature Required                  Select the checkbox (true)
Assertion Signing Certificate Alias testalias

Table 5. Asserting Party (ap_00001) Values
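The source site (Table 4), the certificate registry (Step 8) and the asserting party (Table 5) have to agree with each other, and a mismatch surfaces only as a rejected assertion at runtime. The following Python cross-check is an added example, not part of the original article or of WebLogic: it transcribes the values from the tables into plain dictionaries and flags the pairings that would break or weaken the exchange. The full list of intersite transfer URIs is an assumption (the article only says to keep the other values).

```python
from urllib.parse import urlparse

# Constructed from Table 4 (domainA source site). The two extra ITS URIs
# are an assumption standing in for "keep the other values".
SOURCE_SITE = {
    "SourceSiteEnabled": True,
    "SigningKeyAlias": "testalias",
    "IntersiteTransferURIs": ["/samlits_ba/its", "/samlits_cc/its", "/samlits/its"],
    "ITSRequiresSSL": True,
}
# Alias registered in the identity asserter's certificate registry (Step 8).
REGISTERED_CERTS = {"testalias"}
# Constructed from Table 5 (domainB asserting party ap_00001).
ASSERTING_PARTY = {
    "Enabled": True,
    "Profile": "Browser/POST",
    "PostSigningCertificateAlias": "testalias",
    "SourceSiteITSURL": "https://localhost:7002/samlits_ba/its",
    "SignatureRequired": True,
    "AssertionSigningCertificateAlias": "testalias",
}

def check_pairing(source, party, registered_certs):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    if not (source["SourceSiteEnabled"] and party["Enabled"]):
        findings.append("source site or asserting party is disabled")
    its = urlparse(party["SourceSiteITSURL"])
    # The destination redirects the browser to this ITS URL; if the source
    # demands SSL for its ITS, a plain http URL is refused there.
    if source["ITSRequiresSSL"] and its.scheme != "https":
        findings.append("ITS Requires SSL is set but Source Site ITS URL is not https")
    if its.path not in source["IntersiteTransferURIs"]:
        findings.append(f"ITS path {its.path} is not one of the source's Intersite Transfer URIs")
    # Browser/POST carries the assertion through the browser, so signature
    # enforcement is the only thing binding it to the source site.
    if party["Profile"] == "Browser/POST" and not party["SignatureRequired"]:
        findings.append("Browser/POST profile configured without Signature Required")
    # Each alias the party names must exist in the asserter's certificate registry.
    for key in ("PostSigningCertificateAlias", "AssertionSigningCertificateAlias"):
        if party[key] not in registered_certs:
            findings.append(f"{key} '{party[key]}' is not registered with the identity asserter")
    return findings

if __name__ == "__main__":
    for line in check_pairing(SOURCE_SITE, ASSERTING_PARTY, REGISTERED_CERTS) or ["consistent"]:
        print(line)
```

Running it against the article's values prints "consistent"; changing the ITS URL to http or clearing Signature Required produces the corresponding finding.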