Configuring Single Sign-On using SAML in WebLogic Server 9.2
Step 7: Configure SAML on the source site
In this step I'll configure the federation services source site settings for the server instance running the application appA. These settings enable the server instances in domainA to act as a SAML source site, define the source site URL and service URIs, register the certificate used to sign assertions, and require SSL for the intersite transfer and assertion retrieval services.
- In the administration console, in the Domain Structure window, select Environment and then Servers.
- Select AdminServer, and then in the Settings for AdminServer page click the Federation Services tab and then the SAML 1.1 Source Site tab, as shown in Figure 6.
Figure 6. Source site configuration
- Set the source site values, as listed in Table 4.
Parameter | Value |
---|---|
Source Site Enabled | Select the checkbox (true) |
Source Site URL | http://localhost:7001/appA |
Signing Key Alias | testalias |
Signing Key Passphrase | testkeypass |
Intersite Transfer URIs | /samlits_cc/its (keep the other values) |
ITS Requires SSL | Select the checkbox (true) |
Assertion Retrieval URIs | /samlars/ars |
ARS Requires SSL | Select the checkbox (true) |
Table 4. Source Site Values
Step 8: Configure domainB, acting as a SAML destination site
I'm ready to begin the SAML destination site configuration. In this step I'll create and configure a SAML Identity Assertion Provider V2 instance. The SAML Identity Assertion provider acts as a consumer of SAML security assertions, allowing WebLogic Server to act as a destination site for using SAML for single sign-on. The SAML Identity Assertion provider validates SAML assertions by checking the signature and validating the certificate for trust in the certificate registry maintained by the provider. The first thing I need to do here is to create a SAML Identity Assertion Provider V2 instance and import the certificate generated in step 4 into the provider's certificate registry.
Import the certificate:
- Copy the key file (testalias.der) that you generated previously to the D:\bea\weblogic92\server\lib directory.
- Log in to the WebLogic Server Administration Console on domainB.
- Select a security realm, myrealm.
- Select the Providers tab, and then select the Authentication tab.
- If a SAMLIdentityAsserter doesn't exist, then create a new SAMLIdentityAsserter, as shown in Figure 7. An identity asserter allows WebLogic Server to establish trust by validating a user.
- Select SAMLIdentityAsserter, click the Management tab, and then click Certificates.
- In the Certificates dialog, click New, as shown in Figure 8.
- In the Alias field, enter a name for the certificate. Good practice is to use the same name you used when you created the certificate.
- Enter the path to the certificate file in the Certificate File Name field.
- Click Finish. If there are no problems, the message "The certificate has been successfully registered." is displayed.
Figure 7. Create a new Identity asserter
Figure 8. Create a new identity asserter certificate
Step 9: Configure asserting party properties
In this step I'll create and configure an asserting party. When you configure WebLogic Server to act as a consumer of SAML security assertions, you need to register the parties whose SAML assertions will be accepted. For a SAML asserting party, you can specify the SAML profile used, details about the asserting party, and the attributes expected in assertions received from the asserting party.
The asserting party asserts that a user has been authenticated and has the associated attributes. For example, there is a user ssouser, and he or she is authenticated to this domain using a password mechanism. Asserting parties are also known as SAML authorities.
- On the Management tab, click Asserting Parties.
- In the Asserting Parties table, click New.
- In the Profile pull-down menu, select Browser/POST. In the Description field, enter the name demoSAML to identify the asserting party, as shown in Figure 9.
- Set the asserting party values, as listed in Table 5.
Figure 9. Create a new asserting party
Parameter | Value |
---|---|
Enabled | Select the checkbox (true) |
Target URL | http://localhost:7001/appA |
POST Signing Certificate Alias | testalias |
Source Site Redirect URIs | /appB/admin/services.jsp |
Source Site ITS URL | https://localhost:7002/samlits_ba/its |
Source Site ITS Parameters | RPID=rp_00001 |
Issuer URI | http://www.bea.com/demoSAML |
Signature Required | Select the checkbox (true) |
Assertion Signing Certificate Alias | testalias |
Table 5. Asserting Party (ap_00001) Values
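The source site settings in Table 4, the certificate registered in Step 8 and the asserting party in Table 5 only work as a pair when they agree: the ITS URL the destination redirects to must be one of the source site's Intersite Transfer URIs over https (since ITS Requires SSL is set), the certificate aliases named in the asserting party must exist in the identity asserter's certificate registry, and Signature Required must stay on. The script below is an added example, not part of the article or of WebLogic; it models the two tables as plain dictionaries (the key names are descriptive names chosen here, not WebLogic MBean attribute names), cross-checks them, and then shows the findings for a weakened copy with SSL and signature checking switched off. The extra entry /samlits_ba/its in the Intersite Transfer URIs list stands in for the "other values" the article says to keep and is an assumption.

```python
"""Cross-check SAML 1.1 source-site settings against the destination's
asserting-party settings (added example, not code from the article)."""
from urllib.parse import urlsplit

# Table 4 values, constructed test data. "/samlits_ba/its" is assumed to be
# among the default Intersite Transfer URIs the article says to keep.
SOURCE_SITE = {
    "source_site_enabled": True,
    "source_site_url": "http://localhost:7001/appA",
    "signing_key_alias": "testalias",
    "intersite_transfer_uris": ["/samlits_ba/its", "/samlits_cc/its"],
    "its_requires_ssl": True,
    "assertion_retrieval_uris": ["/samlars/ars"],
    "ars_requires_ssl": True,
}

# Step 8: aliases registered in the SAMLIdentityAsserter certificate registry.
REGISTERED_CERT_ALIASES = {"testalias"}

# Table 5 values for asserting party ap_00001, constructed test data.
ASSERTING_PARTY = {
    "enabled": True,
    "profile": "Browser/POST",
    "target_url": "http://localhost:7001/appA",
    "post_signing_cert_alias": "testalias",
    "source_site_redirect_uris": ["/appB/admin/services.jsp"],
    "source_site_its_url": "https://localhost:7002/samlits_ba/its",
    "source_site_its_params": "RPID=rp_00001",
    "issuer_uri": "http://www.bea.com/demoSAML",
    "signature_required": True,
    "assertion_signing_cert_alias": "testalias",
}


def check_pairing(source, party, registered_aliases):
    """Return a list of findings; an empty list means the two sides agree and
    every transport and signature control the article enables is on."""
    findings = []
    if not source["source_site_enabled"]:
        findings.append("source site is disabled; domainA will not issue assertions")
    if not party["enabled"]:
        findings.append("asserting party is disabled; domainB will reject its assertions")

    # Transport: ITS and ARS must require SSL, and the ITS URL the destination
    # redirects the browser to must be https and one of the source's ITS URIs.
    its = urlsplit(party["source_site_its_url"])
    if not source["its_requires_ssl"]:
        findings.append("ITS Requires SSL is unchecked: intersite transfer would run over plain HTTP")
    if its.scheme != "https":
        findings.append(f"Source Site ITS URL uses {its.scheme}, not https")
    if its.path not in source["intersite_transfer_uris"]:
        findings.append(f"ITS path {its.path} is not one of the source site's Intersite Transfer URIs")
    if not source["ars_requires_ssl"]:
        findings.append("ARS Requires SSL is unchecked")

    # Signature: assertions must be signed, and the aliases the asserting party
    # names must point at certificates registered in Step 8.
    if not party["signature_required"]:
        findings.append("Signature Required is unchecked: unsigned assertions would be accepted")
    for key in ("post_signing_cert_alias", "assertion_signing_cert_alias"):
        if party[key] not in registered_aliases:
            findings.append(f"{key} '{party[key]}' is not in the identity asserter's certificate registry")

    # ITS parameters must be name=value pairs carrying the RPID from Table 5.
    params = dict(p.split("=", 1) for p in party["source_site_its_params"].split("&") if "=" in p)
    if "RPID" not in params:
        findings.append("Source Site ITS Parameters do not carry an RPID")
    return findings


def weakened_party():
    """Same pair with SSL and signature checking switched off, to show what the
    checker reports for a misconfigured destination site."""
    source = dict(SOURCE_SITE, its_requires_ssl=False)
    party = dict(ASSERTING_PARTY,
                 source_site_its_url="http://localhost:7001/samlits_ba/its",
                 signature_required=False)
    return check_pairing(source, party, REGISTERED_CERT_ALIASES)


if __name__ == "__main__":
    ok = check_pairing(SOURCE_SITE, ASSERTING_PARTY, REGISTERED_CERT_ALIASES)
    print("article settings:", ok or "no findings")
    for finding in weakened_party():
        print("weakened settings:", finding)
```

Run against the article's values the checker reports nothing; the weakened copy produces three findings (plain-http ITS URL, ITS Requires SSL off, Signature Required off), which are the settings a reviewer of a destination-site configuration should look at first.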