Configuring Single Sign-On using SAML in WebLogic Server 9.2
Pages: 1, 2, 3, 4, 5

SAML Configuration Using the WebLogic Administrative Console

Before starting the SAML configuration, in the first few steps you'll create and set up the server environment for the sample applications appA and appB.

Step 1: Create SAML source site and destination site domains and application servers

The sample applications in this tutorial are hosted on two domains on the local host, so the first step is to create the domains and servers running on given ports, as listed below in Table 1.

  Host Application Server Application Name Port SSL Port
SAML Source Site Domain: domainA localhost AdminServer appA 7001 7002
SAML Destination Site Domain: domainB localhost AdminServer appB 7003 7004

Table 1. Sample application domains and application servers

Create domains, as shown in Table 1, using the Domain Configuration Wizard. Update the appropriate listen ports using the WebLogic Server 9.2 Administration Console.

Step 2: Create users

For simplicity, this tutorial uses the default security realms on each domain, each named with the same default realm name, that is, myrealm. Create a user ssouser in each domain separately under the myrealm realm. Alternatively, you could create this user in a centralized external LDAP store and configure both domains to use this common store for authentication.

The user ssouser created here will authenticate with application appA hosted on domainA, and then access application appB hosted on domainB directly using SSO.

  Realm User/Password
SAML Source Site Domain: domainA myrealm ssouser/demosaml
SAML Destination Site Domain: domainB myrealm ssouser/demosaml

Table 2. The user participating in single sign-on

Create the user, ssouser, as shown in Table 2, in both domains under the default security realms, each called myrealm.

Step 3: Create and deploy the Java EE Web applications appA and appB

The sample application source code for appA can be downloaded here. Import the existing Web application into WebLogic WorkShop Studio or any other IDE, such as Eclipse.

Application appA is configured to use FORM-based authentication. This application is deployed on the SAML source site domain ( domainA). A JSP page of appA called auth.jsp, under the admin folder, requires the authenticated user to have an admin role in order to access it. The admin role is mapped to a principal called ssouser in weblogic.xml. Figure 2 shows the configuration of the security in web.xml.

<display-name>Saml Source Site Application</display-name>

<security-constraint>

        <web-resource-collection>

                <web-resource-name>SecurePages</web-resource-name>

                <description>These pages are only accessible by authorized users.</description>

                <url-pattern>/admin/*</url-pattern>

                <http-method>GET</http-method>

        </web-resource-collection>

        <auth-constraint>

                <description>These are the roles who have access.</description>

                <role-name>admin</role-name>

        </auth-constraint>

        <user-data-constraint>

                <description>This is how the user data must be transmitted.</description>

                <transport-guarantee>NONE</transport-guarantee>

        </user-data-constraint>

</security-constraint>

<login-config>

        <auth-method>
                        
FORM</auth-method>

        <realm-name>myrealm</realm-name>

        <form-login-config>

                <form-login-page>/login.jsp</form-login-page>

                <form-error-page>/fail_login.htm</form-error-page>

        </form-login-config>

</login-config>

<security-role>

        <description>These are the roles who have access</description>

        <role-name>admin</role-name>

</security-role>
                      

Example 1. Application appA - web.xml snippet

When the user tries to access the /admin/auth.jsp page, a configured login page, login.jsp, will be displayed, asking the user to supply credentials. After submitting the details, the container will authenticate the user ssouser. If authentication is successful, the auth.jsp will be displayed. Before going on to explore the Web page auth.jsp, I'll create the application appB on the SAML destination site domain ( domainB).

Sample application source code for appB can be downloaded from the Download section. Application appB is configured to use CLIENT-CERT, so that it will use identity assertion for authentication. This application should be deployed on the SAML destination site domain ( domainB). A JSP page of appB, called services.jsp and located in the /admin folder, requires the authenticated user to have the admin role in order to access it. This role is mapped to a principal called ssouser in weblogic.xml. Figure 3 shows an excerpt from appB's web.xml configuration:

<display-name>SAML Destination Site Application</display-name>

 <!-- ... -->

<security-constraint>

        <web-resource-collection>

                <web-resource-name>SecurePages</web-resource-name>

                <description>These pages are only accessible by authorized users.</description>

                <url-pattern>/admin/*</url-pattern>

                <http-method>GET</http-method>

        </web-resource-collection>

        <auth-constraint>

                <description>These are the roles who have access.</description>

                <role-name>admin</role-name>

        </auth-constraint>

        <user-data-constraint>

                <description>This is how the user data must be transmitted.</description>

                <transport-guarantee>NONE</transport-guarantee>

        </user-data-constraint>

</security-constraint>

<login-config>

        <auth-method>
                        
CLIENT-CERT</auth-method>

        <realm-name>myrealm</realm-name>

</login-config>

<security-role>

        <description>These are the roles who have access.</description>

        <role-name>admin</role-name>

</security-role>

                      

Example 2. Application appB - web.xml snippet

Compile and build the WAR files ( appA.war,appB.war) for each application. To deploy, copy appA.war and appB.war files into the autodeploy folders of the domainA and domainB domains respectively. Restart the application servers and test to see how the applications behave without SSO.

When the SAML configuration has been completed, as described in the steps to follow, the user ssouser, authenticated at appA (SAML source site), will be able to directly access the services.jsp page of appB (SAML destination site) without being asked to supply the credentials again.

Pages: 1, 2, 3, 4, 5

Next Page »