Oracle Identity Cloud Service: Integrating with Weblogic Server


Options



Before You Begin

Purpose

In this tutorial, you learn to integrate Oracle Identity Cloud Service with WebLogic Server using SAML 2.0, so cloud users can access applications hosted on WebLogic Server without having to log in again (Federated Single Sign-On).

This tutorial is based on this article posted by Paulo Albuquerque.

Time to Complete

90 minutes

Background & Scope

In this tutorial, you implement Federated SSO between Oracle Identity Cloud Service and Employee Dashboard, a web application hosted Weblogic Server. The integration is based on SAML 2.0, an XML-based Federated SSO protocol popularly adopted by enterprise solutions such as WebLogic Server.

The integration is described as follows:

Conceptual illustration of the integration. Description within the tutorial.
Description of this image

In this integration:

  • End-users can access applications hosted on a WebLogic using their Identity Cloud credentials.
  • Oracle Identity Cloud Service acts as SAML Identity Provider (IdP), providing federated SSO for applications hosted on Weblogic.
  • WebLogic Server acts as SAML Service Provider (SP), and trusts the authentication provided by Identity Cloud Service.
  • WebLogic Server enforces the authorization using the group information provided by Identity Cloud Service as part of the federation.

Tip: Oracle Identity Cloud Service also supports Federated SSO and Authorization via OpenID Connect and OAuth 2.0 standards. These standards are typically used by modern cloud applications. To explore this integration, try the Integrating a Custom Client Application tutorial.

What Do You Need?

  • Experience with Java development and WebLogic Administration.
  • Netbeans IDE 8.1 (bundle All or Java EE).
    • Tip: To learn more about how to install Netbeans 8.1, visit the official documentation.
  • Access to Oracle Identity Cloud Service with authorization to manage applications.
    • (Identity Domain Administrator, Security Administrator, or Application Administrator).
  • A WebLogic Server domain with SSL enabled and a public URL.
    • Note: for this tutorial, we are using WebLogic Server 12cR2 (12.2.1.2) with its default configuration (key store, security realm, and embedded LDAP).

  • Clone or Download the idm-samples repository on GitHub:

    View idm-samples on GitHub

    Important: The Employee Dashboard (edashboard) is provided “AS IS” with no express or implied warranty for accuracy or accessibility. The sample code is used solely for educational purposes and does not represent, by any means, the recommended approach nor is it intended to be used in development or productions environments.

Deploying Employee Dashboard

In this task, you deploy the Employee Dashboard (sample code), a Java web application (JAAS/JAZN) that will be used to demonstrate the Federated SSO integration.

Important Notes:

  • Make sure cloned or downloaded the idm-samples repository before starting this section:

    View idm-samples on GitHub

    Important: The Employee Dashboard (edashboard) is provided “AS IS” with no express or implied warranty for accuracy or accessibility. The sample code is used solely for educational purposes and does not represent, by any means, the recommended approach nor is it intended to be used in development or productions environments.

Build edashboard

  1. Access Netbeans and click File > Open Project.
  2. Navigate to the folder where you cloned/downloaded the idm-samples repository. Select the edashboard folder, and then click Open Project.
  3. Right-click edashboard, and then click Build.
    4. edashboard application in Netbeans, right-clicked and with mouse over Build.
    Description of this image
  4. In the Output window, confirm that the message BUILD SUCCESSFUL is displayed.
  5. Navigate to the folder where you cloned the idm-samples repository, and then go to edashboard > dist, and confirm that the file edashboard.war exists.
    6. edashboard.war file displayed in windows explorer with the idm-samples/edashboard/dist folders highlighted.
    Description of this image

Deploy edashboard

In this task, you deploy the Employee Dashboard in WebLogic.

Tips: For this tutorial, we are deploying the application in the managed server mserver1, which has SSL enabled and is exposed in the URL https://admin1.example.com:7502/. Please change the managed server and its URL according to your environment.
  1. Launch the WebLogic Administration console and log in as administrator (for example, weblogic).
  2. Click Lock & Edit.
  3. Under Domain Structure, click Deployments.
  4. Click Install.
  5. Click Upload your file(s).
  6. Click Choose File next to Deployment Archive.
  7. Open the edashboard.war file.
  8. Click Next.
  9. Confirm that edashboard.war is selected and then click Next.
  10. Click Next.
  11. Select the cluster or managed server where edashboard will run (for example, mserver1), and then click Next.
  12. Click Finish.

    13. Weblogic will display the message "The deployment has been successfully installed".

  13. Click Activate Changes.

    14. WebLogic displays a confirmation message. If the message indicates that a server needs to be restarted, restart the WebLogic Server Domain.

  14. Under Domain Structure, click Deployments. In Summary of Deployments, click Control.
  15. Select edashboard and then click Start > Servicing all requests.
  16. Click Yes.
  17. Launch a new browser window and launch the edashboard application URL (For example, https://admin1.example.com:7502/edashboard).
  18. In the login prompt, enter the weblogic administrator credentials (for example, weblogic).
  19. After a successful login, edashboard will return the message "Authorization Error!".
    20. edashboard application with the Authorization Error message displayed.
    Description of this image
    Tip:
    • The edashboard app is configured to display pages only for users that are assigned to the employee, manager, or the security groups. Because your WebLogic domain does not have any of these groups in its identity store, none of your users will be able to get a successful authorization.
    • In the next steps, you integrate your WebLogic Domain with Identity Cloud Service. The configuration includes creating the groups expected by edashboard in Identity Cloud Service.
    • During runtime, Oracle Identity Cloud Service will pass the user membership information to WebLogic as part of the federated SSO. This information will be used by edashboard to apply the authorization constraints.
    • If you want to test how edashboard operates without the Identity Cloud Service integration, you can manually create the employee, manager, and security groups, as well as users associated with those groups in your WebLogic security realm.

You are ready to integrate Oracle Identity Cloud Service with WebLogic.

Enabling SAML in Weblogic

In this section, you enable the support to SAML in your WebLogic Server Domain.

Configure the WebLogic security realm

  1. Access the WebLogic Server Console as administrator (for example, weblogic).
  2. Click Lock & Edit.
  3. Click Security Realm.
  4. Click myrealm.
  5. Click Providers, and then click New.
  6. Enter SAML2IdentityAsserter as Name, select SAML2IdentityAsserter as Type, and then click OK.
    7. The SAML2IdentityAsserter is displayed under the Authentication Providers table.
  7. On the Providers page, click New.
  8. Enter SAMLAuthenticator as Name, select SAMLAuthenticator as Type, and then click OK.
    9. The SAMLAuthenticator is displayed under the Authentication Providers table.
  9. Click Reorder.
  10. Select and reorder the providers in the following order.
    1. SAML2IdentityAsserter
    2. SAMLAuthenticator
    3. DefaultAuthenticator
    4. DefaultIdentityAsserter
  11. Click OK.
    12. WebLogic Console. Identity Providers reordered with mouse over the OK button.
    Description of this image
  12. Click SAMLAuthenticator.
  13. Select OPTIONAL as Control Flag and then click Save.
  14. Return to the Providers page.
  15. Click DefaultAuthenticator.
  16. Select SUFFICIENT as Control Flag and then click Save.
  17. Click Activate Changes.
  18. Restart the domain.

Configure the SAML Service Provider Settings

  1. Access the WebLogic Server Console as administrator.
  2. Click Lock & Edit.
  3. Click Environment > Servers.
  4. Click the manager server that's hosting edashboard (for example, mserver1).
  5. Click Federation Services > SAML 2.0 General.

    6. Tip: You can use this page to define the Site Information and additional settings for the SAML assertion, plus generate the service provider metadata file.

    mserver1 settings menu. Federation Services and SAML 2.0 General options highlighted.
    Description of this image
  6. Modify the General settings as follows, replacing the information according to your company and server.
    7. SAML Settings - Sample Values for General Settings
    Attribute Sample Value
    Contact Person Given Name System
    Contact Person Surname Administrator
    Contact Person Type administrative
    Contact Person Company Example
    Contact Person Telephone Number 12345678901
    Contact Person Email Address admin@example.com
    Organization Name Example
    Organization URL https://www.example.com
    Published Site URL https://admin1.example.com:7502/saml2
    Entity ID wlsentity
    Tip: You can enter any identification value, as long it's unique in Identity Cloud Service and in your Weblogic Domain.
    Recipient Check Enabled Deselected
  7. Click Save.
    8. SAML General settings screenshot with mouse over Save button.
    Description of this image
  8. Click SAML 2.0 Service Provider.
  9. Select Enabled, select POST as Preferred Binding, enter https://admin1.example.com:7502/edashboard/index.jsp as Default URL, and then click Save.
    10. SAML Service Provider settings screenshot with mouse over Save button.
    Description of this image
  10. Click Activate Changes.

Creating users and groups for tests

In this section, you create users and groups to Employee Dashboard as SAML application in Oracle Identity Cloud Service.

Note: The Employee Dashboard application leverages the following groups for authorizing the access inside the application:
Employee Dashboard - Authorization mapping
Identity Cloud Service Group Employee Dashboard JAZN Role Authorized Pages
Employee appemployee Index, My Profile, and Employee Perks
Manager appmanager Index, My Profile, Employee Perks, and Management Watch
Security appsecurity Index, My Profile, Employee Perks, and Security Report
You can modify the Employee Dashboard's group names and dependencies in the web.xml and weblogic.xml files.

Create groups

  1. Access the Identity Cloud Service console and log in as administrator.
  2. In the Identity Cloud Service console, expand the Navigation Drawer , click Applications, and then click Add.
  3. Enter employee as Name and click Finish.
    4. A confirmation message for the group creation is displayed.
  4. Repeat the previous steps to create the manager and the security groups.
    5. Identity Cloud Service UI displaying the employee, manager, and security groups after their creation.
    Description of this image

Assign users to groups

In this section, you assign Identity Cloud Service users to the groups previously created. These users will be used for testing the federated SSO. For this tutorial, we making the following assignments:

Employee Dashboard - Group and User association
User Groups
csaladna@example.com employee.
fredmilson@example.com employee and manager.
xhanel@example.com employee, manager, and security.
  1. In the group page, click employee.
  2. Click Users > Assign.
  3. Search and selected the user for assignment (in this example, csaladna@example.com), and then click OK.
    4. A confirmation message is displayed.
    Identity Cloud Service UI displaying csaladna@example.com under the Users tab, with a confirmation message that the group membership is updated.
    Description of this image
  4. Repeat the previous steps to associate users with the manager and the security groups.

Registering the Employee Dashboard Application in Identity Cloud Service

In this section, you register Employee Dashboard as SAML application in Oracle Identity Cloud Service.

  1. Access the Identity Cloud Service console and log in as administrator.
  2. Expand the Navigation Drawer Navigation Drawer, click Applications, and then click Add.
  3. Click SAML Application.
  4. Provide the information as follows and then click Next.
    5. Employee Dashboard - Details attributes
    Attribute Value(s)
    Name Employee Dashboard
    Description Intranet portal for employees
    Application Icon
    optional    		 Select the icon provided with the edashboard sample code at idm-samples/edashboard/edashboard_logo.gif.
    Application URL https://admin1.example.com:7502/edashboard
    Display in My Apps selected
    Identity Cloud Service. Adding a SAML Application. Detail attributes page with mouse over the Next button.
    Description of this image
  5. In SSO Configuration, modify the General section as follows:
    6. Employee Dashboard - SSO Configuration - General Section attributes
    Attribute Value(s)
    Entity ID wlsentity
    Assertion Consumer URL https://admin1.example.com:7502/saml2/sp/acs/post
    Identity Cloud Service. SSO Configuration - General Section attributes highlighted.
    Description of this image
  6. Expand and modify the Advanced section as follows:
    7. Employee Dashboard - SSO Configuration - Advanced Section attributes
    Include Signing Certificate in Signature selected
    Logout Binding POST
    Single Logout URL https://admin1.example.com:7502/edashboard/logout
    Logout Response URL https://admin1.example.com:7502/edashboard
    Identity Cloud Service. SSO Configuration - Advanced Section attributes highlighted.
    Description of this image
  7. Expand the Attribute Configuration section and click the plus button (+) next to Group Attributes.
  8. Fulfill the Group attributes as follows:
    9. Employee Dashboard - SSO Configuration - Group attribute
    Name Groups
    Format Basic
    Condition All Groups
    Identity Cloud Service. SSO Configuration - Group attribute highlighted.
    Description of this image
  9. Click Finish.
  10. Click Activate, and then click Activate Application. A confirmation message appears.
    11. Identity Cloud Service. Employee Dashboard Activated.
    Description of this image
  11. Click SSO Configuration.
  12. Click Download IDCS Metadata and save the IDCSMetadata.xml file.
    13. Identity Cloud Service. SSO Configuration tab with mouse over Download IDCS Metadata button.
    Description of this image
    This file will be used to register Identity Cloud Service as a SAML Identity Provider in WebLogic.
  13. Click Users and then click Assign.
  14. Search and select users (for example, csaladna@example.com, fredmilson@example.com, and xhanel@example.com) and then click OK.
    15. A confirmation message is displayed.
    Identity Cloud Service. Employee Dashboard application with users assigned.
    Description of this image
    Tip: The Users tab under the Employee Dashboard controls what users will be able to launch the federated SSO to Employee Dashboard via Identity Cloud Service. This assignment takes precedence over the groups (employee, manager, and security) that are used by edashboard to control the authorization inside the application.

Registering Identity Cloud Service as Identity Provider in WebLogic

In this section, you register Oracle Identity Cloud Service as a SAML Identity Provider in WebLogic.

  1. Upload the IDCSMetadata.xml obtained in the previous steps to the server hosting WebLogic (for example, under /tmp/IDCSMetadata.xml).
    2. Using WinSCP to upload the IDCSMetadata.xml file to the server hosting WebLogic.
    Description of this image
  2. Access the WebLogic Administration Server Console as administrator (weblogic).
  3. Click Security Realm.
  4. Click myrealm.
  5. Click Providers, and then click SAML2IdentityAsserter.
  6. Click Management, and then click New > New Web Single Sign-On Identity Provider Partner.
    7. SAML2IdentityAsserter Settings page. Mouse over the 'New Web Single Sign-On Identity Provider Partner' button.
    Description of this image
  7. Enter IDCS_IDP as Name, and /tmp/IDCSMetadata.xml as Path, and then click OK.
    8. Create a SAML 2.0 Web Single Sign-On Identity Provider Partner page. Attributes fulfilled and mouse over the OK button.
    Description of this image

    WebLogic displays the IDCS_IDP entry under the Identity Provider Partners table.

  8. Click IDCS_IDP.
  9. Select Enabled, enter /edashboard/* as Redirect URIs, and then click Save.
    10. Settings page. Attributes fulfilled and mouse over the OK button.
    Description of this image
    WebLogic server displays a confirmation message.
  10. Sign-out of WebLogic Server and close your browser.

Testing the Integration

In this section, you test the federated Single Sign-On.

Test the single sign-on initiated from WebLogic

  1. Sign-out of Oracle Identity Cloud Service console and WebLogic Server.
  2. Access https://admin1.example.com:7502/edashboard/.

    3. The Oracle Identity Cloud Service login URL is displayed:

    Authentication in Identity Cloud Service
    Description of this image
    This indicates that WebLogic is able to delegate the authentication for edashboard to Oracle Identity Cloud Service.
  3. Authenticate with a user assigned only to the employees group (for example, csaladna@example.com).
    4. You will be authenticated against Identity Cloud Service and redirected back to the Employee Dashboard:
    Employee Dashboard home page
    Description of this image
  4. Explore the options available in Employee Dashboard. The application must return an error page when accessing the Management Watch and Security Report options.
    5. Employee Dashboard - Authorization Error page
    Description of this image
    This confirms that the authorization is working properly.
  5. Close your browser.
  6. Optionally, repeat the test with other users (for example, fredmilson@example.com, and xhanel@example.com) to confirm that the authorization is working properly for other groups.

Test the single sign-on initiated from Identity Cloud Service

  1. Access Oracle Identity Cloud Service and log in with a user (for example, xhanel@example.com).

    2. The Oracle Identity Cloud Service My Apps page is displayed with the Employee Dashboard application available:

    Identity Cloud Service My Apps page with Employee Dashboard displayed
    Description of this image
  2. Click Employee Dashboard.
    3. The employee dashboard is displayed for xhanel@example.com:
    Employee Dashboard home page for xhanel@example.com
    Description of this image
    This confirms that the federated SSO started from Identity Cloud Service is working properly.

Optional: Implementing App Links

In this optional section, you implement app links for the Employee Dashboard application.

Note: App links are a useful feature when you want to expose several links from the same application.

  1. Access Oracle Identity Cloud Service as administrator.
  2. Expand the Navigation Drawer , click Applications, and then select Employee Dashboard.
  3. Click Add next to App Links.
  4. Provide the information as follows and click Save.
    5. Employee Dashboard - Add App Link
    Name Link Application Icon
    My Profile https://admin1.example.com:7502/edashboard/myprofile.jsp Select the icon provided with the edashboard sample (idm-samples/edashboard/):
    edash_myprofile_icon.gif
    Employee Dashboard Add App Link dialog fulfilled for My Profile. Mouse over the Save button.
    Description of this image
    The Employee Dashboard My Profile entry will be displayed under app links.
  5. Repeat the previous steps to add the remaining app links.
    6. Employee Dashboard - Add App Link
    Name Link Application Icon
    Employee Perks https://admin1.example.com:7502/edashboard/employee.jsp edash_empperks_icon.gif
    Management Watch https://admin1.example.com:7502/edashboard/manager.jsp edash_mgmtwatch_icon.gif
    Security Reports https://admin1.example.com:7502/edashboard/securityReport.jsp edash_secreport_icon.gif
  6. Click Save and then log out.
  7. Access Oracle Identity Cloud Service and log in with a user with access to Employee Dashboard (for example, xhanel@example.com).

    8. The Oracle Identity Cloud Service My Apps page now displays each of the App links under Employee Dashboard:

    Identity Cloud Service My Apps page with Employee Dashboard displayed
    Description of this image
  8. Click Employee Perks.
    9. The employee perks should be displayed for xhanel@example.com:
    Employee Dashboard home page for xhanel@example.com
    Description of this image
    This confirms that the app links are working.
  9. Optionally, return to My Apps and launch the remaining app links.

Want to Learn More?

To learn more about this SAML integration, including architectural information and tips, visit Paulo Albuquerque's article.

To learn more about integrating applications with Oracle Identity Cloud Service using OpenID Connect and OAuth 2.0 for REST-Based Federated Single Sign-On and authorization, try the following tutorials:

Credits

  • Subject Matter Expert(s): Kiran Thakkar, Paulo Albuquerque, Christopher Johnson, and Olaf Heimburger.
  • Developer(s): Frederico Hakamine.