Pages

Steps to configure SAML 2 on Weblogic Server 10.3.x

1) First we need to create a security database for SAML configuration. This has to be done even before domains are created.
Steps to use a pointbase database provided with Weblogic Installation :
  • Copy ” pbembedded.lic ” located in ” C:\bea10.3\wlserver_10.3\common\eval\pointbase\lib ” to ” C:\bea10.3\wlserver_10.3\common\eval\pointbase\tools “
  • We need to create two security database – one for the source side domain and another for the destination end domain.
  • Now start the PointBase server ( run ” startPointBase.cmd ” located in ” C:\bea10.3\wlserver_10.3\common\eval\pointbase\tools “
  • Start the PointBase console  ( run ” startPointBaseConsole.cmd ” located in ” C:\bea10.3\wlserver_10.3\common\eval\pointbase\tools “
  • Login using the user name ” EXAMPLES ” and password ” EXAMPLES “

  • Now lets create a database table using the sample ” rdbms_security_store_pointbase.sql ” located in ” C:\bea10.3\wlserver_10.3\server\lib “

  • Now we need to create another database using the user name ” PUBLIC ” and password ” PUBLIC “

So now we have successfully created two security database, lets cerate the domains now.
We need to create the following domains on WLS 10.3.x :
Domain1 name : saml_source   ;    non ssl port : 7001 ;  ssl port : 7002
Domain2 name : saml_destination  ;  non ssl port : 7003  ;  ssl port : 7004
Now run the ” Configuration Wizard ” On the ” Customize Environment and Services Settings ” screen select the option ” Yes “

  • Select the option “I want to create, change, or remove RDBMS support” and make the changes as shown in the figure below, and also click on ” Test Connection ” button to make sure that the database is configured properly.

  • We need to configure ” Custom Identity and Custom Trust ” on Weblogic servers.
Refer the link below to know more about configuring ” Custom Identity and Custom Trust ” :
Link : http://wls4mscratch.wordpress.com/2010/06/08/steps-to-configure-custom-identity-custom-trust-on-wls/
  • Now we need to configure ” Credential Mapper ” on the IDP end.
  • So to ” myrealm ” –> ” Providers ” –> ” Credential Mapping ” –> and add a ” SAML2CredentialMapper ” as shown below :

  • Now click on the newly created SAML2CredentialMapper say ” saml_IDP ” and make the following changes :
    • Issuer URI : http://www.souresite.com/saml
    • Name Qualifier : sourcesite.com
    • Web Service Assertion Signing Key Alias : cooldragon
    • Web Service Assertion Signing Key Pass Phrase : **********
    • Please type again To confirm : *********


  • Click on ” Servers ” –> Admin Server –> ” Federation Services ” –> ” SAML 2.0 Identity Provider ” and make the following changes :
    • Enabled : check
    • Only Accept Signed Authentication Request : check
    • Preferred Binding : POST

  • Now click on ” Servers ” –> Admin Server –> ” Federation Services ” –> ” SAML 2.0 General ” and make the following changes :
    • Replicated Cache Enabled – Uncheck
    • Contact Person Given Name
    • Contact Person Surname
    • Contact Person Type
    • Contact Person Company
    • Contact Person Telephone Number
    • Contact Person Email Address
    • Organization Name
    • Organization URL
    • Published Site URL : http://:/saml2
    • Entity ID : ( Source Domain name)
    • Single Sign-on Signing Key Alias
    • Single Sign-on Signing Key Pass Phrase
    • Confirm Single Sign-on Signing Key Pass Phrase
  • Save the changes and export the IDP metadata into a XML file –> Click on “ Publish Meta Data ” button. ( say IDP_Metadata.xml ). We need to copy this file to the destination domain later.



————–
Destination Side :
Now we need to generate the SAML destination site ( SP ) metadata
  • Click on ” myrealm ” –> ” Providers ” –> ” Authentication ” –> new ” SAML2IdentityAsserter “


  • Click on ” Servers ” –> Admin Server –> ” Federation Services ” –> ” SAML 2.0 Service Provider ” and make the following changes :
    • Enabled : check
    • Always Sign Authentication Requests : check
    • Force Authentication : Check
    • Preferred Binding : POST
    • Default URL : http://:/samldest01App

  • Now click on ” Servers ” –> Admin Server –> ” Federation Services ” –> ” SAML 2.0 General ” and make the following changes :
    • Replicated Cache Enabled : Uncheck
    • Contact Person Given Name
    • Contact Person Surname
    • Contact Person Type
    • Contact Person Company
    • Contact Person Telephone Number
    • Contact Person Email Address
    • Organization Name
    • Organization URL
    • Published Site URL : http://:/saml2
    • Entity ID : ( Destination Domain name)
    • Single Sign-on Signing Key Alias
    • Single Sign-on Signing Key Pass Phrase
    • Confirm Single Sign-on Signing Key Pass Phrase


More Here


Courtesy:http://wls4mscratch.wordpress.com/2010/07/22/steps-to-configure-saml-2-on-weblogic-server-10-3-x/

2 comments: