6 Configuring Federation with Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS

This chapter describes how to configure web services federation with Oracle STS as the Identity Provider STS (IP-STS) and Microsoft ADFS 2.0 STS as the Relying Party STS (RP-STS).

6.1 Use Case: Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS

The use case summary helps you quickly determine whether information in this chapter meets your needs.

The following list summarizes the use case goals, solution, and components. Links to required documentation are also provided.

Use Case

Configure web services federation with Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.

Solution

Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Oracle STS and Microsoft ADFS 2.0 STS to establish trust across security domains.

Components
  • Oracle WebLogic Server

  • Oracle Web Services Manager (OWSM)

  • Oracle STS

  • Microsoft ADFS 2.0 STS

  • Web service and client applications to be secured

This use case demonstrates the steps required to:

  • Attach the appropriate OWSM security policies to enforce message-level protection using SAML holder-of-key (HOK) authentication.

    Specifically, you attach the following policies to the client and service, respectively:

    • oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy and policies based on oracle/sts_trust_config_client_template

    • oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy

  • Configure web services federation using Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.

6.2 Use Case: Implementing Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS

This use case consists of the following tasks:

6.2.1 Configuring the Web Service

To configure the web service:

  1. Attach oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
  2. Import the signing certificate of the ADFS 2.0 STS /issuedtokensymmetricbasic256 endpoint into the OWSM keystore. The service uses it to verify the signature on the assertions that the RP-STS issues.
  3. Define the ADFS 2.0 STS as a trusted issuer and add the DN of its signing certificate to the trusted DN list. For the complete procedure, see "Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

6.2.2 Configuring Microsoft ADFS 2.0 STS as the RP-STS

To configure Microsoft ADFS 2.0 STS as the RP-STS, perform the following steps.

For the complete procedure, see the Microsoft ADFS 2.0 documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.

  1. Confirm that the /issuedtokensymmetricbasic256 endpoint is enabled.
  2. Add the web service as a relying party (relying party trust) using the ADFS 2.0 management console.
  3. Add the Oracle STS instance acting as the IP-STS as a trusted claims provider (claims provider trust) using the ADFS 2.0 management console.

6.2.3 Configuring Oracle STS as the IP-STS

To configure Oracle STS as the IP-STS, perform the following steps.

For the complete procedure, see the Oracle STS documentation at http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oraclests-166231.html.

  1. Configure the Oracle STS /wss11user endpoint as follows:
    • Attach the policy with the URI sts/wss11_username_token_with_message_protection_service_policy.

    • Create a validation template named OWSM LRG UN Validation to validate the incoming username token, and apply it to the endpoint.

  2. In Oracle STS, add the Microsoft ADFS 2.0 STS instance acting as the RP-STS as a relying party partner.
  3. Enable the Audience Restriction Condition in Oracle STS.

    This step is necessary because ADFS 2.0 requires that a SAML assertion from a claims provider carry an audience restriction (AudienceRestrictionUri), and assertions issued by Oracle STS do not include one by default. Without it, ADFS 2.0 rejects the assertion that Oracle STS issues for it.

  4. Configure a separate issuance template that issues 256-bit proof keys for Oracle STS to use. This matches the Basic256 algorithm suite that the client policy in Section 6.2.4 uses.

6.2.4 Configuring the Web Service Client

To configure the web service client:

  1. Create a policy from oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy, modify it as follows, and attach it to the client:
    • Set Algorithm Suite to Basic256 instead of Basic128.

    • Set Derived Keys to enabled.

    • Set sts.in.order to the URI of the ADFS 2.0 STS endpoint followed by the URI of the Oracle STS endpoint, separated by a semicolon. For example:

      http://m1.example.com/adfs/services/trust/13/issuedtokensymmetricbasic256;
      http://m2.example.com:14100/sts/wss11user
      
  2. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
    • Set Port URI to the ADFS 2.0 STS endpoint. For example:

      http://m1.example.com/adfs/services/trust/13/issuedtokensymmetricbasic256
      
    • Set Client Policy URI to the policy you created in Step 1.

      oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy_adfs
      
  3. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
    • Set Port URI to the Oracle STS endpoint; for example:

      http://m2.example.com:14100/sts/wss11user
      
    • Set WSDL URI to the Oracle STS endpoint.
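The checks that the RP-STS and the web service apply to an assertion issued by Oracle STS, as an added example that is not part of the original chapter or of the Oracle STS or ADFS 2.0 code. It ties together step 3 of Section 6.2.1 (trusted issuer and trusted DN), the holder-of-key policies, and step 3 of Section 6.2.3 (the Audience Restriction Condition that ADFS 2.0 requires). The sample assertion, the issuer name (http://m2.example.com:14100/sts) and the audience URI (http://m1.example.com/adfs/services/trust) are constructed assumptions. Signature verification with the certificate imported in step 2 of Section 6.2.1 happens before any of these checks and is not shown; the constructed assertion therefore omits the ds:Signature element.

```python
"""Checks a relying party applies to a SAML 2.0 holder-of-key assertion
before trusting it: trusted issuer, holder-of-key subject confirmation,
AudienceRestriction and validity window.

Added example, not code from Oracle STS or ADFS 2.0. The sample assertion
is constructed for this example; hostnames and URIs are assumptions.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Keep the saml:/ds: prefixes when an assertion is re-serialised.
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Assumed identifiers: the IP-STS issuer name and the RP-STS audience URI.
ORACLE_STS_ISSUER = "http://m2.example.com:14100/sts"
ADFS_AUDIENCE = "http://m1.example.com/adfs/services/trust"

# Constructed sample: the kind of assertion the IP-STS issues for the RP-STS
# once the Audience Restriction Condition is enabled (signature omitted).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_example-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{ORACLE_STS_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:KeyName>proof-key</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{ADFS_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, trusted_issuers, expected_audience, now):
    """Return the reasons to reject the assertion; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    failures = []

    # Trusted issuer list (Section 6.2.1, step 3).
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        failures.append(f"issuer {issuer!r} is not in the trusted issuer list")

    # The HOK policies require holder-of-key confirmation with a proof key.
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != HOLDER_OF_KEY:
        failures.append("subject confirmation method is not holder-of-key")
    elif confirmation.find("saml:SubjectConfirmationData/ds:KeyInfo", NS) is None:
        failures.append("holder-of-key confirmation carries no proof key")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        failures.append("assertion has no Conditions element")
        return failures

    # Audience restriction (Section 6.2.3, step 3).
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        failures.append("no AudienceRestriction: ADFS 2.0 rejects a claims provider assertion without one")
    elif expected_audience not in audiences:
        failures.append(f"audience {audiences} does not include {expected_audience!r}")

    # Validity window.
    not_before = conditions.get("NotBefore")
    if not_before and now < _parse_time(not_before):
        failures.append("assertion is not yet valid (NotBefore)")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        failures.append("assertion has expired (NotOnOrAfter)")
    return failures


def without_audience(xml_text):
    """Return the assertion with its AudienceRestriction removed: what Oracle STS
    issues by default, before the Audience Restriction Condition is enabled."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    for restriction in conditions.findall("saml:AudienceRestriction", NS):
        conditions.remove(restriction)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print("with audience:", check_assertion(SAMPLE_ASSERTION, {ORACLE_STS_ISSUER}, ADFS_AUDIENCE, now))
    print("default (no audience):",
          check_assertion(without_audience(SAMPLE_ASSERTION), {ORACLE_STS_ISSUER}, ADFS_AUDIENCE, now))
```

The second call reproduces the failure mode behind step 3 of Section 6.2.3: the same assertion with no AudienceRestriction is rejected. In production, parse assertions with a hardened parser such as defusedxml rather than xml.etree, and verify the XML signature before running these checks, since an unsigned or badly signed assertion must never reach them.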

6.3 Additional Resources on Oracle Web Services Manager

See the following resources for more information about the technologies and tools used to implement the solutions in this chapter: