Using SAML Token Authentication with WebLogic Portal
To implement single-sign on (SSO) authentication with WebLogic
Portal using SAML tokens, you must configure the WLP WSRP Consumer,
the WSRP Producer, and the remote portlet application.
WebLogic Portal can be configured to send SAML assertions
over WSRP. The SAML token is passed directly to the remote portlet
application as an HTTP request header and can be read there as
Request.Headers["SAMLToken"]. The remote portlet host authenticates the
request with the custom HttpModule SAMLAuthenticationModule, which verifies
the token and sets the user principal name for the request so that the
user gains access to the remote portlets. Because that header is the only
thing carrying the user's identity, the remote portlet application must
verify the token's signature (see the remote portlet configuration below)
before accepting the principal; the mere presence of the header proves nothing.
- Add the SAML security policy declaration to the WSRPService.wsdl
and wsrp_v1_bindings.wsdl files.
- Open the wsdl file for the WSRP Producer: \wsrpproducer\1.1\webapp\wsrpproducer\1.0\WSRPService.wsdl.
- If it is not already present, add the following policy
declaration to the WSRPService.wsdl file as a child of the root element <wsdl:definitions> and before the <wsdl:service> element. (The WSRPService.wsdl file installed with the WSRP Producer
includes the SAML policy by default.) The policy uses the wssp prefix without declaring it, so that prefix must already be declared on the enclosing <wsdl:definitions> element; otherwise the file is not well-formed XML.
<wsp:Policy s1:Id="SAMLAuth.xml" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:s1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wssp:Identity>
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
        <wssp:Claims>
          <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
</wsp:Policy>
- Open the wsdl bindings file for the WSRP Producer: \wsrpproducer\1.1\webapp\wsrpproducer\1.0\wsrp_v1_bindings.wsdl.
- Find the <wsdl:input> elements named "getMarkup" and
"performBlockingInteraction". If it is not already present, add the
<wsp:Policy> element shown below to each of them. (The bindings file
installed with the WSRP Producer includes this code inside XML comments;
to enable it, remove the comment tags and make sure the URI attribute is
"#" followed by the Id value of the SAML policy in the WSRPService.wsdl
file, "#SAMLAuth.xml" for the policy above.) The complete XML should look
as follows:
<wsdl:input name="getMarkup">
  <soap:body use="literal"/>
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:PolicyReference URI="#SAMLAuth.xml"/>
  </wsp:Policy>
</wsdl:input>
<wsdl:input name="performBlockingInteraction">
  <soap:body use="literal"/>
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:PolicyReference URI="#SAMLAuth.xml"/>
  </wsp:Policy>
</wsdl:input>
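A check for the two WSDL edits above, added here as an example and not anything shipped with WebLogic Portal or the WSRP Producer: it parses both files and confirms that a sender-vouches SAML policy exists in WSRPService.wsdl, that both the getMarkup and performBlockingInteraction inputs carry a PolicyReference (a reference still inside the shipped comment markers is reported as missing), and that each URI is "#" plus the policy's Id. The embedded WSDL strings are constructed, cut-down stand-ins for the real files; the wssp namespace URI is an assumption, since the page never shows where that prefix is declared.

```python
"""Check that the SAML policy in WSRPService.wsdl is wired into
wsrp_v1_bindings.wsdl. Added example, not WLP or WSRP Producer code.
The WSDL strings are constructed, cut-down stand-ins for the real files;
the wssp namespace URI is an assumption (the page never shows where the
wssp prefix is declared)."""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wssp": "http://www.bea.com/wls90/security/policy",  # assumed WebLogic policy namespace
}
SAML_TOKEN_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID")
SECURED_INPUTS = ("getMarkup", "performBlockingInteraction")


def q(prefix, local):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], local)


def saml_policy_ids(service_wsdl):
    """Ids of top-level wsp:Policy elements that require a sender-vouches SAML token."""
    ids = []
    for pol in ET.fromstring(service_wsdl).findall("wsp:Policy", NS):
        for tok in pol.findall("wssp:Identity/wssp:SupportedTokens/wssp:SecurityToken", NS):
            method = tok.findtext("wssp:Claims/wssp:ConfirmationMethod", default="", namespaces=NS)
            if tok.get("TokenType") == SAML_TOKEN_TYPE and method.strip() == "sender-vouches":
                ids.append(pol.get(q("wsu", "Id")))
    return ids


def policy_references(bindings_wsdl):
    """PolicyReference URIs on each secured wsdl:input. ElementTree drops XML
    comments, so a reference the shipped file still has commented out simply
    does not appear here."""
    refs = {name: [] for name in SECURED_INPUTS}
    for inp in ET.fromstring(bindings_wsdl).iter(q("wsdl", "input")):
        name = (inp.get("name") or "").strip()  # tolerate stray spaces in the name
        if name in refs:
            refs[name] += [r.get("URI") for r in inp.findall("wsp:Policy/wsp:PolicyReference", NS)]
    return refs


def check_saml_wiring(service_wsdl, bindings_wsdl):
    """Return a list of problems; an empty list means the policy is wired correctly."""
    problems = []
    ids = saml_policy_ids(service_wsdl)
    if not ids:
        problems.append("WSRPService.wsdl: no sender-vouches SAML policy found")
    for name, uris in policy_references(bindings_wsdl).items():
        if not uris:
            problems.append("wsrp_v1_bindings.wsdl: input %r has no PolicyReference (still commented out?)" % name)
        for uri in uris:
            if not (uri or "").startswith("#") or uri[1:] not in ids:
                problems.append("wsrp_v1_bindings.wsdl: input %r references %r, not a SAML policy Id" % (name, uri))
    return problems


# Constructed samples: just enough of each file for the checks above.
SERVICE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wssp="http://www.bea.com/wls90/security/policy">
  <wsp:Policy s1:Id="SAMLAuth.xml" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:s1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wssp:Identity><wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
        <wssp:Claims><wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod></wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens></wssp:Identity>
  </wsp:Policy>
  <wsdl:service name="WSRPService"/>
</wsdl:definitions>"""

BINDINGS_TEMPLATE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsdl:binding name="WSRP_v1_Markup_Binding_SOAP">
    <wsdl:operation name="getMarkup"><wsdl:input name="getMarkup">
      <soap:body use="literal"/>%s</wsdl:input></wsdl:operation>
    <wsdl:operation name="performBlockingInteraction"><wsdl:input name=" performBlockingInteraction ">
      <soap:body use="literal"/>%s</wsdl:input></wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""
REF = '<wsp:Policy><wsp:PolicyReference URI="%s"/></wsp:Policy>'
BINDINGS_OK = BINDINGS_TEMPLATE % (REF % "#SAMLAuth.xml", REF % "#SAMLAuth.xml")
# Typo in the first URI; the second reference is still inside the shipped comment markers.
BINDINGS_BAD = BINDINGS_TEMPLATE % (REF % "#SAMLAuth", "<!-- %s -->" % (REF % "#SAMLAuth.xml"))

if __name__ == "__main__":
    print(check_saml_wiring(SERVICE_WSDL, BINDINGS_OK))   # []
    print(check_saml_wiring(SERVICE_WSDL, BINDINGS_BAD))  # two problems
```

To run it against the real Producer files, read WSRPService.wsdl and wsrp_v1_bindings.wsdl into strings and pass them to check_saml_wiring; an empty list means the policy Id, the two references and the confirmation method all line up.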
- Add a <securityTokenManager> element
to the WSRP Producer's Web.config file as shown below. It tells the
Producer which element in the incoming security header is the SAML token
(the Assertion element in the urn:oasis:names:tc:SAML:1.0:assertion
namespace). As the type name indicates, this manager does not itself
authenticate the assertion; the token is handed on to the remote portlet
application, and it is that application's SAML module that verifies it.
<microsoft.web.services2>
  <security>
    <securityTokenManager
      type="Bea.BasicNoAuthSAMLTokenManager, WSRPService"
      xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
      qname="Assertion"
    />
  </security>
</microsoft.web.services2>
- Generate a SAML credential certificate and configure the
WLP WSRP Consumer to use the generated key. For instructions, see Establishing WSRP Security with SAML and Configuring Single Sign-On with Web Browsers and
HTTP Clients in the WLP documentation. You must also configure
the Relying Party properties as described below.
- On the Management tab, click Relying Parties.
- In the Relying Parties table, double-click rp_00001.
- Ensure that Sign Assertions and Include KeyInfo are both checked. Without the signature the remote portlet host has nothing to verify; without KeyInfo the assertion does not identify the signing certificate that the remote portlet application is given in the next step.
- Click Save.
- Configure the remote portlet application to verify the
SAML token.
- Import the certificate used to sign the SAML token
into the Local Machine store, Enterprise Trusted certificates, on the machine that hosts the remote portlet application. Only the WLP signing certificate belongs there: a token is only as trustworthy as the set of certificates the host accepts as signers.
- Configure the Web.config file of the ASP.NET application
to use the SAML authenticator.
- Under the system.web element, set the authentication mode to “None” so that ASP.NET performs no authentication of its own and the request principal comes solely from the SAML module:
<authentication mode="None" />
- Register the SAMLAuthenticationModule in the httpModules section of system.web as follows:
<httpModules>
  <add name="SAMLAuthentication" type="BEA.Portlet.Authentication.SAMLAuthenticationModule, SAMLAuth"/>
</httpModules>
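What the module on the remote portlet host has to establish before it sets the principal, as an added example that is not taken from the page or from BEA's SAMLAuthenticationModule: an assertion pulled from the SAMLToken header can be rejected on structural grounds before any cryptography runs. An unsigned assertion or a signature without KeyInfo means the two rp_00001 settings above are wrong; an assertion outside its validity window or without a sender-vouches confirmation is not one the WSDL policy allows. The assertion below is constructed with a placeholder signature block; the header encoding (raw XML or base64) and the 60-second clock skew are assumptions. Signature verification against the imported certificate still has to follow these checks and is not shown.

```python
"""Structural pre-checks on the assertion carried in the SAMLToken header,
run before cryptographic signature verification. Added example, not the
BEA SAMLAuthenticationModule. The assertion is constructed, its signature
block is a placeholder, and the header encoding (raw XML or base64 XML)
is an assumption, since the page does not specify it."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def encode_header(xml_text):
    """Base64 form of the header (assumed encoding)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_header(value):
    """Accept raw XML or base64-encoded XML (assumption about the header format)."""
    value = value.strip()
    return value if value.startswith("<") else base64.b64decode(value).decode("utf-8")


def parse_saml_time(text):
    """SAML 1.x timestamps are UTC xsd:dateTime with a trailing Z."""
    text = text.strip().rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def precheck_assertion(header_value, now, skew_seconds=60):
    """Return (principal_name, []) on success or (None, [problems...])."""
    problems = []
    try:
        root = ET.fromstring(decode_header(header_value))
    except (ValueError, ET.ParseError) as exc:
        return None, ["header is not XML or base64 XML: %s" % exc]
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None, ["root is %s, expected saml:Assertion" % root.tag]
    # Sign Assertions and Include KeyInfo on rp_00001 are what make the
    # token verifiable at all; flag a token that lacks either.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is unsigned (Sign Assertions not checked?)")
    elif sig.find("ds:KeyInfo", NS) is None:
        problems.append("signature has no KeyInfo (Include KeyInfo not checked?)")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element, so no validity window")
    else:
        skew = timedelta(seconds=skew_seconds)  # assumed tolerance for clock drift
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            problems.append("assertion not yet valid (NotBefore=%s)" % not_before)
        if not_after and now - skew >= parse_saml_time(not_after):
            problems.append("assertion expired (NotOnOrAfter=%s)" % not_after)
    methods = [m.text.strip() for m in
               root.iterfind(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS) if m.text]
    if SENDER_VOUCHES not in methods:
        problems.append("no sender-vouches confirmation, which is all the WSDL policy allows")
    name = root.findtext(".//saml:Subject/saml:NameIdentifier", default="", namespaces=NS).strip()
    if not name:
        problems.append("no Subject/NameIdentifier to use as the principal name")
    return (name, []) if not problems else (None, problems)


def sample_assertion(signed=True, key_info=True):
    """Constructed SAML 1.1 sender-vouches assertion; the ds:Signature is a
    placeholder skeleton, not a real XML-DSig."""
    key = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>placeholder"
           "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>") if key_info else ""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/>'
           '<ds:SignatureValue>placeholder</ds:SignatureValue>%s</ds:Signature>' % key) if signed else ""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"'
            ' MinorVersion="1" AssertionID="_1" Issuer="wlp-consumer" IssueInstant="2024-01-01T00:00:00Z">'
            '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>'
            '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"'
            ' AuthenticationInstant="2024-01-01T00:00:00Z"><saml:Subject>'
            '<saml:NameIdentifier>alice</saml:NameIdentifier><saml:SubjectConfirmation>'
            '<saml:ConfirmationMethod>%s</saml:ConfirmationMethod></saml:SubjectConfirmation>'
            '</saml:Subject></saml:AuthenticationStatement>%s</saml:Assertion>' % (SENDER_VOUCHES, sig))


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T00:02:00Z")
    print(precheck_assertion(encode_header(sample_assertion()), now))  # ('alice', [])
    print(precheck_assertion(sample_assertion(signed=False), now))     # unsigned
    print(precheck_assertion(sample_assertion(), parse_saml_time("2024-01-01T00:10:00Z")))  # expired
```

The principal name is only returned when every check passes, so a caller cannot accidentally set the request identity from a token that failed one of them; the real module additionally has to verify the signature against the certificate imported into the Enterprise Trust store before doing the same.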