AquaLogic .NET Portlet Toolkit WSRP Development Guide


Using SAML Token Authentication with WebLogic Portal

To implement single-sign on (SSO) authentication with WebLogic Portal using SAML tokens, you must configure the WLP WSRP Consumer, the WSRP Producer, and the remote portlet application.

WebLogic Portal can be configured to send SAML assertions over WSRP. The SAML token is passed directly to the Remote Portlet Application as part of the HTTP headers and can be read from the request headers (Request.Headers["SAMLToken"]). The remote portlet host handles authentication with the custom HttpModule "SAMLAuthenticationModule", which sets the user principal name for the request so that the user gains access to the remote portlets.

  1. Add the SAML security policy declaration to the WSRPService.wsdl file and reference it from the wsrp_v1_bindings.wsdl file.
    1. Open the wsdl file for the WSRP Producer: \wsrpproducer\1.1\webapp\wsrpproducer\1.0\WSRPService.wsdl.
    2. If it is not already present, add the following policy declaration to the WSRPService.wsdl file as a child of the root element <wsdl:definitions> and before the <wsdl:service> element. (The WSRPService.wsdl file installed with the WSRP Producer includes the SAML policy by default.)
      <wsp:Policy s1:Id="SAMLAuth.xml" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:s1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      	<wssp:Identity>
      		<wssp:SupportedTokens>
      			<wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
      				<wssp:Claims>
      					<wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
      				</wssp:Claims>
      			</wssp:SecurityToken>
      		</wssp:SupportedTokens>
      	</wssp:Identity>
      </wsp:Policy>
      
    3. Open the wsdl bindings file for the WSRP Producer: \wsrpproducer\1.1\webapp\wsrpproducer\1.0\wsrp_v1_bindings.wsdl.
    4. Find the <wsdl:input> elements with the names “getMarkup” and “performBlockingInteraction”. If not already present, add the <Policy> element shown below. (The bindings file installed with the WSRP Producer includes this code within comments; to enable the code, remove the comment tags and make sure the URI attribute matches the Id value of the SAML policy in the WSRPService.wsdl file.) The complete XML should look as follows:
      <wsdl:input name="getMarkup">
      	<soap:body use="literal"/>
      	<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      		<wsp:PolicyReference URI="#SAMLAuth.xml"/>
      	</wsp:Policy>
      </wsdl:input>
      
      <wsdl:input name="performBlockingInteraction">
      	<soap:body use="literal"/>
      	<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      		<wsp:PolicyReference URI="#SAMLAuth.xml"/>
      	</wsp:Policy>
      </wsdl:input>
      
  2. Add a <securityTokenManager> element to the WSRP Producer's Web.config file as shown below.
    <microsoft.web.services2>
    	<security>
    		<securityTokenManager
    			type="Bea.BasicNoAuthSAMLTokenManager, WSRPService"
    			xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
    			qname="Assertion" />
    	</security>
    </microsoft.web.services2>
    
  3. Generate a SAML credential certificate and configure the WLP WSRP Consumer to use the generated key. For instructions, see Establishing WSRP Security with SAML and Configuring Single Sign-On with Web Browsers and HTTP Clients in the WLP documentation. You must also configure the Relying Party properties as described below.
    1. On the Management tab, click Relying Parties.
    2. In the Relying Parties table, double-click rp_00001.
    3. Ensure that Sign Assertions and Include Keyinfo are checked.
    4. Click Save.
  4. Configure the remote portlet application to verify the SAML token.
    1. Import the certificate used to generate the SAML token into the Local machine store – Enterprise Trusted certificates on the machine that hosts the remote portlet application.
    2. Configure the Web.config file of the ASP.NET application to use the SAML authenticator.
      1. Under the system.web element, update the authentication node to use “None”.
        <authentication mode="None" />
        
      2. Configure the SAMLAuthenticationModule in the httpModules section of system.web as follows:
        <httpModules>
        	<add name="SAMLAuthentication" type="BEA.Portlet.Authentication.SAMLAuthenticationModule, SAMLAuth"/>
        </httpModules>
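
The verification that step 4 relies on, as an added illustration and not the toolkit's own SAMLAuthenticationModule: it assumes the SAMLToken header carries a base64-encoded, signed SAML 1.x assertion (sender-vouches, signed by the consumer as configured under Relying Parties) and that the consumer's signing certificate was imported as in step 4; the names SamlHeaderValidator and SamlSignedXml are hypothetical. It returns the subject name a module would set as the request's principal, or null when the token must not be trusted.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

// SignedXml resolves "#id" references only via Id/id/ID attributes, but SAML 1.x uses AssertionID; resolving only to the root keeps a reference from naming a nested node.
class SamlSignedXml : SignedXml
{
    public SamlSignedXml(XmlDocument doc) : base(doc) { }
    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement root = document.DocumentElement;
        return root.GetAttribute("AssertionID") == idValue ? root : null;
    }
}

static class SamlHeaderValidator
{
    const string SamlNs = "urn:oasis:names:tc:SAML:1.0:assertion";
    // Returns the asserted NameIdentifier, or null when the SAMLToken header must not be trusted; 'signer' is the imported consumer certificate.
    public static string Validate(string header, X509Certificate2 signer)
    {
        if (string.IsNullOrEmpty(header)) return null;            // no token: the request stays anonymous
        try
        {
            XmlDocument doc = new XmlDocument();
            doc.PreserveWhitespace = true; doc.XmlResolver = null; // exact canonicalization; no DTD or entity fetches
            doc.LoadXml(Encoding.UTF8.GetString(Convert.FromBase64String(header)));
            XmlElement assertion = doc.DocumentElement;
            XmlNamespaceManager nsm = new XmlNamespaceManager(doc.NameTable);
            nsm.AddNamespace("saml", SamlNs);
            nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
            XmlElement sig = assertion.SelectSingleNode("ds:Signature", nsm) as XmlElement;
            if (assertion.NamespaceURI != SamlNs || assertion.LocalName != "Assertion" || sig == null) return null;
            // Verify against the pinned certificate (never the KeyInfo inside the token) and require the single signed reference to cover this very assertion.
            SignedXml signed = new SamlSignedXml(doc);
            signed.LoadXml(sig);
            if (!signed.CheckSignature(signer, true) || signed.SignedInfo.References.Count != 1) return null;
            if (((Reference)signed.SignedInfo.References[0]).Uri != "#" + assertion.GetAttribute("AssertionID")) return null;
            // Honour the validity window; an assertion without one is rejected here (the conversion throws).
            XmlElement cond = assertion.SelectSingleNode("saml:Conditions", nsm) as XmlElement;
            DateTime now = DateTime.UtcNow;
            if (cond == null || now < XmlConvert.ToDateTime(cond.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc)
                || now >= XmlConvert.ToDateTime(cond.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc)) return null;
            XmlNode name = assertion.SelectSingleNode(".//saml:Subject/saml:NameIdentifier", nsm);
            return (name == null || name.InnerText.Length == 0) ? null : name.InnerText;
        }
        catch (Exception) { return null; }                         // malformed or tampered token: treat as absent
    }
}
```

An IHttpModule would call Validate from its AuthenticateRequest handler and, on a non-null result, assign a GenericPrincipal built from that name to HttpContext.User; a null result leaves the request anonymous.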
        
