Securing WebLogic Server

Configuring Single Sign-On with Web Browsers and HTTP Clients

This section explains how to set up single sign-on (SSO) with Web browsers or other HTTP clients, using authentication based on the Security Assertion Markup Language 1.1 (SAML).

Overview of SAML-Based Single Sign-On

You can use Authentication providers based on the Security Assertion Markup Language (SAML) to allow cross-platform authentication between Web applications or Web Services running in a WebLogic Server domain and Web browsers or other HTTP clients. This enables single sign-on (SSO): once users are authenticated in one site that participates in a single sign-on configuration, they don't need to log in separately at the other sites in the SSO configuration.

SAML SSO works as follows:

  1. A Web user authenticates to a SAML source site.
  2. The user then attempts to access a target resource at a destination site.
  3. Through one or more steps (for example, redirection), the user arrives at an Intersite Transfer Service (ITS) at the source site. The WebLogic Server SAML Credential Mapping provider can serve as an ITS.
  4. Through a sequence of HTTP exchanges, the user browser is transferred to an Assertion Consumer Service (ACS) at the SAML destination site. The WebLogic Server SAML Identity Assertion provider can serve as an ACS.
  5. Information about the SAML assertion provided by the source site and associated with the user and the desired target is conveyed from the source site to the destination site by the protocol exchange.
  6. The ACS at the destination site examines both the assertion and the target information to determine whether to allow access to the target resource, thereby achieving web SSO for authenticated users originating from a source site.

For a general overview of how WebLogic Server implements SAML, see Single Sign-On: Web Sites and Web Applications and Single Sign-On with the WebLogic Security Framework in Understanding WebLogic Security. For more information about adding security to Web Services, see Configuring Security in Programming WebLogic Web Services.

For more information about SAML, see http://www.oasis-open.org.

Single Sign-on with SAML: Main Steps

To configure WebLogic Server to support single sign-on with SAML, you need to configure support for acting as a SAML source site and a SAML destination site. Although SAML support involves a variety of different servlets and services, SAML source site configuration is centralized in the SAML Credential Mapping provider, while SAML destination configuration is centralized in the SAML Identity Assertion provider.

The main steps in configuring SAML SSO in WebLogic Server are:

  1. Determine if you want to support Artifact profile, POST profile, or both. See Single Sign-On with the WebLogic Security Framework for a discussion of how these profiles work.
  2. Configure WebLogic Server as a SAML source site, by creating and configuring a SAML Credential Mapping provider in your security realm. See Configuring a SAML Source Site for Single Sign-On. For a reference-oriented description of SAML Credential Mapping provider configuration, see Configuring a SAML Credential Mapping Provider. As you configure the SAML Credential Mapping provider, you configure:
  3. Configure WebLogic Server as a SAML destination site, by creating and configuring a SAML Identity Assertion provider in your security realm. See Configuring a SAML Destination Site for Single Sign-On. For a reference-oriented description of SAML Identity Assertion provider configuration, see Configuring a SAML Identity Assertion Provider. As you configure the SAML Identity Assertion provider, you configure:
     1. Establish trust by registering the source site's SSL certificate in the certificate registry maintained by the SAML Identity Assertion provider. See Certificate Registry.

Configuring a SAML Source Site for Single Sign-On

This section describes how to configure WebLogic Server as a SAML source site. SAML source site configuration is centralized in the SAML Credential Mapping provider. In your security realm, create a SAML Credential Mapping provider instance. The SAML Credential Mapping provider is not part of the default security realm. See Configuring a SAML Credential Mapping Provider.

Configure SAML Authority Attributes

Configure the SAML Credential Mapping provider as a SAML authority, using the Issuer URI, Name Qualifier, and other attributes.

Configure Source Site Attributes

Configure the SAML Credential Mapping provider as a SAML source site, using the Source Site URLs and Intersite Transfer URIs attributes.

Configure Supported Profiles

You can configure the SAML Credential Mapping provider to support Artifact profile, POST profile, or both, for the purposes of SAML SSO. Be sure to configure support for the profiles that the SAML destination sites support.

To configure support for Artifact profile:

  1. In the SAML Credential Mapping provider, set Artifact Enabled to true.
  2. Configure an ITS for Artifact profile in the Intersite Transfer URIs attribute.

To configure support for POST profile:

  1. In the SAML Credential Mapping provider, set POST Enabled to true.
  2. Optionally, create a default form to use in POST profile assertions and set the pathname of that form in the Default POST Form attribute.
  3. Configure an ITS for POST profile in the Intersite Transfer URIs attribute.

Configure Produced Assertions

In the SAML Credential Mapping provider, you can configure the SAML assertions that will be provided by WebLogic Server when it acts as a SAML source site. You can configure any number of assertions, depending on the requirements of the SAML destination sites your users are connecting to. For information about configuring produced assertions, see Produced Assertion Configuration.

Configuring a SAML Destination Site for Single Sign-On

Configure WebLogic Server as a SAML destination. SAML destination configuration is centralized in the SAML Identity Assertion provider. See Configuring a SAML Identity Assertion Provider.

In your security realm, create a SAML Identity Assertion provider instance. The SAML Identity Assertion provider is not part of the default security realm.

Configure Supported Profiles

You can configure the SAML Identity Assertion provider to support Artifact profile, POST profile, or both, for the purposes of SAML SSO.

To configure support for Artifact profile, in the SAML Identity Assertion provider, set Artifact Enabled to true.

To configure support for POST profile:

  1. In the SAML Identity Assertion provider, set POST Enabled to true.
  2. Optionally, set the Recipient Check Enabled attribute. If true, the Recipient attribute of the SAML Response must match the URL of the HTTP request that delivered it.
  3. Optionally, set the Enforce One Use Policy attribute. See Limiting the Re-use of Assertions.
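As an added illustration, not WebLogic code, the following Python models the two POST-profile checks named above, Recipient Check and Enforce One Use Policy, together with the assertion validity window, against a constructed SAML 1.1 Response. Hostnames, IDs and the subject name are placeholders, and signature verification against the certificate registry is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# SAML 1.1 protocol and assertion namespaces.
NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: a SAML 1.1 Response as the ACS sees it after decoding the
# SAMLResponse form field. Hostnames and IDs are placeholders; the signature is omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="_resp1"
    Recipient="https://dest.example.com/samlacs/acs" MajorVersion="1" MinorVersion="1"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion AssertionID="_a1" Issuer="https://src.example.com"
      IssueInstant="2024-01-01T12:00:00Z" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2024-01-01T12:00:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

SEEN_ASSERTION_IDS = set()  # one-use store; kept in memory for this example only

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def consume_response(xml_text, request_url, now_iso, recipient_check=True, one_use=True):
    """Return (True, subject) if the response passes the checks, else (False, reason)."""
    root = ET.fromstring(xml_text)
    # Recipient Check: the Response must be addressed to the URL that actually received it.
    if recipient_check and root.get("Recipient") != request_url:
        return False, "recipient mismatch"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    # Validity window from the assertion's Conditions element.
    cond = assertion.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window"
    # Enforce One Use Policy: the same AssertionID is never accepted twice.
    aid = assertion.get("AssertionID")
    if one_use:
        if aid in SEEN_ASSERTION_IDS:
            return False, "assertion replayed"
        SEEN_ASSERTION_IDS.add(aid)
    return True, assertion.find(".//saml:NameIdentifier", NS).text
```

Calling consume_response twice with the same response and a current time inside the validity window accepts the first call and rejects the second as replayed.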

Configure Consumed Assertions

In the SAML Identity Assertion provider, you can configure how WebLogic Server consumes assertions it receives when it acts as a SAML destination site. You can configure any number of assertions. For information about configuring consumed assertions, see Consumed Assertion Configuration.
