Securing WebLogic Server
This section explains how to set up single sign-on (SSO) with Web browsers or other HTTP clients, using authentication based on the Security Assertion Markup Language 1.1 (SAML 1.1).
You can use Authentication providers based on the Security Assertion Markup Language (SAML) to allow cross-platform authentication between Web applications or Web Services running in a WebLogic Server domain and Web browsers or other HTTP clients. This enables single sign-on (SSO): once users are authenticated in one site that participates in a single sign-on configuration, they don't need to log in separately at the other sites in the SSO configuration.
For a general overview of how WebLogic Server implements SAML, see Single Sign-On: Web Sites and Web Applications and Single Sign-On with the WebLogic Security Framework in Understanding WebLogic Security. For more information about adding security to Web Services, see Configuring Security in Programming WebLogic Web Services.
For more information about SAML, see http://www.oasis-open.org.
To configure WebLogic Server to support single sign-on with SAML, you configure it as a SAML source site (the site that authenticates the user and produces assertions), as a SAML destination site (the site that consumes assertions and establishes the user's identity), or as both, depending on its role in the SSO configuration. Although SAML support involves a variety of different servlets and services, SAML source site configuration is centralized in the SAML Credential Mapping provider, while SAML destination site configuration is centralized in the SAML Identity Assertion provider.
The main steps in configuring SAML SSO in WebLogic Server are:
Configure WebLogic Server as a SAML source site. SAML source site configuration is centralized in the SAML Credential Mapping provider. In your security realm, create a SAML Credential Mapping provider instance. The SAML Credential Mapping provider is not part of the default security realm, so you must add it explicitly. See Configuring a SAML Credential Mapping Provider.
Configure the SAML Credential Mapping provider as a SAML authority, using the Issuer URI, Name Qualifier, and other attributes.
Configure the SAML Credential Mapping provider as a SAML source site, using the Source Site URLs and Intersite Transfer URIs attributes.
You can configure the SAML Credential Mapping provider to support the Artifact profile, the POST profile, or both, for the purposes of SAML SSO. Configure support for at least the profiles that your SAML destination sites support: a destination site cannot consume an assertion delivered through a profile that the source site is not configured to produce.
To configure support for Artifact profile:
To configure support for POST profile:
In the SAML Credential Mapping provider, you can configure the SAML assertions that will be provided by WebLogic Server when it acts as a SAML source site. You can configure any number of assertions, depending on the requirements of the SAML destination sites your users are connecting to. For information about configuring produced assertions, see Produced Assertion Configuration.
Configure WebLogic Server as a SAML destination site. SAML destination site configuration is centralized in the SAML Identity Assertion provider. See Configuring a SAML Identity Assertion Provider.
In your security realm, create a SAML Identity Assertion provider instance. The SAML Identity Assertion provider is not part of the default security realm, so you must add it explicitly.
You can configure the SAML Identity Assertion provider to support the Artifact profile, the POST profile, or both, for the purposes of SAML SSO. Enable only the profiles your SAML source sites actually use, so that the destination site does not accept assertions over a delivery path you have not reviewed.
To configure support for Artifact profile, in the SAML Identity Assertion provider, set Artifact Enabled to true.
To configure support for POST profile:
In the SAML Identity Assertion provider, you can configure how WebLogic Server consumes assertions it receives when it acts as a SAML destination site. You can configure any number of assertions. For information about configuring consumed assertions, see Consumed Assertion Configuration.
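The following is an added example, written for this page and not code from WebLogic Server or its documentation. It models the SAML 1.1 Browser/Artifact profile that the source site and destination site steps above configure: the source site's Intersite Transfer Service builds a type 0x0001 artifact (2-byte TypeCode, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded) and redirects the browser to the destination site's assertion consumer URL with SAMLart and TARGET parameters; the destination site decodes the artifact, identifies the source site by SourceID, retrieves the assertion, and checks validity window and audience before accepting the identity. The artifact retrieval, which in the real profile is a samlp:Request sent over SOAP to the source site's Assertion Retrieval Service, is simulated by an in-process call, and assertions are plain dictionaries rather than signed XML. All URLs, the issuer URI, the audience and the user name are constructed placeholders; the SourceID is derived as SHA-1 of the issuer URI, which is the usual convention but is not mandated by the page.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the example (not from the WebLogic documentation).
SOURCE_ISSUER_URI = "https://source.example.com/samlcm"   # Issuer URI of the source site
DEST_ACS_URL = "https://dest.example.com/samlacs/acs"     # destination assertion consumer URL
DEST_AUDIENCE = "https://dest.example.com/app"            # AudienceRestriction for the destination

TYPE_CODE_1 = b"\x00\x01"   # SAML 1.1 artifact TypeCode 0x0001


def source_id(issuer_uri: str) -> bytes:
    """20-byte SourceID; SHA-1 of the source site identifier is the common convention (assumption)."""
    return hashlib.sha1(issuer_uri.encode()).digest()


def encode_artifact(src_id: bytes, handle: bytes) -> str:
    """TypeCode || SourceID || AssertionHandle, base64-encoded (42 raw bytes)."""
    if len(src_id) != 20 or len(handle) != 20:
        raise ValueError("SourceID and AssertionHandle must each be 20 bytes")
    return base64.b64encode(TYPE_CODE_1 + src_id + handle).decode()


def decode_artifact(artifact: str):
    """Reject anything that is not a well-formed type 0x0001 artifact before trusting it."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != TYPE_CODE_1:
        raise ValueError("not a SAML 1.1 type 0x0001 artifact")
    return raw[2:22], raw[22:42]


class SourceSite:
    """Source site: Intersite Transfer Service plus a single-use assertion store."""

    def __init__(self, issuer_uri, ttl_seconds=60):
        self.issuer_uri = issuer_uri
        self.ttl = ttl_seconds
        self.store = {}   # AssertionHandle -> assertion; entries are removed on first retrieval

    def intersite_transfer(self, subject, target_url, audience, now=None):
        now = time.time() if now is None else now
        handle = secrets.token_bytes(20)          # unguessable handle, one per assertion
        self.store[handle] = {
            "Issuer": self.issuer_uri,
            "NameIdentifier": subject,
            "NotBefore": now,
            "NotOnOrAfter": now + self.ttl,
            "Audience": audience,
        }
        art = encode_artifact(source_id(self.issuer_uri), handle)
        return DEST_ACS_URL + "?" + urlencode({"SAMLart": art, "TARGET": target_url})

    def retrieve(self, handle):
        """Assertion Retrieval Service: pop, so a replayed artifact resolves to nothing."""
        return self.store.pop(handle, None)


class DestinationSite:
    """Destination site: assertion consumer with the checks a consumed-assertion config enforces."""

    def __init__(self, audience):
        self.audience = audience
        self.partners = {}   # SourceID -> trusted SourceSite

    def register_source(self, site):
        self.partners[source_id(site.issuer_uri)] = site

    def consume(self, redirect_url, now=None):
        now = time.time() if now is None else now
        qs = parse_qs(urlparse(redirect_url).query)
        src_id, handle = decode_artifact(qs["SAMLart"][0])
        site = self.partners.get(src_id)
        if site is None:
            raise PermissionError("artifact from unknown source site")
        assertion = site.retrieve(handle)
        if assertion is None:
            raise PermissionError("artifact already used or expired")
        if assertion["Issuer"] != site.issuer_uri:
            raise PermissionError("issuer does not match the resolving source site")
        if not (assertion["NotBefore"] <= now < assertion["NotOnOrAfter"]):
            raise PermissionError("assertion outside validity window")
        if assertion["Audience"] != self.audience:
            raise PermissionError("assertion not intended for this site")
        return assertion["NameIdentifier"], qs["TARGET"][0]


def demo():
    """Run one good exchange and three failure cases; returns the outcomes for inspection."""
    src = SourceSite(SOURCE_ISSUER_URI)
    dst = DestinationSite(DEST_AUDIENCE)
    dst.register_source(src)
    results = {}

    url = src.intersite_transfer("alice", DEST_AUDIENCE + "/orders", DEST_AUDIENCE)
    results["user"], results["target"] = dst.consume(url)

    cases = {
        "replay": url,                                                             # same artifact again
        "unknown": SourceSite("https://rogue.example.net/samlcm")
                   .intersite_transfer("alice", DEST_AUDIENCE, DEST_AUDIENCE),     # unregistered source
        "audience": src.intersite_transfer("alice", DEST_AUDIENCE, "https://other.example.com"),
    }
    for name, u in cases.items():
        try:
            dst.consume(u)
            results[name] = "accepted"
        except PermissionError as e:
            results[name] = str(e)

    stale = src.intersite_transfer("alice", DEST_AUDIENCE, DEST_AUDIENCE, now=1000.0)
    try:
        dst.consume(stale, now=1000.0 + 120)   # consumed after NotOnOrAfter
        results["expired"] = "accepted"
    except PermissionError as e:
        results["expired"] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The failure cases map onto the configuration choices above: the partner table is what the destination's consumed-assertion configuration establishes (only assertions from configured source sites are trusted), the single-use store is why the source site must keep artifacts unguessable and short-lived, and the audience and validity checks are the conditions a destination site applies regardless of which profile delivered the assertion.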