5 Configuring Federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS

This chapter describes how to configure web services federation with Microsoft ADFS 2.0 STS as the Identity Provider STS (IP-STS) and Oracle STS as the Relying Party STS (RP-STS).

Executive Summary

Use Case
  Configure web services federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS.

Solution
  Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Oracle STS and Microsoft ADFS 2.0 STS to establish trust across security domains.

Components
  • Oracle WebLogic Server
  • Oracle Web Services Manager (OWSM)
  • Oracle STS
  • Microsoft ADFS 2.0 STS
  • Web service and client applications to be secured


This chapter contains the following sections:

  • Section 5.1, "Introduction to the Use Case"
  • Section 5.2, "Implementing the Use Case"
  • Section 5.3, "Additional Resources"

5.1 Introduction to the Use Case

This use case demonstrates the steps required to:

  • Attach the appropriate OWSM security policies to enforce message-level protection using SAML bearer authentication.

    Specifically, you attach the following policies to the client and service, respectively:

    • oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy and policies based on oracle/sts_trust_config_client_template

    • oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

  • Configure web services federation using Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS.

Transport security with SSL is used to protect the service, the RP-STS, and the IP-STS.

5.2 Implementing the Use Case

This use case consists of the following tasks:

  • Task 1: Configure the Web Service
  • Task 2: Configure Oracle STS as the RP-STS
  • Task 3: Configure Microsoft ADFS 2.0 STS as the IP-STS
  • Task 4: Configure the Web Service Client

Note:

In the following sections, high-level configuration steps for Oracle STS and Microsoft ADFS 2.0 STS are provided. For detailed information about how to perform these configuration steps, refer to the documentation for the particular STS:

  • Oracle STS documentation at http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oraclests-166231.html
  • Microsoft ADFS 2.0 STS documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx

5.2.1 Task 1: Configure the Web Service

To configure the web service:

  1. Attach the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy policy to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Import the signing certificate for the Oracle STS /wssbearer endpoint into the OWSM keystore.

  3. Define the Oracle STS endpoint as a trusted issuer and a trusted DN. For the complete procedure, see "Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

5.2.2 Task 2: Configure Oracle STS as the RP-STS

To configure Oracle STS as the RP-STS, perform the following steps. For the complete procedure, see the Oracle STS documentation at http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oraclests-166231.html.

  1. Configure WebLogic Server to enable one-way SSL on port 14101.

  2. Configure the Oracle STS /wssbearer endpoint as follows:

    • Attach the policy with the URI sts/wss_sts_issued_saml_bearer_token_over_ssl_service_policy.

    • Create a validation template of type OWSM LRG SAML Validation to validate the incoming SAML token, and apply it to the endpoint.

  3. Add the service as a relying party partner in Oracle STS.

  4. Add the Microsoft ADFS 2.0 STS instance acting as the IP-STS as a trusted identity provider:

    1. Configure an issuing authority partner profile for the Microsoft ADFS 2.0 STS instance.

    2. Add the Microsoft ADFS 2.0 STS instance as an issuing authority partner, giving as the partner name the issuer of the SAML assertion for the instance.

    3. Import the signing certificate for the Microsoft ADFS 2.0 STS instance into the OWSM keystore.

5.2.3 Task 3: Configure Microsoft ADFS 2.0 STS as the IP-STS

To configure Microsoft ADFS 2.0 STS as the IP-STS, perform the following steps. For the complete procedure, see the Microsoft ADFS 2.0 STS documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.

  1. Confirm that the /usernamemixed endpoint is enabled.

  2. Add the Oracle STS instance acting as the RP-STS as a relying party using the ADFS 2.0 management console.

  3. Configure ADFS 2.0 STS to issue SAML bearer tokens for the RP-STS.

5.2.4 Task 4: Configure the Web Service Client

To configure the web service client:

  1. Attach the policy oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy and configure it to refer to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    Additionally, set sts.in.order to the URI of the Oracle STS endpoint followed by the URI of the ADFS 2.0 STS endpoint, separated by a semicolon. For example:

    http://m2.example.com:14100/sts/wssbearer;
    http://m1.example.com/adfs/services/trust/13/usernamemixed
    
  2. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:

    • Set Port URI to the ADFS 2.0 STS endpoint. For example:

      http://m1.example.com/adfs/services/trust/13/usernamemixed
      
    • Set Client Policy URI to oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy.

    For the complete procedure, see "Creating and Editing Web Service Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:

    • Set Port URI to the Oracle STS endpoint. For example:

      http://m2.example.com:14100/sts/wssbearer

    For the complete procedure, see "Creating and Editing Web Service Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
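The following Python model, added here as an illustration and not part of Oracle's or Microsoft's documentation or products, walks through the trust relationships that Tasks 1 through 4 establish: the IP-STS authenticates the user and issues a bearer token addressed to the RP-STS, the RP-STS validates that token against its issuing-authority partner list and re-issues a token for the service, and the service accepts only tokens from the issuer and signing key it was configured to trust. It is a simulation: SAML assertions are dictionaries, XML signatures are replaced by HMAC tags keyed by a per-STS secret that stands in for the signing certificate imported into the OWSM keystore, and the service URI, the two issuer identifiers, the user name and all keys are constructed values. The endpoint URIs and the sts.in.order value are taken from the examples above; the example reads that list from its far end, because the client must hold the IP-STS token before it can exchange it at the RP-STS.

```python
import hashlib
import hmac
import json

# Endpoint URIs from the chapter's examples; the service URI and the two issuer
# identifiers below are constructed for this example.
SERVICE_URI = "https://m3.example.com/myservice"
RP_STS_URI = "http://m2.example.com:14100/sts/wssbearer"
IP_STS_URI = "http://m1.example.com/adfs/services/trust/13/usernamemixed"
RP_STS_ISSUER = "OracleSTS-m2"                               # assumed issuer name
IP_STS_ISSUER = "http://m1.example.com/adfs/services/trust"   # assumed ADFS issuer id

# sts.in.order exactly as Task 4 sets it: the RP-STS first, then the IP-STS.
STS_IN_ORDER = RP_STS_URI + ";" + IP_STS_URI


def sign(key, assertion):
    """Stand-in for the XML signature: an HMAC over the canonical JSON of the assertion."""
    body = json.dumps(assertion, sort_keys=True).encode()
    return {"assertion": assertion, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key, token):
    body = json.dumps(token["assertion"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), token["sig"])


class STS:
    """One STS in either role; what it trusts is exactly what Tasks 2 and 3 configure."""
    def __init__(self, issuer, endpoint, key):
        self.issuer, self.endpoint, self.key = issuer, endpoint, key
        self.issuing_authorities = {}   # issuer -> signing key (issuing authority partners)
        self.relying_parties = set()    # AppliesTo URIs this STS will issue tokens for
        self.users = {}                 # credential store; only the IP-STS has one

    def issue_for_credentials(self, user, password, applies_to):
        """ADFS /usernamemixed: authenticate, then issue a SAML bearer token for the RP-STS."""
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        if applies_to not in self.relying_parties:
            raise PermissionError(applies_to + " is not a registered relying party")
        return sign(self.key, {"issuer": self.issuer, "subject": user,
                               "audience": applies_to, "confirmation": "bearer"})

    def issue_for_token(self, token, applies_to):
        """Oracle STS /wssbearer: validate the incoming token (the SAML validation
        template), then re-issue it under this STS's own signature for the service."""
        a = token["assertion"]
        key = self.issuing_authorities.get(a["issuer"])
        if key is None or not verify(key, token):
            raise PermissionError("untrusted or unverifiable issuer " + a["issuer"])
        if a["audience"] != self.endpoint:
            raise PermissionError("token was not issued to this STS")
        if applies_to not in self.relying_parties:
            raise PermissionError(applies_to + " is not a relying party partner")
        return sign(self.key, {"issuer": self.issuer, "subject": a["subject"],
                               "audience": applies_to, "confirmation": "bearer"})


class Service:
    """The protected web service: trusted issuer list plus imported signing cert (Task 1)."""
    def __init__(self, uri):
        self.uri = uri
        self.trusted_issuers = {}       # issuer -> signing key

    def accept(self, token):
        a = token["assertion"]
        key = self.trusted_issuers.get(a["issuer"])
        return key is not None and verify(key, token) and a["audience"] == self.uri


def client_obtain_token(sts_in_order, sts_by_endpoint, service_uri, user, password):
    """Walk sts.in.order from its far end: authenticate at the IP-STS, then exchange the
    token at each intermediate STS until it is addressed to the service itself."""
    hops = [u.strip() for u in sts_in_order.split(";") if u.strip()][::-1]
    audiences = hops[1:] + [service_uri]      # each hop issues for the next hop
    token = sts_by_endpoint[hops[0]].issue_for_credentials(user, password, audiences[0])
    for endpoint, audience in zip(hops[1:], audiences[1:]):
        token = sts_by_endpoint[endpoint].issue_for_token(token, audience)
    return token


def build_federation(register_ip_sts_partner=True):
    adfs = STS(IP_STS_ISSUER, IP_STS_URI, b"adfs-signing-key")          # constructed key
    adfs.users["alice"] = "correct horse"                                # constructed user
    adfs.relying_parties.add(RP_STS_URI)                                 # Task 3, step 2
    osts = STS(RP_STS_ISSUER, RP_STS_URI, b"oracle-sts-signing-key")    # constructed key
    osts.relying_parties.add(SERVICE_URI)                                # Task 2, step 3
    if register_ip_sts_partner:                                          # Task 2, step 4
        osts.issuing_authorities[IP_STS_ISSUER] = adfs.key               # partner name = issuer
    svc = Service(SERVICE_URI)
    svc.trusted_issuers[RP_STS_ISSUER] = osts.key                        # Task 1, steps 2-3
    return adfs, osts, svc


def service_accepts_federated_token(register_ip_sts_partner=True):
    adfs, osts, svc = build_federation(register_ip_sts_partner)
    try:
        token = client_obtain_token(STS_IN_ORDER, {IP_STS_URI: adfs, RP_STS_URI: osts},
                                    SERVICE_URI, "alice", "correct horse")
    except PermissionError:
        return False
    return svc.accept(token)


def service_accepts_direct_ip_sts_token():
    """A token the IP-STS issues straight for the service is refused: the service's
    trusted-issuer list names only the RP-STS."""
    adfs, osts, svc = build_federation()
    adfs.relying_parties.add(SERVICE_URI)
    return svc.accept(adfs.issue_for_credentials("alice", "correct horse", SERVICE_URI))
```

Calling service_accepts_federated_token() returns True only when every relationship in the four tasks is in place; dropping the issuing-authority partner (register_ip_sts_partner=False) makes the RP-STS reject the IP-STS token, and a token minted by the IP-STS directly for the service is rejected because Task 1 registers only the Oracle STS issuer and certificate on the service side. The same checks are what the real deployment relies on: the service never trusts the IP-STS directly, so the RP-STS is the single point where the cross-domain trust decision is made.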

5.3 Additional Resources

See the following resources for more information about the technologies and tools used to implement the solutions in this chapter: