Integrate Oracle Banking Digital Experience with Ping for Single Sign-On

Introduction

SAML 2.0 (Security Assertion Markup Language) is an open standard created to provide cross-domain single sign-on (SSO). In other words, it allows a user to authenticate in one system and gain access to another system by presenting proof of that authentication. Oracle Banking Digital Experience supports SAML 2.0 in order to integrate with an IdP (Identity Provider) that supports this technology, such as Oracle Identity Cloud Service. Oracle Identity Cloud Service manages user access and entitlements across a wide range of cloud and on-premises applications and services using a cloud-native, identity as a service (IDaaS) platform that acts as the front door into Oracle Cloud for external identities.

SAML is an XML-based authentication protocol in which Identity Providers (such as Oracle Identity Cloud Service, Ping, Okta), the entities that manage and store user credentials, exchange digitally signed XML documents (SAML Assertions) that allow an end user to access a Service Provider (here, Oracle Banking Digital Experience). Because the assertion is a bearer token, the Service Provider must verify the IdP's signature and check that the assertion was issued for it (audience, recipient and destination) before honouring it. For more information, see SAML and Single Sign-On (SSO).

With SAML, the authentication workflow can be initiated by either the Service Provider (SP) or the Identity Provider (IdP). IdP-initiated authentication occurs when a user who is already logged in to their organization's dashboard selects the application there. In this case the IdP sends a SAML assertion to the SP via the user's web browser, and the SP logs them in automatically; there is no preceding request from the SP to correlate the response with.

SP-initiated authentication occurs when an employee tries to log in to the external site (the SP) directly and the site redirects them to their corporate Single Sign-On (SSO) login page to enter their credentials and authenticate. After authentication, the employee is redirected back to the external site with a SAML assertion proving their identity, and the SP matches it against the authentication request it issued.

Objectives

This tutorial walks developers and implementation partners through the steps required to integrate Oracle Banking Digital Experience with a SAML 2.0 Identity Provider.

Prerequisites

a. Oracle Banking Digital Experience installation

b. Identity provider supporting SAML2

Task 1: Configure Security Realm - credential mapping

  1. Log in to the WebLogic Administration Console and go to: Home, Summary of Servers, Summary of Security Realms, myrealm.

  2. Click the Providers tab.

  3. Create a new Authentication Provider.

  4. Configure it as shown in the following screenshot.

    Create a New Authentication Provider

  5. Order Providers as shown in the following image.

    Order Authentication Providers

  6. Restart the Admin Server.

Task 2: Configure Oracle Banking Digital Experience

  1. In the Managed Server section, go to: Home, Summary of Servers, Managed Server, Federation Services, SAML 2.0 General.

  2. Enter the site-specific configuration details as below.

    Site configuration

    Published Site URL: http://<<HOST>>:<<PORT>>/saml2

    Use an https URL here (and in every URL that follows) in any deployment beyond a test bench: the IdP POSTs the bearer assertion to this site, and over plain HTTP both the assertion and the resulting session cookie are exposed in transit.

  3. Save and activate the changes, then restart the Managed Server.

  4. Publish the metadata and save it as an XML file. This file is supplied to Ping or to any other IdP.

    Publish SAML 2.0 Metadata

  5. In the Managed Server section, go to: Home, Summary of Servers, Managed Server, Federation Services, SAML 2.0 Service Provider.

  6. Enter the site-specific configuration details as below.

    Configuration Details

    Default URL: http://<<HOST>>:<<PORT>>/digx/protected/dashboard.jsp

Task 3: Configure Identity Provider (IdP) - WebLogic

  1. Share the following details with the IdP administrator for the IdP configuration and for generating the IdP metadata. All four values come from the SP metadata published in Task 2, and the IdP must emit them exactly as given: WebLogic checks the Destination, Recipient and Audience of every Response against its own configuration.

    • Single Sign On URL: http://<<HOST>>:<<PORT>>/saml2/sp/acs/post

    • Recipient URL: http://<<HOST>>:<<PORT>>/saml2/sp/acs/post

    • Destination URL: http://<<HOST>>:<<PORT>>/saml2/sp/acs/post

    • Audience URI (SP Entity ID): must be the same as the Entity ID configured in the SAML 2.0 General configuration, i.e. PING_obdx_ID.

  2. After completing the above configuration in the IdP (the SAML Responder), generate the IdP metadata and save it as an XML file.
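The four values exchanged in Task 3 are exactly the fields the SP verifies on every SAML Response, in both the IdP-initiated and SP-initiated flows described in the Introduction. The following is an added example, not code from the Oracle tutorial or from Oracle Banking Digital Experience or WebLogic, that reads a constructed copy of the SP metadata published in Task 2 and then checks a constructed Response against it the way an SP does: Destination and Recipient must be an advertised ACS URL, Audience must name the SP entity ID, the validity window must contain the current time, and, for an SP-initiated login, InResponseTo must match the AuthnRequest the SP issued. It goes slightly beyond the page by also showing what happens if the plain http://<<HOST>> placeholders are handed to the IdP verbatim. Host names, the IdP entity name and the Response template are assumptions; the block uses only the Python standard library and deliberately does not verify the IdP's XML signature, which WebLogic performs with the certificate from the IdP metadata imported in Task 4 and which must precede every check below.

```python
"""Cross-check a SAML 2.0 Response against the SP metadata WebLogic publishes.
Added example, not code from the Oracle tutorial or from OBDX/WebLogic; standard
library only, with constructed metadata/response samples on placeholder hosts.
It does NOT verify the IdP's XML signature, which a real SP must do first."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in UTC, as SAML requires

# Constructed SP metadata: entityID PING_obdx_ID and the /saml2/sp/acs/post
# endpoint from Task 3, on a placeholder host.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="PING_obdx_ID"><md:SPSSODescriptor>
 <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://obdx.example.com/saml2/sp/acs/post"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed, unsigned Response template carrying the fields Task 3 asks the IdP to emit.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="{issue}" Destination="{destination}" InResponseTo="{req}">
 <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue}">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{expiry}" InResponseTo="{req}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="{issue}" NotOnOrAfter="{expiry}">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""


def sp_expectations(metadata_xml):
    """entityID and HTTP-POST ACS URLs the SP advertised in its metadata."""
    root = ET.fromstring(metadata_xml)
    acs = [a.get("Location") for a in
           root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if a.get("Binding") == POST_BINDING]
    return root.get("entityID"), acs


def ts(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def build_response(audience, destination, recipient, issued, req="_req1",
                   status=SUCCESS, lifetime=timedelta(minutes=5)):
    """Render the constructed template for one scenario."""
    return RESPONSE.format(audience=audience, destination=destination, recipient=recipient,
                           req=req, status=status, issue=issued.strftime(TS),
                           expiry=(issued + lifetime).strftime(TS))


def validate_response(response_xml, metadata_xml, now, expected_req=None):
    """List mismatches between a Response and the SP's own metadata (empty = consistent).
    expected_req is the AuthnRequest ID we issued (SP-initiated); None for IdP-initiated."""
    entity_id, acs_urls = sp_expectations(metadata_xml)
    root, problems = ET.fromstring(response_xml), []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") not in acs_urls:          # Task 3: Destination URL
        problems.append("Destination is not one of the SP's ACS URLs")
    if expected_req is not None and root.get("InResponseTo") != expected_req:
        problems.append("InResponseTo does not match our AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") not in acs_urls:  # Task 3: Recipient URL
        problems.append("Recipient is not one of the SP's ACS URLs")
    conds = assertion.find("saml:Conditions", NS)
    audiences = [] if conds is None else [
        a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:                         # Task 3: Audience URI
        problems.append("Audience does not name SP entity ID " + entity_id)
    for label, elem in (("Conditions", conds), ("SubjectConfirmationData", scd)):
        if elem is None:
            continue
        if elem.get("NotBefore") and now < ts(elem.get("NotBefore")):
            problems.append(label + " is not yet valid")
        if elem.get("NotOnOrAfter") and now >= ts(elem.get("NotOnOrAfter")):
            problems.append(label + " has expired (replay?)")
    return problems


def demo():
    """One good Response and four bad ones; returns {scenario: problems}."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    entity_id, (acs,) = sp_expectations(SP_METADATA)
    good = build_response(entity_id, acs, acs, now)
    cases = {
        "good": (good, now, "_req1"),
        "wrong_audience": (build_response("PING_other_ID", acs, acs, now), now, "_req1"),
        # the IdP was given the page's http://<<HOST>> placeholder instead of the https ACS
        "http_destination": (build_response(entity_id, "http" + acs[5:], acs, now), now, "_req1"),
        "replayed": (good, now + timedelta(minutes=10), "_req1"),
        "unsolicited": (good, now, "_req2"),
    }
    return {k: validate_response(x, SP_METADATA, t, r) for k, (x, t, r) in cases.items()}
```

Run demo() to see each scenario's findings; the "good" case returns an empty list, and every other case reports exactly the field that was wrong. The "replayed" case is the reason the Task 6 debug logs matter in practice: a Response that is otherwise perfect is rejected only because the clock on the IdP or the Managed Server drifted past NotOnOrAfter.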

Task 4: Configure Security Realm - IdP Provider

  1. Copy the IdP metadata XML file to the Managed Server's domain folder.

  2. Go to: Home, Summary of Security Realms, myrealm, Providers, SAML2_IA.

  3. Under the Management section, perform the following configuration to create an Identity Provider Partner.

    Management section

  4. Select the IdP metadata XML copied to the Managed Server domain path. The signing certificate in this file is what the SAML2 Identity Asserter uses to verify assertions from this partner, so obtain the file over a trusted channel and re-import it whenever the IdP rotates its signing key.

    IdP Metadata

  5. Save the details.

  6. Under Identity Provider Partner, complete the following configuration.

    IdP configuration

  7. Restart Admin and Managed Servers.

Task 5: Configure Oracle Banking Digital Experience

For the obdx.app.rest.idm module (com.ofss.digx.appx.service.rest.war), configure the following details.

  1. /protected/dashboard.jsp: re-issue the JSESSIONID cookie established during SSO for the whole site, then redirect to the application. This only works if the cookie is readable by script, i.e. not flagged HttpOnly.

    <!DOCTYPE HTML>
    <html lang="en-US">
    <head>
    <meta charset="UTF-8">
    <meta http-equiv="refresh" content="1;url=../../home.html">
    <script>
      // Read one cookie by name from document.cookie; null if absent.
      function getCookie(name) {
        var m = document.cookie.match(new RegExp("(?:^|; )" + name + "=([^;]*)"));
        return m ? decodeURIComponent(m[1]) : null;
      }
      // Re-issue a cookie for the given path/domain; days < 0 makes it a session cookie.
      function setCookie(name, value, days, path, domain) {
        var c = name + "=" + value + "; path=" + path;
        if (domain) { c += "; domain=" + domain; }
        if (days >= 0) { c += "; expires=" + new Date(Date.now() + days * 864e5).toUTCString(); }
        document.cookie = c;
      }
      var JSESSIONID = getCookie("JSESSIONID");
      if (JSESSIONID) {
        // Re-scope the session cookie set by the /saml2 application to path "/" so that
        // /digx sees it. A cookie domain is a host name only; it cannot carry a port.
        setCookie("JSESSIONID", JSESSIONID, -1, "/", "<<WEBSERVER HOST>>");
      }
      window.location.href = "../../home.html";
    </script>
    <title>Page Redirection</title>
    </head>
    <body>
    </body>
    </html>
    
  2. /WEB-INF/web.xml: role change in the security-constraint.

    <security-constraint>
      <display-name>Constraint-0</display-name>
      <web-resource-collection>
        <web-resource-name>Constraint-0</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
      <user-data-constraint>
        <!-- NONE assumes TLS is terminated in front of the Managed Server (for example at
             Oracle HTTP Server); use CONFIDENTIAL if clients reach the server directly. -->
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    
  3. /WEB-INF/weblogic.xml: cookie and role configuration. The descriptor carries a single session-descriptor; replicated_if_clustered behaves as an in-memory store on a single server and replicates sessions when the application is deployed to a cluster.

    <?xml version="1.0" encoding="UTF-8"?>
    <wls:weblogic-web-app
        xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd
        http://xmlns.oracle.com/weblogic/weblogic-web-app
        http://xmlns.oracle.com/weblogic/weblogic-web-app/1.3/weblogic-web-app.xsd">
      <wls:context-root>digx</wls:context-root>
      <wls:library-ref>
        <wls:library-name>jax-rs</wls:library-name>
        <wls:specification-version>2.0</wls:specification-version>
        <wls:exact-match>true</wls:exact-match>
      </wls:library-ref>
      <!-- Maps the valid-users role from web.xml to the WebLogic "users" group,
           to which every authenticated principal belongs. -->
      <wls:security-role-assignment>
        <wls:role-name>valid-users</wls:role-name>
        <wls:principal-name>users</wls:principal-name>
      </wls:security-role-assignment>
      <wls:session-descriptor>
        <wls:max-save-post-size>10240</wls:max-save-post-size>
        <wls:persistent-store-type>replicated_if_clustered</wls:persistent-store-type>
        <wls:sharing-enabled>true</wls:sharing-enabled>
        <wls:cookies-enabled>true</wls:cookies-enabled>
        <wls:cookie-name>JSESSIONID</wls:cookie-name>
        <wls:cookie-domain></wls:cookie-domain>
        <wls:cookie-path>/</wls:cookie-path>
        <!-- Set to true once the site is served over HTTPS; otherwise the session
             cookie is sent in clear text. -->
        <wls:cookie-secure>false</wls:cookie-secure>
        <!-- With URL rewriting enabled the session ID can appear in URLs, and so in
             logs and Referer headers; keep it true only if cookie-less clients must work. -->
        <wls:url-rewriting-enabled>true</wls:url-rewriting-enabled>
      </wls:session-descriptor>
    </wls:weblogic-web-app>
    
  4. Configure the following settings in obdx.conf.

    1. In Header set X-Frame-Options "ALLOW-FROM", add the IdP domain URL as below.

      Header set X-Frame-Options "ALLOW-FROM <IdP URL>"

      Current browsers ignore the ALLOW-FROM token (Chrome never supported it and Firefox dropped it), so on its own this line gives them no framing protection. If the IdP really embeds Oracle Banking Digital Experience in a frame, add a Content-Security-Policy header whose frame-ancestors directive lists only the IdP origin, and keep X-Frame-Options for older clients.

    2. Route the /saml2 SP endpoints to the Managed Server:

      <Location /saml2>
      SetHandler weblogic-handler
      WebLogicCluster <<Managed Server HOST>>:<<Managed Server PORT>>
      </Location>

Task 6: Debug SAML2

If SAML2 request processing fails, enable the following debug flags on the Managed Server.

  1. Go to Managed Server, Debug, weblogic, security and enable the following flags.

    • atn

    • atz

    • saml

    • saml2

Error and exception details are then written to the Managed Server logs. These flags are verbose and the saml2 output can include the contents of received assertions, so disable them once the issue is resolved.

Note: To configure multiple Identity Provider Partners, repeat the steps in Task 5 for each partner, creating a further copy of dashboard.jsp under a different name and configuring that name in the partner's Redirect URIs section.
