7 Configuring Federation with Microsoft ADFS 2.0 STS as the IP-STS and OWSM as the RP-STS
You can configure web services federation with Microsoft ADFS 2.0 STS as the Identity Provider STS (IP-STS) and OWSM as the Relying Party STS (RP-STS).
Use Case
Configure web service federation with Microsoft ADFS 2.0 STS as the IP-STS and OWSM as the RP-STS.
Solution
Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Microsoft ADFS 2.0 STS to establish trust across security domains.
Components
- Oracle WebLogic Server
- Oracle Web Services Manager (OWSM)
- Microsoft ADFS 2.0 STS
- Web service and client applications to be secured
Additional Resources on Oracle Web Services Manager
This use case demonstrates the steps required to:
- Attach the appropriate OWSM security policies to enforce message-level protection using SAML bearer authentication. You must attach the following service policy: oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
- Configure web services federation using Microsoft ADFS 2.0 STS as the IP-STS and OWSM as the RP-STS.
Transport security with SSL is used to protect the service, the RP-STS, and the IP-STS.
For more information on how to implement this use case, see Use Case: Implementing Web Services federation with Microsoft ADFS 2.0 STS as IP-STS and OWSM as RP-STS.
7.1 Use Case: Implementing Web Services federation with Microsoft ADFS 2.0 STS as IP-STS and OWSM as RP-STS
To implement the use case, complete the following tasks in sequence: configure OWSM as the RP-STS, configure Microsoft ADFS 2.0 STS as the IP-STS, and configure the Web Service Client.
Note:
In the following sections, high-level configuration steps for Microsoft ADFS 2.0 STS are provided. For detailed information about how to perform these configuration steps, refer to the documentation: http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx
7.1.1 Generating Federation Metadata Document for the RP-STS
You must generate a federation metadata document for the RP-STS using the exportFederationMetadata command or the REST API.
7.1.2 Configuring the Web Service
To implement the use case (web services federation with Microsoft ADFS 2.0 STS as the Identity Provider STS (IP-STS) and OWSM as the Relying Party STS (RP-STS)), first configure the web service.
- Attach the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy policy to the web service. For the complete procedure, see Attaching Policies in Securing Web Services and Managing Policies with Oracle Web Services Manager.
- Import the signing certificate and configure WS-Trust for the Relying Party STS (RP-STS) in OWSM. To do so, run the WLST command:
- Define the OWSM endpoint as a trusted issuer and a trusted DN. For the complete procedure, see Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates in Securing Web Services and Managing Policies with Oracle Web Services Manager.
7.1.3 Configuring Microsoft ADFS 2.0 STS as the IP-STS
To implement the use case (web services federation with Microsoft ADFS 2.0 STS), you need to configure Microsoft ADFS 2.0 STS as the IP-STS.
For the complete procedure, see the Microsoft ADFS 2.0 STS documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.
- From the AD FS 2.0 console, expand Trust Relationships, right-click the Relying Party Trusts folder and then select Add Relying Party Trust to open the Add Relying Party Trust Wizard.
- Confirm that the endpoint is enabled.
- Add the OWSM instance acting as the RP-STS as a relying party using the ADFS 2.0 management console.
- On the Select Data Source page, click Import data about the relying party from a file, and then click Next.
- Click Browse and navigate to the directory where the federation metadata file is located.
- Configure ADFS 2.0 STS for claims-based authentication using the ADFS 2.0 management console.
- On the Select Rule Template page, select the option Send LDAP Attributes as Claims as the rule type.
- On the Configure Rule page, enter Name ID as the Claim rule name, select Active Directory as the Attribute store, SAM-Account-Name as the LDAP Attribute, and Name ID as the Outgoing Claim Type.
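The following is an added example, not OWSM or ADFS code: a pre-import sanity check for the RP-STS federation metadata document generated in section 7.1.1 before it is handed to the Add Relying Party Trust wizard. It confirms the document names an entityID, carries a signing certificate for ADFS to trust, and advertises only https endpoints, since this use case protects the service and both STSs with SSL. The element layout follows standard WS-Federation/SAML 2.0 metadata; the sample document, hostname and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by WS-Federation / SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed sample standing in for the metadata exported from OWSM; the
# hostname and certificate value are placeholders, and the second endpoint
# is deliberately plain http so the check has something to flag.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="https://owsm.example.test/sts">
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_SIGNING_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <fed:SecurityTokenServiceEndpoint><wsa:EndpointReference>
      <wsa:Address>https://owsm.example.test/sts/wss11</wsa:Address>
    </wsa:EndpointReference></fed:SecurityTokenServiceEndpoint>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>http://owsm.example.test/sts/passive</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </md:RoleDescriptor>
</md:EntityDescriptor>"""


def check_federation_metadata(xml_text):
    """Return (entityID, number of signing certificates, list of problems)."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    # ADFS takes the relying party's signing certificate from KeyDescriptor use="signing".
    certs = root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not certs:
        problems.append("no signing certificate in KeyDescriptor")
    # SSL protects the service and both STSs, so every advertised address must be https.
    for addr in root.findall(".//wsa:Address", NS):
        url = (addr.text or "").strip()
        if urlparse(url).scheme != "https":
            problems.append("non-https endpoint: " + url)
    return entity_id, len(certs), problems
```

A non-empty problem list means the file should be regenerated or corrected before the wizard's Import data about the relying party from a file step.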