5 Configuring Federation with Microsoft ADFS 2.0 STS as the IP-STS and OWSM as the RP-STS

You can configure web services federation with Microsoft ADFS 2.0 STS as the Identity Provider STS (IP-STS) and OWSM as the Relying Party STS (RP-STS).

Use Case

Configure web service federation with Microsoft ADFS 2.0 STS as the IP-STS and OWSM as the RP-STS.

Solution

Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Microsoft ADFS 2.0 STS to establish trust across security domains.

Components
  • Oracle WebLogic Server

  • Oracle Web Services Manager (OWSM)

  • Microsoft ADFS 2.0 STS

  • Web service and client applications to be secured

Additional Resources on Oracle Web Services Manager

This use case demonstrates the steps required to:

  • Attach the appropriate OWSM security policies to enforce message-level protection using SAML bearer authentication. You must attach the following service policy:

    oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

  • Configure web services federation using Microsoft ADFS 2.0 STS as the IP-STS and OWSM as the RP-STS.

Transport security with SSL is used to protect the service, the RP-STS, and the IP-STS.

For more information on how to implement this use case, see Use Case: Implementing Web Services federation with Microsoft ADFS 2.0 STS as IP-STS and OWSM as RP-STS.

5.1 Use Case: Implementing Web Services federation with Microsoft ADFS 2.0 STS as IP-STS and OWSM as RP-STS

To implement the use case, complete the following tasks in sequence: configure OWSM as the RP-STS, configure Microsoft ADFS 2.0 STS as the IP-STS, and configure the Web Service Client.

Note:

In the following sections, only high-level configuration steps for Microsoft ADFS 2.0 STS are provided. For detailed information about how to perform these configuration steps, refer to the documentation: http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx

5.1.1 Generating Federation Metadata Document for the RP-STS

You must generate a federation metadata document for the RP-STS using the exportFederationMetadata WLST command or the REST API. ADFS 2.0 imports this document to create the relying party trust for OWSM.

To generate an unsigned federation metadata document using the WLST command, do the following:
  1. Connect to the running instance of the server in the domain for which you want to generate the document as described in Accessing the Web Services Custom WLST Commands in Administering Web Services.
  2. Run the exportFederationMetadata command to generate an unsigned federation metadata document.
    exportFederationMetadata(federationFile, metadataType, issuer, signMetadata, [signAliases=None], [encAliases=None])
    

    In the following example, an unsigned federation metadata document is generated for the service provider (metadataType 'SP'), and the role descriptor does not include an encryption key.

    wls:/wls-domain/serverConfig> exportFederationMetadata('/home/ABC/Downloads/FederationMetadata.xml','SP','www.example.com')

    The third argument, www.example.com, is the issuer URL for the service.

    See exportFederationMetadata in WLST Command Reference for Infrastructure Components.

    To generate an unsigned federation metadata document using the REST API, see Export Federation Metadata Document Method in Oracle Fusion Middleware REST API for Managing Credentials and Keystores with Oracle Web Services Manager.

5.1.2 Configuring the Web Service

To implement the use case (web services federation with Microsoft ADFS 2.0 STS as the Identity Provider STS (IP-STS) and OWSM as the Relying Party STS (RP-STS)), first configure the web service.

To configure the web service:
  1. Attach the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy policy to the web service. For the complete procedure, see Attaching Policies in Securing Web Services and Managing Policies with Oracle Web Services Manager.
  2. Import the signing certificate and configure the WS-Trust for the Relying Party (RP-STS) in OWSM. To do so, run the WLST command:
    1. Connect to the running instance of the server in the domain for which you want to generate the document as described in Accessing the Web Services Custom WLST Commands in Administering Web Services.
    2. Run the importFederationMetadata command to import the signing certificate for the Microsoft ADFS 2.0 STS endpoint into the OWSM keystore and configure the WS-Trust for the Relying Party (RP-STS).
      importFederationMetadata(federationFile,nameIdAttribute=None,[filterValues=None],userAttribute=None,userMappingAttribute=None)
      

      For example:

      wls:/wls-domain/serverConfig> importFederationMetadata('https://example.com/FederationMetadata/2007-06/Federation.xml',"Unique_name",['filter'],'mail','uid')

      The first argument is the federation metadata document URL of the Microsoft ADFS 2.0 STS. The signing certificate found in that document is what OWSM adds to its keystore and trusts for assertions issued by ADFS, so fetch the document over HTTPS, as in the example.

      For more information, see importFederationMetadata in WLST Command Reference for Infrastructure Components.

  3. Define the OWSM endpoint as a trusted issuer and a trusted DN. For the complete procedure, see Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates in Securing Web Services and Managing Policies with Oracle Web Services Manager.
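importFederationMetadata copies whatever signing certificate the fetched document carries into the OWSM keystore, and from then on assertions signed by that key are accepted. A practitioner will therefore want to confirm, before running the command, that the document names the ADFS issuer they expect and that its signing certificate matches a fingerprint recorded from the ADFS server itself. The following Python 3 script is an added example and is not part of Oracle's or Microsoft's tooling; run it outside WLST on a saved copy of the metadata. The issuer value http://m1.example.com/adfs/services/trust, the sample document and the certificate bytes it contains are constructed for the example and are not real ADFS output.

```python
"""Pre-import check of an ADFS 2.0 federation metadata document.

Added example, not Oracle or Microsoft code. Run it with Python 3 before
importFederationMetadata(): the WLST command imports the IP-STS signing
certificate into the OWSM keystore unseen, so verify the document first.
The sample document and certificate bytes below are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER-encoded certificates.
SIGNING_CERT_B64 = base64.b64encode(b"constructed token-signing cert").decode()
ENC_CERT_B64 = base64.b64encode(b"constructed token-encryption cert").decode()

# Constructed sample with the shape ADFS 2.0 publishes: an EntityDescriptor
# whose STS RoleDescriptor carries encryption and signing KeyDescriptors.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://m1.example.com/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{enc}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{sig}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
""".format(enc=ENC_CERT_B64, sig=SIGNING_CERT_B64)


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs(metadata_xml):
    """Return (entityID, [fingerprints of signing certificates]).

    A KeyDescriptor with no 'use' attribute counts as signing (SAML
    metadata treats it as both). Encryption-only keys are skipped: they
    never vouch for an issued assertion and must not become trust anchors.
    """
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint(cert.text))
    return root.get("entityID"), fps


def check_metadata(metadata_xml, expected_issuer, pinned_fingerprint):
    """True only when the entityID is the issuer you expect and the pinned
    fingerprint matches one of its signing certificates. On False, do not
    run importFederationMetadata() on this document."""
    entity_id, fps = signing_certs(metadata_xml)
    if entity_id != expected_issuer:
        return False
    return pinned_fingerprint.upper() in fps


if __name__ == "__main__":
    issuer, fps = signing_certs(SAMPLE_METADATA)
    print("issuer:", issuer)
    for fp in fps:
        print("signing cert SHA-256:", fp)
    # In practice the pinned value comes from an out-of-band record, not
    # from the document being checked.
    pinned = fingerprint(SIGNING_CERT_B64)
    print("safe to import:", check_metadata(SAMPLE_METADATA, issuer, pinned))
```

To check a real document, save the metadata from the URL you intend to pass as the first argument of importFederationMetadata and call check_metadata with its contents, the ADFS issuer URI you expect, and the fingerprint of the ADFS token-signing certificate recorded from the ADFS server. Only run the WLST command when the check returns True; an unexpected issuer or an unknown signing certificate means the keystore would be anchored on a key you have not vetted.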

5.1.3 Configuring Microsoft ADFS 2.0 STS as the IP-STS

To implement the use case (web services federation with Microsoft ADFS 2.0 STS), you need to configure Microsoft ADFS 2.0 STS as the IP-STS.

For the complete procedure, see the Microsoft ADFS 2.0 STS documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.

Perform the following steps:
  1. From the AD FS 2.0 console, expand Trust Relationships, right-click the Relying Party Trusts folder and then select Add Relying Party Trust to open the Add Relying Party Trust Wizard.
  2. Confirm that the ADFS 2.0 STS endpoint the client will use (for example, /adfs/services/trust/13/usernamemixed) is enabled.
  3. Add the OWSM instance acting as the RP-STS as a relying party using the ADFS 2.0 management console.
    1. On the Select Data Source page, click Import data about the relying party from a file, and then click Next.
    2. Click Browse and navigate to the directory where the federation metadata file generated in Generating Federation Metadata Document for the RP-STS is located.
  4. Configure ADFS 2.0 STS for claims-based authentication using the ADFS 2.0 management console.
    1. On the Select Rule Template page, select the option Send LDAP Attributes as Claims as the rule type.
    2. On the Configure Rule page, enter Name ID as the Claim rule name, select Active Directory as the Attribute store, SAM-Account-Name as the LDAP Attribute, and Name ID as the Outgoing Claim Type.

5.1.4 Configuring the Web Service Client

To implement the use case (web services federation with Microsoft ADFS 2.0 STS), finally you need to configure the web service client.

To configure the web service client:
  1. Ensure that you have created a JAX-WS client application. For more information, see Creating JAX-WS Web Services and Clients in Developing Applications with Oracle JDeveloper.
  2. Create a web service proxy using JDeveloper by completing the following steps:
    1. Right-click the JAX-WS client application you have created and select New, and then From Gallery.
    2. In the New Gallery, expand the Business Tier node and select Web Services in the Categories list. Select the Web Service Client and Proxy item and click OK.

    3. The Create Web Service Client and Proxy page is displayed.
    4. In the Select Web Service Description page, specify the location of the WSDL service (For example: https://www.example.com:8002/JaxWsWssStsIssuedBearerTokenWithADFSWssUNOverSsl/JaxWsWssStsIssuedBearerTokenWithADFSWssUNOverSslService?WSDL) and select Copy WSDL Into Project and click Next.
    5. In the Asynchronous Methods page, select Don’t generate any asynchronous methods and click Finish.
  3. Attach the policy oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy to the client and configure it to refer to the web service. For the complete procedure, see Attaching Policies in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    Additionally, set sts.in.order to the URI of the ADFS 2.0 STS endpoint. For example:

    http://m1.example.com/adfs/services/trust/13/usernamemixed
    
  4. Create a policy from oracle/sts_trust_config_service_template, modify it as follows, and attach it to the client:
    • Set Port URI to the ADFS 2.0 STS endpoint. For example:

      http://m1.example.com/adfs/services/trust/13/usernamemixed
      
    • Set Client Policy URI to oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy.

    For the complete procedure, see Creating and Editing Web Service Policies in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  5. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
    • Set Port URI to the ADFS 2.0 STS endpoint. For example:

      http://m1.example.com/adfs/services/trust/13/usernamemixed
      
    • Set WSDL URI to the web service endpoint. For example:

      http://m2.example.com:14100/sts/wss11user?wsdl
      

    For the complete procedure, see Creating and Editing Web Service Policies in Securing Web Services and Managing Policies with Oracle Web Services Manager.