This chapter describes how to configure web services federation with Microsoft ADFS 2.0 STS as the Identity Provider STS (IP-STS) and Oracle STS as the Relying Party STS (RP-STS).
Use Case | Configure web services federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS. |
Solution | Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Oracle STS and Microsoft ADFS 2.0 STS to establish trust across security domains. |
Components | |
This use case demonstrates the steps required to:
Attach the appropriate OWSM security policies so that the client authenticates to the service with an STS-issued SAML bearer token while SSL transport security protects the messages.
Specifically, you attach the following policies to the client and service, respectively:
Client: oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy, together with policies created from oracle/sts_trust_config_client_template (one for each STS the client must contact)
Service: oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
Configure web services federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS.
Use transport security with SSL to protect the service, the RP-STS, and the IP-STS.
This use case consists of the following tasks:
Note:
In the following sections, high-level configuration steps for Oracle STS and Microsoft ADFS 2.0 STS are provided. For detailed information about how to perform these configuration steps, refer to the documentation for the particular STS:
For Oracle STS: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oraclests-166231.html
For Microsoft ADFS 2.0 STS: http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx
To configure the web service:
Attach the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy policy to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Import the signing certificate for the Oracle STS /wssbearer endpoint into the OWSM keystore.
Define the Oracle STS endpoint as a trusted issuer and a trusted DN. For the complete procedure, see "Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To configure Oracle STS as the RP-STS, perform the following steps. For the complete procedure, see the Oracle STS documentation at http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oraclests-166231.html.
Configure WebLogic Server to enable one-way SSL on port 14101.
Configure the Oracle STS /wssbearer endpoint as follows:
Attach the policy with the URI sts/wss_sts_issued_saml_bearer_token_over_ssl_service_policy.
Create an OWSM LRG SAML Validation validation template to validate the incoming SAML token and apply it to the endpoint.
Add the service as a relying party partner in Oracle STS.
Add the Microsoft ADFS 2.0 STS instance acting as the IP-STS as a trusted identity provider:
Configure an issuing authority partner profile for the Microsoft ADFS 2.0 STS instance.
Add the Microsoft ADFS 2.0 STS instance as an issuing authority partner. Use as the partner name the exact issuer value that the instance places in the SAML assertions it issues, because Oracle STS matches the Issuer of each incoming assertion against the partner names it knows.
Import the signing certificate for the Microsoft ADFS 2.0 STS instance into the OWSM keystore.
To configure Microsoft ADFS 2.0 STS as the IP-STS, perform the following steps. For the complete procedure, see the Microsoft ADFS 2.0 STS documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.
Confirm that the /usernamemixed endpoint is enabled. This WS-Trust 1.3 endpoint authenticates the caller with a WS-Security UsernameToken carried inside the message, over an SSL transport.
Add the Oracle STS instance acting as the RP-STS as a relying party using the ADFS 2.0 management console.
Configure ADFS 2.0 STS to issue SAML bearer tokens for the RP-STS.
To configure the web service client:
Attach the policy oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy and configure it to refer to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Additionally, set sts.in.order to the URI of the Oracle STS endpoint followed by the ADFS 2.0 STS endpoint, separated by a semicolon. For example:
http://m2.example.com:14100/sts/wssbearer; http://m1.example.com/adfs/services/trust/13/usernamemixed
Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
Set Port URI to the ADFS 2.0 STS endpoint. For example:
http://m1.example.com/adfs/services/trust/13/usernamemixed
Set Client Policy URI to oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy. Whichever client policy is configured here must be able to supply the WS-Security UsernameToken that the /usernamemixed endpoint requires, so verify it against the endpoint's policy before testing.
For the complete procedure, see "Creating and Editing Web Service Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Create a second policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
Set Port URI to the Oracle STS endpoint. For example:
http://m2.example.com:14100/sts/wssbearer
For the complete procedure, see "Creating and Editing Web Service Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
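The following is an added example, not code from Oracle, Microsoft, or OWSM, showing the two-leg WS-Trust 1.3 exchange that the client configuration above (the sts.in.order chain with its two sts_trust_config policies) and the partner setup on the RP-STS and IP-STS together produce: the client obtains a SAML 2.0 bearer assertion from the ADFS 2.0 /usernamemixed endpoint with a UsernameToken, then presents that assertion to the Oracle STS /wssbearer endpoint to obtain the token the service accepts. Neither STS is contacted; an offline stand-in answers each RST with a constructed, unsigned RSTR, and it enforces what each endpoint requires of the request. Assumptions not taken from the chapter: the service address (SERVICE_ENDPOINT), the issuer names (ADFS_ISSUER, ORACLE_STS_ISSUER), the subject name, and the framing of the ADFS assertion inside the wsse:Security header of the second RST. Signature verification, which OWSM performs with the imported signing certificates, is not modelled.

```python
"""Two-leg WS-Trust 1.3 bearer exchange behind the sts.in.order chain above (added example).
Leg 1: client -> ADFS 2.0 /usernamemixed (IP-STS): UsernameToken in, SAML 2.0 bearer assertion out.
Leg 2: client -> Oracle STS /wssbearer (RP-STS): that assertion in the Security header, service token out.
All RSTRs are constructed samples, unsigned, captured from neither product."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"s": "http://www.w3.org/2003/05/soap-envelope", "a": "http://www.w3.org/2005/08/addressing",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wst": WST, "saml": SAML2}
# Endpoints exactly as the chapter's sts.in.order example lists them.
ADFS_ENDPOINT = "http://m1.example.com/adfs/services/trust/13/usernamemixed"
ORACLE_STS_ENDPOINT = "http://m2.example.com:14100/sts/wssbearer"
SERVICE_ENDPOINT = "http://m3.example.com:7002/hello"   # assumed address of the protected web service
# Assumed issuer names: the strings each consumer matches against saml:Issuer, i.e. the issuing-authority
# partner name on the RP-STS and the trusted issuer on the service.
ADFS_ISSUER = "http://m1.example.com/adfs/services/trust"
ORACLE_STS_ISSUER = "http://m2.example.com:14100/sts"


def username_token(user, password):
    """WS-Security UsernameToken with a PasswordText password: acceptable only because the hop is SSL."""
    return (f'<wsse:UsernameToken xmlns:wsse="{NS["wsse"]}"><wsse:Username>{escape(user)}</wsse:Username>'
            '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">'
            f'{escape(password)}</wsse:Password></wsse:UsernameToken>')


def build_rst(to, applies_to, security_token):
    """RST/Issue asking for a SAML 2.0 bearer assertion scoped (AppliesTo) to the next hop."""
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:wst="{WST}">
 <s:Header><a:Action>{WST}/RST/Issue</a:Action><a:To>{escape(to)}</a:To>
  <wsse:Security xmlns:wsse="{NS['wsse']}">{security_token}</wsse:Security></s:Header>
 <s:Body><wst:RequestSecurityToken><wst:RequestType>{WST}/Issue</wst:RequestType>
  <wst:TokenType>{SAML2}</wst:TokenType><wst:KeyType>{WST}/Bearer</wst:KeyType>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference>
   <a:Address>{escape(applies_to)}</a:Address></a:EndpointReference></wsp:AppliesTo>
 </wst:RequestSecurityToken></s:Body></s:Envelope>"""


def parse_rstr(rstr_xml):
    """Pull the issued assertion and the fields a token consumer decides on."""
    assertion = ET.fromstring(rstr_xml).find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("RSTR carries no SAML 2.0 assertion")
    return {"issuer": assertion.findtext("saml:Issuer", namespaces=NS),
            "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "audiences": [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)],
            "assertion": ET.tostring(assertion, encoding="unicode")}


def accept_token(rstr_xml, trusted_issuers, me):
    """What the receiving side checks: a registered issuer and an assertion scoped to itself.
    Signature verification against the imported signing certificate (OWSM keystore / trusted DN) is not modelled."""
    tok = parse_rstr(rstr_xml)
    if tok["issuer"] not in trusted_issuers:
        raise PermissionError(f"untrusted issuer {tok['issuer']!r}")
    if me not in tok["audiences"]:
        raise PermissionError(f"assertion not scoped to {me}")
    return tok


def federated_exchange(send, user, password):
    """Run both legs through send(endpoint, rst_xml) -> rstr_xml, applying each consumer's checks."""
    rst1 = build_rst(ADFS_ENDPOINT, ORACLE_STS_ENDPOINT, username_token(user, password))
    ip_tok = accept_token(send(ADFS_ENDPOINT, rst1), {ADFS_ISSUER}, ORACLE_STS_ENDPOINT)   # the RP-STS's check
    rst2 = build_rst(ORACLE_STS_ENDPOINT, SERVICE_ENDPOINT, ip_tok["assertion"])
    rp_tok = accept_token(send(ORACLE_STS_ENDPOINT, rst2), {ORACLE_STS_ISSUER}, SERVICE_ENDPOINT)  # the service's check
    return ip_tok, rp_tok


def sample_rstr(issuer, audience, subject):
    """Constructed, unsigned RSTR in the RSTRC wrapper WS-Trust 1.3 uses."""
    return f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body><wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
 <wst:RequestSecurityTokenResponse><wst:TokenType>{SAML2}</wst:TokenType><wst:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="{SAML2}" ID="_sample" Version="2.0"><saml:Issuer>{escape(issuer)}</saml:Issuer>
   <saml:Subject><saml:NameID>{escape(subject)}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
   <saml:Conditions><saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></wst:RequestedSecurityToken>
 </wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""


def offline_send(to, rst_xml):
    """Stand-in for both STSs: enforce what each endpoint requires of the RST, answer with a sample."""
    req = ET.fromstring(rst_xml)
    if req.findtext("s:Header/a:To", namespaces=NS) != to:
        raise ValueError("RST not addressed to " + to)
    security = req.find("s:Header/wsse:Security", NS)
    applies_to = req.findtext(".//a:EndpointReference/a:Address", namespaces=NS)
    if to == ADFS_ENDPOINT:                      # /usernamemixed authenticates a UsernameToken
        if security.find("wsse:UsernameToken", NS) is None:
            raise PermissionError("ADFS /usernamemixed: no UsernameToken")
        return sample_rstr(ADFS_ISSUER, applies_to, "alice@example.com")
    if to == ORACLE_STS_ENDPOINT:                # /wssbearer validates the presented bearer assertion
        presented = security.find("saml:Assertion", NS)
        if presented is None or presented.findtext("saml:Issuer", namespaces=NS) != ADFS_ISSUER:
            raise PermissionError("Oracle STS /wssbearer: no assertion from the trusted IP-STS")
        return sample_rstr(ORACLE_STS_ISSUER, applies_to, presented.findtext("saml:Subject/saml:NameID", namespaces=NS))
    raise ValueError("unexpected endpoint " + to)


if __name__ == "__main__":
    ip_tok, rp_tok = federated_exchange(offline_send, "alice", "s3cret")
    print("ADFS token for", ip_tok["audiences"], "-> Oracle STS token for", rp_tok["audiences"], "as", rp_tok["subject"])
```

To exercise it against real endpoints, replace offline_send with a function that POSTs rst_xml to the endpoint over HTTPS with Content-Type application/soap+xml (SOAP 1.2) and returns the response body; the two accept_token calls then show exactly which check, issuer name or audience, fails when an RSTR is refused, which is the usual source of trouble when the partner name on the RP-STS does not match the Issuer that ADFS actually emits.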