This chapter describes how to configure web services federation with Oracle STS as the Identity Provider STS (IP-STS) and Microsoft ADFS 2.0 STS as the Relying Party STS (RP-STS).
Use Case: Configure web services federation with Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.
Solution: Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Oracle STS and Microsoft ADFS 2.0 STS to establish trust across security domains.
Components: Oracle Web Services Manager (OWSM), Oracle STS, Microsoft ADFS 2.0 STS
This use case demonstrates the steps required to:
Attach the appropriate OWSM security policies to enforce message-level protection using SAML holder-of-key (HOK) authentication. Specifically, you attach the following policies to the client and service, respectively:
Client: oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy and policies based on oracle/sts_trust_config_client_template
Service: oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
Configure web services federation using Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.
This use case consists of the following tasks:
To configure the web service:
1. Attach oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
2. Import the signing certificate for the ADFS 2.0 STS /issuedtokensymmetricbasic256 endpoint into the OWSM keystore. This certificate is the trust anchor for every SAML assertion the service accepts, so obtain it from the ADFS 2.0 administrator and verify it out of band before importing it.
3. Define the ADFS 2.0 STS endpoint as a trusted issuer and the subject DN of the signing certificate imported in step 2 as a trusted DN. For the complete procedure, see "Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To configure Microsoft ADFS 2.0 STS as the RP-STS, perform the following steps. For the complete procedure, see the Microsoft ADFS 2.0 documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.
1. Confirm that the /issuedtokensymmetricbasic256 endpoint is enabled.
2. Add the service as a relying party using the ADFS 2.0 management console.
3. Add the Oracle STS instance acting as the IP-STS as a trusted claims provider using the ADFS 2.0 management console.
To configure Oracle STS as the IP-STS, perform the following steps. For the complete procedure, see the Oracle STS documentation at http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oraclests-166231.html.
1. Configure the Oracle STS /wss11user endpoint as follows:
   a. Attach the policy with the URI sts/wss11_username_token_with_message_protection_service_policy.
   b. Create a validation template named OWSM LRG UN Validation to validate the incoming username token, and apply it to the endpoint.
2. In Oracle STS, add the Microsoft ADFS 2.0 STS instance acting as the RP-STS as a relying party partner.
3. Enable the Audience Restriction Condition in Oracle STS. This step is necessary because ADFS 2.0 requires the SAML assertion from a claims provider to carry an audience restriction naming the ADFS 2.0 instance (AudienceRestrictionUri), and assertions issued by Oracle STS do not include one by default. Without it, ADFS 2.0 rejects the assertion and the client cannot obtain a token for the service.
4. Configure a separate issuance template for the ADFS 2.0 relying party partner that issues 256-bit proof keys, matching the Basic256 algorithm suite of the ADFS 2.0 /issuedtokensymmetricbasic256 endpoint.
To configure the web service client:
1. Create a policy from oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy, modify it as follows, and attach it to the client:
   Set Algorithm Suite to Basic256 instead of Basic128, to match the ADFS 2.0 /issuedtokensymmetricbasic256 endpoint.
   Set Derived Keys to enabled.
   Set sts.in.order to the URI of the ADFS 2.0 STS endpoint followed by the Oracle STS endpoint, separated by a semicolon. This lists the trust chain from the STS the service trusts (the RP-STS) back to the STS that authenticates the client (the IP-STS). For example:
   http://m1.example.com/adfs/services/trust/13/issuedtokensymmetricbasic256; http://m2.example.com:14100/sts/wss11user
2. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
   Set Port URI to the ADFS 2.0 STS endpoint. For example:
   http://m1.example.com/adfs/services/trust/13/issuedtokensymmetricbasic256
   Set Client Policy URI to the policy you created in Step 1. For example:
   oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy_adfs
3. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
   Set Port URI to the Oracle STS endpoint. For example:
   http://m2.example.com:14100/sts/wss11user
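The Audience Restriction requirement in the Oracle STS steps above is the usual point of failure in this chain, and it is easy to test offline against an assertion captured from the Oracle STS /wss11user endpoint. The following Python is an added example and not Oracle STS or ADFS code; the Oracle STS issuer string, the ADFS 2.0 identifier and the two assertions are constructed for illustration. It applies the checks an RP-STS performs on a claims-provider token before re-issuing: trusted issuer, validity window, an audience naming the ADFS 2.0 instance, and holder-of-key subject confirmation. It goes beyond the page in accepting both the SAML 1.1 form (AudienceRestrictionCondition) and the SAML 2.0 form (AudienceRestriction), since Oracle STS can issue either. Signature verification against the imported signing certificate is assumed to happen before these checks and is not shown.

```python
"""Offline check of a SAML assertion against what ADFS 2.0 expects from a
claims provider (IP-STS) token before it re-issues a token for the service.
Added example, not Oracle STS or ADFS code; issuer, identifier and both
assertions are constructed placeholders."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"
HOK_11 = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
HOK_20 = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed: the Oracle STS issuer configured as the claims provider in
# ADFS 2.0, and the identifier of the ADFS 2.0 instance (the audience).
ORACLE_STS_ISSUER = "http://m2.example.com:14100/sts"
ADFS_IDENTIFIER = "http://m1.example.com/adfs/services/trust"


def _instant(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2014-06-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return the reasons an RP-STS would reject the assertion ([] = accept).
    Signature verification is assumed to have happened before this call."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML11}}}Assertion":
        ns, hok = SAML11, HOK_11
        issuer = root.get("Issuer")  # SAML 1.1 carries the issuer as an attribute
        audiences = [a.text for a in root.iterfind(
            f"{{{ns}}}Conditions/{{{ns}}}AudienceRestrictionCondition/{{{ns}}}Audience")]
        methods = [m.text for m in root.iter(f"{{{ns}}}ConfirmationMethod")]
    elif root.tag == f"{{{SAML20}}}Assertion":
        ns, hok = SAML20, HOK_20
        issuer_el = root.find(f"{{{ns}}}Issuer")
        issuer = None if issuer_el is None else issuer_el.text
        audiences = [a.text for a in root.iterfind(
            f"{{{ns}}}Conditions/{{{ns}}}AudienceRestriction/{{{ns}}}Audience")]
        methods = [s.get("Method") for s in root.iter(f"{{{ns}}}SubjectConfirmation")]
    else:
        return [f"not a SAML 1.1 or 2.0 assertion: {root.tag}"]

    problems = []
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the trusted claims provider")
    conditions = root.find(f"{{{ns}}}Conditions")
    if conditions is None:
        problems.append("no Conditions element")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _instant(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _instant(not_on_or_after):
            problems.append("assertion expired")
    if not audiences:
        problems.append("no AudienceRestriction (ADFS 2.0 requires AudienceRestrictionUri)")
    elif expected_audience not in audiences:
        problems.append(f"audience {audiences} does not name this ADFS instance")
    if hok not in methods:
        problems.append("subject confirmation is not holder-of-key")
    return problems


def _saml11_assertion(conditions_body):
    """Constructed SAML 1.1 holder-of-key assertion; the signature is omitted."""
    return f"""<saml:Assertion xmlns:saml="{SAML11}" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1" Issuer="{ORACLE_STS_ISSUER}" IssueInstant="2014-06-01T10:00:00Z">
  <saml:Conditions NotBefore="2014-06-01T10:00:00Z" NotOnOrAfter="2014-06-01T10:05:00Z">
    {conditions_body}
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2014-06-01T10:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>weblogic</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{HOK_11}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


# Shape of the Oracle STS default: no audience restriction at all.
DEFAULT_ASSERTION = _saml11_assertion("")
# Shape once the Audience Restriction Condition is enabled for the ADFS partner.
RESTRICTED_ASSERTION = _saml11_assertion(
    f"<saml:AudienceRestrictionCondition><saml:Audience>{ADFS_IDENTIFIER}"
    "</saml:Audience></saml:AudienceRestrictionCondition>")
NOW = datetime(2014, 6, 1, 10, 1, tzinfo=timezone.utc)    # inside the window
LATER = datetime(2014, 6, 1, 10, 11, tzinfo=timezone.utc)  # after NotOnOrAfter

if __name__ == "__main__":
    for name, xml in (("default", DEFAULT_ASSERTION), ("restricted", RESTRICTED_ASSERTION)):
        print(name, check_assertion(xml, ORACLE_STS_ISSUER, ADFS_IDENTIFIER, NOW) or "accepted")
```

Run against the default-shaped assertion the only finding is the missing audience restriction, which is exactly what ADFS 2.0 reports back as a rejected claims-provider token; after enabling the condition in Oracle STS the same assertion passes. To check a real token, paste the decrypted assertion from the RSTR returned by /wss11user in place of the constructed one and set the issuer and identifier to the values configured in the two consoles.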