5 Configuring Federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS

This chapter describes how to configure web services federation with Microsoft ADFS 2.0 STS as the Identity Provider STS (IP-STS) and Oracle STS as the Relying Party STS (RP-STS).

This chapter contains the following sections:

5.1 Use Case: Microsoft ADFS 2.0 STS as IP-STS and Oracle STS as RP-STS

The use case summary helps you quickly determine whether information in this chapter meets your needs.

The following list summarizes the use case goals, solution, and components. Links to required documentation are also provided.

Use Case

Configure web services federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS.

Solution

Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Oracle STS and Microsoft ADFS 2.0 STS to establish trust across security domains.

Components
  • Oracle WebLogic Server

  • Oracle Web Services Manager (OWSM)

  • Oracle STS

  • Microsoft ADFS 2.0 STS

  • Web service and client applications to be secured

This use case demonstrates the steps required to:

  • Attach the appropriate OWSM security policies to enforce message-level protection using SAML bearer authentication.

    Specifically, you attach the following policies to the client and service, respectively:

    • oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy and policies based on oracle/sts_trust_config_client_template

    • oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

  • Configure web services federation using Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS.

Transport security with SSL is used to protect the service, the RP-STS, and IP-STS.

5.2 Use Case: Implementing Web Services Federation with Microsoft ADFS 2.0 STS

To implement the use case, complete the following tasks:

Note:

In the following sections, high-level configuration steps for Oracle STS and Microsoft ADFS 2.0 STS are provided. For detailed information about how to perform these configuration steps, refer to the documentation for the particular STS.

5.2.1 Configuring the Web Service

To configure the web service:

  1. Attach the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy policy to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
  2. Import the signing certificate for the Oracle STS /wssbearer endpoint into the OWSM keystore.
  3. Define the Oracle STS endpoint as a trusted issuer and a trusted DN. For the complete procedure, see "Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

5.2.2 Configuring Oracle STS as the RP-STS

To configure Oracle STS as the RP-STS, perform the following steps.

For the complete procedure, see the Oracle STS documentation at http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oraclests-166231.html.

  1. Configure WebLogic Server to enable one-way SSL on port 14101.
  2. Configure the Oracle STS /wssbearer endpoint as follows:
    • Attach the policy with the URI sts/wss_sts_issued_saml_bearer_token_over_ssl_service_policy.

    • Create an OWSM LRG SAML Validation validation template to validate the incoming SAML token and apply it to the endpoint.

  3. Add the service as a relying party partner in Oracle STS.
  4. Add the Microsoft ADFS 2.0 STS instance acting as the IP-STS as a trusted identity provider:
    1. Configure an issuing authority partner profile for the Microsoft ADFS 2.0 STS instance.
    2. Add the Microsoft ADFS 2.0 STS instance as an issuing authority partner, giving as the partner name the issuer of the SAML assertion for the instance.
    3. Import the signing certificate for the Microsoft ADFS 2.0 STS instance into the OWSM keystore.

5.2.3 Configuring Microsoft ADFS 2.0 STS as the IP-STS

To configure Microsoft ADFS 2.0 STS as the IP-STS, perform the following steps.

For the complete procedure, see the Microsoft ADFS 2.0 STS documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.

  1. Confirm that the /usernamemixed endpoint is enabled.
  2. Add the Oracle STS instance acting as the RP-STS as a relying party using the ADFS 2.0 management console.
  3. Configure ADFS 2.0 STS to issue SAML bearer tokens for the RP-STS.

5.2.4 Configuring the Web Service Client

To configure the web service client:

  1. Attach the policy oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy and configure it to refer to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    Additionally, set sts.in.order to the URI of the Oracle STS endpoint followed by the ADFS 2.0 STS endpoint. For example:

    http://m2.example.com:14100/sts/wssbearer;
    http://m1.example.com/adfs/services/trust/13/usernamemixed
    
  2. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
    • Set Port URI to the ADFS 2.0 STS endpoint. For example:

      http://m1.example.com/adfs/services/trust/13/usernamemixed
      
    • Set Client Policy URI to oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy.

    For the complete procedure, see "Creating and Editing Web Service Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
    • Set Port URI to the Oracle STS endpoint. For example:

      http://m2.example.com:14100/sts/wssbearer
      
    • Set WSDL Uri to the Oracle STS endpoint. For example:

      http://m2.example.com:14100/sts/wss11user?wsdl
      

    For the complete procedure, see "Creating and Editing Web Service Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
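The token chain that sections 5.2.1 through 5.2.4 configure, shown as an added Python model; this is example code written for this page, not code from Oracle STS, OWSM or ADFS. The client walks sts.in.order from the last entry back to the first: it authenticates to the ADFS 2.0 /usernamemixed endpoint, presents the resulting bearer assertion to the Oracle STS /wssbearer endpoint, and presents the assertion Oracle STS issues to the web service. Each receiver applies the same checks the chapter's trusted-issuer and trusted-DN configuration expresses: the RP-STS accepts only the IP-STS as issuer, and the service accepts only the RP-STS. Issuer names, DNs, keys and the user account are constructed for the example; an HMAC stands in for the XML signature and the shared key stands in for the signing certificate imported into the OWSM keystore.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# sts.in.order value from the chapter: the RP-STS (Oracle STS) endpoint first,
# then the IP-STS (ADFS 2.0 /usernamemixed) endpoint.
STS_IN_ORDER = ("http://m2.example.com:14100/sts/wssbearer;"
                "http://m1.example.com/adfs/services/trust/13/usernamemixed")

def parse_sts_in_order(value):
    """Split the semicolon-separated sts.in.order chain into endpoint URIs."""
    return [uri.strip() for uri in value.split(";") if uri.strip()]

@dataclass(frozen=True)
class Token:
    issuer: str      # stands in for the SAML <Issuer>
    subject: str     # stands in for the SAML <Subject> NameID
    signer_dn: str   # subject DN of the certificate that signed the assertion
    signature: str   # HMAC hex digest standing in for the XML signature

def _digest(key, issuer, subject, signer_dn):
    payload = json.dumps([issuer, subject, signer_dn]).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_token(token, trusted_issuers):
    """Checks a receiver makes before accepting an assertion: issuer in the
    trusted-issuer list, signing DN in the trusted-DN list for that issuer,
    valid signature. Returns None on success, otherwise the rejection reason."""
    entry = trusted_issuers.get(token.issuer)
    if entry is None:
        return "untrusted issuer: " + token.issuer
    key, trusted_dn = entry
    if token.signer_dn != trusted_dn:
        return "signing DN not trusted: " + token.signer_dn
    expected = _digest(key, token.issuer, token.subject, token.signer_dn)
    if not hmac.compare_digest(expected, token.signature):
        return "invalid signature"
    return None

class Sts:
    """ADFS 2.0 /usernamemixed takes a username token; Oracle STS /wssbearer
    takes a bearer assertion from a trusted IP-STS. Both issue a new assertion."""
    def __init__(self, endpoint, issuer_name, signer_dn, signing_key,
                 trusted_issuers=None, users=None):
        self.endpoint, self.issuer_name = endpoint, issuer_name
        self.signer_dn, self.signing_key = signer_dn, signing_key
        self.trusted_issuers = trusted_issuers or {}
        self.users = users or {}

    def issue(self, subject):
        sig = _digest(self.signing_key, self.issuer_name, subject, self.signer_dn)
        return Token(self.issuer_name, subject, self.signer_dn, sig)

    def issue_for_username(self, username, password):
        if self.users.get(username) != password:
            raise PermissionError("authentication failed")
        return self.issue(username)

    def exchange(self, token):
        reason = verify_token(token, self.trusted_issuers)
        if reason:
            raise PermissionError("RP-STS rejected token: " + reason)
        return self.issue(token.subject)  # re-issued under the RP-STS's own issuer name

def service_call(token, trusted_issuers):
    """The web service behind the service policy: it trusts only the RP-STS."""
    reason = verify_token(token, trusted_issuers)
    if reason:
        raise PermissionError("service rejected token: " + reason)
    return "hello " + token.subject

def build_topology():
    """Constructed issuer names, DNs, keys and test user. Sharing the signing key
    with the verifier stands in for the signing certificate imported into the
    OWSM keystore; nothing here is a real ADFS or Oracle STS identifier."""
    adfs = Sts("http://m1.example.com/adfs/services/trust/13/usernamemixed",
               "http://m1.example.com/adfs/services/trust", "CN=adfs-signing,O=Example",
               b"adfs-signing-key", users={"alice": "s3cret"})
    osts = Sts("http://m2.example.com:14100/sts/wssbearer", "oracle-sts-m2",
               "CN=oracle-sts,O=Example", b"oracle-sts-key",
               trusted_issuers={adfs.issuer_name: (adfs.signing_key, adfs.signer_dn)})
    service_trust = {osts.issuer_name: (osts.signing_key, osts.signer_dn)}
    return adfs, osts, service_trust

def run_federation(username, password, sts_in_order=STS_IN_ORDER):
    """Walk sts.in.order as the client does: authenticate to the last STS in the
    list, present each issued token to the STS before it, then call the service."""
    adfs, osts, service_trust = build_topology()
    by_endpoint = {adfs.endpoint: adfs, osts.endpoint: osts}
    chain = parse_sts_in_order(sts_in_order)
    token = by_endpoint[chain[-1]].issue_for_username(username, password)
    for endpoint in reversed(chain[:-1]):
        token = by_endpoint[endpoint].exchange(token)
    return service_call(token, service_trust)
```

Calling run_federation("alice", "s3cret") returns "hello alice". The point to take from the model is where each trust entry matters: the service's trusted-issuer and trusted-DN list (step 3 of 5.2.1) names only Oracle STS, so an assertion issued by ADFS 2.0 is rejected if it is presented to the service directly, and Oracle STS's issuing authority partner (step 4 of 5.2.2) names only ADFS 2.0, so an assertion from any other issuer is rejected at the RP-STS. A changed subject or a signing DN outside the trusted list fails the same checks.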

5.3 Additional Resources on Oracle Web Services Manager

See the following resources for more information about the technologies and tools used to implement the solutions in this chapter: