21 Configuring Single Sign-On with Web Browsers and HTTP Clients Using SAML

This chapter provides background information about setting up single sign-on (SSO) with Web browsers or other HTTP clients by using authentication based on the Security Assertion Markup Language (SAML) versions 1.1 and 2.0. SAML enables cross-platform authentication between Web applications or Web services running in a WebLogic domain and Web browsers or other HTTP clients. WebLogic Server 12.1.3 supports single sign-on (SSO) based on SAML. When users are authenticated at one site that participates in a single sign-on (SSO) configuration, they are automatically authenticated at other sites in the SSO configuration and do not need to log in separately.

Note:

Note the following:

• A WebLogic Server instance that is configured for SAML 2.0 SSO cannot sent a request to a server instance configured for SAML 1.1, and vice-versa.

• WebLogic Server does not support encrypted SAML assertions.

For an overview of SAML-based single sign on, see the following topics in Understanding Security for Oracle WebLogic Server:

• Security Assertion Markup Language (SAML)

• Web Browsers and HTTP Clients via SAML

• Single Sign-On with the WebLogic Security Framework

This chapter includes the following sections:

• Configuring SAML Services

• Configuring Single Sign-On Using SAML White Paper

• SAML for Web Single Sign-On Scenario API Example

Configuring SAML Services

The way to configure SAML services for single sign-on with Web browsers and HTTP clients depends on the specific version of SAML you plan to use. Refer to the following table for more information:

To configure the following version of SAML . . .	. . . see the following chapter
SAML 1.1	Configuring SAML 1.1 Services
SAML 2.0	Configuring SAML 2.0 Services

Configuring Single Sign-On Using SAML White Paper

The Configuring Single Sign-On using SAML in WebLogic Server 9.2 white paper (http://www.oracle.com/technetwork/articles/entarch/sso-with-saml-099684.html) provides step-by-step instructions for configuring the single sign-on capability between two simple Java EE Web applications running on two different WebLogic domains. The SAML configuration for single sign-on is performed using the WebLogic Server 9.2 Administration Console with no programming involved. The tutorial also briefly introduces the basic interactions between WebLogic containers, the security providers, and the security framework during the single sign-on process.

Although it is based on a previous version of WebLogic Server, you may find this tutorial to be a useful resource as you develop your own SAML implementation.

SAML for Web Single Sign-On Scenario API Example

When you install the Server Examples component of WebLogic Server, which is available by performing a custom installation, WebLogic Server installs several API code examples. The Server Examples provide access to code examples and sample applications that offer several approaches to learning about and working with WebLogic Server.

Included among the security API examples is SAML for Web SSO Scenario. This example, which you build, run, and deploy, shows a variety of single sign-on (SSO) configurations for your applications using WebLogic Server and SAML. The following three scenarios are included:

• SAML 2.0 POST binding

• SAML 1.1

• SAML 2.0 Artifact binding with custom attributes

All files needed to build, deploy, and run the example are included, as are the scripts that configure the WebLogic domains that are used. For more information about the examples, including the directories in which they are installed, see Sample Application and Code Examples in Understanding Oracle WebLogic Server.