7 Configuring Federation with Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS

Refer to the use case description, solution summary, components involved, and the linked documentation resources to configure web services federation with Oracle STS as the Identity Provider STS (IP-STS) and Microsoft ADFS 2.0 STS as the Relying Party STS (RP-STS).

Use Case

Configure web services federation with Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.

Solution

Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Oracle STS and Microsoft ADFS 2.0 STS to establish trust across security domains.

Components
  • Oracle WebLogic Server

  • Oracle Web Services Manager (OWSM)

  • Oracle STS

  • Microsoft ADFS 2.0 STS

  • Web service and client applications to be secured

Additional Resources on Oracle Web Services Manager
The following resources provide more information about the technologies and tools used to implement this use case, configuring web services federation with Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.

This use case demonstrates the steps required to:

  • Attach the appropriate OWSM security policies to enforce message-level protection using SAML holder-of-key (HOK) authentication.

    Specifically, you attach the following policies to the client and service, respectively:

    • oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy and policies based on oracle/sts_trust_config_client_template

    • oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy

  • Configure web services federation using Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.

For more information on how to implement this use case, see Use Case: Implementing Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS.

7.1 Use Case: Implementing Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS

To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS: first configure the web service, then configure Microsoft ADFS 2.0 STS as the RP-STS, then configure Oracle STS as the IP-STS, and finally configure the web service client.

7.1.1 Configuring the Web Service

To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS, first you need to configure the web service.

To configure the web service:
  1. Attach oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
  2. Import the signing certificate for the ADFS 2.0 STS /issuedtokensymmetricbasic256 endpoint into the OWSM keystore. Before importing it, verify the certificate's thumbprint against the token-signing certificate shown in the ADFS 2.0 management console (Service > Certificates): the service will accept assertions signed by whatever certificate is trusted here.
  3. Define the ADFS 2.0 STS endpoint as a trusted issuer and a trusted DN. For the complete procedure, see "Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

7.1.2 Configuring Microsoft ADFS 2.0 STS as the RP-STS

To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS, after configuring the web service, you need to configure Microsoft ADFS 2.0 STS as RP-STS.

For the complete procedure, see the Microsoft ADFS 2.0 documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.

To configure Microsoft ADFS 2.0 STS as the RP-STS, perform the following steps:
  1. Confirm that the /issuedtokensymmetricbasic256 endpoint is enabled.
  2. Add the service as a relying party using the ADFS 2.0 management console.
  3. Add the Oracle STS instance acting as the IP-STS as a trusted claim provider using the ADFS 2.0 management console.

7.1.3 Configuring Oracle STS as the IP-STS

To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS, after configuring the web service and RP-STS, you need to configure Oracle STS as the IP-STS.

For the complete procedure, see the Oracle STS documentation at http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oraclests-166231.html.

To configure Oracle STS as the IP-STS, perform the following steps:
  1. Configure the Oracle STS /wss11user endpoint as follows:
    • Attach the policy with the URI sts/wss11_username_token_with_message_protection_service_policy.

    • Create a validation template (the OWSM LRG UN Validation template) to validate the incoming username token, and apply it to the endpoint.

  2. In Oracle STS, add the Microsoft ADFS 2.0 STS instance acting as the RP-STS as a relying partner party.
  3. Enable the Audience Restriction Condition in Oracle STS.

    This step is necessary because ADFS 2.0 requires the SAML assertion for a claim provider to have AudienceRestrictionUri set, and assertions issued by Oracle STS do not have this set by default.

  4. Configure a separate issuance template that issues 256-bit proof keys for Oracle STS to use. The proof key size must match the Basic256 algorithm suite of the ADFS 2.0 /issuedtokensymmetricbasic256 endpoint; a 128-bit proof key issued for the default Basic128 suite is rejected there.
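Step 3 above matters because ADFS 2.0 silently rejects a claim-provider assertion that carries no audience restriction. The following added example (not part of the Oracle documentation) is a pre-flight check you can run on an assertion captured from the Oracle STS /wss11user endpoint before wiring it into ADFS: it confirms the issuer, that a SAML 1.1 AudienceRestrictionCondition or SAML 2.0 AudienceRestriction names the RP-STS, and that subject confirmation is holder-of-key. The two assertions below are constructed for the example; the issuer string and the ADFS identifier used as the audience are assumptions and must be replaced with the values from your Oracle STS and ADFS configuration.

```python
"""Check that an assertion issued by the IP-STS carries what ADFS 2.0 needs.

Added example; not part of the Oracle documentation.  The sample assertions
and the issuer/audience values are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"
HOK_METHODS = {
    "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
    "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key",
}

# Assumed values: Oracle STS issuer name and the ADFS 2.0 federation service
# identifier that ADFS expects to find as the audience.
IP_STS_ISSUER = "http://m2.example.com:14100/sts/wss11user"
RP_STS_AUDIENCE = "http://m1.example.com/adfs/services/trust"


def check_assertion(xml_text, expected_issuer, expected_audience):
    """Return a list of problems; an empty list means the assertion has a
    known issuer, an audience naming the RP-STS, and holder-of-key
    subject confirmation.  Signature validation is out of scope here."""
    root = ET.fromstring(xml_text)
    ns = root.tag.split("}")[0].lstrip("{")
    problems = []
    if ns == SAML11:
        issuer = root.get("Issuer")
        methods = [e.text for e in root.iter(f"{{{ns}}}ConfirmationMethod")]
    elif ns == SAML20:
        el = root.find(f"{{{ns}}}Issuer")
        issuer = el.text if el is not None else None
        methods = [e.get("Method") for e in root.iter(f"{{{ns}}}SubjectConfirmation")]
    else:
        return [f"not a SAML 1.1 or 2.0 assertion (namespace {ns})"]

    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the IP-STS {expected_issuer!r}")
    audiences = [e.text for e in root.iter(f"{{{ns}}}Audience")]
    if not audiences:
        problems.append("no AudienceRestriction: enable the Audience "
                        "Restriction Condition in Oracle STS")
    elif expected_audience not in audiences:
        problems.append(f"audience {audiences} does not name the RP-STS "
                        f"{expected_audience!r}")
    if not methods:
        problems.append("no SubjectConfirmation element")
    elif not set(methods) & HOK_METHODS:
        problems.append(f"confirmation method {methods} is not holder-of-key")
    return problems


# Constructed SAML 1.1 assertion as Oracle STS issues it by default: no
# audience restriction, so ADFS 2.0 will not accept it from a claim provider.
DEFAULT_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML11}" MajorVersion="1"
    MinorVersion="1" AssertionID="_c1" Issuer="{IP_STS_ISSUER}"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Constructed SAML 2.0 assertion after the Audience Restriction Condition
# has been enabled and the ADFS identifier configured as the audience.
RESTRICTED_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML20}" Version="2.0"
    ID="_c2" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>{IP_STS_ISSUER}</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>{RP_STS_AUDIENCE}</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_ASSERTION), ("restricted", RESTRICTED_ASSERTION)):
        problems = check_assertion(doc, IP_STS_ISSUER, RP_STS_AUDIENCE)
        print(name, "OK" if not problems else problems)
```

Run it against an assertion extracted from a captured RequestSecurityTokenResponse; the default Oracle STS assertion reports the missing audience restriction, and the same check with the wrong expected audience shows the mismatch ADFS would reject. The check deliberately stops short of signature verification, which the service-side OWSM policy performs against the trusted issuer and DN configured in section 7.1.1.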

7.1.4 Configuring the Web Service Client

To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS, finally you need to configure the web service client.

To configure the web service client:
  1. Create a policy from oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy, modify it as follows, and attach it to the client:
    • Set Algorithm Suite to Basic256 instead of Basic128.

    • Set Derived Keys to enabled.

    • Set sts.in.order to the URI of the ADFS 2.0 STS endpoint followed by the Oracle STS endpoint. For example:

      http://m1.example.com/adfs/services/trust/13/issuedtokensymmetricbasic256;
      http://m2.example.com:14100/sts/wss11user
      
  2. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
    • Set Port URI to the ADFS 2.0 STS endpoint. For example:

      http://m1.example.com/adfs/services/trust/13/issuedtokensymmetricbasic256
      
    • Set Client Policy URI to the policy you created in Step 1; for example:

      oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy_adfs
      
  3. Create a policy from oracle/sts_trust_config_client_template, modify it as follows, and attach it to the client:
    • Set Port URI to the Oracle STS endpoint; for example:

      http://m2.example.com:14100/sts/wss11user
      
    • Set WSDL URI to the Oracle STS endpoint.
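The three client-side policies in Steps 1 to 3 have to agree with each other and with the ADFS 2.0 endpoint, and a mismatch (for example Basic128 left as the algorithm suite against the /issuedtokensymmetricbasic256 endpoint) only surfaces as a failed RequestSecurityToken at run time. The following added example (not Oracle's code or tooling) expresses the settings from this section as plain Python data and lints them: every STS in sts.in.order must have an sts_trust_config policy whose Port URI matches, each trust config must carry either a WSDL URI or a Client Policy URI, a Client Policy URI must be the Step 1 policy, the algorithm suite must match the suite named in the ADFS endpoint, and derived keys must be on. The dictionary keys are the labels used in this section, not OWSM property names, except sts.in.order, which is the property the page names; the endpoint URIs are the examples from the page.

```python
"""Consistency lint for the OWSM client-side federation settings.

Added example; not part of the Oracle documentation.  Dictionary keys mirror
the labels used in the text (only sts.in.order is a real OWSM property).
"""
from urllib.parse import urlparse

# The client configuration from Steps 1 to 3, using the page's example URIs.
ISSUED_TOKEN_POLICY = {
    "uri": "oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy_adfs",
    "Algorithm Suite": "Basic256",
    "Derived Keys": True,
    "sts.in.order": ("http://m1.example.com/adfs/services/trust/13/issuedtokensymmetricbasic256;"
                     "http://m2.example.com:14100/sts/wss11user"),
}
STS_TRUST_CONFIGS = [
    {   # Step 2: ADFS 2.0 RP-STS, described by the Step 1 client policy
        "Port URI": "http://m1.example.com/adfs/services/trust/13/issuedtokensymmetricbasic256",
        "Client Policy URI": "oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy_adfs",
    },
    {   # Step 3: Oracle STS IP-STS, described by its WSDL (page sets it to the endpoint)
        "Port URI": "http://m2.example.com:14100/sts/wss11user",
        "WSDL URI": "http://m2.example.com:14100/sts/wss11user",
    },
]


def lint_client_config(issued_policy, trust_configs):
    """Return (errors, warnings).  Errors break token issuance; warnings are
    things a practitioner should look at before going to production."""
    errors, warnings = [], []
    chain = [u.strip() for u in issued_policy["sts.in.order"].split(";") if u.strip()]
    if not chain:
        errors.append("sts.in.order is empty")

    by_port = {tc["Port URI"]: tc for tc in trust_configs}
    for uri in chain:
        if uri not in by_port:
            errors.append(f"no sts_trust_config policy for {uri}")

    for uri, tc in by_port.items():
        if uri not in chain:
            warnings.append(f"trust config for {uri} is not listed in sts.in.order")
        if not (tc.get("WSDL URI") or tc.get("Client Policy URI")):
            errors.append(f"trust config for {uri} has neither WSDL URI nor Client Policy URI")
        client_policy = tc.get("Client Policy URI")
        if client_policy and client_policy != issued_policy["uri"]:
            errors.append(f"Client Policy URI for {uri} is {client_policy}, "
                          f"expected the Step 1 policy {issued_policy['uri']}")
        if urlparse(uri).scheme != "https":
            warnings.append(f"{uri} is not https; the RST is protected only by WS-Security")

    # The ADFS endpoint name ends with the algorithm suite it speaks; the
    # client's suite must match it (Basic256 for /issuedtokensymmetricbasic256).
    suite = issued_policy["Algorithm Suite"]
    for uri in chain:
        path = urlparse(uri).path.lower()
        for name in ("basic128", "basic256"):
            if path.endswith(name) and suite.lower() != name:
                errors.append(f"Algorithm Suite {suite} does not match endpoint {uri}")

    if not issued_policy["Derived Keys"]:
        errors.append("Derived Keys must be enabled on the issued-token client policy")
    return errors, warnings


if __name__ == "__main__":
    errors, warnings = lint_client_config(ISSUED_TOKEN_POLICY, STS_TRUST_CONFIGS)
    print("errors:", errors or "none")
    print("warnings:", warnings or "none")
```

With the page's settings the lint reports no errors and two warnings, both for the plain-http example URIs; changing Algorithm Suite back to Basic128 or deleting the Oracle STS trust config produces the corresponding error before any token request is sent.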