21 Configuring Single Sign-On with Web Browsers and HTTP Clients Using SAML

WebLogic Server supports single sign-on (SSO) based on SAML. You configure single sign-on with Web browsers or other HTTP clients by using authentication based on the Security Assertion Markup Language (SAML) versions 1.1 and 2.0.

SAML enables cross-platform authentication between Web applications or Web services running in an Oracle WebLogic Server domain and Web browsers or other HTTP clients. When users are authenticated at one site that participates in a single sign-on (SSO) configuration, they are automatically authenticated at other sites in the SSO configuration and do not need to log in separately.

Note:

  • A WebLogic Server instance that is configured for SAML 2.0 SSO cannot send a request to a server instance configured for SAML 1.1, and vice versa.

  • WebLogic Server supports encrypted SAML assertions for SAML 2.0.

  • WebLogic Server supports SAML Single Logout for the WebLogic SAML Service Provider.
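The first two notes above come down to a check that a Service Provider has to make before it trusts anything in an incoming message: is this a SAML 1.1 assertion or a SAML 2.0 one, and is it an EncryptedAssertion that must be decrypted first? The following Python script is an added illustration of that check and is not code from WebLogic Server or from this document. It relies only on the standard SAML namespace URIs and version attributes; the assertion samples, the `configured_version` setting, and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs from the OASIS SAML 1.1 and 2.0 specifications.
SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample messages (not real assertions; no signatures, minimal content).
SAML20_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Version="2.0" ID="_constructed-1" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion>'
)
SAML11_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'MajorVersion="1" MinorVersion="1" AssertionID="_constructed-2" '
    'Issuer="https://idp.example.test" IssueInstant="2024-01-01T00:00:00Z"/>'
)
SAML20_ENCRYPTED = (
    '<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    '</saml:EncryptedAssertion>'
)


def classify_assertion(xml_text):
    """Return (saml_version, is_encrypted) for the top-level SAML element.

    Raises ValueError if the document is not a recognisable SAML assertion.
    Note: for untrusted input in production, parse with a hardened parser
    such as defusedxml rather than the stdlib ElementTree used here.
    """
    root = ET.fromstring(xml_text)
    # ElementTree renders namespaced tags as "{namespace}localname".
    namespace, _, local_name = root.tag.rpartition("}")
    namespace = namespace.lstrip("{")

    if namespace == SAML20_NS:
        if local_name == "EncryptedAssertion":
            return "2.0", True
        if local_name == "Assertion":
            if root.get("Version") != "2.0":
                raise ValueError("SAML 2.0 namespace but Version != 2.0")
            return "2.0", False

    if namespace == SAML11_NS and local_name == "Assertion":
        version = (root.get("MajorVersion"), root.get("MinorVersion"))
        if version != ("1", "1"):
            raise ValueError("SAML 1.x assertion with unsupported version %r" % (version,))
        return "1.1", False

    raise ValueError("not a SAML assertion: <%s> in namespace %r" % (local_name, namespace))


def check_compatibility(xml_text, configured_version):
    """Decide whether a server configured for one SAML version may process the message.

    configured_version is "1.1" or "2.0" (a hypothetical SP setting for this example).
    Returns (accepted, reason).
    """
    try:
        version, encrypted = classify_assertion(xml_text)
    except (ValueError, ET.ParseError) as exc:
        return False, "rejected: %s" % exc

    if version != configured_version:
        # Mirrors the note above: a SAML 2.0 peer and a SAML 1.1 peer cannot interoperate.
        return False, "rejected: assertion is SAML %s but server is configured for SAML %s" % (
            version, configured_version)

    if encrypted:
        return True, "accepted: SAML 2.0 EncryptedAssertion, decrypt before validating"
    return True, "accepted: SAML %s assertion" % version


if __name__ == "__main__":
    for label, sample in (("2.0", SAML20_ASSERTION), ("1.1", SAML11_ASSERTION),
                          ("2.0 encrypted", SAML20_ENCRYPTED)):
        for configured in ("1.1", "2.0"):
            print("%-14s -> SP configured %s: %s" % (label, configured,
                                                     check_compatibility(sample, configured)[1]))
```

Running the script prints one line per sample and server setting; the interesting rows are the mismatches, which are rejected before any signature or condition checking would start, and the EncryptedAssertion row, which a SAML 1.1 server cannot process at all.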

For an overview of SAML-based single sign-on, see the following topics in Understanding Security for Oracle WebLogic Server:

This chapter includes the following sections:

Configuring SAML Services

The way to configure SAML services for single sign-on with Web browsers and HTTP clients depends on the specific version of SAML you plan to use.

Refer to the following table:

  To configure the following version of SAML . . .    See the following chapter . . .
  SAML 1.1                                             Configuring SAML 1.1 Services
  SAML 2.0                                             Configuring SAML 2.0 Services

Configuring Single Sign-On Using SAML White Paper

The Configuring Single Sign-On using SAML in WebLogic Server 9.2 white paper provides step-by-step instructions for configuring the single sign-on capability between two simple Java EE Web applications running on two different WebLogic domains.

The SAML configuration for single sign-on that is described in the Configuring Single Sign-On using SAML in WebLogic Server 9.2 white paper (http://www.oracle.com/technetwork/articles/entarch/sso-with-saml-099684.html) is performed using the WebLogic Server 9.2 Administration Console with no programming involved. The tutorial also briefly introduces the basic interactions between WebLogic containers, the security providers, and the security framework during the single sign-on process.

Although it is based on a previous version of WebLogic Server, you may find this tutorial to be a useful resource as you develop your own SAML implementation.

SAML for Web Single Sign-On Scenario API Example

When you install the Server Examples component of WebLogic Server, which is available by performing a custom installation, WebLogic Server installs several API code examples. Included among the security API examples is the SAML for Web Single Sign-On (SSO) Scenario example.

The Web SSO example, which you build, run, and deploy, shows a variety of SSO configurations for your applications using WebLogic Server and SAML. The Server Examples provide access to code examples and sample applications that offer several approaches to learning about and working with WebLogic Server.

The following three scenarios are included:

  • SAML 2.0 POST binding

  • SAML 1.1

  • SAML 2.0 Artifact binding with custom attributes

All files needed to build, deploy, and run the example are included, as are the scripts that configure the WebLogic domains that are used. For more information about the examples, including the directories in which they are installed, see Sample Application and Code Examples in Understanding Oracle WebLogic Server.