Implement SAML 2.0 SSO in WLS using IDM Federation Services


Who we are
Experts At Your Service
> Over 60 specialists in IT infrastructure
> Certified, experienced, passionate
Based In Switzerland
> 100% self-financed Swiss company
> Over CHF 10.5 mio. turnover
Leading In Infrastructure Services
> More than 170 customers in CH, D & F
> Over 50 SLAs dbi FlexService contracted
Implement SAML 2.0 SSO in WLS using IDM Federation Services, 21.11.2017

About me
Pascal Brand, Senior Consultant, Middleware Technical Lead
+41 79 796 43 59
pascal.brand[at]dbi-services.com

Agenda
1. SSO Solution
2. WebLogic Domains requirements
3. WebLogic Domain configuration
4. Troubleshooting
5. Conclusion

SSO Solution
> Challenges and retained solution
> Key Concepts of Federated Identity
> SSO Flow
> SAML 2.0 (Overview)
> Architecture

SSO Solution: The Challenge
> We had to set up and configure an SSO solution for a huge number of environments
  > 125 WebLogic Domains, ~500 WebLogic Servers or clusters
  > More than 250 protected applications
  > 600 active Linux servers
> Some WebLogic domains host multiple protected applications
> Minimize configuration work and time
> Avoid additional external Web Tiers
Single Sign-On retained solution
> Identity Management Federation Services

SSO Solution: Key Concepts of Federated Identity
> Identity Provider
  > The organization that authenticates the user and generates the SAML assertion
  > The organization optionally shares attributes requested by the Service Provider
> Service Provider
  > Accepts SAML assertions to identify the user (as opposed to username & password)
  > Sometimes referred to as a relying party
> Subject
  > A subject is any entity capable of using a service and capable of acquiring a federated identity:
    > A person (a "user")
    > A group of users such as a corporation
    > A system entity whose identity can be authenticated

SSO Solution: Key Concepts of Federated Identity
> SAML Assertion
  > A message asserting a user's identity and often other attributes, sent over HTTP(S) via browser redirects
> Single Sign-On
  > Single sign-on enables users to sign on once to a member of a federated group of identity providers
  > and subsequently use various resources among the group without the need to sign on again
  > Under the SAML protocols, performing a single sign-on operation between a principal, an SP and an IdP requires that:
    > A federation exists between the SP and the IdP
    > They have a trusted business relationship
    > The principal has local identities (or roles) on both the SP and the IdP

SSO Solution: SSO Flow
Flow diagram (not transcribed); the only labels that survive are "Depending on identity information provided" and "Generate SAML Token".

SSO Solution: SAML 2.0 (Short Overview)
> Security Assertion Markup Language
> An XML-based framework for exchanging security information
  > XML-encoded request/response protocol
  > Security assertions
    > Authentication
    > Attribute
    > Authorization decision
  > Rules on using assertions with standard transport and messaging frameworks
  > How providers can offer both authentication and authorization services
> Allows security credentials to be shared by multiple security domains
> Most important use case is web browser Single Sign-On

SSO Solution: SAML 2.0 (Short Overview)
> Common information between assertions
  > Issuer and issuance timestamp
  > Assertion ID
  > Subject
    > Name plus security domain
    > Confirmation data
  > Conditions under which the assertion is valid
    > Assertion validity period (NotBefore, NotOnOrAfter)
    > Audience Restriction

SSO Solution: SAML Authentication Request

<?xml version="1.0" encoding="utf-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://IDP_Server/oamfed/idp/samlv20"
    ForceAuthn="false"
    ID="_0xd9d30e6ff2399bd8bc62a68d2b10755c"
    IsPassive="false"
    IssueInstant="2018-08-29T12:03:20.074Z"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sp_id</saml:Issuer>
</samlp:AuthnRequest>

SSO Solution: SAML Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ...>
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp_server/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="id-AqStFZLhE0LaDMtHQAbUZRKqK-8" IssueInstant=...>
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp_server/oam/fed</saml:Issuer>
    <dsig:Signature>
    </dsig:Signature>

SSO Solution: SAML Response

    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Allan@doag.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_0xd9d30e6ff2399bd8bc62a68d2b10755c"
            NotOnOrAfter="2018-08-29T12:08:54Z"
            Recipient="https://target_Server/saml2/sp/acs/post"/>
      </saml:SubjectConfirmation>
    </saml:Subject>

SSO Solution: SAML Response

    <saml:Conditions NotBefore="2018-08-29T12:03:54Z" NotOnOrAfter="2018-08-29T12:08:54Z">
      <saml:AudienceRestriction>
        <saml:Audience>sp_id</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement ...>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

SSO Solution: Architecture
> Service Provider initiated Single Sign-On
Oracle Identity Management Federation Services
> Acts as Identity Provider (IdP)
> SAML 2.0
WebLogic Server
> Acts as Service Provider
  > Accepts SAML assertions to identify the user
> SAML 2.0 Identity Asserter
  > Web Single Sign-On Identity Provider Partner

SSO Solution: Architecture
Architecture diagram (not transcribed); labels: Security Layer, Identity store, SAML Request, SAML Response.

WebLogic Domains
> Requirements
> Single Machine deployments
> Clusters or Multi-Machine deployments

WebLogic Domains Requirements
Common requirements for all architectures
> An Identity Asserter with a WebSSO Identity Provider Partner
> An Authenticator Provider
  > Same external LDAP server as IDM Federation Services
  > SAML Authenticator Provider (virtual users)
Single Machine deployments
> Single Managed WebLogic Server
  > The WebLogic Managed Server acts as Service Provider
  > The application must keep the JSESSIONID session cookie name
> Multiple WebLogic Managed Servers
  > Additionally, each WebLogic Managed Server needs to act as Service Provider
    > Needs to be registered in OAM Federation Services
    > saml2 manual deployment (different root context)

WebLogic Domains Requirements
Clusters or Multi-Machine deployments
> Requires the RDBMS Security Store
  > Use of a JMS Topic
    > Recommended in Multi-Machine deployments
    > Security Store cache synchronization on security changes
> Each WebLogic Cluster or independent Managed Server needs to act as Service Provider
  > Needs to be registered in OAM Federation Services
  > saml2 manual deployment (different root context)
> The application must keep the JSESSIONID session cookie name

WebLogic Domain Configuration
> Configure the RDBMS Security Store
> Register the Identity Provider
> Enable Service Providers and publish the Site URL

WebLogic Domain Configuration: RDBMS Security Store
> Has to be done at Domain creation time
> The database schema needs to be created beforehand
  > rdbms_security_store_<db_type>.sql
> Using the Admin Console or WLST
  > Navigate to the correct page:
    > Environment > Security Realms > myrealm > Configuration > RDBMS Security Store
  > Enable RDBMS Security Store
  > Provide the database schema connection details
  > Provide the JMS Topic details
  > No DB connection validation

WebLogic Domain Configuration: Register the Identity Provider
> Get the IDM Federation Services IdP metadata
> Using the Admin Console or WLST
  > Navigate to
    > Environment > Security Realms > myrealm > Providers tab > Authentication sub-tab
  > Create a new SAML 2.0 Identity Asserter Provider
  > Requires a WebLogic Domain restart
  > Back in the SAML 2.0 Identity Asserter Provider
    > Create a new WebSSO Identity Provider Partner
    > Import the IDM Federation Services IdP metadata
    > Save the configuration

WebLogic Domain Configuration: Authenticator providers
> One Authenticator provider is required
  > The Default Authenticator can't be used
> SAML 2.0 Authenticator
  > Virtual users stored in WebLogic memory
  > No user validity check
> External LDAP Authenticator provider
  > The user ID is validated from the search filter

WebLogic Domain Configuration: Enable Service Providers and publish the Site URL
> Using the Admin Console or WLST
  > Navigate to
    > Environment > Servers > <Server Name> > Configuration tab > Federation Services sub-tab
  > Select SAML 2.0 Service Provider
    > Enable it by checking the box
    > Set the Preferred Binding to POST
  > Select SAML 2.0 General
    > Provide at least the Published Site URL and the Entity ID
  > Requires a WebLogic Domain restart

WebLogic Domain Configuration: Enable Service Providers and publish the Site URL
> Once the WebLogic Domain is restarted
  > In the Admin Console navigate to
    > Environment > Servers > <Server Name> > Configuration tab > Federation Services
  > Select SAML 2.0 Service Provider
  > Click on the Publish Meta Data button to export the Service Provider metadata
  > Send this metadata XML file to the OAM Federation Services administrator to be imported in the Service Provider partner registration

WebLogic Domain Configuration: Enable Service Providers and publish the Site URL
WebLogic Domain with multiple Managed Servers
> Each WebLogic Managed Server hosting a protected application needs a different Site URL
> The saml2 war file has to be manually deployed with a distinct root context each time
WebLogic Clusters
> The same Entity ID and Published Site URL have to be set on all WebLogic Cluster members
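The Admin Console steps of the three configuration slides above (Identity Asserter, IdP partner, Service Provider settings) as one WLST script. This is an added example and not a script from the deck or from dbi services. It runs under wlst.sh with a step argument; under plain Python it only defines the functions, so the planning part can be tested offline. Host names, the metadata path, the partner name and the credentials are placeholders; the MBean and method names (SingleSignonServicesMBean, SAML2IdentityAsserterMBean, consumeIdPPartnerMetadata, addIdPPartner) are as I recall them from the WebLogic MBean reference, and the `'HTTP/POST'` value for the preferred binding is an assumption to verify against your release.

```python
# Added example, not from the presentation: the "WebLogic Domain Configuration"
# slides as a WLST script.  Run it step by step, restarting the domain between
# steps as the slides require:
#   wlst.sh configure_saml2_sp.py asserter   # then restart the domain
#   wlst.sh configure_saml2_sp.py partner
#   wlst.sh configure_saml2_sp.py sp         # then restart and Publish Meta Data
# Under plain Python the WLST builtins (connect, edit, cd, cmo, ...) do not
# exist, so only the functions are defined and nothing is configured.

ADMIN_URL = 't3://vm01.dbi-workshop.com:7005'        # Admin Server from the debug slide
ADMIN_USER, ADMIN_PASSWORD = 'weblogic', 'welcome1'  # placeholders; prefer a user config file
REALM = 'myrealm'
IDENTITY_ASSERTER = 'SAML2_IA'                       # placeholder provider name
IDP_PARTNER = 'IDM-FederationServices'               # placeholder partner name
IDP_METADATA_FILE = '/tmp/idp_metadata.xml'          # placeholder: metadata exported from OAM

# Constructed domain layout: one cluster behind a load balancer plus two
# stand-alone managed servers on one machine.  Each target is its own SP.
LAYOUT = [
    {'target': 'cluster1', 'members': ['ms1', 'ms2'],
     'host': 'https://lbr.example.com', 'context': 'saml2'},
    {'target': 'wls1', 'members': ['wls1'],
     'host': 'https://vm01.dbi-workshop.com:7005', 'context': 'saml2'},
    {'target': 'wls2', 'members': ['wls2'],
     'host': 'https://vm01.dbi-workshop.com:7006', 'context': 'saml2_wls2'},
]


def plan_service_providers(layout):
    """Entity ID and Published Site URL for every server of the layout.

    Cluster members share both values; stand-alone servers need a distinct
    Site URL, hence the saml2 war redeployed under another root context.
    Two targets publishing the same Site URL is reported as a conflict."""
    plans, conflicts, owner_of = [], [], {}
    for target in layout:
        site_url = '%s/%s' % (target['host'].rstrip('/'), target['context'])
        if site_url in owner_of:
            conflicts.append('%s and %s both publish %s'
                             % (owner_of[site_url], target['target'], site_url))
        owner_of[site_url] = target['target']
        for server in target['members']:
            plans.append({'server': server,
                          'entity_id': 'sp_%s' % target['target'],
                          'site_url': site_url})
    return plans, conflicts


def create_identity_asserter():
    # Register the Identity Provider, part 1: the SAML 2.0 Identity Asserter.
    edit()
    startEdit()
    realm = cmo.getSecurityConfiguration().lookupRealm(REALM)
    if realm.lookupAuthenticationProvider(IDENTITY_ASSERTER) is None:
        realm.createAuthenticationProvider(
            IDENTITY_ASSERTER, 'com.bea.security.saml2.providers.SAML2IdentityAsserter')
    save()
    activate()


def register_idp_partner():
    # Register the Identity Provider, part 2 (after the restart): import the
    # IdP metadata as a WebSSO Identity Provider partner.  Partner operations
    # sit on the provider MBean in the serverConfig tree, not the edit tree.
    serverConfig()
    cd('/SecurityConfiguration/%s/Realms/%s/AuthenticationProviders/%s'
       % (domainName, REALM, IDENTITY_ASSERTER))
    if not cmo.idPPartnerExists(IDP_PARTNER):
        partner = cmo.consumeIdPPartnerMetadata(IDP_METADATA_FILE)
        partner.setName(IDP_PARTNER)
        partner.setEnabled(true)
        cmo.addIdPPartner(partner)


def enable_service_provider(plan):
    # Federation Services > SAML 2.0 Service Provider / SAML 2.0 General.
    edit()
    startEdit()
    cd('/Servers/%s/SingleSignonServices/%s' % (plan['server'], plan['server']))
    cmo.setEntityID(plan['entity_id'])
    cmo.setPublishedSiteURL(plan['site_url'])
    cmo.setServiceProviderEnabled(true)
    cmo.setServiceProviderPreferredBinding('HTTP/POST')   # assumed legal value for "POST"
    save()
    activate()


def running_under_wlst():
    try:
        connect          # WLST builtin; NameError under plain Python
        return True
    except NameError:
        return False


if running_under_wlst():
    import sys
    step = sys.argv[1] if len(sys.argv) > 1 else 'asserter'
    plans, conflicts = plan_service_providers(LAYOUT)
    if conflicts:
        raise SystemExit('fix the layout first: ' + '; '.join(conflicts))
    connect(ADMIN_USER, ADMIN_PASSWORD, ADMIN_URL)
    if step == 'asserter':
        create_identity_asserter()
    elif step == 'partner':
        register_idp_partner()
    elif step == 'sp':
        for plan in plans:
            enable_service_provider(plan)
    disconnect()
```

The planning function is the part worth keeping even if you configure through the console: it refuses to proceed when two stand-alone servers would publish the same Site URL, which is the configuration the deck lists under "No multiple Site URL access permitted".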

Troubleshooting
> How to enable debugging
> Other troubleshooting tools
> Most current issues

Troubleshooting: How to enable debugging (which layer)

Security class   Description
atn              Trace the authentication and management of users & groups
atz              Trace authorization policy evaluations and access decisions
saml             Trace the processing and/or generation of SAML 1.1 tokens
saml2            Trace the processing and/or generation of SAML 2.0 tokens
ldap             Trace embedded LDAP accesses

Troubleshooting: How to enable debugging in the WebLogic Administration Console
> Log in to the Admin Console using your weblogic account
> Navigate to the correct page:
  > Environment > Servers > ServerName > Debug
> Click on the Lock & Edit button
> Expand the scope weblogic and then security
> Check the components you want to enable:
  > atn
  > atz
  > ldap
  > saml
  > saml2
> Go back to the top and click on the Enable button
> Click on the Activate Changes button

Troubleshooting: How to enable debugging with WLST
> Script to run

# connect to the Admin Server and open an edit session
connect('weblogic','welcome1','t3://vm01.dbi-workshop.com:7005')
edit()
startEdit()
# debug flags live on the ServerDebug MBean of each server (attribute names are case-sensitive)
cd('Servers/wls1/ServerDebug/wls1')
set('DebugSecurityAtn','true')
set('DebugSecurityAtz','true')
set('DebugSecuritySAML2Atn','true')
set('DebugSecuritySAML2Service','true')
set('DebugSecuritySAMLCredMap','true')
save()
activate()

Troubleshooting: How to enable debugging from the command line

Start arguments                                    Description
-Dweblogic.debug.DebugSecurityAtn=true             atn
-Dweblogic.debug.DebugSecurityAtz=true             atz
-Dweblogic.debug.DebugSecuritySAMLAtn=true         saml
-Dweblogic.debug.DebugSecuritySAMLLib=true
-Dweblogic.debug.DebugSecuritySAML2Atn=true        saml2
-Dweblogic.debug.DebugSecuritySAML2Service=true
-Dweblogic.debug.DebugSecuritySAML2CredMap=true
-Dweblogic.debug.DebugSecuritySAML2Lib=true
-Dweblogic.debug.DebugEmbeddedLDAPLogLevel=11      Embedded LDAP
-Dweblogic.debug.DebugEmbeddedLDAP=true

Troubleshooting: Other troubleshooting tools
https://www.samltool.com/decode.php
> Use this tool to base64-decode and inflate an intercepted SAML message
> Paste a base64-encoded SAML message and obtain its plain-text version
> Use the browser debugger to catch the SAML Request and/or SAML Response
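An offline equivalent of the decode step above, added here as an example (it is not part of the deck): it turns a SAMLRequest or SAMLResponse parameter copied from the browser debugger back into XML and pulls out the fields you match against the other side of the exchange, so intercepted messages, which carry user identities, never have to be pasted into a third-party site. The sample message is the AuthnRequest from the slides, re-encoded here for both bindings; everything uses the Python standard library only.

```python
# Added example, not from the presentation: decode SAML messages captured
# from the browser without sending them to an external service.
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML = '{urn:oasis:names:tc:SAML:2.0:assertion}'

# Constructed sample: the AuthnRequest of the "SAML Authentication Request" slide.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="https://IDP_Server/oamfed/idp/samlv20" ForceAuthn="false" '
    'ID="_0xd9d30e6ff2399bd8bc62a68d2b10755c" IsPassive="false" '
    'IssueInstant="2018-08-29T12:03:20.074Z" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sp_id</saml:Issuer>'
    '</samlp:AuthnRequest>')


def encode_for_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding
    (only used here to build a realistic sample of what the browser sends)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)     # -15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode('utf-8')) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode('ascii'), safe='')


def encode_for_post(xml_text):
    """HTTP-POST binding: plain base64 of the XML in the form field."""
    return base64.b64encode(xml_text.encode('utf-8')).decode('ascii')


def decode_saml_message(value):
    """Return (xml_text, binding) for a SAMLRequest/SAMLResponse value.

    The value may still be URL-encoded (copied from the debugger's query
    string) and may have lost its base64 padding; both are repaired."""
    value = urllib.parse.unquote(value).strip()
    value += '=' * (-len(value) % 4)
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b'<'):                  # already XML: POST binding
        return raw.decode('utf-8'), 'HTTP-POST'
    return zlib.decompress(raw, -15).decode('utf-8'), 'HTTP-Redirect'


def summarize(xml_text):
    """The fields to compare with the other message of the exchange: the
    request ID must come back as InResponseTo, Destination must be the IdP
    endpoint, and Issuer must be the registered partner."""
    root = ET.fromstring(xml_text.encode('utf-8'))
    return {
        'element': root.tag.split('}')[-1],
        'id': root.get('ID'),
        'issuer': (root.findtext(SAML + 'Issuer') or '').strip(),
        'destination': root.get('Destination'),
        'in_response_to': root.get('InResponseTo'),
    }


if __name__ == '__main__':
    for value in (encode_for_redirect(SAMPLE_AUTHN_REQUEST),
                  encode_for_post(SAMPLE_AUTHN_REQUEST)):
        xml_text, binding = decode_saml_message(value)
        print(binding, summarize(xml_text))
```

Detecting the binding from the decoded bytes (XML starts with `<`, a deflate stream does not) avoids guessing from where the value was captured; a Response posted to the ACS URL and a Request sent by redirect both decode with the same call.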

Troubleshooting: Most current issues
Infinite loop
> The application session cookie was renamed
  > Debugging for atz shows the adjudication as successful
> The application is not accessed through the published Site URL
  > Typical issue when the published site is an LBR URL

Troubleshooting: Most current issues
Users get HTTP 403
> Conditions not respected
  > Identity Provider and Service Provider not in time sync
  > Audience not matching the Service Provider Entity ID
> Role membership
  > Application security roles declared in web.xml missing from weblogic.xml
  > Application security not configured in the WebLogic Domain
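The "Conditions not respected" causes of the HTTP 403 above are exactly the checks a Service Provider runs on the Response shown on the three "SAML Response" slides. The following added example (not code from the deck or from Oracle) applies those checks to a Response reconstructed from those slides, with a clock-skew tolerance so that the "not in time sync" case and the "audience not matching" case each produce a readable reason. The sample's IssueInstant, Response ID and AuthnStatement are constructed fill-ins for values the slides cut off; signature verification is left to the WebLogic identity asserter and is not done here.

```python
# Added example, not from the presentation: why a Service Provider answers 403
# for the Response of the "SAML Response" slides when a condition fails.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = '{urn:oasis:names:tc:SAML:2.0:protocol}'
SAML = '{urn:oasis:names:tc:SAML:2.0:assertion}'
STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'

# Reconstructed from the slides; IssueInstant, the Response ID and the
# AuthnStatement are constructed, the signature element is left out.
SAMPLE_RESPONSE = b'''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-resp-1" Version="2.0"
    IssueInstant="2018-08-29T12:03:54Z" InResponseTo="_0xd9d30e6ff2399bd8bc62a68d2b10755c">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp_server/oam/fed</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id-AqStFZLhE0LaDMtHQAbUZRKqK-8" Version="2.0" IssueInstant="2018-08-29T12:03:54Z">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp_server/oam/fed</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Allan@doag.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_0xd9d30e6ff2399bd8bc62a68d2b10755c"
            NotOnOrAfter="2018-08-29T12:08:54Z" Recipient="https://target_Server/saml2/sp/acs/post"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-08-29T12:03:54Z" NotOnOrAfter="2018-08-29T12:08:54Z">
      <saml:AudienceRestriction><saml:Audience>sp_id</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-08-29T12:03:54Z"/>
  </saml:Assertion>
</samlp:Response>'''


def parse_saml_time(text):
    """xsd:dateTime in UTC as SAML requires; fractional seconds are optional."""
    text = text.rstrip('Z')
    fmt = '%Y-%m-%dT%H:%M:%S.%f' if '.' in text else '%Y-%m-%dT%H:%M:%S'
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_bytes, sp_entity_id, acs_url, request_id, idp_issuer,
                   now, skew=timedelta(seconds=60)):
    """Return the reasons a Service Provider would reject the Response; an
    empty list means every condition holds.  `skew` is the tolerated clock
    difference between IdP and SP: a five-minute window like the one on the
    slides leaves little room for unsynchronised clocks."""
    problems = []
    root = ET.fromstring(xml_bytes)
    code = root.find(SAMLP + 'Status/' + SAMLP + 'StatusCode')
    if code is None or code.get('Value') != STATUS_SUCCESS:
        problems.append('status is not Success')
    assertion = root.find(SAML + 'Assertion')
    if assertion is None:
        return problems + ['no Assertion in the Response']
    issuer = (assertion.findtext(SAML + 'Issuer') or '').strip()
    if issuer != idp_issuer:
        problems.append('issuer %s is not the registered IdP partner' % issuer)
    cond = assertion.find(SAML + 'Conditions')
    if cond is not None:
        not_before, not_after = cond.get('NotBefore'), cond.get('NotOnOrAfter')
        if not_before and now + skew < parse_saml_time(not_before):
            problems.append('NotBefore %s is still in the future (clock sync?)' % not_before)
        if not_after and now - skew >= parse_saml_time(not_after):
            problems.append('NotOnOrAfter %s has passed (clock sync or stale message?)' % not_after)
        audiences = [a.text.strip() for a in cond.iter(SAML + 'Audience') if a.text]
        if audiences and sp_entity_id not in audiences:
            problems.append('audience %s does not match SP Entity ID %s' % (audiences, sp_entity_id))
    scd = assertion.find(SAML + 'Subject/' + SAML + 'SubjectConfirmation/'
                         + SAML + 'SubjectConfirmationData')
    if scd is not None:
        if scd.get('InResponseTo') != request_id:
            problems.append('InResponseTo does not match the AuthnRequest ID we issued')
        if scd.get('Recipient') != acs_url:
            problems.append('Recipient %s is not our ACS URL' % scd.get('Recipient'))
        not_after = scd.get('NotOnOrAfter')
        if not_after and now - skew >= parse_saml_time(not_after):
            problems.append('SubjectConfirmationData NotOnOrAfter %s has passed' % not_after)
    return problems
```

With the SP's Entity ID, ACS URL, outstanding request ID and partner issuer as inputs, the function gives a reason per failed condition instead of the bare 403, which is what you want next to the atn/saml2 debug output when the two sides disagree on the time or on the audience.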

Conclusion
> Advantages vs Drawbacks
> Final Words

Conclusion: Advantages vs Drawbacks
Advantages
> Easy to configure
> Reliable once configured
> Does not require additional Web Tiers with SSO modules
Drawbacks
> Requires the RDBMS Security Store and a JMS Topic
> Take care of certificate expiration
> No multiple Site URL access permitted

Conclusion: Final Words
> Simplifies SSO deployment on the WebLogic side
> Reduces the cost of the integration
  > No additional Web Tier needed
  > Less installation and configuration work
> The OAM Federation Service provides our project an end-to-end, scalable identity federation infrastructure that addresses all the needs of the federation partners inside the organization

Basel, Delémont, Zürich, Nyon
Any questions? Please do ask!
We would love to boost your IT infrastructure. How about you?

Let's meet at booth 242