Implement SAML 2.0 SSO in WLS using IDM Federation Services
Who we are
Experts At Your Service
> Over 60 specialists in IT infrastructure
> Certified, experienced, passionate
Based In Switzerland
> 100% self-financed Swiss company
> Over CHF 10.5 mio. turnover
Leading In Infrastructure Services
> More than 170 customers in CH, D & F
> Over 50 SLAs dbi FlexService contracted
Implement SAML 2.0 SSO in WLS using IDM Federation Services 21.11.2017 Page 2
About me
Pascal Brand
Senior Consultant, Middleware Technical Lead
+41 79 796 43 59
pascal.brand[at]dbi-services.com
Agenda
1. SSO Solution
2. WebLogic Domains requirements
3. WebLogic Domain configuration
4. Troubleshooting
5. Conclusion
SSO Solution
> Challenges and retained solution
> Key Concepts of Federation Identity
> SSO Flow
> SAML 2.0 (Overview)
> Architecture
SSO Solution
The Challenge
> We had to set up and configure an SSO solution for a huge number of environments
  > 125 WebLogic Domains, ~500 WebLogic Servers or clusters
  > More than 250 protected applications
  > 600 active Linux servers
> Some WebLogic domains host multiple protected applications
> Minimize configuration work and time
> Avoid additional external Web Tiers
Single Sign-On retained solution
> Identity Management Federation Services
SSO Solution
Key Concepts of Federation Identity
> Identity Provider
  > The organization that authenticates the user and generates the SAML assertion
  > The organization optionally shares attributes requested by the Service Provider
> Service Provider
  > Accepts SAML assertions to identify the user (as opposed to username & password)
  > Sometimes referred to as a relying party
> Subject
  > Any entity capable of using a service and capable of acquiring a federated identity
    > A person (a "user")
    > A group of users, such as a corporation
    > A system entity whose identity can be authenticated
SSO Solution
Key Concepts of Federation Identity
> SAML Assertion
  > A message asserting a user's identity and often other attributes, sent over HTTP(S) via browser redirects
> Single Sign-On
  > Single sign-on enables users to sign on once to a member of a federated group of identity providers and subsequently use various resources among the group without the need to sign on again
  > Under the SAML protocols, performing a single sign-on operation between a principal, an SP and an IdP requires that:
    > A federation exists between the SP and the IdP
    > They have a trusted business relationship
    > The principal has local identities (or roles) on both the SP and the IdP
SSO Solution
SSO Flow (diagram; surviving labels: "Depending on identity information provided", "Generate SAML Token")
SSO Solution
SAML 2.0 (Short Overview)
> Security Assertion Markup Language
> An XML-based framework for exchanging security information
  > XML-encoded request/response protocol
  > Security assertions
    > Authentication
    > Attribute
    > Authorization decision
  > Rules on using assertions with standard transport and messaging frameworks
  > How providers can offer both authentication and authorization services
> Allows security credentials to be shared by multiple security domains
> Most important use case is web browser Single Sign-On
SSO Solution
SAML 2.0 (Short Overview)
> Common information between assertions
  > Issuer and issuance timestamp
  > Assertion ID
  > Subject
    > Name plus security domain
    > Confirmation data
  > Conditions under which the assertion is valid
    > Assertion validity period (NotBefore, NotOnOrAfter)
    > Audience Restriction
SSO Solution
SAML Authentication Request
<?xml version="1.0" encoding="utf-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://IDP_Server/oamfed/idp/samlv20"
    ForceAuthn="false"
    ID="_0xd9d30e6ff2399bd8bc62a68d2b10755c"
    IsPassive="false"
    IssueInstant="2018-08-29T12:03:20.074Z"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sp_id</saml:Issuer>
</samlp:AuthnRequest>
SSO Solution
SAML Response
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ...>
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp_server/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="id-AqStFZLhE0LaDMtHQAbUZRKqK-8" IssueInstant=...>
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp_server/oam/fed</saml:Issuer>
    <dsig:Signature>
      ...
    </dsig:Signature>
SSO Solution
SAML Response (continued)
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Allan@doag.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_0xd9d30e6ff2399bd8bc62a68d2b10755c"
            NotOnOrAfter="2018-08-29T12:08:54Z"
            Recipient="https://target_Server/saml2/sp/acs/post"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
SSO Solution
SAML Response (continued)
    <saml:Conditions NotBefore="2018-08-29T12:03:54Z" NotOnOrAfter="2018-08-29T12:08:54Z">
      <saml:AudienceRestriction>
        <saml:Audience>sp_id</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement ...>
      ...
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
SSO Solution
Architecture
> Service Provider initiated Single Sign-On
Oracle Identity Management Federation Services
> Acts as Identity Provider (IdP)
> SAML 2.0
WebLogic Server
> Acts as Service Provider
> Accepts SAML assertions to identify the user
> SAML 2.0 Identity Asserter
> Web Single Sign-On Identity Provider Partner
SSO Solution
Architecture (diagram; surviving labels: Security Layer, Identity store, SAML Request, SAML Response)
WebLogic Domains
> Requirements
> Single Machine deployments
> Clusters or Multi-Machine deployments
WebLogic Domains
Requirements
Common requirements for all architectures
> An Identity Asserter with a WebSSO Identity Provider Partner
> An Authenticator Provider
  > Same external LDAP server as IDM Federation Services
  > SAML Authenticator Provider (virtual users)
Single Machine deployments
> Single Managed WebLogic Server
  > The WebLogic Managed Server acts as Service Provider
  > The application must keep the JSESSIONID session cookie name
> Multiple WebLogic Managed Servers
  > Additionally, each WebLogic Managed Server needs to act as Service Provider
    > Needs to be registered in OAM Federation Services
    > saml2 manual deployment (different root context)
WebLogic Domains
Requirements
Clusters or Multi-Machine deployments
> Requires the RDBMS Security Store
  > Uses a JMS Topic
  > Recommended in Multi-Machine deployments
  > Security Store cache synchronization on security changes
> Each WebLogic Cluster or independent Managed Server needs to act as Service Provider
  > Needs to be registered in OAM Federation Services
  > saml2 manual deployment (different root context)
> The application must keep the JSESSIONID session cookie name
WebLogic Domain Configuration
> Configure the RDBMS Security Store
> Register the Identity Provider
> Enable Service Providers and publish the Site URL
WebLogic Domain Configuration
RDBMS Security Store
> Has to be done at Domain creation time
> The database schema needs to be created beforehand
  > rdbms_security_store_<db_type>.sql
> Using the Admin Console or WLST
  > Navigate to the correct page: Environment > Security Realms > myrealm > Configuration > RDBMS Security Store
  > Enable RDBMS Security Store
  > Provide the database schema connection details
  > Provide the JMS Topic details
  > No DB connection validation
WebLogic Domain Configuration
Register the Identity Provider
> Get the IDM Federation Services IdP metadata
> Using the Admin Console or WLST
  > Navigate to Environment > Security Realms > myrealm > Providers tab > Authentication sub-tab
  > Create a new SAML 2.0 Identity Asserter provider
    > Requires a WebLogic Domain restart
  > Back in the SAML 2.0 Identity Asserter provider
    > Create a new WebSSO Identity Provider Partner
    > Import the IDM Federation Services IdP metadata
  > Save the configuration
WebLogic Domain Configuration
Authenticator providers
> One Authenticator provider is required
  > The Default Authenticator can't be used
> SAML 2.0 Authenticator
  > Virtual users stored in WebLogic memory
  > No user validity check
> External LDAP Authenticator provider
  > The user ID is validated from the search filter
WebLogic Domain Configuration
Enable Service Providers and publish Site URL
> Using the Admin Console or WLST
  > Navigate to Environment > Servers > <Server Name> > Configuration tab > Federation Services sub-tab
  > Select the SAML 2.0 Service Provider
    > Enable it by checking the box
    > Set the Preferred Binding to POST
  > Select SAML 2.0 General
    > Provide at least the Published Site URL and the Entity ID
> Requires a WebLogic Domain restart
WebLogic Domain Configuration
Enable Service Providers and publish Site URL
> Once the WebLogic Domain is restarted
  > In the Admin Console navigate to Environment > Servers > <Server Name> > Configuration tab > Federation Services
  > Select the SAML 2.0 Service Provider
  > Click on the Publish Meta Data button to export the Service Provider metadata
> Send this metadata XML file to the OAM Federation Services administrator to be imported in the Service Provider partner registration
WebLogic Domain Configuration
Enable Service Providers and publish Site URL
WebLogic Domain with multiple Managed Servers
> Each WebLogic Managed Server hosting a protected application needs a different Site URL
> The saml2 WAR file has to be manually deployed with a distinct root context each time
WebLogic Clusters
> The same Entity ID and Published Site URL have to be set on all WebLogic Cluster members
Troubleshooting
> How to enable debugging
> Other troubleshooting tools
> Most common issues
Troubleshooting
How to enable debugging
Which layer: security class and description
> atn: trace the authentication and management of users & groups
> atz: trace authorization policy evaluations and access decisions
> saml: trace the processing and/or generation of SAML 1.1 tokens
> saml2: trace the processing and/or generation of SAML 2.0 tokens
> ldap: trace embedded LDAP accesses
Troubleshooting
How to enable debugging
WebLogic Administration Console
> Log in to the Admin Console using your weblogic account
> Navigate to the correct page: Environment > Servers > ServerName > Debug
> Click on the Lock & Edit button
> Expand the scope weblogic and then security
> Check the components you want to enable:
  > atn
  > atz
  > ldap
  > saml
  > saml2
> Go back to the top and click on the Enable button
> Click on the Activate Changes button
Troubleshooting
How to enable debugging
WLST
> Script to run
# Connect to the Admin Server and open an edit session
connect('weblogic','welcome1','t3://vm01.dbi-workshop.com:7005')
edit()
startEdit()
# ServerDebug MBean of the managed server wls1 (attribute names are case-sensitive)
cd('Servers/wls1/ServerDebug/wls1')
set('DebugSecurityAtn','true')
set('DebugSecurityAtz','true')
set('DebugSecuritySAML2Atn','true')
set('DebugSecuritySAML2Service','true')
set('DebugSecuritySAMLCredMap','true')
# Persist and activate the change (no restart needed for debug flags)
save()
activate()
Troubleshooting
How to enable debugging
Command line start arguments
> atn: -Dweblogic.debug.DebugSecurityAtn=true
> atz: -Dweblogic.debug.DebugSecurityAtz=true
> saml: -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true
> saml2: -Dweblogic.debug.DebugSecuritySAML2Atn=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Lib=true
> Embedded LDAP: -Dweblogic.debug.DebugEmbeddedLDAPLogLevel=11 -Dweblogic.debug.DebugEmbeddedLDAP=true
Troubleshooting
Other troubleshooting tools
https://www.samltool.com/decode.php
> Use this tool to base64-decode and inflate an intercepted SAML message
> Paste a base64-encoded SAML message and obtain its plain-text version
> Use the browser debugger to catch the SAML Request and/or SAML Response
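As an added example (not from the original deck), the decode/inflate step that the samltool page performs, in Python, together with a small summary of the fields worth comparing between an intercepted request and the response that follows it. The sample is the AuthnRequest shown earlier, embedded here as a constructed string; the encoder is included so the round trip can be checked offline.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

# Constructed sample: the SP-initiated AuthnRequest shown earlier in this deck.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="https://IDP_Server/oamfed/idp/samlv20" ForceAuthn="false" '
    'ID="_0xd9d30e6ff2399bd8bc62a68d2b10755c" IsPassive="false" '
    'IssueInstant="2018-08-29T12:03:20.074Z" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sp_id</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_saml_message(xml_text, redirect_binding=False):
    """Encode a SAML message the way the browser carries it.
    HTTP-POST binding: the SAMLRequest/SAMLResponse form field holds plain base64.
    HTTP-Redirect binding: the query parameter is raw-DEFLATE compressed first."""
    data = xml_text.encode("utf-8")
    if redirect_binding:
        compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
        data = compressor.compress(data) + compressor.flush()
    return base64.b64encode(data).decode("ascii")

def decode_saml_message(encoded, redirect_binding=False):
    """Reverse of encode_saml_message: what the samltool decode page does."""
    raw = base64.b64decode(encoded)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")

def summarize(xml_text):
    """Pull out the fields to compare between a request and its response
    (the response's InResponseTo must equal the request's ID)."""
    root = ET.fromstring(xml_text)
    ns = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
    issuer = root.find("saml:Issuer", ns)
    return {
        "type": root.tag.split("}")[-1],  # AuthnRequest, Response, LogoutRequest, ...
        "ID": root.get("ID"),
        "Destination": root.get("Destination"),
        "IssueInstant": root.get("IssueInstant"),
        "Issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
    }
```

Pass redirect_binding=True for a SAMLRequest taken from a query string and leave it False for a value taken from a POST form body; a wrong choice shows up as a zlib error or as binary garbage rather than XML.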
Troubleshooting
Most common issues
Infinite loop
> The application session cookie was renamed
  > Debugging for atz shows the adjudication as successful
> The application is not accessed through the published Site URL
  > Typical issue when the published site is an LBR URL
Troubleshooting
Most common issues
Users get HTTP 403
> Conditions not respected
  > Identity Provider and Service Provider not in time sync
  > Audience not matching the Service Provider Entity ID
> Role membership
  > Application security roles declared in web.xml missing from weblogic.xml
  > Application security not configured in the WebLogic Domain
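An added example, not part of the deck, that reproduces the condition checks behind the HTTP 403 causes listed above as a standalone Python check, so a captured response can be tested against the SP settings before touching the domain (signature verification, which the Identity Asserter performs with the IdP partner's certificate, is deliberately left out). It assumes a constructed, condensed copy of the SAML Response shown earlier and a 180-second clock-skew tolerance, both chosen for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, condensed from the SAML Response shown earlier (Status and Signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-resp-1" Version="2.0">
  <saml:Assertion ID="id-AqStFZLhE0LaDMtHQAbUZRKqK-8" IssueInstant="2018-08-29T12:03:54Z" Version="2.0">
    <saml:Issuer>https://idp_server/oam/fed</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Allan@doag.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_0xd9d30e6ff2399bd8bc62a68d2b10755c"
          NotOnOrAfter="2018-08-29T12:08:54Z" Recipient="https://target_Server/saml2/sp/acs/post"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-08-29T12:03:54Z" NotOnOrAfter="2018-08-29T12:08:54Z">
      <saml:AudienceRestriction><saml:Audience>sp_id</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_instant(value):
    """SAML dateTime in UTC (fractional seconds optional) -> aware datetime."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(response_xml, sp_entity_id, acs_url, request_id, now, skew=timedelta(seconds=180)):
    """Return the reasons an SP would reject this response (empty list == accepted): validity
    window with clock-drift tolerance, Audience vs Entity ID, InResponseTo vs request ID, Recipient."""
    now = parse_instant(now) if isinstance(now, str) else now
    problems = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    cond = assertion.find("saml:Conditions", NS)
    if now + skew < parse_instant(cond.get("NotBefore")):
        problems.append("NotBefore is in the future: check IdP/SP time sync")
    if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        problems.append("assertion expired (NotOnOrAfter): check IdP/SP time sync")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience %s does not match SP Entity ID %s" % (audiences, sp_entity_id))
    data = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None or data.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the outstanding AuthnRequest ID")
    if data is None or data.get("Recipient") != acs_url:
        problems.append("Recipient does not match the SP assertion consumer URL")
    return problems
```

The Entity ID and Published Site URL passed in are the values set on the SAML 2.0 General tab; a non-empty result names which of the 403 causes above applies.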
Conclusion
> Advantages vs Drawbacks
> Final Words
Conclusion
Advantages vs Drawbacks
Advantages
> Easy to configure
> Reliable once configured
> Does not require additional Web Tiers with SSO modules
Drawbacks
> Requires the RDBMS Security Store and a JMS Topic
> Take care of certificate expiration
> No multiple Site URL access permitted
Conclusion
Final Words
> Simplifies SSO deployment on the WebLogic side
> Reduces the cost of the integration
  > No additional Web Tier needed
  > Less installation and configuration work
> The OAM Federation Service provides our project an end-to-end, scalable identity federation infrastructure that addresses all the needs of the federation partners inside the organization
Basel, Delémont, Zürich, Nyon
Any questions? Please do ask!
We would love to boost your IT infrastructure. How about you?
Let's meet at booth 242