WebLogic server integration with SAML 2.0

WebLogic server integration with SAML - SP initiated and IDP initiated Single sign on

This post will cover the two scenarios of SSO in SAML Federation, the SP-initiated SSO flow and IdP-initiated SSO flow. Both these flows are part of the SAML Web SSO and valid for various integrations with WebLogic server, PingFederate or Okta.

There are two models for Web SSO - SP-initiated and IdP-initiated.
SP-initiated and IdP-initiated models


The above diagram shows the two models for Web SSO flow. Since there are two options, the first choice is to decide your use case of where the user will start the process of the Web SSO.
The SP-initiated SSO flow is described first and followed by IdP-initiated SSO flow.

SP-initiated SSO flow

In this use case, the user is provided with a published URL which the user accesses via their browser which takes them directly to the Service Provider (SP) Application URL/resource. However since the user is not logged in at the SP, the user request is redirected to the IdP (Identity Provider) to authenticate, before the user request is permitted to access the Protected URL. The IdP builds an assertion representing the user's authentication at the IdP and then sends the user back to the SP with the assertion which contains the details of the authenticated user, time of authentication with a time stamp. The SP receives the assertion and is able to decrypt the contents of the assertion and verify it was indeed sent by the IdP. If the user request is valid the SP grants the user access to the resource. This was a summary of how SP-initiated SSO flow works and is also the common scenario in Web SSO.

IdP-initiated SSO flow

In an IdP-initiated SSO flow, the user is visiting an IdP to begin with and where they are already authenticated and they click on a link to a partner SP. The IdP builds an assertion representing the user's authentication state at the IdP and sends the user's browser over to the SP, specifically the assertion consumer service at SP. The SP receives the assertion, processes the assertion and creates a local security context for the user at the SP. This approach is useful in certain environments, but requires the IdP to be configured with inter-site transfer links to the SP's site. Sometimes a binding-specific field called RelayState is used to coordinate messages and actions of IdPs and SPs, for example, to allow an IdP (with which SSO was initiated) to indicate the URL of a desired resource when communicating with an SP.

Now that we have covered both SP-initiated and IdP-initiated SSO flows, we will describe both the scenarios with diagram and each of the steps in the flow.

                            SP-initiated diagram
Description of Figure 5-9 follows
Above is flow of user authentication request in WebLogic server with SP initiated Single sign on

                           IdP-initiated diagram
 Description of Figure 5-10 follows
Above is user authentication flow with Identity Provider initiated Single sign on

Flow with steps for SP initiated Single sign on

1)From a web browser, a user attempts to access a protected resource running in a WebLogic container that is hosted by a Service Provider.
2)The WebLogic container invokes the WebLogic Security Service to determine if the user is authenticated.
3)Because the user is not authenticated, the Service Provider generates an authentication request that contains information about the unauthenticated user and sends it to the Identity Provider, using the endpoint of the Identity Provider's Single Sign-On Service.
The Service Provider can be configured to use one of the following bindings for transmitting the authentication request:

 HTTP POST - When using the HTTP POST binding, the Service Provider sends an HTTP POST message containing the authentication request to the user's browser. The HTTP POST message is then sent to the Identity Provider's Single Sign-On Service.

HTTP Artifact - The Service Provider sends an HTTP redirect message that includes a SAML artifact to the user's browser. The SAML artifact contains a pointer to the authentication request message, which is maintained by the Service Provider's Artifact Resolution Service (ARS). When the Identity Provider receives the HTTP redirect message, it sends an artifact resolution request to the Service Provider's ARS to obtain the authentication request message.

HTTP Redirect - The Service Provider sends an HTTP redirect message to the user's browser, which sends an HTTP GET message to the Identity Provider's Single Sign-On Service.

 4) The user is presented with a login web application hosted by an Identity Provider that is capable of authenticating that user. The Identity Provider challenges the user for his or her credentials.
5)The user provides his or her username and password to the Identity Provider, which completes the authentication operation.
6)The Single Sign-On Service hosted by the Identity Provider generates an assertion for the user and returns an authentication response to the Service Provider's Assertion Consumer Service (ACS).

 The Identity Provider can be configured to use the following bindings:

 HTTP POST - The Identity Provider sends the authentication response, which contains the assertion, to the user's browser. The authentication response is transmitted to the Service Provider via an HTTP POST message.

HTTP Artifact - The Identity Provider sends an authentication response, which contains a SAML artifact, to the user's browser. The SAML artifact contains a pointer to the assertion, which is handled by the Identity Provider's Artifact Resolution Service (ARS). The authentication response is transmitted to the Service Provider via an HTTP redirect message.When the Service Provider receives the response, it sends an artifact resolution request to the Identity Provider's ARS to obtain the assertion.

 The ACS validates the assertion, extracts the identity information from that assertion, and maps that identity to a subject in the local security realm.

 7)The ACS sends an HTTP redirect message to the browser, passing a cookie containing a session ID and enabling the browser to access the requested resource.
The WebLogic Security Service performs an authorization check to determine whether the browser may access the requested resource. If the authorization check succeeds, access to the resource is granted.

Flow with steps for Identity Provider initiated Single sign on

1)The user is presented with a login web application hosted by an Identity Provider that authenticates the user. The Identity Provider challenges the user for his or her credentials.
2)The user provides his or her username and password to the Identity Provider, which completes the authentication process.
The user issues a request on a resource that is hosted by a Service Provider.
3)The Single Sign-On Service hosted by the Identity Provider sends an unsolicited authentication response to the Service Provider to the Service Provider's Assertion Consumer Service (ACS).
Regardless of how the SSO session is initiated, the Identity Provider uses the same bindings as described in Service Provider Initiated Single Sign-On.
4)The ACS validates the assertion, extracts the identity information, and maps that identity to a subject in the local security realm. The ACS sends an HTTP redirect message to the browser, passing a cookie containing a session ID and enabling the browser to access the requested resource.
5)The WebLogic Security Service performs an authorization check to determine whether the browser may access the requested resource. If the authorization check succeeds, access to the resource is granted.
Note: WebLogic may require Active Directory or another LDAP directory as an authentication provider. Refer to this blog for key settings in integrating WebLogic server with Active Directory.
Reference: Oracle WebLogic Server (WLS) and SAML integration
https://docs.oracle.com/cd/E23943_01/web.1111/e13710/archtect.htm#SCOVR245
Service Provider initiated SSO with WebLogic server
http://oamoim.blogspot.com/2017/05/service-provider-initiated-sso-on.html

Another good reference is this WebLogic configuration as SP and ADFS as the IDP. Although the IDP here is ADFS the steps are relevant for any other IDP provider such as PingFederate.
When using PingFederate as an IDP with WebLogic use this reference with Okta as an example IDP. This blog is relevant when doing integration between PingFederate and WebLogic. Here the use case is WebLogic hosting application as the Service Provider and PingFederate being the IDP/Identity Provider. WebLogic settings have to be done for Active Directory as the Authentication Provider, here WebLogic queries to verify the user attributes which are returned in a SAML Assertion.

Comments

Post a Comment

Popular posts from this blog

VMware fix for Invalid manifest and ova file import failed errors

Image
Recently we got a OVA file for a virtual machine. The vendor instructions were to import the ova file in vmware Workstation, Player for Windows/Linux, Fusion for Mac, and VirtualBox as well.  The instructions were to take the available package and launch the VM with VMware workstation. The package contained  Module.mf, Module.ovf and Module-disk.vmdk and a Module.ova file. The .mf and .ovf file were 2 KB each whereas the vmdk was several gigs. The package also contained a Module.ova file which was several gigs as well. OVF           Open Virtualization Format MF             Manifest file VMDK       Virtual Machine Disk OVA           Open Virtualization Appliance The ovf file is a xml file that contains metadata for the ovf package The mf file contains the SHA1 hash codes of all files in the package The vmdk file is the disk image of the virtual machine,  VMware Workstation or VirtualBox. (vmdk format was originally developed by VMware and is an open format now). All of
Read more

SOAPUI - import certificate

Image
Note: SoapUI has two versions, one is open source and second Professional version. The open source can be download here . (confirmed link 12/19/2018). SSL Handshake issue:   There is an Issue in SoapUI version 5.3.0 (and 5.2.0 version) with SSL handshake error. It was resolved by updating below in vmoptions file ( refer here ). However, the error that shows up while trying to load wsdl is "Error loading WSDL" as below The fix is to Enable TLS 1.2 protocol for SOAP/REST calls in SoapUI, by ammending the vmoptions file to add the directive for TLS as (-Dsoapui.https.protocols=TLSv1.2). Refer here . Update: Version 5.5.0 does not have this issue. If you are on 5.3.0 better upgrade to 5.5.0 which is available now (Feb 2019). I had above issue as well as another issue reaching to https endpoint. Upgrade to 5.5.0 resolved issue. Select "Check for updates" under the Help menu and you will get option for upgrade. Select upgrade current version and accept all defaul
Read more

Centrally Managed Users (CMU) - New Feature in Oracle Database 18c

Image
Centrally Managed Users (CMU) Centrally Managed Users or CMU is a new feature introduced since Oracle DB 18c which allows simplified database user management through integration with Microsoft Active Directory (AD). Beginning with Oracle Database release 18c, version 18.1 and later supports direct integration with Microsoft Active Directory (AD) using the new centrally managed users capability. CMU allows the Oracle database to perform user authentication and authorization directly against AD. Benefits of CMU With centrally managed users, users accessing the database can be centrally managed to improve an organization's security posture. An enterprise user (a user in Microsoft Active Directory) can be exclusively mapped to a database account, or many enterprise users (in an Microsoft Active Directory group) can be mapped to a shared account in the database. Microsoft Active Directory groups can also be mapped to a database global role, which provides users with additional privilege
Read more