


https://blogs.oracle.com/blogbypuneeth/steps-to-configure-saml-20-with-shibboleth-deployed-on-wls-as-idp-and-weblogic-as-sp



Steps to configure SAML 2.0 with Shibboleth ( deployed on WLS ) as IDP and Weblogic as SP.

Puneeth Prakash 
PRINCIPAL SOFTWARE ENGINEER

In the example below we will see how to configure SAML 2.0 SSO using Shibboleth ( deployed on WLS ) as Identity Provider and Weblogic as Service Provider.

* I am using Shibboleth v2.3.8 as Identity Provider, Weblogic 10.3.6 as Service Provider and Active Directory for LDAP authentication in this example.

Step 1 :

  • Create two domains in WLS 10.3.6, namely :
    • " shibboleth-idp_domain " --> For Shibboleth IDP --> Admin server http port 7001 and https port 7002.
    • " sp_domain " --> For WLS SP --> Admin server http port 8001 and https port 8002.

Note : In this example I will be using the Weblogic console app for SAML SSO. If you want SAML SSO for any other application like analytics / BI / a custom app, which are deployed on Managed Servers, then make sure you give the port number of the Managed Servers in all the URLs during configuration.

Step 2 :

  • Download Shibboleth IDP from the following link :

Link : http://shibboleth.net/downloads/identity-provider/2.3.8/shibboleth-identityprovider-2.3.8-bin.zip

Step 3 :

  • Unzip and Install Shibboleth.
    • Unzip the downloaded Shibboleth software ( Unzip shibboleth-identityprovider-2.3.8-bin.zip to any location, say Desktop )
    • Open a cmd prompt and run the setDomainEnv.cmd command
    • Now cd to the unzipped folder and run the following command : 

           install.sh   or   install.bat

  • When you run the install.bat file, you would get an option to select the location where you want Shibboleth to be installed.

Note : Give a path which does not contain any spaces, e.g. avoid a path like C:\Program Files\shibboleth-idp.

In this example I have installed shibboleth in c:\shibboleth-idp.

  • You would also get an option to create a self signed identity keystore.

Note : You have to use a fully qualified DNS name for the host ( Ex : an FQDN like abcd.oracle.com ), or else the Shibboleth installation will fail.

  • You can provide any password in the password field in cmd prompt.

Note : The password you enter would be your storepass ( password of your keystore ), as well as the keypass ( password of your private key entry ).


Step 4 :

  • Configure Shibboleth as Identity Provider.

To configure Shibboleth as Identity Provider you need to edit the following Shibboleth config files and deploy the Shibboleth war file in the Weblogic IDP domain.

  1. idp-metadata.xml
  2. login.config
  3. handler.xml
  4. relying-party.xml
  5. attribute-resolver.xml
  6. attribute-filter.xml

Note : It is always good to take a backup of the original Shibboleth config files before editing them. 

Let's edit the above files one after the other :

  1. Edit " C:\shibboleth-idp\metadata\idp-metadata.xml " and make the following changes :

  • Search for " entityID " and " Location " in idp-metadata.xml and fix all the URLs so that they point to the correct port number ( the port of the server in the WLS IDP domain to which the Shibboleth war file will be targeted ; in our case this is port 7002 of domain shibboleth-idp_domain ) :

....
....
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://test.oracle.com:7002/idp/shibboleth"> 
....
....
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://test.oracle.com:7002/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://test.oracle.com:7002/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://test.oracle.com:7002/idp/profile/Shibboleth/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.oracle.com:7002/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://test.oracle.com:7002/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.oracle.com:7002/idp/profile/SAML2/Redirect/SSO"/>
....
....

  • Comment out the following lines in idp-metadata.xml :

<!--
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://test.oracle.com:7002/idp/profile/Shibboleth/SSO"/>

 -->   
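As an added check ( example code, not part of the original post ), the following Python script parses an idp-metadata.xml and flags any entityID or endpoint Location that is not https on the expected IdP host and port, and confirms that the SAML 2.0 HTTP-POST SSO endpoint the Weblogic SP will use is advertised. The sample metadata is constructed and deliberately leaves two endpoints stale; the host name test.oracle.com and port 7002 are taken from the example above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample modelled on the Step 4 snippet. Two endpoints are left
# deliberately inconsistent (one on a stale port, one on plain http) to show
# what an incomplete edit of idp-metadata.xml looks like to the checker.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://test.oracle.com:7002/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://test.oracle.com:7002/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://test.oracle.com:8443/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://test.oracle.com:7002/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text, host, port):
    """Return a list of findings; an empty list means every endpoint is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    # The entityID and every endpoint Location must be https on host:port,
    # otherwise the SP will send the browser to an endpoint the IdP does not serve.
    urls = [("entityID", root.get("entityID", ""))]
    for el in root.iter():
        if el.get("Location"):
            urls.append((el.tag.rpartition("}")[2], el.get("Location")))
    for what, url in urls:
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"{what}: not https: {url}")
        if parts.hostname != host or parts.port != port:
            findings.append(f"{what}: unexpected host/port: {url}")
    # The Weblogic SP is configured with POST as preferred binding (Step 6),
    # so the IdP must advertise a SAML 2.0 HTTP-POST SingleSignOnService.
    bindings = {e.get("Binding") for e in root.findall(".//md:SingleSignOnService", NS)}
    if SAML2_POST not in bindings:
        findings.append("no SAML 2.0 HTTP-POST SingleSignOnService advertised")
    return findings


if __name__ == "__main__":
    for line in check_idp_metadata(SAMPLE_METADATA, "test.oracle.com", 7002):
        print(line)
```

Run it against the real C:\shibboleth-idp\metadata\idp-metadata.xml by reading the file into xml_text; the sample reports the stale 8443 endpoint and the plain-http Redirect endpoint.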

  2. Edit " C:\shibboleth-idp\conf\login.config " and make the following changes :

  • In this file you need to provide the values to connect to your LDAP ( I am using Active Directory in this example ) :
....
.... 

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://abc.in.oracle.com:389"
      bindDn="test"
      bindCredential="password"
      ssl="false"
      tls="false"
      baseDn="CN=Users,DC=UP,DC=COM"
      subtreeSearch="true"
      userFilter="sAMAccountName={0}";
}; 

Note :

- If you are connecting to OID then you can change the userFilter to  userFilter="uid={0}"

- JAAS configuration files are loaded into the VM's runtime configuration. Because of this, changes to the login configuration file are NOT reloaded if you stop and restart the IdP web application. You MUST restart the entire web application server. 

  3. Edit " C:\shibboleth-idp\conf\handler.xml " and make the following changes :

  • Un-comment the Username/password login handler :

....
....
<!--  Username/password login handler -->
    <ph:LoginHandler xsi:type="ph:UsernamePassword" 
                  jaasConfigurationLocation="file://c:\shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>
....
.... 

  • Comment out the RemoteUser login handler :
....
<!--
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
-->
....
....
....
<!-- Login Handlers -->

  4. Edit " C:\shibboleth-idp\conf\relying-party.xml " and make the following changes :

  • Correct the port number in the provider URL of the DefaultRelyingParty element, and add a default authentication method :
....
....
<rp:DefaultRelyingParty provider="https://test.oracle.com:7002/idp/shibboleth" defaultSigningCredentialRef="IdPCredential" defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
....
.... 

  • In the ProfileConfiguration with type="saml:SAML2SSOProfile", change encryptAssertions from conditional to never :
....
....
<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" 
                                 assertionLifetime="PT5M" assertionProxyCount="0" 
                                 signResponses="never" signAssertions="always" 
                                 encryptAssertions="never" encryptNameIds="never"/> 
....
.... 

  5. Edit " C:\shibboleth-idp\conf\attribute-resolver.xml " and make the following changes :

  • Comment out the AttributeDefinition of type TransientId ( under Name Identifier related attributes ) :
....
.... 
    <!-- Name Identifier related attributes -->

<!--
    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </resolver:AttributeDefinition>
-->
....
.... 

  • Add a new AttributeDefinition of type PrincipalName along with its AttributeEncoder :

....
....
 <resolver:AttributeDefinition id="principalId" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>
....
.... 

  6. Edit " C:\shibboleth-idp\metadata\attribute-filter.xml " and make the following changes :

  • Comment out the section " Release the transient ID to anyone " ( i.e. comment out the AttributeFilterPolicy for the transient ID ) :

....
.... 
     <!--  Release the transient ID to anyone -->
<!--
        <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
        <afp:AttributeRule attributeID="transientId">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
-->
....
.... 

  • Add a new AttributeFilterPolicy for the principal ID ( i.e. add a section " Release the principal ID to anyone " ) :
....
....
<!--  Release the principal ID to anyone -->
    <afp:AttributeFilterPolicy id="releasePrincipalIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="principalId">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
....
.... 

Step 5 :

  • Deploy the Shibboleth idp.war file located in " C:\shibboleth-idp\war " onto your Weblogic Server in IDP domain. 

Note : You have to modify the idp application to make it work with WLS in your environment.

Click here to download a sample of modified idp.war file ( compiled with JDK 1.6 ).

Please rename the idp.doc file to idp.zip and then unzip the file.

 Note :

 - If you have installed Shibboleth on a UNIX environment then you need to change the paths for " internal.xml " and " service.xml " in the web.xml file of the idp application.

e.g. :

<context-param>
<param-name>contextConfigLocation</param-name> 
        <param-value>file:<shibboleth_home>/conf/internal.xml; file:<shibboleth_home>/conf/service.xml;</param-value> 
    </context-param>

To deploy this application successfully in WLS we need to endorse Xerces and Xalan :

  • Copy all the jar files from endorsed directory of Shibboleth installation ( i.e C:\shibboleth-idp\lib\endorsed ) to <JAVA_HOME>/jre/lib/ext ( i.e C:\oracle\jdk\jre\lib\ext )
  • Login to Weblogic console and create a XML registry :

Login to WLS console --> +services --> XML Registries --> new 

  • Now add the following values : 

Name: Apache Xerces/Xalan Registry
SAX Parser Factory: org.apache.xerces.jaxp.SAXParserFactoryImpl
Transformer Factory: org.apache.xalan.processor.TransformerFactoryImpl

  • Target / Deploy this XML Registry to Admin Server. ( For this example )

  • Restart the servers and deploy the modified idp.war file to Admin Server.
  • Restart the server and check if application is in Active state.

Note : To check if IDP is configured properly access the following URL :

https://localhost:7002/idp/status

You should see an output similar to the one in screenshot below :


NOTE : 

- If you see errors in your WLS logs, check that all the Shibboleth endorsed jars are added to your <JDK_HOME>/jre/lib/ext directory. Also check that you have made all the necessary changes in your IDP application and that it is deployed successfully.

- If there are no errors in the WLS logs, then check the Shibboleth logs ( located e.g. in C:\shibboleth-idp\logs ).

- To increase the logging severity to DEBUG in Shibboleth, edit the logging.xml file ( located e.g. in C:\shibboleth-idp\conf ) :

....
.... 
<!-- Logs IdP, but not OpenSAML, messages -->
    <logger name="edu.internet2.middleware.shibboleth" level="DEBUG"/> 
....
.... 

- The logging configuration for the IdP is located at $IDP_HOME/conf/logging.xml. This file is checked for changes every 10 minutes by default and is reloaded if changes have been made. This means a deployer can keep the logging level at WARN until a problem occurs and then change the logging to DEBUG to get more information if the problem persists, all without restarting the IdP. 

Step 6 :

Let's configure the Service Provider now ( Domain : sp_domain ).

  • Create a SAML2IdentityAsserter in sp_domain. ( Ex : IdentityAsserter ).
    • Login to Weblogic Console -> SecurityRealms -> myrealm -> providers/Authentication -> new -> SAML2IdentityAsserter
  • Configure Admin Server as a SAML 2.0 Service Provider.
    • Login to Weblogic Console -> +Environment -> servers -> AdminServer -> Federation Services -> SAML 2.0 Service Provider

                Make the following changes :

    • Enabled ( Check )
    • Always Sign Authentication Requests ( Check )
    • Preferred Binding: POST
    • Default URL: http://<sp_domain_server_listenAddress>:<port>/console ( In our Ex : http://test.oracle.com:8001/console )
    • Save and Activate Changes.

    • Configure SAML 2.0 Federation properties for Admin Server.
    • Login to Weblogic Console -> +Environment -> servers -> AdminServer -> Federation Services -> SAML 2.0 General 
                 Make the following changes :
    • Replicated Cache Enabled ( Check )
    • Contact Person Given Name:
    • Contact Person Surname:
    • Contact Person Type:
    • Contact Person Company:
    • Contact Person Telephone Number:
    • Contact Person Email Address:
    • Organization Name:
    • Organization URL:
    • Published Site URL: This should be in the format http://<sp_domain_server_listenAddress>:<port>/saml2 ( In our Ex : http://test.oracle.com:8001/saml2 )
    • Entity ID: ( Ex : myEntityID )
    • Single Sign-ON --> Single Sign-on Signing Key Alias: DemoIdentity
    • Single Sign-on Signing Key Pass Phrase: DemoIdentityPassPhrase
    • Confirm Single Sign-on Signing Key Pass Phrase: DemoIdentityPassPhrase
    • Save and Activate Changes --> Restart your server. 

    • Let's configure the SAML IdentityAsserter using the IDP metadata :
      • Login to Weblogic Console -> SecurityRealms -> myrealm -> providers/Authentication -> IdentityAsserter ( This is the SAML2IdentityAsserter we created earlier ) -> Management -> new -> Create a SAML 2.0 Web Single Sign-on Identity Provider Partner 

                   Make the following changes :

      • Name : WebSSO-IdP-Partner
      • Path : <path to the IDP metadata file> ( In our Ex : C:\shibboleth-idp\metadata\idp-metadata.xml )
      • Now click on the newly created partner " WebSSO-IdP-Partner " and make the following changes : 
      • Enabled ( check )
      • Description:  WebSSO-IdP-Partner
      • Virtual User ( uncheck )
      • Redirect URIs: <URIs of the protected pages in your application> ( In our example these are /console/* and /console/*.jsp )

      • Save and Activate changes.
    • Make sure that your application's cookie name is set to JSESSIONID; check your application's weblogic.xml file for this.
      • In our example we are using the Weblogic console as an application, so make the following changes :
        • Login to Weblogic Console -> <sp_domain_name > -> Configuration -> General -> +Advanced -> Console Cookie Name: JSESSIONID
        • Save and Activate changes --> Restart your server

    • Let's export the SP metadata now.
      • Login to Weblogic Console -> +Environment -> servers -> AdminServer -> Federation Services -> SAML 2.0 General -> Publish Meta Data
        • Path : Give any path and a filename to store the SP metadata xml file. ( In our Ex : C:\shibboleth-idp\metadata\sp-metadata.xml )
        • Click OK

Note : The path should include a file name with an xml extension or else the export of the SP metadata will fail.

Step 7 :

Now let's configure the Shibboleth Identity Provider to use the SP metadata.

  • You need to add a reference to the sp-metadata file in the relying-party.xml file ( Located in Ex : C:\shibboleth-idp\conf )
  • Edit C:\shibboleth-idp\conf\relying-party.xml and make the following change :
    • In the metadata configuration add an SP metadata configuration as follows :
....
....
<!-- Load the SP's own metadata.   -->
        <metadata:MetadataProvider id="SPMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="c:\shibboleth-idp/metadata/sp-metadata.xml"
                                   maxRefreshDelay="P1D" />
....
....

  • Restart both IDP and SP domains.

Step 8 :

  • Create a Weblogic user in AD.
  • Configure an Active Directory provider on both the domains.
  • Now restart the servers and test SSO.
  • To test SAML SSO with Shibboleth : Access the Weblogic console on the SP domain, i.e. http://test.oracle.com:8001/console
  • This should redirect to the Shibboleth login page.
  • Once you log in you will be redirected back to the SP domain console page.
