In a previous blog, I explained how it is possible to create an LDAP/LDAPs Authentication Provider on WebLogic. My initial goal wasn’t just to setup an LDAP/LDAPs on WebLogic Server. That was only a first step needed in order to automate the setup of a SAML2 Single Sign-On linked with the authentication from a LDAPs. Therefore, in this blog, we will take a look at that second part. Just like for the LDAP Authentication Provider, there are plenty of examples on the internet to do just that but they are all always using the GUI. When I searched for it, I didn’t find even a single one explaining how it could be done without. Maybe there are some but if so, it looks like they are pretty well hidden. In addition to that, you might think about just recording the steps in the WebLogic Administration Console so that it would create you the needed WLST scripts (just like for the LDAPs provider creation). Unfortunately, it’s not that simple. Indeed, it doesn’t work for everything and in addition to that, most of the steps that will be needed are outside of an edit session and therefore can’t be recorded.
In this blog, I will SAML 2.0 and I will assume that there is already an Identity Provider (“Server side“) that has been configured and I will configure a WebLogic Server (“Client side” = Service Provider) to use this Identity Provider using a WebSSO partner. In the WebLogic examples provided with the OFM full installation, there is a complete example for SAML2 on both Server and Client sides. For the Client side, they are however using a manual creation of the IdP Partner, importing the SSL Certificate, defining the URLs, aso… A simpler & faster approach is to use a metadata file that can be extracted/exported from the Server side which contains all these information and then imported into the Client side. That’s what I will show below, so it is pretty different to what is done in the example.
Alright, so the first thing to be done is to create a new Authentication Provider using the SAML2IdentityAsserter type. Because this change requires a full restart of the WebLogic Server, I usually do it with the LDAP Authentication Provider but for this example, I will split things and only talk about the SAML2 part. Just like in the previous blog, I will use a properties file and a WLST script. You can disregard the LDAP Authentication Providers parameters, they are only used for the LDAP part in the other blog, except ATN_NAME which I still used below but that’s only in case you do have a LDAP/LDAPs Authentication Provider in addition to the SAML2 one that you want to create:
[weblogic@weblogic-server-0 ~]$ cat domain.properties # AdminServer parameters CONFIG_FILE=/home/weblogic/secure/configfile.secure KEY_FILE=/home/weblogic/secure/keyfile.secure ADMIN_URL=t3s://weblogic-server-0.domain.com:8443 # LDAP Authentication Providers parameters ATN_NAME=Internal_LDAP ATN_FLAG=SUFFICIENT ATN_HOST=ldap.domain.com ATN_PORT=636 ATN_PRINCIPAL=ou=APP,ou=applications,ou=intranet,dc=dbi services,dc=com ATN_CREDENTIAL=T3stP4ssw0rd ATN_SSL=true ATN_BASE_DN=ou=people,ou=intranet,dc=dbi services,dc=com ATN_USER_FILTER=(&(uid=%u)(objectclass=person)) ATN_USER_CLASS=person ATN_USER_AS_PRINCIPAL=true ATN_GROUP_FILTER=(&(cn=%g)(objectclass=groupofuniquenames)) ATN_TIMEOUT=30 # IdP Partner parameters IDA_NAME=APP_SAML2_IDAsserter IDP_NAME=APP_SAML2_IDPartner IDP_METADATA=/home/weblogic/idp_metadata.xml IDP_ENABLED=true IDP_REDIRECT_URIS=['/D2-01/*','/D2-02/*'] # Managed Servers SSO parameters SSO_MS=msD2-01,msD2-02 SSO_URLS=https://lb_url1/saml2,https://lb_url2/saml2 SSO_ENTITY_IDS=APP_SAML2_Entity_ID_01,APP_SAML2_Entity_ID_02 SSO_SP_ENABLED=true SSO_SP_BINDING=HTTP/POST [weblogic@weblogic-server-0 ~]$ [weblogic@weblogic-server-0 ~]$ [weblogic@weblogic-server-0 ~]$ cat createSAML2AuthenticationProviders.wlst ################################################################## # # Authors: Morgan Patou # Version: 1.4 - 30/08/2019 # # File: createSAML2AuthenticationProviders.wlst # Purpose: Script to create SAML2 Authentication Providers # Parameters: input properties file (optional) # Output: # ################################################################## # Get operating system (for vars) import os # Read the domain properties file try: if len(sys.argv) == 2: domainProperties=sys.argv[1] else: domainProperties=os.path.realpath(os.path.dirname(sys.argv[0])) + "/domain.properties" loadProperties(domainProperties) print ">>> Loaded the properties file: " + domainProperties print except: exit(exitcode=1) try: redirect('/dev/null','false') # Connect to AdminServer connect(userConfigFile=CONFIG_FILE,userKeyFile=KEY_FILE,url=ADMIN_URL) print ">>> Connected to the AdminServer." # Start Edit Session edit() startEdit() stopRedirect() print ">>> Edit Session started." # Get default Realm realm=cmo.getSecurityConfiguration().getDefaultRealm() # Create Authentication Providers saml2IdA=realm.lookupAuthenticationProvider(IDA_NAME) if saml2IdA != None: realm.destroyAuthenticationProvider(saml2IdA) saml2IdA=realm.createAuthenticationProvider(IDA_NAME,'com.bea.security.saml2.providers.SAML2IdentityAsserter') print ">>> Authentication Provider created." # Reorder Authentication Providers defaultAtn=realm.lookupAuthenticationProvider('DefaultAuthenticator') defaultIdA=realm.lookupAuthenticationProvider('DefaultIdentityAsserter') iplanetAtn=realm.lookupAuthenticationProvider(ATN_NAME) realm.setAuthenticationProviders(jarray.array([saml2IdA,iplanetAtn,defaultAtn,defaultIdA],weblogic.management.security.authentication.AuthenticationProviderMBean)) print ">>> Authentication Providers re-ordered." except Exception, e: print "ERROR... check error messages for cause." print e exit(exitcode=1) redirect('/dev/null','false') save() activate() disconnect() exit(exitcode=0) [weblogic@weblogic-server-0 ~]$
So let’s execute this script then:
[weblogic@weblogic-server-0 ~]$ ls configServiceProviders.wlst createSAML2AuthenticationProviders.wlst createWebSSOIdPPartners.wlst domain.properties idp_metadata.xml [weblogic@weblogic-server-0 ~]$ [weblogic@weblogic-server-0 ~]$ $ORACLE_HOME/oracle_common/common/bin/wlst.sh createSAML2AuthenticationProviders.wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands >>> Loaded the properties file: /home/weblogic/domain.properties >>> Connected to the AdminServer. >>> Edit Session started. >>> Authentication Provider created. >>> Authentication Providers re-ordered. [weblogic@weblogic-server-0 ~]$
As mentioned previously, you will need to restart the WebLogic Domain at this point. Once done, you can continue with the next part which is to create the IdP Partner. Using the same properties file and another WLST script:
[weblogic@weblogic-server-0 ~]$ cat createWebSSOIdPPartners.wlst ################################################################## # # Authors: Morgan Patou # Version: 1.4 - 30/08/2019 # # File: createWebSSOIdPPartners.wlst # Purpose: Script to create a WebSSO IdP Partner # Parameters: input properties file (optional) # Output: # ################################################################## # Get operating system (for vars) import os # Read the domain properties file try: if len(sys.argv) == 2: domainProperties=sys.argv[1] else: domainProperties=os.path.realpath(os.path.dirname(sys.argv[0])) + "/domain.properties" loadProperties(domainProperties) print ">>> Loaded the properties file: " + domainProperties print except: exit(exitcode=1) try: redirect('/dev/null','false') # Connect to AdminServer connect(userConfigFile=CONFIG_FILE,userKeyFile=KEY_FILE,url=ADMIN_URL) print ">>> Connected to the AdminServer." stopRedirect() # Get default Realm realm=cmo.getSecurityConfiguration().getDefaultRealm() # Config Web SSO IdP Partner saml2IdA=realm.lookupAuthenticationProvider(IDA_NAME) if saml2IdA != None: if saml2IdA.idPPartnerExists(IDP_NAME): saml2IdA.removeIdPPartner(IDP_NAME) idpPartner=saml2IdA.consumeIdPPartnerMetadata(IDP_METADATA) idpPartner.setName(IDP_NAME) idpPartner.setEnabled(Boolean(IDP_ENABLED)) idpPartner.setRedirectURIs(array(eval(IDP_REDIRECT_URIS),java.lang.String)) saml2IdA.addIdPPartner(idpPartner) print ">>> Web SSO IdP Partner created." except Exception, e: print "ERROR... check error messages for cause." print e exit(exitcode=1) redirect('/dev/null','false') disconnect() exit(exitcode=0) [weblogic@weblogic-server-0 ~]$
As you can see above, this one doesn’t require an edit session and therefore can’t be recorded. The key part above is the “consumeIdPPartnerMetadata(…)” method which is loading the metadata file that was generated by the Identity Provider (“Server side“). It will take care of setting up the SSL Certificate for the Identity Provider as well as all the usable URLs, aso… The path and name of this input metadata file can be found in the properties file. The execution of the WLST is simple and smooth:
[weblogic@weblogic-server-0 ~]$ $ORACLE_HOME/oracle_common/common/bin/wlst.sh createWebSSOIdPPartners.wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands >>> Loaded the properties file: /home/weblogic/domain.properties >>> Connected to the AdminServer. >>> Web SSO IdP Partner created. [weblogic@weblogic-server-0 ~]$
The next step is then to configure your Managed Servers by creating the Service Providers, defining the published URL, the Entity ID and other parameters. Then generate an output metadata file for each of your Managed Servers. These output metadata files will need to be imported into the Identity Provider to close the SAML2 SSO chain. Again a new WLST script for this last part:
[weblogic@weblogic-server-0 ~]$ cat configServiceProviders.wlst ################################################################## # # Authors: Morgan Patou # Version: 1.4 - 30/08/2019 # # File: configServiceProviders.wlst # Purpose: Script to configure SSO Service Providers # Parameters: input properties file (optional) # Output: # ################################################################## # Get operating system (for vars) import os # Read the domain properties file try: if len(sys.argv) == 2: domainProperties=sys.argv[1] else: domainProperties=os.path.realpath(os.path.dirname(sys.argv[0])) + "/domain.properties" loadProperties(domainProperties) print ">>> Loaded the properties file: " + domainProperties print except: exit(exitcode=1) try: redirect('/dev/null','false') # Connect to AdminServer connect(userConfigFile=CONFIG_FILE,userKeyFile=KEY_FILE,url=ADMIN_URL) print ">>> Connected to the AdminServer." # Start Edit Session edit() startEdit() stopRedirect() print ">>> Edit Session started." # Config SSO Service Providers publishedSiteURLs=SSO_URLS.split(',') entityIDs=SSO_ENTITY_IDS.split(',') id=0 for ssoServerName in SSO_MS.split(','): ssoServer=cmo.lookupServer(ssoServerName) ssoService=ssoServer.getSingleSignOnServices() ssoService.setPublishedSiteURL(publishedSiteURLs[id]) ssoService.setEntityID(entityIDs[id]) ssoService.setServiceProviderEnabled(Boolean(SSO_SP_ENABLED)) ssoService.setServiceProviderPreferredBinding(SSO_SP_BINDING) id=id+1 print ">>> SSO Service Providers configured." except Exception, e: print "ERROR... check error messages for cause." print e exit(exitcode=1) redirect('/dev/null','false') save() activate() try: # Start Runtime Session domainRuntime() stopRedirect() print ">>> Runtime Session started." # Export Service Providers metadata for ssoServerName in SSO_MS.split(','): cd('/ServerRuntimes/'+ssoServerName) cmo.getSingleSignOnServicesRuntime().publish('/tmp/'+ssoServerName+'_sp_metadata.xml',false) print ">>> Service Providers metadata files exported." except Exception, e: print "ERROR... check error messages for cause." print e exit(exitcode=1) redirect('/dev/null','false') disconnect() exit(exitcode=0) [weblogic@weblogic-server-0 ~]$
So as mentioned above, the first section is looping on the Managed Servers list from the parameters to configure the SAML2 SSO for all of them. This part requires an edit session. The second section is doing the export of the Service Providers metadata files under /tmp and this doesn’t need any edit session, it needs to be done with a runtime session instead. Again, the execution:
[weblogic@weblogic-server-0 ~]$ $ORACLE_HOME/oracle_common/common/bin/wlst.sh configServiceProviders.wlst Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands >>> Loaded the properties file: /home/weblogic/domain.properties >>> Connected to the AdminServer. >>> Edit Session started. >>> SSO Service Providers configured. >>> Runtime Session started. >>> Service Providers metadata files exported. [weblogic@weblogic-server-0 ~]$ [weblogic@weblogic-server-0 ~]$ ls /tmp/*metadata.xml /tmp/msD2-01_sp_metadata.xml /tmp/msD2-02_sp_metadata.xml [weblogic@weblogic-server-0 ~]$
At that point, the WebLogic Server acting as Service Provider is fully configured. You can now transfer these metadata files to the Identity Provider side and import them there.
There is one last thing that I didn’t talk about and that’s the configuration of the Application itself, if needed, to use the SAML2 SSO. In the case of Documentum D2, it does support the LDAP + SAML2 SSO, you just have to have some basic configuration in the web.xml and weblogic.xml. There is an example I wrote a little bit more than two years ago: here.