
SAML Configuration between Lombardi Teamworks and Weblogic Portal

White Paper
Mahesh Kotike
Banking & Financial Services 4.2

TCS Confidential

SAML Configuration between Lombardi TW and WLP

Confidentiality Statement


The information contained in this document is confidential and proprietary to TATA Consultancy Services. This information may not be disclosed, duplicated or used for any other purposes. The information contained in this document may not be released in whole or in part outside TCS for any purpose without the express written permission of TATA Consultancy Services.

© TATA Consultancy Services Ltd 2008


Abstract
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between two security domains, i.e. between an identity provider (the producer of assertions) and a service provider (the consumer of assertions). The most important problem SAML tries to solve is Single Sign-On (SSO) from a web browser. SAML assumes that the principal (often called the user) has enrolled with at least one identity provider, and that this identity provider provides local authentication services to the principal. A service provider therefore relies on the identity provider to identify the principal. At the principal's request the identity provider passes a SAML token to the service provider, and on the basis of that token alone the service provider makes its access control decision.
Teamworks is a Lombardi product running on WebLogic 9.2 that provides JSR 168 compliant portlets. To consume those portlets in WebLogic Portal, a SAML trust is needed between the WebLogic Portal domain and the Teamworks domain for SSO. The objective here is to establish that SAML trust. BEA provides the configuration set-up for this, and all of it can be done through the WebLogic console.
This paper explains the approach taken for configuring SAML at the source and destination sites between WebLogic Portal and Teamworks: how to establish the SAML trust, how to configure the SAML source and the SAML destination, and how to generate the identity and trust files.
The intended audience for this paper is BEA WebLogic Portal developers who want to consume Teamworks JSR 168 compliant portlets in their portal application.

Confidential

SAML Configuration between Lombardi TW and WLP

About the Author

Mahesh Kotike is a portal module leader working in BFS 4.2. Currently he works in the Weblogic Portal team for the BART-FSA project. The project is about providing a Business Process Modeling (BPM) solution to one of the financial regulatory bodies in Europe. He has experience in the Telecom domain and has worked on different frameworks such as Spring and Struts, and on Java/J2EE using multiple application servers (WebLogic, WebSphere, iPlanet) at British Telecom Plc.
Mahesh holds a master's degree in Computer Science.
Email ID: mahesh.kotike@tcs.com
Phone: +44 2070 660086
Designation: AST

About the Domain

BFS 4.2 is Banking and Financial Services, and FSA is part of the BFS 4.2 ISU. FSA is the Financial Services Authority, the regulatory authority for all financial firms in the UK. BART is Business Automation for Regulatory Transactions.

Confidential

SAML Configuration between Lombardi TW and WLP

CONTENTS
Introduction ..... 6
Use Case ..... 7
Single Sign-On using SAML ..... 8
Checklist ..... 8
Keystores ..... 8
Pre-requisites ..... 8
Configuring SSL ..... 9
Source Site SSL Configuration ..... 12
Destination Site SSL Configuration ..... 16
Integrating Teamworks Portlets into Weblogic Portal ..... 20
Configuring the SAML Source Site ..... 23
Configure Federation Service at SAML Source Site ..... 28
Configuring the SAML Destination Site ..... 29
Configure Federation Service at SAML Destination Site ..... 31
Run the Portal to Test SSO using SAML ..... 31
Conclusion ..... 36
Acknowledgements ..... 37
References ..... 38


Introduction
This document describes how to use SAML with BEA WebLogic 9.2 to accomplish Single Sign-On (SSO) and web service security.
For the purposes of this document we assume the following machines are configured on the local box. The entries below are used throughout the document; substitute your own source and destination hostnames/IP addresses and ports wherever they are required.

Description                           Hostname/IP Address   Server        HTTP   HTTPS
SAML Source Site (includes portal)    localhost             AdminServer   7111   7112
SAML Destination Site                 localhost             AdminServer   8101   N/A
                                                            Twprocsvr     7101   7002


Use Case

1. User attempts to access a portal page.
2. Portal domain redirects the user to the authentication page hosted by the SAML source site (which might be part of the portal domain).
3. User logs in.
4. Source site redirects the user back to the portal page, which includes the Teamworks portlet.
5. Teamworks portlet invokes some Web API operations using SAML (WSS/Sender-Vouches) to retrieve the task list and renders it.
6. User clicks the link to start a task.
7. Teamworks portlet renders an IFRAME containing a link to http://<server>/teamworks/process.lsw to display the coach.
8. Browser attempts to load the contents of the IFRAME.
9. Teamworks domain redirects the request to the SAML source site to verify identity.
10. Source site redirects the browser back to the /teamworks/process.lsw page.
11. Browser renders the coach.
12. SSO!

The important configuration bits here are getting the WSS/Sender-Vouches and Browser/POST configurations correct. The two critical settings (beyond the normal SAML/SSO configuration) are the Target URL, which should be the URL of the portal that is hosting the portlet, and the Source Site Redirect URIs, which should be "/teamworks/process.lsw" (the relative URI on the Teamworks Process Server that is responsible for coaches). The asserting parties (APs) and relying parties (RPs) for Browser/POST have to align.


Single Sign-On using SAML

This is a description of how to configure WebLogic 9.2.2 to do SSO using SAML. SSO using SAML requires a source site and one or more destination sites. The source site is the centralized authentication authority. Whenever a resource (asserting party) on a destination site is accessed by an unauthenticated client, that client is first redirected to the source site for authentication (as a relying party). After the client has authenticated, the source site redirects the client back to the requested resource with a SAML token indicating that the client has been authenticated. The user of the client (a web browser) will notice the redirects as this process occurs, but will not have to authenticate multiple times.
Before proceeding further, see the link in the References section to an SSO-using-SAML tutorial for BEA WebLogic Server 9.2.2.

Checklist

- All domains configured properly for SSL
  - Custom identity and trust certificates must be used; DemoIdentity/DemoTrust do not work
- SAML source site properly configured (SAMLAuthenticator, SAMLIdentityAsserter, SAMLCredentialMapper, PKICredentialMapper)
- SAML destination sites properly configured
- Weblogic Portal configured as the SAML source site
  - Requires a relying party in the Weblogic Portal domain
  - Requires asserting parties in the Teamworks process server domain (destination site)
- Teamworks configured as the SAML destination site (/teamworks/process.lsw)
  - Requires an asserting party in the Teamworks process server domain (destination site)
  - Requires a relying party in the SAML source site
  - Asserting party and relying party IDs have to be cross-linked (assertion consumer parameters) in the relying party configuration

Keystores
Comment: By default, WebLogic Server is configured with two keystores. The Identity
keystore is created during Key Generation and contains the private key and signed SSL
certificate. The Trust keystore contains the trusted Root CA and Intermediate CA
Certificates and is created during the installation of the Root CA.
Pre-requisites


SSL must be configured for the source and destination sites using custom identity and trust certificate stores, because DemoIdentity.jks and DemoTrust.jks will not work.
The source and destination sites should share definitions of users and groups, probably by using the same LDAP provider. Because of this, you will not want to use the Teamworks internal security provider, since that would require creating the users and groups on the source site. In this exercise, however, we used the default authenticator provided by WebLogic, i.e. SQLAuthenticator, and created the users and groups on both domains (source and destination).

Configuring SSL
SSL Steps
We will perform the following 5 steps:
1. Create the private key and certificate
2. Create the identity keystore
3. Create the trust keystore
4. Import the certificate
5. Configure WLS to use the custom identity and custom trust stores

Steps 1 - 4:
We perform the first 4 steps with a script we put together to semi-automate the creation of the source site and destination site SSL keys/certs and the SAML key/cert; see TestIdentityAndTrust.sh in the attachment:
C:\Documents and Settings\mkotike\Desktop\TW6SP1-SAML\testrun\TestIdentityAndTrust.sh

NOTE: This script should be executed only ONCE, on EITHER the source site OR the destination site, NOT on both hosts.
a) Copy TestIdentityAndTrust.sh to an empty directory.
b) Modify the '-cn' values to match the hostnames of your source site and destination site.
c) Set up the WLS environment by running:
   /usr/bea/weblogic92/server/bin/setWLSEnv.sh
d) Run TestIdentityAndTrust.sh only once.
   You will be prompted at a few points.



   To any
       Trust this certificate? [no]:
   prompt, type "yes".
   After creating the keys, certs, and stores, TestIdentityAndTrust.sh runs the keytool list option. When keytool prompts for the password of each keystore, reply with the keystore's name:
       > keytool -list -keystore TestIdentity.jks
       Enter keystore password: TestIdentity
       > keytool -list -keystore TestTrust.jks
       Enter keystore password: TestTrust
   If any part of TestIdentityAndTrust.sh fails for any reason, remove all files that were created in the empty directory and start over after correcting the problem.
e) The TestIdentityAndTrust.sh script should produce the following files:
   destsslcert.der
   destsslcert.pem
   destsslcerts.pem
   destsslkey.der
   destsslkey.pem
   samlsigncert.der
   samlsigncert.pem
   samlsigncerts.pem
   samlsignkey.der
   samlsignkey.pem
   sourcesslcert.der
   sourcesslcert.pem
   sourcesslcerts.pem
   sourcesslkey.der
   sourcesslkey.pem
   TestIdentity.jks
   TestTrust.jks
   Copy the above files to both the source site and destination site hosts, in the following location:
   /usr/bea/weblogic92/server/lib

TestIdentityAndTrust.sh
(the highlighted -cn values should be changed)

#!/bin/sh
# TestIdentityAndTrust.sh: creates the source site and destination site SSL
# keys/certs and the SAML signing key/cert, then loads them into the identity
# keystore (TestIdentity.jks) and the trust keystore (TestTrust.jks).
# Run it ONCE, in an empty directory, after sourcing setWLSEnv.sh.
# The -cn values (highlighted in the original) must be changed to the hostnames
# of your source and destination sites.
set -e

WL_LIB=/usr/bea922/weblogic92/server/lib
WL_JAR=$WL_LIB/weblogic.jar

# Convert the WebLogic demo CA certificate to PEM (produces CertGenCA.pem next to the .der)
java -cp $WL_JAR utils.der2pem $WL_LIB/CertGenCA.der

# Step 1: SSL private keys and certificates for the source site and the destination site
java -cp $WL_JAR utils.CertGen -keyfilepass mykeypass -certfile sourcesslcert -keyfile sourcesslkey -cn localhost
java -cp $WL_JAR utils.CertGen -keyfilepass mykeypass -certfile destsslcert -keyfile destsslkey -cn localhost
# The original script makes every generated file world-writable; the private key
# files only need to be readable by the user WebLogic runs as.
chmod 777 *

# Certificate chains: site certificate followed by the demo CA certificate
cat sourcesslcert.pem $WL_LIB/CertGenCA.pem >> sourcesslcerts.pem
cat destsslcert.pem $WL_LIB/CertGenCA.pem >> destsslcerts.pem

# Step 2: identity keystore holding both SSL private keys with their chains
java -cp $WL_JAR utils.ImportPrivateKey -keystore TestIdentity.jks -storepass TestIdentity \
    -keyfile sourcesslkey.pem -keyfilepass mykeypass -certfile sourcesslcerts.pem -alias sourcessl
java -cp $WL_JAR utils.ImportPrivateKey -keystore TestIdentity.jks -storepass TestIdentity \
    -keyfile destsslkey.pem -keyfilepass mykeypass -certfile destsslcerts.pem -alias destssl

# SAML assertion signing key/cert (no -cn: CertGen uses the local hostname), added to the identity keystore
java -cp $WL_JAR utils.CertGen -keyfilepass mykeypass -certfile samlsigncert -keyfile samlsignkey
chmod 777 *
cat samlsigncert.pem $WL_LIB/CertGenCA.pem >> samlsigncerts.pem
java -cp $WL_JAR utils.ImportPrivateKey -keystore TestIdentity.jks -storepass TestIdentity \
    -keyfile samlsignkey.pem -keyfilepass mykeypass -certfile samlsigncerts.pem -alias samlsign

# Steps 3 and 4: trust keystore containing the CA that issued all of the above
# (answer "yes" to the "Trust this certificate?" prompt)
keytool -import -keystore TestTrust.jks -storepass TestTrust -file $WL_LIB/CertGenCA.pem -alias self_ca

# Verify; keytool asks for each keystore password (TestIdentity / TestTrust)
keytool -list -keystore TestIdentity.jks
keytool -list -keystore TestTrust.jks



Step 5: Configure WLS to use the custom identity and custom trust stores
We need to configure both source site and destination site.

Source site SSL configuration

1. Open the WebLogic Server Administration Console.
2. In the left nav pane, expand "Environment", then click "Servers".
3. In the right pane, click "AdminServer (admin)".
4. Click on the "Keystores" tab of the AdminServer's "Configuration" tab.
5. Click the "Lock & Edit" button to prepare to modify settings.
6. Keystores Settings:
   Keystores:                             Custom Identity and Custom Trust
   Custom Identity Keystore:              /usr/bea/weblogic92/server/lib/TestIdentity.jks
   Custom Identity Keystore Type:         JKS
   Custom Identity Keystore Passphrase:   TestIdentity
   Custom Trust Keystore:                 /usr/bea/weblogic92/server/lib/TestTrust.jks
   Custom Trust Keystore Type:            JKS
   Custom Trust Keystore Passphrase:      TestTrust
7. Click "Save"
8. Click on the "SSL" tab
9. SSL Settings:
   Private Key Alias:        sourcessl
   Private Key Passphrase:   mykeypass
10. Click "Save"
11. Click the "General" tab of your AdminServer's "Configuration" tab
12. Check the "SSL Listen Port Enabled" checkbox
13. Click "Save"
14. Click "Activate Changes" (no restart should be required)
15. You should now be able to log in to the https port of your AdminServer. Try going to the WebLogic Server Administration Console:
    https://localhost:7112/console


Success!

Destination site SSL configuration

1. Open the Weblogic Server Administration Console.
2. In the left nav pane, expand "Environment", then click "Servers".
3. In the right pane, click "twprocsvr".
4. Click on the "Keystores" tab of the twprocsvr's "Configuration" tab.
5. Click the "Lock & Edit" button to prepare to modify settings.
6. Keystores Settings:
   Keystores:                             Custom Identity and Custom Trust
   Custom Identity Keystore:              /usr/bea/weblogic92/server/lib/TestIdentity.jks
   Custom Identity Keystore Type:         JKS
   Custom Identity Keystore Passphrase:   TestIdentity
   Custom Trust Keystore:                 /usr/bea/weblogic92/server/lib/TestTrust.jks
   Custom Trust Keystore Type:            JKS
   Custom Trust Keystore Passphrase:      TestTrust
7. Click "Save"
8. Click on the "SSL" tab
9. SSL Settings:
   Private Key Alias:        destssl
   Private Key Passphrase:   mykeypass
10. Click "Save"
11. Click "Activate Changes" (no restart should be required)
12. You should be able to log in to the https port of your twprocsvr (assuming you have "SSL Listen Port Enabled" checked in the "General" tab of your twprocsvr's "Configuration" tab). Try going to the Teamworks Process Server Console:
    https://localhost:7002/teamworks


Success!
Note: make sure the AdminServer and twprocsvr SSL ports are not the same. If they are the same, it will be a problem.

Integrating Teamworks portlets into Weblogic portal
This section explains the modifications required in the Teamworks portlet source, how to deploy the Teamworks portlets into the portal server, and how to consume Teamworks services from the consumer portlet.
1. Take the Teamworks portlets code from the <teamworks-installationdirectory>/portlets folder.
2. Copy the portlets folder to your local box.
3. Open "portlet.xml", which is located at <your localdir>/portlets/jsr168/web/WEB_INF.
4. Remove all the portlet preferences from portlet.xml and save it.


5. Open "WebAPIFactory.properties", which is located at <your localdir>/portlets/jsr168/resources.
6. Edit the value of the property "javax.xml.rpc.service.endpoint.address" to /webapi/services/WebAPIService and save it.
7. Open "SAMLWebAPIFactory.properties", which is located at <your localdir>/portlets/jsr168/resources.
8. Comment out "javax.xml.rpc.security.auth.username=teamworks" and "javax.xml.rpc.security.auth.password=teamworks".
9. Edit the properties listed in the table below in SAMLWebAPIFactory.properties and save it.

Property Name                                      Property Value                                                     Example Entry
javax.xml.rpc.service.endpoint.address             /webapi/services/SecureWebAPIService                               /webapi/services
teamworks.portlets.client.saml.issuer              Any issuer URI. This must be the same value you configure when     http://XPA03365
                                                   creating the relying party and asserting parties.
teamworks.portlets.client.saml.subject.qualifier   Any qualifier name. This must be the same value you configure      XPA033659.tcs.c
                                                   when creating the relying party.

10. Edit the weblogic.xml file, which is located at <your localdir>/portlets/jsr168/deploy/weblogic/web/WEB_INF. Replace the entry
    <wls:security-role-assignment>
    <wls:role-name>teamworks</wls:role-name>
    <wls:principal-name>teamworks</wls:principal-name>
    </wls:security-role-assignment>
    with
    <wls:security-role-assignment>
    <wls:role-name>teamworks</wls:role-name>
    <wls:principal-name>everyone</wls:principal-name>
    </wls:security-role-assignment>
    <wls:session-descriptor>
    <wls:cookie-name>JSESSIONID</wls:cookie-name>
    <wls:cookie-path>/</wls:cookie-path>
    <wls:persistent-store-type>memory</wls:persistent-store-type>
    </wls:session-descriptor>
11. Copy "p13n_ejb.jar" from "C:\bea\weblogic92\integration\lib\console\worklistconsoleEar\APP-INF\lib" to <your localdir>/portlets/jsr168/lib.



12. Delete the .portal file.
13. Enable the local proxy setting in the file wsrp-producer-registry.xml.
14. Run the build.xml ant build script, which is located at <your localdir>/portlets/jsr168. This will create the "teamworks-portlets.ear" file.
15. Open the WebLogic console and click on Deployments in the left panel.
16. Click on Lock & Edit, and in the right panel click on Install. Choose the teamworks-portlets.ear file and click on Finish.
17. Activate the changes. No restart is required. After the deployment is done, make sure the deployment is in the Active state. If it is in Prepared mode, select the teamworks-portlets application and click on Start -> Servicing all requests.
18. Open the portal admin console, e.g. http://localhost:7111/teamworks-portletsadmin, and log in.
19. Go to Portal Management -> Library -> Portlets. Select the Teamworks Saved Search Portlet. Click on the Preferences tab, add the preferences listed below, and update the web app.
Attribute Name                 Description                   Value                                                        Is Modifiable   Example Entry
processServerURL               process server url            http://<teamworks-installed-processserver-ip>:<port>         True            http://localhost:7101
processServerPortalWebAppURL   process server web url        http://<teamworks-installed-processserver-ip>:<port>/portal  True            http://localhost:7101/po
user                           Default user                  tw_admin                                                     True            No example entry
password                       Default password              tw_admin                                                     True            No example entry
maxRowsPerPage                 Max rows                      20                                                           True            20
ssoEnabled                     For sso                       true                                                         True            No example entry
savedSearchName                Default saved search name     Inbox                                                        True            No example entry
organizeByTask                 Task organization             true                                                         True            No example entry
taskWindowWidth                Window width                  720                                                          True            720
taskWindowHeight               Window height                 600                                                          True            600



20. Make sure the values of type "No example entry" are entered case-sensitively. Once the preferences are done, click on the "Propagate to instances" button at the bottom of the portlet.
21. Create a new portal EAR and Web application. Here we called them BARTEar and BARTPortalWeb.
22. Create a proxy portlet for Teamworks by supplying the WSDL URL http://localhost:7111/teamworks-portlets/producer/WSDL.
23. Create a .portal file and include the portlet created above.
24. Make a .ear file and deploy it on to the server.
25. Then create a role "teamworks" under Global Roles. For this, go to Security Realms in the left panel and click on the link.
26. On the right side you can find "myrealm". Click on this.
27. Click on the "Roles and Policies" tab. Expand Global Roles, then click on the Roles link under Global Roles.
28. Click on New, supply the name "teamworks" and click on Save.
29. Then open the teamworks role and add the role condition; it should be under the group Administrator (or) Portal Administrator.

Configuring the SAML source site



Add PKICredentialMapper
1. Open the Weblogic Server Administration Console
2. In the left nav pane, click "Security Realms"
3. In the right pane click "myrealm"
4. Click "Providers" tab
5. Click "Credential Mapping" (under the "Providers" tab -- NOT the "Credential Mappings" tab at the same level as the "Providers" tab)
6. Click the "Lock & Edit" button to prepare to modify settings.
   Comment: On our Source Site, there was already a PKICredentialMapper and a SAMLCredentialMapper configured for WSRP ... we deleted those before proceeding.
   Click "New"
   Select Type "PKICredentialMapper"
   Specify Name "PKICredentialMapper"
   Click "OK"
   Click "PKICredentialMapper"
   Click "Configuration" tab
   Click "Provider Specific"
   Provider Specific Settings:
     Keystore Pass Phrase:   TestIdentity
     Keystore File Name:     /usr/bea/weblogic92/server/lib/TestIdentity.jks
7. Click "Save"

Add SAMLCredentialMapper
1. Open the Weblogic Server Administration Console
2. In the left nav pane, click "Security Realms"
3. In the right pane click "myrealm"
4. Click "Providers" tab
5. Click "Credential Mapping" (under the "Providers" tab -- NOT the "Credential Mappings" tab at the same level as the "Providers" tab)
6. Click "New"
7. Select Type "SAMLCredentialMapperV2"
8. Specify Name "SAMLCredentialMapper"
9. Click "OK"
10. Click "SAMLCredentialMapper"
11. Click "Configuration" tab
12. Click "Provider Specific"
13. Provider Specific Settings:
    Signing Key Alias:        samlsign
    Name Qualifier:           XPA033659.tcs.com
    Signing Key Pass Phrase:  mykeypass
    Issuer URI:               http://XPA033659.tcs.com/demosaml



14. Click "Save"
15. Click "Activate Changes" (an AdminServer restart should be required)
16. Activate Changes at this point and possibly restart the AdminServer
17. If so, after the restart you will need to navigate back to this point before proceeding below
18. Click "Management" tab
19. Click "Certificates"
20. Click "New"
21. Trusted Certificate Properties:
    Alias:                   samlsign
    Certificate File Name:   /usr/bea/weblogic92/server/lib/samlsigncert.der
    Click "Finish"

Add the Teamworks Relying Party

22. Open the Weblogic Server Administration Console
23. In the left nav pane, click "Security Realms"
24. In the right pane click "myrealm"
25. Click "Providers" tab
26. Click "Credential Mapping" (under the "Providers" tab -- NOT the "Credential Mappings" tab at the same level as the "Providers" tab)
27. Click the "Lock & Edit" button to prepare to modify settings
28. Click "SAMLCredentialMapper"
29. Click "Management" tab
30. Click "Relying Parties"
31. Click "SAMLCredentialMapper"
32. Check the checkbox next to "rp_00001" in the Relying Parties table and click "Delete"
33. Click "New"
34. New Relying Party Settings:
    Profile:       Browser/Post
    Description:   Teamworks
35. Click "Ok"
36. You should see a relying party with a Description of "Teamworks" in the Relying Parties table (we are going to assume it is "rp_00001" for this document). Click "rp_00001":
    Partner ID:                      rp_00001
    Profile:                         Browser/POST
    Enabled:                         checked
    Description:                     Teamworks
    Target URL:                      http://localhost:7101/teamworks/process.lsw
    Assertion Consumer URL:          https://localhost:7002/samlacs/acs
    Assertion Consumer Parameters:   APID=ap_00002
    Sign Assertions:                 checked
    Include Keyinfo:                 checked
    (The APID needs to match the Browser/POST asserting party in the SAML destination, not the WSS/Sender-Vouches one.)
Add the Relying Party for communication between the Teamworks Proxy Portlet and the Teamworks Remote Portlet for getting portlet preferences
37. Open the Weblogic Server Administration Console
38. In the left nav pane, click "Security Realms"
39. In the right pane click "myrealm"
40. Click "Providers" tab
41. Click "Credential Mapping" (under the "Providers" tab -- NOT the "Credential Mappings" tab at the same level as the "Providers" tab)
42. Click the "Lock & Edit" button to prepare to modify settings
43. Click "SAMLCredentialMapper"
44. Click "Management" tab
45. Click "Relying Parties"
46. Click "New"
47. New Relying Party Settings:
    Profile:       WSS/Sender-Vouches
    Description:   WsrpDefault



48. Click "Ok"
49. You should see a relying party with a Description of "WsrpDefault" in the Relying Parties table (we are going to assume it is "rp_00002" for this document). Click "rp_00002":
    Partner ID:        rp_00002
    Profile:           WSS/Sender-Vouches
    Enabled:           Checked
    Description:       WsrpDefault
    Target URL:        default
    Sign Assertions:   checked

Add the Asserting Party for communication between the Teamworks Proxy Portlet and the Teamworks Remote Portlet for getting portlet preferences
50. Open the Weblogic Server Administration Console
51. In the left nav pane, click "Security Realms"
52. In the right pane click "myrealm"
53. Click "Providers" tab
54. Click "Authentication"
55. Click the "Lock & Edit" button to prepare to modify settings
56. Click "SAMLIdentityAsserter"
57. Click "Management" tab
58. Click "Asserting Parties"
59. Click "New"
60. New Asserting Party Settings:
    Profile:       WSS/Sender-Vouches
    Description:   demosaml
61. Click "Ok"
62. You should see an asserting party with a Description of "demosaml" in the Asserting Parties table (we are going to assume it is "ap_00002" for this document). Click "ap_00002":
    Partner ID:                        ap_00002
    Profile:                           WSS/Sender-Vouches
    Enabled:                           Checked
    Description:                       demosaml
    Target URL:                        default
    Issuer URI:                        http://XPA033659.tcs.com/demosaml
    Signature Required:                Checked
    Assertion Signing Alias:           samlsign
63. After creating this asserting party, enable the SAML Destination Federation Service.



Note: here the Portal server acts as both source and destination.

Configure Federation Service at SAML Source Site
1. Open the WebLogic Server Administration Console.
2. In the left nav pane, expand "Environment", and then click "Servers".
3. In the right pane, click "AdminServer (admin)".
4. Click on the "Federation Services" tab of the AdminServer's "Configuration" tab.
5. Click on "SAML 1.1 Source Site"
6. Click the "Lock & Edit" button to prepare to modify settings.
7. Federation Services Source Site Settings:
   Source Site Enabled:         checked
   Source Site URL:             http://localhost:7111/BARTPortalWeb/appmanager/myportal/mydesktop
   Signing Key Alias:           samlsign
   Signing Key Pass Phrase:     mykeypass
   Intersite Transfer URIs:     /samlits_ba/its
                                /samlits_ba/its/post
                                /samlits_ba/its/artifact
                                /samlits_cc/its
   ITS Requires SSL:
   Assertion Retrieval URIs:
   ARS Requires SSL:
8. Click "Save".
9. Click "Activate Changes" and then restart the Admin Server.
10. In the right pane, click "AdminServer (admin)".
11. Once the server is up and running, follow the steps above up to step 4.
12. Click on "SAML 1.1 Destination Site"
13. Click the "Lock & Edit" button to prepare to modify settings.
14. Federation Services Destination Site Settings:
    Destination Site Enabled:          checked
    Assertion Consumer URIs:           /samlacs/acs
    ACS Requires SSL:                  checked
    SSL Client Identity Alias:         samlsign
    SSL Client Identity Pass Phrase:   mykeypass
    POST Recipient Check Enabled:      checked
    POST OneUse Check Enabled:         checked
    Used Assertion Cache Properties:   APID=ap_00002
15. After the settings are done, activate the changes and restart the admin server.

Configuring the SAML Destination Site

Add SAMLIdentityAsserter
1. Open the Weblogic Server Administration Console
2. In the left nav pane, click "Security Realms"
3. In the right pane click "TWRealm"
4. Click "Providers" tab
5. Click "Authentication"
6. Click the "Lock & Edit" button to prepare to modify settings.
7. Click "SAMLIdentityAsserterV2"
8. Click "Management" tab
9. Click "Certificates"
10. Click "New"
11. Trusted Certificate Properties:
    Alias:                   samlsign
    Certificate File Name:   /usr/bea/weblogic92/server/lib/samlsigncert.der
    Click "Save"
Add the Teamworks Asserting Party
1. Open the Weblogic Server Administration Console
2. In the left nav pane, click "Security Realms"
3. In the right pane click "TWRealm"
4. Click "Providers" tab
5. Click "Authentication"
6. Click the "Lock & Edit" button to prepare to modify settings.
7. Click "SAMLIdentityAsserterV2"
8. Click "Management" tab
9. Click "Asserting Parties"
10. Click "New"
11. New Asserting Party Settings:
    Profile:       WSS/Sender-Vouches
    Description:   SecureWebAPIService
12. Click "Ok"
13. You should see an asserting party with a Description of "SecureWebAPIService" in the Asserting Parties table (we are going to assume it is "ap_00001" for this guide). Click "ap_00001".
14. Settings for ap_00001:
    Partner ID:    ap_00001
    Profile:       WSS/Sender-Vouches
    Enabled:       Checked
    Description:   SecureWebAPIService
    Target URL:    http://localhost:7101/webapi/services/SecureWebAPIService
    Issuer URI:    http://XPA033659.tcs.com/demosaml
15. Click on Save, return to the Asserting Parties tab and click on New
16. New Asserting Party Settings:
    Profile:       Browser/Post
    Description:   Teamworks
17. Click "Ok"
18. You should see an asserting party with a Description of "Teamworks" in the Asserting Parties table (we are going to assume it is "ap_00002" for this guide). Click "ap_00002".
19. Settings for ap_00002:
    Partner ID:                            ap_00002
    Profile:                               Browser/POST
    Enabled:                               checked
    Description:                           Teamworks
    Target URL:                            http://localhost:7111/BARTPortalWeb/appmanager/myportal/mydesktop
    POST Signing Certificate Alias:        samlsign
    Source Site Redirect URIs:             /teamworks/process.lsw
    Source Site ITS URL:                   https://localhost:7112/samlits_ba/its
    Source Site ITS Parameter:             RPID=rp_00001
    Issuer URI:                            http://XPA033659.tcs.com/demosaml
    Signature Required:                    checked
    Assertion Signing Certificate Alias:   samlsign
    (The RPID needs to match the Browser/POST relying party in the SAML source.)

Configure Federation Service at SAML Destination Site
1. Open the WebLogic Server Administration Console.
2. In the left nav pane, expand "Environment", and then click "Servers".
3. In the right pane, click "twprocsvr".
4. Click the "Federation Services" tab.
5. Click "SAML 1.1 Destination Site".
6. Click the "Lock & Edit" button to prepare to modify settings.
7. Federation Services Destination Site Settings:

    Destination Site Enabled            checked
    Assertion Consumer URIs             /samlacs/acs
    ACS Requires SSL                    checked
    SSL Client Identity Alias           sourcessl
    SSL Client Identity Pass Phrase     mykeypass
    POST Recipient Check Enabled        checked
    POST OneUse Check Enabled           checked
    Used Assertion Cache Properties     APID=ap_00002

8. Click "Save".
9. Click "Activate Changes" and then restart the Admin Server.
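The destination-site settings just entered (POST Recipient Check, POST OneUse Check, the Used Assertion Cache) together with the asserting-party settings registered for ap_00002 (Issuer URI, Signature Required) are the checks the destination site applies to every Response posted to /samlacs/acs. The Python model below is an added example written for this paper, not WebLogic or Lombardi code: the element names follow the SAML 1.1 schema, the sample Response is constructed inline, the host and port in front of /samlacs/acs are assumed, and signature verification is reduced to checking that a Signature element is present.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Asserting party ap_00002 as registered on the destination site (values from this paper).
ASSERTING_PARTY = {"issuer_uri": "http://XPA033659.tcs.com/demosaml", "signature_required": True}
# Destination-site settings; /samlacs/acs is from this paper, the host:port is assumed.
DESTINATION = {"acs_url": "http://localhost:7111/samlacs/acs",
               "post_recipient_check": True, "post_one_use_check": True}


def parse_time(value):  # SAML 1.1 timestamps in the sample are UTC, YYYY-MM-DDTHH:MM:SSZ
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class UsedAssertionCache:
    """Backs the POST OneUse check: an AssertionID is accepted once and kept until it expires."""

    def __init__(self):
        self._seen = {}  # AssertionID -> expiry time

    def first_use(self, assertion_id, expires, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # drop expired entries
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def validate_response(xml_text, cache, now, party=ASSERTING_PARTY, dest=DESTINATION):
    """Apply the destination-site checks to a POSTed samlp:Response.
    Returns (accepted, detail): the subject NameIdentifier on success, else the reason."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP:
        return False, "not a samlp:Response"
    # POST Recipient Check: the Response must be addressed to this site's ACS URL.
    if dest["post_recipient_check"] and root.get("Recipient") != dest["acs_url"]:
        return False, "Recipient does not match ACS URL"
    assertion = root.find("{%s}Assertion" % SAML)
    if assertion is None:
        return False, "no Assertion in Response"
    # Issuer URI: only a registered asserting party may assert identities.
    if assertion.get("Issuer") != party["issuer_uri"]:
        return False, "Issuer is not a registered asserting party"
    # Signature Required: WebLogic verifies the XML-DSig against the POST Signing Certificate
    # Alias; this example only checks that a Signature element is present.
    signed = (root.find("{%s}Signature" % DS) is not None
              or assertion.find("{%s}Signature" % DS) is not None)
    if party["signature_required"] and not signed:
        return False, "signature required but absent"
    # Validity window from saml:Conditions.
    cond = assertion.find("{%s}Conditions" % SAML)
    attrs = cond.attrib if cond is not None else {}
    not_before = parse_time(attrs["NotBefore"]) if "NotBefore" in attrs else None
    not_on_or_after = parse_time(attrs["NotOnOrAfter"]) if "NotOnOrAfter" in attrs else None
    if not_before is not None and now < not_before:
        return False, "assertion not yet valid"
    if not_on_or_after is not None and now >= not_on_or_after:
        return False, "assertion expired"
    # POST OneUse Check: an AssertionID that was already consumed is a replay.
    if dest["post_one_use_check"]:
        expires = not_on_or_after or now + timedelta(minutes=5)
        if not cache.first_use(assertion.get("AssertionID"), expires, now):
            return False, "assertion already used (replay)"
    name_id = assertion.findtext(".//{%s}NameIdentifier" % SAML)
    return (True, name_id) if name_id else (False, "no subject NameIdentifier")


def sample_response(assertion_id="_a1", recipient=DESTINATION["acs_url"],
                    issuer=ASSERTING_PARTY["issuer_uri"], signed=True):
    # Constructed SAML 1.1 Response for the demo; the Signature element is a placeholder.
    sig = "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>" if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" '
        f'ResponseID="_r1" MajorVersion="1" MinorVersion="1" '
        f'IssueInstant="2008-06-01T10:00:00Z" Recipient="{recipient}">{sig}'
        '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
        f'<saml:Assertion AssertionID="{assertion_id}" Issuer="{issuer}" '
        'MajorVersion="1" MinorVersion="1" IssueInstant="2008-06-01T10:00:00Z">'
        '<saml:Conditions NotBefore="2008-06-01T09:59:00Z" NotOnOrAfter="2008-06-01T10:05:00Z"/>'
        '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
        'AuthenticationInstant="2008-06-01T10:00:00Z"><saml:Subject>'
        '<saml:NameIdentifier>user1</saml:NameIdentifier></saml:Subject>'
        '</saml:AuthenticationStatement></saml:Assertion></samlp:Response>'
    )


def demo():
    # One valid Response, then five that each trip a different destination-site check.
    cache = UsedAssertionCache()
    now = parse_time("2008-06-01T10:01:00Z")
    return [
        validate_response(sample_response(), cache, now),
        validate_response(sample_response(), cache, now),  # same AssertionID posted again
        validate_response(sample_response("_a2", recipient="http://other.example/samlacs/acs"), cache, now),
        validate_response(sample_response("_a3", issuer="http://unknown.example/idp"), cache, now),
        validate_response(sample_response("_a4", signed=False), cache, now),
        validate_response(sample_response("_a5"), cache, parse_time("2008-06-01T10:30:00Z")),
    ]
```

The replay case is why the one-use cache with APID=ap_00002 matters: the identical Response posted a second time is refused even though the recipient, issuer, signature and validity window still pass. The real destination site additionally verifies the XML signature with the certificate under the POST Signing Certificate Alias (samlsign) registered above.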

Run the portal to test SSO using SAML
1. Open a new browser and type the URL
   http://sourceip:port/BARTPortalWeb/appmanager/myportal/mydesktop
2. Supply the user name and password. Whichever user you supply has to be configured on both domains, i.e. on the source as well as on the destination, with the same password. If something is wrong it won't work.
3. The next screen will display the saved searches of the user. Click "Run", and it will display the coach data.
4. Here we go. SSO is done!

Conclusion
Teamworks does not work with the default keystores, so custom keystores have to be created.
The issuer URI can be anything, but it must be unique across the domains.

Acknowledgements
My team members Rajeev Ramachandran, Shekar Sankaran & Anish Ramjee from the
Lombardi Teamworks development team have contributed to understanding the process
flow. Rishi Shaw from the middleware team has contributed to the approach followed and to
publishing the paper. Swaroopa Murthy from the portal development team has contributed to
achieving the SAML things. Shashi Ranjan from the BA team has contributed to
requirements gathering and understanding the business. There was some contribution from BEA and
Lombardi consultants as well.
