White Paper
Mahesh Kotike
Banking & Financial Services 4.2
TCS Confidential
Abstract
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging
authentication and authorization data between two secure domains, i.e. between an
identity provider (the producer of an assertion) and a service provider (the consumer of
an assertion). The most important problem that SAML tries to solve is web browser SSO
(Single Sign-On). SAML assumes that the principal, often called the user, has enrolled
with at least one identity provider, and that this identity provider provides local
authentication services to the principal. A service provider therefore relies on the
identity provider to identify the principal. At the principal's request the identity
provider passes a SAML token to the service provider, and on the basis of this token
alone the service provider makes an access control decision.
Teamworks is a Lombardi product that runs on WebLogic 9.2 and provides JSR 168
compliant portlets. To consume those portlets in WebLogic Portal, we need a SAML trust
between the WebLogic Portal domain and the Teamworks domain for SSO.
The objective here is to establish that SAML trust between the WebLogic Portal domain
and the Teamworks domain. BEA provides the configuration set-up for this, and all of the
configuration can be done through the WebLogic console.
This paper explains the approach taken to configure SAML at the source and destination
sites between WebLogic Portal and Teamworks. It discusses how to establish the SAML
trust, how to configure the SAML source and SAML destination, and how to generate the
identity and trust files.
The intended audience for this paper is BEA WebLogic Portal developers who are looking
to consume Teamworks JSR 168 compliant portlets in their portal application.
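As an added example (not code from this paper, and not BEA or Lombardi code), the following Python script shows the decisions a SAML destination site makes on a Browser/POST response before it trusts the token for an access control decision: the recipient must be the configured Assertion Consumer URL, the issuer must match the asserting party's Issuer URI, a signature is required, the assertion must be inside its validity window, and an assertion ID may be used only once. The policy values are the ones this paper configures later for asserting party ap_00002; the SAML response is constructed inline, and the signature check is a stand-in that only looks for a KeyName, not a real XML-Signature verification.

```python
"""Destination-site acceptance checks for a SAML 1.1 Browser/POST response.
Added example, not code from the paper, BEA or Lombardi. The response XML is
constructed inline; XML-Signature verification is NOT implemented (the check
below only confirms a ds:Signature carrying the expected KeyName is present).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "samlp": SAMLP, "ds": DS}

# Policy for asserting party ap_00002 as configured on the destination site.
AP_00002 = {
    "issuer_uri": "http://XPA033659.tcs.com/demosaml",
    "acs_url": "https://localhost:7002/samlacs/acs",
    "signature_required": True,
    "signing_alias": "samlsign",
}
CLOCK_SKEW = timedelta(minutes=2)  # assumed tolerance between the two hosts


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def build_response(issuer, recipient, not_before, not_on_or_after, subject,
                   assertion_id, signed_alias=None):
    """Constructed sample Browser/POST response (not captured traffic)."""
    sig = ""
    if signed_alias:  # stand-in signature: only a KeyName, no real XML-DSig
        sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:KeyInfo><ds:KeyName>'
               f"{signed_alias}</ds:KeyName></ds:KeyInfo></ds:Signature>")
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ResponseID="_r{assertion_id}" MajorVersion="1" MinorVersion="1"
  IssueInstant="{_ts(not_before)}" Recipient="{recipient}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="{assertion_id}" Issuer="{issuer}"
    MajorVersion="1" MinorVersion="1" IssueInstant="{_ts(not_before)}">
    <saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}"/>
    <saml:AuthenticationStatement AuthenticationInstant="{_ts(not_before)}"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
    {sig}
  </saml:Assertion>
</samlp:Response>"""


def accept_assertion(xml_text, policy, now, seen_ids):
    """Return (accepted, reason, principal); seen_ids gives the one-use check."""
    root = ET.fromstring(xml_text)
    if root.get("Recipient") != policy["acs_url"]:      # POST recipient check
        return False, "recipient mismatch", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    if assertion.get("Issuer") != policy["issuer_uri"]:  # selects the asserting party
        return False, "unknown issuer", None
    if policy["signature_required"]:
        key_name = assertion.findtext("ds:Signature/ds:KeyInfo/ds:KeyName", namespaces=NS)
        if key_name != policy["signing_alias"]:  # stand-in for XML-DSig verification
            return False, "missing or untrusted signature", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if _parse_ts(cond.get("NotBefore")) - CLOCK_SKEW > now:
            return False, "assertion not yet valid", None
        if now >= _parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
            return False, "assertion expired", None
    aid = assertion.get("AssertionID")
    if aid in seen_ids:                                   # POST one-use check
        return False, "assertion replayed", None
    seen_ids.add(aid)
    principal = assertion.findtext(".//saml:Subject/saml:NameIdentifier", namespaces=NS)
    return True, "ok", principal


def demo():
    """Run the valid case and five failure cases; returns {name: result}."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    seen = set()
    good = dict(issuer=AP_00002["issuer_uri"], recipient=AP_00002["acs_url"],
                not_before=now - timedelta(minutes=1),
                not_on_or_after=now + timedelta(minutes=5),
                subject="tw_admin", signed_alias="samlsign")
    cases = {
        "valid": build_response(assertion_id="_a1", **good),
        "replay": build_response(assertion_id="_a1", **good),
        "wrong_issuer": build_response(assertion_id="_a2", **{**good, "issuer": "http://other.invalid/demosaml"}),
        "unsigned": build_response(assertion_id="_a3", **{**good, "signed_alias": None}),
        "expired": build_response(assertion_id="_a4", **{**good, "not_on_or_after": now - timedelta(minutes=10)}),
        "wrong_recipient": build_response(assertion_id="_a5", **{**good, "recipient": "https://localhost:7002/other"}),
    }
    return {name: accept_assertion(xml, AP_00002, now, seen) for name, xml in cases.items()}
```

Running demo() accepts only the first response and names the principal tw_admin; the same assertion presented a second time is rejected as a replay, which is the property the one-use check on the destination site provides.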
CONTENTS
INTRODUCTION (page 6)
USE CASE (page 7)
SINGLE SIGN-ON USING SAML (page 8)
CHECKLIST (page 8)
KEYSTORES (page 8)
PRE-REQUISITES (page 8)
CONFIGURING SSL (page 9)
SOURCE SITE SSL CONFIGURATION (page 12)
DESTINATION SITE SSL CONFIGURATION (page 16)
INTEGRATING TEAMWORKS PORTLETS INTO WEBLOGIC PORTAL (page 20)
CONFIGURING THE SAML SOURCE SITE (page 23)
CONFIGURE FEDERATION SERVICE AT SAML SOURCE SITE (page 28)
CONFIGURING THE SAML DESTINATION SITE (page 29)
CONFIGURE FEDERATION SERVICE AT SAML DESTINATION SITE (page 31)
RUN THE PORTAL TO TEST SSO USING SAML (page 31)
CONCLUSION (page 36)
ACKNOWLEDGEMENTS (page 37)
REFERENCES (page 38)
Introduction
This document describes how to use SAML with BEA WebLogic 9.2 to accomplish
Single Sign-On (SSO) and web service security using SAML.
For the purposes of this document we assume we have the following machines
configured on local box : But you need to use your source and destination host/ipaddress
and ports accordingly. We have used the below entries in the entire document. So you
have to supply your values where ever is required.
Description          | SAML Source Site (includes portal) | SAML Destination Site
Hostname/IP Address  | localhost                          | localhost
Server               | AdminServer                        | AdminServer / Twprocsvr
HTTP                 | 7111                               | 8101 / 7101
HTTPS                | 7112                               | N/A / 7002
Use Case
The important configuration bits here are getting the Sender-Vouches and Browser/POST
configurations correct. The two critical bits (beyond the normal SAML/SSO configuration)
are: the Target URL, which should be the URL of the portal that is hosting the portlet,
and the Source Site Redirect URIs, which should be "/teamworks/process.lsw" (the relative
URI on the Teamworks Process Server that is responsible for coaches). The APs (asserting
parties) and RPs (relying parties) for Browser/POST have to align.
Checklist
Keystores
Comment: By default, WebLogic Server is configured with two keystores. The Identity
keystore is created during Key Generation and contains the private key and signed SSL
certificate. The Trust keystore contains the trusted Root CA and Intermediate CA
Certificates and is created during the installation of the Root CA.
Pre-requisites
Configuring SSL
SSL Steps
We will perform the following 5 steps:
1.
2.
3.
4.
5.
Steps 1 - 4:
We perform the first four steps as part of a script we put together to semi-automate the
creation of the source site and destination site SSL keys/certs and the SAML key/cert; see
TestIdentityAndTrust.sh in the attachment:
C:\Documents and Settings\mkotike\Desktop\TW6SP1-SAML\testrun\TestIdentityAndTrust.sh
NOTE: This script should be executed only ONCE, on EITHER the source site
OR the destination site, NOT on BOTH hosts.
a) Copy TestIdentityAndTrust.sh to an empty directory
b) Modify the '-cn' values to match the hostnames of your source site and
destination site
c) Set up the WLS environment by running:
/usr/bea/weblogic92/server/bin/setWLSEnv.sh
d) Run TestIdentityAndTrust.sh only once.
You will be prompted at a few points.
Keystores:
Custom Identity Keystore: /usr/bea/weblogic92/server/lib/TestIdentity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: TestIdentity
Custom Trust Keystore: /usr/bea/weblogic92/server/lib/TestTrust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: TestTrust
7. Click "Save"
8. Click on the "SSL" tab
9. SSL Settings:
   Private Key Alias: sourcessl
   Private Key Passphrase: mykeypass
Success!
Keystores:
Custom Identity Keystore: /usr/bea/weblogic92/server/lib/TestIdentity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: TestIdentity
Custom Trust Keystore: /usr/bea/weblogic92/server/lib/TestTrust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: TestTrust
7. Click "Save"
8. Click on the "SSL" tab
9. SSL Settings:
   Private Key Alias: destssl
   Private Key Passphrase: mykeypass
Success!
Note: make sure the AdminServer and twprocsvr SSL ports are not the same. If they are
the same, it will cause a problem.
5.
6.
7.
8.
9.
Property Name                          | Property Value                        | Example Entry
javax.xml.rpc.service.endpoint.address | /webapi/services/SecureWebAPIService  | /webapi/services
teamworks.portlets.client.saml.issuer  | http://XPA03365                       | XPA033659.tcs.c
Name                         | Description               | Value                                                       | Is Modifiable | Example Entry
processServerURL             | process server url        | http://<teamworks-installed-processserver-ip>:<port>        | True          | http://localhost:7101
processServerPortalWebAppURL | process server web url    | http://<teamworks-installed-processserver-ip>:<port>/portal | True          | http://localhost:7101/po
user                         |                           |                                                             | True          | No example entry
password                     | Default password          | tw_admin                                                    | True          | No example entry
maxRowsPerPage               | Max rows                  | 20                                                          | True          | 20
ssoEnabled                   | For sso                   | true                                                        | True          | No example entry
savedSearchName              | Default saved search name | Inbox                                                       | True          | No example entry
organizeByTask               | Task organization         | true                                                        | True          | No example entry
taskWindowWidth              | Window width              | 720                                                         | True          | 720
taskWindowHeight             | Window height             | 600                                                         | True          | 600
Click "Save"
Click "Activate Changes" (an AdminServer restart may be required)
Activate Changes at this point and possibly restart the AdminServer. If so, after the
restart you will need to navigate back to this point before proceeding below.
18. Click "Management" tab
19. Click "Certificates"
20. Click "New"
21. Trusted Certificate Properties:
    Alias: samlsign
    Certificate File Name: /usr/bea/weblogic92/server/lib/samlsigncert.der
Click "Finish"
Click "Ok"
You should see a relying party with a Description of "Teamworks" in the
Relying Parties table (we are going to assume it is "rp_00001" for this
document). Click "rp_00001":
Partner ID: rp_00001
Profile: Browser/POST
Enabled: checked
Description: Teamworks
Target URL: http://localhost:7101/teamworks/process.lsw
Assertion Consumer URL: https://localhost:7002/samlacs/acs
Assertion Consumer Parameters: APID=ap_00002 (needs to match the AP in samldest for Browser/POST, not the one for WSS/Sender-Vouches)
Sign Assertions: checked
Include KeyInfo: checked
Add the Relying Party for communication between the Teamworks Proxy Portlet and the
Teamworks Remote Portlet for getting portlet preferences
37.
38.
39.
40.
41.
Click "Ok"
You should see a relying party with a Description of "WsrpDefault" in the
Relying Parties table (we are going to assume it is "rp_00002" for this
document). Click "rp_00002":
Partner ID: rp_00002
Profile: WSS/Sender-Vouches
Enabled: checked
Description: WsrpDefault
Target URL: default
Sign Assertions: checked
Add the Asserting Party for communication between the Teamworks Proxy Portlet and the
Teamworks Remote Portlet for getting portlet preferences
50. Open the WebLogic Server Administration Console
51. In the left nav pane, click "Security Realms"
52. In the right pane click "myrealm"
53. Click "Providers" tab
54. Click "Authentication"
55. Click the "Lock & Edit" button to prepare to modify settings
56. Click "SAMLIdentityAsserter"
57. Click "Management" tab
58. Click "Asserting Parties"
59. Click "New"
60. New Asserting Party Settings:
    Profile: WSS/Sender-Vouches
    Description: demosaml
61. Click "Ok"
62. You should see an asserting party with a Description of "demosaml" in the
    Asserting Parties table (we are going to assume it is "ap_00002" for this
    document). Click "ap_00002":
63. After creating this asserting party, enable the SAML Destination Federation
    Service
Partner ID: ap_00002
Profile: WSS/Sender-Vouches
Enabled: checked
Description: demosaml
Target URL: default
Issuer URI: http://XPA033659.tcs.com/demosaml
Signature Required: checked
Assertion Signing Alias: samlsign
Federation Services Source Site Settings:
Source Site Enabled: checked
Source Site URL: http://localhost:7111/BARTPortalWeb/appmanager/myportal/mydesktop
Signing Key Alias: samlsign
Signing Key Passphrase: mykeypass
Intersite Transfer URIs: /samlits_ba/its, /samlits_ba/its/post, /samlits_ba/its/artifact, /samlits_cc/its
Click "Save".
Click "Activate Changes" and then restart the Admin Server.
In the right pane, click "AdminServer (admin)".
Once the server is up and running, follow steps 1 to 4 again.
Click on "SAML 1.1 Destination Site".
Click the "Lock & Edit" button to prepare to modify settings.
Federation Services Destination Site Settings (after the settings are done, activate the
changes and restart the admin server):
Destination Site Enabled: checked
Assertion Consumer URIs: /samlacs/acs
ACS Requires SSL: checked
SSL Client Identity Alias: samlsign
SSL Client Identity Passphrase: mykeypass
checked
checked
APID=ap_00002
Trusted certificate:
Alias: samlsign
Certificate File Name: /usr/bea/weblogic92/server/lib/samlsigncert.der
Click "Save"
Add the Teamworks Asserting Party
1.
2.
3.
4.
5.
6.
7.
8.
9.
Click "New"
New Asserting Party Settings:
Profile: WSS/Sender-Vouches
Description: SecureWebAPIService
Click "Ok"
You should see an asserting party with a Description of "SecureWebAPIService" in the
Asserting Parties table (we are going to assume it is "ap_00001" for this guide).
Click "ap_00001".
Settings for ap_00001:
Partner ID: ap_00001
Profile: WSS/Sender-Vouches
Enabled: checked
Description: SecureWebAPIService
Target URL: http://localhost:7101/webapi/services/SecureWebAPIService
Issuer URI: http://XPA033659.tcs.com/demosaml
Click "Save", return to the Asserting Parties tab and click "New".
New Asserting Party Settings:
Profile: Browser/POST
Description: Teamworks
17. Click "Ok"
18. You should see an asserting party with a Description of "Teamworks" in
    the Asserting Parties table (we are going to assume it is "ap_00002" for
    this guide). Click "ap_00002".
19. Settings for ap_00002:
Partner ID: ap_00002
Profile: Browser/POST
Enabled: checked
Description: Teamworks
Target URL: http://localhost:7111/BARTPortalWeb/appmanager/myportal/mydesktop
POST Signing Certificate Alias: samlsign
Source Site Redirect URIs: /teamworks/process.lsw
Source Site ITS URL: https://localhost:7112/samlits_ba/its
Source Site ITS Parameter: RPID=rp_00001
Issuer URI: http://XPA033659.tcs.com/demosaml
Signature Required: checked
Assertion Signing Alias: samlsign
checked
APID=ap_00002
Click "Save".
Click "Activate Changes" and then restart the Admin Server.
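The relying party rp_00001 on the source site and the asserting party ap_00002 on the destination site must mirror each other (the APs and RPs for Browser/POST have to align, as the Use Case says). The following Python is an added example, not part of this paper and not a BEA tool: it models both console screens as dictionaries holding the values configured above and checks the cross-references between them (ACS URL against the destination Assertion Consumer URIs and SSL port, APID against the asserting party, ITS URL against the source Intersite Transfer URIs and SSL port, RPID back to the relying party, redirect URIs against the relying party's target path, Issuer URI, signing expectations, and the note that the AdminServer and twprocsvr SSL ports must differ). Requiring the ITS URL to use the source site's SSL port, and the Issuer URI held on the source site, are assumptions taken from the values this paper uses.

```python
"""Cross-site consistency check for a WebLogic 9.2 SAML 1.1 Browser/POST pairing.
Added example, not from the paper and not BEA tooling. The dictionaries are a
constructed model of the console screens configured in the paper, not data
read from a WebLogic domain.
"""
import copy
from urllib.parse import urlsplit, parse_qs

SOURCE_SITE = {  # portal domain, AdminServer HTTP 7111 / HTTPS 7112
    "https_port": 7112,
    "issuer_uri": "http://XPA033659.tcs.com/demosaml",  # assumed: credential mapper's Issuer URI
    "source_site_url": "http://localhost:7111/BARTPortalWeb/appmanager/myportal/mydesktop",
    "its_uris": ["/samlits_ba/its", "/samlits_ba/its/post",
                 "/samlits_ba/its/artifact", "/samlits_cc/its"],
    "relying_parties": {
        "rp_00001": {
            "profile": "Browser/POST", "enabled": True,
            "target_url": "http://localhost:7101/teamworks/process.lsw",
            "acs_url": "https://localhost:7002/samlacs/acs",
            "acs_params": "APID=ap_00002",
            "sign_assertions": True,
        },
    },
}

DEST_SITE = {  # Teamworks domain, twprocsvr HTTP 7101 / HTTPS 7002
    "https_port": 7002,
    "admin_ssl_port": None,  # N/A in the paper's port table
    "acs_uris": ["/samlacs/acs"],
    "acs_requires_ssl": True,
    "asserting_parties": {
        "ap_00002": {
            "profile": "Browser/POST", "enabled": True,
            "target_url": "http://localhost:7111/BARTPortalWeb/appmanager/myportal/mydesktop",
            "redirect_uris": ["/teamworks/process.lsw"],
            "its_url": "https://localhost:7112/samlits_ba/its",
            "its_params": "RPID=rp_00001",
            "issuer_uri": "http://XPA033659.tcs.com/demosaml",
            "signature_required": True,
        },
    },
}


def _param(query, name):
    """First value of `name` in a 'k=v&k2=v2' parameter string, or None."""
    return parse_qs(query).get(name, [None])[0]


def check_browser_post_pairing(src, dst, rp_id):
    """List every misalignment between relying party rp_id on the source site
    and the Browser/POST asserting party it points at on the destination site."""
    problems = []
    rp = src["relying_parties"][rp_id]
    acs = urlsplit(rp["acs_url"])
    if acs.path not in dst["acs_uris"]:
        problems.append(f"{rp_id}: ACS path {acs.path} is not a destination Assertion Consumer URI")
    if dst["acs_requires_ssl"] and (acs.scheme != "https" or acs.port != dst["https_port"]):
        problems.append(f"{rp_id}: ACS URL must use https on destination port {dst['https_port']}")
    ap_id = _param(rp["acs_params"], "APID")
    ap = dst["asserting_parties"].get(ap_id)
    if ap is None or ap["profile"] != rp["profile"] or not ap["enabled"]:
        problems.append(f"{rp_id}: APID={ap_id} does not name an enabled {rp['profile']} asserting party")
        return problems
    its = urlsplit(ap["its_url"])
    if its.path not in src["its_uris"]:
        problems.append(f"{ap_id}: ITS path {its.path} is not a source Intersite Transfer URI")
    if its.scheme != "https" or its.port != src["https_port"]:
        problems.append(f"{ap_id}: ITS URL must use https on source port {src['https_port']}")
    if _param(ap["its_params"], "RPID") != rp_id:
        problems.append(f"{ap_id}: ITS parameter RPID does not point back to {rp_id}")
    if urlsplit(rp["target_url"]).path not in ap["redirect_uris"]:
        problems.append(f"{rp_id}: target path is not in the Source Site Redirect URIs of {ap_id}")
    if ap["target_url"] != src["source_site_url"]:
        problems.append(f"{ap_id}: Target URL is not the portal (source site) URL")
    if ap["issuer_uri"] != src["issuer_uri"]:
        problems.append(f"{ap_id}: Issuer URI differs from the source site's Issuer URI")
    if ap["signature_required"] and not rp["sign_assertions"]:
        problems.append(f"{ap_id} requires signatures but {rp_id} does not sign assertions")
    if dst["admin_ssl_port"] == dst["https_port"]:
        problems.append("destination AdminServer and twprocsvr SSL ports must differ")
    return problems


def misconfigured_example():
    """Constructed bad configuration: ITS over plain http, RPID typo, shared SSL port."""
    dst = copy.deepcopy(DEST_SITE)
    ap = dst["asserting_parties"]["ap_00002"]
    ap["its_url"] = "http://localhost:7111/samlits_ba/its"
    ap["its_params"] = "RPID=rp_00002"
    dst["admin_ssl_port"] = 7002
    return check_browser_post_pairing(SOURCE_SITE, dst, "rp_00001")


if __name__ == "__main__":
    print("paper config:", check_browser_post_pairing(SOURCE_SITE, DEST_SITE, "rp_00001"))
    for p in misconfigured_example():
        print("misconfigured:", p)
```

With the values from this paper the check returns an empty list; the misconfigured copy reports three problems, which is the kind of mismatch that otherwise only shows up as a failed redirect when the portal is tested.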
1.
2.
3.
4.
SSO is done!
Conclusion
Teamworks do not work for default keystores. So we have to create custom keystores.
The issuer URI could be anything but it should be unique across the domains
Acknowledgements
My team members Rajeev Ramachandran, Shekar Sankaran & Anish Ramjee from
Lombardi Teamworks development team has contributed in understanding the process
flow. Rishi Shaw from middleware team has contributed in approach following and in
publishing the paper. Swaroopa Murthy from portal development team has contributed in
achieving the SAML things. Shashi Ranjan from BA team has contributed in
requirements gathering and understanding the business. Some contribution from BEA and
Lombardi consultants as well.
References
SAML
http://dev2dev.bea.com/pub/a/2006/12/sso-with-saml.html
Configuring SSL:
http://e-docs.bea.com/wls/docs92/secmanage/ssl.html
Configure keystores:
http://edocs.bea.com/wls/docs92/ConsoleHelp/taskhelp/security/ConfigureKeystoresAndSSL.ht
ml
Other
http://developers.sun.com/identity/reference/techart/sso.html
http://help.sap.com/saphelp_nw2004s/helpdata/en/54/8384a1907cea418a9f6f82759b386b
/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/c
ontent.htm
http://www.theserverside.com/tt/articles/article.tss?l=SAML
http://support.evidian.com/data/downloads/sso_xpress_web_and_sam_web/version_6.3/d
ocumentation/39a295lrrev00us_jaas_login_module.pdf
Teamworks-6-Enterprise-SP1-Beta1-Developers_Guide.pdf