3 Replies. Latest reply: Jan 17, 2013 12:06 PM by 962905

Weblogic SSO - Negotiate identity Assertion Provider and CLIENT-CERT

773052 Newbie
I have setup SSO authentication on Weblogic 10.3 and it works fine with a simple test application. However, I have a small query as to the behaviour of SSO when you have a Web application configured for "BASIC", versus "CLIENT-CERT,BASIC".

When the web application has the following in the web.xml

<login-config>
<auth-method>CLIENT-CERT,BASIC</auth-method>
</login-config>

The first request receives a www-authenticate: negotiate challenge back. If this fails, the second request will receive a www-authenticate: basic challenge back. As per my understanding this is exactly how the fallback authentication should work.

However, when the web application's web.xml is configured as follows:

<login-config>
<auth-method>BASIC</auth-method>
</login-config>

The first request receives both a negotiate and a basic challenge back, e.g.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic

To me, this makes a lot more sense. It allows the client to choose the authentication mechanism which it supports and would be the preferred way for my application to work.

Can anyone explain to me why it works this way (and is it a valid configuration) despite the weblogic 10.3 documentation saying that the Negotiate Identity Assertion Provider will only work when you have CLIENT-CERT in the web.xml? (http://download-llnw.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1213694):

"If the authentication type in a Web application is set to CLIENT-CERT, the Web Application container in WebLogic Server performs identity assertion on values from request headers and cookies. If the header name or cookie name matches the active token type for the configured Identity Assertion provider, the value is passed to the provider. "

I noticed that between the SSO guide for 8.3 (http://edocs.weblogicfans.net/wls/docs81/secmanage/sso.html#1101448) and 10.3 (http://download-llnw.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/sso.html) there is no longer a section requiring you to put in CLIENT-CERT.
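A small parser for the 401 responses discussed above, added here as an example and not part of the original thread or of WebLogic: it collects the WWW-Authenticate challenges (both the two-header form quoted in the post and the comma-separated single-header form RFC 7235 allows) and lets a client pick the scheme it supports in its own preference order. The sample responses are constructed, not captured from a real server.

```python
import re

# Tokenizer for one WWW-Authenticate value: quoted-string | word with '=' padding
# (a token68 blob such as a Negotiate ticket) | plain word | '=' | ','
_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[^\s,"=]+=*(?=\s|,|$)|[^\s,"=]+|=|,')

# Constructed sample 401 responses (not captured from a real WebLogic server).
RESP_BOTH = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
             'WWW-Authenticate: Basic realm="weblogic"\r\nContent-Length: 0\r\n\r\n')
RESP_BASIC_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
                   'WWW-Authenticate: Basic realm="weblogic"\r\nContent-Length: 0\r\n\r\n')

def www_authenticate_values(raw_response):
    """Return every WWW-Authenticate value from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip() for line in head.split("\r\n")[1:]
            if line.lower().startswith("www-authenticate:")]

def parse_challenges(header_values):
    """Parse header values into [(scheme, params), ...], accepting both the two-header
    form seen in the thread and the RFC 7235 comma form "Negotiate, Basic realm=...".
    A bare blob following a scheme (token68) is stored under the key 'token68'."""
    challenges = []
    for value in header_values:
        tokens = _TOKEN_RE.findall(value)
        i, after_scheme = 0, False
        while i < len(tokens):
            tok = tokens[i]
            if tok == ",":                                  # challenge/param separator
                i, after_scheme = i + 1, False
            elif i + 2 < len(tokens) and tokens[i + 1] == "=":  # word '=' value: auth-param
                if not challenges:
                    raise ValueError("auth-param before any scheme: %r" % value)
                challenges[-1][1][tok.lower()] = tokens[i + 2].strip('"')
                i, after_scheme = i + 3, False
            elif after_scheme:                              # word right after a scheme
                challenges[-1][1]["token68"] = tok
                i, after_scheme = i + 1, False
            else:                                           # a new challenge begins
                challenges.append((tok.lower(), {}))
                i, after_scheme = i + 1, True
    return challenges

def choose_scheme(challenges, client_supported=("negotiate", "basic")):
    """Pick the first scheme in the client's own preference order that the server
    offered; None means the client can satisfy none of the challenges."""
    offered = {scheme for scheme, _ in challenges}
    return next((s for s in client_supported if s in offered), None)
```

With RESP_BOTH a client that supports only Basic still gets a usable scheme, while with RESP_BASIC_ONLY a Negotiate-only client gets None, which is the fallback behaviour the post is asking about.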
  • 1. Re: Weblogic SSO - Negotiate identity Assertion Provider and CLIENT-CERT
    757265 Newbie
    Actually, it shouldn't ask for a negotiation token when you set only the BASIC authentication method in your web.xml. I'm quite positive that the Negotiate Identity Assertion Provider would not work for your app if you set only BASIC authentication in your web.xml. So, this negotiate token should be coming from somewhere else. Can you please check the following steps?

    1-Can you please double check that the latest version of your web application is deployed?

    2-I believe there is no intermediary web server (like IIS) between your client and WLS? A third party may add an additional authentication request to the HTTP header. If an intermediary exists, can you please avoid it for your tests?

    3-Can you please check the "weblogic.security.enableNegotiate" system parameter value? If it is true, can you please set it to false and test your app again?

    3-Although I'm quite sure that the Negotiate Identity Assertion Provider would not work for your app, can you please remove it and repeat your tests again? If you detect that it's because of the Negotiate Identity Assertion Provider, then you can consider opening a bug request in the Oracle Support system.

    I hope this helps.

    Cheers.
  • 2. Re: Weblogic SSO - Negotiate identity Assertion Provider and CLIENT-CERT
    773052 Newbie
    *1-Can you please double check that the latest version of your web application is deployed?*

    I have checked the application and can confirm that the correct application is deployed. With the auth-method as just BASIC (no CLIENT-CERT) I see the following behaviour:
    - With a Negotiate Identity Asserter Provider I see both WWW-Authenticate: Negotiate and WWW-Authenticate: Basic
    - Without a Negotiate Identity Asserter Provider I see just WWW-Authenticate: Basic

    *2-I believe there is no intermediary web server (like IIS) between your client and WLS? A third party may add an additional authentication request to the HTTP header. If an intermediary exists, can you please avoid it for your tests?*

    I can confirm that there is no intermediary server between me and Weblogic.

    *3-Can you please check the "weblogic.security.enableNegotiate" system parameter value? If it is true, can you please set it to false and test your app again?*

    I have weblogic.security.enableNegotiate set to true. I tried setting it to false and it seems I still see the same behaviour I described above in my answer to question 1.

    *3-Although I'm quite sure that the Negotiate Identity Assertion Provider would not work for your app, can you please remove it and repeat your tests again? If you detect that it's because of the Negotiate Identity Assertion Provider, then you can consider opening a bug request in the Oracle Support system.*

    When I remove the Negotiate Identity Assertion Provider, I no longer see a WWW-Authenticate: Negotiate challenge in the response.

    Edited by: user1992925 on 16/05/2010 17:06
  • 3. Re: Weblogic SSO - Negotiate identity Assertion Provider and CLIENT-CERT
    962905 Newbie
    Hey, I have a requirement to pass both the WWW-Authenticate: Negotiate and WWW-Authenticate: Basic headers in the first request and let the browser choose one of them.

    I tried giving just BASIC instead of CLIENT-CERT,BASIC but the results were still the same, i.e. the first request included WWW-Authenticate: Negotiate and on refreshing it falls back to WWW-Authenticate: Basic.

    Can you please provide any pointers for it?

    Thanks
