We are developing a WebCenter Portal Framework application (184.108.40.206). It uses CA SiteMinder (authenticating against Active Directory) for general SSO into the Portal and for application popup links. We need to consume web services that are exposed from Oracle SOA Suite 11g and protected with SAML 2.0. The SAML token provider is Active Directory Federation Services.
The flow should essentially be:
1) User attempts to access Portal and is directed to SiteMinder login
2) User logs in with AD credentials and is allowed in the Portal
3) Portal retrieves a long running SAML token from AD FS for this user (user is already logged in so we want this process to be automatic and behind the scenes)
4) User clicks application links and is SSO'd into legacy applications
5) User accesses functionality that is web service driven and Portal passes the SAML token to each service request
Steps 1, 2, 4 are working fine. We are researching all the documentation on SAML are looking for guidance on step 3 in particular. For instance, should this be a development effort or configuration in WebLogic? Can we set up a different SSO solution just for web service security (SAML via AD FS) than the SSO we use in general (SiteMinder)? Since the user is already logged into Portal via SiteMinder can we retrieve a SAML token from AD FS without asking for credentials again?