We have a requirement where we have to be configured as an IDP for one of our service provider partners, and we are planning to use WebLogic to act as the IDP, as we have recently added WebLogic to our architecture. So the SAML request from the SP/relying party would hit the WebLogic server. WebLogic would do all the formalities with the metadata and call our login application to authenticate the user. Unfortunately:
1) Our login application is hosted on an Apache/Tuxedo platform. We have configured the Customized Login URL in the Identity Provider configuration to be the URL of our login application. So the redirection works fine. We are able to reach the login URL of the customized application.
2) We are still struggling to find out how to redirect the user's browser back to WebLogic once the authentication is complete. WebLogic does provide a return URL, but when we post to that URL we see the following error:
com.bea.security.saml2.service.SAML2Exception: [Security:096570]The user is accessing the login return URL of SAML2 service, however, this user is not authenticated.
We understand that WebLogic operates on subjects identified by the authorization, but what we are struggling with is when and how to add the subjects, because the authentication is not done on WebLogic.
1) We would like to know if someone has implemented custom login on another application. If so, any help on how to configure the Identity Provider to accept the authentication completion from the other application would be appreciated.
2) Also, if the SAML response servlet (saml2/idp/sso/login-return) would only produce the SAML response for authenticated users, how do we generate a SAML response for users who failed authentication? Is there a different servlet?
I successfully set up a configuration where WebLogic works as the IDP and JBoss as the SP. But in my case the WebLogic IDP hosts the custom login web application. As far as I know, after you call the saml2/idp/sso/login-return URL, WebLogic verifies whether the user is authenticated on WebLogic. If authenticated, then the SAML response will be generated. So the only thing you need to do is to authenticate the user on the WebLogic IDP and call saml2/idp/sso/login-return.
If you have a separate server and web application for login, you need to create a custom authentication provider which can authenticate the user by some data which is generated by the login server and trusted by WebLogic.
From my point of view your login server should be the IDP. Otherwise the only reason to use WebLogic is its SAML engine. But it is possible to create an IDP on your own. For example, WebLogic SAML is based on the OpenSAML library.
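The handoff the answer describes, as an added example that is not the poster's code: the external login server mints a short-lived, single-use token naming the authenticated user, and the WebLogic-side custom authentication provider verifies that token before it would place the user principal into the Subject and let saml2/idp/sso/login-return proceed. The token format, the shared HMAC key and all function names here are my own assumptions, not WebLogic APIs.

```python
import base64, binascii, hashlib, hmac, json, secrets, time
# Constructed demo secret: in practice it is provisioned out-of-band to both
# the login server and the WebLogic custom authentication provider.
SHARED_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL = 60  # seconds a handoff token remains valid

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_handoff_token(username, now=None, key=SHARED_KEY):
    """Login-server side (Apache/Tuxedo): after the user authenticates, mint a
    short-lived, single-use token naming the user, which the browser carries
    on the post back to saml2/idp/sso/login-return."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "iat": now, "exp": now + TOKEN_TTL,
              "jti": secrets.token_hex(8)}  # random id used for replay detection
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

class HandoffVerifier:
    """WebLogic side: what the LoginModule of a custom authentication provider
    would do before putting the user principal into the Subject."""
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen = {}  # jti -> exp, so an intercepted token cannot be replayed

    def verify(self, token, now=None):
        """Return the username if the token is genuine, fresh and unused, else None."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
            given = _unb64(sig)
        except (ValueError, binascii.Error):
            return None  # malformed token
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):
            return None  # forged or tampered; only a valid MAC makes the claims trustworthy
        claims = json.loads(_unb64(body))
        if not claims["iat"] <= now < claims["exp"]:
            return None  # expired (or issued in the future: clock skew)
        self.seen = {j: e for j, e in self.seen.items() if e > now}  # forget expired ids
        if claims["jti"] in self.seen:
            return None  # replayed token
        self.seen[claims["jti"]] = claims["exp"]
        return claims["sub"]
```

Binding the token to the original SAML request (for example by including the request id in the claims and checking it on return) would further prevent a token issued for one SSO attempt from completing another.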