0 Replies Latest reply on Jul 24, 2014 2:52 PM by 2719902

    How to use third party idp/sts (ADFS 2.0) for authenticating saml bearer tokens in weblogic 12c

    2719902

      Dear all,

      I'm new to WebLogic and would like to implement a web service (helloworld) by adding a security policy that verifies the SAML tokens obtained from a third-party IdP/STS (in my case ADFS 2.0, installed on another machine).

      Below are the steps I followed to implement the same.

      1) Created a simple helloworld web service (JAX-RPC) and added the WS-Policy "policy:Wssp1.2-2007-Saml2.0-Bearer-Wss1.1.xml" from the admin console. (Used Bearer confirmation as it requires less configuration.)

      2) Got the concrete WSDL from the browser at "http://10.123.123.123:7001/SecureHelloWorldService/SecureHelloWorldService?WSDL" (the above WS-Policy is reflected in the concrete WSDL).

      3) Configured ADFS 2.0 to issue SAML bearer tokens that can be used by my web service (i.e. the audience address is 10.123.123.123).

      4) Added the authentication provider "SAML 2.0 Identity Assertion Provider. Supports Security Assertion Markup Language v2.0" in myrelm (security realm).

      adfs.png

      5) Tested the service with the SOAP request below from SoapUI.

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:bea="http://www.bea.com">
         <soapenv:Header>
            <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
               <Assertion ID="_9d789c3c-00c0-41bf-b95b-f63092297855" IssueInstant="2014-07-24T12:57:59.080Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                  <Issuer>urn:federation:10.12.12.1</Issuer>
                  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                     <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                        <ds:Reference URI="#_9d789c3c-00c0-41bf-b95b-f63092297855">
                           <ds:Transforms>
                              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                           </ds:Transforms>
                           <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                           <ds:DigestValue>wW4cymfJxDfwqPjetldz19G+o1QHzPhzKelil+pNH4Q=</ds:DigestValue>
                        </ds:Reference>
                     </ds:SignedInfo>
                     <ds:SignatureValue>lp7GbsV1+RijrEq1pFtuKLG5Sd4mBFjZzDSXUnIthrvQVvjZeG4qkopFyQaAlwpeO01SdwKn+g53Qb5WZ9gEkGsgg3TXYThdypEZjIXwMmrviPm07jl0BOVk32nWKsz/V0qUB4zuMUAOWxxCB8kZ/BdwN7RM2qHo4Mqru0ZXl91Y/ZIehv6c/+UfA==</ds:SignatureValue>
                     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Data>
                           <ds:X509Certificate>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</ds:X509Certificate>
                        </ds:X509Data>
                     </KeyInfo>
                  </ds:Signature>
                  <Subject>
                     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <SubjectConfirmationData NotOnOrAfter="2014-07-24T13:02:59.080Z"/>
                     </SubjectConfirmation>
                  </Subject>
                  <Conditions NotBefore="2014-07-24T12:57:59.070Z" NotOnOrAfter="2014-07-24T13:57:59.070Z">
                     <AudienceRestriction>
                        <Audience>http://10.123.123.123</Audience>
                     </AudienceRestriction>
                  </Conditions>
                  <AttributeStatement>
                     <Attribute Name="E-Mail">
                        <AttributeValue>weblogic@email.com</AttributeValue>
                     </Attribute>
                     <Attribute Name="5-2-1 ID">
                        <AttributeValue>weblogic</AttributeValue>
                     </Attribute>
                  </AttributeStatement>
                  <AuthnStatement AuthnInstant="2014-07-24T12:57:58.994Z">
                     <AuthnContext>
                        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
                     </AuthnContext>
                  </AuthnStatement>
               </Assertion>
            </wsse:Security>
         </soapenv:Header>
         <soapenv:Body>
            <bea:sayHello>
               <bea:s>sree</bea:s>
            </bea:sayHello>
         </soapenv:Body>
      </soapenv:Envelope>

      ------------------------------------------------------------------------

       

      The response/SOAP fault I got is:

      <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <faultcode>wsse:InvalidSecurityToken</faultcode>
         <faultstring>Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@ba01fb[status: false][msg The SAML token is not valid, it is rejected by CSS ]</faultstring>
      </env:Fault>

      Can you please suggest what is wrong with the above approach and a resolution for the same?

       

      Thanks,

      Sree
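When a relying party such as the WebLogic SAML 2.0 Identity Assertion Provider rejects a bearer token with a generic "not valid" fault, it helps to check the assertion's own claims against what the service expects before digging into provider configuration. The script below is an added example, not code from the post or from WebLogic/ADFS: it parses a SAML 2.0 assertion and checks the conditions a relying party evaluates (signature reference matches the assertion ID, NotBefore/NotOnOrAfter window with clock-skew tolerance, bearer subject confirmation and its expiry, and the AudienceRestriction against the audience the service is configured for). It does not verify the XML signature cryptographically and does not diagnose the fault above; the sample assertion is constructed from the values in the post with the signature value and certificate replaced by placeholders, and the audience strings passed to `check_assertion` are assumptions for illustration.

```python
"""Pre-flight checks on a SAML 2.0 bearer assertion before handing it to a relying party.

Added example. Checks the claims a relying party evaluates (validity window, audience,
bearer confirmation, signature reference). It does NOT verify the XML signature, so a
clean result only means the assertion's claims agree with what the service expects.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample modelled on the assertion in the post. SignatureValue and the
# certificate are placeholders; they are not checked here.
SAMPLE_ASSERTION = f"""
<Assertion ID="_9d789c3c-00c0-41bf-b95b-f63092297855" IssueInstant="2014-07-24T12:57:59.080Z"
           Version="2.0" xmlns="{SAML_NS}">
  <Issuer>urn:federation:10.12.12.1</Issuer>
  <ds:Signature xmlns:ds="{DS_NS}">
    <ds:SignedInfo>
      <ds:Reference URI="#_9d789c3c-00c0-41bf-b95b-f63092297855"/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <Subject>
    <SubjectConfirmation Method="{BEARER}">
      <SubjectConfirmationData NotOnOrAfter="2014-07-24T13:02:59.080Z"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2014-07-24T12:57:59.070Z" NotOnOrAfter="2014-07-24T13:57:59.070Z">
    <AudienceRestriction>
      <Audience>http://10.123.123.123</Audience>
    </AudienceRestriction>
  </Conditions>
</Assertion>
"""


def parse_instant(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value}")


def check_assertion(xml_text, expected_audience, now, skew=timedelta(minutes=5)):
    """Return a list of human-readable failures; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS, "ds": DS_NS}
    failures = []

    # 1. The enveloped signature must cover this assertion (Reference URI == "#" + ID).
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", ns)
    if ref is None:
        failures.append("assertion is not signed")
    elif ref.get("URI") != "#" + root.get("ID", ""):
        failures.append("signature Reference URI does not match assertion ID")

    # 2. Validity window from <Conditions>, tolerating a little clock drift.
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        failures.append("no Conditions element")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before) - skew:
            failures.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_instant(not_on_or_after) + skew:
            failures.append("assertion expired (NotOnOrAfter)")
        # 3. Audience restriction: the service identifier is compared as an exact string,
        #    which is how relying parties normally match it.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
        if audiences and expected_audience not in audiences:
            failures.append(f"audience {audiences} does not include {expected_audience!r}")

    # 4. Bearer confirmation, which usually carries its own shorter expiry.
    sc = root.find("saml:Subject/saml:SubjectConfirmation", ns)
    if sc is None or sc.get("Method") != BEARER:
        failures.append("subject confirmation is not bearer")
    else:
        scd = sc.find("saml:SubjectConfirmationData", ns)
        expiry = scd.get("NotOnOrAfter") if scd is not None else None
        if expiry and now >= parse_instant(expiry) + skew:
            failures.append("bearer confirmation expired (SubjectConfirmationData NotOnOrAfter)")
    return failures


if __name__ == "__main__":
    # Evaluate the sample as if received a few seconds after issuance, against two
    # candidate audience strings (assumed values for illustration).
    now = datetime(2014, 7, 24, 13, 0, 0, tzinfo=timezone.utc)
    for audience in ("http://10.123.123.123", "10.123.123.123"):
        print(audience, "->", check_assertion(SAMPLE_ASSERTION, audience, now) or "OK")
```

Run it with the audience value the service is actually configured with; any reported mismatch points at a claim to compare with the provider's settings, while an empty result means the remaining problem lies in signature or trust configuration rather than in the assertion's claims.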