20180605 sso with apex and adfs the weblogic way

Explanation of how to implement SAML 2.0 based SSO for Apex with ADFS as the Identity Provider, leveraging the WebLogic authenticators.

1. SSO with Apex and ADFS the WebLogic Way. Martien van den Akker, Darwin IT-Professionals, 2018.
2. Who I am (© Darwin IT-Professionals B.V.)
3. Oracle ACE since November 2017
4. Agenda
   • Introduction
   • Architecture
   • Prerequisites
   • Steps
   • Tips, Tricks and Thoughts
5. Introduction
6. Introduction: Why?
   • Projects
     – WebLogic and SurfConext using SAML 2.0 (2014 on 11g, 2017 on 12c)
     – Apex and ADFS, using WebLogic/ORDS and SAML 2.0 (2017 and 2018)
   • SAML 2.0 allows for Single Sign-On in cloud environments
7. Security Assertion Markup Language
   • SAML: XML-based standard for exchanging authentication and authorization data between parties:
     – Identity Provider (IdP), e.g. SurfConext or ADFS
     – Service Provider (SP)
   • The IdP sends security assertions to the SP that state:
     – Is the principal authenticated?
     – What roles/attributes does the principal have?
   • SAML 2.0 became an OASIS standard in March 2005
   • WebLogic 11g and later have proper, but basic, support for SAML 1.1 and 2.0
8. Authentication vs. Authorisation
   • Authentication: the process of identifying the user -> Who is this user?
   • Authorisation: the process of determining the access rights of the identified user -> Is this user allowed to access this page?
   • Apex supports several authentication schemes:
     – Application Express Accounts
     – Custom Authentication
     – Database Accounts
     – HTTP Header Variable
     – LDAP Directory Verification
     – No Authentication (using DAD)
     – Open Door Credentials
     – Oracle Application Server SSO Server
     – Social sign-in (since 18.1)
   • WebLogic adds authentication capabilities to Apex: the HTTP Header Variable scheme allows for authentication outside of Apex. Sounds great!
9. Introduction: What is ORDS?
   • Oracle REST Data Services (ORDS)
     – Develop REST interfaces for relational data in the Oracle Database
     – Maps HTTP(S) verbs (GET, POST, PUT, DELETE) to database transactions, returning JSON
     – Included with Oracle Database and SQL Developer
   • Supported to run in
     – WebLogic
     – Tomcat
     – Glassfish
     – Or as a standalone application with Jetty in embedded mode
   • Can function as the 'Apex Listener'
10. SAML and WebLogic
    • SAML between WebLogic (Service Provider, running ORDS) and ADFS (Identity Provider) works schematically as follows:
      1 The browser requests a protected page (ORDS) on the WebLogic Server
      2 The WebLogic Security Service detects no token
      3 The user is redirected to the IdP (ADFS Single Sign-On Service)
      4 ADFS presents the login page
      5 The user submits the login
      6 ADFS provides a SAML 2.0 token, delivered to the Assertion Consumer Service on WebLogic
      7 The requested page is returned
11. Apex Authorisation
    • Apex authorisation is strictly separated from authentication
    • For authorisation the application must map users or roles to page grants
    • Therefore the application needs to 'know' the users and/or roles: SSO only answers who the user is, not what the user may do
13. Architecture: layout of OHS, WebLogic, ORDS, APEX and ADFS
14. Simple Architecture
    • Internet: browser
    • Firewall
    • Demilitarized Zone: Oracle HTTP Server 12c as reverse proxy
    • Firewall
    • Data Center: ORDS (FKA Apex Listener), standalone or on an application server, in front of an Oracle 12c Database with APEX
15. More 'Enterprise-like' Architecture
    • Internet: browser
    • Firewall
    • Demilitarized Zone: Oracle HTTP Server 12c as reverse proxy
    • Firewall
    • Data Center: WebLogic 12c (Service Provider) running ORDS, with a WebLogic 12c AdminServer; Oracle 12c Database with APEX; Apex user directory
    • Microsoft Active Directory Federation Services as the Identity Provider, talking SAML 2.0 to the WebLogic Service Provider
17. Prerequisites for SAML 2.0 based authentication with Apex + WLS + ADFS
18. Prerequisites
    • Certificates for the reverse proxy and WebLogic
      – Think about the CN/host names and possible Subject Alternative Names: they must match the URLs the browser and ADFS use
      – WebLogic expects a keystore; generate the CSR from the keystore
      – Auto-login wallet for OHS (I first create a JKS and import it into the wallet)
    • DNS configuration for the CN and SANs
    • It helps if the reverse proxy server can reach the WebLogic server and vice versa
    • Firewall and network configuration done properly
    • Access from the Internet
19. Ingredients
    • A working APEX installation/application
    • A reverse proxy with the WebLogic Proxy Plug-in, preferably Oracle HTTP Server, but Apache and IIS will do
    • WebLogic 12c
    • ORDS
    • ADFS configured (and supported...)
    • A certificate signing procedure
21. Installation and configuration steps
22. Step 1a: Install software
    • Install OHS 12c on the reverse proxy server
      – Configure an OHS 12c standalone domain
      – Configure "Node Manager as a service"
      – Create start and stop scripts
    • Install WebLogic 12c on the application server host
      – Configure the domain
      – Configure "Node Manager as a service"
      – Create start and stop scripts
23. Step 1b: Install ORDS
    • Install ORDS 3.0.9+ (currently 18.1) on the WebLogic host
      – Perform an in-place install, following the wizards, using one of:
          java -jar ords.war install
          java -jar ords.war install advanced
      – This creates database connection configuration files. No datasources on WLS are used...
      – Copy the apex images to an images folder in the ORDS home
      – Create an i.war using:
          java -jar ords.war static <ords directory>/images
      – i.war is a simple webapp that creates a folder mapping for WebLogic and Glassfish
24. Step 2: Create certificates
    • Create Certificate Signing Requests for OHS and WLS
      – One keystore for WLS and another one as the base for the OHS wallet
    • Have the certificates signed
    • Import the root certificates and the signed certificates
    • Create a truststore with the roots and public certificates
    • Set Custom Identity and Trust keystores in WLS
    • Use orapki to create an auto_login wallet in:
        ${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
      Convenient: this location is already configured in ssl.conf
    • Import the OHS keystore into the wallet
25. Step 3a: Modify ords.war
    • ORDS (ords.war) doesn't do authentication: normally Apex does that by itself
    • But ords.war needs to hand it over to WebLogic (container-managed security)
    • To do so, web.xml and weblogic.xml need to be adapted:
      – <security-constraint> on <url-pattern>/f/*</url-pattern>
      – <auth-method> BASIC on <realm-name> myrealm
      – <security-role> <role-name> Anonymous, with the role assignment in weblogic.xml
    • Repackage ords.war with the updated descriptors
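As an added illustration of the four descriptor changes above (these fragments are not taken from the deck or from the ORDS distribution), this is what the relevant parts of web.xml and weblogic.xml look like. The realm name myrealm comes from the slide; the group name users is an assumption, chosen because it is WebLogic's built-in group of all authenticated users (everyone would also admit anonymous callers and must not be used here):

```xml
<!-- web.xml fragment (inside <web-app>): added example, not the deck's file -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>APEX engine</web-resource-name>
    <!-- Only the APEX entry point is protected; REST endpoints under other
         paths of ords.war are NOT covered by this constraint -->
    <url-pattern>/f/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Anonymous</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>

<security-role>
  <role-name>Anonymous</role-name>
</security-role>

<!-- weblogic.xml fragment (inside <weblogic-web-app>): added example -->
<security-role-assignment>
  <role-name>Anonymous</role-name>
  <!-- assumption: every user the IdP authenticates may reach APEX;
       "users" is WebLogic's group of all authenticated principals.
       Page-level authorisation stays inside APEX (slide 11). -->
  <principal-name>users</principal-name>
</security-role-assignment>
```

If the application is deployed with the Custom Roles security model (Step 3b), the role-to-principal mapping is made in the Administration Console instead and the weblogic.xml assignment is ignored; the web.xml constraint is needed in both cases.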
26. Step 3b: Install ords.war and i.war
    • Install ords.war and i.war as an application, using the Custom Roles security model
27. Step 4: Add a SAML2IdentityAsserter
    • Add a SAML2IdentityAsserter to the security realm
    • Bounce the domain (AdminServer + SP managed server)
    • This enables the Federation Services tabs in the server configuration
28. Step 5: Configure the SAML2 Service Provider
    • On the managed server (Federation Services > SAML 2.0 Service Provider):
      – Check Enabled
      – Preferred Binding: POST
      – Default URL: the externally accessible URL of the application
29. Step 6a: Configure SAML 2.0 General
    • Fill in the contact properties
    • Published Site URL: WebLogic expects /saml2 as the URI
      – That is the servlet listening for assertions from the IdP (the Assertion Consumer Service)
    • Entity ID: ADFS expects a connectable URL
    • Recipient Check Enabled: uncheck
      – This check compares the Recipient/Destination in the SAML response with the URL WebLogic thinks it received the request on; behind a rewriting reverse proxy the two differ. Unchecking it drops a defence against assertions replayed to another endpoint, so keep the Published Site URL identical to the externally visible /saml2 URL and re-enable the check once the URLs match.
    • Provide the SSO key alias and passphrase from the JKS
30. Step 6b: Publish SAML metadata
    • Restart the server
    • Publish Meta Data
      – WebLogic saves this as an XML file
      – Save it with a standard file name to a standard folder
      – Create and deploy a SamlMetaData.war, based on i.war, with a folder mapping to that folder
      – Provide the resulting URL (folder mapping + metadata file name) to ADFS
31. Step 7: Create the SSO IdP partner
    • Navigate to the SAML2IdentityAsserter (Management tab)
    • Create a "Web Single Sign-On Identity Provider Partner"
    • Remove the SP parts from the ADFS metadata file (see blog)
    • Import the resulting file
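The ADFS FederationMetadata.xml describes ADFS as IdP and as SP in one EntityDescriptor, and the whole document is signed. As an added example (not the deck's own tooling, and not what the blog post does verbatim), the following Java program removes the SPSSODescriptor and, because the edited document can no longer validate, the enveloped ds:Signature. It also strips the WS-Federation RoleDescriptor elements ADFS publishes, on the assumption that the WebLogic importer only needs the IDPSSODescriptor; the input and output file names are command-line arguments.

```java
// Added example for Step 7: reduce ADFS FederationMetadata.xml to its IdP part.
// Usage: java StripAdfsMetadata FederationMetadata.xml adfs-idp-only.xml
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class StripAdfsMetadata {
    static final String MD = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: StripAdfsMetadata <FederationMetadata.xml> <output.xml>");
            System.exit(2);
        }
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The metadata comes from another party: parse it with DTDs and external entities off (no XXE)
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));
        Element entity = doc.getDocumentElement();

        int sp   = removeAll(entity, MD, "SPSSODescriptor"); // the "SP parts" of the slide
        int role = removeAll(entity, MD, "RoleDescriptor");  // WS-Federation roles (assumption: unused by WebLogic)
        int sig  = removeAll(entity, DS, "Signature");       // signed the original bytes; invalid after editing

        // Fail loudly if what is left is not a single IdP description
        if (entity.getElementsByTagNameNS(MD, "IDPSSODescriptor").getLength() != 1) {
            throw new IllegalStateException("expected exactly one IDPSSODescriptor in " + args[0]);
        }
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.transform(new DOMSource(doc), new StreamResult(new File(args[1])));
        System.err.println("removed " + sp + " SPSSODescriptor, " + role + " RoleDescriptor, " + sig + " Signature");
    }

    // getElementsByTagNameNS returns a live NodeList: collect first, then detach
    static int removeAll(Element root, String ns, String localName) {
        NodeList live = root.getElementsByTagNameNS(ns, localName);
        List<Node> victims = new ArrayList<Node>();
        for (int i = 0; i < live.getLength(); i++) {
            victims.add(live.item(i));
        }
        for (Node n : victims) {
            n.getParentNode().removeChild(n);
        }
        return victims.size();
    }
}
```

Because the signature is gone, the file's integrity now rests on how you obtained it: fetch it over HTTPS from the ADFS server itself and compare the token-signing certificate inside the remaining KeyDescriptor with the one the ADFS administrators hand you out of band. That certificate is what WebLogic will trust to verify every assertion; whoever can swap it can mint logins.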
32. Step 7b: Edit the SSO IdP partner
    • Edit the created SAML_SSO_ADFS partner:
      – Enable it
      – Provide a description
      – Provide a redirect URI (the Redirect URIs field)
        For APEX this should be /ords/f
33. Step 8: Identity Mapper
    • The identity of the principal needs to be extracted from the SAML token
    • This is done using an Identity Mapper, typically a name-mapper class implementing WebLogic's SAML2IdentityAsserterNameMapperPlugin
    • Deploy the WLSSamlIdentityMapper.jar file in ${DOMAIN_HOME}/lib
    • Add it to the classpath in setUserOverrides.sh/.cmd (bounce the domain!)
    • Set the class name as the Identity Mapper class on the SAML_SSO_ADFS IdP partner
34. Step 9: Set the Apex authentication scheme
    • In Apex, set the authentication scheme to HTTP Header Variable
      – Apex then trusts the user name it finds in the configured header, so that header must be set by the container after WebLogic authentication and must not be suppliable by the browser; do not expose ORDS on a path that bypasses the security constraint
    • After login the page shows the federated user
35. Final considerations
    • WebLogic needs to know that it is (reverse) proxied
      – Set WebLogic Plug-In Enabled to yes
      – Also set the frontend host/port
    • In OHS use PathTrim/PathPrepend to get 'nice' URLs:
      – add /ords/f to the URL
      – Redirect something like /MyServiceAppSaml2 to /saml2 (WebLogic listens on /saml2 for assertions, see Published Site URL)
37. Tips, Tricks and Thoughts
38. Thoughts about certificates
    • I prefer using a Java keystore also as the base for the wallet
      – WebLogic expects a keystore, and it makes the generation standard
      – keytool can't import a bare private key; it can import a complete PKCS#12 bundle with keytool -importkeystore, but the simplest route is to generate the key pair in the JKS
      – Create the CSR from the JKS and have that one signed: assures importability
    • MS ADFS brings you into the Windows world: people may be surprised that things aren't 'that obvious' in the Java world
    • Certificates as delivered can't always be imported as easily into a JKS: you may have to use tools such as keytool, orapki and OpenSSL
39. Wallet
    • Default location:
        ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default
    • Pre 12.2.1.3 it can be placed elsewhere, in the FMW home for instance
    • OHS 12.2.1.3 apparently expects it in the default location, for instance:
        ${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
40. WebLogic and ADFS
    • Pre 12.2.1.3 WebLogic apparently had difficulties with SHA-256 signed assertions; ADFS then had to be configured to use SHA-1
      – Treat that as a temporary workaround only: SHA-1 signatures are deprecated, so upgrade WebLogic rather than stay on SHA-1
    • Seems solved in 12.2.1.3
    • Make sure ADFS provides the right 'claims' in the token:
      – urn:mace:dir:attribute-def:uid
      – NameID (expected by WebLogic)
      – You may need to test and adapt the IdentityMapper class for your situation
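For Step 8 and the claims remark above, this is an added example of a name-mapper class of the kind the deck's WLSSamlIdentityMapper.jar contains; it is not the deck's code. It implements WebLogic's SAML2IdentityAsserterNameMapperPlugin, which receives the NameID and returns the WebLogic user name (returning null is how the plugin signals that mapping failed). The package name and the decision to strip a DOMAIN\ prefix are assumptions about your ADFS claim rules and APEX user names; the uid attribute from the slide is not visible to this interface, which only sees the NameID.

```java
// Added example: a WebLogic SAML 2.0 name mapper for ADFS-issued NameIDs. Not the deck's jar.
// Build against wlfullclient.jar / weblogic.jar, drop the jar in ${DOMAIN_HOME}/lib and enter
// nl.example.saml.AdfsIdentityMapper as the name mapper class on the SAML_SSO_ADFS partner.
package nl.example.saml; // assumption: any package name works

import java.util.regex.Pattern;
import weblogic.security.providers.saml.SAML2IdentityAsserterNameMapperPlugin;
import weblogic.security.providers.saml.SAML2NameMapperInfo;
import weblogic.security.service.ContextHandler;

public class AdfsIdentityMapper implements SAML2IdentityAsserterNameMapperPlugin {

    // Characters we are willing to forward as a user name; anything else is rejected
    // before it can end up in the HTTP header APEX trusts (slide 34).
    private static final Pattern SAFE_NAME =
        Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._@\\\\-]{0,254}$");

    @Override
    public String mapNameInfo(SAML2NameMapperInfo info, ContextHandler handler) {
        String nameId = (info == null) ? null : info.getName();
        if (nameId == null) {
            return null;                       // no NameID: fail the assertion, never guess a user
        }
        String name = nameId.trim();
        if (name.isEmpty() || !SAFE_NAME.matcher(name).matches()) {
            return null;                       // fail closed on empty or suspicious identifiers
        }
        // Assumption: ADFS issues DOMAIN\user while APEX knows bare names. Stripping the
        // domain is only safe when a single domain is federated; otherwise two different
        // accounts could collapse onto one APEX user.
        int backslash = name.lastIndexOf('\\');
        if (backslash >= 0) {
            name = name.substring(backslash + 1);
            if (name.isEmpty()) {
                return null;
            }
        }
        return name;
    }
}
```

Whatever this method returns is the principal WebLogic creates and, through the header variable scheme, the APP_USER APEX authorises against, so the mapper is the last place where an unexpected NameID format can be refused. Test it with the real claim formats your ADFS emits (UPN, DOMAIN\user, transient identifiers) before enabling the partner.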
41. Links
    • My first one, on WebLogic 11g and SAML 2.0:
      – https://blog.darwin-it.nl/2014/04/service-provider-initiated-sso-on.html
    • Apex, ORDS and ADFS findings on SAML 2.0 and WebLogic 12c:
      – http://blog.darwin-it.nl/2017/05/single-sign-on-for-apex-with-adfs-with.html
    • How to redirect URLs for the /saml2 servlet and /ords/f URIs:
      – http://blog.darwin-it.nl/2017/05/http-server-redirects-for-weblogic-12c.html
    • URL rewrite to have a 'nice' application URL (without /ords/f):
      – http://blog.darwin-it.nl/2017/06/ohs-url-rewrite.html
    • A basic one on WebLogic and ADFS:
      – https://blogs.oracle.com/blogbypuneeth/steps-to-configure-saml-sso-with-adfs-as-idp-and-weblogic-server-as-sp
42. Thank you for your attendance, patience and attention
43. Q & A