
Quick WLS 9.0 SAML overview


Neil Smithline's Blog | August 8, 2005   3:41 PM | Comments (3)


Single sign-on at the web tier across multiple domains or multiple servers within a domain is now supported within WLS 9.0. This has been an oft requested feature and I just wanted to take a few minutes to describe how it works.

Consider the Web site mysite.mycompany.com running a typical Web application. At some later point in time mycompany adds myothersite.mycompany.com as a separate WLS domain. While mysite and myothersite are different domains, users wish to have single sign-on (SSO) between them. Pre-WLS 9.x, a separate SSO solution needed to be added. In 9.0, the solution is to configure both sites to use SAML. While there are many strategies to do this, here is one strategy:

1) Configure the security for mysite as you would without SSO in mind.

2) Enable mysite to be a "SAML Source". Configuring a SAML Source Site for Single Sign-On describes how to do this. Once this is done, mysite becomes enabled to perform authentication not only for mysite, but for other sites as well.

3) Configure myothersite to be a "SAML Destination" that uses mysite for SSO. Configuring a SAML Destination Site for Single Sign-On describes this process. 

To illustrate how this works, let me give a few use cases:

- JoeUser visits mysite only. When visiting mysite, JoeUser will be prompted for credentials, authenticated, and will establish a standard WLS Web session with mysite (likely cookie based). 

- JoeUser visits myothersite only. When JoeUser visits myothersite he will be redirected to mysite's SAML Source URL (called the Intersite Transfer Service or ITS). mysite will request credentials, authenticate JoeUser, set up a standard Web session, and redirect back to myothersite passing a SAML assertion or artifact (depending on configuration settings). myothersite will recognize the incoming SAML assertion or artifact, validate it, authenticate JoeUser, and establish a second Web session, this one with myothersite. JoeUser will then be able to use myothersite as if he had logged into myothersite directly.

- JoeUser visits mysite then visits myothersite. As in the "mysite only" case, when visiting mysite a Web session will be created for JoeUser on mysite. When JoeUser visits myothersite, he will be redirected to mysite. On mysite JoeUser already has a Web session so will not be asked to authenticate a second time. JoeUser will be redirected back to myothersite passing a SAML assertion or artifact and JoeUser will be authenticated to myothersite and get a second Web session. Notice that JoeUser is now authenticated to both mysite and myothersite while only having provided credentials a single time.

- JoeUser visits myothersite then visits mysite. This begins the same as the "myothersite only" case. After having established the Web session with myothersite, JoeUser then visits mysite. JoeUser already has a Web session with mysite and is not prompted for credentials. Once again, two Web sessions with only providing credentials once.
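To make the four use cases above concrete, here is an added Python model of the exchange. It is my own sketch for this post, not WLS code and not any BEA API: the class names (SourceSite, DestinationSite, Browser), the credential store, and the assertion layout are all constructed. It stands in an HMAC over a shared key for the XML signature a real SAML source makes with its certificate, and it counts how many times the user is prompted for credentials in each scenario.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: both sites share this key. Real SAML uses an XML signature made
# with the source site's certificate; HMAC stands in so the model runs offline.
SHARED_KEY = b"constructed-demo-key"
ASSERTION_TTL = 60  # seconds; a short lifetime narrows the replay window


class Browser:
    """One cookie jar per host, plus a count of credential prompts seen."""
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.cookies = {}  # host -> session id
        self.prompts = 0


class SourceSite:
    """mysite: authenticates users and runs the Intersite Transfer Service."""
    def __init__(self, host):
        self.host = host
        self.users = {"JoeUser": "s3cret"}  # constructed credential store
        self.sessions = {}  # session id -> username

    def _session_user(self, browser):
        return self.sessions.get(browser.cookies.get(self.host))

    def login(self, browser):
        """Prompt for credentials and establish a local web session."""
        browser.prompts += 1
        if self.users.get(browser.username) != browser.password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = browser.username
        browser.cookies[self.host] = sid
        return sid

    def visit(self, browser):
        """Plain visit to mysite: serve the existing session or log in."""
        return self._session_user(browser) or self.sessions[self.login(browser)]

    def its(self, browser, destination_host):
        """ITS: reuse the session if one exists (no second prompt), otherwise
        log in; then issue a signed assertion addressed to the destination."""
        user = self.visit(browser)
        now = int(time.time())
        body = {"id": secrets.token_hex(8), "issuer": self.host, "subject": user,
                "audience": destination_host, "nbf": now, "exp": now + ASSERTION_TTL}
        raw = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(SHARED_KEY, raw, hashlib.sha256).digest()
        # The browser carries this back to the destination on the redirect.
        return base64.b64encode(raw).decode() + "." + base64.b64encode(sig).decode()


class DestinationSite:
    """myothersite: trusts one source site and keeps its own web sessions."""
    def __init__(self, host, source):
        self.host, self.source = host, source
        self.sessions = {}
        self.seen_ids = set()  # assertion ids already consumed (replay check)

    def validate(self, token):
        """Checks a destination must make before trusting an assertion."""
        raw_b64, _, sig_b64 = token.partition(".")
        raw, sig = base64.b64decode(raw_b64), base64.b64decode(sig_b64)
        expected = hmac.new(SHARED_KEY, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("signature mismatch")
        body = json.loads(raw)
        if body["issuer"] != self.source.host:
            raise ValueError("untrusted issuer")
        if body["audience"] != self.host:
            raise ValueError("assertion addressed to another site")
        if not body["nbf"] <= int(time.time()) < body["exp"]:
            raise ValueError("assertion expired or not yet valid")
        if body["id"] in self.seen_ids:
            raise ValueError("assertion replayed")
        self.seen_ids.add(body["id"])
        return body["subject"]

    def visit(self, browser):
        """Serve the existing session, or run the redirect exchange via the ITS."""
        user = self.sessions.get(browser.cookies.get(self.host))
        if user:
            return user
        token = self.source.its(browser, self.host)  # redirect to mysite's ITS
        user = self.validate(token)                  # redirected back with the assertion
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        browser.cookies[self.host] = sid
        return user


def run_scenario(order):
    """Replay one of the post's use cases; returns (credential prompts, sessions)."""
    mysite = SourceSite("mysite.mycompany.com")
    myothersite = DestinationSite("myothersite.mycompany.com", mysite)
    browser = Browser("JoeUser", "s3cret")
    for site in order:
        (mysite if site == "mysite" else myothersite).visit(browser)
    return browser.prompts, len(browser.cookies)
```

Running `run_scenario` with each of the four visit orders (`["mysite"]`, `["myothersite"]`, `["mysite", "myothersite"]`, `["myothersite", "mysite"]`) gives exactly one credential prompt every time, and two Web sessions whenever myothersite is involved, which is the point of the use cases. The `validate` method is where the destination's trust lives: issuer, audience, validity window, and a consumed-id set, so an assertion minted for a different site, or presented twice, is refused even though its signature is good.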

This is just a quick overview of SAML's functionality in WLS 9.0. Besides what is described here, SAML can be used for Web Services (see Using Security Assertion Markup Language (SAML) Tokens for Identity). SAML requires somewhat more complex configuration than standard security but, in exchange for that effort, provides true SSO within a domain, between domains, and even across different vendors' products, since SAML is a standard.

Comments


  • Hi, The steps you explained above are like a normal use case. Can you explain in more detail how to achieve this with WLS? I have gone through the links "Configuring a SAML Source Site for Single Sign-On" and "Configuring a SAML Destination Site for Single Sign-On". Unfortunately I was unable to make anything out of it. These links are not very clear and there is no step-by-step approach. I tried configuring the WLS as Source Site. I am unsure which values I need to provide as Name Qualifier, Issuer URI etc. Can you please explain to me with some example values (if you have configured it already)? Thanks and Regards, Kris.

    Posted by: teluguniceguy on September 4, 2006 at 12:05 AM

  • Hi! I'm subscribing to the above opinion. I was unable to configure SAML on WLS 9.1 after I have read the documentation.

    Posted by: kit_ on October 5, 2006 at 2:21 AM

  • Ditto. Any help would be greatly appreciated. The documentation is not very helpful. It is too scattered and vague. Details and examples are needed.

    Posted by: so88lom on December 11, 2006 at 9:08 AM



