Configure Single Sign-On with APEX, ORDS and ADFS

DARWIN IT-PROFESSIONALS
IT Driven Evolution
Single Sign-On
withApex andADFS
the WebLogic Way
Martien van den Akker
2019

martien.van.den.akker@darwin-it.nl @Makker_nl
Who I am
copyright ©2019 Darwin IT-Professionals B.V. 2

Introduction
Architecture
Prerequisites
Steps
Tips, Tricks and Thoughts
1
2
3
4
6
Agenda
7
5

DarwinIT-Professionals
INTRODUCTION

Introduction– Why?
• Projects
– WebLogic and SurfConext using SAML2.0
(2014 on 11g, and 2017 on 12c)
– Apex and ADFS, using WebLogic/ORDS and SAML2.0 (2017 &
2018)
• SAML2.0 allows for Single Sign On in Federated
environments

Security AssertionMarkupLanguage
(SAML)
• SAML: XML based standard for exchange of authentication and
authorization data between parties:
– Identity Provider, e.g. SurfConext or ADFS
– Service Provider
• IdP sends Security Assertions to SP that contains info
– Is principal authenticated?
– What roles does the principal have?
• SAML 2.0 became an OASIS Standard in March 2005
• WebLogic 11g+ has proper, but basic, support for SAML1 and 2.0

SAMLandWebLogic
• SAML between WebLogic and ADFS works schematically as
follows:
copyright ©2019 Darwin IT-Professionals B.V.
Service Provider Identity Provider (ADFS)
WebLogic Security Service
Browser
Assertion Consumer
Service
WebLogic Server
Protected Resource
ORDS
4 Login Page
2 No Token detected
Security Service
Single Sign-On
Service
1 User requests Page
5 User submits login
3 User redirected to IdP
ADFS Provides SAML 2.0 token6
7 Requested Page returned
7

Authenticationvs. Authorisation
• Authentication: process to identify the user -> Who is this user?
• Authorisation: process to determine the access rights of identified
user -> Is this user allowed to access this page?
• APEX supports several authentication schemes:
– Application Express Accounts
– Custom Authentication
– Database Accounts
– HTTP Header Variable
– LDAP Directory Verification
• WebLogic adds authentication capabilities to Apex
– No Authentication (using DAD)
– Open Door Credentials
– Oracle Application Server SSO Server
– Social sign in (since 18.1)
Allows for authentication outside of Apex:
sounds great!
8

Introduction– What is ORDS?
• Oracle REST Data Services (ORDS)
– Develop REST interfaces for relation data in Oracle Database
– Maps HTTP(s) verbs (GET, POST, PUT, DELETE) to db transactions,
returning JSON
– Included with Oracle Database and SQL Developer
• Supported to run in
– WebLogic
– Tomcat
– Glassfish
– Or as stand alone application with Jetty in embedded mode
• Can function as ‘Apex Listener’

Apex Authorisation
• Apex authorisation is strictly separated from authentication
• For Authorisation the application must map users or roles to page
grants
• Therefor application needs to ‘know’ the users and/or roles

Introduction
Architecture
Prerequisites
Steps
1
2
3
4
6
Agenda
7
5

ARCHITECTURE:
LAYOUT OHS, WEBLOGIC, ORDS, APEX AND ADFS

Internet DataCenterDeMilitarized Zone
Oracle 12c Database
Simple Architecture
APEX
Oracle
HTTP
Server
12c
ORDS
FKA Apex
Listener
Standalone or
on AppServer
Firewall FirewallBrowser Reversed Proxy
13

Internet DataCenterDeMilitarized Zone
Oracle 12c Database
Apex User Directory
More ‘Enterprise-like’Architecture
APEX
Oracle
HTTP
Server
12c
WebLogic 12c
Service
Provider
Firewall FirewallBrowser Reversed Proxy
ORDS
WebLogic 12c
AdminServer
Microsoft
Active Directory
Federation
Services
SAML 2.0
14

Introduction
Architecture
Prerequisites
Steps
1
2
3
4
6
Agenda
7
5

PREREQUISITES FOR SAML2.0 BASED
AUTHENTICATION WITH APEX+WLS+ADFS

Prerequisites
• Certificates for Reversed Proxy and WebLogic
– Think about the CN/host names and possible Subject Alternative
Names
– WebLogic expects a Keystore, generate CSR from Keystore
– Auto-login wallet (first create a JKS and import it into the wallet)
• DNS configuration on the CN and SANs
• It helps if Rev Proxy server can reach the WebLogic server vv.
• Firewall and network configuration done properly
• Access from Internet

Ingredients
• A working APEX installation/application
• A reversed proxy with WebLogic Proxy plugin, preferably
Oracle HTTP Server, but Apache and IIS will do
• WebLogic 12c
• ORDS
• ADFS configured (and supported…)
• A certificate signing procedure

Introduction
Architecture
Prerequisites
Steps
1
2
3
4
6
Agenda
7
5

INSTALLATION AND CONFIGURATION STEPS

Installationand Configurationsteps
21copyright ©2019 Darwin IT-Professionals B.V.
1: Install and configure software (Weblogic, OHS, etc.)
2: Create & Sign Certificates for OHS and Weblogic
3: Modify and deploy ords.war to Weblogic
4: Add SAML2 Identity Asserter
5: Configure SAML2 Service Provider
6: Configure & SAML2.0 General
7: Create SSO IdP
8: Identity Mapper
9: Set Apex Authentication Scheme
Weblogic SAML2 configuration

Step 1a: Installsoftware
• Install OHS 12c on Reversed Proxy Server
– Configure OHS 12c Standalone Domain
– Configure “Nodemanager as a Service”
– Create Start & Stop scripts
• Install WebLogic 12c on Application Server Host
– Configure Domain
– Configure “Nodemanager as a Service”
– Create Start & Stop scripts

Step 1b:Install ORDS
• Install ORDS 3.0.9+ (currently 19.1) on WebLogic Host
– Perform an in place install, following the wizards using one of:
– This creates database connection configuration files. No
datasources on WLS are used…
– Copy apex images to an images folder in the ords home:
– Create an i.war using:
– i.war is a simple webapp that creates a folder mapping for
WebLogic and Glassfish
java -jar ords.war static <ords directory>images
java -jar ords.war install java -jar ords.war install advanced
23

Step 2: Create Certificates
• Create Certificate Signing requests for OHS and WLS
– Keystore for WLS and another one as base for OHS wallet
• Have Certificates signed
• Import Root Certificates and Certificates
• Create Truststore with Roots and Public Keys
• Set Custom Identity and Trust Keystores in WLS
• Use ORAPKI to create an auto_login wallet in:
• Import OHS keystore in wallet
${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
Convenient:
already configured in ssl.conf
24

Step 3a: Modifyords.war
• ORDS (ords.war) doesn’t do authentication: Apex does it by itself,
normally.
• But ords.war needs to hand it over to WebLogic
• To do so web.xml and WebLogic.xml need to be adapted
– <security-constraint> on <url-pattern>/f/*</url-pattern>
– <auth-method> BASIC on <realm-name> myrealm
– <security-role> <role-name> Anonymous, with role assignment in
webLogic.xml
• Repackage ords.war with updated descriptors

Step 3a: web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description>These pages are only accessible by authorized users.</description>
<url-pattern>/f/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>These are the roles who have access.</description>
<role-name>Anonymous</role-name>
</auth-constraint>
<user-data-constraint>
<description>This is how the user data must be transmitted.</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<security-role>
</security-role>
26

Step 3a: weblogic.xml
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app
http://xmlns.oracle.com/weblogic/weblogic-web-app/1.6/weblogic-web-app.xsd">

<container-descriptor>
<prefer-web-inf-classes>true</prefer-web-inf-classes>
</container-descriptor>
<session-descriptor>
<persistent-store-type>replicated_if_clustered</persistent-store-type>
</session-descriptor>
<security-role-assignment>

<principal-name>users</principal-name>
</security-role-assignment>
<context-root>/ords</context-root>
</weblogic-web-app>
27

Step 3b:Deploy ords.war andi.warto WLS
• Install ords.war and
i.war as an application,
using Custom Roles

Step 4: Add SAML2 Identity Asserter
• Add a SAML2Identity Asserter
• Bounce the Domain (Admin + SP
Server)
• This enables Federation Services
tabs in Server Config

Step 5: Configure SAML2 Service Provider
• On Managed Server
– Check ‘Enabled’
– Preferred Binding: POST
– Default URL: accessible URL

Step 6a: Configure SAML2.0 General
• Fill in the contact properties
• Published Site URL: WebLogic expects /saml2 as URI
– Servlet to listen for Assertions from IdP
• EntityID: ADFS expects a connectable URL
• Recipient Check Enabled: uncheck
• Provide SSO Key Alias and Passphrase from JKS

Step 6b:PublishSAMLMetadata
• Restart Server
• Publish Meta Data
– WebLogic saves this as a xml file
– Save it with a standard filename to a standard folder
– Create and deploy SamlMetaData.war based on i.war with a
folder mapping
– Provide resulting URL (folder mapping + MetaData file name) to
ADFS
https://blog.darwin-it.nl/2018/02/weblogic-12c-saml2-publish-your.html
32

Step 7: Create SSO IdP
• Navigate to SAML2IdentityAsserter
• Create a “Web Single Sign-On
Identity Provider Partner”
• Remove SP parts from ADFS
Metadata file (see blog)
• Import resulting file

Step 7b:EditSSOIdP
Edit the created SAML_SSO_ADFS
• Enable it
• Provide a description
• And provide a redirect url
– For APEX this should be /ords/f

Step 8: Identity Mapper
• The Identity of the principle needs to be filtered from the SAML Token
• This is done using an Identity Mapper
• Deploy WLSSamlIdentityMapper.jar file in ${DOMAIN_HOME}/lib
• Add it to the classpath in setUserOverrides.sh/.cmd (bounce domain!)
• Set it on the class in the SAML_SSO_ADFS IdP:
https://blog.darwin-it.nl/2017/05/single-sign-on-for-apex-with-adfs-with.html
35

Step 9: Set Apex AuthenticationScheme
• In Apex Set Authentication Scheme to Header Variable
After Login
1
2
3
36

Finalconsiderations
• WebLogic needs to know that it is (reversed) proxied
– Set WebLogic Proxy Plugin to yes
– Also set frontend host/port
• In OHS use PathTrim/PathPrepend to get ‘nice URLs’:
– add /ords/f in URL
– Redirect something like /MyServiceAppSaml2 to /saml2
(WebLogic listens on /saml2 for Assertions, see Published Site
URL)

Introduction
Architecture
Prerequisites
Steps
1
2
3
4
6
Agenda
7
5

TIPS, TRICKS AND THOUGHTS

Thoughts aboutCertificates
• I prefer using a Java Keystore also as a base for wallet
– WebLogic expects a Keystore, OHS a wallet that can be created from
JKS.
– JKS expect key-pairs: private keys can’t be imported so obviously
– Create CSR from JKS and have that signed: assures importability
• MS ADFS brings you to the Windows world: people may be
surprised that things aren’t “that obvious” in the java world
• Certificates as delivered can’t always be imported easily in JKS: you
have to use tools like Keytool, ORAPKI, and OpenSSL

Wallet
• Default location
• Pre 12.2.1.3 can be placed in FMW home for instance.
• OHS 12.2.1.3 apparently expects it in default location, for instance:
${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/
${COMPONENT_NAME}/keystores/default
${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
41

WebLogic and ADFS
• Pre 12.2.1.3 WebLogic apparently had difficulties with SHA-256
signed Assertions. ADFS was configured to use SHA-1.
• This has been solved in 12.2.1.3,
so ADFS SHA-256 is ok now
• Make sure ADFS provides the right ‘Claims’in the token:
– urn:mace:dir:attribute-def:uid
– NameID (expected by WebLogic)
– May need to test and adapt the IdentityMapper class for your situation
• ADFS expects TLS v1.0, OHS defaults to TLSv1.2, so adapt ssl.conf:
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
42

SpecialOHSRoutings – ExtraRequirement

SpecialOHSRoutings – VirtualHost
• Customer required that requests from http://portal.customer.nl
should route to Weblogic/SSO, but all other routes to Tomcat.
• VirtualHost definition in ssl.conf, so you can’t select on server name.
• SNI: Server Name Indication could help. Apache supports SNI
since, 2.2.12. Oracle HTTP 12.2.1.3 is based on Apache 4.5
• But, in this case a deployment plan is used to redeploy ORDS in
weblogic on another context-root (apex in stead of ords). Then route
on base of URI.
https://en.wikipedia.org/wiki/Server_Name_Indication
https://docs.oracle.com/middleware/1221/webtier/administer-ohs/whats_new.htm#CHDJJAEC
44

Links
• My First blog on WebLogic 11g and SAML2
– https://blog.darwin-it.nl/2014/04/service-provider-initiated-sso-on.html
• Apex, ORDS & ADFS findings on SAML2 and WebLogic 12c:
– http://blog.darwin-it.nl/2017/05/single-sign-on-for-apex-with-adfs-with.html
• How to redirect URLs for the /saml2 Servlet and /ords/f URI’s
– http://blog.darwin-it.nl/2017/05/http-server-redirects-for-WebLogic-12c.html
• URL Rewrite to have a ‘nice’ application URL (without /ords/f)
– http://blog.darwin-it.nl/2017/06/ohs-url-rewrite.html
• A basic one on WebLogic and ADFS
– https://blogs.oracle.com/blogbypuneeth/steps-to-configure-saml-sso-with-adfs-as-idp-and-WebLogic-server-
as-sp
• Publish metadata over URL
– https://blog.darwin-it.nl/2018/02/weblogic-12c-saml2-publish-your.html
• About weblogic and SHA-1/SHA-256 signing of SAML requests/responses
– https://blog.darwin-it.nl/2019/06/weblogic-12213-signs-saml2-requests-and.html

THANK YOU FOR YOUR ATTENDANCE, PATIENCE AND
ATTENTION

Q & A

Configure Single Sign-On with APEX, ORDS and ADFS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Configure Single Sign-On with APEX, ORDS and ADFS

Similar to Configure Single Sign-On with APEX, ORDS and ADFS (20)

Recently uploaded

Recently uploaded (20)

Configure Single Sign-On with APEX, ORDS and ADFS