Configure Single Sign-On with APEX, ORDS and ADFS
makker_nl
My presentation for the July 2019 UK OUG Southern Tech Summit
1.
Darwin IT-Professionals: IT Driven Evolution
Single Sign-On with Apex and ADFS the WebLogic Way
Martien van den Akker, 2019
2.
Who I am
martien.van.den.akker@darwin-it.nl
@Makker_nl
copyright ©2019 Darwin IT-Professionals B.V.
3.
Agenda
• Introduction
• Architecture
• Prerequisites
• Steps
• Tips, Tricks and Thoughts
4.
Darwin IT-Professionals
INTRODUCTION
5.
Introduction – Why?
• Projects
  – WebLogic and SurfConext using SAML 2.0 (2014 on 11g, and 2017 on 12c)
  – Apex and ADFS, using WebLogic/ORDS and SAML 2.0 (2017 & 2018)
• SAML 2.0 allows for Single Sign-On in federated environments
6.
Security Assertion Markup Language (SAML)
• SAML: XML-based standard for the exchange of authentication and authorization data between parties:
  – Identity Provider (IdP), e.g. SurfConext or ADFS
  – Service Provider (SP)
• The IdP sends Security Assertions to the SP that contain info:
  – Is the principal authenticated?
  – What roles does the principal have?
• SAML 2.0 became an OASIS Standard in March 2005
• WebLogic 11g+ has proper, but basic, support for SAML 1 and 2.0
7.
SAML and WebLogic
• SAML between WebLogic and ADFS works schematically as follows (diagram: Browser; Service Provider = WebLogic Server with its Security Service, the Assertion Consumer Service and the protected resource ORDS; Identity Provider = ADFS with its Security Service, Single Sign-On Service and Login Page):
  1. User requests page
  2. No token detected
  3. User redirected to IdP
  4. Login page
  5. User submits login
  6. ADFS provides SAML 2.0 token
  7. Requested page returned
8.
Authentication vs. Authorisation
• Authentication: process to identify the user -> Who is this user?
• Authorisation: process to determine the access rights of the identified user -> Is this user allowed to access this page?
• APEX supports several authentication schemes:
  – Application Express Accounts
  – Custom Authentication
  – Database Accounts
  – HTTP Header Variable
  – LDAP Directory Verification
  – No Authentication (using DAD)
  – Open Door Credentials
  – Oracle Application Server SSO Server
  – Social sign in (since 18.1)
• WebLogic adds authentication capabilities to Apex: it allows for authentication outside of Apex. Sounds great!
9.
Introduction – What is ORDS?
• Oracle REST Data Services (ORDS)
  – Develop REST interfaces for relational data in the Oracle Database
  – Maps HTTP(S) verbs (GET, POST, PUT, DELETE) to database transactions, returning JSON
  – Included with Oracle Database and SQL Developer
• Supported to run in:
  – WebLogic
  – Tomcat
  – Glassfish
  – Or as a stand-alone application with Jetty in embedded mode
• Can function as the ‘Apex Listener’
10.
Apex Authorisation
• Apex authorisation is strictly separated from authentication
• For authorisation the application must map users or roles to page grants
• Therefore the application needs to ‘know’ the users and/or roles
11.
Agenda (repeated; see slide 3)
12.
Darwin IT-Professionals
ARCHITECTURE: LAYOUT OHS, WEBLOGIC, ORDS, APEX AND ADFS
13.
Simple Architecture (diagram)
• Internet: Browser
• Firewall
• DeMilitarized Zone: Oracle HTTP Server 12c as reversed proxy
• Firewall
• Data Center: ORDS (FKA Apex Listener; standalone or on an AppServer) and the Oracle 12c Database with APEX
14.
More ‘Enterprise-like’ Architecture (diagram)
• Internet: Browser
• Firewall
• DeMilitarized Zone: Oracle HTTP Server 12c as reversed proxy
• Firewall
• Data Center: WebLogic 12c AdminServer; WebLogic 12c Service Provider running ORDS; Oracle 12c Database with APEX; Microsoft Active Directory Federation Services (SAML 2.0) with the Apex user directory
15.
Agenda (repeated; see slide 3)
16.
Darwin IT-Professionals
PREREQUISITES FOR SAML 2.0 BASED AUTHENTICATION WITH APEX+WLS+ADFS
17.
Prerequisites
• Certificates for the Reversed Proxy and WebLogic
  – Think about the CN/host names and possible Subject Alternative Names
  – WebLogic expects a Keystore; generate the CSR from the Keystore
  – Auto-login wallet (first create a JKS and import it into the wallet)
• DNS configuration on the CN and SANs
• It helps if the Rev Proxy server can reach the WebLogic server and vice versa
• Firewall and network configuration done properly
• Access from the Internet
18.
Ingredients
• A working APEX installation/application
• A reversed proxy with the WebLogic Proxy plugin, preferably Oracle HTTP Server, but Apache and IIS will do
• WebLogic 12c
• ORDS
• ADFS configured (and supported…)
• A certificate signing procedure
19.
Agenda (repeated; see slide 3)
20.
Darwin IT-Professionals
INSTALLATION AND CONFIGURATION STEPS
21.
Installation and Configuration steps
1: Install and configure software (WebLogic, OHS, etc.)
2: Create & sign certificates for OHS and WebLogic
3: Modify and deploy ords.war to WebLogic
WebLogic SAML2 configuration:
4: Add SAML2 Identity Asserter
5: Configure SAML2 Service Provider
6: Configure SAML2.0 General
7: Create SSO IdP
8: Identity Mapper
9: Set Apex Authentication Scheme
22.
Step 1a: Install software
• Install OHS 12c on the Reversed Proxy Server
  – Configure OHS 12c Standalone Domain
  – Configure “Nodemanager as a Service”
  – Create start & stop scripts
• Install WebLogic 12c on the Application Server host
  – Configure Domain
  – Configure “Nodemanager as a Service”
  – Create start & stop scripts
23.
Step 1b: Install ORDS
• Install ORDS 3.0.9+ (currently 19.1) on the WebLogic host
  – Perform an in-place install, following the wizards, using one of:
      java -jar ords.war install
      java -jar ords.war install advanced
  – This creates database connection configuration files. No datasources on WLS are used…
  – Copy the Apex images to an images folder in the ORDS home
  – Create an i.war using:
      java -jar ords.war static <ords directory>/images
  – i.war is a simple webapp that creates a folder mapping for WebLogic and Glassfish
24.
Step 2: Create Certificates
• Create Certificate Signing Requests for OHS and WLS
  – Keystore for WLS and another one as base for the OHS wallet
• Have the certificates signed
• Import root certificates and certificates
• Create a truststore with roots and public keys
• Set Custom Identity and Trust Keystores in WLS
• Use ORAPKI to create an auto_login wallet in:
      ${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
  (convenient: already configured in ssl.conf)
• Import the OHS keystore into the wallet
25.
Step 3a: Modify ords.war
• ORDS (ords.war) doesn’t do authentication: normally Apex does it by itself.
• But ords.war needs to hand it over to WebLogic
• To do so, web.xml and weblogic.xml need to be adapted:
  – <security-constraint> on <url-pattern>/f/*</url-pattern>
  – <auth-method> BASIC on <realm-name> myrealm
  – <security-role> <role-name> Anonymous, with a role assignment in weblogic.xml
• Repackage ords.war with the updated descriptors
26.
Step 3a: web.xml

  <!-- Every Apex page (/f/*) requires an authenticated user holding the Anonymous role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <description>These pages are only accessible by authorized users.</description>
      <url-pattern>/f/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>These are the roles who have access.</description>
      <role-name>Anonymous</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>This is how the user data must be transmitted.</description>
      <!-- NONE: TLS is terminated on the reversed proxy (OHS) in this architecture,
           so WebLogic itself does not enforce a transport guarantee here -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- BASIC against the WebLogic realm; the SAML2 Identity Asserter intercepts the
       challenge and redirects to the IdP instead -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
    <role-name>Anonymous</role-name>
  </security-role>
27.
Step 3a: weblogic.xml

  <weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.6/weblogic-web-app.xsd">
    <!-- Weblogic 12c -->
    <container-descriptor>
      <prefer-web-inf-classes>true</prefer-web-inf-classes>
    </container-descriptor>
    <session-descriptor>
      <persistent-store-type>replicated_if_clustered</persistent-store-type>
    </session-descriptor>
    <security-role-assignment>
      <!--<role-name>valid-users</role-name> -->
      <!-- Maps the Anonymous role from web.xml to WebLogic's built-in 'users' group,
           i.e. every authenticated principal, including one asserted via SAML -->
      <role-name>Anonymous</role-name>
      <principal-name>users</principal-name>
    </security-role-assignment>
    <context-root>/ords</context-root>
  </weblogic-web-app>
28.
Step 3b: Deploy ords.war and i.war to WLS
• Install ords.war and i.war as an application, using Custom Roles
29.
Step 4: Add SAML2 Identity Asserter
• Add a SAML2IdentityAsserter
• Bounce the domain (Admin + SP server)
• This enables the Federation Services tabs in the server configuration
30.
Step 5: Configure SAML2 Service Provider
• On the Managed Server:
  – Check ‘Enabled’
  – Preferred Binding: POST
  – Default URL: accessible URL
31.
Step 6a: Configure SAML2.0 General
• Fill in the contact properties
• Published Site URL: WebLogic expects /saml2 as URI
  – Servlet to listen for Assertions from the IdP
• EntityID: ADFS expects a connectable URL
• Recipient Check Enabled: uncheck
• Provide SSO Key Alias and Passphrase from the JKS
32.
Step 6b: Publish SAML Metadata
• Restart the server
• Publish Meta Data
  – WebLogic saves this as an xml file
  – Save it with a standard filename to a standard folder
  – Create and deploy SamlMetaData.war based on i.war with a folder mapping
  – Provide the resulting URL (folder mapping + MetaData file name) to ADFS
https://blog.darwin-it.nl/2018/02/weblogic-12c-saml2-publish-your.html
33.
Step 7: Create SSO IdP
• Navigate to SAML2IdentityAsserter
• Create a “Web Single Sign-On Identity Provider Partner”
• Remove the SP parts from the ADFS Metadata file (see blog)
• Import the resulting file
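The "remove the SP parts" step above is easy to get wrong by hand-editing a large FederationMetadata.xml. The script below is an added example (not from the deck or the linked blog) that does it mechanically and then shows what is left for WebLogic to import: it keeps only the IDPSSODescriptor and drops the SPSSODescriptor, the WS-Federation RoleDescriptor elements and the enveloped signature. Dropping the RoleDescriptors and the signature is my assumption of what "SP parts" covers (an enveloped signature no longer verifies once the document is edited, so WebLogic has to trust the file by how you obtained it); the sample metadata, hostnames and certificate are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata and XML Digital Signature.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Top-level children of EntityDescriptor that a WebLogic IdP-partner import does not
# need (assumption: the SP role, the WS-Federation role descriptors, the signature).
DROP_TAGS = ("Signature", "RoleDescriptor", "SPSSODescriptor")

# Constructed sample shaped like ADFS federation metadata; all values are placeholders.
SAMPLE_ADFS_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_placeholder-id" entityID="http://adfs.example.test/adfs/services/trust">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/" index="0" isDefault="true"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts in front of element names."""
    return tag.rsplit("}", 1)[-1]


def strip_sp_parts(metadata_xml):
    """Return (cleaned_xml, removed_tags): the metadata with only the IdP role left."""
    root = ET.fromstring(metadata_xml)
    removed = []
    for child in list(root):  # list(): the tree is mutated while iterating
        if local_name(child.tag) in DROP_TAGS:
            root.remove(child)
            removed.append(local_name(child.tag))
    return ET.tostring(root, encoding="unicode"), removed


def role_descriptors(metadata_xml):
    """Local names of the elements directly under EntityDescriptor."""
    return [local_name(c.tag) for c in ET.fromstring(metadata_xml)]


def sso_endpoints(metadata_xml):
    """Map short binding name (HTTP-POST, HTTP-Redirect) -> SingleSignOnService URL."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        out[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    return out


def signing_certificates(metadata_xml):
    """Base64 certificates the IdP signs assertions with (whitespace removed)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means both uses
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))
    return certs


if __name__ == "__main__":
    cleaned, removed = strip_sp_parts(SAMPLE_ADFS_METADATA)
    print("removed:", removed)
    print("remaining:", role_descriptors(cleaned))
    print("SSO endpoints:", sso_endpoints(cleaned))
    print("signing certs:", signing_certificates(cleaned))
    print(cleaned)
```

Run it against a real FederationMetadata.xml by reading the file into `strip_sp_parts`; before importing the result, compare the printed signing certificate with the token-signing certificate shown in the ADFS console, since that certificate is what WebLogic will use to verify assertions.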
34.
Step 7b: Edit SSO IdP
Edit the created SAML_SSO_ADFS:
• Enable it
• Provide a description
• And provide a redirect URL
  – For APEX this should be /ords/f
35.
Step 8: Identity Mapper
• The identity of the principal needs to be filtered from the SAML token
• This is done using an Identity Mapper
• Deploy the WLSSamlIdentityMapper.jar file in ${DOMAIN_HOME}/lib
• Add it to the classpath in setUserOverrides.sh/.cmd (bounce the domain!)
• Set the class on the SAML_SSO_ADFS IdP
https://blog.darwin-it.nl/2017/05/single-sign-on-for-apex-with-adfs-with.html
36.
Step 9: Set Apex Authentication Scheme
• In Apex, set the Authentication Scheme to HTTP Header Variable (screenshots 1, 2 and 3 in the original deck, including the ‘After Login’ settings)
37.
Final considerations
• WebLogic needs to know that it is (reversed) proxied
  – Set WebLogic Proxy Plugin to yes
  – Also set the frontend host/port
• In OHS use PathTrim/PathPrepend to get ‘nice URLs’:
  – add /ords/f to the URL
  – Redirect something like /MyServiceAppSaml2 to /saml2 (WebLogic listens on /saml2 for Assertions, see Published Site URL)
38.
Agenda (repeated; see slide 3)
39.
Darwin IT-Professionals
TIPS, TRICKS AND THOUGHTS
40.
Thoughts about Certificates
• I prefer using a Java Keystore also as a base for the wallet
  – WebLogic expects a Keystore, OHS a wallet that can be created from a JKS.
  – JKS expects key-pairs: private keys can’t simply be imported
  – Create the CSR from the JKS and have that signed: this assures importability
• MS ADFS brings you to the Windows world: people may be surprised that things aren’t “that obvious” in the Java world
• Certificates as delivered can’t always be imported easily in a JKS: you have to use tools like Keytool, ORAPKI, and OpenSSL
41.
Wallet
• Default location:
      ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default
• Pre 12.2.1.3 it can be placed in the FMW home, for instance.
• OHS 12.2.1.3 apparently expects it in the default location, for instance:
      ${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
42.
WebLogic and ADFS
• Pre 12.2.1.3 WebLogic apparently had difficulties with SHA-256 signed Assertions; ADFS was configured to use SHA-1.
• This has been solved in 12.2.1.3, so ADFS SHA-256 is ok now
• Make sure ADFS provides the right ‘Claims’ in the token:
  – urn:mace:dir:attribute-def:uid
  – NameID (expected by WebLogic)
  – You may need to test and adapt the IdentityMapper class for your situation
• ADFS expects TLS v1.0, OHS defaults to TLSv1.2, so adapt ssl.conf:
      SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
43.
Special OHS Routings – Extra Requirement (diagram)
44.
Special OHS Routings – VirtualHost
• The customer required that requests to http://portal.customer.nl should route to WebLogic/SSO, but all other routes to Tomcat.
• The VirtualHost definition is in ssl.conf, so you can’t select on server name.
• SNI (Server Name Indication) could help. Apache supports SNI since 2.2.12. Oracle HTTP Server 12.2.1.3 is based on Apache 4.5.
• But in this case a deployment plan is used to redeploy ORDS in WebLogic on another context-root (apex instead of ords). Then route on the basis of the URI.
https://en.wikipedia.org/wiki/Server_Name_Indication
https://docs.oracle.com/middleware/1221/webtier/administer-ohs/whats_new.htm#CHDJJAEC
45.
Links
• My first blog on WebLogic 11g and SAML2
  – https://blog.darwin-it.nl/2014/04/service-provider-initiated-sso-on.html
• Apex, ORDS & ADFS findings on SAML2 and WebLogic 12c:
  – http://blog.darwin-it.nl/2017/05/single-sign-on-for-apex-with-adfs-with.html
• How to redirect URLs for the /saml2 Servlet and /ords/f URIs
  – http://blog.darwin-it.nl/2017/05/http-server-redirects-for-WebLogic-12c.html
• URL Rewrite to have a ‘nice’ application URL (without /ords/f)
  – http://blog.darwin-it.nl/2017/06/ohs-url-rewrite.html
• A basic one on WebLogic and ADFS
  – https://blogs.oracle.com/blogbypuneeth/steps-to-configure-saml-sso-with-adfs-as-idp-and-WebLogic-server-as-sp
• Publish metadata over URL
  – https://blog.darwin-it.nl/2018/02/weblogic-12c-saml2-publish-your.html
• About WebLogic and SHA-1/SHA-256 signing of SAML requests/responses
  – https://blog.darwin-it.nl/2019/06/weblogic-12213-signs-saml2-requests-and.html
46.
Darwin IT-Professionals
THANK YOU FOR YOUR ATTENDANCE, PATIENCE AND ATTENTION
47.
Q & A