SAML2 SP-initiated use case with Weblogic 10.3.4.

posted Jul 05, 2011 13:24:31 by uo67113
Hi everybody,

I am implementing this use case. For this I have configured a Weblogic server working as a Service Provider, and I have a third party Identity Provider.

Everything seems to work fine. I have registered a Web application in my server and I have added its URI to the "Redirect Uris" of my "SAML 2.0 Web Single Sign-on Identity Provider Partner's General Properties". Now, when I ask for this application I am redirected to the Identity Provider partner login page.

Now I need to limit the access to just a group of users, so I set up the following access control policies and roles in my Web application:

web.xml
.../...
<!-- Everything under /secure/ is reachable only by callers in the FederatedUsers role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>sample_weblogic_app</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>FederatedUsers</role-name>
  </auth-constraint>
</security-constraint>

<!-- Declares the logical role so the container requires a mapping for it -->
<security-role>
  <role-name>FederatedUsers</role-name>
</security-role>
.../...

weblogic.xml
.../...
<!-- Maps the logical role onto the group the authenticated subject must carry -->
<security-role-assignment>
  <role-name>FederatedUsers</role-name>
  <principal-name>myGroupName</principal-name>
</security-role-assignment>
.../...

When I log in to my Identity Provider I can see that my user really belongs to "myGroupName":

.../...
<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
  .../...
  <AttributeValue>Domain Users</AttributeValue>
  .../...
</Attribute>
.../...

The problem is that I am getting an "Error 403--Forbidden".

In the server log I can see that my user is being authenticated:
<SAMLIALoginModule: login(): User name is 'myUserName@mydomain.com'>

But it seems that the SAMLIALoginModule is not able to get my groups from the assertion:
<SAMLIALoginModule: login(): Got groups: null>

And finally my request is denied by the server:

<SecurityAtz>...<Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(FederatedUsers,Anonymous) -> false>
<urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Esample_weblogic_app@M@OcontextPath@E@Uweblogic_app@M@Ouri@E@Usecure@U@K, 1.0 evaluates to Deny>
<XACML Authorization isAccessAllowed(): returning DENY>
<com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>

I have turned on all the security debug options (http://weblogic-wonders.com/weblogic/2010/11/18/weblogic-server-debug-flags/ thank you very much guys!!!)

Any ideas?

Thanks in advance,

Luis
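The post above shows the two halves of the mapping that have to line up: the IdP sends group membership as a SAML attribute (here under the Name http://schemas.xmlsoap.org/claims/Group), and weblogic.xml expects a principal-name that the authenticated subject must carry. When the SP ends up with no groups at all, the role check is evaluated against Anonymous and the XACML decision is Deny, exactly as the log lines show. The script below is an added diagnostic, not code from the original post or from WebLogic: it parses a SAML 2.0 assertion, lists every attribute name the IdP actually sent, extracts the values under the group attribute and reports whether the principal-name from weblogic.xml is among them. The assertion text is constructed for the example, and the attribute name passed as expected_attr is an assumption standing in for whatever name the SP side has been configured to read; only the Group claim name itself comes from the post.

```python
"""Added diagnostic for the thread above (not code from the original post or
from WebLogic): parse a SAML 2.0 assertion, list the attributes the IdP sent,
extract the values of the group attribute, and compare them with the
principal-name that weblogic.xml maps onto the FederatedUsers role.

Assumptions: the assertion below is constructed, and the expected_attr passed
to diagnose() stands in for whatever attribute name the SP has been told to
read. Run this only on an assertion whose signature has already been verified;
it deliberately does no signature or Conditions checking of its own.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name seen in the post's IdP output.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (not a real capture). Signature and Conditions
# are omitted because only the AttributeStatement is inspected here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2011-07-05T13:24:31Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>myUserName@mydomain.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>myGroupName</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/UPN">
      <saml:AttributeValue>myUserName@mydomain.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(assertion_xml: str) -> Dict[str, List[str]]:
    """Map every attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    found: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.setdefault(name, []).extend(values)
    return found


def groups_from_assertion(assertion_xml: str, group_attr: str = GROUP_CLAIM) -> List[str]:
    """Group values under group_attr; an empty list is the 'no groups' outcome."""
    return attribute_values(assertion_xml).get(group_attr, [])


def role_granted(assertion_xml: str, principal_name: str,
                 group_attr: str = GROUP_CLAIM) -> bool:
    """True when the principal-name from weblogic.xml is one of the asserted groups."""
    return principal_name in groups_from_assertion(assertion_xml, group_attr)


def diagnose(assertion_xml: str, principal_name: str, expected_attr: str) -> Dict[str, object]:
    """Explain why the role mapping would or would not succeed for this assertion."""
    sent = attribute_values(assertion_xml)
    values = sent.get(expected_attr, [])
    if not values:
        verdict = ("no attribute named %r in the assertion; the IdP sent %s"
                   % (expected_attr, sorted(sent)))
    elif principal_name not in values:
        verdict = ("attribute %r is present but %r is not among its values %s"
                   % (expected_attr, principal_name, values))
    else:
        verdict = "ok: %r maps onto the role" % principal_name
    return {
        "attribute_names": sorted(sent),
        "group_values": values,
        "principal_found": principal_name in values,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Names line up: the mapping can succeed.
    print(diagnose(SAMPLE_ASSERTION, "myGroupName", GROUP_CLAIM)["verdict"])
    # Same assertion, but the SP reads a different attribute name: empty groups.
    print(diagnose(SAMPLE_ASSERTION, "myGroupName", "Groups")["verdict"])
```

The second call in the usage block is the case worth looking at when the log says the login module got no groups: the assertion does carry the membership, but under a name the SP is not reading, so the list comes back empty and the role check proceeds as if the caller were anonymous. The first thing to compare is therefore the attribute names the IdP actually emits against the one the SP is configured for, and only then the individual values against the principal-name in weblogic.xml.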
uo67113 said Jul 21, 2011 07:23:22
Hi everybody,

I got an answer in the OTN Discussion Forums, thanks!!!

http://forums.oracle.com/forums/thread.jspa?messageID=9745589#9745589

Thanks and best regards,

Luis
uo67113 said Sep 19, 2011 10:17:28
Hi everybody,

Finally solved, see: https://forums.oracle.com/forums/click.jspa?searchID=-1&messageID=9685014

Best regards,

Luis