I am implementing this use case. For this I have configured a Weblogic server working as a Service Provider, and I have a third party Identity Provider.
Everything seems to work fine. I have registered a Web application in my server and I have added its URI to the "Redirect Uris" of my "SAML 2.0 Web Single Sign-on Identity Provider Partner's General Properties". Now, when I ask for this application I am redirected to the Identity Provider partner login page.
Now I need to limit the access to just a group of users, so I set up the following access control policies and roles in my Web application:
When I log in to my Identity Provider I can see that my user really belongs to "myGroupName":
The problem is that I am getting an "Error 403--Forbidden".
In the server log I can see that my user is being authenticated:
<SAMLIALoginModule: login(): User name is 'myUserName@mydomain.com'>
But it seems that the SAMLIALoginModule is not able to get my groups from the assertion:
<SAMLIALoginModule: login(): Got groups: null>
And finally my request is being denied by the server:
<SecurityAtz>...<Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(FederatedUsers,Anonymous) -> false>
<urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Esample_weblogic_app@M@OcontextPath@E@Uweblogic_app@M@Ouri@E@Usecure@U@K, 1.0 evaluates to Deny>
<XACML Authorization isAccessAllowed(): returning DENY>
<com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
I have turned on all the security debug options (http://weblogic-wonders.com/weblogic/2010/11/18/weblogic-server-debug-flags/
thank you very much guys!!!)
Thanks in advance,
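Added example, not part of the original post: a small Python script that pulls the subject NameID and any group attribute out of a captured SAML 2.0 Response, so you can check whether the Identity Provider is actually sending group membership in the assertion before digging further into the WebLogic side. The attribute name "Groups" and both sample responses are constructed assumptions; substitute the attribute name your IdP is configured to emit.

```python
"""Inspect a captured SAML 2.0 Response for what an SP-side identity
assertion needs: the subject NameID and a group attribute."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not from the original post): IdP sends groups.
WITH_GROUPS = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>myUserName@mydomain.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>myGroupName</saml:AttributeValue>
        <saml:AttributeValue>otherGroup</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: same subject, but no AttributeStatement at all.
WITHOUT_GROUPS = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>myUserName@mydomain.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(form_value: str) -> bytes:
    """Decode the base64 SAMLResponse form parameter of the HTTP-POST binding."""
    return base64.b64decode(form_value)


def inspect_response(response_xml: bytes, group_attribute: str = "Groups") -> dict:
    """Return the subject, all attributes, and the group attribute's values.
    'groups' is None when the attribute is absent, which is the situation
    behind a "Got groups: null" log line. The attribute name is an assumption."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "subject": name_id.text if name_id is not None else None,
        "attributes": attributes,
        "groups": attributes.get(group_attribute),
    }
```

If the script reports `groups` as None for a real response, the fix belongs on the IdP (release the group attribute) or in the SP-side attribute mapping, not in the Web application's security constraints.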