SSO With APEX and ADFS the weblogic way
makker_nl
My presentation for the July 2019 UK OUG Southern Tech Summit
1.
DARWIN IT-PROFESSIONALS: IT Driven Evolution
Single Sign-On with Apex and ADFS the WebLogic Way
Martien van den Akker, 2019
2.
Who I am
martien.van.den.akker@darwin-it.nl
@Makker_nl
copyright ©2019 Darwin IT-Professionals B.V.
3.
Agenda
• Introduction
• Architecture
• Prerequisites
• Steps
• Tips, Tricks and Thoughts
4.
INTRODUCTION
5.
Introduction: Why?
• Projects
  – WebLogic and SurfConext using SAML2.0 (2014 on 11g, and 2017 on 12c)
  – Apex and ADFS, using WebLogic/ORDS and SAML2.0 (2017 & 2018)
• SAML2.0 allows for Single Sign On in Federated environments
6.
Security Assertion Markup Language (SAML)
• SAML: XML based standard for the exchange of authentication and authorization data between parties:
  – Identity Provider, e.g. SurfConext or ADFS
  – Service Provider
• The IdP sends Security Assertions to the SP that contain information such as:
  – Is the principal authenticated?
  – What roles does the principal have?
• SAML 2.0 became an OASIS Standard in March 2005
• WebLogic 11g+ has proper, but basic, support for SAML1 and 2.0
7.
SAML and WebLogic
• SAML between WebLogic and ADFS works schematically as follows (diagram; the sequence is reconstructed from its labels):
  Service Provider (WebLogic Server): WebLogic Security Service, Assertion Consumer Service, Protected Resource (ORDS)
  Identity Provider (ADFS): Security Service, Single Sign-On Service
  1 Browser: user requests page
  2 No token detected
  3 User redirected to the IdP
  4 Login page
  5 User submits login
  6 ADFS provides a SAML 2.0 token
  7 Requested page returned
8.
Authentication vs. Authorisation
• Authentication: process to identify the user -> Who is this user?
• Authorisation: process to determine the access rights of the identified user -> Is this user allowed to access this page?
• APEX supports several authentication schemes:
  – Application Express Accounts
  – Custom Authentication
  – Database Accounts
  – HTTP Header Variable
  – LDAP Directory Verification
  – No Authentication (using DAD)
  – Open Door Credentials
  – Oracle Application Server SSO Server
  – Social sign in (since 18.1)
  (Callout: allows for authentication outside of Apex: sounds great!)
• WebLogic adds authentication capabilities to Apex
9.
Introduction: What is ORDS?
• Oracle REST Data Services (ORDS)
  – Develop REST interfaces for relational data in the Oracle Database
  – Maps HTTP(S) verbs (GET, POST, PUT, DELETE) to DB transactions, returning JSON
  – Included with Oracle Database and SQL Developer
• Supported to run in
  – WebLogic
  – Tomcat
  – Glassfish
  – Or as a stand-alone application with Jetty in embedded mode
• Can function as ‘Apex Listener’
10.
Apex Authorisation
• Apex authorisation is strictly separated from authentication
• For authorisation the application must map users or roles to page grants
• Therefore the application needs to ‘know’ the users and/or roles
11.
Agenda (section divider): Introduction, Architecture, Prerequisites, Steps, Tips, Tricks and Thoughts
12.
ARCHITECTURE: LAYOUT OHS, WEBLOGIC, ORDS, APEX AND ADFS
13.
Simple Architecture (diagram)
• Internet: Browser
• Firewall
• DeMilitarized Zone: Oracle HTTP Server 12c (Reversed Proxy)
• Firewall
• Data Center: ORDS (FKA Apex Listener; standalone or on an AppServer) and the Oracle 12c Database with APEX
14.
More ‘Enterprise-like’ Architecture (diagram)
• Internet: Browser
• Firewall
• DeMilitarized Zone: Oracle HTTP Server 12c (Reversed Proxy)
• Firewall
• Data Center: WebLogic 12c Service Provider running ORDS, WebLogic 12c AdminServer, Oracle 12c Database with APEX, Apex User Directory
• Microsoft Active Directory Federation Services, connected via SAML 2.0
15.
Agenda (section divider): Introduction, Architecture, Prerequisites, Steps, Tips, Tricks and Thoughts
16.
PREREQUISITES FOR SAML2.0 BASED AUTHENTICATION WITH APEX+WLS+ADFS
17.
Prerequisites
• Certificates for the Reversed Proxy and WebLogic
  – Think about the CN/host names and possible Subject Alternative Names
  – WebLogic expects a Keystore; generate the CSR from the Keystore
  – Auto-login wallet (first create a JKS and import it into the wallet)
• DNS configuration for the CN and SANs
• It helps if the Reverse Proxy server can reach the WebLogic server and vice versa
• Firewall and network configuration done properly
• Access from the Internet
18.
Ingredients
• A working APEX installation/application
• A reversed proxy with the WebLogic Proxy plugin, preferably Oracle HTTP Server, but Apache and IIS will do
• WebLogic 12c
• ORDS
• ADFS configured (and supported…)
• A certificate signing procedure
19.
Agenda (section divider): Introduction, Architecture, Prerequisites, Steps, Tips, Tricks and Thoughts
20.
INSTALLATION AND CONFIGURATION STEPS
21.
Installation and Configuration steps
1: Install and configure software (WebLogic, OHS, etc.)
2: Create & sign Certificates for OHS and WebLogic
3: Modify and deploy ords.war to WebLogic
4: Add SAML2 Identity Asserter
5: Configure SAML2 Service Provider
6: Configure SAML2.0 General
7: Create SSO IdP
8: Identity Mapper
9: Set Apex Authentication Scheme
(Steps 4 to 8 are the WebLogic SAML2 configuration)
22.
Step 1a: Install software
• Install OHS 12c on the Reversed Proxy Server
  – Configure OHS 12c Standalone Domain
  – Configure “Nodemanager as a Service”
  – Create Start & Stop scripts
• Install WebLogic 12c on the Application Server Host
  – Configure Domain
  – Configure “Nodemanager as a Service”
  – Create Start & Stop scripts
23.
Step 1b: Install ORDS
• Install ORDS 3.0.9+ (currently 19.1) on the WebLogic Host
  – Perform an in-place install, following the wizards, using one of:
      java -jar ords.war install
      java -jar ords.war install advanced
  – This creates database connection configuration files. No datasources on WLS are used…
  – Copy the apex images to an images folder in the ORDS home
  – Create an i.war using:
      java -jar ords.war static <ords directory>images
  – i.war is a simple webapp that creates a folder mapping for WebLogic and Glassfish
24.
Step 2: Create Certificates
• Create Certificate Signing Requests for OHS and WLS
  – Keystore for WLS and another one as base for the OHS wallet
• Have the Certificates signed
• Import Root Certificates and Certificates
• Create a Truststore with Roots and Public Keys
• Set Custom Identity and Trust Keystores in WLS
• Use ORAPKI to create an auto_login wallet in:
    ${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
  (Convenient: already configured in ssl.conf)
• Import the OHS keystore into the wallet
25.
Step 3a: Modify ords.war
• ORDS (ords.war) doesn’t do authentication: normally Apex does it by itself
• But ords.war needs to hand it over to WebLogic
• To do so, web.xml and weblogic.xml need to be adapted:
  – <security-constraint> on <url-pattern>/f/*</url-pattern>
  – <auth-method> BASIC on <realm-name> myrealm
  – <security-role> <role-name> Anonymous, with role assignment in weblogic.xml
• Repackage ords.war with the updated descriptors
26.
Step 3a: web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>These pages are only accessible by authorized users.</description>
    <url-pattern>/f/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access.</description>
    <role-name>Anonymous</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>This is how the user data must be transmitted.</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>
<security-role>
  <role-name>Anonymous</role-name>
</security-role>
27.
Step 3a: weblogic.xml
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.6/weblogic-web-app.xsd">
  <!-- Weblogic 12c -->
  <container-descriptor>
    <prefer-web-inf-classes>true</prefer-web-inf-classes>
  </container-descriptor>
  <session-descriptor>
    <persistent-store-type>replicated_if_clustered</persistent-store-type>
  </session-descriptor>
  <security-role-assignment>
    <!--<role-name>valid-users</role-name> -->
    <role-name>Anonymous</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
  <context-root>/ords</context-root>
</weblogic-web-app>
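The two descriptors above are what hand authentication of /f/* over to the WebLogic realm, and a missing role mapping or a wrong url-pattern silently breaks the SSO redirect. The lint below is an added example, not code from the deck or from ORDS: it parses a web.xml/weblogic.xml pair and checks for exactly the settings the slides call for (a security-constraint covering /f/*, BASIC on myrealm, the Anonymous role both declared and mapped to a principal). It embeds constructed copies of the slide's descriptors as sample input, assumes the pattern /f/* and realm myrealm from the slides, and reports transport-guarantee NONE as informational because with that setting TLS has to be enforced by the reversed proxy in front of WebLogic.

```python
"""Lint the ords.war descriptors for the container-managed-auth settings
the deck calls for. Sample descriptors below are constructed copies of the
slides (web.xml wrapped in a root element, weblogic.xml reduced to the
elements that matter)."""
import xml.etree.ElementTree as ET

WL_NS = "{http://xmlns.oracle.com/weblogic/weblogic-web-app}"

# Constructed sample: the web.xml fragment from the slide, wrapped in <web-app>
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/f/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Anonymous</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
    <role-name>Anonymous</role-name>
  </security-role>
</web-app>"""

# Constructed sample: the weblogic.xml from the slide, reduced to the relevant elements
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>Anonymous</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
  <context-root>/ords</context-root>
</weblogic-web-app>"""


def lint_descriptors(web_xml, weblogic_xml, protected_pattern="/f/*"):
    """Return a list of (level, message) findings; only 'info' findings means the
    descriptors hand authentication over to WebLogic as the deck describes."""
    findings = []
    web = ET.fromstring(web_xml)
    wl = ET.fromstring(weblogic_xml)

    # 1. The APEX entry point must sit under a <security-constraint>; otherwise
    #    WebLogic never challenges the request and no SAML redirect happens.
    constraints = list(web.iter("security-constraint"))
    covered = {p.text.strip() for c in constraints for p in c.iter("url-pattern")}
    if protected_pattern not in covered:
        findings.append(("error", f"no <security-constraint> covers {protected_pattern}"))

    # 2. <login-config> must delegate to the WebLogic realm (BASIC on myrealm).
    login = web.find("login-config")
    method = login.findtext("auth-method", "").strip() if login is not None else ""
    realm = login.findtext("realm-name", "").strip() if login is not None else ""
    if method != "BASIC" or realm != "myrealm":
        findings.append(("error", f"login-config must be BASIC on myrealm, found {method!r} on {realm!r}"))

    # 3. Every role an <auth-constraint> requires must be declared in web.xml and
    #    mapped to a principal in weblogic.xml; an unmapped role locks everyone out.
    required = {n.text.strip() for c in constraints for n in c.iter("role-name")}
    declared = {r.findtext("role-name", "").strip() for r in web.iter("security-role")}
    mapped = {a.findtext(WL_NS + "role-name", "").strip()
              for a in wl.iter(WL_NS + "security-role-assignment")}
    for role in sorted(required):
        if role not in declared:
            findings.append(("error", f"role {role!r} is required but not declared as a <security-role>"))
        if role not in mapped:
            findings.append(("error", f"role {role!r} has no <security-role-assignment> in weblogic.xml"))

    # 4. transport-guarantee NONE is what the deck uses; it is only acceptable when
    #    TLS is terminated in front of WebLogic (the reversed proxy), so report it.
    for tg in web.iter("transport-guarantee"):
        if (tg.text or "").strip() == "NONE":
            findings.append(("info", "transport-guarantee is NONE: TLS is enforced by the reversed proxy, not by WebLogic"))
    return findings


if __name__ == "__main__":
    for level, msg in lint_descriptors(WEB_XML, WEBLOGIC_XML):
        print(f"{level}: {msg}")
```

Run against the slide's descriptors the lint reports only the informational transport-guarantee finding; renaming the role in weblogic.xml or changing the url-pattern produces an error finding, which is the failure mode you would otherwise only notice as a missing login redirect.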
28.
Step 3b: Deploy ords.war and i.war to WLS
• Install ords.war and i.war as an application, using Custom Roles
29.
Step 4: Add SAML2 Identity Asserter
• Add a SAML2IdentityAsserter
• Bounce the Domain (Admin + SP Server)
• This enables the Federation Services tabs in the Server Config
30.
Step 5: Configure SAML2 Service Provider
• On the Managed Server
  – Check ‘Enabled’
  – Preferred Binding: POST
  – Default URL: accessible URL
31.
Step 6a: Configure SAML2.0 General
• Fill in the contact properties
• Published Site URL: WebLogic expects /saml2 as URI
  – Servlet to listen for Assertions from the IdP
• EntityID: ADFS expects a connectable URL
• Recipient Check Enabled: uncheck
• Provide SSO Key Alias and Passphrase from the JKS
32.
Step 6b: Publish SAML Metadata
• Restart the Server
• Publish Meta Data
  – WebLogic saves this as an xml file
  – Save it with a standard filename to a standard folder
  – Create and deploy SamlMetaData.war based on i.war with a folder mapping
  – Provide the resulting URL (folder mapping + MetaData file name) to ADFS
https://blog.darwin-it.nl/2018/02/weblogic-12c-saml2-publish-your.html
33.
Step 7: Create SSO IdP
• Navigate to the SAML2IdentityAsserter
• Create a “Web Single Sign-On Identity Provider Partner”
• Remove the SP parts from the ADFS Metadata file (see blog)
• Import the resulting file
34.
Step 7b: Edit SSO IdP
Edit the created SAML_SSO_ADFS
• Enable it
• Provide a description
• And provide a redirect URL
  – For APEX this should be /ords/f
35.
Step 8: Identity Mapper
• The identity of the principal needs to be filtered from the SAML Token
• This is done using an Identity Mapper
• Deploy the WLSSamlIdentityMapper.jar file in ${DOMAIN_HOME}/lib
• Add it to the classpath in setUserOverrides.sh/.cmd (bounce domain!)
• Set it on the class in the SAML_SSO_ADFS IdP
https://blog.darwin-it.nl/2017/05/single-sign-on-for-apex-with-adfs-with.html
36.
Step 9: Set Apex Authentication Scheme
• In Apex set the Authentication Scheme to Header Variable
(Screenshot residue: steps 1, 2, 3 and the scheme's ‘After Login’ settings)
37.
Final considerations
• WebLogic needs to know that it is (reversed) proxied
  – Set WebLogic Proxy Plugin to yes
  – Also set frontend host/port
• In OHS use PathTrim/PathPrepend to get ‘nice URLs’:
  – add /ords/f in the URL
  – Redirect something like /MyServiceAppSaml2 to /saml2 (WebLogic listens on /saml2 for Assertions, see Published Site URL)
38.
Agenda (section divider): Introduction, Architecture, Prerequisites, Steps, Tips, Tricks and Thoughts
39.
TIPS, TRICKS AND THOUGHTS
40.
Thoughts about Certificates
• I prefer using a Java Keystore also as the base for the wallet
  – WebLogic expects a Keystore, OHS a wallet that can be created from a JKS
  – A JKS expects key pairs: private keys can’t be imported just like that
  – Create the CSR from the JKS and have that signed: assures importability
• MS ADFS brings you to the Windows world: people may be surprised that things aren’t “that obvious” in the Java world
• Certificates as delivered can’t always be imported easily into a JKS: you have to use tools like Keytool, ORAPKI and OpenSSL
41.
Wallet
• Default location:
    ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default
• Pre 12.2.1.3 it can be placed in the FMW home, for instance
• OHS 12.2.1.3 apparently expects it in the default location, for instance:
    ${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
42.
WebLogic and ADFS
• Pre 12.2.1.3 WebLogic apparently had difficulties with SHA-256 signed Assertions. ADFS was configured to use SHA-1.
• This has been solved in 12.2.1.3, so ADFS SHA-256 is ok now
• Make sure ADFS provides the right ‘Claims’ in the token:
  – urn:mace:dir:attribute-def:uid
  – NameID (expected by WebLogic)
  – May need to test and adapt the IdentityMapper class for your situation
• ADFS expects TLS v1.0, OHS defaults to TLSv1.2, so adapt ssl.conf:
    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
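To make the Claims and NameID points above, the Identity Mapper of step 8, the "Recipient Check Enabled: uncheck" setting of step 6a and the SHA-1 versus SHA-256 remark concrete, here is an added example; it is not code from the deck nor from the WLSSamlIdentityMapper.jar it refers to. It extracts the principal from a SAML 2.0 assertion the way an identity mapper does (NameID plus the urn:mace:dir:attribute-def:uid attribute) and checks the assertion's Conditions, Recipient and signature algorithm. It does not verify the XML signature; that remains WebLogic's job. The assertion, hosts, timestamps and the ACS path /sp/acs/post appended to the Published Site URL are constructed assumptions.

```python
"""Extract the principal from a SAML 2.0 assertion and check its Conditions,
Recipient and signature algorithm. Signature verification itself is left to
the SP (WebLogic); this only shows what the claim checks compare."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
UID_ATTR = "urn:mace:dir:attribute-def:uid"   # the claim named on the slide

# Constructed sample assertion; hosts, ID and times are made up. The Recipient
# is the ACS URL the SP expects: Published Site URL + /sp/acs/post (assumption).
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0"
    IssueInstant="2019-07-01T10:00:00Z">
  <saml2:Issuer>http://adfs.example.com/adfs/services/trust</saml2:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml2:Subject>
    <saml2:NameID>jdoe</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2019-07-01T10:05:00Z"
          Recipient="https://apex.example.com/saml2/sp/acs/post"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2019-07-01T09:59:00Z" NotOnOrAfter="2019-07-01T10:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://apex.example.com/saml2</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
      <saml2:AttributeValue>jdoe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_ts(value):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_identity(assertion_xml):
    """What an identity mapper pulls out of the token: NameID plus the uid attribute."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(f"{SAML}Subject/{SAML}NameID")
    uid = None
    for attr in root.iter(f"{SAML}Attribute"):
        if attr.get("Name") == UID_ATTR:
            uid = attr.findtext(f"{SAML}AttributeValue")
    return {"NameID": name_id, "uid": uid}


def validate_assertion(assertion_xml, expected_audience, expected_recipient, now,
                       check_recipient=True):
    """Return the reasons the SP should reject the assertion (empty list = accept)."""
    root = ET.fromstring(assertion_xml)
    problems = []

    cond = root.find(f"{SAML}Conditions")
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.iter(f"{SAML}Audience")]
        if expected_audience not in audiences:   # must equal the SP's EntityID
            problems.append(f"audience mismatch: {audiences}")

    # The Recipient check binds the token to the ACS URL the SP computes for itself.
    # Behind a reversed proxy that computed URL can differ from the public URL ADFS
    # put in the token; that is why the deck unchecks the setting. Unchecking drops
    # this binding, so (my recommendation) make the Published Site URL match instead.
    scd = root.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if check_recipient:
        recipient = scd.get("Recipient") if scd is not None else None
        if recipient != expected_recipient:
            problems.append(f"recipient mismatch: {recipient}")
    if scd is not None and scd.get("NotOnOrAfter") and now >= parse_ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation expired")

    # Flag the SHA-1 signing the slide mentions for pre-12.2.1.3 setups.
    sig = root.find(f".//{DS}SignatureMethod")
    if sig is not None and sig.get("Algorithm", "").endswith("sha1"):
        problems.append("assertion signed with SHA-1")
    return problems


if __name__ == "__main__":
    now = parse_ts("2019-07-01T10:01:00Z")
    print(extract_identity(ASSERTION))
    print(validate_assertion(ASSERTION, "https://apex.example.com/saml2",
                             "https://apex.example.com/saml2/sp/acs/post", now))
```

Calling validate_assertion with the internal WebLogic URL as expected recipient reproduces the failure the deck works around: the token carries the public ACS URL, so the Recipient check fails until either the check is disabled or the SP's published URL matches the proxy's.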
43.
Special OHS Routings: Extra Requirement
(diagram slide)
44.
Special OHS Routings: VirtualHost
• Customer required that requests from http://portal.customer.nl should route to WebLogic/SSO, but all other routes to Tomcat.
• VirtualHost definition in ssl.conf, so you can’t select on server name.
• SNI: Server Name Indication could help. Apache supports SNI since 2.2.12. Oracle HTTP 12.2.1.3 is based on Apache 4.5
• But, in this case a deployment plan is used to redeploy ORDS in WebLogic on another context-root (apex instead of ords). Then route on the basis of the URI.
https://en.wikipedia.org/wiki/Server_Name_Indication
https://docs.oracle.com/middleware/1221/webtier/administer-ohs/whats_new.htm#CHDJJAEC
45.
Links
• My first blog on WebLogic 11g and SAML2
  – https://blog.darwin-it.nl/2014/04/service-provider-initiated-sso-on.html
• Apex, ORDS & ADFS findings on SAML2 and WebLogic 12c:
  – http://blog.darwin-it.nl/2017/05/single-sign-on-for-apex-with-adfs-with.html
• How to redirect URLs for the /saml2 Servlet and /ords/f URIs
  – http://blog.darwin-it.nl/2017/05/http-server-redirects-for-WebLogic-12c.html
• URL Rewrite to have a ‘nice’ application URL (without /ords/f)
  – http://blog.darwin-it.nl/2017/06/ohs-url-rewrite.html
• A basic one on WebLogic and ADFS
  – https://blogs.oracle.com/blogbypuneeth/steps-to-configure-saml-sso-with-adfs-as-idp-and-WebLogic-server-as-sp
• Publish metadata over URL
  – https://blog.darwin-it.nl/2018/02/weblogic-12c-saml2-publish-your.html
• About WebLogic and SHA-1/SHA-256 signing of SAML requests/responses
  – https://blog.darwin-it.nl/2019/06/weblogic-12213-signs-saml2-requests-and.html
46.
THANK YOU FOR YOUR ATTENDANCE, PATIENCE AND ATTENTION
47.
Q & A