IdP initiated SAML2 SSO in webLogic - Passing data from IdP to SP

Pushing custom attributes in Custom AttributeStatement (part of SAML assertion, see OASIS SAML2 specification for details), from WebLogic based Identity Provider (IdP) towards a Service Provider (SP) isis not possible in weblogic 10.3.3-). This effectively means that we will not be able to transfer additional user information (for instance email address or some token number) in the form of custom SAML2 attributes in SAML assertion.

Here I describe a workaround where-in we will be able to pass data (that ideally should be in the form of AttributeStatement that goes in the SAML assertion generated at IdP end) from WebLogic IdP towards any SP in IdP initiated SSO.


If we want to send across any information from IdP end to SP end, what we can do is embed that information into the form which is used to hit the initiator servlet. This information should be available through hidden field. Take following JSP page into consideration (in consistent with discussion at Configuring WebLogic IdP initiated SAML2 based SSO ):


"services.jsp"
<html>
<head>
<h2>Services Available</h2>

</head>

<body>

<form method="post" action="http://localhost:27001/saml2/idp/sso/initiator">

<br>Service -1 (at localhost:37001/appB)<br>

<input type="hidden" name="SPName" value="sp1"/>

<input type="hidden" name="RequestURL" value="http://localhost:37001/appB/admin/services.jsp"/>

<input type="hidden" name="acnum" value="<%=session.getAttribute("acnum")%>"/>

<input type="submit" value="submit"/>

</form>

</body>

</html>



Here:

- IdP is running at localhost:27001
- SP is running at localhost:37001


The initiator servlet will get hold of the additional request attribute ("acnum" in above example) and append it to the relayState parameter as a querry parameter. When the post form posts the relay state to ACS, ACS will consume the assertion, get hold of the target URL (=relayState) and redirect the browser to it. Once we land on this URL, all we need is to get the parameter as a normal request parameter (in SP application), like:
request.getParameter("acnum")

The implications of this workaround are:
  1. the additional data will be sent as a query parameter (and not in the response assertion).
  2. HTTP Redirect Binding has to be used instead of post
  3. even if the assertion or response is signed, it will have no effect on query string.

Comments

Post a Comment

Popular posts from this blog

Replacing expired certificates on SSL Server that uses JKS based keystore

Replacing an expired identity certificate in a JKS based keystore is pretty easy stuff, unless you have forgot to keep a backup of your private key. This post discusses the use-case where we don't have a backup copy of the private key outside the JKS keystore, and we wish to replace the expired/going-to-expire identity certificate There are two ways that I know of: Portecle (easy) - this is a tool available out on internet OpenSSL-Keytool combination (lengthy one) I will discuss 2nd one, and would only provide commands (and not discuss each switch as you can always refer relevant product docs for it) 1. Backup the JKS keystore, suppose original is  "keystore.jks" 2. JKS -> PKCS12 conversion (pkcs12 obtained in this step would be run through OpenSSL in next step, to separate the private key from the expired certificates)          keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS
Read more

Giving non-admin users the permission to access MBeans

Sometimes it might be a requirement that a JEE application, deployed on WebLogic, needs an access to MBeans (Server, domain  or custom MBeans). With WebLogic default administrator user and other users who belong to default administrator group “Administrators” such a thing is possible quite easily. However it is not a good practice as the admin credentials would unnecessarily get exposed to application (and it may in-turn have security consequences). So, the question comes up - can we avoid using these admin credentials and instead use appropriate credentials, in our application, based on role access? The answer is yes - this requirement involves working with JMX policies. WebLogic provides a way for creating new as well as modifying existing (default) JMX policies. So what you can do is use the JMX policy editor to grant non-admin user/group a write access to the required MBean. JMX policy editor is described here . Also refer this to enable the JMX policy editor if it i
Read more

Modifying the "supported" attributes of embedded ldap users/groups

Image
WLS Admin console provides limited access to modify the attributes of users and groups that are located in its embedded ldap. This is primarily because embedded ldap is not supposed to hold any application users/groups on a large scale and probably this is one of the reasons why WLS does not provide any dedicated GUI to to modify the user/group attributes inside embedded ldlap. Neverthless, we can store these users/groups and we can modify the attributes as well. There are two approaches: 1) Using an external LDAP browser utility . My favorite as of today is jxplorer . I use such a utility against WLS embedded ldap for various purposes - testing the connectivity, the bind operation, search queries, etc Using such ldap browser utilities against WLS embedded ldap requires one to explicitly open embedded ldap for "outside WLS" access.This involves resetting the password of embedded ldap's super user "Admin" to a known value. Note that when WLS domain is creat
Read more