oracle / weblogic-deploy-tooling

WebLogic Deploy Tooling
https://oracle.github.io/weblogic-deploy-tooling/
Universal Permissive License v1.0

SAML2IdentityAsserter Identity Provider Partners SSO wdt setup. #1485

Closed brieucolivier closed 1 year ago

brieucolivier commented 1 year ago

We are trying to setup a Web Single Sign-on Identity Provider Partner for our SAML2IdentityAsserter.

We were using this WLST script before to set this up:

# WLST (Jython) script run online against the domain. domainName, partnerMetadataPath,
# partnerName, clientUsername, etc. are set earlier in the script (not shown).
# toBool() and splitAndStrip() are the script's own small helpers; the
# definitions below are the assumed ones so the snippet runs as-is.
def toBool(value):
    return str(value).strip().lower() in ('true', 'yes', '1')

def splitAndStrip(value, sep):
    return [p.strip() for p in value.split(sep) if p.strip()]

mbeanPath = '/SecurityConfiguration/' + domainName + '/Realms/myrealm/AuthenticationProviders/SAML2IdentityAsserter'
print('CDing to mbean : ' + mbeanPath)
cd(mbeanPath)
# Build the partner object from the IdP's SAML metadata file, then fill in
# the settings that the metadata does not carry.
partner = cmo.consumeIdPPartnerMetadata(partnerMetadataPath)
partner.setName(partnerName)
partner.setDescription(partnerDescription)
partner.setEnabled(toBool(partnerEnabled))
partner.setIdentityProviderNameMapperClassname(nameMapperClassName)
partner.setVirtualUserEnabled(toBool(virtualUserEnabled))
partner.setProcessAttributes(toBool(processAttributes))
print('Redirect URIs : <' + redirectUris + '>')
if redirectUris != '[]':
    partner.setRedirectURIs(splitAndStrip(redirectUris, ','))
partner.setWantArtifactRequestSigned(toBool(onlyAcceptSignedAssertions))
partner.setArtifactBindingUsePOSTMethod(toBool(artifactBindingUsePOSTMethod))
partner.setArtifactBindingPostForm(artifactBindingPostForm)
partner.setPostBindingPostForm(postBindingPostForm)
partner.setClientUsername(clientUsername)
partner.setClientPassword(clientPassword)

# Register the configured partner on the SAML2IdentityAsserter.
cmo.addIdPPartner(partner)

So far we were able to have this validated in the model, in the YAML file:

topology:
    Name: test-env01
    AdminServerName: admin-server
    ProductionModeEnabled: true
    NMProperties:
        JavaHome: /u01/jdk
    Cluster:
        test-env01-cluster:
[...]
    Server:
        admin-server:
[...]
    ServerTemplate:
[...]
    SecurityConfiguration:
        NodeManagerUsername: admin
        UseKSSForDemo: true
        Realm:
            myrealm:
                AuthMethods: CLIENT-CERT,BASIC
                AuthenticationProvider:
[...]
                    SAML2IdentityAsserter:
                        SAML2IdentityAsserter: {}

Then in wlsdeploy/security/saml2/ we have the following:
-- The IdP metadata file mock-idp-metadata.xml (the one that was consumed in the WLST code).
-- The saml2idppartner.properties file with the following format:

saml2.idp.partners=WAM-Mock
WAM-Mock.metadata.file=mock-idp-metadata.xml
WAM-Mock.redirectUris=/company1app/target.jsp
WAM-Mock.virtualUserEnabled=true
WAM-Mock.enabled=true
WAM-Mock.description=Company1 IDP Partner
WAM-Mock.processAttributes=false
WAM-Mock.wantAssertionsSigned=false
WAM-Mock.mapperClassname=com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapper

The SAML2IdentityAsserter is correctly generated in the Providers of myrealm, but the Identity Provider Partners are not generated in the Management tab of the SAML2IdentityAsserter.

What would we be missing to add the IdP Partner to the SAML2IdentityAsserter? Is it even possible to set this in version 3.2.2?

Best regards.
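Added example, not part of the issue thread and not WDT or WebLogic code: a small Python checker that reads a saml2idppartner.properties file in the format shown above, groups the `<name>.<key>` entries per partner, inspects the IdP metadata each partner points at, and reports the settings a reviewer would question (unsigned assertions accepted, virtual users enabled, missing metadata or redirect URIs). The key names are taken from the properties file in the post; the defaults applied when a key is absent, the second partner `Partner2`, and the embedded metadata XML are constructed for the example.

```python
# Added example (not from the issue or from WDT/WebLogic). Parses a
# saml2idppartner.properties file in the issue's format, inspects the IdP
# metadata it references, and flags settings worth a second look.
# Key names follow the issue's file; defaults used for absent keys are
# assumptions of this script, not WebLogic's documented defaults.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the issue's WAM-Mock partner plus a hypothetical
# Partner2 that references no metadata file and no redirect URIs.
SAMPLE_PROPERTIES = """\
# constructed sample in the same format as saml2idppartner.properties
saml2.idp.partners=WAM-Mock, Partner2
WAM-Mock.metadata.file=mock-idp-metadata.xml
WAM-Mock.redirectUris=/company1app/target.jsp
WAM-Mock.virtualUserEnabled=true
WAM-Mock.enabled=true
WAM-Mock.description=Company1 IDP Partner
WAM-Mock.processAttributes=false
WAM-Mock.wantAssertionsSigned=false
WAM-Mock.mapperClassname=com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapper
Partner2.enabled=true
Partner2.wantAssertionsSigned=true
"""

# Constructed minimal IdP metadata standing in for mock-idp-metadata.xml.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBxTCCAW6gAwIBAgIJconstructedcertbody</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_bool(value):
    """Same contract as the toBool() helper in the issue's WLST script."""
    return str(value).strip().lower() in ("true", "yes", "1")


def split_and_strip(value, sep=","):
    return [p.strip() for p in value.split(sep) if p.strip()]


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def load_partners(props):
    """Group '<name>.<key>' entries under each name listed in saml2.idp.partners."""
    partners = {}
    for name in split_and_strip(props.get("saml2.idp.partners", "")):
        prefix = name + "."
        partners[name] = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    return partners


def inspect_metadata(xml_text):
    """Extract entityID, number of signing certs and SSO bindings from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    signing, bindings = 0, []
    if idp is not None:
        for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
            # A KeyDescriptor without 'use' applies to both signing and encryption.
            if kd.get("use", "signing") == "signing" and kd.find(f".//{{{DS_NS}}}X509Certificate") is not None:
                signing += 1
        bindings = [s.get("Binding") for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")]
    return {"entity_id": root.get("entityID"), "signing_certs": signing, "sso_bindings": bindings}


def check_partner(name, cfg, metadata_by_file):
    """Return review findings for one partner; an empty list means nothing to flag."""
    findings = []
    md_file = cfg.get("metadata.file")
    if not md_file:
        findings.append("no metadata.file: nothing for consumeIdPPartnerMetadata to build the partner from")
    elif md_file not in metadata_by_file:
        findings.append(f"metadata file {md_file} is not present under wlsdeploy/security/saml2/")
    elif inspect_metadata(metadata_by_file[md_file])["signing_certs"] == 0:
        findings.append("IdP metadata carries no signing certificate, so assertion signatures cannot be verified")
    if not to_bool(cfg.get("wantAssertionsSigned", "true")):  # default assumed here
        findings.append("wantAssertionsSigned=false: unsigned assertions from this IdP will be accepted")
    if to_bool(cfg.get("virtualUserEnabled", "false")):  # default assumed here
        findings.append("virtualUserEnabled=true: subjects unknown to the realm are still logged in as virtual users")
    if not split_and_strip(cfg.get("redirectUris", "")):
        findings.append("no redirectUris: no application path is protected by this partner")
    if not to_bool(cfg.get("enabled", "false")):  # default assumed here
        findings.append("partner is disabled")
    return findings


def review(properties_text, metadata_by_file):
    partners = load_partners(parse_properties(properties_text))
    return {name: check_partner(name, cfg, metadata_by_file) for name, cfg in partners.items()}


if __name__ == "__main__":
    for name, findings in review(SAMPLE_PROPERTIES, {"mock-idp-metadata.xml": SAMPLE_METADATA}).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against the real wlsdeploy/security/saml2/ directory by reading saml2idppartner.properties and each referenced metadata file into the `metadata_by_file` dict. On the sample above it flags WAM-Mock for `wantAssertionsSigned=false` and `virtualUserEnabled=true`, which are the two settings in the post's own file that widen who can be asserted into the realm, and flags Partner2 for the missing metadata file and redirect URIs.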

robertpatrick commented 1 year ago

@brieucolivier You must have a version of WebLogic Server that supports initializing the IdP data at startup for this feature to work (i.e., you will need a patch). WDT is only placing the files for the server to load at startup. Without the patch, WLS will not load the data. Back ports of this new feature should be available in the upcoming October PSUs.

brieucolivier commented 1 year ago

@robertpatrick, thanks for your answer, but I did not understand some parts. We are using WebLogic Server 12.2.1.4.0 (Thu Sep 12 04:04:29 GMT 2019 1974621). Which version would be compatible with what we are trying to achieve? Or what would be the patch to apply?

I am not sure I understood what is upcoming in October. A new patch? A WDT version that would not need this patch/version mentioned above?

Thanks, BR.

robertpatrick commented 1 year ago

@brieucolivier The feature to load SAML2 SP/IdP data at AdminServer startup was added to WebLogic Server 14.1.2 (which is still in development). This new feature is being backported to 12.2.1.4 and 14.1.1 in the yet-to-be-released October 2023 PSU patches. Once those patches become available, you will need to apply that patch and follow the documentation (which will also be updated at that time) for how to leverage this new feature.

WDT simply released support for this yet-to-be-released feature before it was generally available to the public.

brieucolivier commented 1 year ago

@robertpatrick Thanks for the input. I saw the October PSU patches were released, but I cannot find whether or not this support has been introduced. Also, would it be possible to provide a link to the updated documentation? (Mainly for the property names of saml2idppartner.properties.) BR

robertpatrick commented 1 year ago

@mriccell do we have this new SAML2 data initialization feature documented now that the PSU containing the feature is available?

robertpatrick commented 1 year ago

@brieucolivier See https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/wlstg/configuring-saml-single-sign.html#GUID-826AE506-5D74-4892-8CB3-F66C99BF1D5F