Configure SAML 2 for SSO with Oracle BAM Dashboard

Introduction

In a recent customer POC, there was a requirement for SSO between an OBIEE dashboard and an Oracle BAM dashboard. SAML is a potential candidate for this kind of point-to-point SSO. After some googling, I was able to find blogs on configuring SAML 1.1 SSO by Vikrant Sawant and SAML 2.0 SSO by Puneeth, but nothing covering BAM. So, with the guidance of those blogs, I started my own tests with BAM. After several trial-and-error attempts, I managed to get SAML 2.0 SSO working between a simple web application, deployed in one WLS domain acting as the identity provider, and a BAM dashboard in a different domain acting as the service provider.

This article documents the key configuration steps I performed in my tests to make SAML 2.0 SSO work properly. I skipped details in some steps to keep this article concise; you should be able to find how-to instructions online easily if you don't know how to perform these steps.


Create a Simple WLS Domain (wlsdomain1)

In my case, it is on localhost:7001.

Create a BAM Domain (bamdomain)

In my case, it is on localhost:7201.

Create Two Key Pairs in Two Custom Key Stores

One for each domain. They need to be configured in the WLS console.

Create Two Custom Trust Stores

One for each domain. The wlsdomain1 trust store should contain the certificate exported from the bamdomain key store, and vice versa. This is only necessary if HTTPS is used; in this test, only HTTP is used.

Configure the trust store in the WLS console and restart all servers.

Create testuser in Both Domains

In bamdomain, add testuser to the groups BAMContentViewer and BAMUsers.

Create a BAM Project and a Dashboard

Log in to BAM Composer as a BAM administrator (weblogic). Create a BAM project named “TestProject”. Add the necessary artifacts such as data objects, business queries and business views. Finally, create a BAM dashboard named “TestDashboard”.

Deploy mywebapp1 to wlsdomain1

Edit the JSP files to make sure the host names and port numbers reflect your own environment. Test mywebapp1 (http://hostname:port/mywebapp1/index.jsp) with testuser.

The JSP page admin/services.jsp has links to the BAM Composer home page and to the BAM dashboard “TestDashboard” in the BAM project “TestProject”. If you click a link now, you will be prompted with a BAM login page, so there is no SSO at this point.

Configure Identity Provider in wlsdomain1

Create a SAML2CredentialMapper provider and Restart wlsdomain1

Complete SAML2CredentialMapper Provider Specific Configuration

[Screenshot: SAML2CredentialMapper provider-specific configuration]

Configure SAML 2.0 Identity Provider

Environment -> Servers -> AdminServer -> Configuration Tab -> Federation Services Tab -> SAML 2.0 Identity Provider Tab

Make sure “Enabled” is checked and “Preferred Binding” is POST.

[Screenshot: Federation Services, SAML 2.0 Identity Provider configuration]

Configure SAML 2.0 General Attributes

Environment -> Servers -> AdminServer -> Configuration Tab -> Federation Services Tab -> SAML 2.0 General Tab

[Screenshots: Federation Services, SAML 2.0 General configuration on the identity provider (two pages)]

Save and Publish Meta Data

Name the published file as idp-metadata.xml. This file will be imported into the service provider domain (bamdomain) in later steps.


Configure Service Provider in bamdomain


Create a SAML2IdentityAsserter and Restart bamdomain

There is no provider specific configuration required.

Configure SAML 2.0 Service Provider

Environment -> Servers -> AdminServer -> Configuration Tab -> Federation Services Tab -> SAML 2.0 Service Provider Tab

Make sure “Enabled” is checked and “Preferred Binding” is POST.

[Screenshot: Federation Services, SAML 2.0 Service Provider configuration]

Configure SAML 2.0 General

Environment -> Servers -> AdminServer -> Configuration Tab -> Federation Services Tab -> SAML 2.0 General Tab

[Screenshots: Federation Services, SAML 2.0 General configuration on the service provider (two pages)]

Save and Publish Meta Data

Name the published file as sp-metadata.xml. This file will be imported into the identity provider domain (wlsdomain1) in later steps.
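Both sides publish a metadata file here (idp-metadata.xml above, sp-metadata.xml in this step) that the other domain imports as a partner. The following is an added example, not code from the article, WebLogic or Oracle BAM: it parses a SAML 2.0 metadata document with the standard library and checks the things the configuration above depends on before the file is imported, namely an entityID, an endpoint offering the HTTP-POST binding (both sides are set to Preferred Binding POST) and a published signing certificate. The two metadata documents in the block are constructed; the entity IDs, URLs and certificate bytes are placeholders, not values from the article.

```python
"""Pre-import checks on SAML 2.0 partner metadata (added example, not the article's code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for a certificate: base64 of the bytes b"constructed-cert",
# not a real DER certificate.
FAKE_CERT = "Y29uc3RydWN0ZWQtY2VydA=="

# Constructed IdP metadata in the shape WebLogic publishes for wlsdomain1 (placeholder host names).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://idp.example:7001/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="http://idp.example:7001/saml2/idp/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example:7001/saml2/idp/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata for bamdomain (placeholder host names).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://sp.example:7201/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="http://sp.example:7201/saml2/sp/acs/post" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Extract role, entityID, endpoints and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    role, desc = "idp", root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        role, desc = "sp", root.find("md:SPSSODescriptor", NS)
    if desc is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    endpoint_tag = "md:SingleSignOnService" if role == "idp" else "md:AssertionConsumerService"
    fingerprints = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())  # compare against the partner out of band
    return {
        "role": role,
        "entity_id": root.get("entityID"),
        "endpoints": [(e.get("Binding"), e.get("Location")) for e in desc.findall(endpoint_tag, NS)],
        "signing_cert_sha256": fingerprints,
    }


def check_partner_metadata(xml_text):
    """Return {'errors': [...], 'warnings': [...]}; import the file only when errors is empty."""
    md = parse_metadata(xml_text)
    errors, warnings = [], []
    if not md["entity_id"]:
        errors.append("missing entityID")
    if not any(binding == POST_BINDING for binding, _ in md["endpoints"]):
        errors.append(f"no HTTP-POST endpoint in {md['role']} metadata; the POST binding needs one")
    if not md["signing_cert_sha256"]:
        errors.append("no signing certificate published; signed SAML messages cannot be verified")
    for _, location in md["endpoints"]:
        if location.startswith("http://"):
            warnings.append(f"{location} is plain HTTP (acceptable for this lab, not for production)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for name, doc in (("idp-metadata.xml", IDP_METADATA), ("sp-metadata.xml", SP_METADATA)):
        print(name, check_partner_metadata(doc))
```

The fingerprint list is there so the certificate you are about to trust can be compared with what the other domain's administrator reads out of their key store; a metadata file fetched over plain HTTP, as in this lab, can otherwise be swapped without anyone noticing.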

Import sp-metadata.xml into Identity Provider wlsdomain1

Security Realms -> myrealm -> Providers -> TestSAML2CredentialMapper -> Management Tab

New Button -> New Web Single Sign-On Service Provider Partner

Import the sp-metadata.xml file

Click the partner name and check “Enabled”. No need to change anything else.

[Screenshot: service provider partner as configured on the identity provider]

Import idp-metadata.xml into Service Provider bamdomain

Security Realms -> myrealm -> Providers -> BamSpSAML2IdentityAsserter -> Management Tab

New Button -> New Web Single Sign-On Identity Provider Partner

Import the idp-metadata.xml file

Click the partner name and check “Enabled”.

Add all URIs you want SSO configured for to the “Redirect URIs” field. Whenever the service provider domain (bamdomain) receives a request for any of the URIs in this field, it will initiate the SAML 2.0 handshake with the identity provider domain (wlsdomain1).

[Screenshot: identity provider partner as configured on the service provider, including the Redirect URIs field]
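The handshake the previous step triggers ends with the identity provider POSTing a SAML Response to the service provider's assertion consumer service, and the service provider has to check that response against its own configuration before it asserts the user. The block below is an added example, not code from the article, WebLogic or Oracle BAM: it models the two service-provider decisions on the SP side, whether a request path falls under the Redirect URIs (this example treats a trailing "/*" as a path prefix, which is an assumption about the console field) and whether a received response is acceptable (destination, status, issuer, InResponseTo, validity window with clock skew, audience, bearer confirmation, and replay of an assertion). XML-Signature verification is left out because the platform does it. The response, entity IDs, URLs and user name are constructed placeholders.

```python
"""Service-provider side of the SAML 2.0 web SSO handshake (added example, not the article's code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
IDP_ID, SP_ID = "http://idp.example:7001/saml2", "http://sp.example:7201/saml2"  # placeholders
ACS_URL = "http://sp.example:7201/saml2/sp/acs/post"                            # placeholder
NOW = datetime(2020, 1, 1, 10, 1, tzinfo=timezone.utc)  # fixed clock for the worked example

# Constructed response as the IdP would POST it back after testuser logged in there.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" InResponseTo="_req42" IssueInstant="2020-01-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2020-01-01T10:00:00Z">
    <saml:Issuer>{IDP_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>testuser</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
            NotOnOrAfter="2020-01-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T09:59:00Z" NotOnOrAfter="2020-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def needs_sso(request_path, redirect_uris):
    """True if the path is one the SP should start the handshake for (exact or '/*' prefix match)."""
    for pattern in redirect_uris:
        if pattern.endswith("/*"):
            if request_path == pattern[:-2] or request_path.startswith(pattern[:-1]):
                return True
        elif request_path == pattern:
            return True
    return False


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, outstanding_requests, seen_assertion_ids, now, skew=timedelta(minutes=2)):
    """Return (name_id, failures); name_id is None unless failures is empty."""
    failures, resp = [], ET.fromstring(xml_text)
    if resp.get("Destination") != ACS_URL:
        failures.append("Destination is not this SP's ACS URL")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        failures.append("status is not Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, failures + ["expected exactly one assertion"]
    assertion = assertions[0]
    for el in (resp, assertion):
        issuer = el.find("saml:Issuer", NS)
        if issuer is None or issuer.text != IDP_ID:
            failures.append("issuer is not the configured IdP partner")
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding_requests:
        failures.append("InResponseTo matches no outstanding AuthnRequest")
    if assertion.get("ID") in seen_assertion_ids:
        failures.append("assertion ID already consumed (replay)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        failures.append("assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb) - skew) or (noa and now >= _ts(noa) + skew):
            failures.append("assertion is outside its validity window")
        if SP_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            failures.append("this SP is not in the AudienceRestriction")
    confirmed = False  # a bearer confirmation must name this ACS, this request and a future expiry
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if (data.get("Recipient") == ACS_URL and data.get("InResponseTo") == req_id
                and expiry and now < _ts(expiry) + skew):
            confirmed = True
    if not confirmed:
        failures.append("no bearer SubjectConfirmation for this ACS, request and time")
    if failures:
        return None, failures
    outstanding_requests.discard(req_id)          # one response per AuthnRequest
    seen_assertion_ids.add(assertion.get("ID"))   # never accept the same assertion twice
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return (name_id.text if name_id is not None else None), failures


def demo():
    """Happy path, then the same response presented again, then the same response half an hour late."""
    outstanding, seen = {"_req42"}, set()
    first = validate_response(SAML_RESPONSE, outstanding_requests=outstanding, seen_assertion_ids=seen, now=NOW)
    replay = validate_response(SAML_RESPONSE, outstanding_requests=outstanding, seen_assertion_ids=seen, now=NOW)
    stale = validate_response(SAML_RESPONSE, outstanding_requests={"_req42"}, seen_assertion_ids=set(),
                              now=NOW + timedelta(minutes=30))
    return first, replay, stale


if __name__ == "__main__":
    print(needs_sso("/bam/composer/faces/login", ["/bam/composer/*"]))
    for label, result in zip(("first", "replay", "stale"), demo()):
        print(label, result)
```

The two bookkeeping sets are what make the checks meaningful: without the outstanding-request set any response with a well-formed InResponseTo would be accepted, and without the consumed-assertion set a captured response could be presented again inside its validity window.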

Restart wlsdomain1 and bamdomain

Test SSO

http://hostname:port/mywebapp1/index.jsp

Log in as testuser.

Click one of the two BAM links.


Good luck in your own trials.
