Front-ending a SAML Service Provider with OHS

This is a follow-up to one of my previous posts titled Integrating OBIEE 11g into Weblogic’s SAML SSO, where I mention the following when configuring the Service Provider:

The Published Site URL field value is the base URL for federation services on the server. For SAML2, make sure the webcontext path is saml2. This is going to be used in the metadata file as the prefix to build the ACS (Assertion Consumer Service) endpoint necessary for allowing an Identity Provider to properly communicate with this Service Provider.

When OBIEE managed servers are in a cluster, there’s typically an HTTP load balancer in front of the servers. In such case, make sure the Published Site URL refers to the name and port of the load balancer, because they are the ones the IdP needs to know.

In this post, I assume there’s an OHS (Oracle HTTP Server) proxying requests to OBIEE analytics application, which is a fairly common production scenario. Let’s take a look at the necessary configuration changes to make it work.

There is only one change to be done in the SAML configuration. The Published Site URL value, in the SAML 2.0 General tab, must be changed to the OHS server http address. Assuming OHS is listening on ateam-us.us.oracle.com:7777:

PublishedSiteURL

Make sure to export the SAML Metadata and re-import it into your Identity Provider partner.

You should see the following as the new Assertion Consumer Service Endpoint:

ACSEndpoint

Now, in OHS, create a mod_wl_ohs routing rule to saml2 web context in the target Weblogic server. mod_wl_ohs is an OHS module that proxies requests to Weblogic server.

Include the following in mod_wl_ohs.conf. It is located in your OHS installation at <instance_home>/config/OHS/<component_name>, same location as httpd.conf.

<Location /saml2>
   SetHandler weblogic-handler 
   WebLogicHost sp.us.oracle.com
   WebLogicPort 9704
</Location>

<Location /analytics>
   SetHandler weblogic-handler 
   WebLogicHost sp.us.oracle.com
   WebLogicPort 9704
</Location>

Restart OHS.

With such configuration in place, an unauthenticated request made to http://ateam-us.us.oracle.com:7777/analytics goes through OHS to Weblogic server, who redirects it to the Identity Provider site for authentication. Once finished, the Identity Provider redirects the browser to http://ateam-us.us.oracle.com:7777/saml2/sp/acs/post (per Assertion Consumer Service Endpoint above) along with a generated SAML assertion. The request is proxied by OHS to Weblogic server sp.us.oracle.com on port 9704 (per routing rule above). Once Weblogic server verifies the assertion, it redirects the browser to http://ateam-us.us.oracle.com:7777/analytics. The request goes through OHS again to the Weblogic server and the user is hopefully and finally given access to the application.

Add Your Comment