As you implement IDCS (Oracle IDentity Cloud Service) use cases, you would have started thinking, "how do you integration application X with IDCS?", Specially the applications running on-premise or running somewhere other than Oracle public cloud. This blog talks about integration of weblogic hosted applications with IDCS running on-premise or running somewhere other than Oracle public cloud. Integrating weblogic hosted application running on Oracle public cloud with IDCS is relatively simple with cloudgate along with IDCS authentication provider however cloudgate is not available for an application running on-premise or outside Oracle public cloud. However this might change soon and cloudgate could be made available for on-premise applications.
Until cloudgate is available, what comes to rescue is, SAML Identity Asserter that is supported Out-Of the Box on weblogic container. You can use that and configure weblogic container as a service provider. IDCS can act as Identity Provider (IDP) or you can use on-premise IDP if you have one. Once the user is authenticated via SAML by weblogic container, IDCS authentication provider asserts identity and creates weblogic session for the logged in user. With IDCS authentication provider, you do not need to replicate IDCS user store on application data center. It uses IDCS SCIM APIs to connect to IDCS and fetch user data.
Now that we have understood how the integration works at a high level, lets look at "How to". The integration involves two weblogic security providers. SAML Identity asserter and IDCS authentication provider.
SAML 2.0 Identity Asserter interacts with ACS (Assertion Consumer Service) of weblogic container to validate the assertion and if the assertion is valid, it passes identified user down to the next authentication provider configured in security realm. Make sure you configure IDCS authentication provider below SAML Identity Asserter in the security realm.
To create SAML 2.0 Identity Asserter, login to weblogic admin console and browse to security realms from domain structure. Click on 'Providers' tab to open providers screen. Now click on 'New' button to create new authentication provider.
Once you add SAML Identity Asserter, restart weblogic server. This is necessary for us to be able to configure service provider.
Configure Weblogic Federation Services by filling in SAML 2.0 General tab for the Service Provider server. The information entered here is used to generate partner metadata.
Now we can enable SAML 2.0 Service provider module for the container as below. Default URL below is the resource user is redirected to if user does IDP initiated federation without relay state.
Now that container is configured for SAML authentication, we need to add Identity provider that container should redirect user to. You need partner (IDP) metadata file before you begin this configuration. Once you add partner metadata, modify provider configuration to add protected application URL as redirect URIs. This is mandatory step.
Identity Asserter cannot create Java subject for the authenticated user so you need authentication provider. If you have on-prem directory with users data, you can create LDAP authenticator connection to on-prem LDAP server. However if you do not have any on-prem directory, you can configure IDCS authentication provider to authenticate against IDCS. IDCS authentication provider is a combination of Identity Asserter and Authenticator. If user is already logged in, it can validate IDCS assertion from cloud gate and create Java subject or it can also validate user credentials against IDCS and create Java subject.
For WLS 220.127.116.11 and 18.104.22.168, IDCS provider is available Out-Of the Box.
For WLS to authenticate users with IDCS, the IDCS security provider needs to be associated with an OAuth Client. This client would be registered with the IDCS instance and would allow the provider to access IDCS. So create OAuth client for IDCS provider as shown in the screen below using IDCS admin interface.
After you create OAuth client, copy client ID, client secret. We will need that while creating IDCS provider. First login to WLS console and browse to "Security Realms" -> Providers to create IDCS provider as shown in the screen below.
Now open Provider specific tab and update clientID, client secret, tenant name, IDCS hostname and post number as highlighted in the screen below. Keep rest of the configurations unchanged. Save provider specific configuration and then restart the container.
After you restart the container, make sure application is configured for container authentication. If not, follow steps mentiones in the next section and then deploy the application to test the integration.
An application must be configured to trigger container authentication when protected URL is accessed for container to begin federation authentication process. Configure CLIENT-CERT authn method in web.xml file to trigger container authentication.