8 Configuring Federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS
You can refer to the use case description, solution summary, components involved, and the linked documentation resources to configure web services federation with Microsoft ADFS 2.0 STS as the Identity Provider STS (IP-STS) and Oracle STS as the Relying Party STS (RP-STS).
- Use Case
  Configure web services federation with Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS.
- Solution
  Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Oracle STS and Microsoft ADFS 2.0 STS to establish trust across security domains.
- Components
  - Oracle WebLogic Server
  - Oracle Web Services Manager (OWSM)
  - Oracle STS
  - Microsoft ADFS 2.0 STS
  - Web service and client applications to be secured
- Additional Resources on Oracle Web Services Manager
This use case demonstrates the steps required to:
- Attach the appropriate OWSM security policies to enforce message-level protection using SAML bearer authentication. Specifically, you attach the following policies to the client and service, respectively:
  - oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy and policies based on oracle/sts_trust_config_client_template
  - oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
- Configure web services federation using Microsoft ADFS 2.0 STS as the IP-STS and Oracle STS as the RP-STS. Transport security with SSL is used to protect the service, the RP-STS, and the IP-STS.
For more information on how to implement this use case, see Use Case: Implementing Web Services federation with Microsoft ADFS2.0 STS.
8.1 Use Case: Implementing Web Services federation with Microsoft ADFS2.0 STS
To implement the use case, complete the following tasks in sequence: configure the Web Service, configure Oracle STS as the RP-STS, configure Microsoft ADFS 2.0 STS as the IP-STS, and configure the Web Service Client.
Note:
In the following sections, high-level configuration steps for Oracle STS and Microsoft ADFS 2.0 STS are provided. For detailed information about how to perform these configuration steps, refer to the documentation for the particular STS:
- For Microsoft ADFS 2.0 STS: http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx
8.1.1 Configuring the Web Service
To implement the use case Web Services federation with Microsoft ADFS2.0 STS, first you need to configure the web service.
- Attach the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy policy to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
- Import the signing certificate for the Oracle STS /wssbearer endpoint into the OWSM keystore.
- Define the Oracle STS endpoint as a trusted issuer and a trusted DN. For the complete procedure, see "Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
8.1.2 Configuring Oracle STS as the RP-STS
To implement the use case Web Services federation with Microsoft ADFS2.0 STS, you need to configure Oracle STS as the RP-STS.
8.1.3 Configuring Microsoft ADFS 2.0 STS as the IP-STS
To implement the use case Web Services federation with Microsoft ADFS2.0 STS, you need to configure Microsoft ADFS 2.0 STS as the IP-STS.
For the complete procedure, see the Microsoft ADFS 2.0 STS documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.
- Confirm that the /usernamemixed endpoint is enabled.
- Add the Oracle STS instance acting as the RP-STS as a relying party using the ADFS 2.0 management console.
- Configure ADFS 2.0 STS to issue SAML bearer tokens for the RP-STS.
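The following added example is not Oracle's or Microsoft's code; it models, offline, the two-hop trust chain this use case builds (client authenticates at the ADFS /usernamemixed endpoint, exchanges the result at the Oracle STS /wssbearer endpoint, and presents the re-issued token to the service) together with the trusted-issuer and trusted-DN checks that the web service configuration in 8.1.1 and the relying-party setup in 8.1.3 establish. Hostnames, DNs and the five-minute token lifetime are constructed placeholders; XML parsing and XML-Signature verification are assumed to be done by the web service stack, so an assertion here is a plain record whose signer DN is taken as already cryptographically verified.

```python
# Added example (not Oracle's or Microsoft's code). Models the IP-STS -> RP-STS
# -> web service federation chain and the trust checks each receiver applies.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholder identifiers, not real endpoints or certificates.
ADFS_ISSUER = "http://adfs.example/adfs/services/trust"      # IP-STS (ADFS 2.0)
ADFS_DN = "CN=ADFS Signing - adfs.example"
OSTS_ISSUER = "https://osts.example/sts/wssbearer"           # RP-STS (Oracle STS)
OSTS_DN = "CN=orasts, O=Example"
SERVICE_AUDIENCE = "https://svc.example/HelloService"        # the protected web service


@dataclass(frozen=True)
class Assertion:
    issuer: str            # <saml:Issuer>
    subject: str           # <saml:NameID>
    audience: str          # <saml:AudienceRestriction>/<saml:Audience>
    confirmation: str      # <saml:SubjectConfirmation Method="...">
    not_before: datetime
    not_on_or_after: datetime
    signer_dn: str         # subject DN of the signing cert; signature assumed verified upstream


@dataclass(frozen=True)
class TrustConfig:
    audience: str                          # URI this receiver expects as Audience
    trusted_issuers: dict[str, set[str]]   # trusted issuer -> DNs allowed to sign for it


def validate_bearer(a: Assertion, trust: TrustConfig, now: datetime) -> list[str]:
    """Return the reasons an assertion is rejected; an empty list means accepted."""
    problems = []
    if a.confirmation != BEARER:
        problems.append("subject confirmation is not bearer")
    allowed_dns = trust.trusted_issuers.get(a.issuer)
    if allowed_dns is None:
        problems.append(f"issuer {a.issuer!r} is not a trusted issuer")
    elif a.signer_dn not in allowed_dns:
        problems.append(f"signer {a.signer_dn!r} is not on the trusted DN list for {a.issuer!r}")
    if a.audience != trust.audience:
        problems.append(f"audience {a.audience!r} does not match {trust.audience!r}")
    if not (a.not_before <= now < a.not_on_or_after):
        problems.append("assertion is outside its validity window")
    return problems


class Sts:
    """Minimal token service: issues bearer assertions; as an RP-STS it validates before re-issuing."""

    def __init__(self, issuer: str, signer_dn: str, trust: TrustConfig | None = None):
        self.issuer, self.signer_dn, self.trust = issuer, signer_dn, trust

    def issue(self, subject: str, audience: str, now: datetime) -> Assertion:
        return Assertion(self.issuer, subject, audience, BEARER,
                         now, now + timedelta(minutes=5), self.signer_dn)

    def exchange(self, incoming: Assertion, audience: str, now: datetime) -> Assertion:
        """RP-STS behaviour: accept the IP-STS token only if it passes the trust checks, then re-issue."""
        problems = validate_bearer(incoming, self.trust, now)
        if problems:
            raise PermissionError("; ".join(problems))
        return self.issue(incoming.subject, audience, now)


def federate(username: str, now: datetime, ip_sts: Sts, rp_sts: Sts) -> Assertion:
    """Client flow: authenticate at the IP-STS, exchange at the RP-STS, get a token for the service."""
    first_hop = ip_sts.issue(username, rp_sts.issuer, now)     # ADFS token scoped to the RP-STS
    return rp_sts.exchange(first_hop, SERVICE_AUDIENCE, now)   # Oracle STS token scoped to the service


# Trust configuration per receiver: the RP-STS trusts only ADFS, the service trusts only Oracle STS.
RP_STS_TRUST = TrustConfig(OSTS_ISSUER, {ADFS_ISSUER: {ADFS_DN}})
SERVICE_TRUST = TrustConfig(SERVICE_AUDIENCE, {OSTS_ISSUER: {OSTS_DN}})
ADFS = Sts(ADFS_ISSUER, ADFS_DN)
ORACLE_STS = Sts(OSTS_ISSUER, OSTS_DN, RP_STS_TRUST)

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    token = federate("alice", now, ADFS, ORACLE_STS)
    print("service decision:", validate_bearer(token, SERVICE_TRUST, now) or "accepted")
```

The point the model makes explicit is that the service never trusts the ADFS token directly: its trusted-issuer list holds only the Oracle STS /wssbearer endpoint and its signing DN, so an assertion that skips the RP-STS, or one signed by a certificate not imported into the OWSM keystore, is rejected before any subject is accepted.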