9 Configuring Federation with Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS
You can refer to the use case description, solution summary, components involved, and the linked documentation resources to configure web services federation with Oracle STS as the Identity Provider STS (IP-STS) and Microsoft ADFS 2.0 STS as the Relying Party STS (RP-STS).
- Use Case
  Configure web services federation with Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.
- Solution
  Attach Oracle Web Services Manager (OWSM) WS-Trust policies to the web service and client, and configure Oracle STS and Microsoft ADFS 2.0 STS to establish trust across security domains.
- Components
  - Oracle WebLogic Server
  - Oracle Web Services Manager (OWSM)
  - Oracle STS
  - Microsoft ADFS 2.0 STS
  - Web service and client applications to be secured
- Additional Resources on Oracle Web Services Manager
  Additional resources provide more information about the technologies and tools used to implement this use case: configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS.
This use case demonstrates the steps required to:
- Attach the appropriate OWSM security policies to enforce message-level protection using SAML holder-of-key (HOK) authentication. Specifically, you attach the following policies to the client and service, respectively:
  - oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy and policies based on oracle/sts_trust_config_client_template
  - oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
- Configure web services federation using Oracle STS as the IP-STS and Microsoft ADFS 2.0 STS as the RP-STS.
For more information on how to implement this use case, see Use Case: Implementing Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS.
9.1 Use Case: Implementing Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS
To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS: first configure the web service, then configure Microsoft ADFS 2.0 STS as the RP-STS, then configure Oracle STS as the IP-STS, and finally configure the web service client.
9.1.1 Configuring the Web Service
To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS, first you need to configure the web service.
1. Attach oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy to the web service. For the complete procedure, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
2. Import the signing certificate for the ADFS 2.0 STS /issuedtokensymmetricbasic256 endpoint into the OWSM keystore.
3. Define the ADFS 2.0 STS endpoint as a trusted issuer and a trusted DN. For the complete procedure, see "Defining Trusted Issuers and Trusted Distinguished Names List for SAML Signing Certificates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
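The three service-side steps above as one WLST script, added here as an illustration and not taken from the Oracle documentation. Assumed values: the connection details, the domain, server and application names in the policy subject, the keystore alias, and the ADFS 2.0 STS issuer URI and signing-certificate DN are all placeholders, and the exact selectWSMPolicySubject subject syntax and setWSMTokenIssuerTrust entry types should be verified against the WLST command reference for your release.

```wlst
# Added example (not from the Oracle documentation). Run with wlst.sh against the
# Administration Server of the domain hosting the web service. Every name, host,
# URI and DN below is a placeholder; substitute your own values.

# Step 2 is performed outside WLST with keytool: import the ADFS 2.0 STS signing
# certificate for the /issuedtokensymmetricbasic256 endpoint into the OWSM keystore.
#   keytool -importcert -alias adfs-sts -file adfs_sts_signing.cer \
#           -keystore default-keystore.jks
# Read the imported certificate's subject DN (keytool -list -v) for step 3 below.

connect('weblogic', '<password>', 't3://adminhost:7001')

# Step 1: attach the SAML HOK service policy to the web service endpoint.
# Subject path is /<domain>/<server>/<application>, then the module and the
# service#port expression (placeholders; verify the syntax for your release).
beginWSMSession()
selectWSMPolicySubject('/base_domain/AdminServer/MyApp', '#MyApp',
                       'WSSERVICE(MyService#MyServicePort)')
attachWSMPolicy('oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy')
commitWSMSession()

# Step 3: trust the ADFS 2.0 STS as a SAML issuer and bind that issuer to the DN of
# the signing certificate imported in step 2. Holder-of-key assertions are checked
# against the 'dns-hok' list, so a token signed by any other certificate is rejected
# even if its Issuer element names the trusted STS.
ADFS_ISSUER = 'http://adfs.example.com/adfs/services/trust'      # placeholder
ADFS_SIGNING_DN = 'CN=ADFS Signing - adfs.example.com'            # placeholder

beginWSMSession()
setWSMTokenIssuerTrust('issuer', ADFS_ISSUER, None)
setWSMTokenIssuerTrust('dns-hok', ADFS_ISSUER, [ADFS_SIGNING_DN])
commitWSMSession()

# Check: the issuer and its trusted DN should now be listed before any client test.
displayWSMTokenIssuerTrust('dns-hok', ADFS_ISSUER)
```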
9.1.2 Configuring Microsoft ADFS 2.0 STS as the RP-STS
To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS, after configuring the web service, you need to configure Microsoft ADFS 2.0 STS as RP-STS.
For the complete procedure, see the Microsoft ADFS 2.0 documentation at http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx.
1. Confirm that the /issuedtokensymmetricbasic256 endpoint is enabled.
2. Add the service as a relying party using the ADFS 2.0 management console.
3. Add the Oracle STS instance acting as the IP-STS as a trusted claim provider using the ADFS 2.0 management console.
9.1.3 Configuring Oracle STS as the IP-STS
To implement the use case configuring web services federation with Oracle STS as IP-STS and Microsoft ADFS 2.0 STS as RP-STS, after configuring the web service and RP-STS, you need to configure Oracle STS as the IP-STS.