How can I connect the Spring SAML example application to a Weblogic IDP?

  1. I downloaded the Spring SAML example application here: http://docs.spring.io/spring-security-saml/docs/current/reference/htmlsingle/#quick-start-steps
  2. I ran the application and successfully authenticated against the SSOCircle IDP.
  3. I then tried to switch to a Weblogic IDP, but when I try the authentication, it fails with an exception.

Exception stacktrace:

Jun 17, 2015 10:33:31 AM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet [default] in context with path [] threw exception [org.opensaml.ws.message.encoder.MessageEncodingException: Unable to builder artifact for message to relying party] with root cause
    org.opensaml.ws.message.encoder.MessageEncodingException: Unable to builder artifact for message to relying party
            at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.buildArtifact(HTTPArtifactEncoder.java:232)
            at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.getEncode(HTTPArtifactEncoder.java:195)
            at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.doEncode(HTTPArtifactEncoder.java:137)
            at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:227)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:195)
            at org.springframework.security.saml.websso.AbstractProfileBase.sendMessage(AbstractProfileBase.java:144)
            at org.springframework.security.saml.websso.WebSSOProfileImpl.sendAuthenticationRequest(WebSSOProfileImpl.java:105)
            at org.springframework.security.saml.SAMLEntryPoint.initializeSSO(SAMLEntryPoint.java:226)
            at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:153)
            at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:107)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)

In the log there's another message that says:

No artifact resolution service endpoint defined for the entity null

  1. What can I do to make the artifact resolution succeed? I debugged the application and found that the method org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004Builder#getAcsEndpoint() returns null, which causes the exception above. I'm not really sure what this means or what to do to make it work.
  2. I exported the IDP metadata and included that in the metadata provider bean and in turn exported the SP metadata and uploaded it into Weblogic as a federated partner metadata. Did I miss something?

I tried to make the example application authenticate against a Weblogic IDP and against a Shibboleth IDP, but I didn't manage to make it work. Either the configuration is not complete or I'm missing something fundamental.

2

There are 2 answers

0
Jakub Hlavatý On BEST ANSWER

1. Add Credential Mapping

To enable SAML functionality, we first need to add a credential mapping. Open the Weblogic Administration Console

http://server:port/console
e.g.
http://127.0.0.1:7101/console

1.1. Add mapping entry

1.1.1. Navigate to the Credential Mapping page:

Security Realms > myrealm > Providers > Credential Mapping

1.1.2. Click the new button

  • Enter a name for the mapping (e.g. SamlCredentialMapper)
  • Select the SAML2CredentialMapper type
  • Save the new mapping

1.1.3. Click on the new mapping

2. Configure SAML properties

2.1. Navigate to the Servers page

  • Open the server entry for the Admin Server.
  • Note the values of Listen Address and Listen Port on the General tab.

2.2. Navigate to Federation Services > SAML 2.0 General

  • Enter a value for the Published Site URL (host and port should be the same as the values you noted in the previous step):

    e.g. http://localhost:7101/saml2

  • Enter an Entity ID (note that this ID MUST BE the same as the Issuer URI you entered earlier)

    e.g. http://www.server.com/issuer

  • Has to be the same as the Issuer URI from the Credential Mapping.

  • Save the settings

2.3. Switch to the SAML 2.0 Identity Provider tab

  • Check the enabled checkbox.
  • Select POST as the preferred binding.
  • Save the settings.

3. Exchange metadata information

3.1. Export IDP metadata

The Identity Provider metadata file is used by the Service Provider (SSO client) application to determine login URLs and other useful information.

3.1.1. Navigate to Federation Services > SAML 2.0 General

  • Click on the Publish Meta Data button.
  • Select a file name for the metadata file
    • by entering a path / file name in the Path text field
    • OR by selecting an existing file in the directory structure (you have to check the Overwrite checkbox to overwrite the file)
  • Click OK to export the metadata file.

3.2. Use the metadata file in the Service Provider application

The Service Provider application needs to know where to find the IDP. This information is contained in the IDP metadata file.

3.3. Obtain the Service Provider metadata file

The IDP needs to know about the Service Provider (SSO client) as well. You need to obtain the SP metadata file.

3.4. Configure Service Provider Partner

  • Navigate to the Credential Mapping you created earlier.
  • Go to the Management tab.
  • Create a New Web Single Sign-on Service Provider Partner.
  • Pick a name (or leave the default).
  • Select the SP metadata file by navigating to a directory and selecting an existing file in the directory structure
  • Click OK to save the new partner.
  • Click on the new Service Provider Partner.
  • Check the enabled checkbox.
  • Click on Save.


11
Vladimír Schäfer On

Which Weblogic version are you using? At least in older versions, Oracle consultants told me that Weblogic's SAML IDP support is not "production quality", and the implementation indeed had issues (like usage of old libraries, no support for SAML encryption, handling bugs), but it may have changed since.

The error "No artifact resolution service endpoint" suggests that your IDP's metadata doesn't contain an ArtifactResolutionEndpoint. In your place I'd try to use HTTP-POST binding instead of Artifact.
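A pre-flight check over the two exchanged metadata files, added here as an example that is not part of either answer or of the Spring SAML project: it only picks the Artifact binding when the IdP advertises an HTTP-Artifact SingleSignOnService and the SP publishes an ArtifactResolutionService, and otherwise falls back to HTTP-POST as suggested above. The sample metadata is constructed (shaped like the IdP file published from the Published Site URL in the accepted answer and the SP file the sample app generates); the endpoint paths and the SP entityID are assumptions. It is written in Python rather than Java so it can be run directly against the exported files.

```python
"""Pre-flight check of exchanged SAML 2.0 metadata before choosing an SSO binding.

The Artifact flow needs both sides: the IdP must advertise a SingleSignOnService
with the HTTP-Artifact binding, and the SP must publish an ArtifactResolutionService
that the IdP can call back. If either is missing, use HTTP-POST (or HTTP-Redirect).
"""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample IdP metadata: POST and Redirect SSO endpoints only,
# no artifact support. Endpoint paths are assumptions.
IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.server.com/issuer">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:7101/saml2/idp/sso/post"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:7101/saml2/idp/sso/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample SP metadata: assertion consumer only, no ArtifactResolutionService.
SP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/saml/SSO" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def endpoints(xml_text, role, element):
    """Return {Binding: Location} for `element` under the given role descriptor."""
    desc = ET.fromstring(xml_text).find(MD + role)
    if desc is None:
        raise ValueError("metadata has no " + role)
    return {e.get("Binding"): e.get("Location") for e in desc.findall(MD + element)}


def choose_sso_binding(idp_xml, sp_xml):
    """Return (binding, IdP SSO location) the SP should use for its AuthnRequest."""
    sso = endpoints(idp_xml, "IDPSSODescriptor", "SingleSignOnService")
    sp_ars = endpoints(sp_xml, "SPSSODescriptor", "ArtifactResolutionService")
    if ARTIFACT in sso and sp_ars:  # both halves of the Artifact flow are present
        return ARTIFACT, sso[ARTIFACT]
    for binding in (POST, REDIRECT):  # otherwise a front-channel binding
        if binding in sso:
            return binding, sso[binding]
    raise ValueError("IdP advertises no SingleSignOnService binding the SP can use")
```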