#OpenSSO #Fedlet Integration with #Oracle #Identity #Federation 11g

What is a Fedlet? (snipped from Oracle’s Identity Management Web site)

The Oracle OpenSSO Fedlet (Fedlet) is a compact, easy to deploy SAML 2.0 service provider implementation. It includes a small software package and a simple file-based configuration, embeddable into a service provider’s Java or .NET application. The Fedlet establishes single sign-on (SSO) between an identity provider instance and the service provider application without requiring a fully-featured federation product on the service provider side.

The Oracle OpenSSO Fedlet can accept SAML 2.0 assertions from any SAML 2.0 identity provider and retrieve user attributes to accomplish SSO and content personalization. The Fedlet can be configured to communicate with any number of identity providers. It also can leverage an external discovery service to find the preferred identity provider.

My Environment:

  • OIF 11g is configured as an Identity Provider (IDP)
  • Fedlet is configured as Service Provider (SP)
  • SAML version is 2.0

Assumptions:

  1. WebLogic is already installed and configured
  2. You have the idp.xml metadata file exported from your Identity Provider
  3. You are installing on either Linux or Solaris (I am installing on Solaris, but the steps are essentially the same for Linux)

Make sure that $JAVA_HOME/bin is in your PATH variable, so that JDK commands such as jar, java, and keytool are accessible.

Copy the Fedlet binary (Oracle-OpenSSO-Fedlet.zip, from Oracle) to /opt/Fedlet_stuff/ and unzip it there. The directory the zip is unpacked into is what the configure script later calls FEDLET_ZIP_DIR; in this walkthrough it is /opt/Fedlet_stuff.

cd /opt/Fedlet_stuff/java

Expand the war file in place (the configure script expects to find WEB-INF/lib next to it):

jar xvf fedlet.war

Run the Configure Fedlet script from the same directory (/opt/Fedlet_stuff/java) and answer the prompts:

java -classpath WEB-INF/lib/opensso-sharedlib.jar:WEB-INF/lib/openfedlib.jar:install/lib/configurefedlet.jar oracle.security.fed.fedlet.install.ConfigureFedlet

Enter the directory with path where Oracle-OpenSSO-Fedlet.zip is extracted to: /opt/Fedlet_stuff

Enter the URL where this Fedlet will be deployed on (in http(s)://host.domain:port/uri format):

 http://hostname.hostdomain:7001/fedletsample

Enter Fedlet Provider ID:[fedlet_sp_sample]   (I accepted the default here; this becomes the entityID in the generated sp.xml)

Do you want to generate keystore and key pair for the Fedlet? 1=yes/2=no [1] 1

Enter Fedlet keystore password:
Re-enter Fedlet keystore password:
Enter Fedlet key password:
Re-enter Fedlet key password:

Do you want to import IDP metadata? 1=yes/2=no [1] 1

Enter IDP metadata filename with path: /opt/Fedlet_stuff/idp.xml

Include sample and generate fedletsample.war? 1=yes/2=no [2] 1

Enter the directory with path where the newly generated Fedlet configuration and optionally fedletsample.war should be saved to: /opt/fedlet

Fedlet configuration is created at: /opt/fedlet
fedletsample.war is created at: /opt/fedlet

Deploy the newly created war file, /opt/fedlet/fedletsample.war, to WebLogic. Deploy it under the same context root you gave the configure script (fedletsample in the URL above); the SP metadata generated in the next step embeds that URL, and the IDP will POST the SAML response to it.

[If you need instructions on deploying the war to WebLogic or Glassfish, then email me and I can provide them to you.]

Copy the generated sp.xml file (from /opt/fedlet/fedlet/sp.xml) to the workstation from which you reach the IDP's admin console.

Import the sp.xml (that you just copied) into the Circle of Trust on your IDP's OIF Admin Console.
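Before handing sp.xml to the IDP it is worth checking that the file actually says what the deployment does: the AssertionConsumerService URL must sit on the host and context root the war is deployed under, there must be an HTTP-POST endpoint for the IDP to target, and the signing certificate from the keystore the script generated must be present. The script below is an added example written for this post, not code shipped with the Fedlet or OIF. It uses only the Python standard library, and SAMPLE_SP_XML is constructed to resemble the sp.xml ConfigureFedlet writes for the values entered above; the certificate body is a placeholder and the exact element layout is an assumption.

```python
"""Pre-import sanity check for Fedlet SP metadata (sp.xml).

Added example for this post, not code shipped with the Fedlet or OIF. It uses
only the Python standard library. SAMPLE_SP_XML is constructed to resemble the
sp.xml ConfigureFedlet writes for the values entered above; the certificate
body is a placeholder and the element layout is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: entityID and ACS URL follow the values accepted above.
SAMPLE_SP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="fedlet_sp_sample">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC-placeholder-not-a-real-cert</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://hostname.hostdomain:7001/fedletsample/fedletapplication"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Pull the fields the checks need out of SAML 2.0 SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location") or "",
         "default": e.get("isDefault") == "true"}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    # A KeyDescriptor with no use attribute is valid for both signing and encryption.
    certs = [
        (kd.get("use") or "both", "".join((c.text or "").split()))
        for kd in sp.findall("md:KeyDescriptor", NS)
        for c in kd.findall(".//ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "acs": acs,
        "certs": certs,
    }


def check_sp_metadata(meta, deploy_url):
    """Return a list of findings; empty means the metadata matches the URL the
    Fedlet was deployed on (the value given to ConfigureFedlet)."""
    findings = []
    d = urlsplit(deploy_url)
    context_root = d.path.rstrip("/") + "/"
    if not meta["entity_id"]:
        findings.append("entityID is missing")
    if not meta["acs"]:
        findings.append("no AssertionConsumerService: the IdP has nowhere to POST the Response")
    for a in meta["acs"]:
        u = urlsplit(a["location"])
        # Two separate mismatches, both of which surface as a 404 on the return leg:
        # wrong host, or a war deployed under a different name than the metadata says.
        if (u.scheme, u.netloc) != (d.scheme, d.netloc):
            findings.append(f"ACS {a['location']} is not on the deployment host {d.scheme}://{d.netloc}")
        elif not u.path.startswith(context_root):
            findings.append(f"ACS {a['location']} is outside the deployed context root {d.path}")
    if not any(a["binding"] == HTTP_POST for a in meta["acs"]):
        findings.append("no HTTP-POST AssertionConsumerService")
    if not meta["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is not true: the metadata does not require signed assertions")
    if not any(use in ("signing", "both") and cert for use, cert in meta["certs"]):
        findings.append("no signing certificate published; the IdP cannot verify signed AuthnRequests")
    if d.scheme != "https":
        findings.append("deployment URL is plain http: the SAML Response is POSTed in clear text")
    return findings


if __name__ == "__main__":
    # Point this at the real /opt/fedlet/fedlet/sp.xml and the URL you entered.
    meta = parse_sp_metadata(SAMPLE_SP_XML)
    for finding in check_sp_metadata(meta, "http://hostname.hostdomain:7001/fedletsample") or ["ok"]:
        print(finding)
```

Run it against the real file with `parse_sp_metadata(open("/opt/fedlet/fedlet/sp.xml").read())` and the URL you typed at the "Enter the URL where this Fedlet will be deployed" prompt. For the sample above the only finding is the plain-http deployment URL, which is exactly what the walkthrough uses; change the URL's host or the war name and the check reports the mismatch before the IDP does with a 404.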

8 thoughts on “#OpenSSO #Fedlet Integration with #Oracle #Identity #Federation 11g”

  1. Sudarshan H Walikar

    Hi,

    I am getting this error when I send an auth request to the IDP. Can you help me with this, please?

    11/03/09 11:33:59: ERROR
    oracle.security.fed.http.translator.saml.SAMLProtocolMessageTranslator.translateMessage() – oracle.security.fed.xml.translator.TranslationException: org.xml.sax.SAXException: Could not locate translation scheme associated with “urn:oasis:names:tc:SAML:2.0:protocol”:NameIdPolicy, child of “urn:oasis:names:tc:SAML:2.0:protocol”:AuthnRequest.

    11/03/09 11:33:59: ERROR
    oracle.security.fed.controller.ApplicationController.processServletRequest() – oracle.security.fed.controller.web.action.RequestHandlerRuntimeException: Message creation failed. null; oracle.security.fed.xml.translator.TranslationException: org.xml.sax.SAXException: Could not locate translation scheme associated with “urn:oasis:names:tc:SAML:2.0:protocol”:NameIdPolicy, child of “urn:oasis:names:tc:SAML:2.0:protocol”:AuthnRequest.

    Regards,
    Sudarshan

    1. Hi Sudarshan,

      Hopefully I can help. Can you post the SP metadata file that you provided to your IDP? What version of the Oracle OpenSSO Fedlet are you using? What J2EE container did you deploy to, and on what OS platform? Also, which version of Java do you have installed on this server? Additionally, can you tell me which vendor is the IDP platform?

      Thanks,
      Brad

  2. I am getting a http error 404 (no such resource) AFTER a saml assertion is generated.

    OIF 11.1.1.5 on linux hosted on weblogic 10.3.5
    Fedlet 11.1.1.3 on windows on weblogic 10.3.5

    I generated the fedletsample.war and deployed it on WebLogic on Windows. I can go to fedletsample/index.jsp and then click on IDP-initiated SSO. I get the OIF login prompt and provide credentials, but when the response is POSTed to the fedlet:7001/samplefedlet/fedletapplication, it gets error 404.

    Any clue?

    1. Mitra,

      Check to make sure that the URL on the initiate page and the return URL are the same. I have noticed that if the hostname changes you can get a 404. Also, I noticed that if the name the war is deployed as doesn't match what is expected, you can get a 404 as well.

      Let me know if you need additional assistance.

      Brad

    1. You can export either the IDP metadata or the SP metadata directly by going to:
      host:port/fed/idp/metadata or host:port/fed/sp/metadata

      Also,
      You can export from Enterprise Manager by going to Oracle Identity Federation > Administration > Security and Trust. From there click on the Provider Metadata tab and then at the bottom of the page under the Generate Metadata section select the Provider Type and Protocol and then click Generate. Your browser will prompt you to download the generated file.

      Let me know if that didn’t answer your question.

      Thanks,

      Brad

  3. Brad,

    I am looking for a copy of the metadata that was provided to me by the SP (loaded at Oracle Identity Federation – Administration – Federation). We do not have access to the original file that was loaded and would like to see the actual information.

    1. That’s a really good question. I have never not had access to that file before so I haven’t been in your situation. I have an environment where the name of the imported file is sp.xml. I did a find on the file name and the only hits that I got were on instances of the file that resided in the fedlet directory and on another that was in the tomcat directory where I had deployed the fedlet. How are the data sources for your OIF instance setup? Are you storing everything in LDAP, DB or XML? You may want to check those sources to see if OIF stores a copy of the file there.
