What is a Fedlet? (snipped from Oracle’s Identity Management Web site)
The Oracle OpenSSO Fedlet (Fedlet) is a compact, easy to deploy SAML 2.0 service provider implementation. It includes a small software package and a simple file-based configuration, embeddable into a service provider’s Java or .NET application. The Fedlet establishes single sign-on (SSO) between an identity provider instance and the service provider application without requiring a fully-featured federation product on the service provider side.
The Oracle OpenSSO Fedlet can accept SAML 2.0 assertions from any SAML 2.0 identity provider and retrieve user attributes to accomplish SSO and content personalization. The Fedlet can be configured to communicate with any number of identity providers. It also can leverage an external discovery service to find the preferred identity provider.
My Environment:
- OIF 11g is configured as an Identity Provider (IDP)
- Fedlet is configured as Service Provider (SP)
- SAML version is 2.0
Assumptions:
- Weblogic is already installed and configured
- Have access to the idp.xml metadata file from your Identity Provider
- Installing on either Linux or Solaris (I am installing on Solaris but this is essentially the same for Linux)
Make sure that $JAVA_HOME/bin is in your PATH variable, so that JDK commands such as jar, java, and keytool are accessible.
Copy the Fedlet distribution (Oracle-OpenSSO-Fedlet.zip, from Oracle) to /opt/Fedlet_stuff/ and unzip it there.
cd /opt/Fedlet_stuff/java
Expand the war file (FEDLET_ZIP_DIR is the directory the zip was unzipped into, /opt/Fedlet_stuff in this walkthrough):
jar xvf FEDLET_ZIP_DIR/java/fedlet.war
Run the Configure Fedlet Script
java -classpath WEB-INF/lib/opensso-sharedlib.jar:WEB-INF/lib/openfedlib.jar:install/lib/configurefedlet.jar oracle.security.fed.fedlet.install.ConfigureFedlet
Enter the directory with path where Oracle-OpenSSO-Fedlet.zip is extracted to: /opt/Fedlet_stuff
Enter the URL where this Fedlet will be deployed on (in http(s)://host.domain:port/uri format):
http://hostname.hostdomain:7001/fedletsample
Enter Fedlet Provider ID:[fedlet_sp_sample] (I accepted the default here)
Do you want to generate keystore and key pair for the Fedlet? 1=yes/2=no [1] 1
Enter Fedlet keystore password:
Re-enter Fedlet keystore password:
Enter Fedlet key password:
Re-enter Fedlet key password:
Do you want to import IDP metadata? 1=yes/2=no [1] 1
Enter IDP metadata filename with path: /opt/Fedlet_stuff/idp.xml
Include sample and generate fedletsample.war? 1=yes/2=no [2] 1
Enter the directory with path where the newly generated Fedlet configuration and optionally fedletsample.war should be saved to: /opt/fedlet
Fedlet configuration is created at: /opt/fedlet
fedletsample.war is created at: /opt/fedlet
Deploy the newly created war file, /opt/fedlet/fedletsample.war, to WebLogic. The deployment context must match the URL you gave ConfigureFedlet above (here /fedletsample), because that URL is baked into the generated SP metadata.
[if you need instructions on deploying the war to Weblogic or Glassfish … then email me and I can provide them to you.]
Copy the generated SP metadata file (/opt/fedlet/fedlet/sp.xml) to the machine from which you run the OIF Admin Console.
Import the sp.xml you just copied into the Circle of Trust in your IDP's OIF Admin Console. The file carries the Fedlet's public signing certificate and its assertion consumer URL, so move it over a channel you trust; whoever can substitute this file decides which certificate and which URL the IDP will trust.
Hi,
I am getting this error when I send an auth request to the IDP. Can you help me with this please?
11/03/09 11:33:59: ERROR
oracle.security.fed.http.translator.saml.SAMLProtocolMessageTranslator.translateMessage() – oracle.security.fed.xml.translator.TranslationException: org.xml.sax.SAXException: Could not locate translation scheme associated with “urn:oasis:names:tc:SAML:2.0:protocol”:NameIdPolicy, child of “urn:oasis:names:tc:SAML:2.0:protocol”:AuthnRequest.
11/03/09 11:33:59: ERROR
oracle.security.fed.controller.ApplicationController.processServletRequest() – oracle.security.fed.controller.web.action.RequestHandlerRuntimeException: Message creation failed. null; oracle.security.fed.xml.translator.TranslationException: org.xml.sax.SAXException: Could not locate translation scheme associated with “urn:oasis:names:tc:SAML:2.0:protocol”:NameIdPolicy, child of “urn:oasis:names:tc:SAML:2.0:protocol”:AuthnRequest.
Regards,
Sudarshan
Hi Sudarshan,
Hopefully I can help. Can you post the SP metadata file that you provided to your IDP? What version of the Oracle OpenSSO Fedlet are you using? What J2EE container did you deploy to, and on what OS platform? Also, which version of Java do you have installed on this server? Additionally, can you tell me which vendor's IDP platform you are using?
Thanks,
Brad
I am getting a http error 404 (no such resource) AFTER a saml assertion is generated.
OIF 11.1.1.5 on linux hosted on weblogic 10.3.5
Fedlet 11.1.1.3 on windows on weblogic 10.3.5
I generated the fedletsample.war and deployed it on the Windows WebLogic. I can go to fedletsample/index.jsp and then click on IDP generated SSO. I get the OIF login prompt and provide credentials, but when the response is POSTed to the fedlet:7001/samplefedlet/fedletapplication, it gets error 404.
Any clue?
Mitra,
Check to make sure that the URL on the initiate page and the return URL are the same. I have noticed that if the hostname changed, you can get a 404. Also, I noticed that if the name the war is deployed as doesn't match what is expected, you can get a 404 as well.
Let me know if you need additional assistance.
Brad
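The two places where a bad sp.xml bites are the import into the IDP's circle of trust (walkthrough above) and the 404 on the IDP's POST back to the Fedlet (the exchange just above). The script below is an added example, not code from the original post or from Oracle's Fedlet: it parses an SP metadata file with the standard library and checks that every AssertionConsumerService sits under the URL given to ConfigureFedlet, that a signing certificate is present, and that the metadata asks for signed assertions. SAMPLE_SP_XML is a constructed file in the shape of Fedlet-generated metadata; the certificate body and the hostnames in it are placeholders.

```python
# Added example (not part of the original post or of Oracle's Fedlet):
# sanity-check a Fedlet sp.xml before importing it into the IDP circle of trust.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of a Fedlet sp.xml; certificate and hosts are placeholders.
SAMPLE_SP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="fedlet_sp_sample">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIBplaceholderCert</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://hostname.hostdomain:7001/fedletsample/fedletapplication"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def check_sp_metadata(xml_text, deploy_url):
    """Return a list of (level, message) findings, level "ERROR" or "WARN".

    deploy_url is the URL typed into ConfigureFedlet,
    e.g. http://hostname.hostdomain:7001/fedletsample
    """
    findings = []
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return [("ERROR", "no SPSSODescriptor: this is not SP metadata")]

    deploy = urlparse(deploy_url)
    context = deploy.path.rstrip("/") + "/"

    # 1. Every AssertionConsumerService must live under the deployed context;
    #    otherwise the IDP's browser POST of the SAMLResponse lands on a 404.
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        findings.append(("ERROR", "no AssertionConsumerService endpoint"))
    for acs in acs_list:
        location = acs.get("Location", "")
        loc = urlparse(location)
        if (loc.scheme, loc.netloc) != (deploy.scheme, deploy.netloc):
            findings.append(("ERROR", f"AssertionConsumerService {location} is not on "
                                      f"{deploy.scheme}://{deploy.netloc}"))
        elif not loc.path.startswith(context):
            findings.append(("ERROR", f"AssertionConsumerService path {loc.path} is "
                                      f"outside the deployed context {deploy.path}"))

    # 2. A signing certificate must be present, or the IDP cannot verify the Fedlet.
    certs = [c.text.strip() for c in
             sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    if not certs:
        findings.append(("ERROR", "no X509Certificate in any KeyDescriptor"))

    # 3. Signing requirements: without these the IDP is not obliged to sign
    #    assertions, and AuthnRequests from this SP can be forged.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append(("WARN", "WantAssertionsSigned is not true: the IDP is not "
                                 "required to sign assertions"))
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append(("WARN", "AuthnRequestsSigned is false: AuthnRequests from "
                                 "this SP cannot be authenticated by the IDP"))

    # 4. The SAMLResponse travels through the user's browser; without TLS it is in clear.
    if deploy.scheme != "https":
        findings.append(("WARN", "deployment URL is plain http: the SAMLResponse "
                                 "crosses the network unencrypted"))
    return findings


if __name__ == "__main__":
    import sys
    # usage: python check_sp.py /opt/fedlet/fedlet/sp.xml http://hostname.hostdomain:7001/fedletsample
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            text, url = f.read(), sys.argv[2]
    else:  # reproduce the host/context mismatch from the thread above
        text, url = SAMPLE_SP_XML, "http://fedlet:7001/samplefedlet"
    for level, msg in check_sp_metadata(text, url):
        print(f"{level}: {msg}")
```

Run it with the real /opt/fedlet/fedlet/sp.xml and the URL you gave ConfigureFedlet before handing the file to the IDP administrator; any ERROR line means the IDP will be POSTing to a URL the container does not serve, or trusting metadata with no key in it.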
Can I export the service partner's xml file from OIF? If so, where does the file reside? OS Red Hat 5
You can export either the IDP metadata or the SP metadata directly by going to:
host:port/fed/idp/metadata or host:port/fed/sp/metadata
Also,
You can export from Enterprise Manager by going to Oracle Identity Federation > Administration > Security and Trust. From there click on the Provider Metadata tab and then at the bottom of the page under the Generate Metadata section select the Provider Type and Protocol and then click Generate. Your browser will prompt you to download the generated file.
Let me know if that didn’t answer your question.
Thanks,
Brad
Brad,
I am looking for a copy of the metadata that is provided to me by the SP (loaded at Oracle Identity Federation – Administration – Federation). We do not have access to the original file that was loaded and would like to see the actual information.
That’s a really good question. I have never not had access to that file before, so I haven’t been in your situation. I have an environment where the name of the imported file is sp.xml. I did a find on the file name and the only hits that I got were on instances of the file that resided in the fedlet directory and on another that was in the tomcat directory where I had deployed the fedlet. How are the data sources for your OIF instance set up? Are you storing everything in LDAP, DB or XML? You may want to check those sources to see if OIF stores a copy of the file there.