Identity & Platform

SAML2 AttributeStatement for Application Roles supported by Weblogic Identity Assert

Oladayo Salawu, Jan 4 2024 — edited Jan 4 2024

Hello guys,

I have successfully done a SAML2 integration between Oracle IDCS as an IDP and an on premise Weblogic 12c instance as a SP (WLS).

I have deployed a custom ADF 12c application with ADF security configured onto the weblogic instance. There are custom application roles securing taskflows and pages/pagedef's using the ADF security model.

The SAML response received on the WLS shows the custom application role “CustomRole” in it as shown below:

<saml:AttributeStatement>
  <saml:Attribute Name="oracle:cloud:identity:domain" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">idcs-efed60b1f2b84d54980e210144ea94e8</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="oracle:cloud:identity:sessionid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">135b8c2dcc7f409882e11bb62fd9d3db:20e25b</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="oracle:cloud:identity:tenant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">idcs-</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">CustomAppRole</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="oracle:cloud:identity:url" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">https://idcs-.identity.oraclecloud.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

However, I hit a 401 error after successfully authenticating using the IDCS credentials challenge screen.

The application logs do suggest that the WebLogic SAML2 identity asserter is not able to identify any roles/groups within the SAML response, e.g.

>searched for app roles for principal [user@domain.com] and found 0 roles
>In App GlobalPolicy, Incomming Principals: [user@domain.com], Direct app roles:[]
>In App SampleAdfApp, Incomming Principals: [user@domain.com], Flattend app roles:
>Cache-Hit for Principal:user@domain.com, Roles: null
>Cache hit for principal user@domain.com, application roles []
>login(): Identity Asserted for: username:user@domain.com, groups: null
>SAMLIALoginModule: login(): User name is 'user@domain.com'

Virtual users for the SP have been configured.

Question:
1. Is there any specific attribute Name/NameFormat that's required for custom roles in SAML2 for the WLS Identity Asserter to process them correctly?

JDeveloper version: 12.2.1.4

*****Moderator action: moved to ‘Identity & Platform’ community *****
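Added example (not part of the post, and not WebLogic's or Oracle's own code): a small Python parser that reads an AttributeStatement shaped like the one above and reports whether a group attribute is present under the exact Name and NameFormat that a relying party has been configured to look for. The expected attribute name is a parameter; which name WebLogic's SAML2 Identity Asserter actually looks for, and whether it matches case-sensitively, is not reproduced here and should be confirmed against the asserter's configuration and the WebLogic documentation. The sample statement is constructed with placeholder values, and the `xsi` namespace is declared on the root so the fragment parses stand-alone.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NS = {"saml": SAML_NS}

# Constructed sample modelled on the fragment in the post; identifiers are placeholders.
# The closing tag of each AttributeValue sits on the next line, as in the post, so the
# raw text node carries a trailing newline that a strict comparison would trip over.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="oracle:cloud:identity:domain"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">idcs-EXAMPLE
    </saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">CustomAppRole
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {Name: (NameFormat, [stripped values])} for every saml:Attribute."""
    root = ET.fromstring(xml_text)
    attributes = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = (attr.get("NameFormat"), values)
    return attributes


def extract_groups(attributes, expected_name, expected_format=BASIC_FORMAT,
                   case_sensitive=True):
    """Model a relying party that only recognises the group attribute by an exact
    Name/NameFormat pair (hypothetical matching rule, not WebLogic's)."""
    for name, (fmt, values) in attributes.items():
        same_name = (name == expected_name if case_sensitive
                     else name.lower() == expected_name.lower())
        if same_name and fmt == expected_format:
            return values
    return []


def diagnose(xml_text, expected_name):
    """Explain why zero groups were mapped, distinguishing a casing mismatch from a
    missing attribute; useful when the asserter logs 'groups: null'."""
    attributes = parse_attributes(xml_text)
    groups = extract_groups(attributes, expected_name)
    if groups:
        return "groups found: " + ", ".join(groups)
    near = [n for n in attributes if n.lower() == expected_name.lower()]
    if near:
        return (f"no groups: attribute {near[0]!r} differs from expected "
                f"{expected_name!r} only in case")
    return (f"no groups: no attribute named {expected_name!r}; "
            f"present: {sorted(attributes)}")


if __name__ == "__main__":
    # Compare the name actually sent by the IdP with a differently-cased variant.
    print(diagnose(SAMPLE_ATTRIBUTE_STATEMENT, "groups"))
    print(diagnose(SAMPLE_ATTRIBUTE_STATEMENT, "Groups"))
```

Running the block against the constructed sample shows the two failure modes worth checking first when the asserter reports no groups: the attribute name the SP expects differing from the one the IdP sends (here only in case), and values that carry surrounding whitespace because of how the XML was serialised.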
