Verifying Configuration of SSO with Microsoft Clients Configuring Single Sign-On Using SAML White Paper

Configuring Single Sign-On with Microsoft Clients

-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=krb5Login.conf
-Djava.security.krb5.realm=Example.CORP
-Djava.security.krb5.kdc=ADhostname

where

■ javax.security.auth.useSubjectCredsOnly specifies that it is permissible to use an authentication mechanism other than Subject credentials.
■ java.security.auth.login.config specifies the JAAS login file, krb5Login.conf, described in Section 6.7, Creating a JAAS Login File.
■ java.security.krb5.realm defines the Microsoft domain in which the Active Directory server runs.
■ java.security.krb5.kdc defines the host name on which the Active Directory server runs.

Java GSS messages are often very useful during troubleshooting, so you might want to add -Dsun.security.krb5.debug=true as part of the initial setup.
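A quick way to confirm that a start script carries all four startup arguments described above, shown as an added example that is not part of the Oracle documentation. The function names jvm_prop and check_krb5_jvm_opts are hypothetical, and the sample option string is constructed from the values shown above.

```shell
#!/bin/sh
# Added example: lint a JVM option string for the Kerberos SSO system
# properties listed above. Function names are hypothetical.

# Print the value of -D<name>=<value> found in an option string.
# $1 = property name, $2 = whitespace-separated option string
jvm_prop() {
    for opt in $2; do
        case "$opt" in
            "-D$1="*) printf '%s\n' "${opt#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Report missing or wrong properties; return 0 only if all four are usable.
check_krb5_jvm_opts() {
    opts=$1
    rc=0
    for name in javax.security.auth.useSubjectCredsOnly \
                java.security.auth.login.config \
                java.security.krb5.realm \
                java.security.krb5.kdc; do
        if ! val=$(jvm_prop "$name" "$opts") || [ -z "$val" ]; then
            echo "MISSING: -D$name"
            rc=1
        elif [ "$name" = javax.security.auth.useSubjectCredsOnly ] &&
             [ "$val" != false ]; then
            # The documented setup sets this property to false.
            echo "WRONG: -D$name=$val (expected false)"
            rc=1
        fi
    done
    # The debug switch is meant for troubleshooting; make it visible.
    if [ "$(jvm_prop sun.security.krb5.debug "$opts")" = true ]; then
        echo "NOTE: -Dsun.security.krb5.debug=true is enabled"
    fi
    return $rc
}

# Constructed sample input: the option string from the section above.
SAMPLE_OPTS='-Djavax.security.auth.useSubjectCredsOnly=false
 -Djava.security.auth.login.config=krb5Login.conf
 -Djava.security.krb5.realm=Example.CORP
 -Djava.security.krb5.kdc=ADhostname'
check_krb5_jvm_opts "$SAMPLE_OPTS" && echo "Kerberos SSO options present"
```

Pass the function the option string your own start script builds; the NOTE line is a reminder to remove the debug switch once troubleshooting is finished.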

6.10 Verifying Configuration of SSO with Microsoft Clients

To verify that SSO with Microsoft clients is configured properly, point a browser that you have configured as described in Section 6.6.2, Configuring an Internet Explorer Browser, to the Microsoft Web application or Web service you want to use. If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web service without providing a username or password.

Securing Oracle WebLogic Server

7 Configuring Single Sign-On with Web Browsers and HTTP Clients

The Security Assertion Markup Language (SAML) enables cross-platform authentication between Web applications or Web services running in a WebLogic domain and Web browsers or other HTTP clients. WebLogic Server supports single sign-on (SSO) based on SAML. When users are authenticated at one site that participates in a single sign-on (SSO) configuration, they are automatically authenticated at other sites in the SSO configuration and do not need to log in separately.

The following sections describe how to set up single sign-on (SSO) with Web browsers or other HTTP clients by using authentication based on the Security Assertion Markup Language (SAML) versions 1.1 and 2.0.

■ Section 7.1, Configuring Single Sign-On Using SAML White Paper
■ Section 7.2, Configuring SAML 1.1 Services
■ Section 7.3, Configuring SAML 2.0 Services
■ Section 7.4, Enabling Debugging for SAML 1.1 and 2.0

For an overview of SAML-based single sign-on, see the following topics in Understanding Security for Oracle WebLogic Server:

■ Security Assertion Markup Language (SAML)
■ Web Browsers and HTTP Clients via SAML
■ Single Sign-On with the WebLogic Security Framework

7.1 Configuring Single Sign-On Using SAML White Paper

The Configuring Single Sign-On using SAML in WebLogic Server 9.2 white paper (http://www.oracle.com/technology/pub/articles/dev2arch/2006/12/sso-with-saml.html) provides step-by-step instructions for configuring the single sign-on capability between two simple Java EE Web applications running on two different WebLogic domains. The SAML configuration for single sign-on is performed using the WebLogic Server 9.2 Administration Console with no programming involved. The tutorial also briefly introduces the basic interactions between WebLogic containers, the security providers, and the security framework during the single sign-on process. Although it is based on a previous version of WebLogic Server, you may find this tutorial to be a useful resource as you develop your own SAML implementation.

Note: A WebLogic Server instance that is configured for SAML 2.0 SSO cannot send a request to a server instance configured for SAML 1.1, and vice-versa.

7.2 Configuring SAML 1.1 Services