Wednesday, January 19, 2011

Solutions to issue “Using back button upon authentication via SAML SSO gives HTTP 404”

Typically, achieving SSO using SAML 1.1 between two applications deployed to WebLogic domains involves configuring:
  1. Identity Asserter (IA) on the destination WebLogic domain
  2. Credential Mapper (CM) on the source WebLogic domain
Details on how to achieve SSO using SAML 1.1 are outside the scope of this article, which focuses on one of the major issues faced with SSO using SAML 1.1. Assume that, with the required IA and CM configuration settings done on the source and destination WebLogic domains, SSO using SAML 1.1 starts working: users can log in to one application and they are logged in to the other application via SSO using SAML 1.1.
So far so good, but after a user logs in, reaches the landing page of any of the applications, and hits the browser's back button, they encounter an HTTP 404 error.
The solution provided below solves the problem:
  1. Deploy the attached web application saml_acs.war to all the WebLogic domains configured to be SAML 1.1 destinations
  2. Target saml_acs.war to the cluster
  3. Set the system flag as shown below. Set the flag on all the servers in the domain and restart them for the system flag to take effect:
     -Dsaml_acs.redirect.url=http(s)://<hostname>:<port>/<landing page>
  4. In the WLS admin console, update all the servers
    • Navigate to the “Server name -> Configuration -> Federation Services -> SAML 1.1 Destination Site” tab
    • Change the “Assertion Consumer URI” to “/saml_acs/acs”
    • This requires a restart


    saml_acs.war
    -WEB-INF
    --web.xml
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
         <error-page>
            <error-code>404</error-code>
            <location>/redirect.jsp</location>
        </error-page>
    </web-app>

    --weblogic.xml
    <!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 8.1//EN" "http://www.bea.com/servers/wls810/dtd/weblogic810-web-jar.dtd">
    <weblogic-web-app>
    </weblogic-web-app>


    -META-INF

    -redirect.jsp
    <%@page import="javax.servlet.http.*"%>

    <%
    /*
    This JSP handles the HTTP 404 error that occurs when a user
    authenticates to the portal desktop via SAML for the first time and
    hits the browser back button.
    Set the system property to the portal URL, as in the example below.

    Example:
    -Dsaml_acs.redirect.url="https://<hostname>:<port>/<default landing page if required>"
    */

    String newLocation=System.getProperty("saml_acs.redirect.url","/default landing page");
    response.sendRedirect(newLocation);
    %>
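
An added example, not part of the original post or the attached WAR: redirect.jsp passes the `saml_acs.redirect.url` system property straight to `sendRedirect()`, and its placeholder default contains spaces, so a helper like the one below can check the value first. The class name `RedirectTarget` and the `/` fallback are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example (not from the original post): validates the value of
// -Dsaml_acs.redirect.url before redirect.jsp hands it to sendRedirect().
public final class RedirectTarget {
    // Assumption: "/" stands in for the landing page the post leaves as a placeholder.
    static final String FALLBACK = "/";

    // Accepts an absolute http(s) URL with a host, or a server-relative path.
    static String resolve(String configured) {
        if (configured == null || configured.trim().isEmpty()) return FALLBACK;
        String value = configured.trim();
        for (char c : value.toCharArray()) {
            if (c < 0x20 || c == 0x7f) return FALLBACK;   // control chars, incl. CR/LF
        }
        try {
            URI uri = new URI(value);   // throws on spaces and other illegal characters
            if (uri.isAbsolute()) {
                String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
                boolean web = scheme.equals("http") || scheme.equals("https");
                return (web && uri.getHost() != null) ? uri.toASCIIString() : FALLBACK;
            }
            // Relative: only "/path", never "//host/path" (scheme-relative, leaves the site).
            boolean local = value.startsWith("/") && !value.startsWith("//");
            return local ? uri.toASCIIString() : FALLBACK;
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the last is the JSP's literal placeholder default.
        String[] samples = {
            "https://portal.example.com:7002/portal/home.jsp",
            "/portal/home.jsp",
            "//other.example.net/x",
            "javascript:void(0)",
            "/default landing page"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
        // In redirect.jsp:
        // response.sendRedirect(RedirectTarget.resolve(System.getProperty("saml_acs.redirect.url")));
    }
}
```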











