
SSO, AD authentication on weblogic

I want to do SSO with active directory on weblogic. I have found very useful information on the web. But in all the cases it is mentioned how to configure the weblogic for the AD authentication. But my question is how the username will get passed to the weblogic from the apache webserver. If we do not get the username in the weblogic itself then SSO won't work. If anyone has any idea regarding the SSO AD authentication on weblogic server (in which the user name gets passed from the apache webserver) then please share.

It depends on how you set up the connections to weblogic. If you are connecting from apache, what method are you using? If it is working as a proxy, say from a browser, you could try to forward the credentials. If it is a webservice, you need to implement some fashion, such as BASIC authentication in the header. As long as you can pass credentials, you can manage SSO.

Normally for SSO, you would have a browser on a domain, say IE since it works with kerberos without further config, and it would connect to the weblogic server. It would pass a ticket on to weblogic, which works as a TGT to active directory. That allows weblogic to then return a token granting access to the application to the client. Without that type of connection (i.e. browser to weblogic) you need to implement some way of working out how to login to weblogic - otherwise who would log in to the application from apache? Would it be apache itself as a domain account? Assuming you want SSO from clients, you need the client to pass on their credentials to either apache (which needs to forward them somehow) or weblogic directly. Weblogic supports SAML 1.1 (I don't think it inherently does 2.0 but you can add it in with extensions) which can be used to forward details from a source to a destination to perform authentication - this is something you might want to look at. The weblogic documentation exists for this between two weblogic domains, so you could use that as a starting point to create the destination. (I don't want to link the documentation as it varies depending on the version of weblogic you are using.)

I've never done Kerberos setup with Apache, but have done it dozens of times with IIS and there are no settings on IIS that need to be modified for Kerberos, so I'm guessing it should be the same for Apache. As long as it forwards requests to Weblogic, you should be fine. Your Apache's URL should be in the SPN on AD. Whenever you try to open it in Internet Explorer on a machine that's logged into the AD domain, Internet Explorer will ask AD whether it has any services registered for this URL, and once AD finds an SPN that matches the URL, it will issue a Kerberos ticket which contains, among other things, your domain username and service principal. Weblogic will get this ticket and compare the service principal in it to the service principals it has in its keytab file. Once it finds a match (I'm omitting boring encryption/decryption details), it will know that you're really a member of that domain and your username is considered valid.
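The following is an added example, not code from the thread, that models the two points the answers above make: the first answer's "forward the credentials from Apache" approach, and the last answer's SPN and keytab matching. It assumes a deployment where Apache performs the Kerberos (SPNEGO) authentication itself and hands the verified username to WebLogic in an HTTP header that a WebLogic identity asserter consumes. The header name `X-Remote-User`, the realm `CORP.EXAMPLE.COM` and the hostnames are assumptions chosen for the example. The security-relevant part is `upstream_headers`: any identity header supplied by the client is discarded before the proxy sets its own, because a header-trusting identity asserter will otherwise log in anyone who sends `X-Remote-User: administrator`.

```python
"""Model of the Apache -> WebLogic identity hand-off (added example).

Assumptions: Apache authenticates the browser with Kerberos/SPNEGO and forwards
the username to WebLogic in X-Remote-User; WebLogic trusts that header only
from the proxy.  Header name, realm and hostnames are assumed, not from the
thread.  Sample inputs in main() are constructed.
"""
from urllib.parse import urlsplit

IDENTITY_HEADER = "X-Remote-User"   # assumed header name for the hand-off


def spn_for_url(url: str) -> str:
    """SPN a browser requests for a URL: 'HTTP/<host as typed by the user>'.

    The service class is HTTP for both http and https URLs, and the host is
    the one in the URL the browser uses, i.e. the Apache front end, not the
    WebLogic server behind it.  That SPN is what must be registered in AD.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return f"HTTP/{host.lower()}"


def principal_to_username(principal: str, realm: str) -> str:
    """Map 'jdoe@CORP.EXAMPLE.COM' to 'jdoe'.

    Principals from any other realm are rejected, so a user from a trusted
    foreign realm cannot be mapped onto a same-named local account.
    """
    name, sep, prealm = principal.rpartition("@")
    if not sep or not name or prealm.upper() != realm.upper():
        raise ValueError(f"principal {principal!r} is not in realm {realm}")
    return name


def keytab_covers_url(keytab_principals, url: str, realm: str) -> bool:
    """The 'compare service principal to the keytab' step from the last answer.

    Returns True only if the keytab holds the exact principal the browser
    will ask AD for when it opens `url`.
    """
    wanted = f"{spn_for_url(url)}@{realm.upper()}"
    return wanted in {p for p in keytab_principals}


def upstream_headers(client_headers: dict, authenticated_principal, realm: str) -> dict:
    """Build the header set the proxy sends to WebLogic.

    1. Drop any identity header the *client* sent (case-insensitive match),
       otherwise anyone who can reach the proxy can pick their own username.
    2. Drop the client's Authorization header: the proxy consumed the
       Negotiate token itself and WebLogic must not see it twice.
    3. Set the identity header only from the principal the proxy verified.
    """
    blocked = {IDENTITY_HEADER.lower(), "authorization"}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    if authenticated_principal is None:
        return forwarded            # unauthenticated request: no identity at all
    forwarded[IDENTITY_HEADER] = principal_to_username(authenticated_principal, realm)
    return forwarded


if __name__ == "__main__":
    realm = "CORP.EXAMPLE.COM"                         # assumed realm
    url = "https://apps.corp.example.com/portal/"      # assumed front-end URL
    keytab = ["HTTP/apps.corp.example.com@CORP.EXAMPLE.COM"]   # constructed
    print("SPN needed :", spn_for_url(url))
    print("keytab ok  :", keytab_covers_url(keytab, url, realm))
    # Constructed request: the client tries to smuggle its own identity header.
    client = {"Accept": "text/html", "x-remote-user": "administrator"}
    print("to WebLogic:", upstream_headers(client, "jdoe@CORP.EXAMPLE.COM", realm))
```

The other deployment shape mentioned in the thread, where Apache only proxies and WebLogic's own SPNEGO identity asserter validates the Negotiate token, needs the opposite of rule 2 (the `Authorization` header is passed through untouched), but the SPN rule is the same: the keytab on whichever host validates the ticket must contain `HTTP/<front-end-name>`, not `HTTP/<weblogic-host>`. In either shape, restrict the identity asserter so it accepts the header only from the proxy's address; the header check in code cannot protect a WebLogic listener that is reachable directly.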

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.

 
Guangdong ICP filing No. 18138465  © 2020-2024 STACKOOM.COM