Friday, May 22, 2015

Recommendations while using custom federation

Suppose you are the Service Provider using a COTS federation product and your partner is the Identity Provider using a custom federation solution. Here are some personal recommendations for achieving SAML Single Sign-On smoothly.

  1. Identify upfront the features you are implementing with your partner, such as HTTP binding, signing, encryption, logout, attribute query, account linking, etc.
  2. Discuss and agree on the certificate, private key, encryption algorithms, etc.
  3. Set up a local environment to do a proof of concept with the COTS products and make sure you implement all the agreed features.
  4. Make sure your partner with the custom federation solution has done a POC, so that you are sure they are adhering to the SAML standards.
  5. If your partner has not done any POC in their local environment, then you will need to validate the metadata manually before importing it into the Service Provider.
  6. Once the partner metadata is validated, make sure it is imported into your Service Provider properly. Be heedful of syntactical errors.
  7. If your partner has tested the SAML response with a dummy client, ask for that SAML response. If the response is encoded, use a SAML decoder and verify that all the elements are present. This is where we ended up wasting a lot of time while running the test and identifying each and every element missing in the SAML response.
  8. It is always advisable to test basic federation first, without signing/encryption/attribute query, etc.
  9. Once basic federation is tested, signing is the next step.
  10. Then test encryption.
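A small checker for step 7, added here as an example and not part of the original post: it decodes a SAMLResponse value (plain base64 as in the HTTP-POST binding, or raw DEFLATE plus base64 as in HTTP-Redirect) and lists which of an assumed set of expected elements are missing. The checklist of elements, the namespaces and the sample response are constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Assumed checklist of what an SP expects in a signed SAML 2.0 Response;
# paths are ElementTree XPath expressions relative to the Response root.
EXPECTED = {
    "Issuer": "saml:Issuer",
    "StatusCode": "samlp:Status/samlp:StatusCode",
    "Assertion": "saml:Assertion",
    "NameID": "saml:Assertion/saml:Subject/saml:NameID",
    "Conditions": "saml:Assertion/saml:Conditions",
    "AuthnStatement": "saml:Assertion/saml:AuthnStatement",
    "Signature": ".//ds:Signature",
}

def encode_saml(xml: str, deflate: bool = False) -> str:
    """SAMLResponse value: base64 (HTTP-POST) or raw DEFLATE + base64 (HTTP-Redirect)."""
    data = xml.encode("utf-8")
    if deflate:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = c.compress(data) + c.flush()
    return base64.b64encode(data).decode("ascii")

def decode_saml(encoded: str) -> str:
    """Reverse of encode_saml: plain XML starts with '<', anything else is raw DEFLATE."""
    raw = base64.b64decode(encoded)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")

def missing_elements(encoded: str) -> list:
    """Names from EXPECTED that are absent in the decoded Response."""
    root = ET.fromstring(decode_saml(encoded))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["Response"]
    return [n for n, p in EXPECTED.items() if root.find(p, NS) is None]

# Constructed sample: the partner omitted Conditions and did not sign.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example.org</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2015-05-22T10:00:00Z"/></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("Missing:", missing_elements(encode_saml(SAMPLE_XML)) or "none")
```

Presence checks only catch structural gaps; the Service Provider still has to validate the signature, conditions and audience against its own configuration.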

wlst.sh failed to connect in SSL

We have enabled SSL for WebLogic Admin Server and disabled the non-SSL port. We wanted to run some WLST commands and ran wlst.sh from
While trying to connect wlst.sh to the admin server's SSL port, the connection failed. I've tried various combinations of hosts with/without the domain name, and localhost too. See the screenshot below.


The actual fix is to add the -Dweblogic.security.SSL.ignoreHostnameVerification=true parameter to the startWebLogic.sh script. This parameter essentially disables hostname verification and is required for standalone clients connecting to the WebLogic server.

Restarted the WebLogic servers after making the script changes, and the wlst.sh connection worked over SSL.