Reputation: 11
I need to configure SAML between 2 or more applications deployed in a WebLogic 10.3.6 server. I successfully configured SAML between 2 different domains, but I need to use SAML between 2 applications in the same domain, on different managed servers. If I deploy the apps in the same domain and the same managed server, credentials are shared automatically even when SAML is not configured. App1 calls App2 within an iframe. When I access App1, the logon page works. When I access App2 within the iframe, credentials are transferred perfectly from App1 to App2, but when I return to App1, the session has ended. When the apps are deployed on different domains, everything works fine and I can access App1 and App2 normally.
I can't understand why App1's session was killed when I access App2 in the same domain and different managed servers.
Upvotes: 1
Views: 1102
Reputation: 21
I don't know if it is still relevant: The WebLogic SAML2 implementation stores the JSESSIONID cookie under the root cookie path "/". When your managed servers in the same domain are on the same host, the authentication cookie is overwritten each time you change your request from one server to the other. So you have to re-authenticate... (the cookie is stored only under the domain name! The application path and ports are irrelevant)
The solution is to start each managed server under a different IP address, DNS name or simply under a different DNS alias, e.g. for an alias:
managedserverA.example.net points to 192.168.1.5
managedserverB.example.net points to 192.168.1.5 as well
Now your browser can store the authentication cookies under different domains:
JSESSIONID CLmYRsmZJ41TgyLJkcDQNf1!1664721840 /managedserverA.example.net
JSESSIONID q6nHRsnPNscWksZw99LBJh2!606405387 /managedserverB.example.net
Do not forget to change the published-site-url in your SAML2 configuration to include your DNS alias for each managed server:
published site url: http://managedserverA.example.net:7020/saml2
published site url: http://managedserverB.example.net:7030/saml2
Cheers,
Tomislav Dedus
Upvotes: 2
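The cookie behaviour described in the answer above can be reproduced offline. This is an added example, not code from either poster: it uses Python's standard `http.cookiejar` as a stand-in for the browser, and the session values, the `/app1/` and `/app2/` paths and `host.example.net` are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def login(jar, url, session_id):
    """Simulate the server at `url` issuing JSESSIONID with cookie path "/"."""
    req = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse(f"JSESSIONID={session_id}; path=/"), req)


def cookie_sent(jar, url):
    """Return the Cookie header the client would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(url_app1, url_app2):
    """Log in to App1, load App2 (the iframe), then go back to App1."""
    jar = http.cookiejar.CookieJar()
    login(jar, url_app1, "sessA")   # constructed session id for App1
    login(jar, url_app2, "sessB")   # constructed session id for App2
    return cookie_sent(jar, url_app1), len(jar)


# Same host name, different ports: cookies are keyed by host, path and name,
# not by port, so App2's JSESSIONID replaces App1's.
SAME_HOST = simulate("http://host.example.net:7020/app1/",
                     "http://host.example.net:7030/app2/")
# One DNS alias per managed server: two separate cookies survive.
ALIASES = simulate("http://managedserverA.example.net:7020/app1/",
                   "http://managedserverB.example.net:7030/app2/")

if __name__ == "__main__":
    print("same host :", SAME_HOST)
    print("dns alias :", ALIASES)
```

In the same-host case App1 receives App2's session id on the return trip, which it does not recognise, so the user is sent back to the logon page.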