Session Replication Issue for SSO when LBaaS is Configured Along with JCS Instance Creation (OCI)
(Doc ID 2577966.1)
Last updated on DECEMBER 19, 2022
Applies to:Java Cloud Service - Version N/A to N/A [Release 1.0]
Information in this document applies to any platform.
- Customer provisioned an Oracle Java Cloud Service instance on OCI using the PSM UI creation wizard.
- The service was provisioned with a 2-node Weblogic Server cluster and an Oracle-managed LBaaS instance.
- Customer then configured SSO using the SAML 2.0 specification on both the managed servers in the cluster.
- IDCS is acting as the Identity Provider and JCS is acting as the Service Provider.
- Customer followed steps mentioned in this blog for the setup.: https://blogs.oracle.com/blogbypuneeth/post/steps-to-configure-saml-20-with-oracle-saas-as-idp-and-oracle-java-cloud-service-as-sp
- Customer deployed an ADF application and targeted it to the Weblogic Server cluster.
When the client hits the application URL via the Load Balancer, it should be redirected to the IDCS login page. Once authenticated, it should redirect to the application page.
For any application deployed on the WLS cluster, the redirection to IDCS for authentication is successful, but then the application page is not reachable. Either the application URL goes into an infinite loop or receives a 403 error code.
After enabling the following debug flags for the server:
weblogic -> security -> Atn
weblogic -> security -> saml2
weblogic -> servlet -> internal
weblogic -> servlet -> DebugHttp
A 403 error is seen on the saml2/sp/acs URL.
This was tested using a sample SSO application provided in the blog link above (to remove ADF out of the picture). The SAML configuration was verified, and the same issue with a 403 error was observed on saml2/sp/acs. The redirection to IDCS works and after login, the application page does not come up.
Next, a new managed server which was not part of the cluster was created, and SSO works as expected on that server.
Also, a single managed server running in the cluster does not show the issue: only an occasional 404 when the request goes to the server that is down.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!