Sunday, April 1, 2018

Cannot open TEMP post file /tmp/_wl_proxy/_

From Oracle's documentation:

Location of POST Data Files

When the FileCaching parameter is set to ON, and the size of the POST data in a request is greater than 2048 bytes, the POST data is first read into a temporary file on disk and then forwarded to the WebLogic Server in chunks of 8192 bytes. This preserves the POST data during failover.
The temporary POST file is located under /tmp/_wl_proxy for UNIX. For Windows it is located as follows (if WLTempDir is not specified):
  1. Environment variable TMP
  2. Environment variable TEMP
  3. C:\Temp
/tmp/_wl_proxy is a fixed directory and is owned by the HTTP Server user. When there are multiple HTTP Servers installed by different users, some HTTP Servers might not be able to write to this directory. This condition results in an error.
To correct this condition, use the WLTempDir parameter to specify a different location for the _wl_proxy directory for POST data files.

Here is what I use to fix it:

I have created a folder under /tmp/_wl_proxy and it resolved the error.

To check for NodeManager errors, first confirm that the NodeManager process is running (then look at its logs):

ps -ef | grep -v grep | grep -i weblogic.NodeManager

Startup error

DeploymentService> <BEA-290074> <Deployment service servlet received file download request for file "config/jdbc/security/SerializedSystemIni.dat". The file may exist, but download of this file is not allowed

Solution: add the following JVM option to the server startup arguments. It lifts the download restriction reported in the message above (transfer of SerializedSystemIni.dat through the deployment service is blocked by default), so use it only where that transfer is intended:

-Dweblogic.data.canTransferAnyFile=true

Wednesday, March 28, 2018

What is RelayState, and what is it used for during a SAML SP request?

Along with a SAML request, an HTTP parameter called RelayState is passed along to the Identity Provider (SSO / Access Manager). It captures the location of the resource the user originally requested. In simple terms, it is the endpoint the user should be sent to after successful authentication.


Endpoint https://sp.mysite.com:9031/sp/ACS.saml2
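Added example (not code from the original post) showing the SP side of the flow described above: the HTTP-Redirect to the IdP carrying SAMLRequest and RelayState, and the check the ACS should apply before honouring RelayState, since it round-trips through the browser and is untrusted on return. The IdP SSO URL and the AuthnRequest body are assumed placeholders; the ACS URL is the one from the post.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

ACS_URL = "https://sp.mysite.com:9031/sp/ACS.saml2"  # SP endpoint quoted in the post
IDP_SSO_URL = "https://idp.example.com/sso"          # assumed IdP SSO endpoint

# Constructed, minimal AuthnRequest; a real SP generates a fresh ID and IssueInstant per request.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_placeholder-id" Version="2.0" IssueInstant="2018-03-28T00:00:00Z" '
    'AssertionConsumerServiceURL="{acs}"/>'
).format(acs=ACS_URL)


def build_redirect(relay_state: str) -> str:
    """HTTP-Redirect binding: raw-DEFLATE + base64 the request, add RelayState as a query param."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header/trailer
    raw = comp.compress(AUTHN_REQUEST.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(url: str) -> str:
    """What the IdP does on receipt: base64-decode and inflate the SAMLRequest parameter."""
    query = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def safe_relay_state(relay_state: str, default: str = "/") -> str:
    """Where to send the user after the ACS accepts the assertion.

    RelayState comes back from the browser, so it is treated as untrusted input:
    only a same-site path is honoured; anything else falls back to the default.
    The 80-byte limit is the maximum the SAML 2.0 bindings spec allows.
    """
    if not relay_state or len(relay_state.encode()) > 80:
        return default
    parsed = urlparse(relay_state)
    if parsed.scheme or parsed.netloc:          # absolute or "//host" form: could leave the site
        return default
    if not relay_state.startswith("/") or "\\" in relay_state:
        return default                          # "/\host" is treated as "//host" by browsers
    if "\r" in relay_state or "\n" in relay_state:
        return default                          # keep header-injection characters out of Location
    return relay_state
```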

Web Policy Agent Traffic Flow

[Figure: OpenAM web policy agent traffic flow (openam_agent_flow.png)]

Does SAML integration require ports or firewall rules to be opened?

SAML Traffic Flow

A view of the SAML traffic flow is illustrated below:
[Figure: SAML traffic flow (saml.png)]

IPs / Ports / Firewall Rules

A question that frequently arises concerning the SAML architecture is "which network ports and firewall rules do I need to open?". The answer should be evident from the flow diagram above. In this flow there is no direct communication between the IdP and the Service Provider; all communication happens via the user's browser (outbound ports 80, 443 and 8443). Therefore no IPs, ports or firewall rules are needed between your infrastructure and Access Manager. Your users, on the other hand, must be able to reach both the IdP and your application instance.

How do I enable SAML for my application? Do I need to modify code, or are other options available?

SAML-Enabling Your Application

If your application is COTS or GOTS, the first step is to determine whether it supports SAML or any other form of federation by checking the vendor documentation, contacting the vendor, or searching the web for a SAML module or integration. If your application is "homegrown" software, then to SAML-enable it you will need a SAML toolkit or SAML library written in the same language as your software. While many other options exist, some sample SAML integration options are included below for your convenience:

Apache Server

A slightly less tightly integrated SAML alternative can be implemented on some web servers, such as Apache, rather than at the application level. The module mod_auth_mellon enables SAML on Apache servers and is also available in the RHEL 7 repositories. The advantage of this Apache module is that it requires no code modifications, and at the same time it lets you protect different locations/URLs using group membership, sent as an LDAP attribute from the Identity Provider (IdP) / Access Manager.

IIS Server
To SAML-enable an IIS server, a third-party module named Shibboleth can be used. Shibboleth is an open-source project that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.

http://www.testshib.org

Generating Metadata for Integration

If you are using the Apache mod_auth_mellon module, run mellon_create_metadata.sh to generate and export your SP metadata.

If you are generating the metadata manually (ex. “homegrown” application) you may want to use the following site to generate your metadata: https://www.samltool.com/sp_metadata.php

Verifying Signature URL
You can use the website below to verify metadata signatures.
https://www.samltool.com/sign_authn.php