
SAML 2.0 Identity Asserter: Web Service identity provider Partner: General


Configures the General properties of a SAML 2.0 Web Service identity provider partner.

Configuration Options

Name

Name of this identity provider partner.

Available in the com.bea.security.saml2.providers.registry.Partner interface.

Enabled

Whether interactions with this identity provider partner are enabled on this server.

Available in the com.bea.security.saml2.providers.registry.Partner interface.

Description

Description of this identity provider partner.

Available in the com.bea.security.saml2.providers.registry.Partner interface.

Audience URIs

One or more partner lookup strings, and optionally one or more SAML Audience URIs that must be included in assertions generated by this identity provider partner.

In the WebLogic Server implementation of SAML 2.0, the Audience URI attribute is overloaded to perform two related but separate functions:

  • Specify one or more Audience URIs that must be included in assertions received from this identity provider partner.

  • Specify one or more partner lookup strings, which specify the endpoint URL that is used to discover the identity provider partner configured to generate assertions for requests on that endpoint, thereby enabling those assertions to be validated.

A value specified for this attribute must have the following syntax: [target:char:]<endpoint-url>

In the preceding syntax, target:char: is a prefix that is used to designate a partner lookup string, where char represents one of three special characters: a hyphen, plus sign, or asterisk (-, +, or *). This prefix determines how partner lookup is performed, as follows. (Note that because the transport, host, and port are stripped from a URL when it is passed in by a WebLogic Server instance configured in the role of service provider, the value you specify for <endpoint-url> should contain only the part of the endpoint path that follows the host and port.)

  • target:-:<endpoint-url> specifies that partner lookup is conducted using an exact match of the URL, <endpoint-url>. For example, target:-:/myserver/myservicecontext/myservice-endpoint specifies that a run-time invocation on this specific endpoint can be matched to this identity provider partner.

  • target:+:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>. For example, target:+:/myserver/myservicecontext/myservice-endpoint. (Note: Configuring this form of partner lookup string is unlikely to produce an Audience URI match with an identity provider partner and therefore should be avoided.)

  • target:*:<endpoint-url> specifies that partner lookup is conducted for an initial-string pattern match of the URL, <endpoint-url>. For example, target:*:/myserver specifies that run-time invocations on either /myserver/contextA/endpointA or /myserver/contextB/endpointB (that is, any web service endpoint in /myserver) can be matched to this identity provider partner. If more than one identity provider partner is discovered that is a match for the initial string, the partner with the longest initial string match is selected.

Note: Configuring one or more target lookup strings for an identity provider partner is required in order for that partner to be discovered at run time. If this partner cannot be discovered, assertions received from it are rejected.

If you configure an endpoint URL without using the target lookup prefix, it will be handled as a conventional Audience URI that must be contained in assertions received from this identity provider partner. (Unlike a target lookup string, an Audience URI should include the transport, host, and port of the target endpoint. For example, http://www.avitek.com:7001/myserver/myservice-context/myservice-endpoint.)

Available in the com.bea.security.saml2.providers.registry.Partner interface.
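The following is an added example, not WebLogic's own code, that models the partner lookup and Audience URI handling described above: it parses each configured value as either a target:char: lookup string or a conventional Audience URI, strips transport, host, and port from the invoked URL, and selects the partner by exact match or longest initial-string match. The partner configuration and request URLs are constructed, and two behaviors are assumptions rather than documented here: an exact match is ranked as a full-length match, and an assertion needs only one of the configured conventional Audience URIs (with no audience check when none is configured).

```python
# Added example (not WebLogic's own code): models how a service provider resolves
# an identity provider partner from the Audience URIs values described above.
from dataclasses import dataclass
from urllib.parse import urlsplit

LOOKUP_CHARS = {"-": "exact", "+": "exact", "*": "prefix"}  # target:char: forms

@dataclass
class IdPPartner:
    name: str
    audience_uris: list   # raw values as entered in the console
    enabled: bool = True

def parse_entry(value):
    """Split one value into (kind, url): 'exact'/'prefix' for a partner lookup
    string of the form target:char:<endpoint-url>, 'audience' otherwise."""
    if value.startswith("target:") and len(value) > 9 and value[8] == ":" and value[7] in LOOKUP_CHARS:
        return LOOKUP_CHARS[value[7]], value[9:]
    return "audience", value

def find_partner(partners, request_url):
    """Discover the partner for an invoked endpoint. Transport, host and port are
    stripped first, as the page says the service provider does. Assumption: an
    exact match counts as a full-length match, so it beats any shorter prefix."""
    path = urlsplit(request_url).path
    best, best_len = None, -1
    for p in partners:
        if not p.enabled:
            continue
        for kind, url in map(parse_entry, p.audience_uris):
            matched = (kind == "exact" and url == path) or (kind == "prefix" and path.startswith(url))
            if matched and len(url) > best_len:
                best, best_len = p, len(url)
    return best

def assertion_accepted(partners, request_url, assertion_audiences):
    """Reject when no partner is discovered; otherwise require at least one of the
    partner's conventional Audience URIs in the assertion's AudienceRestriction
    (assumption: any-of, and no check when none is configured)."""
    partner = find_partner(partners, request_url)
    if partner is None:
        return False
    required = [u for k, u in map(parse_entry, partner.audience_uris) if k == "audience"]
    return not required or any(u in assertion_audiences for u in required)

# Constructed sample configuration, reusing the page's example values.
PARTNERS = [
    IdPPartner("idp-a", ["target:*:/myserver",
                         "http://www.avitek.com:7001/myserver/myservice-context/myservice-endpoint"]),
    IdPPartner("idp-b", ["target:*:/myserver/contextB"]),
    IdPPartner("idp-c", ["target:-:/myserver/contextB/exact"]),
    IdPPartner("disabled", ["target:*:/"], enabled=False),
]
```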

Issuer URI

The Issuer URI of this identity provider partner.

Available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Identity Provider Name Mapper Class Name

Overrides the default username mapper class with which the SAML 2.0 Identity Asserter provider is configured.

A custom implementation of the com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapper interface, used for assertions received from this specific identity provider partner.

Available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Virtual User

Whether the user information contained in assertions received from this identity provider partner is mapped to virtual users.

Note that to use virtual users, configure the SAML Authentication provider.

Available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Confirmation Method

Specifies the type of confirmation method that is used when SAML 2.0 assertions are used for identity assertion.

The available confirmation methods are:

  • sender-vouches (default)

  • holder-of-key

  • bearer

When specifying a confirmation method, include the fully-qualified URN of the method. For example, urn:oasis:names:tc:SAML:2.0:cm:sender-vouches.

Note that if you use WLST to configure a partner, WebLogic Server provides constants for each of the confirmation methods that may be defined on partner class objects. For example, the following WLST command sets the bearer confirmation method on a partner: p.setConfirmationMethod(p.ASSERTION_TYPE_BEARER)

Available in the com.bea.security.saml2.providers.registry.WSSPPartner interface.

Process Attributes

Whether the SAML 2.0 identity assertion provider shall consume the attribute statements contained in assertions received from this identity provider partner.

To use this attribute, the SAML Authentication provider must be configured in the domain, and it must:

  • Be configured to run before other authentication providers

  • Have the JAAS Control Flag set to SUFFICIENT

The SAML Authentication provider creates an authenticated subject using the user name and groups extracted from a SAML assertion by the SAML 2.0 identity assertion provider.

Available in the com.bea.security.saml2.providers.registry.IdPPartner interface.
