Programming WebLogic Security
SAML APIs
The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging security information, in the form of assertions about a subject, between disparate software entities on the Web. SAML security is based on the interaction of an asserting party, which issues assertions, and a relying party, which consumes and trusts them.
SAML provides single sign-on capabilities; users can authenticate at one location and then access service providers at other locations without having to log in multiple times.
WebLogic Server supports SAML versions 2.0 and 1.1. The WebLogic Server implementation:
- Supports the HTTP POST and HTTP Artifact bindings for the Web SSO profile for SAML 1.1. For SAML 2.0, WebLogic Server adds the HTTP Redirect binding for the Web SSO profile.
- Supports SAML authentication and attribute statements (does not support SAML authorization statements).
For a general description of SAML and SAML assertions in a WebLogic Server environment, see Security Assertion Markup Language (SAML) in Understanding WebLogic Security.
For information on configuring a SAML credential mapping provider, see Configuring a SAML credential mapping Provider for SAML 1.1 and Configuring a SAML 2.0 credential mapping Provider for SAML 2.0 in Securing WebLogic Server.
For access to the SAML specifications, go to http://www.oasis-open.org. Also see the Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1 and Security Assertion Markup Language (SAML) 2.0 Technical Overview.
SAML API Description
Table 9-1 lists the WebLogic SAML 1.1 APIs. Table 9-2 lists the WebLogic SAML 2.0 APIs. See the Javadoc for details.

Table 9-1 WebLogic SAML APIs (package weblogic.security.providers.saml, the WebLogic SAML package)

Interfaces:
- SAMLAssertionStore: Defines methods for storing and retrieving assertions for the Artifact profile. Deprecated in favor of SAMLAssertionStoreV2.
- SAMLAssertionStoreV2: Extends SAMLAssertionStore, adding methods to support identification and authentication of the destination site requesting an assertion from the SAML Assertion Retrieval Service (ARS). Note that V2 refers to the second version of the WebLogic SAML provider, not to version 2 of the SAML specification.
- SAMLCredentialAttributeMapper: Maps a Subject to SAMLAssertion attributes.
- SAMLCredentialNameMapper: Maps subject information to fields in a SAML assertion.
- SAMLIdentityAssertionAttributeMapper: Maps a SAML AttributeStatement to attribute principals.
- SAMLIdentityAssertionNameMapper: Maps information from a SAML assertion to user and group names.
- SAMLUsedAssertionCache: Caches assertion IDs so that the POST profile one-use policy can be enforced. Implementing classes must have a public no-arg constructor.

Classes:
- SAMLNameMapperInfo: Represents user name and group information for SAML assertions; instances are used to pass this information to and from the name mappers. The class also defines several useful constants.
- SAMLAssertionStoreV2.AssertionInfo: Returned by SAMLAssertionStoreV2.retrieveAssertionInfo(); contains the retrieved assertion and related information. An implementation of SAMLAssertionStoreV2 must return this class.
- SAMLAttributeInfo: Represents a single attribute of a SAMLAssertion AttributeStatement.
- SAMLAttributeStatementInfo: Represents an AttributeStatement in a SAMLAssertion.
- SAMLCommonPartner: Abstract representation of attributes common to a SAML 1.1 partner.
- SAMLRelyingParty: Represents a SAML relying party entry in the SAML relying party registry.
- SAMLAssertingParty: Represents a SAML asserting party entry in the LDAP asserting party registry.
- SAMLPartner: Abstract representation of a SAML partner.
The SAML name mapper classes must be on the system classpath. If you create a custom SAMLIdentityAssertionNameMapper, SAMLCredentialNameMapper, SAMLAssertionStore, or SAMLUsedAssertionCache implementation, place the class in the system classpath so that the SAML provider can load it.
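The following is an added example of a custom SAMLIdentityAssertionNameMapper for the SAML 1.1 (V2) identity asserter. It is not code from the WebLogic documentation or product. It assumes a hypothetical package example.saml, an asserting party whose NameQualifier is https://idp.example.com and which issues e-mail style identifiers in the example.com domain, and a site policy that only two asserted groups may be honoured and that certain local administrative accounts must never be reachable through an assertion; all of these values are assumptions chosen for the example. The point it shows is that the name mapper is the place where a relying party decides which asserted identities it is willing to turn into local principals, and that it should fail closed.

```java
package example.saml; // hypothetical package, not part of WebLogic

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import weblogic.security.providers.saml.SAMLIdentityAssertionNameMapper;
import weblogic.security.providers.saml.SAMLNameMapperInfo;
import weblogic.security.service.ContextHandler;

/**
 * Custom SAML 1.1 identity asserter name mapper (added example).
 * Maps the assertion's NameIdentifier to a local WebLogic user name and
 * restricts which asserted groups are carried into the local Subject.
 */
public class StrictSAMLNameMapper implements SAMLIdentityAssertionNameMapper {

    // Assumption: the trusted asserting party always sets this NameQualifier.
    private static final String EXPECTED_QUALIFIER = "https://idp.example.com";

    // Assumption: identifiers are e-mail style and this is the home domain.
    private static final String HOME_DOMAIN = "@example.com";

    // Local user names must be plain identifiers; anything else fails closed.
    private static final Pattern LOCAL_NAME = Pattern.compile("[a-z0-9][a-z0-9._-]{0,63}");

    // Assumption (site policy): only these asserted groups are honoured.
    private static final Set<String> GROUP_ALLOWLIST =
        new HashSet<String>(Arrays.asList("saml-users", "saml-ops"));

    // Assumption (site policy): local accounts never reachable via SAML.
    private static final Set<String> BLOCKED_USERS =
        new HashSet<String>(Arrays.asList("weblogic", "system"));

    public StrictSAMLNameMapper() {
        // Public no-arg constructor: the provider instantiates the mapper reflectively.
    }

    /**
     * Returns the local user name for the asserted identity, or null when the
     * assertion must not be mapped (no local name means no identity is asserted).
     */
    public String mapNameInfo(SAMLNameMapperInfo info, ContextHandler handler) {
        if (info == null || info.getName() == null) {
            return null;
        }
        // Pin the qualifier: a syntactically valid name from another issuer
        // context must not land on one of our accounts.
        if (!EXPECTED_QUALIFIER.equals(info.getNameQualifier())) {
            return null;
        }
        String name = info.getName().trim().toLowerCase(Locale.ROOT);
        // Keep the local part only for identifiers in the home domain;
        // identifiers from any other domain are refused rather than guessed at.
        int at = name.indexOf('@');
        if (at > 0) {
            if (!name.endsWith(HOME_DOMAIN) || name.indexOf('@', at + 1) >= 0) {
                return null;
            }
            name = name.substring(0, at);
        }
        if (!LOCAL_NAME.matcher(name).matches() || BLOCKED_USERS.contains(name)) {
            return null;
        }
        return name;
    }

    /**
     * Returns only those asserted groups that the local policy allows.
     * The raw Collection return type matches the interface signature.
     */
    public Collection mapGroupInfo(SAMLNameMapperInfo info, ContextHandler handler) {
        Collection<String> groups = new ArrayList<String>();
        if (info == null || info.getGroups() == null) {
            return groups;
        }
        for (Object g : info.getGroups()) {
            if (g instanceof String && GROUP_ALLOWLIST.contains(g)) {
                groups.add((String) g);
            }
        }
        return Collections.unmodifiableCollection(groups);
    }
}
```

Compile the class against the WebLogic Server classes, package it in a JAR placed on the server's system classpath as described above, and set its fully qualified name as the name mapper class on the SAML Identity Asserter V2 provider. Every rejection returns null or an empty collection rather than a best-effort guess: an assertion that does not match the expected qualifier, domain and character set yields no local identity at all.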
Table 9-2 WebLogic SAML 2.0 APIs

Package com.bea.security.saml2.providers: interfaces and classes for the configuration, control, and monitoring of SAML 2.0 security providers in a WebLogic security realm.
- SAML2CredentialNameMapper: Maps user and group information to SAML 2.0 assertions.
- SAML2IdentityAsserterNameMapper: Maps user information contained in a SAML 2.0 assertion to a local user name.
- SAML2NameMapperInfo: Represents user name and group information contained in SAML 2.0 assertions.

Package com.bea.security.saml2.providers.registry: abstract interfaces for SAML 2.0 identity provider and service provider partners and metadata.
- BindingClientPartner: A partner that supports back-channel communication.
- IdPPartner: Abstract representation of a SAML 2.0 identity provider partner.
- Endpoint: Abstract representation of a SAML 2.0 service endpoint.
- IndexedEndpoint: An endpoint that can be indexed, such as the Artifact Resolution Service endpoint.
- MetadataPartner: Contact information for the partner, required mainly by the SAML 2.0 metadata profile.
- Partner: Abstract representation of a SAML 2.0 partner; defines the mandatory information for a partner.
- SPPartner: Abstract representation of a SAML 2.0 service provider partner.
- WebSSOIdPPartner: Abstract representation of a SAML 2.0 identity provider partner for the Web SSO profile.
- WebSSOPartner: Abstract representation of a SAML 2.0 partner for the Web SSO profile.
- WebSSOSPPartner: Abstract representation of a SAML 2.0 service provider partner for the Web SSO profile.
- WSSIdPPartner: Abstract representation of a SAML 2.0 identity provider partner for the WSS SAML Token profile.
- WSSPartner: Abstract representation of a SAML 2.0 partner for the WSS SAML Token profile.
- WSSSPPartner: Abstract representation of a SAML 2.0 service provider partner for the WSS SAML Token profile. It has no specific attributes or methods.
Custom POST Form Parameter Names
The parameter names passed to the POST form when a custom POST form is specified for SAML POST profile handling depend on which SAML provider is configured:
- For the WebLogic Server 9.1 and higher Federation Services implementation (in effect when V2 providers are configured), see Table 9-3, SAML V2 Provider Custom POST Form Parameters.
- For the WebLogic Server 9.0 SAML services implementation (in effect when V1 providers are configured), see Table 9-4, SAML V1 Provider Custom POST Form Parameters.
The tables give each parameter name and its data type; the form receives each value as a java.lang.Object and must cast it to the listed type.
For both implementations, the SAML response itself is passed under the parameter name defined by the SAML specification:
SAMLResponse (String): The base64-encoded SAML Response element.