Programming WebLogic Security
SAML APIs
The Security Assertion Markup Language, SAML, is an XML-based protocol for exchanging security information between disparate entities. The SAML standard defines a framework for exchanging security information between software entities on the Web. SAML security is based on the interaction of asserting and relying parties.
SAML provides single sign-on capabilities; users can authenticate at one location and then access service providers at other locations without having to log in multiple times.
WebLogic Server supports SAML version 1.1. The WebLogic Server implementation:
- Supports both the Browser/POST and Browser/Artifact Profiles
- Supports SAML authentication and attribute statements (does not support SAML authorization statements)
For a general description of SAML and SAML assertions in a WebLogic Server environment, see Security Assertion Markup Language (SAML) in Understanding WebLogic Security. For information on configuring a SAML credential mapping provider, see Configuring a SAML Credential Mapping Provider in Securing WebLogic Server.
For access to the SAML specifications, go to http://www.oasis-open.org. Also see the Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1 at www.oasis-open.org.
This section covers the following topics:
SAML API Description
Table 9-1 lists the WebLogic SAML APIs. See the Javadoc for details.
Table 9-1 WebLogic SAML APIs
|
WebLogic SAML API
|
Description
|
|
weblogic.security.providers.saml
|
The WebLogic SAML package.
|
|
SAMLAssertionStore
|
Interface which defines methods for storing and retrieving assertions for the Artifact profile. This interface is deprecated in favor of SAMLAssertionStoreV2.
|
|
SAMLAssertionStoreV2
|
The SAMLAssertionStoreV2 interface extends the SAMLAssertionStore interface, adding methods to support identification and authentication of the destination site requesting an assertion from the SAML ARS.
Note that V2 refers to the second version of the WebLogic SAML provider, not to version 2 of the SAML specification.
|
|
SAMLAssertionStoreV2.AssertionInfo
|
The AssertionInfo class is returned by SAMLAssertionStoreV2.retrieveAssertionInfo(). It contains the retrieved assertion and related information. An implementation of the SAMLAssertionStoreV2 interface would have to return this class.
|
|
SAMLCredentialNameMapper
|
Interface which defines methods used to map subject information to fields in a SAML assertion.
|
|
SAMLIdentityAssertionNameMapper
|
Interface which defines methods used to map information from a SAML assertion to user and group names.
|
|
SAMLUsedAssertionCache
|
Interface which defines methods for caching assertion IDs so that the POST profile one-use policy can be enforced.
Classes implementing this interface must have a public no-arg constructor.
|
|
SAMLNameMapperInfo
|
Instances of this class are used to pass user and group information to and from the name mappers. The class also defines several useful constants.
|
Note: The SAML name mapper classes are required to be in the system classpath. If you create a custom SAMLIdentityAssertionNameMapper, SAMLCredentialNameMapper, SAMLAssertionStore, or SAMLUsedAssertionCache, you must place the respective class in the system classpath.
Custom POST Form Parameter Names
The parameters names passed to the POST form when a custom POST form is specified for SAML POST profile handling depend on which SAML provider is configured.
- For the WebLogic Server 9.1 Federation Services implementation (in effect when V2 providers are configured), see Table 9-2.
- For the WebLogic Server 9.0 SAML services implementation (in effect when V1 providers are configured), see Table 9-3.
The tables provide the parameter names and their data types (required for casting the returned Java Object).
For both implementations, the SAML response itself is passed using the parameter name specified by SAML:
SAMLResponse (String): The base64-encoded SAML Response element.
Table 9-2 SAML V2 Provider Custom POST Form Parameters
|
Parameter
|
Description
|
|
TARGET (String)
|
The TARGET URL specified as a query parameter on the incoming Intersite Transfer Service (ITS) request.
|
|
SAML_AssertionConsumerURL (String)
|
The URL of the Assertion Consumer Service (ACS) at the destination site (where the form should be POSTed).
|
|
SAML_AssertionConsumerParams (Map)
|
A Map containing name/value mappings for the assertion consumer parameters configured for the relying party. Names and values are Strings.
|
|
SAML_ITSRequestParams (Map)
|
A Map containing name/value mappings for the query parameters received with the ITS request. Names and values are Strings. The Map may be empty. TARGET and Rich Presence Information Data Format (RPID) parameters are removed from the map before passing it to the form.
|
Table 9-3 SAML V1 Provider Custom POST Form Parameters
|
Parameter
|
Description
|
|
targetURL (String)
|
The TARGET URL specified as a query parameter on the incoming ITS request.
|
|
consumerURL (String)
|
The URL of the ACS at the destination site (where the form should be POSTed).
|
