Mapping OpenSSO Enterprise Roles to Principal Names

This section applies only to WebLogic Server 10. If the agent is set to the J2EE_POLICY filter mode, map OpenSSO Enterprise roles to the principal names in the respective application's deployment descriptor file(s):

• weblogic.xml

• weblogic-ejb-jar.xml

OpenSSO Enterprise roles are represented in UUIDs. Ensure that the keys in the mapping are UUIDs corresponding to your site's OpenSSO Enterprise installation. A UUID for a OpenSSO Enterprise role is mapped to the respective principal name in the weblogic.xml or weblogic-ejb-jar.xml file. Specifically, the principal name is located within the <principal-name> element.

To configure the WebLogic Server/Portal 10 agent to use privileged attribute mapping. use one of these methods:

• In the OpenSSO Enterprise Administration Console:

  1. Login to the Console as amadmin.

  2. Under Access Control, realm-name, Agents, and J2EE, click the name of the agent profile you want to update.

     The Console displays the Edit page for the agent profile.

  3. Under Application, click Privilege Attributes Processing.

  4. For Enable Privileged Attribute Mapping, check Enabled.

  5. In the Privileged Attribute Mapping list, Add the mapping entries.

  6. When you are finished, click Save.

  or

• Use the ssoadm utility to set the these properties:

  com.sun.identity.agents.config.privileged.attribute.mapping.enable=true
  com.sun.identity.agents.config.privileged.attribute.mapping[id=manager,
  ou=group,dc=example,dc=com]=am_manager_role

Starting with WebLogic Server 9.0, a principal name in the weblogic.xml file or weblogic-ejb-jar.xml file must use the NMTOKEN format, which is mandated by the corresponding schema files. Access Manager UUIDs include the following characters: equal sign (=), comma (,), and ampersand (&).