Administration Console Online Help


Create a SAML 2.0 Web Single Sign-on Identity Provider partner

Before you begin

Before you configure a SAML 2.0 Identity Provider partner:

To create a SAML 2.0 web single sign-on Identity Provider partner:

  1. In the left pane, select Security Realms.
  2. On the Summary of Security Realms page, select the name of the realm (for example, myrealm).
  3. On the Settings for Realm Name page, select Providers > Authentication.
  4. In the Authentication Providers table, select the SAML 2.0 Identity Assertion provider.
  5. On the Settings for SAML 2.0 Identity Asserter page, select Management.
  6. In the table under Identity Provider Partners, click New > New Web Single Sign-On Identity Provider Partner.
  7. On the Create a SAML 2.0 Web Single Sign-on Identity Provider Partner page:
    1. Specify the name of the Identity Provider partner.
    2. In the field next to Path, specify or browse to the full path of the metadata partner file you received from your federated partner.
    3. Click OK.

    Note: If you click the browser's Back button after clicking OK, the partner name is reset to the default.

  8. On the Settings for SAML 2.0 Identity Asserter page, in the Identity Provider Partners table, select the name of your newly created web single sign-on Identity Provider partner.
  9. In the General page, select Enabled to enable interactions between this server and this Identity Provider partner.
  10. Configure additional settings as appropriate. For example, you may choose to do one or more of the following:
    1. Select Virtual User to map user information from assertions to virtual users in the security realm. If you choose this option, you must also create and configure a SAML Authentication provider instance in the security realm. For more information, see Configuring the SAML Authentication Provider.
    2. In Redirect URIs, specify the URIs for resources hosted at the local site that, if invoked by an unauthenticated user, cause an authentication request to be generated and sent to the Identity Provider partner. Note that if you have multiple Identity Provider partners that can generate an authentication response for a given URI, the authentication request is sent to the first such partner that the SAML 2.0 services find, so the order of your partners determines which Identity Provider a user is sent to for that URI.

      A URI may include a wildcard pattern, but a wildcard pattern matches specific files in a directory only if it includes the file type. For example, to match all files in the /targetapp directory, including all .jsp, .html, and .htm files, specify all of the following wildcard patterns:

      /targetapp/*
      /targetapp/*.jsp
      /targetapp/*.html
      /targetapp/*.htm

      Note also that SAML 2.0 provides alternative mechanisms for initiating a web single sign-on session when unauthenticated requests for specific resources arrive at a Service Provider site. See Configuring Single Sign-On with Web Browsers and HTTP Clients.

    3. Select Process Attributes to extract attribute information from the assertions received from this Identity Provider partner. In WebLogic Server, attributes contain the groups to which the mapped Subject belongs.

      Note: To extract attributes from an assertion, you must create and configure a SAML Authentication provider instance in the security realm. For more information, see Configure Authentication and Identity Assertion providers and Configuring the SAML Authentication Provider.

    4. Select Only Accept Signed Artifact Requests to require that artifact requests from this partner be signed. Rejecting unsigned artifact requests is the safer setting; leave it cleared only if your partner cannot sign them.
    5. Specify whether SAML artifacts are delivered to this Identity Provider partner using the HTTP POST method. If you select this option, also specify the URL of the custom web application that generates the POST form carrying the SAML response for Artifact bindings to this Identity Provider partner.
    6. Click Save.
  11. Select Site Info to view information about the Identity Provider partner's site. This information is derived from the partner's metadata file and is read-only.
  12. Select Single Sign-on Signing Certificate to view the partner's certificate. This information is read-only and is derived from the Identity Provider partner's metadata file, which includes the certificate. Because this certificate is what the server uses to verify signatures on documents from this partner, confirm the authenticity of the metadata file (for example, by comparing the certificate fingerprint with your partner out of band) before you import it.
  13. Select Transport Layer Client Certificate to import or view the Identity Provider partner's transport layer client certificate. You typically need to coordinate with your partner to obtain this certificate in a secure manner, for example by confirming its fingerprint out of band; it is not included in the partner metadata file.
  14. Select Single Sign-on Service Endpoints to display the URI of the Identity Provider partner's single sign-on service.
  15. Select Artifact Resolution Service Endpoints to display the endpoints of the Identity Provider's ARS.

    If the Artifact binding is not enabled for this partner, no ARS endpoints information will be available.
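The following is an added example, not code from the page or from WebLogic Server, that illustrates the Redirect URIs behaviour described in step 10: an unauthenticated request for a matching URI is routed to the first partner, in partner order, whose Redirect URIs match it. The partner names, the paths and the wildcard semantics (a "*" matches any run of characters within one path segment) are assumptions made for the example; the page does not define how WebLogic Server itself evaluates the pattern.

```python
import re
from urllib.parse import urlsplit

# Ordered list of (partner name, Redirect URIs) as you would enter them for
# each Identity Provider partner. Constructed for this example; the partner
# names and paths are placeholders, not values from the page.
PARTNERS = [
    ("idp-finance", ["/finance/*.jsp"]),
    ("idp-corporate", ["/targetapp/*", "/targetapp/*.jsp", "/targetapp/*.html",
                       "/targetapp/*.htm", "/finance/*"]),
]


def pattern_to_regex(pattern):
    """Compile a Redirect URI pattern into an anchored regular expression.

    Assumed semantics for this example: '*' matches any run of characters
    that does not cross a '/' boundary, everything else is literal. Literal
    parts are escaped so '.' in '.jsp' is not a regex metacharacter.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^/]*".join(literal_parts) + "$")


def partner_for_request(request_uri, partners=PARTNERS):
    """Return the first partner whose Redirect URIs match the request path.

    Only the path is matched; the query string is ignored. Returns None when
    no partner covers the path, i.e. no authentication request is generated.
    """
    path = urlsplit(request_uri).path
    for name, patterns in partners:
        for pattern in patterns:
            if pattern_to_regex(pattern).match(path):
                return name
    return None


if __name__ == "__main__":
    for uri in ("/finance/report.jsp", "/finance/index.html",
                "/targetapp/index.htm?x=1", "/targetapp/sub/page.jsp",
                "/public/index.html"):
        print(f"{uri:32} -> {partner_for_request(uri)}")
```

With the partners in this order, /finance/report.jsp goes to idp-finance while /finance/index.html falls through to idp-corporate's /finance/* entry. Reversing the partner order sends the .jsp request to idp-corporate as well, because its broader pattern is found first; review the order whenever two partners cover overlapping URIs.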

Result

The Identity Provider partner is created in the local server instance. The information associated with this partner that was obtained from the partner's metadata file is visible in the Administration Console as read-only data. Modifying this data is not recommended and may produce unpredictable results.
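The Site Info, Single Sign-on Signing Certificate, Single Sign-on Service Endpoints and Artifact Resolution Service Endpoints pages all show values taken from the partner's metadata file. The following added example, written for this page and not part of WebLogic Server, reads the same values from an IdP metadata file with the Python standard library so that you can check them against what your partner confirmed out of band before enabling the partner. The metadata document, the entity ID, the hostnames and the placeholder certificate bytes are constructed for the example; the namespace URIs are the standard SAML 2.0 metadata and XML Signature ones.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces (not WebLogic-specific).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder bytes standing in for a real DER certificate so the sample
# below decodes as valid base64. Constructed for this example.
PLACEHOLDER_DER = b"placeholder-der-bytes-not-a-real-certificate"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample IdP metadata; entity ID and hostnames are made up. The
# HTTP-POST endpoint is deliberately plain http to show a finding below.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {PLACEHOLDER_CERT_B64}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/saml2/ars"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.com/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint_sha256(der_bytes):
    """Hex SHA-256 of a DER certificate: the value to compare with your partner out of band."""
    return hashlib.sha256(der_bytes).hexdigest()


def summarize_idp_metadata(xml_text):
    """Extract the values the console displays read-only for an IdP partner."""
    # Metadata received from another organisation is untrusted input; for
    # production use parse it with defusedxml rather than the plain stdlib parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")

    signing_fps = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # An absent 'use' attribute means the key serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        signing_fps.append(fingerprint_sha256(base64.b64decode("".join(b64.split()))))

    sso = {}
    for ep in idp.findall("md:SingleSignOnService", NS):
        sso[ep.get("Binding").rsplit(":", 1)[-1]] = ep.get("Location")
    ars = [ep.get("Location") for ep in idp.findall("md:ArtifactResolutionService", NS)]

    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "signing_cert_sha256": signing_fps,
        "sso_endpoints": sso,
        "ars_endpoints": ars,  # empty when the partner offers no Artifact binding
    }


def check_idp_metadata(summary, expected_fingerprint):
    """Return the problems to resolve before you select Enabled for this partner."""
    findings = []
    if expected_fingerprint not in summary["signing_cert_sha256"]:
        findings.append("signing certificate does not match the fingerprint confirmed out of band")
    for binding, url in summary["sso_endpoints"].items():
        if not url.startswith("https://"):
            findings.append(f"SingleSignOnService {binding} endpoint is not HTTPS: {url}")
    for url in summary["ars_endpoints"]:
        if not url.startswith("https://"):
            findings.append(f"ArtifactResolutionService endpoint is not HTTPS: {url}")
    if not summary["ars_endpoints"]:
        findings.append("no ArtifactResolutionService: the Artifact binding cannot be used with this partner")
    return findings


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_IDP_METADATA)
    print(summary)
    for finding in check_idp_metadata(summary, fingerprint_sha256(PLACEHOLDER_DER)):
        print("WARN:", finding)
```

The WantAuthnRequestsSigned flag is the partner's own statement of its signing requirement, which is the compatibility question raised under After you finish; the absent ArtifactResolutionService case corresponds to the empty ARS endpoints page described in step 15.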

After you finish

Coordinate with your federated partners to ensure that the SAML bindings you have enabled for this SAML authority, as well as your requirements for signed documents, are compatible with your partners' configuration. For more information, see Configuring Single Sign-On with Web Browsers and HTTP Clients.

