9 Oracle SAML

This book provides information about using the Oracle Security Assertions Markup Language (SAML) Software Development Kit (SDK). Oracle SAML allows Java developers to develop cross-domain single sign-on and federated access control solutions that conform to the SAML 1.0/1.1 and SAML 2.0 specifications.

This chapter contains the following topics:

See Also:

Section *, "Oracle SAML Changes" for information about Oracle Fusion Middleware 11g updates.

9.1 Oracle SAML Features and Benefits

The Oracle SAML SDK provides a Java API with supporting tools, documentation, and sample programs to assist developers of SAML-compliant Java security services. Oracle SAML can be integrated into existing Java solutions, including applets, applications, EJBs, servlets, and JSPs.

Oracle SAML provides the following features:

  • Support for the SAML 1.0/1.1 and 2.0 specifications

  • Support for SAML-based single sign-on (SSO), Attribute, Metadata, Enhanced Client Proxy, and federated identity profiles

See Also:

For more information and links to these specifications and related documents, see Appendix A, "References".

9.2 Oracle SAML 1.0/1.1

This section explains how to set up your environment for Oracle SAML 1.0/1.1, how to use Oracle SAML 1.0/1.1, and the classes and interfaces of the Oracle SAML 1.0/1.1 toolkit. It contains the following topics:

9.2.1 Oracle SAML 1.0/1.1 Packages

The Oracle SAML Java API contains the following packages for creating SAML 1.0/1.1-compliant Java applications:

oracle.security.xmlsec.saml

This package contains classes that support SAML assertions.

oracle.security.xmlsec.samlp

This package contains classes that support the SAML request and response protocol (SAMLP).

9.2.2 Setting Up Your Oracle SAML 1.0/1.1 Environment

The Oracle Security Developer Tools are installed with Oracle WebLogic Server in ORACLE_HOME.

This section explains how to set up your environment for Oracle SAML 1.0/1.1. It contains these topics:

9.2.2.1 System Requirements for Oracle SAML 1.0/1.1

In order to use Oracle SAML, your system must have the Java Development Kit (JDK) version 1.6 or higher.

9.2.2.2 Setting the CLASSPATH Environment Variable

Your CLASSPATH environment variable must contain the full path and file names to all of the required jar and class files. Make sure the following items are included in your CLASSPATH:

  • osdt_core.jar

  • osdt_cert.jar

  • osdt_xmlsec.jar

  • osdt_saml.jar

  • The org.jaxen_1.1.1.jar file (Jaxen XPath engine, included with your Oracle XML Security distribution)

9.2.2.2.1 Setting the CLASSPATH on Windows

To set the CLASSPATH on Windows:

  1. In your Windows Control Panel, select System.

  2. In the System Properties dialog, select the Advanced tab.

  3. Click Environment Variables.

  4. In the User Variables section, click New to add a CLASSPATH environment variable for your user profile. If a CLASSPATH environment variable already exists, select it and click Edit.

  5. Add the full path and file names for all the required jar files to the CLASSPATH.

    For example, your CLASSPATH might look like this:

    %CLASSPATH%;%ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_core.jar;
    %ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_cert.jar;
    %ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_xmlsec.jar;
    %ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_saml.jar;
    %ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_saml2.jar;
    %ORACLE_HOME%\modules\org.jaxen_1.1.1.jar;
    
  6. Click OK.

9.2.2.2.2 Setting the CLASSPATH on UNIX

On UNIX, set your CLASSPATH environment variable to include the full path and file name of all the required jar and class files. For example:

setenv CLASSPATH $CLASSPATH:$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_core.jar:
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_cert.jar:
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_xmlsec.jar:
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_saml.jar:
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_saml2.jar:
$ORACLE_HOME/modules/org.jaxen_1.1.1.jar

9.2.3 Classes and Interfaces

This section provides information and code samples for using the classes and interfaces of Oracle SAML 1.0/1.1. It contains these topics:

9.2.3.1 Core Classes

This section provides a brief overview of the core SAML and SAMLP 1.0/1.1 classes with some brief code examples.

The core classes are:

9.2.3.1.1 The oracle.security.xmlsec.saml.SAMLInitializer Class

This class initializes the Oracle SAML toolkit. By default Oracle SAML is automatically initialized for SAML v1.0. You can also initialize Oracle SAML for a specific version of the SAML specification. When the initialize method is called for a specific version, previously initialized versions will remain initialized. Example 9-1 shows how to initialize the SAML toolkit for SAML v1.0 and SAML v1.1.

Example 9-1 Initializing the Oracle SAML Toolkit

import oracle.security.xmlsec.saml.SAMLInitializer;

// initializes for SAML v1.1
SAMLInitializer.initialize(1, 1);
// initializes for SAML v1.0, done by default
SAMLInitializer.initialize(1, 0);

9.2.3.1.2 The oracle.security.xmlsec.saml.Assertion Class

This class represents the Assertion element of the SAML Assertion schema.

Example 9-2 shows how to create a new Assertion element and append it to an existing XML document.

Example 9-2 Creating an Assertion Element and Appending to an XML Document

import org.w3c.dom.Document;
import oracle.security.xmlsec.saml.Assertion;

// doc: an existing, namespace-aware org.w3c.dom.Document with a root element
Document doc = Instance of org.w3c.dom.Document;
Assertion assertion = new Assertion(doc);
doc.getDocumentElement().appendChild(assertion);

Example 9-3 shows how to obtain Assertion elements from an XML document.

Example 9-3 Obtaining Assertion Elements From an XML Document

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import oracle.security.xmlsec.saml.Assertion;
import oracle.security.xmlsec.saml.SAMLURI;

// doc: an existing org.w3c.dom.Document parsed with a namespace-aware parser
Document doc = Instance of org.w3c.dom.Document;

// Get a list of all Assertion elements in the document

NodeList assrtList =
    doc.getElementsByTagNameNS(SAMLURI.ns_saml, "Assertion");
if (assrtList.getLength() == 0)
    System.err.println("No Assertion elements found.");

// Convert each org.w3c.dom.Node object to an
// oracle.security.xmlsec.saml.Assertion object and process

for (int s = 0, n = assrtList.getLength(); s < n; ++s)
{
    Assertion assertion = new Assertion((Element)assrtList.item(s));
    // Process Assertion element
    ...
}

9.2.3.1.3 The oracle.security.xmlsec.samlp.Request Class

This class represents the Request element of the SAML Protocol schema.

Example 9-4 shows how to create a new Request element and append it to an existing XML document.

Example 9-4 Creating a Request Element and Appending to an XML Document

import org.w3c.dom.Document;
import oracle.security.xmlsec.samlp.Request;

// doc: an existing, namespace-aware org.w3c.dom.Document with a root element
Document doc = Instance of org.w3c.dom.Document;
Request request = new Request(doc);
doc.getDocumentElement().appendChild(request);

Example 9-5 shows how to obtain Request elements from an existing XML document.

Example 9-5 Obtaining Request Elements From an XML Document

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import oracle.security.xmlsec.saml.SAMLURI;
import oracle.security.xmlsec.samlp.Request;

// doc: an existing org.w3c.dom.Document parsed with a namespace-aware parser
Document doc = Instance of org.w3c.dom.Document;

// Get a list of all Request elements in the document

NodeList reqList =
    doc.getElementsByTagNameNS(SAMLURI.ns_samlp, "Request");
if (reqList.getLength() == 0)
    System.err.println("No Request elements found.");

// Convert each org.w3c.dom.Node object to an
// oracle.security.xmlsec.samlp.Request object and process

for (int s = 0, n = reqList.getLength(); s < n; ++s)
{
    Request request = new Request((Element)reqList.item(s));
    // Process Request element
    ...
}

9.2.3.1.4 The oracle.security.xmlsec.samlp.Response Class

This class represents the Response element of the SAML Protocol schema.

Example 9-6 shows how to create a Response element and append it to an existing XML document.

Example 9-6 Creating a Response Element and Appending to an XML Document

import org.w3c.dom.Document;
import oracle.security.xmlsec.samlp.Response;

// doc: an existing, namespace-aware org.w3c.dom.Document with a root element
Document doc = Instance of org.w3c.dom.Document;
Response response = new Response(doc);
doc.getDocumentElement().appendChild(response);

Example 9-7 shows how to obtain Response elements from an existing XML document.

Example 9-7 Obtaining Response Elements From an XML Document

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import oracle.security.xmlsec.saml.SAMLURI;
import oracle.security.xmlsec.samlp.Response;

// doc: an existing org.w3c.dom.Document parsed with a namespace-aware parser
Document doc = Instance of org.w3c.dom.Document;

// Get a list of all Response elements in the document

NodeList respList =
    doc.getElementsByTagNameNS(SAMLURI.ns_samlp, "Response");
if (respList.getLength() == 0)
    System.err.println("No Response elements found.");

// Convert each org.w3c.dom.Node object to an
// oracle.security.xmlsec.samlp.Response object and process

for (int s = 0, n = respList.getLength(); s < n; ++s)
{
    Response response = new Response((Element)respList.item(s));
    // Process Response element
    ...
}

9.2.3.2 Supporting Classes and Interfaces

This section provides an overview of the supporting classes and interfaces of Oracle SAML 1.0/1.1:

9.2.3.2.1 The oracle.security.xmlsec.saml.SAMLURI Interface

This interface defines URI string constants for algorithms, namespaces, and objects. The following naming conventions are used:

  • Action Namespace URIs defined in the SAML 1.0 specifications begin with action_ .

  • Authentication Method Namespace URIs defined in the SAML 1.0 specifications begin with authentication_method_ .

  • Confirmation Method Namespace URIs defined in the SAML 1.0 specifications begin with confirmation_method_ .

  • Namespace URIs begin with ns_ .

9.2.3.2.2 The oracle.security.xmlsec.saml.SAMLMessage Class

This is the base class for all the SAML and SAML extension messages that may be signed and contain an XML-DSIG (digital signature) structure.

9.2.4 The Oracle SAML 1.0/1.1 Java API Reference

The Oracle SAML 1.0/1.1 Java API reference (Javadoc) is available at:

Oracle Fusion Middleware SAML 1.0/1.1 Java API Reference for Oracle Security Developer Tools

9.3 Oracle SAML 2.0

This section explains how to set up your environment for Oracle SAML 2.0, how to use Oracle SAML 2.0, and the classes and interfaces of the Oracle SAML 2.0 toolkit. It contains the following topics:

9.3.1 Oracle SAML 2.0 Packages

The Oracle SAML Java API contains the following packages for creating SAML 2.0-compliant Java applications:

oracle.security.xmlsec.saml2.core

This package contains classes that support SAML assertions.

oracle.security.xmlsec.saml2.protocol

This package contains classes that support the SAML request and response protocol (SAMLP).

oracle.security.xmlsec.saml2.ac

This package contains classes that support the SAML authentication context basic types.

oracle.security.xmlsec.saml2.ac.classes

This package contains classes that support various SAML authentication context classes.

oracle.security.xmlsec.saml2.metadata

This package contains classes that support the SAML metadata.

oracle.security.xmlsec.saml2.profiles.attributes

This package contains classes that support various SAML attribute profiles.

oracle.security.xmlsec.saml2.profiles.sso.ecp

This package contains classes that support the SAML ECP SSO profile.

9.3.2 Setting Up Your Oracle SAML 2.0 Environment

The Oracle Security Developer Tools are installed with Oracle WebLogic Server in ORACLE_HOME.

This section explains how to set up your environment for Oracle SAML 2.0. It contains these topics:

9.3.2.1 System Requirements for Oracle SAML 2.0

In order to use Oracle SAML, your system must have the Java Development Kit (JDK) version 1.6 or higher.

9.3.2.2 Setting the CLASSPATH Environment Variable

Your CLASSPATH environment variable must contain the full path and file names to all of the required jar and class files. Make sure the following items are included in your CLASSPATH:

  • osdt_core.jar

  • osdt_cert.jar

  • osdt_xmlsec.jar

  • osdt_saml.jar

  • The org.jaxen_1.1.1.jar file (Jaxen XPath engine, included with your Oracle XML Security distribution)

9.3.2.2.1 Setting the CLASSPATH on Windows

To set the CLASSPATH on Windows:

  1. In your Windows Control Panel, select System.

  2. In the System Properties dialog, select the Advanced tab.

  3. Click Environment Variables.

  4. In the User Variables section, click New to add a CLASSPATH environment variable for your user profile. If a CLASSPATH environment variable already exists, select it and click Edit.

  5. Add the full path and file names for all the required jar files to the CLASSPATH.

    For example, your CLASSPATH might look like this:

    %CLASSPATH%;%ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_core.jar;
    %ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_cert.jar;
    %ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_xmlsec.jar;
    %ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_saml.jar;
    %ORACLE_HOME%\modules\oracle.osdt_11.1.1\osdt_saml2.jar;
    %ORACLE_HOME%\modules\org.jaxen_1.1.1.jar;
    
  6. Click OK.

9.3.2.2.2 Setting the CLASSPATH on UNIX

On UNIX, set your CLASSPATH environment variable to include the full path and file name of all the required jar and class files. For example:

setenv CLASSPATH $CLASSPATH:$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_core.jar:
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_cert.jar:
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_xmlsec.jar:
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_saml.jar:
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_saml2.jar:
$ORACLE_HOME/modules/org.jaxen_1.1.1.jar

9.3.3 Classes and Interfaces

This section provides information and code samples for using the classes and interfaces of Oracle SAML 2.0. It contains these sections:

9.3.3.1 Core Classes

This section provides an overview of the core SAML and SAMLP classes with some brief code examples. The core classes are:

9.3.3.1.1 The oracle.security.xmlsec.saml2.core.Assertion Class

This class represents the Assertion element of the SAML Assertion schema.

Example 9-8 shows how to create a new Assertion element and append it to an existing XML document.

Example 9-8 Creating an Assertion Element and Appending it to an XML Document

import org.w3c.dom.Document;
import oracle.security.xmlsec.saml2.core.Assertion;

// doc: an existing, namespace-aware org.w3c.dom.Document with a root element
Document doc = Instance of org.w3c.dom.Document;
Assertion assertion = new Assertion(doc);
doc.getDocumentElement().appendChild(assertion);

Example 9-9 shows how to obtain Assertion elements from an XML document.

Example 9-9 Obtaining Assertion Elements From an XML Document

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import oracle.security.xmlsec.saml2.core.Assertion;
import oracle.security.xmlsec.saml2.util.SAML2URI;

// doc: an existing org.w3c.dom.Document parsed with a namespace-aware parser
Document doc = Instance of org.w3c.dom.Document;

// Get a list of all Assertion elements in the document

NodeList assrtList =
    doc.getElementsByTagNameNS(SAML2URI.ns_saml, "Assertion");
if (assrtList.getLength() == 0)
    System.err.println("No Assertion elements found.");

// Convert each org.w3c.dom.Node object to an
// oracle.security.xmlsec.saml2.core.Assertion object and process

for (int s = 0, n = assrtList.getLength(); s < n; ++s)
{
    Assertion assertion = new Assertion((Element)assrtList.item(s));
    // Process Assertion element
    ...
}

9.3.3.1.2 The oracle.security.xmlsec.saml2.protocol.AuthnRequest Class

This class represents the AuthnRequest element of the SAML Protocol schema.

Example 9-10 shows how to create a new AuthnRequest element and append it to an existing XML document.

Example 9-10 Creating an AuthnRequest Element and Appending it to an XML Document

import org.w3c.dom.Document;
import oracle.security.xmlsec.saml2.protocol.AuthnRequest;

// doc: an existing, namespace-aware org.w3c.dom.Document with a root element
Document doc = Instance of org.w3c.dom.Document;
AuthnRequest request = new AuthnRequest(doc);
doc.getDocumentElement().appendChild(request);

Example 9-11 shows how to obtain AuthnRequest elements from an existing XML document.

Example 9-11 Obtaining AuthnRequest Elements From an XML Document

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import oracle.security.xmlsec.saml2.protocol.AuthnRequest;
import oracle.security.xmlsec.saml2.util.SAML2URI;

// doc: an existing org.w3c.dom.Document parsed with a namespace-aware parser
Document doc = Instance of org.w3c.dom.Document;

// Get a list of all AuthnRequest elements in the document

NodeList reqList =
    doc.getElementsByTagNameNS(SAML2URI.ns_samlp, "AuthnRequest");
if (reqList.getLength() == 0)
    System.err.println("No AuthnRequest elements found.");

// Convert each org.w3c.dom.Node object to an
// oracle.security.xmlsec.saml2.protocol.AuthnRequest
// object and process

for (int s = 0, n = reqList.getLength(); s < n; ++s)
{
    AuthnRequest request = new AuthnRequest((Element)reqList.item(s));
    // Process AuthnRequest element
    ...
}

9.3.3.1.3 The oracle.security.xmlsec.saml2.protocol.StatusResponseType Class

This class represents the Response element of the SAML Protocol schema.

The samlp:StatusResponseType element is a base type representing an extension point for the SAML 2.0 protocols. The various protocols defined in the SAML 2.0 specification use sub-types such as samlp:Response or samlp:LogoutResponse.

Example 9-12 shows how to create a Response element and append it to an existing XML document.

Example 9-12 Creating a Response Element and Appending to an XML Document

import org.w3c.dom.Document;
import oracle.security.xmlsec.saml2.protocol.Response;

// doc: an existing, namespace-aware org.w3c.dom.Document with a root element
Document doc = Instance of org.w3c.dom.Document;
Response response = new Response(doc);
doc.getDocumentElement().appendChild(response);

Example 9-13 shows how to obtain Response elements from an existing XML document.

Example 9-13 Obtaining Response Elements From an XML Document

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import oracle.security.xmlsec.saml2.protocol.Response;
import oracle.security.xmlsec.saml2.util.SAML2URI;

// doc: an existing org.w3c.dom.Document parsed with a namespace-aware parser
Document doc = Instance of org.w3c.dom.Document;

// Get a list of all Response elements in the document

NodeList respList =
    doc.getElementsByTagNameNS(SAML2URI.ns_samlp, "Response");
if (respList.getLength() == 0)
    System.err.println("No Response elements found.");

// Convert each org.w3c.dom.Node object to an
// oracle.security.xmlsec.saml2.protocol.Response object and process

for (int s = 0, n = respList.getLength(); s < n; ++s)
{
    Response response = new Response((Element)respList.item(s));
    // Process Response element
    ...
}
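
The lookups in Examples 9-3, 9-5, 9-7, 9-9, 9-11 and 9-13 all start from a pre-parsed org.w3c.dom.Document, and each only reports when zero elements are found. The following added example (not code from the Oracle documentation or the SDK) fills in the part those examples leave out: it parses a received message with a namespace-aware parser that refuses DOCTYPE declarations and entity expansion, then insists on exactly one Response and exactly one Assertion before wrapping them in the SDK classes, rejecting a message that carries none or several. Only the SAML2URI.ns_samlp and SAML2URI.ns_saml constants and the Assertion and Response element constructors shown above are taken from the SDK; the class name SamlMessageLocator, its methods, and the SAMPLE_RESPONSE string are constructed for illustration, and the osdt jars are assumed to be on the CLASSPATH as described in Section 9.3.2.2. The same code serves the SAML 1.0/1.1 examples with the oracle.security.xmlsec.saml and samlp classes and SAMLURI in place of SAML2URI.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

import oracle.security.xmlsec.saml2.core.Assertion;
import oracle.security.xmlsec.saml2.protocol.Response;
import oracle.security.xmlsec.saml2.util.SAML2URI;

public class SamlMessageLocator {

    // Constructed sample: a minimal, unsigned SAML 2.0 Response carrying one Assertion.
    // All identifiers and the issuer are placeholders, not values from any real deployment.
    static final String SAMPLE_RESPONSE =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
      + " ID=\"_resp-placeholder\" Version=\"2.0\" IssueInstant=\"2011-01-01T00:00:00Z\">"
      + "<samlp:Status><samlp:StatusCode"
      + " Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>"
      + "<saml:Assertion ID=\"_assn-placeholder\" Version=\"2.0\""
      + " IssueInstant=\"2011-01-01T00:00:00Z\">"
      + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
      + "</saml:Assertion>"
      + "</samlp:Response>";

    // Parse untrusted XML with a namespace-aware parser that has no DTD, entity or XInclude processing.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // getElementsByTagNameNS() matches nothing unless the parser is namespace-aware
        dbf.setNamespaceAware(true);
        // Refuse any DOCTYPE: no internal or external entities, so no XXE and no entity expansion bombs
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Collect every element with the given namespace and local name, as the page's loops do.
    static List<Element> findAll(Document doc, String ns, String localName) {
        NodeList nodes = doc.getElementsByTagNameNS(ns, localName);
        List<Element> out = new ArrayList<Element>();
        for (int i = 0, n = nodes.getLength(); i < n; ++i) {
            out.add((Element) nodes.item(i));
        }
        return out;
    }

    // Require exactly one match: a message with no such element, or with several, is rejected
    // rather than processed on a guess about which one the caller meant.
    static Element requireExactlyOne(Document doc, String ns, String localName) {
        List<Element> found = findAll(doc, ns, localName);
        if (found.size() != 1) {
            throw new IllegalArgumentException(
                "expected exactly one " + localName + " element, found " + found.size());
        }
        return found.get(0);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseHardened(SAMPLE_RESPONSE);

        // The Response must be the document element itself, not nested somewhere inside the message
        Element respEl = requireExactlyOne(doc, SAML2URI.ns_samlp, "Response");
        if (!respEl.isSameNode(doc.getDocumentElement())) {
            throw new IllegalArgumentException("Response is not the document element");
        }
        Response response = new Response(respEl);

        Element assnEl = requireExactlyOne(doc, SAML2URI.ns_saml, "Assertion");
        Assertion assertion = new Assertion(assnEl);

        System.out.println("Response ID:  " + respEl.getAttribute("ID"));
        System.out.println("Assertion ID: " + assnEl.getAttribute("ID"));
        // Signature verification and Conditions checks on 'response' and 'assertion' follow here.
    }
}
```

The document-element check and the exactly-one rule are deliberate: a relying party that picks the first Assertion a NodeList returns, or that accepts a Response found anywhere in the tree, has no defined behaviour for a message that contains extra or relocated elements, and the SDK classes wrap whatever Element they are given. Settling cardinality and position before constructing the SDK objects keeps later signature and condition checks operating on the element that was actually located.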

9.3.3.2 Supporting Classes and Interfaces

This section provides an overview of the supporting classes and interfaces of Oracle SAML 2.0. It includes:

9.3.3.2.1 The oracle.security.xmlsec.saml2.util.SAML2URI Interface

This interface defines URI string constants for algorithms, namespaces, and objects. The interface uses these naming conventions:

  • Action namespace URIs defined in the SAML 1.0/1.1/2.0 specifications begin with action_ .

  • Authentication method namespace URIs defined in the SAML 1.0/1.1/2.0 specifications begin with authentication_method_.

  • Confirmation method namespace URIs defined in the SAML 1.0/1.1/2.0 specifications begin with confirmation_method_ .

  • Namespace URIs begin with ns_.

9.3.4 The Oracle SAML 2.0 Java API Reference

The Oracle SAML 2.0 Java API reference (Javadoc) is available at:

Oracle Fusion Middleware SAML 2.0 Java API Reference for Oracle Security Developer Tools