Administration Console Online Help


SAML 2.0 Credential Mapping Provider: Web Service Service Provider Partner: General


Configures a SAML 2.0 Web Service Service Provider Partner's Properties.

Configuration Options

Name Description
Name

Displays the name of the Web Service Service Provider partner.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Enabled

Specifies whether interactions with this Service Provider partner are enabled on this server.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Description

A short description of this Service Provider partner.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Audience URIs

One or more partner lookup strings, and optionally one or more SAML Audience URIs.

In the WebLogic Server implementation of SAML 2.0, the Audience URI attribute is overloaded to perform two related but separate functions:

  • Specify one or more Audience URIs that must be included in assertions generated for this Service Provider partner.
  • Specify one or more partner lookup strings, which specify the endpoint URL that is used to discover the Service Provider partner for which an assertion is to be generated.

A value specified for this attribute must have the following syntax:

[target:char:]<endpoint-url>

In the preceding syntax, target:char: is a prefix that designates the value as a partner lookup string, where char is one of three special characters: a hyphen, plus sign, or asterisk (-, +, or *). The character determines how partner lookup is performed, as follows:

  • target:-:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>. For example, target:-:http://www.avitek.com:7001/myserver/myservicecontext/myservice-endpoint specifies the endpoint that can be matched to this Service Provider, for which an assertion should be generated. With this form of partner lookup string, the endpoint URL is not included as an Audience URI in that assertion.
  • target:+:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>, and that the endpoint URL is also to be added as an Audience URI in the assertion generated for this Service Provider partner.
  • target:*:<endpoint-url> specifies that partner lookup is conducted for an initial-string pattern match of the URL, <endpoint-url>. For example, target:*:http://www.avitek.com:7001/myserver specifies that any endpoint URL beginning with http://www.avitek.com:7001/myserver can be matched to this Service Provider, such as http://www.avitek.com:7001/myserver/contextA/endpointA and http://www.avitek.com:7001/myserver/contextB/endpointB. If more than one Service Provider partner is discovered that is a match for the initial string, the partner with the longest initial string match is selected.

Note: Configuring one or more partner lookup strings for a Service Provider partner is required in order for that partner to be discovered at run time. If this partner cannot be discovered, no assertions for this partner can be generated.

If you configure an endpoint URL without using the target lookup prefix, it will be handled as a conventional Audience URI that must be contained in assertions generated for this Service Provider partner. (This also enables backwards-compatibility with existing Audience URIs configured for this partner.)

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.
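The following is an added example, not WebLogic's own code: it models how the values of the Audience URIs attribute are interpreted, first to discover the Service Provider partner for an endpoint URL (exact match for - and +, longest initial-string match for *) and then to collect the Audience URIs the generated assertion must carry. Partner names and the non-avitek.com URLs are constructed sample data, and ranking an exact match above a longer prefix match is an assumption made here.

```python
# Added example, not WebLogic's own code: models how the Audience URIs attribute of a SAML 2.0
# Web Service SP partner is interpreted for partner lookup and for the Audience URIs an
# assertion must carry. Partner names and non-avitek.com URLs below are constructed sample data.
from typing import Dict, List, Optional, Tuple

def parse_audience_uri(value: str) -> Tuple[str, str]:
    """Split one configured value of the form [target:char:]<endpoint-url> into (mode, url).
    mode is '-', '+' or '*' for a partner lookup string, or 'audience' for a plain Audience URI.
    """
    if value.startswith("target:") and len(value) > 9 and value[7] in "-+*" and value[8] == ":":
        return value[7], value[9:]
    return "audience", value  # no prefix: conventional Audience URI, never used for lookup

def resolve_partner(registry: Dict[str, List[str]], endpoint_url: str) -> Optional[Tuple[str, List[str]]]:
    """Discover the partner for endpoint_url; return (name, Audience URIs for its assertion) or None.
    Exact-match lookup strings ('-', '+') win outright; among prefix matches ('*') the longest
    matching prefix wins. Ranking an exact match above a longer prefix match is an assumption
    here; the help text only specifies the tie-break among prefix matches.
    """
    best: Optional[Tuple[int, str]] = None  # (match score, partner name)
    for name, values in registry.items():
        for mode, url in map(parse_audience_uri, values):
            if mode in ("-", "+") and url == endpoint_url:
                score = len(endpoint_url) + 1  # strictly above any prefix match
            elif mode == "*" and endpoint_url.startswith(url):
                score = len(url)
            else:
                continue  # plain Audience URIs and non-matching strings do not discover a partner
            if best is None or score > best[0]:
                best = (score, name)
    if best is None:
        return None  # partner not discoverable: no assertion can be generated for it
    name = best[1]
    # Plain Audience URIs are always included; '+' strings add their URL; '-' and '*' do not.
    audiences = [u for m, u in map(parse_audience_uri, registry[name]) if m in ("audience", "+")]
    return name, audiences

# Constructed sample registry; the www.avitek.com URLs are those used in the help text.
REGISTRY = {
    "sp-exact": ["target:-:http://www.avitek.com:7001/myserver/myservicecontext/myservice-endpoint",
                 "https://sp-exact.example.com/audience"],
    "sp-prefix": ["target:*:http://www.avitek.com:7001/myserver",
                  "target:+:http://www.avitek.com:7001/myserver/contextB/endpointB"],
    "sp-contextA": ["target:*:http://www.avitek.com:7001/myserver/contextA"],
    "sp-no-lookup": ["https://sp-no-lookup.example.com/audience"],  # no lookup string: never found
}
```

Running resolve_partner(REGISTRY, "http://www.avitek.com:7001/myserver/contextA/endpointA") selects sp-contextA over sp-prefix because its initial string is longer, while a URL that matches only a plain Audience URI returns None.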

Service Provider Name Mapper Class Name

The name of the Java class that overrides the default SAML 2.0 credential mapper name mapper class with which this server is configured.

The Service Provider name mapper class specified here is a custom implementation of the com.bea.security.saml2.providers.SAML2CredentialNameMapper interface and is specified here to be used for this Service Provider partner.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Time To Live

The time to live value, in seconds, for the SAML 2.0 assertions generated for this Service Provider partner.

This value overrides the default setting for the SAML 2.0 Credential Mapping provider.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Time To Live Offset

The time to live offset value, in seconds, for the SAML 2.0 assertions generated for this Service Provider partner.

This value overrides the default setting for the SAML 2.0 Credential Mapping provider. You can specify this value to allow the SAML 2.0 Credential Mapping provider to compensate for clock differences between the Identity Provider and Service Provider sites. The value is a positive or negative integer representing seconds.

Normally, an assertion is valid from the NotBefore time, which defaults to (roughly) the time the assertion was generated, until the NotOnOrAfter time, which is calculated as (NotBefore + TimeToLive). However, the Identity Provider site and Service Provider site may have minor differences in their clock settings. The Time To Live Offset value is a positive or negative integer indicating how many seconds before or after "now" the assertion's NotBefore should be set to. If you set a value for the Assertion Time To Live Offset, the assertion lifetime is still calculated as (NotBefore + TimeToLive), but the NotBefore value is set to (now + Assertion Time To Live Offset). So, an assertion might have a two-minute (120-second) lifetime that starts thirty seconds ago, or one minute from now. This allows the SAML 2.0 Credential Mapping provider to compensate for clock differences between the Identity Provider and Service Provider sites.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Generate Attributes

Specifies whether the SAML 2.0 Credential Mapping provider includes group information in the assertions generated for this Service Provider partner.

The optional group information is specified via the <Attribute> element, which is subsequently used by the Service Provider's SAML 2.0 Identity Assertion provider to determine the groups into which the mapped user belongs.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Include One Time Use Condition

Specifies whether assertions generated for this Service Provider partner may be used only once.

If specified, this attribute determines that the assertion must be disposed of immediately after use and is not available for reuse.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Key Info Included

Specifies whether this server's signing certificate is included in assertions generated for this Service Provider partner.

Note that WebLogic Server's SAML 2.0 implementation uses only the certificates that are referenced in the partner registry, not certificates contained in assertions.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Confirmation Method

Specifies the type of confirmation method that is used when SAML 2.0 assertions are used for identity. The available confirmation methods are:

  • sender-vouches (default)
  • holder-of-key
  • bearer

When specifying a confirmation method, include the fully-qualified URN of the method. For example, urn:oasis:names:tc:SAML:2.0:cm:sender-vouches.

Note that if you use WLST to configure a partner, WebLogic Server provides constants for each of the confirmation methods that may be defined on partner class objects. For example, the following WLST command sets the bearer confirmation method on a partner:

p.setConfirmationMethod(p.ASSERTION_TYPE_BEARER)

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WSSPPartner interface.

Only Accept Signed Assertions

Specifies whether the Service Provider partner is configured to receive only assertions that have been signed.

If true, assertions generated for this partner are signed.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.
