Programming WebLogic Security

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

SAML APIs

The Security Assertion Markup Language, SAML, is an XML-based protocol for exchanging security information between disparate entities. The SAML standard defines a framework for exchanging security information between software entities on the Web. SAML security is based on the interaction of asserting and relying parties.

SAML provides single sign-on capabilities; users can authenticate at one location and then access service providers at other locations without having to log in multiple times.

WebLogic Server supports SAML versions 2.0 and 1.1. The WebLogic Server implementation:

For a general description of SAML and SAML assertions in a WebLogic Server environment, see Security Assertion Markup Language (SAML) in Understanding WebLogic Security.

For information on configuring a SAML credential mapping provider, see Configuring a SAML Credential Mapping Provider for SAML 1.1 and Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0 in Securing WebLogic Server.

For access to the SAML specifications, go to http://www.oasis-open.org. Also see the Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1 and Security Assertion Markup Language (SAML) 2.0 Technical Overview.

This section covers the following topics:

 

SAML API Description

Table 9-1 lists the WebLogic SAML APIs. Table 9-2 lists the WebLogic SAML 2.0 APIs. See the Javadoc for details.

Table 9-1 WebLogic SAML APIs
WebLogic SAML API
Description
weblogic.security.providers.saml
The WebLogic SAML package.
SAMLAssertionStore
Interface that defines methods for storing and retrieving assertions for the Artifact profile. This interface is deprecated in favor of SAMLAssertionStoreV2.
SAMLAssertionStoreV2
The SAMLAssertionStoreV2 interface extends the SAMLAssertionStore interface, adding methods to support identification and authentication of the destination site requesting an assertion from the SAML ARS.
Note that V2 refers to the second version of the WebLogic SAML provider, not to version 2 of the SAML specification.
SAMLCredentialAttributeMapper
Interface used to perform mapping from Subject to SAMLAssertion attributes.
SAMLCredentialNameMapper
Interface that defines methods used to map subject information to fields in a SAML assertion.
SAMLIdentityAssertionAttributeMapper
Interface used to perform mapping from SAML Attribute Statement to Attribute Principals.
SAMLIdentityAssertionNameMapper
Interface that defines methods used to map information from a SAML assertion to user and group names.
SAMLUsedAssertionCache
Interface that defines methods for caching assertion IDs so that the POST profile one-use policy can be enforced.
Classes implementing this interface must have a public no-arg constructor.
SAMLNameMapperInfo
Instances of this class are used to pass user and group information to and from the name mappers. The class also defines several useful constants.
SAMLAssertionStoreV2.AssertionInfo
The AssertionInfo class is returned by SAMLAssertionStoreV2.retrieveAssertionInfo(). It contains the retrieved assertion and related information. An implementation of the SAMLAssertionStoreV2 interface would have to return this class.
SAMLAttributeInfo
A class that represents a single attribute of a SAMLAssertion AttributeStatement.
SAMLAttributeStatementInfo
A class that represents an AttributeStatement in a SAMLAssertion.
SAMLNameMapperInfo
The SAMLNameMapperInfo is used to represent user name and group information for SAML assertions.
SAMLCommonPartner
Abstract representation of attributes common to a SAML 1.1 Partner.
SAMLRelyingParty
Represents a SAML Relying Party entry in the SAML Relying Party registry.
SAMLAssertingParty
Represents a SAML Asserting Party entry in the LDAP Asserting Party registry.
SAMLPartner
Abstract representation of a SAML partner.

Note: The SAML name mapper classes are required to be in the system classpath. If you create a custom SAMLIdentityAssertionNameMapper, SAMLCredentialNameMapper, SAMLAssertionStore, or SAMLUsedAssertionCache, you must place the respective class in the system classpath.

Table 9-2 WebLogic SAML 2.0 APIs
WebLogic SAML 2.0 APIs
Description
com.bea.security.saml2.providers
Provides interfaces and classes for the configuration, control, and monitoring of SAML 2.0 security providers in a WebLogic security realm.
SAML2CredentialNameMapper
Interface used to perform the mapping of user and group information to SAML 2.0 assertions.
SAML2IdentityAsserterNameMapper
Interface used to perform the mapping of user information contained in a SAML 2.0 assertion to a local user name.
SAML2NameMapperInfo
The SAML2NameMapperInfo is used to represent user name and group information contained in SAML 2.0 assertions.
com.bea.security.saml2.providers.registry
Abstract interfaces for SAML 2.0 Identity Provider and Service Provider partners and metadata.
BindingClientPartner
Binding Client partner is a partner that supports backend channel communication.
IdPPartner
Abstract representation of a SAML 2.0 Identity Provider partner.
Endpoint
Abstract representation of a SAML 2.0 service endpoint.
IndexedEndpoint
This class represents the end point that could be indexed, like Artifact Resolution Service's end point.
MetadataPartner
Metadata partner contains contact information for the partner, which is mainly required by the SAML 2.0 metadata profile.
Partner
Abstract representation of a SAML 2.0 partner. This interface defines mandatory information for a partner.
SPPartner
Abstract representation of a SAML 2.0 Service Provider partner.
WebSSOIdPPartner
Abstract representation of a SAML 2.0 Identity Provider partner for Web SSO profile.
WebSSOPartner
Abstract representation of a SAML 2.0 partner for Web SSO profile.
WebSSOSPPartner
Abstract representation of a SAML 2.0 Service Provider partner for Web SSO profile.
WSSIdPPartner
Abstract representation of a SAML 2.0 Identity Provider partner for WSS SAML Token profile.
WSSPartner
Abstract representation of a SAML 2.0 partner for WSS SAML Token profile.
WSSSPPartner
Abstract representation of a SAML 2.0 Service Provider partner for WSS SAML Token profile. It has no specific attributes/methods.

 

Custom POST Form Parameter Names

The parameters names passed to the POST form when a custom POST form is specified for SAML POST profile handling depend on which SAML provider is configured.

The tables provide the parameter names and their data types (required for casting the returned Java Object).

For both implementations, the SAML response itself is passed using the parameter name specified by SAML:

SAMLResponse (String): The base64-encoded SAML Response element.

Table 9-3 SAML V2 Provider Custom POST Form Parameters
Parameter
Description
TARGET (String)
The TARGET URL specified as a query parameter on the incoming Intersite Transfer Service (ITS) request.
SAML_AssertionConsumerURL (String)
The URL of the Assertion Consumer Service (ACS) at the destination site (where the form should be POSTed).
SAML_AssertionConsumerParams (Map)
A Map containing name/value mappings for the assertion consumer parameters configured for the relying party. Names and values are Strings.
SAML_ITSRequestParams (Map)
A Map containing name/value mappings for the query parameters received with the ITS request. Names and values are Strings. The Map may be empty. TARGET and Rich Presence Information Data Format (RPID) parameters are removed from the map before passing it to the form.

Table 9-4 SAML V1 Provider Custom POST Form Parameters
Parameter
Description
targetURL (String)

The TARGET URL specified as a query parameter on the incoming ITS request.

consumerURL (String)
The URL of the ACS at the destination site (where the form should be POSTed).


  Back to Top       Previous  Next