
Programming WebLogic Security


SAML APIs

The Security Assertion Markup Language, SAML, is an XML-based protocol for exchanging security information between disparate entities. SAML provides single sign-on capabilities; users can authenticate at one location and then access service providers at other locations without having to log in multiple times. For a general description of SAML and SAML assertions in a WebLogic Server environment, see Understanding WebLogic Security. For access to the SAML specifications, go to http://www.oasis-open.org.

WebLogic Server supports SAML version 1.1. The WebLogic Server implementation:

Table 8-1 lists and describes the WebLogic SAML APIs.

Table 8-1 WebLogic SAML APIs

WebLogic SAML API

Description

weblogic.security.providers.saml

The WebLogic SAML package.

SAMLAssertionStore

Interface which defines methods for storing and retrieving assertions for the Artifact profile.

initStore(Properties props) initializes a store. Although the store will normally be instantiated and initialized only once, at server start time, an implementation should be robust in the face of multiple instantiations and multiple calls to init. The props parameter is a Properties object containing properties the store needs to initialize. It can be empty or null.

flushStore() removes all entries from the store.

releaseStore() releases the store. This method is not guaranteed to be called at server shutdown. Although the store will normally be instantiated and initialized only once, at server start time, an implementation should be robust in the face of multiple instantiations and multiple calls to init and release.

storeAssertion() stores an assertion for later retrieval using the specified artifact as a key.

retrieveAssertion() returns the assertion to the caller and removes the assertion from the store.

SAMLCredentialNameMapper

Interface which defines methods used to map subject information to fields in a SAML assertion.

Described in the Javadocs.

SAMLIdentityAssertionNameMapper

Interface which defines methods used to map information from a SAML assertion to user and group names.

Described in the Javadocs.

SAMLUsedAssertionCache

Interface which defines methods for caching assertion IDs so that the POST profile one-use policy can be enforced.

Classes implementing this interface must have a public no-arg constructor.

initCache(Properties prop) initializes the cache. Although the cache will normally be instantiated and initialized only once, at server start time, an implementation should be robust in the face of multiple instantiations and multiple calls to init and release. The props parameter is a Properties object containing properties the cache needs to initialize. It can be empty or null.

flushCache() flushes all cache entries.

releaseCache() releases the cache. This method is not guaranteed to be called at server shutdown. Although the cache will normally be instantiated and initialized only once, at server start time, an implementation should be robust in the face of multiple instantiations and multiple calls to init and release.

cacheAssertion(String assertionId, String issuer, long expire) caches the assertion ID and issuer of a consumed assertion. This method must return false if this ID/Issuer combination has already been cached (the one-use policy has failed for the referenced assertion). Otherwise, this method must cache the ID/Issuer and return true. The expire parameter is the NotOnOrAfter time of the to-be-cached assertion. After this time, the cache entry may be discarded, as the assertion is no longer valid and hence cannot be re-used. The method returns true if the referenced assertion was successfully cached; false if the referenced assertion was already in cache.

SAMLNameMapperInfo

Instances of this class are used to pass user and group information to and from the name mappers. The class also defines several useful constants.

Described in the Javadocs.
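
The one-use contract described for SAMLUsedAssertionCache in Table 8-1, as an added example (not WebLogic's own code and not part of the original page): a stand-alone in-memory cache using the method names from the table. The class name, the void return types of initCache/flushCache/releaseCache, and the treatment of expire as epoch milliseconds are assumptions; check the Javadocs for the exact signatures.

```java
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Added example. In a WebLogic deployment this class would declare
// "implements weblogic.security.providers.saml.SAMLUsedAssertionCache".
public class InMemoryUsedAssertionCache {
    // key: issuer + assertion ID, value: NotOnOrAfter (assumed epoch millis)
    private final ConcurrentMap<String, Long> seen = new ConcurrentHashMap<>();

    public InMemoryUsedAssertionCache() { }  // public no-arg constructor is required

    // Return types of init/flush/release are assumptions; props may be empty or null.
    public void initCache(Properties props) { /* nothing to configure; safe to repeat */ }

    public void flushCache() { seen.clear(); }

    public void releaseCache() { seen.clear(); }  // may never be called at shutdown

    public boolean cacheAssertion(String assertionId, String issuer, long expire) {
        long now = System.currentTimeMillis();
        // Expired entries can be dropped: the assertion is no longer valid anyway.
        seen.values().removeIf(notOnOrAfter -> notOnOrAfter <= now);
        // Length-prefix the issuer so ("ab","c") and ("a","bc") cannot collide.
        String key = issuer.length() + ":" + issuer + assertionId;
        // putIfAbsent is atomic: two threads presenting the same assertion
        // cannot both see "not cached" and both return true.
        return seen.putIfAbsent(key, expire) == null;
    }

    public static void main(String[] args) {
        InMemoryUsedAssertionCache cache = new InMemoryUsedAssertionCache();
        cache.initCache(null);
        cache.initCache(new Properties());           // repeated init must be harmless
        long expire = System.currentTimeMillis() + 60_000;
        // Constructed sample IDs and issuers, not taken from a real deployment.
        String idp = "https://idp.example.com";
        System.out.println("first use:    " + cache.cacheAssertion("_a1", idp, expire));
        System.out.println("replay:       " + cache.cacheAssertion("_a1", idp, expire));
        System.out.println("other issuer: "
                + cache.cacheAssertion("_a1", "https://other.example.com", expire));
        cache.releaseCache();
        cache.releaseCache();                        // repeated release must be harmless
    }
}
```

An in-memory map only enforces the one-use policy within a single server instance; a cluster needs a store shared by every node that can consume the same POST.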

 
