The Security Assertion Markup Language, SAML, is an XML-based protocol for exchanging security information between disparate entities. The SAML standard defines a framework for exchanging security information between software entities on the Web. SAML security is based on the interaction of asserting and relying parties.
SAML provides single sign-on capabilities; users can authenticate at one location and then access service providers at other locations without having to log in multiple times.
WebLogic Server supports SAML versions 2.0 and 1.1. The WebLogic Server implementation:
Supports the HTTP POST and HTTP Artifact bindings for the Web SSO profile for SAML 1.1. For SAML 2.0, WebLogic Server adds the HTTP Redirect binding for the Web SSO profile.
Supports SAML authentication and attribute statements (does not support SAML authorization statements)
For a general description of SAML and SAML assertions in a WebLogic Server environment, see "Security Assertion Markup Language (SAML)" in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server.
For information on configuring a SAML credential mapping provider, see "Configuring a SAML Credential Mapping Provider for SAML 1.1" and "Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0" in Oracle Fusion Middleware Securing Oracle WebLogic Server
For access to the SAML specifications, go to http://www.oasis-open.org. Also see the Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1 (http://www.oasis-open.org/committees/download.php/6628/sstc-saml-tech-overview-1.1-draft-05.pdf) and Security Assertion Markup Language (SAML) 2.0 Technical Overview (http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf).
This section covers the following topics:
Table 9-1 lists the WebLogic SAML APIs. Table 9-2 lists the WebLogic SAML 2.0 APIs. See the Javadoc for details.
| WebLogic SAML API | Description |
|---|---|
|
The WebLogic SAML package. |
|
|
Interface that defines methods for storing and retrieving assertions for the Artifact profile. This interface is deprecated in favor of SAMLAssertionStoreV2. |
|
|
The SAMLAssertionStoreV2 interface extends the SAMLAssertionStore interface, adding methods to support identification and authentication of the destination site requesting an assertion from the SAML ARS. Note that V2 refers to the second version of the WebLogic SAML provider, not to version 2 of the SAML specification. |
|
|
Interface used to perform mapping from Subject to SAMLAssertion attributes. |
|
|
Interface that defines methods used to map subject information to fields in a SAML assertion. |
|
|
Interface used to perform mapping from SAML Attribute Statement to Attribute Principals. |
|
|
Interface that defines methods used to map information from a SAML assertion to user and group names. |
|
|
Interface that defines methods for caching assertion IDs so that the POST profile one-use policy can be enforced. Classes implementing this interface must have a public no-arg constructor. |
|
|
Instances of this class are used to pass user and group information to and from the name mappers. The class also defines several useful constants. |
|
|
The AssertionInfo class is returned by SAMLAssertionStoreV2.retrieveAssertionInfo(). It contains the retrieved assertion and related information. An implementation of the SAMLAssertionStoreV2 interface would have to return this class. |
|
|
A class that represents a single attribute of a SAMLAssertion AttributeStatement. |
|
|
A class that represents an AttributeStatement in a SAMLAssertion. |
|
|
The SAMLNameMapperInfo is used to represent user name and group information for SAML assertions. |
|
|
Abstract representation of attributes common to a SAML 1.1 Partner. |
|
|
Represents a SAML Relying Party entry in the SAML Relying Party registry. |
|
|
Represents a SAML Asserting Party entry in the LDAP Asserting Party registry. |
|
|
Abstract representation of a SAML partner. |
Note:
The SAML name mapper classes are required to be in the system classpath. If you create a custom SAMLIdentityAssertionNameMapper, SAMLCredentialNameMapper, SAMLAssertionStore, or SAMLUsedAssertionCache, you must place the respective class in the system classpath.Table 9-2 WebLogic SAML 2.0 APIs
| WebLogic SAML 2.0 APIs | Description |
|---|---|
|
Provides interfaces and classes for the configuration, control, and monitoring of SAML 2.0 security providers in a WebLogic security realm. |
|
|
Interface used to perform the mapping of user and group information to SAML 2.0 assertions. |
|
|
Interface used to perform the mapping of user information contained in a SAML 2.0 assertion to a local user name. |
|
|
The SAML2NameMapperInfo is used to represent user name and group information contained in SAML 2.0 assertions. |
|
|
Abstract interfaces for SAML 2.0 Identity Provider and Service Provider partners and metadata. |
|
|
Binding Client partner is a partner that supports backend channel communication. |
|
|
Abstract representation of a SAML 2.0 Identity Provider partner. |
|
|
Abstract representation of a SAML 2.0 service endpoint. |
|
|
This class represents the end point that could be indexed, like Artifact Resolution Service's end point. |
|
|
Metadata partner contains contact information for the partner, which is mainly required by the SAML 2.0 metadata profile. |
|
|
Abstract representation of a SAML 2.0 partner. This interface defines mandatory information for a partner. |
|
|
Abstract representation of a SAML 2.0 Service Provider partner. |
|
|
Abstract representation of a SAML 2.0 Identity Provider partner for Web SSO profile. |
|
|
Abstract representation of a SAML 2.0 partner for Web SSO profile. |
|
|
Abstract representation of a SAML 2.0 Service Provider partner for Web SSO profile. |
|
|
Abstract representation of a SAML 2.0 Identity Provider partner for WSS SAML Token profile. |
|
|
Abstract representation of a SAML 2.0 partner for WSS SAML Token profile. |
|
|
Abstract representation of a SAML 2.0 Service Provider partner for WSS SAML Token profile. It has no specific attributes/methods. |
The parameters names passed to the POST form when a custom POST form is specified for SAML POST profile handling depend on which SAML provider is configured.
For the WebLogic Server 9.1and higher, Federation Services implementation (in effect when V2 providers are configured), see Table 9-1.
For the WebLogic Server 9.0 SAML services implementation (in effect when V1 providers are configured), see Table 9-1.
The tables provide the parameter names and their data types (required for casting the returned Java Object).
For both implementations, the SAML response itself is passed using the parameter name specified by SAML:
SAMLResponse (String): The base64-encoded SAML Response element.
Table 9-3 SAML V2 Provider Custom POST Form Parameters
| Parameter | Description |
|---|---|
|
TARGET (String) |
The TARGET URL specified as a query parameter on the incoming Intersite Transfer Service (ITS) request. |
|
SAML_AssertionConsumerURL (String) |
The URL of the Assertion Consumer Service (ACS) at the destination site (where the form should be POSTed). |
|
SAML_AssertionConsumerParams (Map) |
A Map containing name/value mappings for the assertion consumer parameters configured for the relying party. Names and values are Strings. |
|
SAML_ITSRequestParams (Map) |
A Map containing name/value mappings for the query parameters received with the ITS request. Names and values are Strings. The Map may be empty. TARGET and Rich Presence Information Data Format (RPID) parameters are removed from the map before passing it to the form. |