Oracle OpenSSO 8.0 Update 2 Release Notes

Java Fedlet Support for Attribute Query (CR 6930476)

The Java Fedlet supports the SAMLv2 Attribute Query, which lets it query an identity provider such as Oracle OpenSSO 8.0 Update 2 for specific identity attribute values. You can configure the Fedlet to sign the query and to encrypt it. Signing is required for issuing a Fedlet Attribute Query; encryption is optional.

Procedure: To Configure the Java Fedlet for Attribute Query

  1. Enable XML signing to sign the Attribute Query, as described in Java Fedlet Support for Signing and Encryption.

  2. Add the certificate generated in the previous step to the RoleDescriptor element in the Fedlet sp.xml file. In the following example, there are two KeyDescriptor elements into which you paste the certificate: one for signing and one for encryption. If you are not enabling encryption, the KeyDescriptor use="encryption" element is not required.

    <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
          xsi:type="query:AttributeQueryDescriptorType"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                --certificate--
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="encryption">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                --certificate--
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
          <EncryptionMethod
              Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
            <xenc:KeySize
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
          </EncryptionMethod>
      </KeyDescriptor>
    </RoleDescriptor>

  3. In the Java Fedlet sp-extended.xml file, specify the value for the signingCertAlias attribute and, if encryption is configured, for the encryptionCertAlias attribute.

    If you plan to configure the identity provider to encrypt the assertion, the NameID element must also be encrypted, so set the value of the wantNameIDEncrypted attribute to true. Add the XML code to the AttributeQueryConfig element. For example:

    <Attribute name="signingCertAlias">
          <Value>test</Value>
    </Attribute>
    <Attribute name="encryptionCertAlias">
          <Value>test</Value>
    </Attribute>
    <Attribute name="wantNameIDEncrypted">
          <Value>true</Value>
    </Attribute>

    In this example, test is the alias for the sample key.

  4. Import the Java Fedlet metadata file (sp.xml) into the identity provider.

    Also, perform the additional configuration steps in the identity provider to support the Attribute Query for the Fedlet.
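The steps above edit two files that must agree with each other before the metadata is imported into the identity provider: the KeyDescriptor elements in sp.xml and the signingCertAlias, encryptionCertAlias and wantNameIDEncrypted attributes in sp-extended.xml. The following script is an added example, not Oracle or OpenSSO code, that cross-checks the two files and reports the mismatches a practitioner most often ships (a placeholder left in place of the certificate, an encryption alias without a published encryption certificate, or NameID encryption requested with no encryption key for the identity provider to use). Elements are matched by local name so the check does not depend on the namespace prefixes of a given metadata file; the sample files, the entityID, the certificate bodies and the EntityConfig wrapper and namespace of the sp-extended.xml sample are constructed for this example.

```python
"""Consistency check for the Java Fedlet Attribute Query setup (added example,
not Oracle/OpenSSO code). Cross-checks sp.xml (KeyDescriptor entries under the
RoleDescriptor of xsi:type AttributeQueryDescriptorType) against
sp-extended.xml (Attribute values under AttributeQueryConfig)."""
import xml.etree.ElementTree as ET

PLACEHOLDER_CERT = "--certificate--"  # the literal left in the metadata template


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _find_all(node, local_name):
    return [e for e in node.iter() if _local(e.tag) == local_name]


def _attribute_query_keys(sp_xml):
    """{use: certificate text} for the Attribute Query RoleDescriptor, else None."""
    root = ET.fromstring(sp_xml)
    roles = [r for r in _find_all(root, "RoleDescriptor")
             if any(_local(k) == "type" and v.endswith("AttributeQueryDescriptorType")
                    for k, v in r.attrib.items())]
    if not roles:
        return None
    keys = {}
    for kd in _find_all(roles[0], "KeyDescriptor"):
        certs = _find_all(kd, "X509Certificate")
        # Normalise whitespace so a certificate pasted across lines compares cleanly.
        text = "".join(certs[0].text.split()) if certs and certs[0].text else ""
        keys[kd.get("use", "")] = text
    return keys


def _attribute_query_config(sp_extended_xml):
    """{Attribute name: first Value text} under AttributeQueryConfig, else None."""
    root = ET.fromstring(sp_extended_xml)
    cfgs = _find_all(root, "AttributeQueryConfig")
    if not cfgs:
        return None
    values = {}
    for attr in _find_all(cfgs[0], "Attribute"):
        vals = [v.text.strip() for v in _find_all(attr, "Value") if v.text]
        values[attr.get("name", "")] = vals[0] if vals else ""
    return values


def check_attribute_query_config(sp_xml, sp_extended_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    keys = _attribute_query_keys(sp_xml)
    if keys is None:
        findings.append("sp.xml: no RoleDescriptor with xsi:type AttributeQueryDescriptorType")
        keys = {}
    for use, cert in keys.items():
        if cert in ("", PLACEHOLDER_CERT):
            findings.append(f'sp.xml: KeyDescriptor use="{use}" still holds the placeholder; paste the real certificate')
    if "signing" not in keys:
        findings.append('sp.xml: KeyDescriptor use="signing" is missing; signing is required for a Fedlet Attribute Query')
    cfg = _attribute_query_config(sp_extended_xml)
    if cfg is None:
        findings.append("sp-extended.xml: AttributeQueryConfig element not found")
        cfg = {}
    if not cfg.get("signingCertAlias"):
        findings.append("sp-extended.xml: signingCertAlias is not set")
    enc_alias = cfg.get("encryptionCertAlias", "")
    if "encryption" in keys and not enc_alias:
        findings.append('sp-extended.xml: encryptionCertAlias is not set although sp.xml publishes KeyDescriptor use="encryption"')
    if enc_alias and "encryption" not in keys:
        findings.append('sp-extended.xml: encryptionCertAlias is set but sp.xml has no KeyDescriptor use="encryption"')
    if cfg.get("wantNameIDEncrypted", "").lower() == "true" and "encryption" not in keys:
        findings.append("sp-extended.xml: wantNameIDEncrypted is true but sp.xml publishes no encryption certificate for the identity provider to use")
    return findings


# Constructed sample files (entityID, certificate body and the EntityConfig
# wrapper/namespace are stand-ins for this example, not real values).
FAKE_CERT = "MIIBconstructedCertificateBodyNotARealCert=="
_ROLE_OPEN = ('<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
              'xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" '
              'xsi:type="query:AttributeQueryDescriptorType" '
              'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">')


def _key_descriptor(use, cert):
    return (f'<KeyDescriptor use="{use}"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            f'<ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></KeyDescriptor>')


def _sp_xml(*key_descriptors):
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="fedlet-sp">'
            + _ROLE_OPEN + "".join(key_descriptors) + "</RoleDescriptor></EntityDescriptor>")


def _sp_extended(**attrs):
    body = "".join(f'<Attribute name="{k}"><Value>{v}</Value></Attribute>' for k, v in attrs.items())
    return ('<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" entityID="fedlet-sp" hosted="1">'
            f'<AttributeQueryConfig metaAlias="/sp">{body}</AttributeQueryConfig></EntityConfig>')


SP_XML_OK = _sp_xml(_key_descriptor("signing", FAKE_CERT), _key_descriptor("encryption", FAKE_CERT))
SP_EXT_OK = _sp_extended(signingCertAlias="test", encryptionCertAlias="test", wantNameIDEncrypted="true")
# Two common slips: the signing placeholder was never replaced, and NameID
# encryption is requested without publishing an encryption certificate.
SP_XML_BAD = _sp_xml(_key_descriptor("signing", PLACEHOLDER_CERT))
SP_EXT_BAD = _sp_extended(signingCertAlias="test", wantNameIDEncrypted="true")

if __name__ == "__main__":
    for label, sp, ext in (("ok", SP_XML_OK, SP_EXT_OK), ("bad", SP_XML_BAD, SP_EXT_BAD)):
        print(label, check_attribute_query_config(sp, ext) or ["no findings"])
```

Run it against the real sp.xml and sp-extended.xml (read the two files and pass their contents to check_attribute_query_config) before step 4; an empty result means the alias and certificate configuration in the two files is consistent, while any finding should be fixed before the metadata is imported into the identity provider.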