A partner lookup string must be specified when configuring either a web service Identity Provider partner or a Service Provider partner. This string, which specifies an endpoint URL, is required at run time by WebLogic Server to discover the partner that is associated with a SAML 2.0 assertion that needs to be either generated or validated.

For example, when a web service client needs an assertion, it passes the endpoint of the target web service to the SAML 2.0 Credential Mapping provider. The SAML 2.0 Credential Mapping provider looks up the appropriate web service Service Provider partner by searching for any partner entry that is configured with a lookup string that matches that endpoint, and then generates the assertion that is required for the partner that is found.

In a similar manner, when a WebLogic Server instance configured in the role of Service Provider receives the invocation from the web service client, it passes the assertion and the invoked endpoint to the SAML 2.0 Identity Assertion provider. The SAML 2.0 Identity Assertion provider looks up the appropriate web service Identity Provider partner by searching for any partner configured with a lookup string that matches that endpoint, and then validates the assertion against the partner that is found.

WebLogic Server also allows you to configure a partner lookup string so that the specified endpoint also serves as an Audience URI. The Audience URI attribute is therefore overloaded to perform two related but separate functions: to specify the Audience URIs that must be included in assertions, and also to designate partner lookup strings. (When configuring an Identity Provider partner, partner lookup strings and Audience URIs need to be specified in separate entries due to the way in which endpoint URLs are passed to the SAML 2.0 Identity Assertion provider.)

If a partner lookup string is not configured for a SAML 2.0 web service partner, that partner cannot be discovered at run time, and the necessary assertion for that partner cannot be generated or validated.

The general syntax for the partner lookup string is the same for both Identity Provider and Service Provider partners, but the way in which it is specified differs because of the way in which incoming endpoint URLs are handled by WebLogic Server. WebLogic Server supports two basic forms of the partner lookup string:

• Exact-match: the URL you specify in a partner's lookup string requires that the endpoint URL that is passed to the SAML 2.0 security provider must be an exact match in order for that partner to be selected. For example, if you specify http://www.abc.com/xxx/yyy/zzz as an exact match lookup string for Partner A, the result is that Partner A can be selected as a match only when that exact same endpoint is passed in to the appropriate SAML 2.0 security provider.

  WebLogic Server supports two ways in which you can specify an exact-match partner lookup string so that the specified URL is may be included in, or excluded from, from assertions as an Audience URI. When configuring a Service Provider partner, this mechanism eliminates the need to duplicate a given URL as both an Audience URI as well as a partner lookup string.

• Initial-string match: the URL you specify in a partner's lookup string contains only the initial string of the URL that must be matched in order for the partner to be selected. For example, if you specify http://www.abc.com/xxx as an initial-string match lookup string for Partner A, the result is that Partner A can be selected as a match for any endpoint passed in that begins with http://www.abc.com/xxx. Endpoints such as http://www.abc.com/xxx/yyy/zzz and http://www.abc.com/xxx/aaa/bbb can be matched to this partner.

The partner lookup string has the following syntax:

[target:char:]<endpoint-url>

In the preceding syntax, target:char:is a prefix that is used to designate the partner lookup string, where char represents one of three special characters: a hyphen, plus sign, or asterisk (-, +, or *). This prefix determines how partner lookup is performed, as follows:

• target:-:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>. This form of partner lookup string designates that the endpoint URL is not to be included as an Audience URI to be contained in that assertion.
• target:+:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>, and that the endpoint URL is also to be added as an Audience URI in the assertion. Note: Specifying this form of the partner lookup string on an Identity Provider partner is unlikely to produce a match and should therefore be avoided.
• target:*:<endpoint-url> specifies that the partner lookup is conducted for an initial-string pattern match of the URL, <endpoint-url>.