Before you begin
A partner lookup string must be specified when configuring either a web service Identity Provider partner or a Service Provider partner. This string, which specifies an endpoint URL, is required at run time by WebLogic Server to discover the partner that is associated with a SAML 2.0 assertion that needs to be either generated or validated.
For example, when a web service client needs an assertion, it passes the endpoint of the target web service to the SAML 2.0 Credential Mapping provider. The SAML 2.0 Credential Mapping provider looks up the appropriate web service Service Provider partner by searching for any partner entry that is configured with a lookup string that matches that endpoint, and then generates the assertion that is required for the partner that is found.
In a similar manner, when a WebLogic Server instance configured in the role of Service Provider receives the invocation from the web service client, it passes the assertion and the invoked endpoint to the SAML 2.0 Identity Assertion provider. The SAML 2.0 Identity Assertion provider looks up the appropriate web service Identity Provider partner by searching for any partner configured with a lookup string that matches that endpoint, and then validates the assertion against the partner that is found.
WebLogic Server also allows you to configure a partner lookup string so that the specified endpoint also serves as an Audience URI. The Audience URI attribute is therefore overloaded to perform two related but separate functions: to specify the Audience URIs that must be included in assertions, and also to designate partner lookup strings. (When configuring an Identity Provider partner, partner lookup strings and Audience URIs need to be specified in separate entries due to the way in which endpoint URLs are passed to the SAML 2.0 Identity Assertion provider.)
If a partner lookup string is not configured for a SAML 2.0 web service partner, that partner cannot be discovered at run time, and the necessary assertion for that partner cannot be generated or validated.
The general syntax for the partner lookup string is the same for both Identity Provider and Service Provider partners, but the way in which it is specified differs because of the way in which incoming endpoint URLs are handled by WebLogic Server. WebLogic Server supports two basic forms of the partner lookup string:

- Exact match. For example, if you specify http://www.abc.com/xxx/yyy/zzz as an exact match lookup string for Partner A, the result is that Partner A can be selected as a match only when that exact same endpoint is passed in to the appropriate SAML 2.0 security provider. WebLogic Server supports two ways in which you can specify an exact-match partner lookup string so that the specified URL may be included in, or excluded from, assertions as an Audience URI. When configuring a Service Provider partner, this mechanism eliminates the need to duplicate a given URL as both an Audience URI and a partner lookup string.

- Initial-string match. For example, if you specify http://www.abc.com/xxx as an initial-string match lookup string for Partner A, the result is that Partner A can be selected as a match for any endpoint passed in that begins with http://www.abc.com/xxx. Endpoints such as http://www.abc.com/xxx/yyy/zzz and http://www.abc.com/xxx/aaa/bbb can be matched to this partner.

The partner lookup string has the following syntax:

[target:char:]<endpoint-url>
In the preceding syntax, target:char: is a prefix that is used to designate the partner lookup string, where char represents one of three special characters: a hyphen, plus sign, or asterisk (-, +, or *). This prefix determines how partner lookup is performed, as follows:
- target:-:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>. This form of partner lookup string designates that the endpoint URL is not to be included as an Audience URI in the assertion.

- target:+:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>, and that the endpoint URL is also to be added as an Audience URI in the assertion. Note: Specifying this form of the partner lookup string on an Identity Provider partner is unlikely to produce a match and should therefore be avoided.

- target:*:<endpoint-url> specifies that partner lookup is conducted for an initial-string pattern match of the URL, <endpoint-url>. When you configure a Service Provider site, this behavior enables you to configure a single Identity Provider partner that can be used to validate all assertions for the same web service, regardless of variations in the transport protocol (HTTP vs. HTTPS), host name, IP address, and port across all the machines in a domain that host that web service.
Therefore, the endpoint URLs you configure in any lookup string for an Identity Provider partner should contain only the portion of the URL that follows the host and port. For example, target:*:/myserver/xxx.

target:*:/
target:*:http://
target:*:https://
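The following Python model is an added example, not WebLogic Server code: it implements the [target:char:]<endpoint-url> matching rules described above (exact match with or without Audience URI, initial-string match), performs the partner lookup against an endpoint, and lints Identity Provider lookup strings against the guidance given here. The partner names and endpoints are constructed, first-match ordering is assumed, and a string with no target:char: prefix is assumed to behave as an exact match that is not added as an Audience URI (the page does not state the default).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class LookupString:
    mode: str           # "exact" or "prefix" (initial-string match)
    add_audience: bool  # True only for target:+: (URL also becomes an Audience URI)
    url: str

def parse_lookup_string(s: str) -> LookupString:
    """Parse the [target:char:]<endpoint-url> syntax into its matching rules."""
    if s.startswith("target:") and s[8:9] == ":":
        char, url = s[7], s[9:]
        if not url:
            raise ValueError(f"empty endpoint URL in lookup string {s!r}")
        if char == "-":
            return LookupString("exact", False, url)
        if char == "+":
            return LookupString("exact", True, url)
        if char == "*":
            return LookupString("prefix", False, url)
        raise ValueError(f"unknown prefix character {char!r} in {s!r}")
    # Assumption: with no target:char: prefix the string is treated as an exact
    # match that is not added as an Audience URI (the page states no default).
    return LookupString("exact", False, s)

def matches(rule: LookupString, endpoint: str) -> bool:
    """Exact match compares the whole URL; initial-string match compares a prefix."""
    if rule.mode == "exact":
        return endpoint == rule.url
    return endpoint.startswith(rule.url)

def find_partner(partners: Dict[str, List[str]], endpoint: str) -> Optional[Tuple[str, bool]]:
    """Return (partner name, add_audience) for the first partner whose lookup string matches."""
    for name, lookup_strings in partners.items():
        for s in lookup_strings:
            rule = parse_lookup_string(s)
            if matches(rule, endpoint):
                return name, rule.add_audience
    return None

def lint_idp_lookup_string(s: str) -> List[str]:
    """Flag Identity Provider lookup strings that the guidance above says to avoid."""
    rule = parse_lookup_string(s)
    problems = []
    if rule.add_audience:
        problems.append("target:+: on an Identity Provider partner is unlikely to match")
    if rule.url.startswith(("http://", "https://")):
        problems.append("Identity Provider lookup string should hold only the path after host and port")
    return problems
```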