Oracle® Fusion Middleware Federated Portals Guide for Oracle WebLogic Portal 10g Release 3 (10.3.4) Part Number E14235-05 |
|
|
View PDF |
This chapter discusses how to configure the security realms of WebLogic Portal producers and consumers running in different domains. In the first part of this chapter, we explain the configuration that is required when both the producer and consumer are running in WebLogic Portal version 9.2 or later domains. In the second part of this chapter, the case of mixed domains is discussed, where the producer and consumer can be running in either WebLogic Portal 8.1x or 9.2 or later domains.
This chapter includes the following sections:
Section 15.1, "SAML Security Between WebLogic Portal Domains"
Section 15.2, "SAML Security Between WebLogic Portal 8.1x and 9.2 or Later Versions"
This section explains the procedure for configuring WSRP security using custom SAML tokens when the producer and consumer are running in different WebLogic Portal version 9.2 or later domains. Use the procedure described in this section to configure security on production systems where custom SAML tokens are required.
Note:
By default, with no previous configuration, WebLogic Portal 9.2 and later domains share a common key. This allows you to quickly create, for demonstration or testing purposes, federated portals that require user authentication without undergoing the configuration procedure described in this section.
Caution:
It is recommended that you do not use the default key described in the previous note in a production environment. Using this default setting allows any consumer to connect to your producer.
This section includes these topics:
In a typical scenario, consumer and producer applications are running in separate WebLogic Portal 9.2 or later domains, as shown in Figure 15-1.
By default, WebLogic Portal specifies SAML as the default security token type for WSRP. If you are running in a demonstration or development environment, no further configuration is required. However, for a production environment it is recommended that you perform the SAML configuration described in this section.
This section describes an example federated portal application where the producer and consumer are running in different WebLogic Portal 9.2 or later domains. This example provides a basis for discussing how to configure SAML security between these domains.
The portal shown in Figure 15-2 includes a local portlet on the left and a remote (proxy) portlet on the right. The local portlet is a login portlet. When a user logs in successfully, the producer portlet displays the user's name. As you will see, however, unless SAML security is properly configured, an error results when a user logs in to the portal.
Figure 15-2 Consumer Portal Before User Login
As you can see in Figure 15-2, the proxy portlet renders without error before a user logs in. It isn't until a user attempts to log in that a SAML message is sent, resulting in an error.
Checkpoint: This section described an example federated portal where the consumer and producer are running in separate WebLogic Portal domains. In the following sections, we explain how to configure the consumer and producer so that the SAML token sent from the consumer is accepted by the producer.
To correct the error shown in the previous section, you need to configure both the consumer and the producer. This section discusses the consumer configuration.
This section explains how to generate a key on the consumer using the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.
Tip:
Anytime you generate a new key, you must copy the keystore to the entire cluster.
Note:
By default, the consumer has a keystore that the server uses for its SSL key. The default keystore is called DemoIdentity.jks. If you are using a different keystore, then modify the one that you are currently using.
On the consumer, open a command window and CD to the <
WEBLOGIC_HOME
>/server/lib
directory.
Run the keytool command to generate a new key, as shown in Figure 15-3. For example, the following command generates a key called testalias
.
keytool -genkey -keypass testkeypass -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyalg rsa -alias testalias
The options used in the example keytool command include the following:
Command Parameter | Description |
---|---|
keytool |
A Java tool used to generate a key. |
-genkey |
Instructs the keytool to generate a key. |
-keypass |
Specifies the password to be used with the new key. |
-keystore |
Specifies the name of the keystore. A keystore stores keys and certificates. The default keystore, |
-storepass |
Specifies the password for the keystore. |
-keyalg |
Specifies the encryption algorithm for the keystore. You must use |
-alias |
Specifies a name for the generated key. |
Export the key from the consumer server. In the same command window that you used to generate the key, in the same directory, run the keytool command with the -export
option, as shown in Figure 15-4. For example, the following command generates a key file called testalias.der
.
keytool -export -keypass testkeypass -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -alias testalias -file testalias.der
This section explains the procedure for configuring the consumer to use the key that you generated.
Tip:
A security realm is a container for the mechanisms–including users, groups, security roles, security policies, and security providers–that are used to protect WebLogic resources. You can have multiple security realms in a WebLogic Server domain, but only one can be set as the default (active) realm. The default is called myrealm.
Log in to the WebLogic Server Administration Console on the consumer. To do this, open a browser and enter the following URL:
http://
serverIP
:
port
/console
where serverIP
is the IP address of the server on which the consumer application is running, and port
is the server's port number. For example:
http://localhost:7001/console
Figure 15-5 WebLogic Server Administration Console Login Dialog
In the Administration Console, select Security Realms in the Domain Structure tree, as shown in Figure 15-6.
Select a security realm. The default security realm is called myrealm
, as shown in Figure 15-7.
Select the Providers tab and then the Credential Mapping tab, as shown in Figure 15-8.
Figure 15-8 Selecting the Credential Mapping Tab
Select SAMLCredentialMapper, as shown in Figure 15-9.
Tip:
The SAML Credential Mapper provider acts as a producer of SAML security assertions, allowing WebLogic Server to act as a source site for using SAML for single sign-on.
Figure 15-9 Selecting the SAMLCredentialMapper
Select Provider Specific, as shown in Figure 15-10.
Figure 15-10 Selecting the Provider Specific Tab
In the Change Center window, select Lock and Edit, as shown in Figure 15-11. This function blocks other users from making Administration Console changes and enables you to edit the SAMLCredentialMapper settings.
Edit the Issuer URI, as shown in Figure 15-12. This unique URI tells the producer the origin of the SAML message and allows the producer to match the consumer with the key. Typically, the consumer's URL is used in this string to guarantee that it is unique. For example:
http://www.bea.com/demoConsumer
Enter the Signing Key Alias and Signing Key Pass Phrase, as shown in Figure 15-13. These are the values you used when you generated the keystore. In this example they were:
Provider Field | Value |
---|---|
Signing Key Alias |
testalias |
Signing Key Pass Phrase |
testkeypass |
Tip:
It is recommended that you set the Default Time To Live to 120 seconds, the Cred Cache Min Viable TTL to 10 seconds, and the Default Time To Live Offset to 0. Then, select the Management tab and in the relying party configuration, set the Assertion Time To Live Offset to the difference between the clock times of the consumer and producer (consumer time minus producer time).
Click Save.
In the Change Center window, click Activate Changes, as shown in Figure 15-14.
Checkpoint: At this point, the SAML credential mapper provider on the consumer is configured to use the keystore you generated. If you were to try to log in to the login portlet, you would receive an error, as shown in Figure 15-15. This is because the producer does not yet recognize the new key sent from the consumer. In the next steps, you will configure the producer to accept the key sent from the consumer.
Figure 15-15 Login Results in an Error in the Producer Portlet
Tip:
If you scroll the portal to the right, you will see that the error message says "The SAML token is not valid," as shown in Figure 15-16.
This section explains how to configure the producer. To do this, you import the certificate into the SAML asserter, and configure the asserting party properties.
Copy the key file (testailias.der
) that you generated on the consumer to the producer using any method you want, such as FTP or SMB. You can place the file in any directory on the destination machine.
Open the WebLogic Server Administration Console on the producer machine and log in.
Select Security Realms.
Select a security realm, such as myrealm.
Select the Providers tab.
Select the Authentication tab.
Select SAMLIdentityAsserter, as shown in Figure 15-17. An identity asserter allows WebLogic Server to establish trust by validating a user.
Figure 15-17 Selecting the Identity Asserter
Click the Management tab, and click Certificates, as shown in Figure 15-18.
Figure 15-18 Selecting the Certificates Tab
In the Certificates dialog, click New, as shown in Figure 15-19.
In the Alias field, enter a name for the certificate, as shown in Figure 15-20. It is a good practice to use the same name you used when you created the certificate. In this example, the name of the alias is testalias
.
In the Certificate File Name field, enter the path to the certificate file, as shown in Figure 15-20.
Figure 15-20 Entering Certificate Properties
Click Finish. If there are no problems, the following message is displayed:
The certificate has been successfully registered.
On the Management tab, click Asserting Parties.
Tip:
The WsrpDefault asserting party is set up for the producer's default WSRP key. If the consumer and producer applications were running on the same server, the WSRP key of the consumer would be accepted by the producer. It is a good practice to delete the WsrpDefault party for an application that is in production.
In the Asserting Parties table, click New, as shown in Figure 15-21.
Figure 15-21 Creating a New Asserting Party
In the Profile dropdown menu, select WSS/Sender Vouches, as shown in Figure 15-22.
In the Description field, enter a name to identify the asserting party, as shown in Figure 15-22. For example: demoConsumer
.
Enable the new asserting party. To do this, click the Partner ID link for the asserting party. In this example, the link is ap_0002 for the asserting party called demoConsumer, as shown in Figure 15-23.
Figure 15-23 Selecting the New Asserting Party
Set the asserting party values, as listed in Table 15-0 and shown in Figure 15-24.
Table 15-2 Asserting Party Values
Parameter | Value |
---|---|
Enabled |
Select the checkbox (true). |
Target URL |
default |
Issurer URI |
Use the same one that you configured on the consumer. In this example, it is |
Signature Required |
Select the checkbox (true). |
Assertion Signing Certificate Alias |
Use the same one that you configured on the consumer. In this example it is |
Click Save.
If there were no problems, the message, Settings updated successfully, appears.
On the consumer, log into the portal application with a valid user name and password. You will see the user name appear in the proxy portlet. This indicates that the SAML message was passed from the consumer to the producer, and that the producer recognized and accepted it.
Producer and consumer applications developed with WebLogic Portal 9.2 or later versions are compatible with producers and consumers developed with WebLogic Portal 8.1x. That is, a portal developed with WebLogic Portal 9.2 or later versions can consume portlets deployed in a WebLogic Portal 8.1x domain. Similarly, portlets exposed in a WebLogic Portal 9.2 or later producer can be consumed by an 8.1x consumer. These two use cases are summarized in Figure 15-26.
This section discusses addresses both of these use cases. The following topics are discussed:
Section 15.2.1, "SAML Security Between 9.2 or Later Version Consumers and 8.1x Producers"
Section 15.2.2, "SAML Security Between 8.1x Consumers and 9.2 or Later Version Producers"
This section explains how to achieve SAML-based security compatibility between a WebLogic Portal 9.2 or later version consumer and an 8.1x producer, as summarized in Figure 15-27.
Tip:
By default, with no configuration changes made to either side, WSRP between a 9.2 or later version consumer and 8.1x producer works. That is, a 9.2 or later version consumer can consume a portlet from an 8.1x producer with no configuration changes. However, if you want to use your own key for the 9.2 or later version consumer, you need to follow the procedure outlined in this section
The portal shown in Figure 15-28 includes a local portlet on the left and a remote (proxy) portlet on the right. The remote portlet is deployed in an 8.1x producer. The local portlet is a login portlet. Before SAML security is properly configured, when a user logs in, the name that is returned is null.
Figure 15-28 Consumer Portal Before User Login
The following sections explain how to configure the consumer with a key that can sign the SAML assertion sent to the producer. The basic tasks include:
Generating a key
Changing the consumer's name
Modifying the consumer's security realm
This section explains how to generate a key on the consumer using the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems web site.
On the consumer, open a command window and CD to the <
WEBLOGIC_HOME
>/server/lib
directory.
Run the keytool command to generate a new key, as shown in Figure 15-29. For example, the following command generates a key called consumer92key
.
keytool -genkey -alias consumer92key -keystore wsrpKeystore.jks -storepass password -keypass consumer92pass
The options used in the example keytool command include the following:
Command parameter | Description |
---|---|
keytool |
A Java tool used to generate a key. |
-genkey |
Instructs the keytool to generate a key. |
-alias |
Specifies a name for the generated key. |
-keystore |
Specifies the name of the keystore. A keystore stores keys and certificates. The default keystore, |
-storepass |
Specifies the password for the keystore. |
-keypass |
Specifies the password to be used with the new key. |
Copy the wsrp-consumer-security-config.xml
from the J2EE Shared Library to your project. To do this in Oracle Enterprise Pack for Eclipse, open the Merged Projects view, find the file in the WEB-INF directory of your consumer web application. Right-click the file and select Copy to Project. For more information on copying files from J2EE Shared Libraries, see the Oracle Fusion Middleware Production Operations Guide for Oracle WebLogic Portal and the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
Edit the file wsrp-consumer-security-config.xml
in the WEB-INF
directory of your consumer web application. Change the <consumer-name>
element from wsrpConsumer
to another arbitrary name. For example, change:
<consumer-name>wsrpConsumer<consumer-name>
to
<consumer-name>consumer9x<consumer-name>
Restart the consumer application's server so that the change to the configuration file takes effect.
Checkpoint: If you try to log in to the remote portlet again, you will receive an error, as shown in Figure 15-30. This error is caused by the fact that the producer cannot find the key that was sent from the consumer. The next step is to configure the security realm for the consumer domain.
Log in to the WebLogic Server Administration Console on the consumer. The URL for the console is:
http://
servername
:
portnumber
/console
where servername
is your server's IP name, and portnumber
is the server's port. For example:
http://localhost:7001/console
Click the Security Realms link in the Domain Structure window, as shown in Figure 15-31.
Select myrealm (or the name of the security realm you are using) and then select the Credential Mappings tab.
In the Credential Mappings tab, select PKI, as shown in Figure 15-32.
Tip:
PKI, or public key infrastructure, allows the exchange of data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. For more information, see "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.
In the PKI Credential Mappings table, click New to create a new credential.
In the Create New Security Credential dialog, click Next without entering any remote resource attribute information.
Tip:
By leaving the remote resource attributes blank, the credential will be accepted by all producers. If you want to specify a producer, enter the appropriate information in this dialog.
In the Create a New Security Credential Map Entry dialog, enter the following in the Local User field:
consumerName
__81_COMPAT
where consumerName
is the consumer name you entered previously in the wsrp-consumer-security-config.xml
file. (Note that the name is followed by a double underscore.)
For this example, the correct value for Local User is: consumer9x__81_COMPAT
.
Select the User radio button.
In the Keystore Alias field, enter the alias you used for the key that you generated previously. In this example, the alias is consumer92key
.
In the Password field, enter the key password you used when you generated the key. In this example, the password is consumer92pass
.
Click Finish. Figure 15-33 shows the new principal name added to the PKI Credential Mappings: consumer92__81_COMPAT
.
Figure 15-33 List of PKI Credential Mappings
Export the key from the consumer's keystore. Use the keytool
utility to export the key that you created previously. You will use this key in the next set of steps to configure the WebLogic Portal 8.1x producer. For example:
keytool -export -alias consumer92key -keystore wsrpKeystore.jks -storepass password -keypass consumer92pass -file consumer92.der
Checkpoint: In the previous steps, you associated this consumer, consumer92
, to a key to sign the SAML assertion. If you now try to log in to the remote portlet, the previously seen error does not appear. This means that the consumer is now properly associated with a key. However, now after logging in, the user name is null
, as shown in Figure 15-34. This is because this consumer is not yet known to the producer. The next set of steps demonstrate how to configure the WebLogic Portal 8.1x producer to accept the WebLogic Portal 9.2 or later version consumer's key.
Tip:
It is interesting to note an important difference between the behavior of a WebLogic Portal 9.2 or later version producer and a WebLogic Portal 8.1x producer. If a WebLogic Portal 9.2 or later version producer cannot verify what the consumer is sending, you will receive an error. If a WebLogic Portal 8.1x producer cannot verify what the consumer is sending, the producer ignores this condition and continues with an anonymous user. In addition, if an 8.1x consumer sends an unverifiable message to a 9.2 or later version producer, the producer likewise ignores the condition and continues with an anonymous user.
This section explains how to configure the WebLogic Portal 8.1x producer. To do this, you import the key into the producer's keystore.
To import the certificate, follow this procedure.
Copy the previously exported certificate to the system on which the producer application is deployed, using whichever method is appropriate for your system, such as FTP or SMB. You can put this file anywhere on the destination machine.
In a command window, CD to the root directory of the producer's domain. For example:
<MW_HOME>/weblogic81/user_projects/domains/portalDomain
Import the key using the keytool utility. For example:
keytool -import -keystore wsrpKeystore.jks -file c:\consumer92.der -storepass password -alias consumer9x -keypass consumer92pass
Note:
The alias argument must match the consumer name you used when you created the key on the consumer. In this example, that name is consumer9x.
Restart the server in which the producer application is deployed.
After the producer server is restarted, you can once again test the remote portlet in the consumer application. When you log into the portal, you will see that the remote portlet now recognizes the user as logged in, as shown in Figure 15-35.
The preceding example demonstrated how to configure SAML security between a WebLogic Portal 9.2 or later version consumer and a WebLogic Portal 8.1x producer. In the next example, you will see the reverse: configuring SAML security between a WebLogic Portal 8.1x consumer and a WebLogic Portal 9.2 or later version producer.
This section explains how to achieve security compatibility between a WebLogic Portal 8.1x consumer and an 9.2 or later version producer, as summarized in Figure 15-36.
The basic steps include:
This section explains how to configure the 8.1x consumer. The basic steps include generating a key and configuring the WSRP Consumer Security Service in the WebLogic Administration Portal.
This section explains how to use the keytool utility to generate a key on the consumer. Keytool, a Java utility distributed by Sun Microsystems, manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems web site.
If you have not already done this, generate a key. To do this, CD to the root directory of the WebLogic Portal 8.1x consumer application's domain and use the keytool utility to generate the key. For example:
<MW_HOME>/weblogic81/user_projects/domains/portal
keytool -genkey -keystore wsrpKeystore.jks -alias consumer8xkey -storepass password -keypass consumer8xpass
The options used in the example keytool command include the following:
Command Parameter | Description |
---|---|
keytool |
A Java tool used to generate a key. |
-genkey |
Instructs the keytool to generate a key. |
-keystore |
Specifies the name of the keystore. A keystore stores keys and certificates. The default keystore, |
-alias |
Specifies a name for the generated key. |
-storepass |
Specifies the password for the keystore. |
-keypass |
Specifies the password to be used with the new key. |
Log in to the version 8.1x WebLogic Administration Portal on the consumer application's server. To start the Administration Portal from Oracle Enterprise Pack for Eclipse, select Portal > Portal Administration. Or, enter the following URL in a browser:
http://localhost:7001/
applicationName
/login.jsp
where applicationName
is the name of the WebLogic Portal consumer application.
Figure 15-37 WebLogic Administration Portal Sign In Page
In the Administration Portal, select Service Administration.
In the Application Configuration Settings tree, select WSRP Consumer Security Service, as shown in Figure 15-38.
Figure 15-38 Selecting WSRP Consumer Security Service
In the Configuration Settings dialog, enter a name for the consumer, the Certificate Alias that you used when you generated the consumer key, and the Certificate Private Key Password that you used when you generated the key, as shown in Figure 15-39 and click Update.
Figure 15-39 Entering Security Service Parameters
Export the key using the keytool utility. To do this, CD to the consumer's domain root directory, and enter the appropriate keytool command. For example:
keytool -export -alias consumer8xkey -keystore wsrpKeystore.jks -file consumer81.der
This section explains how to configure the producer. To do this, you must configure the producer's PKI credential mappings to include the consumer's certificate.
Copy the exported key to the WebLogic Portal 9.2 or later version producer's root domain directory using an appropriate method, such as FTP or SMB. You can put this file anywhere on the destination machine.
Use the keytool utility to import the key into the 9.2 or later version producer's keystore. For example:
keytool -import -keystore wsrpKeystore.jks -file consumer81.der -alias consumer8xkey -keypass consumer8xpass
Log in to the WebLogic Server Administration Console on the producer server.
Click the Security Realms link in the Domain Structure window, as shown in Figure 15-31.
Select myrealm (or the name of the security realm you are using) and then select the Credential Mappings tab.
In the Credential Mappings tab, select PKI, as shown in Figure 15-32.
Tip:
PKI, or public key infrastructure, allows the exchange of data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. For more information, see "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.
In the PKI Credential Mappings dialog, click New, as shown in Figure 15-42.
Figure 15-42 Creating a New PKI Credential Mapping
In the Creating the Remote Resource for the Security Credential Mapping dialog, leave all fields blank and click Next.
Tip:
By leaving the fields blank, this indicates that the credential is recognized for all consumers. If you want to restrict the credential to a specific consumer, you can fill in the required information.
In the Create a New Security Credential Map Entry dialog, enter the following information:
Select the Certificate radio button (true).
In the Principal Name field, enter consumerName
__81_COMPAT
, where consumerName
is the name of the consumer. In this example, the name is consumer8x
.
Select the User radio button.
In the Keystore Alias field, enter the alias you used when you imported the keystore. In this example, it is consumer8xkey
.
In the Password field, enter the key password you used when you imported the keystore. In this example, it is consumer81pass
.
Figure 15-43 shows the completed dialog.
Figure 15-43 Entering PKI Credential Mappings Parameters
Click Finish. The PKI Credential Mappings table reappears and shows that the new certificate has been added, as shown in Figure 15-44.
Figure 15-44 New Certificate Added to the Producer
To test the configuration, log in to the consumer portal. As shown in Figure 15-45, the user name weblogic
appears in the proxy portlet. This indicates success: the user was logged in successfully on the producer.
A name mapper is a class that maps one user name to another. Use a name mapper when the producer and consumer have different names for the same user. This section explains how to write and configure a name mapper class on both the consumer and the producer.
If you want to use a name mapping class on the producer or the consumer, the basic steps include:
WebLogic Portal provides two user name mapping interfaces:
weblogic.security.providers.saml.SAMLCredentialNameMapper
Implement this interface on the consumer to map a user name on the consumer to a new name. See Section 15.3.1.1, "Implementing SAMLCredentialNameMapper on the Consumer" for an example.
weblogic.security.providers.saml.SAMLIdentityAssertionNameMapper
Implement this interface on the producer to map a user name sent from the consumer to a user name on the producer. See Section 15.3.1.2, "Implementing SAMLIdentityAssertionNameMapper on the Producer" for an example.
Implement SAMLCredentialNameMapper on the consumer to provide name mapping on the consumer. Example 15-1 shows an example implementation of SAMLCredentialNameMapper.
The mapSubject() method gets a Subject (user) and returns a SAMLNameMapperInfo object. The method provides logic to test the user name and replace it with a new user name. This new user name is then returned in a SAMLNameMapperInfo object, which is then passed to the producer.
For detailed information on this interface, see the Oracle Fusion Middleware Java API Reference for Oracle WebLogic Portal.
Example 15-1 Example SAMLCredentialNameMapper Implementation
package com.bea.wsrp.qa.security; import java.util.Collection; import java.util.Set; import javax.security.auth.Subject; import weblogic.security.SubjectUtils; import weblogic.security.providers.saml.SAMLCredentialNameMapper; import weblogic.security.providers.saml.SAMLNameMapperInfo; import weblogic.security.service.ContextHandler; import weblogic.security.spi.WLSGroup; public class CustomSAMLNameMapperImpl implements SAMLCredentialNameMapper { private String nameQualifier = null; public CustomSAMLNameMapperImpl (){ } /************ SAMLCredentialNameMapper implementation**************/ public synchronized void setNameQualifier(String nameQualifier) { this.nameQualifier = nameQualifier; } public SAMLNameMapperInfo mapName (String name, ContextHandler handler) { return new SAMLNameMapperInfo(nameQualifier, name, null); } public SAMLNameMapperInfo mapSubject (Subject subject, ContextHandler handler) { // Provider checks for null Subject... Set groups = subject.getPrincipals(WLSGroup.class); String userName = null; userName = SubjectUtils.getUsername(subject); if (userName == null || userName.equals("")) { System.out.println("mapSubject: Username string is null or empty, returning null"); return null; } if (userName.equals("testUser")) { userName = "testUser_Mapped"; } // Return mapping information... return new SAMLNameMapperInfo(nameQualifier, userName, groups); } }
Implement SAMLIdentityAssertionNameMapper on the producer to provide name mapping. Example 15-2 shows an example implementation of SAMLIdentityAssertionNameMapper. In this example, if you log in on the consumer as testUser_Mapped
, the name mapper class retrieves that user name on the producer and logs you in as testUser_Producer
.
The mapNameInfo() method gets a SAMLNameMapperInfo object from the consumer. This object contains the name with which the user logged in on the consumer. The method provides logic to test the user name from the consumer and replace it with a user name on the producer.
For detailed information on this interface, see the Oracle Fusion Middleware Java API Reference for Oracle WebLogic Portal.
Example 15-2 Example SAMLIdentityAssertionNameMapper Implementation
package com.bea.wsrp.qa.security; import java.util.Collection; import java.util.Set; import javax.security.auth.Subject; import weblogic.security.SubjectUtils; import weblogic.security.providers.saml.SAMLIdentityAssertionNameMapper; import weblogic.security.providers.saml.SAMLNameMapperInfo; import weblogic.security.service.ContextHandler; import weblogic.security.spi.WLSGroup; public class CustomSAMLNameMapperImpl implements SAMLIdentityAssertionNameMapper { private String nameQualifier = null; public CustomSAMLNameMapperImpl (){ } /************ SAMLIdentityAssertionNameMapper implementation**************/ public String getGroupAttrName () { return SAMLNameMapperInfo.BEA_GROUP_ATTR_NAME; } public String getGroupAttrNamespace () { return SAMLNameMapperInfo.BEA_GROUP_ATTR_NAMESPACE; } public Collection mapGroupInfo(SAMLNameMapperInfo info, ContextHandler handlr) { return info.getGroups(); } public String mapNameInfo(SAMLNameMapperInfo info, ContextHandler handler) { String userName = info.getName(); if (userName == null || userName.equals("")) { System.out.println("mapNameInfo: Username string is null or empty, returning null"); return null; } if (userName.equals("testUser_Mapped")) { userName = "testUser_Producer"; } return userName; } }
Whether you are implementing a mapper class on the producer or the consumer, the class must be in the server's class path. For information on adding classes to the server class path, refer to the WebLogic Server topic "Adding Startup and Shutdown Classes to the Classpath" at in the Oracle WebLogic Server Administration Console Help.
You need to use the WebLogic Server Administration Console add the mapper classes to the security realm of the producer and/or consumer.
To add a mapper class to the producer:
Open the WebLogic Server Administration Console on the producer machine and log in.
Select Security Realms from the Domain Structure tree.
Select a security realm, such as myrealm.
Select Providers.
Select SAMLIdentityAsserter, as shown in Figure 15-46. An identity asserter allows WebLogic Server to establish trust by validating a user.
Figure 15-46 Selecting the Identity Asserter
Click the Management tab.
In the Asserting Parties table, click the Partner ID link for the asserting party you want to use. In this example, the link is ap_0002 for the asserting party called demoConsumer, as shown in Figure 15-47.
Figure 15-47 Selecting the New Asserting Party
In the Configuration tab, enter the full class name of the mapper class in the Name Mapper Class field, as shown in Figure 15-48. For example:
com.bea.wsrp.qa.security.CustomSAMLNameMapperImpl
Figure 15-48 Entering the Name Mapper Class
Click Save.
To add a mapper class to the producer:
Open the WebLogic Server Administration Console on the consumer machine and log in.
Select Security Realms from the Domain Structure tree.
Select a security realm, such as myrealm.
Select the Providers and then the Credential Mapping tab.
Figure 15-49 Selecting the Credential Mapping Tab
Select SAMLCredentialMapper, as shown in Figure 15-50.
Figure 15-50 Selecting the SAMLCredentialMapper
Select Management tab.
Select the Relying Parties link for the relying party you want to use. For example, the relying party shown in Figure 15-51 is rp_00001.
Tip:
For more information on relying party configuration, see the WebLogic Server topic, "Configuring a Relying Party" in the Oracle WebLogic Server Administration Console Online Help.
In the Name Mapper Class field, enter the full class name of the mapper class, as shown in Figure 15-52. For example:
com.bea.wsrp.qa.security.CustomSAMLNameMapperImpl
Figure 15-52 Entering the Name Mapper Class
Click Save.
You can configure the producer to automatically create a new user if it does not recognize the user name sent from the consumer. This feature is useful if you do not want to manually create a unique user name on the producer for every user who might log in from a consumer application. You can use this feature as long as the producer is configured to recognize the consumer's SAML token, as explained previously in this chapter.
To configure the producer to allow virtual users:
Log in to the WebLogic Server Administration Console.
Navigate to the SAMLIdentityAsserter Configuration tab. For instructions on navigating to this tab, see Section 15.3.3.1, "Adding a Mapper Class to the Producer".
Check the Allow Virtual Users checkbox, as shown in Figure 15-53.
Click Save.