To create a SAML 2.0 Web service Identity Provider partner:
- In the left pane, select Security Realms.
- On the Summary of Security Realms page, select the name of the realm (for example, myrealm).
- On the Settings for Realm Name page, select Providers > Authentication.
- In the Authentication Providers table, select the SAML 2.0 Identity Assertion provider.
- On the Settings for SAML 2.0 Identity Asserter page, select Management.
- In the table under Identity Provider Partners, click New > New Web Service Identity Provider Partner.
- On the Create a SAML 2.0 Web Service Identity Provider Partner page, enter the name of the new Identity Provider partner, and click Finish.
Note: If you click the browser's Back button after clicking Finish, the partner name is reset to the default.
- In the Identity Provider Partners table, select the name of your newly created Identity Provider partner.
- In the Settings for SAML 2.0 Identity Asserter > General page, select Enabled to enable interactions between this server and this Identity Provider partner.
- Specify an Issuer URI, which is a string that is uniquely associated with this Identity Provider partner. It must match the Issuer element in the assertions the partner sends, because an incoming assertion is attributed to this partner by comparing the two; a mismatch means the assertion is not accepted as coming from this partner.
- Specify one or more partner lookup strings, and optionally Audience URIs, as Audience URI attributes. WebLogic Server overloads this one attribute to serve both functions, as follows:
- A partner lookup string contains an endpoint URL that enables the SAML 2.0 Identity Assertion provider to match a requested Web service endpoint with an Identity Provider partner that is configured to generate valid assertions for accessing that endpoint. At least one partner lookup string is required for each Identity Provider partner; without one, WebLogic Server cannot discover that partner at run time. For details about how to create a partner lookup string, see Create partner lookup strings.
- Audience URIs are optional, but if they are included, they must be specified as entries separate from the partner lookup strings. Any assertion received from this Identity Provider partner that does not contain at least one of the specified Audience URIs is rejected. If no Audience URI is specified, this check is not performed, so an assertion the partner issued for some other audience is not rejected on that basis; listing the Audience URIs of your own endpoints is therefore recommended.
- Configure additional settings as appropriate. For example, you may choose to do one or more of the following:
- Specify an Identity Provider Name Mapper class, which is a custom implementation of the com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapper interface. This class overrides the default Identity Asserter Name Mapper class with which the SAML 2.0 Identity Asserter provider is configured. The Name Mapper class you specify in this field is used only for assertions received from this Identity Provider partner. For more information about this name mapper class, see Configuring a SAML 2.0 Identity Assertion Provider for SAML 2.0.
- Select Virtual User to map user information from assertions to virtual users in the security realm. If you choose this option, you must also create and configure a SAML Authentication provider instance in the security realm. For more information, see Configuring the SAML Authentication Provider.
- Select Process Attributes to extract from the assertions received from this partner the information that is used to determine the groups to which the mapped Subject belongs. If you choose this option, you must also create and configure a SAML Authentication provider instance in the security realm. For more information, see Configuring the SAML Authentication Provider.
For more information about these configuration options, see Using Security Assertion Markup Language (SAML) Tokens For Identity.
- Click Save.
- In the Settings for SAML 2.0 Identity Asserter > Assertion Signing Certificate page, configure the Identity Provider partner's assertion signing certificate. Coordinate with your partner to obtain this certificate over a trusted channel, and confirm its fingerprint with the partner before importing it: this certificate is what the server trusts when it verifies the signature on assertions from the partner, so a substituted certificate would let whoever holds the matching private key issue assertions in the partner's name. For more information, see Using Security Assertion Markup Language (SAML) Tokens For Identity.
Result
The Web service Identity Provider partner is created in the local
server instance.
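The following is an added example, not code from the WebLogic documentation or product. It models, offline, the effect of the fields set in the procedure above (Enabled, Issuer URI, the overloaded Audience URI attribute holding both partner lookup strings and Audience URIs, and the presence of an assertion signing certificate) by applying them to constructed SAML 2.0 assertions. The partner record, the "target:<char>:<endpoint-url>" shape used for a partner lookup string, the partner and host names, and the reason strings are all assumptions made here; XML signature verification is deliberately not modeled.

```python
# Added example: not WebLogic code. Models the checks the partner settings
# configure so each field's effect can be exercised offline.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
LOOKUP_PREFIX = "target:"  # assumed marker telling a lookup string from an Audience URI


@dataclass
class WebServiceIdPPartner:
    """Values entered on the Settings for SAML 2.0 Identity Asserter pages (assumed model)."""
    name: str
    enabled: bool
    issuer_uri: str
    audience_uri_attr: List[str]   # overloaded attribute: lookup strings + Audience URIs
    signing_cert_pem: str = ""     # Assertion Signing Certificate page

    def partner_lookup_strings(self) -> List[str]:
        return [v for v in self.audience_uri_attr if v.startswith(LOOKUP_PREFIX)]

    def audience_uris(self) -> List[str]:
        return [v for v in self.audience_uri_attr if not v.startswith(LOOKUP_PREFIX)]


def lookup_string_endpoint(lookup: str) -> str:
    # Assumed form "target:<char>:<endpoint-url>"; split at the first two colons only,
    # so the URL keeps its own "https:" scheme.
    return lookup.split(":", 2)[2]


def config_problems(p: WebServiceIdPPartner) -> List[str]:
    """Misconfigurations to catch before clicking Save."""
    problems = []
    if not p.partner_lookup_strings():
        problems.append("no partner lookup string: partner cannot be discovered at run time")
    if not p.audience_uris():
        problems.append("no Audience URI: assertions issued for any audience are accepted")
    if not p.signing_cert_pem:
        problems.append("no assertion signing certificate configured")
    return problems


def parse_assertion(xml_text: str) -> Tuple[str, List[str]]:
    """Return (Issuer, [Audience, ...]) from a SAML 2.0 Assertion element."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext(f"{{{SAML2}}}Issuer") or "").strip()
    path = f".//{{{SAML2}}}AudienceRestriction/{{{SAML2}}}Audience"
    audiences = [a.text.strip() for a in root.iterfind(path) if a.text]
    return issuer, audiences


def evaluate(p: WebServiceIdPPartner, xml_text: str, endpoint: str) -> Tuple[bool, str]:
    """Apply the partner's settings to one assertion presented at `endpoint`.
    Signature verification against signing_cert_pem is not modeled."""
    if not p.enabled:
        return False, "partner disabled"
    if endpoint not in (lookup_string_endpoint(s) for s in p.partner_lookup_strings()):
        return False, "no partner lookup string matches the requested endpoint"
    issuer, audiences = parse_assertion(xml_text)
    if issuer != p.issuer_uri:
        return False, "issuer mismatch"
    allowed = p.audience_uris()
    if allowed and not any(a in allowed for a in audiences):
        return False, "audience restriction not satisfied"
    if not p.signing_cert_pem:
        return False, "no signing certificate to verify the assertion"
    return True, "accepted"


def assertion(issuer: str, audience: str) -> str:
    """Constructed sample assertion (unsigned, minimal) for the checks above."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}" ID="_c1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )


# Hypothetical partner; all names and URLs are constructed for this example.
PARTNER = WebServiceIdPPartner(
    name="idp-partner-example",
    enabled=True,
    issuer_uri="https://idp.example.com/saml2",
    audience_uri_attr=[
        "target:*:https://ws.example.com/orders",  # lookup string (assumed form)
        "https://ws.example.com/orders",           # Audience URI, kept as a separate entry
    ],
    signing_cert_pem="-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----",
)

if __name__ == "__main__":
    print(config_problems(PARTNER))
    good = assertion(PARTNER.issuer_uri, "https://ws.example.com/orders")
    print(evaluate(PARTNER, good, "https://ws.example.com/orders"))
    print(evaluate(PARTNER, assertion(PARTNER.issuer_uri, "https://other.example.com/app"),
                   "https://ws.example.com/orders"))
```

Run it as-is and then drop the Audience URI entry from audience_uri_attr: config_problems reports the gap, and an assertion for a foreign audience is then accepted, which is the reason the procedure recommends listing your endpoints as Audience URIs even though the field is optional.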