When Security Token Service does not support the token that you want to validate or issue out of the box, a developer can write custom validation and issuance module classes.
This information applies when you are working with:
WS-Security User Name Token
WS-Trust Custom Token
Issuing Custom Token
Note:
You can also write a script that includes WebLogic Scripting Tool commands for any operation that you can accomplish through the console. For more information, see WLST Command Reference for WebLogic Server.
The following topics provide information about:
After writing the custom token validation and/or issuance classes, you must add Custom Token Configuration to Security Token Service to indicate when and how these classes should be used.
On the New Custom Token page only the Token Type Name is required (identified with an asterisk, *). See Figure 45-16.
Not all elements apply to all custom tokens. However, if you submit information that is incomplete, a dialog box appears to identify what is missing.
For the custom token, you must decide on the XML Element Name, XML Element Namespace, Binary Security Token Type, and so on. Table 45-14 describes the elements on a Custom Token page based on the examples.
Table 45-14 New Custom Token Elements

Element | Description |
---|---|
Token Type Name | The unique name you choose for this custom token. For example: email_token. Note: After you save a new custom token configuration, you cannot edit this name. |
Default Token URI | The URI for this custom token. This URI can then be used in the RST (WS-Trust RequestSecurityToken) to request that a custom token of this type be issued. For the example in this chapter, the value would be: oracle.security.fed.sts.customtoken.email |
XML Element Name | The name you decide on, which will be associated with the Token Type Name. For example: If you specify Note: Minimally, you need either an XML Element Name or a Binary Security Token Type. |
Validation Classname | The name of the custom token validation class that you made available to Security Token Service. For example: oracle.security.fed.sts.tpe.providers.email.EmailTokenValidatorModuleImpl Note: Minimally, you need either an Issuance Classname or a Validation Classname, depending on whether you want to issue or validate a custom token. |
XML Element Namespace | The namespace of the custom token element name. For example: http://email.example.com |
Issuance Classname | The name of the custom token issuance class that you made available to Security Token Service. For example: oracle.security.fed.sts.tpe.providers.email.EmailTokenIssuerModuleImpl Note: Minimally, you need either an Issuance Classname or a Validation Classname, depending on whether you want to issue or validate a custom token. |
Binary Security Token Type | The ValueType of the BinarySecurityToken for this custom token. Enables the class to validate a custom token sent in as a BinarySecurityToken: if Security Token Service receives a Binary Security Token with this ValueType, it forwards the token to this custom token's Validation class for validation. |
Validation Attributes | This section enables you to add (or remove) validation attributes. The table displays existing validation attributes, if any. For this example: Note: You will add a value to the attribute when creating a Token Validation Template. |
Issuance Attributes | This section enables you to add (or remove) issuance attributes. The table displays the following information for existing issuance attributes. Note: You will add a value to the attribute when creating a Token Issuance Template. |
Save | Click this button on the New Custom Token page to save your configuration information. |
Cancel | Click this button to dismiss your configuration details. |
Apply | Click this button to submit your changes. |
Revert | Click this button to dismiss your changes. |
You can add custom tokens for custom classes. To add custom tokens, the JAR containing the TokenIssuerModule or TokenValidatorModule classes (or both) must first be on the OAM Server classpath, as described in the procedure later in this section. No XML metadata or manifest is needed.

By default, all currently defined custom tokens are listed in the Search Results table. In custom token searches, wild cards are not allowed.
Figure 45-17 illustrates the Custom Tokens Search controls and Results table. These appear when you double-click the Custom Tokens node in the navigation tree.
Figure 45-17 Custom Tokens Search Page and Controls
Table 45-15 describes the Custom Tokens Search elements and controls. No wild cards (*) are allowed in Custom Token searches.
Table 45-15 Custom Tokens Search Elements and Controls

Element | Description |
---|---|
Default Token URI | The URI that was defined for the custom token. You can enter the entire URI or only part of it. For instance, if you enter "ai" the Search Results table displays all custom tokens whose token URI includes the letters "ai". Note: Wild cards are not allowed in Custom Token searches. |
Search | Initiates the Search function using the criteria provided in the form. |
Reset | Resets the Search form to its defaults. |
Search Results | Provides the results of your search, displayed according to your choices in the View menu. |
Actions menu | Provides the following functions that can be performed on a selection in the results table: Note: Actions menu functions mirror the command buttons above the results table. For example: |
View menu | Provides functions you can use to display various information in the results table: |
Up-Down Arrows | Controls affecting the ordering of items listed in the results table: |
Users with valid Administrator credentials can manage custom tokens for custom Token Module classes.
The following procedure includes steps to add, edit, and delete custom tokens or attributes of a custom token. Skip any steps that you do not need.
Consult the developer who created the custom tokens, and see the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details about writing a TokenIssuanceModule class.
You can create a new Custom Token, find it and edit its configuration. From the Search Results table, you can delete a particular custom token.
To make custom classes available and manage custom tokens:

1. Make the custom classes available. Create the JAR containing your Issuance and Validation classes and add it to the OAM Server hosting Security Token Service using one of these methods:
   a. Add the custom token JAR and sts-common.jar (available in $DOMAIN_HOME/config/fmwconfig/mbeans/oam) to the Managed Server classpath by editing the startup script.
   b. Copy the custom token JAR and sts-common.jar (available in $DOMAIN_HOME/config/fmwconfig/mbeans/oam) into the $DOMAIN_HOME/lib directory, which adds them to the Managed Server classpath automatically.
   Then restart the OAM Server. Note: Anything on the Managed Server classpath runs with the server's privileges, so keep $DOMAIN_HOME/lib and the startup script writable only by the WebLogic administrator and deploy only JARs you have verified.
2. New Custom Token:
   a. In the Oracle Access Management Console, click Federation at the top of the window.
   b. Select Create Custom Token from the Create (+) drop-down menu in the Security Token Service section.
   c. Fill in the New Custom Token page with details for your custom classes. See Table 45-14.
   d. Click Save and dismiss the confirmation window (or click Cancel to dismiss the page without submitting it).
   e. Close the page (or edit as described in Step 4).
   f. Proceed to Step 4, if needed, or see "Managing a Custom Security Token Service Configuration".
3. Find Custom Tokens: In the Federation console, select Custom Tokens from the View menu in the Security Token Service section.
   a. Find All: Click the Search button and view the results table with all custom tokens listed.
   b. Narrow the Search: Enter some or all characters of the desired Default Token URI, click the Search button, and review the results table.
   c. Reset the Search Form: Click the Reset button.
4. Edit Custom Token Configuration: Start with the saved page you just created. Alternatively, use Step 3 to find the desired Custom Token, then double-click its name in the Search Results table to open the page.
   a. In the named Custom Token page, click the appropriate field and edit as needed.
   b. Add Attributes: Click the Add (+) icon for the Attributes table, then enter the Attribute Name and an Attribute Type. See Table 45-14.
   c. Remove Attributes: In the Attributes table, click the row containing the attribute to remove, click the Delete (X) icon for the table, and dismiss the Confirmation window.
   d. Apply Changes: Click the Apply button at the top of the page to submit changes.
5. Remove a Custom Token:
   a. Click the desired name in the Search Results table to select the item to remove.
   b. From the Actions menu, click Delete (or click the Delete (X) command button above the table).
   c. Click the Delete button in the Confirmation window (or click No to cancel the operation).
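As an added example (not code from Oracle's documentation or product), the following Python script ties together the minimum requirements in Table 45-14 and the JAR staging step in the procedure above: before you copy the JAR onto the Managed Server classpath and restart, it checks that the custom token configuration you are about to enter is complete and that the JAR really contains the Validation and Issuance classes you will name, so a typo does not surface only as a class-loading failure after the restart. CustomTokenConfig, preflight and the other names are hypothetical; the Default Token URI, namespace and class names are the page's email example, the XML Element Name value "email" is an assumption, and the JAR is a constructed zip archive with empty .class entries.

```python
"""Pre-flight check for an OAM Security Token Service custom token.

Hypothetical helper, not part of Oracle Access Management. It models the
fields of the New Custom Token page (Table 45-14) and the JAR that must be
staged on the Managed Server classpath, and catches two mistakes before the
server restart: a configuration the console would reject as incomplete, and
a Validation/Issuance Classname that the JAR does not actually contain.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CustomTokenConfig:
    """Fields of the New Custom Token page; only token_type_name is required."""
    token_type_name: str
    default_token_uri: Optional[str] = None
    xml_element_name: Optional[str] = None
    xml_element_namespace: Optional[str] = None
    binary_security_token_type: Optional[str] = None
    validation_classname: Optional[str] = None
    issuance_classname: Optional[str] = None


def config_problems(cfg: CustomTokenConfig) -> List[str]:
    """Return the minimum-requirement violations listed in Table 45-14."""
    problems = []
    if not cfg.token_type_name:
        problems.append("Token Type Name is required")
    # STS must be able to recognise the token on the wire, either by its XML
    # element or by the ValueType of a BinarySecurityToken.
    if not (cfg.xml_element_name or cfg.binary_security_token_type):
        problems.append("need either an XML Element Name or a Binary Security Token Type")
    # Without a module class, STS can neither validate nor issue the token.
    if not (cfg.validation_classname or cfg.issuance_classname):
        problems.append("need either a Validation Classname or an Issuance Classname")
    return problems


def class_entry(classname: str) -> str:
    """Map a Java class name to its entry path inside a JAR."""
    return classname.replace(".", "/") + ".class"


def missing_classes(jar_bytes: bytes, cfg: CustomTokenConfig) -> List[str]:
    """Return the configured class names that the JAR does not contain."""
    wanted = [c for c in (cfg.validation_classname, cfg.issuance_classname) if c]
    if not wanted:
        return []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = set(jar.namelist())
    return [c for c in wanted if class_entry(c) not in entries]


def preflight(cfg: CustomTokenConfig, jar_bytes: bytes) -> Tuple[bool, List[str]]:
    """Run both checks; returns (ok, list of messages)."""
    msgs = config_problems(cfg)
    msgs += [f"class not found in JAR: {c}" for c in missing_classes(jar_bytes, cfg)]
    return (not msgs, msgs)


def preflight_jar_file(cfg: CustomTokenConfig, jar_path: str) -> Tuple[bool, List[str]]:
    """Same check against a JAR on disk, e.g. the one destined for $DOMAIN_HOME/lib."""
    with open(jar_path, "rb") as f:
        return preflight(cfg, f.read())


def build_sample_jar(classnames: List[str]) -> bytes:
    """Constructed stand-in for the developer's JAR: a zip archive with empty
    .class entries at the right paths (no real bytecode), so the example runs
    offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for c in classnames:
            jar.writestr(class_entry(c), b"")
    return buf.getvalue()


# The email token from this chapter. URI, namespace and class names are the
# page's values; the XML Element Name "email" is an assumption.
EMAIL_TOKEN = CustomTokenConfig(
    token_type_name="email_token",
    default_token_uri="oracle.security.fed.sts.customtoken.email",
    xml_element_name="email",
    xml_element_namespace="http://email.example.com",
    validation_classname="oracle.security.fed.sts.tpe.providers.email.EmailTokenValidatorModuleImpl",
    issuance_classname="oracle.security.fed.sts.tpe.providers.email.EmailTokenIssuerModuleImpl",
)


if __name__ == "__main__":
    good_jar = build_sample_jar([EMAIL_TOKEN.validation_classname, EMAIL_TOKEN.issuance_classname])
    print(preflight(EMAIL_TOKEN, good_jar))
    # A JAR built from an older source tree that lacks the issuer class.
    stale_jar = build_sample_jar([EMAIL_TOKEN.validation_classname])
    print(preflight(EMAIL_TOKEN, stale_jar))
```

Run preflight_jar_file against the JAR you intend to stage, with the same values you will type into the New Custom Token page; the check deliberately mirrors the "Minimally, you need either..." notes in Table 45-14 rather than treating every field as required, since not all elements apply to all custom tokens.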