SAML 2.0 Identity Asserter: Web Service Identity Provider Partner: General
Configures a SAML 2.0 Web Service Identity Provider Partner's General Properties.
Configuration Options
Name
Name of this Identity Provider partner.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Enabled
Specifies whether interactions with this Identity Provider partner are enabled on this server.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Description
A short description of this Identity Provider partner.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Audience URIs
One or more partner lookup strings, and optionally one or more SAML Audience URIs that must be included in assertions generated by this Identity Provider partner.
In the WebLogic Server implementation of SAML 2.0, the Audience URI attribute is overloaded to perform two related but separate functions:
- Specify one or more Audience URIs that must be included in assertions received from this Identity Provider partner.
- Specify one or more partner lookup strings, which specify the endpoint URL that is used to discover the Identity Provider partner configured to generate assertions for requests on that endpoint, thereby enabling those assertions to be validated.
A value specified for this attribute must have the following syntax:
[target:char:]<endpoint-url>
In the preceding syntax, target:char: is a prefix that is used to designate a partner lookup string, where char represents one of three special characters: a hyphen, plus sign, or asterisk (-, +, or *). This prefix determines how partner lookup is performed, as follows. (Note that because the transport, host, and port are stripped from a URL when it is passed in by a WebLogic Server instance configured in the role of Service Provider, the value you specify for <endpoint-url> should contain only the part of the endpoint path that follows the host and port.)
- target:-:<endpoint-url> specifies that partner lookup is conducted using an exact match of the URL, <endpoint-url>. For example, target:-:/myserver/myservicecontext/myservice-endpoint specifies that a run-time invocation on this specific endpoint can be matched to this Identity Provider partner.
- target:+:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>. For example, target:+:/myserver/myservicecontext/myservice-endpoint. (Note: Configuring this form of partner lookup string is unlikely to produce an Audience URI match with an Identity Provider partner and therefore should be avoided.)
- target:*:<endpoint-url> specifies that partner lookup is conducted for an initial-string pattern match of the URL, <endpoint-url>. For example, target:*:/myserver specifies that run-time invocations on either /myserver/contextA/endpointA or /myserver/contextB/endpointB (that is, any web service endpoint in /myserver) can be matched to this Identity Provider partner. If more than one Identity Provider partner is discovered that is a match for the initial string, the partner with the longest initial string match is selected.
Note: Configuring one or more target lookup strings for an Identity Provider partner is required in order for that partner to be discovered at run time. If this partner cannot be discovered, assertions received from it are rejected.
If you configure an endpoint URL without using the target lookup prefix, it will be handled as a conventional Audience URI that must be contained in assertions received from this Identity Provider partner. (Unlike a target lookup string, an Audience URI should include the transport, host, and port of the target endpoint. For example, http://www.avitek.com:7001/myserver/myservice-context/myservice-endpoint.)
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.
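As an added illustration (not WebLogic Server's own code), the following Python models the partner lookup and Audience URI rules described above so that a configuration can be checked before deployment: the transport, host and port are stripped, `-`/`+` strings need an exact path match, `*` strings match an initial string with the longest match winning, an undiscoverable partner means rejection, and every conventional Audience URI must appear in the assertion. The partner names and the sp.example.com host are assumptions; the endpoint paths and the avitek.com URL are the page's own examples, and preferring an exact match over an equally long initial-string match is an assumption the page does not state.

```python
import re
from urllib.parse import urlsplit
# Page syntax: target:<char>:<endpoint-path> with char in - + * is a partner
# lookup string; any other configured value is a conventional Audience URI.
_LOOKUP_RE = re.compile(r"^target:([-+*]):(.*)$")

def parse_audience_entries(entries):
    """Split configured values into ([(char, path), ...], [audience_uri, ...])."""
    lookups, audiences = [], []
    for value in entries:
        m = _LOOKUP_RE.match(value)
        if m:
            lookups.append((m.group(1), m.group(2)))
        else:
            audiences.append(value)
    return lookups, audiences

def discover_partner(partners, request_url):
    """Name of the partner matching a run-time invocation, or None. Transport,
    host and port are stripped (as the Service Provider does); '-'/'+' need an
    exact path match, '*' an initial-string match, longest initial string wins."""
    path = urlsplit(request_url).path
    best_name, best_score = None, -1
    for name, entries in partners.items():
        for char, endpoint in parse_audience_entries(entries)[0]:
            if char in "-+" and endpoint == path:
                score = len(path) + 1  # assumption: exact beats an equally long prefix
            elif char == "*" and path.startswith(endpoint):
                score = len(endpoint)
            else:
                continue
            if score > best_score:
                best_name, best_score = name, score
    return best_name

def validate_assertion(partners, request_url, assertion_audiences):
    """(partner_or_None, accepted): no partner means rejection; all conventional Audience URIs must be present."""
    name = discover_partner(partners, request_url)
    if name is None:
        return None, False
    required = parse_audience_entries(partners[name])[1]
    return name, all(uri in assertion_audiences for uri in required)

# Constructed sample: partner names and sp.example.com are made up; the paths
# and the avitek.com URL are the page's own examples.
PARTNERS = {
    "idpExact": ["target:-:/myserver/myservicecontext/myservice-endpoint",
                 "http://www.avitek.com:7001/myserver/myservice-context/myservice-endpoint"],
    "idpAll": ["target:*:/myserver"],
    "idpContextB": ["target:*:/myserver/contextB"],
}
```

Calling `validate_assertion(PARTNERS, "https://sp.example.com:7002/myserver/contextB/endpointB", [...])` shows the longest-prefix rule selecting idpContextB over idpAll.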
Issuer URI
The Issuer URI of this Identity Provider partner.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Identity Provider Name Mapper Class Name
The Java class that overrides the default username mapper class with which the SAML 2.0 Identity Asserter provider is configured.
If specified, this class is a custom implementation of the com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapper interface and is used for assertions received from this specific Identity Provider partner.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Virtual User
Specifies whether the user information contained in assertions received from this Identity Provider partner is mapped to virtual users.
Note that to use virtual users, you must configure the SAML Authentication provider.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Confirmation Method
Specifies the type of confirmation method that is used when using SAML 2.0 assertions for identity.
The available confirmation methods are:
- sender-vouches (default)
- holder-of-key
- bearer
When specifying a confirmation method, include the fully-qualified URN of the method. For example, urn:oasis:names:tc:SAML:2.0:cm:sender-vouches.
Note that if you use WLST to configure a partner, WebLogic Server provides constants for each of the confirmation methods that may be defined on partner class objects. For example, the following WLST command sets the bearer confirmation method on a partner:
p.setConfirmationMethod(p.ASSERTION_TYPE_BEARER)
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WSSSPPartner interface.

Process Attributes
Specifies whether the SAML 2.0 Identity Assertion provider shall consume the attribute statements contained in assertions received from this Identity Provider partner.
To use this attribute, the SAML Authentication provider must be configured in the domain, and it must:
- Be configured to run before other authentication providers
- Have the JAAS Control Flag set to SUFFICIENT
The SAML Authentication provider creates an authenticated subject using the user name and groups extracted from a SAML assertion by the SAML 2.0 Identity Assertion provider.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.IdPPartner interface.
Related Tasks
- Configuring a SAML 2.0 Identity Assertion Provider
- Understanding Security for Oracle WebLogic Server
- Using Security Assertion Markup Language (SAML) Tokens For Identity
Related Topics
- API reference for com.bea.security.saml2.providers.registry.Partner interface
- API reference for com.bea.security.saml2.providers.registry.IdPPartner interface
- API reference for com.bea.security.saml2.providers.registry.WSSSPPartner interface