SAML 2.0 Credential Mapping Provider: Web Service Service Provider Partner: General
Configures a SAML 2.0 Web Service Service Provider Partner's Properties.
Configuration Options
Name
Displays the name of the Web Service Service Provider partner.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Enabled
Specifies whether interactions with this Service Provider partner are enabled on this server.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Description
A short description of this Service Provider partner.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Audience URIs
One or more partner lookup strings, and optionally one or more SAML Audience URIs.
In the WebLogic Server implementation of SAML 2.0, the Audience URI attribute is overloaded to perform two related but separate functions:
- Specify one or more Audience URIs that must be included in assertions generated for this Service Provider partner.
- Specify one or more partner lookup strings, which specify the endpoint URL that is used to discover the Service Provider partner for which an assertion is to be generated.
A value specified for this attribute must have the following syntax:
[target:char:]<endpoint-url>
In the preceding syntax, target:char: is a prefix that is used to designate the partner lookup string, where char represents one of three special characters: a hyphen, plus sign, or asterisk (-, +, or *). This prefix determines how partner lookup is performed, as follows:
- target:-:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL <endpoint-url>. For example, target:-:http://www.avitek.com:7001/myserver/myservicecontext/myservice-endpoint specifies the endpoint that can be matched to this Service Provider, for which an assertion should be generated. This form of partner lookup string designates that the endpoint URL is not to be included as an Audience URI in that assertion.
- target:+:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL <endpoint-url>, and that the endpoint URL is also to be added as an Audience URI in the assertion generated for this Service Provider partner.
- target:*:<endpoint-url> specifies that partner lookup is conducted for an initial-string pattern match of the URL <endpoint-url>. For example, target:*:http://www.avitek.com:7001/myserver specifies that any endpoint URL beginning with http://www.avitek.com:7001/myserver can be matched to this Service Provider, such as http://www.avitek.com:7001/myserver/contextA/endpointA and http://www.avitek.com:7001/myserver/contextB/endpointB. If more than one Service Provider partner is discovered that is a match for the initial string, the partner with the longest initial string match is selected.
Note: Configuring one or more partner lookup strings for a Service Provider partner is required in order for that partner to be discovered at run time. If this partner cannot be discovered, no assertions for this partner can be generated.
If you configure an endpoint URL without using the target lookup prefix, it is handled as a conventional Audience URI that must be contained in assertions generated for this Service Provider partner. (This also enables backwards-compatibility with existing Audience URIs configured for this partner.)
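The following is an added model of the lookup and Audience URI rules described above; it is not WebLogic Server code. The partner registry, the partner names, the rule that disabled partners are skipped, and the function names are assumptions made for the illustration. The host and endpoint URLs are the ones used in the page's own examples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The documented syntax  target:char:<endpoint-url>  with char in {-, +, *}.
LOOKUP_RE = re.compile(r"^target:([-+*]):(.+)$")


@dataclass
class SPPartner:
    """A Web Service SP partner as configured in the console (constructed model)."""
    name: str
    enabled: bool
    audience_uris: List[str]   # raw values of the Audience URIs attribute


def parse_audience_value(value: str) -> Tuple[Optional[Tuple[str, str]], Optional[str]]:
    """Split one configured value into (lookup_rule, audience_uri).

    lookup_rule is (char, url) for the three target: prefixes, else None.
    audience_uri is what must appear in the assertion's AudienceRestriction:
      target:-:  -> lookup only, URL is not an Audience URI
      target:+:  -> lookup, and the URL is also an Audience URI
      target:*:  -> initial-string lookup only, URL is not an Audience URI
      no prefix  -> conventional Audience URI, plays no part in lookup
    """
    m = LOOKUP_RE.match(value)
    if m is None:
        return None, value
    char, url = m.group(1), m.group(2)
    return (char, url), (url if char == "+" else None)


def match_length(rule: Tuple[str, str], endpoint: str) -> int:
    """Length of the configured string that matched endpoint, or -1 for no match."""
    char, url = rule
    if char in "-+":
        return len(url) if endpoint == url else -1
    return len(url) if endpoint.startswith(url) else -1


def find_partner(registry: List[SPPartner], endpoint: str) -> Optional[SPPartner]:
    """Discover the partner for a Web service endpoint URL.

    Only lookup strings take part, so a partner with none is never found (the
    Note on this page).  Disabled partners are skipped (an assumption of this
    model).  Among several initial-string matches the longest configured string
    wins; an exact match is as long as the endpoint itself and beats any prefix.
    """
    best: Optional[SPPartner] = None
    best_len = -1
    for partner in registry:
        if not partner.enabled:
            continue
        for value in partner.audience_uris:
            rule, _ = parse_audience_value(value)
            if rule is None:
                continue
            n = match_length(rule, endpoint)
            if n > best_len:
                best, best_len = partner, n
    return best


def audience_uris_for(partner: SPPartner) -> List[str]:
    """Audience URIs the generated assertion must carry: every value without a
    prefix plus the URL of every target:+: value, in configured order."""
    out: List[str] = []
    for value in partner.audience_uris:
        _, audience = parse_audience_value(value)
        if audience is not None and audience not in out:
            out.append(audience)
    return out


# Constructed registry (partner names and the urn: values are invented).
REGISTRY = [
    SPPartner("payroll-sp", True, [
        "target:+:http://www.avitek.com:7001/myserver/myservicecontext/myservice-endpoint",
        "urn:avitek:payroll",
    ]),
    SPPartner("myserver-sp", True, ["target:*:http://www.avitek.com:7001/myserver"]),
    SPPartner("contextB-sp", True, ["target:*:http://www.avitek.com:7001/myserver/contextB"]),
    SPPartner("legacy-sp", True, ["urn:avitek:legacy"]),    # no lookup string: undiscoverable
    SPPartner("disabled-sp", False, ["target:*:http://"]),  # would match everything if enabled
]

if __name__ == "__main__":
    for ep in ("http://www.avitek.com:7001/myserver/myservicecontext/myservice-endpoint",
               "http://www.avitek.com:7001/myserver/contextA/endpointA",
               "http://www.avitek.com:7001/myserver/contextB/endpointB",
               "http://other.example.com/service"):
        p = find_partner(REGISTRY, ep)
        print(ep, "->", p.name if p else None, audience_uris_for(p) if p else [])
```

Two points the model makes visible: a broad target:*: string such as the disabled partner's "http://" would claim every endpoint not matched by a longer string, so keep prefix lookup strings as specific as the deployment allows; and a target:-: or target:*: partner produces an assertion with no AudienceRestriction unless a plain Audience URI or a target:+: value is also configured.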
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Service Provider Name Mapper Class Name
The name of the Java class that overrides the default SAML 2.0 credential mapper name mapper class with which this server is configured.
The Service Provider name mapper class specified here is a custom implementation of the com.bea.security.saml2.providers.SAML2CredentialNameMapper interface and is used only for this Service Provider partner.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Time To Live
The time to live value, in seconds, for the SAML 2.0 assertions generated for this Service Provider partner.
This value overrides the default setting for the SAML 2.0 Credential Mapping provider.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Time To Live Offset
The time to live offset value, in seconds, for the SAML 2.0 assertions generated for this Service Provider partner.
This value overrides the default setting for the SAML 2.0 Credential Mapping provider. It is a positive or negative integer, in seconds, that lets the provider compensate for clock differences between the Identity Provider and Service Provider sites.
Normally, an assertion is valid from the NotBefore time, which defaults to (roughly) the time the assertion was generated, until the NotOnOrAfter time, which is calculated as (NotBefore + TimeToLive). However, the Identity Provider site and Service Provider site may have minor differences in their clock settings. The Time To Live Offset is a positive or negative integer indicating how many seconds before or after "now" the assertion's NotBefore is set to. If you set a Time To Live Offset, NotOnOrAfter is still calculated as (NotBefore + TimeToLive), but NotBefore is set to (now + Time To Live Offset). So an assertion might have a two minute (120 second) lifetime that starts thirty seconds ago, or one that starts one minute from now.
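As an added worked example (not WebLogic Server code), the following computes the NotBefore/NotOnOrAfter window exactly as described above and then applies the check a relying party makes against its own clock. The Service Provider side is an assumption of the model: a strict SAML 2.0 Conditions check (NotBefore inclusive, NotOnOrAfter exclusive) with no skew allowance of its own, and instantaneous delivery of the assertion. The function names and the fixed timestamp are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple


def assertion_window(now: datetime, ttl_seconds: int, offset_seconds: int = 0) -> Tuple[datetime, datetime]:
    """Validity window as this page describes it:
    NotBefore = now + Time To Live Offset; NotOnOrAfter = NotBefore + Time To Live."""
    not_before = now + timedelta(seconds=offset_seconds)
    not_on_or_after = not_before + timedelta(seconds=ttl_seconds)
    return not_before, not_on_or_after


def sp_accepts(sp_clock: datetime, not_before: datetime, not_on_or_after: datetime) -> bool:
    """Assumed relying-party check: valid if NotBefore <= clock < NotOnOrAfter.
    (SAML 2.0 treats NotBefore as inclusive and NotOnOrAfter as exclusive.)"""
    return not_before <= sp_clock < not_on_or_after


def seconds_remaining(sp_clock: datetime, not_on_or_after: datetime) -> int:
    """Validity left as measured on the Service Provider's clock (negative if expired)."""
    return int((not_on_or_after - sp_clock).total_seconds())


def simulate(idp_now: datetime, sp_skew_seconds: int, ttl_seconds: int, offset_seconds: int) -> Tuple[bool, int]:
    """Issue at idp_now with the given Time To Live / Offset while the SP's clock
    reads idp_now + sp_skew_seconds.  Delivery is assumed to be instantaneous.
    Returns (accepted on arrival, seconds of validity left by the SP's clock)."""
    not_before, not_on_or_after = assertion_window(idp_now, ttl_seconds, offset_seconds)
    sp_clock = idp_now + timedelta(seconds=sp_skew_seconds)
    return sp_accepts(sp_clock, not_before, not_on_or_after), seconds_remaining(sp_clock, not_on_or_after)


# Constructed issue time used by the scenarios below.
IDP_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    scenarios = [
        ("SP clock 30 s slow, no offset", -30, 120, 0),     # rejected: NotBefore is in the SP's future
        ("SP clock 30 s slow, offset -60", -30, 120, -60),  # accepted: window starts a minute early
        ("clocks in sync, offset +60", 0, 120, 60),         # rejected until a minute has passed
        ("SP clock 90 s fast, offset +60", 90, 120, 60),    # accepted: fast clock is inside the window
    ]
    for label, skew, ttl, offset in scenarios:
        ok, left = simulate(IDP_NOW, skew, ttl, offset)
        print(f"{label}: accepted={ok}, seconds_remaining={left}")
```

A negative offset shifts the whole window earlier without lengthening it, so a Service Provider whose clock is in fact correct sees that much less remaining lifetime; a positive offset makes an in-sync Service Provider reject the assertion until the offset has elapsed. Treat the offset as a small correction for known skew rather than a substitute for clock synchronization, and keep Time To Live short, since any window that extends into the past is also time during which a captured assertion could be replayed.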
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Generate Attributes
Specifies whether the SAML 2.0 Credential Mapping provider includes group information in the assertions generated for this Service Provider partner.
The optional group information is carried in the <Attribute> element, which is subsequently used by the Service Provider's SAML 2.0 Identity Assertion provider to determine the groups to which the mapped user belongs.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Include One Time Use Condition
Specifies whether assertions generated for this Service Provider partner may be used only once.
If set, the assertion must be disposed of immediately after use and is not available for reuse.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Key Info Included
Specifies whether this server's signing certificate is included in assertions generated for this Service Provider partner.
Note that WebLogic Server's SAML 2.0 implementation uses only the certificates that are referenced in the partner registry, not certificates contained in assertions.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.

Confirmation Method
Specifies the confirmation method that is used when SAML 2.0 assertions are used for identity. The available confirmation methods are:
- sender-vouches (default)
- holder-of-key
- bearer
When specifying a confirmation method, include the fully-qualified URN of the method. For example, urn:oasis:names:tc:SAML:2.0:cm:sender-vouches.
Note that if you use WLST to configure a partner, WebLogic Server provides constants for each of the confirmation methods that may be defined on partner class objects. For example, the following WLST command sets the bearer confirmation method on a partner:
p.setConfirmationMethod(p.ASSERTION_TYPE_BEARER)
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WSSSPPartner interface.

Only Accept Signed Assertions
Specifies whether the Service Provider partner is configured to receive only assertions that have been signed. If true, assertions generated for this partner are signed.
Operations on this parameter are available in the com.bea.security.saml2.providers.registry.SPPartner interface.
Related Tasks
- Create a SAML 2.0 Web service Service Provider partner
- Configure Authentication and Identity Assertion providers
- Manage security providers
Related Topics
- Configuring Single Sign-On with Web Browsers and HTTP Clients
- Configuring SAML 2.0 Services
- Configuring a SAML 2.0 Credential Mapping Provider
- Understanding Security for Oracle WebLogic Server
- Configuring Keystores
- Using Security Assertion Markup Language (SAML) Tokens For Identity
- API reference for com.bea.security.saml2.providers.registry.Partner interface
- API reference for com.bea.security.saml2.providers.registry.SPPartner interface
- API reference for com.bea.security.saml2.providers.registry.WSSSPPartner interface