17 Configuring the SAML Authentication Provider

This chapter explains how to configure the SAML Authentication provider for WebLogic Server 12.1.3. The SAML Authentication provider may be used in conjunction with the SAML 1.1 or SAML 2.0 Identity Assertion provider to do the following:

  • Allow virtual users to log in via SAML

    If true, the SAML Identity Asserter will create user/group principals, with the possible result that the user is logged in as a virtual user — a user that does not correspond to any locally-known user.

  • If the SAML Authentication provider is configured to run before other authentication providers, and has a JAAS Control Flag set to SUFFICIENT, this provider creates an authenticated subject using the user name and groups retrieved from a SAML assertion by the SAML Identity Assertion provider V2 or the SAML 2.0 Identity Assertion provider.

If the SAML Authentication provider is not configured, or if another authentication provider (e.g., the default LDAP Authentication provider) is configured before it and its JAAS Control Flag set is set to SUFFICIENT, then the user name returned by the SAML Identity Assertion provider is validated by the other authentication provider. In the case of the default LDAP Authentication provider, authentication fails if the user does not exist in the identity directory.

Important:

If you configure the SAML Authentication provider to allow virtual users to log in and gain access to a resource, make note of the following:
  1. The resource must be configured with a security policy to control access. If the resource is unprotected, the subject created for the virtual user has no principals, which prevents access from being granted.

  2. The protected resource must also use the default cookie JSESSIONID. If the resource uses a cookie name other than JSESSIONID, the subject's identity is not propagated to the resource.

For information about configuring security policies, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.

If you want groups from a SAML assertion, you must configure the SAML Authentication provider even if you want the LDAP Authentication provider to verify the user's existence. Otherwise, the groups with which the user is associated is derived from the LDAP directory and not with the groups in the assertion.

The SAML Authentication provider creates a subject only for users whose identities are asserted by either the SAML Identity Assertion provider V2 or SAML 2.0 Identity Assertion provider. The SAML Authentication provider ignores all other authentication or identity assertion requests.