16 Configuring the SAML Authentication Provider

The Oracle WebLogic Server Security Assertion Markup Language (SAML) Authentication provider may be used in conjunction with the SAML 1.1 or SAML 2.0 Identity Assertion providers to allow virtual users to log in using SAML. If virtual users are allowed, then the SAML Identity Asserter creates user/group principals, which permit the user to be logged in as a virtual user — a user that does not correspond to any locally-known user.

If the SAML Authentication provider is configured to run before other authentication providers, and has a JAAS Control Flag set to SUFFICIENT, this provider creates an authenticated subject using the user name and groups retrieved from a SAML assertion by the SAML Identity Assertion provider V2 or the SAML 2.0 Identity Assertion provider.

If the SAML Authentication provider is not configured, or if another authentication provider (for example, the default LDAP Authentication provider) is configured before it with its JAAS Control Flag set to SUFFICIENT, then the user name returned by the SAML Identity Assertion provider is validated by that other authentication provider instead. In the case of the default LDAP Authentication provider, authentication fails if the user does not exist in the identity directory, so a virtual user cannot log in.

Note:

If you configure the SAML Authentication provider to allow virtual users to log in and gain access to a resource, make note of the following:

  1. The resource must be configured with a security policy to control access. If the resource is unprotected, the subject created for the virtual user has no principals, which prevents access from being granted.

  2. The protected resource must also use the default cookie JSESSIONID. If the resource uses a cookie name other than JSESSIONID, the subject's identity is not propagated to the resource.

For information about configuring security policies, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.
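The two conditions in the note above, as deployment descriptors for a web application that a SAML-asserted virtual user must reach. This is an added example, not from the Oracle documentation: the role name partner, the group name SAMLPartners, the URL pattern /partner/* and the alternative cookie name PARTNERSESSION are constructed for illustration; replace the group with the one carried in your assertions.

```xml
<!-- Added example (not from the Oracle documentation). Names marked below are constructed. -->

<!-- WEB-INF/web.xml: the security-constraint makes /partner/* a protected resource,
     so WebLogic evaluates a security policy for it and the virtual user's subject is
     populated with the user and group principals from the assertion. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>partner-area</web-resource-name>   <!-- constructed name -->
      <url-pattern>/partner/*</url-pattern>                 <!-- constructed pattern -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>partner</role-name>                        <!-- constructed role -->
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>partner</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/weblogic.xml: map the role to the group principal that the SAML Identity
     Asserter places in the virtual user's subject. The session cookie name is left at
     its default (JSESSIONID): setting <cookie-name> to anything else stops the asserted
     identity from being propagated to the protected resource. -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>partner</role-name>
    <principal-name>SAMLPartners</principal-name>          <!-- constructed group -->
  </security-role-assignment>
  <session-descriptor>
    <!-- A custom cookie name such as the following would break virtual-user access:
         <cookie-name>PARTNERSESSION</cookie-name>
         so no cookie-name element is set here. -->
    <cookie-http-only>true</cookie-http-only>
  </session-descriptor>
</weblogic-web-app>
```

If the application already overrides the cookie name (for example to run several applications on one host without sharing a session cookie), the virtual-user subject is not carried into it; either drop the override for that application or give it a separate context path and keep JSESSIONID.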

If you want the groups from a SAML assertion, you must configure the SAML Authentication provider even if you also want the LDAP Authentication provider to verify that the user exists. Otherwise, the groups with which the user is associated are derived from the LDAP directory rather than from the groups in the assertion.
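The provider ordering that the preceding paragraphs describe (the SAML Authentication provider first and SUFFICIENT so that virtual users are accepted and assertion groups are used, and what changes when the default LDAP Authentication provider precedes it), shown as an excerpt of a domain config.xml realm. This is an added example, not from the Oracle documentation or from a generated domain: the provider names are typical defaults, the xsi:type values and namespace prefixes are written from memory of the WebLogic security schema, and both should be checked against the config.xml that the Administration Console or WLST writes for your own domain before editing the file by hand.

```xml
<!-- Added example (not from the Oracle documentation): a config.xml <realm> excerpt.
     Assumed: the sec, wls, saml2 and xsi prefixes are declared on the <domain> element
     as the console writes them; verify the xsi:type values against your own domain.
     Authentication providers are invoked in the order they appear here. -->
<realm>
  <!-- 1. SAML Authentication provider, listed first with a SUFFICIENT control flag:
          for a user asserted by the SAML 2.0 Identity Asserter below it builds the
          subject from the user name and groups in the assertion, including for a
          virtual user that exists in no local directory. Because it is SUFFICIENT,
          a successful login returns here and the Default Authenticator is not consulted. -->
  <sec:authentication-provider xsi:type="wls:saml-authenticatorType">
    <sec:name>SAMLAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>

  <!-- 2. SAML 2.0 Identity Assertion provider: validates the assertion and asserts the
          user name. Whether virtual users are allowed is set per Identity Provider partner
          in this provider's partner configuration, not in the authenticator above. -->
  <sec:authentication-provider xsi:type="saml2:saml2-identity-asserterType">
    <sec:name>SAML2IdentityAsserter</sec:name>
  </sec:authentication-provider>

  <!-- 3. Default Authenticator (embedded LDAP), SUFFICIENT: still serves ordinary
          username/password logins. If this element were moved ABOVE the SAML
          Authentication provider, a SAML-asserted user name would be validated against
          the embedded LDAP directory instead: a virtual user would be rejected, and an
          existing user would receive the LDAP groups rather than the assertion's groups. -->
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:name>DefaultAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>

  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:name>DefaultIdentityAsserter</sec:name>
    <sec:active-type>AuthenticatedUser</sec:active-type>
  </sec:authentication-provider>

  <!-- Other realm settings omitted. -->
  <sec:name>myrealm</sec:name>
</realm>
```

In practice the reordering is done in the Administration Console (Security Realms, the realm, Providers, Authentication, Reorder) or with WLST rather than by editing config.xml, but the resulting element order is what determines which provider validates a SAML-asserted user and whose groups end up in the subject.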

The SAML Authentication provider creates a subject only for users whose identities are asserted by either the SAML Identity Assertion provider V2 or SAML 2.0 Identity Assertion provider. The SAML Authentication provider ignores all other authentication or identity assertion requests.