Administration Console Online Help


Create a SAML 2.0 Web service Service Provider partner

Before you begin

Before you configure a SAML 2.0 Web service Service Provider partner, create an instance of the SAML 2.0 Credential Mapping provider in the security realm and configure it. See Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0.


To create a SAML 2.0 Web service Service Provider partner:

  1. In the left pane, select Security Realms.
  2. On the Summary of Security Realms page, select the name of the realm (for example, myrealm).
  3. On the Settings for Realm Name page select Providers > Credential Mapping.
  4. In the Credential Mapping Providers table, select the SAML 2.0 Credential Mapping provider.
  5. On the Settings for SAML 2.0 CredMapper page, select Management.
  6. In the table under Service Provider Partners, click New > New Web Service Service Provider Partner.
  7. On the Create a SAML 2.0 Web Service Service Provider Partner page, enter the name of the new Service Provider partner, and click Finish.

    Note: If you click the browser's Back button after clicking Finish, the partner name is reset to the default.

  8. In the Service Provider Partners table, select the name of your newly created Service Provider partner.
  9. In the Settings for SAML 2.0 CredMapper page, select Enabled to enable interactions between this server and this Service Provider partner.
  10. Specify one or more partner lookup strings, and optionally Audience URIs, as values of the Audience URI attribute. WebLogic Server overloads this attribute to serve both functions, as follows:
    • A partner lookup string contains an endpoint URL that enables the SAML 2.0 Credential Mapping provider to match a requested Web service endpoint with a Service Provider partner, for which an assertion is then generated. A partner lookup string must be configured for each Service Provider partner; without one, WebLogic Server cannot discover that partner at run time.
    • The endpoint URL in a partner lookup string may optionally also be designated as an Audience URI, which must then be included in the assertion that is generated for the Service Provider partner.

    Note: You may also designate Audience URIs separately from partner lookup strings.

    For details about how to create a partner lookup string, and also how to designate the lookup URL as an Audience URI in that string, see Create partner lookup strings.

  11. Configure additional settings as appropriate. For example, you may choose to do one or more of the following:
    1. Specify a Service Provider Name Mapper Class, which is a custom implementation of the com.bea.security.saml2.providers.SAML2CredentialNameMapper interface. If specified, this class overrides the default SAML 2.0 credential mapper name mapper class, with which the SAML 2.0 Credential Mapping provider is configured. The class you specify here is used only for assertions generated for this Service Provider partner.

      For more information about this name mapper class, see Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0 and API Reference for com.bea.security.saml2.providers.SAML2CredentialNameMapper interface.

    2. Specify time-to-live values for assertions generated for this Service Provider partner.
    3. Select Generate Attributes to include group information in the assertions generated for this particular Service Provider partner. This partner can subsequently extract this information from the assertion to determine the groups to which the mapped Subject belongs.
    4. Select Include One Time Use Condition if you want the generated assertions to be used only once by your Service Provider partner and not to be available for reuse.

      Note that the Key Info Included attribute is available in WebLogic Server for SAML 2.0 services, but no signing certificate is included in assertions generated by SAML 2.0 services. Partners should instead rely on the signing certificates that they have already exchanged securely and maintain in their partner registry.

    5. Coordinate with your Service Provider partner to agree upon the assertion confirmation method and whether assertions generated for this partner should be signed.

    For more information about the options for configuring a Web service Service Provider partner, see Using Security Assertion Markup Language (SAML) Tokens For Identity.

  12. Click Save.
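    The assertion-level effect of the Audience URI, time-to-live and Include One Time Use Condition settings in steps 10 and 11, as an added Python example (not WebLogic code): an issuer-side builder for the SAML 2.0 <saml:Conditions> element and the checks a Service Provider partner applies to it. The element and attribute names come from the SAML 2.0 assertion schema; the function names, the time-to-live expressed in seconds and the sample URIs are assumptions for illustration.

```python
# Added example, not part of the WebLogic help page: models the <saml:Conditions>
# that the partner settings above control, and the Service Provider side checks.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # SAML dateTime values are UTC with trailing 'Z'


def build_conditions(issue_instant, ttl_seconds, audience_uris, one_time_use):
    """Issuer side: validity window derived from the partner's time-to-live,
    one AudienceRestriction holding the configured Audience URIs, and the
    optional OneTimeUse condition. Returns the serialized element."""
    ET.register_namespace("saml", SAML_NS)
    cond = ET.Element(f"{{{SAML_NS}}}Conditions")
    cond.set("NotBefore", issue_instant.strftime(TS_FORMAT))
    cond.set("NotOnOrAfter", (issue_instant + timedelta(seconds=ttl_seconds)).strftime(TS_FORMAT))
    if audience_uris:
        restriction = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction")
        for uri in audience_uris:
            ET.SubElement(restriction, f"{{{SAML_NS}}}Audience").text = uri
    if one_time_use:
        ET.SubElement(cond, f"{{{SAML_NS}}}OneTimeUse")
    return ET.tostring(cond, encoding="unicode")


def check_conditions(conditions_xml, my_audience, assertion_id, now, seen_ids):
    """Service Provider side: reject an assertion that is outside its validity
    window, issued for a different audience, or replayed when OneTimeUse is
    present. `seen_ids` is the SP's replay cache of accepted assertion IDs."""
    cond = ET.fromstring(conditions_xml)
    not_before = datetime.strptime(cond.get("NotBefore"), TS_FORMAT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS_FORMAT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window"
    # Within one AudienceRestriction any listed Audience satisfies it; every
    # AudienceRestriction element present must be satisfied.
    for restriction in cond.findall(f"{{{SAML_NS}}}AudienceRestriction"):
        audiences = [a.text for a in restriction.findall(f"{{{SAML_NS}}}Audience")]
        if my_audience not in audiences:
            return False, "audience mismatch"
    if cond.find(f"{{{SAML_NS}}}OneTimeUse") is not None:
        if assertion_id in seen_ids:
            return False, "replayed one-time-use assertion"
        seen_ids.add(assertion_id)
    return True, "accepted"
```

    An assertion without an Audience URI is accepted by any partner that receives it, which is why the lookup URL is normally also designated as an Audience URI.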

Result

The Web service Service Provider partner is created in the local server instance.

