Before you begin
A partner lookup string must be specified when configuring either a web service Identity Provider partner or a Service Provider partner. This string, which specifies an endpoint URL, is required at run time by WebLogic Server to discover the partner that is associated with a SAML 2.0 assertion that needs to be either generated or validated.
For example, when a web service client needs an assertion, it passes the endpoint of the target web service to the SAML 2.0 Credential Mapping provider. The SAML 2.0 Credential Mapping provider looks up the appropriate web service Service Provider partner by searching for any partner entry that is configured with a lookup string that matches that endpoint, and then generates the assertion that is required for the partner that is found.
In a similar manner, when a WebLogic Server instance configured in the role of Service Provider receives the invocation from the web service client, it passes the assertion and the invoked endpoint to the SAML 2.0 Identity Assertion provider. The SAML 2.0 Identity Assertion provider looks up the appropriate web service Identity Provider partner by searching for any partner configured with a lookup string that matches that endpoint, and then validates the assertion against the partner that is found.
WebLogic Server also allows you to configure a partner lookup string so that the specified endpoint also serves as an Audience URI. The Audience URI attribute is therefore overloaded to perform two related but separate functions: to specify the Audience URIs that must be included in assertions, and also to designate partner lookup strings. (When configuring an Identity Provider partner, partner lookup strings and Audience URIs need to be specified in separate entries due to the way in which endpoint URLs are passed to the SAML 2.0 Identity Assertion provider.)
If a partner lookup string is not configured for a SAML 2.0 web service partner, that partner cannot be discovered at run time, and the necessary assertion for that partner cannot be generated or validated.
The general syntax for the partner lookup string is the same for both Identity Provider and Service Provider partners, but the way in which it is specified differs because of the way in which incoming endpoint URLs are handled by WebLogic Server. WebLogic Server supports two basic forms of the partner lookup string:
If you specify http://www.abc.com/xxx/yyy/zzz as an exact match lookup string for Partner A, the result is that Partner A can be selected as a match only when that exact same endpoint is passed in to the appropriate SAML 2.0 security provider.
WebLogic Server supports two ways in which you can specify an exact-match partner lookup string so that the specified URL may be included in, or excluded from, assertions as an Audience URI. When configuring a Service Provider partner, this mechanism eliminates the need to duplicate a given URL as both an Audience URI and a partner lookup string.
If you specify http://www.abc.com/xxx as an initial-string match lookup string for Partner A, the result is that Partner A can be selected as a match for any endpoint passed in that begins with http://www.abc.com/xxx. Endpoints such as http://www.abc.com/xxx/aaa/bbb can be matched to this partner.
The partner lookup string has the following syntax:
target:char:<endpoint-url>
In the preceding syntax, target:char: is a prefix that is used to designate the partner lookup string, where char represents one of three special characters: a hyphen, plus sign, or asterisk (-, +, or *). This prefix determines how partner lookup is performed, as follows:
target:-:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>. This form of partner lookup string designates that the endpoint URL is not to be included as an Audience URI in that assertion.
target:+:<endpoint-url> specifies that partner lookup is conducted for an exact match of the URL, <endpoint-url>, and that the endpoint URL is also to be added as an Audience URI in the assertion. Note: Specifying this form of the partner lookup string on an Identity Provider partner is unlikely to produce a match and should therefore be avoided.
target:*:<endpoint-url> specifies that partner lookup is conducted for an initial-string pattern match of the URL, <endpoint-url>.
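The three lookup-string forms, modelled in Python as an added illustration (this is not WebLogic's own code): each string is parsed, the endpoint handed over by the security provider is matched against it, and the Audience URI list for the resulting assertion is assembled. The partner names, the urn:example audience and the first-match-wins ordering are assumptions; the URLs are the ones used in the text above.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Syntax from the text: target:char:<endpoint-url>, where char is -, + or *
_LOOKUP_RE = re.compile(r"^target:([-+*]):(.+)$")


@dataclass(frozen=True)
class LookupString:
    mode: str       # "-" exact, "+" exact plus Audience URI, "*" initial-string
    endpoint: str

    @classmethod
    def parse(cls, text: str) -> "LookupString":
        m = _LOOKUP_RE.match(text)
        if m is None:
            raise ValueError(f"not a partner lookup string: {text!r}")
        return cls(m.group(1), m.group(2))

    def matches(self, endpoint: str) -> bool:
        # "*" compares only the leading characters; "-" and "+" need the whole URL
        if self.mode == "*":
            return endpoint.startswith(self.endpoint)
        return endpoint == self.endpoint


@dataclass(frozen=True)
class Partner:
    name: str
    lookup_strings: Tuple[LookupString, ...]
    audience_uris: Tuple[str, ...] = ()   # Audience URIs configured separately


def find_partner(partners: Sequence[Partner], endpoint: str
                 ) -> Optional[Tuple[Partner, LookupString]]:
    """First partner with a matching lookup string (assumption: first hit wins)."""
    for partner in partners:
        for ls in partner.lookup_strings:
            if ls.matches(endpoint):
                return partner, ls
    return None   # no partner discovered: no assertion can be generated/validated


def assertion_audiences(partner: Partner, matched: LookupString) -> list:
    """Audience URIs to place in the assertion generated for this match."""
    uris = list(partner.audience_uris)
    if matched.mode == "+" and matched.endpoint not in uris:
        uris.append(matched.endpoint)   # "+" overloads the endpoint as an Audience URI
    return uris


# Constructed sample configuration (hypothetical partners).
PARTNERS = (
    Partner("Partner A", (LookupString.parse("target:+:http://www.abc.com/xxx/yyy/zzz"),)),
    Partner("Partner B", (LookupString.parse("target:*:http://www.abc.com/xxx"),),
            audience_uris=("urn:example:partner-b",)),
)
```

Note that Partner B's initial-string entry would also match Partner A's exact endpoint, so overlapping entries make the lookup depend on partner ordering, which is why a `-` or `+` string should be as specific as the endpoint it names.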
When you configure a Service Provider site, this behavior enables you to configure a single Identity Provider partner that can be used to validate all assertions for the same web service, regardless of the variations in the transport protocol (i.e., HTTP vs. HTTPS), host name, IP address, and port information across all the machines in a domain that host that web service. Therefore, the endpoint URLs you configure in any lookup string for an Identity Provider partner should contain only the portion of the URL that follows the host and port. For example,