Configuring Single Sign-On with Web Browsers and HTTP Clients 7-5
For WebLogic Server browser SSO configurations that communicate with another WebLogic Server instance, set the ID of the SAML Asserting Party (APID) in the relying party ACS parameters.
This parameter is required with the V2 providers in order for the browser profile configurations to work. That is, the ACS looks for an asserting party ID (APID) as a form parameter of the incoming request, and uses this to look up the configuration before performing any other processing.
The APID parameter also removes the need for you to specify a Target URL parameter for browser SSO. The Target URL is used for Web service configurations.
7.2.2.4 Replacing the Default Assertion Store
WebLogic Server uses a simple assertion store to maintain persistence for produced assertions. You can replace this assertion store with a custom assertion store class that implements weblogic.security.providers.saml.AssertionStoreV2. Configure WebLogic Server to use your custom assertion store class, rather than the default class, using the FederationServicesMBean.AssertionStoreClassName attribute. You can configure properties to be passed to the initStore method of your custom assertion store class by using the FederationServicesMBean.AssertionStoreProperties attribute. Configure these attributes in the Administration Console on the Environment: Servers > ServerName > Configuration > Federation Services > SAML 1.1 Source Site page.
7.2.3 Configuring a SAML 1.1 Destination Site for Single Sign-On
The following topics describe how to configure WebLogic Server as a SAML destination site:
■ Section 7.2.3.1, Configure SAML Identity Assertion Provider
■ Section 7.2.3.2, Configure Destination Site Federation Services
■ Section 7.2.3.3, Configuring Asserting Parties
7.2.3.1 Configure SAML Identity Assertion Provider
In your security realm, create and configure a SAML Identity Assertion Provider V2 instance. The SAML Identity Assertion provider is not part of the default security realm. See Section 5.9.4, Configuring a SAML Identity Assertion Provider for SAML 1.1.
7.2.3.2 Configure Destination Site Federation Services
Before you configure WebLogic Server as a SAML destination site, you must first create a SAML Identity Assertion Provider V2 instance in your security realm. Configuration of a WebLogic Server instance as a SAML destination site is controlled by the FederationServicesMBean. You can access the FederationServicesMBean using the WebLogic Scripting Tool or through the Administration Console, using the Environment: Servers > ServerName > Configuration > Federation Services > SAML 1.1 Destination Site page. Configure the SAML destination site attributes as follows.
7.2.3.2.1 Enable the SAML Destination Site
Allow the WebLogic Server instance to serve as a SAML destination site by setting Destination Site Enabled to true.
7-6 Securing Oracle WebLogic Server
7.2.3.2.2 Set Assertion Consumer URIs
Set the URIs for the SAML Assertion Consumer Service. This is the URL that receives assertions from source sites, so that the destination site can use the assertions to authenticate users. The Assertion Consumer URI is also specified in the configuration of a Relying Party.
7.2.3.2.3 Configure SSL for the Assertion Consumer Service
You can require all access to the Assertion Consumer Service to use SSL by setting FederationServicesMBean.acsRequiresSSL to true.
7.2.3.2.4 Add SSL Client Identity Certificate
The SSL client identity is used to contact the ARS at the source site for the Artifact profile. Add this certificate to the keystore and enter the credentials alias and passphrase to be used to access the certificate.
7.2.3.2.5 Configure Single-Use Policy and the Used Assertion Cache or Custom Assertion Cache
Optionally, you can require that each POST profile assertion be used no more than once. WebLogic Server maintains a cache of used assertions so that it can support a single-use policy for assertions. You can replace this assertion cache with a custom assertion cache class that implements weblogic.security.providers.saml.SAMLUsedAssertionCache. Configure WebLogic Server to use your custom assertion cache class, rather than the default class, using the FederationServicesMBean.SAMLUsedAssertionCache attribute. You can configure properties to be passed to the initCache method of your custom assertion cache class using the FederationServicesMBean.UsedAssertionCacheProperties attribute. You can configure these attributes in the Administration Console on the Environment: Servers > ServerName > Configuration > Federation Services > SAML 1.1 Destination Site page.
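The destination-site steps in Sections 7.2.3.2.1 through 7.2.3.2.5 can be scripted with WLST instead of set one by one in the Administration Console. The following is an added example, not code from the Oracle documentation: it assembles the FederationServicesMBean attributes for the destination site as a dictionary, checks them for the inconsistencies that most often break or weaken an Assertion Consumer Service (a consumer URI that is not a server path, SSL not required, the single-use check switched off), and applies them in the WLST edit tree. The same apply helper also serves the source-site assertion store attributes of Section 7.2.2.4. Assumptions: the attribute names DestinationSiteEnabled, AssertionConsumerURIs, ACSRequiresSSL, SSLClientIdentityAlias, SSLClientIdentityPassPhrase, POSTOneUseCheckEnabled and UsedAssertionCacheClass, and the edit-tree path /Servers/<server>/FederationServices/<server>, are as I know them from the MBean reference and should be verified against your release; the server name, URIs, keystore alias, custom cache class and its properties are constructed sample values.

```python
# Added example (not Oracle's code): build, check and apply SAML 1.1 destination-site
# settings on the FederationServicesMBean. Attribute names other than those on the
# page are assumed from the MBean reference; verify them against your release.
# Server names, URIs, aliases and class names below are constructed sample values.


def destination_site_settings(acs_uris, require_ssl=True, ssl_client_alias=None,
                              single_use=True, cache_class=None, cache_props=None):
    """Return the destination-site attributes as {MBean attribute name: value}.

    acs_uris         server-relative Assertion Consumer Service paths (assumed
                     format, e.g. "/samlacs/acs"); the same URIs are entered in
                     the Relying Party configuration at the source site.
    ssl_client_alias keystore alias of the SSL client identity used to contact the
                     source site's ARS for the Artifact profile (passphrase is
                     supplied separately, see apply_with_wlst).
    cache_class      class implementing
                     weblogic.security.providers.saml.SAMLUsedAssertionCache, or
                     None to keep the default used-assertion cache.
    cache_props      dict handed to the custom cache's initCache method.
    """
    settings = {
        "DestinationSiteEnabled": True,
        "AssertionConsumerURIs": list(acs_uris),
        "ACSRequiresSSL": bool(require_ssl),
        "POSTOneUseCheckEnabled": bool(single_use),
    }
    if ssl_client_alias:
        settings["SSLClientIdentityAlias"] = ssl_client_alias
    if cache_class:
        settings["UsedAssertionCacheClass"] = cache_class
        settings["UsedAssertionCacheProperties"] = dict(cache_props or {})
    return settings


def source_site_assertion_store(store_class, store_props=None):
    """Section 7.2.2.4: attributes that swap in a custom AssertionStoreV2 class."""
    return {"AssertionStoreClassName": store_class,
            "AssertionStoreProperties": dict(store_props or {})}


def check_settings(settings):
    """Return a list of findings (empty when the settings are consistent and strict)."""
    findings = []
    uris = settings.get("AssertionConsumerURIs", [])
    if not uris:
        findings.append("error: no Assertion Consumer URI; the ACS cannot receive assertions")
    for uri in uris:
        if not uri.startswith("/") or " " in uri:
            findings.append("error: Assertion Consumer URI %r is not a server-relative path" % uri)
    if len(set(uris)) != len(uris):
        findings.append("error: duplicate Assertion Consumer URIs")
    if not settings.get("ACSRequiresSSL"):
        findings.append("warn: ACSRequiresSSL is false; assertions may arrive over plain HTTP")
    if settings.get("UsedAssertionCacheProperties") and not settings.get("UsedAssertionCacheClass"):
        findings.append("error: UsedAssertionCacheProperties set without a custom cache class")
    if not settings.get("POSTOneUseCheckEnabled"):
        findings.append("warn: single-use check disabled; a captured POST assertion could be replayed")
    return findings


def apply_with_wlst(server_name, settings, ssl_client_passphrase=None):
    """Apply settings to the server's FederationServices MBean in the WLST edit tree.

    Runs only under wlst.sh, where edit, startEdit, cd, cmo, save and activate
    exist. String[] attributes are passed as Java arrays and dict attributes as
    java.util.Properties; the setter name is "set" + attribute name.
    """
    from java.lang import String
    from java.util import Properties
    from jarray import array
    edit()
    startEdit()
    cd("/Servers/%s/FederationServices/%s" % (server_name, server_name))
    for name, value in settings.items():
        if isinstance(value, list):
            value = array([String(v) for v in value], String)
        elif isinstance(value, dict):
            props = Properties()
            for key, val in value.items():
                props.setProperty(key, val)
            value = props
        getattr(cmo, "set" + name)(value)
    if ssl_client_passphrase:
        # kept out of the settings dict so it is never printed with the findings
        cmo.setSSLClientIdentityPassPhrase(ssl_client_passphrase)
    save()
    activate()


if __name__ == "__main__":
    cfg = destination_site_settings(["/samlacs/acs"], ssl_client_alias="samlClient",
                                    cache_class="com.example.saml.DbUsedAssertionCache",
                                    cache_props={"jndiName": "jdbc/samlCache"})
    for finding in check_settings(cfg):
        print(finding)
    # apply_with_wlst("myserver", cfg, ssl_client_passphrase="...")  # under wlst.sh only
```

The builder and the checker run under plain Python, so the settings can be reviewed before any edit session is opened; only apply_with_wlst needs WLST. Keep the SSL client passphrase out of the settings dictionary and out of version control, and treat any "error:" finding as a reason not to activate the change.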
7.2.3.2.6 Configure Recipient Check for POST Profile
Optionally, you can require that the