What Are SAML SSO Attributes?


6. Click Save.

7. To activate these changes, in the Change Center, click Activate Changes.

When you configure a SAML Relying Party, you can optionally set a name mapper class specific to that Relying Party, which will override the default value you set here for the default name mapper class name. For details about how to set a name mapper class name in the Administration Console, see "Configure a custom user name mapper" in the Oracle WebLogic Server Administration Console Help.

9.4 Configuring SAML SSO Attribute Support

This section describes SAML SSO attributes and how to use them with SAML 2.0 and SAML 1.1. The following topics are described:

■ Section 9.4.1, What Are SAML SSO Attributes?
■ Section 9.4.2, New API’s for SAML Attributes
■ Section 9.4.3, SAML 2.0 Basic Attribute Profile Required
■ Section 9.4.4, Passing Multiple Attributes to SAML Credential Mappers
■ Section 9.4.5, How to Implement SAML Attributes
■ Section 9.4.6, Examples of the SAML 2.0 Attribute Interfaces
■ Section 9.4.7, Examples of the SAML 1.1 Attribute Interfaces
■ Section 9.4.8, Make the Custom SAML Credential Attribute Mapper Class Available in the Console
■ Section 9.4.9, Make the Custom SAML Identity Asserter Class Available in the Console

9.4.1 What Are SAML SSO Attributes?

A SAML assertion is a piece of data produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization data applying to the subject with respect to a specified resource.

The SAML specification (see http://www.oasis-open.org) allows additional, unspecified information about a particular subject to be exchanged between SAML partners as attribute statements in an assertion. A SAML attribute assertion is therefore a particular type of SAML assertion that conveys site-determined information about attributes of a Subject.

In previous versions of WebLogic Server, the SAML 1.1 Credential Mapping provider supported attribute information, stored in the Subject, that specified the groups to which the identity contained in the assertion belonged.

In this release, WebLogic Server enhances the SAML 1.1 and 2.0 Credential Mapping provider and Identity Assertion provider mechanisms to support the use of a custom attribute mapper that can obtain additional attributes other than group information to be written into SAML assertions, and to then map attributes from incoming SAML assertions. To do this:

■ The SAML credential mapper on the SAML Identity Provider site determines how to package the attributes based on the existence of this custom attribute mapper.
■ The SAML identity asserter on the SAML Service Provider site determines how to get the attributes based on the configuration of the custom name mapper.
■ The Java Subject is used to make the attributes extracted from assertions available to applications. This requires that the SAML Authentication provider be configured and the virtual user be enabled on a SAML partner.
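To make the attribute statement described above concrete, the following added example (not code from the WebLogic documentation and not a WebLogic API) parses a constructed, unsigned SAML 2.0 assertion and collects its attributes the way a Service Provider side mapper would receive them. It assumes a policy of accepting only attributes in the SAML 2.0 basic name format, the profile named in the title of Section 9.4.3; the issuer, subject, and attribute names and values are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample assertion: unsigned, for illustration only.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Employees</saml:AttributeValue>
      <saml:AttributeValue>Auditors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def extract_attributes(assertion_xml):
    """Return (subject, accepted, rejected) for one SAML 2.0 assertion.

    accepted maps attribute name -> list of values (attributes can be
    multi-valued); rejected lists names whose NameFormat is not basic.
    Call this only after the assertion's signature has been validated."""
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    accepted, rejected = {}, []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        # SAML core: an absent NameFormat means "unspecified", not basic.
        fmt = attr.get("NameFormat", UNSPECIFIED)
        if fmt != BASIC:
            rejected.append(name)
            continue
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        accepted.setdefault(name, []).extend(values)
    return subject, accepted, rejected
```
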

9.4.2 New API’s for SAML Attributes