
Programming Security for Oracle WebLogic Server

            // ... continued from the preceding page; the start of this example is not on this page
            attr.getAttributeNamespace(), attr.getAttributeValues());
            pals.add(pal);
          }
        }
      }
    }

The SAML 1.1 Identity Assertion provider makes the attributes from a SAML assertion available to consumers via the subject. Use the WebLogic Server Administration Console to set the User Name Mapper class name to the fully-qualified class name of this mapper implementation, as described in Section 9.4.9, Make the Custom SAML Identity Asserter Class Available in the Console.

If you are allowing virtual users to log in via SAML, you need to create and configure an instance of the SAML Authentication provider. For information, see Configuring the SAML Authentication Provider. If the virtual user is enabled and the SAML Authentication provider is configured, the attributes returned by the custom attribute mapper are added to the subject.

The attributes returned by the mapper are stored as subject principals or as private credentials, depending on the class type of the mapped attributes. Specifically, if the mapper returns a collection of Principal objects, the mapped attributes are stored in the subject's principal set. Otherwise, the subject's private credential set carries the mapped attributes. Your application code therefore needs to know the class type the mapper uses to represent the attributes it adds to the subject: applications retrieve the SAML attributes from the subject's private credential set or principal set by that class type.
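The retrieval rule above, as an added example that is not part of the WebLogic documentation: the mapper's output lands either in the Subject's principal set (when it returned Principal objects) or in the private-credential set (anything else), and the application reads it back by class type with the standard javax.security.auth.Subject API. SamlAttributePrincipal and SamlAttributeCredential are hypothetical types standing in for whatever class your own mapper returns, and the Subject is constructed inline so the program runs offline; in a deployed application you would obtain the real subject, already populated by the identity asserter, from weblogic.security.Security.getCurrentSubject().

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.security.auth.Subject;

public class SamlAttributeLookup {

    /** Hypothetical mapper output type for the "mapper returns Principals" case. */
    public static final class SamlAttributePrincipal implements Principal {
        private final String name;       // SAML attribute name
        private final String namespace;  // SAML attribute namespace
        private final List<String> values;

        public SamlAttributePrincipal(String name, String namespace, List<String> values) {
            this.name = Objects.requireNonNull(name, "attribute name");
            this.namespace = namespace;
            this.values = Collections.unmodifiableList(new ArrayList<String>(values));
        }

        @Override public String getName() { return name; }
        public String getNamespace() { return namespace; }
        public List<String> getValues() { return values; }
        @Override public String toString() { return namespace + ":" + name + "=" + values; }
    }

    /** Hypothetical mapper output type that is NOT a Principal, so it goes to private credentials. */
    public static final class SamlAttributeCredential {
        public final String name;
        public final String namespace;
        public final List<String> values;

        public SamlAttributeCredential(String name, String namespace, List<String> values) {
            this.name = Objects.requireNonNull(name, "attribute name");
            this.namespace = namespace;
            this.values = Collections.unmodifiableList(new ArrayList<String>(values));
        }

        @Override public String toString() { return namespace + ":" + name + "=" + values; }
    }

    /** Case 1: the mapper returned Principals, so WebLogic put them in the principal set. */
    public static List<SamlAttributePrincipal> attributesFromPrincipals(Subject subject) {
        return new ArrayList<SamlAttributePrincipal>(subject.getPrincipals(SamlAttributePrincipal.class));
    }

    /** Case 2: the mapper returned non-Principal objects, so they sit in the private-credential set. */
    public static List<SamlAttributeCredential> attributesFromCredentials(Subject subject) {
        // With a SecurityManager installed this call is guarded by PrivateCredentialPermission.
        return new ArrayList<SamlAttributeCredential>(subject.getPrivateCredentials(SamlAttributeCredential.class));
    }

    /** First value of a named attribute from either set, or null if the assertion did not carry it. */
    public static String firstValue(Subject subject, String attributeName) {
        for (SamlAttributePrincipal p : attributesFromPrincipals(subject)) {
            if (p.getName().equals(attributeName) && !p.getValues().isEmpty()) return p.getValues().get(0);
        }
        for (SamlAttributeCredential c : attributesFromCredentials(subject)) {
            if (c.name.equals(attributeName) && !c.values.isEmpty()) return c.values.get(0);
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample Subject standing in for the one the identity asserter would build.
        Subject subject = new Subject();
        subject.getPrincipals().add(new SamlAttributePrincipal(
                "group", "urn:example:attrs", Arrays.asList("admins", "auditors")));
        subject.getPrivateCredentials().add(new SamlAttributeCredential(
                "email", "urn:example:attrs", Arrays.asList("alice@example.com")));

        System.out.println("principal-set attributes:  " + attributesFromPrincipals(subject));
        System.out.println("credential-set attributes: " + attributesFromCredentials(subject));
        System.out.println("first group: " + firstValue(subject, "group"));
        System.out.println("email:       " + firstValue(subject, "email"));
        System.out.println("missing:     " + firstValue(subject, "department")); // null, not an exception
    }
}
```

The lookup by class type is what makes the application independent of how many attributes the assertion carried: a type the mapper never used simply yields an empty set, so code that consults attributes for authorization decisions should treat "absent" as a distinct, deny-by-default case rather than assuming the set is non-empty.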

9.4.8 Make the Custom SAML Credential Attribute Mapper Class Available in the Console

To have the SAML Credential Mapping provider use your SAML2CredentialAttributeMapper (SAML 2.0) or SAMLCredentialAttributeMapper (SAML 1.1) instance, you use the WebLogic Server Administration Console to set the existing NameMapperClassName attribute to the class name of this SAML2CredentialAttributeMapper or SAMLCredentialAttributeMapper instance. That is, you use the Console control for the name mapper class name attribute to specify the class name of the SAML2CredentialAttributeMapper or SAMLCredentialAttributeMapper instance in the active security realm.

To use a custom user name mapper with the WebLogic SAML Credential Mapping provider:

1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit.

2. On the Security Realms page, select the name of the realm you are configuring (for example, TestRealm).

3. Expand Providers > Credential Mapping and select the name of the SAML 2.0 Credential Mapping provider, or the SAML Credential Mapping provider Version 2.

4. Select the Provider Specific tab.

5. In the Name Mapper Class Name (SAML 2.0) or Default Name Mapper Class Name (SAML 1.1) field, enter the class name of your SAML2CredentialAttributeMapper or SAMLCredentialAttributeMapper implementation. The class must be on the system classpath.

6. Click Save.

7. To activate these changes, in the Change Center, click Activate Changes.

9.4.9 Make the Custom SAML Identity Asserter Class Available in the Console

To have the SAML Identity Assertion provider use your SAML2IdentityAsserterAttributeMapper (SAML 2.0) or SAMLIdentityAssertionAttributeMapper (SAML 1.1) instance, you use the WebLogic Server Administration Console to set the existing NameMapperClassName attribute to the class name of this SAML2IdentityAsserterAttributeMapper or SAMLIdentityAssertionAttributeMapper instance. That is, you use the Console control for the name mapper class name attribute to specify the class name of the SAML2IdentityAsserterAttributeMapper or SAMLIdentityAssertionAttributeMapper instance in the active security realm.

To use a custom user name mapper with the WebLogic SAML Identity Asserter provider:

1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit.

2. On the Security Realms page, select the name of the realm you are configuring (for example, TestRealm).

3. Expand Providers > Authentication and select the name of the SAML 2.0 Identity Asserter, or the SAML Identity Asserter Version 2.

4. Select the Provider Specific tab.

5. In the Name Mapper Class Name (SAML 2.0) or Default Name Mapper Class Name (SAML 1.1) field, enter the class name of your SAML2IdentityAsserterAttributeMapper or SAMLIdentityAssertionAttributeMapper implementation. The class must be on the system classpath.

6. Click Save.

7. To activate these changes, in the Change Center, click Activate Changes.

For details about how to set a name mapper class name in the Administration Console, see Configure a custom user name mapper in the Oracle WebLogic Server Administration Console Help.

10 Using CertPath Building and Validation

The WebLogic Security service provides the Certificate Lookup and Validation (CLV) API, which finds and validates X509 certificate chains. A CertPath is a JDK class that stores a certificate chain in memory. The term CertPath is also used to refer to the JDK architecture and framework that is used to locate and validate certificate chains. The CLV framework extends and completes the JDK CertPath functionality. CertPath providers rely on a tightly-coupled integration of WebLogic and JDK interfaces. Your application code can use the default CertPath providers provided by WebLogic Server to build and validate certificate chains, or any custom CertPath providers.

The following topics are covered in this section:

■ Section 10.1, CertPath Building

■ Section 10.2, CertPath Validation

■ Section 10.1.1, Instantiate a CertPathSelector

■ Section 10.1.2, Instantiate a CertPathBuilderParameters

■ Section 10.1.3, Use the JDK CertPathBuilder Interface

■ Section 10.2.1, Instantiate a CertPathValidatorParameters

■ Section 10.2.2, Use the JDK CertPathValidator Interface

10.1 CertPath Building

To use a CertPath Builder in your application, follow these steps:

1. Section 10.1.1, Instantiate a CertPathSelector

2. Section 10.1.2, Instantiate a CertPathBuilderParameters

3. Section 10.1.3, Use the JDK CertPathBuilder Interface

10.1.1 Instantiate a CertPathSelector

The CertPathSelector interface (weblogic.security.pk.CertPathSelector) contains the selection criteria for locating and validating a certification path. Because there are many ways to look up certification paths, a derived class is implemented for each type of selection criteria. Each selector class has a constructor and one or more methods to retrieve the selection data.
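As an added example (not code from the WebLogic documentation), the three-step procedure of Section 10.1 carried end to end: a selector built from the end-entity certificate, the WebLogic-specific CertPathBuilderParameters, and the JDK CertPathBuilder interface invoked with the WebLogic provider's algorithm name. The WebLogic-specific details here are assumptions to check against the weblogic.security.pk Javadoc of your release: that EndCertificateSelector takes the end-entity X509Certificate, that CertPathBuilderParameters takes (realm name, selector, trusted CAs, ContextHandler) with null trusted CAs meaning the realm's configured trust, and that the builder is registered under the name "WLSCertPathBuilder". The realm name "myrealm" and the PEM file argument are also assumptions. It needs weblogic.jar on the classpath and a running server's realm to do real work, so it is not an offline program.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import weblogic.security.pk.CertPathBuilderParameters;
import weblogic.security.pk.CertPathSelector;
import weblogic.security.pk.EndCertificateSelector;

public class ClvChainBuilder {

    /**
     * Locate and validate the chain for one end-entity certificate through CLV.
     * Returns the CertPath on success; a CertPathBuilderException from the
     * builder means no valid chain could be found for the selector, which is
     * the result a caller should treat as "untrusted", not as a transient error.
     */
    public static CertPath buildChainFor(X509Certificate endEntity, String realmName) throws Exception {
        // Step 1 (10.1.1): the selection criteria. EndCertificateSelector is the
        // selector for "I hold the leaf certificate, find its chain"; other
        // derived selectors key on other data (assumed names, see Javadoc).
        CertPathSelector selector = new EndCertificateSelector(endEntity);

        // Step 2 (10.1.2): WebLogic-specific parameters. Assumed constructor:
        // (realmName, selector, trustedCAs, contextHandler). null trustedCAs =
        // use the realm's configured trusted CAs; null context = no extra context.
        CertPathBuilderParameters params =
                new CertPathBuilderParameters(realmName, selector, null, null);

        // Step 3 (10.1.3): the plain JDK interface, selecting WebLogic's provider
        // by its registered algorithm name (assumed: "WLSCertPathBuilder").
        CertPathBuilder builder = CertPathBuilder.getInstance("WLSCertPathBuilder");
        CertPathBuilderResult result = builder.build(params);
        return result.getCertPath();
    }

    /** Read one PEM or DER encoded X.509 certificate from disk with the standard JDK factory. */
    public static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation: java ClvChainBuilder leaf.pem [realmName]
        X509Certificate leaf = loadCertificate(args[0]);
        String realm = args.length > 1 ? args[1] : "myrealm"; // assumed realm name
        try {
            CertPath chain = buildChainFor(leaf, realm);
            // Chain order follows the JDK CertPath convention: leaf first, then issuers.
            for (Certificate c : chain.getCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(x.getSubjectX500Principal() + "  issued by  " + x.getIssuerX500Principal());
            }
        } catch (CertPathBuilderException e) {
            System.out.println("no valid chain for " + leaf.getSubjectX500Principal() + ": " + e.getMessage());
        }
    }
}
```

Because CLV both locates and validates, a successful build already implies the chain checked out against the realm's trust configuration; code that only needs the validation half of that for a chain it already holds is the subject of Section 10.2.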