3-12 Understanding Security for Oracle WebLogic Server
3.3.2.1 SAML Security Providers
WebLogic Server provides the security providers listed in Table 3–1 to support SAML 1.1 and 2.0.
3.3.2.2 Single Sign-On Services
WebLogic Server can be configured to act as a SAML Identity Provider (IdP), a Service Provider, or both. When acting as an IdP, the SAML credential mapping provider must be configured so that the IdP can produce assertions. When acting as a Service Provider, the SAML identity assertion provider must be configured so that the Service Provider can consume assertions.
SAML Single Sign-On Services (SSO) are configured on a per-server basis. To enable SAML SSO in two or more servers in a domain, such as in a cluster, the recommended approach is to do the following:
1. Create a domain in which the RDBMS security store is configured. For more information, see Managing the RDBMS Security Store in Securing Oracle WebLogic Server.
2. Ensure that SSO services are configured individually and identically on each server instance.
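The two requirements above (the provider that matches each server's SAML role, and identical SSO settings on every server that takes part in clustered SSO) are easy to check mechanically. The following script is an added example, not part of the Oracle documentation or of WebLogic itself: it audits a simplified, constructed model of per-server realm configuration (plain dictionaries, not WebLogic's config.xml format), using the provider roles from Table 3–1, and reports a server that lacks the provider its role needs, a server still using a deprecated Version 1 provider, and any SSO setting that drifts between servers. The server names, provider lists and SSO keys are constructed for the example.

```python
"""Audit a constructed model of per-server SAML provider and SSO configuration.

Added example; not WebLogic code and not its config.xml schema. Each server
entry lists the SAML roles it plays, the providers configured in its realm,
and its SSO settings as a flat dict of constructed keys.
"""
from __future__ import annotations

# Provider needed per (SAML version, role), from Table 3-1. The first entry of
# each tuple is the current provider; a deprecated Version 1 provider still
# satisfies the role but is reported separately below.
REQUIRED = {
    ("1.1", "idp"): ("SAML Credential Mapping provider Version 2",
                     "SAML Credential Mapping provider Version 1"),
    ("1.1", "sp"):  ("SAML Identity Assertion provider Version 2",
                     "SAML Identity Assertion provider Version 1"),
    ("2.0", "idp"): ("SAML 2.0 Credential Mapping provider",),
    ("2.0", "sp"):  ("SAML 2.0 Identity Assertion provider",),
}
DEPRECATED = {
    "SAML Credential Mapping provider Version 1",
    "SAML Identity Assertion provider Version 1",
}


def audit_server(name: str, roles: set, providers: set) -> list:
    """Return findings for one server: missing role provider, deprecated provider."""
    findings = []
    for key in sorted(roles):
        wanted = REQUIRED[key]
        if not any(p in providers for p in wanted):
            version, role = key
            findings.append(f"{name}: acts as SAML {version} {role.upper()} "
                            f"but has no {wanted[0]}")
    for p in sorted(providers):
        if p in DEPRECATED:
            findings.append(f"{name}: deprecated provider configured: {p}")
    return findings


def audit_cluster(servers: dict) -> list:
    """Audit every server, then check that SSO settings are identical across them.

    SSO services are per-server, so clustered SSO only works when each server
    carries the same settings; the first server is used as the reference.
    """
    findings = []
    for name, cfg in servers.items():
        findings.extend(audit_server(name, cfg["roles"], cfg["providers"]))
    reference = next(iter(servers))
    ref_sso = servers[reference]["sso"]
    for name, cfg in servers.items():
        if name == reference:
            continue
        keys = set(ref_sso) | set(cfg["sso"])
        drift = sorted(k for k in keys if ref_sso.get(k) != cfg["sso"].get(k))
        if drift:
            findings.append(f"{name}: SSO settings differ from {reference}: {drift}")
    return findings


# Constructed sample: one healthy SAML 2.0 IdP, one IdP missing its credential
# mapper with a drifted SSO setting, and one SAML 1.1 SP on a deprecated provider.
SAMPLE_SERVERS = {
    "ManagedServer1": {
        "roles": {("2.0", "idp")},
        "providers": {"DefaultAuthenticator", "SAML 2.0 Credential Mapping provider"},
        "sso": {"entity_id": "https://sso.example.test/saml2",
                "signing_key_alias": "sso-key", "assertion_lifetime_s": 120},
    },
    "ManagedServer2": {
        "roles": {("2.0", "idp")},
        "providers": {"DefaultAuthenticator"},
        "sso": {"entity_id": "https://sso.example.test/saml2",
                "signing_key_alias": "sso-key", "assertion_lifetime_s": 600},
    },
    "ManagedServer3": {
        "roles": {("1.1", "sp")},
        "providers": {"DefaultAuthenticator",
                      "SAML Identity Assertion provider Version 1"},
        "sso": {"entity_id": "https://sso.example.test/saml2",
                "signing_key_alias": "sso-key", "assertion_lifetime_s": 120},
    },
}


def run_sample() -> list:
    """Audit the constructed sample and return its findings."""
    return audit_cluster(SAMPLE_SERVERS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running the sample reports three findings: ManagedServer2 lacks the SAML 2.0 Credential Mapping provider its IdP role requires, ManagedServer3 still relies on the deprecated Version 1 identity asserter, and ManagedServer2's assertion lifetime differs from ManagedServer1's. In a real domain the same checks would be fed from the realm's provider list and each server's SSO settings rather than from the embedded dictionaries.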
3.3.2.3 Web Services Support for SAML Token Profile 1.1
WebLogic Server Web services support SAML Token Profile 1.1. This feature includes support for both SAML 2.0 and SAML 1.1 assertions and is backwards-compatible with SAML Token Profile 1.0.
Table 3–1 Security Providers Included in WebLogic Server to Support SAML

To support | The following provider | Does the following
SAML 1.1 | SAML Credential Mapping provider Version 2 | Generates SAML 1.1 assertions. This provider must be configured for a WebLogic Server instance that serves as an Identity Provider or, as identified in the Administration Console, the source site.
SAML 1.1 | SAML Credential Mapping provider Version 1 | Generates SAML 1.1 assertions (deprecated).
SAML 1.1 | SAML Identity Assertion provider Version 2 | Consumes SAML 1.1 assertions. This provider must be configured for a WebLogic Server instance that serves as a Service Provider or, as identified in the Administration Console, the destination site.
SAML 1.1 | SAML Identity Assertion provider Version 1 | Consumes SAML 1.1 assertions (deprecated).
SAML 2.0 | SAML 2.0 Credential Mapping provider | Generates SAML 2.0 assertions. This provider must be configured for a WebLogic Server instance that serves as an Identity Provider.
SAML 2.0 | SAML 2.0 Identity Assertion provider | Consumes SAML 2.0 assertions. This provider must be configured for a WebLogic Server instance that serves as a Service Provider.
SAML 1.1 and 2.0 | SAML Authentication provider | Enables virtual user functionality for both the SAML 1.1 and SAML 2.0 Identity Assertion providers. See Configuring the SAML Authentication Provider in Securing Oracle WebLogic Server.
You configure SAML tokens for a web service through use of the appropriate WS-SecurityPolicy assertions. When using SAML Token Profile, the appropriate SAML security providers must be configured (either the SAML 2.0 or the SAML 1.1 credential mapping or identity assertion providers), depending on the desired SAML version and assertion usage.
3.4 Single Sign-On (SSO)