SAML APIs 9-19
The SAML Identity Assertion provider processes AttributeStatement elements of the incoming SAML assertions and constructs a collection of SAML attribute statements.
3. The SAML Identity Assertion provider determines whether the configured custom name mapper implements the SAML2IdentityAsserterAttributeMapper interface. If it does, the SAML Identity Assertion provider calls the mapAttributeInfo method to obtain the SAML assertion's attributes. Your mapAttributeInfo method takes a Collection of SAMLAttributeStatementInfo instances, which represent the attributes of the attribute statements in a SAML assertion, and maps the desired attributes in any application-specific way.
4. The SAML Identity Assertion provider makes the attributes from a SAML assertion available to consumers via the Java Subject. This requires that the SAML Authentication provider be configured and that the virtual user be enabled on a SAML partner.
The attributes returned by the mapper are stored as subject principals or as private credentials, depending on the class type of the mapped attributes. Specifically, if the mapper returns a collection of Principal objects, the mapped attributes are stored in the subject's principal set. Otherwise, the subject's private credential set is used to carry the mapped attributes.
The consuming code needs to know the class type of the object that the mapper uses to represent the attributes added to the subject, as shown in Example 9-7.
5. The SAML Identity Assertion provider checks the ContextHandler and the attribute mapper. This walkthrough assumes the presence of the attribute mapper as stated in Step 4.
Note: If both the ContextHandler and the attribute mapper are present and configured, the attributes are instead made available to Web services via the ContextHandler, as described in Securing WebLogic Web Services for Oracle WebLogic Server.
9.4.6 Examples of the SAML 2.0 Attribute Interfaces
This section provides examples of implementing the SAML 2.0 attribute interfaces that allow writing additional attributes into SAML assertions.
9.4.6.1 Example Custom SAML 2.0 Credential Attribute Mapper
Example 9-6 shows an example of a single class that implements both the SAML2CredentialNameMapper interface and the SAML2CredentialAttributeMapper interface.
Example 9-6 SAML 2.0 Credential Attribute Mapper
// Imports are not shown in the original example; the WebLogic package names below
// are assumed from the WebLogic Javadoc and should be verified against your release.
import java.util.ArrayList;
import java.util.Collection;
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.security.principal.WLSGroup;
import weblogic.security.principal.WLSUser;
import weblogic.security.providers.saml.SAML2AttributeInfo;
import weblogic.security.providers.saml.SAML2AttributeStatementInfo;
import weblogic.security.providers.saml.SAML2CredentialAttributeMapper;
import weblogic.security.providers.saml.SAML2CredentialNameMapper;
import weblogic.security.providers.saml.SAML2NameMapperInfo;
import weblogic.security.service.ContextHandler;

public class CustomSAML2CredentialAttributeMapperImpl
        implements SAML2CredentialNameMapper, SAML2CredentialAttributeMapper {

    private String nameQualifier = null;

    // Called by the SAML 2.0 Credential Mapping provider; the returned attribute
    // statements are written into the generated assertion.
    public Collection<SAML2AttributeStatementInfo> mapAttributes(Subject subject, ContextHandler handler) {
        return getAttributeStatementInfo(subject, handler);
    }

    // same as SAML2NameMapperImpl
    public SAML2NameMapperInfo mapName(String name, ContextHandler handler) {
        System.out.println("CustomSAML2CredentialAttributeMapperImpl:mapName: Mapped name: qualifier: "
                + nameQualifier + ", name: " + name);
        return new SAML2NameMapperInfo(nameQualifier, name, null);
    }

    // same as SAML2NameMapperImpl
    public synchronized void setNameQualifier(String nameQualifier) {
        this.nameQualifier = nameQualifier;
    }

    // same as SAML2NameMapperImpl
    public SAML2NameMapperInfo mapSubject(Subject subject, ContextHandler handler) {
        // Provider checks for null Subject...
        Set<WLSUser> subjects = subject.getPrincipals(WLSUser.class);
        Set<WLSGroup> groups = subject.getPrincipals(WLSGroup.class);
        String userName = null;
        if (subjects == null || subjects.size() == 0) {
            System.out.println("CustomSAML2CredentialAttributeMapperImpl:mapSubject: "
                    + "No valid WLSUser principals found in Subject, returning null");
            return null;
        }
        if (groups == null || groups.size() == 0) {
            System.out.println("CustomSAML2CredentialAttributeMapperImpl:mapSubject: "
                    + "No valid WLSGroup principals found in Subject, continuing");
        }
        if (subjects.size() != 1) {
            System.out.println("CustomSAML2CredentialAttributeMapperImpl:mapSubject: "
                    + "More than one WLSUser principal found in Subject, taking first user only");
        }
        userName = subjects.iterator().next().getName();
        if (userName == null || userName.equals("")) {
            System.out.println("CustomSAML2CredentialAttributeMapperImpl:mapSubject: "
                    + "Username string is null or empty, returning null");
            return null;
        }
        // Return mapping information...
        System.out.println("CustomSAML2CredentialAttributeMapperImpl:mapSubject: Mapped subject: qualifier: "
                + nameQualifier + ", name: " + userName + ", groups: " + groups);
        return new SAML2NameMapperInfo(nameQualifier, userName, groups);
    }

    private Collection<SAML2AttributeStatementInfo> getAttributeStatementInfo(Subject subject, ContextHandler handlers) {
        Collection<SAML2AttributeInfo> attrs = new ArrayList<SAML2AttributeInfo>();
        // A single-valued attribute...
        SAML2AttributeInfo attrInfo = new SAML2AttributeInfo("AttributeWithSingleValue", "ValueOfAttributeWithSingleValue");
        attrInfo.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
        attrs.add(attrInfo);

        // ...and a multi-valued one.
        ArrayList<String> v = new ArrayList<String>();
        v.add("Value1OfAttributeWithMultipleValue");
        v.add("Value2OfAttributeWithMultipleValue");
        v.add("Value3OfAttributeWithMultipleValue");
        SAML2AttributeInfo attrInfo1 = new SAML2AttributeInfo("AttributeWithMultipleValue", v);
        // The name format belongs on attrInfo1 (the original set it on attrInfo a second time).
        attrInfo1.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
        attrs.add(attrInfo1);
        // ... (further attribute collections, including the attrs1 collection used below, are elided in the original)
        Collection<SAML2AttributeStatementInfo> attrStatements = new ArrayList<SAML2AttributeStatementInfo>();
        attrStatements.add(new SAML2AttributeStatementInfo(attrs));
        attrStatements.add(new SAML2AttributeStatementInfo(attrs1));
        return attrStatements;
    }
}
Use the WebLogic Server Administration Console to configure the User Name Mapper class name to the fully-qualified class name of this mapper implementation, as described in Section 9.4.8, "Make the Custom SAML Credential Attribute Mapper Class Available in the Console".
The attributes encapsulated in the collection of SAML2AttributeStatementInfo objects returned by the custom mapper implementation are included in the generated assertions by the SAML 2.0 Credential Mapping provider.
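The following is an added example, not Oracle's code and not the Example 9-7 referenced above, of the consuming side of this flow (Steps 3 and 4 of the walkthrough): a SAML2IdentityAsserterAttributeMapper that turns attribute statements such as those Example 9-6 emits into Principal objects, so the provider stores them in the Subject's principal set, together with the consumer lookup by that class. The WebLogic package names, the Collection<Object> return type of mapAttributeInfo, and the SAMLAttributeStatementInfo/SAMLAttributeInfo getters (getAttributeInfo, getAttributeName, getAttributeNameFormat, getAttributeValues) are assumed from the WebLogic Javadoc and should be verified against your release.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import javax.security.auth.Subject;
import weblogic.security.providers.saml.SAML2IdentityAsserterAttributeMapper; // package assumed
import weblogic.security.providers.saml.SAMLAttributeInfo;                   // package assumed
import weblogic.security.providers.saml.SAMLAttributeStatementInfo;          // package assumed
import weblogic.security.service.ContextHandler;                             // package assumed

public class ExampleSAML2IdentityAsserterAttributeMapperImpl
        implements SAML2IdentityAsserterAttributeMapper {
    // One Principal per mapped attribute; consumers must look it up by exactly this class.
    public static final class SamlAttributePrincipal implements Principal, Serializable {
        private final String name;
        private final Collection<String> values;
        public SamlAttributePrincipal(String name, Collection<String> values) {
            this.name = name;
            this.values = values == null ? new ArrayList<String>() : new ArrayList<String>(values);
        }
        public String getName() { return name; }
        public Collection<String> getValues() { return Collections.unmodifiableCollection(values); }
    }
    // Returning Principal objects makes the provider put them in the Subject's principal set
    // (Step 4); any other class type would be carried in the private credential set instead.
    public Collection<Object> mapAttributeInfo(Collection<SAMLAttributeStatementInfo> attrStmtInfos,
                                               ContextHandler contextHandler) {
        Collection<Object> mapped = new ArrayList<Object>();
        if (attrStmtInfos == null) return mapped;
        for (SAMLAttributeStatementInfo stmt : attrStmtInfos) {
            Collection<SAMLAttributeInfo> attrs = stmt.getAttributeInfo();  // getter name assumed
            if (attrs == null) continue;
            for (SAMLAttributeInfo attr : attrs) {
                // Only accept the "basic" name format that Example 9-6 emits; ignore anything else.
                if (!"urn:oasis:names:tc:SAML:2.0:attrname-format:basic".equals(attr.getAttributeNameFormat())) continue;
                mapped.add(new SamlAttributePrincipal(attr.getAttributeName(), attr.getAttributeValues()));
            }
        }
        return mapped;
    }
    // Consumer side: read one attribute's values back out of the Subject by class type.
    public static Collection<String> attributeValues(Subject subject, String attributeName) {
        for (SamlAttributePrincipal p : subject.getPrincipals(SamlAttributePrincipal.class)) {
            if (p.getName().equals(attributeName)) return p.getValues();
        }
        return Collections.emptyList();
    }
}
```

If the mapper returned plain Strings or another non-Principal type instead, the same consumer would have to call subject.getPrivateCredentials(ThatClass.class), which is why the class type is part of the contract between mapper and consumer.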
9.4.6.2 Custom SAML 2.0 Identity Asserter Attribute Mapper