Publishing and Distributing the Metadata File

Configuring Single Sign-On with Web Browsers and HTTP Clients 7-11

■ Whether requests for SAML artifacts received from your partners must be signed.
■ Configuration settings for the SAML artifact cache.
■ Keystore alias and passphrase for the key to be used when signing documents sent to your federated partners, such as authentication requests or responses.

For information about the steps for configuring SAML 2.0 general services, see Configure SAML 2.0 general services in the Oracle WebLogic Server Administration Console Help.

7.3.2.2 Publishing and Distributing the Metadata File

The local site information that is needed by your federated partners — such as the local site contact information, entity ID, published site URL, whether TLS/SSL client authentication is required, and so on — is published to a metadata file by clicking Publish Meta Data in the SAML 2.0 General console page. When you publish the metadata file, you specify an existing directory on the local machine in which the file can be created.

The process of distributing the metadata file to your federated partners is a detail that is not implemented by WebLogic Server. However, you may send this file via a number of commonly used mechanisms suitable for securely transferring electronic documents, such as encrypted email or secure FTP.

Keep the following in mind regarding the metadata file:

■ Before you publish the metadata file, you should configure the Identity Provider and/or Service Provider services for the SAML 2.0 roles in which the WebLogic Server instances in your domain are enabled to function. The configuration data for the SAML 2.0 services your site offers that is needed by your federated partners is included in this metadata file, greatly simplifying the tasks your partners perform to import your signing certificates, identify your site's SAML 2.0 service endpoints, use the correct binding types for connecting to your site's services, and so on.
■ You should have only a single version of the metadata file that you share with your federated partners, even if your site functions in the role of Service Provider with some partners and Identity Provider with others. By having only a single version of the metadata file, you reduce the likelihood that your configuration settings might become incompatible with those of a partner.
■ If you change the local site's SAML 2.0 configuration, you should update your metadata file. Because the metadata file is shared with your partners, it is convenient to minimize the frequency with which you update your SAML 2.0 configuration so that your partners can minimize the need to make concomitant updates to their own partner registries.
■ When you receive a metadata file from a federated partner, place it in a location that can be accessed by all the nodes in your domain in which SAML 2.0 services are configured. At the time you create a partner, you bring the contents of the partner's metadata file into the partner registry. Operations on the metadata file are available via the com.bea.security.saml2.providers.registry.Partner Java interface.
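The points above describe what a received metadata file carries (signing certificates, service endpoints, binding types) and that it should be transferred securely. The following is an added example, not Oracle's code and not part of the WebLogic partner registry, showing what an administrator can check before importing a partner's file: it computes a fingerprint of the file as received (to compare with a value the partner communicated over a separate channel), parses the standard SAML 2.0 EntityDescriptor with Python's standard library, and lists the signing certificates and endpoints with their bindings, flagging endpoints that are not served over HTTPS and role descriptors that carry no signing key. The two metadata documents, the entity IDs and hostnames in them are constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Standard SAML 2.0 metadata and XML-Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ROLE_TAGS = {"IDPSSODescriptor": "IDP", "SPSSODescriptor": "SP"}

# Constructed sample: a partner acting as Identity Provider (not a real site).
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.partner.example/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBSAMPLE...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.partner.example/saml2/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.partner.example/saml2/sso/artifact"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of a weak Service Provider file: no signing key, plain-HTTP endpoint.
SAMPLE_WEAK_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.weak.example/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.weak.example/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class Endpoint:
    role: str       # "IDP" or "SP"
    service: str    # e.g. "SingleSignOnService", "AssertionConsumerService"
    binding: str
    location: str


@dataclass
class PartnerMetadata:
    entity_id: str
    valid_until: Optional[str] = None
    roles: List[str] = field(default_factory=list)
    signing_certs: List[str] = field(default_factory=list)   # base64 DER, whitespace removed
    endpoints: List[Endpoint] = field(default_factory=list)
    wants_signed_requests: bool = False


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file exactly as received, to compare with the value the partner sent out of band."""
    return hashlib.sha256(data).hexdigest()


def parse_partner_metadata(data: bytes) -> PartnerMetadata:
    """Extract the fields an administrator reviews before importing a partner file."""
    root = ET.fromstring(data)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    meta = PartnerMetadata(entity_id=root.get("entityID", ""), valid_until=root.get("validUntil"))
    for tag, role in ROLE_TAGS.items():
        for desc in root.findall("md:%s" % tag, NS):
            meta.roles.append(role)
            if desc.get("WantAuthnRequestsSigned") == "true":
                meta.wants_signed_requests = True
            for kd in desc.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
                if kd.get("use") in (None, "signing"):
                    for cert in kd.findall(".//ds:X509Certificate", NS):
                        if cert.text:
                            meta.signing_certs.append("".join(cert.text.split()))
            for child in desc:
                local = child.tag.split("}", 1)[1]
                if local.endswith("Service"):   # SingleSignOnService, ArtifactResolutionService, ...
                    meta.endpoints.append(Endpoint(role, local, child.get("Binding", ""), child.get("Location", "")))
    return meta


def check_partner_metadata(meta: PartnerMetadata) -> List[str]:
    """Return review findings; an empty list means nothing to flag."""
    findings = []
    if not meta.roles:
        findings.append("no IDP or SP role descriptor present")
    if not meta.signing_certs:
        findings.append("no signing certificate: signed documents from this partner cannot be verified")
    for ep in meta.endpoints:
        if not ep.location.lower().startswith("https://"):
            findings.append("%s (%s) is not served over HTTPS: %s" % (ep.service, ep.binding.rsplit(":", 1)[-1], ep.location))
    if "IDP" in meta.roles and not meta.wants_signed_requests:
        findings.append("IDP does not declare WantAuthnRequestsSigned")
    return findings


if __name__ == "__main__":
    for raw in (SAMPLE_METADATA, SAMPLE_WEAK_METADATA):
        meta = parse_partner_metadata(raw)
        print("fingerprint:", fingerprint(raw))
        print("entityID:", meta.entity_id, "roles:", meta.roles, "signing certs:", len(meta.signing_certs))
        for ep in meta.endpoints:
            print("  %s %s %s -> %s" % (ep.role, ep.service, ep.binding.rsplit(":", 1)[-1], ep.location))
        for finding in check_partner_metadata(meta):
            print("  WARN:", finding)
```

Running the script prints the fingerprint, roles, endpoints and any findings for both constructed files; the second file produces two warnings. The fingerprint step is the practical counterpart of the "securely transferring" advice above: the transfer channel protects the file in transit, and the out-of-band comparison confirms the copy you import is the one your partner published.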

7.3.3 Configuring an Identity Provider Site for SAML 2.0 Single Sign-On