Configuring Authentication Providers 5-33
■ Create a SAML 2.0 Web Single Sign-on Identity Provider partner in the Oracle WebLogic Server Administration Console Help
Configuring a web service Identity Provider partner does not use a metadata file, but does consist of establishing the following information about that partner:
■ Issuer URI, which is a string that uniquely identifies this Identity Provider partner, distinguishing it from other partners in your SAML federation
■ Audience URIs, which specify an audience restriction to be included in assertions received from this partner
In WebLogic Server, the Audience URI attribute is overloaded to also include the partner lookup string, which is required by the web service run time to discover the partner. See Section 5.9.5.1.1, Partner Lookup Strings Required for Web Service Partners.
■ Custom name mapper class that overrides the default name mapper and that is to be used specifically with this partner
For more information about configuring web service Service Provider partners, see Create a SAML 2.0 Web Service Identity Provider partner in the Oracle WebLogic Server Administration Console Help.
5.9.5.1.1 Partner Lookup Strings Required for Web Service Partners
For web service Identity Provider partners, you also configure Audience URIs. In WebLogic Server, the Audience URI attribute is overloaded to perform two distinct functions:
■ Specify an audience restriction consisting of a target URL, per the OASIS SAML 2.0 specification.
■ Contain a partner lookup string, which is required at run time by WebLogic Server to discover the Identity Provider partner for which a SAML 2.0 assertion needs to be validated.
The partner lookup string specifies an endpoint URL, which is used for partner lookup and can optionally also serve as an Audience URI restriction that must be included in the assertion received from this Identity Provider partner.
Lookup String Syntax
The partner lookup string has the following syntax: [target:char:]endpoint-url
In this syntax, target:char: is a prefix that designates the partner lookup string, where char represents one of three special characters: a hyphen, plus sign, or asterisk (-, +, or *). This prefix determines how partner lookup is performed, as described in Table 5–11.
Note: You must configure a partner lookup string for an Identity Provider partner so that partner can be discovered at run time by the web service run time.
5-34 Securing Oracle WebLogic Server
Note: A WebLogic Server instance that is configured in the role of Service Provider always strips off the transport, host, and port portions of an endpoint URL that is passed in to the SAML 2.0 Identity Assertion provider. Therefore, the endpoint URLs you configure in any lookup string for an Identity Provider partner should contain only the portion of the URL that follows the host and port. For example, target:*:/myserver/xxx.
When you configure a Service Provider site, this behavior enables you to configure a single Identity Provider partner that can be used to validate all assertions for the same web service, regardless of the variations in the transport protocol (i.e., HTTP vs. HTTPS), host name, IP address, and port information across all the machines in a domain that host that web service.
Table 5–11 Identity Provider Partner Lookup String Syntax

Lookup String: target:-:endpoint-url
Description: Specifies that partner lookup is conducted for an exact match of the URL, endpoint-url. For example, target:-:/myserver/myservicecontext/my-endpoint specifies the endpoint that can be matched to this Identity Provider partner, for which an assertion should be validated. This form of partner lookup string excludes the endpoint URL from being added as an Audience URI for this Identity Provider partner.

Lookup String: target:+:endpoint-url
Description: Specifies that partner lookup is conducted for an exact match of the URL, endpoint-url.
Note: Using the plus sign (+) in the lookup string results in the endpoint URL being added as an Audience URI in the assertion received from this Identity Provider partner. Because this form of lookup string is unlikely to produce a match for an Identity Provider partner, it should be avoided.

Lookup String: target:*:endpoint-url
Description: Specifies that partner lookup is conducted for an initial-string pattern match of the URL, endpoint-url. For example, target:*:/myserver specifies that any endpoint URL beginning with /myserver can be matched to this Identity Provider, such as: /myserver/contextA/endpointA and /myserver/contextB/endpointB. If more than one Identity Provider partner is discovered that is a match for the initial string, the partner with the longest initial string match is selected. This form of partner lookup string excludes the endpoint URL from being added as an Audience URI for this Identity Provider partner.
Specifying Default Partners
To support the need for a default Identity Provider partner entry, one or more of the default partner's Audience URI entries may contain a wildcard match that works for all targets. For example, target:*:/.
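The lookup rules in Table 5–11, the transport/host/port stripping described in the Note, and the default-partner wildcard can be checked against a candidate partner configuration before it is deployed. The following Python model is an added example, not WebLogic Server code; the partner names and endpoint paths are constructed, and the ranking of an exact match above a prefix match is an assumption (the documentation only specifies longest-prefix selection among asterisk matches).

```python
import re
from urllib.parse import urlsplit

# Constructed partner registry: partner name -> its Audience URI entries.
# Entries with the target:char: prefix are partner lookup strings; plain
# entries are ordinary audience restrictions.
PARTNERS = {
    "default-idp": ["target:*:/"],
    "myserver-idp": ["target:*:/myserver"],
    "exact-idp": ["target:-:/myserver/myservicecontext/my-endpoint"],
    "plus-idp": ["target:+:/other/endpoint", "https://sp.example.test/other"],
}

LOOKUP_RE = re.compile(r"^target:([-+*]):(.*)$")


def parse_lookup(entry):
    """Return (char, endpoint-url) for a lookup string, or None for a plain Audience URI."""
    m = LOOKUP_RE.match(entry)
    return (m.group(1), m.group(2)) if m else None


def strip_transport(url):
    """Mimic the Service Provider: drop scheme, host and port, keep only the path."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return parts.path or "/"
    return url  # already a bare path, as the lookup string should be configured


def audience_uris(entries):
    """Audience restrictions the SP will expect in the received assertion.
    Plain entries always count; only the '+' form of lookup string adds its endpoint."""
    out = []
    for e in entries:
        p = parse_lookup(e)
        if p is None:
            out.append(e)
        elif p[0] == "+":
            out.append(p[1])
    return out


def find_partner(partners, endpoint_url):
    """Discover the Identity Provider partner for an endpoint: an exact '-'/'+' match
    wins (assumption), otherwise the '*' entry with the longest initial-string match."""
    path = strip_transport(endpoint_url)
    best, best_len = None, -1
    for name, entries in partners.items():
        for e in entries:
            p = parse_lookup(e)
            if p is None:
                continue
            char, ep = p
            if char in "-+" and ep == path:
                return name
            if char == "*" and path.startswith(ep) and len(ep) > best_len:
                best, best_len = name, len(ep)
    return best
```

Running find_partner over the endpoint URLs of every host in the domain shows which partner each assertion will be validated against, and audience_uris shows where a '+' entry has silently widened the expected audience restriction.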
5.9.5.1.2 Management of Partner Certificates
The SAML 2.0 Identity Assertion provider