7-16 Securing Oracle WebLogic Server
■ Whether assertions received from Identity Provider partners are signed
7.3.4.4.3 Specify How Authentication Requests Are Managed
Optionally, you may enable the following attributes of the authentication request cache:
■ Maximum cache size
■ Time-out value for authentication requests, which establishes the time interval after which stored authentication requests expire
7.3.4.4.4 Enable Binding Types
Oracle recommends enabling all the available binding types for the endpoints of the Service Provider services, namely POST and Artifact. Optionally, you may specify a preferred binding type.
7.3.4.4.5 Set Default URL
Optionally, you may specify the URL to which unsolicited authentication responses are sent if they do not contain an accompanying target URL.
7.3.4.5 Create and Configure Web Single Sign-On Identity Provider Partners
A SAML 2.0 Identity Provider partner is an entity that generates SAML 2.0 assertions consumed by the Service Provider site. The configuration of Identity Provider partners
is available from the Administration Console, using the Security Realms > RealmName > Providers > Authentication > SAML2IdentityAsserterName > Management page.
The attributes that can be set on this console page can also be accessed programmatically via a set of Java interfaces, which are identified in the sections that
follow.
See Create a SAML 2.0 Web Single Sign-on Identity Provider partner in the Oracle WebLogic Server Administration Console Help for complete details about the specific
steps for configuring a Service Provider partner.
For a summary of the site information, signing certificates, and service endpoint information available when you configure a web single sign-on partner, see
Section 7.3.5, Viewing Partner Site, Certificate, and Service Endpoint Information. The following sections summarize tasks for configuring an Identity Provider partner.
7.3.4.5.1 Obtain Your Identity Provider Partner's Metadata File
Before you configure an Identity Provider partner for web single sign-on, you need to obtain the partner's SAML 2.0 metadata file via a trusted and secure mechanism, such as encrypted email
or an SSL-enabled FTP site. Your partner's metadata file describes that partner site and its binding support, includes the partner's certificates and keys, and so on. Copy the
partner's metadata file into a location that can be accessed by each node in your domain configured for SAML 2.0.
The SAML 2.0 metadata file is described in Section 7.3.2.2, Publishing and
Distributing the Metadata File.
7.3.4.5.2 Create Partner and Enable Interactions
To create an Identity Provider partner and enable interactions for web single sign-on:
■ From the Management tab of the SAML 2.0 Identity Assertion configuration page, specify the partner's name and metadata file.
■ From the General tab of the partner configuration page, enable interactions between the partner and the WebLogic Server instance.
WebLogic Server provides the com.bea.security.saml2.providers.registry.Partner Java interface for
configuring these attributes.
Configuring Single Sign-On with Web Browsers and HTTP Clients 7-17
7.3.4.5.3 Configure Authentication Requests and Assertions
Optionally, you can configure the following attributes of the authentication requests generated for, and assertions received from, this Identity Provider partner:
■ The Identity Provider Name Mapper Class name. This is the custom Java class that overrides the default username mapper class
with which the SAML 2.0 Identity Assertion provider is configured in this security realm. The custom class you specify is used only for identities contained in
assertions received from this particular partner.
Operations on this attribute are available in the com.bea.security.saml2.providers.registry.IdPPartner Java interface.
■ Whether the identities contained in assertions received from this partner are mapped to virtual users in the security realm
Operations on this attribute are available in the com.bea.security.saml2.providers.registry.IdPPartner Java interface.
■ Whether to consume attribute information contained in assertions received from this partner
If enabled, the SAML 2.0 Identity Assertion provider extracts attribute information from the assertion, which it uses in conjunction with the SAML Authentication
provider (which must be configured in the security realm) to determine the groups in the security realm to which the corresponding user belongs.
Operations on this attribute are available in the com.bea.security.saml2.providers.registry.IdPPartner Java interface.
■ Whether authentication requests sent to this Identity Provider partner must be signed. This is a read-only attribute that is derived from the partner's metadata
file.
Operations on this attribute are available in the com.bea.security.saml2.providers.registry.WebSSOIdPPartner Java interface.
■ Whether SAML artifact requests received from this Identity Provider partner must be signed.
Operations on this attribute are available in the com.bea.security.saml2.providers.registry.WebSSOIdPPartner Java interface.
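The read-only "requests must be signed" attribute above, and the binding and certificate information of Section 7.3.4.5.1, all come from the partner's metadata file. The following Python is an added example, not WebLogic code: it parses a constructed IdP metadata document (hypothetical partner idp.example.com, placeholder certificate) and runs the checks an administrator would want before copying the file into the domain, namely that the POST and Artifact bindings are advertised, that a signing certificate is present, and that the endpoints are HTTPS.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "Artifact"}

# Constructed sample metadata for a hypothetical partner; the certificate body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml2">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example.com/saml2/sso/artifact"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the entityID, the WantAuthnRequestsSigned flag (source of the read-only
    'requests must be signed' attribute), SSO endpoints by binding, and cert presence."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")
    endpoints = {BINDINGS.get(s.get("Binding"), s.get("Binding")): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"
               and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    return {"entity_id": root.get("entityID"), "sso_endpoints": endpoints,
            "has_signing_cert": bool(signing), "want_authn_requests_signed":
            idp.get("WantAuthnRequestsSigned", "false").lower() in ("true", "1")}

def check_partner_metadata(xml_text):
    """Pre-import checks: POST and Artifact advertised, signing cert present, endpoints HTTPS."""
    info = parse_idp_metadata(xml_text)
    problems = ["missing %s SSO endpoint" % b
                for b in ("POST", "Artifact") if b not in info["sso_endpoints"]]
    if not info["has_signing_cert"]:
        problems.append("no signing certificate in metadata")
    problems += ["non-HTTPS endpoint: %s" % loc
                 for loc in info["sso_endpoints"].values() if not loc.startswith("https://")]
    return info, problems
```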
7.3.4.5.4 Configure Redirect URIs
You can configure a set of URIs that, if invoked by an