
SAML APIs 9-5

Table 9–3 (Cont.) SAML V2 Provider Custom POST Form Parameters

Parameter                      Type    Description
SAML_AssertionConsumerParams   Map     A Map containing name/value mappings for the assertion consumer parameters configured for the relying party. Names and values are Strings.
SAML_ITSRequestParams          Map     A Map containing name/value mappings for the query parameters received with the ITS request. Names and values are Strings. The Map may be empty. TARGET and Rich Presence Information Data Format (RPID) parameters are removed from the map before it is passed to the form.

Table 9–4 SAML V1 Provider Custom POST Form Parameters

Parameter     Type     Description
targetURL     String   The TARGET URL specified as a query parameter on the incoming ITS request.
consumerURL   String   The URL of the ACS (Assertion Consumer Service) at the destination site where the form should be POSTed.

9.3 Creating Assertions for Non-WebLogic SAML 1.1 Relying Parties

If you use the SAML 1.1 Credential Mapping Provider Version 2 to configure a source site, but the SAML Relying Party is a third-party implementation running on a non-WebLogic Server platform, the SAML assertions that WebLogic Server generates might not carry all of the attributes that Relying Party requires. In that case the Relying Party cannot work with the Asserting Party, because attributes it expects are missing from the assertion. You can create a custom SAML name mapper that maps Subjects to the specific SAML 1.1 assertion attributes your third-party Relying Party requires by implementing the SAMLCredentialAttributeMapper interface, which WebLogic Server provides. Details about SAMLCredentialAttributeMapper are available in the Oracle WebLogic Server API Reference.

The following sections explain how to create a custom SAML name mapper:

■ Section 9.3.1, Overview of Creating a Custom SAML Name Mapper
■ Section 9.3.2, Do You Need Multiple SAMLCredentialAttributeMapper Implementations?
■ Section 9.3.3, Classes, Interfaces, and Methods
■ Section 9.3.4, Example Custom SAMLCredentialAttributeMapper Class
■ Section 9.3.5, Make the Custom SAMLCredentialAttributeMapper Class Available in the Console

9.3.1 Overview of Creating a Custom SAML Name Mapper

To create a custom implementation of the SAMLCredentialAttributeMapper interface, you must do the following:

■ Use the following classes to describe the attribute data for an assertion:
  – SAMLAttributeStatementInfo
  – SAMLAttributeInfo
■ Also implement the SAMLCredentialNameMapper interface. The SAMLCredentialAttributeMapper and SAMLCredentialNameMapper interfaces must both be implemented by the same class. Because the class also implements SAMLCredentialNameMapper, you can later use the WebLogic Server Administration Console to set the NameMapperClassName attribute to the class name of this SAMLCredentialAttributeMapper implementation.

You configure the custom SAML name mapper in the active security realm, using the User Name Mapper Class Name attribute of the SAML Credential Mapping Provider Version 2.

9.3.2 Do You Need Multiple SAMLCredentialAttributeMapper Implementations?
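The class that Section 9.3.1 describes, a single implementation of both SAMLCredentialAttributeMapper and SAMLCredentialNameMapper, as an added example. This is not the sample class of Section 9.3.4 of the Oracle documentation. The WebLogic method and constructor signatures it uses (mapAttributes, mapSubject, mapName, setNameQualifier, and the SAMLAttributeInfo, SAMLAttributeStatementInfo and SAMLNameMapperInfo constructors), and the meaning of a null return from the mapping methods, are recalled from the weblogic.security.providers.saml API rather than taken from this page, so check them against the Oracle WebLogic Server API Reference for your release before compiling. The package name, class name, attribute names and attribute namespace are invented for the example and stand in for whatever the third-party Relying Party actually requires.

```java
// Added example: one class implementing both SAMLCredentialAttributeMapper and
// SAMLCredentialNameMapper, so the Console's NameMapperClassName can point at it.
// ASSUMPTIONS: the WebLogic signatures and constructors below are recalled from the
// weblogic.security.providers.saml API, not taken from this page; verify them against
// the API Reference. Package, class, attribute names and namespace are hypothetical.
package com.example.saml;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.security.auth.Subject;
import weblogic.security.providers.saml.SAMLAttributeInfo;
import weblogic.security.providers.saml.SAMLAttributeStatementInfo;
import weblogic.security.providers.saml.SAMLCredentialAttributeMapper;
import weblogic.security.providers.saml.SAMLCredentialNameMapper;
import weblogic.security.providers.saml.SAMLNameMapperInfo;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;

public class ExampleRpAttributeMapper
        implements SAMLCredentialAttributeMapper, SAMLCredentialNameMapper {

    // Hypothetical attribute namespace and names the third-party Relying Party expects.
    private static final String ATTR_NAMESPACE = "urn:example:rp:attributes";
    private static final String ATTR_USER_ID   = "uid";
    private static final String ATTR_GROUPS    = "memberOf";

    private String nameQualifier;

    // SAMLCredentialNameMapper: the provider hands its configured NameQualifier to the mapper.
    public void setNameQualifier(String nameQualifier) {
        this.nameQualifier = nameQualifier;
    }

    // SAMLCredentialNameMapper: the assertion's subject name is taken from the WLSUser
    // principal that WebLogic already authenticated. Returning null (assumed to mean
    // "mapping failed") is safer than asserting an empty or guessed name.
    public SAMLNameMapperInfo mapSubject(Subject subject, ContextHandler handler) {
        String user = userName(subject);
        if (user == null) {
            return null;
        }
        return new SAMLNameMapperInfo(nameQualifier, user, groupNames(subject));
    }

    // SAMLCredentialNameMapper: used when only a name, not a Subject, is available.
    public SAMLNameMapperInfo mapName(String name, ContextHandler handler) {
        if (name == null || name.length() == 0) {
            return null;
        }
        return new SAMLNameMapperInfo(nameQualifier, name, null);
    }

    // SAMLCredentialAttributeMapper: describe the attribute data with SAMLAttributeInfo
    // objects grouped into one SAMLAttributeStatementInfo. Only data from the authenticated
    // Subject's principals is emitted; nothing from the request is copied into the assertion.
    public Collection mapAttributes(Subject subject, ContextHandler handler) {
        String user = userName(subject);
        if (user == null) {
            return null;   // no attribute statement without an authenticated user
        }
        List<SAMLAttributeInfo> attrs = new ArrayList<SAMLAttributeInfo>();
        attrs.add(new SAMLAttributeInfo(ATTR_USER_ID, ATTR_NAMESPACE, user));
        Collection<String> groups = groupNames(subject);
        if (!groups.isEmpty()) {
            attrs.add(new SAMLAttributeInfo(ATTR_GROUPS, ATTR_NAMESPACE, groups));
        }
        List<SAMLAttributeStatementInfo> statements = new ArrayList<SAMLAttributeStatementInfo>();
        statements.add(new SAMLAttributeStatementInfo(attrs));
        return statements;
    }

    // Name of the first WLSUser principal in the Subject, or null if there is none.
    private static String userName(Subject subject) {
        if (subject == null) {
            return null;
        }
        for (WLSUser u : subject.getPrincipals(WLSUser.class)) {
            return u.getName();
        }
        return null;
    }

    // Names of all WLSGroup principals in the Subject (possibly empty).
    private static Collection<String> groupNames(Subject subject) {
        List<String> names = new ArrayList<String>();
        if (subject != null) {
            for (WLSGroup g : subject.getPrincipals(WLSGroup.class)) {
                names.add(g.getName());
            }
        }
        return names;
    }
}
```

Compile the class against weblogic.jar, make it available to the server as Section 9.3.5 describes, and set the User Name Mapper Class Name attribute of the SAML Credential Mapping Provider Version 2 to com.example.saml.ExampleRpAttributeMapper (the hypothetical name used above). The design point worth keeping when you adapt the attribute names: the mapper derives every asserted value from principals of the Subject that WebLogic has already authenticated and refuses to map when no WLSUser principal is present, so nothing a client sends can influence the subject name or attributes the Asserting Party signs.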