SAML APIs 9-5
9.3 Creating Assertions for Non-WebLogic SAML 1.1 Relying Parties
If you use the SAML 1.1 Credential Mapping Provider Version 2 to configure a source site, but configure a third-party SAML Relying Party that is implemented on a
non-WebLogic Server platform, the SAML assertions generated by WebLogic Server might not support all of the attributes required by the configured third-party SAML
Relying Party. In this case the Relying Party might be unable to work with the Asserting Party because certain expected attributes of the assertion are not available.
You can create a custom SAML name mapper that maps Subjects to the specific SAML 1.1 assertion attributes required by your third-party SAML Relying Party by
implementing the SAMLCredentialAttributeMapper interface, which is provided by WebLogic Server. Details about the SAMLCredentialAttributeMapper are
available in the Oracle WebLogic Server API Reference.
The following sections explain how to create a custom SAML name mapper:
■ Section 9.3.1, Overview of Creating a Custom SAML Name Mapper
■ Section 9.3.2, Do You Need Multiple SAMLCredentialAttributeMapper Implementations?
■ Section 9.3.3, Classes, Interfaces, and Methods
■ Section 9.3.4, Example Custom SAMLCredentialAttributeMapper Class
■ Section 9.3.5, Make the Custom SAMLCredentialAttributeMapper Class Available in the Console
9.3.1 Overview of Creating a Custom SAML Name Mapper
To create a custom implementation of the SAMLCredentialAttributeMapper interface, you must do the following:
■ Use the following classes to describe the attribute data for an assertion:
  – SAMLAttributeStatementInfo
  – SAMLAttributeInfo
Table 9–3 (Cont.) SAML V2 Provider Custom POST Form Parameters and Table 9–4 SAML V1 Provider Custom POST Form Parameters (fragment carried over from the preceding tables; only the rows below survive in this extract)
Parameter (Type) Description
targetURL (String) The TARGET URL specified as a query parameter on the incoming ITS request.
consumerURL (String) The URL of the ACS at the destination site where the form should be POSTed.
SAML_AssertionConsumerParams (Map) A Map containing name/value mappings for the assertion consumer parameters configured for the relying party. Names and values are Strings.
SAML_ITSRequestParams (Map) A Map containing name/value mappings for the query parameters received with the ITS request. Names and values are Strings. The Map may be empty. TARGET and RPID parameters are removed from the map before passing it to the form.
9-6 Programming Security for Oracle WebLogic Server
■ Also implement the SAMLCredentialNameMapper interface. The SAMLCredentialAttributeMapper and SAMLCredentialNameMapper interfaces must both be implemented by the same class.
  By also implementing the SAMLCredentialNameMapper interface, you can later use the WebLogic Server Administration Console to set the NameMapperClassName attribute to the class name of this SAMLCredentialAttributeMapper instance.
You configure the custom SAML name mapper in the active security realm, using the User Name Mapper Class Name attribute of the SAML Credential Mapping Provider Version 2.
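The following class, added here as an illustration and not the page's own Section 9.3.4 example, shows the shape the overview describes: one class implementing both SAMLCredentialAttributeMapper and SAMLCredentialNameMapper, building SAMLAttributeInfo and SAMLAttributeStatementInfo objects from the WebLogic user and group principals in the Subject. The class name, the attribute names and the "urn:example:partner:attributes" namespace are assumptions standing in for whatever the third-party Relying Party requires; the interface methods and constructors are those of the weblogic.security.providers.saml package described in the API Reference the page cites, so check them against your WebLogic release.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.security.providers.saml.SAMLAttributeInfo;
import weblogic.security.providers.saml.SAMLAttributeStatementInfo;
import weblogic.security.providers.saml.SAMLCredentialAttributeMapper;
import weblogic.security.providers.saml.SAMLCredentialNameMapper;
import weblogic.security.providers.saml.SAMLNameMapperInfo;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;

// One class implements BOTH interfaces, as the overview requires, so its name
// can be configured as NameMapperClassName on the credential mapping provider.
public class PartnerAttributeMapper
    implements SAMLCredentialAttributeMapper, SAMLCredentialNameMapper {

  // Attribute namespace the partner Relying Party expects (assumed value).
  private static final String ATTR_NS = "urn:example:partner:attributes";
  private String nameQualifier;

  // The provider hands in the Name Qualifier configured in the realm.
  public void setNameQualifier(String nameQualifier) { this.nameQualifier = nameQualifier; }

  // Subject -> NameIdentifier: the WebLogic user name plus the Subject's groups.
  public SAMLNameMapperInfo mapSubject(Subject subject, ContextHandler handler) {
    if (subject == null) return null;            // null result: no assertion is issued
    Set<WLSUser> users = subject.getPrincipals(WLSUser.class);
    if (users.isEmpty()) return null;
    String userName = users.iterator().next().getName();
    Set<WLSGroup> groups = subject.getPrincipals(WLSGroup.class);
    return new SAMLNameMapperInfo(nameQualifier, userName, groups);
  }

  // Subject -> AttributeStatement carrying only the attributes the partner needs.
  public Collection<SAMLAttributeStatementInfo> mapAttributes(Subject subject, ContextHandler handler) {
    ArrayList<SAMLAttributeStatementInfo> stmts = new ArrayList<SAMLAttributeStatementInfo>();
    if (subject == null) return stmts;            // empty: assertion has no AttributeStatement
    ArrayList<SAMLAttributeInfo> attrs = new ArrayList<SAMLAttributeInfo>();
    Set<WLSUser> users = subject.getPrincipals(WLSUser.class);
    if (!users.isEmpty()) {                      // single-valued attribute: login name
      attrs.add(new SAMLAttributeInfo("uid", ATTR_NS, users.iterator().next().getName()));
    }
    ArrayList<String> groupNames = new ArrayList<String>();   // multi-valued: one value per group
    for (WLSGroup g : subject.getPrincipals(WLSGroup.class)) groupNames.add(g.getName());
    if (!groupNames.isEmpty()) attrs.add(new SAMLAttributeInfo("memberOf", ATTR_NS, groupNames));
    if (!attrs.isEmpty()) stmts.add(new SAMLAttributeStatementInfo(attrs));
    return stmts;
  }
}
```

Returning null from mapSubject, or an empty collection from mapAttributes, is the deliberate way to withhold a NameIdentifier or AttributeStatement rather than emit one with missing values.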
9.3.2 Do You Need Multiple SAMLCredentialAttributeMapper Implementations?