Make the Custom SAMLCredentialAttributeMapper Class Available in the Console

9-14 Programming Security for Oracle WebLogic Server

    // Closing portion of the SAML 1.1 credential attribute mapper example:
    // each TokenAttributeStatement is turned into one SAMLAttributeStatementInfo.
    for (int k = 0; k < tas.length; k++) {
        ArrayList al = null;
        String[] values = tas[k].getValues();
        if (values != null) {
            al = new ArrayList();
            for (int i = 0; i < values.length; i++)
                if (values[i] != null) al.add(values[i]);
                else al.add("");   // keep a null value in place as an empty string
        }
        // Carry the attribute name and namespace over to the SAML attribute
        SAMLAttributeInfo ai = new SAMLAttributeInfo(tas[k].getName(), tas[k].getNamespace(), al);
        SAMLAttributeStatementInfo asi = new SAMLAttributeStatementInfo();
        asi.addAttributeInfo(ai);
        statementList.add(asi);
    }
    return statementList;
  }
}

9.3.5 Make the Custom SAMLCredentialAttributeMapper Class Available in the Console

To have the SAML Credential Mapping Provider Version 2 use this SAMLCredentialAttributeMapper instance, you use the WebLogic Server Administration Console to set the existing NameMapperClassName attribute to the class name of this SAMLCredentialAttributeMapper instance. That is, you use the Console control for the name mapper class name attribute to specify the class name of the SAMLCredentialAttributeMapper in the active security realm.

You can configure the user name mapper class name attribute in one of the following ways:

■ Once for the SAML Provider Version 2
■ Individually for one or more Relying Parties
■ Both for the SAML Credential Mapping Provider Version 2, and individually for Relying Parties

To use a custom user name mapper with the WebLogic SAML Credential Mapping Provider Version 2:

1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit.

2. On the Security Realms page, select the name of the realm you are configuring (for example, TestRealm).

3. Expand Providers > Credential Mapping and select the name of the SAML Credential Mapping Provider Version 2.

4. Select the Provider Specific tab.

5. In the Default Name Mapper Class Name field, enter the class name of your SAMLCredentialAttributeMapper implementation. The class name must be in the system classpath.

6. Click Save.

7. To activate these changes, in the Change Center, click Activate Changes.
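The same change can be scripted with WLST instead of clicked through in the Console. The script below is an added example, not part of this document; the admin URL, the userconfig/key file paths, the domain name, the provider name and the mapper class name are assumed placeholders, and TestRealm is the realm used in the procedure above.

```jython
# Added example (not from the Oracle documentation): set NameMapperClassName on the
# SAML Credential Mapping Provider Version 2 via WLST, mirroring steps 1-7 above.
adminUrl     = 't3://adminhost:7001'              # assumption: Administration Server URL
domainName   = 'mydomain'                         # assumption: domain name
realmName    = 'TestRealm'                        # realm from the procedure above
providerName = 'SAML2CredentialMapper'            # assumption: name of the V2 provider
mapperClass  = 'com.example.MyAttributeMapper'    # assumption: your SAMLCredentialAttributeMapper
                                                  # (must be on the server's system classpath)

# Encrypted credential files avoid putting a password in the script or shell history
connect(userConfigFile='/secure/wls.userconfig',  # assumption: path
        userKeyFile='/secure/wls.key',            # assumption: path
        url=adminUrl)
edit()
startEdit()          # step 1: Lock & Edit
try:
    # Security providers live under the realm in the edit tree
    cd('/SecurityConfiguration/%s/Realms/%s/CredentialMappers/%s'
       % (domainName, realmName, providerName))
    # step 5: the "Default Name Mapper Class Name" field is the NameMapperClassName attribute
    set('NameMapperClassName', mapperClass)
    save()           # step 6: Save
    activate()       # step 7: Activate Changes
    print('NameMapperClassName is now ' + str(get('NameMapperClassName')))
except:
    cancelEdit('y')  # discard the pending edit session on any failure
    raise
disconnect()
```

A Relying Party with its own name mapper class still overrides this default, so check each Relying Party's setting when the provider-wide value does not appear to take effect.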

When you configure a SAML Relying Party, you can optionally set a name mapper class specific to that Relying Party, which will override the default value you set here for the default name mapper class name. For details about how to set a name mapper class name in the Administration Console, see Configure a custom user name mapper in the Oracle WebLogic Server Administration Console Help.

9.4 Configuring SAML SSO Attribute Support

This section describes SAML SSO attributes and how to use them with SAML 2.0 and SAML 1.1. The following topics are described:

■ Section 9.4.1, What Are SAML SSO Attributes?
■ Section 9.4.2, New API’s for SAML Attributes
■ Section 9.4.3, SAML 2.0 Basic Attribute Profile Required
■ Section 9.4.4, Passing Multiple Attributes to SAML Credential Mappers
■ Section 9.4.5, How to Implement SAML Attributes
■ Section 9.4.6, Examples of the SAML 2.0 Attribute Interfaces
■ Section 9.4.7, Examples of the SAML 1.1 Attribute Interfaces
■ Section 9.4.8, Make the Custom SAML Credential Attribute Mapper Class Available in the Console
■ Section 9.4.9, Make the Custom SAML Identity Asserter Class Available in the Console

9.4.1 What Are SAML SSO Attributes?

A SAML assertion is a piece of data produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization data applying to the subject with respect to a specified resource. The SAML specification (see http://www.oasis-open.org) allows additional, unspecified information about a particular subject to be exchanged between SAML partners as attribute statements in an assertion. A SAML attribute assertion is therefore a particular type of SAML assertion that conveys site-determined information about attributes of a Subject.

In previous versions of WebLogic Server, the SAML 1.1 Credential Mapping provider supported attribute information, stored in the Subject, that specified the groups to which the identity contained in the assertion belonged. In this release, WebLogic Server enhances the SAML 1.1 and 2.0 Credential Mapping provider and Identity Assertion provider mechanisms to support the use of a custom attribute mapper that can obtain additional attributes other than group information to be written into SAML assertions, and to then map attributes from incoming SAML assertions. To do this: