
Understanding Security for Oracle WebLogic Server

subject key identifier from the SSL protocol, a WebLogic Web service, or application code.
2. The CLV framework ensures that the certificate chain is ordered and that each certificate in the chain is signed by the one that follows it.
3. If the certificate chain is valid, the CLV framework calls any CertPath Validators configured in the security realm, in the order in which they were configured. The certificate chain is valid only if all the configured CertPath Validators successfully validate it. Validation stops at the first error.
4. The CLV framework returns the certificate chain to the requesting party.
5. Processing continues.

5.2 Single Sign-On with the WebLogic Security Framework

The SAML and Windows Integrated Login features provide web-based single sign-on (SSO) functionality for WebLogic Server applications. The following sections describe the interactions among the WebLogic containers, the security providers, and the WebLogic Security Framework during the single sign-on process:
■ Section 5.2.1, Single Sign-On with SAML 1.1
■ Section 5.2.2, Single Sign-On with SAML 2.0
■ Section 5.2.3, Desktop SSO Process

5.2.1 Single Sign-On with SAML 1.1

The following sections describe how a WebLogic Server instance behaves when configured with SAML 1.1 services:
■ Section 5.2.1.1, WebLogic Server Acting as a SAML 1.1 Source Site
■ Section 5.2.1.2, WebLogic Server Acting as a SAML 1.1 Destination Site

5.2.1.1 WebLogic Server Acting as a SAML 1.1 Source Site

Acting as a SAML source involves the following:
■ Generating valid SAML assertions that assert that a source domain has authenticated a user and that provide the name by which the user is known at the SAML source site. Optionally, the names of the local source-site groups of which the user is a member are also provided.
■ Providing a SAML Inter-site Transfer Service (ITS) and a SAML Assertion Retrieval Service (ARS). WebLogic Server can act as both a SAML ITS and an ARS. These services are provided by a servlet that is deployed based on the configuration settings on the Server > Configuration > Federation Services pages in the Administration Console. The SAML ITS requires separate URLs for the POST and Artifact profiles for V1 SAML providers; separate URLs are not required for the POST and Artifact profiles with V2 SAML providers.
The following sections detail how WebLogic Server is used as a SAML source in the POST and Artifact profiles.

5.2.1.1.1 POST Profile The POST profile works as follows:

1. The user accesses the web site for the SAML source site, for example http://www.weblogic.com/samlits/its.
2. The SAML ITS servlet calls the SAML Credential Mapper to request a bearer assertion.
3. The SAML Credential Mapping provider returns the assertion. The SAML Credential Mapping provider also returns the URL of the SAML destination site and the path to the appropriate POST form.
4. The SAML ITS servlet generates a SAML response containing the generated assertion, signs it, base64-encodes it, and embeds it in the HTML form (default or custom).
5. The SAML ITS servlet returns the form to the user's browser.
6. The user's browser POSTs the form to the destination site's Assertion Consumer Service (ACS).
7. The assertion is validated and, if validation succeeds, the user is logged in and redirected to the target.
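The POST profile exchange above, as an added example that is not part of the original page or of WebLogic's own code: the ITS side obtains a bearer assertion from a stand-in credential mapper, signs and base64-encodes the response and embeds it in the POST form; the ACS side decodes it, verifies the signature, checks recipient, confirmation method and validity window, and refuses to accept the same assertion twice. The XML-DSig signature is replaced by an HMAC-SHA256 over a canonical JSON rendering, and the key, URLs, lifetime and form-field names are assumptions made for the example.

```python
"""SAML 1.1 Browser/POST profile, source-site ITS and destination-site ACS in one
process. Constructed example: the XML-DSig signature over the SAML response is
stood in for by an HMAC-SHA256 over canonical JSON (assumption, not WebLogic's
implementation); URLs, key and lifetime are likewise assumed values."""
import base64
import hashlib
import hmac
import html
import json
import secrets
import time

SIGNING_KEY = b"demo-source-site-signing-key"          # assumed shared key
ACS_URL = "https://dest.example.com/samlacs/acs"       # assumed destination ACS
ASSERTION_LIFETIME = 120                               # seconds; assumed value
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"


def credential_mapper(user, groups, now):
    """Stand-in for the SAML Credential Mapping provider: returns a bearer
    assertion plus the destination ACS URL the ITS servlet must post to."""
    assertion = {
        "AssertionID": secrets.token_hex(20),
        "Issuer": "www.weblogic.com",
        "NameIdentifier": user,
        "ConfirmationMethod": BEARER,
        "Groups": sorted(groups),          # optional local source-site groups
        "NotBefore": now,
        "NotOnOrAfter": now + ASSERTION_LIFETIME,
        "Audience": ACS_URL,
    }
    return assertion, ACS_URL


def canonical(obj):
    """Deterministic byte rendering so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def its_build_post(user, groups, target, now=None):
    """ITS servlet: obtain the assertion, sign the response, base64-encode it and
    embed it in the HTML POST form. Returns (form fields, rendered HTML)."""
    now = int(time.time()) if now is None else now
    assertion, acs_url = credential_mapper(user, groups, now)
    response = {"Recipient": acs_url, "Assertion": assertion}
    response["Signature"] = hmac.new(SIGNING_KEY, canonical(response),
                                     hashlib.sha256).hexdigest()
    fields = {"SAMLResponse": base64.b64encode(canonical(response)).decode(),
              "TARGET": target}
    form = ('<form method="POST" action="%s">' % html.escape(acs_url)
            + "".join('<input type="hidden" name="%s" value="%s">'
                      % (k, html.escape(v)) for k, v in fields.items())
            + "</form>")
    return fields, form


class AssertionConsumerService:
    """Destination-site ACS: validates the posted response and logs the user in."""

    def __init__(self, acs_url, key):
        self.acs_url = acs_url
        self.key = key
        self.consumed = set()   # bearer assertions are single-use (replay guard)

    def consume(self, fields, now=None):
        """Return (ok, detail): the session on success, the reason on failure."""
        now = int(time.time()) if now is None else now
        try:
            response = json.loads(base64.b64decode(fields["SAMLResponse"], validate=True))
        except (KeyError, ValueError):
            return False, "malformed SAMLResponse"
        if not isinstance(response, dict) or not isinstance(response.get("Assertion"), dict):
            return False, "malformed SAMLResponse"
        provided = response.pop("Signature", "")
        expected = hmac.new(self.key, canonical(response), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(provided, expected):
            return False, "bad signature"
        a = response["Assertion"]
        if response.get("Recipient") != self.acs_url or a.get("Audience") != self.acs_url:
            return False, "response not addressed to this ACS"
        if a.get("ConfirmationMethod") != BEARER:
            return False, "not a bearer assertion"
        if not (a["NotBefore"] <= now < a["NotOnOrAfter"]):
            return False, "assertion outside validity window"
        if a["AssertionID"] in self.consumed:
            return False, "assertion replayed"
        self.consumed.add(a["AssertionID"])
        return True, {"user": a["NameIdentifier"], "groups": a["Groups"],
                      "redirect": fields.get("TARGET", "/")}


if __name__ == "__main__":
    fields, form = its_build_post("alice", ["sales"], "/app/home")
    print(form)
    print(AssertionConsumerService(ACS_URL, SIGNING_KEY).consume(fields))
```

The checks in `consume` are the ones that matter in practice: the signature is verified before any field is trusted, the response must name this ACS as recipient and audience (so a response posted to a different destination cannot be replayed here), the validity window is enforced against the ACS's own clock, and each assertion ID is accepted once.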

5.2.1.1.2 Artifact Profile The Artifact profile works as follows:

1. The user accesses the web site (www.weblogic.com) for the SAML source site.
2. The SAML Inter-site Transfer Service (ITS) servlet calls the SAML Credential Mapper to request an assertion, passing in the desired assertion type (artifact).
3. The SAML Credential Mapping provider returns the assertion. The SAML Credential Mapping provider also returns the destination Assertion Consumer Service (ACS) URL and the assertion ID.
4. The SAML ITS servlet generates an artifact based on the assertion ID and the local source site's source ID. The source ID is calculated from the Source Site URL configured on the Federation Services Source Site page.
5. The SAML ITS servlet redirects the user to the Assertion Consumer Service (ACS) of the SAML destination site, passing the artifact as a query parameter.
6. The ACS gets the artifact from the query parameter and decodes it to obtain the source ID. It then uses the source ID to look up the URL of the Assertion Retrieval Service (ARS) of the SAML source site. The ACS then sends a request to the ARS of the SAML source site, requesting the assertion that corresponds to the artifact.
7. The SAML Assertion Retrieval Service (ARS) responds to the incoming assertion request, using the artifact to locate the corresponding assertion in its assertion store and, if found, returning the assertion to the SAML destination site.
8. The assertion is validated and, if validation succeeds, the user is logged in and redirected to the target.

5.2.1.2 Weblogic Server Acting as SAML 1.1 Destination Site