Configuring Single Sign-On with Web Browsers and HTTP Clients 7-7
For WebLogic Server browser SSO configurations that communicate with another WebLogic Server instance, you must set the ID of the SAML Relying Party (RPID) in the Asserting Party ITS parameters.
This parameter is required with the V2 providers in order for the browser profile configurations to work. That is, the ITS looks for the RPID as a form parameter of the incoming request, and uses it to look up the partner configuration before performing any other processing.
The RPID parameter also removes the need to specify a Target URL parameter; this applies to WebLogic Server-to-WebLogic Server browser SSO configurations only. The Target URL is used for Web service configurations.
7.2.4 Configuring Relying and Asserting Parties with WLST
SAML partners (Relying Parties and Asserting Parties) are maintained in a registry. You can configure SAML partners using the WebLogic Administration Console or the WebLogic Scripting Tool (WLST). The following example shows how you might configure two Relying Parties using WLST in online mode.
Note that the example sets the ID of the SAML Asserting Party (APID) in the relying party Assertion Consumer Service (ACS) parameters. For WebLogic Server browser SSO configurations that communicate with another WebLogic Server instance, you must set the APID in the relying party ACS parameters. You would also set the ID of the SAML Relying Party (RPID) in the asserting party ITS parameters.
The APID is required for WebLogic Server-to-WebLogic Server browser SSO configurations only. This parameter is required with the V2 providers in order for the browser profile configurations to work.
Example 7–1 Creating Relying Parties with WLST
connect('weblogic','weblogic','t3://localhost:7001')
rlm=cmo.getSecurityConfiguration().getDefaultRealm()
cm=rlm.lookupCredentialMapper('samlv2cm')
rp=cm.newRelyingParty()
rp.setDescription('test post profile')
rp.setProfile('Browser/POST')
rp.setAssertionConsumerURL('http://domain.example.com:7001/saml_destination/acs')
rp.setAssertionConsumerParams(array(['APID=ap_00001'],String))
rp.setSignedAssertions(true)
rp.setEnabled(true)
cm.addRelyingParty(rp)
rp=cm.newRelyingParty()
rp.setDescription('test artifact profile')
rp.setProfile('Browser/Artifact')
rp.setAssertionConsumerURL('http://domain.example.com:7001/saml_destination/acs')
rp.setAssertionConsumerParams(array(['APID=ap_00002'],String))
rp.setARSUsername('foo')
rp.setARSPassword('bar')
rp.setSSLClientCertAlias('demoidentity')
rp.setEnabled(true)
cm.addRelyingParty(rp)
disconnect()
exit()
7-8 Securing Oracle WebLogic Server
The following example shows how you might edit an existing Asserting Party. The example gets the Asserting Party, using its Asserting Party ID, and sets the Assertion Retrieval URL.
Example 7–2 Editing an Asserting Party with WLST
connect('weblogic','weblogic','t3://localhost:7001')
rlm=cmo.getSecurityConfiguration().getDefaultRealm()
ia=rlm.lookupAuthenticationProvider('samlv2ia')
ap=ia.getAssertingParty('ap_00002')
ap.setAssertionRetrievalURL('https://hostname:7002/samlars/ars')
ia.updateAssertingParty(ap)
disconnect()
exit()
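As an added illustration (not part of the Oracle documentation or of WLST itself), the following Python/Jython script audits SAML partner entries against the APID, RPID and Target URL rules stated above. The audit functions are plain Python; only the guarded block at the end assumes it is running under WLST, and the MBean getter names getProfile() and getIntersiteTransferParams(), the web service profile name and the sample partner entries are assumptions or constructed values.

```python
# Added example, not Oracle's code: audit SAML 1.1 partner entries for the
# APID (relying party ACS parameters) and RPID (asserting party ITS
# parameters) that WebLogic-to-WebLogic browser profiles require, and the
# Target URL that web service profiles use instead.

def parse_params(params):
    """Turn a parameter array such as ['APID=ap_00001'] into a dict."""
    result = {}
    for item in params or []:
        key, sep, value = item.partition('=')
        if sep:  # entries without '=' are ignored rather than raising
            result[key.strip()] = value.strip()
    return result

def audit_partner(kind, profile, params, target_url=None):
    """Return a list of problems for one partner; [] means it passes.
    kind is 'relying' (params = ACS parameters) or 'asserting' (params = ITS)."""
    problems = []
    values = parse_params(params)
    if profile.startswith('Browser/'):
        needed = 'APID' if kind == 'relying' else 'RPID'
        if not values.get(needed):  # missing key or empty value
            problems.append('%s %s partner is missing %s' % (kind, profile, needed))
    elif not target_url:  # web service profiles: Target URL instead of APID/RPID
        problems.append('%s %s partner has no Target URL' % (kind, profile))
    return problems

# Constructed sample registry modelled on Example 7-1 (profile names assumed).
SAMPLE_PARTNERS = [
    ('relying', 'Browser/POST', ['APID=ap_00001'], None),
    ('relying', 'Browser/Artifact', ['APID='], None),
    ('asserting', 'Browser/POST', ['RPID=rp_00001'], None),
    ('relying', 'WSS/Sender-Vouches', [], None),
]

if __name__ == '__main__':
    try:
        # Runs only under WLST (assumed to mirror Example 7-2): connect and cmo
        # are WLST builtins; the two getter names below are assumptions.
        connect('weblogic', 'weblogic', 't3://localhost:7001')
        rlm = cmo.getSecurityConfiguration().getDefaultRealm()
        ap = rlm.lookupAuthenticationProvider('samlv2ia').getAssertingParty('ap_00002')
        print(audit_partner('asserting', ap.getProfile(), ap.getIntersiteTransferParams()))
        disconnect()
    except NameError:  # plain Python, no WLST builtins: audit the sample instead
        for entry in SAMPLE_PARTNERS:
            print(audit_partner(*entry))
```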
7.3 Configuring SAML 2.0 Services
This topic includes the following sections:
■ Section 7.3.1, Configuring SAML 2.0 Services: Main Steps
■ Section 7.3.2, Configuring SAML 2.0 General Services
■ Section 7.3.3, Configuring an Identity Provider Site for SAML 2.0 Single Sign-On
■ Section 7.3.4, Configuring a Service Provider Site for SAML 2.0 Single Sign-On
■ Section 7.3.5, Viewing Partner Site, Certificate, and Service Endpoint Information
■ Section 7.3.6, Web Application Deployment Considerations for SAML 2.0
7.3.1 Configuring SAML 2.0 Services: Main Steps
A summary of the main steps you take to configure SAML 2.0 services is as follows:
1. Determine whether you plan to have SAML 2.0 services running in more than one WebLogic Server instance in the domain. If so, do the following:
   a. Create a domain in which the RDBMS security store is configured. The RDBMS security store is required by the SAML 2.0 security providers so that the data they manage can be synchronized across all the WebLogic Server instances that share that data.
   Note that Oracle does not recommend upgrading an existing domain in place to use the RDBMS security store. If you want to use the RDBMS security store, you should configure it at the time of domain creation. If you have an existing domain with which you want to use the RDBMS security store, create the new domain and migrate your existing security realm to it.
   For information, see Chapter 10, Managing the RDBMS Security Store.
   b. Ensure that all SAML 2.0 services are configured identically in each WebLogic Server instance. If you are configuring SAML 2.0 services in a cluster, each Managed Server in that cluster must be configured individually.
   c. Note the considerations described in Section 7.3.6, Web Application Deployment Considerations for SAML 2.0.
2. If you are configuring a SAML 2.0 Identity Provider site: