WebLogic Security Service Architecture 5-25

5.5.15 SAML 2.0 Credential Mapping Provider

The SAML 2.0 Credential Mapping provider generates SAML 2.0 assertions for authenticated subjects based on the configuration of Identity Provider services and the set of Service Provider partners. Assertions contain an authentication statement and, optionally, an attribute statement containing WebLogic Server group information. If the requested target has not been configured and no defaults are set, an assertion is not generated. User information and, if so configured, group membership are placed in the AttributeStatement. The Administration Console Federation Services configuration pages for SAML 2.0 include settings that configure and enable SAML 2.0 source site and destination site services, such as Single Sign-On and the Artifact Resolution Service, to run in the server. The provider supports the following SAML Subject confirmation methods:

■ bearer
■ sender-vouches
■ holder-of-key

5.5.16 PKI Credential Mapping Provider

The PKI (Public Key Infrastructure) Credential Mapping provider maps a WebLogic Server subject (the initiator) and target resource, plus an optional credential action, to a public/private key pair or public certificate that the application should use when accessing the targeted resource. This provider can also map an alias to a public/private key pair or public certificate. The PKI Credential Mapping provider uses the subject and resource name, or the alias, to retrieve the corresponding credential from the keystore.

5.5.17 WebLogic CertPath Provider

The WebLogic CertPath provider is both a CertPath Builder and a CertPath Validator. The provider completes certificate paths and validates the certificates using the trusted CAs configured for a particular server instance. If a certificate chain cannot be completed, it is invalid. The WebLogic CertPath provider also checks the signatures in the chain, ensures that the chain has not expired, and checks that one of the certificates in the chain is issued by one of the trusted CAs configured for the server. If any of these checks fails, the chain is not valid. Finally, the provider checks each certificate's basic constraints (that is, whether the certificate is permitted to issue other certificates) to ensure that the certificate is in the proper place in the chain. The WebLogic CertPath provider can be used as a CertPath Builder or a CertPath Validator in a security realm.
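The checks listed above (path completion, signatures, expiry, trust anchor, basic constraints), carried out on a constructed three-level chain with Go's standard x509 verifier rather than WebLogic's provider; this is an added example, not code from the documentation, and the CA names, hostnames and keys are constructed for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn that expires in ttlHours (negative = already expired),
// signed by parent, or self-signed when parent is nil. Demo helper with constructed names.
func mkCert(cn string, isCA bool, ttlHours int, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-48 * time.Hour),
		NotAfter:     now.Add(time.Duration(ttlHours) * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, // what the basic-constraints check reads
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validate completes a path from leaf to the trusted root, then checks every signature,
// validity period and basic constraint; returns the chain length or the invalidating error.
func validate(leaf, root *x509.Certificate, inters ...*x509.Certificate) (int, error) {
	roots, mid := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		mid.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mid})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}
```

With the intermediate supplied, validate returns a chain of 3 (leaf, issuing CA, root); omitting the intermediate, presenting an expired leaf, or presenting a certificate issued by a non-CA leaf each yields an error, matching the four failure conditions the text describes.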

5.5.18 Certificate Registry