
            return null;
        }
        // One CustomPrincipal per SAML attribute; returning Principal objects
        // places them in the subject's principal set.
        Collection<Principal> pals = new ArrayList<Principal>();
        for (SAML2AttributeStatementInfo stmtInfo : attrStmtInfos) {
            Collection<SAML2AttributeInfo> attrs = stmtInfo.getAttributeInfo();
            if (attrs == null || attrs.size() == 0) {
                System.out.println("CustomIAAttributeMapperImpl: no attribute in statement: " + stmtInfo.toString());
            } else {
                for (SAML2AttributeInfo attr : attrs) {
                    CustomPrincipal pal = new CustomPrincipal(attr.getAttributeName(), attr.getAttributeNameFormat(), attr.getAttributeValues());
                    pals.add(pal);
                }
            }
        }
        return pals;
    }

The SAML 2.0 Identity Assertion provider makes the attributes from a SAML assertion available to consumers via the subject. Use the WebLogic Server Administration Console to set the User Name Mapper class name to the fully-qualified class name of this mapper implementation, as described in Section 9.4.9, Make the Custom SAML Identity Asserter Class Available in the Console. If you allow virtual users to log in via SAML, you must also create and configure an instance of the SAML Authentication provider; see Configuring the SAML Authentication Provider. When virtual users are enabled and a SAML Authentication provider is configured, the attributes returned by the custom attribute mapper are added to the subject. Where they are stored depends on the class type of the mapped attributes: if the mapper returns a collection of Principal objects, they are added to the subject's principal set; otherwise they are carried in the subject's private credential set. The example code shows both approaches. Application code therefore needs to know which class the mapper uses to represent the attributes it adds to the subject, and retrieves them from the subject's principal set or private credential set by that class type.
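The following is an added example (not Oracle's code, and not part of the original page) of the application side: reading mapper-supplied attributes back out of a javax.security.auth.Subject. It assumes two hypothetical attribute classes, SamlAttributePrincipal (a Principal, so the mapper's objects land in the principal set) and SamlAttributeCredential (not a Principal, so they land in the private credential set), standing in for whatever class your mapper actually returns; the Subject and its contents are constructed inline for the demonstration.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.security.auth.Subject;

// Hypothetical stand-in for the CustomPrincipal class an identity asserter
// attribute mapper returns. Because it implements Principal, instances land in
// the subject's principal set.
final class SamlAttributePrincipal implements Principal {
    private final String name;
    private final String nameFormat;
    private final List<String> values;

    SamlAttributePrincipal(String name, String nameFormat, Collection<String> values) {
        this.name = name;
        this.nameFormat = nameFormat;
        this.values = Collections.unmodifiableList(new ArrayList<String>(values));
    }
    public String getName() { return name; }
    public String getNameFormat() { return nameFormat; }
    public List<String> getValues() { return values; }
}

// Hypothetical stand-in for a mapper attribute type that is not a Principal;
// such objects are carried in the subject's private credential set instead.
final class SamlAttributeCredential {
    private final String name;
    private final List<String> values;

    SamlAttributeCredential(String name, Collection<String> values) {
        this.name = name;
        this.values = Collections.unmodifiableList(new ArrayList<String>(values));
    }
    public String getName() { return name; }
    public List<String> getValues() { return values; }
}

public final class SamlAttributeReader {

    // Values of a named attribute delivered as principals; empty if absent.
    // Filtering by the mapper's class first means a principal of some other
    // type that happens to share the name (e.g. a WLSGroup called "department")
    // is never mistaken for a SAML attribute.
    static List<String> fromPrincipals(Subject subject, String attrName) {
        for (SamlAttributePrincipal p : subject.getPrincipals(SamlAttributePrincipal.class)) {
            if (p.getName().equals(attrName)) {
                return p.getValues();
            }
        }
        return Collections.emptyList();
    }

    // The same lookup for attributes delivered as private credentials.
    static List<String> fromPrivateCredentials(Subject subject, String attrName) {
        for (SamlAttributeCredential c : subject.getPrivateCredentials(SamlAttributeCredential.class)) {
            if (c.getName().equals(attrName)) {
                return c.getValues();
            }
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) {
        // Constructed Subject for the demonstration; in a deployed WebLogic
        // application the subject comes from the container, for example via
        // weblogic.security.Security.getCurrentSubject().
        Subject subject = new Subject();
        subject.getPrincipals().add(new SamlAttributePrincipal(
            "department", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
            Arrays.asList("finance")));
        subject.getPrivateCredentials().add(new SamlAttributeCredential(
            "entitlement", Arrays.asList("reports:read", "reports:approve")));

        System.out.println("department via principals:              " + fromPrincipals(subject, "department"));
        System.out.println("entitlement via private credentials:    " + fromPrivateCredentials(subject, "entitlement"));
        // Looking in the set that does not match the mapper's class finds nothing:
        System.out.println("entitlement via principals (wrong set): " + fromPrincipals(subject, "entitlement"));
    }
}
```

Two points worth noting. Looking attributes up by the mapper's exact class, rather than iterating every Principal and comparing names, is what keeps an unrelated principal with the same name from being read as a SAML attribute. And if the server runs with a Java security manager, reading the private credential set requires javax.security.auth.PrivateCredentialPermission for the caller, whereas the principal set has no such guard; that is the usual reason to carry sensitive attribute values as private credentials and non-sensitive ones as principals.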

9.4.7 Examples of the SAML 1.1 Attribute Interfaces

This section provides examples of implementing the SAML 1.1 attribute interfaces that allow writing additional attributes into SAML assertions.

9.4.7.1 Example Custom SAML 1.1 Credential Attribute Mapper

Example 9–8 shows a single class that implements both the SAMLCredentialNameMapper interface and the SAMLCredentialAttributeMapper interface.

Example 9–8 SAML 1.1 Credential Attribute Mapper

public class CustomCredentialAttributeMapperImpl implements SAMLCredentialNameMapper, SAMLCredentialAttributeMapper {
    private String nameQualifier = null;

    // Attribute statements to include in the generated assertion
    public Collection<SAMLAttributeStatementInfo> mapAttributes(Subject subject, ContextHandler handler) {
        return AttributeStatementInfoGenerator.getInfos(subject, handler);
    }
    ...
    // Name identifier to include in the generated assertion
    public SAMLNameMapperInfo mapSubject(Subject subject, ContextHandler handler) {
        // Provider checks for null Subject...
        Set subjects = subject.getPrincipals(WLSUser.class);
        Set groups = subject.getPrincipals(WLSGroup.class);
        String userName = null;
        :
        userName = ((WLSUser) subjects.iterator().next()).getName();
        if (userName == null || userName.equals("")) {
            System.out.println("CustomCredentialAttributeMapperImpl:mapSubject: Username string is null or empty, returning null");
            return null;
        }
        // Return mapping information...
        System.out.println("CustomCredentialAttributeMapperImpl:mapSubject: Mapped subject: qualifier: " + nameQualifier + ", name: " + userName + ", groups: " + groups);
        return new SAMLNameMapperInfo(nameQualifier, userName, groups);
    }
    :
    :
}

class AttributeStatementInfoGenerator {
    static final String SAML_ATTR_NAMESPACE = "urn:bea:security:saml:attributes";

    static Collection<SAMLAttributeStatementInfo> getInfos(Subject subject, ContextHandler handlers) {
        // A single-valued attribute
        SAMLAttributeInfo info1 = new SAMLAttributeInfo("AttributeWithSingleValue", SAML_ATTR_NAMESPACE, "ValueOfAttributeWithSingleValue");
        // A multi-valued attribute
        ArrayList<String> v2 = new ArrayList<String>();
        v2.add("Value1OfAttributeWithMultipleValue");
        v2.add("Value2OfAttributeWithMultipleValue");
        SAMLAttributeInfo info2 = new SAMLAttributeInfo("AttributeWithMultipleValue", SAML_ATTR_NAMESPACE, v2);
        // One attribute statement carrying both attributes
        SAMLAttributeStatementInfo stmt1 = new SAMLAttributeStatementInfo();
        stmt1.addAttributeInfo(info1);
        stmt1.addAttributeInfo(info2);
        ArrayList<SAMLAttributeStatementInfo> result = new ArrayList<SAMLAttributeStatementInfo>();
        result.add(stmt1);
        :
        :
        return result;
    }
}

Use the WebLogic Server Administration Console to set the User Name Mapper class name to the fully-qualified class name of this mapper implementation, as described in Section 9.4.8, Make the Custom SAML Credential Attribute Mapper Class Available in the Console. The attributes encapsulated in the collection of SAMLAttributeStatementInfo objects returned by the custom mapper are included in the assertions generated by the SAML 1.1 Credential Mapping provider.
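The generator in Example 9–8 returns fixed attribute values. In a real mapper the attribute values come from the authenticated subject. The following added example (not Oracle's code, and not part of the original page) replaces that generator with one that emits the subject's WLSUser name as a single-valued attribute and its WLSGroup memberships as a multi-valued attribute. It assumes the SAMLAttributeInfo constructors and the SAMLAttributeStatementInfo.addAttributeInfo method used in Example 9–8, and the WebLogic packages named in the imports; the attribute names "username" and "groups" are this example's own choice and must match what the relying party is configured to expect.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.security.providers.saml.SAMLAttributeInfo;
import weblogic.security.providers.saml.SAMLAttributeStatementInfo;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;

// Derives the attribute statement from the authenticated Subject instead of
// hard-coding values. Attribute names are this example's choice (assumed);
// the namespace is the one used in Example 9-8.
class SubjectAttributeStatementInfoGenerator {
    static final String SAML_ATTR_NAMESPACE = "urn:bea:security:saml:attributes";
    static final String USER_ATTR = "username";
    static final String GROUPS_ATTR = "groups";

    static Collection<SAMLAttributeStatementInfo> getInfos(Subject subject, ContextHandler handler) {
        ArrayList<SAMLAttributeStatementInfo> result = new ArrayList<SAMLAttributeStatementInfo>();
        if (subject == null) {
            return result;   // nobody authenticated, nothing to assert
        }

        SAMLAttributeStatementInfo stmt = new SAMLAttributeStatementInfo();
        boolean hasAttributes = false;

        // Single-valued attribute: the WLSUser principal name. Only the first
        // user principal is used, the same one mapSubject turns into the
        // assertion's NameIdentifier.
        Set<WLSUser> users = subject.getPrincipals(WLSUser.class);
        if (!users.isEmpty()) {
            String userName = users.iterator().next().getName();
            if (userName != null && userName.length() > 0) {
                stmt.addAttributeInfo(new SAMLAttributeInfo(USER_ATTR, SAML_ATTR_NAMESPACE, userName));
                hasAttributes = true;
            }
        }

        // Multi-valued attribute: every WLSGroup principal the authentication
        // providers placed in the subject. Nothing from the request (the
        // ContextHandler) is copied into the assertion, so a caller has no way
        // to inject group names; the relying party trusts whatever appears here.
        ArrayList<String> groupNames = new ArrayList<String>();
        for (WLSGroup group : subject.getPrincipals(WLSGroup.class)) {
            groupNames.add(group.getName());
        }
        if (!groupNames.isEmpty()) {
            stmt.addAttributeInfo(new SAMLAttributeInfo(GROUPS_ATTR, SAML_ATTR_NAMESPACE, groupNames));
            hasAttributes = true;
        }

        // Omit the statement entirely rather than emit an empty one.
        if (hasAttributes) {
            result.add(stmt);
        }
        return result;
    }
}
```

To use it, have mapAttributes in the mapper class call SubjectAttributeStatementInfoGenerator.getInfos(subject, handler) in place of AttributeStatementInfoGenerator.getInfos. The design point is the data source: the SAML 1.1 Credential Mapping provider signs whatever attribute statements this method returns, and the relying party acts on them, so the values should be taken only from principals that WebLogic's own authentication providers put into the subject, never from request parameters reachable through the ContextHandler.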

9.4.7.2 Custom SAML 1.1 Identity Asserter Attribute Mapper