
Configuring Single Sign-On with Web Browsers and HTTP Clients 7-17

7.3.4.5.3 Configure Authentication Requests and Assertions

Optionally, you can configure the following attributes of the authentication requests generated for, and assertions received from, this Identity Provider partner:

■ The Identity Provider Name Mapper Class name. This is the custom Java class that overrides the default username mapper class with which the SAML 2.0 Identity Assertion provider is configured in this security realm. The custom class you specify is used only for identities contained in assertions received from this particular partner. Operations on this attribute are available in the com.bea.security.saml2.providers.registry.IdPPartner Java interface.

■ Whether the identities contained in assertions received from this partner are mapped to virtual users in the security realm. Operations on this attribute are available in the com.bea.security.saml2.providers.registry.IdPPartner Java interface.

■ Whether to consume attribute information contained in assertions received from this partner. If enabled, the SAML 2.0 Identity Assertion provider extracts attribute information from the assertion and uses it, in conjunction with the SAML Authentication provider (which must be configured in the security realm), to determine the groups in the security realm to which the corresponding user belongs. Operations on this attribute are available in the com.bea.security.saml2.providers.registry.IdPPartner Java interface.

■ Whether authentication requests sent to this Identity Provider partner must be signed. This is a read-only attribute that is derived from the partner's metadata file. Operations on this attribute are available in the com.bea.security.saml2.providers.registry.WebSSOIdPPartner Java interface.

■ Whether SAML artifact requests received from this Identity Provider partner must be signed. Operations on this attribute are available in the com.bea.security.saml2.providers.registry.WebSSOIdPPartner Java interface.

7.3.4.5.4 Configure Redirect URIs

You can configure a set of URIs that, if invoked by an unauthenticated user, cause the user request to be redirected to the Identity Provider partner where the user can be authenticated.

Note: To use this attribute, you must have a SAML Authentication provider configured in the realm.

7-18 Securing Oracle WebLogic Server

WebLogic Server provides the com.bea.security.saml2.providers.registry.WebSSOIdPPartner Java interface for configuring this attribute.

7.3.4.5.5 Configure Binding and Transport Settings

Optionally, you also use the General tab of the Identity Provider partner configuration page to configure the following:

■ Whether SAML artifacts are delivered to this partner via the HTTP POST method. If so, you may also specify the URI of a custom web application that generates the HTTP POST form for sending the SAML artifact.

■ The URL of the custom web application that generates the POST form for carrying the SAML response for POST bindings to this Identity Provider partner.

■ The URL of the custom web application that generates the POST form for carrying the SAML response for Artifact bindings to this Identity Provider partner.

Operations on these attributes are available via the com.bea.security.saml2.providers.registry.WebSSOPartner Java interface.

For added security in the exchange of documents with this partner, you can also specify a client user name and password to be used by this Identity Provider partner when connecting to the local site's binding using Basic authentication. This attribute is available via the com.bea.security.saml2.providers.registry.BindingClientPartner Java interface.
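The following WLST (Jython) script is an added example, not part of the Oracle documentation and not Oracle's own sample code. It registers one Web Single Sign-On Identity Provider partner on a Service Provider site and sets, in one pass, the attributes described in 7.3.4.5.3 through 7.3.4.5.5. It assumes that the SAML 2.0 Identity Assertion provider is named SAML2IdentityAsserter and the SAML Authentication provider is named SAMLAuthenticator, that the partner's metadata is at /tmp/idp_metadata.xml, that the custom name mapper class com.example.saml.IdPNameMapper and the /saml2forms POST-form application exist, and that the setter and getter names follow the attribute names of the com.bea.security.saml2.providers.registry interfaces (consumePartnerMetadata, addIdPPartner and getIdPPartner on the provider MBean are assumed as well); verify every method name against the Javadoc for your WebLogic release before running it.

```jython
# Added example (not from the Oracle documentation): register a Web SSO Identity
# Provider partner and set the attributes from 7.3.4.5.3 - 7.3.4.5.5.
# Assumed: provider names 'SAML2IdentityAsserter' and 'SAMLAuthenticator', the
# metadata path, the mapper class, the POST-form application, and the method
# names (taken from the attribute names of the registry interfaces).
# Usage: wlst.sh register_idp_partner.py <admin-password> <idp-basic-auth-password>

import sys

ADMIN_URL     = 't3://localhost:7001'        # assumed Administration Server URL
PARTNER_NAME  = 'ExampleIdP'                 # assumed partner name
METADATA_FILE = '/tmp/idp_metadata.xml'      # assumed path to the partner's metadata file

connect('weblogic', sys.argv[1], ADMIN_URL)  # passwords come from the command line, not the script

realm    = cmo.getSecurityConfiguration().getDefaultRealm()
asserter = realm.lookupAuthenticationProvider('SAML2IdentityAsserter')
if asserter is None:
    raise Exception('no SAML 2.0 Identity Assertion provider in the default realm')
if realm.lookupAuthenticationProvider('SAMLAuthenticator') is None:
    # Redirect URIs and attribute consumption both require a SAML Authentication provider.
    raise Exception('no SAML Authentication provider in the default realm')

# Build the partner from its metadata file. The read-only attributes (Site tab,
# signing certificate, whether the IdP wants signed AuthnRequests) come from here.
partner = asserter.consumePartnerMetadata(METADATA_FILE)
partner.setName(PARTNER_NAME)
partner.setEnabled(true)

# 7.3.4.5.3  Authentication requests and assertions (IdPPartner / WebSSOIdPPartner)
partner.setIdentityProviderNameMapperClassname('com.example.saml.IdPNameMapper')  # assumed mapper, used for this partner only
partner.setVirtualUserEnabled(false)        # asserted identities must exist as real users in the realm
partner.setProcessAttributes(true)          # use assertion attributes to resolve group membership
partner.setWantArtifactRequestSigned(true)  # reject unsigned artifact requests from this IdP
print 'IdP requires signed AuthnRequests (from metadata):', partner.isWantAuthnRequestsSigned()

# 7.3.4.5.4  Redirect URIs: unauthenticated requests to these paths are sent to the IdP.
# Each path must also be covered by a security constraint in the web application;
# otherwise the container never challenges the user and no redirect happens.
partner.setRedirectURIs(['/protected/*', '/reports/*'])

# 7.3.4.5.5  Binding and transport (WebSSOPartner / BindingClientPartner)
partner.setArtifactBindingUsePOSTMethod(true)
partner.setArtifactBindingPostForm('/saml2forms/artifact.jsp')   # assumed custom POST-form application
partner.setPostBindingPostForm('/saml2forms/response.jsp')       # assumed custom POST-form application
partner.setClientUsername('idp-artifact-client')  # Basic-auth identity the IdP presents to the local binding
partner.setClientPassword(sys.argv[2])

asserter.addIdPPartner(partner)

# Read the registered partner back and confirm the security-relevant settings took effect.
check = asserter.getIdPPartner(PARTNER_NAME)
assert check.isWantArtifactRequestSigned(), 'artifact request signing not enabled'
assert check.getRedirectURIs(), 'no redirect URIs registered'
print 'registered partner', check.getName(), 'with redirect URIs', list(check.getRedirectURIs())

disconnect()
```

The paths passed to setRedirectURIs only trigger a redirect if the web application also declares a security constraint for them (for example a security-constraint in web.xml whose url-pattern matches /protected/*); without it the container serves the request without authenticating, exactly the failure mode the Note at the end of 7.3.5 describes. Keeping the two passwords out of the script and reading the partner back after registration are the two habits worth copying even if the method names differ in your release.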

7.3.5 Viewing Partner Site, Certificate, and Service Endpoint Information

When you configure SAML 2.0 partners, the partner configuration pages displayed by the Administration Console include tabs for viewing and configuring the following additional information about the partner:

■ The Site tab displays information about the partner, which is derived from the partner's metadata file. The data in this tab is read-only. WebLogic Server provides the com.bea.security.saml2.providers.registry.MetadataPartner Java interface for partner site information.

■ The Single Sign-On Signing Certificate tab displays details about the partner's signing certificate, which are also derived from the partner's metadata file. The data in this tab is read-only. Operations on these attributes are available from the com.bea.security.saml2.providers.registry.WebSSOPartner Java interface.

■ The Transport Layer Client Certificate tab displays the partner's transport layer client certificate. You can optionally import this certificate by clicking Import Certificate from File.

Note: If you configure one or more redirect URIs, remember to set security policies on them as well; otherwise the web container will not attempt to authenticate the user and, consequently, will not redirect the user's request to the Identity Provider partner.