Security Fundamentals 3-13
You configure SAML tokens for a web service through use of the appropriate WS-SecurityPolicy assertions. When using SAML Token Profile, the appropriate SAML security providers must be configured: either the SAML 2.0 or SAML 1.1 credential mapping or identity assertion providers, depending on the desired SAML version and assertion usage.
3.4 Single Sign-On (SSO)
Single Sign-On is the ability to require a user to sign on to an application only once and gain access to many different application components, even though these components may have their own authentication schemes. Single sign-on enables users to log in securely to all their applications, web sites and mainframe sessions with just one identity. WebLogic Server provides single sign-on (SSO) with the following environments:
■ Section 3.4.1, "Web Browsers and HTTP Clients via SAML"
■ Section 3.4.2, "Desktop Clients"
3.4.1 Web Browsers and HTTP Clients via SAML
The Security Assertion Markup Language (SAML) enables cross-platform authentication between Web applications or Web services running in a WebLogic Server domain and Web browsers or other HTTP clients. WebLogic Server supports single sign-on (SSO) based on SAML. When users are authenticated at one site that participates in a single sign-on (SSO) configuration, they are automatically authenticated at other sites in the SSO configuration and do not need to log in separately.
The following steps describe a typical scenario that shows how SAML SSO works.
1. A Web user attempts to access a target resource at a site that is configured to accept authentications through SAML assertions.
When configuring SAML 1.1 in the Administration Console, this site is called the destination site. In SAML 2.0, this site is called the Service Provider.
2. The Service Provider determines that the user's credentials need to be authenticated by a central site that can generate a SAML assertion for that user. The Service Provider redirects the authentication request to that central site.
In SAML 1.1, the site that generates the SAML assertion is called the source site. In SAML 2.0, this site is the Identity Provider. In both SAML versions, this site is sometimes called a SAML Authority.
Note: SAML Token Profile 1.1 is supported only through WS-SecurityPolicy. The earlier WLS 9.2 Security Policy supports SAML Token Profile 1.0/SAML 1.1 only.
Note: When you use the Administration Console to configure SAML, you will notice that the names used for some SAML entities differ between SAML 1.1 and 2.0. This section identifies the key terminology differences.
3-14 Understanding Security for Oracle WebLogic Server
3. The user logs in to the Identity Provider site, typically via a login web application hosted by that site. The Identity Provider authenticates the user, and generates a SAML assertion.
4. Information about the SAML assertion provided by the Identity Provider and associated with the user and the desired target is conveyed from the Identity Provider site to the Service Provider site by the protocol exchange.
Through a sequence of HTTP exchanges, the user browser is transferred to an Assertion Consumer Service (ACS) at the Service Provider site. The WebLogic Server SAML Identity Assertion provider makes up a portion of the ACS.
5. The Identity Assertion provider maps the identity contained in the assertion to a Subject in the local security realm. The access policies on the requested target are evaluated to determine whether the user is authorized for that target. If access is authorized, the user authenticated by the Identity Provider site is accepted as an authenticated user by the Service Provider site, thereby achieving Web-based SSO.
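The five steps above, played out end to end as an added example that is not WebLogic Server code. It models the three parties (Service Provider, Identity Provider, and the SP's Assertion Consumer Service) as Python functions and a minimal SAML 2.0 assertion as XML. Two simplifications are assumptions of this example: the assertion is signed with an HMAC over its bytes (standing in for the XML signature a real IdP would produce with its private key), and the browser redirects of the "protocol exchange" are plain function calls. The users, groups, access policy and entity IDs are constructed values. The ACS part shows the checks a practitioner wants to see before an identity is mapped to a local Subject: signature, validity window, and audience restriction, followed by the access-policy evaluation of step 5.

```python
"""Simulated SAML web-browser SSO: SP redirect, IdP login, ACS validation,
identity mapping and authorization. Constructed example, not WebLogic code."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Assumption: a shared HMAC key stands in for the IdP's signing key pair.
IDP_SIGNING_KEY = b"constructed-idp-key"
SP_ENTITY_ID = "https://sp.example.test/"        # constructed SP entity ID
IDP_ENTITY_ID = "https://idp.example.test/"      # constructed IdP entity ID
IDP_USERS = {"alice": "correct horse battery staple"}   # constructed IdP accounts
LOCAL_USERS = {"alice": {"groups": {"staff"}}}           # constructed local realm
ACCESS_POLICY = {"/reports": {"staff"}, "/admin": {"admins"}}  # constructed policy
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


def _ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _sign(data: bytes) -> str:
    return base64.b64encode(hmac.new(IDP_SIGNING_KEY, data, hashlib.sha256).digest()).decode()


def sp_authn_request(target: str) -> dict:
    """Steps 1-2: the SP sees a request for a protected target with no session
    and builds the authentication request it redirects the browser with."""
    return {"issuer": SP_ENTITY_ID, "relay_state": target, "id": "_" + secrets.token_hex(8)}


def idp_issue_assertion(request: dict, username: str, password: str,
                        now: datetime = NOW) -> Optional[dict]:
    """Step 3: the IdP authenticates the user and issues a signed assertion
    whose audience is the requesting SP and whose validity is five minutes."""
    if not hmac.compare_digest(IDP_USERS.get(username, ""), password):
        return None
    a = ET.Element(f"{{{SAML_NS}}}Assertion",
                   {"ID": "_" + secrets.token_hex(8), "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML_NS}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(a, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = username
    cond = ET.SubElement(a, f"{{{SAML_NS}}}Conditions",
                         {"NotBefore": _ts(now - timedelta(minutes=1)),
                          "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
    restriction = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML_NS}}}Audience").text = request["issuer"]
    xml_bytes = ET.tostring(a)
    return {"assertion": xml_bytes, "signature": _sign(xml_bytes),
            "relay_state": request["relay_state"]}


def acs_consume(response: dict, now: datetime = NOW) -> dict:
    """Steps 4-5: the ACS validates the assertion, maps the NameID to a local
    subject, then evaluates the access policy on the requested target."""
    if not hmac.compare_digest(_sign(response["assertion"]), response["signature"]):
        return {"ok": False, "reason": "bad signature"}
    a = ET.fromstring(response["assertion"])
    cond = a.find(f"{{{SAML_NS}}}Conditions")
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return {"ok": False, "reason": "assertion outside validity window"}
    audiences = {e.text for e in cond.iter(f"{{{SAML_NS}}}Audience")}
    if SP_ENTITY_ID not in audiences:
        return {"ok": False, "reason": "assertion not addressed to this SP"}
    name_id = a.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID").text
    subject = LOCAL_USERS.get(name_id)          # identity assertion: NameID -> local Subject
    if subject is None:
        return {"ok": False, "reason": "no local subject for NameID"}
    target = response["relay_state"]
    authorized = bool(ACCESS_POLICY.get(target, set()) & subject["groups"])
    return {"ok": True, "subject": name_id, "target": target, "authorized": authorized}


def run_sso(username: str, password: str, target: str, now: datetime = NOW) -> dict:
    """Whole exchange: SP request, IdP login and assertion, ACS consumption."""
    request = sp_authn_request(target)
    response = idp_issue_assertion(request, username, password, now)
    if response is None:
        return {"ok": False, "reason": "IdP login failed"}
    return acs_consume(response, now)


if __name__ == "__main__":
    print(run_sso("alice", "correct horse battery staple", "/reports"))
```

Running the module prints the successful case for the constructed user. The order of checks in `acs_consume` is deliberate: signature first, so nothing in an unverified assertion is trusted, then time window and audience, and only then the mapping to a local Subject and the policy decision of step 5.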
For more background information about the OASIS SAML standard, see the following:
■ For SAML V1.1, see Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1 (http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf).
■ For SAML V2.0, see:
■ Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 (http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf).
■ Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0 (http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf).
For information about how SSO with web browsers and HTTP clients is implemented in WebLogic Server, see Section 5.2, "Single Sign-On with the WebLogic Security Framework".
3.4.2 Desktop Clients