Click Apply to apply the property updates.

10-40 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

■ oracle/wss10_saml_token_with_message_protection_service_policy
■ oracle/wss_saml_token_over_ssl
■ oracle/wss_saml_token_bearer_over_ssl_service_policy
■ oracle/wss10_saml_hok_token_with_message_protection_service_policy
■ oracle/wss11_saml_token_with_message_protection_service_policy
■ oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy
■ oracle/wss11_x509_token_with_message_protection_service_policy

What Type of WebLogic Security Authentication Providers Must You Create?

You can use any WebLogic Authentication provider that can validate the credentials in the NameCallback and PasswordCallback callbacks, or the NameCallback alone, as appropriate. This means that you can use the WebLogic Default Authentication provider and authenticate the user against the embedded LDAP data store if you so choose, or the Default Identity Asserter, and so forth. See "Configure Authentication and Identity Assertion Providers" in the Oracle WebLogic Server Administration Console Help for information on how to do this.

Configuring the SAML and Kerberos Login Modules

The SAML and Kerberos policies have associated login modules, as determined by the assertions that make up the policy. When you attach a SAML policy to a Web service, you can edit the login policy and make any needed changes.

You can configure the following SAML and Kerberos login modules:

■ saml.loginmodule—The SAML login module is a Java Authentication and Authorization Service (JAAS) login module that accepts SAML assertions for a login. The SAML login module enables the Web services to run using the login context of the principal created from the SAML assertion.
■ saml2.loginmodule—The SAML2 login module is a JAAS login module that accepts SAML2 assertions for a login. The SAML2 login module enables the Web services to run using the login context of the principal created from the SAML2 assertion.
■ krb5.loginmodule—The Kerberos login module is a JAAS login module that authenticates users using Kerberos protocols. The Kerberos login module has optional properties that you can configure.

Login modules associated with other policy types do not have settings specific to the Web service policies.

To configure a login module:

1. In the navigator pane, expand WebLogic Domain to show the domain for which you need to configure the login module. Select the domain.

2. Using Fusion Middleware Control, click WebLogic Domain, then Security, and then Security Provider Configuration.

3. From the list of login modules, select a login module and click Edit. For example, if you select the saml.loginmodule from the list of login modules and click Edit, the Edit Login Module page shown in Figure 10–11 is displayed.

Setting Up Your Environment for Policies 10-41

Figure 10–11 Edit Login Module Page for SAML Login Module

4. Optionally, in the SAML Specific Attributes section, configure an alternate Issuer attribute if required for your configuration. For SAML policies, the Issuers attribute is required. This attribute specifies the name of the issuer of the SAML or SAML2 token. For predefined Oracle SAML policies and assertions, the default value is www.oracle.com. If you are using the predefined SAML policies or assertions for both the Web service client and Web service sides, you can generally use the defaults and not configure any issuer. For more information, see "Adding an Additional SAML Assertion Issuer Name" on page 10-47.

5. In the Custom Properties section of the page, configure any custom properties for the login module.

Note: Do not edit the default values in the General Properties section or unexpected results may occur. The default values for these properties are as follows:

■ Control Flag — Required
■ Debug — true
■ Add All Roles — true
■ Log Level — Fine

To add a property, click Add and enter a property name and value in the Add New Property window. Click OK to add the property to the Custom Properties list.

To change the value of an existing property, you need to delete the property from the Custom Properties list and add a new property with the revised value.

Table 10–1 lists the SAML and Kerberos login modules and describes properties that you can configure.

Table 10–1 SAML and Kerberos Login Modules Attributes and Properties

Login Module Service Name: saml.loginmodule, saml2.loginmodule
Property: oracle.security.jps.assert.saml.identity
Description: A domain-wide property used to determine the mapping between the SAML subject and the user. Valid values include:
■ false—When this flag is set to false, the username in the SAML subject is mapped to the actual user in the identity store. The user roles and subject are created with the username and roles specified in the identity store. This is the default.
■ true—When this flag is set to true, the SAML subject is treated as a logical/virtual user. The user is not mapped to the actual user in the identity store. The subject is populated only with the username from the SAML subject. Because the subject is treated as a virtual user, identity store configuration is not required and the Identity Assertion Provider is not invoked for all SAML policies in the domain using this login module.

Login Module Service Name: saml.loginmodule, saml2.loginmodule
Property: oracle.security.jps.add.assertion.to.subject
Description: Boolean flag used to indicate whether the SAML assertion should be added to the authenticated subject as a private credential. The default is true.

Login Module Service Name: krb5.loginmodule
Property: principal
Description: The name of the principal that should be used. It can be a simple username, such as testuser, or a service name such as host/testhost.eng.sun.com. You can use the principal option to set the principal when there are credentials for multiple principals in the keyTab or when you want a specific ticket cache only.