
Configuring Single Sign-On with Web Browsers and HTTP Clients 7-13

7.3.3.3 Create and Configure Web Single Sign-On Service Provider Partners

A SAML 2.0 Service Provider partner is an entity that consumes the SAML 2.0 assertions generated by the Identity Provider site. The configuration of Service Provider partners is available from the Administration Console, using the Security Realms > RealmName > Providers > Credential Mapper > SAML2CredentialMapperName > Management page. The attributes that can be set on this console page can also be accessed programmatically via a set of Java interfaces, which are identified in the sections that follow. See "Create a SAML 2.0 Web Single Sign-on Service Provider partner" in the Oracle WebLogic Server Administration Console Help for complete details about the specific steps for configuring a Service Provider partner. For a summary of the site information, signing certificates, and service endpoint information available when you configure a web single sign-on partner, see Section 7.3.5, "Viewing Partner Site, Certificate, and Service Endpoint Information."

7.3.3.3.1 Obtain Your Service Provider Partner's Metadata File

Before you configure a Service Provider partner for web single sign-on, you need to obtain the partner's SAML 2.0 metadata file via a trusted and secure mechanism, such as encrypted email or an SSL-enabled FTP site. Your partner's metadata file describes the partner site and its binding support, includes the partner's certificates and keys, contains your partner's SAML 2.0 service endpoints, and more. Because this file carries the certificates your server will trust and the endpoints to which it will send assertions, anyone who can alter it in transit can substitute their own key or endpoint; confirm the certificate fingerprint with the partner out of band before importing the file. Copy the partner's metadata file into a location that can be accessed by each node in your domain configured for SAML 2.0. The SAML 2.0 metadata file is described in Section 7.3.2.2, "Publishing and Distributing the Metadata File."
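As an added illustration (not part of the Oracle documentation and not WebLogic's own code), the following Python script shows what is worth inspecting in a partner's metadata file before handing it to the console: the entityID, the signing-certificate fingerprint in the SPSSODescriptor, and the AssertionConsumerService endpoints and bindings. The metadata, the partner host sp.example.com and the certificate bytes are constructed placeholders (the X509Certificate element holds a dummy blob, not a real certificate), and the pinned fingerprint stands for the value the partner confirms out of band:

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the partner's signing certificate. A real file carries
# base64 DER; this is an arbitrary byte string so the script runs offline.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"

# Constructed SP metadata for a hypothetical partner. The second
# AssertionConsumerService deliberately uses plain http to show the check firing.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/saml2">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml2/sp/acs/post"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.com/saml2/sp/acs/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(FAKE_CERT_DER).decode()


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a certificate, computed over its DER bytes."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_sp_metadata(xml_text):
    """Extract the fields an IdP administrator needs to review from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing encryption")   # an absent 'use' means both
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.append({"use": use, "sha256": fingerprint(der)})
    acs = [{
        "index": int(e.get("index")),
        "default": e.get("isDefault", "false") == "true",
        "binding": e.get("Binding"),
        "location": e.get("Location"),
    } for e in sp.findall("md:AssertionConsumerService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "certs": certs,
        "acs": acs,
    }


def check_sp_metadata(info, pinned_sha256):
    """Return the list of problems found; an empty list means the file is fit to import."""
    problems = []
    signing = {c["sha256"] for c in info["certs"] if "signing" in c["use"]}
    if pinned_sha256.lower() not in signing:
        problems.append("no signing certificate matches the fingerprint confirmed out of band")
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for e in info["acs"]:
        if not e["location"].startswith("https://"):
            problems.append("ACS %d (%s) is not https; assertions would travel in the clear"
                            % (e["index"], e["location"]))
    if not info["want_assertions_signed"]:
        problems.append("partner does not require signed assertions")
    return problems


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(info["entity_id"], [(e["index"], e["binding"]) for e in info["acs"]])
    for p in check_sp_metadata(info, fingerprint(FAKE_CERT_DER)):
        print("PROBLEM:", p)
```

Run against the sample, the script reports the plain-http artifact endpoint as the only problem; against a file whose certificate does not match the pinned fingerprint it refuses the import, which is the case a tampered or mis-sent metadata file would produce.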

7.3.3.3.2 Create Partner and Enable Interactions

To create and enable a Service Provider partner for web single sign-on:

1. From the Management tab of the SAML 2.0 Credential Mapping provider page, specify the partner's name and metadata file.

2. From the General tab of the partner configuration page, enable interactions between the partner and the WebLogic Server instance.

WebLogic Server provides the com.bea.security.saml2.providers.registry.Partner Java interface for configuring these attributes.

7.3.3.3.3 Configure How Assertions are Generated

Optionally, from the General tab of the partner configuration page in the console, you can configure the following attributes of the SAML 2.0 assertions generated specifically for this Service Provider partner:

■ The Service Provider Name Mapper Class name. This is the Java class that overrides the default username mapper class with which the SAML 2.0 Credential Mapping provider is configured in this security realm.

■ Time to Live attributes. The Time to Live attributes specify the interval of time during which the assertions generated for this partner are valid. These attributes prevent expired assertions from being used, which also bounds the window in which an intercepted assertion could be replayed.

■ Whether to generate attribute information that is included in assertions. If enabled, the SAML 2.0 Credential Mapping provider adds, as attributes in the assertion, the groups to which the corresponding user belongs.

■ Whether the assertions sent to this partner must be disposed of immediately after use.

■ Whether this server's signing certificate is included in assertions generated for this partner.

WebLogic Server provides the com.bea.security.saml2.providers.registry.SPPartner Java interface for configuring these attributes.

7-14 Securing Oracle WebLogic Server
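To make the validity-window, dispose-after-use and group-attribute settings above concrete, here is an added Python example; it is not WebLogic's code, whose assertion generation lives inside the SAML 2.0 Credential Mapping provider and is not shown on this page. It builds a minimal unsigned SAML 2.0 Assertion whose Conditions are derived from a time-to-live and an offset, then validates it the way a Service Provider would, with clock-skew tolerance and a replay cache for one-time-use assertions. The arithmetic NotBefore = IssueInstant + offset, NotOnOrAfter = NotBefore + ttl is this example's own model of the two Time to Live attributes, not a statement of how WebLogic computes them; the issuer, subject, audience, attribute name "Groups" and group names are constructed:

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)


def utc(y, mo, d, h=0, mi=0, s=0):
    return dt.datetime(y, mo, d, h, mi, s, tzinfo=dt.timezone.utc)


def plus(t, seconds):
    return t + dt.timedelta(seconds=seconds)


def _ts(t):
    # SAML timestamps are xs:dateTime in UTC with a 'Z' suffix.
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


# Constructed issue time used by the demonstration below.
ISSUE = utc(2024, 1, 1, 12, 0, 0)


def build_assertion(issuer, subject, audience, groups, issue_time, ttl=120,
                    ttl_offset=-5, one_time_use=False, assertion_id="_constructed-1"):
    """Return a minimal, unsigned SAML 2.0 Assertion as XML text.

    Validity window (this example's model, not WebLogic's documented arithmetic):
      NotBefore    = issue_time + ttl_offset  (a negative offset tolerates SP clocks that run behind)
      NotOnOrAfter = NotBefore + ttl
    """
    not_before = plus(issue_time, ttl_offset)
    not_on_or_after = plus(not_before, ttl)
    a = ET.Element("{%s}Assertion" % SAML, Version="2.0",
                   ID=assertion_id, IssueInstant=_ts(issue_time))
    ET.SubElement(a, "{%s}Issuer" % SAML).text = issuer
    subj = ET.SubElement(a, "{%s}Subject" % SAML)
    ET.SubElement(subj, "{%s}NameID" % SAML).text = subject
    cond = ET.SubElement(a, "{%s}Conditions" % SAML,
                         NotBefore=_ts(not_before), NotOnOrAfter=_ts(not_on_or_after))
    ar = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(ar, "{%s}Audience" % SAML).text = audience
    if one_time_use:
        # "Dispose of immediately after use" expressed as the SAML 2.0 OneTimeUse condition.
        ET.SubElement(cond, "{%s}OneTimeUse" % SAML)
    if groups:
        # The user's groups carried as one multi-valued attribute (attribute name assumed).
        st = ET.SubElement(a, "{%s}AttributeStatement" % SAML)
        attr = ET.SubElement(st, "{%s}Attribute" % SAML, Name="Groups")
        for g in groups:
            ET.SubElement(attr, "{%s}AttributeValue" % SAML).text = g
    return ET.tostring(a, encoding="unicode")


class AssertionConsumer:
    """Service Provider side checks. XML signature verification is out of scope here."""

    def __init__(self, entity_id, clock_skew=30):
        self.entity_id = entity_id
        self.skew = dt.timedelta(seconds=clock_skew)
        # IDs of consumed OneTimeUse assertions; keep them at least until NotOnOrAfter.
        self.seen = set()

    def validate(self, xml_text, now):
        """Return (ok, reason, groups)."""
        a = ET.fromstring(xml_text)
        cond = a.find("saml:Conditions", NS)
        if cond is None:
            return False, "no Conditions element", []
        not_before = _parse_ts(cond.get("NotBefore"))
        not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
        if now + self.skew < not_before:
            return False, "not yet valid", []
        if now - self.skew >= not_on_or_after:   # NotOnOrAfter is exclusive
            return False, "expired", []
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            return False, "audience mismatch", []
        if cond.find("saml:OneTimeUse", NS) is not None:
            aid = a.get("ID")
            if aid in self.seen:
                return False, "replay of one-time-use assertion", []
            self.seen.add(aid)
        groups = [v.text for v in a.findall(
            ".//saml:Attribute[@Name='Groups']/saml:AttributeValue", NS)]
        return True, "ok", groups


if __name__ == "__main__":
    xml = build_assertion("https://idp.example.com", "alice", "https://sp.example.com/saml2",
                          ["admins", "users"], ISSUE, one_time_use=True)
    sp = AssertionConsumer("https://sp.example.com/saml2", clock_skew=0)
    print(sp.validate(xml, plus(ISSUE, 10)))   # accepted, groups returned
    print(sp.validate(xml, plus(ISSUE, 11)))   # rejected as a replay
```

With ttl=120 and ttl_offset=-5 the assertion is usable from five seconds before issue until 115 seconds after it; a consumer that allows 30 seconds of skew still accepts it at 130 seconds, which shows why the two settings should be tuned together with the partner's clock tolerance rather than in isolation.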

7.3.3.3.4 Configure How Documents Are Signed

You can use the General tab of the Service