SAML APIs 9-17
An example of doing this is as follows:

    private Collection<SAML2AttributeStatementInfo> getAttributeStatementInfo(
            Subject subject, ContextHandler handlers) {
        Collection<SAML2AttributeInfo> attrs = new ArrayList<SAML2AttributeInfo>();

        // Attribute with a single value
        SAML2AttributeInfo attrInfo = new SAML2AttributeInfo(
                "AttributeWithSingleValue", "ValueOfAttributeWithSingleValue");
        attrInfo.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
        attrs.add(attrInfo);

        // Attribute with multiple values
        ArrayList<String> v = new ArrayList<String>();
        v.add("Value1OfAttributeWithMultipleValue");
        v.add("Value2OfAttributeWithMultipleValue");
        v.add("Value3OfAttributeWithMultipleValue");
        SAML2AttributeInfo attrInfo1 = new SAML2AttributeInfo("AttributeWithMultipleValue", v);
        attrInfo1.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
        attrs.add(attrInfo1);

        // Attribute with a name format other than basic (skipped by the provider)
        SAML2AttributeInfo attrInfo2 = new SAML2AttributeInfo(
                "AttributeWithInvalidNameFormat", "ValueOfAttributeWithInvalidNameFormatValue");
        attrInfo2.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
        attrs.add(attrInfo2);

        // Attribute with a null value
        SAML2AttributeInfo attrInfo3 = new SAML2AttributeInfo("AttributeWithNullValue", null);
        attrInfo3.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
        attrs.add(attrInfo3);
        :
        :   // (elided in the original; attrs1 is built here)
        Collection<SAML2AttributeStatementInfo> attrStatements =
                new ArrayList<SAML2AttributeStatementInfo>();
        attrStatements.add(new SAML2AttributeStatementInfo(attrs));
        attrStatements.add(new SAML2AttributeStatementInfo(attrs1));
        return attrStatements;
    }
9.4.5 How to Implement SAML Attributes
This section walks through the process you follow to implement SAML attributes.
From the SAML credential mapping Identity Provider site:
1. Instantiate the SAML2AttributeInfo and SAML2AttributeStatementInfo
classes. Implement the SAML2CredentialAttributeMapper interface.
Note: This section uses the SAML 2.0 interface names for the
purpose of example. SAML 1.1 usage is similar except for different interface names for the mapper- and partner-related classes, as well as
the attribute and method names used for the mapper configuration.
9-18 Programming Security for Oracle WebLogic Server
Also implement the SAML2CredentialNameMapper interface in the same implementation. The SAML2CredentialAttributeMapper and
SAML2CredentialNameMapper interfaces must both be in the same implementation.
By implementing the SAML2CredentialNameMapper interface, you can then use the WebLogic Server Administration Console to set the
NameMapperClassName attribute to the class name of your SAML2CredentialAttributeMapper instance.
2. Use the WebLogic Server Administration Console to configure your new custom attribute mapper on a SAML provider, or on each individual partner, using the NameMapperClassName attribute of the SAML Credential Mapping provider to identify it. See Section 9.4.8, Make the Custom SAML Credential Attribute Mapper Class Available in the Console.
3. The SAML Credential Mapping provider determines if the configured custom name mapper is an implementation of the attribute mapping interface and, if so, calls your custom attribute mapping interface to obtain attribute values to write to the generated SAML assertions.
4. The SAML Credential Mapping provider does not validate the attribute names or values obtained from your custom attribute mapper.
Any attribute with a non-null attribute name is written to the attribute statements in the SAML assertion. An attribute with a null or empty attribute name is ignored, and subsequent attributes are processed.
If an attribute has multiple values, each value appears as an AttributeValue element of a single Attribute in SAML attribute statements.
For SAML 1.1, attributes with a null value are written to the SAML assertion as an empty string.
For SAML 2.0, null or empty attribute values are handled as specified in Assertions and Protocols for the OASIS SAML V2.0 (March 2005), http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf. An attribute with a name format other than urn:oasis:names:tc:SAML:2.0:attrname-format:basic is skipped.

From the SAML Identity Assertion Service Provider site:
1. Implement the SAML2IdentityAsserterAttributeMapper and SAML2IdentityAsserterNameMapper interfaces in the same implementation. The SAML2IdentityAsserterAttributeMapper and SAML2IdentityAsserterNameMapper interfaces must both be in the same implementation.
By implementing the SAML2IdentityAsserterNameMapper interface, you can then use the WebLogic Server Administration Console to set the NameMapperClassName attribute to the class name of your SAML2IdentityAsserterAttributeMapper instance.
2. Use the WebLogic Server Administration Console to configure the SAML Identity Assertion provider, as described in Section 9.4.9, Make the Custom SAML Identity Asserter Class Available in the Console. Set the NameMapperClassName attribute to the class name of your custom SAML2IdentityAsserterAttributeMapper instance.
The SAML Identity Assertion provider processes AttributeStatement elements of the incoming SAML assertions and constructs a collection of SAML attribute statements.
3. The SAML Identity Assertion provider determines if the configured custom name mapper implements the SAML2IdentityAsserterAttributeMapper interface. If it does, the SAML Identity Assertion provider calls the mapAttributeInfo method to obtain the SAML assertion's attributes.
Your mapAttributeInfo method takes a Collection of SAMLAttributeStatementInfo instances that represent the attributes of attribute statements in a SAML Assertion, and maps the desired attributes in any application-specific way.
4. The SAML Identity Assertion provider makes the attributes from a SAML assertion available to consumers via the Java Subject. This requires that the SAML Authentication provider be configured and the virtual user be enabled on a SAML partner.
The attributes returned by the mapper are stored as subject principals or private credentials, depending on the class type of the mapped attributes. Specifically, if the mapper returns a collection of Principal objects, the mapped attributes are stored into the subject principal set. Otherwise, the subject private credential set is used to carry the mapped attributes.
The consuming code needs to know the class type of the object that the mapper uses to represent attributes added to the subject, as shown in Example 9–7.
5. The SAML Identity Assertion provider checks the ContextHandler and attribute mapper. This walkthrough assumes the presence of the attribute mapper as stated in Step 4.
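A hypothetical Service Provider-side mapper, added here as an illustration and not code from the Oracle documentation, that puts steps 1, 3 and 4 above into one class: both interfaces live in the same implementation, the returned objects are Principals so the provider stores them in the subject principal set, only a constructed allowlist of attribute names with the basic name format is carried into the Subject, and a null attribute value is tolerated. The package and method names (getAttributeInfo, getAttributeName, getAttributeNameFormat, getAttributeValues, SAML2NameMapperInfo.getName) are assumed from the WebLogic Javadoc, and the attribute names "groups" and "department" are constructed.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import weblogic.security.providers.saml.SAML2AttributeInfo;
import weblogic.security.providers.saml.SAML2AttributeStatementInfo;
import weblogic.security.providers.saml.SAML2IdentityAsserterAttributeMapper;
import weblogic.security.providers.saml.SAML2IdentityAsserterNameMapper;
import weblogic.security.providers.saml.SAML2NameMapperInfo;
import weblogic.security.service.ContextHandler;

// Hypothetical mapper: both SP-side interfaces in one class, as step 1 requires.
public class AllowlistAttributeMapper
        implements SAML2IdentityAsserterAttributeMapper, SAML2IdentityAsserterNameMapper {
    private static final String BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";
    // Constructed allowlist: only attributes the application actually consumes reach the Subject.
    private static final List<String> ALLOWED = Arrays.asList("groups", "department");

    // Mapped objects are Principals, so the provider stores them in the subject principal set (step 4).
    public static final class SamlAttributePrincipal implements Principal {
        private final String name; private final Collection<String> values;
        SamlAttributePrincipal(String name, Collection<String> values) { this.name = name; this.values = values; }
        public String getName() { return name; }
        public Collection<String> getValues() { return values; }
    }

    // Name mapping: take the asserted subject name as the WebLogic user name unchanged.
    public String mapNameInfo(SAML2NameMapperInfo info, ContextHandler handler) {
        return info.getName();
    }

    public Collection<Object> mapAttributeInfo(Collection<SAML2AttributeStatementInfo> attrStmtInfos,
                                               ContextHandler handler) {
        Collection<Object> mapped = new ArrayList<>();
        if (attrStmtInfos == null) return mapped;   // assertion carried no AttributeStatement
        for (SAML2AttributeStatementInfo stmt : attrStmtInfos) {
            Collection<SAML2AttributeInfo> attrs = stmt.getAttributeInfo();
            if (attrs == null) continue;
            for (SAML2AttributeInfo attr : attrs) {
                String name = attr.getAttributeName();
                // Drop names the application does not expect and any name format other than basic.
                if (name == null || !ALLOWED.contains(name) || !BASIC.equals(attr.getAttributeNameFormat())) continue;
                Collection<String> values = attr.getAttributeValues();
                // A null value is legal in SAML 2.0 (step 4); carry it as an empty list rather than failing.
                mapped.add(new SamlAttributePrincipal(name, values == null ? new ArrayList<>() : new ArrayList<>(values)));
            }
        }
        return mapped;
    }
}
```

Consuming code then looks up SamlAttributePrincipal instances in the Subject's principal set, which is the class-type knowledge step 4 says the consumer must have.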
9.4.6 Examples of the SAML 2.0 Attribute Interfaces