How to Implement SAML Attributes

SAML APIs 9-17

An example of doing this is as follows:

    private Collection<SAML2AttributeStatementInfo> getAttributeStatementInfo(Subject subject, ContextHandler handlers) {
        // Attributes that go into the first attribute statement
        Collection<SAML2AttributeInfo> attrs = new ArrayList<SAML2AttributeInfo>();

        // A single-valued attribute using the "basic" name format
        SAML2AttributeInfo attrInfo = new SAML2AttributeInfo("AttributeWithSingleValue", "ValueOfAttributeWithSingleValue");
        attrInfo.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
        attrs.add(attrInfo);

        // A multi-valued attribute: each value becomes one AttributeValue element of a single Attribute
        ArrayList<String> v = new ArrayList<String>();
        v.add("Value1OfAttributeWithMultipleValue");
        v.add("Value2OfAttributeWithMultipleValue");
        v.add("Value3OfAttributeWithMultipleValue");
        SAML2AttributeInfo attrInfo1 = new SAML2AttributeInfo("AttributeWithMultipleValue", v);
        attrInfo1.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
        attrs.add(attrInfo1);

        // An attribute with a name format other than "basic": the Credential Mapping provider skips it
        SAML2AttributeInfo attrInfo2 = new SAML2AttributeInfo("AttributeWithInvalidNameFormat", "ValueOfAttributeWithInvalidNameFormatValue");
        attrInfo2.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
        attrs.add(attrInfo2);

        // An attribute with a null value; the cast selects the (String, String) constructor,
        // since a bare null would be ambiguous with the (String, Collection<String>) overload
        SAML2AttributeInfo attrInfo3 = new SAML2AttributeInfo("AttributeWithNullValue", (String) null);
        attrInfo3.setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
        attrs.add(attrInfo3);
        :
        :
        // Wrap the attribute collections in attribute statements (attrs1 is built in the elided part above)
        Collection<SAML2AttributeStatementInfo> attrStatements = new ArrayList<SAML2AttributeStatementInfo>();
        attrStatements.add(new SAML2AttributeStatementInfo(attrs));
        attrStatements.add(new SAML2AttributeStatementInfo(attrs1));
        return attrStatements;
    }

9.4.5 How to Implement SAML Attributes

This section walks through the process you follow to implement SAML attributes. From the SAML credential mapping Identity Provider site:

1. Instantiate the SAML2AttributeInfo and SAML2AttributeStatementInfo classes. Implement the SAML2CredentialAttributeMapper interface.

   Note: This section uses the SAML 2.0 interface names for the purpose of example. SAML 1.1 usage is similar except for different interface names for the mapper- and partner-related classes, as well as the attribute and method names used for the mapper configuration.

9-18 Programming Security for Oracle WebLogic Server

   Also implement the SAML2CredentialNameMapper interface in the same implementation. The SAML2CredentialAttributeMapper and SAML2CredentialNameMapper interfaces must both be in the same implementation. By implementing the SAML2CredentialNameMapper interface, you can then use the WebLogic Server Administration Console to set the NameMapperClassName attribute to the class name of your SAML2CredentialAttributeMapper instance.

2. Use the WebLogic Server Administration Console to configure your new custom attribute mapper on a SAML provider, or on each individual partner, using the NameMapperClassName attribute of the SAML Credential Mapping provider to identify it. See Section 9.4.8, "Make the Custom SAML Credential Attribute Mapper Class Available in the Console".

3. The SAML Credential Mapping provider determines if the configured custom name mapper is an implementation of the attribute mapping interface and, if so, calls your custom attribute mapping interface to obtain attribute values to write to the generated SAML assertions.

4. The SAML Credential Mapping provider does not validate the attribute names or values obtained from your custom attribute mapper. Any attribute with a non-null attribute name is written to the attribute statements in the SAML assertion. An attribute with a null or empty attribute name is ignored, and subsequent attributes are processed. If an attribute has multiple values, each value appears as an AttributeValue element of a single Attribute in SAML attribute statements.

   For SAML 1.1, attributes with a null value are written to the SAML assertion as an empty string (""). For SAML 2.0, null or empty attribute values are handled as described in Assertions and Protocols for the OASIS SAML V2.0 (March 2005), http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf. An attribute with a name format other than urn:oasis:names:tc:SAML:2.0:attrname-format:basic is skipped.

From the SAML Identity Assertion Service Provider site:

1. Implement the SAML2IdentityAsserterAttributeMapper and SAML2IdentityAsserterNameMapper interfaces in the same implementation. The SAML2IdentityAsserterAttributeMapper and SAML2IdentityAsserterNameMapper interfaces must both be in the same implementation. By implementing the SAML2IdentityAsserterNameMapper interface, you can then use the WebLogic Server Administration Console to set the NameMapperClassName attribute to the class name of your SAML2IdentityAsserterAttributeMapper instance.

2. Use the WebLogic Server Administration Console to configure the SAML Identity Assertion provider, as described in Section 9.4.9, "Make the Custom SAML Identity Asserter Class Available in the Console". Set the NameMapperClassName attribute to the class name of your custom SAML2IdentityAsserterAttributeMapper instance.

   The SAML Identity Assertion provider processes AttributeStatement elements of the incoming SAML assertions and constructs a collection of SAML attribute statements.

3. The SAML Identity Assertion provider determines if the configured custom name mapper implements the SAML2IdentityAsserterAttributeMapper interface. If it does, the SAML Identity Assertion provider calls the mapAttributeInfo method to obtain the SAML assertion's attributes. Your mapAttributeInfo method takes a Collection of SAMLAttributeStatementInfo instances that represent the attributes of attribute statements in a SAML Assertion, and maps the desired attributes in any application-specific way.

4. The SAML Identity Assertion provider makes the attributes from a SAML assertion available to consumers via the Java Subject. This requires that the SAML Authentication provider be configured and the virtual user be enabled on a SAML partner. The attributes returned by the mapper are stored as subject principals or private credentials, depending on the class type of the mapped attributes. Specifically, if the mapper returns a collection of Principal objects, the mapped attributes are stored into the subject principal set. Otherwise, the subject private credential set is used to carry the mapped attributes. The consuming code needs to know the class type of the object that the mapper uses to represent attributes added to the subject, as shown in Example 9–7.

5. The SAML Identity Assertion provider checks the ContextHandler and attribute mapper. This walkthrough assumes the presence of the attribute mapper as stated in Step 4.
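The Service Provider side of the procedure above (steps 1, 3 and 4), as an added example that is not part of this page or of the WebLogic product: a hypothetical class that implements both SAML2IdentityAsserterNameMapper and SAML2IdentityAsserterAttributeMapper, returns Principal objects so the mapped attributes land in the Subject's principal set, and includes the consumer-side lookup that Example 9–7 is cited for. The interface method and accessor names (mapNameInfo, mapAttributeInfo, getAttributeInfo, getAttributeName, getAttributeNameFormat, getAttributeValues) are assumed from the com.bea.security.saml2.providers javadoc; ExampleAttributeMapper, SamlAttributePrincipal, attributeValues and the allowlist of accepted attribute names are this example's own constructions.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

import weblogic.security.service.ContextHandler;
import com.bea.security.saml2.providers.SAML2AttributeInfo;
import com.bea.security.saml2.providers.SAML2AttributeStatementInfo;
import com.bea.security.saml2.providers.SAML2IdentityAsserterAttributeMapper;
import com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapper;
import com.bea.security.saml2.providers.SAML2NameMapperInfo;

/**
 * Hypothetical custom mapper for the Service Provider side. Both interfaces are
 * implemented by one class so the Console's NameMapperClassName attribute can
 * point at it (step 1 of the Service Provider procedure).
 */
public class ExampleAttributeMapper
        implements SAML2IdentityAsserterNameMapper, SAML2IdentityAsserterAttributeMapper {

    private static final String BASIC_FORMAT =
            "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

    // Constructed allowlist (assumption): only attributes the application actually
    // consumes are mapped into the Subject; anything else in the assertion is ignored.
    private static final Set<String> ACCEPTED_ATTRIBUTES =
            new HashSet<String>(Arrays.asList("groups", "department"));

    // Name mapping: use the assertion's subject name unchanged.
    public String mapNameInfo(SAML2NameMapperInfo info, ContextHandler handler) {
        return info == null ? null : info.getName();
    }

    // Attribute mapping (step 3). Returning Principal objects makes the provider store
    // them in the Subject's principal set (step 4) rather than as private credentials.
    public Collection<Object> mapAttributeInfo(
            Collection<SAML2AttributeStatementInfo> statements, ContextHandler handler) {
        Collection<Object> mapped = new ArrayList<Object>();
        if (statements == null) {
            return mapped;
        }
        for (SAML2AttributeStatementInfo statement : statements) {
            Collection<SAML2AttributeInfo> attrs = statement.getAttributeInfo();
            if (attrs == null) {
                continue;
            }
            for (SAML2AttributeInfo attr : attrs) {
                String name = attr.getAttributeName();
                // Skip unnamed attributes, name formats other than "basic" (mirroring the
                // Identity Provider side rule) and attributes outside the allowlist.
                if (name == null || name.length() == 0
                        || !BASIC_FORMAT.equals(attr.getAttributeNameFormat())
                        || !ACCEPTED_ATTRIBUTES.contains(name)) {
                    continue;
                }
                Collection<String> values = attr.getAttributeValues();
                if (values == null) {
                    continue;
                }
                // One Principal per value: a multi-valued attribute yields several principals.
                for (String value : values) {
                    if (value != null && value.length() > 0) {
                        mapped.add(new SamlAttributePrincipal(name, value));
                    }
                }
            }
        }
        return mapped;
    }

    /** The Principal type consuming code has to know about (compare Example 9-7). */
    public static final class SamlAttributePrincipal implements Principal, Serializable {
        private final String name;
        private final String value;

        public SamlAttributePrincipal(String name, String value) {
            this.name = name;
            this.value = value;
        }
        public String getName() { return name; }
        public String getValue() { return value; }
        @Override public String toString() { return name + "=" + value; }
        @Override public boolean equals(Object o) {
            return o instanceof SamlAttributePrincipal
                    && name.equals(((SamlAttributePrincipal) o).name)
                    && value.equals(((SamlAttributePrincipal) o).value);
        }
        @Override public int hashCode() { return 31 * name.hashCode() + value.hashCode(); }
    }

    /** Consumer side: collect the values of one mapped attribute from the Subject. */
    public static Collection<String> attributeValues(Subject subject, String attributeName) {
        Collection<String> values = new ArrayList<String>();
        for (SamlAttributePrincipal p : subject.getPrincipals(SamlAttributePrincipal.class)) {
            if (p.getName().equals(attributeName)) {
                values.add(p.getValue());
            }
        }
        return values;
    }
}
```

Because the SAML Credential Mapping provider on the Identity Provider side does not validate the attribute names or values it writes (step 4 of the Identity Provider procedure), the Service Provider mapper is where an application decides which assertion attributes it is willing to act on; the allowlist and the name-format check above keep unexpected attributes out of the Subject, and application code reads the accepted ones back with attributeValues(subject, "groups") once the SAML Authentication provider and virtual user are configured as step 4 requires.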

9.4.6 Examples of the SAML 2.0 Attribute Interfaces