Configure the SAML 1.1 Credential Mapping Provider Configure the Source Site Federation Services
7.2.2 Configuring a SAML 1.1 Source Site for Single Sign-On
The following topics explain how to configure a WebLogic Server instance as a SAML 1.1 source site: ■ Section 7.2.2.1, Configure the SAML 1.1 Credential Mapping Provider ■ Section 7.2.2.2, Configure the Source Site Federation Services ■ Section 7.2.2.3, Configure Relying Parties ■ Section 7.2.2.4, Replacing the Default Assertion Store7.2.2.1 Configure the SAML 1.1 Credential Mapping Provider
In your security realm, create a SAML Credential Mapping Provider V2 instance. The SAML Credential Mapping provider is not part of the default security realm. See Section 4.10, Configuring a SAML Credential Mapping Provider for SAML 1.1. Configure the SAML Credential Mapping provider as a SAML authority, using the Issuer URI, Name Qualifier, and other attributes.7.2.2.2 Configure the Source Site Federation Services
Configuration of a WebLogic Server instance as a SAML 1.1 source site is controlled by the FederationServicesMBean. Access the FederationServicesMBean with the WebLogic Scripting Tool or through the Administration Console, on the Environment Servers ServerName Configuration Federation Services SAML 1.1 Source Site page. See Configure SAML 1.1 source services in the Oracle WebLogic Server Administration Console Help. Configure SAML source site attributes as follows: ■ Enable the SAML Source Site . Allow the WebLogic server instance to serve as a SAML source site by setting Source Site Enabled to true. ■ Set Source Site URL and Service URIs . Set the URL for the SAML source site. This is the URL that hosts the Intersite Transfer Service and the Assertion Retrieval Service. The source site URL is encoded as a source ID in hex and Base64. When you configure a SAML Asserting Party for BrowserArtifact profile, you specify the encoded source ID. Specify the URIs for the Intersite Transfer Service and to support BrowserArtifact profile the Assertion Retrieval Service. You also specify the Intersite Transfer Service URI when you configure a Relying Party. The default URI FederationServicesMBean.IntersiteTransferURIs values are shown in Table 7–1 . Table 7–1 Intersite Transfer URIs Default URI Values Description samlits_baits BASIC authentication, POST or Artifact profile samlits_baitspost BASIC authentication, POST profile samlits_baitsartifact BASIC authentication, Artifact profile samlits_ccits Client cert authentication, POST or Artifact profile samlits_ccitspost Client cert authentication, POST profile samlits_ccitsartifact Client cert authentication, Artifact profile 7-4 Securing Oracle WebLogic Server The Intersite Transfer URI text box allows you to accept the default values as-is, or modify them as you choose. Each URI includes the application context, followed by its, itspost, or itsartifact. The provided application contexts are samlits_ba BASIC authentication or samlits_cc client certificate authentication. You could also specify an application-specific context if needed, for example yourapplicationits, but in most cases the defaults provide the easiest configuration option. If you specify these URIs as samlits_baits, if a redirect occurs and the users session on the source site has timed out, a BASIC authentication dialog is presented. If you instead want to use a FORM dialog, the URI should point to a custom Web application that authenticates users and then forwards to the actual ITS URI. ■ Add signing certificate . The SAML source site requires a trusted certificate with which to sign assertions. Add this certificate to the keystore and enter the credentials alias and passphrase to be used to access the certificate. The servers SSL identity keycertificates will be used by default if a signing alias and passphrase are not supplied. ■ Configure SSL for the Assertion Retrieval Service . You can require all access to the Assertion Retrieval Service to use SSL by setting FederationServicesMBean.arsRequiresSSL to true. You can require two-way SSL authentication for the Assertion Retrieval Service by setting both arsRequiresSSL and ARSRequiresTwoWaySSL to true.7.2.2.3 Configure Relying Parties
Parts
» Oracle Fusion Middleware Online Documentation Library
» Document Scope Document Audience
» Related Information Oracle Fusion Middleware Online Documentation Library
» New and Changed Security Features Security Realms in WebLogic Server
» Security Providers Oracle Fusion Middleware Online Documentation Library
» WebLogic Resources Security Policies and WebLogic Resources
» Deployment Descriptors and the WebLogic Server Administration Console
» The Default Security Configuration in WebLogic Server Configuring WebLogic Security: Main Steps
» Methods of Configuring Security
» Management Tasks Available in Compatibility Security
» Why Customize the Default Security Configuration?
» Before You Create a New Security Realm
» Creating and Configuring a New Security Realm: Main Steps
» When Do You Need to Configure a Security Provider?
» Configuring an Authorization Provider Configuring the WebLogic Adjudication Provider
» Configuring a Role Mapping Provider
» Auditing ContextHandler Elements Configuring the WebLogic Auditing Provider
» Configuration Auditing Enabling Configuration Auditing
» Configuration Auditing Messages Configuring the WebLogic Auditing Provider
» Audit Events and Auditing Providers
» Configuring a WebLogic Credential Mapping Provider
» PKI Credential Mapper Attributes Credential Actions
» SAML 2.0 Credential Mapping Provider Attributes
» Lookup String Syntax The partner lookup string has the following syntax:
» CertPath Provider Certificate Registry
» Configuring a WebLogic Keystore Provider Choosing an Authentication Provider
» Setting the JAAS Control Flag Option Changing the Order of Authentication Providers
» Setting User Attributes Configuring the WebLogic Authentication Provider
» Accessing Other LDAP Servers Enabling an LDAP Authentication Provider for SSL
» Configuring Static Groups Use of GUID and LDAP DN Data in WebLogic Principals
» Optimizing the Group Membership Caches
» Optimizing the Connection Pool Size and User Cache
» Domain Controller Settings Configuring a Windows NT Authentication Provider
» Password Composition Rules for the Password Validation Provider
» Using the Password Validation Provider with the WebLogic Authentication Provider
» Creating an Instance of the Password Validation Provider Specifying the Password Composition Rules
» Partner Lookup Strings Required for Web Service Partners For web service Identity
» Configuring a Negotiate Identity Assertion Provider Ordering of Identity Assertion for Servlets
» Configuring Identity Assertion Performance in the Server Cache Configuring a User Name Mapper
» Configuring a Custom User Name Mapper
» Configuring the SAML Authentication Provider Overview of Single Sign-On with Microsoft Clients
» Configuring Your Network Domain to Use Kerberos Creating a JAAS Login File
» Configure the SAML 1.1 Credential Mapping Provider Configure the Source Site Federation Services
» Configuring Relying and Asserting Parties with WLST
» Configuring SAML 2.0 Services: Main Steps
» About SAML 2.0 General Services
» Publishing and Distributing the Metadata File
» Viewing Partner Site, Certificate, and Service Endpoint Information
» About SAML Debug Scopes and Attributes Enabling Debugging Using the Command Line
» Enabling Debugging Using the WebLogic Server Administration Console
» Enabling Debugging Using the WebLogic Scripting Tool Sending Debug Messages to Standard Out
» Overview of Security Data Migration
» Migration Concepts Formats and Constraints Supported by WebLogic Security Providers
» Configuring the Embedded LDAP Server
» The Access Control File Access Control Location
» Access Control Scope Attributes Types
» Subject Types GrantDeny Evaluation Rules
» Backup and Recovery Oracle Fusion Middleware Online Documentation Library
» Security Providers that Use the RDBMS Security Store
» Oracle Example MS-SQL Example
» DB2 Example For More Information About Default Connection Properties Internally, the RDBMS
» Configuring JMS Connection Recovery in the Event of Failure
» Using Your Own Certificate Authority Converting a Microsoft p7b Format to PEM Format
» How End User Certificate Callback Handlers Work Creating a Certificate Callback Implementation
» SSL: An Introduction One-Way and Two-Way SSL
» Java Secure Socket Extension JSSE SSL Implementation Supported Setting Up SSL: Main Steps
» Using Host Name Verification SSL Session Behavior
» Controlling the Level of Certificate Validation Accepting Certificate Policies in Certificates
» Checking Certificate Chains Using Certificate Lookup and Validation Providers
» Configuring RMI over IIOP with SSL Using the nCipher JCE Provider with WebLogic Server
» System Property Differences Between the JSSE-Based and Certicom SSL Implementations
» Supported Cipher Suites Using the JSSE-Based SSL Implementation
» Using Debugging with JSSE SSL
» Configuring Cross-Domain Security Enabling Cross Domain Security Between WebLogic Server Domains
» Configuring a Cross-Domain User Configure a Credential Mapping for Cross-Domain Security
» Enabling Global Trust Enabling Trust Between WebLogic Server Domains
» Using Connection Filters Oracle Fusion Middleware Online Documentation Library
» Using the Java Authorization Contract for Containers Viewing MBean Attributes
» How Passwords Are Protected in WebLogic Server Protecting User Accounts
» Configuring a Domain to Use JAAS Authorization
» Running Compatibility Security: Main Steps
» Configuring a Realm Adapter Authentication Provider
» Accessing 6.x Security from Compatibility Security
Show more