It's all about Weblogic..!!

July 6, 2010

Introduction to SAML

Filed under: * Security — streethawkz @ 12:14 pm

– SAML is an API – XML based standard framework.

– SAML token contains the subject / user information. ( XML based token )

– Using SAML tokens identity is established in two different domains ( say hotel domain and car domian ) with just one login.

How SAML token is created ?

– SAML token is created in hotel domain – Hence it has a credential mapper that takes the subject and converts it into SAML token and sends it across to car domain.

– Car domain has to receive the token hence it has an Identity Asserter which maps the received token against the user and authenticates him.

One who generated the SAML token is called the Identity Provider OR Asserting Party OR Source Site.

And the one accepts the token is called the Service Provider OR Relying Party OR Destination Site.

Trust has to be established between them for SAML to work hence details of the Service Provider has to be with the Identity Provider and details Identity Provider has to be with the Service Provider.

SAML can be classified into two types depending on the manner in which requests are obtained.

– IDP initiated ( Identity Provider Initiated )

– SP initiated ( Service Provider initiated )

IDP initiated :

Here request first comes to the Identity Provider and then goes to the Service Provider.

i.e user logs in to the domain where the token is generated and then is passed onto another domain wherein he is automatically logged in.

SP initiated :

Here the user comes to the Service Provider first and hence he has to be sent to the Identity Provider where the token is created and then the token is again consumed by the Service Provider and user is authenticated.

The request that is sent from the SP to IDP is in a separate format called SAML authentication request

Tokens can be received in two ways :

– HTTP based SSO with SAML Browser/POST Profile. ( PUSH method ) – In weblogic

– HTTP based SSO with SAML Browser/Artifact profile. ( PULL method ) – In Weblogic

There are two more profiles that are used in WebServers bases on SOAP :

– WSS and SAML “sender-vouches” profile

– WSS and SAML “holder-of-key” profile

The only difference between the above two is the way we receive the tokens.

POST Profile :

Service provider requests the Identity Provider for a token.

Identity Provider generates a SAML token and then replies back in http POST.

ARTIFACT Profile :

When SP sends a request to IDP for a token.

IDP creates an artifact and sends it to SP.

SP receives the artifact and replies back to the IDP that it has the artifact and requests for a token.

IDP now sends the token to  SP.


Lets go in details now..!!

IDP uses the Credential mapper to generate tokens.

Credential Mapper ( CM ) has a service called ITS which is actually responsible for generating tokens.

There is no need to configure ITS it is a service which is taken care internally by CM.

ITS – Inter-site Transfer Service

Along with ITS there is another service on the IDP called ARS ( Assertion Receiver Service ).

ARS is an addressable component that receives SAML assertion that corresponds to an artifact and sends the respective token to SP.

ARS comes into picture only in case of artifact profile.

Artifact – 40bit length. It just like a unique ID for a token.

ACS – Assertion Consumer Service.

At the Service Provider end we have the Identity Asserter to consume the tokens.

The actual consumption of tokens is done by a service in IA called ACS.

What does assertion mean ?

It is a package of information that supplies one or more statements made by SAML authority.

It consists of following information :

– Authentication statements – this consists of information as to when and how a subject was authenticated.

– Attribute statements – It gives specific information about the subject ( eg : subject’s group etc )

– Authorization statements  – gives information about what is the subject authorized to do.


Protocols : SAML defines a request/response protocol for obtaining assertions.


Binding : A binding details exactly how the SAML protocol maps onto transport and messaging protocols (HTTP or SOAP).


Profiles : Gives information about the type of binding i.e how to get and send assertions.


Federal Identity : A principal’s identity is said to be federated between a set of providers when there is an agreement between the providers on a set of identifiers and/or attributes to use to refer to the Principal.


Metadata : Metadata defines a way to express and share configuration information between SAML parties.


Now lets configure SAML 1.1 on WLS 🙂

Click on the link below to learn more about configuring SAML 1.1 with Weblogic :

Link :



  1. Great article ! I hope that you have time to write other great ones. Thanks

    Comment by CuongPT — October 10, 2010 @ 8:28 am

  2. Hey thanks CuongPT

    Will make some time and try writing few more 🙂

    Stay tuned 🙂

    — Puneeth

    Comment by streethawkz — October 11, 2010 @ 9:06 pm

  3. Great…. 🙂 🙂
    Great effort to simplify SAML Concept

    ~Iqubal Mustafa Kaki

    Comment by Iqubal Mustafa Kaki — March 16, 2011 @ 12:36 pm

  4. Hi,

    I would like to pass displayname attribute of AD into SAML 2.0 response where my Weblogic 10.3 acts as IdP for other SPs outside of my organization. I looked through all the documentation and only thing i could find relevant was to develop my own class which implements SAML2CredentialMapper and SAMLCredentialAttributeMapper interfaces and implement mapSubject() and mapAttribtue() methods respectively and configure my class in Name Mapper Class name in Provider Specific tab on SAML2CredentailMapper.

    My issue is that 1. I do not see my mapAttrbitues() method being called by Weblogic during SAML assertion generation and 2. How do I even populate displayname attribute from my AD into Weblogic’s ContextHandler and also populate in SAML response.

    Please note that my Weblogic has AD Provider configured as one of the authenticators.

    Thanks for you help,


    Comment by Mickey — December 25, 2011 @ 8:18 am

  5. Hi,
    In my previous post I wrote about the problem I am facing during SAML creation. Let me replicate the requirement.
    I am using weblogic as an Identity Provider and Oracle Identity federation (OIF) as a service Provider. The federation will be IDP(weblogic) initiated.
    I have configured both sides. I have configured both the sides as per your blog (weblogic and OIF) , published metadata and exchanged.
    Now the problem we are facing is that we don’t know that any web application need to be deployed in weblogic or any out of box feature is there in weblogic which we can use in order to get SAML working.
    Is there any out of box feature of weblogic by which we can use SAML after configuration only or we need to write a separate java code in order to create login page and using the entire configuration which I made in weblogic.
    As my requirement is a bit different from the solution in your blog. I am using OIF as service provider and in your blog weblogic is being used on both the places. I used source site configuration part form the blog (cause I am also using weblogic as an IDP). I configured OIF on my own. Exchanged metadata of OIF and weblogic.
    IF I had used OIF at both sides in that case my job would be pretty easy (cause OIF is specifically made for this purpose. But our requirement is different as I have to use weblogic as an IDP).
    In your blog you you haven’t written about any web application which needs to be deployed on weblogic side .
    What URL I need to hit for SAML if there is out of box feature in weblogic for using SAML(after configuring everything in weblogic).
    It’s been so long I am doing this task but I am not able to achieve it. Therefore any help regarding this task will be highly appreciated


    Comment by piyush — January 3, 2012 @ 2:58 pm

  6. We have an application which has different entry points, one is for suppliers and admins
    how to configure these multiple IDP in weblogic10.3.6 based on the entry URLs ?

    Comment by MyNanban — April 16, 2013 @ 7:00 pm

  7. howdy! , I adore your current composing quite definitely! talk about we carry on the messages additional somewhere around your current content about Yahoo? My partner and i demand a expert with this method to solve my personal dilemma. Might be that is certainly a person! Waiting for seem you.

    Comment by Email Hosting — October 24, 2013 @ 7:52 pm

  8. Great Post.You made my day Thank you 🙂

    Comment by Archana — May 21, 2014 @ 6:50 pm

  9. I really like what you guys are up too. This type of clever work and coverage!
    Keep up the amazing works guys I’ve included
    you guys to blogroll.

    Comment by mickyhosting — July 18, 2014 @ 10:43 am

  10. Though a clarifying face cleaner works wonderful to minimize
    all traces of oil and give you a tidy feeling, in case
    you begin experiencing terribly itchy skin or red spots quickly stop
    the use of that particular facial cleanser. These trees are heavily exploited and have been depleted to about 50% in the last
    century. This results in a more stable blood sugar and insulin levels.

    Comment by argan oil — October 3, 2014 @ 4:27 pm

  11. Total Cleanse Plus

    Introduction to SAML | It’s all about Weblogic..!!

    Trackback by Total Cleanse Plus — October 4, 2014 @ 8:18 am

  12. Great post ! 🙂 Have nice day ! hddwuszqri

    Comment by Thomas — August 10, 2017 @ 3:50 am

  13. Great Post! Can a weblogic domain act as both service provider and identity provider to another domain. We have a weblogic domain that is configured against pingfederate as identity provider, authenticated users will access bi domain from adf domain. We need this work under the same saml sso session. Can we configure adf domain as identity provider for bi domain to achieve this.

    Comment by prabhu — March 18, 2018 @ 9:17 am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog at

%d bloggers like this: