public interface SingleSignOnServicesMBean extends ConfigurationMBean, SingleSignOnServicesConfigSpi
This MBean represents configuration for SAML 2.0-based local site Single Sign-On Services.
DEFAULT_EMPTY_BYTE_ARRAY
| Modifier and Type | Method | Description |
|---|---|---|
| int | getArtifactMaxCacheSize() | The maximum size of the artifact cache. |
| int | getArtifactTimeout() | The maximum timeout (in seconds) of artifacts stored in the local cache. |
| int | getAuthnRequestMaxCacheSize() | The maximum size of the authentication request cache. |
| int | getAuthnRequestTimeout() | The maximum timeout (in seconds) of <AuthnRequest> documents stored in the local cache. |
| String | getBasicAuthPassword() | The password used to assign Basic Authentication credentials to outgoing HTTPS connections. |
| byte[] | getBasicAuthPasswordEncrypted() | The encrypted password used to assign Basic Authentication credentials to outgoing HTTPS connections. |
| String | getBasicAuthUsername() | The username used to assign Basic Authentication credentials to outgoing HTTPS connections. |
| String | getContactPersonCompany() | The contact person's company name. |
| String | getContactPersonEmailAddress() | The contact person's e-mail address. |
| String | getContactPersonGivenName() | The contact person's given (first) name. |
| String | getContactPersonSurName() | The contact person's surname (last name). |
| String | getContactPersonTelephoneNumber() | The contact person's telephone number. |
| String | getContactPersonType() | The contact person type. |
| String | getDefaultURL() | The Service Provider's default URL. |
| String | getEntityID() | The string that uniquely identifies the local site. |
| String | getIdentityProviderPreferredBinding() | Specifies the preferred binding type for endpoints of the Identity Provider services. |
| String | getLoginReturnQueryParameter() | The name of the query parameter used to convey the login-return URL to the login form web application. |
| String | getLoginURL() | The URL of the login form web application to which unauthenticated requests are directed. |
| String | getOrganizationName() | The organization name. |
| String | getOrganizationURL() | The organization URL. |
| String | getPublishedSiteURL() | The published site URL. |
| String | getServiceProviderPreferredBinding() | Specifies the preferred binding type for endpoints of Service Provider services. |
| String | getSSOSigningKeyAlias() | The keystore alias for the key to be used when signing documents. |
| String | getSSOSigningKeyPassPhrase() | The passphrase used to retrieve the local site's SSO signing key from the keystore. |
| byte[] | getSSOSigningKeyPassPhraseEncrypted() | The encrypted passphrase used to retrieve the local site's SSO signing key from the keystore. |
| String | getTransportLayerSecurityKeyAlias() | The alias used to store and retrieve the server's private key, which is used to establish outgoing TLS/SSL connections. |
| String | getTransportLayerSecurityKeyPassPhrase() | The passphrase used to retrieve the server's private key from the keystore. |
| byte[] | getTransportLayerSecurityKeyPassPhraseEncrypted() | The encrypted passphrase used to retrieve the local site's TLS/SSL key from the keystore. |
| boolean | isForceAuthn() | Specifies whether the Identity Provider must authenticate users directly and not use a previous security context. |
| boolean | isIdentityProviderArtifactBindingEnabled() | Specifies whether the Artifact binding is enabled for the Identity Provider. |
| boolean | isIdentityProviderEnabled() | Specifies whether the local site is enabled for the Identity Provider role. |
| boolean | isIdentityProviderPOSTBindingEnabled() | Specifies whether the POST binding is enabled for the Identity Provider. |
| boolean | isIdentityProviderRedirectBindingEnabled() | Specifies whether the Redirect binding is enabled for the Identity Provider. |
| boolean | isPassive() | Determines whether the Identity Provider and the user must not take control of the user interface from the requester and interact with the user in a noticeable fashion. |
| boolean | isPOSTOneUseCheckEnabled() | Specifies whether the POST one-use check is enabled. |
| boolean | isRecipientCheckEnabled() | Specifies whether the recipient/destination check is enabled. |
| boolean | isReplicatedCacheEnabled() | Specifies whether the persistent cache (LDAP or RDBMS) is used for storing SAML 2.0 artifacts and authentication requests. |
| boolean | isServiceProviderArtifactBindingEnabled() | Specifies whether the Artifact binding is enabled for the Service Provider. |
| boolean | isServiceProviderEnabled() | Specifies whether the local site is enabled for the Service Provider role. |
| boolean | isServiceProviderPOSTBindingEnabled() | Specifies whether the POST binding is enabled for the Service Provider. |
| boolean | isSignAuthnRequests() | Specifies whether authentication requests must be signed. |
| boolean | isWantArtifactRequestsSigned() | Specifies whether incoming artifact requests must be signed. |
| boolean | isWantAssertionsSigned() | Specifies whether incoming SAML 2.0 assertions must be signed. |
| boolean | isWantAuthnRequestsSigned() | Specifies whether incoming authentication requests must be signed. |
| boolean | isWantBasicAuthClientAuthentication() | Specifies whether Basic Authentication client authentication is required. |
| boolean | isWantTransportLayerSecurityClientAuthentication() | Specifies whether TLS/SSL client authentication is required. |
| void | setArtifactMaxCacheSize(int cacheSize) | |
| void | setArtifactTimeout(int timeout) | |
| void | setAuthnRequestMaxCacheSize(int cacheSize) | |
| void | setAuthnRequestTimeout(int timeout) | |
| void | setBasicAuthPassword(String password) | Sets the value of the BasicAuthPassword attribute. |
| void | setBasicAuthPasswordEncrypted(byte[] passwordEncrypted) | Sets the value of the BasicAuthPasswordEncrypted attribute. |
| void | setBasicAuthUsername(String name) | Sets the Basic Authentication username. |
| void | setContactPersonCompany(String company) | Sets the contact person company. |
| void | setContactPersonEmailAddress(String address) | Sets the contact person e-mail address. |
| void | setContactPersonGivenName(String name) | Sets the contact person given name. |
| void | setContactPersonSurName(String name) | Sets the contact person surname. |
| void | setContactPersonTelephoneNumber(String number) | Sets the contact person telephone number. |
| void | setContactPersonType(String type) | Sets the contact person type using enumeration values from SAML 2.0 metadata. |
| void | setDefaultURL(String defaultURL) | |
| void | setEntityID(String entityID) | Sets the Entity ID. |
| void | setForceAuthn(boolean forceAuthn) | Sets the force authentication flag. |
| void | setIdentityProviderArtifactBindingEnabled(boolean enabled) | |
| void | setIdentityProviderEnabled(boolean isEnabled) | Sets the identity provider enabled flag. |
| void | setIdentityProviderPOSTBindingEnabled(boolean enabled) | |
| void | setIdentityProviderPreferredBinding(String binding) | Binding must be one of "None", "HTTP/POST", or "HTTP/Artifact". |
| void | setIdentityProviderRedirectBindingEnabled(boolean enabled) | |
| void | setLoginReturnQueryParameter(String queryParameter) | Sets the login return query parameter. |
| void | setLoginURL(String loginURL) | Sets the login URL. |
| void | setOrganizationName(String name) | Sets the organization name. |
| void | setOrganizationURL(String url) | Sets the organization URL. |
| void | setPassive(boolean passive) | Sets the passive flag. |
| void | setPOSTOneUseCheckEnabled(boolean postOneUseCheckEnabled) | Sets the POST one-use check enabled value. |
| void | setPublishedSiteURL(String siteURL) | Sets the published site URL. |
| void | setRecipientCheckEnabled(boolean postRecipientCheckEnabled) | Sets the POST recipient check enabled value. |
| void | setReplicatedCacheEnabled(boolean replicated) | Sets the Use Replicated Cache flag. |
| void | setServiceProviderArtifactBindingEnabled(boolean enabled) | |
| void | setServiceProviderEnabled(boolean isEnabled) | Sets the service provider enabled flag. |
| void | setServiceProviderPOSTBindingEnabled(boolean enabled) | |
| void | setServiceProviderPreferredBinding(String binding) | Binding must be one of "None", "HTTP/POST", or "HTTP/Artifact". |
| void | setSignAuthnRequests(boolean signAuthnRequests) | Sets the sign <AuthnRequest> documents flag. |
| void | setSSOSigningKeyAlias(String ssoSigningKeyAlias) | Sets the SSO signing key alias. |
| void | setSSOSigningKeyPassPhrase(String signingKeyPassPhrase) | Sets the value of the SSOSigningKeyPassPhrase attribute. |
| void | setSSOSigningKeyPassPhraseEncrypted(byte[] signingKeyPassPhraseEncrypted) | Sets the value of the SSOSigningKeyPassPhraseEncrypted attribute. |
| void | setTransportLayerSecurityKeyAlias(String keyAlias) | Sets the TLS/SSL key alias. |
| void | setTransportLayerSecurityKeyPassPhrase(String keyPassPhrase) | Sets the value of the TransportLayerSecurityKeyPassPhrase attribute. |
| void | setTransportLayerSecurityKeyPassPhraseEncrypted(byte[] keyPassPhraseEncrypted) | Sets the value of the TransportLayerSecurityKeyPassPhraseEncrypted attribute. |
| void | setWantArtifactRequestsSigned(boolean wantSigned) | Sets the flag that determines whether incoming <ArtifactRequest> documents must be signed. |
| void | setWantAssertionsSigned(boolean wantSigned) | Sets the want assertions signed flag. |
| void | setWantAuthnRequestsSigned(boolean wantAuthnRequestsSigned) | Sets the flag that determines whether incoming authentication requests must be signed. |
| void | setWantBasicAuthClientAuthentication(boolean wantBA) | Sets the flag that determines whether Basic Authentication client authentication is required. |
| void | setWantTransportLayerSecurityClientAuthentication(boolean wantAuthentication) | Sets the flag that determines whether TLS/SSL client authentication is required. |
Methods inherited from superinterfaces (names only):
- freezeCurrentValue, getId, getInheritedProperties, getName, getNotes, isDynamicallyCreated, isInherited, isSet, restoreDefaultValue, setComments, setDefaultedMBean, setName, setNotes, setPersistenceEnabled, unSet
- getMBeanInfo, getObjectName, getParent, getType, isCachingDisabled, isRegistered, setParent
- getAttribute, getAttributes, invoke, setAttribute, setAttributes
- postDeregister, postRegister, preDeregister, preRegister
- addNotificationListener, getNotificationInfo, removeNotificationListener
- addPropertyChangeListener, createChildCopyIncludingObsolete, getParentBean, isEditable, removePropertyChangeListener
- getErrorPath
getContactPersonGivenName
String getContactPersonGivenName()
The contact person's given (first) name.
- Specified by:
getContactPersonGivenName
in interface SingleSignOnServicesConfigSpi
-
setContactPersonGivenName
void setContactPersonGivenName(String name)
Sets the contact person given name.
- Parameters:
name
- Contact person given name
-
getContactPersonSurName
String getContactPersonSurName()
The contact person's surname (last name).
- Specified by:
getContactPersonSurName
in interface SingleSignOnServicesConfigSpi
-
setContactPersonSurName
void setContactPersonSurName(String name)
Sets the contact person surname.
- Parameters:
name
- Contact person surname
-
getContactPersonType
String getContactPersonType()
The contact person type.
- Specified by:
getContactPersonType
in interface SingleSignOnServicesConfigSpi
-
setContactPersonType
void setContactPersonType(String type)
Sets the contact person type using enumeration values from SAML 2.0 metadata.
- Parameters:
type
- Contact person type
-
getContactPersonCompany
String getContactPersonCompany()
The contact person's company name.
- Specified by:
getContactPersonCompany
in interface SingleSignOnServicesConfigSpi
-
setContactPersonCompany
void setContactPersonCompany(String company)
Sets the contact person company.
- Parameters:
company
- Contact person company
-
getContactPersonTelephoneNumber
String getContactPersonTelephoneNumber()
The contact person's telephone number.
- Specified by:
getContactPersonTelephoneNumber
in interface SingleSignOnServicesConfigSpi
-
setContactPersonTelephoneNumber
void setContactPersonTelephoneNumber(String number)
Sets the contact person telephone number.
- Parameters:
number
- Contact person telephone number
-
getContactPersonEmailAddress
String getContactPersonEmailAddress()
The contact person's e-mail address.
- Specified by:
getContactPersonEmailAddress
in interface SingleSignOnServicesConfigSpi
-
setContactPersonEmailAddress
void setContactPersonEmailAddress(String address)
Sets the contact person e-mail address.
- Parameters:
address
- Contact person e-mail address
-
getOrganizationName
String getOrganizationName()
The organization name.
This string specifies the name of the organization to which a user may refer for obtaining additional information about the local site.
- Specified by:
getOrganizationName
in interface SingleSignOnServicesConfigSpi
-
setOrganizationName
void setOrganizationName(String name)
Sets the organization name.
- Parameters:
name
- Organization name
-
getOrganizationURL
String getOrganizationURL()
The organization URL.
This string specifies a location to which a user may refer for information about the local site. This string is not used by SAML 2.0 services for the actual handling or processing of messages.
- Specified by:
getOrganizationURL
in interface SingleSignOnServicesConfigSpi
-
setOrganizationURL
void setOrganizationURL(String url)
Sets the organization URL.
- Parameters:
url
- Organization URL
-
getPublishedSiteURL
String getPublishedSiteURL()
The published site URL.
When publishing SAML 2.0 metadata, this URL is used as a base URL to construct endpoint URLs for the various SAML 2.0 services. The published site URL is also used during request processing to generate and/or parse various URLs.
The hostname and port portion of the URL should be the hostname and port at which the server is visible externally; this may not be the same as the hostname and port by which the server is known locally. If you are configuring SAML 2.0 services in a cluster, the hostname and port may correspond to the load balancer or proxy server that distributes client requests to servers in the cluster.
The remainder of the URL should be a single path component corresponding to the application context at which the SAML 2.0 services application is deployed (typically /saml2).
- Specified by:
getPublishedSiteURL
in interface SingleSignOnServicesConfigSpi
- See Also:
SingleSignOnServicesMBean.setPublishedSiteURL(String)
-
setPublishedSiteURL
void setPublishedSiteURL(String siteURL)
Sets the published site URL.
When publishing SAML 2.0 metadata, this is used as a base URL to construct endpoint URLs for the various SAML 2.0 services. The published site URL is also used during request processing to generate or parse various URLs.
The hostname and port portion of the URL should be the hostname and port at which the server is externally visible; this may not be the same as the hostname and port by which the server is known locally. For example, if you are configuring SAML 2.0 services in a cluster, the hostname and port of the published site URL may correspond to the load balancer or proxy server that distributes client requests to servers in the cluster.
The remainder of the URL should be a single path component corresponding to the application context at which the SAML 2.0 services application is deployed (typically /saml2).
- Parameters:
siteURL
- The published site URL to set.
-
getEntityID
String getEntityID()
The string that uniquely identifies the local site.
- Specified by:
getEntityID
in interface SingleSignOnServicesConfigSpi
- Returns:
- Entity ID
-
setEntityID
void setEntityID(String entityID)
Sets the Entity ID
- Parameters:
entityID
- entity ID
-
isServiceProviderEnabled
boolean isServiceProviderEnabled()
Specifies whether the local site is enabled for the Service Provider
role.
This attribute must be enabled in order to publish the metadata file.
- Specified by:
isServiceProviderEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- Service provider enabled flag; 'true', if the service provider is enabled
-
setServiceProviderEnabled
void setServiceProviderEnabled(boolean isEnabled)
Sets service provider enabled flag
- Parameters:
isEnabled
- Service provider enabled flag
-
getDefaultURL
String getDefaultURL()
The Service Provider's default URL.
When an unsolicited SSO response arrives at the Service Provider
without an accompanying target URL, the user (if authenticated) is redirected
to this default URL.
- Specified by:
getDefaultURL
in interface SingleSignOnServicesConfigSpi
- Returns:
- the default URL
-
setDefaultURL
void setDefaultURL(String defaultURL)
-
isServiceProviderArtifactBindingEnabled
boolean isServiceProviderArtifactBindingEnabled()
Specifies whether the Artifact binding is enabled for the Service Provider.
- Specified by:
isServiceProviderArtifactBindingEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- Service provider artifact binding enabled flag; if 'true', local services will support endpoint with artifact binding when acting in the role of service provider
-
setServiceProviderArtifactBindingEnabled
void setServiceProviderArtifactBindingEnabled(boolean enabled)
-
isServiceProviderPOSTBindingEnabled
boolean isServiceProviderPOSTBindingEnabled()
Specifies whether the POST binding is enabled for the Service Provider.
- Specified by:
isServiceProviderPOSTBindingEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- Service provider POST binding enabled flag; if 'true', local services will support endpoint with POST binding when acting in the role of service provider
-
setServiceProviderPOSTBindingEnabled
void setServiceProviderPOSTBindingEnabled(boolean enabled)
-
getServiceProviderPreferredBinding
String getServiceProviderPreferredBinding()
Specifies the preferred binding type for endpoints of Service Provider services.
Must be set to "None", "POST", or "Artifact".
- Specified by:
getServiceProviderPreferredBinding
in interface SingleSignOnServicesConfigSpi
- Returns:
- Preferred binding type for endpoints
-
setServiceProviderPreferredBinding
void setServiceProviderPreferredBinding(String binding)
Binding must be one of "None", "HTTP/POST", or "HTTP/Artifact"
-
isSignAuthnRequests
boolean isSignAuthnRequests()
Specifies whether authentication requests must be signed. If set, all outgoing
authentication requests are signed.
- Specified by:
isSignAuthnRequests
in interface SingleSignOnServicesConfigSpi
- Returns:
- Sign <AuthnRequest> documents flag.
-
setSignAuthnRequests
void setSignAuthnRequests(boolean signAuthnRequests)
Sets the sign <AuthnRequest> documents flag
- Parameters:
signAuthnRequests
- Sign <AuthnRequest> documents flag
-
isWantAssertionsSigned
boolean isWantAssertionsSigned()
Specifies whether incoming SAML 2.0 assertions must be signed.
- Specified by:
isWantAssertionsSigned
in interface SingleSignOnServicesConfigSpi
- Returns:
- Want incoming assertions signed flag
-
setWantAssertionsSigned
void setWantAssertionsSigned(boolean wantSigned)
Set want assertions signed flag
- Parameters:
wantSigned
- Want assertions signed flag
-
getSSOSigningKeyAlias
String getSSOSigningKeyAlias()
The keystore alias for the key to be used when signing documents.
The key is used to generate signatures on all the outgoing documents, such as
authentication requests and responses. If you do not specify an alias, the server's
configured SSL private key alias from the server's SSL configuration is used by default.
- Specified by:
getSSOSigningKeyAlias
in interface SingleSignOnServicesConfigSpi
- Returns:
- The SSO Signing key.
-
setSSOSigningKeyAlias
void setSSOSigningKeyAlias(String ssoSigningKeyAlias)
Set the SSO Signing key alias.
- Parameters:
ssoSigningKeyAlias
- The SSO Signing key alias to set.
- See Also:
SingleSignOnServicesMBean.getSSOSigningKeyAlias()
-
getSSOSigningKeyPassPhrase
String getSSOSigningKeyPassPhrase()
The passphrase used to retrieve the local site's SSO signing key from
the keystore.
If you do not specify a keystore alias and passphrase, the server's configured private key alias
and private key passphrase from the server's SSL configuration is used by default.
- Specified by:
getSSOSigningKeyPassPhrase
in interface SingleSignOnServicesConfigSpi
- Returns:
- The signingKeyPassPhrase.
-
setSSOSigningKeyPassPhrase
void setSSOSigningKeyPassPhrase(String signingKeyPassPhrase) throws InvalidAttributeValueException
Sets the value of the SSOSigningKeyPassPhrase attribute.
When you get the value of this attribute, WebLogic Server does the following:
- Retrieves the value of the SSOSigningKeyPassPhraseEncrypted attribute.
- Decrypts the value and returns the unencrypted passphrase as a String.
When you set the value of this attribute, WebLogic Server does the following:
- Encrypts the value.
- Sets the value of the SSOSigningKeyPassPhraseEncrypted attribute to the encrypted value.
Using this attribute (SSOSigningKeyPassPhrase) is a potential security risk because the String object (which contains the unencrypted passphrase) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use getSSOSigningKeyPassPhraseEncrypted.
- Parameters:
signingKeyPassPhrase
- The signingKeyPassPhrase to set.
- Throws:
InvalidAttributeValueException
-
getSSOSigningKeyPassPhraseEncrypted
byte[] getSSOSigningKeyPassPhraseEncrypted()
The encrypted passphrase used to retrieve the local site's SSO signing key from
the keystore.
To set this attribute, use weblogic.management.EncryptionHelper.encrypt()
to encrypt the value. Then set this attribute to the output of the encrypt() method.
To compare a password that a user enters with the encrypted
value of this attribute, go to the same WebLogic Server instance
that you used to set and encrypt this attribute
and use weblogic.management.EncryptionHelper.encrypt()
to encrypt the user-supplied password. Then compare the encrypted values.
- Specified by:
getSSOSigningKeyPassPhraseEncrypted
in interface SingleSignOnServicesConfigSpi
- Returns:
- The encrypted signingKeyPassPhrase.
-
setSSOSigningKeyPassPhraseEncrypted
void setSSOSigningKeyPassPhraseEncrypted(byte[] signingKeyPassPhraseEncrypted) throws InvalidAttributeValueException
Sets the value of the SSOSigningKeyPassPhraseEncrypted attribute.
- Parameters:
signingKeyPassPhraseEncrypted
- The signingKeyPassPhraseEncrypted value to set.
- Throws:
InvalidAttributeValueException
-
isForceAuthn
boolean isForceAuthn()
Specifies whether the Identity Provider must authenticate users directly and not use a previous security context. The default is false.
Note the following:
- Setting ForceAuthn to true (that is, enabling Force Authentication) has no effect in WebLogic Server. SAML logout is not supported in WebLogic Server, so even if the user is already authenticated at the Identity Provider site and ForceAuthn is set to true, the user is not forced to authenticate again at the Identity Provider site.
- Setting both ForceAuthn and IsPassive to true (that is, enabling both Force Authentication and Passive) is an invalid configuration that causes WebLogic Server to generate an exception and also causes the single sign-on session to fail.
- Specified by:
isForceAuthn
in interface SingleSignOnServicesConfigSpi
- Returns:
- Force authentication flag
-
setForceAuthn
void setForceAuthn(boolean forceAuthn)
Sets the force authentication flag
- Parameters:
forceAuthn
- Force authentication flag
-
isPassive
boolean isPassive()
Determines whether the Identity Provider and the user must not take control of the user interface from the requester and interact with the user in a noticeable fashion. The default setting is false.
The WebLogic Server SAML 2.0 services generate an exception if Passive (IsPassive) is enabled and the end user is not already authenticated at the Identity Provider site. In this situation, web single sign-on fails.
- Specified by:
isPassive
in interface SingleSignOnServicesConfigSpi
- Returns:
- Passive flag
-
setPassive
void setPassive(boolean passive)
Sets the passive flag
- Parameters:
passive
- passive flag
-
isIdentityProviderEnabled
boolean isIdentityProviderEnabled()
Specifies whether the local site is enabled for the Identity Provider
role.
- Specified by:
isIdentityProviderEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- Identity provider enabled flag; if 'true', local services will act in the role of identity provider
-
setIdentityProviderEnabled
void setIdentityProviderEnabled(boolean isEnabled)
Sets identity provider enabled flag
- Parameters:
isEnabled
- Identity provider enabled flag
-
isIdentityProviderArtifactBindingEnabled
boolean isIdentityProviderArtifactBindingEnabled()
Specifies whether the Artifact binding is enabled for the Identity Provider.
- Specified by:
isIdentityProviderArtifactBindingEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- Identity provider artifact binding enabled flag; if 'true', local services will support endpoint with artifact binding when acting in the role of identity provider
-
setIdentityProviderArtifactBindingEnabled
void setIdentityProviderArtifactBindingEnabled(boolean enabled)
-
isIdentityProviderPOSTBindingEnabled
boolean isIdentityProviderPOSTBindingEnabled()
Specifies whether the POST binding is enabled for the Identity Provider.
- Specified by:
isIdentityProviderPOSTBindingEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- Identity provider POST binding enabled flag; if 'true', local services will support endpoint with POST binding when acting in the role of identity provider
-
setIdentityProviderPOSTBindingEnabled
void setIdentityProviderPOSTBindingEnabled(boolean enabled)
-
isIdentityProviderRedirectBindingEnabled
boolean isIdentityProviderRedirectBindingEnabled()
Specifies whether the Redirect binding is enabled for the Identity Provider.
- Specified by:
isIdentityProviderRedirectBindingEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- Identity provider redirect binding enabled flag; if 'true', local services will support endpoint with redirect binding when acting in the role of identity provider
-
setIdentityProviderRedirectBindingEnabled
void setIdentityProviderRedirectBindingEnabled(boolean enabled)
-
getIdentityProviderPreferredBinding
String getIdentityProviderPreferredBinding()
Specifies the preferred binding type for endpoints of the Identity Provider services.
Must be set to None, HTTP/POST, HTTP/Artifact, or HTTP/Redirect.
- Specified by:
getIdentityProviderPreferredBinding
in interface SingleSignOnServicesConfigSpi
- Returns:
- Preferred binding type for endpoints
-
setIdentityProviderPreferredBinding
void setIdentityProviderPreferredBinding(String binding)
Binding must be one of "None", "HTTP/POST", or "HTTP/Artifact"
-
getLoginURL
String getLoginURL()
The URL of the login form web application to which unauthenticated requests are directed.
By default, the login URL is /saml2/idp/login using Basic authentication. Typically you specify this URL if you are using a custom login web application.
- Specified by:
getLoginURL
in interface SingleSignOnServicesConfigSpi
- Returns:
- Login URL.
-
setLoginURL
void setLoginURL(String loginURL)
Sets the login URL.
- Parameters:
loginURL
- login URL
-
getLoginReturnQueryParameter
String getLoginReturnQueryParameter()
The name of the query parameter to be used for conveying the login-return URL to the login form web application.
- Specified by:
getLoginReturnQueryParameter
in interface SingleSignOnServicesConfigSpi
- Returns:
- Login return query parameter
-
setLoginReturnQueryParameter
void setLoginReturnQueryParameter(String queryParameter)
Sets the login return query parameter
- Parameters:
queryParameter
- login return query parameter
-
isWantAuthnRequestsSigned
boolean isWantAuthnRequestsSigned()
Specifies whether incoming authentication requests must be signed. If set, authentication requests that
are not signed are not accepted.
- Specified by:
isWantAuthnRequestsSigned
in interface SingleSignOnServicesConfigSpi
- Returns:
- Want <AuthnRequest> documents signed flag
-
setWantAuthnRequestsSigned
void setWantAuthnRequestsSigned(boolean wantAuthnRequestsSigned)
Sets the flag that determines whether incoming authentication requests must be signed.
- Parameters:
wantAuthnRequestsSigned
- Want <AuthnRequest> documents signed flag
-
isRecipientCheckEnabled
boolean isRecipientCheckEnabled()
Specifies whether the recipient/destination check is enabled. When true, the recipient of
the SAML Request/Response must match the URL in the HTTP Request.
- Specified by:
isRecipientCheckEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- The recipient check enabled value.
-
setRecipientCheckEnabled
void setRecipientCheckEnabled(boolean postRecipientCheckEnabled) throws InvalidAttributeValueException
Sets the POST recipient check enabled value.
- Parameters:
postRecipientCheckEnabled
- The POST recipient check enabled value to set.
- Throws:
InvalidAttributeValueException
-
isPOSTOneUseCheckEnabled
boolean isPOSTOneUseCheckEnabled()
Specifies whether the POST one-use check is enabled.
If set, the local site POST binding endpoints will store identifiers of all inbound documents
to ensure that those documents are not presented more than once.
- Specified by:
isPOSTOneUseCheckEnabled
in interface SingleSignOnServicesConfigSpi
- Returns:
- The POST one-use check enabled value.
-
setPOSTOneUseCheckEnabled
void setPOSTOneUseCheckEnabled(boolean postOneUseCheckEnabled) throws InvalidAttributeValueException
Sets the POST one-use check enabled value.
- Parameters:
postOneUseCheckEnabled
- The POST one-use check enabled value to set.
- Throws:
InvalidAttributeValueException
-
getTransportLayerSecurityKeyAlias
String getTransportLayerSecurityKeyAlias()
The string alias used to store and retrieve the server's private key, which is used to
establish outgoing TLS/SSL connections.
If you do not specify an alias, the server's configured SSL private key alias
from the server's SSL configuration is used for the TLS alias by default.
- Specified by:
getTransportLayerSecurityKeyAlias
in interface SingleSignOnServicesConfigSpi
- Returns:
- The TLS/SSL Signing key.
-
setTransportLayerSecurityKeyAlias
void setTransportLayerSecurityKeyAlias(String keyAlias)
Set the TLS/SSL key alias.
- Parameters:
keyAlias
- The key alias to set.
- See Also:
SingleSignOnServicesMBean.getTransportLayerSecurityKeyAlias()
-
getTransportLayerSecurityKeyPassPhrase
String getTransportLayerSecurityKeyPassPhrase()
The passphrase used to retrieve the server's private key from the keystore.
If you do not specify either an alias or a passphrase, the server's configured SSL private key alias
and private key passphrase from the server's SSL configuration is used for the TLS alias and passphrase
by default.
- Specified by:
getTransportLayerSecurityKeyPassPhrase
in interface SingleSignOnServicesConfigSpi
- Returns:
- The key PassPhrase.
-
setTransportLayerSecurityKeyPassPhrase
void setTransportLayerSecurityKeyPassPhrase(String keyPassPhrase) throws InvalidAttributeValueException
Sets the value of the TransportLayerSecurityKeyPassPhrase attribute.
When you get the value of this attribute, WebLogic Server does the following:
- Retrieves the value of the TransportLayerSecurityKeyPassPhraseEncrypted attribute.
- Decrypts the value and returns the unencrypted passphrase as a String.
When you set the value of this attribute, WebLogic Server does the following:
- Encrypts the value.
- Sets the value of the TransportLayerSecurityKeyPassPhraseEncrypted attribute to the encrypted value.
Using this attribute (TransportLayerSecurityKeyPassPhrase) is a potential security risk because the String object (which contains the unencrypted passphrase) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use getTransportLayerSecurityKeyPassPhraseEncrypted.
- Parameters:
keyPassPhrase
- The key PassPhrase to set.
- Throws:
InvalidAttributeValueException
-
getTransportLayerSecurityKeyPassPhraseEncrypted
byte[] getTransportLayerSecurityKeyPassPhraseEncrypted()
The encrypted passphrase used to retrieve the local site's TLS/SSL key from
the keystore.
To set this attribute, use weblogic.management.EncryptionHelper.encrypt()
to encrypt the value. Then set this attribute to the output of the encrypt() method.
To compare a password that a user enters with the encrypted
value of this attribute, go to the same WebLogic Server instance
that you used to set and encrypt this attribute
and use weblogic.management.EncryptionHelper.encrypt()
to encrypt the user-supplied password. Then compare the encrypted values.
- Specified by:
getTransportLayerSecurityKeyPassPhraseEncrypted
in interface SingleSignOnServicesConfigSpi
- Returns:
- The encrypted signingKeyPassPhrase.
-
setTransportLayerSecurityKeyPassPhraseEncrypted
void setTransportLayerSecurityKeyPassPhraseEncrypted(byte[] keyPassPhraseEncrypted) throws InvalidAttributeValueException
Sets the value of the TransportLayerSecurityKeyPassPhraseEncrypted attribute.
- Parameters:
keyPassPhraseEncrypted
- The keyPassPhraseEncrypted value to set.
- Throws:
InvalidAttributeValueException
-
getBasicAuthUsername
String getBasicAuthUsername()
The username that is used to assign Basic authentication credentials to outgoing HTTPS connections.
- Specified by: getBasicAuthUsername in interface SingleSignOnServicesConfigSpi
- Returns: The Basic Authentication username.
-
setBasicAuthUsername
void setBasicAuthUsername(String name)
Sets the Basic Authentication username.
- Parameters: name - The username to set.
-
getBasicAuthPassword
String getBasicAuthPassword()
The password used to assign Basic Authentication credentials to outgoing HTTPS connections.
- Specified by: getBasicAuthPassword in interface SingleSignOnServicesConfigSpi
- Returns: The Basic Authentication password.
-
setBasicAuthPassword
void setBasicAuthPassword(String password) throws InvalidAttributeValueException
Sets the value of the BasicAuthPassword attribute.
When you get the value of this attribute, WebLogic Server does the following:
- Retrieves the value of the BasicAuthPasswordEncrypted attribute.
- Decrypts the value and returns the unencrypted password as a String.
When you set the value of this attribute, WebLogic Server does the following:
- Encrypts the value.
- Sets the value of the BasicAuthPasswordEncrypted attribute to the encrypted value.
Using this attribute (BasicAuthPassword) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use getBasicAuthPasswordEncrypted.
- Parameters: password - The password to set.
- Throws: InvalidAttributeValueException
-
getBasicAuthPasswordEncrypted
byte[] getBasicAuthPasswordEncrypted()
The encrypted password used to assign Basic Authentication credentials to outgoing HTTPS connections.
To set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.
To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.
- Specified by: getBasicAuthPasswordEncrypted in interface SingleSignOnServicesConfigSpi
- Returns: The encrypted signingKeyPassPhrase.
-
setBasicAuthPasswordEncrypted
void setBasicAuthPasswordEncrypted(byte[] passwordEncrypted) throws InvalidAttributeValueException
Sets the value of the BasicAuthPasswordEncrypted attribute.
- Parameters: passwordEncrypted - The passwordEncrypted value to set.
- Throws: InvalidAttributeValueException
-
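The preferred path the Javadoc describes above for both the TLS key passphrase and the Basic Authentication password (encrypt with weblogic.management.EncryptionHelper.encrypt(), store through the *Encrypted setter, compare encrypted values on the same server), as an added example that is not part of the WebLogic Javadoc or product code. It assumes EncryptionHelper.encrypt(char[]) returns byte[], that SingleSignOnServicesMBean lives in weblogic.management.configuration, and that the caller already holds the MBean from the edit tree; SsoCredentialConfig and its methods are hypothetical names.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import javax.management.InvalidAttributeValueException;
import weblogic.management.EncryptionHelper;
import weblogic.management.configuration.SingleSignOnServicesMBean;

/** Hypothetical helper: stores SSO credentials only through the *Encrypted setters. */
public final class SsoCredentialConfig {

    /** Encrypts the TLS key passphrase, stores only the encrypted form, then wipes the input. */
    public static void setTlsKeyPassPhrase(SingleSignOnServicesMBean sso, char[] passPhrase)
            throws InvalidAttributeValueException {
        try {
            // Assumption: EncryptionHelper.encrypt(char[]) returns the encrypted bytes for this domain.
            sso.setTransportLayerSecurityKeyPassPhraseEncrypted(EncryptionHelper.encrypt(passPhrase));
        } finally {
            Arrays.fill(passPhrase, '\0'); // a char[] can be cleared; a String lingers until GC
        }
    }

    /** Same pattern for the Basic Authentication password used on outgoing HTTPS connections. */
    public static void setBasicAuthPassword(SingleSignOnServicesMBean sso, char[] password)
            throws InvalidAttributeValueException {
        try {
            sso.setBasicAuthPasswordEncrypted(EncryptionHelper.encrypt(password));
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Checks a user-supplied password the way the Javadoc describes: encrypt it on the same
     * server instance that stored the value, then compare the two encrypted forms. This only
     * works where encrypt() is deterministic on that server. MessageDigest.isEqual compares in
     * constant time, so the check does not leak how long a matching prefix was.
     */
    public static boolean basicAuthPasswordMatches(SingleSignOnServicesMBean sso, char[] candidate) {
        try {
            byte[] stored = sso.getBasicAuthPasswordEncrypted();
            return stored != null && MessageDigest.isEqual(stored, EncryptionHelper.encrypt(candidate));
        } finally {
            Arrays.fill(candidate, '\0');
        }
    }
}
```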
isWantArtifactRequestsSigned
boolean isWantArtifactRequestsSigned()
Specifies whether incoming artifact requests must be signed.
This attribute can be set if the Artifact binding is enabled.
- Specified by: isWantArtifactRequestsSigned in interface SingleSignOnServicesConfigSpi
- Returns: Want <ArtifactRequest> documents signed flag.
-
setWantArtifactRequestsSigned
void setWantArtifactRequestsSigned(boolean wantSigned)
Sets the flag that determines whether incoming <ArtifactRequest> documents must be signed.
- Parameters: wantSigned - Want <ArtifactRequest> documents signed flag.
-
isWantTransportLayerSecurityClientAuthentication
boolean isWantTransportLayerSecurityClientAuthentication()
Specifies whether TLS/SSL client authentication is required.
If enabled, callers to TLS/SSL bindings of the local site must specify client authentication (two-way SSL), and the identity specified must validate against the TLS certificate of the binding client partner.
- Specified by: isWantTransportLayerSecurityClientAuthentication in interface SingleSignOnServicesConfigSpi
- Returns: Want TLS/SSL client authentication flag.
-
setWantTransportLayerSecurityClientAuthentication
void setWantTransportLayerSecurityClientAuthentication(boolean wantAuthentication)
Sets the flag that determines if TLS/SSL client authentication is required.
- Parameters: wantAuthentication - Want TLS/SSL client authentication flag.
-
isWantBasicAuthClientAuthentication
boolean isWantBasicAuthClientAuthentication()
Specifies whether Basic Authentication client authentication is required.
If enabled, callers to HTTPS bindings of the local site must specify a Basic authentication header, and the username and password must be validated against the Basic authentication values of the binding client partner.
- Specified by: isWantBasicAuthClientAuthentication in interface SingleSignOnServicesConfigSpi
- Returns: Want Basic Authentication client authentication flag.
-
setWantBasicAuthClientAuthentication
void setWantBasicAuthClientAuthentication(boolean wantBA)
Sets the flag that determines if Basic Authentication client authentication is required.
- Parameters: wantBA - Want Basic Authentication client authentication flag.
-
getAuthnRequestMaxCacheSize
int getAuthnRequestMaxCacheSize()
The maximum size of the authentication request cache.
This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider. Specify '0' to indicate that the cache is unbounded.
- Specified by: getAuthnRequestMaxCacheSize in interface SingleSignOnServicesConfigSpi
- Returns: Maximum size of <AuthnRequest> document cache.
-
setAuthnRequestMaxCacheSize
void setAuthnRequestMaxCacheSize(int cacheSize)
-
getAuthnRequestTimeout
int getAuthnRequestTimeout()
The maximum timeout (in seconds) of <AuthnRequest> documents stored in the local cache.
This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider. Documents that reach this maximum timeout duration are expired from the local cache even if no response is received from the Identity Provider. If a response is subsequently returned by the Identity Provider, the cache behaves as if the <AuthnRequest> had never been generated.
- Specified by: getAuthnRequestTimeout in interface SingleSignOnServicesConfigSpi
- Returns: Maximum timeout (in seconds) of <AuthnRequest> documents stored in the local cache.
-
setAuthnRequestTimeout
void setAuthnRequestTimeout(int timeout)
-
getArtifactMaxCacheSize
int getArtifactMaxCacheSize()
The maximum size of the artifact cache.
This cache contains the artifacts issued by the local site that are awaiting referencing by a partner. Specify '0' to indicate that the cache is unbounded.
- Specified by: getArtifactMaxCacheSize in interface SingleSignOnServicesConfigSpi
- Returns: Maximum size of artifact cache.
-
setArtifactMaxCacheSize
void setArtifactMaxCacheSize(int cacheSize)
-
getArtifactTimeout
int getArtifactTimeout()
The maximum timeout (in seconds) of artifacts stored in the local cache.
This cache stores artifacts issued by the local site that are awaiting referencing by a partner. Artifacts that reach this maximum timeout duration are expired in the local cache even if no reference request has been received from the partner. If a reference request is subsequently received from the partner, the cache behaves as if the artifact had never been generated.
- Specified by: getArtifactTimeout in interface SingleSignOnServicesConfigSpi
- Returns: Maximum timeout (in seconds) of artifacts stored in the local cache.
-
setArtifactTimeout
void setArtifactTimeout(int timeout)
-
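A model of the cache semantics documented for getAuthnRequestMaxCacheSize/getAuthnRequestTimeout and getArtifactMaxCacheSize/getArtifactTimeout above (0 means unbounded, a timeout in seconds, and an expired entry treated as if it had never been generated), as an added example that is not WebLogic's implementation. PendingCache is a hypothetical class; evicting the oldest entry when the cache is full and consuming an entry on first resolution are this example's own choices, not behaviour the Javadoc states.

```java
import java.util.LinkedHashMap;
import java.util.Optional;
import java.util.function.LongSupplier;

/** Hypothetical model of the AuthnRequest and artifact caches: bounded size (0 = unbounded),
 *  per-entry timeout in seconds, and "as if never generated" once an entry has expired. */
public final class PendingCache<V> {
    private record Entry<V>(V value, long issuedAt) {}

    private final int maxSize;          // from get*MaxCacheSize(): 0 means unbounded
    private final long timeoutMillis;   // from get*Timeout(), given in seconds
    private final LongSupplier clock;   // injectable so expiry can be tested without sleeping
    private final LinkedHashMap<String, Entry<V>> entries = new LinkedHashMap<>();

    public PendingCache(int maxSize, int timeoutSeconds, LongSupplier clock) {
        if (maxSize < 0 || timeoutSeconds <= 0) {
            throw new IllegalArgumentException("maxSize >= 0 and timeoutSeconds > 0 required");
        }
        this.maxSize = maxSize;
        this.timeoutMillis = timeoutSeconds * 1000L;
        this.clock = clock;
    }

    /** Records an issued AuthnRequest ID or artifact. Evicting the oldest entry when the cache
     *  is full is this model's assumption; the Javadoc does not say what happens then. */
    public synchronized void issue(String id, V value) {
        purgeExpired();
        if (maxSize > 0 && !entries.containsKey(id) && entries.size() >= maxSize) {
            entries.remove(entries.keySet().iterator().next()); // LinkedHashMap keeps insertion order
        }
        entries.put(id, new Entry<>(value, clock.getAsLong()));
    }

    /** Matches a partner's Response (InResponseTo) or ArtifactResolve against the cache. Unknown and
     *  expired IDs both yield empty, exactly as if the request had never been generated. The entry is
     *  consumed on first use so a replayed ID is rejected (this model's choice, as SAML artifacts are single-use). */
    public synchronized Optional<V> resolve(String id) {
        purgeExpired();
        Entry<V> e = entries.remove(id);
        return e == null ? Optional.empty() : Optional.of(e.value());
    }

    private void purgeExpired() {
        long now = clock.getAsLong();
        entries.values().removeIf(e -> now - e.issuedAt() >= timeoutMillis);
    }
}
```

With a fake clock, issuing an ID, advancing the clock past the timeout and then calling resolve() returns empty, which is the late-response behaviour the Javadoc describes.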
isReplicatedCacheEnabled
boolean isReplicatedCacheEnabled()
Specifies whether the persistent cache (LDAP or RDBMS) is used for storing SAML 2.0 artifacts and authentication requests.
RDBMS is required by the SAML 2.0 security providers in production environments. Use LDAP only in development environments.
If this is not set, artifacts and requests are saved in memory.
If you are configuring SAML 2.0 services for two or more WebLogic Server instances in a domain, you must enable the replicated cache individually on each server. In addition, if you are configuring SAML 2.0 services in a cluster, each Managed Server must also be configured individually.
- Specified by: isReplicatedCacheEnabled in interface SingleSignOnServicesConfigSpi
- Returns: Use Replicated Cache flag.
-
setReplicatedCacheEnabled
void setReplicatedCacheEnabled(boolean replicated)
Sets the Use Replicated Cache flag.
- Parameters: replicated - Use Replicated Cache flag.