{"id":6683,"date":"2013-12-14T22:53:38","date_gmt":"2013-12-15T02:53:38","guid":{"rendered":"http:\/\/onlineappsdba.com\/?p=6683"},"modified":"2013-12-14T22:53:38","modified_gmt":"2013-12-15T02:53:38","slug":"saml-virtual-user-opss-virtual-user-oracle-security-jps-assert-saml-identity","status":"publish","type":"post","link":"https:\/\/onlineappsdba.com\/index.php\/2013\/12\/14\/saml-virtual-user-opss-virtual-user-oracle-security-jps-assert-saml-identity\/","title":{"rendered":"SAML & Virtual User : OPSS Virtual User oracle.security.jps.assert.saml.identity"},"content":{"rendered":"

A well written post by Andre Correa on Fusion Middleware Security Blog<\/a> says “One of the main strengths of SAML is the ability to communicate identity information across security domains that do not necessarily share the same user base. In other words, the authenticated user in one security domain does not necessarily exist in the target security domain providing the service.<\/strong><\/span>”<\/p>\n

This concept where user authenticated in one domain<\/strong> doesn’t exist in another domain but trusted by second domain (as part of SAML assertion) is called as Virtual User<\/strong>. This post covers covers how to set this virtual user<\/strong> in Oracle Web Services Manager (OWSM)<\/a> that is used to protect WebServices deployed on SOA<\/a>\/ OSB<\/a>.<\/p>\n

OWSM delegated authentication<\/strong> of incoming subject in SAML assertion<\/strong> to Oracle Platform Security Services<\/strong> (OPSS). OWSM uses SAML Login Module (saml.loginmodule<\/strong> or saml2.loginmodule<\/strong>\u00a0) and to enable virtual user in OWSM you set property oracle.security.jps.assert.saml.identity<\/strong>=true in jps-config.xml<\/strong>\u00a0located at $DOMAIN_HOME\/config\/fmwconfig )<\/p>\n

 <\/p>\n

Property oracle.security.jps.assert.saml.identity<\/strong> is a domain-wide property used to determine the mapping between the SAML subject and the user.<\/p>\n

Valid values include:<\/p>\n

a) false<\/strong>\u2014When this flag is set to false, the username in the SAML subject is mapped to the actual user in the identity store. The user roles and subject are created with username and roles specified in the identity store. This is the default value.<\/p>\n

b) true<\/strong>\u2014When this flag is set to true, the SAML subject is treated as a logical\/virtual user. The user is not mapped to the actual user in the identity store. The subject is populated only with the username from the SAML subject. Because the subject is treated as a virtual user, identity store configuration is not required and the Identity Assertion Provider is not invoked for all SAML policies in the domain using this login module.<\/p>\n

To set Virtual User (aka logical user)<\/strong><\/span><\/p>\n

1.<\/strong> Login to Enterprise Manager of WebLogic domain and go to WebLogic Domain<\/p>\n

2. From WebLogic Domain drop down menu, Security<\/strong> -> Security Provider Configuration<\/strong> -> Login Modules<\/strong> -> Edit\u00a0<\/strong><\/p>\n

3. Add custom property \u00a0oracle.security.jps.assert.saml.identity=true<\/strong><\/p>\n

4. Restart Admin and managed servers in WebLogic Domain<\/p>\n

 <\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

Related\/References<\/strong><\/span><\/p>\n