Authentication Fails In SAML2 SSO When "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" Is Used In Assertion
(Doc ID 1342933.1)
Last updated on MAY 01, 2023
Applies to:
Oracle WebLogic Server - Version 10.3 to 10.3.6
Oracle SOA Suite - Version 12.2.1.4.0 to 12.2.1.4.0 [Release 12c]
Information in this document applies to any platform.
Goal
There are a number of Identity Provider (IdP) solutions available, OpenSSO and PingIdentity to name a few. When using one of these non-WebLogic IdPs against a WebLogic Service Provider (SP), one might wish to federate via a transient pseudonymous identifier (SAML2 NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:transient") so that the user's identity is not disclosed to the SP.
What is SAML2 NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"?
SAML supports one-time, or transient, identifiers. Such an identifier ensures that each time a given user accesses a given service provider through a single sign-on operation from an identity provider, the service provider is unable to recognize them as the same individual who may have visited previously, based solely on the identifier (correlation may still be possible through non-SAML handles).
How does it work?
To carry out this setup, either:
- the SP explicitly asks for a transient pseudonym in its "AuthnRequest" (via the NameIDPolicy element's Format attribute). WebLogic does not support this part of the SAML authentication request protocol, so this flow is not available when WebLogic is the SP;
- or the SP omits the NameIDPolicy from its "AuthnRequest", in which case the IdP is free to choose whatever format it wishes. In this scenario the SP is, of course, free to accept or reject the resulting NameID.
How does WebLogic treat NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"?
If the IdP sends a NameID with format "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", WebLogic accepts the assertion without complaint, but it treats the NameID value as a literal username and looks it up in the security realm. WebLogic does not support the Name Identifier Management profile, so it has no other way to resolve a transient NameID to a known identity. Consequently, authentication fails in this scenario: no realm user corresponds to a one-time identifier.
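The following is an added example, not part of the Oracle note and not WebLogic's own code. It covers both points above: it reads the Format requested in an SP's AuthnRequest NameIDPolicy (or reports that none was requested), and it extracts the NameID from an IdP response and simulates the lookup an SP that treats the NameID value as a literal realm username performs, so an administrator can predict from a captured assertion whether login will fail. The sample AuthnRequest, Response documents and realm user list are constructed for illustration (signatures, Conditions and AudienceRestriction are omitted); the function names are the example's own.

```python
"""Diagnose why a transient NameID fails against an SP that maps NameID -> realm user."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# Constructed sample messages (assumed issuer/SP names; no XML signatures).
AUTHN_REQUEST_TRANSIENT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q1" Version="2.0"
    IssueInstant="2023-05-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""

AUTHN_REQUEST_NO_POLICY = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q2" Version="2.0"
    IssueInstant="2023-05-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def _response(name_id_format: str, value: str) -> str:
    """Build a minimal constructed Response carrying one Assertion with the given NameID."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2023-05-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-05-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="{name_id_format}">{value}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


RESPONSE_TRANSIENT = _response(TRANSIENT, "_7c8e2d9a4f")   # one-time handle, not a username
RESPONSE_UNSPECIFIED = _response(UNSPECIFIED, "alice")      # literal username
REALM_USERS = {"alice", "bob"}                              # constructed SP security realm


def requested_name_id_format(authn_request_xml: str) -> Optional[str]:
    """Return the Format the SP asked for in NameIDPolicy, or None if it left the choice to the IdP."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def extract_name_id(response_xml: str) -> Tuple[str, str]:
    """Return (Format, value) of the first Assertion's Subject NameID.

    SAML Core treats a missing Format attribute as 'unspecified'.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion carries no Subject/NameID")
    return name_id.get("Format", UNSPECIFIED), (name_id.text or "").strip()


def literal_username_lookup(response_xml: str, realm_users: set) -> Optional[str]:
    """Mimic an SP that uses the NameID value verbatim as the realm username."""
    _, value = extract_name_id(response_xml)
    return value if value in realm_users else None


def diagnose(response_xml: str, realm_users: set) -> str:
    """Explain the expected outcome of the lookup before trying the real login."""
    fmt, value = extract_name_id(response_xml)
    user = literal_username_lookup(response_xml, realm_users)
    if fmt == TRANSIENT:
        # A transient handle is minted per session; it can never pre-exist in the realm.
        return f"FAIL: transient NameID {value!r} is a one-time handle; no realm user can match it"
    if user is None:
        return f"FAIL: NameID {value!r} (format {fmt}) has no matching realm user"
    return f"OK: NameID maps to realm user {user!r}"


if __name__ == "__main__":
    print("SP requested:", requested_name_id_format(AUTHN_REQUEST_TRANSIENT))
    print("SP requested:", requested_name_id_format(AUTHN_REQUEST_NO_POLICY))
    print(diagnose(RESPONSE_TRANSIENT, REALM_USERS))
    print(diagnose(RESPONSE_UNSPECIFIED, REALM_USERS))
```

Run it against a response captured from the IdP (for example, decoded from the SAMLResponse form field) to confirm which NameID format the IdP is actually emitting; if `diagnose` reports a transient handle, the fix belongs on the IdP side (emit a format whose value is a realm username) rather than in the SP realm.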
Solution