
Authentication Fails In SAML2 SSO When "urn:oasis:names:tc:SAML:2.0:nameidformat:transient" Is Used In Assertion (Doc ID 1342933.1)

Last updated on APRIL 05, 2021

Applies to:

Oracle WebLogic Server - Version 10.3 to 10.3.6
Oracle SOA Suite - Version 12.2.1.4.0 to 12.2.1.4.0 [Release 12c]
Information in this document applies to any platform.

Goal

There are a number of Identity Provider (IdP) solutions available, such as OpenSSO and PingIdentity, to name a few. When using one of these non-WebLogic Identity Providers (IdP) against a WebLogic Service Provider (SP), one might wish to carry out federation via a transient pseudonymous identifier (SAML2 NameID format "urn:oasis:names:tc:SAML:2.0:nameidformat:transient") so that the user's identity stays anonymous to the SP.

What is SAML2 NameID format "urn:oasis:names:tc:SAML:2.0:nameidformat:transient"?

SAML supports one-time, or transient, identifiers. Such identifiers ensure that every time a given user accesses a given service provider through a single sign-on operation from an identity provider, that service provider is unable to recognize them as the same individual who may have visited previously (based solely on the identifier; correlation may still be possible through non-SAML handles).

How does it work?

To carry out this setup, either:

How does WebLogic treat NameID format "urn:oasis:names:tc:SAML:2.0:nameidformat:transient"?

If the IdP sends a NameID with format "urn:oasis:names:tc:SAML:2.0:nameidformat:transient", WebLogic accepts it without any issue, but it treats the value as a literal username and looks it up in the security realm. WebLogic does not support the Name Identifier Management profile, so it cannot resolve the identity from a transient-format NameID either. Consequently, authentication fails in this scenario, because no user in the realm corresponds to this one-time identifier.
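The following pre-flight check is an added example, not Oracle's code: it parses a SAML2 assertion, pulls out the Subject NameID, and models the literal-username lookup described above to predict whether the SP-side authentication can succeed. The realm user set and the two assertions are constructed for the example; note that the SAML 2.0 specification spells the format URI with a hyphen ("nameid-format"), which is what real assertions carry.

```python
# Added example (not Oracle's code): a pre-flight check that models the
# behaviour described above. WebLogic takes the NameID value as a literal
# username and looks it up in the security realm, so a one-time transient
# pseudonym practically never matches and authentication fails.
# Assumptions: the realm user set and the assertions are constructed here;
# the SAML 2.0 spec spells the format URI with a hyphen ("nameid-format").
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

REALM_USERS = {"jsmith", "weblogic"}  # constructed realm contents


def extract_nameid(assertion_xml):
    """Return (format, value) of Subject/NameID; Format defaults to unspecified."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", SAML_NS)
    if nameid is None or not (nameid.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID")
    return nameid.get("Format", UNSPECIFIED), nameid.text.strip()


def check_weblogic_lookup(assertion_xml, realm_users=REALM_USERS):
    """Predict the outcome of WebLogic's literal-username realm lookup."""
    fmt, value = extract_nameid(assertion_xml)
    result = {"format": fmt, "value": value, "authenticates": value in realm_users}
    if fmt == TRANSIENT:
        result["warning"] = ("transient NameID is a one-time pseudonym; without Name "
                             "Identifier Management support WebLogic cannot resolve "
                             "it, so the literal lookup is expected to fail")
    return result


def _assertion(fmt, value):
    # Minimal constructed assertion; only the Subject matters for this check.
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_c1" Version="2.0" '
            f'IssueInstant="2021-04-05T00:00:00Z"><saml:Issuer>https://idp.example.test'
            f'</saml:Issuer><saml:Subject><saml:NameID Format="{fmt}">{value}'
            f'</saml:NameID></saml:Subject></saml:Assertion>')


TRANSIENT_ASSERTION = _assertion(TRANSIENT, "_5b2e9c7d41a0")  # random pseudonym
LITERAL_ASSERTION = _assertion(UNSPECIFIED, "jsmith")         # realm username

if __name__ == "__main__":
    for xml in (TRANSIENT_ASSERTION, LITERAL_ASSERTION):
        print(check_weblogic_lookup(xml))
```

Running the check against an assertion captured from the IdP (for instance with WebLogic SAML debug logging enabled) shows at a glance whether the NameID can ever match a realm user before any realm-side troubleshooting starts.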

Solution
