SingleSignOnServicesMBean


Overview  |   Related MBeans  |   Attributes  |   Operations

Overview

This MBean represents configuration for SAML 2.0-based local site Single Sign-On Services.

       
Since9.5.0.0
Fully Qualified Interface NameIf you use the getMBeanInfo operation in MBeanTypeServiceMBean, supply the following value as this MBean's fully qualified interface name:
weblogic.management.configuration.SingleSignOnServicesMBean
Factory Methods No factory methods. Instances of this MBean are created automatically.


Attributes

This section describes the following attributes:


ArtifactMaxCacheSize

The maximum size of the artifact cache.

This cache contains the artifacts issued by the local site that are awaiting referencing by a partner. Specify '0' to indicate that the cache is unbounded.

       
Privileges Read/Write
Typeint
Default Value10000

ArtifactTimeout

The maximum timeout (in seconds) of artifacts stored in the local cache.

This cache stores artifacts issued by the local site that are awaiting referencing by a partner. Artifacts that reach this maximum timeout duration are expired in the local cache even if no reference request has been received from the partner. If a reference request is subsequently received from the partner, the cache behaves as if the artifact had never been generated.

       
Privileges Read/Write
Typeint
Default Value300

AuthnRequestMaxCacheSize

The maximum size of the authentication request cache.

This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider.

Specify '0' to indicate that the cache is unbounded.

       
Privileges Read/Write
Typeint
Default Value10000

AuthnRequestTimeout

The maximum timeout (in seconds) of <AuthnRequest> documents stored in the local cache.

This cache stores documents issued by the local Service provider that are awaiting response from a partner Identity Provider. Documents that reach this maximum timeout duration are expired from the local cache even if no response is received from the Identity Provider. If a response is subsequently returned by the Identity Provider, the cache behaves as if the <AuthnRequest> had never been generated.

       
Privileges Read/Write
Typeint
Default Value300

BasicAuthPassword

The password used to assign Basic Authentication credentials to outgoing HTTPS connections

       
Privileges Read/Write
Typejava.lang.String
Encryptedtrue

BasicAuthPasswordEncrypted

The encrypted password used assign Basic Authentication credentials to outgoing HTTPS connections.

To set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.

To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.

       
Privileges Read/Write
Typebyte[]
Encryptedtrue

BasicAuthUsername

The username that is used to assign Basic authentication credentials to outgoing HTTPS connections.

       
Privileges Read/Write
Typejava.lang.String

CachingDisabled

Private property that disables caching in proxies.

       
Privileges Read only
Typeboolean
Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

ContactPersonCompany

The contact person's company name.

       
Privileges Read/Write
Typejava.lang.String

ContactPersonEmailAddress

The contact person's e-mail address.

       
Privileges Read/Write
Typejava.lang.String

ContactPersonGivenName

The contact person given (first) name.

       
Privileges Read/Write
Typejava.lang.String

ContactPersonSurName

The contact person surname (last name).

       
Privileges Read/Write
Typejava.lang.String

ContactPersonTelephoneNumber

The contact person's telephone number.

       
Privileges Read/Write
Typejava.lang.String

ContactPersonType

The contact person type.

       
Privileges Read/Write
Typejava.lang.String

DefaultURL

The Service Provider's default URL.

When an unsolicited SSO response arrives at the Service Provider without an accompanying target URL, the user (if authenticated) is redirected to this default URL.

       
Privileges Read/Write
Typejava.lang.String

EntityID

The string that uniquely identifies the local site.

       
Privileges Read/Write
Typejava.lang.String

ForceAuthn

Specifies whether the Identity Provider must authenticate users directly and not use a previous security context. The default is false.

Note the following:

  1. Setting ForceAuthn to true -- that is, enabling Force Authentication -- has no effect in WebLogic Server. SAML logout is not supported in WebLogic Server, so even if the user is already authenticated at the Identity Provider site and ForceAuthn is set to true, the user is not forced to authenticate again at the Identity Provider site.

  2. Setting both ForceAuthn and IsPassive to true -- that is, Force Authentication and Passive are enabled -- is an invalid configuration that causes WebLogic server to generate an exception and also causes the single sign-on session to fail.

       
Privileges Read/Write
Typeboolean

IdentityProviderArtifactBindingEnabled

Specifies whether the Artifact binding is enabled for the Identity Provider.

       
Privileges Read/Write
Typeboolean
Default Valuetrue

IdentityProviderEnabled

Specifies whether the local site is enabled for the Identity Provider role.

       
Privileges Read/Write
Typeboolean

IdentityProviderPOSTBindingEnabled

Specifies whether the POST binding is enabled for the Identity Provider.

       
Privileges Read/Write
Typeboolean
Default Valuetrue

IdentityProviderPreferredBinding

Specifies the preferred binding type for endpoints of the Identity Provider services. Must be set to None, HTTP/POST, HTTP/Artifact, or HTTP/Redirect.

       
Privileges Read/Write
Typejava.lang.String
Default ValueNone
Legal Values
  • None
  • HTTP/POST
  • HTTP/Artifact
  • HTTP/Redirect

IdentityProviderRedirectBindingEnabled

Specifies whether the Redirect binding is enabled for the Identity Provider.

       
Privileges Read/Write
Typeboolean
Default Valuetrue

LoginReturnQueryParameter

The name of the query parameter to be used for conveying the login-return URL to the login form web application.

       
Privileges Read/Write
Typejava.lang.String

LoginURL

The URL of the login form web application to which unauthenticated requests are directed.

By default, the login URL is /saml2/idp/login using Basic authentication. Typically you specify this URL if you are using a custom login web application.

       
Privileges Read/Write
Typejava.lang.String
Default Value/saml2/idp/login

MBeanInfo

Returns the MBean info for this MBean.

Deprecated.

       
Privileges Read only
Typejavax.management.MBeanInfo
Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

Name

The user-specified name of this MBean instance.

This name is included as one of the key properties in the MBean's javax.management.ObjectName:
Name=user-specified-name

       
Privileges Read/Write
Typejava.lang.String

Notes

Optional information that you can include to describe this configuration.

WebLogic Sever saves this note in the domain's configuration file (config.xml) as XML PCDATA. All left angle brackets (<) are converted to the XML entity &lt;. Carriage returns/line feeds are preserved.

Note:

If you create or edit a note from the Administration Console, the Administration Console does not preserve carriage returns/line feeds.

       
Privileges Read/Write
Typejava.lang.String

ObjectName

Returns the ObjectName under which this MBean is registered in the MBean server.

Deprecated.

       
Privileges Read only
Typeweblogic.management.WebLogicObjectName
Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

OrganizationName

The organization name.

This string specifies the name of the organization to which a user may refer for obtaining additional information about the local site.

       
Privileges Read/Write
Typejava.lang.String

OrganizationURL

The organization URL.

This string specifies a location to which a user may refer for information about the local site. This string is not used by SAML 2.0 services for the actual handling or processing of messages.

       
Privileges Read/Write
Typejava.lang.String

Parent

Return the immediate parent for this MBean

       
Privileges Read/Write
Type

Passive

Determines whether the Identity Provider and the user must not take control of the user interface from the requester and interact with the user in a noticeable fashion. The default setting is false.

The WebLogic Server SAML 2.0 services generate an exception if Passive (IsPassive) is enabled and the end user is not already authenticated at the Identity Provider site. In this situation, web single single-on fails.

       
Privileges Read/Write
Typeboolean

POSTOneUseCheckEnabled

Specifies whether the POST one-use check is enabled.

If set, the local site POST binding endpoints will store identifiers of all inbound documents to ensure that those documents are not presented more than once.

       
Privileges Read/Write
Typeboolean
Default Valuetrue

PublishedSiteURL

The published site URL.

When publishing SAML 2.0 metadata, this URL is used as a base URL to construct endpoint URLs for the various SAML 2.0 services. The published site URL is also used during request processing to generate and/or parse various URLs.

The hostname and port portion of the URL should be the hostname and port at which the server is visible externally; this may not be the same as the hostname and port by which the server is known locally. If you are configuring SAML 2.0 services in a cluster, the hostname and port may correspond to the load balancer or proxy server that distributes client requests to servers in the cluster.

The remainder of the URL should be a single path component corresponding to the application context at which the SAML 2.0 services application is deployed (typically /saml2).

For more information, see:

       
Privileges Read/Write
Typejava.lang.String

RecipientCheckEnabled

Specifies whether the recipient/destination check is enabled. When true, the recipient of the SAML Request/Response must match the URL in the HTTP Request.

       
Privileges Read/Write
Typeboolean
Default Valuetrue

Registered

Returns false if the MBean represented by this object has been unregistered.

Deprecated.

       
Privileges Read only
Typeboolean
Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

ReplicatedCacheEnabled

Specifies whether the persistent cache (LDAP or RDBMS) is used for storing SAML 2.0 artifacts and authentication requests.

If this is not set, artifacts and requests are saved in memory.

If you are configuring SAML 2.0 services for two or more WebLogic Server instances in a domain, you must enable the replicated cache individually on each server. In addition, if you are configuring SAML 2.0 services in a cluster, each Managed Server must also be configured individually.

       
Privileges Read/Write
Typeboolean

ServiceProviderArtifactBindingEnabled

Specifies whether the Artifact binding is enabled for the Service Provider.

       
Privileges Read/Write
Typeboolean
Default Valuetrue

ServiceProviderEnabled

Specifies whether the local site is enabled for the Service Provider role.

This attribute must be enabled in order to publish the metadata file.

       
Privileges Read/Write
Typeboolean

ServiceProviderPOSTBindingEnabled

Specifies whether the POST binding is enabled for the Service Provider.

       
Privileges Read/Write
Typeboolean
Default Valuetrue

ServiceProviderPreferredBinding

Specifies the preferred binding type for endpoints of Service Provider services. Must be set to "None", "POST", or "Artifact".

       
Privileges Read/Write
Typejava.lang.String
Default ValueNone
Legal Values
  • None
  • HTTP/POST
  • HTTP/Artifact

SignAuthnRequests

Specifies whether authentication requests must be signed. If set, all outgoing authentication requests are signed.

       
Privileges Read/Write
Typeboolean

SSOSigningKeyAlias

The keystore alias for the key to be used when signing documents.

The key is used to generate signatures on all the outgoing documents, such as authentication requests and responses. If you do not specify an alias, the server's configured SSL private key alias from the server's SSL configuration is used by default.

       
Privileges Read/Write
Typejava.lang.String

SSOSigningKeyPassPhrase

The passphrase used to retrieve the local site's SSO signing key from the keystore.

If you do not specify a keystore alias and passphrase, the server's configured private key alias and private key passphrase from the server's SSL configuration is used by default.

       
Privileges Read/Write
Typejava.lang.String
Encryptedtrue

SSOSigningKeyPassPhraseEncrypted

The encrypted passphrase used to retrieve the local site's SSO signing key from the keystore.

To set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.

To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.

       
Privileges Read/Write
Typebyte[]
Encryptedtrue

TransportLayerSecurityKeyAlias

The string alias used to store and retrieve the server's private key, which is used to establish outgoing TLS/SSL connections.

If you do not specify an alias, the server's configured SSL private key alias from the server's SSL configuration is used for the TLS alias by default.

       
Privileges Read/Write
Typejava.lang.String

TransportLayerSecurityKeyPassPhrase

The passphrase used to retrieve the server's private key from the keystore.

If you do not specify either an alias or a passphrase, the server's configured SSL private key alias and private key passphrase from the server's SSL configuration is used for the TLS alias and passphrase by default.

       
Privileges Read/Write
Typejava.lang.String
Encryptedtrue

TransportLayerSecurityKeyPassPhraseEncrypted

The encrypted passphrase used to retrieve the local site's TLS/SSL key from the keystore.

To set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.

To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.

       
Privileges Read/Write
Typebyte[]
Encryptedtrue

Type

Returns the type of the MBean.

       
Privileges Read only
Typejava.lang.String
Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

WantArtifactRequestsSigned

Specifies whether incoming artifact requests must be signed.

This attribute can be set if the Artifact binding is enabled.

       
Privileges Read/Write
Typeboolean

WantAssertionsSigned

Specifies whether incoming SAML 2.0 assertions must be signed.

       
Privileges Read/Write
Typeboolean

WantAuthnRequestsSigned

Specifies whether incoming authentication requests must be signed. If set, authentication requests that are not signed are not accepted.

       
Privileges Read/Write
Typeboolean

WantBasicAuthClientAuthentication

Specifies whether Basic Authentication client authentication is required.

If enabled, callers to HTTPS bindings of the local site must specify a Basic authentication header, and the username and password must be validated against the Basic authentication values of the binding client partner.

       
Privileges Read/Write
Typeboolean

WantTransportLayerSecurityClientAuthentication

Specifies whether TLS/SSL client authentication is required.

If enabled, callers to TLS/SSL bindings of the local site must specify client authentication (two-way SSL), and the identity specified must validate against the TLS certificate of the binding client partner.

       
Privileges Read/Write
Typeboolean


Operations

This section describes the following operations:


freezeCurrentValue

If the specified attribute has not been set explicitly, and if the attribute has a default value, this operation forces the MBean to persist the default value.

Unless you use this operation, the default value is not saved and is subject to change if you update to a newer release of WebLogic Server. Invoking this operation isolates this MBean from the effects of such changes.

Note:

To insure that you are freezing the default value, invoke the restoreDefaultValue operation before you invoke this.

This operation has no effect if you invoke it on an attribute that does not provide a default value or on an attribute for which some other value has been set.

Deprecated. 9.0.0.0

   
Operation Name"freezeCurrentValue"
ParametersObject [] {  attributeName }

where:

  • attributeName is an object of type java.lang.String that specifies:

    attributeName

SignatureString [] { "java.lang.String" }
Returns void
Exceptions
  • javax.management.AttributeNotFoundException
  • javax.management.MBeanException

isSet

Returns true if the specified attribute has been set explicitly in this MBean instance.

   
Operation Name"isSet"
ParametersObject [] {  propertyName }

where:

  • propertyName is an object of type java.lang.String that specifies:

    property to check

SignatureString [] { "java.lang.String" }
Returns boolean

restoreDefaultValue

If the specified attribute has a default value, this operation removes any value that has been set explicitly and causes the attribute to use the default value.

Default values are subject to change if you update to a newer release of WebLogic Server. To prevent the value from changing if you update to a newer release, invoke the freezeCurrentValue operation.

This operation has no effect if you invoke it on an attribute that does not provide a default value or on an attribute that is already using the default.

Deprecated. 9.0.0.0

   
Operation Name"restoreDefaultValue"
ParametersObject [] {  attributeName }

where:

  • attributeName is an object of type java.lang.String that specifies:

    attributeName

SignatureString [] { "java.lang.String" }
Returns void
Exceptions
  • javax.management.AttributeNotFoundException

unSet

Restore the given property to its default value.

   
Operation Name"unSet"
ParametersObject [] {  propertyName }

where:

  • propertyName is an object of type java.lang.String that specifies:

    property to restore

SignatureString [] { "java.lang.String" }
Returns void