SAML2 AttributeStatement for Application Roles supported by Weblogic Identity Assert

Oladayo Salawu, Jan 4 2024 (edited Jan 4 2024)

Hello guys,

I have successfully done a SAML2 integration between Oracle IDCS as an IdP and an on-premise WebLogic 12c instance as an SP (WLS).

I have deployed a custom ADF 12c application with ADF security configured onto the WebLogic instance. There are custom application roles securing task flows and pages/PageDefs using the ADF security model.

The SAML response received on the WLS shows the custom application role “CustomRole” in it, as below:

```xml
<saml:Attribute Name="oracle:cloud:identity:domain" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="" xsi:type="xs:string">idcs-efed60b1f2b84d54980e210144ea94e8</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="oracle:cloud:identity:sessionid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="" xsi:type="xs:string">135b8c2dcc7f409882e11bb62fd9d3db:20e25b</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="oracle:cloud:identity:tenant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="" xsi:type="xs:string">idcs-</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="" xsi:type="xs:string">CustomAppRole</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="oracle:cloud:identity:url" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="" xsi:type="xs:string"></saml:AttributeValue>
</saml:Attribute>
```

However, I hit a 401 error after successfully authenticating on the IDCS credential challenge screen.

The application logs do suggest that the WebLogic SAML2 Identity Asserter is not able to identify any roles/groups within the SAML response, e.g.:

>searched for app roles for principal [] and found 0 roles
>In App GlobalPolicy, Incomming Principals: [], Direct app roles:[]
>In App SampleAdfApp, Incomming Principals: [], Flattend app roles:
>Cache-Hit for, Roles: null
>Cache hit for principal, application roles []
>login(): Identity Asserted for:, groups: null
>SAMLIALoginModule: login(): User name is ''

Virtual users for the SP have been configured.

1. Is there any specific attribute Name/NameFormat that is required for custom roles in SAML2 for the WLS Identity Asserter to process them correctly?

JDeveloper version:

*****Moderator action: moved to ‘Identity & Platform’ community *****

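The question above asks which attribute Name/NameFormat the SP must see before it asserts any groups. As an added diagnostic (not code from the post, from Oracle, or from WebLogic), the script below parses a SAML 2.0 Response, pulls out the Subject NameID and every Attribute in the AttributeStatement, and reports which values would be picked up as groups under whatever attribute name the SP is configured to look for. The response it parses is a constructed sample modelled on the attribute names quoted in the post; the issuer, the NameID `alice@example.com` and the extra `Viewers` group are made up, and the attribute name the asserter expects is passed in as a parameter because the page does not state what WebLogic is configured with. Run it over a real response (after the signature has been verified) and a mismatch between the configured name and the one the IdP sends, case included, produces an empty group list and an empty user name in the same shape as the `groups: null` and `User name is ''` log lines.

```python
"""Added diagnostic (not from the post or from Oracle): inspect a SAML 2.0
Response and show what an SP would extract as user name and group names."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample modelled on the attributes quoted in the post.
# Issuer, NameID and the second group value are made up for illustration.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-04T10:00:00Z">
  <saml:Issuer>https://idcs-example.identity.oraclecloud.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-04T10:00:00Z">
    <saml:Issuer>https://idcs-example.identity.oraclecloud.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="oracle:cloud:identity:domain" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">idcs-example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">CustomAppRole</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Viewers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return (name_id, attributes), where attributes maps
    (Name, NameFormat) -> list of non-empty AttributeValue strings."""
    root = ET.fromstring(xml_text)
    # Accept either a full Response or a bare Assertion as the root element.
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found in response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = (attr.get("Name", ""), attr.get("NameFormat", ""))
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(key, []).extend(v for v in values if v)
    return name_id, attributes


def groups_for(attributes, group_attr_name, name_format=BASIC, case_sensitive=True):
    """Values the SP would treat as group names, given the attribute Name (and
    NameFormat) it is configured to look for. Matching is exact by default,
    which is how a mismatch such as 'Groups' vs 'groups' shows up."""
    groups = []
    for (name, fmt), values in attributes.items():
        if name_format and fmt and fmt != name_format:
            continue  # attribute carries a different NameFormat than the SP expects
        if case_sensitive:
            same = name == group_attr_name
        else:
            same = name.lower() == group_attr_name.lower()
        if same:
            groups.extend(values)
    return groups


def diagnose(xml_text, group_attr_name):
    """Summarise what the SP would assert and why it might assert nothing."""
    name_id, attributes = parse_assertion(xml_text)
    groups = groups_for(attributes, group_attr_name)
    findings = []
    if not name_id:
        findings.append("Subject/NameID is empty: the SP has no user name to assert")
    if not groups:
        present = sorted(name for name, _ in attributes)
        findings.append("no values under attribute %r; attributes present: %s" % (group_attr_name, present))
    return {"user": name_id, "groups": groups, "findings": findings}


if __name__ == "__main__":
    # Same response, two candidate attribute names: only the exact name yields groups.
    for wanted in ("groups", "Groups"):
        print(wanted, diagnose(SAMPLE_RESPONSE, wanted))
```

The parser is deliberately dumb about trust: it does no signature or Conditions checking, so use it only on a response that has already been validated by the SP (or on the decoded copy taken from the WLS debug log). For XML from an untrusted source, swap `xml.etree.ElementTree` for `defusedxml.ElementTree`, which has the same `fromstring` call but rejects entity expansion and external entities.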