Tuesday, 16 May 2017

HTTP Server redirects for Weblogic 12c and SAML2

Last few months I got busy with SAML2 and Weblogic 12c as Service Provider. One with ADFS and another using SurfConext as an IdP.

In both cases a HTTP server is used as a reversed proxy, in one case it is Oracle HTTP Server 12c, in the other we use Apache. Although OHS is based on Apache, of course, it has the Weblogic proxy plugin enabled by default. With Apache this is not the case.

So there are a few things to consider.

WebLogic Proxy Plugin in Apache

The Managed server needs to ‘know’ that the End User approaches the application over TLS (HTTPS), although the HTTP Server ‘offloads’ the security. During the SAML authentication, Weblogic and the Identity Provider redirect the browser back-and-forth to authenthicate and eventually process the saml token. In the end the browser should be redirected to the application. If Weblogic does not ‘know’ the application is approached via an HTTP server over HTTPS, it might redirect to the HTTP channel.

To solve that, the HTTP server should use the Weblogic Proxy Plugin. To configure that, see Oracle® Fusion Middleware Using Oracle WebLogic Server Proxy Plug-Ins 12.1.2 - Configuring WLS Web Server Proxy Plug-In for Apache HTTP Server.

Set Proxy Plugin

To make use of the Weblogic proxy plugin, so that the AdminServer considers it, you need to tell it that it is 'fronted' by it.

To set it on managed server level, go to the server, tab Configuration->General:



Under Advanced, find the 'Weblogic Plug-In Enabled' option and set it to 'yes':
 You can do this on domain, cluster and managed server level. See also this A-team blog. In recent upgrades of Weblogic, the checkbox is replaced by a pulldown list.

Setting the Frontend Host

Another thing is that the URL that is used in the browser to connect to your application is the HTTP Server's host, not the Weblogic host. Also, propably the HTTP Server listens on port 80 (HTTP) and 443 (HTTPS), while your managed server might listen on a port in the 7000, 8000 or 9000 ranges.

But in the redirects, Weblogic has to redirect the application to the HTTP Server, so it needs to know what that address is. This registered in the FrontEnd Host. This is also a setting that  can be set on both Server and Cluster level. To set it on Server level, go to that server, tab Protocols->HTTP.

Then set the Frontend Host and the ports to the particular values of your HTTP Server.




Setting the Frontend HTTP Port to 0, means that the port is not fetched from the Header. So it will use the Managed Server port. However, the configuration of Apache (using the Weblogic Plugin) should be such that HTTP is not routed, but only HTTPS should be passed through. Otherwise set the HTTP Port also to 80.

Application Routing

The application has it's root URI. Let's say it is /MyServiceApp. Let's say OHS is running on the URL https://www.darwin-it.nl. Then the application is reachable on https://www.darwin-it.nl/MyServiceApp. This has to be routed to the sp_server managed server, running on port 7003. Then the routing in the HTTP Server using the following location definition:
<Location /MyServiceApp>
  NSSRequireSSL
  WLSRequest On
  WebLogicHost sp_server.darwin-it.local
  WebLogicPort 7003
</Location>

SAML2 URLs Routing

During the saml interchange the browser is at one point directed to https://www.darwin-it.nl/MyServiceAppsaml2/sp/acs/post. The part until 'MyServiceAppsaml2' is the url registered as 'Published Site URL' in the saml2 configuration, under "Servers" –> Managed Server –> "Federation Services" –> "SAML 2.0 General". The managed server expects to be called on the root URI '/saml2'. You could simply append the HTTP Servers listen-address with /saml2  and provide that as a Published Site URL. Like https://www.darwin-it.nl/saml2. This is ok if you have only one application. But what if you expect multiple Service Provider Applications, deployed on different Managed Servers? You might want to differentiate on the different services. So what if I wanted to use the URL:  https://www.darwin-it.nl/MyServiceAppsaml2? That is ok, if you rewrite the url in the HTTP Server. With the Weblogic Proxy Plugin you can do that with the PathTrim
and PathPrepend options:
<Location /MyServiceAppsaml2>
  NSSRequireSSL
  WLSRequest On
  WebLogicHost sp_server.darwin-it.local
  WebLogicPort 7003
  PathTrim /MyServiceAppsaml2
  PathPrepend /saml2
</Location>

From the request URI it removes the /MyServiceAppsaml2 part, as defined with the PathTrim option. With PathPrepend the URL is prepended/prefixed with /saml2.

Time Skew and TimeZones

With SAML2 timing is everything.  With only a bit of time difference between the Service Provider and Identity Provider, even less then a minute, you can get a succesful SAML token, but with the checking of it by the Service Provider, that is on your server, you can get:
<[Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096537]Assertion is not yet valid (NotBefore condition).> 
####<Apr 26, 2017 1:27:26 PM CEST> <Debug> <SecuritySAML2Service> <Oracle5> <ManagedServer_1> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <884d7111-ffc4-46ad-b877-77395aa690a3-000031ce> <1493206046903> <BEA-000000> <exception info
javax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096537]Assertion is not yet valid (NotBefore condition).

To be able to compare the dates of the assertions requests and responses with the server time, it might be handy to have the service provider server run with the same time zone setting. You can do that in the setUserOverrides.cmd/.sh script in the $DOMAIN_HOME/bin folder.


Edit it and add the following lines (Windows format):
@rem set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Duser.timezone='Europe/Amsterdam'
set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Duser.timezone=GMT

Choose which line you want to have uncommented.

And make sure that server time is synced with internet or a central time server. Have it adapted regularly. And maybe force it to be updated.

Conclusion

The saml2 configuration on Weblogic is not so hard. But the difficulty is in the several layers and different parties involved. But I provided a few extra considerations and solutions here.

Wednesday, 10 May 2017

BPEL 12.2.1.2 and UMS: no wire target for reference...

A moment ago I stumbled on this question on the Oracle community. User Saurabh  tries to build a composite to send email from BPEL. But on testing the deployed composite in EM it fails with a remote fault. This despite of a correct configuration of the email driver and being able to test that   using soa-infra -> Service Engines -> Human Workflow -> Notification Management.

He found that the problem was a bug in JDeveloper/SOA QuickStart, causing the email activity not being wired to a Email UMS notification reference.

Fortunately there is a patch for it, as described in DocId 2235669.1 on support. Apply Patch 24898307 to solve this.

Found this interesting enough to have it (b)logged. At least for my self...



Monday, 8 May 2017

Introducing Darwin Oracle Type Accelerator


Years ago, I created a set of XSL templates and queries to create object types out of queries on the datadictionary of the Oracle Database. It only did basic types on tables, and selects on those. I wrote an article on it that still can be downloaded here. Later, I extended the framework to also do inserts and updates and follow foreign keys. The thing with foreignkeys is that you can handle them a as a detail-tables like Order Lines with an Order. Or lookup, like a place of birth, or country of origin, etc.

I must say I was quite pleased with what it could do.

Lately I stumbled on a question on community.oracle.com that ran about updating multiple tables using the database adapter. Normally you would need to do multiple invokes of a Database Adapter definitions, at least one per table, to do inserts and or updates.  I created thus because Oracle Types are a very powerful means to get data from a datamodel with multiple tables in just one invoke. Or insert data into it. You just create a pl/sql procedure with a parameter based on the root object. The database adapter wizard creates the accompanying XSD's and you only need to do a proper mapping in to the input variable and do the invoke. In the Pl/Sql procedure you call the particular method (sel, ins, upd) of the root object, that propagates into all the child and lookups. Most of the times that is enough. In more complex models, you might enhance the calling pl/sql.

I'm happy to announce that a moment ago I put my source on Github. I renamed it to Darwin Oracle Type accelerator. I did not have the change to create elaborate documentation. But in short:

  • In $GitHub/Dotacc/Source/Dotacc/ddl/owner\ you'll find setup scripts for the framework.
  • With setupTables.sql and setupPlsql.sql you create a bunch of tables and pl/sql with XXX_ as a prefix to support the generation of types.
  • insertXslNL2.0.sql or insertXslEN2.0.sql creates the xsl in the xxx_xmldocuments table.
  • $GitHub/Dotacc/Source/Dotacc/Config contains a set of insert scripts to define what tables, foreignkeys etc. to handle: 
    • XXX_TABLES: defines the tables for which you want to generate the types. The column generation_order defines in which order the types are created or dropped at recreation. 
    • XXX_FK_DEFINITIONS: defines the foreignkeys to consider. The FK_TYPE column defines if it should be considered as a child table ('DETAIL') or Lookup ('LOOKUP'). 
    • XXX_DERIVED_COLUMNS: defines virtual columns that can be looked up from another table. You can define a method that is added to do the actual lookup based on a lookup value from a key column. 
    • XXX_CUSTOM_METHODS: can be used to add custom methods to the object type.
    • I added two datamodels (Doe_owner and hbc_owner under ddl) as a sample model. It would be nice to come up with a sample filling for named tables.
To do a recreate of the types, perform:
execute  xxx_gen_objects.recreate_objects;

 If you have remarks, post a comment on the blog and/or do a request to contribute on github or send me a PM on community.oracle.com.

Thursday, 4 May 2017

List Weblogic 12c System Components

Besides starting and stopping servers, it turns out handy to be able to list the particular system components of a Weblogic domain. For most domains, you might have an embedded/colocated Oracle HTTP server.
But we're also busy with installing BI publisher domains, and there several BI Components are created. To list which ones are created (and determine where things might went wrong) it might be handy to list all the system components. For that I created the following script. For the referenced fmw12c_env.sh and fmw.properties, I refer to Start and stop a WebLogic (SOA/OSB) Domain.

The wlst script is listSystemComponents.py:
#############################################################################
# List System Components of FMW Domain
#
# @author Martien van den Akker, Darwin-IT Professionals
# @version 1.1, 2017-04-20
#
#############################################################################
# Modify these values as necessary
import sys, traceback
scriptName = sys.argv[0]
#
#
lineSeperator='__________________________________________________________________________________'
pad='                                                                               '
#
#
def usage():
  print 'Call script as: '
  print 'Windows: wlst.cmd '+scriptName+' -loadProperties localhost.properties'
  print 'Linux: wlst.sh '+scriptName+' -loadProperties environment.properties'
  print 'Property file should contain the following properties: '
  print "adminUrl=localhost:7001"
  print "adminUser=weblogic"
  print "adminPwd=welcome1"
#
# Connect To the AdminServer
def connectToAdminServer(adminUrl, adminServerName):
  print(lineSeperator)
  print('Try to connect to the AdminServer')
  try:
    connect(userConfigFile=usrCfgFile, userKeyFile=usrKeyFile, url=adminUrl)
  except NameError, e:
    print('Apparently user config properties usrCfgFile and usrKeyFile not set.')
    print('Try to connect to the AdminServer adminUser and adminPwd properties')
    connect(adminUser, adminPwd, adminUrl)
#
# Get the Servers of Domain 
def getSystemComponents():
  print(lineSeperator)
  print('\nGet SystemComponents from domain')
  serverConfig()
  cd("/")
  sysComponents = cmo.getSystemComponents()
  return sysComponents
#
# Boolean to string
def bool2str(bool):
  result='false'
  if bool:
    result='true'
  return result
#
# Descr system component type
def descSysCompType(sysComponentType):
  result=sysComponentType
  if sysComponentType=='OHS':
    result='Oracle HTTP server'
  elif sysComponentType=='OBIPS':
    result='BI Presentation Service'
  elif sysComponentType=='OBIS':
    result='BI Server'
  elif sysComponentType=='OBISCH':
    result='BI Scheduler'
  elif sysComponentType=='OBICCS':
    result='BI Cluster Controller'    
  elif sysComponentType=='OBIJH':
    result='BI JavaHost'
  else:
    result=sysComponentType
  return result
#
# Start clusters
def showSystemComponents():
  print(lineSeperator)
  print ('Show SystemComponents')
  sysComponents=getSystemComponents()
  #
  if (len(sysComponents) > 0):
    print('SystemComponent                                                  '[:30]+'\t'+'Type                                                                               '[:20]+'\tAutoRestart\tMachine')
    for sysComponent in sysComponents:
      sysCompName = sysComponent.getName()
      sysCompNamePad=sysCompName+pad
      sysCompType=descSysCompType(sysComponent.getComponentType())
      sysCompTypePad=sysCompType+pad
      machine=sysComponent.getMachine()
      if machine is None:
        machineName = 'None'
      else:
        machineName = machine.getName()
      print sysCompNamePad[:30]+'\t'+sysCompTypePad[:20]+'\t'+bool2str(sysComponent.getAutoRestart())+'\t\t'+machineName
  else:
    print('No SystemComponents found!')
  #
  print ('\nFinished showing SystemComponents.')
#
# Main
def main():
  try:
    #
    print(lineSeperator)
    print('\nConnect to the AdminServer: '+adminServerName)
    connectToAdminServer(adminUrl, adminServerName)
    #
    showSystemComponents()
    #
    print('\nExiting...')
    exit()
  except NameError, e:
    print('Apparently properties not set.')
    print "Please check the property: ", sys.exc_info()[0], sys.exc_info()[1]
    usage()
  except:
    apply(traceback.print_exception, sys.exc_info())
    exit(exitcode=1)
#call main()
main()
exit()

To call this easily for different environments I have the following bash listSystemComponents.sh script:
#!/bin/bash
#############################################################################
# List Domain System Components using wlst
#
# @author Martien van den Akker, Darwin-IT Professionals
# @version 1.0, 2017-04-19
#
#############################################################################
#
. fmw12c_env.sh
export ENV=$1
echo
echo "List Domain System Components"
wlst.sh ./listSystemComponents.py -loadProperties ${ENV}.properties

I introduced an ENV variable here, so you can call it as:
[oracle@darlin-vce scripts]$ ./listSystemComponents.sh fmw

This exends the fmw argument with '.properties'. So if you want to use this for different environments, just copy the fmw.properties to a bip-acc.properties file or something like that and adapt the properties. Then using it against that environment is as calling:

[oracle@darlin-vce scripts]$ ./listSystemComponents.sh bip-acc

Tuesday, 2 May 2017

Single Sign On for Apex with ADFS? With Weblogic 12c and ORDS: Yes, you can!

Lately we implemented a Single Sign On solution for Apex, based on Weblogic 12cR2, ORDS 3.0.9, and ADFS as a federated Identity Provider. This combination turns out to be a marriage of 3 different worlds. So we ran in to a several issues that were not described in one simple how-to document. So in this document I try to assemble the information needed to do the end 2 end configuration (apart from the OHS configuration).

For most of the SAML2 configuration on Weblogic, we could have my earlier article  on SAML2.0 on Weblogic 11g, as a guide: Service Provider initiated SSO on WLS11g using SAML2.0 .

This helped a great deal with regards to ADFS and 12c. The rest of the issues I'd like to cover here, for future reference.

ORDS

ORDS can be installed in the regular way. I downloaded ORDS and unzipped it in the weblogic domain home. Then I did the setup using:
[oracle@darlin-vce-db ords309]$ java -jar ords.war setup

Then create the i.war containing the Apex and ORDS images. First copy the Apex images from the Apex home to the ORDS images folder. And then create the i.war:
[oracle@darlin-vce-db ords309]$ java -jar ords.war static /u01/data/oracle/config/domains/SP_domain/ords309/images

It is important to provide a complete/absolute path to the this command. This command creates an i.war that contains a reference to the images folder. You can see this as a virtual directory configuration as you would do in Apache/Oracle HTTP Server. It in fact only contains a web.xml, sun-web.xml and a weblogic.xml that contain a reference to that folder. For instance, the weblogic.xml contains:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
 <!-- This element specifies the context path the static resources are served from -->
 <context-root>/i</context-root>
 <virtual-directory-mapping>
  <!-- This element specifies the location on disk where the static resources are located -->
  <local-path>/u01/data/oracle/config/domains/SP_domain/ords309/images</local-path>
  <url-pattern>/*</url-pattern>
 </virtual-directory-mapping>
</weblogic-web-app> 

Before deploying the ords.war and i.war files to Weblogic (with Custom Roles), you'll need to make a manual adjustment to the ords.war.
The thing is that ORDS must be instructed to hand over the authentication to Weblogic. To do so, you'll need to add the following to the WEB-INF/web.xml file in the ords.war:
    <!-- Security Constraint -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SecurePages</web-resource-name>
            <description>These pages are only accessible by authorized users.</description>
            <url-pattern>/f/*</url-pattern>
            <!--  <http-method>GET</http-method> -->
        </web-resource-collection>
        <auth-constraint>
            <description>These are the roles who have access.</description>
            <role-name>Anonymous</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>This is how the user data must be transmitted.</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- Login Config -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
        <role-name>Anonymous</role-name>
    </security-role>

In WEB-INF/weblogic.xml add the security-role-assignment for the role Anonymous:
<weblogic-web-app  xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                   xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app 
                   http://xmlns.oracle.com/weblogic/weblogic-web-app/1.6/weblogic-web-app.xsd">  <!-- Weblogic 12c -->
  <container-descriptor>
    <prefer-web-inf-classes>true</prefer-web-inf-classes>
  </container-descriptor>
  <session-descriptor>
    <persistent-store-type>replicated_if_clustered</persistent-store-type>
  </session-descriptor>
  <security-role-assignment>
    <!--<role-name>valid-users</role-name> -->
    <role-name>Anonymous</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
  <context-root>/ords</context-root>
</weblogic-web-app>
This is necessary, because after the Authentication using SAML2, the Rolemapper kicks in. And that one has to find a valid role.

APEX-Schema's

APEX uses REST-calls to fetch the images. It is important that all the database users relating to ORDS and APEX are unlocked, that passwords are known. Check for each of the following schema's if you can logon with the known password.

  • ORDS_PUBLIC_USER
  • APEX_PUBLIC_USER
  • APEX_LISTENER
  • APEX_REST_PUBLIC_USER
  • ORDS_METADATA
Then perform the following steps from doc 2075837.1:
  1. Go into the directory where the extracted the full installation of APEX resides
  2. Login to SQLPlus as the SYS user (as sysdba)
  3. Rerun the @apex_rest_config.sql script to recreate the "connect through" privileges for the installation:
    @apex_rest_config
  4. Hit enter for the APEX_LISTENER and APEX_REST_PUBLIC_USER password prompt. (passwords apparently not used for this script)
  5. Verify with the following statement that the connect through grant is present:
    select * from dba_proxies
    where proxy='APEX_REST_PUBLIC_USER'
    and client='APEX_PUBLIC_USER';
  6. If the grant is still missing the customer should verify that the file apex_rest_config_core.sql contains the following statement and run the script again.
    -- Allow REST user to proxy into APEX_PUBLIC_USER for built-in RESTful Services
    alter user APEX_PUBLIC_USER grant connect through ^RESTUN.;
    

ORDS Validation

From ORDS 3.0.5 onwards ORDS expects a column in the table ords_metadata.apex_pool_config called pool_name. So you could end up with an ORDS installation/configuration that seems to work, but you might not get the Apex application images shown. This is described in this community question. If the applications images don't show up:
  1. Validate that this column exists, through a describe of the table, and check if the table contains any rows.
  2. If necessary, perform the following to chreate the column and fill the table:
cd /u01/data/oracle/config/domains/SP_domain/ords309
java -jar ordsname.war validate

APEX Authentication Schema

To have the Apex application use the authenticated user from Weblogic/ADFS, the authentication scheme needs to be changed. 
This has to be done in a way that in the authentication scheme (shared components --> security --> authentication) APEX fetches the user from the  REMOTE_USER header variable: 


Weblogic 12 and ADFS

ADFS will use SHA-256 for signing by default. But WLS currently does not support that for SAML2. Although for many other services WLS does 'know' how to do SHA-256. I found articles how to update the policies for OWSM to use SHA-256. But I could not find how to do the same for the SAML2 configuration of Weblogic. So have ADFS do the signing with SHA-1. This might seem not secure, but when using TLS this is a minor thing. Although Weblogic 12c should solve this, in my opinion. See also this blog on Weblogic with ADFS, point 5 under the Takeway or Gotchas.

Another thing we found is that ADFS expects a valid 'https://' url to the ServiceProvider for the entity-id. A regular unique string does not suffice. ADFS apparently checks this URL to be valid. So I used the default TLS-url to the Oracle HTTP server that I used to reverse proxy to the SP Weblogic.

Lastly, in ADFS we needed to add an extra explicit claim had to fill the urn:mace:dir:attribute-def:uid saml2-attribute. This is needed for the identy mapper.

Identity Mapper Class

I updated the IdentityMapper class that I used in my earlier blog. I found a little bug in determining the actual identity/username, that apparently did not occur in 11g. But I also refactored the class a bit, to my latest Java knowledge, for as far as applicable.

package nl.darwinit.wls.saml;

import com.bea.security.saml2.providers.SAML2AttributeInfo;
import com.bea.security.saml2.providers.SAML2AttributeStatementInfo;
import com.bea.security.saml2.providers.SAML2IdentityAsserterAttributeMapper;
import com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapper;
import com.bea.security.saml2.providers.SAML2NameMapperInfo;

import java.security.Principal;

import java.util.ArrayList;
import java.util.Collection;
import java.util.logging.Logger;

import weblogic.logging.LoggingHelper;

import weblogic.security.service.ContextHandler;


public class WLSSaml2IdentityMapper implements SAML2IdentityAsserterNameMapper, SAML2IdentityAsserterAttributeMapper {
    public static final String ATTR_PRINCIPALS = "com.bea.contextelement.saml.AttributePrincipals";
    public static final String ATTR_USERNAME = "urn:mace:dir:attribute-def:uid";
    private Logger lgr = LoggingHelper.getServerLogger();
    private final String className = "nl.darwinit.wls.saml.WLSSaml2IdentityMapper";
    //

    /**
     * Map Name Info to String
     * @param saml2NameMapperInfo
     * @param contextHandler
     * @return
     */
    @Override
    public String mapNameInfo(SAML2NameMapperInfo saml2NameMapperInfo, ContextHandler contextHandler) {
        final String methodName = className + ".mapNameInfo";
        debugStart(methodName);
        String user = null;
        debug(methodName, "saml2NameMapperInfo: " + saml2NameMapperInfo.toString());
        debug(methodName, "contextHandler: " + contextHandler.toString());
        debug(methodName, "contextHandler number of elements: " + contextHandler.size());
        // getNames gets a list of ContextElement names that can be requested.
        String[] names = contextHandler.getNames();
        // For each possible element
        for (String element : names) {
            debug(methodName, "ContextHandler element: " + element);
            // If one of those possible elements has the AttributePrinciples
            if (element.equals(ATTR_PRINCIPALS)) {
                // Put the AttributesPrincipals into an ArrayList of CustomPrincipals
                ArrayList<CustomPrincipal> customPrincipals =
                    (ArrayList<CustomPrincipal>) contextHandler.getValue(ATTR_PRINCIPALS);
                int i = 0;
                String attr;
                if (customPrincipals != null) {
                    // For each AttributePrincipal in the ArrayList
                    for (CustomPrincipal customPrincipal : customPrincipals) {
                        // Get the Attribute Name and the Attribute Value
                        attr = customPrincipal.toString();
                        debug(methodName, "Attribute " + i + " Name: " + attr);
                        debug(methodName, "Attribute " + i + " Value: " + customPrincipal.getCollectionAsString());
                        // If the Attribute is "loginAccount"
                        if (attr.equals(ATTR_USERNAME)) {
                            user = customPrincipal.getCollectionAsString();
                            // Remove the "@DNS.DOMAIN.COM" (case insensitive) and set the username to that string
                            if (!user.equals("null")) {
                                user = user.replaceAll("(?i)\\@CLIENT\\.COMPANY\\.COM", "");
                                debug(methodName, "Username (from loginAccount): " + user);
                                break;
                            }
                        }
                        i++;
                    }
                }
                // For some reason the ArrayList of CustomPrincipals was blank - just set the username to the Subject
                if (user == null || "".equals(user)) {
                    user = saml2NameMapperInfo.getName(); // Subject = BRID
                    debug(methodName, "Username (from Subject): " + user);
                }
                return user;
            }
        }
        // Just in case AttributePrincipals does not exist
        user = saml2NameMapperInfo.getName(); // Subject = BRID
        debug(methodName, "Username (from Subject): " + user);
        debugEnd(methodName);
        // Set the username to the Subject
        return user;
        // debug(methodName,"com.bea.contextelement.saml.AttributePrincipals: " + arg1.getValue(ATTR_PRINCIPALS));
        // debug(methodName,"com.bea.contextelement.saml.AttributePrincipals CLASS: " + arg1.getValue(ATTR_PRINCIPALS).getClass().getName());
        // debug(methodName,"ArrayList toString: " + arr2.toString());
        // debug(methodName,"Initial size of arr2: " + arr2.size());
    }
    //

    /**
     * Map Attribute Info to Collection<Principal>
     * @param attrStmtInfos
     * @param contextHandler
     * @return
     */
    public Collection<Principal> mapAttributeInfo(Collection<SAML2AttributeStatementInfo> attrStmtInfos,
                                                  ContextHandler contextHandler) {
        final String methodName = className + ".mapAttributeInfo";
        Collection<Principal> principals = null;
        if (attrStmtInfos == null || attrStmtInfos.size() == 0) {
            debug(methodName, "AttrStmtInfos has no elements");
        } else {
            principals = new ArrayList<Principal>();
            for (SAML2AttributeStatementInfo stmtInfo : attrStmtInfos) {
                Collection<SAML2AttributeInfo> attrs = stmtInfo.getAttributeInfo();
                if (attrs == null || attrs.size() == 0) {
                    debug(methodName, "No attribute in statement: " + stmtInfo.toString());
                } else {
                    for (SAML2AttributeInfo attr : attrs) {
                        CustomPrincipal principal = null;
                        String principalName = "";
                        Collection<String> attrValues = attr.getAttributeValues();
                        if (!attrValues.isEmpty()) {
                            int attrValIdx = 0;
                            for (String attrValue : attrValues) {
                                debug(methodName,
                                      "Value " + ++attrValIdx + " of " + attr.getAttributeName() + "= " + attrValue);
                                if (attrValIdx == 1) {
                                    principalName = attrValue;
                                }
                            }
                        } else {
                            principalName = attr.getAttributeName();
                        }
                        principal = new CustomPrincipal(principalName, attr.getAttributeValues());
                        debug(methodName, "Add principal: " + principal.toString());
                        principals.add(principal);
                    }
                }
            }
        }
        return principals;
    }
    //
    private void debug(String methodName, String msg) {
        lgr.fine(methodName + ": " + msg);
    }
    //
    private void debugStart(String methodName) {
        debug(methodName, "Start");
    }
    //
    private void debugEnd(String methodName) {
        debug(methodName, "End");
    }

}

To be complete, here is the principal class:
package nl.darwinit.wls.saml;

import java.util.Collection;

import weblogic.security.principal.WLSAbstractPrincipal;
import weblogic.security.spi.WLSUser;


public class CustomPrincipal extends WLSAbstractPrincipal implements WLSUser {
    @SuppressWarnings("compatibility:1303497257301553869")
    private static final long serialVersionUID = 1L;

    private String commonName;
    private Collection<String> collection;

    public CustomPrincipal(String name, Collection<String> collection) {
        super();
        // Feed the WLSAbstractPrincipal.name. Mandatory
        this.setName(name);
        this.setCommonName(name);
        this.setCollection(collection);
    }

    public CustomPrincipal() {
        super();
    }

    public CustomPrincipal(String commonName) {
        super();
        this.setName(commonName);
        this.setCommonName(commonName);
    }

    public void setCommonName(String commonName) {
        // Feed the WLSAbstractPrincipal.name. Mandatory
        this.setName(commonName);
        this.commonName = commonName; 
        System.out.println("Attribute: " + this.getName());
        // System.out.println("Custom Principle commonName is " + this.commonName);
    }

    public Collection<String> getCollection() {
        return collection;
    }

    public String getCollectionAsString() {
        String collasstr =  "null";
        if (collection != null && collection.size() > 0) {
            for (String value : collection) {
                collasstr = value;
                break;
            }
            /*for (Iterator iterator = collection.iterator(); iterator.hasNext();) {
                collasstr = (String) iterator.next();
                return collasstr;
            }*/
        }
        return collasstr;
    }

    public void setCollection(Collection<String> collection) {
        this.collection = collection;
        // System.out.println("set collection in CustomPrinciple!");
        if (collection != null && collection.size() > 0) {
            /*for (Iterator iterator = collection.iterator(); iterator.hasNext();) {
                final String value = (String) iterator.next();
                System.out.println("Attribute Value: " + value);
            }*/
            for (String value : collection) {
                System.out.println("Attribute Value: " + value);
            }
        }
    }

    @Override
    public int hashCode() {
        final int prime = 31;
        int result = super.hashCode();
        result = prime * result + ((collection == null) ? 0 : collection.hashCode());
        result = prime * result + ((commonName == null) ? 0 : commonName.hashCode());
        return result;
    }

    @Override
    public boolean equals(Object obj) {
        if (this == obj)
            return true;
        if (!super.equals(obj))
            return false;
        if (getClass() != obj.getClass())
            return false;
        CustomPrincipal other = (CustomPrincipal) obj;
        if (collection == null) {
            if (other.collection != null)
                return false;
        } else if (!collection.equals(other.collection))
            return false;
        if (commonName == null) {
            if (other.commonName != null)
                return false;
        } else if (!commonName.equals(other.commonName))
            return false;
        return true;
    }

}

In my earlier article I described how to add a reference to the jar file containing these classes to the java classpath field on the Server Start tab in the console.
In 12c this apparently does not work, the class is not picked up. Add it to the class path by creating/editing the setUserOverrides.sh/.cmd file.

Conclusion

This must be about it. We had quite a bit of Trial & Error. But most of the gotchas are listed here I think. But feel free to hire us if you need help. (Because I think you'll need the A-team for different issues...)