
Tips and HowTos for Single Sign-On & Federation Oracle Identity Management Integrations

  • January 27, 2015

Custom Authentication Module in OIF/SP

In a previous article, I showed how to create a custom Authentication plugin and include it in an existing Federation Authentication Module. In this article I will create a new custom Authentication Module in OIF/SP that will be made of the existing OIF Federation Authentication Plugins and a custom plugin which will

  • Evaluate the requested protected resource
  • Determine the IdP to be used in the Federation SSO operation
  • Request a higher Federation Authentication Method from the IdP, depending on the resource being requested

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer's Guide, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Authentication Module

Enjoy the reading!

Federation Authentication Module


As explained in my previous article, an OAM Authentication Module is:

  • A collection of Authentication Plugins
  • An orchestration determining the order of the execution of the plugins

The OOTB Federation Authentication Module, called FederationPlugin, is made of two steps, each backed by an OIF plugin:

  • FedAuthnRequestPlugin: starts the Federation SSO flow, determines which IdP to use if not provided by a previous Authentication Plugin, creates an SSO request and redirects the user to the IdP
  • AssertionProcessing (backed by the FedUserAuthenticationPlugin plug-in): processes an incoming SAML/OpenID SSO Response and maps the message to a local user record in the LDAP directory

The orchestration can be seen by:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Access Manager -> Authentication Modules
  • Open FederationPlugin
  • Click on the Steps tab to see the plugins
  • Click on the Steps Orchestration tab to see the orchestration between the different plugins, and the plugin that will be used to start the operation

FedAuthnRequestPlugin Plugin


The FedAuthnRequestPlugin can consume information from a previous custom Authentication Plugin that will affect how the Federation SSO operation will be triggered.

The AuthenticationContext instance shared between the Authentication Plugins contains CredentialParam objects that allow the various plugins to communicate at runtime.

  • oracle.security.am.plugin.authn.AuthenticationContext:
    • Context for the authentication operation
    • Shared across the various Authentication Plugins
  • oracle.security.am.plugin.authn.Credential:
    • Collection of credentials data
    • Stored in the AuthenticationContext
  • oracle.security.am.plugin.authn.CredentialParam:
    • Single credential parameter
    • Referenced by a name, and has a type (string most of the time)
    • Has a value, depending on the type
    • Stored in the Credential instance

Using that mechanism, the FedAuthnRequestPlugin can consume various types of information when starting a Federation SSO operation, stored in the Credential instance:

  • IdP to perform Federation SSO with
    • Optional
    • Referenced by the KEY_FEDIDP string
    • Type: string
    • Value: IdP Partner Name
  • The Federation Authentication Method to request from the IdP
    • Optional
    • Referenced by the KEY_FEDAUTHNMETHOD string
    • Type: string
    • Value: the Federation Authentication Method that should be set in the SSO request
  • The SAML 2.0 Federation Authentication Method Comparison attribute
    • Optional
    • Referenced by the KEY_FEDAUTHNMETHODCOMP string
    • Type: string
    • Value: the Comparison attribute to set on the RequestedAuthnContext element of the SAML 2.0 AuthnRequest message, given as one of:
      • exact for exact
      • better for better
      • min for minimum
      • max for maximum
  • The Force Authn flag
    • Optional
    • Referenced by the KEY_FEDFORCEAUTHN string
    • Type: string
    • Value: the "true" or "false" string to indicate whether or not OIF/SP should request the IdP to challenge the user, even if the user is already authenticated at the IdP
  • The Is Passive flag
    • Optional
    • Referenced by the KEY_FEDISPASSIVE string
    • Type: string
    • Value: the "true" or "false" string to indicate whether or not the IdP is allowed to interact with the user
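
To make concrete what FedAuthnRequestPlugin does with these values, here is an added example, written for this edit and not code from the article or from OIF, that renders the part of a SAML 2.0 AuthnRequest those CredentialParams control. It assumes the mapping the list above describes: KEY_FEDAUTHNMETHOD becomes the AuthnContextClassRef inside RequestedAuthnContext, KEY_FEDAUTHNMETHODCOMP its Comparison attribute, and the two flags the ForceAuthn and IsPassive attributes. ID, Version, IssueInstant, Destination and Issuer, which OIF fills in itself, are left out. The class name AuthnRequestPreview, the map-based input and the strict validation of the flag values are my own choices; it needs only the standard JDK.

```java
package userauthn;

import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added illustration (not OIF code): renders the fragment of a SAML 2.0
// AuthnRequest that the KEY_FED* CredentialParams control.
public class AuthnRequestPreview {

  private static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
  private static final String SAML  = "urn:oasis:names:tc:SAML:2.0:assertion";
  private static final String XMLNS = "http://www.w3.org/2000/xmlns/";

  // KEY_FEDAUTHNMETHODCOMP short values -> SAML Comparison attribute values
  static String comparisonAttribute(String shortValue) {
    if ("exact".equals(shortValue))  return "exact";
    if ("min".equals(shortValue))    return "minimum";
    if ("max".equals(shortValue))    return "maximum";
    if ("better".equals(shortValue)) return "better";
    throw new IllegalArgumentException("unsupported KEY_FEDAUTHNMETHODCOMP value: " + shortValue);
  }

  // The flags are string-typed params; only the literal "true"/"false" are
  // accepted. Anything else is a plugin bug and is rejected rather than
  // silently treated as false.
  static boolean flag(Map<String, String> params, String key) {
    String v = params.get(key);
    if (v == null) return false;
    if (!"true".equals(v) && !"false".equals(v))
      throw new IllegalArgumentException(key + " must be \"true\" or \"false\", got: " + v);
    return "true".equals(v);
  }

  public static String render(Map<String, String> params) throws Exception {
    Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
    Element req = doc.createElementNS(SAMLP, "samlp:AuthnRequest");
    req.setAttributeNS(XMLNS, "xmlns:samlp", SAMLP);
    req.setAttributeNS(XMLNS, "xmlns:saml", SAML);
    doc.appendChild(req);
    // ID, Version, IssueInstant, Destination and Issuer are filled in by OIF; omitted here

    if (flag(params, "KEY_FEDFORCEAUTHN")) req.setAttribute("ForceAuthn", "true");
    if (flag(params, "KEY_FEDISPASSIVE"))  req.setAttribute("IsPassive", "true");

    String method = params.get("KEY_FEDAUTHNMETHOD");
    if (method != null) {
      Element rac = doc.createElementNS(SAMLP, "samlp:RequestedAuthnContext");
      String comp = params.get("KEY_FEDAUTHNMETHODCOMP");
      // SAML 2.0 core: a missing Comparison attribute means "exact"
      rac.setAttribute("Comparison", comp == null ? "exact" : comparisonAttribute(comp));
      Element ref = doc.createElementNS(SAML, "saml:AuthnContextClassRef");
      ref.setTextContent(method);
      rac.appendChild(ref);
      req.appendChild(rac);
    }

    Transformer t = TransformerFactory.newInstance().newTransformer();
    t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
    t.setOutputProperty(OutputKeys.INDENT, "yes");
    StringWriter out = new StringWriter();
    t.transform(new DOMSource(doc), new StreamResult(out));
    return out.toString();
  }

  public static void main(String[] args) throws Exception {
    // constructed sample: what a plugin such as the one in this article sets for a
    // sensitive AcmeIdP resource, plus a comparison and a ForceAuthn flag
    Map<String, String> params = new LinkedHashMap<String, String>();
    params.put("KEY_FEDIDP", "AcmeIdP"); // selects the partner; does not appear in the message body
    params.put("KEY_FEDAUTHNMETHOD", "urn:oasis:names:tc:SAML:2.0:ac:classes:X509");
    params.put("KEY_FEDAUTHNMETHODCOMP", "min");
    params.put("KEY_FEDFORCEAUTHN", "true");
    System.out.println(render(params));
  }
}
```

Note that KEY_FEDIDP never reaches the message: it only picks which partner's endpoint the request is sent to. Note also that ForceAuthn and IsPassive both set to "true" is a contradictory request (challenge the user, but do not interact with the user), so a plugin should set at most one of them.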

Custom Authentication Plugin


Overview

The custom Authentication Plugin will:

  • Evaluate the requested resource
  • Determine the IdP to be used
  • Request a stronger Federation Authentication Method from the IdP when a sensitive resource is requested, if the IdP supports one

Keep in mind that KEY_FEDAUTHNMETHOD only changes what OIF/SP asks for: under SAML 2.0 the IdP decides how it authenticates the user and reports the method it actually used in the Assertion's AuthnStatement. A stronger method is therefore only obtained if the IdP honours the request and the SP side verifies the method returned in the Assertion.

In the example, I have:

  • Three IdP partners:
    • AcmeIdP, which supports the following Federation Authentication Methods:
      • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (default, no need to specifically request it)
      • urn:oasis:names:tc:SAML:2.0:ac:classes:X509
    • WorldBank, which supports:
      • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (default, no need to specifically request it)
      • urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
    • WInsuranceIdP, which supports only:
      • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (default, no need to specifically request it)
  • Three high level resources:
    • http://company.com/businesspartners/acmebank, bound to AcmeIdP
    • http://company.com/businesspartners/worldbank, bound to WorldBank
    • http://company.com/businesspartners/worldinsurance, bound to WInsuranceIdP
  • Three sensitive resources, for the three high level resources:
    • http://company.com/businesspartners/acmebank/account
    • http://company.com/businesspartners/worldbank/account
    • http://company.com/businesspartners/worldinsurance/account

My custom Authentication plugin will be made of the following:

  • One Java class extending the oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn class
  • A MANIFEST.MF file describing the plugin bundle: its name, version, activator class and the packages it imports
  • An XML file describing the plugin

Those three elements will be bundled in a JAR file that is then uploaded to the OAM server via the OAM Administration Console. Once uploaded and activated I will create a Federation Authentication Module.

Java Class

The class implementing my custom Authentication plugin must adhere to the following:

  • Extend the oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn class
  • Implement the following methods:
    • public ExecutionStatus process(AuthenticationContext context) throws AuthenticationException
      • Must return a status (failure or success)
      • In my example, this method will
        • Evaluate the requested resource
        • Set the KEY_FEDIDP CredentialParam to indicate the IdP to be used
        • Set the KEY_FEDAUTHNMETHOD CredentialParam to request a specific Federation Authentication Method from the IdP
    • public String getPluginName()
      • Returns the name of the custom plugin
      • In our example it will return "CustomIdPSelectionPlugin"
    • public String getDescription()
      • Returns a description of the custom Authentication Plugin
      • In our example it will return "Custom IdP Selection Plugin"
    • public Map<String, MonitoringData> getMonitoringData()
      • Not used in an Authentication Plugin flow
      • In our example it will return null
    • public boolean getMonitoringStatus()
      • Not used in an Authentication Plugin flow
      • In our example it will return false
    • public int getRevision()
      • Must match the Bundle-Version value specified in the manifest file
      • In our example it will return 10
    • public void setMonitoringStatus(boolean status)
      • Not used in an Authentication Plugin flow
      • In our example this method will be empty

The following code is an example of the custom plugin.

package userauthn;

import java.util.Map;

import oracle.security.am.plugin.ExecutionStatus;
import oracle.security.am.plugin.MonitoringData;
import oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn;
import oracle.security.am.plugin.authn.AuthenticationContext;
import oracle.security.am.plugin.authn.AuthenticationException;
import oracle.security.am.plugin.authn.CredentialParam;

public class CustomIdPSelectionPlugin extends AbstractAuthenticationPlugIn {

  // top-level resources, each bound to one IdP partner
  private static final String ACME_URL = "http://company.com/businesspartners/acmebank";
  private static final String WORLDBANK_URL = "http://company.com/businesspartners/worldbank";
  private static final String WINSURANCE_URL = "http://company.com/businesspartners/worldinsurance";

  // names of the CredentialParams consumed by the OIF/SP FedAuthnRequestPlugin
  private static final String KEY_FEDIDP = "KEY_FEDIDP";
  private static final String KEY_FEDAUTHNMETHOD = "KEY_FEDAUTHNMETHOD";

  @Override
  public ExecutionStatus process(AuthenticationContext context)
      throws AuthenticationException {
    // requested URL
    String resourceURL = context.getResourceURL();
    if (resourceURL == null) {
      // nothing to route on: FedAuthnRequestPlugin will use its default IdP
      return ExecutionStatus.SUCCESS;
    }

    // determine the IdP based on the requested resource
    String idpPartnerName = null;
    if (isUnder(resourceURL, ACME_URL))
      idpPartnerName = "AcmeIdP";
    else if (isUnder(resourceURL, WORLDBANK_URL))
      idpPartnerName = "WorldBank";
    else if (isUnder(resourceURL, WINSURANCE_URL))
      idpPartnerName = "WInsuranceIdP";

    // if an IdP was determined, create a CredentialParam in the
    // AuthenticationContext; FedAuthnRequestPlugin consumes it to start Federation SSO
    if (idpPartnerName != null) {
      addStringParam(context, KEY_FEDIDP, idpPartnerName);
    }

    // if the account subpath is requested, ask the IdP for a higher
    // Federation Authentication Method (when the IdP supports one)
    String fedAuthnMethod = null;
    if ("AcmeIdP".equals(idpPartnerName) && isUnder(resourceURL, ACME_URL + "/account")) {
      // AcmeIdP supports X.509 as its higher authentication method
      fedAuthnMethod = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509";
    } else if ("WorldBank".equals(idpPartnerName) && isUnder(resourceURL, WORLDBANK_URL + "/account")) {
      // WorldBank supports smart card as its higher authentication method
      fedAuthnMethod = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI";
    }
    // WInsuranceIdP only supports PasswordProtectedTransport, the default,
    // so nothing is requested for its account subpath

    // if another fed authn method was chosen, create a CredentialParam for it;
    // FedAuthnRequestPlugin puts it in the SSO request
    if (fedAuthnMethod != null) {
      addStringParam(context, KEY_FEDAUTHNMETHOD, fedAuthnMethod);
    }

    // success is mapped to FedAuthnRequestPlugin in the
    // Authentication Module steps orchestration
    return ExecutionStatus.SUCCESS;
  }

  // true when url is exactly base, or lies below it as a path (or carries a
  // query string); a plain startsWith() would also accept look-alike
  // resources such as .../acmebank-archive or .../accounts
  private static boolean isUnder(String url, String base) {
    return url.equals(base) || url.startsWith(base + "/") || url.startsWith(base + "?");
  }

  private static void addStringParam(AuthenticationContext context, String name, String value) {
    CredentialParam param = new CredentialParam();
    param.setName(name);
    param.setType("string");
    param.setValue(value);
    context.getCredential().addCredentialParam(name, param);
  }

  @Override
  public String getPluginName() {
    return "CustomIdPSelectionPlugin";
  }

  @Override
  public String getDescription() {
    return "Custom IdP Selection Plugin";
  }

  @Override
  public Map<String, MonitoringData> getMonitoringData() {
    return null;
  }

  @Override
  public boolean getMonitoringStatus() {
    return false;
  }

  @Override
  public int getRevision() {
    // must match Bundle-Version in MANIFEST.MF
    return 10;
  }

  @Override
  public void setMonitoringStatus(boolean status) {
    // not used in an Authentication Plugin flow
  }
}
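
The plugin above hard-codes three URL comparisons inside process(), which can only be exercised inside a running OAM server. The following added example, written for this edit and not part of the article or of OIF, moves the decision into a plain Java class with no OAM dependency so it can be unit tested, and generalises it: rules are table-driven, the host is compared case-insensitively, the query string is ignored, matching is done on whole path segments (so /businesspartners/acmebank-archive is not AcmeIdP's resource and /account does not cover /accounts), "/../" segments are resolved before matching, and a URL whose dot segments survive normalisation (for example a percent-encoded "..") is not routed at all rather than guessed at. The names ResourceRouter, Rule and Decision and the rule layout are assumptions; a process() method would call route(context.getResourceURL()) and copy a non-null result into the KEY_FEDIDP and KEY_FEDAUTHNMETHOD parameters.

```java
package userauthn;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example (not OIF code): OAM-independent resource-to-IdP routing.
public class ResourceRouter {

  // One routing rule: resources under pathPrefix on host belong to idp;
  // those under pathPrefix + sensitiveSubpath require strongMethod (null
  // when the IdP has no stronger method than its default).
  public static final class Rule {
    final String host, pathPrefix, idp, sensitiveSubpath, strongMethod;
    Rule(String host, String pathPrefix, String idp, String sensitiveSubpath, String strongMethod) {
      this.host = host.toLowerCase(Locale.ROOT);
      this.pathPrefix = pathPrefix;
      this.idp = idp;
      this.sensitiveSubpath = sensitiveSubpath;
      this.strongMethod = strongMethod;
    }
  }

  // What the plugin copies into the CredentialParams: authnMethod is null
  // when the IdP's default method is acceptable for the resource.
  public static final class Decision {
    public final String idp;
    public final String authnMethod;
    Decision(String idp, String authnMethod) { this.idp = idp; this.authnMethod = authnMethod; }
    @Override public String toString() {
      return idp + (authnMethod == null ? "" : " requesting " + authnMethod);
    }
  }

  private final List<Rule> rules = new ArrayList<Rule>();

  public ResourceRouter add(String host, String pathPrefix, String idp,
                            String sensitiveSubpath, String strongMethod) {
    rules.add(new Rule(host, pathPrefix, idp, sensitiveSubpath, strongMethod));
    return this;
  }

  // Returns null when the URL is unparseable, ambiguous, or matches no rule.
  public Decision route(String resourceURL) {
    if (resourceURL == null) return null;
    URI uri;
    try {
      uri = new URI(resourceURL).normalize(); // resolves literal "." and ".." segments
    } catch (URISyntaxException e) {
      return null;
    }
    String host = uri.getHost();
    String path = uri.getPath(); // decoded; query string and fragment are not part of it
    if (host == null || path == null) return null;
    // normalize() works on the raw path, so a dot segment still present after
    // decoding came from percent-encoding; refuse to guess how the target
    // server will interpret it
    if (hasDotSegment(path)) return null;
    host = host.toLowerCase(Locale.ROOT);
    for (Rule r : rules) {
      if (host.equals(r.host) && under(path, r.pathPrefix)) {
        boolean sensitive = r.strongMethod != null
            && under(path, r.pathPrefix + r.sensitiveSubpath);
        return new Decision(r.idp, sensitive ? r.strongMethod : null);
      }
    }
    return null;
  }

  // Segment-aware prefix test: "/a/b" is under "/a", "/ab" is not.
  static boolean under(String path, String prefix) {
    return path.equals(prefix) || path.startsWith(prefix + "/");
  }

  static boolean hasDotSegment(String path) {
    for (String seg : path.split("/")) {
      if (seg.equals(".") || seg.equals("..")) return true;
    }
    return false;
  }

  public static void main(String[] args) {
    ResourceRouter router = new ResourceRouter()
        .add("company.com", "/businesspartners/acmebank", "AcmeIdP", "/account",
             "urn:oasis:names:tc:SAML:2.0:ac:classes:X509")
        .add("company.com", "/businesspartners/worldbank", "WorldBank", "/account",
             "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI")
        .add("company.com", "/businesspartners/worldinsurance", "WInsuranceIdP", "/account", null);

    // constructed sample requests, including look-alike and traversal forms
    String[] samples = {
        "http://company.com/businesspartners/acmebank",
        "http://company.com/businesspartners/acmebank/account?id=42",
        "http://company.com/businesspartners/acmebank/accounts",
        "http://company.com/businesspartners/acmebank-archive/x",
        "http://company.com/businesspartners/acmebank/../acmebank-archive/x",
        "http://company.com/businesspartners/acmebank/%2e%2e/worldbank/account",
        "http://COMPANY.com/businesspartners/worldinsurance/account",
    };
    for (String s : samples) {
      System.out.println(s + " -> " + router.route(s));
    }
  }
}
```

A null Decision leaves both CredentialParams unset, so FedAuthnRequestPlugin falls back to its default IdP. If a resource that matches no rule must not reach any IdP, the plugin can instead return ExecutionStatus.FAILURE, which the orchestration below maps to failure. The rules are a good candidate for the plugin's configuration in the registration XML rather than constants in the class.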

Plugin Registration File

The custom Authentication plugin must be defined in a plugin XML file such as:

<Plugin type="Authentication">
  <author>uid=admin</author>
  <email>admin@example</email>
  <creationDate>08:00:00,2014-01-15</creationDate>
  <description>Custom IdP Selection Plugin</description>
  <configuration>
  </configuration>
</Plugin>

Important Note: the XML file must have the same name as the class implementing the plugin, in this case CustomIdPSelectionPlugin.xml

See the OAM/OIF 11.1.2.2.0 Developer’s Guide for more information

Manifest File

Before packaging the custom Authentication plugin in a JAR file, a MANIFEST.MF must be defined such as:   

Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: CustomIdPSelectionPlugin
Bundle-SymbolicName: CustomIdPSelectionPlugin
Bundle-Version: 10
Bundle-Activator: userauthn.CustomIdPSelectionPlugin
Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.
 plugin,oracle.security.am.plugin.authn
Bundle-RequiredExecutionEnvironment: JavaSE-1.6

See the OAM/OIF 11.1.2.2.0 Developer’s Guide for more information

Note: the manifest file must include the Import-Package property listing every package the plugin uses. Two JAR manifest rules are easy to trip over: a header longer than 72 bytes is wrapped onto a continuation line that must start with a single space (as the Import-Package line above does), and the file must end with a newline, otherwise the jar tool drops the last header.

Building the Plugin


Compiling

The following JAR files from the OAM deployment need to be used for compilation:

  • felix.jar
  • oam-plugin.jar

These files are found in the following locations:

  • felix.jar: $IAM_HOME/oam/server/lib/plugin/felix.jar
  • oam-plugin.jar: $IAM_HOME/oam/server/lib/plugin/oam-plugin.jar

In my example, I put the CustomIdPSelectionPlugin.java file in a src/userauthn folder:

bash-4.1$ ls -l src/userauthn/
total 4
-rw-r--r-- 1 root root 3894 Mar 1 11:42 CustomIdPSelectionPlugin.java

To compile, execute the following command:

$JDK_HOME/bin/javac -cp $IAM_HOME/oam/server/lib/plugin/felix.jar:$IAM_HOME/oam/server/lib/plugin/oam-plugin.jar src/userauthn/*.java

Packaging the Custom Plugin

I created the MANIFEST.MF in the current directory based on the content listed in the previous section, and the CustomIdPSelectionPlugin.xml in the src directory, which contains the plugin definition listed in the previous section.

find
.
./MANIFEST.MF
./src
./src/userauthn
./src/userauthn/CustomIdPSelectionPlugin.class
./src/userauthn/CustomIdPSelectionPlugin.java
./src/CustomIdPSelectionPlugin.xml

To create the CustomIdPSelectionPlugin.jar JAR file that will contain the plugin and the required files, execute the following command:

jar cfvm CustomIdPSelectionPlugin.jar MANIFEST.MF -C src/ .
added manifest
adding: userauthn/(in = 0) (out= 0)(stored 0%)
adding: userauthn/CustomIdPSelectionPlugin.class(in = 2717) (out= 1267)(deflated 53%)
adding: userauthn/CustomIdPSelectionPlugin.java(in = 3894) (out= 1055)(deflated 72%)
adding: CustomIdPSelectionPlugin.xml(in = 234) (out= 155)(deflated 33%)

This will create the CustomIdPSelectionPlugin.jar. To view the contents of the file:

unzip -l CustomIdPSelectionPlugin.jar
Archive:  CustomIdPSelectionPlugin.jar
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  03-01-2014 10:14   META-INF/
      425  03-01-2014 10:14   META-INF/MANIFEST.MF
        0  03-01-2014 10:13   userauthn/
     2717  03-01-2014 10:13   userauthn/CustomIdPSelectionPlugin.class
     3894  03-01-2014 09:56   userauthn/CustomIdPSelectionPlugin.java
      234  03-01-2014 10:03   CustomIdPSelectionPlugin.xml
---------                     -------
     7270                     6 files

Important Note: the JAR file must have the same name as the class implementing the plugin, in this case CustomIdPSelectionPlugin.jar

Deploying the Custom Authentication Plugin


Perform the following steps to deploy the custom Authentication plugin in OAM:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Access Manager -> Plugins
  • Click Import Plug-In
  • Select the plugin JAR file (CustomIdPSelectionPlugin.jar in this example)

Once imported, the plugin is listed with an Uploaded status; it is not yet available to the runtime servers.

You will need to distribute the plugin to the runtime OAM servers and activate it:

  • Select the plugin
  • Click Distribute Selected
  • The Activation Status tab of the plugin will show the state of the plugin

You will need to activate the plugin:

  • Select the plugin
  • Click Activate Selected
  • The Activation Status tab of the plugin will show the state of the plugin

Creating the Authentication Module


I will now create a new Federation Authentication Module, based on the existing FederationPlugin Authentication Module, which will differ from the existing one:

  • CustomIdPSelectionPlugin will be the initial step
  • Orchestration:
    • On Success mapped to FedAuthnRequestPlugin
    • On Failure mapped to failure
    • On Error mapped to failure

Perform the following steps to create a new Authentication Module:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Access Manager -> Authentication Modules
  • Click Create Authentication Module
  • Select Create Custom Authentication Module
  • Enter a Name (CustomFedModule for example)

Perform the following steps to add steps to the new Authentication Module:

  • Click on the Steps tab
  • Click Add to add the FedAuthnRequestPlugin step:
    • Step name: FedAuthnRequestPlugin
    • Plug-in Name: FedAuthnRequestPlugin
    • Click OK

  • Click Add to add the AssertionProcessing step:   
    • Step name: AssertionProcessing
    • Plug-in Name: FedUserAuthenticationPlugin
    • Click OK

  • Click Add to add the IdPSelection step:   
    • Step name: IdPSelection
    • Plug-in Name: CustomIdPSelectionPlugin
    • Click OK

The Steps tab now lists the three steps: FedAuthnRequestPlugin, AssertionProcessing and IdPSelection.

Perform the following steps to define the steps orchestration for the new Authentication Module:

  • Click on the Steps Orchestration tab
  • Select IdPSelection as the Initial Step
  • For FedAuthnRequestPlugin:
    • Select success for On Success
    • Select AssertionProcessing for On Failure
    • Select failure for On Error
  • For AssertionProcessing:
    • Select success for On Success
    • Select failure for On Failure
    • Select failure for On Error
  • For IdPSelection:
    • Select FedAuthnRequestPlugin for On Success
    • Select failure for On Failure
    • Select failure for On Error
  • Apply

Authentication Scheme


Before being able to protect resources with an Authentication Policy that will use that new Authentication Module, a new Authentication Scheme needs to be created, referencing that new custom module. This is required, since the Authentication Policy is bound to an Authentication Scheme, not an Authentication Module.

To create a new Authentication Scheme for that custom module, perform the following steps:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Access Manager -> Authentication Schemes
  • Click Create Authentication Scheme
  • Enter a name (for example CustomFedScheme) and a description
  • Set the Authentication Level to an acceptable value (2 in my example)
  • Select FORM as the Challenge Method
  • Set the Challenge Redirect URL (in my example, I set it to /oam/server/)
  • Select the newly created custom Authentication Module (CustomFedModule in the example)
  • Set the Challenge URL (/pages/servererror.jsp in this example)
  • Set the Context Type (customWar for example)
  • Set the Context Value (/oam here, since I don't use any pages)
  • Enter the following for the Challenge Parameters at least:
    • initial_command=NONE
    • is_rsa=true
  • Apply

Test


Protect a resource with an Authentication Policy using the newly created Authentication Scheme. This will invoke the custom Authentication Module.

Voila!

In my next article, I cover the benefits of using SAML 2.0 Metadata when setting up Federation between two servers.
Cheers,
Damien Carru

Comments (20)
  • Aakash Wasnik Thursday, January 29, 2015

    Hi Damien

    Thanks for writing this helpful blog. I have learned a lot while reading your blog.

    I have one question regarding the custom authentication module. In my case OAM-FED is acting as SP & SFDC is acting as IDP. In IDP initiated SSO I see the assertion is processed by the "FederationPlugin" authentication plugin. Even after creating an authentication scheme and module by clicking on the "create" button on the IDP partner profile page, IDP initiated SSO is still going to the default "FederationPlugin".

    Is there a WLST command that would redirect assertion processing to the authentication module that got created via the "create" button on the IDP partner profile?

    Thanks

    Aakash


  • Damien Thursday, January 29, 2015

    Hi Aakash,

    The idea of a custom authentication scheme/module for a specific IdP was to be able to trigger a Federation SSO flow with a specific IdP when a user accesses a specific set of resources (protected by the custom authentication scheme).

    In an IdP initiated SSO flow, when the user presents the Assertion to the OAM/OIF server, the default Federation Authentication module will be used to process the Assertion: this is a limitation of the IdP initiated SSO flow, since the OAM/OIF server did not trigger the flow.

    In your case, it should not be a problem to use the default Federation Authentication module in an IdP initiated SSO flow.

    Regards,

    Damien


  • Aakash Wasnik Thursday, February 5, 2015

    Hi Damien

    Thanks for your helpful reply.

    I would like to seek your opinion on one more scenario. As part of assertion processing the user is searched in the directory platform; if the user is not found in the directory platform I would like to redirect the user to a different URL based on partner name.

    As part of assertion processing the user lookup is done by "FedUserAuthenticationPlugin"; if the user is not found this plugin throws an error. I have written a custom authentication plugin & configured it in "step orchestration" on error of "FedUserAuthenticationPlugin".

    In my custom authentication plugin I am invoking

    PluginResponse partnerResponse = context.getResponse(PluginAttributeContextType.SESSION, "fed.partner");
    String partnerName = (String) partnerResponse.getValue();

    but this API is returning null, hence I am not able to determine the exact IDP partner name.

    Can you please let me know if there is any other API that i should be using to extract IDP partner name

    Appreciate your response on this.

    Thanks

    Aakash


  • Damien Thursday, April 16, 2015

    Unfortunately, in the current implementation, whenever the Federation SSO operation fails at OIF/SP, the data contained in the Assertion will not be extracted and returned to OAM.

    So the Plugin or the next plugin in the OAM Authn Module won't be able to evaluate the Federation data since it is not present.

    The Federation module would need to be enhanced to return this data in case of failure, to allow subsequent plugins to perform additional tasks.

    Damien


  • Divya Monday, April 27, 2015

    Hi Damien

    We have a requirement where OAM/SP needs to consume the attributes from the SAML assertion provided by an external IDP and pass them over to the downstream application. That part is simple. But we might need to process them before passing. Ex: if the Auth context is set to "Password Authenticated", then I need to set it to 1FA and pass it down in the header. How can I do that?

    Please assist.


  • guest Monday, April 27, 2015

    Hi Damien

    One more requirement I have is different IDP URLs that need to be triggered for different applications hosted in OAM/OIF SP. Our OAM SP has multiple application domains. The IDP is an external agency and we need to redirect to these URLs based on the protected resource requested. The IDP is a single IDP, but the URLs to be invoked are different. Can we use a custom authentication plugin to achieve the same?

    And we do not have a local LDAP store at the SP side. Without creating users in the local LDAP, can we use the SAML assertion from the IDP to complete the authentication cycle and extract attributes to be passed to the downstream application?


  • Damien Tuesday, April 28, 2015

    Divya,

    You might want to implement a post custom authentication plugin that would perform any custom operations you require. See this article: https://blogs.oracle.com/dcarru/entry/custom_post_authentication_module_in

    Damien


  • Damien Tuesday, April 28, 2015

    Divya,

    Regarding your second question: Federation SSO is based on decoupling the characteristics of one security domain (in this case the SP) from another one (the IdP).

    In your case, it does not seem correct to redirect to different IdP SAML 2.0 endpoints, based on the resource being requested.

    If you need, you can configure different resources to be protected by different Federation OAM schemes, each scheme being bound to a specific IdP.

    Alternatively, you could implement a custom authentication plugin that would be invoked before the OIF Federation plugin (as described in this article) and that would request a different Authentication Context/Federation method to be used at the IdP to authenticate the user.

    Damien


  • guest Monday, May 4, 2015

    Hi damien

    Thanks a lot for the response. Your blogs have been extremely useful !!

    One final query : Can OAM integrated federation services support below scenario

    An artifact token is posted to the SP after authentication by the IDP (in a different network) through a browser redirect to the SP endpoint URL. The SP should then initiate an artifact resolve to retrieve the SAML assertion by directly connecting with the IdP through a back channel instead of a browser redirect, since the SAML assertion is secure and cannot be sent over the browser. The IdP responds to the SP directly using an artifact response and sends the SAML assertion. This is known as the HTTP Artifact binding I guess.


  • Damien Thursday, May 7, 2015

    Divya,

    This is supported. See my article:

    https://blogs.oracle.com/dcarru/entry/creating_saml_2_0_sp

    Damien


  • guest Monday, June 29, 2015

    Hi Damien

    Regarding my question about different SAML 2.0 endpoints, just one correction. We don't redirect to different IDP URLs based on the resource requested. The IDP URL is the same:

    http://saml.com/saml2/idp

    But , we need to pass different query parameters based on resource requested. IDP need it for transaction auditing.

    http://saml.com/saml2/idp/?res_id=res1

    http://saml.com/saml2/idp/?res_id=res2

    Is this possible ?


  • guest Monday, June 29, 2015

    And they are expecting IDP initiated SSO to be set up. How can I set it up with OAM? Should I protect the resources using the Fed Scheme? This bit is a little confusing.


  • Damien Monday, July 27, 2015

    Divya,

    You cannot pass information about the local resource being requested: that is contrary to the spirit of Federation SSO where the integration is loosely coupled. The IdP is now aware of the topology deployed in the SP security domain.

    Damien


  • Damien Monday, July 27, 2015

    Divya,

    For IdP initiated SSO, this would be handled by the IdP: so you would need to understand how to configure the IdP to perform IdP initiated SSO.

    OIF supports IdP initiated SSO without any configuration requirement, and as it is the practice with commercial implementations, the RelayState sent by the IdP along with the SSO Response/Assertion would contain the URL where the user should be redirected at the SP after Federation SSO is done.

    Damien


  • guest Tuesday, July 28, 2015

    Hi Damien

    Thanks a lot. I have configured the IDP initiated SSO. It's working fine.

    One last query: we need to extract the Authn Context in the Authn Statement from the SAML assertion and send it in the authz header response, but OOTB we can't find anything for this. How can we handle this, and how do we get a handle on the SAML assertion in a custom plugin to customize this? Any ideas..

    Thanks

    Divya


  • Damien Tuesday, July 28, 2015

    Divya,

    The SAML Authentication Statement is not provided in the OAM session. Instead the OAM session is populated with the NameID format, NameID value, IdP's PartnerID and the extracted attributes from the SAML Attribute Statement.

    Damien


  • guest Wednesday, July 29, 2015

    hi Damien

    Thanks, but we have to extract these details. How do we get the actual SAML assertion in the plugin to write custom code?

    Thanks

    Divya


  • Damien Sunday, October 4, 2015

    Hi,

    I don't think the SSO Response message is available to the OAM plugins. Instead the information is extracted from the Assertion and made available to the OAM modules, so that subsequent plugins do not need to understand the SAML protocol.

    Damien


  • siva pokuri Thursday, August 23, 2018
    Great article. Thanks for sharing information.

    Understood that we can do customization using custom authentication module when protecting application with OAM form based authentication schema.

    What should be done to use custom authentication module when we have OAAM in place and using TAP schema to protect application?

    Thanks
    Siva Pokuri.
  • Damien Friday, August 31, 2018
    Hi Siva,

    The example above is using FORM as the challenge method, but other methods would work. The Federation module is unaware of how the user is actually challenged (it might be FORM, HTTP Basic Auth or even another Federation SSO with a second remote IdP).

    Damien