Wednesday May 28, 2014

Fed Authentication Methods in OIF / IdP

This article is a continuation of my previous entry where I explained how OIF/IdP leverages OAM to authenticate users at runtime:

  • OIF/IdP internally forwards the user to OAM and indicates which Authentication Scheme should be used to challenge the user if needed
  • OAM determines whether the user should be challenged (user already authenticated, session timed out or not, session authentication level equal to or higher than the level of the authentication scheme specified by OIF/IdP, and so on)
  • After identifying the user, OAM internally forwards the user back to OIF/IdP
  • OIF/IdP can resume its operation

In this article, I will discuss how OIF/IdP can be configured to map Federation Authentication Methods to OAM Authentication Schemes:

  • When processing an Authn Request, where the SP requests a specific Federation Authentication Method with which the user should be challenged
  • When sending an Assertion, where OIF/IdP sets the Federation Authentication Method in the Assertion

Enjoy the reading!

[Read More]

Monday May 19, 2014

Authentication in OIF / IdP

In this article, I will discuss authentication when OIF acts as an IdP and how the server can be configured to use specific OAM Authentication Schemes to challenge the user.

When OIF 11gR1, acting as an IdP, was integrated with OAM 11g, OIF delegated user authentication to OAM through a WebGate:

  • OHS had to be installed and configured to act as a reverse HTTP proxy for OIF
  • WebGate had to be installed on OHS and registered with OAM
  • OAM had to be configured to protect an OIF URL with
    • An Authentication Policy
    • An Authorization Policy
  • Set up the OIF logout URL in OAM
  • OIF had to be configured to use the OAM 11g Authentication Engine
    • Enter the HTTP header containing the userID injected by WebGate
    • Set up the OAM logout URL

In OIF 11gR2 and OAM 11gR2, the two components are tightly integrated together:

  • No initial setup is required to integrate the two products
  • No WebGate/OHS is required for IdP authentication
  • OIF/IdP can leverage any OAM Authentication Scheme

Note: given the advanced nature of the configuration, OIF authentication setup can only be managed via OIF WLST commands.

Enjoy the reading!

[Read More]

Wednesday May 14, 2014

Partner Profiles in OIF

In this article, I will discuss the concept of Partner Profile in the OIF configuration.

During any Federation runtime operation between OIF (as an IdP or SP) and remote partners, numerous configuration properties are evaluated that will affect how OIF will execute the operation.

Some of the configuration parameters driving the protocol exchange are specific to the partner with which OIF is interacting (like how the NameID should be populated if OIF acts as a SAML 2.0 IdP), while others can be common to a group of partners (like whether or not to sign SAML 2.0 Assertions when OIF acts as an IdP).

Instead of having each partner entry in the OIF configuration containing all the OIF parameters required to perform the Federation runtime operations, OIF makes use of a Partner Profile which:

  • Contains a set of settings that are common to all partners referencing that partner profile
  • Is specific to
    • A type, either IdP or SP
    • A protocol: SAML 2.0, SAML 1.1 or OpenID 2.0

A Partner Profile in OIF typically contains configuration settings that are generally not changed often and that are considered advanced. For the day-to-day operations, the administration capabilities provided in the OAM Administration Console or via the OIF WLST commands are enough for most cases.

For advanced cases requiring configuration changes, an administrator would have the choice to:

  • Either update the Partner configuration entry, so changes would only apply to the partner
  • Or update the Partner Profile entry, so changes would apply to all partners bound to the Partner Profile

Important note: given the advanced nature of the configuration, Partner Profiles can only be managed via OIF WLST commands.

[Read More]

Friday May 09, 2014

Integrating Office 365 with OIF/IdP

This is a continuation of my previous article where I will configure OIF (11.1.2.2.0 or later) as an IdP with Office 365 for Federation SSO using the SAML 2.0 protocol.

Be sure to have read the article about pre-requisites.

[Read More]

Monday May 05, 2014

Integrating Office 365 with OIF/IdP Pre-Requisites

In the next two articles, I will describe how to integrate OIF (11.1.2.2.0 or later) as an IdP with Office 365 for Federation SSO using the SAML 2.0 protocol.

The integration will cover:

  • Browser Federation SSO integration: this is the flow the user will exercise when accessing the www.office365.com resources via a browser:
    • www.office365.com will prompt the user to enter their email address
    • The server will detect that Federation SSO should be used for that domain and will start a Federation SSO flow with the OIF/IdP
    • OIF/IdP will challenge the user, create a SAML Assertion and redirect the user to www.office365.com
    • www.office365.com will grant access to the user
  • ActiveSync mail integration: in this flow, the user will use a mail application configured for Office 365
    • When the mail application is started, it will send the user’s credentials (email address and IdP password) to Office 365
    • www.office365.com will make a direct connection over SSL to the IdP and will use the SAML 2.0 ECP protocol to send a SAML AuthnRequest and the user’s credentials via HTTP Basic Authentication
    • The OIF/IdP will validate those credentials and return a SAML Assertion via the ECP protocol
    • Office 365 will grant access to the mail application

It is important to note that integration with Office 365 will not work for non-SAML 2.0 components, such as:

  • Lync clients
  • OWA Mobile Apps

[Read More]

Friday May 02, 2014

JIT Custom User Provisioning in OIF / SP cont’d

This article is a continuation of my previous entry about User Provisioning in OIF/SP, where I described how to use the built-in module in OIF/SP to create user records during a Federation SSO operation, if the user did not have a local account.

In this article, I will show how to build a custom User Provisioning module in OIF/SP. This will be based on the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 16, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Configure OIF to use the newly uploaded plugin

For this example, I will use the sample code listed in the OAM/OIF 11.1.2.2.0 Developer’s Guide.

Enjoy the reading!

[Read More]

About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service
