Create SAML 1.1 / OpenID 2.0 IdP Partners in OIF/ SP

This article is a continuation of my previous entry where I discussed how to create SAML 2.0 IdP Partners in OIF/SP. In this article, I will cover how to set up a Federation agreement between OIF acting as an SP and a remote IdP Partner via the SAML 1.1 or OpenID 2.0 protocols:

  • Set up a remote SAML 1.1 IdP Partner
  • Set up a remote OpenID 2.0 IdP Partner

The article will describe how to perform the above tasks either via the UI, or via the use of the OIF WLST commands.

Introduction


Be sure to read my previous article where I described:

  • Establishing Federation Trust
  • Assertion Mapping

SAML 1.1


OAM Administration Console

To create a new SAML 1.1 IdP Partner, execute the following steps (ensure first that you have all the data from the IdP partner, such as certificates, IdP identifiers and URLs):

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Service Provider Administration
  • Click on the "Create Identity Provider Partner" button
  • In the Create screen:
    • Enter a name for the partner
    • Enter the Issuer / ProviderID of the IdP Partner
    • If the SuccinctID is left blank, OIF/SP will compute it by digesting the Provider ID using the SHA-1 algorithm (should be left blank)
    • Enter the SSO Service URL for that IdP Partner: this is the URL where the user will be redirected from OIF/SP with a SAML AuthnRequest to the IdP.
    • If the partner supports the SAML 2.0 Artifact protocol, enter the SOAP Service URL where OIF/SP will connect to retrieve the SAML Assertion during an SSO Artifact operation
    • Upload the IdP Signing Certificate file:
      • either in PEM format (where the file contains as the first line -----BEGIN CERTIFICATE-----, then the certificate in Base64 encoded format, then the last line as -----END CERTIFICATE-----)
      • or in DER format where the certificate is stored in binary encoding
    • Assertion Mapping section:
      • Optionally set the OAM Identity Store that should be used (note: in the example, I left the field blank to use the default OAM Identity Store)
      • Optionally set the user search base DN (note: in the example, I left the field blank to use the user search base DN configured in the Identity Store)
      • Select how the mapping will occur (note: in the example, I am mapping the Assertion via the NameID to the LDAP mail attribute)
    • Select the Attribute Profile that will be used to map the names of the attributes in the incoming SAML Assertion to local names. See my next article on IdP Attribute Profile for more information. In this example, I will use the default IdP Attribute Profile.
    • Click Save


After the partner is created, the "Edit Partner" screen will be shown with:

  • The settings set in the previous screen modifiable
  • An Advanced Settings section displayed:
    • HTTP Basic Authentication: if the Artifact binding is used, OIF/SP will need to connect to the IdP directly over SOAP to retrieve the SAML Assertion. Sometimes the IdP will enable HTTP Basic Authentication on the SOAP channel, and OIF/SP will need to provide username/password to the IdP (those credentials will be agreed between the IdP’s and SP’s administrators).

WLST

To create a new SAML 1.1 IdP Partner using the OIF WLST commands, execute the following steps (ensure first that you have all the data from the IdP partner, such as certificates, IdP identifiers and URLs):

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Create SAML 1.1 IdP Partner that will be called acmeIdP in OIF:
    addSAML11IdPFederationPartner("acmeIdP", "https://acme.com/idp", "https://acme.com/saml11/sso", "https://acme.com/saml11/soap")
  • By default, the new IdP Partner will be configured to:
    • Use the default OAM Identity Store
    • Use the user search base DN of the Identity Store (not overridden)
    • Map the SAML Assertion using the NameID, matching the LDAP mail attribute
    • Use the default Identity Provider Attribute Profile
    • No certificate has been uploaded for this IdP partner
  • Exit the WLST environment:
    exit()

Modifying Federation Settings via WLST

In this section, I will list how to change the common IdP Partner settings via the OIF WLST commands:

  • SAML Assertion Mapping settings
  • OAM Identity Store and User Search Base DN for SAML Assertion Mapping
  • SAML Signing Certificate
  • IdP Partner Attribute Profile for an IdP Partner

I will assume that you are already in the WLST environment and connected using:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()

SAML Assertion Mapping settings

To configure mapping settings for a SAML IdP Partner:

  • Use the following command to map the Assertion via the NameID:
    setIdPPartnerMappingNameID(partnerName, userstoreAttr)
    • partnerName is the name that was used to create the IdP Partner
    • userstoreAttr: LDAP user attribute to match the NameID value.
  • Use the following command to map the Assertion via a SAML Attribute:
    setIdPPartnerMappingAttribute(partnerName, assertionAttr, userstoreAttr)
    • partnerName is the name that was used to create the IdP Partner
    • assertionAttr: name of the SAML Attribute.
    • userstoreAttr: LDAP user attribute to match the SAML Attribute value.
  • Use the following command to map the Assertion via an LDAP query:
    setIdPPartnerMappingAttributeQuery(partnerName, attrQuery)
    • partnerName is the name that was used to create the IdP Partner
    • attrQuery: the LDAP query to be used (for example (&(givenname=%firstname%)(sn=%lastname%))).

OAM Identity Store and User Search Base DN

To configure OIF/SP to use a specific OAM Identity Store and/or a specific User Search Base DN when mapping the incoming SAML Assertion, execute the following command setPartnerIDStoreAndBaseDN():

  • Use the following command to set the OAM Identity Store only:
    setPartnerIDStoreAndBaseDN(partnerName, "idp", storeName="oid")
    • partnerName is the name that was used to create the IdP Partner
    • idp indicates the partner type
    • storeName: references the OAM Identity Store to use
  • Use the following command to set the Search Base DN only:
    setPartnerIDStoreAndBaseDN(partnerName, "idp", searchBaseDN="ou=managers,dc=acme,dc=com")
    • partnerName is the name that was used to create the IdP Partner
    • idp indicates the partner type
    • searchBaseDN: indicates the search base DN to use
  • Use the following command to set the OAM Identity Store and Search Base DN:
    setPartnerIDStoreAndBaseDN(partnerName, "idp", storeName="oid", searchBaseDN="ou=managers,dc=acme,dc=com")
    • partnerName is the name that was used to create the IdP Partner
    • idp indicates the partner type
    • storeName: references the OAM Identity Store to use
    • searchBaseDN: indicates the search base DN to use
  • Use the following command to remove the OAM Identity Store and Search Base DN from the IdP partner entry:
    setPartnerIDStoreAndBaseDN(partnerName, "idp", delete="true")
    • partnerName is the name that was used to create the IdP Partner
    • idp indicates the partner type

SAML Signing Certificate

There are various WLST commands available to manage signing and encryption certificates:

  • getFederationPartnerSigningCert() which prints the partner’s signing certificate in Base64 encoded format:
    getFederationPartnerSigningCert("acmeIdP", "idp")
    • With acmeIdP being the name of partner created earlier
    • idp indicates the partner type
  • setFederationPartnerSigningCert() which uploads the signing certificate file passed as a parameter to the IdP Partner configuration:
    setFederationPartnerSigningCert("acmeIdP", "idp", "/tmp/cert.file")
    • With acmeIdP being the name of partner created earlier
    • idp indicates the partner type
    • the third parameter indicates the location on the file system of the file containing the certificate:
      • either in PEM format (where the file contains as the first line -----BEGIN CERTIFICATE-----, then the certificate in Base64 encoded format, then the last line as -----END CERTIFICATE-----)
      • or in DER format where the certificate is stored in binary encoding
  • deleteFederationPartnerSigningCert() which removes the signing certificate from the IdP partner entry:
    deleteFederationPartnerSigningCert("acmeIdP", "idp")
    • With acmeIdP being the name of partner created earlier
    • idp indicates the partner type
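As an added example (not part of this article or of OIF's tooling), the plain-Python pre-flight check below covers the certificate file passed to the console upload or to setFederationPartnerSigningCert(): it classifies the file as PEM or DER exactly as described above, extracts the DER bytes, and computes the SHA-1 fingerprint to compare out of band with the IdP administrator; it also derives the SuccinctID that the Create screen computes from the Provider ID. The sample certificate bytes are constructed (a minimal ASN.1 SEQUENCE, not a real certificate), and the Base64 presentation of the SuccinctID is an assumption.

```python
import base64
import hashlib

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def succinct_id(provider_id: str) -> bytes:
    """SuccinctID as OIF/SP derives it when the field is left blank:
    the 20-byte SHA-1 digest of the Provider ID."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def succinct_id_b64(provider_id: str) -> str:
    # Base64 is the usual presentation of a SAML SourceID; that the console
    # shows it this way is an assumption, not something the article states.
    return base64.b64encode(succinct_id(provider_id)).decode("ascii")


def _pem_lines(data: bytes):
    return [ln.strip() for ln in data.decode("ascii").splitlines() if ln.strip()]


def certificate_format(data: bytes) -> str:
    """Classify a file the way the upload expects it: DER (binary ASN.1 SEQUENCE,
    first byte 0x30) or PEM (BEGIN line, Base64 body, END line); else UNKNOWN."""
    if data[:1] == b"\x30":
        return "DER"
    try:
        lines = _pem_lines(data)
    except UnicodeDecodeError:
        return "UNKNOWN"
    if len(lines) >= 3 and lines[0] == PEM_BEGIN and lines[-1] == PEM_END:
        return "PEM"
    return "UNKNOWN"


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a PEM or DER file; reject anything OIF would not accept."""
    fmt = certificate_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        der = base64.b64decode("".join(_pem_lines(data)[1:-1]), validate=True)
        if der[:1] != b"\x30":
            raise ValueError("PEM body does not decode to a DER certificate")
        return der
    raise ValueError("file is neither PEM nor DER")


def certificate_fingerprint(data: bytes) -> str:
    """SHA-1 fingerprint of the DER encoding, for out-of-band comparison with the IdP."""
    return hashlib.sha1(certificate_der(data)).hexdigest()


# Constructed sample: a minimal DER SEQUENCE standing in for a certificate, in both encodings.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (PEM_BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n" + PEM_END + "\n").encode("ascii")

if __name__ == "__main__":
    print("SuccinctID:", succinct_id_b64("https://acme.com/idp"))
    print(certificate_format(SAMPLE_PEM), certificate_fingerprint(SAMPLE_PEM))
```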

IdP Partner Attribute Profile

To configure the IdP Partner Attribute Profile for a specific IdP Partner, use the following commands:

  • To configure an IdP Partner to use a specific IdP Partner Attribute Profile, execute:
    setIdPPartnerAttributeProfile(partnerName, attrProfileID)
    • partnerName is the name that was used to create the IdP Partner
    • attrProfileID is the IdP Partner Attribute Profile ID
  • To list the existing IdP Partner Attribute Profiles, execute:
    listIdPPartnerAttributeProfileIDs()

Examples

The commands below can be used to add a SAML 1.1 IdP partner (in this example I chose to specify an Identity Store):

addSAML11IdPFederationPartner("acmeIdP", "https://acme.com/idp", "https://acme.com/saml11/sso", "https://acme.com/saml11/soap")
setFederationPartnerSigningCert("acmeIdP", "idp", "/tmp/acme-idp-cert.pem")
setPartnerIDStoreAndBaseDN("acmeIdP", "idp", "oid")
setIdPPartnerMappingNameID("acmeIdP", "mail")

OpenID 2.0


OAM Administration Console

To create a new OpenID 2.0 IdP/OP Partner, execute the following steps (ensure first that you have all the data from the IdP/OP partner, such as discovery and SSO URLs):

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Service Provider Administration
  • Click on the "Create Identity Provider Partner" button
  • In the Create screen:
    • Enter a name for the partner
    • Select OpenID 2.0 as the Protocol
    • Select how to interact with the OpenID OP
      • Either by specifying the OpenID Discovery URL where the OP’s XRDS is published
      • Or by specifying the OpenID SSO URL where the user should be redirected for OpenID SSO
    • Enter the URL corresponding to the Service Details choice
    • Mapping section:
      • Optionally set the OAM Identity Store that should be used (note: in the example, I left the field blank to use the default OAM Identity Store)
      • Optionally set the user search base DN (note: in the example, I left the field blank to use the user search base DN configured in the Identity Store)
      • Select how the mapping will occur (note: in the example, I am mapping the OpenID Response via an attribute called http://axschema.org/contact/email to the LDAP mail attribute)
      • Note: Mapping via NameID is not possible with the OpenID protocol
    • Select the Attribute Profile that will be used to map the names of the attributes in the incoming OpenID SSO Response to local names. See my next article on IdP Attribute Profile for more information. In this example, I will use the default IdP Attribute Profile.
    • Click Save


After the partner is created, the "Edit Partner" screen will be shown with:

  • The settings set in the previous screen modifiable
  • An Advanced Settings section displayed:
    • Enable OpenID UI Extension: indicates to the OIF/SP/RP to include in the OpenID request the UI Extension and set the mode to popup, if supported by the OP.
    • OpenID UI Extension Language Preference: indicates to the OIF/SP/RP to include in the OpenID request the UI Extension and set the language field to the Accept-Language HTTP header value sent by the user’s browser, if supported by the OP.
    • Enable OpenID UI Extension Relying Party Icon: indicates to the OIF/SP/RP to include in the OpenID request the UI Extension and set the icon flag, if supported by the OP.


The OpenID 2.0 protocol mainly relies on user attributes being shared between the OP and the RP during the OpenID 2.0 SSO exchange. OIF/RP can map the names of the attributes in the incoming SSO response to local names, and this is done via the IdP Attribute Profile. In my next article, I will be explaining how the SP can be configured for attribute name mapping.

WLST

To create a new OpenID 2.0 OP Partner using the OIF WLST commands, execute the following steps (ensure first that you have all the data from the OP partner, such as IdP/OP realm and URLs):

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Create OpenID 2.0 OP Partner that will be called acmeOP in OIF:
    addOpenID20IdPFederationPartner("acmeOP", "https://acme.com/openid/sso", "https://acme.com/openid/xrds")
  • By default, the new OP Partner will be configured to:
    • Use the default OAM Identity Store
    • Use the user search base DN of the Identity Store (not overridden)
    • Assertion Mapping will not be configured
    • Use the default Service Provider Attribute Profile
  • Exit the WLST environment:
    exit()

Modifying Federation Settings via WLST

In this section, I will list how to change the common IdP/OP Partner settings via the OIF WLST commands:

  • OpenID SSO Response Mapping settings
  • OAM Identity Store and User Search Base DN for OpenID SSO Response
  • IdP Partner Attribute Profile for an IdP Partner

I will assume that you are already in the WLST environment and connected using:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()

OpenID SSO Response Mapping settings

To configure mapping settings for an OpenID IdP Partner:

  • Use the following command to map the SSO Response via an OpenID Attribute:
    setIdPPartnerMappingAttribute(partnerName, assertionAttr, userstoreAttr)
    • partnerName is the name that was used to create the IdP Partner
    • assertionAttr: name of the OpenID Attribute.
    • userstoreAttr: LDAP user attribute to match the OpenID Attribute value.
  • Use the following command to map the SSO Response via an LDAP query:
    setIdPPartnerMappingAttributeQuery(partnerName, attrQuery)
    • partnerName is the name that was used to create the IdP Partner
    • attrQuery: the LDAP query to be used (for example (&(givenname=%firstname%)(sn=%lastname%))).
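The attrQuery form with %name% placeholders (used here and in the SAML 1.1 mapping section above) is filled in with values taken from the incoming response. As an added illustration, not OIF's own code, the plain-Python function below performs that substitution with RFC 4515 escaping of the substituted values and refuses to build a filter when a placeholder has no matching attribute; how OIF itself expands and escapes the query is not stated on this page, so this shows what any mapping layer must guarantee rather than OIF internals. The sample query is the one from the article; the attribute values are constructed.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter, so that a
# value containing filter metacharacters cannot change the shape of the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Placeholder grammar assumed for this example: %name%, where name may be a
# plain attribute name or an axschema-style URL such as http://axschema.org/contact/email
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.:/-]+)%")


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for safe inclusion in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def query_placeholders(attr_query: str) -> list:
    """Names of all %name% placeholders in the mapping query, in order."""
    return PLACEHOLDER.findall(attr_query)


def query_is_satisfiable(attr_query: str, response_attrs: dict) -> bool:
    """True only if the received response carries every attribute the query needs."""
    return all(name in response_attrs for name in query_placeholders(attr_query))


def expand_attr_query(attr_query: str, response_attrs: dict) -> str:
    """Replace each %name% with the escaped value of that response attribute.
    A missing attribute raises instead of leaving the placeholder or widening
    the filter, so the user lookup never silently matches more than intended."""
    def substitute(match):
        name = match.group(1)
        if name not in response_attrs:
            raise KeyError(f"response has no attribute {name!r} required by the mapping query")
        return escape_filter_value(response_attrs[name])
    return PLACEHOLDER.sub(substitute, attr_query)


# Constructed sample: the article's query and attribute values from one received response.
SAMPLE_QUERY = "(&(givenname=%firstname%)(sn=%lastname%))"
SAMPLE_ATTRS = {"firstname": "Jane", "lastname": "O'Brien (Smith)"}

if __name__ == "__main__":
    print(expand_attr_query(SAMPLE_QUERY, SAMPLE_ATTRS))
```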

OAM Identity Store and User Search Base DN

To configure OIF/SP to use a specific OAM Identity Store and/or a specific User Search Base DN when mapping the incoming OpenID SSO Response, execute the following command setPartnerIDStoreAndBaseDN():

  • Use the following command to set the OAM Identity Store only:
    setPartnerIDStoreAndBaseDN(partnerName, "idp", storeName="oid")
    • partnerName is the name that was used to create the IdP Partner
    • idp indicates the partner type
    • storeName: references the OAM Identity Store to use
  • Use the following command to set the Search Base DN only:
    setPartnerIDStoreAndBaseDN(partnerName, "idp", searchBaseDN="ou=managers,dc=acme,dc=com")
    • partnerName is the name that was used to create the IdP Partner
    • idp indicates the partner type
    • searchBaseDN: indicates the search base DN to use
  • Use the following command to set the OAM Identity Store and Search Base DN:
    setPartnerIDStoreAndBaseDN(partnerName, "idp", storeName="oid", searchBaseDN="ou=managers,dc=acme,dc=com")
    • partnerName is the name that was used to create the IdP Partner
    • idp indicates the partner type
    • storeName: references the OAM Identity Store to use
    • searchBaseDN: indicates the search base DN to use
  • Use the following command to remove the OAM Identity Store and Search Base DN from the IdP partner entry:
    setPartnerIDStoreAndBaseDN(partnerName, "idp", delete="true")
    • partnerName is the name that was used to create the IdP Partner
    • idp indicates the partner type

IdP Partner Attribute Profile

To configure the IdP Partner Attribute Profile for a specific IdP Partner, use the following commands:

  • To configure an IdP Partner to use a specific IdP Partner Attribute Profile, execute:
    setIdPPartnerAttributeProfile(partnerName, attrProfileID)
    • partnerName is the name that was used to create the IdP Partner
    • attrProfileID is the IdP Partner Attribute Profile ID
  • To list the existing IdP Partner Attribute Profiles, execute:
    listIdPPartnerAttributeProfileIDs()

Examples

The commands below can be used to add an OpenID 2.0 OP partner (in this example I chose not to specify an Identity Store):

addOpenID20IdPFederationPartner("acmeOP", "https://acme.com/openid/sso", "https://acme.com/openid/xrds")
setIdPPartnerMappingAttribute("acmeOP", "http://axschema.org/contact/email", "mail")

OpenID for Google / Yahoo


OIF administration tools provide an easy way to add Google or Yahoo as an OpenID 2.0 OP/IdP.

OIF will create the necessary artifacts to perform Federation SSO with Google or Yahoo via the OpenID protocol:

  • For Google:
    • OIF will request the country, mail, firstname, lastname and language attributes
    • The SSO response mapping will be done via the mail attribute
  • For Yahoo:
    • OIF will request the country, mail, firstname, lastname, gender and language attributes
    • The SSO response mapping will be done via the mail attribute

OAM Administration Console

To create Google or Yahoo as a new OpenID 2.0 IdP/OP Partner, execute the following steps:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Service Provider Administration
  • Click on the "Create Identity Provider Partner" button
  • In the Create screen:
    • Enter a name for the partner
    • Select OpenID 2.0 as the Protocol
    • Select
      • "Google provider default settings" if you want to add Google
      • "Yahoo provider default settings" if you want to add Yahoo
  • Save

WLST

To create Google or Yahoo as a new OpenID 2.0 IdP/OP Partner using the OIF WLST commands, execute the following steps:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Create OpenID 2.0 OP Partner:
    • For Google (the partner name will be google):
      addOpenID20GoogleIdPFederationPartner()
    • For Yahoo (the partner name will be yahoo):
      addOpenID20YahooIdPFederationPartner()


In the next article, I will talk about how to enable and use the Test SP Application in OIF/SP, which is very useful when OIF is an SP and Federation agreements are set up.
Cheers,
Damien Carru


About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service
