Example: Sending Attributes with OIF/IdP

In this article, I will cover two examples of how to configure OIF/IdP to send attributes:
  • Via the OAM Administration Console to send attributes to a SAML 2.0 SP Partner
  • Via the OIF WLST commands to send attributes to an OpenID 2.0 RP Partner
The sent attributes will be based on:
  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)
Enjoy the reading!

OAM Administration Console


In this section, I will show how to configure OIF/IdP to send attributes via the admin console. The example will be based on a Federation with a remote SAML 2.0 SP partner, and the OIF/IdP will be configured to:
  • Use the Unspecified NameID format
  • Use the uid LDAP user attribute to set the NameID value
  • Send the following attributes:
    • Email address with the SAML attribute name set to Email
    • An attribute containing a string beginning with “My name is ” and then both the first name and last name, separated by a space. The SAML attribute name will be set to Name
    • UserID with attribute name set to UserID
    • OAM Session count with the SAML attribute name set to SessionCount
    • The client’s IP Address with the SAML attribute name set to IPAddress
For this, I will create a new SP Attribute Profile, and assign it to acmeSP. Later on, if new SP partners are onboarded, it will be possible to assign the existing SP Attribute Profile so that OIF/IdP will send the same attributes to those new SPs.

Steps

To create a new SP Attribute Profile, execute the following steps:
  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Identity Provider Administration
  • Click on the Service Provider Attribute Profiles tab
  • Click on the “Create SP Attribute Profile” button

Set up the basic information about the new SP Attribute Profile:
  • Enter a name
  • Enter a description if needed
  • Note about “Default SP Partner Attribute Profile”:
    • If checked, this will be the pre-assigned SP Attribute Profile when a new SP Partner is created via the UI
    • If checked, it will be the SP Attribute Profile used for SP partners which do not have an SP Attribute Profile assigned (for example the ones created via WLST commands)

We will now add the attributes listed earlier. Perform the following operations to add the Email attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the email attribute:
    • Message Attribute Name: Email
    • Value: select user, then attr, then enter the LDAP Attribute containing the email address, mail in this case
    • Always send: checked

Perform the following operations to add the Name attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the Name attribute:
    • Message Attribute Name: Name
    • Value: select expression, then enter the following string (in this example, the givenname LDAP attribute contains the first name, and sn the last name): My name is $user.attr.givenname $user.attr.sn
    • Always send: checked

Perform the following operations to add the UserID attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the UserID attribute:
    • Message Attribute Name: UserID
    • Value: select user, then userid
    • Always send: checked

Perform the following operations to add the SessionCount attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the SessionCount attribute:
    • Message Attribute Name: SessionCount
    • Value: select session, then count
    • Always send: checked

Perform the following operations to add the IPAddress attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the IPAddress attribute:
    • Message Attribute Name: IPAddress
    • Value: select request, then client_ip
    • Always send: checked

The SP Attribute Profile has now been configured to send the required attributes to SP partners linked to this profile.

The SP Partner will need to be updated to use the new SP Attribute Profile, as well as configured for the NameID settings mentioned earlier:
  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Identity Provider Administration
  • Click on the Search Service Provider Partners
  • Open the desired SP Partner
  • Select Unspecified as the NameID format
  • For NameID, select User ID Store Attribute then enter uid as the LDAP attribute containing the userID (note: one could have selected Expression in the drop down and entered an expression similarly to what was used earlier).
  • In the Attribute Mapping section, select the newly created SP Attribute Profile as the Attribute Profile
  • Save


Note about Always Send

The SP Attribute Profile is used for various protocols, including:
  • SAML SSO, where the SP cannot request any attributes at runtime
  • SAML SOAP Attribute exchange, where the SP can request any attributes at runtime
  • OpenID 2.0, where the SP can request any attributes at runtime
The “Always Send” option seen in the SP Attribute Profile section allows an administrator to instruct OIF/IdP to always send the attribute in an Assertion even if it was not requested by the SP partner.

SAML Assertion

Based on a user with the following characteristics, OIF/IdP will generate a SAML Assertion similar to the one shown below:
  • UserID: alice
  • First name: Alice
  • Last name: Appleton
  • Email: alice@idp.com
SAML Assertion generated by OIF/IdP for alice:
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...>
    <saml:Issuer ...>https://idp.com</saml:Issuer>
    <dsig:Signature>
     ...
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
      ...
    </saml:Subject>
    <saml:Conditions NotBefore="2014-02-26T20:35:00Z" NotOnOrAfter="2014-02-26T22:35:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-02-26T20:35:00Z" ...>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:...:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name" ...>
        <saml:AttributeValue ...>My name is Alice Appleton</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="SessionCount" ...>
        <saml:AttributeValue ...>1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Email" ...>
        <saml:AttributeValue ...>alice@idp.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="IPAddress" ...>
        <saml:AttributeValue ...>10.145.120.253</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="UserID" ...>
        <saml:AttributeValue ...>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
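To see what the receiving SP has to check before it trusts any of those attribute values, here is an added Python example of my own (not OIF code, and not part of the original article). It parses a constructed copy of the assertion above in which the elided namespaces, IDs and AuthnContext class are filled in and the dsig:Signature element is left out, then checks the status, the issuer, the validity window and the audience, and returns the NameID and the attributes. The function name consume_assertion and the IDs are my own; no XML signature is verified here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces of a SAML 2.0 Response and Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the article's assertion for alice with namespaces and IDs filled in
# so that it parses. The signature element is omitted because this example does not
# verify XML signatures (that must happen first, with the IdP certificate, in real code).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-response-1" Version="2.0" IssueInstant="2014-02-26T20:35:00Z">
  <saml:Issuer>https://idp.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id-assertion-1" Version="2.0" IssueInstant="2014-02-26T20:35:00Z">
    <saml:Issuer>https://idp.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-02-26T20:35:00Z" NotOnOrAfter="2014-02-26T22:35:00Z">
      <saml:AudienceRestriction><saml:Audience>https://acme.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-02-26T20:35:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name"><saml:AttributeValue>My name is Alice Appleton</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="SessionCount"><saml:AttributeValue>1</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@idp.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="IPAddress"><saml:AttributeValue>10.145.120.253</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="UserID"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a 'Z' suffix; fractional seconds are not used here."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, expected_issuer, expected_audience, now):
    """Run the checks an SP must make before using the attributes, then return them.

    Raises ValueError on any failed check. The XML signature is assumed to have been
    verified already: nothing below is meaningful on an unsigned or tampered document.
    """
    root = ET.fromstring(xml_text)  # for untrusted input in production, parse with defusedxml
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected assertion issuer")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this SP")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no NameID")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format"), "attributes": attributes}


def accepts(xml_text, expected_issuer, expected_audience, now):
    """True if consume_assertion would accept the response, False if it rejects it."""
    try:
        consume_assertion(xml_text, expected_issuer, expected_audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    result = consume_assertion(SAML_RESPONSE, "https://idp.com", "https://acme.com/sp",
                               parse_saml_time("2014-02-26T21:00:00Z"))
    print(result["name_id"], result["name_id_format"])
    for name, values in result["attributes"].items():
        print(f"  {name} = {values}")
```

The validity window check uses `NotBefore <= now < NotOnOrAfter`, so a response replayed at exactly 22:35:00Z is refused; real deployments also allow a small clock skew and remember assertion IDs to refuse replays within the window.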

WLST Commands


In this section, I will show how to configure OIF/IdP to send attributes by using the OIF WLST commands. The example will be based on a Federation with a remote OpenID 2.0 SP partner, and the OIF/IdP will be configured to:
  • Send the following attributes:
    • Email address with the OpenID attribute name set to http://axschema.org/contact/email
    • An attribute containing a string beginning with “My name is ” and then both the first name and last name, separated by a space. The OpenID attribute name will be set to http://openid.net/schema/namePerson/friendly
    • UserID with the OpenID attribute name set to http://schemas.openid.net/ax/api/user_id
    • OAM Session count with the OpenID attribute name set to http://session/count
    • The client’s IP Address with attribute name set to http://session/ipaddress

For this, I will create a new SP Attribute Profile, and assign it to acmeRP. Later on, if new RP partners are onboarded, it will be possible to assign the existing SP Attribute Profile so that OIF/IdP will send the same attributes to those new RPs.

I will assume that you have already entered the WLST environment and connected to the domain, as follows:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()

Steps

To configure the new SP Attribute Profile, execute the following steps:

  • Create a new SP Attribute Profile
    createSPPartnerAttributeProfile("openIDAttrProfile")
    • Specify the name of the new SP Attribute Profile
  • Create the Email attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://axschema.org/contact/email", "$user.attr.mail")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://axschema.org/contact/email
    • Set the value to the LDAP Attribute containing the email address, mail in this case: $user.attr.mail
  • Create the Name attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://openid.net/schema/namePerson/friendly", "My name is $user.attr.givenname $user.attr.sn")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://openid.net/schema/namePerson/friendly
    • Set the value to (in this example, the givenname LDAP attribute contains the first name, and sn the last name): My name is $user.attr.givenname $user.attr.sn
  • Create the UserID attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://schemas.openid.net/ax/api/user_id", "$user.userid")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://schemas.openid.net/ax/api/user_id
    • Set the value to the OAM user ID: $user.userid
  • Create the OAM Session Count attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://session/count", "$session.count")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://session/count
    • Set the value to: $session.count
  • Create the client’s IP Address attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://session/ipaddress", "$request.client_ip")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://session/ipaddress
    • Set the value to: $request.client_ip

To update the SP partner to use that SP Attribute Profile, execute:

  • The setSPPartnerAttributeProfile command:
    setSPPartnerAttributeProfile("acmeRP", "openIDAttrProfile")
    • Specify the SP partner name
    • Specify the name of the SP Attribute Profile to use
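Both profiles (the console one with SAML attribute names and the WLST one with OpenID attribute URIs) use the same value expressions: $user.attr.<ldapAttribute>, $user.userid, $session.count and $request.client_ip, optionally embedded in a literal string, plus the Always Send flag. The Python below is an added example of my own, not OIF code and not from the article: it models that expansion against constructed sample data for alice and applies the rule "send the entry if the partner requested it or it is marked Always Send", which is my reading of the Always Send note above. The selector grammar is deliberately limited to the four selectors the article uses; OIF supports others that are not modelled here, and the names resolve, build_attributes and with_always_send are mine.

```python
import re
from dataclasses import dataclass, replace

# Constructed sample context (not real data): what OIF/IdP has at hand for alice when it
# builds the SAML Assertion or the OpenID response.
USER = {"userid": "alice",
        "attr": {"uid": "alice", "mail": "alice@idp.com", "givenname": "Alice", "sn": "Appleton"}}
SESSION = {"count": 1}
REQUEST = {"client_ip": "10.145.120.253"}

# $scope.name or $scope.name.sub, limited to the selectors used in the article (assumption:
# OIF has more, e.g. for cookies and headers, but they are not modelled here).
SELECTOR = re.compile(r"\$(user|session|request)\.([A-Za-z][\w-]*)(?:\.([A-Za-z][\w-]*))?")


def resolve(expression, user, session, request):
    """Expand every $... token in an expression; an unknown selector is a configuration error."""
    def expand(match):
        scope, name, sub = match.groups()
        if scope == "user" and name == "attr" and sub:
            return str(user["attr"].get(sub, ""))  # LDAP attribute absent on the record: empty value
        if scope == "user" and name == "userid" and sub is None:
            return user["userid"]
        if scope == "session" and name == "count" and sub is None:
            return str(session["count"])
        if scope == "request" and name == "client_ip" and sub is None:
            return request["client_ip"]
        raise ValueError(f"unsupported selector {match.group(0)}")
    return SELECTOR.sub(expand, expression)


@dataclass(frozen=True)
class ProfileEntry:
    name: str          # Message Attribute Name (SAML) or attribute URI (OpenID)
    value: str         # expression typed in the console or passed to setSPPartnerAttributeProfileEntry
    always_send: bool  # the "Always Send" checkbox


# The SP Attribute Profile built in the article, with SAML names; the WLST profile differs
# only in the names (http://axschema.org/contact/email and so on).
PROFILE = (
    ProfileEntry("Email", "$user.attr.mail", True),
    ProfileEntry("Name", "My name is $user.attr.givenname $user.attr.sn", True),
    ProfileEntry("UserID", "$user.userid", True),
    ProfileEntry("SessionCount", "$session.count", True),
    ProfileEntry("IPAddress", "$request.client_ip", True),
)


def build_attributes(profile, requested, user, session, request):
    """Attributes that go into the message.

    `requested` holds the names the partner asked for at runtime: always empty for SAML SSO,
    which has no way to ask, and the query's attribute list for SOAP Attribute exchange or
    OpenID 2.0. An entry is sent when it is requested or marked Always Send.
    """
    return {e.name: resolve(e.value, user, session, request)
            for e in profile if e.always_send or e.name in requested}


def with_always_send(profile, flag):
    """Copy of a profile with every entry's Always Send set to `flag`."""
    return tuple(replace(e, always_send=flag) for e in profile)


if __name__ == "__main__":
    print("SAML SSO, all entries Always Send:", build_attributes(PROFILE, set(), USER, SESSION, REQUEST))
    optional = with_always_send(PROFILE, False)
    print("SAML SSO, no entry Always Send:", build_attributes(optional, set(), USER, SESSION, REQUEST))
    print("Attribute query asking for Email:", build_attributes(optional, {"Email"}, USER, SESSION, REQUEST))
```

The second and third print lines are the point of the Always Send note: with the checkbox cleared, a SAML SSO assertion carries no attributes at all, and a SOAP attribute query or OpenID fetch gets only what it asked for.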

OpenID Response

Based on a user with the following characteristics, OIF/IdP will generate an OpenID Response similar to the one shown below:

  • UserID: alice
  • First name: Alice
  • Last name: Appleton
  • Email: alice@idp.com

OpenID Response generated by OIF/IdP for alice:

https://acme.com/sp/openidv20?refid=id-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20&openid.claimed_id=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.identity=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.return_to=http%3A%2F%2Fadc00peq.us.oracle.com%3A7499%2Ffed%2Fsp%2Fopenidv20%3Frefid%3Did-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.response_nonce=2014-02-26T21%3A35%3A08Zid-uTAXy9lDK7TVvgezZVY3XZ06iSDcZb97zxiOl0qw&openid.assoc_handle=id-n-nN-qW2VAZa75-XJshWpmVHK53Yz0-lTZtrtsJm&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=2&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.attr1=My+name+is+Alice+Appleton&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=alice&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=alice%40idp.com&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.value.attr3%2Cax.type.attr4%2Cax.value.attr4&openid.sig=TeDo%2FouX%2BXRI%2F1G8kJVsw5JOVY8%3D

The decoded URL query parameters related to the attributes are:

  • Name of attribute #0: openid.ax.type.attr0=http://session/count
  • Value for attribute #0: openid.ax.value.attr0=2
  • Name of attribute #1: openid.ax.type.attr1=http://openid.net/schema/namePerson/friendly
  • Value for attribute #1: openid.ax.value.attr1=My name is Alice Appleton
  • Name of attribute #2: openid.ax.type.attr2=http://schemas.openid.net/ax/api/user_id
  • Value for attribute #2: openid.ax.value.attr2=alice
  • Name of attribute #3: openid.ax.type.attr3=http://axschema.org/contact/email
  • Value for attribute #3: openid.ax.value.attr3=alice@idp.com
  • Name of attribute #4: openid.ax.type.attr4=http://session/ipaddress
  • Value for attribute #4: openid.ax.value.attr4=10.145.120.253
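On the RP side, the detail that matters is the openid.signed list at the end of the response: every openid.ax.type.attrN and openid.ax.value.attrN pair is named there, and an RP should only use attribute values that the signature covers. The Python below is an added example of my own (not OIF or article code) that decodes a response of this shape, checks that it is a positive assertion addressed to this endpoint with the mandatory fields signed, and keeps only the signed AX attributes. The URL is a constructed copy of the response above with the opaque identifiers shortened and the OP host replaced by the placeholder idp.example; openid.sig itself is not verified, since that needs the association key established with the OP, which the article does not cover. The names single and extract_ax_attributes are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

AX_NS = "http://openid.net/srv/ax/1.0"
# Fields an OpenID 2.0 positive assertion must sign (claimed_id and identity when present,
# and they are present in this response).
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}

# Constructed sample derived from the article's response: same parameters and attribute
# values, shortened opaque identifiers, placeholder OP host.
RESPONSE_URL = (
    "https://acme.com/sp/openidv20?refid=id-UnaYvk-mDQy6ZQB-4R39L4An4B0-"
    "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res"
    "&openid.op_endpoint=http%3A%2F%2Fidp.example%3A23002%2Foamfed%2Fidp%2Fopenidv20"
    "&openid.claimed_id=http%3A%2F%2Fidp.example%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rW"
    "&openid.identity=http%3A%2F%2Fidp.example%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rW"
    "&openid.return_to=https%3A%2F%2Facme.com%2Fsp%2Fopenidv20%3Frefid%3Did-UnaYvk-mDQy6ZQB-4R39L4An4B0-"
    "&openid.response_nonce=2014-02-26T21%3A35%3A08Zid-uTAXy9&openid.assoc_handle=id-n-nN-qW2VAZa75"
    "&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response"
    "&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=2"
    "&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly"
    "&openid.ax.value.attr1=My+name+is+Alice+Appleton"
    "&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=alice"
    "&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=alice%40idp.com"
    "&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253"
    "&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle"
    "%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1"
    "%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.value.attr3%2Cax.type.attr4%2Cax.value.attr4"
    "&openid.sig=TeDo%2FouX%2BXRI%2F1G8kJVsw5JOVY8%3D"
)
# Same response with an extra AX pair appended that openid.signed does not cover (constructed).
UNSIGNED_EXTRA_URL = RESPONSE_URL + (
    "&openid.ax.type.attr5=http%3A%2F%2Fexample.invalid%2Fdepartment&openid.ax.value.attr5=Finance")

# (scheme, host, path) of the endpoint this response arrived at.
THIS_ENDPOINT = ("https", "acme.com", "/sp/openidv20")


def single(params, key):
    """Exactly one value for a parameter; a missing or repeated field is rejected."""
    values = params.get(key, [])
    if len(values) != 1:
        raise ValueError(f"parameter {key} missing or repeated")
    return values[0]


def extract_ax_attributes(response_url, expected_endpoint):
    """Return {attribute type URI: value} for the AX fields covered by openid.signed.

    Raises ValueError when the response is not a positive assertion for this endpoint or
    the mandatory fields are not under the signature. Verifying openid.sig against the
    association MAC key must happen before any returned value is used.
    """
    params = parse_qs(urlsplit(response_url).query, keep_blank_values=True)
    if single(params, "openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    rt = urlsplit(single(params, "openid.return_to"))
    if (rt.scheme, rt.netloc, rt.path) != expected_endpoint:
        raise ValueError("return_to does not match this endpoint")
    signed = set(single(params, "openid.signed").split(","))
    if not REQUIRED_SIGNED <= signed:
        raise ValueError("mandatory fields are not covered by the signature")
    if "ns.ax" not in signed or single(params, "openid.ns.ax") != AX_NS:
        raise ValueError("AX namespace missing or unsigned")
    if "ax.mode" not in signed or single(params, "openid.ax.mode") != "fetch_response":
        raise ValueError("not an AX fetch_response")

    attributes = {}
    for key in params:
        m = re.fullmatch(r"openid\.ax\.type\.(\w+)", key)
        if not m:
            continue
        type_field, value_field = f"ax.type.{m.group(1)}", f"ax.value.{m.group(1)}"
        if type_field not in signed or value_field not in signed:
            continue  # not under the signature, so it could have been altered in transit: ignore
        attributes[single(params, "openid." + type_field)] = single(params, "openid." + value_field)
    return attributes


if __name__ == "__main__":
    for uri, value in extract_ax_attributes(RESPONSE_URL, THIS_ENDPOINT).items():
        print(f"{uri} = {value}")
    print("unsigned extra pair ignored:",
          extract_ax_attributes(UNSIGNED_EXTRA_URL, THIS_ENDPOINT) == extract_ax_attributes(RESPONSE_URL, THIS_ENDPOINT))
```

Multi-valued AX attributes (openid.ax.count.alias) are not handled, since the response above has none; the same rule applies to them, each count and value field has to appear in openid.signed.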


In my next article, I will be showing how to create IdP partners with OIF being a Service Provider.
Cheers,
Damien Carru

Comments:

Hi,

This is a really helpful blog, but I have a situation where I need the payload which is being posted by SAP before starting the IdP-initiated call. So the question is how to map SAML attributes with the payload posted before sending the SAML assertion to the SP provider.

Thanks
Ankit

Posted by guest on October 28, 2015 at 11:31 PM EDT #

Hi Ankit,

The OIF IdP server can generate an Assertion based on the following only:
- LDAP User attributes
- OAM User Session attributes
- HTTP Cookies sent to the OAM server
- HTTP headers

The query string and POST data are not used in this case: the reason is that the flows exercised at runtime differ greatly depending on the use case: for example if the user is not authenticated yet, a login page will be presented, and the query string/POST data at the time of the IdP Assertion generation will be based on the data posted by the user when logging in; if the user is already authenticated, the IdP Assertion generation will be based on the data presented/posted by the user when redirected by the SP to the IdP.
For those reasons, the POST/query string data cannot be used when generating the Assertion.

Damien

Posted by Damien on October 29, 2015 at 11:11 AM EDT #

Damien,

Thanks for your quick response, now is it possible to take the payload and generate the request HTTP header which we can utilize to map? As this is a working scenario with the existing IAM product which we are replacing at the client.

Thanks
Ankit

Posted by Ankit on October 29, 2015 at 12:13 PM EDT #

Hi Ankit,

You could implement a service that would take the payload, set a cookie in the user's browser bound to the machine or domain where OAM/OIF is running, then configure OIF/IdP to use the cookie to create SAML Attributes in the SAML Assertion.

Damien

Posted by Damien on October 30, 2015 at 02:26 PM EDT #

About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service
