Example: Sending Attributes with OIF/IdP

In this article, I will cover two examples of how to configure OIF/IdP to send attributes:
  • Via the OAM Administration Console to send attributes to a SAML 2.0 SP Partner
  • Via the OIF WLST commands to send attributes to an OpenID 2.0 RP Partner
The sent attributes will be based on:
  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)
Enjoy the reading!

OAM Administration Console


In this section, I will show how to configure OIF/IdP to send attributes via the admin console. The example will be based on a Federation with a remote SAML 2.0 SP partner, and the OIF/IdP will be configured to:
  • Use the Unspecified NameID format
  • Use the uid LDAP user attribute to set the NameID value
  • Send the following attributes:
    • Email address with the SAML attribute name set to Email
    • An attribute containing a string beginning with “My name is “ and then both the first name and last name, separated by a space. The SAML attribute name will be set to Name
    • UserID with attribute name set to UserID
    • OAM Session count with the SAML attribute name set to SessionCount
    • The client’s IP Address with the SAML attribute name set to IPAddress
For this, I will create a new SP Attribute Profile, and assign it to acmeSP. Later on, if new SP partners are onboarded, it will be possible to assign the existing SP Attribute Profile so that OIF/IdP will send the same attributes to those new SPs.

Steps

To create a new SP Attribute Profile, execute the following steps:
  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Identity Provider Administration
  • Click on the Service Provider Attribute Profiles tab
  • Click on the “Create SP Attribute Profile” button

Set up the basic information about the new SP Attribute Profile:
  • Enter a name
  • Enter a description if needed
  • Note about “Default SP Partner Attribute Profile”:
    • If checked, this will be the pre-assigned SP Attribute Profile when a new SP Partner is created via the UI
    • If checked, it will be the SP Attribute Profile used for SP partners which do not have an SP Attribute Profile assigned (for example the ones created via WLST commands)

We will now add the necessary attributes I listed earlier. Perform the following operations to add the Email attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the email attribute:
    • Message Attribute Name: Email
    • Value: select user, then attr, then enter the LDAP Attribute containing the email address, mail in this case
    • Always send: checked

Perform the following operations to add the Name attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the Name attribute:
    • Message Attribute Name: Name
    • Value: select expression, then enter the following string (in this example, the givenname LDAP attribute contains the first name, and sn the last name): My name is $user.attr.givenname $user.attr.sn
    • Always send: checked

Perform the following operations to add the UserID attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the UserID attribute:
    • Message Attribute Name: UserID
    • Value: select user, then userid
    • Always send: checked

Perform the following operations to add the SessionCount attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the SessionCount attribute:
    • Message Attribute Name: SessionCount
    • Value: select session, then count
    • Always send: checked

Perform the following operations to add the IPAddress attribute:
  • Click the Add Entry button in the Attribute Mapping table
  • Set up the IPAddress attribute:
    • Message Attribute Name: IPAddress
    • Value: select request, then client_ip
    • Always send: checked

The SP Attribute Profile has now been configured to send the required attributes to SP partners linked to this profile.

The SP Partner will need to be updated to use the new SP Attribute Profile, as well as configured for the NameID settings mentioned earlier:
  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Identity Provider Administration
  • Click on the Search Service Provider Partners
  • Open the desired SP Partner
  • Select Unspecified as the NameID format
  • For NameID, select User ID Store Attribute then enter uid as the LDAP attribute containing the userID (note: one could have selected Expression in the drop down and entered an expression similarly to what was used earlier).
  • In the Attribute Mapping section, select the newly created SP Attribute Profile as the Attribute Profile
  • Save


Note about Always Send

The SP Attribute Profile is used for various protocols, including:
  • SAML SSO, where the SP cannot request any attributes at runtime
  • SAML SOAP Attribute exchange, where the SP can request any attributes at runtime
  • OpenID 2.0, where the SP can request any attributes at runtime
The “Always Send” option seen in the SP Attribute Profile section allows an administrator to instruct OIF/IdP to always send the attribute in an Assertion even if it was not requested by the SP partner.

SAML Assertion

Based on a user with the following characteristics, OIF/IdP will generate a SAML Assertion similar to the one shown below:
  • UserID: alice
  • First name: Alice
  • Last name: Appleton
  • Email: alice@idp.com
SAML Assertion generated by OIF/IdP for alice:
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...>
    <saml:Issuer ...>https://idp.com</saml:Issuer>
    <dsig:Signature>
     ...
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
      ...
    </saml:Subject>
    <saml:Conditions NotBefore="2014-02-26T20:35:00Z" NotOnOrAfter="2014-02-26T22:35:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-02-26T20:35:00Z" ...>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:...:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name" ...>
        <saml:AttributeValue ...>My name is Alice Appleton</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="SessionCount" ...>
        <saml:AttributeValue ...>1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Email" ...>
        <saml:AttributeValue ...>alice@idp.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="IPAddress" ...>
        <saml:AttributeValue ...>10.145.120.253</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="UserID" ...>
        <saml:AttributeValue ...>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
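As an added example (not code from the original post or from OIF), the following Python script checks a SAML 2.0 Response against the SP Attribute Profile configured above: it evaluates the profile's value expressions against a user/session/request context, then verifies the NameID format, the NameID value (uid), the Audience and every attribute in the AttributeStatement. The $user/$session/$request evaluator is a simplified stand-in written for this example, not OIF's own expression engine, and the embedded Response and context values are constructed to mirror the alice example above.

```python
"""Added example (not from the original post): check that a SAML 2.0 Response
carries what the SP Attribute Profile above promises. The $user/$session/$request
evaluator is a simplified stand-in written for this example, not OIF's own code."""
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# The SP Attribute Profile from the article: SAML attribute name -> value expression.
PROFILE = {
    "Email": "$user.attr.mail",
    "Name": "My name is $user.attr.givenname $user.attr.sn",
    "UserID": "$user.userid",
    "SessionCount": "$session.count",
    "IPAddress": "$request.client_ip",
}

# Constructed context for alice: assumed LDAP record, OAM session and HTTP request.
CONTEXT = {
    "user": {"userid": "alice", "attr": {"uid": "alice", "mail": "alice@idp.com",
                                         "givenname": "Alice", "sn": "Appleton"}},
    "session": {"count": 1},
    "request": {"client_ip": "10.145.120.253"},
}

_VAR = re.compile(r"\$(user|session|request)\.([A-Za-z_]+)(?:\.([A-Za-z_]+))?")

def evaluate(expr, ctx):
    """Resolve $user.attr.X, $user.userid, $session.count and $request.client_ip
    inside a string; a reference that does not resolve becomes an empty string."""
    def sub(m):
        scope, key, sub_key = m.groups()
        value = ctx.get(scope, {}).get(key)
        if sub_key is not None and isinstance(value, dict):
            value = value.get(sub_key)
        return "" if value is None else str(value)
    return _VAR.sub(sub, expr)

def expected_attributes(profile, ctx):
    return {name: evaluate(expr, ctx) for name, expr in profile.items()}

def parse_response(xml_text):
    """Pull NameID, audiences and the AttributeStatement out of a samlp:Response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    audiences = assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {"nameid": name_id.text, "nameid_format": name_id.get("Format"),
            "audiences": [a.text for a in audiences], "attributes": attrs}

def check_response(xml_text, profile, ctx, expected_audience):
    """Return a list of problems; empty means the Response matches the profile.
    XML signature verification is deliberately out of scope here."""
    parsed = parse_response(xml_text)
    problems = []
    if parsed["nameid_format"] != NAMEID_UNSPECIFIED:
        problems.append("unexpected NameID format %s" % parsed["nameid_format"])
    if parsed["nameid"] != ctx["user"]["attr"]["uid"]:
        problems.append("NameID %r is not the user's uid" % parsed["nameid"])
    if expected_audience not in parsed["audiences"]:
        problems.append("audience %s missing" % expected_audience)
    want = expected_attributes(profile, ctx)
    for name, value in want.items():
        got = parsed["attributes"].get(name)
        if got != value:
            problems.append("attribute %s: expected %r, got %r" % (name, value, got))
    extra = sorted(set(parsed["attributes"]) - set(want))
    if extra:
        problems.append("attributes not in the profile: %s" % extra)
    return problems

# Constructed Response mirroring the one above (signature and IDs abbreviated).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2014-02-26T20:35:00Z">
  <saml:Issuer>https://idp.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-02-26T20:35:00Z">
    <saml:Issuer>https://idp.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-02-26T20:35:00Z" NotOnOrAfter="2014-02-26T22:35:00Z">
      <saml:AudienceRestriction><saml:Audience>https://acme.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name"><saml:AttributeValue>My name is Alice Appleton</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="SessionCount"><saml:AttributeValue>1</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@idp.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="IPAddress"><saml:AttributeValue>10.145.120.253</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="UserID"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, PROFILE, CONTEXT, "https://acme.com/sp") or "OK: matches profile")
```

The script only checks content. An SP must verify the dsig:Signature over the Assertion (and the NotBefore/NotOnOrAfter window) before trusting any of these attribute values; a check like this one is useful after signature validation, or as a smoke test of the profile when onboarding a new SP partner.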

WLST Commands


In this section, I will show how to configure OIF/IdP to send attributes by using the OIF WLST commands. The example will be based on a Federation with a remote OpenID 2.0 SP partner, and the OIF/IdP will be configured to:
  • Send the following attributes:
    • Email address with the OpenID attribute name set to http://axschema.org/contact/email
    • An attribute containing a string beginning with “My name is “ and then both the first name and last name, separated by a space. The OpenID attribute name will be set to http://openid.net/schema/namePerson/friendly
    • UserID with the OpenID attribute name set to http://schemas.openid.net/ax/api/user_id
    • OAM Session count with the OpenID attribute name set to http://session/count
    • The client’s IP Address with attribute name set to http://session/ipaddress

For this, I will create a new SP Attribute Profile, and assign it to acmeRP. Later on, if new RP partners are onboarded, it will be possible to assign the existing SP Attribute Profile so that OIF/IdP will send the same attributes to those new RPs.

I will assume that you have already entered the WLST environment and connected, using:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()

Steps

To configure the new SP Attribute Profile, execute the following steps:

  • Create a new SP Attribute Profile
    createSPPartnerAttributeProfile("openIDAttrProfile")
    • Specify the name of the new SP Attribute Profile
  • Create the Email attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://axschema.org/contact/email", "$user.attr.mail")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://axschema.org/contact/email
    • Set the value to the LDAP Attribute containing the email address, mail in this case: $user.attr.mail
  • Create the Name attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://openid.net/schema/namePerson/friendly", "My name is $user.attr.givenname $user.attr.sn")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://openid.net/schema/namePerson/friendly
    • Set the value to (in this example, the givenname LDAP attribute contains the first name, and sn the last name): My name is $user.attr.givenname $user.attr.sn
  • Create the UserID attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://schemas.openid.net/ax/api/user_id", "$user.userid")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://schemas.openid.net/ax/api/user_id
    • Set the value to the user ID, which is the same reference the admin console offers as user then userid: $user.userid
  • Create the OAM Session Count attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://session/count", "$session.count")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://session/count
    • Set the value to: $session.count
  • Create the client’s IP Address attribute
    setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://session/ipaddress", "$request.client_ip")
    • Specify the name of the SP Attribute Profile to modify
    • Specify the OpenID attribute name to http://session/ipaddress
    • Set the value to: $request.client_ip

To update the SP partner to use that SP Attribute Profile, execute:

  • The setSPPartnerAttributeProfile command:
    setSPPartnerAttributeProfile("acmeRP", "openIDAttrProfile")
    • Specify the SP partner name
    • Specify the name of the SP Attribute Profile to use

OpenID Response

Based on a user with the following characteristics, OIF/IdP will generate an OpenID Response similar to the one shown below:

  • UserID: alice
  • First name: Alice
  • Last name: Appleton
  • Email: alice@idp.com

OpenID Response generated by OIF/IdP for alice:

https://acme.com/sp/openidv20?refid=id-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20&openid.claimed_id=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.identity=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.return_to=http%3A%2F%2Fadc00peq.us.oracle.com%3A7499%2Ffed%2Fsp%2Fopenidv20%3Frefid%3Did-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.response_nonce=2014-02-26T21%3A35%3A08Zid-uTAXy9lDK7TVvgezZVY3XZ06iSDcZb97zxiOl0qw&openid.assoc_handle=id-n-nN-qW2VAZa75-XJshWpmVHK53Yz0-lTZtrtsJm&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=2&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.attr1=My+name+is+Alice+Appleton&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=alice&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=alice%40idp.com&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.value.attr3%2Cax.type.attr4%2Cax.value.attr4&openid.sig=TeDo%2FouX%2BXRI%2F1G8kJVsw5JOVY8%3D

The decoded URL query parameters related to the attributes are:

  • Name of attribute #0: openid.ax.type.attr0=http://session/count
  • Value for attribute #0: openid.ax.value.attr0=2
  • Name of attribute #1: openid.ax.type.attr1=http://openid.net/schema/namePerson/friendly
  • Value for attribute #1: openid.ax.value.attr1=My name is Alice Appleton
  • Name of attribute #2: openid.ax.type.attr2=http://schemas.openid.net/ax/api/user_id
  • Value for attribute #2: openid.ax.value.attr2=alice
  • Name of attribute #3: openid.ax.type.attr3=http://axschema.org/contact/email
  • Value for attribute #3: openid.ax.value.attr3=alice@idp.com
  • Name of attribute #4: openid.ax.type.attr4=http://session/ipaddress
  • Value for attribute #4: openid.ax.value.attr4=10.145.120.253
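As an added example (not code from the original post or from OIF), the following Python script does the RP-side decoding of the id_res redirect shown above: it flattens the query string, checks that the core fields OpenID Authentication 2.0 requires to be signed are listed in openid.signed, and extracts the AX attributes, trusting a type/value pair only when both parameters are covered by openid.signed. The sample URL is the one from the page; the tampered variant in the usage note is constructed. Verifying openid.sig against the association key is assumed to happen elsewhere and is not shown.

```python
"""Added example (not from the original post): decode an OpenID 2.0 id_res
redirect and pull out the Attribute Exchange (AX) attributes, trusting an
attribute only when both its type and value parameters are listed in
openid.signed. Checking openid.sig itself against the association key is
assumed to happen elsewhere and is not shown."""
from urllib.parse import parse_qs, urlsplit

AX_NS = "http://openid.net/srv/ax/1.0"
# Fields OpenID Authentication 2.0 (section 10.1) requires in openid.signed.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

# The id_res URL shown above, copied from the page.
SAMPLE_ID_RES = "https://acme.com/sp/openidv20?refid=id-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20&openid.claimed_id=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.identity=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.return_to=http%3A%2F%2Fadc00peq.us.oracle.com%3A7499%2Ffed%2Fsp%2Fopenidv20%3Frefid%3Did-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.response_nonce=2014-02-26T21%3A35%3A08Zid-uTAXy9lDK7TVvgezZVY3XZ06iSDcZb97zxiOl0qw&openid.assoc_handle=id-n-nN-qW2VAZa75-XJshWpmVHK53Yz0-lTZtrtsJm&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=2&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.attr1=My+name+is+Alice+Appleton&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=alice&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=alice%40idp.com&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.value.attr3%2Cax.type.attr4%2Cax.value.attr4&openid.sig=TeDo%2FouX%2BXRI%2F1G8kJVsw5JOVY8%3D"

def parse_id_res(url):
    """Flatten the query string of an id_res redirect into a name -> value dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def signed_fields(params):
    return set(params.get("openid.signed", "").split(","))

def check_core_signed(params):
    """Return the core fields that should be signed but are not (empty is good)."""
    signed = signed_fields(params)
    missing = REQUIRED_SIGNED - signed
    for field in ("claimed_id", "identity"):
        if "openid." + field in params and field not in signed:
            missing.add(field)
    return sorted(missing)

def ax_alias(params):
    """Find the extension alias bound to the AX namespace ('ax' in the URL above)."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def extract_ax_attributes(params):
    """Return (trusted, unsigned): type URI -> value for single-valued AX attributes
    whose type and value fields are both signed, plus the type URIs that were not."""
    alias = ax_alias(params)
    if alias is None or params.get("openid.%s.mode" % alias) != "fetch_response":
        return {}, []
    signed = signed_fields(params)
    trusted, unsigned = {}, []
    prefix = "openid.%s.type." % alias
    for key, type_uri in params.items():
        if not key.startswith(prefix):
            continue
        name = key[len(prefix):]
        type_field, value_field = "%s.type.%s" % (alias, name), "%s.value.%s" % (alias, name)
        if type_field in signed and value_field in signed:
            trusted[type_uri] = params.get("openid." + value_field)
        else:
            unsigned.append(type_uri)
    return trusted, sorted(unsigned)

if __name__ == "__main__":
    p = parse_id_res(SAMPLE_ID_RES)
    print("core fields missing from openid.signed:", check_core_signed(p))
    print(extract_ax_attributes(p))
```

The signed-field check is the part that matters on the RP side: the redirect lands in the user's browser, so anything not covered by openid.signed can be appended to the URL by whoever controls that browser. Appending an unsigned `openid.ax.type.attr5`/`openid.ax.value.attr5` pair to the sample URL makes extract_ax_attributes report it under unsigned rather than trusted. In the response above, every ax.type.attrN and ax.value.attrN is in openid.signed, so all five attributes are accepted.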


In my next article, I will be showing how to create IdP partners with OIF being a Service Provider.
Cheers,
Damien Carru

About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service