Fed Authentication Method Requests in OIF / IdP

In my previous article, I explained how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, so that OIF/IdP can report the OAM Authentication Scheme used to challenge the user as a Federation Authentication Method in the SSO Response it issues.

In this post, I will describe how to set up OIF/IdP, so that an SP can request the user to be authenticated via a specific OAM Authentication Scheme.

The approach is based on the Federation Authentication Methods and their mappings to OAM Authentication Schemes. In a recent article, I explained that:

  • Each defined Federation Authentication Method can be mapped to several Authentication Schemes
  • In a Federation Authentication Method <-> Authentication Schemes mapping, a single Authentication Scheme is marked as the default scheme that will be used to authenticate a user, if the SP/RP partner requests the user to be authenticated via a specific Federation Authentication Method

The examples will show how to indicate to OIF/IdP which Authentication Scheme to use to challenge the user, when the SP requests a specific Federation Authentication Method to be used.

Configuration


Similarly to the examples listed in the previous post, mapping Federation Authentication Methods to OAM Authentication Schemes is protocol dependent, since the methods are defined by the various protocols (SAML 2.0, SAML 1.1, OpenID 2.0). The mappings can be defined on:

  • Either the SP Partner Profile, which affects all Partners referencing that profile that do not override the Federation Authentication Method to OAM Authentication Scheme mappings themselves
  • Or the SP Partner entry, which only affects that SP Partner

It is important to note that if an SP Partner defines one or more Federation Authentication Method to OAM Authentication Scheme mappings, then all the mappings defined in the SP Partner Profile are ignored for that Partner: the Partner-level mappings replace the profile mappings rather than extending them, so a Partner that overrides one method must define every method it expects its SP to request.

WLST Commands


The same OIF WLST commands used to map Federation Authentication Methods to OAM Authentication Schemes are used to indicate which scheme to use when an SP requests that a user be challenged via a specific Federation Authentication Method:

  • addSPPartnerProfileAuthnMethod() to define a mapping on an SP Partner Profile, taking as parameters:
    • The name of the SP Partner Profile
    • The Federation Authentication Method
    • The OAM Authentication Scheme name
    • A default flag indicating if this scheme should be the one used for authentication, when the SP/RP Partner requests this Federation Authentication Method to be used at runtime
  • addSPPartnerAuthnMethod() to define a mapping on an SP Partner , taking as parameters:
    • The name of the SP Partner
    • The Federation Authentication Method
    • The OAM Authentication Scheme name
    • A default flag indicating if this scheme should be the one used for authentication, when the SP/RP Partner requests this Federation Authentication Method to be used at runtime

In the next section, I will show examples on how to use the addSPPartnerProfileAuthnMethod() with the SAML 2.0 protocol.

Note: SAML 1.1 does not support a way for the SP to request a specific Federation Authentication Method.

Example


Test Setup

In this setup, OIF is acting as an IdP and is integrated with a remote SAML 2.0 SP partner identified by AcmeSP. By default:

  • LDAPScheme is the default Authentication Scheme
  • Only urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport is defined
  • This Federation Authentication Method is mapped to:
    • LDAPScheme, marked as the default scheme used for authentication
    • FAAuthScheme
    • BasicScheme
    • BasicFAScheme
  • This mapping is defined in the saml20-sp-partner-profile SP Partner Profile which is the default OOTB SP Partner Profile for SAML 2.0, and the profile referenced by AcmeSP (getFedPartnerProfile("AcmeSP", "sp") )

In this test, I will perform Federation SSO with OIF/IdP in the following successive configurations:

  • The SP does not specify a Federation Authentication Method
  • The SP specifies urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method, with OIF/IdP still in its OOTB configuration
  • urn:oasis:names:tc:SAML:2.0:ac:classes:Password is mapped to LDAPScheme, LDAPScheme is marked as the default scheme for this mapping, and the SP specifies urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method
  • BasicScheme is added to the urn:oasis:names:tc:SAML:2.0:ac:classes:Password mapping without being marked as the default, and the SP specifies urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method
  • BasicScheme is set as the default scheme for the urn:oasis:names:tc:SAML:2.0:ac:classes:Password mapping, and the SP specifies urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method

SP not Requesting a Fed Authn Method

In a typical Federation SSO operation, the SP would not request a specific Federation Authentication Method to be used to challenge the user.

The SAML 2.0 AuthnRequest would be similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.com/oamfed/idp/samlv20" ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

Since the settings are OOTB, the global default Authentication Scheme would be used for authentication, which is LDAPScheme.

Test: during the Federation SSO operation where the SP does not request a specific Federation Authentication Method to be used, the user would be challenged by OAM using LDAPScheme.

SP Requesting a Fed Authn Method

In this flow, the SP requests OIF/IdP to use a specific Federation Authentication Method to be used to challenge the user. This method is urn:oasis:names:tc:SAML:2.0:ac:classes:Password, and this will be requested by the SP for all subsequent tests in this article.

The SAML 2.0 AuthnRequest would be similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.com/oamfed/idp/samlv20" ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Since OOTB the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method is not defined in OIF/IdP, the server returns an error to the SP indicating that this Federation Authentication Method is unknown at OIF/IdP: a SAML 2.0 Response whose first-level status code is urn:oasis:names:tc:SAML:2.0:status:Requester and whose second-level status code is urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext. No assertion is included in such a Response, so the SP must check the Status before looking for one.

The SAML 2.0 Response would be similar to:

<samlp:Response ...>
   <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
      </samlp:StatusCode>
   </samlp:Status>
</samlp:Response>

Test: during the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the operation would result in an error.
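To make the exchange in this section concrete, here is an added Python example (not code from the post or from OIF) that extracts the RequestedAuthnContext from an AuthnRequest constructed after the one above, picks the scheme from a plain dictionary of defined Federation Authentication Methods to their default OAM scheme, and builds the Status of the Response either way. The function names, the ID value, the dictionary and the "first defined class ref wins" rule are assumptions of the example; the Comparison attribute is extracted but not evaluated, since the post only shows a single class ref.

```python
"""Extract the Federation Authentication Method an SP asks for from a SAML 2.0
AuthnRequest, and build the Status of the Response OIF/IdP sends back.
Added illustration for this page, not OIF code; the function names are
invented and the XML below is constructed after the post's examples."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed requests modelled on the post's two AuthnRequests (not captures).
REQUEST_TEMPLATE = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'Destination="https://idp.com/oamfed/idp/samlv20" ID="id-example-1" '
    'IssueInstant="2014-03-21T20:51:11Z" Version="2.0">'
    '<saml:Issuer>https://acme.com/sp</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="false" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    '{rac}</samlp:AuthnRequest>'
)
REQUEST_NO_METHOD = REQUEST_TEMPLATE.format(rac="")
# Whitespace around the URI is deliberate: the post's example wraps it too.
REQUEST_PASSWORD = REQUEST_TEMPLATE.format(rac=(
    '<samlp:RequestedAuthnContext Comparison="minimum">'
    '<saml:AuthnContextClassRef>\n  ' + PASSWORD + '\n</saml:AuthnContextClassRef>'
    '</samlp:RequestedAuthnContext>'))


def requested_methods(authn_request_xml):
    """Return (Comparison, [AuthnContextClassRef URIs]); ('exact', []) when the
    request carries no RequestedAuthnContext (exact is the SAML default)."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs


def build_response(authn_request_xml, method_to_scheme, global_default_scheme,
                   issuer="https://idp.com/oam/fed"):
    """Pick the OAM scheme and build the samlp:Response status the post shows.
    method_to_scheme maps each defined Federation Authentication Method to its
    default scheme. No requested method -> global default scheme; otherwise the
    first requested method that is defined wins (assumption of this example)."""
    _comparison, refs = requested_methods(authn_request_xml)
    if not refs:
        scheme = global_default_scheme
    else:
        scheme = next((method_to_scheme[r] for r in refs if r in method_to_scheme), None)
    resp = ET.Element(f"{{{SAMLP}}}Response", {"Version": "2.0"})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    top = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    if scheme is None:
        # Unknown method: first-level Requester, second-level NoAuthnContext,
        # and no assertion at all in the Response.
        top.set("Value", STATUS + "Requester")
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": STATUS + "NoAuthnContext"})
    else:
        top.set("Value", STATUS + "Success")
    return scheme, ET.tostring(resp, encoding="unicode")


def status_codes(response_xml):
    """(first-level, second-level or None) status of a Response: what an SP
    must check before looking for an assertion in it."""
    root = ET.fromstring(response_xml)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    nested = top.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), None if nested is None else nested.get("Value")


if __name__ == "__main__":
    ootb = {PPT: "LDAPScheme"}          # the only method defined OOTB
    print(build_response(REQUEST_PASSWORD, ootb, "LDAPScheme"))
    print(build_response(REQUEST_PASSWORD, {**ootb, PASSWORD: "LDAPScheme"}, "LDAPScheme"))
```

With the OOTB dictionary the Password request yields the Requester/NoAuthnContext pair from the Response above; adding the Password entry, as the next section does with WLST, turns it into a Success status with LDAPScheme selected.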

Creating Fed Authn Mapping

To correct the error seen above, I will need to define the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method mapped to LDAPScheme: that way, when the SP will request that method, LDAPScheme will be used.

Note: by doing so, I am also removing the existing mapping between urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport and LDAPScheme, since an OAM Authentication Scheme is mapped to a single Federation Authentication Method at a time: PasswordProtectedTransport will now only be mapped to BasicScheme, BasicFAScheme and FAAuthScheme. Because LDAPScheme was the default scheme of that mapping, review the PasswordProtectedTransport mapping afterwards if SPs still request that method.

To create the mapping, execute the following steps:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the addSPPartnerProfileAuthnMethod() command:
    addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "LDAPScheme")
  • Exit the WLST environment:
    exit()

I did not explicitly specify that LDAPScheme should be used as the default scheme when an SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password during Federation SSO, because the WLST command treats a missing isDefault parameter as true.

Test: during the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user would be challenged via LDAPScheme.

Adding BasicScheme to the Fed Authn Mapping

In this example, I will add the BasicScheme to the list of schemes mapped to the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method, but I will not indicate that BasicScheme should be used if the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password at runtime to challenge the user.

Note: by doing so, I am also removing the existing mapping between urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport and BasicScheme, for the same reason as above: PasswordProtectedTransport will now only be mapped to BasicFAScheme and FAAuthScheme.

To create the mapping, execute the following steps:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the addSPPartnerProfileAuthnMethod() command:
    addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "BasicScheme", isDefault="false")
  • Exit the WLST environment:
    exit()

I specified that the BasicScheme should not be used as the default scheme if an SP requests the urn:oasis:names:tc:SAML:2.0:ac:classes:Password during Federation SSO.

Test: during the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user would be challenged via LDAPScheme.

Setting BasicScheme to be used for User Challenge

In this example, I will indicate that BasicScheme should be used if the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password at runtime to challenge the user. The command issued will be similar to the previous command, except that the isDefault parameter will be set to true:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the addSPPartnerProfileAuthnMethod() command:
    addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "BasicScheme", isDefault="true")
  • Exit the WLST environment:
    exit()

Test: during the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user would be challenged via BasicScheme.
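The following Python model, added to this page and not part of the post or of OIF, replays the five tests above against the rules stated in the Configuration and WLST Commands sections: a Partner-level mapping hides every Profile mapping, an OAM scheme belongs to one Federation Authentication Method at a time, exactly one scheme per method is the default, and a missing isDefault means true. The class and function names are invented; the scheme lists are those of the Test Setup. What the post does not say (which scheme, if any, becomes the default of a method that just lost its default scheme) is left unset and marked as an assumption.

```python
"""Model of how OIF/IdP resolves a requested Federation Authentication Method
to an OAM Authentication Scheme. Added illustration written for this page,
not OIF code: names are invented and only the behaviour the post describes
is modelled."""

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PROFILE = "saml20-sp-partner-profile"


class AuthnMethodMappings:
    """Federation Authentication Method -> OAM Authentication Schemes, for one
    SP Partner Profile or one SP Partner entry."""

    def __init__(self):
        self.schemes = {}   # method -> list of mapped scheme names
        self.default = {}   # method -> scheme used when the SP requests it

    def add(self, method, scheme, is_default=True):
        # isDefault omitted means true, as the post notes for the WLST command.
        # An OAM scheme is mapped to one method at a time: mapping it to a new
        # method removes it from the method it was previously mapped to.
        for other, names in self.schemes.items():
            if other != method and scheme in names:
                names.remove(scheme)
                if self.default.get(other) == scheme:
                    # The post does not say which scheme becomes the default of
                    # the method that lost it; left unset here (assumption).
                    self.default[other] = None
        names = self.schemes.setdefault(method, [])
        if scheme not in names:
            names.append(scheme)
        if is_default:
            self.default[method] = scheme


class IdP:
    """OIF/IdP: a global default scheme, SP Partner Profiles, and SP Partners
    that reference a profile and may carry their own mappings."""

    def __init__(self, global_default_scheme):
        self.global_default_scheme = global_default_scheme
        self.profiles = {}   # profile name -> AuthnMethodMappings
        self.partners = {}   # partner name -> (profile name, AuthnMethodMappings)

    def register_sp_partner(self, partner, profile):
        self.partners[partner] = (profile, AuthnMethodMappings())

    # Counterparts of addSPPartnerProfileAuthnMethod() / addSPPartnerAuthnMethod()
    def add_sp_partner_profile_authn_method(self, profile, method, scheme, is_default=True):
        self.profiles.setdefault(profile, AuthnMethodMappings()).add(method, scheme, is_default)

    def add_sp_partner_authn_method(self, partner, method, scheme, is_default=True):
        self.partners[partner][1].add(method, scheme, is_default)

    def scheme_for(self, partner, requested_method=None):
        """Scheme OAM challenges the user with, or None when OIF/IdP would
        answer with the Requester/NoAuthnContext status instead."""
        if requested_method is None:
            return self.global_default_scheme
        profile, partner_mappings = self.partners[partner]
        # Any mapping defined on the Partner makes the Profile mappings ignored.
        if any(partner_mappings.schemes.values()):
            return partner_mappings.default.get(requested_method)
        return self.profiles[profile].default.get(requested_method)


def ootb_idp():
    """The post's starting point: AcmeSP references saml20-sp-partner-profile,
    which maps only PasswordProtectedTransport, with LDAPScheme as default."""
    idp = IdP(global_default_scheme="LDAPScheme")
    idp.register_sp_partner("AcmeSP", PROFILE)
    for scheme, is_default in [("LDAPScheme", True), ("FAAuthScheme", False),
                               ("BasicScheme", False), ("BasicFAScheme", False)]:
        idp.add_sp_partner_profile_authn_method(PROFILE, PPT, scheme, is_default)
    return idp


def replay_post_tests():
    """Run the post's five tests in order; returns the scheme chosen at each
    step plus the final IdP so the side effects on PPT can be inspected."""
    idp = ootb_idp()
    chosen = [idp.scheme_for("AcmeSP"),              # no method requested
              idp.scheme_for("AcmeSP", PASSWORD)]    # Password not defined yet
    idp.add_sp_partner_profile_authn_method(PROFILE, PASSWORD, "LDAPScheme")
    chosen.append(idp.scheme_for("AcmeSP", PASSWORD))
    idp.add_sp_partner_profile_authn_method(PROFILE, PASSWORD, "BasicScheme", is_default=False)
    chosen.append(idp.scheme_for("AcmeSP", PASSWORD))
    idp.add_sp_partner_profile_authn_method(PROFILE, PASSWORD, "BasicScheme", is_default=True)
    chosen.append(idp.scheme_for("AcmeSP", PASSWORD))
    return chosen, idp


def partner_override_demo():
    """One Partner-level mapping on AcmeSP hides every Profile mapping: Password
    resolves via the Partner, PasswordProtectedTransport no longer resolves."""
    idp = ootb_idp()
    idp.add_sp_partner_authn_method("AcmeSP", PASSWORD, "FAAuthScheme")
    return idp.scheme_for("AcmeSP", PASSWORD), idp.scheme_for("AcmeSP", PPT)


if __name__ == "__main__":
    print(replay_post_tests()[0])   # LDAPScheme, None, LDAPScheme, LDAPScheme, BasicScheme
    print(partner_override_demo())  # FAAuthScheme, None
```

The second function is the check worth running before overriding mappings on a Partner rather than on its Profile: after a single Partner-level entry, a request for the method every SP used to get from the Profile comes back as NoAuthnContext for that Partner.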


In the next article, I will cover how OIF/SP can be configured to request a Federation Authentication Method from a remote IdP at runtime during Federation SSO.
Cheers,
Damien Carru


About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service
