Fed Authentication Method Requests in OIF / SP

In my previous posts, I explained how to configure OIF/IdP to map Federation Authentication Methods to OAM Authentication Schemes for authentication and to allow an SP to request at runtime a user to be authenticated via a specific OAM Authentication Scheme.

In this article, I will now look at OIF/SP and how it can be set up to request a specific Federation Authentication Method to be used by the remote IdP Partner at runtime, to challenge the user.

Enjoy the reading!

Protocols


OIF/SP can request a specific Federation Authentication Method to be used at the remote IdP Partner, only if the protocol used between the two servers supports such a mechanism:

  • SAML 2.0 defines the RequestedAuthnContext element in the SAML 2.0 AuthnRequest message, in which the SP lists one or more AuthnContextClassRef values together with a Comparison attribute
  • SAML 1.1 does not define a way for the SP to request a Federation Authentication Method
  • OpenID 2.0 defines the PAPE (Provider Authentication Policy Extension) extension, where the SP/RP lists the authentication policies it prefers in openid.pape.preferred_auth_policies and the OP reports the policies it actually applied in openid.pape.auth_policies

WLST Commands


OIF/SP can be configured to request a specific Federation Authentication Method via:

  • An IdP Partner Profile, in which case the setting applies to all IdP Partners bound to this profile
  • An IdP Partner, in which case the setting applies only to that partner

The OIF WLST commands that can be used are:

  • setIdPPartnerProfileRequestAuthnMethod() which will configure the requested Federation Authentication Method in a specific IdP Partner Profile, and accepts the following parameters:
    • partnerProfile: name of the IdP Partner Profile
    • authnMethod: the Federation Authentication Method to request
    • displayOnly: an optional parameter indicating if the method should display the current requested Federation Authentication Method instead of setting it
    • delete: an optional parameter indicating if the method should delete the current requested Federation Authentication Method instead of setting it
  • setIdPPartnerRequestAuthnMethod() which will configure the specified IdP Partner entry with the requested Federation Authentication Method, and accepts the following parameters:
    • partner: name of the IdP Partner
    • authnMethod: the Federation Authentication Method to request
    • displayOnly: an optional parameter indicating if the method should display the current requested Federation Authentication Method instead of setting it
    • delete: an optional parameter indicating if the method should delete the current requested Federation Authentication Method instead of setting it

SAML 2.0


Test Setup

In this setup, OIF is acting as an SP and is integrated with a remote SAML 2.0 IdP partner identified by AcmeIdP:

  • By default, OIF/SP is not configured to request any Federation Authentication Method
  • The remote IdP supports the following Federation Authentication Methods
    • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (default method indicated by the IdP out of band)
    • urn:oasis:names:tc:SAML:2.0:ac:classes:X509

In the following tests, I will perform Federation SSO with OIF/SP configured to:

  • Perform Federation SSO with the SP not requesting a Federation Authentication Method
  • Perform Federation SSO with the SP requesting urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • Perform Federation SSO with the SP requesting urn:oasis:names:tc:SAML:2.0:ac:classes:X509
  • Perform Federation SSO with the SP requesting urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI

SP not Requesting a Fed Authn Method

In a typical Federation SSO operation, the SP would not request a specific Federation Authentication Method to be used to challenge the user.

The SAML 2.0 AuthnRequest would be similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://acmeidp.com/saml20/sso" ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://sp.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

The IdP will challenge the user with its default authentication mechanism (in this case with a mechanism mapped to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)

The SAML 2.0 SSO Response would be similar to:

<samlp:Response ...>
    <saml:Issuer ...>https://acmeidp.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ...>
        <saml:Issuer ...>https://acmeidp.com</saml:Issuer>
        <dsig:Signature>
            ...
        </dsig:Signature>
        <saml:Subject>
            <saml:NameID ...>bob@oracle.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData .../>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions ...>
            <saml:AudienceRestriction>
                <saml:Audience>https://sp.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

SP Requesting PasswordProtectedTransport

In this flow, OIF/SP requests the remote IdP to use urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as the Federation Authentication Method for the user challenge.

To configure OIF/SP so that it will request urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport  from the IdP, I will use the setIdPPartnerRequestAuthnMethod() to configure the IdP Partner:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the setIdPPartnerRequestAuthnMethod() command:
    setIdPPartnerRequestAuthnMethod("AcmeIdP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
  • Exit the WLST environment:
    exit()

The SAML 2.0 AuthnRequest would be similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://acmeidp.com/saml20/sso" ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://sp.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

The IdP will challenge the user with the authentication mapped to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

The SAML 2.0 SSO Response would be similar to:

<samlp:Response ...>
    <saml:Issuer ...>https://acmeidp.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ...>
        <saml:Issuer ...>https://acmeidp.com</saml:Issuer>
        <dsig:Signature>
            ...
        </dsig:Signature>
        <saml:Subject>
            <saml:NameID ...>bob@oracle.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData .../>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions ...>
            <saml:AudienceRestriction>
                <saml:Audience>https://sp.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                       urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

SP Requesting X509

In this flow, OIF/SP requests the remote IdP to use urn:oasis:names:tc:SAML:2.0:ac:classes:X509 as the Federation Authentication Method for the user challenge.

To configure OIF/SP so that it will request urn:oasis:names:tc:SAML:2.0:ac:classes:X509 from the IdP, I will use the setIdPPartnerRequestAuthnMethod() to configure the IdP Partner:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the setIdPPartnerRequestAuthnMethod() command:
    setIdPPartnerRequestAuthnMethod("AcmeIdP", "urn:oasis:names:tc:SAML:2.0:ac:classes:X509")
  • Exit the WLST environment:
    exit()

The SAML 2.0 AuthnRequest would be similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://acmeidp.com/saml20/sso" ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://sp.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:oasis:names:tc:SAML:2.0:ac:classes:X509
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

The IdP will challenge the user with the authentication mapped to urn:oasis:names:tc:SAML:2.0:ac:classes:X509.

The SAML 2.0 SSO Response would be similar to:

<samlp:Response ...>
    <saml:Issuer ...>https://acmeidp.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ...>
        <saml:Issuer ...>https://acmeidp.com</saml:Issuer>
        <dsig:Signature>
            ...
        </dsig:Signature>
        <saml:Subject>
            <saml:NameID ...>bob@oracle.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData .../>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions ...>
            <saml:AudienceRestriction>
                <saml:Audience>https://sp.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                     urn:oasis:names:tc:SAML:2.0:ac:classes:X509
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

SP Requesting SmartcardPKI

In this flow, OIF/SP requests the remote IdP to use urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI as the Federation Authentication Method for the user challenge. This test will result in an error, because the IdP does not support that Federation Authentication Method.

To configure OIF/SP so that it will request urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI from the IdP, I will use the setIdPPartnerRequestAuthnMethod() to configure the IdP Partner:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the setIdPPartnerRequestAuthnMethod() command:
    setIdPPartnerRequestAuthnMethod("AcmeIdP", "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI")
  • Exit the WLST environment:
    exit()

The SAML 2.0 AuthnRequest would be similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://acmeidp.com/saml20/sso" ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://sp.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

The IdP will not challenge the user and instead will return a SAML 2.0 Response with a top-level StatusCode of urn:oasis:names:tc:SAML:2.0:status:Requester and the nested (second-level) StatusCode set to urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext, indicating that the IdP cannot satisfy the requested Authentication Context.

The SAML 2.0 Response would be similar to:

<samlp:Response ...>
   <saml:Issuer ...>https://acmeidp.com</saml:Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
      </samlp:StatusCode>
   </samlp:Status>
</samlp:Response>

Note About Comparison

If OIF/SP is configured to request a Federation Authentication Method from a remote IdP Partner, it will by default set the Comparison attribute of the RequestedAuthnContext element in the SAML 2.0 AuthnRequest to minimum.

This SAML 2.0 attribute can be one of the following:

  • minimum: the IdP must use the requested method, or one it deems at least as strong
  • exact: the IdP must use exactly the requested method
  • maximum: the IdP must use the strongest method it deems no stronger than the requested one
  • better: the IdP must use a method it deems stronger than the requested one
  • <empty>: the attribute is omitted, and exact will be assumed by the IdP

Note that SAML 2.0 does not define an ordering of the Authentication Context classes: with minimum, better or maximum it is the IdP that decides which methods are "stronger", so the assertion may legitimately carry a different AuthnContextClassRef than the one requested. An SP must therefore evaluate the AuthnContextClassRef actually returned in the signed assertion, rather than assume the requested method was used; when a specific method is mandatory, request it with exact.

If it is required to change that flag to another value, an OIF WLST command can be used to update the configuration:

  • At the IdP Partner Profile level, the putStringProperty() method will be used:
    putStringProperty("/fedpartnerprofiles/PARTNER_PROFILE_NAME/requestauthncomparison", VALUE)
    • PARTNER_PROFILE_NAME is the name of the IdP Partner Profile
    • requestauthncomparison is the property holding the Comparison flag (the same property name as at the Partner level)
    • VALUE is the value that will be stored in the Comparison flag, and must be one of the following values:
      • minimum
      • exact
      • maximum
      • better
      • none
    • An example would be:
      putStringProperty("/fedpartnerprofiles/saml20-idp-partner-profile/requestauthncomparison", "exact")
  • At the IdP Partner level, the updatePartnerProperty() method will be used:
    updatePartnerProperty(PARTNER_NAME, "idp", "requestauthncomparison", VALUE)
    • PARTNER_NAME is the name of the IdP Partner
    • VALUE is the value that will be stored in the Comparison flag, and must be one of the following values:
      • minimum
      • exact
      • maximum
      • better
      • none
    • An example would be:
      updatePartnerProperty("AcmeIdP", "idp", "requestauthncomparison", "exact")
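The SP side of the SAML 2.0 flows above, as an added Python example that is not part of the original post and not OIF code: it builds the AuthnRequest with or without RequestedAuthnContext, recognizes the nested NoAuthnContext status of the SmartcardPKI flow, and applies the Comparison rule to the AuthnContextClassRef of a successful response. Entity IDs, request IDs, timestamps and the two sample responses are constructed to mirror the captures above; signature verification of the assertion is assumed to have been done before evaluate_response() is trusted, and the acceptable set is an assumed SP-side list, not an OIF setting.

```python
"""SP side of the SAML 2.0 RequestedAuthnContext exchange (added example)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, destination, request_id, issue_instant,
                        requested=(), comparison="minimum"):
    """Serialize the AuthnRequest the SP sends. RequestedAuthnContext is only
    emitted when the SP is configured to request one or more methods (OIF's
    default is none); Comparison defaults to "minimum" as OIF does."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "Destination": destination, "ID": request_id,
        "IssueInstant": issue_instant, "Version": "2.0"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "AllowCreate": "false",
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"})
    if requested:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": comparison})
        for method in requested:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = method
    return ET.tostring(req, encoding="unicode")


def evaluate_response(response_xml, requested=(), comparison="minimum",
                      acceptable=frozenset()):
    """Return (accepted, detail) for an IdP Response whose assertion
    signature has ALREADY been verified.

    'acceptable' is an assumed SP-side set of class URIs the SP itself treats
    as satisfying a non-exact request: SAML does not rank the classes, so
    with Comparison="minimum" the IdP may answer with any class *it* deems at
    least as strong, and the SP has to decide which of those it trusts."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None:
        return False, "malformed: no StatusCode"
    if status.get("Value") != STATUS_SUCCESS:
        # The reason is in the nested (second-level) StatusCode, e.g.
        # Requester/NoAuthnContext in the SmartcardPKI flow.
        nested = status.find(f"{{{SAMLP}}}StatusCode")
        reason = nested.get("Value") if nested is not None else status.get("Value")
        return False, "idp-error: " + reason
    ref = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}AuthnStatement/"
                    f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    if ref is None or not (ref.text or "").strip():
        return False, "malformed: no AuthnContextClassRef"
    got = ref.text.strip()  # the captures carry whitespace around the URI
    if not requested or got in requested:
        return True, got
    if comparison != "exact" and got in acceptable:
        return True, got
    return False, "unexpected-context: " + got


# Constructed sample responses, shaped like the captures above (no signature).
def sample_success(class_ref):
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Issuer>https://acmeidp.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion>
    <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
            {class_ref}
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


SAMPLE_NO_AUTHN_CONTEXT = f"""<samlp:Response xmlns:samlp="{SAMLP}">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_REQUESTER}">
      <samlp:StatusCode Value="{STATUS_NO_AUTHN_CONTEXT}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_authn_request("https://sp.com", "https://acmeidp.com/saml20/sso",
                              "id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-",
                              "2014-03-21T20:51:11Z", requested=[AC + "X509"]))
    print(evaluate_response(sample_success(AC + "X509"), [AC + "X509"]))
    print(evaluate_response(SAMPLE_NO_AUTHN_CONTEXT, [AC + "SmartcardPKI"]))
```

With comparison="exact", only the requested class is accepted; with the default "minimum", a class outside the request is accepted only if it is in the SP's own acceptable set, which keeps the decision about what counts as "stronger" on the SP side.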

OpenID 2.0


Test Setup

In this setup, OIF is acting as an SP/RP and is integrated with a remote OpenID 2.0 IdP/OP partner identified by AcmeOP:

  • By default, OIF/SP is not configured to request any Federation Authentication Method
  • The remote IdP supports the following Federation Authentication Methods
    • http://schemas.openid.net/pape/policies/2007/06/phishing-resistant

In the following tests, I will perform Federation SSO with OIF/SP configured to:

  • Perform Federation SSO with the SP not requesting a Federation Authentication Method
  • Perform Federation SSO with the SP requesting http://schemas.openid.net/pape/policies/2007/06/phishing-resistant

SP not Requesting a Fed Authn Method

In a typical Federation SSO operation, the SP would not request a specific Federation Authentication Method to be used to challenge the user.

The OpenID 2.0 SSO Request would be similar to (note that there are no PAPE request parameters in the request, since the SP/RP did not request any policy):

https://acmeop.com/openid20?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=id-m4wzOs9Vigl-lTxvvWFql0HpGj8-&openid.return_to=https%3A%2F%2Fsp.com%2Foam%2Fserver%2Ffed%2Fsp%2Fsso%3Frefid%3Did-JJ06syDyCELqLWDqRHGcI9sQI1DTBzouDL6qSKiE&openid.realm=https%3A%2F%2Fsp.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.ax.type.attr0=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.type.attr1=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.required=attr0%2Cattr1

The IdP will challenge the user with its default authentication mechanism, and the SSO Response will not contain any PAPE Response attributes, since the request did not contain any PAPE elements.

The OpenID 2.0 SSO Response would be similar to:

https://sp.com/oam/server/fed/sp/sso?refid=id-JJ06syDyCELqLWDqRHGcI9sQI1DTBzouDL6qSKiE&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Facmeop.com%2Fopenid20&openid.claimed_id=https%3A%2F%2Facmeop.com%2Fopenid20%3Fid%3Did-YxEgHp7b49OrDy9dJP4BWrwbNUQ-&openid.identity=https%3A%2F%2Facmeop.com%2Fopenid20%3Fid%3Did-YxEgHp7b49OrDy9dJP4BWrwbNUQ-&openid.return_to=https%3A%2F%2Fsp.com%2Foam%2Fserver%2Ffed%2Fsp%2Fsso%3Frefid%3Did-JJ06syDyCELqLWDqRHGcI9sQI1DTBzouDL6qSKiE&openid.response_nonce=2014-03-27T19%3A06%3A59Zid-AI5SSUN4A2yEtUPRSw5-byMbyR8-&openid.assoc_handle=id-m4wzOs9Vigl-lTxvvWFql0HpGj8-&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr0=alice&openid.ax.type.attr1=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr1=alice%40oracle.com&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1&openid.sig=rzSC1Oa%2Bvpba2z%2Fh0HzpS3R2DO8%3D

SP Requesting phishing-resistant

In this flow, OIF/SP requests the remote IdP to use http://schemas.openid.net/pape/policies/2007/06/phishing-resistant as the Federation Authentication Method for the user challenge.

To configure OIF/SP so that it will request http://schemas.openid.net/pape/policies/2007/06/phishing-resistant from the IdP, I will use the setIdPPartnerRequestAuthnMethod() to configure the IdP Partner:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the setIdPPartnerRequestAuthnMethod() command:
    setIdPPartnerRequestAuthnMethod("AcmeOP", "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant")
  • Exit the WLST environment:
    exit()

The OpenID 2.0 SSO Request would be similar to (note the PAPE request parameters openid.ns.pape and openid.pape.preferred_auth_policies at the end of the request this time):

https://acmeop.com/openid20?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=id-eL-ODTYp5StXeXbmpSEs-eUQtG8-&openid.return_to=https%3A%2F%2Fsp.com%2Foam%2Fserver%2Ffed%2Fsp%2Fsso%3Frefid%3Did-4TmXY8UvwwssPI-IUYjTX-NMxz1wlkAZ7q0ABE-L&openid.realm=https%3A%2F%2Fsp.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.ax.type.attr0=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.type.attr1=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.required=attr0%2Cattr1&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.preferred_auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fphishing-resistant

The IdP will challenge the user with the authentication mapped to http://schemas.openid.net/pape/policies/2007/06/phishing-resistant, and the SSO Response will contain the PAPE response parameters openid.pape.auth_policies (the policies the OP actually applied) and openid.pape.auth_time. Note that ns.pape, pape.auth_time and pape.auth_policies are listed in openid.signed, so they are covered by the response signature; an SP/RP should only trust a reported policy when that is the case.

The OpenID 2.0 SSO Response would be similar to:

https://sp.com/oam/server/fed/sp/sso?refid=id-4TmXY8UvwwssPI-IUYjTX-NMxz1wlkAZ7q0ABE-L&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Facmeop.com%2Fopenid20&openid.claimed_id=https%3A%2F%2Facmeop.com%2Fopenid20%3Fid%3Did-YxEgHp7b49OrDy9dJP4BWrwbNUQ-&openid.identity=https%3A%2F%2Facmeop.com%2Fopenid20%3Fid%3Did-YxEgHp7b49OrDy9dJP4BWrwbNUQ-&openid.return_to=https%3A%2F%2Fsp.com%2Foam%2Fserver%2Ffed%2Fsp%2Fsso%3Frefid%3Did-4TmXY8UvwwssPI-IUYjTX-NMxz1wlkAZ7q0ABE-L&openid.response_nonce=2014-03-27T19%3A24%3A21Zid-q61psPKlfNHFelE3XBymqi22jM0-&openid.assoc_handle=id-eL-ODTYp5StXeXbmpSEs-eUQtG8-&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr0=alice&openid.ax.type.attr1=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr1=alice%40oracle.com&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_time=2014-03-27T19%3A24%3A20Z&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fphishing-resistant&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cns.pape%2Cpape.auth_time%2Cpape.auth_policies&openid.sig=WhDkc14KTGVSiqdzvfHoWKaYiCw%3D
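The RP side of the two OpenID 2.0 flows above, as an added Python example that is not from the original post and not OIF code: build_checkid_setup() adds the PAPE request parameters only when a policy is configured, and pape_policies_satisfied() checks that the policy the RP asked for is reported in openid.pape.auth_policies and that the PAPE fields are among the fields listed in openid.signed. The endpoint, handles, nonce and the placeholder openid.sig are constructed to mirror the captures; verification of openid.sig against the association key is assumed to have been done separately.

```python
"""RP side of the OpenID 2.0 PAPE exchange (added example)."""
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
RETURN_TO = "https://sp.com/oam/server/fed/sp/sso?refid=id-4TmXY8UvwwssPI-IUYjTX-NMxz1wlkAZ7q0ABE-L"


def build_checkid_setup(op_endpoint, return_to, realm, assoc_handle,
                        preferred_policies=()):
    """Build the checkid_setup redirect; the PAPE namespace and
    preferred_auth_policies are added only when the RP requests a policy."""
    params = [
        ("openid.ns", OPENID_NS),
        ("openid.mode", "checkid_setup"),
        ("openid.claimed_id", IDENTIFIER_SELECT),
        ("openid.identity", IDENTIFIER_SELECT),
        ("openid.assoc_handle", assoc_handle),
        ("openid.return_to", return_to),
        ("openid.realm", realm),
    ]
    if preferred_policies:
        params.append(("openid.ns.pape", PAPE_NS))
        # PAPE carries the preferred policies space-separated in one parameter.
        params.append(("openid.pape.preferred_auth_policies",
                       " ".join(preferred_policies)))
    return op_endpoint + "?" + urlencode(params)


def pape_policies_satisfied(response_url, required_policies):
    """Return (ok, detail) for an id_res response whose openid.sig has ALREADY
    been checked against the association.

    ok only when every required policy is reported in
    openid.pape.auth_policies AND the PAPE fields are listed in openid.signed:
    an unsigned auth_policies value is not covered by the OP's HMAC and could
    be appended by whoever controls the redirect."""
    p = dict(parse_qsl(urlsplit(response_url).query, keep_blank_values=True))
    if p.get("openid.mode") != "id_res":
        return False, "not a positive assertion: mode=%s" % p.get("openid.mode")
    if not required_policies:
        return True, "no policy required"
    if p.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not answer with PAPE"
    signed = set(p.get("openid.signed", "").split(","))
    for field in ("ns.pape", "pape.auth_policies"):
        if field not in signed:
            return False, field + " not covered by openid.signed"
    met = set(p.get("openid.pape.auth_policies", "").split())
    met.discard(PAPE_NONE)  # PAPE's explicit "no policy was met" marker
    missing = [r for r in required_policies if r not in met]
    if missing:
        return False, "policies not met: " + " ".join(missing)
    return True, "met: " + " ".join(sorted(met))


def sample_id_res(auth_policies=None, sign_pape=True):
    """Constructed id_res redirect shaped like the capture above; openid.sig
    is a placeholder, not a real HMAC."""
    params = [
        ("openid.ns", OPENID_NS),
        ("openid.mode", "id_res"),
        ("openid.op_endpoint", "https://acmeop.com/openid20"),
        ("openid.claimed_id", "https://acmeop.com/openid20?id=id-YxEgHp7b49OrDy9dJP4BWrwbNUQ-"),
        ("openid.identity", "https://acmeop.com/openid20?id=id-YxEgHp7b49OrDy9dJP4BWrwbNUQ-"),
        ("openid.return_to", RETURN_TO),
        ("openid.response_nonce", "2014-03-27T19:24:21Zid-q61psPKlfNHFelE3XBymqi22jM0-"),
        ("openid.assoc_handle", "id-eL-ODTYp5StXeXbmpSEs-eUQtG8-"),
    ]
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    if auth_policies is not None:
        params += [("openid.ns.pape", PAPE_NS),
                   ("openid.pape.auth_time", "2014-03-27T19:24:20Z"),
                   ("openid.pape.auth_policies", auth_policies)]
        if sign_pape:
            signed += ["ns.pape", "pape.auth_time", "pape.auth_policies"]
    params += [("openid.signed", ",".join(signed)), ("openid.sig", "placeholder=")]
    return RETURN_TO + "&" + urlencode(params)


if __name__ == "__main__":
    print(build_checkid_setup("https://acmeop.com/openid20", RETURN_TO,
                              "https://sp.com", "id-eL-ODTYp5StXeXbmpSEs-eUQtG8-",
                              [PHISHING_RESISTANT]))
    print(pape_policies_satisfied(sample_id_res(PHISHING_RESISTANT), [PHISHING_RESISTANT]))
    print(pape_policies_satisfied(sample_id_res(PHISHING_RESISTANT, sign_pape=False),
                                  [PHISHING_RESISTANT]))
```

The second call in the usage block shows the failure mode worth testing: a response that reports phishing-resistant but leaves the PAPE fields out of openid.signed is rejected, because the policy claim is then outside what the OP's signature covers.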

In the next article, I will discuss how to map Federation Authentication Methods to Authentication Levels in OIF/SP, when creating the OAM User Session after processing the Federation SSO Response.
Cheers,
Damien Carru

About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service