Fed Authentication Methods in OIF / IdP

This article is a continuation of my previous entry where I explained how OIF/IdP leverages OAM to authenticate users at runtime:

  • OIF/IdP internally forwards the user to OAM and indicates which Authentication Scheme should be used to challenge the user if needed
  • OAM determine if the user should be challenged (user already authenticated, session timed out or not, session authentication level equal or higher than the level of the authentication scheme specified by OIF/IdP…)
  • After identifying the user, OAM internally forwards the user back to OIF/IdP
  • OIF/IdP can resume its operation

In this article, I will discuss how OIF/IdP can be configured to map Federation Authentication Methods to OAM Authentication Schemes:

  • When processing an Authn Request, where the SP requests a specific Federation Authentication Method with which the user should be challenged
  • When sending an Assertion, where OIF/IdP sets the Federation Authentication Method in the Assertion

Enjoy the reading!

Overview


The various Federation protocols support mechanisms allowing the partners to exchange information on:

  • How the user should be challenged, when the SP/RP makes a request
  • How the user was challenged, when the IdP/OP issues an SSO response

When a remote SP partner redirects the user to OIF/IdP for Federation SSO, the message might contain data requesting how the user should be challenged by the IdP: this is treated as the Requested Federation Authentication Method.

OIF/IdP will need to map that Requested Federation Authentication Method to a local Authentication Scheme, and then invoke OAM for user authentication/challenge with the mapped Authentication Scheme. OAM would authenticate the user if necessary with the scheme specified by OIF/IdP.

Similarly, when an IdP issues an SSO response, most of the time it will need to include an identifier representing how the user was challenged: this is treated as the Federation Authentication Method.

When OIF/IdP issues an Assertion, it will evaluate the Authentication Scheme with which OAM identified the user:

  • If the Authentication Scheme can be mapped to a Federation Authentication Method, then OIF/IdP will use the result of that mapping in the outgoing SSO response:
    • AuthenticationStatement in the SAML Assertion
    • OpenID Response, if PAPE is enabled
  • If the Authentication Scheme cannot be mapped, then OIF/IdP will set the Federation Authentication Method as the Authentication Scheme name in the outgoing SSO response:
    • AuthenticationStatement in the SAML Assertion
    • OpenID Response, if PAPE is enabled

Mappings


In OIF/IdP, the mapping between Federation Authentication Methods and Authentication Schemes has the following rules:

  • One Federation Authentication Method can be mapped to several Authentication Schemes
  • In a Federation Authentication Method <-> Authentication Schemes mapping, a single Authentication Scheme is marked as the default scheme that will be used to authenticate a user, if the SP/RP partner requests the user to be authenticated via a specific Federation Authentication Method
  • An Authentication Scheme can be mapped to a single Federation Authentication Method

Let’s examine the following example and the various use cases, based on the SAML 2.0 protocol:

  • Mappings defined as:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport mapped to
      • LDAPScheme, marked as the default scheme used for authentication
      • BasicScheme
    • urn:oasis:names:tc:SAML:2.0:ac:classes:X509 mapped to
      • X509Scheme, marked as the default scheme used for authentication
  • Use cases:
    • SP sends an AuthnRequest specifying urn:oasis:names:tc:SAML:2.0:ac:classes:X509 as the RequestedAuthnContext: OIF/IdP will authenticate the use with X509Scheme since it is the default scheme mapped for that method.
    • SP sends an AuthnRequest specifying urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as the RequestedAuthnContext: OIF/IdP will authenticate the use with LDAPScheme since it is the default scheme mapped for that method, not the BasicScheme
    • SP did not request any specific methods, and user was authenticated with BasisScheme: OIF/IdP will issue an Assertion with urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as the FederationAuthenticationMethod
    • SP did not request any specific methods, and user was authenticated with LDAPScheme: OIF/IdP will issue an Assertion with urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as the FederationAuthenticationMethod
    • SP did not request any specific methods, and user was authenticated with BasisSessionlessScheme: OIF/IdP will issue an Assertion with BasisSessionlessScheme as the FederationAuthenticationMethod, since that scheme could not be mapped to any Federation Authentication Method (in this case, the administrator would need to correct that and create a mapping)

Configuration


Mapping Federation Authentication Methods to OAM Authentication Schemes is protocol dependent, since the methods are defined in the various protocols (SAML 2.0, SAML 1.1, OpenID 2.0).

As such, the WLST commands to set those mappings will involve:

  • Either the SP Partner Profile and affect all Partners referencing that profile, which do not override the Federation Authentication Method to OAM Authentication Scheme mappings
  • Or the SP Partner entry, which will only affect the SP Partner

It is important to note that if an SP Partner is configured to define one or more Federation Authentication Method to OAM Authentication Scheme mappings, then all the mappings defined in the SP Partner Profile will be ignored.

Authentication Schemes


As discussed in the previous article, during Federation SSO, OIF/IdP will internally forward the user to OAM for authentication/verification and specify which Authentication Scheme to use.

OAM will determine if a user needs to be challenged:

  • If the user is not authenticated yet
  • If the user is authenticated but the session timed out
  • If the user is authenticated, but the authentication scheme level of the original authentication is lower than the level of the authentication scheme requested by OIF/IdP

So even though an SP requests a specific Federation Authentication Method to be used to challenge the user, if that method is mapped to an Authentication Scheme and that at runtime OAM deems that the user does not need to be challenged with that scheme (because the user is already authenticated, session did not time out, and the session authn level is equal or higher than the one for the specified Authentication Scheme), the flow won’t result in a challenge operation.

Protocols


SAML 2.0

The SAML 2.0 specifications define the following Federation Authentication Methods for SAML 2.0 flows:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
  • urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
  • urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony
  • urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered
  • urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony
  • urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
  • urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract
  • urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
  • urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  • urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
  • urn:oasis:names:tc:SAML:2.0:ac:classes:X509
  • urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
  • urn:oasis:names:tc:SAML:2.0:ac:classes:PGP
  • urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI
  • urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig
  • urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
  • urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword
  • urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony
  • urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony
  • urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
  • urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
  • urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
  • urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken

Out of the box, OIF/IdP has the following mappings for the SAML 2.0 protocol:

  • Only urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport is defined
  • This Federation Authentication Method is mapped to:
    • LDAPScheme, marked as the default scheme used for authentication
    • FAAuthScheme
    • BasicScheme
    • BasicFAScheme
  • This mapping is defined in the saml20-sp-partner-profile SP Partner Profile which is the default OOTB SP Partner Profile for SAML 2.0

An example of an AuthnRequest message sent by an SP to an IdP with the SP requesting a specific Federation Authentication Method to be used to challenge the user would be:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.com/oamfed/idp/samlv20" ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

An example of an Assertion issued by an IdP would be:

<samlp:Response ...>
    <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ...>
        <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
        <dsig:Signature>
            ...
        </dsig:Signature>
        <saml:Subject>
            <saml:NameID ...>bob@oracle.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData .../>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions ...>
            <saml:AudienceRestriction>
                <saml:Audience>https://acme.com/sp</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

An administrator would be able to specify a mapping between a SAML 2.0 Federation Authentication Method and one or more OAM Authentication Schemes

SAML 1.1

The SAML 1.1 specifications define the following Federation Authentication Methods for SAML 1.1 flows:

  • urn:oasis:names:tc:SAML:1.0:am:unspecified
  • urn:oasis:names:tc:SAML:1.0:am:HardwareToken
  • urn:oasis:names:tc:SAML:1.0:am:password
  • urn:oasis:names:tc:SAML:1.0:am:X509-PKI
  • urn:ietf:rfc:2246
  • urn:oasis:names:tc:SAML:1.0:am:PGP
  • urn:oasis:names:tc:SAML:1.0:am:SPKI
  • urn:ietf:rfc:3075
  • urn:oasis:names:tc:SAML:1.0:am:XKMS
  • urn:ietf:rfc:1510
  • urn:ietf:rfc:2945

Out of the box, OIF/IdP has the following mappings for the SAML 1.1 protocol:

  • Only urn:oasis:names:tc:SAML:1.0:am:password is defined
  • This Federation Authentication Method is mapped to:
    • LDAPScheme, marked as the default scheme used for authentication
    • FAAuthScheme
    • BasicScheme
    • BasicFAScheme
  • This mapping is defined in the saml11-sp-partner-profile SP Partner Profile which is the default OOTB SP Partner Profile for SAML 1.1

An example of an Assertion issued by an IdP would be:

<samlp:Response ...>
    <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
    </samlp:Status>
    <saml:Assertion Issuer="https://idp.com/oam/fed" ...>
        <saml:Conditions ...>
            <saml:AudienceRestriction>
                <saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
            <saml:Subject>
                <saml:NameIdentifier ...>bob@oracle.com</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                   <saml:ConfirmationMethod>
                       urn:oasis:names:tc:SAML:1.0:cm:bearer
                   </saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
            </saml:Subject>
        </saml:AuthnStatement>
        <dsig:Signature>
            ...
        </dsig:Signature>
    </saml:Assertion>
</samlp:Response>

Note: SAML 1.1 does not define an AuthnRequest message.

An administrator would be able to specify a mapping between a SAML 1.1 Federation Authentication Method and one or more OAM Authentication Schemes

OpenID 2.0

The OpenID 2.0 PAPE specifications define the following Federation Authentication Methods for OpenID 2.0 flows:

  • http://schemas.openid.net/pape/policies/2007/06/phishing-resistant
  • http://schemas.openid.net/pape/policies/2007/06/multi-factor
  • http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical

Out of the box, OIF/IdP does not define any mappings for the OpenID 2.0 Federation Authentication Methods.

For OpenID 2.0, the configuration will involve mapping a list of OpenID 2.0 policies to a list of Authentication Schemes.

An example of an OpenID 2.0 Request message sent by an SP/RP to an IdP/OP would be:

https://idp.com/openid?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3&openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.realm=https%3A%2F%2Facme.com%2Fopenid&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.ax.type.attr0=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.if_available=attr0&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.max_auth_age=0

An example of an Open ID 2.0 SSO Response issued by an IdP/OP would be:

https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fidp.com%2Fopenid&openid.claimed_id=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.identity=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.response_nonce=2014-03-24T19%3A20%3A06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1&openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=1&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.attr1=My+name+is+Bobby+Smith&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=bob&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=bob%40oracle.com&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_time=2014-03-24T19%3A20%3A05Z&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fphishing-resistant&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.value.attr3%2Cax.type.attr4%2Cax.value.attr4%2Cns.pape%2Cpape.auth_time%2Cpape.auth_policies&openid.sig=mYMgbGYSs22l8e%2FDom9NRPw15u8%3D


In the next article, I will provide examples on how to configure OIF/IdP for the various protocols, to map OAM Authentication Schemes to Federation Authentication Methods.
Cheers,
Damien Carru

Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service

Search

Categories
Archives
« April 2015
SunMonTueWedThuFriSat
   
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
17
18
19
20
21
22
23
24
25
26
27
28
29
30
  
       
Today