Integrating ADFS 2.0/3.0 SP with OIF IdP

As a continuation of my previous articles, I will today describe how to integrate ADFS 2.0/3.0 as an SP and OIF as an IdP.

Be sure to have read my previous entry covering the pre-requisites.

The SAML 2.0 integration will be based on:

  • Email address will be used as the NameID format
  • The NameID value will contain the user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.

ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. The articles will showcase screenshots for ADFS 3.0, while the documented steps will apply to both versions.

ADFS Setup


To add OIF as an IdP in ADFS SP, execute the following steps:

  • Go to the machine where ADFS is deployed
  • If ADFS 2.0 is used
    • Click Start Menu -> Programs -> Administrative Tools -> AD FS 2.0 Management
    • Expand ADFS 2.0 -> Trust Relationships
  • If ADFS 3.0 is used
    • In Server Manager, click Tools -> AD FS Management
    • Expand AD FS -> Trust Relationships
  • Right click on Claims Provider Trusts and select Add Claims Provider Trust
  • The Add Claims Provider Trust window will appear

Execute the following steps:

  • Click Start
  • Select Import data about the claims provider from a file
  • Click Browse and select the local OIF IdP SAML 2.0 Metadata file (the OIF endpoints must be SSL terminated, otherwise ADFS will not import the metadata; see my previous pre-requisites article about SSL)

Execute the following steps:

  • Click Next
  • If a Warning window appears about unsupported features in ADFS, continue by clicking OK (this relates to the SAML Attribute Authority feature listed in the OIF IdP SAML 2.0 Metadata)
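Both import conditions above (SSL-terminated endpoints, and the warning caused by the Attribute Authority descriptor) can be checked on the metadata file before it is handed to the ADFS wizard. The following script is an added example, not code from the original article or from Oracle; it parses a constructed OIF-style metadata document (the hostname, entityID and paths are placeholders) and reports what ADFS will see.

```python
"""Preflight checks on an OIF IdP SAML 2.0 metadata file before importing it into ADFS.

Added example (not from the original article). It applies the two import
conditions the article describes to a constructed metadata document:
every endpoint Location must be https, and an AttributeAuthorityDescriptor
triggers the "unsupported features" warning in the wizard.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata: hostname, entityID and paths are placeholders,
# not taken from a real deployment. One endpoint deliberately uses plain http.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://oif.example.com/oam/fed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://oif.example.com/oamfed/idp/samlv20"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://oif.example.com/oamfed/idp/samlv20"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://oif.example.com/oamfed/idp/samlv20"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://oif.example.com/oamfed/aa/soap"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def check_metadata(xml_text):
    """Return a dict summarising what ADFS will see when importing this metadata."""
    root = ET.fromstring(xml_text)
    # Every element carrying a Location attribute is an endpoint; ADFS refuses
    # metadata whose endpoints are not SSL terminated.
    non_ssl = [
        el.get("Location")
        for el in root.iter()
        if el.get("Location") is not None
        and not el.get("Location").lower().startswith("https://")
    ]
    nameid_formats = [
        el.text.strip()
        for el in root.findall("./md:IDPSSODescriptor/md:NameIDFormat", NS)
    ]
    # The Attribute Authority role is what the ADFS wizard flags as unsupported.
    has_attribute_authority = root.find("md:AttributeAuthorityDescriptor", NS) is not None
    return {
        "entity_id": root.get("entityID"),
        "non_ssl_endpoints": non_ssl,
        "import_will_succeed": not non_ssl,
        "expect_unsupported_feature_warning": has_attribute_authority,
        "supports_email_nameid": EMAIL_FORMAT in nameid_formats,
    }


if __name__ == "__main__":
    for key, value in check_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real metadata file exported from OIF by replacing SAMPLE_METADATA with the file contents; a non-empty non_ssl_endpoints list is the condition that makes the ADFS import fail, and expect_unsupported_feature_warning tells you in advance whether the OK-to-continue warning will appear.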

Execute the following steps:

  • Enter a name for the new SAML 2.0 Identity Provider

Execute the following steps:

  • Click Next
  • A summary window will be displayed

Execute the following steps:

  • Click Next
  • Leave the Open the Edit Claims box checked

Execute the following steps:

  • Click Close
  • The Edit Rule window will appear

Execute the following steps:

  • Click Add Rule
  • Select Pass Through or Filter an Incoming Claim

Execute the following steps:

  • Click Next
  • Enter a name for the Claim Rule
  • Select NameID as the Incoming Claim Type
  • Select Email as the Incoming name ID format
  • Select
    • Pass through all claim values if you want to accept any email addresses
    • Pass through only claim values that match a specific email suffix value if you want to accept only a specific set of email addresses (in our example I will select this choice, as all users will have an @acme.com email address)

Execute the following steps:

  • Click Finish
  • The list of claim rules will be displayed
  • Click OK

As mentioned in the pre-requisites article, if you want to configure ADFS to use/accept SHA-1 signatures, perform the following steps (Note: if you don’t configure ADFS to use/accept SHA-1 signatures, you will have to configure OIF to use SHA-256 for signatures):

  • Go to the machine where ADFS is deployed
  • If ADFS 2.0 is used
    • Click Start Menu -> Programs -> Administrative Tools -> AD FS 2.0 Management
    • Expand ADFS 2.0 -> Trust Relationships
  • If ADFS 3.0 is used
    • In Server Manager, click Tools -> AD FS Management
    • Expand AD FS -> Trust Relationships
  • Right click on the newly created Claims Provider Trust and select Properties
  • Select the Advanced Tab
  • Select SHA-1
  • Click OK
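The two ADFS-side settings configured above, the NameID claim rule with its e-mail suffix filter and the accepted signature algorithm, decide whether an assertion from OIF is accepted. The script below is an added example, not code from the original article or from Microsoft or Oracle, and it is a simplified model of those two checks rather than the ADFS claim rule engine: it reads a constructed SAML 2.0 Assertion (issuer, ID, user and signature content are placeholders) and reports the NameID format and value, whether the @acme.com suffix rule would pass the claim through, and whether the signature algorithm matches what the trust accepts.

```python
"""Inspect a SAML 2.0 Assertion the way the ADFS claim rule and signature
setting from this article would see it.

Added example (not from the original article). It is a simplified model of
the "pass through only claim values that match a specific email suffix"
rule and of the SHA-1 / SHA-256 setting on the trust's Advanced tab,
applied to a constructed assertion.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample assertion: issuer, ID, user and signature content are
# placeholders (the Signature element is present for structure only and does
# not carry a real signature value).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="id-EXAMPLE-0001" Version="2.0" IssueInstant="2015-02-01T12:00:00Z">
  <saml:Issuer>https://oif.example.com/oam/fed</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@acme.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""


def inspect_assertion(xml_text, accepted_suffix="@acme.com", adfs_accepts_sha1=False):
    """Summarise how the claim rule and signature settings apply to one assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.find("./saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    value = nameid.text.strip() if nameid is not None and nameid.text else None
    sig_method = root.find("./ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    algorithm = sig_method.get("Algorithm") if sig_method is not None else None

    # Claim rule model: the incoming claim must be a NameID in e-mail format
    # whose domain part equals the configured suffix (mail domains are
    # compared case-insensitively; the local part is left untouched).
    suffix_match = (
        fmt == EMAIL_FORMAT
        and value is not None
        and "@" in value
        and value.rsplit("@", 1)[1].lower() == accepted_suffix.lstrip("@").lower()
    )
    # Signature model, as the article states it: unless the trust is switched
    # to SHA-1 on the Advanced tab, the IdP has to sign with SHA-256.
    signature_accepted = algorithm == RSA_SHA256 or (
        algorithm == RSA_SHA1 and adfs_accepts_sha1
    )

    return {
        "nameid_format": fmt,
        "nameid_value": value,
        "claim_passes_suffix_rule": suffix_match,
        "signature_algorithm": algorithm,
        "signature_accepted_by_adfs": signature_accepted,
    }


if __name__ == "__main__":
    for key, value in inspect_assertion(SAMPLE_ASSERTION).items():
        print(f"{key}: {value}")
```

Feed it the decoded SAMLResponse captured from the browser (the Assertion element inside it) when a login is rejected by ADFS: a SHA-1 signature with adfs_accepts_sha1=False, or a NameID in a format other than e-mail, reproduces the two mismatches this article's configuration is meant to avoid.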

OIF Setup


To add ADFS as an SP partner in OIF, execute the following steps:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Identity Provider Administration
  • Click on the “Create Service Provider Partner” button
  • In the Create screen:
    • Enter a name for the partner
    • Select SAML 2.0 as the Protocol
    • Click Load Metadata and upload the SAML 2.0 Metadata file for the SP
    • Select the NameID format to set in the SAML 2.0 Assertion (Email Address NameID format in this case)
    • Select how the NameID value will be set (User ID Store Attribute, using the mail attribute in this case)
    • Select the default Attribute Profile that will indicate how to populate the SAML Assertion with attributes.
    • Click Save

As mentioned in the pre-requisites article, if you want to configure OIF to use SHA-256 for signatures, perform the following steps (Note: if you don’t configure OIF to use SHA-256 for signatures, you will have to configure ADFS to use/accept SHA-1 signatures):

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the configureFedDigitalSignature() command:
    configureFedDigitalSignature(partner="PARTNER_NAME", partnerType="idp/sp", algorithm="SHA-256/SHA-1")
    • Replace PARTNER_NAME with the name of the partner added
    • Set the partnerType to idp or sp
    • Set the algorithm to SHA-256 or SHA-1
    • An example would be:
      configureFedDigitalSignature(partner="ADFSSP", partnerType="sp", algorithm="SHA-256")
  • Exit the WLST environment:
    exit()

Test


To test, access the OIF IdP initiated SSO page:

  • URL:
    http(s)://oam-runtime-host:oam-runtime-port/oamfed/idp/initiatesso?providerid=PARTNER_NAME
    • Replace PARTNER_NAME with the name of the SP partner
    • An example would be:
      https://acme.com/oamfed/idp/initiatesso?providerid=ADFSSP
  • OAM/OIF will challenge for authentication
  • You will be redirected to ADFS SP with a SAML Assertion


In the next article, I will show how to enable and implement Authorization Policies for Federation SSO when OIF is acting as an IdP.
Cheers,
Damien Carru



About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service