Oracle Identity Federation has been released!

Oracle Identity Federation (OIF) has been released as part of Oracle Fusion Middleware 11gR2 Release 2!

This new version of OIF provides Identity Provider (IdP) and Service Provider (SP), a.k.a. Relying Party (RP), support for the SAML 2.0, SAML 1.1 and OpenID 2.0 protocols.

The admin interfaces have been revamped to give administrators a comprehensive and easy way to manage Federation partnerships on a day-to-day basis: the UI covers the basic administration of Federation settings, which accounts for most daily use cases, while the OIF WLST command scripting tools allow advanced configuration of the Federation server and its partners.

In this article, I will discuss the features included in OIF:

  • Native Integration with OAM
  • Protocols
  • Additional Features

Native Integration with OAM

OIF is now part of Oracle Access Manager (OAM) and is natively integrated with the server's SSO features. This allows the different OIF components to interact tightly with OAM's components:

  • IdP module, responsible for authenticating users on behalf of remote Service Providers:
    • Integrates with OAM SSO server for user authentication
    • Leverages the various OAM Authentication Schemes to challenge users
    • Bundled in the OIF J2EE Web Application in the OAM J2EE Application
    • Integrates with the OAM Token Issuance Policy when creating SAML/User Assertions
  • SP module, responsible for delegating the authentication of a user to a remote Identity Provider:
    • Bundled as a collection of OAM Authentication Plugins in an OAM Authentication Module
    • Available as an OAM Authentication Scheme: a non-authenticated user requesting access to a resource protected by an OAM Federation Scheme will result in a Federation SSO operation being triggered with a remote IdP
    • Able to save attributes present in the SAML/OpenID Assertions into the OAM session

The following diagram depicts the internal architecture of OIF

Protocols

The protocols supported by the Federation server include:
  • SAML 2.0
    • SSO/IdP:
      • HTTP-Redirect, HTTP-POST, PAOS bindings when receiving an AuthnRequest message
      • Artifact, HTTP-POST bindings when sending an SSO Response with Assertion
    • SSO/SP:
      • HTTP-Redirect, HTTP-POST bindings when sending an AuthnRequest message
      • Artifact, HTTP-POST bindings when receiving an SSO Response with Assertion
    • Logout IdP/SP: HTTP-Redirect, HTTP-POST bindings
    • Attribute Authority
    • Attribute Request
    • Identity Provider Discovery
  • SAML 1.1
    • SSO/IdP: Artifact, HTTP-POST bindings when sending an SSO Response with Assertion
    • SSO/SP: Artifact, HTTP-POST bindings when receiving an SSO Response with Assertion
    • Attribute Authority
    • Attribute Request
  • OpenID 2.0 IdP/SP
    • Authentication 2.0
    • Attribute Exchange 1.0
    • Provider Authentication Policy Extension 1.0
    • Simple Registration Extension 1.0

Additional Features

On top of supporting the above list of SAML and OpenID protocols, OIF provides other features aimed at facilitating the use of Federation SSO for most scenarios:

  • Identity Provider Discovery:
    • When a Federation SSO operation is triggered and the IdP has not been determined yet, OIF/SP can interact with an IdP Discovery Service whose task is to select the IdP to be used.
    • The IdP Discovery Service is typically a standalone service implemented and managed by an integrator, which determines the IdP to be used at runtime. The determination could be based on the user's location, on some cookies saved in the user's browser...
    • OIF provides a basic IdP Discovery Service that lists the registered IdP partners and invites the user to select the one to use for the Federation SSO operation
  • Authorization during IdP SSO:
    • When OIF/IdP performs a Federation SSO operation on behalf of a remote SP, it can evaluate if the user is allowed to perform a Federation SSO with that SP Partner
    • The authorization is based on Token Issuance Policies, with:
      • The resource being the SP partner
      • The constraint being always true, or based on the user's identity/group
  • Expression language for SAML Token Issuance:
    • During the SAML Assertion creation, the OIF/IdP can include SAML Attributes with values based on
      • LDAP User record
      • OAM Session data
      • User's browser information
    • The administrator uses an expression to set SAML Attribute values similar to the one used for OAM Policy Responses
  • SAML Attributes available as OAM Session attributes
    • When OIF acts as an SP, the attributes from the SAML/OpenID Assertion will be stored in the OAM User Session
    • Those attributes will then be available for
      • Policy constraints
      • Policy Responses to be injected in the HTTP request for web applications protected by a WebGate agent
  • User Authentication:
    • OIF/IdP integrates with OAM to authenticate users via the available Authentication Schemes
    • OIF/IdP can use a specific default Authentication Scheme on a per SP Partner basis
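The items above on authorization based on the user's identity/group and on SAML attributes stored in the user session describe what an SP does with an assertion it has accepted. The following is an added Python illustration, not OIF's or Oracle's code: it parses a constructed SAML 2.0 assertion, enforces the assertion's audience and validity-window Conditions (a check any SP performs before trusting the attributes), builds the session attribute map and evaluates a group constraint on it. The entity IDs, attribute names, subject and timestamps are made-up assumptions.

```python
# Added illustration, not Oracle's code: an SP consuming a SAML 2.0 assertion
# into session attributes and evaluating a group-based policy constraint.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, audience, subject and values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2015-04-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/fed/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-04-01T11:59:00Z" NotOnOrAfter="2015-04-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/oam/fed</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):  # SAML UTC timestamp in the 'Z' form used above
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def session_attributes(assertion_xml, sp_entity_id, now):
    """Return {attribute name: [values]} to store in the user session, or raise
    ValueError if the assertion is not valid for this SP at time `now`.
    XML signature verification, which a real SP does first, is out of scope."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    attrs = {"nameid": [root.findtext("saml:Subject/saml:NameID", namespaces=NS)]}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def group_constraint(session, required_group):
    """Policy constraint of the kind the article describes: group membership from the assertion."""
    return required_group in session.get("groups", [])
```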

In the next article, I will be discussing the basic use of OIF (enabling OIF, retrieving SAML 2.0 metadata, services location...)



This is a great article.
But it might help to understand the main differences compared to OIF 11gR1 standalone.
So, including a few notes in each relevant section of this article to talk about those main/key differences would be helpful.

Posted by guest on April 26, 2015 at 04:06 AM EDT #


Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service

