Sending Attributes with OIF/ IdP

In this article, I will cover how OIF can be easily configured to send attributes with the SSO Assertion to the partner during the Federation SSO operation. Those attributes can be set to data retrieved from:
  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)

Note that configuring how SAML NameID values are set is similar to how attributes are configured in OIF.

Enjoy the reading!

Attributes in SSO Response


During the Federation SSO operation, the IdP will issue a token targeted for the SP which will contain three kinds of data
  • User information: data about the user that will also allow the SP to identify the user (userID, email address…)
  • Federation authentication information: how the user was authenticated, when was the user challenged, when does the user’s session expire…
  • Token related information used to validate the token’s issuance, to ensure that the IdP was the entity which created the token, that the token has not yet expired…

The OIF/IdP server is able to send information as SAML / OpenID attributes to the SP/RP that can be based on:

  • Static string
  • User information:
    • User ID
    • Identity Store name
    • User global unique identifier (guid)
    • List of groups assigned to the user
    • Value of an attribute stored in the LDAP user record
  • OAM user’s session:
    • Session’s authentication level
    • Name of the Authentication Scheme used to challenge the client
    • Number of opened sessions for the client
    • Date in XML format when the session was created
    • Date in XML format when the session will expire
    • Value of an attribute stored in the OAM session. Note that this attribute might have been stored by another OAM component (for example OAM, OIF/SP…)
  • Browser’s HTTP request:
    • Value of specific HTTP Header
    • Value of specific cookie
    • Client’s IP address
  • Combination of the above data as a single attribute: for example, the IdP could be configured to send the value of an attribute based on the UserID, Identity Store Name and the user’s session count.

The above applies for sending attributes in SAML Assertions and OpenID SSO Responses, but it is also valid for setting the SAML NameID value in a SAML Assertion.

Configuring OIF/IdP


There are several ways to configure OIF/IdP for SAML NameID and SAML/OpenID attributes:

  • Via the OAM Administration Console
    • The SAML NameID can be configured by
      • Indicating the LDAP user attribute to be used
      • Setting an expression based on LDAP user record, session data, http request data or static data
    • A SAML/OpenID attribute can be configured by indicating:
      • The LDAP user attribute to be used
      • One of the following user data:
        • User ID
        • Identity Store name
        • User global unique identifier (guid)
        • List of groups assigned to the user
        • An OAM session attribute to be used
      • One of the following session data:
        • Session’s authentication level
        • Name of the Authentication Scheme used to challenge the client
        • Number of opened sessions for the client
        • Date in XML format when the session was created
        • Date in XML format when the session will expire
      • An HTTP header to be used
      • A cookie to be used
      • The browser’s IP address
      • A static string
      • An expression based on LDAP user record, session data, http request data or static data
  • Via a WLST command
    • The SAML NameID can be configured by setting an expression based on LDAP user record, session data, http request data or static data
    • A SAML/OpenID attribute can be configured by indicating an expression based on LDAP user record, session data, http request data or static data

Expressions


OIF/IdP is configured to send attributes/NameID via the use of an expression language similar to the one used in the OAM Authorization Policy Responses. Below is the list of possible elements that can be used to configure a NameID/Attribute.

Type
Data
Expression
Example
User User ID
$user.userid $user.userid

Identity Store Name
$user.id_domain $user.id_domain

User GUID
$user.guid $user.guid

Comma separated list of groups which the user is member of
$user.groups
$user.groups

LDAP User Attribute $user.attr.ATTR_NAME, with ATTR_NAME being the name of an LDAP User Attribute $user.attr.givenname
OAM user’s session
Authentication Level
$session.authn_level $session.authn_level

Authentication Scheme
$session.authn_scheme $session.authn_scheme

Session Count
$session.count $session.count

Session Creation Date
$session.creation $session.creation

Session Expiration Date
$session.expiration $session.expiration

Session Attribute
$session.attr.ATTR_NAME, with ATTR_NAME being the name of an OAM Session Attribute

$session.attr.fed.partner

(this session attribute is set by OIF/SP when receiving an Assertion from a remote IdP and contains the IdP’s partner name; I will discuss more about those attributes in a future article) 

Browser’s HTTP request HTTP Header value
$request.httpheader.HTTP_HEADER_NAME, with HTTP_HEADER_NAME being the name of an HTTP Header $user.httpheader.user-agent

Cookie value
$request.cookie.COOKIE_NAME, with COOKIE_NAME being the name of a cookie $user.cookie.JSESSIONID

Client’s IP Address $request.client_ip $request.client_ip

Note about Always Send

The SP Attribute Profile is used for various protocols, including:

  • SAML SSO, where the SP cannot request any attributes at runtime
  • SAML SOAP Attribute exchange, where the SP can request any attributes at runtime
  • OpenID 2.0, where the SP can request any attributes at runtime

The “Always Send” option seen in the SP Attribute Profile section allows an administrator to instruct OIF/IdP to always send the attribute in an Assertion even if it was not requested by the SP partner.


In the next article, I will be showcasing two examples:

  • How to configure OIF/IdP via the OAM Administration Console to send attributes to a SAML 2.0 SP Partner
  • How to configure OIF/IdP via the OIF WLST commands to send attributes to an OpenID 2.0 RP Partner

Cheers,
Damien Carru


Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service

Search

Categories
Archives
« March 2015
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today