Using the Test SP App in OIF/SP

In this article, I will talk about how to enable and use the Test SP Application in OIF/SP, which is very useful when OIF acts as an SP and Federation agreements with IdPs have been set up. It provides the following capabilities:

  • Test the Federation SSO flows
  • Verify if the mapping rules work
  • See which attributes are sent by the IdP, how they are named and how they are processed by OIF/SP
  • See the Federation token (SAML Assertion or OpenID SSO Response)

This tool is very useful to diagnose issues in the SAML/OpenID flows, before rolling Federation SSO out.

This is a Web Application that will exercise the SP functionality of OIF via a browser without creating any OAM session:

  • The application is accessed via a browser
  • Federation SSO is started with the specified IdP
  • You authenticate at the IdP
  • OIF/SP processes the SAML Assertion / OpenID SSO response
  • The application displays the result and SAML Assertion / OpenID SSO response

Enabling / Disabling the Test SP Engine


Out of the box, the Test SP application is disabled and you will need to enable it before being able to use it.

Note: the Test SP App displays the decoded Federation token and the user attributes extracted from it in the browser, so once you’re done using it, disable it again rather than leaving it enabled on a production server.

To enable or disable the Test SP app, you will need to execute the following OIF WLST commands:

  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the configureTestSPEngine() command:
    • To enable the Test SP Engine:
      configureTestSPEngine("true")
    • To disable the Test SP Engine:
      configureTestSPEngine("false")
  • Exit the WLST environment:
    exit()

Using the Test SP Engine


Starting Federation SSO

Starting the Federation SSO flow involves:

  • Going to the Test SP application via a browser
  • Selecting the IdP to perform Federation SSO with
  • Starting the operation

The URL to use to access the Test SP application is:
http(s)://oam-runtime-host:oam-runtime-port/oamfed/user/testspsso

The Test SP application will display a drop down with a list of IdPs to perform Federation SSO with:

  • Either you select a specific IdP
  • Or you choose the entry labelled Default, which instructs OIF/SP to use the Default SSO IdP

Once you select the IdP, click on the “Start SSO” button that will trigger the Federation SSO with the specified IdP:

  • You will be redirected to the IdP, as in a normal Federation SSO operation (the IdP is not aware that you are using the Test SP application bundled with OIF: it only sees OIF/SP performing the Federation SSO)
  • The IdP will either:
    • Challenge you for your credentials, and then send a SAML/OpenID response
    • Send a SAML/OpenID response directly (either because you are already authenticated, or because an error occurred)

Result of the Test SP Operation

When the IdP redirects the user with the SAML Assertion / OpenID Response to OIF/SP, the server will validate the response, map it to an LDAP user record and return the result to the Test SP application, which will display:

  • The result of the authentication operation
  • The canonical user ID to which the response was mapped, which contains
    • The Identity Store name
    • The user’s DN
    • The user’s ID
  • The authentication instant
  • The IdP partner name
  • Attributes from the SSO Response that will be stored in the OAM session (see my next article for more information)
  • The decrypted/decoded SSO response

Diagnosing Issues


If the Federation SSO between an IdP and OIF/SP is not working, the Test SP engine, together with the OAM/OIF logs, is a good tool to diagnose the problem.

Mapping Issues

If the incoming SSO Assertion cannot be mapped to a local LDAP user record, the Test SP application can show:

  • The error message
  • The NameID/attributes sent by the IdP
  • The SSO message sent by the IdP, which contains the NameID/attributes

In this example, the IdP’s and OIF/SP’s administrators agreed to use SAML 2.0 and to identify the user via the email address. The issue here is that the email address for alice at the IdP is alice.appleton@oracle.com, while in the LDAP directory used by OIF/SP, the email is alice@oracle.com.

The Test SP application will show the following information at the end of the flow:

  • The authentication operation failed
  • The Assertion could not be mapped to a local user record
  • The data extracted from the Assertion as well as the message itself

The OIF log files will show the following error message as well as the SAML message:

<Feb 28, 2014 7:18:05 AM PST> <Warning> <oracle.security.fed.eventhandler.fed.profiles.sp.sso.assertion.Saml20AssertionProcessor> <FED-15108> <User was not found during attribute based authentication using NameID mapping for name identifier: alice.appleton@oracle.com name identifier format : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and message : <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso" ID="id-aWfL5-f37nhQWh0WWjHbobsVetM-" InResponseTo="id-hqkZGMV-wEO5-CulpYxArIvr91Y14dA-WSRYZ8zP" IssueInstant="2014-02-28T15:18:05Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-PoOD-BDUeoiSY4ajPCQ86yjZWkw-" IssueInstant="2014-02-28T15:18:05Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-PoOD-BDUeoiSY4ajPCQ86yjZWkw-"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>X5ojFxrpBOS4klosM5jcBOF8Bqg=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>VJKJOBOowHZ4lVkHjX4w2YHi+0ZAa4ez/+D+ketAQcOxxtwOZPcBYERwkMgazudMh0XEMbIkwsBTVwb4tX+uV327Gjlp1hXc0uYnm2n8mZfen9Ppru6jTES4N7PoD3mOpCfFEHBUJg118DihWGLfzBWw7LMLaN2A+dMhQwBMXAw=</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice.appleton@oracle.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="id-hqkZGMV-wEO5-CulpYxArIvr91Y14dA-WSRYZ8zP" NotOnOrAfter="2014-02-28T15:23:05Z" Recipient="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-02-28T15:18:05Z" NotOnOrAfter="2014-02-28T15:23:05Z"><saml:AudienceRestriction><saml:Audience>http://adc00pcc.us.oracle.com:23002/oam/fed</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-02-28T15:18:05Z" SessionIndex="id-2i7BY1gGnhukoBSDmrvkBIaG-NI-" SessionNotOnOrAfter="2014-02-28T16:18:05Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>.>

Response Validation Issues

If the incoming SSO Assertion cannot be validated, the Test SP application can show:

  • The error message
  • The SSO message sent by the IdP

In this example, the IdP’s and OIF/SP’s administrators agreed to use SAML 2.0, but the IdP is not signing the Assertion, which OIF/SP requires (typically the Assertion is signed; for this example I disabled the signature on the IdP to showcase the error).

The Test SP application will show the following information at the end of the flow:

  • The authentication operation failed
  • The Assertion could not be validated
  • The SAML message

The OIF log files will show the following error message as well as the SAML message:

<Feb 28, 2014 7:23:05 AM PST> <Error> <oracle.security.fed.eventhandler.fed.profiles.utils.CheckUtils> <FEDSTS-18003> <Assertion is not signed.>
<Feb 28, 2014 7:23:05 AM PST> <Error> <oracle.security.fed.eventhandler.fed.profiles.sp.sso.v20.ProcessResponseEventHandler> <FED-18012> <Assertion cannot be validated: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso" ID="id-De7M27k5CWpBsuGzgaxwHgwqV1g-" InResponseTo="id-fX4nHKLCMcA-ZjHvsKfCORDZLmIDcQMpVYjqmxQb" IssueInstant="2014-02-28T15:23:05Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-EAdQSXj-royYNuuWbaBWZVdBtu8-" IssueInstant="2014-02-28T15:23:05Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@oracle.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="id-fX4nHKLCMcA-ZjHvsKfCORDZLmIDcQMpVYjqmxQb" NotOnOrAfter="2014-02-28T15:28:05Z" Recipient="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-02-28T15:23:05Z" NotOnOrAfter="2014-02-28T15:28:05Z"><saml:AudienceRestriction><saml:Audience>http://adc00pcc.us.oracle.com:23002/oam/fed</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-02-28T15:23:05Z" SessionIndex="id--0QWpaU2AV-L7UpNvLH5Bn7Z5Xk-" 
SessionNotOnOrAfter="2014-02-28T16:23:05Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>.>
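The two log excerpts above show what OIF/SP checks before it accepts an Assertion and maps it to a user. The following script is an added example, not part of the original post and not OIF code: it reads a SAML 2.0 Response, extracts the fields the Test SP page displays (IdP, NameID and its format, authentication instant, attributes), runs the SP-side checks (enveloped signature present, InResponseTo, Recipient, AudienceRestriction, validity window) and then attempts the attribute-based mapping of the NameID against a directory. SAMPLE_RESPONSE is a constructed response modelled on the one in the first log excerpt (IDs shortened, signature contents replaced by a placeholder), DIRECTORY is an in-memory stand-in for the OIF/SP LDAP identity store, and the request ID, assertion consumer URL and provider ID in SP_EXPECTATIONS are assumed to be what OIF/SP would know from its own configuration. It only checks that a signature is present; OIF/SP, like any SAML SP, also verifies it against the IdP's signing certificate.

```python
"""Added example, not from the original post and not OIF code: reproduce what
the Test SP app reports for a SAML 2.0 Response and why the flow fails.
Assumed: SP_EXPECTATIONS stands in for what OIF/SP knows from its own
configuration, DIRECTORY for its LDAP identity store, and SAMPLE_RESPONSE is
a constructed response modelled on the one in the OIF log above."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _ts(s):  # SAML UTC timestamp, e.g. 2014-02-28T15:18:05Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: the IdP asserts alice.appleton@oracle.com while the SP
# directory knows alice@oracle.com (the mapping failure from the post).
SIGNATURE = ('<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'
             '<dsig:SignedInfo/><dsig:SignatureValue>placeholder</dsig:SignatureValue></dsig:Signature>')
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-resp-1" InResponseTo="id-req-1"
 Destination="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso"
 IssueInstant="2014-02-28T15:18:05Z" Version="2.0">
<saml:Issuer>http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="id-assertion-1" IssueInstant="2014-02-28T15:18:05Z" Version="2.0">
<saml:Issuer>http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><!--SIG-->
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice.appleton@oracle.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 InResponseTo="id-req-1" NotOnOrAfter="2014-02-28T15:23:05Z"
 Recipient="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2014-02-28T15:18:05Z" NotOnOrAfter="2014-02-28T15:23:05Z"><saml:AudienceRestriction>
<saml:Audience>http://adc00pcc.us.oracle.com:23002/oam/fed</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-02-28T15:18:05Z" SessionIndex="id-session-1"><saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>""".replace("<!--SIG-->", SIGNATURE)

SP_EXPECTATIONS = {"request_id": "id-req-1",  # assumed OIF/SP configuration values
                   "acs_url": "http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso",
                   "provider_id": "http://adc00pcc.us.oracle.com:23002/oam/fed",
                   "now": _ts("2014-02-28T15:18:30Z")}
DIRECTORY = {"cn=alice,ou=people,dc=oracle,dc=com": {"uid": "alice", "mail": "alice@oracle.com"}}


def inspect_response(xml_text, expected):
    """Fields the Test SP page shows, plus the SP-side validation errors. Only the
    presence of the enveloped signature is checked; OIF/SP also verifies it."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, ["no saml:Assertion in response"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    info = {"idp": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
            "name_id": name_id.text.strip() if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
            "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                           for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}}
    errors = []
    if assertion.find("ds:Signature", NS) is None:
        errors.append("Assertion is not signed")  # FEDSTS-18003 in the OIF log
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected["request_id"]:
        errors.append("InResponseTo does not match the AuthnRequest we sent")
    if scd is not None and scd.get("Recipient") != expected["acs_url"]:
        errors.append("Recipient is not our assertion consumer URL")
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["provider_id"] not in audiences:
        errors.append("our provider ID is not in the AudienceRestriction")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and not (_ts(cond.get("NotBefore")) <= expected["now"]
                                 < _ts(cond.get("NotOnOrAfter"))):
        errors.append("assertion outside its validity window")
    return info, errors


def map_name_id(info, directory=DIRECTORY, attr="mail"):
    """Attribute-based mapping of the NameID to an LDAP record; None is FED-15108."""
    if info.get("name_id_format") != EMAIL_FORMAT or not info.get("name_id"):
        return None
    for dn, entry in directory.items():
        if entry.get(attr, "").lower() == info["name_id"].lower():
            return {"dn": dn, "user_id": entry["uid"]}
    return None


def run_test_sp(xml_text, expected=SP_EXPECTATIONS, directory=DIRECTORY):
    """What the Test SP page displays at the end of the flow."""
    info, errors = inspect_response(xml_text, expected)
    user = map_name_id(info, directory) if not errors else None
    if not errors and user is None:
        errors.append("Assertion could not be mapped to a local user record")
    return dict(info, success=not errors, user=user, errors=errors)
```

run_test_sp(SAMPLE_RESPONSE) reproduces the mapping failure of the first log excerpt (the Assertion validates, but no directory entry has mail=alice.appleton@oracle.com); SAMPLE_RESPONSE.replace(SIGNATURE, "") reproduces the second excerpt, where validation stops before any mapping is attempted; and replacing the NameID with alice@oracle.com is the case where the Test SP page reports success together with the mapped DN and user ID.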


In the next article, I will describe how to integrate OIF (11.1.2.2.0 or later) with ADFS 2.0 for Federation SSO using the SAML 2.0 protocol.
Cheers,
Damien Carru



About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service
