Monday Apr 21, 2014

Using Fed Attributes: OAM Authorization and HTTP Headers

In this article, I will discuss how attributes received in SAML/OpenID SSO messages can be used in OAM Authorization Policies and how they can be provided to protected web applications.

At runtime, when OIF/SP successfully processes a SAML / OpenID SSO Response message, the server saves some of the information from the response in the OAM session, as attributes that can be used in OAM authorization policies:

  • In conditions for authorization rules
  • In responses to provide the SAML/OpenID attributes to protected web applications

The SAML / OpenID SSO Response information is saved in the OAM session as attributes referenced by the following identifiers:

  • The IdP partner name, referenced by $session.attr.fed.partner
  • The NameID value from the SSO response, referenced by $session.attr.fed.nameidvalue
  • The NameID format from the SSO response, for SAML protocols, referenced by $session.attr.fed.nameidformat
  • The attributes contained either in the SAML Assertion’s AttributeStatement or in the OpenID SSO Response, referenced by $session.attr.fed.attr.ATTR_NAME, with ATTR_NAME being:
    • Either the local session attribute name, if an IdP Attribute Profile mapping was applied (see previous article)
    • Or the attribute name from the SSO response, if no IdP Attribute Profile mapping was applied for this attribute

Enjoy the reading!

Friday Apr 18, 2014

Processing Incoming Attributes with OIF / SP

When OIF acts as a Service Provider, it:

  • Validates the incoming SSO response from the IdP
  • Maps the SSO response to an LDAP user record
  • Extracts the user identifier and optional attributes contained in the SSO response and stores them in the OAM session.

Those attributes stored in the OAM session can later be used:

  • In Authorization Policies, where the conditions/rules will evaluate the attributes in the OAM session
  • As Policy Responses to provide those attributes to web applications protected by WebGate/OAM, as HTTP Headers or cookies

In this article, I will discuss how OIF acting as a Service Provider can be configured to:

  • Process attributes contained in an incoming SAML Assertion or OpenID SSO Response to map the names of incoming attributes to local names.
  • Request attributes from the OP via the OpenID protocol (SAML does not provide a way for SPs at runtime to request attributes from the IdP during a Federation SSO operation)

Enjoy the reading!

Friday Mar 21, 2014

Example: Sending Attributes with OIF/ IdP

In this article, I will cover two examples of how to configure OIF/IdP to send attributes:

  • Via the OAM Administration Console to send attributes to a SAML 2.0 SP Partner
  • Via the OIF WLST commands to send attributes to an OpenID 2.0 RP Partner

The sent attributes will be based on:

  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)

Enjoy the reading!

Monday Mar 17, 2014

Sending Attributes with OIF/ IdP

In this article, I will cover how OIF can be easily configured to send attributes with the SSO Assertion to the partner during the Federation SSO operation. Those attributes can be set to data retrieved from:
  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)

Note that configuring how SAML NameID values are set is similar to how attributes are configured in OIF.

Enjoy the reading!

About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service.
