Tuesday Jan 27, 2015

Custom Authentication Module in OIF/SP

In a previous article, I showed how to create a custom Authentication plugin and include it in an existing Federation Authentication Module. In this article, I will create a new custom Authentication Module in OIF/SP that is made up of the existing OIF Federation Authentication Plugins plus a custom plugin that will:

  • Evaluate the requested protected resource
  • Determine the IdP to be used in the Federation SSO operation
  • Request a higher Federation Authentication Method from the IdP, depending on the resource being requested

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer’s Guide, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Authentication Module

Enjoy the reading!

Thursday Dec 04, 2014

Using OAM Pre Authentication Advanced Rules in OIF IdP

Today I will showcase how to use the OAM Authentication Advanced Rule with OIF as an IdP with the following use case:

  • OIF acts as the IdP
  • A specific scheme is used to challenge all the users
  • The OAM Authentication Policy for that scheme is configured with a Pre-Authentication Advanced Rule that evaluates whether the browser is a desktop browser or a mobile browser
    • If the user is using a desktop/laptop, then the configured Authentication Scheme will be used
    • Otherwise, if the user is on a mobile device, another scheme targeted at mobile platforms will be used, which facilitates user interaction by using a mobile login page

For more information about the Pre Authentication Advanced Rules in OAM, refer to the OAM/OIF 11.1.2.2.0 Administrator's Guide.

Friday Nov 07, 2014

Custom Post-Authentication Module in OIF / SP

In this article, I will show how to implement a custom authentication plugin that will be invoked after Federation SSO is complete and that will:

  • Access the information contained in the SAML Assertion (IdP name, user attributes...)
  • Update the LDAP user attributes based on the SAML User attributes

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 3, which describes how to develop such a module: http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/authnapi.htm.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Federation Authentication Module

Enjoy the reading!

Thursday Jul 17, 2014

Mapping Fed Authn Methods to Authn Levels in OIF / SP

In my previous posts, I explained how to configure OIF/IdP to map Federation Authentication Methods to OAM Authentication Schemes for authentication and to allow an SP to request at runtime a user to be authenticated via a specific OAM Authentication Scheme.

In this article, I will now look at OIF/SP and how it can be set up to request a specific Federation Authentication Method to be used by the remote IdP Partner at runtime, to challenge the user.

Enjoy the reading!

Thursday Jul 03, 2014

Fed Authentication Method Requests in OIF / SP

In my previous posts, I explained how to configure OIF/IdP to map Federation Authentication Methods to OAM Authentication Schemes for authentication and to allow an SP to request at runtime a user to be authenticated via a specific OAM Authentication Scheme.

In this article, I will now look at OIF/SP and how it can be set up to request a specific Federation Authentication Method to be used by the remote IdP Partner at runtime, to challenge the user.

Enjoy the reading!

Friday Jun 20, 2014

Fed Authentication Method Requests in OIF / IdP

In my previous article, I explained how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, for OIF/IdP to be able to map the OAM Authentication Scheme to a Federation Authentication Method when issuing an SSO Response.

In this post, I will describe how to set up OIF/IdP, so that an SP can request the user to be authenticated via a specific OAM Authentication Scheme.

The approach is based on the Federation Authentication Methods and their mappings to OAM Authentication Schemes. In a recent article, I explained that:

  • Each defined Federation Authentication Method can be mapped to several Authentication Schemes
  • In a Federation Authentication Method <-> Authentication Schemes mapping, a single Authentication Scheme is marked as the default scheme that will be used to authenticate a user, if the SP/RP partner requests the user to be authenticated via a specific Federation Authentication Method

The examples will show how to indicate to OIF/IdP which Authentication Scheme to use to challenge the user, when the SP requests a specific Federation Authentication Method to be used.

Friday Jun 06, 2014

Configuring Fed Authentication Methods in OIF / IdP

In this article, I will provide examples on how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, based on the concepts introduced in my previous entry.

I will show examples for the three protocols supported by OIF:

  • SAML 2.0 SSO
  • SAML 1.1 SSO
  • OpenID 2.0

Enjoy the reading!

Wednesday May 28, 2014

Fed Authentication Methods in OIF / IdP

This article is a continuation of my previous entry where I explained how OIF/IdP leverages OAM to authenticate users at runtime:

  • OIF/IdP internally forwards the user to OAM and indicates which Authentication Scheme should be used to challenge the user if needed
  • OAM determines whether the user should be challenged (user already authenticated, session timed out or not, session authentication level equal to or higher than the level of the authentication scheme specified by OIF/IdP…)
  • After identifying the user, OAM internally forwards the user back to OIF/IdP
  • OIF/IdP can resume its operation

In this article, I will discuss how OIF/IdP can be configured to map Federation Authentication Methods to OAM Authentication Schemes:

  • When processing an Authn Request, where the SP requests a specific Federation Authentication Method with which the user should be challenged
  • When sending an Assertion, where OIF/IdP sets the Federation Authentication Method in the Assertion

Enjoy the reading!

Monday May 19, 2014

Authentication in OIF / IdP

In this article, I will discuss authentication when OIF acts as an IdP and how the server can be configured to use specific OAM Authentication Schemes to challenge the user.

When OIF 11gR1, acting as an IdP, was integrated with OAM 11g, OIF delegated user authentication to OAM through WebGate:

  • OHS had to be installed and configured to act as a reverse HTTP proxy for OIF
  • WebGate had to be installed on OHS and registered with OAM
  • OAM had to be configured to protect an OIF URL with
    • An Authentication Policy
    • An Authorization Policy
  • The OIF logout URL had to be set up in OAM
  • OIF had to be configured to use the OAM 11g Authentication Engine
    • Enter the HTTP header containing the userID injected by WebGate
    • Set up the OAM logout URL

In OIF 11gR2 and OAM 11gR2, the two components are tightly integrated:

  • No initial setup is required to integrate the two products
  • No WebGate/OHS is required for IdP authentication
  • OIF/IdP can leverage any OAM Authentication Scheme

Note: given the advanced nature of the configuration, OIF authentication setup can only be managed via OIF WLST commands.

Enjoy the reading!

About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service
