Monday Apr 14, 2014

Authorization in OIF / IdP

In this article, I will show how to enable and implement Authorization Policies for Federation SSO when OIF is acting as an IdP.

When OIF authenticates a user on behalf of remote SAML / OpenID 2.0 partners, it will issue a token (SAML or OpenID) containing information about the user that the partner will consume to identify the user. As a part of the creation of the token, OIF/IdP can be configured to evaluate a Token Issuance Policy that will indicate if the user is allowed to perform Federation SSO with that particular SP/RP.

The Token Issuance Policy will be constructed with:

  • The SP Partner Name as the resource
  • One or more constraints
    • The true constraint which is used to indicate that OIF/IdP should issue tokens for all users for the SP partners listed in the policy
    • The Identity constraint made of
      • List of users: OIF/IdP will ensure that the user performing Federation SSO between OIF and the remote SP belongs to that list
      • Or list of groups: OIF/IdP will ensure that the user performing Federation SSO between OIF and the remote SP belongs to a group listed in the constraint

Enjoy the reading!

[Read More]
About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service

Search

Categories
Archives
« September 2015
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today