Tuesday Jan 27, 2015

Custom Authentication Module in OIF/SP

In a previous article, I showed how to create a custom Authentication plugin and include it in an existing Federation Authentication Module. In this article I will create a new custom Authentication Module in OIF/SP that will be made of the existing OIF Federation Authentication Plugins and a custom plugin which will

  • Evaluate the requested protected resource
  • Determine the IdP to be used in the Federation SSO operation
  • Request a higher Federation Authentication Method from the IdP, depending on the resource being requested

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer's Guide, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Authentication Module

Enjoy the reading!

[Read More]

Tuesday Dec 23, 2014

Implementing an IdP Discovery Service

As discussed in my previous article, OIF/SP can be configured to use a remote IdP Discovery Service whose function is to determine which IdP to use for the Federation SSO operation.

The "Identity Provider Discovery Service Protocol and Profile" SAML 2.0 specification published by OASIS defines the interaction protocol between a SAML 2.0 SP and an IdP Discovery Service.

In this article, I will implement a sample IdP Discovery Service, and then I will configure OIF/SP to use that service:

  • The service needs to support the protocol defined by the "Identity Provider Discovery Service Protocol and Profile" SAML 2.0 specification
  • The service will be an HTTP service and can be deployed anywhere
  • OIF/SP will be configured to redirect the user to that remote service when starting a Federation SSO operation.

Enjoy the reading!

[Read More]

Thursday Dec 04, 2014

Using OAM Pre Authentication Advanced Rules in OIF IdP

Today I will showcase how to use the OAM Authentication Advanced Rule with OIF as an IdP with the following use case:

  • OIF acts as the IdP
  • A specific scheme is used to challenge all the users
  • The OAM Authentication Policy for that scheme is configured to have a Pre-Authentication Advanced Rule that will evaluate if the browser is a desktop browser or a mobile browser
    • If the user is using a desktop/laptop, then the configured Authentication Scheme will be used
    • Otherwise, if the user is on a mobile device, another scheme targeted at mobile platforms will be used, which facilitates user interaction by using a mobile login page

For more information about the Pre Authentication Advanced Rules in OAM, refer to the OAM/OIF 11.1.2.2.0 Administrator's Guide.

[Read More]

Friday Nov 07, 2014

Custom Post-Authentication Module in OIF / SP

In this article, I will show how to implement a custom authentication plugin that will be invoked after Federation SSO is complete and that will:

  • Access the information contained in the SAML Assertion (IdP name, user attributes...)
  • Update the LDAP user attributes based on the SAML User attributes

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 3, which describes how to develop such a module: http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/authnapi.htm.  

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Federation Authentication Module

Enjoy the reading!

[Read More]

Wednesday Oct 22, 2014

Determining which IdP to use for Federation SSO

As a Service Provider, when triggering a Federation SSO operation, the main challenge sometimes lies with determining which IdP will be selected for the SSO flow, in cases where the SP has trust agreements with multiple IdPs.

OIF/SP has several mechanisms to select the IdP for the Federation SSO operation, including:

  • Having the OAM Federation Scheme indicate the IdP to be used
  • Having a custom OAM Authentication Plugin set the IdP to be used
  • Using a SAML 2.0 IdP Discovery Service if the IdP was specified neither by the Scheme nor by a custom plugin
  • Using the Default SSO IdP if no IdP Discovery Service is used

This article will explore each mechanism more closely.

[Read More]

Monday Oct 06, 2014

Federation Proxy in OIF / IdP

In this article, I will explain the concept of Federation Proxy and how OIF/IdP can easily be configured to become an SP and delegate authentication to another remote IdP instead of authenticating the user locally.

Federation Proxy is typically used when a Federation hub acts as:

  • An IdP for SP Partners, where the IdP aggregates Federation trust between those SPs and itself
  • An SP with remote IdP Partners

This approach has the advantage of:

  • Reducing trust management overhead:
    • Each new IdP Partner added to the Federation hub will be automatically available to all the SP partners integrated with the Federation hub
    • Each new SP Partner added to the Federation hub won't need to be defined at the IdP Partners
  • Providing a layered Federation trust model, where the Federation hub hides the Federation deployment to the IdP Partners

Enjoy the reading!

[Read More]

Friday Sep 19, 2014

DCC HTTP Reverse Proxy with OAM/OIF

Today I will discuss the Detached Credential Collector (DCC) HTTP Reverse Proxy feature introduced in the 11.1.2.2.0 release.

In a deployment where this feature is enabled, a WebGate SSO Agent:

  • Becomes a reverse HTTP proxy for the OAM and OIF services
  • Interacts with the user over HTTP/HTTPS
  • Routes the incoming HTTP requests for the OAM/OIF servers to the SSO and Federation servers over the secure OAM NAP protocol.
  • Returns to the HTTP client the response sent by OAM/OIF over the NAP protocol

In this mode, all interactions between the users/clients and OAM/OIF go through the WebGate DCC HTTP Reverse Proxy: users no longer access the OAM/OIF servers directly.

This new DCC HTTP Reverse Proxy capability is different from the previous DCC for HTTP-Basic/FORM based login, with the latter not working for the Federation SSO flows (IdP or SP mode).

Enjoy the reading!

[Read More]

Friday Sep 05, 2014

Crypto Settings in OIF

In this article, I will cover the various crypto configuration properties in OIF that are used to affect the Federation SSO exchanges, including:

  • Hashing algorithm used for signatures
    • SHA-1
    • SHA-256
  • Which outgoing SAML messages will be signed
  • Which incoming SAML messages will be required to be signed
  • Whether or not to include the X.509 signing certificate in the outgoing signed XML message
  • Whether or not to encrypt SAML 2.0 messages:
    • Assertion
    • NameID
    • Attribute

Enjoy the reading!

[Read More]

Friday Aug 15, 2014

AuthnRequest Settings in OIF / SP

In this article, I will list the various OIF/SP settings that affect how an AuthnRequest message is created in OIF in a Federation SSO flow.

The AuthnRequest message is used by an SP to start a Federation SSO operation and to indicate to the IdP how the operation should be executed:

  • How the user should be challenged at the IdP
  • Whether or not the user should be challenged at the IdP, even if a session already exists at the IdP for this user
  • Which NameID format should be requested in the SAML Assertion
  • Which binding (Artifact or HTTP-POST) should be requested from the IdP to send the Assertion
  • Which profile should be used by OIF/SP to send the AuthnRequest message

Enjoy the reading!

[Read More]

Friday Aug 01, 2014

Integrating Google Apps with OIF / IdP

Google Apps provides a set of services that companies sometimes leverage for their day-to-day activities, allowing their employees to offload mail, calendar, document storage... to the Google cloud.

When a company purchases Google Apps for its employees, it needs to create user accounts in Google and provide the employees with their account information:

  • Username and password to access Google Apps
  • How to set/reset their password in Google Apps (initially, or if the password needs to be reset periodically)

Every time the user needs to access Google Apps, an authentication operation will take place where the user will enter the Google Apps credentials, which will be different from the on-premise company's user credentials.

Google Apps supports the SAML 2.0 SSO protocol as a Service Provider, where the Google Apps service for the company can be integrated with the on-premise Federation SSO IdP server in order to:

  • Provide true SSO capabilities for the user: the user authentication state is propagated from the on-premise security domain to Google Apps
  • Not force the user to manage and remember a different set of credentials
  • Allow the on-premise administrator to control more efficiently password policies locally.

In this article, I will describe step by step how to integrate Google Apps as an SP with OIF as an IdP via the SAML 2.0 SSO protocol.

Important note: enabling Federation SSO for a domain will also affect the administrators for that domain who will need to authenticate via Federation SSO thereafter.

Enjoy the reading!

[Read More]

Thursday Jul 17, 2014

Mapping Fed Authn Methods to Authn Levels in OIF / SP

In my previous posts, I explained how to configure OIF/IdP to map Federation Authentication Methods to OAM Authentication Schemes for authentication and to allow an SP to request at runtime a user to be authenticated via a specific OAM Authentication Scheme.

In this article, I will now look at OIF/SP and how it can be set up to request a specific Federation Authentication Method to be used by the remote IdP Partner at runtime, to challenge the user.

Enjoy the reading!

[Read More]

Thursday Jul 03, 2014

Fed Authentication Method Requests in OIF / SP

In my previous posts, I explained how to configure OIF/IdP to map Federation Authentication Methods to OAM Authentication Schemes for authentication and to allow an SP to request at runtime a user to be authenticated via a specific OAM Authentication Scheme.

In this article, I will now look at OIF/SP and how it can be set up to request a specific Federation Authentication Method to be used by the remote IdP Partner at runtime, to challenge the user.

Enjoy the reading!

[Read More]

Friday Jun 20, 2014

Fed Authentication Method Requests in OIF / IdP

In my previous article, I explained how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, for OIF/IdP to be able to map the OAM Authentication Scheme to a Federation Authentication Method when issuing an SSO Response.

In this post, I will describe how to set up OIF/IdP, so that an SP can request the user to be authenticated via a specific OAM Authentication Scheme.

The approach is based on the Federation Authentication Methods and their mappings to OAM Authentication Schemes. In a recent article, I explained that:

  • Each defined Federation Authentication Method can be mapped to several Authentication Schemes
  • In a Federation Authentication Method <-> Authentication Schemes mapping, a single Authentication Scheme is marked as the default scheme that will be used to authenticate a user, if the SP/RP partner requests the user to be authenticated via a specific Federation Authentication Method

The examples will show how to indicate to OIF/IdP which Authentication Scheme to use to challenge the user, when the SP requests a specific Federation Authentication Method to be used.

[Read More]

Friday Jun 06, 2014

Configuring Fed Authentication Methods in OIF / IdP

In this article, I will provide examples on how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, based on the concepts introduced in my previous entry.

I will show examples for the three protocols supported by OIF:

  • SAML 2.0 SSO
  • SAML 1.1 SSO
  • OpenID 2.0

Enjoy the reading!

[Read More]

Wednesday May 28, 2014

Fed Authentication Methods in OIF / IdP

This article is a continuation of my previous entry where I explained how OIF/IdP leverages OAM to authenticate users at runtime:

  • OIF/IdP internally forwards the user to OAM and indicates which Authentication Scheme should be used to challenge the user if needed
  • OAM determines whether the user should be challenged (user already authenticated, session timed out or not, session authentication level equal to or higher than the level of the authentication scheme specified by OIF/IdP…)
  • After identifying the user, OAM internally forwards the user back to OIF/IdP
  • OIF/IdP can resume its operation

In this article, I will discuss how OIF/IdP can be configured to map Federation Authentication Methods to OAM Authentication Schemes:

  • When processing an Authn Request, where the SP requests a specific Federation Authentication Method with which the user should be challenged
  • When sending an Assertion, where OIF/IdP sets the Federation Authentication Method in the Assertion

Enjoy the reading!

[Read More]

Monday May 19, 2014

Authentication in OIF / IdP

In this article, I will discuss authentication when OIF acts as an IdP and how the server can be configured to use specific OAM Authentication Schemes to challenge the user.

When OIF 11gR1 acting as an IdP and OAM 11g were integrated together, OIF was delegating the user authentication to OAM via the use of WebGate:

  • OHS had to be installed and configured to act as a reverse HTTP proxy for OIF
  • WebGate had to be installed on OHS and registered with OAM
  • OAM had to be configured to protect an OIF URL with
    • An Authentication Policy
    • An Authorization Policy
  • The OIF logout URL had to be set up in OAM
  • OIF had to be configured to use the OAM 11g Authentication Engine
    • Enter the HTTP header containing the userID injected by WebGate
    • Set up the OAM logout URL

In OIF 11gR2 and OAM 11gR2, the two components are tightly integrated together:

  • No initial setup is required to integrate the two products
  • No WebGate/OHS is required for IdP authentication
  • OIF/IdP can leverage any OAM Authentication Scheme

Note: given the advanced nature of the configuration, OIF authentication setup can only be managed via OIF WLST commands.

Enjoy the reading!

[Read More]

Friday May 02, 2014

JIT Custom User Provisioning in OIF / SP cont’d

This article is a continuation of my previous entry about User Provisioning in OIF/SP, where I described how to use the built-in module in OIF/SP to create user records during a Federation SSO operation, if the user did not have a local account.

In this article, I will show how to build a custom User Provisioning module in OIF/SP. This will be based on the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 16, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Configure OIF to use the newly uploaded plugin

For this example, I will use the sample code listed in the OAM/OIF 11.1.2.2.0 Developer’s Guide.

Enjoy the reading!

[Read More]

Monday Apr 28, 2014

JIT User Provisioning in OIF / SP

In this article, I will discuss how to add user provisioning to OIF/SP, which allows the server to create a user record on the fly during Federation SSO if the user does not have an account yet.

During a Federation SSO operation, OIF/SP will validate the incoming SSO response (SAML or OpenID) and will attempt to map it to a local LDAP user record based on information contained in the SSO response (typically user attributes):

  • If the mapping returns a single user record, the operation is a success and an OAM session is created for that user record
  • If the mapping returns several LDAP records, then the operation is a non-recoverable failure:
    • Either the mapping configuration is incorrect
    • Or there are invalid LDAP user records in the directory
  • If the mapping does not return any records, this means that
    • Either the mapping configuration is incorrect
    • Or the configuration is correct, but the user does not have a record in the local directory: in this case, OIF/SP can be set up to automatically create an LDAP user record based on the data contained in the SSO response, and ensure that subsequent Federation SSO mapping operations for that user will map to the same new LDAP user record

OIF/SP will validate the SSO response, process the attributes using rules defined in the IdP Attribute Profile for the IdP partner, and if needed will invoke the User Provisioning module configured in OIF/SP:

  • Either the included User Provisioning module
  • Or a custom implementation of a User Provisioning module

After the invocation of the User Provisioning module (default or custom), the server will create a session for the user. Subsequent Federation SSO operations for the same user will result in OIF/SP mapping the SSO response to that newly created LDAP record.

Enjoy the reading!

[Read More]

Monday Apr 21, 2014

Using Fed Attributes: OAM Authorization and HTTP Headers

In this article, I will discuss how attributes received in SAML/OpenID SSO messages can be used in OAM Authorization Policies and how they can be provided to protected web applications.

At runtime, when OIF/SP successfully processes a SAML / OpenID SSO Response message, the server will save some of the information from the response in the OAM session, as attributes that can be used in OAM authorization policies:

  • In conditions for authorization rules
  • In responses to provide the SAML/OpenID attributes to protected web applications

The SAML / OpenID SSO Response information is saved in the OAM session as attributes referenced by the following identifiers:

  • The IdP partner name, referenced by $session.attr.fed.partner
  • The NameID value from the SSO response, referenced by $session.attr.fed.nameidvalue
  • The NameID format from the SSO response, for SAML protocols, referenced by $session.attr.fed.nameidformat
  • The attributes contained either in the SAML Assertion’s AttributeStatement or in the OpenID SSO Response, referenced by $session.attr.fed.attr.ATTR_NAME, with ATTR_NAME being
    • Either the local session attribute name, if an IdP Attribute Profile mapping was applied (see previous article)
    • Or the attribute name from the SSO response, if no IdP Attribute Profile mapping was applied for this attribute

Enjoy the reading!

[Read More]

Thursday Feb 20, 2014

Oracle Identity Federation 11.1.2.2.0 has been released!

Oracle Identity Federation (OIF) has been released as part of Oracle Fusion Middleware 11gR2 Release 2 (11.1.2.2.0)!

This new version of OIF provides Identity Provider (IdP) and Service Provider (SP), a.k.a. Relying Party (RP), support for the SAML 2.0, SAML 1.1 and OpenID 2.0 protocols.

The admin interfaces have been revamped to provide a comprehensive and easy way for administrators to manage Federation partnership on a day-to-day basis: while the UI allows the basic administration of Federation settings, which would cover most of the daily use cases, the OIF WLST command scripting tools allow advanced configuration of the Federation servers and its partners.

In this article, I will discuss the features included in OIF 11.1.2.2.0:

  • Native Integration with OAM
  • Protocols
  • Additional Features

[Read More]
About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service.
