Tuesday Jan 27, 2015

Custom Authentication Module in OIF/SP

In a previous article, I showed how to create a custom Authentication plugin and include it in an existing Federation Authentication Module. In this article I will create a new custom Authentication Module in OIF/SP that will be made of the existing OIF Federation Authentication Plugins and a custom plugin which will

  • Evaluate the requested protected resource
  • Determine the IdP to be used in the Federation SSO operation
  • Request a higher Federation Authentication Method from the IdP, depending on the resource being requested

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer’s Guide, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Authentication Module

Enjoy the reading!


Tuesday Dec 23, 2014

Implementing an IdP Discovery Service

As discussed in my previous article, OIF/SP can be configured to use a remote IdP Discovery Service whose function is to determine which IdP to use for the Federation SSO operation.

The "Identity Provider Discovery Service Protocol and Profile" SAML 2.0 specification published by OASIS defines the interaction protocol between a SAML 2.0 SP and an IdP Discovery Service.

In this article, I will implement a sample IdP Discovery Service, and then I will configure OIF/SP to use that service:

  • The service needs to support the protocol defined by the "Identity Provider Discovery Service Protocol and Profile" SAML 2.0 specification
  • The service will be an HTTP service and can be deployed anywhere
  • OIF/SP will be configured to redirect the user to that remote service when starting a Federation SSO operation.

Enjoy the reading!


Thursday Dec 04, 2014

Using OAM Pre Authentication Advanced Rules in OIF IdP

Today I will showcase how to use the OAM Authentication Advanced Rule with OIF as an IdP with the following use case:

  • OIF acts as the IdP
  • A specific scheme is used to challenge all the users
  • The OAM Authentication Policy for that scheme is configured to have a Pre-Authentication Advanced Rule that will evaluate if the browser is a desktop browser or a mobile browser
    • If the user is using a desktop/laptop, then the configured Authentication Scheme will be used
    • Otherwise, if the user is on a mobile device, another scheme targeted at mobile platforms will be used, which facilitates user interaction through a mobile login page

For more information about the Pre Authentication Advanced Rules in OAM, refer to the OAM/OIF 11.1.2.2.0 Administrator's Guide.

Friday Nov 07, 2014

Custom Post-Authentication Module in OIF / SP

In this article, I will show how to implement a custom authentication plugin that will be invoked after Federation SSO is complete and that will:

  • Access the information contained in the SAML Assertion (IdP name, user attributes...)
  • Update the LDAP user attributes based on the SAML User attributes

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 3, which describes how to develop such a module: http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/authnapi.htm.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Federation Authentication Module

Enjoy the reading!


Wednesday Oct 22, 2014

Determining which IdP to use for Federation SSO

As a Service Provider, when triggering a Federation SSO operation, the main challenge sometimes lies in determining which IdP will be selected for the SSO flow, in cases where the SP has trust agreements with multiple IdPs.

OIF/SP has several mechanisms to select the IdP for the Federation SSO operation, including:

  • Having the OAM Federation Scheme indicate the IdP to be used
  • Having a custom OAM Authentication Plugin set the IdP to be used
  • Using a SAML 2.0 IdP Discovery Service if the IdP was neither specified by the Scheme nor by a custom plugin
  • Using the Default SSO IdP if no IdP Discovery Service is used

This article will explore each mechanism more closely.


Monday Oct 06, 2014

Federation Proxy in OIF / IdP

In this article, I will explain the concept of Federation Proxy and how OIF/IdP can easily be configured to become an SP and delegate authentication to another remote IdP instead of authenticating the user locally.

Federation Proxy is typically used when a Federation hub acts as:

  • An IdP for SP Partners, where the IdP aggregates Federation trust between those SPs and itself
  • An SP with remote IdP Partners

This approach has the advantage of:

  • Reducing trust management overhead:
    • Each new IdP Partner added to the Federation hub will automatically be available to all the SP partners integrated with the Federation hub
    • Each new SP Partner added to the Federation hub won't need to be defined at the IdP Partners
  • Providing a layered Federation trust model, where the Federation hub hides the Federation deployment from the IdP Partners

Enjoy the reading!


Friday Sep 19, 2014

DCC HTTP Reverse Proxy with OAM/OIF

Today I will discuss the Detached Credential Collector (DCC) HTTP Reverse Proxy feature that was introduced in the 11.1.2.2.0 release.

In a deployment where this feature is enabled, a WebGate SSO Agent:

  • Becomes a reverse HTTP proxy for the OAM and OIF services
  • Interacts with the user over HTTP/HTTPS
  • Routes the incoming HTTP requests for the OAM/OIF servers to the SSO and Federation servers over the secure OAM NAP protocol.
  • Returns to the HTTP client the response sent by OAM/OIF over the NAP protocol

In this mode, all interactions between the users/clients and OAM/OIF go through the WebGate DCC HTTP Reverse Proxy: no user accesses the OAM/OIF servers directly anymore.

This new DCC HTTP Reverse Proxy capability is different from the earlier DCC for HTTP-Basic/FORM-based login, which does not work for the Federation SSO flows (IdP or SP mode).

Enjoy the reading!


Friday Sep 05, 2014

Crypto Settings in OIF

In this article, I will cover the various crypto configuration properties in OIF that affect the Federation SSO exchanges, including:

  • Hashing algorithm used for signatures
    • SHA-1
    • SHA-256
  • Which outgoing SAML messages will be signed
  • Which incoming SAML messages will be required to be signed
  • Whether or not to include the X.509 signing certificate in the outgoing signed XML message
  • Whether or not to encrypt SAML 2.0 messages:
    • Assertion
    • NameID
    • Attribute

Enjoy the reading!


Friday Aug 15, 2014

AuthnRequest Settings in OIF / SP

In this article, I will list the various OIF/SP settings that affect how an AuthnRequest message is created in OIF in a Federation SSO flow.

The AuthnRequest message is used by an SP to start a Federation SSO operation and to indicate to the IdP how the operation should be executed:

  • How the user should be challenged at the IdP
  • Whether or not the user should be challenged at the IdP, even if a session already exists at the IdP for this user
  • Which NameID format should be requested in the SAML Assertion
  • Which binding (Artifact or HTTP-POST) should be requested from the IdP to send the Assertion
  • Which profile should be used by OIF/SP to send the AuthnRequest message

Enjoy the reading!


Friday Aug 01, 2014

Integrating Google Apps with OIF / IdP

Google Apps provides a set of services that companies sometimes leverage for their day-to-day activities, allowing their employees to offload mail, calendar, document storage and so on to the Google cloud.

When a company purchases Google Apps for its employees, it needs to create user accounts in Google and provide the employees with their account information:

  • Username and password to access Google Apps
  • How to set/reset their password in Google Apps (initially, or if the password needs to be reset periodically)

Every time the user needs to access Google Apps, an authentication operation takes place in which the user enters the Google Apps credentials, which are different from the company's on-premise user credentials.

Google Apps supports the SAML 2.0 SSO protocol as a Service Provider, where the Google Apps service for the company can be integrated with the on-premise Federation SSO IdP server in order to:

  • Provide true SSO capabilities for the user: the user authentication state is propagated from the on-premise security domain to Google Apps
  • Not force the user to manage and remember a different set of credentials
  • Allow the on-premise administrator to enforce password policies locally and more efficiently.

In this article, I will describe step by step how to integrate Google Apps as an SP with OIF as an IdP via the SAML 2.0 SSO protocol.

Important note: enabling Federation SSO for a domain will also affect the administrators for that domain who will need to authenticate via Federation SSO thereafter.

Enjoy the reading!


Thursday Jul 17, 2014

Mapping Fed Authn Methods to Authn Levels in OIF / SP

In my previous posts, I explained how to configure OIF/IdP to map Federation Authentication Methods to OAM Authentication Schemes for authentication and to allow an SP to request at runtime a user to be authenticated via a specific OAM Authentication Scheme.

In this article, I will now look at OIF/SP and how it can be set up to request a specific Federation Authentication Method to be used by the remote IdP Partner at runtime, to challenge the user.

Enjoy the reading!


Thursday Jul 03, 2014

Fed Authentication Method Requests in OIF / SP

In my previous posts, I explained how to configure OIF/IdP to map Federation Authentication Methods to OAM Authentication Schemes for authentication and to allow an SP to request at runtime a user to be authenticated via a specific OAM Authentication Scheme.

In this article, I will now look at OIF/SP and how it can be set up to request a specific Federation Authentication Method to be used by the remote IdP Partner at runtime, to challenge the user.

Enjoy the reading!


Friday Jun 20, 2014

Fed Authentication Method Requests in OIF / IdP

In my previous article, I explained how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, for OIF/IdP to be able to map the OAM Authentication Scheme to a Federation Authentication Method when issuing an SSO Response.

In this post, I will describe how to set up OIF/IdP, so that an SP can request the user to be authenticated via a specific OAM Authentication Scheme.

The approach is based on the Federation Authentication Methods and their mappings to OAM Authentication Schemes. In a recent article, I explained that:

  • Each defined Federation Authentication Method can be mapped to several Authentication Schemes
  • In a Federation Authentication Method <-> Authentication Schemes mapping, a single Authentication Scheme is marked as the default scheme that will be used to authenticate a user, if the SP/RP partner requests the user to be authenticated via a specific Federation Authentication Method

The examples will show how to indicate to OIF/IdP which Authentication Scheme to use to challenge the user, when the SP requests a specific Federation Authentication Method to be used.


Friday Jun 06, 2014

Configuring Fed Authentication Methods in OIF / IdP

In this article, I will provide examples on how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, based on the concepts introduced in my previous entry.

I will show examples for the three protocols supported by OIF:

  • SAML 2.0 SSO
  • SAML 1.1 SSO
  • OpenID 2.0

Enjoy the reading!


Wednesday May 28, 2014

Fed Authentication Methods in OIF / IdP

This article is a continuation of my previous entry where I explained how OIF/IdP leverages OAM to authenticate users at runtime:

  • OIF/IdP internally forwards the user to OAM and indicates which Authentication Scheme should be used to challenge the user if needed
  • OAM determines whether the user should be challenged (user already authenticated, session timed out or not, session authentication level equal to or higher than the level of the authentication scheme specified by OIF/IdP…)
  • After identifying the user, OAM internally forwards the user back to OIF/IdP
  • OIF/IdP can resume its operation

In this article, I will discuss how OIF/IdP can be configured to map Federation Authentication Methods to OAM Authentication Schemes:

  • When processing an Authn Request, where the SP requests a specific Federation Authentication Method with which the user should be challenged
  • When sending an Assertion, where OIF/IdP sets the Federation Authentication Method in the Assertion

Enjoy the reading!


Monday May 19, 2014

Authentication in OIF / IdP

In this article, I will discuss authentication when OIF acts as an IdP and how the server can be configured to use specific OAM Authentication Schemes to challenge the user.

When OIF 11gR1, acting as an IdP, was integrated with OAM 11g, OIF delegated user authentication to OAM via WebGate:

  • OHS had to be installed and configured to act as a reverse HTTP proxy for OIF
  • WebGate had to be installed on OHS and registered with OAM
  • OAM had to be configured to protect an OIF URL with
    • An Authentication Policy
    • An Authorization Policy
  • The OIF logout URL had to be set up in OAM
  • OIF had to be configured to use the OAM 11g Authentication Engine
    • Enter the HTTP header containing the userID injected by WebGate
    • Set up the OAM logout URL

In OIF 11gR2 and OAM 11gR2, the two components are tightly integrated together:

  • No initial setup is required to integrate the two products
  • No WebGate/OHS is required for IdP authentication
  • OIF/IdP can leverage any OAM Authentication Scheme

Note: given the advanced nature of the configuration, OIF authentication setup can only be managed via OIF WLST commands.

Enjoy the reading!


Wednesday May 14, 2014

Partner Profiles in OIF

In this article, I will discuss the concept of Partner Profile in the OIF configuration.

During any Federation runtime operation between OIF (as an IdP or SP) and remote partners, numerous configuration properties are evaluated that will affect how OIF will execute the operation.

Some of the configuration parameters driving the protocol exchange are specific to the partner with which OIF is interacting (like how the NameID should be populated if OIF acts as a SAML 2.0 IdP), while others can be common to a group of partners (like whether or not to sign SAML 2.0 Assertions when OIF acts as an IdP).

Instead of having each partner entry in the OIF configuration contain all the OIF parameters required to perform the Federation runtime operations, OIF makes use of a Partner Profile which:

  • Contains a set of settings that are common to all partners referencing that partner profile
  • Is specific to
    • A type, either IdP or SP
    • A protocol: SAML 2.0, SAML 1.1 or OpenID 2.0

A Partner Profile in OIF typically contains configuration settings that are generally not changed often and that are considered advanced. For the day-to-day operations, the administration capabilities provided in the OAM Administration Console or via the OIF WLST commands are enough for most cases.

For advanced cases requiring configuration changes, an administrator would have the choice to:

  • Either update the Partner configuration entry, so changes would only apply to the partner
  • Or update the Partner Profile entry, so changes would apply to all partners bound to the Partner Profile

Important note: given the advanced nature of the configuration, Partner Profiles can only be managed via OIF WLST commands.


Friday May 09, 2014

Integrating Office 365 with OIF/IdP

This is a continuation of my previous article, in which I will configure OIF (11.1.2.2.0 or later) as an IdP with Office 365 for Federation SSO using the SAML 2.0 protocol.

Be sure to have read the article about pre-requisites.


Monday May 05, 2014

Integrating Office 365 with OIF/IdP Pre-Requisites

In the next two articles, I will describe how to integrate OIF (11.1.2.2.0 or later) as an IdP with Office 365 for Federation SSO using the SAML 2.0 protocol.

The integration will cover:

  • Browser Federation SSO integration: this is the flow the user will exercise when accessing the www.office365.com resources via a browser:
    • www.office365.com will prompt the user to enter their email address
    • The server will detect that Federation SSO should be used for that domain and will start a Federation SSO flow with OIF/IdP
    • OIF/IdP will challenge the user, create a SAML Assertion and redirect the user to www.office365.com
    • www.office365.com will grant access to the user
  • ActiveSync mail integration: in this flow, the user will use a mail application configured for Office 365
    • When the mail application is started, it will send the user’s credentials (email address and IdP password) to Office 365
    • www.office365.com will make a direct connection over SSL to the IdP and will use the SAML 2.0 ECP protocol to send a SAML AuthnRequest and the user’s credentials via HTTP Basic Authentication
    • The OIF/IdP will validate those credentials and return a SAML Assertion via the ECP protocol
    • Office 365 will grant access to the mail application

It is important to note that integration with Office 365 for non-SAML 2.0 components will not work, such as:

  • Lync clients
  • OWA Mobile Apps

Friday May 02, 2014

JIT Custom User Provisioning in OIF / SP cont’d

This article is a continuation of my previous entry about User Provisioning in OIF/SP, where I described how to use the built-in module in OIF/SP to create user records during a Federation SSO operation, if the user did not have a local account.

In this article, I will show how to build a custom User Provisioning module in OIF/SP. This will be based on the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 16, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Configure OIF to use the newly uploaded plugin

For this example, I will use the sample code listed in the OAM/OIF 11.1.2.2.0 Developer’s Guide.

Enjoy the reading!


Monday Apr 28, 2014

JIT User Provisioning in OIF / SP

In this article, I will discuss how to add user provisioning to OIF/SP, which allows the server to create a user record on the fly during Federation SSO if the user does not have an account yet.

During a Federation SSO operation, OIF/SP will validate the incoming SSO response (SAML or OpenID) and will attempt to map it to a local LDAP user record based on information contained in the SSO response (typically user attributes):

  • If the mapping returns a single user record, the operation is a success and an OAM session is created for that user record
  • If the mapping returns several LDAP records, then the operation is a non-recoverable failure:
    • Either the mapping configuration is incorrect
    • Or there are invalid LDAP user records in the directory
  • If the mapping does not return any records, this means that
    • Either the mapping configuration is incorrect
    • Or the configuration is correct, but the user does not have a record in the local directory: in this case, OIF/SP can be set up to automatically create an LDAP user record based on the data contained in the SSO response, and ensure that subsequent Federation SSO mapping operations for that user will map to the same new LDAP user record

OIF/SP will validate the SSO response, process the attributes using rules defined in the IdP Attribute Profile for the IdP partner, and if needed will invoke the User Provisioning module configured in OIF/SP:

  • Either the included User Provisioning module
  • Or a custom implementation of a User Provisioning module

After the invocation of the User Provisioning module (default or custom), the server will create a session for the user. Subsequent Federation SSO operations for the same user will result in OIF/SP mapping the SSO response to that newly created LDAP record.

Enjoy the reading!


Monday Apr 21, 2014

Using Fed Attributes: OAM Authorization and HTTP Headers

In this article, I will discuss how attributes received in SAML/OpenID SSO messages can be used in OAM Authorization Policies and how they can be provided to protected web applications.

At runtime, when OIF/SP successfully processes a SAML / OpenID SSO Response message, the server will save some of the information from the response in the OAM session, as attributes that can be used in OAM authorization policies:

  • In conditions for authorization rules
  • In responses to provide the SAML/OpenID attributes to protected web applications

The SAML / OpenID SSO Response information is saved in the OAM session as attributes referenced by the following identifiers:

  • The IdP partner name, referenced by $session.attr.fed.partner
  • The NameID value from the SSO response, referenced by $session.attr.fed.nameidvalue
  • The NameID format from the SSO response, for SAML protocols, referenced by $session.attr.fed.nameidformat
  • The attributes contained either in the SAML Assertion’s AttributeStatement or in the OpenID SSO Response, referenced by $session.attr.fed.attr.ATTR_NAME, with ATTR_NAME being
    • Either the local session attribute name, if an IdP Attribute Profile mapping was applied (see previous article)
    • Or the attribute name from the SSO response, if no IdP Attribute Profile mapping was applied for this attribute

Enjoy the reading!


Friday Apr 18, 2014

Processing Incoming Attributes with OIF / SP

When OIF acts as a Service Provider, it:

  • Validates the incoming SSO response from the IdP
  • Maps the SSO response to an LDAP user record
  • Extracts the user identifier and optional attributes contained in the SSO response and stores them in the OAM session.

Those attributes stored in the OAM session can later be used:

  • In Authorization Policies, where the conditions/rules will evaluate the attributes in the OAM session
  • As Policy Responses to provide those attributes to web applications protected by WebGate/OAM, as HTTP Headers or cookies

In this article, I will discuss how OIF acting as a Service Provider can be configured to:

  • Process attributes contained in an incoming SAML Assertion or OpenID SSO Response to map the names of incoming attributes to local names.
  • Request attributes from the OP via the OpenID protocol (SAML does not provide a way for SPs at runtime to request attributes from the IdP during a Federation SSO operation)

Enjoy the reading!


Monday Apr 14, 2014

Authorization in OIF / IdP

In this article, I will show how to enable and implement Authorization Policies for Federation SSO when OIF is acting as an IdP.

When OIF authenticates a user on behalf of remote SAML / OpenID 2.0 partners, it will issue a token (SAML or OpenID) containing information about the user that the partner will consume to identify the user. As a part of the creation of the token, OIF/IdP can be configured to evaluate a Token Issuance Policy that will indicate if the user is allowed to perform Federation SSO with that particular SP/RP.

The Token Issuance Policy will be constructed with:

  • The SP Partner Name as the resource
  • One or more constraints
    • The true constraint, which indicates that OIF/IdP should issue tokens for all users for the SP partners listed in the policy
    • The Identity constraint, made of either
      • List of users: OIF/IdP will ensure that the user performing Federation SSO between OIF and the remote SP belongs to that list
      • Or list of groups: OIF/IdP will ensure that the user performing Federation SSO between OIF and the remote SP belongs to a group listed in the constraint

Enjoy the reading!


Friday Apr 11, 2014

Integrating ADFS 2.0/3.0 SP with OIF IdP

As a continuation of my previous articles, I will today describe how to integrate ADFS 2.0/3.0 as an SP and OIF as an IdP.

Be sure to have read my previous entry covering the pre-requisites.

The SAML 2.0 integration will be based on:

  • Email address will be used as the NameID format
  • The NameID value will contain the user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.

ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. The articles will showcase screenshots for ADFS 3.0, while the documented steps will apply to both versions.


Monday Apr 07, 2014

Integrating ADFS 2.0/3.0 IdP with OIF SP

As a continuation of my previous article, I will today describe how to integrate ADFS 2.0/3.0 as an IdP and OIF as an SP.

Be sure to have read my previous entry covering the pre-requisites.

The SAML 2.0 integration will be based on:

  • Email address will be used as the NameID format
  • The NameID value will contain the user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.

ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. The articles will showcase screenshots for ADFS 3.0, while the documented steps will apply to both versions.


Friday Apr 04, 2014

Integrating ADFS 2.0/3.0 with OIF: Pre-Requisites

In the next three articles, I will describe how to integrate OIF (11.1.2.2.0 or later) with ADFS 2.0/3.0 for Federation SSO using the SAML 2.0 protocol. The integration will cover:

  • Pre-requisites (this article)
  • ADFS 2.0/3.0 as the IdP and OIF as the SP (read article here)
  • ADFS 2.0/3.0 as the SP and OIF as the IdP (read article here)

The SAML 2.0 integration will be based on:

  • Email address will be used as the NameID format
  • The NameID value will contain the user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.

ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. The articles will showcase screenshots for ADFS 3.0, while the documented steps will apply to both versions.

In this first article, I will discuss the pre-requisites.

Monday Mar 31, 2014

Using Test SP App in OIF/ SP

In this article, I will talk about how to enable and use the Test SP Application in OIF/SP, which is very useful when OIF is an SP and Federation agreements are set up. It provides the following capabilities:

  • Test the Federation SSO flows
  • Verify if the mapping rules work
  • See which attributes are sent by the IdP, how they are named and how they are processed by OIF/SP
  • See the Federation token (SAML Assertion or OpenID SSO Response)

This tool is very useful to diagnose issues in the SAML/OpenID flows, before rolling Federation SSO out.

This is a Web Application that will exercise the SP functionality of OIF via a browser without creating any OAM session:

  • The application is accessed via a browser
  • Federation SSO is started with the specified IdP
  • You authenticate at the IdP
  • OIF/SP processes the SAML Assertion / OpenID SSO response
  • The application displays the result and SAML Assertion / OpenID SSO response

Friday Mar 28, 2014

Create SAML 1.1 / OpenID 2.0 IdP Partners in OIF/ SP

This article is a continuation of my previous entry where I discussed how to create SAML 2.0 IdP Partners in OIF/SP. In this article, I will cover how to set up a Federation agreement between OIF acting as an SP and a remote IdP Partner via the SAML 1.1 or OpenID 2.0 protocols:

  • Set up a remote SAML 1.1 IdP Partner
  • Set up a remote OpenID 2.0 IdP Partner

The article will describe how to perform the above tasks either via the UI, or via the use of the OIF WLST commands.


Monday Mar 24, 2014

Create SAML 2.0 IdP Partners in OIF/ SP

After having discussed in previous articles how to manage OIF/IdP, I will cover the administration of OIF/SP. In this post, I will explain how to set up a Federation agreement between OIF acting as a SAML 2.0 SP and a remote SAML 2.0 IdP Partner, including:

  • Set up a remote SAML 2.0 IdP Partner with SAML 2.0 Metadata
  • Set up a remote SAML 2.0 IdP Partner without SAML 2.0 Metadata
  • Configure OIF/SP to map an incoming SAML Assertion to an LDAP user

The article will describe how to perform the above tasks either via the UI, or via the use of the OIF WLST commands.

Enjoy the reading!


About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog covers Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service.
