Friday Aug 15, 2014

AuthnRequest Settings in OIF / SP

In this article, I will list the various OIF/SP settings that affect how an AuthnRequest message is created in OIF in a Federation SSO flow.

The AuthnRequest message is used by an SP to start a Federation SSO operation and to indicate to the IdP how the operation should be executed:

  • How the user should be challenged at the IdP
  • Whether or not the user should be challenged at the IdP, even if a session already exists at the IdP for this user
  • Which NameID format should be requested in the SAML Assertion
  • Which binding (Artifact or HTTP-POST) should be requested from the IdP to send the Assertion
  • Which profile should be used by OIF/SP to send the AuthnRequest message

Enjoy the reading!

[Read More]

Friday May 02, 2014

JIT Custom User Provisioning in OIF / SP cont’d

This article is a continuation of my previous entry about User Provisioning in OIF/SP, where I described how to use the built-in module in OIF/SP to create user records during a Federation SSO operation, if the user did not have a local account.

In this article, I will show how to build a custom User Provisioning module in OIF/SP. This will be based on the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 16, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Configure OIF to use the newly uploaded plugin

For this example, I will use the sample code listed in the OAM/OIF 11.1.2.2.0 Developer’s Guide.

Enjoy the reading!

[Read More]

Monday Apr 28, 2014

JIT User Provisioning in OIF / SP

In this article, I will discuss on how to add user provisioning to OIF/SP which allows the server to create a user record on the fly during Federation SSO, if the user does not have an account yet.

During a Federation SSO operation, OIF/SP will validate the incoming SSO response (SAML or OpenID) and will attempt to map it to a local LDAP user record based on information contained in the SSO response (typically user attributes):

  • If the mapping returns a single user record, the operation is a success and an OAM session is created for that user record
  • If the mapping returns several LDAP records, then the operation is a non-recoverable failure:
    • Either the mapping configuration is incorrect
    • Or there are invalid LDAP user records in the directory
  • If the mapping does not return any records, this means that
    • Either the mapping configuration is incorrect
    • Or the configuration is correct, but the user does not have a record in the local directory: in this case, OIF/SP can be set up to automatically create an LDAP user record based on the data contained in the SSO response, and ensure that subsequent Federation SSO mapping operations for that user will map to the same new LDAP user record

OIF/SP will validate the SSO response, process the attributes using rules defined in the IdP Attribute Profile for the IdP partner, and if needed will invoke the User Provisioning module configured in OIF/SP:

  • Either the included User Provisioning module
  • Or a custom implementation of a User Provisioning module

After the invocation of the User Provisioning module (default or custom), the server will create a session for the user. Subsequent Federation SSO operations for the same user will result in OIF/SP mapping the SSO response to that newly created LDAP record.

Enjoy the reading!

[Read More]

Monday Apr 21, 2014

Using Fed Attributes: OAM Authorization and HTTP Headers

In this article, I will discuss how attributes received in SAML/OpenID SSO messages can be used in OAM Authorization Policies and how they can be provided to protected web applications.

At runtime, when OIF/SP successfully processes a SAML / OpenID SSO Response message, the server will save some of the information from the response in the OAM session, as attributes that can be used in OAM authorization policies

  • In conditions for authorization rules
  • In responses to provide the SAML/OpenID attributes to protected web applications

The SAML / OpenID SSO Response information is saved in the OAM session as attributes referenced by the following identifiers:

  • The IdP partner name, referenced by $session.attr.fed.partner
  • The NameID value from the SSO response, referenced by $session.attr.fed.nameidvalue
  • The NameID format from the SSO response, for SAML protocols, referenced by $session.attr.fed.nameidformat
  • The attributes contained either in the SAML Assertion’s AttributeStatement or in the OpenID SSO Response, referenced by $session.attr.fed.attr.ATTR_NAME, with ATTR_NAME being
    • Either the local session attribute name, if an IdP Attribute Profile mapping was applied (see previous article)
    • Or the attribute name from the SSO response, if no IdP Attribute Profile mapping was applied for this attribute

Enjoy the reading!

[Read More]

Friday Apr 18, 2014

Processing Incoming Attributes with OIF / SP

When OIF acts as a Service Provider, it:

  • Validates the incoming SSO response from the IdP
  • Maps the SSO response to an LDAP user record
  • Extracts the user identifier and optional attributes contained in the SSO response and stores them in the OAM session.

Those attributes stored in the OAM session can later be used:

  • In Authorization Policies, where the conditions/rules will evaluate the attributes in the OAM session
  • As Policy Responses to provide those attributes to web applications protected by WebGate/OAM, as HTTP Headers or cookies

In this article, I will discuss how OIF acting as a Service Provider can be configured to:

  • Process attributes contained in an incoming SAML Assertion or OpenID SSO Response to map the names of incoming attributes to local names.
  • Request attributes from the OP via the OpenID protocol (SAML does not provide a way for SPs at runtime to request attributes from the IdP during a Federation SSO operation)

Enjoy the reading!

[Read More]

Friday Mar 28, 2014

Create SAML 1.1 / OpenID 2.0 IdP Partners in OIF/ SP

This article is a continuation of my previous entry where I discussed how to create SAML 2.0 IdP Partners in OIF/SP. In this article, I will cover how to set up a Federation agreement between OIF acting as an SP and a remote IdP Partner via the SAML 1.1 or OpenID 2.0 protocols:

  • Set up a remote SAML 1.1 IdP Partner
  • Set up a remote OpenID 2.0 IdP Partner

The article will describe how to perform the above tasks either via the UI, or via the use of the OIF WLST commands.

[Read More]

Friday Mar 21, 2014

Example: Sending Attributes with OIF/ IdP

In this article, I will cover two examples on how to configure OIF/IdP to send attributes:
  • Via the OAM Administration Console to send attributes to a SAML 2.0 SP Partner
  • Via the OIF WLST commands to send attributes to an OpenID 2.0 RP Partner
The sent attributes will be based on:
  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)
Enjoy the reading![Read More]

Monday Mar 17, 2014

Sending Attributes with OIF/ IdP

In this article, I will cover how OIF can be easily configured to send attributes with the SSO Assertion to the partner during the Federation SSO operation. Those attributes can be set to data retrieved from:
  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)

Note that configuring how SAML NameID values are set is similar to how attributes are configured in OIF.

Enjoy the reading!

[Read More]

Friday Mar 14, 2014

Create SAML 1.1 / OpenID 2.0 SP Partners in OIF/ IdP

This article is a continuation of my previous entry where I discussed how to create SAML 2.0 SP Partners in OIF/IdP. In this article, I will cover how to set up a Federation agreement between OIF acting as an IdP and a remote SP Partner via the SAML 1.1 or OpenID 2.0 protocols:

  • Set up a remote SAML 1.1 SP Partner
  • Set up a remote OpenID 2.0 SP Partner

The article will describe how to perform the above tasks either via the UI, or via the use of the OIF WLST commands.

[Read More]

Tuesday Feb 25, 2014

OIF/OSTS Service Information

OIF and OSTS are two products designed to provide Federation capabilities across security domains:
  • Cross domain SSO for browser based Web SSO flows
  • Cross domain Web Services Security (WSS) for SOAP clients and servers via the WS-Trust protocol

Federation between services is based on trust which is established by exchanging

  • X.509 certificates used for sign/verify and encrypt/decrypt the Federation messages
  • Locations of the Federation services
  • SAML 2.0 Metadata if supported by the partners, when SAML 2.0 Federation SSO is used

In this article, I will discuss about the various kinds of information one has to know in order to be able to set up a Federation agreement between OIF and remote partners, including:

  • How to enable OIF/OSTS services
  • SAML/OpenID Identifiers for OIF/OSTS
  • SAML 2.0 Metadata
  • Certificates
  • Service endpoints
[Read More]

Thursday Feb 20, 2014

Oracle Identity Federation 11.1.2.2.0 has been released!

Oracle Identity Federation (OIF) has been released as part of Oracle Fusion Middleware 11gR2 Release 2 (11.1.2.2.0)!

This new version of OIF provides Identity Provider (IdP) and Service Provider (SP), a.k.a. Relying Party (RP), support for the SAML 2.0, SAML 1.1 and OpenID 2.0 protocols.

The admin interfaces have been revamped to provide a comprehensive and easy way for administrators to manage Federation partnership on a day-to-day basis: while the UI allows the basic administration of Federation settings, which would cover most of the daily use cases, the OIF WLST command scripting tools allow advanced configuration of the Federation servers and its partners.

In this article, I will discuss about the features included in OIF 11.1.2.2.0:

  • Native Integration with OAM
  • Protocols
  • Additional Features

[Read More]
About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog will cover Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service

Search

Categories
Archives
« May 2015
SunMonTueWedThuFriSat
     
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
      
Today