Thursday Apr 16, 2015

SAML 2.0 Setup: Metadata vs No-Metadata

This article will cover the benefits of using SAML 2.0 Metadata when establishing trust between two SAML 2.0 Federation servers, as opposed to providing and entering the information manually by typing, copying and pasting URLs and certificates.

Tuesday Jan 27, 2015

Custom Authentication Module in OIF/SP

In a previous article, I showed how to create a custom Authentication plugin and include it in an existing Federation Authentication Module. In this article I will create a new custom Authentication Module in OIF/SP, made up of the existing OIF Federation Authentication Plugins and a custom plugin that will:

  • Evaluate the requested protected resource
  • Determine the IdP to be used in the Federation SSO operation
  • Request a higher Federation Authentication Method from the IdP, depending on the resource being requested

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer’s Guide, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Authentication Module

Enjoy the reading!

Tuesday Dec 23, 2014

Implementing an IdP Discovery Service

As discussed in my previous article, OIF/SP can be configured to use a remote IdP Discovery Service whose function is to determine which IdP to use for the Federation SSO operation.

The "Identity Provider Discovery Service Protocol and Profile" SAML 2.0 specification published by OASIS defines the interaction protocol between a SAML 2.0 SP and an IdP Discovery Service.

In this article, I will implement a sample IdP Discovery Service, and then I will configure OIF/SP to use that service:

  • The service needs to support the protocol defined by the "Identity Provider Discovery Service Protocol and Profile" SAML 2.0 specification
  • The service will be an HTTP service and can be deployed anywhere
  • OIF/SP will be configured to redirect the user to that remote service when starting a Federation SSO operation.
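The exchange the article configures, as an added example that is not part of the original post and not OIF code: the SP side builds the redirect to the discovery service with the entityID, return, returnIDParam and isPassive parameters defined by the "Identity Provider Discovery Service Protocol and Profile", and the discovery-service side validates the request against the SP's registered DiscoveryResponse endpoints before redirecting the user back with the chosen IdP. SP_REGISTRY, the hostnames and the relay parameter are constructed assumptions.

```python
"""Both sides of the SAML 2.0 IdP Discovery Service Protocol: the SP builds the
redirect to the discovery service, the service validates the request against the
SP's registered DiscoveryResponse endpoints and redirects the user back with the
chosen IdP.  Added example, not code from the article or from OIF; the SP registry
and the URLs below are constructed placeholders."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed registry standing in for the SP metadata the discovery service
# trusts: SP entityID -> <idpdisc:DiscoveryResponse> Location values registered
# for that SP.  The first entry plays the role of the isDefault="true" endpoint.
SP_REGISTRY = {
    "https://sp.example.com/fed/sp": [
        "https://sp.example.com/fed/sp/discovery-response",
    ],
}


def build_discovery_request(ds_url, sp_entity_id, return_url=None,
                            return_id_param="entityID", is_passive=False):
    """SP side: the URL to redirect the browser to when no IdP has been chosen yet."""
    params = {"entityID": sp_entity_id}          # required by the profile
    if return_url:
        params["return"] = return_url
    if return_id_param != "entityID":              # "entityID" is the profile's default
        params["returnIDParam"] = return_id_param
    if is_passive:
        params["isPassive"] = "true"
    return f"{ds_url}?{urlencode(params)}"


def _same_endpoint(candidate, registered):
    """Compare scheme, host and path only: the SP may append its own query
    string (a relay state, for instance) to a registered return URL."""
    c, r = urlsplit(candidate), urlsplit(registered)
    return (c.scheme, c.netloc, c.path) == (r.scheme, r.netloc, r.path)


def handle_discovery_request(request_url, chosen_idp):
    """Discovery service side: validate the request and build the redirect back.
    chosen_idp is the IdP entityID the user picked, or None if none was picked."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    sp = q.get("entityID")
    if sp not in SP_REGISTRY:
        raise ValueError("unknown SP entityID; refusing to redirect")
    endpoints = SP_REGISTRY[sp]
    return_url = q.get("return", endpoints[0])
    # Open-redirect guard required by the profile: the return URL must match a
    # DiscoveryResponse endpoint from the SP's metadata, not just any URL.
    if not any(_same_endpoint(return_url, e) for e in endpoints):
        raise ValueError("return URL not registered for this SP")
    param_name = q.get("returnIDParam", "entityID")
    if chosen_idp is None:
        if q.get("isPassive") == "true":
            return return_url                      # passive: hand back without a selection
        raise ValueError("no IdP selected and the request is not passive")
    parts = urlsplit(return_url)
    extra = urlencode({param_name: chosen_idp})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit(parts._replace(query=query))


if __name__ == "__main__":
    req = build_discovery_request("https://ds.example.org/discovery",
                                  "https://sp.example.com/fed/sp",
                                  "https://sp.example.com/fed/sp/discovery-response?relay=abc",
                                  return_id_param="idp")
    print(req)
    print(handle_discovery_request(req, "https://idp.example.com/fed/idp"))
```

The registry lookup is the part that matters for security: a discovery service that redirects to whatever `return` value it receives is an open redirector that can send the user, and the subsequent SSO flow, to an attacker-controlled site.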

Enjoy the reading!

Thursday Dec 04, 2014

Using OAM Pre Authentication Advanced Rules in OIF IdP

Today I will show how to use OAM Pre-Authentication Advanced Rules with OIF acting as an IdP, with the following use case:

  • OIF acts as the IdP
  • A specific scheme is used to challenge all the users
  • The OAM Authentication Policy for that scheme is configured to have a Pre-Authentication Advanced Rule that will evaluate if the browser is a desktop browser or a mobile browser
    • If the user is using a desktop/laptop, then the configured Authentication Scheme will be used
    • Otherwise, if the user is on a mobile device, another scheme targeted at mobile platforms will be used, which eases user interaction by presenting a mobile login page

For more information about Pre-Authentication Advanced Rules in OAM, refer to the OAM/OIF 11.1.2.2.0 Administrator's Guide.

Friday Nov 07, 2014

Custom Post-Authentication Module in OIF / SP

In this article, I will show how to implement a custom authentication plugin that will be invoked after Federation SSO is complete and that will:

  • Access the information contained in the SAML Assertion (IdP name, user attributes...)
  • Update the LDAP user attributes based on the SAML User attributes

For more information on how to design a custom Authentication Plugin, refer to the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 3, which describes how to develop such a module: http://docs.oracle.com/cd/E40329_01/dev.1112/e27134/authnapi.htm.  

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Create a new Federation Authentication Module

Enjoy the reading!

Wednesday Oct 22, 2014

Determining which IdP to use for Federation SSO

As a Service Provider, when triggering a Federation SSO operation, the main challenge sometimes lies in determining which IdP will be selected for the SSO flow, in cases where the SP has trust agreements with multiple IdPs.

OIF/SP offers several mechanisms to select the IdP for the Federation SSO operation, including:

  • Having the OAM Federation Scheme indicating the IdP to be used
  • Having a custom OAM Authentication Plugin setting the IdP to be used
  • Using a SAML 2.0 IdP Discovery Service if the IdP was neither specified by the Scheme nor by a custom plugin
  • Using the Default SSO IdP if no IdP Discovery Service is used

This article will explore each mechanism more closely.

Monday Oct 06, 2014

Federation Proxy in OIF / IdP

In this article, I will explain the concept of Federation Proxy and how OIF/IdP can easily be configured to become an SP and delegate authentication to another remote IdP instead of authenticating the user locally.

Federation Proxy is typically used when a Federation hub acts as:

  • An IdP for SP Partners, where the IdP aggregates Federation trust between those SPs and itself
  • An SP with remote IdP Partners

This approach has the advantage of:

  • Reducing trust management overhead:
    • Each new IdP Partner added to the Federation hub will be automatically available to all the SP partners integrated with the Federation hub
    • Each new SP Partner added to the Federation hub won't need to be defined at the IdP Partners    
  • Providing a layered Federation trust model, where the Federation hub hides the Federation deployment to the IdP Partners

Enjoy the reading!

Friday Sep 19, 2014

DCC HTTP Reverse Proxy with OAM/OIF

Today I will discuss the Detached Credential Collector (DCC) HTTP Reverse Proxy feature introduced in the 11.1.2.2.0 release.

In a deployment where this feature is enabled, a WebGate SSO Agent:

  • Becomes a reverse HTTP proxy for the OAM and OIF services
  • Interacts with the user over HTTP/HTTPS
  • Routes the incoming HTTP requests for the OAM/OIF servers to the SSO and Federation servers over the secure OAM NAP protocol.
  • Returns to the HTTP client the response sent by OAM/OIF over the NAP protocol

In this mode, all interactions between users/clients and OAM/OIF go through the WebGate DCC HTTP Reverse Proxy: users no longer access the OAM/OIF servers directly.

This new DCC HTTP Reverse Proxy capability is different from the earlier DCC for HTTP-Basic/FORM-based login, which does not work for the Federation SSO flows (IdP or SP mode).

Enjoy the reading!

Friday Sep 05, 2014

Crypto Settings in OIF

In this article, I will cover the various crypto configuration properties in OIF that govern the Federation SSO exchanges, including:

  • Hashing algorithm used for signatures
    • SHA-1
    • SHA-256
  • Which outgoing SAML messages will be signed
  • Which incoming SAML messages must be signed
  • Whether or not to include the X.509 signing certificate in the outgoing signed XML message
  • Whether or not to encrypt SAML 2.0 messages:
    • Assertion
    • NameID
    • Attribute

Enjoy the reading!

Friday Aug 15, 2014

AuthnRequest Settings in OIF / SP

In this article, I will list the various OIF/SP settings that affect how an AuthnRequest message is created in OIF in a Federation SSO flow.

The AuthnRequest message is used by an SP to start a Federation SSO operation and to indicate to the IdP how the operation should be executed:

  • How the user should be challenged at the IdP
  • Whether or not the user should be challenged at the IdP, even if a session already exists at the IdP for this user
  • Which NameID format should be requested in the SAML Assertion
  • Which binding (Artifact or HTTP-POST) should be requested from the IdP to send the Assertion
  • Which profile should be used by OIF/SP to send the AuthnRequest message
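As an added example (not OIF code), the following Python builds an AuthnRequest and maps each setting listed above to the element or attribute that carries it; a second function reads the settings back the way an IdP would. The entity IDs, URLs and the fixed ID and IssueInstant used for illustration are constructed. Signing and the Redirect/POST transport of the request are left out on purpose: the profile used to send the AuthnRequest is a property of the transport, not of the XML.

```python
"""Build a SAML 2.0 AuthnRequest and show which element or attribute each SP
setting controls.  Added example, not OIF code; the entity IDs, URLs and the
fixed values passed in for illustration are constructed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Bindings the SP can ask the IdP to use when returning the Assertion.
BINDINGS = {
    "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_authn_request(sp_entity_id, idp_sso_url, acs_url,
                        authn_context=None, force_authn=False,
                        nameid_format=None, assertion_binding="HTTP-POST",
                        issue_instant=None, request_id=None):
    """Return the AuthnRequest as an XML string.
    - authn_context     -> RequestedAuthnContext: how the user is challenged at the IdP
    - force_authn       -> ForceAuthn: re-challenge even if an IdP session exists
    - nameid_format     -> NameIDPolicy/@Format: NameID format requested in the Assertion
    - assertion_binding -> ProtocolBinding: how the IdP should return the Assertion"""
    if assertion_binding not in BINDINGS:
        raise ValueError("unsupported binding for the Assertion")
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # SAML IDs are xs:ID values and may not start with a digit, hence the prefix.
    request_id = request_id or "id-" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": BINDINGS[assertion_binding],
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    # Schema order: Issuer, then NameIDPolicy, then RequestedAuthnContext.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if nameid_format:
        ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                      {"Format": nameid_format, "AllowCreate": "true"})
    if authn_context:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "minimum"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(req, encoding="unicode")


def describe(xml_text):
    """Parse an AuthnRequest back into the settings it carries (the IdP-side view)."""
    root = ET.fromstring(xml_text)
    ns = {"samlp": SAMLP, "saml": SAML}
    nip = root.find("samlp:NameIDPolicy", ns)
    acr = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", ns)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=ns),
        "force_authn": root.get("ForceAuthn") == "true",
        "nameid_format": nip.get("Format") if nip is not None else None,
        "binding": root.get("ProtocolBinding"),
        "authn_context": acr.text if acr is not None else None,
    }


if __name__ == "__main__":
    xml_text = build_authn_request("https://sp.example.com/fed/sp",
                                   "https://idp.example.com/fed/idp/samlv20",
                                   "https://sp.example.com/fed/sp/acs",
                                   authn_context=PASSWORD_PROTECTED, force_authn=True,
                                   nameid_format=EMAIL_FORMAT, assertion_binding="Artifact")
    print(xml_text)
    print(describe(xml_text))
```

Note that ForceAuthn and the requested authentication context are requests, not guarantees: the IdP's own policy decides whether it honours them, and the SP has to check the returned AuthnStatement (its AuthnInstant and AuthnContextClassRef) if it relies on either.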

Enjoy the reading!

Friday Aug 01, 2014

Integrating Google Apps with OIF / IdP

Google Apps provides a set of services that companies use for their day-to-day activities, allowing their employees to move mail, calendar, document storage... to the Google cloud.

When a company purchases Google Apps for its employees, it needs to create user accounts in Google and provide the employees with their account information:

  • Username and password to access Google Apps
  • How to set/reset their password in Google Apps (initially, or if the password needs to be reset periodically)

Every time the user needs to access Google Apps, an authentication operation takes place in which the user enters the Google Apps credentials, which differ from the company's on-premise user credentials.

Google Apps supports the SAML 2.0 SSO protocol as a Service Provider, so the company's Google Apps service can be integrated with the on-premise Federation SSO IdP server in order to:

  • Provide true SSO capabilities for the user: the user authentication state is propagated from the on-premise security domain to Google Apps
  • Not force the user to manage and remember a different set of credentials
  • Allow the on-premise administrator to control password policies locally and more efficiently.

In this article, I will describe step by step how to integrate Google Apps as an SP with OIF as an IdP via the SAML 2.0 SSO protocol.

Important note: enabling Federation SSO for a domain will also affect the administrators for that domain who will need to authenticate via Federation SSO thereafter.

Enjoy the reading!

Friday May 09, 2014

Integrating Office 365 with OIF/IdP

This is a continuation of my previous article where I will configure OIF (11.1.2.2.0 or later) as an IdP with Office 365 for Federation SSO using the SAML 2.0 protocol.

Be sure to have read the article about pre-requisites.

Monday May 05, 2014

Integrating Office 365 with OIF/IdP Pre-Requisites

In the next two articles, I will describe how to integrate OIF (11.1.2.2.0 or later) as an IdP with Office 365 for Federation SSO using the SAML 2.0 protocol.

The integration will cover:

  • Browser Federation SSO integration: this is the flow the user goes through when accessing www.office365.com resources via a browser:
    • www.office365.com will prompt the user to enter their email address
    • The server will detect that Federation SSO should be used for that domain and will start a Federation SSO flow with OIF/IdP
    • OIF/IdP will challenge the user, create a SAML Assertion and redirect the user to www.office365.com
    • www.office365.com will grant access to the user
  • ActiveSync mail integration: in this flow, the user will use a mail application configured for Office 365
    • When the mail application is started, it will send the user’s credentials (email address and IdP password) to Office 365
    • www.office365.com will make a direct connection over SSL to the IdP and will use the SAML 2.0 ECP protocol to send a SAML AuthnRequest and the user’s credentials via HTTP Basic Authentication
    • The OIF/IdP will validate those credentials and return a SAML Assertion via the ECP protocol
    • Office 365 will grant access to the mail application

It is important to note that Office 365 components that do not use SAML 2.0 will not work with this integration, such as:

  • Lync clients
  • OWA Mobile Apps

Friday May 02, 2014

JIT Custom User Provisioning in OIF / SP cont’d

This article is a continuation of my previous entry about User Provisioning in OIF/SP, where I described how to use the built-in module in OIF/SP to create user records during a Federation SSO operation, if the user did not have a local account.

In this article, I will show how to build a custom User Provisioning module in OIF/SP. This will be based on the OAM/OIF 11.1.2.2.0 Developer’s Guide, chapter 16, which describes how to develop such a module.

I will focus here on how to:

  • Implement the plugin
  • Compile it
  • Package it
  • Upload the plugin to OAM
  • Configure OIF to use the newly uploaded plugin

For this example, I will use the sample code listed in the OAM/OIF 11.1.2.2.0 Developer’s Guide.

Enjoy the reading!

Monday Apr 28, 2014

JIT User Provisioning in OIF / SP

In this article, I will discuss how to add user provisioning to OIF/SP, which allows the server to create a user record on the fly during Federation SSO if the user does not have an account yet.

During a Federation SSO operation, OIF/SP will validate the incoming SSO response (SAML or OpenID) and will attempt to map it to a local LDAP user record based on information contained in the SSO response (typically user attributes):

  • If the mapping returns a single user record, the operation is a success and an OAM session is created for that user record
  • If the mapping returns several LDAP records, then the operation is a non-recoverable failure:
    • Either the mapping configuration is incorrect
    • Or there are invalid LDAP user records in the directory
  • If the mapping does not return any records, this means that
    • Either the mapping configuration is incorrect
    • Or the configuration is correct, but the user does not have a record in the local directory: in this case, OIF/SP can be set up to automatically create an LDAP user record based on the data contained in the SSO response, and ensure that subsequent Federation SSO mapping operations for that user will map to the same new LDAP user record

OIF/SP will validate the SSO response, process the attributes using rules defined in the IdP Attribute Profile for the IdP partner, and if needed will invoke the User Provisioning module configured in OIF/SP:

  • Either the included User Provisioning module
  • Or a custom implementation of a User Provisioning module

After the invocation of the User Provisioning module (default or custom), the server will create a session for the user. Subsequent Federation SSO operations for the same user will result in OIF/SP mapping the SSO response to that newly created LDAP record.

Enjoy the reading!

Monday Apr 21, 2014

Using Fed Attributes: OAM Authorization and HTTP Headers

In this article, I will discuss how attributes received in SAML/OpenID SSO messages can be used in OAM Authorization Policies and how they can be provided to protected web applications.

At runtime, when OIF/SP successfully processes a SAML / OpenID SSO Response message, the server saves some of the information from the response in the OAM session, as attributes that can be used in OAM authorization policies:

  • In conditions for authorization rules
  • In responses to provide the SAML/OpenID attributes to protected web applications

The SAML / OpenID SSO Response information is saved in the OAM session as attributes referenced by the following identifiers:

  • The IdP partner name, referenced by $session.attr.fed.partner
  • The NameID value from the SSO response, referenced by $session.attr.fed.nameidvalue
  • The NameID format from the SSO response, for SAML protocols, referenced by $session.attr.fed.nameidformat
  • The attributes contained either in the SAML Assertion’s AttributeStatement or in the OpenID SSO Response, referenced by $session.attr.fed.attr.ATTR_NAME, with ATTR_NAME being
    • Either the local session attribute name, if an IdP Attribute Profile mapping was applied (see previous article)
    • Or the attribute name from the SSO response, if no IdP Attribute Profile mapping was applied for this attribute
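The following added example (not OIF code) serves the two summaries above, the JIT User Provisioning entry and this one: it parses a constructed SAML Assertion, maps it to a local user record with the one/several/none outcomes described for JIT provisioning (creating a record only when a provisioning module is supplied), then builds the fed.* session attributes named above with an IdP Attribute Profile mapping applied, and uses them in an authorization condition and in response headers. DIRECTORY, ATTRIBUTE_PROFILE, SAMPLE_ASSERTION and the header names are constructed; validation of the Assertion's signature and conditions is assumed to have already happened.

```python
"""What an SP does with a validated SAML Assertion: map it to exactly one local
user record, expose the federation data as session attributes, and use those in
an authorization decision and response headers.  Added example, not OIF code;
the directory, attribute profile, assertion and header names are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed LDAP-like directory, keyed by DN.  Two records share a mail value
# on purpose, to exercise the "several records match" failure.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"mail": "alice@example.com", "uid": "alice"},
    "cn=bob,ou=people,dc=example,dc=com": {"mail": "bob@example.com", "uid": "bob"},
    "cn=bob2,ou=people,dc=example,dc=com": {"mail": "bob@example.com", "uid": "bob2"},
}

# Constructed IdP Attribute Profile: incoming SAML attribute name -> local session name.
ATTRIBUTE_PROFILE = {"urn:oid:2.5.4.42": "firstname", "department": "dept"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-1" Version="2.0" IssueInstant="2014-04-21T10:00:00Z">
  <saml:Issuer>https://idp.example.com/fed/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>security</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue><saml:AttributeValue>auditor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return issuer, NameID value/format and attributes (name -> list of values).
    Signature and Conditions validation is assumed to have happened before this."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "nameid_value": nameid.text,
        "nameid_format": nameid.get("Format"),
        "attributes": attrs,
    }


def map_to_user(directory, attr_name, value, provision=None):
    """Three outcomes: one match -> its DN; several -> hard failure (ambiguous,
    never pick one); none -> provision if a module is configured, else fail."""
    matches = [dn for dn, rec in directory.items() if rec.get(attr_name) == value]
    if len(matches) == 1:
        return matches[0]
    if len(matches) > 1:
        raise LookupError(f"ambiguous mapping: {len(matches)} records match {attr_name}={value}")
    if provision is None:
        raise LookupError(f"no record with {attr_name}={value} and no provisioning module")
    return provision(directory, attr_name, value)


def default_provision(directory, attr_name, value):
    """JIT provisioning: create a record carrying the mapping attribute, so that
    later Federation SSO mappings for this user resolve to this same record."""
    uid = value.split("@")[0]
    dn = f"cn={uid},ou=people,dc=example,dc=com"
    directory[dn] = {attr_name: value, "uid": uid}
    return dn


def build_session_attributes(partner, assertion, profile):
    """Produce the $session.attr.fed.* values: partner, NameID and attributes,
    renamed through the profile when a mapping exists, kept as-is otherwise."""
    session = {
        "fed.partner": partner,
        "fed.nameidvalue": assertion["nameid_value"],
        "fed.nameidformat": assertion["nameid_format"],
    }
    for name, values in assertion["attributes"].items():
        session[f"fed.attr.{profile.get(name, name)}"] = values
    return session


def authorize(session, required_dept):
    """Authorization condition on a fed.* attribute, plus the headers a policy
    response would hand to the protected application (names are constructed)."""
    if required_dept not in session.get("fed.attr.dept", []):
        return False, {}
    headers = {
        "HTTP_FED_PARTNER": session["fed.partner"],
        "HTTP_FED_USER": session["fed.nameidvalue"],
        "HTTP_FED_ROLE": ";".join(session.get("fed.attr.role", [])),
    }
    return True, headers


if __name__ == "__main__":
    a = parse_assertion(SAMPLE_ASSERTION)
    dn = map_to_user(DIRECTORY, "mail", a["nameid_value"], provision=default_provision)
    s = build_session_attributes("AcmeIdP", a, ATTRIBUTE_PROFILE)
    print(dn, authorize(s, "security"))
```

The ambiguous case is deliberately a failure rather than a "pick the first record": two directory entries sharing the mapping attribute means either a misconfigured mapping or a bad directory, and silently choosing one would let a federated identity land in someone else's account.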

Enjoy the reading!

Friday Apr 18, 2014

Processing Incoming Attributes with OIF / SP

When OIF acts as a Service Provider, it:

  • Validates the incoming SSO response from the IdP
  • Maps the SSO response to an LDAP user record
  • Extracts the user identifier and optional attributes contained in the SSO response and stores them in the OAM session.

Those attributes stored in the OAM session can later be used:

  • In Authorization Policies, where the conditions/rules will evaluate the attributes in the OAM session
  • As Policy Responses to provide those attributes to web applications protected by WebGate/OAM, as HTTP Headers or cookies

In this article, I will discuss how OIF acting as a Service Provider can be configured to:

  • Process attributes contained in an incoming SAML Assertion or OpenID SSO Response to map the names of incoming attributes to local names.
  • Request attributes from the OP via the OpenID protocol (SAML does not provide a way for SPs at runtime to request attributes from the IdP during a Federation SSO operation)

Enjoy the reading!

Friday Apr 11, 2014

Integrating ADFS 2.0/3.0 SP with OIF IdP

As a continuation of my previous articles, today I will describe how to integrate ADFS 2.0/3.0 as an SP and OIF as an IdP.

Be sure to have read my previous entry covering the pre-requisites.

The SAML 2.0 integration will be based on:

  • The emailAddress NameID format will be used
  • The NameID value will contain the user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.

ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. The articles will showcase screenshots for ADFS 3.0, while the documented steps will apply to both versions.

Monday Apr 07, 2014

Integrating ADFS 2.0/3.0 IdP with OIF SP

As a continuation of my previous article, today I will describe how to integrate ADFS 2.0/3.0 as an IdP and OIF as an SP.

Be sure to have read my previous entry covering the pre-requisites.

The SAML 2.0 integration will be based on:

  • The emailAddress NameID format will be used
  • The NameID value will contain the user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.

ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. The articles will showcase screenshots for ADFS 3.0, while the documented steps will apply to both versions.

Friday Apr 04, 2014

Integrating ADFS 2.0/3.0 with OIF: Pre-Requisites

In the next three articles, I will describe how to integrate OIF (11.1.2.2.0 or later) with ADFS 2.0/3.0 for Federation SSO using the SAML 2.0 protocol. The integration will cover:

  • Pre-requisites (this article)
  • ADFS 2.0/3.0 as the IdP and OIF as the SP
  • ADFS 2.0/3.0 as the SP and OIF as the IdP

The SAML 2.0 integration will be based on:

  • The emailAddress NameID format will be used
  • The NameID value will contain the user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.

ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. The articles will showcase screenshots for ADFS 3.0, while the documented steps will apply to both versions.

In this first article, I will discuss the pre-requisites.

Friday Mar 28, 2014

Create SAML 1.1 / OpenID 2.0 IdP Partners in OIF/SP

This article is a continuation of my previous entry where I discussed how to create SAML 2.0 IdP Partners in OIF/SP. In this article, I will cover how to set up a Federation agreement between OIF acting as an SP and a remote IdP Partner via the SAML 1.1 or OpenID 2.0 protocols:

  • Set up a remote SAML 1.1 IdP Partner
  • Set up a remote OpenID 2.0 IdP Partner

The article will describe how to perform the above tasks either via the UI or via the OIF WLST commands.

Monday Mar 24, 2014

Create SAML 2.0 IdP Partners in OIF/SP

After having discussed in previous articles how to manage OIF/IdP, I will cover the administration of OIF/SP. In this post, I will explain how to set up a Federation agreement between OIF acting as a SAML 2.0 SP and a remote SAML 2.0 IdP Partner, including:

  • Set up a remote SAML 2.0 IdP Partner with SAML 2.0 Metadata
  • Set up a remote SAML 2.0 IdP Partner without SAML 2.0 Metadata
  • Configure OIF/SP to map an incoming SAML Assertion to an LDAP user

The article will describe how to perform the above tasks either via the UI or via the OIF WLST commands.

Enjoy the reading!

Friday Mar 21, 2014

Example: Sending Attributes with OIF/IdP

In this article, I will cover two examples of how to configure OIF/IdP to send attributes:

  • Via the OAM Administration Console, to send attributes to a SAML 2.0 SP Partner
  • Via the OIF WLST commands, to send attributes to an OpenID 2.0 RP Partner

The sent attributes will be based on:

  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)

Enjoy the reading!

Monday Mar 17, 2014

Sending Attributes with OIF/IdP

In this article, I will cover how OIF can be easily configured to send attributes with the SSO Assertion to the partner during the Federation SSO operation. Those attributes can be set to data retrieved from:
  • The LDAP user record (attributes, DN…)
  • The OAM user session (attributes, session count…)
  • The browser’s HTTP request (cookie, user-agent…)

Note that configuring how SAML NameID values are set is similar to how attributes are configured in OIF.

Enjoy the reading!

Friday Mar 14, 2014

Create SAML 1.1 / OpenID 2.0 SP Partners in OIF/IdP

This article is a continuation of my previous entry where I discussed how to create SAML 2.0 SP Partners in OIF/IdP. In this article, I will cover how to set up a Federation agreement between OIF acting as an IdP and a remote SP Partner via the SAML 1.1 or OpenID 2.0 protocols:

  • Set up a remote SAML 1.1 SP Partner
  • Set up a remote OpenID 2.0 SP Partner

The article will describe how to perform the above tasks either via the UI or via the OIF WLST commands.

Monday Mar 10, 2014

Creating SAML 2.0 SP Partners in OIF / IdP

In this article, I will discuss what one needs to know in order to set up a Federation agreement between OIF acting as a SAML 2.0 IdP and a remote SAML 2.0 SP Partner, including:

  • Set up a remote SAML 2.0 SP Partner with SAML 2.0 Metadata
  • Set up a remote SAML 2.0 SP Partner without SAML 2.0 Metadata

The article will describe how to perform the above tasks either via the UI or via the OIF WLST commands.

Enjoy the reading!

Tuesday Mar 04, 2014

Key and Certificate Management/Rollover in OIF/STS

As part of the Federation and WS-Trust protocol interactions, OIF/OSTS needs PKI keys and certificates: digital signatures provide integrity and non-repudiation, and encryption provides confidentiality.

In this article, I discuss key and certificate management, including how to:

  • Generate new keys and certificates
  • Configure OIF and OSTS to use the new keys and certificates
  • Implement a key rollover on a per partner basis
  • Distribute the new certificates to partners

Tuesday Feb 25, 2014

OIF/OSTS Service Information

OIF and OSTS are two products designed to provide Federation capabilities across security domains:
  • Cross domain SSO for browser based Web SSO flows
  • Cross domain Web Services Security (WSS) for SOAP clients and servers via the WS-Trust protocol

Federation between services is based on trust, which is established by exchanging:

  • X.509 certificates used to sign/verify and encrypt/decrypt the Federation messages
  • Locations of the Federation services
  • SAML 2.0 Metadata if supported by the partners, when SAML 2.0 Federation SSO is used

In this article, I will discuss what one needs to know in order to set up a Federation agreement between OIF and remote partners, including:

  • How to enable OIF/OSTS services
  • SAML/OpenID Identifiers for OIF/OSTS
  • SAML 2.0 Metadata
  • Certificates
  • Service endpoints

Thursday Feb 20, 2014

Oracle Identity Federation 11.1.2.2.0 has been released!

Oracle Identity Federation (OIF) has been released as part of Oracle Fusion Middleware 11gR2 Release 2 (11.1.2.2.0)!

This new version of OIF provides Identity Provider (IdP) and Service Provider (SP), a.k.a. Relying Party (RP), support for the SAML 2.0, SAML 1.1 and OpenID 2.0 protocols.

The admin interfaces have been revamped to give administrators a comprehensive and easy way to manage Federation partnerships on a day-to-day basis. The UI covers the basic administration of Federation settings, which handles most daily use cases, while the OIF WLST command scripting tools allow advanced configuration of the Federation servers and their partners.

In this article, I will discuss the features included in OIF 11.1.2.2.0:

  • Native Integration with OAM
  • Protocols
  • Additional Features

About

Damien Carru is a member of the Oracle Identity Management organization, focusing on Federation and SSO. This blog covers Federation use cases involving Oracle Access Manager, Oracle Identity Federation and Oracle Security Token Service.
