Federation SSO process can be initiated when Identity Federation is working as an IdP or SP.
The IdP Initiated Federation SSO Service has three query parameters: providerid, returnurl, and acsurl.
When Identity Federation is working as an IdP, the URL for initiating Federation SSO is:
http://public-oam-host:public-oam-port/oamfed/idp/initiatesso
The query parameters are:
providerid: the name of the SP partner with which to perform Federation SSO, or that partner's issuer ID / provider ID (required)
returnurl: the SP URL where the user will be redirected after a successful Federation SSO (optional)
acsurl: the SAML 2.0 Assertion Consumer Service URL where Identity Federation will redirect the user with the SAML 2.0 Assertion. This URL must be declared in the SP SAML 2.0 Metadata. (optional)
By default, during SSO the IdP sends the Group attribute values in comma-separated format when the user belongs to multiple groups and the attribute's always send option is set to true. As an enhanced behavior, when the multivaluegroups flag is set to true, the IdP sends the Group attribute values in separate SAML statements instead of comma-separated.
The following SSO protocols support Multi-Valued Groups SAML Attributes:
SAML 2.0
SAML 1.1
To enable this feature, update the OAM configuration according to the requirement. The multivaluegroups attribute setting is disabled by default and is not present in oam-config.xml. To enable multiple attribute statements for the Group attribute, add this setting to oam-config.xml using WLST commands and set it to true.
Add the multivaluegroups attribute setting to oam-config.xml at the Partner level, Partner Profile level, or Global level using WLST commands and set it to true:
<Setting Name="multivaluegroups" Type="xsd:boolean">true</Setting>
Enable or disable multivaluegroups at the partner level:
updatePartnerProperty(partnerName="spPartnername", partnerType="SP", propName="multivaluegroups", propValue="true/false", type="boolean");
Enable or disable multivaluegroups at the partner profile level:
putBooleanProperty("/fedpartnerprofiles/saml20-sp-partner-profile/multivaluegroups","true/false");
Enable or disable multivaluegroups at the global level:
putBooleanProperty("/idpglobal/multivaluegroups","true/false");
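The setting above changes the shape of what the SP receives, so the SP-side code that reads group membership has to know which format the IdP is configured for. The following Python parser is an added example and not part of the original documentation or of OAM: it reads the Group attribute from a SAML 2.0 AttributeStatement in both shapes. The two statement fragments are constructed; the attribute name "Group" and the exact multi-valued shape (one AttributeValue per group under a single Attribute) are assumptions, and the parser also merges repeated Attribute elements with the same Name in case the IdP emits one Attribute per group.

```python
"""Read the Group attribute from a SAML 2.0 AttributeStatement in both of the
shapes described above: comma-separated (the default) and multi-valued
(multivaluegroups=true).

Added example, not Oracle's code.  The two statement fragments are
constructed; the attribute name "Group" and the multi-valued shape (one
AttributeValue per group under a single Attribute) are assumptions.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: default behaviour, every group in one comma-separated value.
COMMA_SEPARATED = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Group">
    <saml:AttributeValue>Administrators,Developers,Auditors</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed: multivaluegroups=true, one value per group.  The last group
# name contains a comma, which the default format cannot carry unambiguously.
MULTI_VALUED = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Group">
    <saml:AttributeValue>Administrators</saml:AttributeValue>
    <saml:AttributeValue>Developers</saml:AttributeValue>
    <saml:AttributeValue>Sales, EMEA</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def group_values(statement_xml, attr_name="Group", split_commas=True):
    """Return the group names carried by attr_name, in document order.

    split_commas=True matches the IdP's default output and splits a single
    value on commas.  When the IdP has multivaluegroups enabled, pass
    split_commas=False so that a group name containing a comma is kept
    whole.  Repeated Attribute elements with the same Name are merged, so
    an IdP that emits one Attribute per group is handled as well.
    """
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.findall("{%s}AttributeValue" % SAML_NS):
            text = (val.text or "").strip()
            if not text:
                continue
            if split_commas:
                values.extend(p.strip() for p in text.split(",") if p.strip())
            else:
                values.append(text)
    return values


def is_member(statement_xml, group, multivalue_groups=False):
    """Membership check whose parsing mode follows the IdP's multivaluegroups setting."""
    return group in group_values(statement_xml, split_commas=not multivalue_groups)


if __name__ == "__main__":
    print(group_values(COMMA_SEPARATED))
    print(group_values(MULTI_VALUED, split_commas=False))
    print(group_values(MULTI_VALUED, split_commas=True))  # "Sales, EMEA" is torn apart
```

The third call shows why the parsing mode must match the IdP setting: with multivaluegroups enabled a group name such as "Sales, EMEA" arrives intact, but an SP that still splits on commas turns it into two groups that do not exist, and a membership check against the real name fails.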
The SP Initiated Federation SSO Service has two query parameters: providerid and returnurl.
When Identity Federation is working as an SP, the URL for initiating Federation SSO is:
http://public-oam-host:public-oam-port/oamfed/sp/initiatesso
The query parameters are:
providerid: the name of the IdP partner with which to perform Federation SSO, or that partner's issuer ID / provider ID (required)
returnurl: the URL where the user will be redirected after a successful Federation SSO (optional)
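As an added example that is not Oracle code, the following Python builds both initiate-SSO URLs described above with properly percent-encoded query parameters, and accepts an acsurl only when it appears verbatim as an AssertionConsumerService Location in the SP's SAML 2.0 metadata, which is the requirement stated for that parameter. The OAM host, partner entity IDs, return URL and the metadata document are constructed; the SP-side builder also supports the attributeconsumingserviceindex parameter described under AttributeConsumingServiceIndex later on this page.

```python
"""Build Identity Federation initiate-SSO URLs for the IdP and SP roles and
check an acsurl against the SP's SAML 2.0 metadata before using it.

Added example, not Oracle's code.  The OAM host, partner IDs, return URL
and the SP metadata are constructed; the query parameter names are the
ones documented on this page.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata declaring two Assertion Consumer Service endpoints.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp-host:sp-managed-port/oam/fed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp-host:sp-managed-port/oamfed/sp/samlv20"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp-host:sp-managed-port/oamfed/sp/samlv20artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def declared_acs_locations(metadata_xml):
    """Set of AssertionConsumerService Location values declared in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {el.get("Location")
            for el in root.iter("{%s}AssertionConsumerService" % MD_NS)
            if el.get("Location")}


def acsurl_is_declared(acsurl, metadata_xml):
    """True only for an exact match; no prefix, host-only or normalised matching."""
    return acsurl in declared_acs_locations(metadata_xml)


def idp_initiate_sso_url(oam_base, providerid, returnurl=None, acsurl=None,
                         metadata_xml=None):
    """URL for <oam_base>/oamfed/idp/initiatesso (Identity Federation as IdP).

    providerid is required; returnurl and acsurl are optional.  An acsurl is
    only emitted after it has been found in the SP metadata.
    """
    params = [("providerid", providerid)]
    if returnurl:
        params.append(("returnurl", returnurl))
    if acsurl:
        if metadata_xml is None or not acsurl_is_declared(acsurl, metadata_xml):
            raise ValueError("acsurl %r is not declared in the SP metadata" % acsurl)
        params.append(("acsurl", acsurl))
    return "%s/oamfed/idp/initiatesso?%s" % (oam_base.rstrip("/"), urlencode(params))


def sp_initiate_sso_url(oam_base, providerid, returnurl=None,
                        attribute_consuming_service_index=None):
    """URL for <oam_base>/oamfed/sp/initiatesso (Identity Federation as SP).

    The optional index becomes the attributeconsumingserviceindex parameter
    that selects an AttributeConsumingService in the resulting AuthnRequest.
    """
    params = [("providerid", providerid)]
    if returnurl:
        params.append(("returnurl", returnurl))
    if attribute_consuming_service_index is not None:
        params.append(("attributeconsumingserviceindex",
                       str(int(attribute_consuming_service_index))))
    return "%s/oamfed/sp/initiatesso?%s" % (oam_base.rstrip("/"), urlencode(params))


def query_params(url):
    """Decode the query string back into a dict for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    base = "http://public-oam-host:public-oam-port"
    print(idp_initiate_sso_url(base, "http://sp-host:sp-managed-port/oam/fed",
                               returnurl="http://sp-host:webgate-port/cgi-bin/headers.cgi",
                               acsurl="http://sp-host:sp-managed-port/oamfed/sp/samlv20",
                               metadata_xml=SP_METADATA))
    print(sp_initiate_sso_url(base, "http://idp-host:idp-managed-port/oam/fed",
                              returnurl="http://sp-host:webgate-port/cgi-bin/headers.cgi",
                              attribute_consuming_service_index=1))
```

The check is deliberately an exact string comparison against the declared Location values: a path that merely shares a prefix, or a host that matches without the path, is not an endpoint the SP published in its metadata, so the builder refuses it rather than emitting a URL that would send the assertion somewhere the metadata does not vouch for.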
The OAM Federation service is enhanced to support standard SAML 2.0-based interfaces and elements.
This section describes the following topics:
The attribute consuming service includes three elements: AttributeConsumingService, AttributeConsumingServiceIndex, and NameQualifier.
AttributeConsumingService
The AttributeConsumingService element is included in the SP metadata. This element contains the following fields:
ServiceName
ServiceDescription
index
isDefault
RequestedAttribute
RequestedAttribute contains the following fields:
acsIndex
rqstAttrName
rqstAttrNameFormat
rqstAttrFriendlyName
rqstAttrIsRequired
Note: The rqstAttrName field can be any user-defined value such as name, fiscal number, email, and so on.
Sample SP metadata:
```xml
<md:AttributeConsumingService index="1" isDefault="false">
  <md:ServiceName>serviceName1</md:ServiceName>
  <md:ServiceDescription>serviceDesc1</md:ServiceDescription>
  <md:RequestedAttribute FriendlyName="friendlyName1" Name="email" NameFormat="sample:urn:format" isRequired="true"/>
</md:AttributeConsumingService>
<md:AttributeConsumingService index="1" isDefault="true">
  <md:ServiceName>Updated-Service-Name1</md:ServiceName>
  <md:ServiceDescription>updatedServiceDesc</md:ServiceDescription>
  <md:RequestedAttribute FriendlyName="friendlyName1" Name="email" NameFormat="sample:urn:format" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="" Name="empNum" NameFormat="empFormat1" isRequired="false"/>
  <md:RequestedAttribute FriendlyName="fname" Name="empFirstName" NameFormat="firstnameformat1" isRequired="true"/>
</md:AttributeConsumingService>
```
AttributeConsumingServiceIndex
The AttributeConsumingServiceIndex element is included in the SAML 2.0 authentication request. In the runtime SSO, pass the attributeconsumingserviceindex parameter in the SP initiated URL, so that AttributeConsumingServiceIndex appears in the authnrequest.
For example:
http://sp-host:sp-managed-port/oamfed/sp/initiatesso?providerid=http://idp-host:idp-managed-port/oam/fed&returnurl=http://sp-host:webgate-port/cgi-bin/headers.cgi&attributeconsumingserviceindex=1
Sample authentication request:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<samlp:AuthnRequest xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AttributeConsumingServiceIndex="1"
    ID="id-atMY1jR9Vh7PBcWSjdqmyxIc1JNMSFD-zQ1d7lf8"
    Version="2.0"
    IssueInstant="2016-09-15T22:32:37Z"
    Destination="http://slc05ynv.us.oracle.com:21328/oamfed/idp/samlv20">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://slc06fcv.us.oracle.com:23768/oam/fed</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
```
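On the IdP side, the index in the AuthnRequest is only meaningful once it is resolved against the SP's metadata. The following Python is an added example and not Oracle code: it parses the AttributeConsumingService entries from SP metadata, reads the AttributeConsumingServiceIndex from an AuthnRequest, and returns the requested attributes (and the required subset) for the selected service, falling back to the entry marked isDefault when the request carries no index. The metadata reuses the two services from the sample above but gives them distinct indexes (1 and 2) so that each index is unique, and the AuthnRequest is a trimmed copy of the sample with constructed host names and ID.

```python
"""Resolve an AuthnRequest's AttributeConsumingServiceIndex against the SP
metadata to learn which attributes the SP asks for and which are required.

Added example, not Oracle's code.  The metadata and request below are
constructed from the samples on this page with distinct ACS indexes.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp-host:sp-managed-port/oam/fed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1" isDefault="false">
      <md:ServiceName>serviceName1</md:ServiceName>
      <md:ServiceDescription>serviceDesc1</md:ServiceDescription>
      <md:RequestedAttribute FriendlyName="friendlyName1" Name="email" NameFormat="sample:urn:format" isRequired="true"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="2" isDefault="true">
      <md:ServiceName>Updated-Service-Name1</md:ServiceName>
      <md:ServiceDescription>updatedServiceDesc</md:ServiceDescription>
      <md:RequestedAttribute FriendlyName="friendlyName1" Name="email" NameFormat="sample:urn:format" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="" Name="empNum" NameFormat="empFormat1" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="fname" Name="empFirstName" NameFormat="firstnameformat1" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed: trimmed copy of the sample request, asking for service index 2.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AttributeConsumingServiceIndex="2" ID="id-constructed-example-0001" Version="2.0"
    IssueInstant="2016-09-15T22:32:37Z"
    Destination="http://idp-host:idp-managed-port/oamfed/idp/samlv20">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp-host:sp-managed-port/oam/fed</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>
"""


def parse_attribute_consuming_services(metadata_xml):
    """Map index -> {serviceName, isDefault, requested:[...]} from SP metadata.

    A duplicated index is rejected, because the index is the only key the
    AuthnRequest can use to name a service.
    """
    root = ET.fromstring(metadata_xml)
    services = {}
    for acs in root.iter("{%s}AttributeConsumingService" % MD_NS):
        index = int(acs.get("index"))
        if index in services:
            raise ValueError("duplicate AttributeConsumingService index %d" % index)
        name_el = acs.find("{%s}ServiceName" % MD_NS)
        requested = [{
            "name": ra.get("Name"),
            "nameFormat": ra.get("NameFormat"),
            "friendlyName": ra.get("FriendlyName", ""),
            "isRequired": ra.get("isRequired", "false").lower() == "true",
        } for ra in acs.findall("{%s}RequestedAttribute" % MD_NS)]
        services[index] = {
            "serviceName": name_el.text if name_el is not None else "",
            "isDefault": acs.get("isDefault", "false").lower() == "true",
            "requested": requested,
        }
    return services


def requested_index(authn_request_xml):
    """Return the AttributeConsumingServiceIndex of the AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")
    value = root.get("AttributeConsumingServiceIndex")
    return int(value) if value is not None else None


def select_service(services, index):
    """Pick the service named by index, or the single isDefault one when index is None."""
    if index is not None:
        if index not in services:
            raise KeyError("AttributeConsumingServiceIndex %d is not in the SP metadata" % index)
        return services[index]
    defaults = [s for s in services.values() if s["isDefault"]]
    if len(defaults) != 1:
        raise ValueError("expected exactly one default AttributeConsumingService, found %d" % len(defaults))
    return defaults[0]


def required_attribute_names(services, index):
    """Sorted names of the attributes marked isRequired in the selected service."""
    svc = select_service(services, index)
    return sorted(a["name"] for a in svc["requested"] if a["isRequired"])


if __name__ == "__main__":
    svcs = parse_attribute_consuming_services(SP_METADATA)
    idx = requested_index(AUTHN_REQUEST)
    print("request selects index", idx, "->", select_service(svcs, idx)["serviceName"])
    print("required:", required_attribute_names(svcs, idx))
```

An index that is not present in the metadata is treated as an error rather than silently mapped to the default service, so an IdP using this lookup releases attributes only for a service the SP actually published.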
NameQualifier
The NameQualifier element is included in the <samlp:issuer> tag.
Example:
```xml
<saml:Issuer NameQualifier="http://spid-sp.it" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SPID-sp-test</saml:Issuer>
```
By default, NameQualifier is set to false. You can set NameQualifier to true in the oam-config.xml file using the WLST commands. For more information on WLST commands, see the WLST Command Reference for WebLogic Server.
The following table illustrates how to enable or disable the NameQualifier element using the WLST commands:
Action | WLST Command Examples |
---|---|
Enable NameQualifier at the partner level. | updatePartnerProperty(partnerName="idp-partner",partnerType="IDP",propName="samlrequestissuernamequalifier",propValue="http://sample.sp.it",type="string") |
Enable NameQualifier at the partner profile level. | putStringProperty("/fedpartnerprofiles/saml20-idp-partner-profile/samlrequestissuernamequalifier","http://profile-sample.it") |
Enable NameQualifier at the global level. | putStringProperty("/spglobal/samlrequestissuernamequalifier","http://spglobal.it") |
Disable NameQualifier at the partner level. | deletePartnerProperty(partnerName="idp-partner",partnerType="IDP",propName="samlrequestissuernamequalifier") |
Disable NameQualifier at the partner profile level. | deleteStringProperty("/fedpartnerprofiles/saml20-idp-partner-profile/samlrequestissuernamequalifier") |
Disable NameQualifier at the global level. | deleteStringProperty("/spglobal/samlrequestissuernamequalifier") |
Attribute Consuming Service is supported with ten WebLogic Scripting Tool (WLST) commands.
The following sections describe each command.
This command retrieves the default attribute consuming service.
Description
The getDefaultACS command retrieves the default attribute consuming service.
Syntax
getDefaultACS()
Example 37-1
This example illustrates the use of the getDefaultACS command.
getDefaultACS()
This command retrieves the list of requested attributes under the specified attribute consuming service, acsIndex.
Description
The getAllRqstAttrsForACS command retrieves the list of requested attributes under the specified attribute consuming service, acsIndex.
Syntax
getAllRqstAttrsForACS(acsIndex)
Arguments | Definition |
---|---|
acsIndex | [Mandatory] Index of the attribute consuming service. |
Example 37-2
This example illustrates the use of the getAllRqstAttrsForACS(acsIndex) command.
getAllRqstAttrsForACS(1)
This command retrieves the list of all attribute consuming services configured.
Description
The getAllACS command retrieves the list of all attribute consuming services configured.
Syntax
getAllACS()
Example 37-3
This example illustrates the use of the getAllACS() command.
getAllACS()
This command retrieves the specified attribute consuming service, acsIndex.
Description
The getACS command retrieves the specified attribute consuming service, acsIndex.
Syntax
getACS(acsIndex)
Arguments | Definitions |
---|---|
acsIndex | [Mandatory] Index of the attribute consuming service. |
Example 37-4
This example illustrates the use of the getACS(acsIndex) command.
getACS(1)
This command creates a new entry of attribute consuming service with acsIndex, serviceName, attributeConsumingIsDefault, rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName, rqstAttrIsRequired, and serviceDescription.
Description
The addACS command creates a new entry of attribute consuming service with acsIndex, serviceName, attributeConsumingIsDefault, rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName, rqstAttrIsRequired, and serviceDescription.
It is mandatory to provide details of at least one requested attribute when you create an attribute consuming service. The <xml:lang> parameter is updated with the server locale automatically.
Note: You must create the attribute consuming service with addACS, specifying acsIndex, before you can execute the GET and DELETE WLST commands for it.
Syntax
addACS(acsIndex, serviceName, rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName="", rqstAttrIsRequired="false", serviceDescription="", attributeConsumingIsDefault="false")
Arguments | Definitions |
---|---|
acsIndex | [Mandatory] Specifies the index of the attribute consuming service. |
serviceName | [Mandatory] Specifies the name of the service. |
rqstAttrName | [Mandatory] Specifies the name of the requested attribute. |
rqstAttrNameFormat | [Mandatory] Specifies the format of the requested attribute. |
rqstAttrFriendlyName | [Optional] Specifies the friendly name of the attribute consuming service. |
rqstAttrIsRequired | [Optional] Determines if the requested attribute is required. The valid values are true and false. |
serviceDescription | [Optional] Provides the description of the service. The default value is "" (an empty string). |
attributeConsumingIsDefault | [Optional] Accepts the value to set the default attribute consuming service. The default value is false. |
Example 37-5
This example illustrates the use of the addACS command.
addACS(1, "Updated-Service-Name1", "email", "sample:urn:format", rqstAttrFriendlyName="", rqstAttrIsRequired="false", serviceDescription="updatedServiceDesc", attributeConsumingIsDefault="true")
This command adds a new requested attribute (rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName, and rqstAttrIsRequired) to the list of the specified attribute consuming service, acsIndex.
Description
The addRqstAttrToACS command adds a new requested attribute (rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName, and rqstAttrIsRequired) to the list of the specified attribute consuming service, acsIndex.
Syntax
addRqstAttrToACS(acsIndex, rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName=None, rqstAttrIsRequired="false")
Arguments | Definitions |
---|---|
acsIndex | [Mandatory] Specifies the index of the attribute consuming service. |
rqstAttrName | [Mandatory] Specifies the name of the requested attribute. |
rqstAttrNameFormat | [Mandatory] Specifies the format of the requested attribute. |
rqstAttrFriendlyName | [Optional] Specifies the friendly name of the attribute consuming service. |
rqstAttrIsRequired | [Optional] Determines if the requested attribute is required. The valid values are true and false. |
Example 37-6
This example illustrates the use of the addRqstAttrToACS command.
addRqstAttrToACS(1, "empNumber", "empFormat1", rqstAttrFriendlyName=None, rqstAttrIsRequired="false")
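Because addACS takes exactly one requested attribute and every further attribute needs its own addRqstAttrToACS call, a service with several attributes is easy to get wrong by hand. The following Python generator is an added example, not Oracle code: from a declarative description of one attribute consuming service it emits the addACS line followed by one addRqstAttrToACS line per remaining attribute, enforcing the constraints stated above (acsIndex, serviceName, rqstAttrName and rqstAttrNameFormat are mandatory, at least one requested attribute is required, and the boolean-like arguments are passed as the strings "true" or "false"). It only produces text; write the output to a script and run it with the WLST tool after connecting to the OAM domain. The service definition is constructed to match the sample SP metadata above.

```python
"""Generate the WLST calls that create one attribute consuming service from a
declarative description, enforcing the argument rules in the reference.

Added example, not Oracle's code: it emits text for the documented addACS
and addRqstAttrToACS commands and does not execute them.  SAMPLE_SERVICE is
constructed to match the sample SP metadata on this page.
"""


def _q(value):
    """Quote a value as a Jython string literal (WLST scripts are Jython)."""
    s = "" if value is None else str(value)
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _flag(value):
    """Boolean-like WLST arguments are passed as the strings "true" / "false"."""
    if isinstance(value, str):
        if value.lower() in ("true", "false"):
            return value.lower()
        raise ValueError("boolean flag must be true or false, got %r" % value)
    return "true" if value else "false"


def acs_wlst_commands(acs_index, service_name, requested,
                      service_description="", is_default=False):
    """Return the WLST lines (as strings) that create the described service.

    requested: list of dicts with keys name, nameFormat and optionally
    friendlyName and isRequired.  The first entry goes into addACS, since
    addACS needs at least one requested attribute; the remaining entries
    become addRqstAttrToACS calls against the same acsIndex.
    """
    if not isinstance(acs_index, int) or acs_index < 0:
        raise ValueError("acsIndex must be a non-negative integer")
    if not service_name:
        raise ValueError("serviceName is mandatory")
    if not requested:
        raise ValueError("at least one requested attribute is mandatory")
    for attr in requested:
        if not attr.get("name") or not attr.get("nameFormat"):
            raise ValueError("rqstAttrName and rqstAttrNameFormat are mandatory: %r" % attr)
    first, rest = requested[0], requested[1:]
    lines = [
        "addACS(%d, %s, %s, %s, rqstAttrFriendlyName=%s, rqstAttrIsRequired=%s, "
        "serviceDescription=%s, attributeConsumingIsDefault=%s)" % (
            acs_index, _q(service_name), _q(first["name"]), _q(first["nameFormat"]),
            _q(first.get("friendlyName", "")), _q(_flag(first.get("isRequired", False))),
            _q(service_description), _q(_flag(is_default)))
    ]
    for attr in rest:
        lines.append(
            "addRqstAttrToACS(%d, %s, %s, rqstAttrFriendlyName=%s, rqstAttrIsRequired=%s)" % (
                acs_index, _q(attr["name"]), _q(attr["nameFormat"]),
                _q(attr.get("friendlyName", "")), _q(_flag(attr.get("isRequired", False)))))
    return lines


# Constructed definition matching the sample SP metadata above.
SAMPLE_SERVICE = dict(
    acs_index=1,
    service_name="Updated-Service-Name1",
    service_description="updatedServiceDesc",
    is_default=True,
    requested=[
        {"name": "email", "nameFormat": "sample:urn:format",
         "friendlyName": "friendlyName1", "isRequired": True},
        {"name": "empNum", "nameFormat": "empFormat1",
         "friendlyName": "", "isRequired": False},
        {"name": "empFirstName", "nameFormat": "firstnameformat1",
         "friendlyName": "fname", "isRequired": True},
    ],
)

if __name__ == "__main__":
    # Redirect this output to a file and run it with the WLST shell.
    print("\n".join(acs_wlst_commands(**SAMPLE_SERVICE)))
```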
This command updates any or all fields of the specified attribute consuming service, oldACSIndex.
Description
The updateACS command updates any or all fields (that is, newServiceName, newServiceDescription, newAttributeLang, newIsDefault, and newACSIndex) of the specified attribute consuming service, oldACSIndex.
Syntax
updateACS(oldACSIndex, newServiceName=None, newServiceDescription=None, newAttributeLang=None, newIsDefault=None, newACSIndex=None)
Arguments | Definitions |
---|---|
oldACSIndex | [Mandatory] Specifies the name of the existing attribute consuming service index. |
newServiceName | [Optional] Specifies the updated name for the attribute consuming service. |
newServiceDescription | [Optional] Specifies the updated description of the attribute consuming service. |
newAttributeLang | [Optional] Specifies the updated "xml:lang" for the attribute consuming service name and description. |
newIsDefault | [Optional] Accepts the values true or false to set the new default value for the attribute consuming service. The valid values are true and false. |
newACSIndex | [Optional] Specifies the name of the new attribute consuming service index. |
Example 37-7
This example illustrates the use of the updateACS command.
Note: At least one optional parameter is required with acsIndex to successfully update the ACS.
To update the newServiceName field, use the following command:
updateACS(1, newServiceName="SampleAttributeName");
To update newServiceName and isdefault, use the following command:
updateACS(1, newServiceName="SampleAttributeName", newIsDefault="true");
This command updates all the fields of the specified requested attribute, oldRqstAttrName, under the specified attribute consuming service, acsIndex.
Description
The updateRqstAttrForACS command updates all the fields of the specified requested attribute, oldRqstAttrName, under the specified attribute consuming service, acsIndex.
Syntax
updateRqstAttrForACS(acsIndex, oldRqstAttrName, newRqstAttrName=None, newRqstAttrFriendlyName=None, newRqstAttrNameFormat=None, newRqstAttrIsRequired=None)
Arguments | Definitions |
---|---|
acsIndex | [Mandatory] Specifies the index of the attribute consuming service. |
oldRqstAttrName | [Mandatory] Specifies the name of the existing requested attribute whose fields are updated. |
newRqstAttrName | [Optional] Specifies the updated name of the requested attribute. |
newRqstAttrFriendlyName | [Optional] Specifies the updated friendly name of the requested attribute. |
newRqstAttrNameFormat | [Optional] Specifies the updated format of the requested attribute name. |
newRqstAttrIsRequired | [Optional] Determines if the requested attribute is required by the attribute consuming service. The valid values are true and false. |
Example 37-8
This example illustrates the use of the updateRqstAttrForACS command.
Note: At least one optional parameter is required with acsIndex to successfully update the specified requested attribute.
To update newRqstAttrName, use the following command:
updateRqstAttrForACS(acsIndex, oldRqstAttrName, newRqstAttrName="SAMPLE_RQST_ATTR");
To update newRqstAttrName and newRqstAttrNameFormat of the requested attribute, use the following command:
updateRqstAttrForACS(acsIndex, oldRqstAttrName, newRqstAttrName="SAMPLE_RQST_ATTR", newRqstAttrNameFormat="urn:oasis:sample");
This command deletes the specified attribute consuming service, acsIndex.
Description
The deleteACS command deletes the specified attribute consuming service, acsIndex.
Syntax
deleteACS(acsIndex)
Arguments | Definition |
---|---|
acsIndex | [Mandatory] Specifies the index of the attribute consuming service. |
Example 37-9
This example illustrates the use of the deleteACS command.
deleteACS(1)
This command deletes the requested attribute, rqstAttrName, from the specified attribute consuming service, acsIndex.
Description
The deleteRqstAttrForACS command deletes the requested attribute, rqstAttrName, from the specified attribute consuming service, acsIndex.
Syntax
deleteRqstAttrForACS(acsIndex, rqstAttrName)
Arguments | Definition |
---|---|
acsIndex | [Mandatory] Specifies the index of the attribute consuming service. |
rqstAttrName | [Mandatory] Specifies the name of the requested attribute. |
Example 37-10
This example illustrates the use of the deleteRqstAttrForACS command.
deleteRqstAttrForACS(1, rqstAttrName="empFirstName")