37.5 Initiating Federation SSO

The Federation SSO process can be initiated whether Identity Federation is acting as an IdP or as an SP.

37.5.1 IdP Initiated Federation SSO Service

The IdP Initiated Federation SSO Service has three query parameters: providerid, returnurl, and acsurl.

When Identity Federation is working as an IdP, the URL for initiating Federation SSO is:

http://public-oam-host:public-oam-port/oamfed/idp/initiatesso

The query parameters are:

  • providerid: the name of the SP partner, or its issuer ID / provider ID, with which to perform Federation SSO. (required)

  • returnurl: the SP URL to which the user is redirected after a successful Federation SSO. (optional)

  • acsurl: the SAML 2.0 Assertion Consumer Service URL to which Identity Federation redirects the user with the SAML 2.0 Assertion. This URL must be declared in the SP's SAML 2.0 metadata; because acsurl is supplied on the query string, that check against the registered metadata is what prevents an assertion from being delivered to an endpoint the partner never registered. (optional)

37.5.1.1 Multivalue Attributes in SAML Assertion

By default, when the user belongs to multiple groups and the group attribute's Always Send option is set to true, the IdP sends the group attribute during SSO as a single comma-separated value. When the multivaluegroups flag is set to true, the IdP instead sends the groups as separate SAML attribute values rather than as one comma-separated string.

The following SSO protocols support multi-valued group SAML attributes:

  • SAML 2.0

  • SAML 1.1

  1. To enable this feature, update the OAM configuration at the appropriate level. The multivaluegroups setting is disabled by default and is not present in oam-config.xml; it has to be added with WLST commands and set to true for the group attribute to be sent as multiple attribute values.

  2. Add the multivaluegroups setting to oam-config.xml at the partner level, the partner profile level or the global level using the WLST commands below, and set it to true:

    <Setting Name="multivaluegroups" Type="xsd:boolean">true</Setting>

    • Enable or disable the multivaluegroups at partner level

      updatePartnerProperty(partnerName="spPartnername", partnerType="SP",propName="multivaluegroups",propValue="true/false",type="boolean");

    • Enable or disable the multivaluegroups at partner profile level

      putBooleanProperty("/fedpartnerprofiles/saml20-sp-partner-profile/multivaluegroups","true/false");

    • Enable or disable the multivaluegroups at global level

      putBooleanProperty("/idpglobal/multivaluegroups","true/false");
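The following Python snippet is an added example, not code from the OAM product or this page, of what the two encodings mean to the SP that consumes the assertion. It parses a constructed AttributeStatement in both shapes (one comma-separated AttributeValue, which is the default, and one AttributeValue per group, which is what multivaluegroups=true is assumed to produce) and shows why the comma-separated form is ambiguous as soon as a group name itself contains a comma. The attribute name "groups" and the group names are assumptions; the real attribute name comes from the attribute mapping of the partner profile.

```python
"""Added example: read a group attribute from a SAML 2.0 AttributeStatement as an
SP would, for the default comma-separated encoding and for multivaluegroups=true."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _statement(*values, attr_name="groups"):
    """Build a constructed AttributeStatement (sample input, not real OAM output)."""
    body = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:AttributeStatement xmlns:saml="{NS["saml"]}">'
            f'<saml:Attribute Name="{attr_name}">{body}</saml:Attribute>'
            "</saml:AttributeStatement>")


# Default behaviour: both groups packed into one value, separated by a comma.
COMMA_FORM = _statement("finance,auditors")
# multivaluegroups=true (assumed shape): one AttributeValue per group.
MULTI_FORM = _statement("finance", "auditors")
# A single group whose name contains a comma (a DN, for instance). In the
# comma-separated encoding this is indistinguishable from two groups.
DN_FORM = _statement("cn=admins,ou=groups")


def group_values(statement_xml, attr_name="groups", comma_separated=False):
    """Return the group names carried in the named attribute.

    comma_separated=True matches the default OAM encoding and splits every
    AttributeValue on ','. False matches multivaluegroups=true: each
    AttributeValue is exactly one group and its text is never split, so a
    comma inside a group name cannot turn into an extra membership."""
    root = ET.fromstring(statement_xml)
    groups = []
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if not text:
                continue
            if comma_separated:
                groups.extend(p.strip() for p in text.split(",") if p.strip())
            else:
                groups.append(text)
    return groups


def is_member(statement_xml, group, comma_separated=False):
    """The authorization check an SP performs on the parsed group list."""
    return group in group_values(statement_xml, comma_separated=comma_separated)


if __name__ == "__main__":
    print(group_values(COMMA_FORM, comma_separated=True))   # ['finance', 'auditors']
    print(group_values(MULTI_FORM))                         # ['finance', 'auditors']
    print(group_values(DN_FORM, comma_separated=True))      # ['cn=admins', 'ou=groups']
```

The practical consequence: an SP that splits on commas must be sure the IdP never emits a group whose name contains one, and an SP that does not split will silently fail every membership check against the default encoding (the string "finance,auditors" is not the group "finance"). Enabling multivaluegroups removes the ambiguity because the element boundary, not the content, separates the values.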

37.5.2 SP Initiated Federation SSO Service

The SP Initiated Federation SSO Service has two query parameters: providerid and returnurl.

When Identity Federation is working as an SP, the URL for initiating Federation SSO is:

http://public-oam-host:public-oam-port/oamfed/sp/initiatesso

The query parameters are:

  • providerid: the name of the IdP partner, or its issuer ID / provider ID, with which to perform Federation SSO. (required)

  • returnurl: the URL to which the user is redirected after a successful Federation SSO. (optional)
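The following Python helper is an added example, not part of the OAM product or of this page. It builds the IdP-initiated (37.5.1) and SP-initiated (37.5.2) URLs with the parameters above, percent-encodes the partner IDs and URLs so that the "://" inside them survives as a single parameter value, and refuses returnurl and acsurl targets that are not https URLs on an allowlisted host, since both are supplied on the query string by whoever crafts the link. The OAM host name, the allowlist and the https requirement are assumptions of the example; any further parameter (such as the attributeconsumingserviceindex used in 37.5.3.1) can be passed as an extra keyword argument.

```python
"""Added example: build Federation SSO initiation URLs for the IdP-initiated
(/oamfed/idp/initiatesso) and SP-initiated (/oamfed/sp/initiatesso) services."""
from urllib.parse import urlencode, urlsplit

# Assumed deployment values (constructed for this example, not from the page).
OAM_BASE = "https://oam.example.com"
# returnurl and acsurl arrive in the query string, so anyone who can make a user
# follow a link controls them. Post-SSO redirects are restricted to these hosts.
ALLOWED_REDIRECT_HOSTS = {"sp.example.com", "app.example.com"}


def check_redirect_target(name, url):
    """Reject redirect targets that are not https URLs on an allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"{name} must be an https URL: {url!r}")
    if parts.username is not None or parts.password is not None:
        # https://sp.example.com@evil.example/ parses with hostname evil.example;
        # refuse any userinfo outright rather than rely on the host check alone.
        raise ValueError(f"{name} must not contain userinfo: {url!r}")
    if parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError(f"{name} host is not allowlisted: {parts.hostname!r}")


def build_initiate_sso_url(role, providerid, returnurl=None, acsurl=None,
                           oam_base=OAM_BASE, **extra):
    """role is 'idp' or 'sp'; extra keyword arguments become further query
    parameters (for example attributeconsumingserviceindex=1 on the SP side)."""
    if role not in ("idp", "sp"):
        raise ValueError("role must be 'idp' or 'sp'")
    if role == "sp" and acsurl is not None:
        raise ValueError("acsurl is a parameter of the IdP-initiated service only")
    params = {"providerid": providerid}  # required on both services
    if returnurl is not None:
        check_redirect_target("returnurl", returnurl)
        params["returnurl"] = returnurl
    if acsurl is not None:
        check_redirect_target("acsurl", acsurl)
        params["acsurl"] = acsurl
    params.update(extra)
    # urlencode percent-encodes ':' and '/' inside the partner URLs so each one
    # stays a single parameter value instead of being cut at the first '&' or '/'.
    return f"{oam_base}/oamfed/{role}/initiatesso?{urlencode(params)}"


if __name__ == "__main__":
    print(build_initiate_sso_url("idp", "https://sp.example.com/saml",
                                 returnurl="https://sp.example.com/home"))
    print(build_initiate_sso_url("sp", "https://idp.example.com/oam/fed",
                                 returnurl="https://app.example.com/cgi-bin/headers.cgi",
                                 attributeconsumingserviceindex=1))
```

The allowlist is enforced on the link-building side here; whatever validation the federation server itself applies to returnurl, a link generator that only ever emits registered targets keeps an open-redirect out of your own pages.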

37.5.3 Attribute Consuming Service

The OAM Federation service supports the standard SAML 2.0 metadata and protocol elements described in the following topics.

37.5.3.1 Elements Of Attribute Consuming Service

The attribute consuming service includes three elements: AttributeConsumingService, AttributeConsumingServiceIndex, and NameQualifier.

AttributeConsumingService

The AttributeConsumingService element is included in the SP metadata. This element contains the following fields:

  • ServiceName

  • ServiceDescription

  • index

  • isDefault

  • RequestedAttribute, which in turn contains the following fields:

    • acsIndex

    • rqstAttrName (any user-defined attribute name, such as name, fiscal number or email)

    • rqstAttrNameFormat

    • rqstAttrFriendlyName

    • rqstAttrIsRequired

Sample SP metadata. The two elements below are two snapshots of the service with index 1: a minimal one, and the same index as it looks after the addACS and addRqstAttrToACS examples later in this section. A single metadata document must not contain two AttributeConsumingService elements with the same index, because the index is what the authentication request uses to select the service.

<!-- Snapshot 1: service 1 as first created -->
<md:AttributeConsumingService index="1" isDefault="false">
        <md:ServiceName>serviceName1</md:ServiceName>
        <md:ServiceDescription>serviceDesc1</md:ServiceDescription>
        <md:RequestedAttribute FriendlyName="friendlyName1" Name="email" NameFormat="sample:urn:format" isRequired="true"/>
</md:AttributeConsumingService>

<!-- Snapshot 2: service 1 after it was updated and two more requested attributes were added -->
<md:AttributeConsumingService index="1" isDefault="true">
        <md:ServiceName>Updated-Service-Name1</md:ServiceName>
        <md:ServiceDescription>updatedServiceDesc</md:ServiceDescription>
        <md:RequestedAttribute FriendlyName="friendlyName1" Name="email" NameFormat="sample:urn:format" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="" Name="empNum" NameFormat="empFormat1" isRequired="false"/>
        <md:RequestedAttribute FriendlyName="fname" Name="empFirstName" NameFormat="firstnameformat1" isRequired="true"/>
</md:AttributeConsumingService>

AttributeConsumingServiceIndex

The AttributeConsumingServiceIndex attribute is carried in the SAML 2.0 authentication request. At runtime, pass the attributeconsumingserviceindex query parameter on the SP-initiated URL; the SP then includes the AttributeConsumingServiceIndex attribute in the AuthnRequest it sends to the IdP, which tells the IdP which of the SP's AttributeConsumingService entries (and hence which requested attributes) applies to this login.

For example, http://sp-host:sp-managed-port/oamfed/sp/initiatesso?providerid=http://idp-host:idp-managed-port/oam/fed&returnurl=http://sp-host:webgate-port/cgi-bin/headers.cgi&attributeconsumingserviceindex=1

Sample authentication request:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
        <samlp:AuthnRequest xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AttributeConsumingServiceIndex="1" ID="id-atMY1jR9Vh7PBcWSjdqmyxIc1JNMSFD-zQ1d7lf8" Version="2.0" IssueInstant="2016-09-15T22:32:37Z" Destination="http://slc05ynv.us.oracle.com:21328/oamfed/idp/samlv20">
                <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://slc06fcv.us.oracle.com:23768/oam/fed</saml:Issuer>
                <samlp:NameIDPolicy AllowCreate="true"/>
        </samlp:AuthnRequest>     
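The following Python is an added example, not OAM code, of the IdP-side lookup that the index implies: given the SP's metadata and an AuthnRequest, it identifies the partner by Issuer, checks that Destination is this IdP's endpoint, and resolves the AttributeConsumingServiceIndex (or, when the request carries none, the service marked isDefault, falling back to the first listed one) to the list of requested attributes and their isRequired flags. The metadata is constructed after the sample above and the host names, the IdP endpoint and the request ID are assumptions.

```python
"""Added example: resolve the AttributeConsumingService that an AuthnRequest selects
(by AttributeConsumingServiceIndex, or the default one) against the SP's metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata modelled on the sample above (entityID and hosts are assumed).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/oam/fed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">default</md:ServiceName>
      <md:RequestedAttribute Name="email" isRequired="true"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Updated-Service-Name1</md:ServiceName>
      <md:RequestedAttribute FriendlyName="friendlyName1" Name="email" NameFormat="sample:urn:format" isRequired="true"/>
      <md:RequestedAttribute Name="empNum" NameFormat="empFormat1" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="fname" Name="empFirstName" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_SSO_ENDPOINT = "https://idp.example.com/oamfed/idp/samlv20"  # assumed


def make_authn_request(index=None, destination=IDP_SSO_ENDPOINT,
                       issuer="https://sp.example.com/oam/fed"):
    """Constructed AuthnRequest in the shape of the sample above (not captured traffic)."""
    idx = f' AttributeConsumingServiceIndex="{index}"' if index is not None else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            ' ID="id-constructed-0001" Version="2.0" IssueInstant="2016-09-15T22:32:37Z"'
            ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
            f'{idx} Destination="{destination}">'
            f'<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">{issuer}</saml:Issuer>'
            '<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>')


def parse_acs(metadata_xml):
    """Return (entityID, {index: {"default": bool, "attributes": [(Name, isRequired)]}})."""
    root = ET.fromstring(metadata_xml)
    services = {}
    for acs in root.iter(f"{{{NS['md']}}}AttributeConsumingService"):
        index = int(acs.get("index"))
        if index in services:  # the index is the lookup key; a duplicate makes it ambiguous
            raise ValueError(f"duplicate AttributeConsumingService index {index}")
        attrs = [(ra.get("Name"), ra.get("isRequired") == "true")
                 for ra in acs.findall("md:RequestedAttribute", NS)]
        if not attrs:
            raise ValueError(f"AttributeConsumingService {index} requests no attributes")
        services[index] = {"default": acs.get("isDefault") == "true", "attributes": attrs}
    return root.get("entityID"), services


def select_acs(metadata_xml, authn_request_xml, sso_endpoint=IDP_SSO_ENDPOINT):
    """IdP-side lookup: which attributes is this request asking for?"""
    entity_id, services = parse_acs(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    # The index only has meaning inside the issuing partner's own metadata.
    issuer = (req.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != entity_id:
        raise ValueError(f"Issuer {issuer!r} is not partner {entity_id!r}")
    # SAML Core 3.2.1: when Destination is present the recipient must check it.
    if req.get("Destination") != sso_endpoint:
        raise ValueError("Destination is not this IdP's SSO endpoint")
    if not services:
        raise ValueError("partner metadata declares no AttributeConsumingService")
    raw = req.get("AttributeConsumingServiceIndex")
    if raw is None:
        defaults = [i for i, s in services.items() if s["default"]]
        index = defaults[0] if defaults else next(iter(services))  # else first listed
    else:
        index = int(raw)
        if index not in services:
            raise ValueError(f"request names unknown AttributeConsumingServiceIndex {index}")
    return index, services[index]["attributes"]


if __name__ == "__main__":
    print(select_acs(SP_METADATA, make_authn_request(index=1)))
    print(select_acs(SP_METADATA, make_authn_request()))
```

An unknown index is rejected rather than silently mapped to the default, and the Issuer check comes before the index lookup so that a request from one partner can never select another partner's attribute set.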

NameQualifier

The NameQualifier attribute is carried on the <saml:Issuer> element of the SAML request.

Example:

<saml:Issuer NameQualifier="http://spid-sp.it"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SPID-sp-test</saml:Issuer>

By default, the samlrequestissuernamequalifier property is not set and no NameQualifier attribute is emitted. You enable it by setting that property in oam-config.xml to the qualifier string using the WLST commands, and disable it again by deleting the property. For more information on WLST commands, see the WLST Command Reference for WebLogic Server.

The following WLST commands enable or disable the NameQualifier element at each level:

  • Enable NameQualifier at the partner level:

    updatePartnerProperty(partnerName="idp-partner",partnerType="IDP",propName="samlrequestissuernamequalifier",propValue="http://sample.sp.it",type="string")

  • Enable NameQualifier at the partner profile level:

    putStringProperty("/fedpartnerprofiles/saml20-idp-partner-profile/samlrequestissuernamequalifier","http://profile-sample.it")

  • Enable NameQualifier at the global level:

    putStringProperty("/spglobal/samlrequestissuernamequalifier","http://spglobal.it")

  • Disable NameQualifier at the partner level:

    deletePartnerProperty(partnerName="idp-partner",partnerType="IDP",propName="samlrequestissuernamequalifier")

  • Disable NameQualifier at the partner profile level:

    deleteStringProperty("/fedpartnerprofiles/saml20-idp-partner-profile/samlrequestissuernamequalifier")

  • Disable NameQualifier at the global level:

    deleteStringProperty("/spglobal/samlrequestissuernamequalifier")

37.5.3.2 WLST Commands For Attribute Consuming Service

Attribute Consuming Service is supported by ten WebLogic Scripting Tool (WLST) commands, described in the following sections.

37.5.3.2.1 getDefaultACS

This command retrieves the default attribute consuming service.

Description

The getDefaultACS command retrieves the default attribute consuming service.

Syntax

getDefaultACS()

Example 37-1 Example

This example illustrates the use of getDefaultACS command.

getDefaultACS()

37.5.3.2.2 getAllRqstAttrsForACS

This command retrieves the list of requested attributes under the specified attribute consuming service, acsIndex.

Description

The getAllRqstAttrsForACS command retrieves the list of requested attributes under the specified attribute consuming service, acsIndex.

Syntax

getAllRqstAttrsForACS(acsIndex)

Arguments:

  acsIndex [Mandatory] Index of the attribute consuming service.

Example 37-2 Example

This example illustrates the use of the getAllRqstAttrsForACS(acsIndex) command.

getAllRqstAttrsForACS(1)

37.5.3.2.3 getAllACS

This command retrieves the list of all attribute consuming services configured.

Description

The getAllACS command retrieves the list of all attribute consuming services configured.

Syntax

getAllACS()

Example 37-3 Example

This example illustrates the use of the getAllACS() command.
getAllACS()

37.5.3.2.4 getACS

This command retrieves the specified attribute consuming service, acsIndex.

Description

The getACS command retrieves the specified attribute consuming service, acsIndex.

Syntax

getACS(acsIndex)

Arguments:

  acsIndex [Mandatory] Index of the attribute consuming service.

Example 37-4 Example

This example illustrates the use of the getACS(acsIndex) command.
getACS(1)

37.5.3.2.5 addACS

This command creates a new attribute consuming service entry from acsIndex, serviceName, attributeConsumingIsDefault, rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName, rqstAttrIsRequired and serviceDescription.

Description

The addACS command creates a new attribute consuming service entry from acsIndex, serviceName, attributeConsumingIsDefault, rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName, rqstAttrIsRequired and serviceDescription.

At least one requested attribute must be provided when you create an attribute consuming service. The xml:lang attribute of the service name and description is set from the server locale automatically.

Note:

An attribute consuming service must first be created with addACS at a given acsIndex before the get, update and delete WLST commands can refer to that index.

Syntax

addACS(acsIndex, serviceName, rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName="", rqstAttrIsRequired="false", serviceDescription="", attributeConsumingIsDefault="false")

Arguments:

  acsIndex [Mandatory] Specifies the index of the attribute consuming service.
  serviceName [Mandatory] Specifies the name of the service.
  rqstAttrName [Mandatory] Specifies the name of the requested attribute.
  rqstAttrNameFormat [Mandatory] Specifies the name format of the requested attribute.
  rqstAttrFriendlyName [Optional] Specifies the friendly name of the requested attribute. The default value is "".
  rqstAttrIsRequired [Optional] Determines whether the requested attribute is required. The valid values are true and false; the default is false.
  serviceDescription [Optional] Provides the description of the service. The default value is "".
  attributeConsumingIsDefault [Optional] Marks this attribute consuming service as the default one. The valid values are true and false; the default is false.

Example 37-5 Example

This example illustrates the use of the addACS command.

addACS(1, "Updated-Service-Name1", "email", "sample:urn:format", rqstAttrFriendlyName="", rqstAttrIsRequired="false", serviceDescription="updatedServiceDesc", attributeConsumingIsDefault="true")

37.5.3.2.6 addRqstAttrToACS

This command adds a new requested attribute (rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName and rqstAttrIsRequired) to the specified attribute consuming service, acsIndex.

Description

The addRqstAttrToACS command adds a new requested attribute (rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName and rqstAttrIsRequired) to the list of requested attributes of the specified attribute consuming service, acsIndex.

Syntax

addRqstAttrToACS(acsIndex, rqstAttrName, rqstAttrNameFormat, rqstAttrFriendlyName=None, rqstAttrIsRequired="false")

Arguments:

  acsIndex [Mandatory] Specifies the index of the attribute consuming service.
  rqstAttrName [Mandatory] Specifies the name of the requested attribute.
  rqstAttrNameFormat [Mandatory] Specifies the name format of the requested attribute.
  rqstAttrFriendlyName [Optional] Specifies the friendly name of the requested attribute.
  rqstAttrIsRequired [Optional] Determines whether the requested attribute is required. The valid values are true and false; the default is false.

Example 37-6 Example

This example illustrates the use of the addRqstAttrToACS command.

addRqstAttrToACS(1, "empNumber", "empFormat1", rqstAttrFriendlyName=None, rqstAttrIsRequired="false")

37.5.3.2.7 updateACS

This command updates any or all fields of the specified attribute consuming service, oldACSIndex.

Description

The updateACS command updates any or all fields (that is, newServiceName, newServiceDescription, newAttributeLang, newIsDefault and newACSIndex) of the specified attribute consuming service, oldACSIndex.

Syntax

updateACS(oldACSIndex, newServiceName=None, newServiceDescription=None, newAttributeLang=None, newIsDefault=None, newACSIndex=None)

Arguments:

  oldACSIndex [Mandatory] Specifies the index of the existing attribute consuming service to update.
  newServiceName [Optional] Specifies the updated name of the attribute consuming service.
  newServiceDescription [Optional] Specifies the updated description of the attribute consuming service.
  newAttributeLang [Optional] Specifies the updated xml:lang for the attribute consuming service name and description.
  newIsDefault [Optional] Sets whether this attribute consuming service is the default one. The valid values are true and false.
  newACSIndex [Optional] Specifies the new index of the attribute consuming service.

Example 37-7 Example

This example illustrates the use of the updateACS command.

Note:

At least one optional parameter must be supplied along with oldACSIndex for the update to succeed.
  • To update only the service name, use the following command:
    updateACS(1, newServiceName="SampleAttributeName")

  • To update both the service name and the default flag (newIsDefault), use the following command:
    updateACS(1, newServiceName="SampleAttributeName", newIsDefault="true")
    

37.5.3.2.8 updateRqstAttrForACS

This command updates any or all fields of the specified requested attribute, oldRqstAttrName, under the specified attribute consuming service, acsIndex.

Description

The updateRqstAttrForACS command updates any or all fields of the specified requested attribute, oldRqstAttrName, under the specified attribute consuming service, acsIndex.

Syntax

updateRqstAttrForACS(acsIndex, oldRqstAttrName, newRqstAttrName=None, newRqstAttrFriendlyName=None, newRqstAttrNameFormat=None, newRqstAttrIsRequired=None)

Arguments:

  acsIndex [Mandatory] Specifies the index of the attribute consuming service.
  oldRqstAttrName [Mandatory] Specifies the name of the existing requested attribute whose fields are updated.
  newRqstAttrName [Optional] Specifies the updated name of the requested attribute.
  newRqstAttrFriendlyName [Optional] Specifies the updated friendly name of the requested attribute.
  newRqstAttrNameFormat [Optional] Specifies the updated name format of the requested attribute.
  newRqstAttrIsRequired [Optional] Determines whether the requested attribute is required by the attribute consuming service. The valid values are true and false.

Example 37-8 Example

This example illustrates the use of the updateRqstAttrForACS command, renaming the requested attribute "email" of the attribute consuming service with index 1 from the sample metadata.

Note:

At least one optional parameter must be supplied along with acsIndex and oldRqstAttrName for the update of the requested attribute to succeed.
  • To update only the attribute name, use the following command:
    updateRqstAttrForACS(1, "email", newRqstAttrName="SAMPLE_RQST_ATTR")

  • To update both the attribute name and its name format, use the following command:
    updateRqstAttrForACS(1, "email", newRqstAttrName="SAMPLE_RQST_ATTR", newRqstAttrNameFormat="urn:oasis:sample")
    

37.5.3.2.9 deleteACS

This command deletes the specified attribute consuming service, acsIndex.

Description

The deleteACS command deletes the specified attribute consuming service, acsIndex.

Syntax

deleteACS(acsIndex)

Arguments:

  acsIndex [Mandatory] Specifies the index of the attribute consuming service.

Example 37-9 Example

This example illustrates the use of the deleteACS command.
deleteACS(1)

37.5.3.2.10 deleteRqstAttrForACS

This command deletes the requested attribute, rqstAttrName, from the specified Attribute Consuming Service, acsIndex.

Description

The deleteRqstAttrForACS command deletes the requested attribute, rqstAttrName, from the specified attribute consuming service, acsIndex.

Syntax

deleteRqstAttrForACS(acsIndex, rqstAttrName)

Arguments:

  acsIndex [Mandatory] Specifies the index of the attribute consuming service.
  rqstAttrName [Mandatory] Specifies the name of the requested attribute.

Example 37-10 Example

This example illustrates the use of the deleteRqstAttrForACS command.
deleteRqstAttrForACS(1, rqstAttrName="empFirstName")