40.5 Testing Identity Federation Configuration

After performing the procedure that is described in the previous topic, you have completed all the steps to configure federation in SP mode.

To recap, these steps are:

  1. Enabling the Identity Federation service using Oracle Access Management Console.
  2. Creating an IdP partner or using an existing IdP partner.
  3. Ensuring that IdP setup including SAML attributes, global logout, and nameID format are configured.
  4. Configuring an authentication/authorization policy that uses FederationScheme with federation response attributes; and
  5. Protecting a resource with this policy.

To test this configuration, access the resource that is protected by the authentication policy and verify that access is granted or denied according to the policy.

40.5.1 Test SP Module

Identity Federation provides a Test SP module that enables you to test Federation SSO with an IdP partner and view the result of the Federation SSO operation, as well as the assertion sent by the Identity Provider.

40.5.1.1 Enabling or Disabling the Test SP Module

You can enable or disable the Test SP Module.

  1. Enter the WLST environment:
    $OH/common/bin/wlst.sh
    
  2. Connect to the Admin Server:
    connect()
    
  3. Move to the domain runtime location:
    domainRuntime()
    
  4. Execute the following WLST command to enable the Test SP Module:
    configureTestSPEngine("true")
    
  5. Execute the following WLST command to disable the Test SP Module:
    configureTestSPEngine("false")
    

40.5.2 Accessing the Test SP Module and Performing a Federation SSO Operation

You can access the Test SP module and perform a federation SSO operation with an IdP partner.

  1. Access the following service:
    http(s)://oam-hostname:oam-port/oamfed/user/testspsso
    
  2. Select the IdP with which to perform a federation SSO (note: only enabled IdP partners are listed).
  3. Start the federation SSO operation. The browser will be redirected to the IdP Partner for authentication and redirected back to Identity Federation with a federation response.
  4. Identity Federation will process the federation assertion and the Test SP module will display the result of the processing (note: no Access Manager session will be created as a result of the operation).
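The Test SP page shows the processed assertion but leaves it to you to compare it with what the SP-mode setup expects (recap step 3: SAML attributes and NameID format; step 4: the federation response attributes the policy maps). The following added example, which is not Oracle's code, does that comparison on a constructed sample assertion; the SP entity ID, the NameID format and the required attribute names are assumed placeholders, and signature verification is left to Identity Federation, which has already done it by the time the Test SP page renders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed placeholders for this SP's expectations (not values from the page).
EXPECTED_AUDIENCE = "https://sp.example.com/oamfed/sp"
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"mail", "uid"}
# Constructed sample assertion, shaped like what the Test SP page shows.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/oamfed/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    # Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, audience=EXPECTED_AUDIENCE,
                    nameid_format=EXPECTED_NAMEID_FORMAT, required=REQUIRED_ATTRS):
    """Return a list of findings; an empty list means the assertion matches the SP setup."""
    root = ET.fromstring(xml_text)
    findings = []
    # NameID format must be the one the IdP partner was configured to send.
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != nameid_format:
        findings.append("nameid-format mismatch")
    # Conditions: the assertion must be valid now and addressed to this SP.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        findings.append("assertion outside validity window")
    audiences = {a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        findings.append("audience does not match SP entity ID")
    # Every attribute the policy maps as a federation response attribute must be present.
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if required - present:
        findings.append("missing attributes: " + ",".join(sorted(required - present)))
    return findings
```

Paste the assertion from the Test SP page in place of the sample and adjust the expected values to the partner's configuration; a non-empty result points at the IdP setting or policy attribute that still needs fixing.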

40.5.3 Troubleshooting Errors During Federation Configuration After an Upgrade

IAM Suite is the out-of-the-box (OOTB) Application Domain created when OAM 11.1.2 is installed. This Application Domain can be renamed after installation, but when upgrading OAM to 11.1.2.2.0 it must be renamed back to IAM Suite; otherwise the upgrade operation fails with the following error in the WLS Admin Server logs.

java.lang.NullPointerException
    at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.FedR2PS2BootstrapHandler.createFedAuthnResource(FedR2PS2BootstrapHandler.java:505)
    at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.FedR2PS2BootstrapHandler.doBootstrap(FedR2PS2BootstrapHandler.java:151)
    at oracle.security.am.common.policy.tools.upgrade.r2ps2.bootstrap.R2PS2BootstrapHelper.doBootstrap(R2PS2BootstrapHelper.java:70)
    at oracle.security.am.common.policy.tools.PolicyComponentLifecycle.initialize(PolicyComponentLifecycle.java:99)

If the IAM Suite Application Domain has been renamed after installation, rename it back to its original IAM Suite name before beginning the upgrade process. After the upgrade process is complete, the name can be changed back to a custom name.