Using Fed Attributes: OAM Authorization and HTTP Headers

This article describes how attributes received in SAML/OpenID SSO messages can be used in OAM Authorization Policies and how they can be provided to protected web applications.

At runtime, when OAM/SP successfully processes a SAML / OpenID SSO Response message, the server saves some of the information from the response in the OAM session, as attributes that can be used in OAM authorization policies

• In conditions for authorization rules

• In responses to provide the SAML/OpenID attributes to protected web applications

The SAML / OpenID SSO Response information is saved in the OAM session as attributes referenced by the following identifiers:

• The IdP partner name, referenced by $session.attr.fed.partner

• The NameID value from the SSO response, referenced by $session.attr.fed.nameidvalue

• The NameID format from the SSO response, for SAML protocols, referenced by $session.attr.fed.nameidformat

• The attributes contained either in the SAML Assertion’s AttributeStatement or in the OpenID SSO Response, referenced by $session.attr.fed.attr.ATTR_NAME, with ATTR_NAME being

• Either the local session attribute name, if an IdP Attribute Profile mapping was applied

• Or the attribute name from the SSO response, if no IdP Attribute Profile mapping was applied for this attribute

Overview

A typical OAM environment is made of the following:

• LDAP directory

• OAM admin server, with the OAM admin console OAM runtime server

• Web applications

• WebGate agents protecting web application on HTTP servers (OHS, IIS…)

When an authenticated user requests access to a protected resource:

• WebGate intercepts the call and ensures that the user is authenticated

• The user is authorized to access the resource by evaluating authorization policies for this resource

• WebGate injects data, as cookies or HTTP headers, into the HTTP request that will be forwarded to the protected resource

The OAM Authorization Policies used to evaluate whether a user can access a resource or not can be based on various conditions:

• Identity: Condition based on the users identity or groups to which the user belongs

• IP Address: Condition based on the user’s IP address

• Temporal: Condition based on time

• Attributes: Condition based on attributes (LDAP, HTTP request or session attributes).

An administrator could use the Federation data received in the SAML/OpenID SSO message in an authorization rule, by using an attribute condition that evaluates the Federation attributes.

The OAM Authorization Responses which are used to inject data into the HTTP request to make it available to protected web applications are based on

• User LDAP attributes

• HTTP request data

• Static strings

• OAM session attributes

Similarly to the OAM Authorization Policies, an administrator can inject federation data into the HTTP request via the use of OAM session attributes referencing the federation entries ($session.attr.fed.partner, $session.attr.fed.attr.ATTR_NAME…)

Federation SSO Setup

Use the same SAML 2.0 Federation setup that was configured for the previously, where:

• OAM acts as a Service Provider

• The IdP (AcmeIdP) sends a SAML Assertion with

  • NameID set to userID

  • Attributes sent

  • email set to user’s email address

  • fname set to user’s first name

  • surname set to user’s last name

  • title set to user’s last job title

• OAM/SP configured with an IdP Attribute Profile to

  • Map fname to firstname

  • Map surname to lastname

  • Leave email as is

Two users will be used:

Alice:

• userID: alice

• email: <alice@oracle.com>

• first name: Alice

• last name: Appleton

• title: manager

Bob:

• userID: bob

• email: <bob@oracle.com>

• first name: Bobby

• last name: Smith

• title: engineer

The XML SAML Response with the Assertion sent back by the IdP is:

<samlp:Response ..>
    <saml:Issuer ...>http://acme.com
/idp</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ...>
        <saml:Issuer ...>http://acme.com /idp</saml:Issuer>
        <dsig:Signature ...>
        ...
        </dsig:Signature>
        <saml:Subject>
            <saml:NameID ...>alice</saml:NameID>
            ...
        </saml:Subject>         <saml:Conditions ...>
         ...
        </saml:Conditions>         <saml:AuthnStatement ...>
        ...
        </saml:AuthnStatement>
        <saml:AttributeStatement ...>
            <saml:Attribute Name="email" ...>
                <saml:AttributeValue
...>alice@oracle.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="title" ...>
                <saml:AttributeValue
...>manager</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="surname" ...>
                <saml:AttributeValue
...>Appleton</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="fname" ...>
                <saml:AttributeValue
...>Alice</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

The Test SP page shows different results, since OAM/SP processed the attributes according to the rules where:

• email was not changed

• title was not changed

• fname was mapped to firstname

• surname was mapped to lastname

Description of the illustration Test_Federation_SSO.jpg

Protected Web Application

In this example, use the following components:

• OHS is installed

• A WebGate agent has been configured for this OHS instance

• An OAM Application Domain has been created for this WebGate, which protects all the resources on the OHS server

• Authentication Policy:

  • Name: Protected Resource Policy

  • Authentication Scheme: FederationScheme

• Authorization Policy:

  • Name: Protected Resource Policy

  • Resources

  • /** and /…/*

  • Linked to Protected Resource Policy

• Authentication Policy and “Protected Resource Policy” Authorization Policy

• The /cgi-bin/printenv resource on OHS prints out data when processing the HTTP Request sent by the browser

• HTTP Headers

• Request data (path, query string…)

• Server data (IP address, port…)

An example of a browser accessing the resource without being protected by OAM/WebGate results in the following display (in the test, the web application will be protected as listed above):

Description of the illustration Protected_web_Application.jpg

Authorization Conditions

The following example shows how to construct an Authorization Policy using a Federation attributes stored in the OAM session for a resource with the following constraints:

• Users are authenticated via Federation SSO (so the resource is protected via a FederationScheme Authentication Policy)

• The IdPs provide the job title of the user, and it is known locally as title (if the IdP sends the job title via a name different than title, then an IdP Attribute Profile needs to be used to map it to the local title name)

• Only users with the manager title should have access to the resource

To create such an authorization policy, execute the following steps:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole

2. Navigate to Access Manager , Application Domains

3. Search and click on the Application Domain for the resource

4. Click on the Authorization Policies

5. Open the Authorization Policy protecting the resource (Protected Resource Policy in this example)

6. Click on the Conditions tab

7. Click Add to define a new condition:

   1. Name: TitleCondition

   2. Type: Attribute

8. Click Add Selected



Description of the illustration Add_Condition.jpg

9. Select the newly created condition

10. In the Condition Details window, click Add:

    • Namespace: Session

    • Attribute Name: Other

    • Enter the attribute name: fed.title

    • Operator: Equals

    • Attribute Value: manager

11. Click OK



Description of the illustration Add_Attr_Condition.jpg

12. Click on the Rules tab

13. Remove the TRUE condition if present in the Allow Rule , Selected Conditions

14. Add the TitleCondition to the Allow Rule , Selected Conditions

15. Click Apply

Description of the illustration Authorization_Policy.jpg

To test, in a new browser access the protected resource. You will be redirected to the IdP.

If you authenticate at the IdP with alice, the browser shows the following at the end of the now, showing the Remote User HTTP header set to alice (since the IdP provided the title attribute set to manager and OAM only allows access to users with the OAM session attribute fed.title set to manager):

Description of the illustration Document_root.jpg

If you authenticate at the IdP with bob, the browser shows the following at the end of the now, showing an error (since the IdP provided the title attribute set to engineer and OAM only allows access to users with the OAM session attribute fed.title set to manager):

Description of the illustration OAM_Operation_error.jpg

Injecting Fed Attributes

The following example shows how to inject SAML / OpenID attributes collected from the SSO response as HTTP Headers for the protected Web with the following constraints:

• Users are authenticated via Federation SSO (so the resource is protected via a FederationScheme Authentication Policy)

• The IdPs provide the job title of the user, and it is known locally as title (if the IdP sends the job title via a name different than title, then an IdP Attribute Profile needs to be used to map it to the local title name)

• OAM/WebGate is configured to inject:

  • Email address as emailaddress

  • First name as firstname

  • Last name as lastname

The configuration is done via the use of Authorization Response objects in an Authorization Policy definition

To configure such an authorization policy, execute the following steps:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole

2. Navigate to Access Manager , Application Domains

3. Search and click on the Application Domain for the resource

4. Click on the Authorization Policies

5. Open the Authorization Policy protecting the resource (Protected Resource Policy in this example)

6. Click on the Responses tab

7. Click Add to create the entry for the email address:

   • Type: Header

   • Name: emailaddress

   • Value: $session.attr.fed.attr.email

8. Click Add

   

   Description of the illustration Add_Response.jpg

9. Click Add to create the entry for the first name:

   • Type: Header

   • Name: firstname

   • Value: $session.attr.fed.attr.firstname

10. Click Add

11. Click Add to create the entry for the last name:

    • Type: Header

    • Name: lastname

    • Value: $session.attr.fed.attr.lastname

12. Click Add

13. Click Apply

Description of the illustration ACS_Authorization_Policy.jpg

To test, in a new browser access the protected resource. You will be redirected to the IdP where authentication occurs.

OAM/WebGate then injects the Authorization Response items based on the OAM Session attributes (received from the IdP) and the protected web application displays those (my test page displays an HTTP header as HTTP_NAME, with NAME being the name of the HTTP Header).

Description of the illustration Authorization_Response.jpg

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Using Fed Attributes- OAM Authorization and HTTP Headers

F61887-01

September 2022

Copyright © 2022, Oracle and/or its affiliates.