Configuring Fed Authentication Methods in OAM and IdP
This article shows how to configure OAM, acting as an Identity Provider (IdP), to map OAM Authentication Schemes to Federation Authentication Methods, with examples for the three federation protocols supported by OAM:
- SAML 2.0 SSO
- SAML 1.1 SSO
- OpenID 2.0
Configuration
Mapping Federation Authentication Methods to OAM Authentication Schemes is protocol dependent, since the methods themselves are defined by the individual protocols (SAML 2.0, SAML 1.1, OpenID 2.0).
The WLST commands that set those mappings operate on:
- either the SP Partner Profile, which affects all Partners referencing that profile that do not themselves override the Federation Authentication Method to OAM Authentication Scheme mappings,
- or the SP Partner entry, which affects only that SP Partner.
Note that if an SP Partner defines one or more Federation Authentication Method to OAM Authentication Scheme mappings, then all the mappings defined in the SP Partner Profile are ignored for that Partner: the Partner-level table replaces the Profile-level table, it does not extend it. Any OAM Authentication Scheme missing from the Partner-level table is then emitted in the Assertion under its raw scheme name (the SAML 1.1 section below shows this case).
WLST Commands
The two OAM WLST commands that define Federation Authentication Method to OAM Authentication Scheme mappings are:
addSPPartnerProfileAuthnMethod()
defines a mapping on an SP Partner Profile, taking as parameters:
- The name of the SP Partner Profile
- The Federation Authentication Method
- The OAM Authentication Scheme name
addSPPartnerAuthnMethod()
defines a mapping on an SP Partner, taking as parameters:
- The name of the SP Partner
- The Federation Authentication Method
- The OAM Authentication Scheme name
The next sections show examples of how to use those commands:
- For SAML 2.0, configure the SP Partner Profile; the mappings apply to all SP Partners referencing this profile unless a Partner overrides the mapping definition.
- For SAML 1.1, configure the SP Partner.
- For OpenID 2.0, configure the SP/RP Partner.
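The resolution rules above, as an added example that is not part of the original article and not OAM code: a small Python model of the Profile-level and Partner-level mapping tables that replays the SAML 2.0 and SAML 1.1 walkthroughs below, including the Partner-level override that silently drops the Profile mappings. The data model, the snake_case function names and the saml11-sp-partner-profile name are assumptions; the WLST command names, scheme names, method URIs, AcmeSP and saml20-sp-partner-profile come from the article.

```python
"""Model of how the OAM IdP picks the Federation Authentication Method it writes
into an Assertion from the OAM Authentication Scheme that authenticated the user.
Added example, not OAM code.  It encodes the two rules stated in this article:
  1. any Partner-level mapping makes the whole Profile-level table irrelevant;
  2. a scheme with no mapping is emitted under its raw OAM scheme name.
Data model and function names are assumptions; WLST command names, scheme names
and method URIs are the ones used in the article."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAML20_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAML20_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
SAML11_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"


@dataclass
class SPPartnerProfile:
    name: str
    default_scheme: str
    # OAM scheme -> Federation Authentication Method.  One scheme has one method;
    # re-adding a scheme replaces its method (what the article shows for BasicScheme).
    mappings: Dict[str, str] = field(default_factory=dict)


@dataclass
class SPPartner:
    name: str
    profile: SPPartnerProfile
    default_scheme: Optional[str] = None  # None: inherit the Profile default
    mappings: Dict[str, str] = field(default_factory=dict)


# Python stand-ins for the WLST commands (same argument order, object instead of name).
def add_sp_partner_profile_authn_method(profile: SPPartnerProfile, method: str, scheme: str) -> None:
    profile.mappings[scheme] = method          # addSPPartnerProfileAuthnMethod()

def add_sp_partner_authn_method(partner: SPPartner, method: str, scheme: str) -> None:
    partner.mappings[scheme] = method          # addSPPartnerAuthnMethod()

def set_sp_partner_profile_default_scheme(profile: SPPartnerProfile, scheme: str) -> None:
    profile.default_scheme = scheme            # setSPPartnerProfileDefaultScheme()

def set_sp_partner_default_scheme(partner: SPPartner, scheme: str) -> None:
    partner.default_scheme = scheme            # setSPPartnerDefaultScheme()


def effective_mappings(partner: SPPartner) -> Dict[str, str]:
    """Rule 1: a non-empty Partner table replaces (does not extend) the Profile table."""
    return partner.mappings if partner.mappings else partner.profile.mappings

def effective_default_scheme(partner: SPPartner) -> str:
    return partner.default_scheme or partner.profile.default_scheme

def resolve_authn_method(partner: SPPartner, scheme: str) -> str:
    """Rule 2: an unmapped scheme is written to the Assertion as its bare scheme name."""
    return effective_mappings(partner).get(scheme, scheme)

def unmapped_schemes(partner: SPPartner, schemes_in_use: List[str]) -> List[str]:
    """Pre-flight check before changing a default scheme or adding a Partner-level
    mapping: which schemes would leak a bare scheme name to this Partner?"""
    table = effective_mappings(partner)
    return [s for s in schemes_in_use if s not in table]

def ootb_profile(name: str, password_method: str) -> SPPartnerProfile:
    """OOTB table described in the article: four schemes mapped to the one password method."""
    profile = SPPartnerProfile(name, "LDAPScheme")
    for scheme in ("LDAPScheme", "FAAuthScheme", "BasicScheme", "BasicFAScheme"):
        add_sp_partner_profile_authn_method(profile, password_method, scheme)
    return profile

def replay_article_scenarios() -> Dict[str, str]:
    """Replays the SAML 2.0 (Profile-level) and SAML 1.1 (Partner-level) walkthroughs."""
    out: Dict[str, str] = {}
    # SAML 2.0: AcmeSP bound to saml20-sp-partner-profile, all edits at Profile level.
    prof20 = ootb_profile("saml20-sp-partner-profile", SAML20_PPT)
    acme20 = SPPartner("AcmeSP", prof20)
    out["20_ldap"] = resolve_authn_method(acme20, effective_default_scheme(acme20))
    set_sp_partner_profile_default_scheme(prof20, "BasicScheme")
    out["20_basic"] = resolve_authn_method(acme20, effective_default_scheme(acme20))
    add_sp_partner_profile_authn_method(prof20, SAML20_PASSWORD, "BasicScheme")
    out["20_basic_remapped"] = resolve_authn_method(acme20, "BasicScheme")
    out["20_plugin_unmapped"] = resolve_authn_method(acme20, "OAMLDAPPluginAuthnScheme")
    add_sp_partner_profile_authn_method(prof20, SAML20_PPT, "OAMLDAPPluginAuthnScheme")
    out["20_plugin_mapped"] = resolve_authn_method(acme20, "OAMLDAPPluginAuthnScheme")
    # SAML 1.1: edits at Partner level shadow the whole Profile table.
    prof11 = ootb_profile("saml11-sp-partner-profile", SAML11_PASSWORD)  # profile name assumed
    acme11 = SPPartner("AcmeSP", prof11)
    add_sp_partner_authn_method(acme11, SAML11_PASSWORD, "OAMLDAPPluginAuthnScheme")
    out["11_plugin_mapped"] = resolve_authn_method(acme11, "OAMLDAPPluginAuthnScheme")
    set_sp_partner_default_scheme(acme11, "LDAPScheme")
    out["11_ldap_shadowed"] = resolve_authn_method(acme11, "LDAPScheme")  # bare scheme name
    out["11_preflight"] = ",".join(unmapped_schemes(acme11, ["LDAPScheme", "OAMLDAPPluginAuthnScheme"]))
    add_sp_partner_authn_method(acme11, SAML11_PASSWORD, "LDAPScheme")
    out["11_ldap_fixed"] = resolve_authn_method(acme11, "LDAPScheme")
    return out

if __name__ == "__main__":
    for key, value in replay_article_scenarios().items():
        print(f"{key:20s} {value}")
```

The unmapped_schemes() pre-flight is the check worth running against the real configuration before any setSPPartnerDefaultScheme() or addSPPartnerAuthnMethod() call: a Partner-level table that lists only the scheme being added is exactly the state the SAML 1.1 section has to repair.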
SAML 2.0
Test Setup
In this setup, OAM is acting as an IdP and is integrated with a remote SAML 2.0 SP partner identified by AcmeSP. In this test, perform Federation SSO with IdP configured to:
- Use LDAPScheme as the Authentication Scheme
- Use BasicScheme as the Authentication Scheme
- Map BasicScheme to the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method
- Use OAMLDAPPluginAuthnScheme as the Authentication Scheme
- Map OAMLDAPPluginAuthnScheme to the urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Federation Authentication Method
LDAPScheme as Authentication Scheme
Using the OOTB settings regarding user authentication in OAM, the user is challenged via a FORM based login page defined by the LDAPScheme.
The default Federation Authentication Method mapping configuration maps only urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, to the LDAPScheme (also marked as the default scheme used for authentication), FAAuthScheme, BasicScheme and BasicFAScheme.
After authentication via FORM, IdP issues an Assertion similar to:
<samlp:Response ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<dsig:Signature>
...
</dsig:Signature>
<saml:Subject>
<saml:NameID ...>bob@oracle.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData .../>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz"
SessionNotOnOrAfter="2014-03-21T21:53:55Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
BasicScheme as Authentication Scheme
For this test, switch the default Authentication Scheme for the SP Partner Profile to BasicScheme instead of LDAPScheme. Use the OAM WLST setSPPartnerProfileDefaultScheme() command and specify which scheme to use as the default for the SP Partner Profile referenced by AcmeSP (saml20-sp-partner-profile in this case, as returned by getFedPartnerProfile("AcmeSP", "sp")):
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the setSPPartnerProfileDefaultScheme() command:
setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", "BasicScheme")
- Exit the WLST environment:
exit()
The user is challenged via HTTP Basic Authentication as defined in the BasicScheme for AcmeSP.
As noted earlier, the default Federation Authentication Method mapping configuration maps only urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, to the LDAPScheme (also marked as the default scheme used for authentication), FAAuthScheme, BasicScheme and BasicFAScheme, so BasicScheme still resolves to PasswordProtectedTransport.
After authentication via HTTP Basic Authentication, IdP issues an Assertion similar to:
<samlp:Response ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<dsig:Signature>
...
</dsig:Signature>
<saml:Subject>
<saml:NameID ...>bob@oracle.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData .../>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz"
SessionNotOnOrAfter="2014-03-21T21:53:55Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
Mapping BasicScheme
To change the Federation Authentication Method mapping for the BasicScheme to urn:oasis:names:tc:SAML:2.0:ac:classes:Password instead of urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport for the saml20-sp-partner-profile SAML 2.0 SP Partner Profile (the profile to which the AcmeSP Partner is bound), execute the addSPPartnerProfileAuthnMethod() command. The two classes make different claims: PasswordProtectedTransport asserts that the password was presented over a protected (TLS) transport, while Password says nothing about the transport. The IdP should therefore only advertise PasswordProtectedTransport for schemes whose credential collection is in fact TLS-protected, and an SP that requires an exact match on PasswordProtectedTransport will reject an Assertion carrying Password.
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the addSPPartnerProfileAuthnMethod() command:
addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "BasicScheme")
- Exit the WLST environment:
exit()
After authentication via HTTP Basic Authentication, IdP issues an Assertion similar to the following (note that the AuthnContextClassRef changed from PasswordProtectedTransport to Password):
<samlp:Response ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<dsig:Signature>
...
</dsig:Signature>
<saml:Subject>
<saml:NameID ...>bob@oracle.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData .../>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz"
SessionNotOnOrAfter="2014-03-21T21:53:55Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
OAMLDAPPluginAuthnScheme as Authentication Scheme
For this test, switch the default Authentication Scheme for the SP Partner Profile to OAMLDAPPluginAuthnScheme instead of BasicScheme. Use the OAM WLST setSPPartnerProfileDefaultScheme() command and specify which scheme to use as the default for the SP Partner Profile referenced by AcmeSP (saml20-sp-partner-profile in this case, as returned by getFedPartnerProfile("AcmeSP", "sp")):
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the setSPPartnerProfileDefaultScheme() command:
setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", "OAMLDAPPluginAuthnScheme")
- Exit the WLST environment:
exit()
The user is challenged via the FORM defined in the OAMLDAPPluginAuthnScheme for AcmeSP.
Unlike LDAPScheme and BasicScheme, the OAMLDAPPluginAuthnScheme is not mapped by default to any Federation Authentication Method. The IdP cannot find a Federation Authentication Method for it and falls back to writing the OAM Authentication Scheme name into the SAML Assertion. That bare scheme name is not a SAML authentication context class URI, so how the SP treats it is SP-specific (an SP that compares it against a RequestedAuthnContext has no matching class and will normally reject the Assertion); every scheme that can authenticate users for a federation partner should therefore have an explicit mapping.
After authentication via FORM, IdP issues an Assertion similar to the following (note the AuthnContextClassRef set to OAMLDAPPluginAuthnScheme):
<samlp:Response ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<dsig:Signature>
...
</dsig:Signature>
<saml:Subject>
<saml:NameID ...>bob@oracle.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData .../>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz"
SessionNotOnOrAfter="2014-03-21T21:53:55Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
OAMLDAPPluginAuthnScheme
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
Mapping OAMLDAPPluginAuthnScheme
To map the OAMLDAPPluginAuthnScheme to the Federation Authentication Method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport on the SP Partner Profile, execute the addSPPartnerProfileAuthnMethod() command:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the addSPPartnerProfileAuthnMethod() command:
addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "OAMLDAPPluginAuthnScheme")
- Exit the WLST environment:
exit()
After authentication via FORM, IdP now issues an Assertion similar to the following (note that the method changed from the bare OAMLDAPPluginAuthnScheme name to PasswordProtectedTransport):
<samlp:Response ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ...>
<saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
<dsig:Signature>
...
</dsig:Signature>
<saml:Subject>
<saml:NameID ...>bob@oracle.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData .../>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz"
SessionNotOnOrAfter="2014-03-21T21:53:55Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
SAML 1.1
Test Setup
In this setup, OAM is acting as an IdP and is integrated with a remote SAML 1.1 SP partner identified by AcmeSP. In this test, perform Federation SSO with IdP configured to:
- Use LDAPScheme as the Authentication Scheme
- Use OAMLDAPPluginAuthnScheme as the Authentication Scheme
- Map OAMLDAPPluginAuthnScheme to the urn:oasis:names:tc:SAML:1.0:am:password Federation Authentication Method at the SP Partner level
- Use LDAPScheme as the Authentication Scheme again
- Map LDAPScheme to the urn:oasis:names:tc:SAML:1.0:am:password Federation Authentication Method at the SP Partner level
LDAPScheme as Authentication Scheme
Using the OOTB settings regarding user authentication in OAM, the user is challenged via a FORM based login page defined by the LDAPScheme.
The default Federation Authentication Method mapping configuration maps only urn:oasis:names:tc:SAML:1.0:am:password, to the LDAPScheme (also marked as the default scheme used for authentication), FAAuthScheme, BasicScheme and BasicFAScheme.
After authentication via FORM, IdP issues an Assertion similar to:
<samlp:Response ...>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion Issuer="https://idp.com/oam/fed" ...>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier ...>bob@oracle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthnStatement>
<dsig:Signature>
...
</dsig:Signature>
</saml:Assertion>
</samlp:Response>
OAMLDAPPluginAuthnScheme as Authentication Scheme
For this test, switch the default Authentication Scheme for the SP Partner to OAMLDAPPluginAuthnScheme instead of LDAPScheme. Use the OAM WLST setSPPartnerDefaultScheme() command and specify which scheme to use as the default for the SP Partner:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the setSPPartnerDefaultScheme() command:
setSPPartnerDefaultScheme("AcmeSP", "OAMLDAPPluginAuthnScheme")
- Exit the WLST environment:
exit()
The user is challenged via the FORM defined in the OAMLDAPPluginAuthnScheme for AcmeSP.
Unlike LDAPScheme, the OAMLDAPPluginAuthnScheme is not mapped by default to any Federation Authentication Method (in the SP Partner Profile). The IdP cannot find a Federation Authentication Method for it and falls back to writing the OAM Authentication Scheme name into the SAML Assertion.
After authentication via FORM, IdP issues an Assertion similar to the following (note the AuthenticationMethod set to OAMLDAPPluginAuthnScheme):
<samlp:Response ...>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion Issuer="https://idp.com/oam/fed" ...>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z"
AuthenticationMethod="OAMLDAPPluginAuthnScheme">
<saml:Subject>
<saml:NameIdentifier ...>bob@oracle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthnStatement>
<dsig:Signature>
...
</dsig:Signature>
</saml:Assertion>
</samlp:Response>
Mapping OAMLDAPPluginAuthnScheme
To map the OAMLDAPPluginAuthnScheme to the Federation Authentication Method urn:oasis:names:tc:SAML:1.0:am:password for this SP Partner only, execute the addSPPartnerAuthnMethod() command:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the addSPPartnerAuthnMethod() command:
addSPPartnerAuthnMethod("AcmeSP", "urn:oasis:names:tc:SAML:1.0:am:password", "OAMLDAPPluginAuthnScheme")
- Exit the WLST environment:
exit()
After authentication via FORM, IdP now issues an Assertion similar to the following (note that the method changed from the bare OAMLDAPPluginAuthnScheme name to urn:oasis:names:tc:SAML:1.0:am:password):
<samlp:Response ...>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion Issuer="https://idp.com/oam/fed" ...>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier ...>bob@oracle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthnStatement>
<dsig:Signature>
...
</dsig:Signature>
</saml:Assertion>
</samlp:Response>
LDAPScheme as Authentication Scheme
Defining a Federation Authentication Method mapping at the Partner level causes all mappings at the SP Partner Profile level to be ignored for that Partner.
For this test, switch the default Authentication Scheme for this SP Partner back to LDAPScheme. The IdP is then no longer able to map LDAPScheme to a Federation Authentication Method in the Assertion it issues, because:
- A Federation Authentication Method mapping is defined at the SP Partner level, so the mappings defined in the SP Partner Profile are ignored
- LDAPScheme is not listed in the mapping at the Partner level
This is the pitfall to watch for when overriding at the Partner level: the Partner table must list every scheme the Partner can be authenticated with, not just the scheme being added.
Use the OAM WLST setSPPartnerDefaultScheme() command and specify which scheme to use as the default for this SP Partner:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the setSPPartnerDefaultScheme() command:
setSPPartnerDefaultScheme("AcmeSP", "LDAPScheme")
- Exit the WLST environment:
exit()
After authentication via FORM, IdP issues an Assertion similar to the following (note the AuthenticationMethod set to the bare LDAPScheme name):
<samlp:Response ...>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion Issuer="https://idp.com/oam/fed" ...>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z"
AuthenticationMethod="LDAPScheme">
<saml:Subject>
<saml:NameIdentifier ...>bob@oracle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthnStatement>
<dsig:Signature>
...
</dsig:Signature>
</saml:Assertion>
</samlp:Response>
Mapping LDAPScheme at Partner Level
To fix this, add the LDAPScheme to the Federation Authentication Method urn:oasis:names:tc:SAML:1.0:am:password mapping for this SP Partner only, so that the Partner-level table covers both schemes the Partner can be authenticated with. Execute the addSPPartnerAuthnMethod() command:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the addSPPartnerAuthnMethod() command:
addSPPartnerAuthnMethod("AcmeSP", "urn:oasis:names:tc:SAML:1.0:am:password", "LDAPScheme")
- Exit the WLST environment:
exit()
After authentication via FORM, IdP now issues an Assertion similar to the following (note that the method changed from the bare LDAPScheme name to urn:oasis:names:tc:SAML:1.0:am:password):
<samlp:Response ...>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion Issuer="https://idp.com/oam/fed" ...>
<saml:Conditions ...>
<saml:AudienceRestriction>
<saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier ...>bob@oracle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthnStatement>
<dsig:Signature>
...
</dsig:Signature>
</saml:Assertion>
</samlp:Response>
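The SP-side counterpart of the SAML 2.0 and SAML 1.1 sections above, as an added example that is not part of the original article and not OAM or AcmeSP code: a Python check an SP can run on the Response after verifying its signature. It rejects an AuthnContextClassRef (SAML 2.0) or AuthenticationMethod (SAML 1.1) that is a bare OAM scheme name rather than a method URI, rejects a URI the SP does not accept, and checks the Audience. The allow-lists, the function names and the sample Responses (cut down from the ones shown above, signatures elided) are assumptions; the namespace URIs are the standard OASIS ones.

```python
"""SP-side check of the authentication-method claim in an Assertion from the
OAM IdP.  Added example for this article, not OAM or SP product code.  Handles
the SAML 2.0 AuthnContextClassRef and the SAML 1.1 AuthenticationMethod, and
treats a bare OAM scheme name (what OAM emits when no Federation Authentication
Method is mapped) as a failure.  XML signature verification is assumed to have
been done before this runs; it needs the IdP certificate, not shown here."""
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}
SAML20_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAML20_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
SAML11_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"

# SP policy (assumed for this example): the only methods this SP accepts.
ALLOWED_SAML20: Set[str] = {SAML20_PPT}
ALLOWED_SAML11: Set[str] = {SAML11_PASSWORD}


def _authn_method(root: ET.Element) -> Optional[str]:
    """Extracts the authentication method claim from either SAML version."""
    # SAML 2.0: element text; surrounding whitespace is legal and stripped.
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is not None:
        return (ref.text or "").strip() or None
    # SAML 1.1: attribute.  The schema element is AuthenticationStatement; the
    # article prints it as AuthnStatement, so both spellings are accepted.
    for tag in ("AuthenticationStatement", "AuthnStatement"):
        stmt = root.find(f".//saml1:{tag}", NS)
        if stmt is not None:
            return stmt.get("AuthenticationMethod")
    return None


def evaluate(xml_text: str, expected_audience: str, allowed: Set[str]) -> Tuple[bool, str]:
    """Returns (accepted, detail) for a signed-and-verified Response."""
    root = ET.fromstring(xml_text)
    audiences = [(a.text or "").strip() for a in root.iter() if a.tag.endswith("}Audience")]
    if expected_audience not in audiences:
        return False, f"audience mismatch: {audiences}"
    method = _authn_method(root)
    if method is None:
        return False, "no authentication method claim in the Assertion"
    if not (method.startswith("urn:") or "://" in method):
        return False, f"bare OAM scheme name instead of a method URI: {method}"
    if method not in allowed:
        return False, f"method not acceptable to this SP: {method}"
    return True, method


def saml20_response(class_ref: str) -> str:
    """Constructed SAML 2.0 Response in the shape of the article's; signature elided."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>https://idp.com/oam/fed</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Issuer>https://idp.com/oam/fed</saml:Issuer>
    <saml:Subject><saml:NameID>bob@oracle.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://acme.com/sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>
        {class_ref}
      </saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml11_response(method: str) -> str:
    """Constructed SAML 1.1 Response in the shape of the article's; signature elided."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="{NS['saml1']}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion Issuer="https://idp.com/oam/fed">
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="2014-03-21T20:53:55Z"
                                  AuthenticationMethod="{method}">
      <saml:Subject><saml:NameIdentifier>bob@oracle.com</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, xml, audience, allowed in [
        ("saml20 default mapping", saml20_response(SAML20_PPT), "https://acme.com/sp", ALLOWED_SAML20),
        ("saml20 unmapped scheme", saml20_response("OAMLDAPPluginAuthnScheme"), "https://acme.com/sp", ALLOWED_SAML20),
        ("saml11 unmapped scheme", saml11_response("LDAPScheme"), "https://acme.com/sp/ssov11", ALLOWED_SAML11),
    ]:
        print(label, evaluate(xml, audience, allowed))
```

The bare-name test is the one that catches a missing mapping on the IdP side: a scheme name never parses as a URI, so the SP fails closed instead of guessing what LDAPScheme or OAMLDAPPluginAuthnScheme is supposed to mean.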
OpenID 2.0
In the OpenID 2.0 flows, the RP must request PAPE (the Provider Authentication Policy Extension) in its authentication request for the IdP/OP to include PAPE information in the response. For OpenID 2.0, the configuration maps a list of PAPE policies to an Authentication Scheme: the WLST command takes a list of policy URIs delimited by the ',' character, whereas for SAML 2.0 and SAML 1.1 a single Federation Authentication Method is specified.
Test Setup
In this setup, OAM is acting as an IdP/OP and is integrated with a remote OpenID 2.0 SP/RP partner identified by AcmeRP. In this test, perform Federation SSO with IdP configured to:
- Use LDAPScheme as the Authentication Scheme
- Map LDAPScheme to the http://schemas.openid.net/pape/policies/2007/06/phishing-resistant and http://openid-policies/password-protected policies as Federation Authentication Methods (the second one is a custom policy URI defined for this use case)
LDAPScheme as Authentication Scheme
Using the OOTB settings regarding user authentication in OAM, the user is challenged via a FORM based login page defined by the LDAPScheme.
No Federation Authentication Method is defined OOTB for OpenID 2.0, so when the IdP/OP issues an SSO response with a PAPE Response element, the openid.pape.auth_policies parameter carries the OAM scheme name instead of a Federation Authentication Method (a policy URI). That value is not a policy URI the RP can recognize, so an RP that requested a specific PAPE policy has no basis for treating the request as satisfied.
After authentication via FORM, IdP issues an SSO Response similar to:
https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fidp.com%2Fopenid&openid.claimed_id=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.identity=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.response_nonce=2014-03-24T19%3A20%3A06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1&openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=1&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.attr1=My+name+is+Bobby+Smith&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=bob&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=bob%40oracle.com&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_time=2014-03-24T19%3A20%3A05Z&openid.pape.auth_policies=LDAPScheme&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.vopenid.sig=mYMgbGYSs22l8e%2FDom9NRPw15u8%3D
Mapping LDAPScheme
To map the LDAPScheme to the http://schemas.openid.net/pape/policies/2007/06/phishing-resistant and http://openid-policies/password-protected policies as Federation Authentication Methods, execute the addSPPartnerAuthnMethod() command (the policies are comma separated within a single argument):
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the addSPPartnerAuthnMethod() command:
addSPPartnerAuthnMethod("AcmeRP", "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant,http://openid-policies/password-protected", "LDAPScheme")
- Exit the WLST environment:
exit()
After authentication via FORM, IdP now issues an SSO Response similar to the following (note that openid.pape.auth_policies changed from the bare LDAPScheme name to the two policy URIs, space separated and therefore joined by '+' in the URL encoding):
https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fidp.com%2Fopenid&openid.claimed_id=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.identity=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.response_nonce=2014-03-24T19%3A20%3A06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1&openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=1&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.attr1=My+name+is+Bobby+Smith&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=bob&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=bob%40oracle.com&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_time=2014-03-24T19%3A20%3A05Z&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fphishing-resistant+http%3A%2F%2Fopenid-policies%2Fpassword-protected&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.vopenid.sig=mYMgbGYSs22l8e%2FDom9NRPw15u8%3D
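The RP-side view of the two responses above, as an added example that is not part of the original article and not OAM or AcmeRP code: a Python check an RP can apply to an id_res response. It confirms that openid.pape.auth_policies and the core fields are covered by openid.signed (PAPE data outside the signature cannot be trusted), verifies the HMAC signature with the association MAC key, and then compares the space-separated policy list against what the RP required, rejecting a bare scheme name such as LDAPScheme. The MAC key, the HMAC-SHA256 association type, the sample response (built to the shape of the article's URLs, which are truncated after ax.v) and the function names are assumptions.

```python
"""RP-side check of PAPE information in an OpenID 2.0 positive assertion
(openid.mode=id_res) like the two shown in this article.  Added example for
this article, not OAM or RP product code.  The OP response is constructed and
signed here with an assumed association MAC key; a real RP uses the key from
its association with the OP, looked up by openid.assoc_handle."""
import base64
import hashlib
import hmac
from typing import Iterable, List, Tuple, Union
from urllib.parse import parse_qs, urlencode, urlsplit

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PASSWORD_PROTECTED = "http://openid-policies/password-protected"  # custom policy URI from the article
# Fields the RP must find under openid.signed before it may rely on them.
MUST_BE_SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to",
                  "response_nonce", "assoc_handle", "pape.auth_policies")


def _kv_form(fields: dict, signed: List[str]) -> bytes:
    """Key-value form OpenID 2.0 signs over: one 'name:value\\n' line per signed field."""
    return "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed).encode()


def sign(fields: dict, signed: List[str], mac_key: bytes) -> str:
    # HMAC-SHA256 association type assumed (OpenID 2.0 also defines HMAC-SHA1).
    return base64.b64encode(hmac.new(mac_key, _kv_form(fields, signed), hashlib.sha256).digest()).decode()


def build_id_res(mac_key: bytes, policies: Iterable[str], sign_pape: bool = True) -> str:
    """Constructs an OP response shaped like the article's sample and signs it.
    sign_pape=False models an OP that leaves the PAPE fields outside the signature."""
    identity = "https://idp.com/openid?id=id-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM="
    return_to = "https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-"
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://idp.com/openid",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.response_nonce": "2014-03-24T19:20:06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1",
        "openid.assoc_handle": "id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_time": "2014-03-24T19:20:05Z",
        "openid.pape.auth_policies": " ".join(policies),  # space separated; '+' once URL-encoded
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    if sign_pape:
        signed += ["ns.pape", "pape.auth_time", "pape.auth_policies"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return return_to + "&" + urlencode(fields)


def check_pape(url: str, mac_key: bytes, required: Iterable[str]) -> Tuple[bool, Union[str, List[str]]]:
    """RP-side verification of an id_res URL.  Returns (accepted, detail)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if q.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = q.get("openid.signed", "").split(",")
    unsigned = [f for f in MUST_BE_SIGNED if f not in signed]
    if unsigned:
        return False, f"fields outside the signature: {unsigned}"
    if not hmac.compare_digest(sign(q, signed, mac_key), q.get("openid.sig", "")):
        return False, "bad signature"
    policies = q.get("openid.pape.auth_policies", "").split()
    bare = [p for p in policies if "://" not in p]
    if bare:
        return False, f"not policy URIs (OAM scheme name leaked): {bare}"
    missing = sorted(set(required) - set(policies))
    if missing:
        return False, f"required policies not satisfied: {missing}"
    return True, sorted(policies)


if __name__ == "__main__":
    key = b"\x00\x01" * 16  # constructed association MAC key
    print(check_pape(build_id_res(key, [PHISHING_RESISTANT, PASSWORD_PROTECTED]), key, [PHISHING_RESISTANT]))
    print(check_pape(build_id_res(key, ["LDAPScheme"]), key, [PHISHING_RESISTANT]))
```

The order of the checks matters: the signed-field check comes before the policy comparison because a pape.auth_policies value that is not covered by openid.signed could have been set by anyone on the path, whatever it says.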
Configuring Fed Authentication Methods in OAM and IdP
F59898-01
September 2022
Copyright © 2022, Oracle and/or its affiliates.