Configuring Oracle Access Manager for Federated Identity Using SAML 2.0

The procedures in this section are described from the perspective of the service provider. Refer to your IdP documentation for instructions on configuring your IdP for federated identity. After your IdP has been enabled for identity federation, complete the following tasks in the order in which they appear:

  1. Log in to the Oracle Access Manager Administration Console as an administrator.
  2. Enabling Identity Federation
  3. Creating an Identity Store for Account Linking
  4. (Optional) Enabling Automatic User Provisioning for the Local Identity Store used by Service Providers
  5. Creating an Identity Provider Partner
  6. Exporting SAML 2.0 Service Provider Metadata
  7. Creating a SAML Authentication Policy
  8. Assigning an Authentication Policy to Application Resources

Enabling Identity Federation

Prior to configuring Oracle Access Manager for Federated Identity using SAML, you need to enable Identity Federation and Security Token Service.

Enabling Security Token Services provides the following capabilities across security domains:

  • Cross domain SSO for browser based Web SSO flows
  • Cross domain Web Services Security (WSS) for SOAP clients and servers by means of the WS-Trust protocol

Enabling Identity Federation establishes trust between services by exchanging the following:

  • X.509 certificates used to sign/verify and encrypt/decrypt the federated messages
  • Locations of the Federated services
  • SAML 2.0 metadata

To enable identity federation:

  1. In the Launch Pad tab, under Configuration, click Available Services.
  2. In the Available Services tab, click Enable for the following services:
    • Identity Federation
    • Security Token Service

Creating an Identity Store for Account Linking

When defining an identity provider partner record, the service provider requires the SAML user accounts to be mapped to local user accounts so that it can impose its access control model. The process of mapping SAML user accounts from the IdP to the local user accounts at the service provider is known as account linking. In this case, external user accounts that are authenticated by the identity provider need to be mapped to generic local user accounts that have permission to access resources.

To create an identity store for account linking:

  1. In the Launch Pad tab, under Configuration, click User Identity Stores.
  2. In the User Identity Stores tab, under OAM ID Stores, complete the following:
    1. Select the identity store that you use for SSO and then click Edit.
    2. For later use, record the values in the identity store fields.

      Note:

      The name of the tab reflects the name of the identity store that you select.
  3. In the User Identity Stores tab, under OAM ID Stores, click Create.
  4. In the Create: User Identity Store tab, complete the following:
    1. In the Store Name field, enter a name for the identity store.

      For example, FederationStore

    2. In the Login ID Attribute, under Users and Groups, enter the LDAP attribute which identifies a unique login ID for your users.
    3. In the relevant fields, enter the information that you recorded from the identity store earlier.
    4. Click Apply.
  5. Enable automatic user provisioning for the local identity store used by service providers by completing the tasks in Enabling Automatic User Provisioning for the Local Identity Store used by Service Providers.

Enabling Automatic User Provisioning for the Local Identity Store used by Service Providers

When creating a local identity store mapping for SAML users, it is recommended that you ensure ahead of time that a corresponding user account exists for each identity provider user. If a user does not exist in the local store, mapping the SAML assertion to that user in the local identity store will fail. To handle an identity mapping failure, Oracle Access Manager Identity Federation features a plug-in that you can enable to automatically provision a missing identity to the local identity store during a federated SSO operation, which allows the federated SSO to proceed.

Note:

This is an optional task. If you do not enable automatic user provisioning and a user does not exist in this generic LDAP server, then authentication (the SAML assertion mapping) can fail.

To enable automatic user provisioning for the local identity store used by service providers:

  1. Navigate to <Oracle_Access_Manager_Middleware_Home>/common/bin and then complete the following based on your operating system to open the WebLogic Scripting Tool:
    • If using Linux, run wlst.sh.
    • If using Windows, run wlst.cmd.
  2. Connect to the WLS admin server by running the following:

    connect()

  3. Navigate to the domain runtime branch by running the following:

    domainRuntime()

  4. Enable automatic user provisioning by running the following:

    putBooleanProperty("/fedserverconfig/userprovisioningenabled", "true")

  5. Exit the WebLogic Scripting Tool environment by running the following:

    exit()
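
The WLST steps above, combined into a script that can be run unattended (an added example, not Oracle's own code). It assumes MW_HOME is <Oracle_Access_Manager_Middleware_Home>, that the admin credentials have been stored in WLST's encrypted userConfigFile/userKeyFile pair (created with storeUserConfig()) so that no password appears on the command line, and that getBooleanProperty is available alongside putBooleanProperty to read the setting back.

```shell
# Added example (not Oracle's code): run the WLST steps above non-interactively.
# Assumptions: MW_HOME is <Oracle_Access_Manager_Middleware_Home>; credentials are
# read from WLST's encrypted userConfigFile/userKeyFile (made with storeUserConfig())
# so no password appears on the command line; getBooleanProperty is assumed to
# exist alongside putBooleanProperty for reading the value back.

# Write the WLST (Jython) script to the path given as $1.
write_provisioning_script() {
    cat > "$1" <<'EOF'
import sys
# sys.argv: script name, then the three arguments passed after it on the wlst.sh line
connect(userConfigFile=sys.argv[1], userKeyFile=sys.argv[2], url=sys.argv[3])
domainRuntime()
path = "/fedserverconfig/userprovisioningenabled"
putBooleanProperty(path, "true")
# Read it back so the run fails loudly if the change did not stick.
if str(getBooleanProperty(path)).lower() != "true":
    print "user provisioning was NOT enabled"
    exit(exitcode=1)
print "user provisioning enabled"
exit()
EOF
}

# Usage: run_provisioning_script MW_HOME USER_CONFIG_FILE USER_KEY_FILE t3://host:port
run_provisioning_script() {
    script="$(mktemp)" || return 1
    write_provisioning_script "$script"
    "$1/common/bin/wlst.sh" "$script" "$2" "$3" "$4"
    rc=$?
    rm -f "$script"
    return "$rc"
}
```

On Windows, substitute wlst.cmd for wlst.sh in run_provisioning_script; the generated Jython script is the same.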

Creating an Identity Provider Partner

An identity provider is responsible for managing, authenticating, and asserting a set of user identities for its service provider partners. In order for the Identity Federation service to perform SSO with external identity providers, they must be defined as trusted partners.

To create an Identity Provider Partner:

  1. In the Launch Pad tab, under Identity Federation, click Service Provider Administration.
  2. In the Service Provider Administration tab, click Create Identity Provider Partner.
  3. In the Create Identity Provider Partner tab, under General, complete the following:
    1. In the Name field, enter a unique name for the identity provider partner.

      For example, FederatedProviderPartner

    2. In the Description field, enter a unique description for the identity provider partner.
    3. Select the Enable Partner check box.
    4. Deselect the Default Identity Provider Partner check box.
  4. In the Create Identity Provider Partner tab, under Service Information, complete the following:
    1. In the Protocol list, select SAML 2.0.
    2. For Service Details, select Load from provider metadata.
    3. For Metadata File, click Browse and then select a metadata file.

      Note:

      The XML metadata file should be provided by an IdP.
  5. In the Create Identity Provider Partner tab, under User Mapping, complete the following:
    1. In the User Identity Store list, select the identity store that you created in Creating an Identity Store for Account Linking.

      For example, FederationStore

    2. Select the Map assertion Name ID to User ID Store attribute option.
    3. In the Map assertion Name ID to User ID Store attribute field, enter the LDAP attribute which identifies the unique login ID for your users. This should match the defined value in Creating an Identity Store for Account Linking.
    4. Click Save.

    The Identity Provider Partner tab opens. The name of the tab is the name of the identity provider partner that you entered.

  6. In the Identity Provider Partner tab, complete the following:
    1. Click Create Authentication Scheme and Module.

      The name of the authentication scheme and module is a combination of the name of the identity provider that you created with either FederationScheme or FederationModule appended to it. For example, FederatedProviderPartnerFederationScheme or FederatedProviderPartnerFederationModule.

    2. In the Advanced pane, complete the following:
      • Select Enable global logout.
      • Select HTTP POST SSO Response Binding.
      • In the Authentication Request NameID Format list, select None.
    3. Click Save.

Exporting SAML 2.0 Service Provider Metadata

Establishing trust between federation partners is a prerequisite to performing any federation SSO operation between federation servers. Establishing trust involves exchanging certificate information (where the protocol relies on PKI X.509 certificates to secure message exchanges) as well as the locations and URLs of the services that implement the federation protocol. You can create a service provider SAML 2.0 metadata file, in XML format, that contains this information together with the profiles that the service provider supports, for use by the IdP. Sites acting as identity providers can import this metadata file to establish a relationship with the service provider.

To export SAML 2.0 service provider metadata:

  1. In the Launch Pad tab, under Configuration, click Federation Settings.
  2. In the Federation Settings tab, under General, click Export SAML 2.0 Metadata.
  3. For later use, record the location to which you export the SAML 2.0 metadata.
  4. Provide the metadata file to the IdP when establishing a service provider partner.
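
Before handing the exported metadata to the IdP, it is worth checking that it advertises what the partner configuration expects: an HTTPS AssertionConsumerService with the HTTP-POST binding (matching the HTTP POST SSO Response Binding selected earlier) and a published signing certificate. The following checker is an added example, not Oracle's code; the metadata document and the sp.example.com endpoints in it are constructed for illustration.

```python
# Added example (not Oracle's code): sanity-check an exported SP metadata file
# before handing it to the IdP. The metadata below is constructed for this example.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_SP_METADATA = """<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/oam/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same document with the ACS downgraded to the Redirect binding over plain HTTP.
WEAK_SP_METADATA = SAMPLE_SP_METADATA.replace("HTTP-POST", "HTTP-Redirect").replace(
    "https://sp.example.com/saml/acs", "http://sp.example.com/saml/acs")

def check_sp_metadata(xml_text):
    """Return entityID, ACS endpoints, key uses and the problems an IdP admin would reject."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    # The partner was configured for HTTP POST SSO responses, so the IdP needs
    # a POST consumer endpoint, and it must be HTTPS to protect the assertion.
    if not any(b == POST_BINDING for b, _ in acs):
        problems.append("no HTTP-POST AssertionConsumerService")
    for _, loc in acs:
        if not (loc or "").startswith("https://"):
            problems.append("non-HTTPS ACS location: %s" % loc)
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    uses = {k.get("use", "both") for k in sp.findall("md:KeyDescriptor", NS)}
    if not uses & {"signing", "both"}:
        problems.append("no signing certificate published")
    return {"entity_id": entity_id, "acs": acs, "key_uses": sorted(uses), "problems": problems}
```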

Creating a SAML Authentication Policy

When you created the IdP partner, an authentication scheme and module were also created to impose an access control model that protects Primavera application resources. The authentication scheme and module must then be mapped to an authentication policy in the application domain that was created to protect Primavera application resources.

To create an authentication policy and map the federated identity authentication scheme:

  1. In the Launch Pad tab, under Access Manager, click Application Domains.
  2. In the Application Domain tab, complete the following:
    1. Click Search.
    2. Click the name of an application domain.
  3. In the Application Domain tab, open the Authentication Policies tab.

    Note:

    The name of the tab is the name of the application domain that you clicked.
  4. In the Authentication Policies tab, click Create Authentication Policy.
  5. In the Create Authentication Policy tab, complete the following:
    1. In the Name field, enter a name for the authentication policy.
    2. In the Description field, enter a description of the authentication policy.
    3. In the Authentication Scheme list, select the authentication scheme that you created in Creating an Identity Provider Partner.

      For example, FederatedProviderPartnerFederationScheme

    4. Click Apply.

Assigning an Authentication Policy to Application Resources

To assign an authentication policy to application resources:

  1. In the Launch Pad tab, under Access Manager, click Application Domains.
  2. In the Application Domain tab, complete the following:
    1. Click Search.
    2. Click the name of an application domain.
  3. In the Application Domain tab, open the Resources tab.

    Note:

    The name of the tab is the name of the application domain that you clicked.
  4. In the Resources tab, complete the following:
    1. Select a resource.

      Note:

      You can only select one resource at a time. Select the resources that apply to your P6 EPPM and P6 Professional deployment. For example, if you want to enable federated identity for P6 Professional, select P6 Professional Cloud Connect.
    2. In the Search Results toolbar, click Edit.
  5. In the Resource tab, complete the following:

    Note:

    The name of the tab is the name of the resource that you clicked.
    1. In the Authentication Policy list, under Protection, select the authentication policy that you created using Creating a SAML Authentication Policy.
    2. Click Apply.
  6. Repeat this procedure for each resource in every application domain that is associated with a Primavera application.