34.4 Cryptographic Settings in Oracle Identity Federation
This section describes the cryptographic configuration properties in OIF that govern the Federation SSO exchanges: which hashing algorithm signatures use, which outgoing messages are signed, which incoming messages must be signed, whether the signing certificate travels with the message, and what gets encrypted and with which cipher.
34.4.1 Hashing Algorithms
Oracle Identity Federation (OIF) supports the consumption and issuance of SAML messages signed with either the SHA-1 or the SHA-256 hashing algorithm. Which kind of signature carries the hash depends on the binding:
- XML Digital Signatures (an enveloped dsig:Signature element inside the message) are used with the HTTP-POST and Artifact bindings.
- Query signatures (a Signature query parameter computed over the SAMLRequest/SAMLResponse, RelayState and SigAlg parameters) are used with the HTTP-Redirect binding.
SHA-1 is retained for interoperability with older partners. SHA-1 is deprecated for digital signatures, so use SHA-256 wherever the partner supports it.
34.4.2 Examples of SHA-1 Signed Messages
HTTP-Redirect binding (query signature; note the SigAlg parameter ending in rsa-sha1):
https://acme.com/idp/saml20?SAMLRequest=hVPLbtswEPwVgT1LpB6tY8JyoNZ1q9ZujVgJ3N4Yio5ZSKTMpaz470v5ESQB4gA8LWZ2ZnaXo%2BvHuvJ2woDUKkVhQJAnFNelVA8pui2m%2FhXywDJVskorkaK9AHQ9HgGrq4Zmrd2oG7FtBVjPNVJAS5COuLG2oRh3XRd0caDNA44IIZgMsUP1kA%2B%2FruIoOPN0IOU8aba1MxeDtpXXKj1AeoOxUq7R%2BMX0py%2Fko5iQiKsWd3rj%2FAzyfPN%2FnJd88lCV5Lv37URBuFrGzWTVVaWRgAgL6sq3X0xgln3NaxpBcLjo%2BrLzzH%2BDw%3D%3D&RelayState=id-AkgTE5PMRAZTaKRcZHT-2rIse-oPhCxyI00Xycbf&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=rjZFsFuaFKv77JbspdDwT2wGV366iL3zvWc%2B1aybu%2FW%2BpFwLOfTJBtVsKfwJre1nGCU5SEvFD%2FBBURkxOG1KhR3k%2FrOw%2Bj7g7RlHfSaHKaAO3p6aAGQYPCpz%2Fd0%2BKArDAL%2FDNoH46G6Pnf7VWSb6a2COUiTV6118KaPbexrnJtE
HTTP-POST or Artifact binding (XML Digital Signature; note the SignatureMethod and DigestMethod algorithms):
<samlp:Response ...>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...
</saml:Issuer>
<samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="id-BgLUimKUWYyS3JQbf2geeP9EwS-eGKxOPTuPvxgJ" ...>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...
</saml:Issuer>
<dsig:Signature>
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#id-BgLUimKUWYyS3JQbf2geeP9EwS-eGKxOPTuPvxgJ">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>uS85cIFf4z9KcHH/z60fNRPLoyo=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>NiTyPtOEjyG...SpVjbhKxY=</dsig:SignatureValue>
</dsig:Signature>
<saml:Subject>
...
</saml:Subject>
<saml:Conditions ...>
...
</saml:Conditions>
<saml:AuthnStatement ...>
...
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
34.4.3 Examples of SHA-256 Signed Messages
HTTP-Redirect binding (query signature; note the SigAlg parameter ending in rsa-sha256):
https://acme.com/idp/saml20?SAMLRequest=hVNdb9owFP0rkfec%2BCbAVixClY2hIdGWDui6vhnbFEuOndoOKfv1c%2Fio2kqlkp%2BuzrnnnHuvB5fPpYq2wjppdI7SBFAkNDNc6sccLRfj%2BAJFzlPNqTJa5GgnHLocDhwtVUWK2m%2F0b%2FFUC%2Bej0Eg7wp0MxI33FcG4aZqk6STGPuIMADD0c%2F%2FFLDswb9bFN2dNp61G584V4vJ3o4PJUi7MYTXWaRd0vtKoP%2BAolHYsdTU71nHbJQzgEo8JbULASlTImGmJN%2B6%2FT5eC44lr3A7%2F20G6HAzZC9lo7GxJfXng7aVEGq9h4ZD8dLv0PCNNGPvpLMOQIYNLVv9AX4lebrZ69B1MpoZJdnuUxtpkr63UVKpCs6tcA5FhVKm&RelayState=id-BiQreMi9cMY3oFI9PKMNKtuOjpuFS2PrW4R8KKvd&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=PvyMUD%2FKXnCc0drlN1pvoK171znJkajEHLgtzE4I7YFQIvP4wp3M%2FV7y08x0Qkv0jwo9K4VBG%2BQUBFtXr41ZDp%2BHOb7GlmaY973n7X2UDlbUbVlrJX%2FqS1GyyNY6MSMcO5K0J7VJcQXf8CvGEcVHr%2FZhPjihnAO2vi%2Bej3fbfgo%3D
HTTP-POST or Artifact binding (XML Digital Signature; note the SignatureMethod and DigestMethod algorithms):
<samlp:Response ...>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...
</saml:Issuer>
<samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="id-5B4KZ-PeUzikxtC-Cr9g6uFQ-muwj3ZmC4PUW4wT" ...>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...
</saml:Issuer>
<dsig:Signature>
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<dsig:Reference URI="#id-5B4KZ-PeUzikxtC-Cr9g6uFQ-muwj3ZmC4PUW4wT">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>Ppx/...L9ooHtsvgxvI=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>G6yppQXy...SzHz2oa+zA=</dsig:SignatureValue>
</dsig:Signature>
<saml:Subject>
...
</saml:Subject>
<saml:Conditions ...>
...
</saml:Conditions>
<saml:AuthnStatement ...>
...
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
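Before switching a partner from SHA-1 to SHA-256 it helps to know which algorithm the partner actually signs with today. The following script is an added example, not part of the OIF documentation or product: it reads the two message shapes shown above (an HTTP-Redirect URL, where the algorithm is the SigAlg query parameter, and an HTTP-POST or Artifact message, where it is the dsig:SignatureMethod and dsig:DigestMethod inside the enveloped signature) and also checks that the signature's Reference URI points at the Assertion it accompanies. The sample messages are constructed for the example; their Signature and DigestValue contents are placeholders, and the URL and IDs are illustrative.

```python
"""Identify which hashing algorithm a SAML partner signs with (added example)."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# SigAlg / SignatureMethod URIs and DigestMethod URIs, as in the examples above.
SIGNATURE_HASH = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}
DIGEST_HASH = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
}
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def inspect_redirect_url(url):
    """Return (hash_name, sigalg_uri) for a signed HTTP-Redirect message,
    or ("unsigned", None) when the query carries no Signature parameter."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "Signature" not in query or "SigAlg" not in query:
        return ("unsigned", None)
    sigalg = query["SigAlg"][0]
    return (SIGNATURE_HASH.get(sigalg, "unknown"), sigalg)


def decode_redirect_request(url):
    """Return the XML carried by SAMLRequest (base64 over raw DEFLATE, Redirect binding)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def inspect_post_message(xml_text):
    """Report on the enveloped signature of the Assertion in a POST/Artifact Response.

    Besides the two algorithm URIs, it checks that the Reference URI equals
    "#" + the Assertion ID: a signature that references some other element
    says nothing about the assertion that is about to be consumed.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find(".//" + SAML + "Assertion")
    signature = None if assertion is None else assertion.find(DSIG + "Signature")
    if signature is None:
        return {"signed": False}
    signed_info = signature.find(DSIG + "SignedInfo")
    reference = signed_info.find(DSIG + "Reference")
    return {
        "signed": True,
        "signature_hash": SIGNATURE_HASH.get(
            signed_info.find(DSIG + "SignatureMethod").get("Algorithm"), "unknown"),
        "digest_hash": DIGEST_HASH.get(
            reference.find(DSIG + "DigestMethod").get("Algorithm"), "unknown"),
        "reference_matches_assertion": reference.get("URI") == "#" + assertion.get("ID"),
    }


def build_redirect_url(sigalg_uri):
    """Constructed sample: a minimal AuthnRequest on the Redirect binding.
    The Signature parameter is a placeholder, not a real RSA signature."""
    request = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               'ID="id-constructed" Version="2.0"/>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(request.encode()) + deflater.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode()),
              ("RelayState", "id-constructed-relaystate"),
              ("SigAlg", sigalg_uri),
              ("Signature", base64.b64encode(b"placeholder").decode())]
    return "https://acme.com/idp/saml20?" + urllib.parse.urlencode(params)


# Constructed sample in the shape of the SHA-1 Response shown above.
SAMPLE_SHA1_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="id-constructed-assertion">
    <dsig:Signature><dsig:SignedInfo>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#id-constructed-assertion">
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>placeholder=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo><dsig:SignatureValue>placeholder=</dsig:SignatureValue></dsig:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    url = build_redirect_url("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    print(inspect_redirect_url(url))
    print(inspect_post_message(SAMPLE_SHA1_RESPONSE))
```

Run it against a URL copied from the browser's address bar or against the decoded SAMLResponse form field of a POST; a report showing SHA-1 on either side identifies a partner that still needs the configureFedDigitalSignature() change described in the next section, and a false reference_matches_assertion identifies a message whose signature should not be accepted as covering the assertion.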
34.4.4 Configuring OIF to use SHA-1 or SHA-256 Hashing Algorithm
The hashing algorithm used for a partner's signatures can be configured at two levels:
- At a partner level
- At a partner profile level, where all partners referencing this profile are affected unless they were configured at a partner level for SHA-1/SHA-256 signatures
To configure it:
- Enter the WLST environment:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Run the configureFedDigitalSignature() command:
configureFedDigitalSignature(partner="", partnerProfile="", partnerType="", default="false", algorithm="SHA-256", displayOnly="false", delete="false")
You can set the following parameters:
- partner: to configure a specific partner
- partnerProfile: to configure a specific partner profile
- partnerType: indicates the type of partner/partner profile (idp or sp)
- algorithm: indicates which hashing algorithm to use (SHA-1 or SHA-256)
- displayOnly: indicates whether the command should display the setting on this partner/partner profile instead of setting it. If set to true, this command does not modify the configuration (true or false)
- delete: indicates whether the command should delete the setting on this partner/partner profile instead of setting it. If set to true, this command deletes the configuration and the parent configuration (partner profile or global) is used (true or false)
Running the command with displayOnly="true" first shows the current setting for the partner or profile without changing it.
An example would be:
configureFedDigitalSignature(partner="AcmeIdP", partnerType="idp", algorithm="SHA-256")
- Exit WLST environment.
exit()
34.4.5 Signing Outgoing Messages
This section covers:
- Out of the Box (OOTB) Boolean settings for the outgoing SAML messages
- Configuring the SAML 2.0 AuthnRequest at different levels
- Properties defined at SP/IdP partner profiles
34.4.5.1 OOTB Configurations for Outgoing SAML Messages
The following Out-of-the-box (OOTB) Boolean settings indicate when OIF needs to sign an outgoing SAML message. If a setting is true, OIF signs that message; the default value is given in parentheses.
Global level:
- saml20sendsignedauthnrequest: SAML 2.0 AuthnRequest (true)
SAML 1.1 partner profiles:
- sendsignedrequestsoap: SAML 1.1 Request via the Artifact/SOAP binding (true)
- sendsignedassertion: SAML 1.1 Assertion (true)
- sendsignedresponseassertionpost: SAML 1.1 Response containing an Assertion over the HTTP-POST binding (false)
- sendsignedresponseassertionsoap: SAML 1.1 Response containing an Assertion over the Artifact/SOAP binding (false)
- sendsignedresponsesoap: SAML 1.1 Response not containing an Assertion over the Artifact/SOAP binding (true)
SAML 2.0 IdP partner profile (OIF acting as SP):
- sendsignedrequestpost: SAML 2.0 Request over the HTTP-POST binding (true)
- sendsignedrequestquery: SAML 2.0 Request over the HTTP-Redirect binding (true)
- sendsignedrequestsoap: SAML 2.0 Request over the Artifact/SOAP binding (true)
- sendsignedresponsepost: SAML 2.0 Response not containing an Assertion over the HTTP-POST binding (true)
- sendsignedresponsequery: SAML 2.0 Response not containing an Assertion over the HTTP-Redirect binding (true)
- sendsignedresponsesoap: SAML 2.0 Response not containing an Assertion over the Artifact/SOAP binding (true)
SAML 2.0 SP partner profile (OIF acting as IdP):
- sendsignedassertion: SAML 2.0 Assertion (true)
- sendsignedrequestpost: SAML 2.0 Request over the HTTP-POST binding (true)
- sendsignedrequestquery: SAML 2.0 Request over the HTTP-Redirect binding (true)
- sendsignedrequestsoap: SAML 2.0 Request over the Artifact/SOAP binding (true)
- sendsignedresponseassertionpost: SAML 2.0 Response containing an Assertion over the HTTP-POST binding (false)
- sendsignedresponseassertionsoap: SAML 2.0 Response containing an Assertion over the Artifact/SOAP binding (false)
- sendsignedresponsepost: SAML 2.0 Response not containing an Assertion over the HTTP-POST binding (true)
- sendsignedresponsequery: SAML 2.0 Response not containing an Assertion over the HTTP-Redirect binding (true)
- sendsignedresponsesoap: SAML 2.0 Response not containing an Assertion over the Artifact/SOAP binding (true)
Note that by default a Response that carries an Assertion is not itself signed (sendsignedresponseassertionpost and sendsignedresponseassertionsoap are false); the Assertion inside it is, and that is what the receiving SP validates. Enable the Response-level signature as well when the partner requires it, or when the Assertion is encrypted and you want the ciphertext covered by a signature.
34.4.5.2 Configuring SAML 2.0 AuthnRequest
The saml20sendsignedauthnrequest setting, which controls whether OIF acting as SP signs the AuthnRequest messages it sends, can be configured at:
- Global level
- IdP Partner Profile level
- IdP Partner level
The other send* properties listed above can be configured at:
- Partner Profile level
- Partner level
To configure them:
- Enter the WLST environment:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- To configure at a global level:
putBooleanProperty("/spglobal/saml20sendsignedauthnrequest", "true/false")
Set the value to true to have OIF sign the outgoing AuthnRequest.
An example would be:
putBooleanProperty("/spglobal/saml20sendsignedauthnrequest", "true")
- To configure at a SAML 2.0 IdP Partner Profile level:
putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/sendsignedauthnrequest", "true/false")
Replace PARTNER_PROFILE by a SAML 2.0 IdP Partner Profile name. Set the value to true to have OIF sign the outgoing AuthnRequest.
An example would be:
putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/sendsignedauthnrequest", "true")
- To configure at a SAML 2.0 IdP Partner level:
updatePartnerProperty("PARTNER", "idp", "sendsignedauthnrequest", "true/false", "boolean")
Replace PARTNER by a SAML 2.0 IdP Partner name. Set the value to true to have OIF sign the outgoing AuthnRequest.
An example would be:
updatePartnerProperty("AcmeIdP", "idp", "sendsignedauthnrequest", "false", "boolean")
- To configure another property at a Partner Profile level:
putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/PROPERTY_NAME", "true/false")
Replace PARTNER_PROFILE by a Partner Profile name and PROPERTY_NAME by the name of the property to set to true or false.
An example would be:
putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/sendsignedrequestquery", "true")
- To configure another property at a Partner level:
updatePartnerProperty("PARTNER", "PARTNER_TYPE", "PROPERTY_NAME", "true/false", "boolean")
Replace PARTNER by a Partner name, PARTNER_TYPE by the type of the specified Partner (idp or sp) and PROPERTY_NAME by the name of the property to set to true or false.
An example would be:
updatePartnerProperty("AcmeSP", "sp", "sendsignedrequestquery", "true", "boolean")
A partner-level value overrides the partner profile value, which in turn overrides the global value.
34.4.5.3 Changing SAML 2.0 Metadata
Changing the saml20sendsignedauthnrequest property at the global level changes the following attribute in the SAML 2.0 Metadata generated by OIF:
- The AuthnRequestsSigned attribute in the SPSSODescriptor element is set based on the saml20sendsignedauthnrequest property.
Partner-level and partner-profile-level settings do not change the generated metadata. Partners that imported earlier metadata keep the old attribute value until they import the regenerated metadata. An excerpt of the generated metadata:
<md:EntityDescriptor ...>
<dsig:Signature>
...
</dsig:Signature>
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" ...>
...
</md:IDPSSODescriptor>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
...>
</md:SPSSODescriptor>
</md:EntityDescriptor>
34.4.6 Signing Incoming Messages
This section covers:
- OOTB Boolean settings for the incoming SAML messages
- Configuring the SAML 2.0 AuthnRequest at different levels
- Configuring the SAML 1.1 Assertion at different levels
- Configuring the SAML 2.0 Assertion at different levels
- Properties defined at SP/IdP partner profiles
34.4.6.1 OOTB Boolean Settings for Incoming SAML Messages
The following Out-of-the-box (OOTB) Boolean settings indicate when OIF requires an incoming SAML message to be signed. If a setting is true, OIF rejects an unsigned message of that type; the default value is given in parentheses.
Global level:
- saml20requiresignedauthnrequest: SAML 2.0 AuthnRequest (false)
- saml11requiresignedassertion: SAML 1.1 Assertion contained in a Response message (true)
- saml20requiresignedassertion: SAML 2.0 Assertion contained in a Response message (true)
SAML 1.1 IdP partner profile:
- requiresignedresponseassertionpost: SAML 1.1 Response via the HTTP-POST binding (false)
- requiresignedresponseassertionsoap: SAML 1.1 Response via the Artifact/SOAP binding (false)
SAML 1.1 SP partner profile:
- requiresignedrequestsoap: SAML 1.1 Request via the Artifact/SOAP binding (false)
SAML 2.0 IdP partner profile (OIF acting as SP):
- requiresignedrequestpost: SAML 2.0 Request over the HTTP-POST binding (false)
- requiresignedrequestquery: SAML 2.0 Request over the HTTP-Redirect binding (false)
- requiresignedrequestsoap: SAML 2.0 Request over the Artifact/SOAP binding (false)
- requiresignedresponseassertionpost: SAML 2.0 Response containing an Assertion over the HTTP-POST binding (false)
- requiresignedresponseassertionsoap: SAML 2.0 Response containing an Assertion over the Artifact/SOAP binding (false)
- requiresignedresponsepost: SAML 2.0 Response not containing an Assertion over the HTTP-POST binding (false)
- requiresignedresponsequery: SAML 2.0 Response not containing an Assertion over the HTTP-Redirect binding (false)
- requiresignedresponsesoap: SAML 2.0 Response not containing an Assertion over the Artifact/SOAP binding (false)
SAML 2.0 SP partner profile (OIF acting as IdP):
- requiresignedrequestpost: SAML 2.0 Request over the HTTP-POST binding (false)
- requiresignedrequestquery: SAML 2.0 Request over the HTTP-Redirect binding (false)
- requiresignedrequestsoap: SAML 2.0 Request over the Artifact/SOAP binding (false)
- requiresignedresponsepost: SAML 2.0 Response not containing an Assertion over the HTTP-POST binding (false)
- requiresignedresponsequery: SAML 2.0 Response not containing an Assertion over the HTTP-Redirect binding (false)
- requiresignedresponsesoap: SAML 2.0 Response not containing an Assertion over the Artifact/SOAP binding (false)
With these defaults only Assertions must be signed; every other incoming message type is accepted unsigned until the corresponding require* property is set to true. Where a partner signs its messages, setting the matching property to true turns an optional check into a mandatory one.
Note:
If an incoming message is signed, even though OIF does not require this type of message to be signed, OIF still verifies the signature and returns an error if signature validation fails.
34.4.6.2 Configuring SAML 2.0 AuthnRequest
The saml20requiresignedauthnrequest setting, which controls whether OIF acting as IdP requires the AuthnRequest messages it receives to be signed, can be configured at:
- Global level
- SP Partner Profile level
- SP Partner level
The other require* properties listed above can be configured at:
- Partner Profile level
- Partner level
To configure them:
- Enter the WLST environment:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- To configure at a global level:
putBooleanProperty("/idpglobal/saml20requiresignedauthnrequest", "true/false")
Set the value to true to have OIF require incoming AuthnRequest messages to be signed.
An example would be:
putBooleanProperty("/idpglobal/saml20requiresignedauthnrequest", "true")
- To configure at a SAML 2.0 SP Partner Profile level:
putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/requiresignedauthnrequest", "true/false")
Replace PARTNER_PROFILE by a SAML 2.0 SP Partner Profile name. Set the value to true to have OIF require incoming AuthnRequest messages to be signed.
An example would be:
putBooleanProperty("/fedpartnerprofiles/saml20-sp-partner-profile/requiresignedauthnrequest", "true")
- To configure at a SAML 2.0 SP Partner level:
updatePartnerProperty("PARTNER", "sp", "requiresignedauthnrequest", "true/false", "boolean")
Replace PARTNER by a SAML 2.0 SP Partner name. Set the value to true to have OIF require incoming AuthnRequest messages to be signed.
An example would be:
updatePartnerProperty("AcmeSP", "sp", "requiresignedauthnrequest", "true", "boolean")
- To configure another property at a Partner Profile level:
putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/PROPERTY_NAME", "true/false")
Replace PARTNER_PROFILE by a Partner Profile name and PROPERTY_NAME by the name of the property to set to true or false.
An example would be:
putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/requiresignedresponsepost", "true")
- To configure another property at a Partner level:
updatePartnerProperty("PARTNER", "PARTNER_TYPE", "PROPERTY_NAME", "true/false", "boolean")
Replace PARTNER by a Partner name, PARTNER_TYPE by the type of the specified Partner (idp or sp) and PROPERTY_NAME by the name of the property to set to true or false.
An example would be:
updatePartnerProperty("AcmeSP", "sp", "requiresignedrequestquery", "true", "boolean")
A partner-level value overrides the partner profile value, which in turn overrides the global value.
34.4.6.3 Configuring SAML 1.1 Assertion for Incoming Messages
The saml11requiresignedassertion setting can be configured at the global, SAML 1.1 IdP Partner Profile and SAML 1.1 IdP Partner levels. In a WLST session connected to the Domain Runtime branch (see above):
- To configure at a global level:
putBooleanProperty("/spglobal/saml11requiresignedassertion", "true/false")
Set the value to true to have OIF require incoming SAML 1.1 Assertions to be signed.
An example would be:
putBooleanProperty("/spglobal/saml11requiresignedassertion", "true")
- To configure at a SAML 1.1 IdP Partner Profile level:
putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/requiresignedassertion", "true/false")
Replace PARTNER_PROFILE by a SAML 1.1 IdP Partner Profile name. Set the value to true to have OIF require incoming SAML 1.1 Assertions to be signed.
An example would be:
putBooleanProperty("/fedpartnerprofiles/saml11-idp-partner-profile/requiresignedassertion", "true")
- To configure at a SAML 1.1 IdP Partner level:
updatePartnerProperty("PARTNER", "idp", "requiresignedassertion", "true/false", "boolean")
Replace PARTNER by a SAML 1.1 IdP Partner name. Set the value to true to have OIF require incoming SAML 1.1 Assertions to be signed.
An example would be:
updatePartnerProperty("AcmeIdP", "idp", "requiresignedassertion", "false", "boolean")
Setting this property to false for a partner means OIF accepts unsigned Assertions from that partner, so the Assertion's integrity then rests entirely on the transport and on any Response-level signature.
34.4.6.4 Configuring SAML 2.0 Assertion for Incoming Messages
The saml20requiresignedassertion setting can be configured at the global, SAML 2.0 IdP Partner Profile and SAML 2.0 IdP Partner levels. In a WLST session connected to the Domain Runtime branch (see above):
- To configure at a global level:
putBooleanProperty("/spglobal/saml20requiresignedassertion", "true/false")
Set the value to true to have OIF require incoming SAML 2.0 Assertions to be signed.
An example would be:
putBooleanProperty("/spglobal/saml20requiresignedassertion", "true")
- To configure at a SAML 2.0 IdP Partner Profile level:
putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/requiresignedassertion", "true/false")
Replace PARTNER_PROFILE by a SAML 2.0 IdP Partner Profile name. Set the value to true to have OIF require incoming SAML 2.0 Assertions to be signed.
An example would be:
putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/requiresignedassertion", "true")
- To configure at a SAML 2.0 IdP Partner level:
updatePartnerProperty("PARTNER", "idp", "requiresignedassertion", "true/false", "boolean")
Replace PARTNER by a SAML 2.0 IdP Partner name. Set the value to true to have OIF require incoming SAML 2.0 Assertions to be signed.
An example would be:
updatePartnerProperty("AcmeIdP", "idp", "requiresignedassertion", "false", "boolean")
As with SAML 1.1, setting this property to false for a partner means OIF accepts unsigned Assertions from that partner.
34.4.6.5 Changing SAML 2.0 Metadata of Incoming Messages
Changing the saml20requiresignedauthnrequest or saml20requiresignedassertion properties at the global level changes the following attributes in the SAML 2.0 Metadata generated by OIF:
- The WantAuthnRequestsSigned attribute in the IDPSSODescriptor element is set based on the saml20requiresignedauthnrequest property.
- The WantAssertionsSigned attribute in the SPSSODescriptor element is set based on the saml20requiresignedassertion property.
An excerpt of the generated metadata:
<md:EntityDescriptor ...>
<dsig:Signature>
...
</dsig:Signature>
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" ...>
...
</md:IDPSSODescriptor>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
...>
</md:SPSSODescriptor>
</md:EntityDescriptor>
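The two preceding sections (34.4.5 and 34.4.6) describe three configuration levels and the metadata attributes the global level drives. The script below is an added example, not OIF code: OIF resolves these settings server-side, and this reproduces the documented precedence (partner setting over partner profile setting over global setting) on a constructed configuration, then checks whether a generated metadata document still agrees with the global settings. The property and profile names are the ones used above; the configuration values, partner names and metadata excerpt are constructed for the example.

```python
"""Predict the effective signing policy and check metadata against it (added example)."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# OOTB global defaults, as listed in the sections above.
GLOBAL_DEFAULTS = {
    "saml20sendsignedauthnrequest": True,      # OIF as SP signs the AuthnRequest it sends
    "saml20requiresignedauthnrequest": False,  # OIF as IdP requires a signed AuthnRequest
    "saml20requiresignedassertion": True,      # OIF as SP requires a signed Assertion
}

# Global property -> name of the same setting on a partner profile or partner.
PROFILE_PROPERTY = {
    "saml20sendsignedauthnrequest": "sendsignedauthnrequest",
    "saml20requiresignedassertion": "requiresignedassertion",
}

# Global property -> (metadata element, attribute) it drives.
METADATA_ATTRIBUTE = {
    "saml20sendsignedauthnrequest": ("SPSSODescriptor", "AuthnRequestsSigned"),
    "saml20requiresignedauthnrequest": ("IDPSSODescriptor", "WantAuthnRequestsSigned"),
    "saml20requiresignedassertion": ("SPSSODescriptor", "WantAssertionsSigned"),
}


def effective_setting(global_prop, config, partner, profile):
    """Return the value OIF applies for `partner`, which references `profile`.

    The most specific level that defines the property wins; when neither the
    partner nor its profile defines it, the global value applies.
    """
    name = PROFILE_PROPERTY[global_prop]
    for level in (config["partners"].get(partner, {}),
                  config["profiles"].get(profile, {})):
        if name in level:
            return level[name]
    return config["global"][global_prop]


def metadata_mismatches(metadata_xml, global_config):
    """Return {attribute: (expected, found)} for every metadata attribute that
    disagrees with the global settings; an empty dict means the metadata is current."""
    root = ET.fromstring(metadata_xml)
    mismatches = {}
    for prop, (element, attr) in METADATA_ATTRIBUTE.items():
        found = root.find(MD + element).get(attr) == "true"
        if found != global_config[prop]:
            mismatches[attr] = (global_config[prop], found)
    return mismatches


# Constructed configuration mirroring the examples above: the IdP partner
# profile signs AuthnRequests, but the AcmeIdP partner was set not to.
SAMPLE_CONFIG = {
    "global": dict(GLOBAL_DEFAULTS),
    "profiles": {"saml20-idp-partner-profile": {"sendsignedauthnrequest": True}},
    "partners": {"AcmeIdP": {"sendsignedauthnrequest": False}, "OtherIdP": {}},
}

# Constructed metadata excerpt in the shape shown above (OOTB values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"/>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for idp in ("AcmeIdP", "OtherIdP"):
        print(idp, "AuthnRequest signed:", effective_setting(
            "saml20sendsignedauthnrequest", SAMPLE_CONFIG, idp, "saml20-idp-partner-profile"))
    # After raising the global requirement, the old metadata is stale.
    changed = dict(GLOBAL_DEFAULTS, saml20requiresignedauthnrequest=True)
    print("stale metadata attributes:", metadata_mismatches(SAMPLE_METADATA, changed))
```

The second check is the one to run after any putBooleanProperty() on a global property: a non-empty result means the metadata previously handed to partners no longer describes what OIF does, and it should be regenerated and redistributed.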
34.4.7 Configuring X.509 Certificate in Outgoing Message
OIF can be configured to include its X.509 signing certificate in the XML Digital Signature of an outgoing SAML message sent via the HTTP-POST or SOAP binding. The includecertinsignature Boolean property indicates whether or not the certificate is added to the signature; it can be set at a Partner Profile level or at a Partner level.
Including the certificate helps partners that cannot resolve the signer from metadata, but a receiving partner should still validate the signature against the certificate it has configured for OIF rather than trusting whatever certificate the message carries.
In a WLST session connected to the Domain Runtime branch (see above):
- To configure at a Partner Profile level:
putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/includecertinsignature", "true/false")
Replace PARTNER_PROFILE by a Partner Profile name. Set the value to true or false.
An example would be:
putBooleanProperty("/fedpartnerprofiles/saml20-sp-partner-profile/includecertinsignature", "true")
- To configure at a Partner level:
updatePartnerProperty("PARTNER", "PARTNER_TYPE", "includecertinsignature", "true/false", "boolean")
Replace PARTNER by a Partner name and PARTNER_TYPE by the type of the specified Partner (idp or sp). Set the value to true or false.
An example would be:
updatePartnerProperty("AcmeSP", "sp", "includecertinsignature", "true", "boolean")
34.4.8 Managing SAML 2.0 Encryption
OIF allows an administrator to specify which types of data in SAML 2.0 messages should be encrypted:
- Assertions
- NameIDs
- Attributes
34.4.8.1 OOTB Configuration to Encrypt Outgoing SAML Messages
The following Boolean settings control encryption of outgoing data; the default value is given in parentheses.
SAML 2.0 IdP Partner Profile:
- sendencryptednameid: indicates if the NameID contained in LogoutRequest messages should be encrypted (false)
SAML 2.0 SP Partner Profile:
- sendencryptedattribute: indicates if each attribute contained in a SAML Assertion should be encrypted (false)
- sendencryptednameid: indicates if the NameID contained in LogoutRequest messages and in Assertions should be encrypted (false)
SP Partner entry:
- sendencryptedassertion: indicates if the Assertion should be encrypted (false)
34.4.8.2 Encrypting Outgoing Assertion
Assertion encryption is enabled per SP partner, either in the OAM Administration Console or with WLST.
Using the OAM Administration Console:
- Log in to the OAM Administration Console:
https://oam-admin-host:oam-admin-port/oamconsole
- Navigate to Identity Federation, Identity Provider Administration.
- Open the SP Partner.
- In the Advanced section, select the Encrypt Assertion checkbox.
- Click Save.
Using WLST:
- Enter the WLST environment:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Execute the updatePartnerProperty() command:
updatePartnerProperty("PARTNER", "sp", "sendencryptedassertion", "true/false", "boolean")
Replace PARTNER by a Partner name. Set the value to true or false.
An example would be:
updatePartnerProperty("AcmeSP", "sp", "sendencryptedassertion", "true", "boolean")
- Exit the WLST environment:
exit()
34.4.8.3 Configuring NameID and Attributes Properties
The sendencryptednameid and sendencryptedattribute properties are set at a Partner Profile level or at a Partner level.
- Enter the WLST environment:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- To configure at a Partner Profile level:
putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/PROPERTY_NAME", "true/false")
Replace PARTNER_PROFILE by a Partner Profile name and PROPERTY_NAME by the name of the property to set. Set the value to true or false.
An example would be:
putBooleanProperty("/fedpartnerprofiles/saml20-sp-partner-profile/sendencryptedattribute", "true")
- To configure at a Partner level:
updatePartnerProperty("PARTNER", "PARTNER_TYPE", "PROPERTY_NAME", "true/false", "boolean")
Replace PARTNER by a Partner name, PARTNER_TYPE by the type of the specified Partner (idp or sp) and PROPERTY_NAME by the name of the property to set. Set the value to true or false.
An example would be:
updatePartnerProperty("AcmeSP", "sp", "sendencryptedattribute", "true", "boolean")
- Exit the WLST environment:
exit()
34.4.9 Encryption Algorithm
To select the cipher used for XML encryption, set the defaultencryptionmethod string property to one of the following values:
- http://www.w3.org/2001/04/xmlenc#aes128-cbc for AES-128 CBC
- http://www.w3.org/2001/04/xmlenc#aes192-cbc for AES-192 CBC
- http://www.w3.org/2001/04/xmlenc#aes256-cbc for AES-256 CBC
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc for 3DES CBC
By default, that property is set to http://www.w3.org/2001/04/xmlenc#aes128-cbc (AES-128 CBC).
Prefer one of the AES values: 3DES is deprecated and its 64-bit block is the weakest choice here. All four are CBC modes, and XML Encryption in CBC mode without integrity protection of the ciphertext is known to be exploitable through padding-oracle behaviour (Jager and Somorovsky, 2011), so pair encryption with a signature that covers the encrypted element, for example by requiring the enclosing Response to be signed (requiresignedresponseassertionpost or requiresignedresponseassertionsoap above).
- Enter the WLST environment:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- To configure at a Partner Profile level:
putStringProperty("/fedpartnerprofiles/PARTNER_PROFILE/defaultencryptionmethod", "ALGORITHM")
Replace PARTNER_PROFILE by a Partner Profile name and ALGORITHM by one of the above algorithm values.
An example would be:
putStringProperty("/fedpartnerprofiles/saml20-sp-partner-profile/defaultencryptionmethod", "http://www.w3.org/2001/04/xmlenc#aes256-cbc")
- To configure at a Partner level:
updatePartnerProperty("PARTNER", "PARTNER_TYPE", "defaultencryptionmethod", "ALGORITHM", "string")
Replace PARTNER by a Partner name, PARTNER_TYPE by the type of the specified Partner (idp or sp) and ALGORITHM by one of the above algorithm values.
An example would be:
updatePartnerProperty("AcmeSP", "sp", "defaultencryptionmethod", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "string")
- Exit the WLST environment:
exit()
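Sections 34.4.8 and 34.4.9 list the three element types OIF can encrypt and the four data ciphers it can be configured with. The script below is an added example, not OIF code, for the receiving side of that configuration: it reads the xenc:EncryptionMethod of every encrypted Assertion, NameID and Attribute in a captured SAML 2.0 message and flags what a reviewer should not accept. The key-transport check on xenc:EncryptedKey goes beyond the settings on this page and is included because the data cipher is only as strong as the transport of its key. The sample messages are constructed; their CipherValue contents are placeholders.

```python
"""Report what an incoming SAML 2.0 message encrypts and with which cipher (added example)."""
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

# The four data ciphers defaultencryptionmethod accepts, with a reviewer's verdict.
DATA_CIPHERS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": ("AES-128 CBC", "ok"),
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc": ("AES-192 CBC", "ok"),
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": ("AES-256 CBC", "ok"),
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": ("3DES CBC", "weak: 3DES is deprecated"),
}
# Key-transport algorithms (beyond the page's settings): RSA PKCS#1 v1.5 is the
# padding-oracle-prone one, RSA-OAEP is the one to expect.
KEY_TRANSPORT = {
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p": ("RSA-OAEP", "ok"),
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": ("RSA PKCS#1 v1.5", "weak: padding-oracle prone"),
}
# saml: wrapper element -> the plaintext element it replaces.
ENCRYPTED_WRAPPERS = {"EncryptedAssertion": "Assertion",
                      "EncryptedID": "NameID",
                      "EncryptedAttribute": "Attribute"}


def encryption_report(xml_text):
    """Return [(element, cipher, verdict, key_transport, kt_verdict), ...] for every
    encrypted element in the message; an empty list means nothing is encrypted."""
    root = ET.fromstring(xml_text)
    report = []
    for wrapper, plain in ENCRYPTED_WRAPPERS.items():
        for element in root.iter(SAML + wrapper):
            data = element.find(XENC + "EncryptedData")
            method = data.find(XENC + "EncryptionMethod").get("Algorithm")
            cipher, verdict = DATA_CIPHERS.get(method, ("unknown", "unknown algorithm: reject"))
            key = element.find(".//" + XENC + "EncryptedKey")
            if key is None:
                transport, kt_verdict = ("none", "not present")
            else:
                kt_alg = key.find(XENC + "EncryptionMethod").get("Algorithm")
                transport, kt_verdict = KEY_TRANSPORT.get(
                    kt_alg, ("unknown", "unknown key transport: reject"))
            report.append((plain, cipher, verdict, transport, kt_verdict))
    return report


def acceptable(report):
    """True only when every encrypted element uses an ok data cipher and, where an
    EncryptedKey is present, an ok key-transport algorithm."""
    return all(v == "ok" and kv in ("ok", "not present") for _, _, v, _, kv in report)


# Constructed: Response with an AES-128 encrypted Assertion and RSA-OAEP key transport.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>placeholder=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>placeholder=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed: LogoutRequest whose NameID was encrypted with 3DES and RSA PKCS#1 v1.5.
SAMPLE_LOGOUT = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <saml:EncryptedID>
    <xenc:EncryptedData>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData><xenc:CipherValue>placeholder=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <xenc:CipherData><xenc:CipherValue>placeholder=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </saml:EncryptedID>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    for name, message in (("Response", SAMPLE_RESPONSE), ("LogoutRequest", SAMPLE_LOGOUT)):
        report = encryption_report(message)
        print(name, "acceptable" if acceptable(report) else "NOT acceptable", report)
```

A partner whose messages come back flagged for 3DES should be moved to one of the AES values with the putStringProperty() or updatePartnerProperty() call shown above; the report also makes visible which of Assertion, NameID and Attribute a partner actually encrypts, which is what the sendencrypted* properties control on the sending side.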