Authorization in OAM and IdP

In this article, let us learn how to enable and implement Authorization Policies for Federation SSO when OAM is acting as an IdP. When OAM authenticates a user on behalf of remote SAML / OpenID 2.0 partners, it issues a token (SAML or OpenID) containing information about the user that the partner consumes to identify the user. As a part of the creation of the token, IdP can be configured to evaluate a Token Issuance Policy that indicates if the user is allowed to perform Federation SSO with that particular SP/RP. The Token Issuance Policy is constructed with:

• The SP Partner Name as the resource
• One or more constraints
• The true constraint which is used to indicate that IdP should issue tokens for all users for the SP partners listed in the policy
• The Identity constraint made of
• List of users: IdP ensures that the user performing Federation SSO between OAM and the remote SP belongs to that list
• Or list of groups: IdP ensures that the user performing Federation SSO between OAM and the remote SP belongs to a group listed in the constraint

Enabling / Disabling Authorization in IdP

Out of the box, Authorization is disabled in IdP. As such there is no Authorization enforcement when OAM issues a SAML/OpenID token.

Note: Once authorization is enabled, all IdP Federation SSO operations requires a successful authorization policy evaluation. So if you have existing Federation agreements, no Token Issuance Policy and that you enable authorization, the Federation SSO operation fails until the required Token Issuance Policies are created.

To enable or disable the Authorization in IdP, execute the following OAM WLST commands:

1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the configureFedSSOAuthz() command:
5. To enable authorization: configureFedSSOAuthz("true")
6. To disable authorization: configureFedSSOAuthz("false")
7. Exit the WLST environment: exit()

Token Issuance Policy

Overview

As mentioned earlier, a Token Issuance Policy is made of two objects:

• A list of resources, with each resource containing the name of the SP Partner
• A list of constraints, each constraint being one of the following:
• The true constraint which is used to indicate that IdP should issue tokens for all users for the SP partners listed in the policy
• The Identity constraint made of
• List of users: IdP ensures that the user performing Federation SSO between OAM and the remote SP belongs to that list
• Or list of groups: IdP ensures that the user performing Federation SSO between OAM and the remote SP belongs to a group listed in the constraint
• Rules using the constraints

During a Federation SSO operation, after user authentication, IdP checks if Authorization is enabled and if yes, it collects the user’s identity and the groups to which it belongs, the SP Partner name and invokes OAM Authorization Engine that indicates whether or not the evaluation was successful.

• If successful, it means that
• The SP Partner name was listed as a resource in one in the Token Issuance Policy
• Evaluation of the constraints for one of the Token Issuance Policies where the SP partner is listed
• Either a true constraint was present
• Or an Identity constraint was present with the user’s identity
• Or with a group to which the user belongs to

In the examples listed in this article, add all the Token Issuance Policies to the IAM Suite Application Domains in the OAM Administration Console.

Test Environment

The test environment showcases usage of the Authorization feature by using examples with:

• Three users in the LDAP directory used by IdP (see below for the LDIF output)
• alice
• bob
• charlie
• Three groups in the LDAP directory
• Engineers, to which bob and charlie belong
• Managers, to which alice belongs
• Employees, to which alice, bob and charlie belong
• Four SP Partners:
• OnlineConference.com
• HR
• TravelSite and
• 401kSP
• Three authorization policies
• Authz #1: only users of group Employees minus bob can access 401kSP
• Authz #2: only users of group Managers and user charlie can access HR
• Authz #3: anybody can access TravelSite and OnlineConference.com

The LDIF output from the test LDAP directory for the three users is:

\# alice, users, us.oracle.com
dn: cn=alice,ou=users,dc=us,dc=oracle,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Alice
uid: alice
cn: alice
sn: Appleton
mail: alice@oracle.com

\# bob, users, us.oracle.com
dn: cn=bob,ou=users,dc=us,dc=oracle,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Bobby
uid: bob
cn: bob
sn: Smith
mail: bob@oracle.com

\# charlie, users, us.oracle.com
dn: cn=charlie,ou=users,dc=us,dc=oracle,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Charlie
uid: charlie
cn: Charlie
sn: Crown
mail: charlie@oracle.com

The LDIF output from the test LDAP directory for the three groups is:

\# Managers, groups, us.oracle.com
dn: cn=Managers,ou=groups,dc=us,dc=oracle,dc=com uniqueMember:
cn=alice,ou=users,dc=us,dc=oracle,dc=com
cn: Managers
objectClass: groupOfUniqueNames
objectClass: top

\# Employees, groups, us.oracle.com
dn: cn=Employees,ou=groups,dc=us,dc=oracle,dc=com
uniqueMember:
cn=charlie,ou=users,dc=us,dc=oracle,dc=com
uniqueMember:
cn=alice,ou=users,dc=us,dc=oracle,dc=com
uniqueMember:
cn=bob,ou=users,dc=us,dc=oracle,dc=com
cn: Employees
objectClass: groupOfUniqueNames
objectClass: top

\# Engineers, groups, us.oracle.com
dn: cn=Engineers,ou=groups,dc=us,dc=oracle,dc=com
uniqueMember: cn=bob,ou=users,dc=us,dc=oracle,dc=com
uniqueMember: cn=charlie,ou=users,dc=us,dc=oracle,dc=com
cn: Engineers
objectClass: groupOfUniqueNames
objectClass: top

Examples

Use Case #1

In this use case:

• 401kSP is the name of the SAML 2.0 SP partner
• IdP must allow users belonging to the Employees group to do Federation SSO with that SP Partner
• IdP must disallow bob to do Federation SSO with that SP Partner

To configure IdP for this use case, perform the following steps:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole

2. Navigate to Access Manager, Application Domains

3. Click Search

4. Click in IAM Suite in the list of results and click on the Token Issuance Policies tab

5. Click Create Token Issuance Policy

6. Enter a name (for example EmployeesPolicy)

   

   Description of the illustration Token_Issuance_Policy_Screen.jpg

Execute the following steps:

1. Click on Conditions tab
2. Click Add to add a constraint for the employees group
3. Enter the details of the constraints:
4. Name: for example EmployeesGroup
5. Type: Token Requestor Identity

Description of the illustration Add_Conditions_Screen.jpg

Execute the following steps:

1. Click Add Selected

2. Select the newly created constraint to configure it

3. In the conditions details, click Add and select Add Identities

4. Select the Identity Store where user exist click Search

5. Select the Employees Group

   

   Description of the illustration Add_Indentities_Screen.jpg

6. Click Add Selected

   

   Description of the illustration Create_Token_Issuance_policy_Screen.jpg

Execute the following steps:

1. Click Add to add another constraint for user bob
2. Enter the details of the constraints:

• Name: for example BobUser
• Type: Token Requestor Identity

Description of the illustration Add_Condition_Bob.jpg

Execute the following steps:

1. Click Add Selected

2. Select the newly created constraint to configure it

3. In the conditions details, click Add and select Add Identities

4. Select the Identity Store where user exist click Search

5. Select the user bob

   

   Description of the illustration Add_Identities_Bob.jpg

6. Click Add Selected

   

   Description of the illustration Condition_Details_Screen.jpg

Execute the following steps:

1. Click on the Rules tab

2. In the Allow Rule section, select the EmployeesGroup condition and add it to the Selected Conditions, since we want to allow users belonging to the Employees group to do Federation SSO with the partners listed in this policy

3. In the Deny Rule section, select the BobUser condition and add it to the Selected Conditions, since we want to disallow bob to do Federation SSO with the partners listed in this policy

4. Click Apply

   

   Description of the illustration Rules_Screen.jpg

Execute the following steps to create a new resource and add it to the EmployeesPolicy Token Issuance Policy:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
2. Navigate to Access Manager , Application Domains
3. Click Search
4. Click in IAM Suite in the list of results click on the Resources tab.
5. Click on New Resource and create a new resource for the Token Issuance Policy:

• Type: TokenServiceRP
• Resource URL, name of the SP Partner as it was created in the Federation Admin section: 401kSP
• Operations: all
• Token Issuance Policy: EmployeesPolicy

1. Click Apply

   

   Description of the illustration Resources_Screen.jpg

Use Case #2

In this use case:

• HR is the name of the SAML 2.0 SP partner
• IdP must allow users belonging to the Managers group to do Federation SSO with that SP Partner
• IdP must allow charlie to do Federation SSO with that SP Partner

To configure IdP for this use case, perform the following steps:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
2. Navigate to Access Manager , Application Domains
3. Click Search
4. Click in IAM Suite in the list of results and click on the Token Issuance Policies tab
5. Click Create Token Issuance Policy
6. Enter a name (for example HRPolicy)
7. Click on Conditions tab
8. Click Add to add a constraint for the employees group
9. Enter the details of the constraints:

• Name: for example HRCondition
• Type: Token Requestor Identity

1. Click Add Selected

2. Select the newly created constraint to configure it

3. In the conditions details, click Add and select Add Identities

4. Select the Identity Store where user exist, click Search

5. Select the Managers Group and the charlie user click Add Selected

   

   Description of the illustration HRCondition_Screen.jpg

Execute the following steps:

1. Click on the Rules tab

2. In the Allow Rule section, select the HRCondition condition and add it to the Selected Conditions, since we want to allow users belonging to the Managers group and user charlie to do Federation SSO with the partners listed in this policy

3. Click Apply

   

   Description of the illustration HRCondition_Rules_Screen.jpg

Execute the following steps to create a new resource and add it to the HRPolicy Token Issuance Policy:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
2. Navigate to Access Manager , Application Domains
3. Click Search
4. Click in IAM Suite in the list of results and click on the Resources tab
5. Click on New Resource and create a new resource for the Token Issuance Policy:
   • Type: TokenServiceRP
   • Resource URL, name of the SP Partner as it was created in the Federation Admin section: HR
   • Operations: all
   • Token Issuance Policy: HRPolicy
6. Click Apply

Use Case #3

In this use case:

• TravelSite is the name of the first SAML 2.0 SP partner
• OnlineConference.com is the name of the second SAML 2.0 SP partner
• IdP must allow all users to do Federation SSO with those SP Partners

To configure IdP for this use case, perform the following steps:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
2. Navigate to Access Manager , Application Domains
3. Click Search
4. Click in IAM Suite in the list of results click on the Token Issuance Policies tab
5. Click Create Token Issuance Policy
6. Enter a name (for example AllUsersPolicy)
7. Click on Conditions tab
8. Click Add to add a constraint for all the users.
9. Enter the details of the constraints:

• Name: for example TrueCondition
• Type: True

Description of the illustration TrueCondition_Screen.jpg

1. Click Add Selected

   

   Description of the illustration TrueCondition_Added_Screen.jpg

Execute the following steps:

1. Click on the Rules tab

2. In the Allow Rule section, select the TrueCondition condition and add it to the Selected Conditions, since we want to allow all users to do Federation SSO with the partners listed in this policy

3. Click Apply

   

   Description of the illustration Rules_TrueCondition_Screen.jpg

Execute the following steps to create a new resource and add it to the HRPolicy Token Issuance Policy for the TravelSite and OnlineConference.com partners:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
2. Navigate to Access Manager , Application Domains
3. Click Search
4. Click in IAM Suite in the list of results and click on the Resources tab
5. Click on New Resource and create a new resource for the Token Issuance Policy for TravelSite:
• Type: TokenServiceRP
• Resource URL, name of the SP Partner as it was created in the Federation Admin section: TravelSite
• Operations: all
• Token Issuance Policy: AllUsersPolicy Apply
6. Click on New Resource and create a new resource for the Token Issuance Policy for OnlineConference.com:
• Type: TokenServiceRP
• Resource URL, name of the SP Partner as it was created in the Federation Admin section: OnlineConference.com
• Operations: all
• Token Issuance Policy: AllUsersPolicy
7. Click Apply

Summary

To view the Resources for the SP Partners created above, perform the following steps:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole

2. Navigate to Access Manager , Application Domains

3. Click Search

4. Click in IAM Suite in the list of results click on the Resources tab

5. Select TokenServiceRP as the Resource Type Click Search The list of resources of type TokenServiceRP will be displayed

   • MissingRP and UnknownRP are related to OSTS Authorization Policies
   • HR, TravelSite, OnlineConference.com and 401kSP are displayed

   

   Description of the illustration Summary_Screen.jpg

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Authorization in OAM and IdP

F59887-01

September 2022

Copyright © 2022, Oracle and/or its affiliates.