Authorization in OAM and IdP
In this article, let us learn how to enable and implement Authorization Policies for Federation SSO when OAM is acting as an IdP. When OAM authenticates a user on behalf of remote SAML / OpenID 2.0 partners, it issues a token (SAML or OpenID) containing information about the user that the partner consumes to identify the user. As a part of the creation of the token, IdP can be configured to evaluate a Token Issuance Policy that indicates if the user is allowed to perform Federation SSO with that particular SP/RP. The Token Issuance Policy is constructed with:
- The SP Partner Name as the resource
- One or more constraints:
  - The True constraint, which indicates that IdP should issue tokens for all users for the SP partners listed in the policy
  - The Identity constraint, made of:
    - A list of users: IdP ensures that the user performing Federation SSO between OAM and the remote SP belongs to that list
    - Or a list of groups: IdP ensures that the user performing Federation SSO between OAM and the remote SP belongs to a group listed in the constraint
Enabling / Disabling Authorization in IdP
Out of the box, Authorization is disabled in IdP, so there is no Authorization enforcement when OAM issues a SAML/OpenID token.
Note: Once authorization is enabled, all IdP Federation SSO operations require a successful authorization policy evaluation. So if you have existing Federation agreements but no Token Issuance Policy, and you enable authorization, the Federation SSO operation fails until the required Token Issuance Policies are created.
To enable or disable the Authorization in IdP, execute the following OAM WLST commands:
- Enter the WLST environment by executing:
  $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
  connect()
- Navigate to the Domain Runtime branch:
  domainRuntime()
- Execute the configureFedSSOAuthz() command:
  - To enable authorization:
    configureFedSSOAuthz("true")
  - To disable authorization:
    configureFedSSOAuthz("false")
- Exit the WLST environment:
  exit()
Token Issuance Policy
Overview
As mentioned earlier, a Token Issuance Policy is made of two objects:
- A list of resources, with each resource containing the name of an SP Partner
- A list of constraints, each constraint being one of the following:
  - The True constraint, which indicates that IdP should issue tokens for all users for the SP partners listed in the policy
  - The Identity constraint, made of:
    - A list of users: IdP ensures that the user performing Federation SSO between OAM and the remote SP belongs to that list
    - Or a list of groups: IdP ensures that the user performing Federation SSO between OAM and the remote SP belongs to a group listed in the constraint
- Rules using the constraints
During a Federation SSO operation, after user authentication, IdP checks whether Authorization is enabled. If it is, IdP collects the user's identity, the groups to which the user belongs and the SP Partner name, and invokes the OAM Authorization Engine, which indicates whether or not the evaluation was successful.
- If successful, it means that:
  - The SP Partner name was listed as a resource in one of the Token Issuance Policies
  - Evaluation of the constraints succeeded for one of the Token Issuance Policies where the SP partner is listed:
    - Either a True constraint was present
    - Or an Identity constraint was present with the user's identity
    - Or with a group to which the user belongs
In the examples listed in this article, add all the Token Issuance Policies to the IAM Suite Application Domains in the OAM Administration Console.
Test Environment
The test environment showcases usage of the Authorization feature by using examples with:
- Three users in the LDAP directory used by IdP (see below for the LDIF output):
  - alice
  - bob
  - charlie
- Three groups in the LDAP directory:
  - Engineers, to which bob and charlie belong
  - Managers, to which alice belongs
  - Employees, to which alice, bob and charlie belong
- Four SP Partners:
  - OnlineConference.com
  - HR
  - TravelSite
  - 401kSP
- Three authorization policies:
  - Authz #1: only users of group Employees minus bob can access 401kSP
  - Authz #2: only users of group Managers and user charlie can access HR
  - Authz #3: anybody can access TravelSite and OnlineConference.com
The LDIF output from the test LDAP directory for the three users is:
# alice, users, us.oracle.com
dn: cn=alice,ou=users,dc=us,dc=oracle,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Alice
uid: alice
cn: alice
sn: Appleton
mail: alice@oracle.com
# bob, users, us.oracle.com
dn: cn=bob,ou=users,dc=us,dc=oracle,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Bobby
uid: bob
cn: bob
sn: Smith
mail: bob@oracle.com
# charlie, users, us.oracle.com
dn: cn=charlie,ou=users,dc=us,dc=oracle,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Charlie
uid: charlie
cn: Charlie
sn: Crown
mail: charlie@oracle.com
The LDIF output from the test LDAP directory for the three groups is:
# Managers, groups, us.oracle.com
dn: cn=Managers,ou=groups,dc=us,dc=oracle,dc=com
uniqueMember: cn=alice,ou=users,dc=us,dc=oracle,dc=com
cn: Managers
objectClass: groupOfUniqueNames
objectClass: top
# Employees, groups, us.oracle.com
dn: cn=Employees,ou=groups,dc=us,dc=oracle,dc=com
uniqueMember: cn=charlie,ou=users,dc=us,dc=oracle,dc=com
uniqueMember: cn=alice,ou=users,dc=us,dc=oracle,dc=com
uniqueMember: cn=bob,ou=users,dc=us,dc=oracle,dc=com
cn: Employees
objectClass: groupOfUniqueNames
objectClass: top
# Engineers, groups, us.oracle.com
dn: cn=Engineers,ou=groups,dc=us,dc=oracle,dc=com
uniqueMember: cn=bob,ou=users,dc=us,dc=oracle,dc=com
uniqueMember: cn=charlie,ou=users,dc=us,dc=oracle,dc=com
cn: Engineers
objectClass: groupOfUniqueNames
objectClass: top
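The evaluation described in the Overview, applied to the test environment above, as an added Python example that is neither Oracle's code nor the OAM Authorization Engine: it parses the group entries from a constructed copy of the group LDIF shown above, builds the three Token Issuance Policies under the names the use cases below use (EmployeesPolicy, HRPolicy and AllUsersPolicy), and decides for each user and SP Partner whether a token would be issued. The Python class and function names are assumptions of this model; so are the rule that a Deny Rule match refuses the token for that policy, and the rule that an SP Partner listed in no policy is refused (the situation the note in the Enabling / Disabling section warns about).

```python
"""Added example (not Oracle's code): a Python model of the IdP Token Issuance
Policy evaluation described above, run against the page's test environment.
The LDIF below is a constructed fragment reproducing the test directory groups;
the Python names, and the rule that a matching Deny condition refuses the token
for that policy, are assumptions of this model, not documented OAM behaviour."""
from dataclasses import dataclass, field

GROUPS_LDIF = """\
dn: cn=Managers,ou=groups,dc=us,dc=oracle,dc=com
uniqueMember: cn=alice,ou=users,dc=us,dc=oracle,dc=com
cn: Managers
objectClass: groupOfUniqueNames
objectClass: top

dn: cn=Employees,ou=groups,dc=us,dc=oracle,dc=com
uniqueMember: cn=charlie,ou=users,dc=us,dc=oracle,dc=com
uniqueMember: cn=alice,ou=users,dc=us,dc=oracle,dc=com
uniqueMember: cn=bob,ou=users,dc=us,dc=oracle,dc=com
cn: Employees
objectClass: groupOfUniqueNames
objectClass: top

dn: cn=Engineers,ou=groups,dc=us,dc=oracle,dc=com
uniqueMember: cn=bob,ou=users,dc=us,dc=oracle,dc=com
uniqueMember: cn=charlie,ou=users,dc=us,dc=oracle,dc=com
cn: Engineers
objectClass: groupOfUniqueNames
objectClass: top
"""


def parse_group_members(ldif):
    """Return {group cn: set of member uids} from groupOfUniqueNames entries.
    Only plain 'attr: value' lines are handled (no base64 '::' values)."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "groupOfUniqueNames" not in attrs.get("objectClass", []):
            continue
        # uniqueMember holds full DNs; the member uid is the value of the leading cn= RDN
        members = {dn.split(",")[0].split("=", 1)[1] for dn in attrs.get("uniqueMember", [])}
        groups[attrs["cn"][0]] = members
    return groups


@dataclass
class Condition:
    name: str
    kind: str                                   # "True" or "Identity"
    users: set = field(default_factory=set)     # uids (Identity condition)
    groups: set = field(default_factory=set)    # group cns (Identity condition)

    def matches(self, uid, user_groups):
        if self.kind == "True":
            return True
        return uid in self.users or bool(self.groups & user_groups)


@dataclass
class TokenIssuancePolicy:
    name: str
    resources: set          # SP Partner names (resource type TokenServiceRP)
    conditions: dict        # condition name -> Condition
    allow: list             # condition names selected in the Allow Rule
    deny: list = field(default_factory=list)    # condition names in the Deny Rule


def authorize(policies, groups, uid, sp_partner):
    """Decide whether IdP may issue a token for uid to sp_partner; returns (allowed, reason)."""
    user_groups = {g for g, members in groups.items() if uid in members}
    applicable = [p for p in policies if sp_partner in p.resources]
    if not applicable:
        return False, f"no Token Issuance Policy lists {sp_partner} as a resource"
    for p in applicable:
        if any(p.conditions[c].matches(uid, user_groups) for c in p.deny):
            continue                            # assumed: a Deny Rule match refuses this policy
        if any(p.conditions[c].matches(uid, user_groups) for c in p.allow):
            return True, f"allowed by {p.name}"
    return False, f"no Allow condition matched for {uid}"


def test_environment_policies():
    """Authz #1, #2 and #3 of the test environment."""
    return [
        TokenIssuancePolicy("EmployeesPolicy", {"401kSP"},
            {"EmployeesGroup": Condition("EmployeesGroup", "Identity", groups={"Employees"}),
             "BobUser": Condition("BobUser", "Identity", users={"bob"})},
            allow=["EmployeesGroup"], deny=["BobUser"]),
        TokenIssuancePolicy("HRPolicy", {"HR"},
            {"HRCondition": Condition("HRCondition", "Identity", users={"charlie"}, groups={"Managers"})},
            allow=["HRCondition"]),
        TokenIssuancePolicy("AllUsersPolicy", {"TravelSite", "OnlineConference.com"},
            {"TrueCondition": Condition("TrueCondition", "True")},
            allow=["TrueCondition"]),
    ]


if __name__ == "__main__":
    groups = parse_group_members(GROUPS_LDIF)
    policies = test_environment_policies()
    for uid in ("alice", "bob", "charlie"):
        for sp in ("401kSP", "HR", "TravelSite", "OnlineConference.com"):
            ok, why = authorize(policies, groups, uid, sp)
            print(f"{uid:8} {sp:22} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Running the block prints the decision for every user and SP Partner pair: bob is refused for 401kSP by the Deny Rule even though he belongs to Employees, charlie reaches HR through the user entry of HRCondition while alice reaches it through Managers, and an SP Partner that appears in no policy's resources is always refused, which is why existing Federation agreements stop working after authorization is enabled until their Token Issuance Policies exist.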
Examples
Use Case #1
In this use case:
- 401kSP is the name of the SAML 2.0 SP partner
- IdP must allow users belonging to the Employees group to do Federation SSO with that SP Partner
- IdP must disallow bob to do Federation SSO with that SP Partner
To configure IdP for this use case, perform the following steps:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search
- Click IAM Suite in the list of results and click on the Token Issuance Policies tab
- Click Create Token Issuance Policy
- Enter a name (for example EmployeesPolicy)
[Illustration: Token_Issuance_Policy_Screen.jpg]
Execute the following steps:
- Click on the Conditions tab
- Click Add to add a constraint for the Employees group
- Enter the details of the constraint:
  Name: for example EmployeesGroup
  Type: Token Requestor Identity
[Illustration: Add_Conditions_Screen.jpg]
Execute the following steps:
- Click Add Selected
- Select the newly created constraint to configure it
- In the condition details, click Add and select Add Identities
- Select the Identity Store where the user exists and click Search
- Select the Employees group
- Click Add Selected
[Illustration: Create_Token_Issuance_policy_Screen.jpg]
Execute the following steps:
- Click Add to add another constraint for user bob
- Enter the details of the constraint:
  Name: for example BobUser
  Type: Token Requestor Identity
[Illustration: Add_Condition_Bob.jpg]
Execute the following steps:
- Click Add Selected
- Select the newly created constraint to configure it
- In the condition details, click Add and select Add Identities
- Select the Identity Store where the user exists and click Search
- Select the user bob
- Click Add Selected
[Illustration: Condition_Details_Screen.jpg]
Execute the following steps:
- Click on the Rules tab
- In the Allow Rule section, select the EmployeesGroup condition and add it to the Selected Conditions, since we want to allow users belonging to the Employees group to do Federation SSO with the partners listed in this policy
- In the Deny Rule section, select the BobUser condition and add it to the Selected Conditions, since we want to disallow bob to do Federation SSO with the partners listed in this policy
- Click Apply
Execute the following steps to create a new resource and add it to the EmployeesPolicy Token Issuance Policy:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search
- Click IAM Suite in the list of results and click on the Resources tab
- Click on New Resource and create a new resource for the Token Issuance Policy:
  Type: TokenServiceRP
  Resource URL: name of the SP Partner as it was created in the Federation Admin section: 401kSP
  Operations: all
  Token Issuance Policy: EmployeesPolicy
Use Case #2
In this use case:
- HR is the name of the SAML 2.0 SP partner
- IdP must allow users belonging to the Managers group to do Federation SSO with that SP Partner
- IdP must allow charlie to do Federation SSO with that SP Partner
To configure IdP for this use case, perform the following steps:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search
- Click IAM Suite in the list of results and click on the Token Issuance Policies tab
- Click Create Token Issuance Policy
- Enter a name (for example HRPolicy)
- Click on the Conditions tab
- Click Add to add a constraint for the Managers group and the user charlie
- Enter the details of the constraint:
  Name: for example HRCondition
  Type: Token Requestor Identity
- Click Add Selected
- Select the newly created constraint to configure it
- In the condition details, click Add and select Add Identities
- Select the Identity Store where the users exist, click Search
- Select the Managers group and the charlie user, then click Add Selected
Execute the following steps:
- Click on the Rules tab
- In the Allow Rule section, select the HRCondition condition and add it to the Selected Conditions, since we want to allow users belonging to the Managers group and user charlie to do Federation SSO with the partners listed in this policy
- Click Apply
[Illustration: HRCondition_Rules_Screen.jpg]
Execute the following steps to create a new resource and add it to the HRPolicy Token Issuance Policy:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search
- Click IAM Suite in the list of results and click on the Resources tab
- Click on New Resource and create a new resource for the Token Issuance Policy:
  Type: TokenServiceRP
  Resource URL: name of the SP Partner as it was created in the Federation Admin section: HR
  Operations: all
  Token Issuance Policy: HRPolicy
- Click Apply
Use Case #3
In this use case:
- TravelSite is the name of the first SAML 2.0 SP partner
- OnlineConference.com is the name of the second SAML 2.0 SP partner
- IdP must allow all users to do Federation SSO with those SP Partners
To configure IdP for this use case, perform the following steps:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search
- Click IAM Suite in the list of results and click on the Token Issuance Policies tab
- Click Create Token Issuance Policy
- Enter a name (for example AllUsersPolicy)
- Click on the Conditions tab
- Click Add to add a constraint for all the users
- Enter the details of the constraint:
  Name: for example TrueCondition
  Type: True
[Illustration: TrueCondition_Screen.jpg]
- Click Add Selected
[Illustration: TrueCondition_Added_Screen.jpg]
Execute the following steps:
- Click on the Rules tab
- In the Allow Rule section, select the TrueCondition condition and add it to the Selected Conditions, since we want to allow all users to do Federation SSO with the partners listed in this policy
- Click Apply
[Illustration: Rules_TrueCondition_Screen.jpg]
Execute the following steps to create new resources and add them to the AllUsersPolicy Token Issuance Policy for the TravelSite and OnlineConference.com partners:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search
- Click IAM Suite in the list of results and click on the Resources tab
- Click on New Resource and create a new resource for the Token Issuance Policy for TravelSite:
  Type: TokenServiceRP
  Resource URL: name of the SP Partner as it was created in the Federation Admin section: TravelSite
  Operations: all
  Token Issuance Policy: AllUsersPolicy
- Click Apply
- Click on New Resource and create a new resource for the Token Issuance Policy for OnlineConference.com:
  Type: TokenServiceRP
  Resource URL: name of the SP Partner as it was created in the Federation Admin section: OnlineConference.com
  Operations: all
  Token Issuance Policy: AllUsersPolicy
- Click Apply
Summary
To view the Resources for the SP Partners created above, perform the following steps:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search
- Click IAM Suite in the list of results and click on the Resources tab
- Select TokenServiceRP as the Resource Type and click Search
The list of resources of type TokenServiceRP will be displayed:
- MissingRP and UnknownRP are related to OSTS Authorization Policies
- HR, TravelSite, OnlineConference.com and 401kSP are displayed
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F59887-01
September 2022
Copyright © 2022, Oracle and/or its affiliates.