Create SAML 1.1 and OpenID 2.0 IdP Partners in OAM and SP
This article covers how to set up a Federation agreement between OAM acting as an SP and a remote IdP Partner via the SAML 1.1 or OpenID 2.0 protocols:
- Set up a remote SAML 1.1 IdP Partner
- Set up a remote OpenID 2.0 IdP Partner
The article describes how to perform the above tasks either via the UI, or via the use of the OAM WLST commands.
SAML 1.1
OAM Administration Console
To create a new SAML 1.1 IdP Partner, execute the following steps (ensure first that you have all the data from the IdP partner, such as certificates, IdP identifiers and URLs):
- Go to the OAM Administration Console:
http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Identity Federation, Service Provider Administration.
- Click on the Create Identity Provider Partner button.
- In the Create screen:
- Enter a name for the partner.
- Enter the Issuer / ProviderID of the IdP Partner.
- Leave the SuccinctID blank: OAM/SP then computes it by digesting the Provider ID with the SHA-1 algorithm.
- Enter the SSO Service URL for that IdP Partner: this is the IdP URL to which OAM/SP redirects the user to start Federation SSO.
- If the partner supports the SAML 1.1 Artifact profile, enter the SOAP Service URL where OAM/SP connects to retrieve the SAML Assertion during an SSO Artifact operation.
- Upload the IdP Signing Certificate file:
- either in PEM format (where the file contains as the first line -----BEGIN CERTIFICATE-----, then the certificate in Base64 encoded format, then the last line -----END CERTIFICATE-----)
- or in DER format where the certificate is stored in binary encoding
- Assertion Mapping section:
- Optionally set the OAM Identity Store that should be used. Note: In the example, we left the field blank to use the default OAM Identity Store.
- Optionally set the user search base DN. Note: In the example, we left the field blank to use the user search base DN configured in the Identity Store.
- Select how the mapping occurs.
Note: In the example, we are mapping the Assertion via the NameID to the LDAP mail attribute.
- Select the Attribute Profile that is used to map the names of the attributes in the incoming SAML Assertion to local names.
- Click Save.
- After the partner is created, the Edit Partner screen is shown with:
- The settings entered in the previous screen, which can still be modified.
- An Advanced Settings section displayed.
- HTTP Basic Authentication: If the Artifact binding is used, OAM/SP needs to connect to the IdP directly over SOAP to retrieve the SAML Assertion. Sometimes the IdP enables HTTP Basic Authentication on the SOAP channel, and OAM/SP needs to provide username/password to the IdP (those credentials will be agreed between the IdP’s and SP’s administrators).
Description of the illustration OAM_Admin_Console.jpg
Description of the illustration Edit_Partner_Screen.jpg
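The certificate-upload step above accepts a PEM or a DER file. The following Python is an added example, not part of this Oracle tutorial and not OAM code, of the check an SP administrator can run on a partner's certificate file before uploading it: it accepts both formats, rejects files that bundle more than one certificate or whose outer DER framing is wrong, produces a fingerprint to compare with the value the IdP administrator communicated out of band, and derives the SuccinctID by SHA-1-digesting the Provider ID as the console describes. The sample certificate bytes are a constructed 5-byte DER SEQUENCE standing in for a real certificate, and rendering the digest as hex is this example's choice, not necessarily what the console displays.

```python
import base64
import hashlib
import re

# Matches one "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample: a DER SEQUENCE containing a single INTEGER (5). It is NOT
# a real X.509 certificate; it only exercises the framing check below.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              b"MAMCAQU=\r\n"
              b"-----END CERTIFICATE-----\r\n")


def _der_sequence_payload(der: bytes) -> bytes:
    """Return the content of the outer DER SEQUENCE, or raise if the framing is wrong.

    An X.509 certificate is a DER SEQUENCE (tag 0x30). Only the tag and the
    length encoding are checked here; certificate fields are not parsed."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected first byte 0x30)")
    first = der[1]
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long-form length: 0x8N then N bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
            raise ValueError("malformed DER length encoding")
        length = int.from_bytes(der[2:2 + nbytes], "big")
        offset = 2 + nbytes
    if offset + length != len(der):
        raise ValueError("DER length %d does not match %d bytes of content"
                         % (length, len(der) - offset))
    return der[offset:]


def load_partner_cert(data: bytes) -> bytes:
    """Accept a PEM or DER file and return the certificate as DER bytes.

    Files with several PEM blocks (a chain) are rejected: the partner entry
    holds exactly one signing certificate."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        if len(blocks) != 1:
            raise ValueError("upload exactly one certificate, found %d PEM blocks" % len(blocks))
        try:
            der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
        except ValueError as exc:
            raise ValueError("PEM body is not valid Base64: %s" % exc)
    else:
        der = data                         # no PEM armour: treat the file as DER
    _der_sequence_payload(der)             # raises on bad framing
    return der


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated hex, for the out-of-band comparison."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def succinct_id(provider_id: str) -> str:
    """SHA-1 digest of the Provider ID, the derivation OAM/SP applies when the
    SuccinctID field is left blank. Hex output is an assumption of this example."""
    return hashlib.sha1(provider_id.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    der = load_partner_cert(SAMPLE_PEM)
    print("fingerprint:", cert_fingerprint(der))
    print("SuccinctID for https://acme.com/idp:", succinct_id("https://acme.com/idp"))
```

Run it against the real file with `load_partner_cert(open(path, "rb").read())`; a file the function rejects will be rejected or silently mis-parsed by the upload as well, so it is cheaper to find out here.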
WLST
To create a new SAML 1.1 IdP Partner using the OAM WLST commands, execute the following steps (ensure that you have all the data from the IdP partner, such as certificates, IdP identifiers and URLs):
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Create a SAML 1.1 IdP Partner called acmeIdP in OAM:
addSAML11IdPFederationPartner("acmeIdP", "https://acme.com/idp", "https://acme.com/saml11/sso", "https://acme.com/saml11/soap")
- By default, the new IdP partner is configured to:
- Use the default OAM Identity Store
- Use the user search base DN of the Identity Store (not overridden)
- Map the SAML Assertion using the NameID, matching the LDAP mail attribute
- Use the default Identity Provider Attribute Profile
- No signing certificate has been uploaded for this IdP partner yet; upload one with setFederationPartnerSigningCert().
- Exit the WLST environment:
exit()
Modifying Federation Settings via WLST
This section lists how to change the common IdP Partner settings via the OAM WLST commands:
- SAML Assertion Mapping settings
- OAM Identity Store and User Search Base DN for SAML Assertion Mapping
- SAML Signing Certificate
- IdP Partner Attribute Profile for an IdP Partner
Assume that you are already in the WLST environment and connected:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
SAML Assertion Mapping setting
To configure mapping settings for a SAML IdP Partner:
- Use the following command to map the Assertion via the NameID:
setIdPPartnerMappingNameID(partnerName, userstoreAttr)
- partnerName is the name that was used to create the IdP Partner
- userstoreAttr: LDAP user attribute to match the NameID value
- Use the following command to map the Assertion via a SAML Attribute:
setIdPPartnerMappingAttribute(partnerName, assertionAttr, userstoreAttr)
- partnerName is the name that was used to create the IdP Partner
- assertionAttr: Name of the SAML Attribute
- userstoreAttr: LDAP user attribute to match the SAML Attribute value
- Use the following command to map the Assertion via an LDAP query:
setIdPPartnerMappingAttributeQuery(partnerName, attrQuery)
- partnerName is the name that was used to create the IdP Partner
- attrQuery: The LDAP query to be used, in which each %name% placeholder is replaced by the value of the corresponding attribute (for example (&(givenname=%firstname%)(sn=%lastname%)))
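To make the LDAP-query mapping concrete, here is an added Python example, not part of this tutorial and not OAM's implementation, that performs the two steps the text describes: renaming incoming SAML attribute names to local names through an attribute profile, then expanding the %name% placeholders of an attrQuery with those values. The attribute profile, the OID-style attribute names and the values are constructed for the example, and the assumption that placeholders refer to the local names produced by the attribute profile is this example's. The security point it illustrates is that values originating in the IdP's Assertion must be escaped per RFC 4515 before they are placed in a search filter; the unescaped variant is included only to show what an unescaped value does to the query.

```python
import re

# Hypothetical IdP Partner Attribute Profile: SAML attribute name -> local name.
# Constructed for this example, not taken from any shipped profile.
SAMPLE_ATTRIBUTE_PROFILE = {
    "urn:oid:2.5.4.42": "firstname",
    "urn:oid:2.5.4.4": "lastname",
}

# Constructed attributes as they might arrive in a SAML Assertion from acmeIdP.
SAMPLE_ASSERTION_ATTRS = {
    "urn:oid:2.5.4.42": "Jane",
    "urn:oid:2.5.4.4": "Doe",
}

# The attrQuery from the text.
SAMPLE_ATTR_QUERY = "(&(givenname=%firstname%)(sn=%lastname%))"

_PLACEHOLDER = re.compile(r"%([^%]+)%")


def apply_attribute_profile(profile, assertion_attrs):
    """Rename incoming attributes to local names; attributes absent from the profile are dropped."""
    return {profile[name]: value for name, value in assertion_attrs.items() if name in profile}


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_mapping_filter(attr_query, local_attrs):
    """Expand %name% placeholders with escaped attribute values.

    A missing attribute raises KeyError rather than expanding to an empty or
    wildcard value, so a thin Assertion never turns into a broader search."""
    def substitute(match):
        name = match.group(1)
        if name not in local_attrs:
            raise KeyError("assertion has no attribute %r needed by the mapping query" % name)
        return ldap_filter_escape(local_attrs[name])
    return _PLACEHOLDER.sub(substitute, attr_query)


def build_mapping_filter_unescaped(attr_query, local_attrs):
    """The same expansion without escaping. Shown only to make the injection visible;
    never use this form with attacker-influenced input."""
    return _PLACEHOLDER.sub(lambda m: local_attrs[m.group(1)], attr_query)


def map_assertion(profile, assertion_attrs, attr_query):
    """Profile renaming followed by escaped query expansion: the filter OAM/SP would
    need to run against the Identity Store to find the local user."""
    return build_mapping_filter(attr_query, apply_attribute_profile(profile, assertion_attrs))


if __name__ == "__main__":
    print(map_assertion(SAMPLE_ATTRIBUTE_PROFILE, SAMPLE_ASSERTION_ATTRS, SAMPLE_ATTR_QUERY))
    hostile = {"urn:oid:2.5.4.42": "*)(uid=admin", "urn:oid:2.5.4.4": "x"}
    print("escaped:  ", map_assertion(SAMPLE_ATTRIBUTE_PROFILE, hostile, SAMPLE_ATTR_QUERY))
    print("unescaped:", build_mapping_filter_unescaped(
        SAMPLE_ATTR_QUERY, apply_attribute_profile(SAMPLE_ATTRIBUTE_PROFILE, hostile)))
```

The hostile first name turns `(&(givenname=...)(sn=x))` into a filter that also matches `uid=admin` when substituted raw; with escaping it is just a literal string that matches nobody. Whatever component performs the substitution in your deployment, confirm it escapes, and prefer NameID or single-attribute mapping over a query when the IdP's attribute values are not tightly constrained.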
OAM Identity Store and User Search Base DN
To configure OAM/SP to use a specific OAM Identity Store and/or a specific User Search Base DN when mapping the incoming SAML Assertion, execute the setPartnerIDStoreAndBaseDN() command:
- Use the following command to set the OAM Identity Store only:
setPartnerIDStoreAndBaseDN(partnerName, "idp", storeName="oid")
- partnerName is the name that was used to create the IdP Partner
- idp indicates the partner type
- storeName: References the OAM Identity Store to use
- Use the following command to set the Search Base DN only:
setPartnerIDStoreAndBaseDN(partnerName, "idp", searchBaseDN="ou=managers,dc=acme,dc=com")
- partnerName is the name that was used to create the IdP Partner
- idp indicates the partner type
- searchBaseDN: Indicates the search base DN to use
- Use the following command to set the OAM Identity Store and Search Base DN:
setPartnerIDStoreAndBaseDN(partnerName, "idp", storeName="oid", searchBaseDN="ou=managers,dc=acme,dc=com")
- partnerName is the name that was used to create the IdP Partner
- idp indicates the partner type
- storeName: References the OAM Identity Store to use
- searchBaseDN: Indicates the search base DN to use
- Use the following command to remove the OAM Identity Store and Search Base DN from the IdP partner entry:
setPartnerIDStoreAndBaseDN(partnerName, "idp", delete="true")
- partnerName is the name that was used to create the IdP Partner
- idp indicates the partner type
SAML Signing Certificate
There are various WLST commands available to manage signing and encryption certificates:
- getFederationPartnerSigningCert() prints the partner’s signing certificate in Base64 encoded format:
getFederationPartnerSigningCert("acmeIdP", "idp")
- acmeIdP is the name of the partner created earlier
- idp indicates the partner type
- setFederationPartnerSigningCert() uploads the signing certificate file passed as a parameter to the IdP Partner configuration:
setFederationPartnerSigningCert("acmeIdP", "idp", "/tmp/cert.file")
- acmeIdP is the name of the partner created earlier
- idp indicates the partner type
- the third parameter indicates the location on the file system of the file containing the certificate:
- either in PEM format (where the file contains as the first line -----BEGIN CERTIFICATE-----, then the certificate in Base64 encoded format, then the last line -----END CERTIFICATE-----)
- or in DER format where the certificate is stored in binary encoding
- deleteFederationPartnerSigningCert() removes the signing certificate from the IdP partner entry:
deleteFederationPartnerSigningCert("acmeIdP", "idp")
- acmeIdP is the name of the partner created earlier
- idp indicates the partner type
IdP Partner Attribute Profile
To configure an IdP Partner to use a specific IdP Partner Attribute Profile, execute:
setIdPPartnerAttributeProfile(partnerName, attrProfileID)
- partnerName is the name that was used to create the IdP Partner
- attrProfileID is the IdP Partner Attribute Profile ID
To list the existing IdP Partner Attribute Profiles, execute:
listIdPPartnerAttributeProfileIDs()
Examples
The below commands could be used to add a SAML 1.1 IdP partner (in this example we chose to specify an Identity Store):
addSAML11IdPFederationPartner("acmeIdP", "https://acme.com/idp", "https://acme.com/saml11/sso", "https://acme.com/saml11/soap")
setFederationPartnerSigningCert("acmeIdP", "idp", "/tmp/acme-idp-cert.pem")
setPartnerIDStoreAndBaseDN("acmeIdP", "idp", "oid")
setIdPPartnerMappingNameID("acmeIdP", "mail")
OpenID 2.0
OAM Administration Console
To create a new OpenID 2.0 IdP/OP Partner, execute the following steps (ensure that you have all the data from the IdP/OP partner, such as discovery and SSO URLs):
- Go to the OAM Administration Console:
http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Identity Federation, Service Provider Administration.
- Click on the Create Identity Provider Partner button.
- In the Create screen:
- Enter a name for the partner.
- Select OpenID 2.0 as the Protocol.
- Select how to interact with the OpenID OP.
- Either by specifying the OpenID Discovery URL where the OP’s XRDS is published.
- Or by specifying the OpenID SSO URL where the user should be redirected for OpenID SSO.
- Enter the URL corresponding to the Service Details choice.
- Mapping section:
- Optionally set the OAM Identity Store that should be used. Note: In the example, we left the field blank to use the default OAM Identity Store.
- Optionally set the user search base DN. Note: In the example, we left the field blank to use the user search base DN configured in the Identity Store.
- Select how the mapping occurs. Note: In the example, we are mapping the OpenID Response via an attribute called http://axschema.org/contact/email to the LDAP mail attribute. Note: Mapping via NameID is not possible with the OpenID protocol.
- Select the Attribute Profile that is used to map the names of the attributes in the incoming OpenID SSO Response to local names.
- Click Save.
Description of the illustration Create_Idty_Provider_Screen.jpg
After the partner is created, the Edit Partner screen is shown with:
- The settings set in the previous screen modifiable
- An Advanced Settings section displayed:
- Enable OpenID UI Extension: Indicates to the OAM/SP/RP to include in the OpenID request the UI Extension and set the mode to popup, if supported by the OP.
- OpenID UI Extension Language Preference: Indicates to the OAM/SP/RP to include in the OpenID request the UI Extension and set the language field to the Accept-Language HTTP header value sent by the user’s browser, if supported by the OP.
- Enable OpenID UI Extension Relying Party Icon: indicates to the OAM/SP/RP to include in the OpenID request the UI Extension and set the icon flag, if supported by the OP.
Description of the illustration Edit_Partner_Adv_Settings_Screen.jpg
The OpenID 2.0 protocol mainly relies on user attributes being shared between the OP and the RP during the OpenID 2.0 SSO exchange. OAM/RP can map the names of the attributes in the incoming SSO response to local names, and this is done via the IdP Attribute Profile.
WLST
To create a new OpenID 2.0 OP Partner using the OAM WLST commands, execute the following steps (ensure that you have all the data from the OP partner, such as IdP/OP realm and URLs):
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Create an OpenID 2.0 OP Partner called acmeOP in OAM:
addOpenID20IdPFederationPartner("acmeOP", "https://acme.com/openid/sso", "https://acme.com/openid/xrds")
- By default, the new OP partner is configured to:
- Use the default OAM Identity Store.
- Use the user search base DN of the Identity Store (not overridden).
- Leave the SSO Response mapping unconfigured (set it with setIdPPartnerMappingAttribute() or setIdPPartnerMappingAttributeQuery()).
- Use the default Identity Provider Attribute Profile.
- Exit the WLST environment:
exit()
Modifying Federation Settings via WLST
This section lists how to change the common IdP/OP Partner settings via the OAM WLST commands:
- OpenID SSO Response Mapping settings
- OAM Identity Store and User Search Base DN for OpenID SSO Response
- IdP Partner Attribute Profile for an IdP Partner
We assume that you are already in the WLST environment and connected:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
OpenID SSO Response Mapping settings
To configure mapping settings for an OpenID IdP Partner:
- Use the following command to map the SSO Response via an OpenID Attribute:
setIdPPartnerMappingAttribute(partnerName, assertionAttr, userstoreAttr)
- partnerName is the name that was used to create the IdP Partner
- assertionAttr: Name of the OpenID Attribute (for example http://axschema.org/contact/email)
- userstoreAttr: LDAP user attribute to match the OpenID Attribute value
- Use the following command to map the SSO Response via an LDAP query:
setIdPPartnerMappingAttributeQuery(partnerName, attrQuery)
- partnerName is the name that was used to create the IdP Partner
- attrQuery: The LDAP query to be used, in which each %name% placeholder is replaced by the value of the corresponding attribute (for example (&(givenname=%firstname%)(sn=%lastname%)))
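The OpenID 2.0 mapping above keys on an AX attribute such as http://axschema.org/contact/email. The following Python is an added example, not part of this tutorial and not OAM code, of the RP-side step that precedes the mapping: parsing the OP's id_res response, locating the Attribute Exchange extension by its namespace alias, and refusing any AX attribute that is not listed in openid.signed, because a value outside the signed field list is not covered by openid.sig and could have been altered on the way through the browser. It assumes the signature, return_to and nonce checks have already passed, handles single-valued attributes only, and uses a constructed response whose URLs, nonce and signature value are placeholders.

```python
from urllib.parse import parse_qsl

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed positive assertion as the OP would redirect it back to the RP.
# Hostnames, nonce and signature are placeholders, not real values.
SAMPLE_RESPONSE = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Facme.com%2Fopenid%2Fsso"
    "&openid.claimed_id=https%3A%2F%2Facme.com%2Fopenid%2Fid%2Fjane"
    "&openid.identity=https%3A%2F%2Facme.com%2Fopenid%2Fid%2Fjane"
    "&openid.return_to=https%3A%2F%2Fsp.example.com%2Freturn"
    "&openid.response_nonce=2022-09-01T10%3A00%3A00Zabc123"
    "&openid.assoc_handle=handle-1"
    "&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
    "&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
    "&openid.ax.value.email=jane%40acme.com"
    "&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce"
    "%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.email%2Cax.value.email"
    "&openid.sig=PLACEHOLDER"
)

# The partner mapping configured with setIdPPartnerMappingAttribute(): AX type URI -> LDAP attribute.
SAMPLE_MAPPING = {"http://axschema.org/contact/email": "mail"}


def parse_response(query):
    """Decode the query string and confirm it is an OpenID 2.0 positive assertion."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    return params


def signed_fields(params):
    """Field names (without the openid. prefix) that openid.sig covers."""
    return set(params.get("openid.signed", "").split(","))


def ax_attributes(params):
    """Return {type URI: value} for the AX fetch_response, accepting only attributes
    whose type and value fields are both in openid.signed."""
    alias = None
    for key, value in params.items():          # the OP chooses the alias, e.g. "ax"
        if key.startswith("openid.ns.") and value == AX_NS:
            alias = key[len("openid.ns."):]
    if alias is None:
        return {}
    signed = signed_fields(params)
    if "ns." + alias not in signed:
        raise ValueError("AX namespace declaration is not signed")
    attrs = {}
    prefix = "openid.%s.type." % alias
    for key, type_uri in params.items():
        if not key.startswith(prefix):
            continue
        name = key[len(prefix):]
        if "%s.type.%s" % (alias, name) not in signed or "%s.value.%s" % (alias, name) not in signed:
            raise ValueError("AX attribute %r is not covered by openid.signed" % type_uri)
        value_key = "openid.%s.value.%s" % (alias, name)
        if value_key in params:                 # single-valued only; count.<name> not handled
            attrs[type_uri] = params[value_key]
    return attrs


def map_to_userstore(ax_attrs, mapping):
    """Apply the partner mapping to get the LDAP attribute/value pair to search on."""
    return {ldap_attr: ax_attrs[type_uri] for type_uri, ldap_attr in mapping.items()
            if type_uri in ax_attrs}


if __name__ == "__main__":
    params = parse_response(SAMPLE_RESPONSE)
    print(map_to_userstore(ax_attributes(params), SAMPLE_MAPPING))
```

If the OP leaves the ax.* fields out of openid.signed, the function raises instead of mapping, which is the behaviour you want: an email address the user can rewrite in the redirect must never select the local account.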
OAM Identity Store and User Search Base DN
To configure OAM/SP to use a specific OAM Identity Store and/or a specific User Search Base DN when mapping the incoming OpenID SSO Response, execute the setPartnerIDStoreAndBaseDN() command:
- Use the following command to set the OAM Identity Store only:
setPartnerIDStoreAndBaseDN(partnerName, "idp", storeName="oid")
- partnerName is the name that was used to create the IdP Partner
- idp indicates the partner type
- storeName: References the OAM Identity Store to use
- Use the following command to set the Search Base DN only:
setPartnerIDStoreAndBaseDN(partnerName, "idp", searchBaseDN="ou=managers,dc=acme,dc=com")
- partnerName is the name that was used to create the IdP Partner
- idp indicates the partner type
- searchBaseDN: Indicates the search base DN to use
- Use the following command to set the OAM Identity Store and Search Base DN:
setPartnerIDStoreAndBaseDN(partnerName, "idp", storeName="oid", searchBaseDN="ou=managers,dc=acme,dc=com")
- partnerName is the name that was used to create the IdP Partner
- idp indicates the partner type
- storeName: References the OAM Identity Store to use
- searchBaseDN: Indicates the search base DN to use
- Use the following command to remove the OAM Identity Store and Search Base DN from the IdP partner entry:
setPartnerIDStoreAndBaseDN(partnerName, "idp", delete="true")
- partnerName is the name that was used to create the IdP Partner
- idp indicates the partner type
IdP Partner Attribute Profile
To configure an IdP Partner to use a specific IdP Partner Attribute Profile, execute:
setIdPPartnerAttributeProfile(partnerName, attrProfileID)
- partnerName is the name that was used to create the IdP Partner
- attrProfileID is the IdP Partner Attribute Profile ID
To list the existing IdP Partner Attribute Profiles, execute:
listIdPPartnerAttributeProfileIDs()
Examples
The below commands could be used to add an OpenID 2.0 OP partner (in this example we chose not to specify an Identity Store):
addOpenID20IdPFederationPartner("acmeOP", "https://acme.com/openid/sso", "https://acme.com/openid/xrds")
setIdPPartnerMappingAttribute("acmeOP", "http://axschema.org/contact/email", "mail")
OpenID for Google / Yahoo
OAM administration tools provide an easy way to add Google or Yahoo as an OpenID 2.0 OP/IdP. OAM creates the necessary artifacts to perform Federation SSO with Google or Yahoo via the OpenID protocol.
For Google:
- OAM requests the country, mail, firstname, lastname and language attributes.
- The SSO response mapping is done via the mail attribute.
For Yahoo
- OAM requests the country, mail, firstname, lastname, gender and language attributes.
- The SSO response mapping is done via the mail attribute.
OAM Administration Console
To create Google or Yahoo as a new OpenID 2.0 IdP/OP Partner, execute the following steps:
- Go to the OAM Administration Console:
http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Identity Federation, Service Provider Administration.
- Click on the Create Identity Provider Partner button.
- In the Create screen:
- Enter a name for the partner.
- Select OpenID 2.0 as the Protocol.
- Select:
- Google provider default settings if you want to add Google.
- Yahoo provider default settings if you want to add Yahoo.
- Click Save.
Description of the illustration OAM_Admin_Console_Google_Yahoo.jpg
WLST
To create Google or Yahoo as a new OpenID 2.0 IdP/OP Partner using the OAM WLST commands, execute the following steps:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
- Create the OpenID 2.0 OP Partner:
- For Google (the partner name is google):
addOpenID20GoogleIdPFederationPartner()
- For Yahoo (the partner name is yahoo):
addOpenID20YahooIdPFederationPartner()
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F59899-01
September 2022
Copyright © 2022, Oracle and/or its affiliates.