Fed Authentication Method Requests in OAM and IdP
This article describes how to set up IdP, so that an SP can request the user to be authenticated via a specific OAM Authentication Scheme.
The approach is based on the Federation Authentication Methods and their mappings to OAM Authentication Schemes.
- Each defined Federation Authentication Method can be mapped to several Authentication Schemes.
- In a Federation Authentication Method to Authentication Schemes mapping, a single Authentication Scheme is marked as the default scheme that is used to authenticate a user if the SP/RP partner requests the user to be authenticated via that specific Federation Authentication Method.
The examples show how to indicate to IdP which Authentication Scheme to use to challenge the user, when the SP requests a specific Federation Authentication Method to be used.
Configuration
Mapping Federation Authentication Methods to OAM Authentication Schemes is protocol dependent. As the methods are defined per protocol (SAML 2.0, SAML 1.1, OpenID 2.0), the mappings can be defined on either of the following:
- The SP Partner Profile, which affects all Partners referencing that profile that do not override the Federation Authentication Method to OAM Authentication Scheme mappings
- The SP Partner entry, which only affects that SP Partner
Note: It is important to note that if an SP Partner is configured to define one or more Federation Authentication Method to OAM Authentication Scheme mappings, then all the mappings defined in the SP Partner Profile are ignored for that partner.
WLST Commands
The same OAM WLST commands used to map Federation Authentication Methods to OAM Authentication Schemes are used to indicate the scheme to be used when an SP requests a user to be challenged via a specific Federation Authentication Method:
- addSPPartnerProfileAuthnMethod() to define a mapping on an SP Partner Profile, taking as parameters:
  - The name of the SP Partner Profile
  - The Federation Authentication Method
  - The OAM Authentication Scheme name
  - A default flag indicating whether this scheme should be the one used for authentication when the SP/RP Partner requests this Federation Authentication Method at runtime.
- addSPPartnerAuthnMethod() to define a mapping on an SP Partner, taking as parameters:
  - The name of the SP Partner
  - The Federation Authentication Method
  - The OAM Authentication Scheme name
  - A default flag indicating whether this scheme should be the one used for authentication when the SP/RP Partner requests this Federation Authentication Method at runtime.
The following examples show how to use the addSPPartnerProfileAuthnMethod() command with the SAML 2.0 protocol.
Note: SAML 1.1 does not support a way for the SP to request a specific Federation Authentication Method.
Example
Test Setup
In this setup, OAM is acting as an IdP and is integrated with a remote SAML 2.0 SP partner identified by AcmeSP. By default:
- LDAPScheme is the default Authentication Scheme
- Only the urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Federation Authentication Method is defined
- This Federation Authentication Method is mapped to:
  - LDAPScheme, marked as the default scheme used for authentication
  - FAAuthScheme
  - BasicScheme
  - BasicFAScheme
- This mapping is defined in the saml20-sppartner-profile SP Partner Profile, which is the default OOTB SP Partner Profile for SAML 2.0 and the profile referenced by AcmeSP (getFedPartnerProfile("AcmeSP", "sp")).
In this test, the following Federation SSO operations are performed with IdP:
- Federation SSO with the SP not specifying a Federation Authentication Method.
- Federation SSO with the SP specifying urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method.
- Defining the urn:oasis:names:tc:SAML:2.0:ac:classes:Password mapping to LDAPScheme, marking LDAPScheme as the default scheme for this mapping, and performing Federation SSO with the SP specifying urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method.
- Adding BasicScheme to the urn:oasis:names:tc:SAML:2.0:ac:classes:Password mapping, and performing Federation SSO with the SP specifying urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method.
- Setting BasicScheme as the default scheme for the urn:oasis:names:tc:SAML:2.0:ac:classes:Password mapping, and performing Federation SSO with the SP specifying urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method.
SP not Requesting a Fed Authn Method
In a typical Federation SSO operation, the SP does not request a specific Federation Authentication Method to be used to challenge the user.
The SAML 2.0 AuthnRequest is similar to:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.com/oamfed/idp/samlv20"
    ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-"
    IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
As the settings are OOTB, the global default Authentication Scheme, LDAPScheme, is used for authentication.
Test: During the Federation SSO operation where the SP does not request a specific Federation Authentication Method to be used, the user is challenged by OAM using LDAPScheme.
SP Requesting a Fed Authn Method
In this flow, the SP requests IdP to use a specific Federation Authentication Method to challenge the user. This method is urn:oasis:names:tc:SAML:2.0:ac:classes:Password, and it is requested by the SP in all subsequent tests in this article.
The SAML 2.0 AuthnRequest is similar to:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.com/oamfed/idp/samlv20"
    ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-"
    IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
As the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method is not defined in IdP OOTB, the server returns an error to the SP indicating that this Federation Authentication Method is unknown at IdP: the server sends a SAML 2.0 Response with the low-level status code set to urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext.
The SAML 2.0 Response is similar to:
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>
Test: During the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the operation results in an error.
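The two messages above are the ones an IdP administrator ends up reading when diagnosing a NoAuthnContext failure. The following Python script, added here as an example and not part of the original article or of OAM, parses a SAML 2.0 AuthnRequest to extract the RequestedAuthnContext (Comparison attribute and requested class references) and walks the nested StatusCode chain of a Response. The sample messages are constructed from the article's examples; the elided Issuer attributes are replaced by namespace declarations so the XML is well-formed, and the Response ID and IssueInstant are made-up values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the article's AuthnRequest that asks for the Password method.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://idp.com/oamfed/idp/samlv20"
    ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-"
    IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample: the same request without any RequestedAuthnContext.
SAMPLE_AUTHN_REQUEST_NO_CONTEXT = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://idp.com/oamfed/idp/samlv20"
    ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-"
    IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""

# Constructed sample: the article's error Response (ID/IssueInstant are made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed-response" IssueInstant="2014-03-21T20:51:12Z" Version="2.0">
  <saml:Issuer>https://idp.com/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def requested_authn_methods(authn_request_xml):
    """Return (Comparison, [AuthnContextClassRef values]) or None when the SP asks for nothing."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 Core: Comparison defaults to "exact"
    # Strip whitespace: the class ref is often pretty-printed across lines, as in the article.
    refs = [(e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs


def status_codes(response_xml):
    """Return the StatusCode chain of a Response, outermost first (e.g. Requester, NoAuthnContext)."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    chain = []
    while code is not None:
        chain.append(code.get("Value"))
        code = code.find("samlp:StatusCode", NS)  # second-level code carries the real reason
    return chain


def is_success(response_xml):
    return status_codes(response_xml)[:1] == [SUCCESS]


if __name__ == "__main__":
    print("requested:", requested_authn_methods(SAMPLE_AUTHN_REQUEST))
    print("requested (none):", requested_authn_methods(SAMPLE_AUTHN_REQUEST_NO_CONTEXT))
    print("status chain:", status_codes(SAMPLE_RESPONSE), "success:", is_success(SAMPLE_RESPONSE))
```

The top-level StatusCode (Requester) only says which side is at fault; the nested NoAuthnContext value is what tells the administrator that a Federation Authentication Method mapping is missing at IdP, so any monitoring on IdP responses should look at the whole chain rather than the first code.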
Creating Fed Authn Mapping
To correct the error seen above, define the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method mapped to LDAPScheme: that way, when the SP requests that method, LDAPScheme is used.
Note: By doing so, we are removing the existing mapping between urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport and LDAPScheme; urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport will only be mapped to BasicScheme, BasicFAScheme and FAAuthScheme.
To create the mapping, execute the following steps:
- Enter the WLST environment by executing:
  $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
  connect()
- Navigate to the Domain Runtime branch:
  domainRuntime()
- Execute the addSPPartnerProfileAuthnMethod() command:
  addSPPartnerProfileAuthnMethod("saml20-sppartner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "LDAPScheme")
- Exit the WLST environment:
  exit()
I did not specify that LDAPScheme should be used as the default scheme if an SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password during Federation SSO, because the WLST command is defined such that if the isDefault parameter is missing, it is assumed to be true.
Test: During the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user is challenged via LDAPScheme.
Adding BasicScheme to the Fed Authn Mapping
In this example, BasicScheme is added to the list of schemes mapped to the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method, but since it is not marked as the default scheme, BasicScheme is not used if the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password at runtime to challenge the user.
Note: By doing so, we are removing the existing mapping between urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport and BasicScheme; urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport will only be mapped to BasicFAScheme and FAAuthScheme.
To create the mapping, execute the following steps:
- Enter the WLST environment by executing:
  $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
  connect()
- Navigate to the Domain Runtime branch:
  domainRuntime()
- Execute the addSPPartnerProfileAuthnMethod() command:
  addSPPartnerProfileAuthnMethod("saml20-sppartner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "BasicScheme", isDefault="false")
- Exit the WLST environment:
  exit()
With isDefault set to false, BasicScheme is not used as the default scheme if an SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password during Federation SSO.
Test: During the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user is challenged via LDAPScheme.
Setting BasicScheme to be used for User Challenge
To use BasicScheme when the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password at runtime to challenge the user, issue a command similar to the previous one, except that the isDefault parameter is set to true:
- Enter the WLST environment by executing:
  $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
  connect()
- Navigate to the Domain Runtime branch:
  domainRuntime()
- Execute the addSPPartnerProfileAuthnMethod() command:
  addSPPartnerProfileAuthnMethod("saml20-sppartner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "BasicScheme", isDefault="true")
- Exit the WLST environment:
  exit()
Test: During the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user is challenged via BasicScheme.
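The four WLST steps above, together with the Configuration section's rule that partner-level mappings hide the profile's mappings, can be replayed as a small model. The following Python script is an added example, not OAM or Oracle code: the addSPPartnerProfileAuthnMethod() and addSPPartnerAuthnMethod() names are the real WLST commands from this article, but their bodies here are an assumption that mirrors the behaviour the article describes (a scheme belongs to at most one method per profile, isDefault omitted means true, an unmapped method yields NoAuthnContext). It goes one step beyond the article's tests with partner_override_demo(), which shows that a single partner-level mapping causes every profile-level mapping to be ignored for that partner. The fallback to the global default scheme when no scheme in a mapping is flagged default is an assumption of the model, not something the article states.

```python
# Added example (not OAM code): a model of how an OAM IdP picks the Authentication
# Scheme to challenge the user with, from the Federation Authentication Method the
# SP requested. Command names are the article's WLST commands; bodies are assumed.

NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
GLOBAL_DEFAULT_SCHEME = "LDAPScheme"   # OOTB default scheme from the Test Setup
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PWD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PROFILE = "saml20-sppartner-profile"


class NoAuthnContextError(Exception):
    """Raised when the SP requests a method the IdP has no mapping for."""


class FedAuthnMappings:
    def __init__(self):
        self.profiles = {}          # profile name -> {method: {"schemes": [...], "default": ...}}
        self.partners = {}          # partner name -> same structure; overrides the profile
        self.partner_profile = {}   # partner name -> profile name it references

    @staticmethod
    def _add(table, method, scheme, is_default):
        # Assumption drawn from the article's notes: a scheme belongs to at most one
        # method per profile/partner, so adding it here removes it from any other method.
        for other, m in table.items():
            if other != method and scheme in m["schemes"]:
                m["schemes"].remove(scheme)
                if m["default"] == scheme:
                    m["default"] = None   # assumption: no default until one is flagged again
        m = table.setdefault(method, {"schemes": [], "default": None})
        if scheme not in m["schemes"]:
            m["schemes"].append(scheme)
        if str(is_default).lower() == "true":   # WLST passes isDefault as "true"/"false"
            m["default"] = scheme

    # isDefault omitted means true, as the article states for the WLST command.
    def addSPPartnerProfileAuthnMethod(self, profile, method, scheme, isDefault="true"):
        self._add(self.profiles.setdefault(profile, {}), method, scheme, isDefault)

    def addSPPartnerAuthnMethod(self, partner, method, scheme, isDefault="true"):
        self._add(self.partners.setdefault(partner, {}), method, scheme, isDefault)

    def schemes(self, profile, method):
        return list(self.profiles.get(profile, {}).get(method, {}).get("schemes", []))

    def resolve(self, partner, requested_method=None):
        """Scheme used to challenge the user for this partner's AuthnRequest."""
        if requested_method is None:
            return GLOBAL_DEFAULT_SCHEME   # SP did not ask for a method
        # A partner with its own mappings ignores the profile's mappings entirely.
        table = self.partners.get(partner) or self.profiles.get(self.partner_profile[partner], {})
        if requested_method not in table:
            raise NoAuthnContextError(NO_AUTHN_CONTEXT)
        # Assumption: if no scheme in the mapping is flagged default, the global default is used.
        return table[requested_method]["default"] or GLOBAL_DEFAULT_SCHEME


def ootb_idp():
    """IdP in the article's starting state: AcmeSP references the OOTB SAML 2.0 profile."""
    fed = FedAuthnMappings()
    fed.partner_profile["AcmeSP"] = PROFILE
    fed.addSPPartnerProfileAuthnMethod(PROFILE, PPT, "LDAPScheme", "true")
    for s in ("FAAuthScheme", "BasicScheme", "BasicFAScheme"):
        fed.addSPPartnerProfileAuthnMethod(PROFILE, PPT, s, "false")
    return fed


def try_resolve(fed, partner, method):
    try:
        return fed.resolve(partner, method)
    except NoAuthnContextError as e:
        return str(e)   # the low-level status code the IdP would put in its Response


def article_walkthrough():
    """Replays the article's five tests in order; returns the outcome of each."""
    fed = ootb_idp()
    out = [try_resolve(fed, "AcmeSP", None), try_resolve(fed, "AcmeSP", PWD)]
    fed.addSPPartnerProfileAuthnMethod(PROFILE, PWD, "LDAPScheme")   # isDefault implied true
    out.append(try_resolve(fed, "AcmeSP", PWD))
    fed.addSPPartnerProfileAuthnMethod(PROFILE, PWD, "BasicScheme", isDefault="false")
    out.append(try_resolve(fed, "AcmeSP", PWD))
    fed.addSPPartnerProfileAuthnMethod(PROFILE, PWD, "BasicScheme", isDefault="true")
    out.append(try_resolve(fed, "AcmeSP", PWD))
    return out, fed


def partner_override_demo():
    """One partner-level mapping hides the whole profile for that partner."""
    fed = ootb_idp()
    fed.addSPPartnerAuthnMethod("AcmeSP", PWD, "BasicFAScheme")
    return try_resolve(fed, "AcmeSP", PWD), try_resolve(fed, "AcmeSP", PPT)


if __name__ == "__main__":
    results, fed = article_walkthrough()
    for step, r in enumerate(results, 1):
        print(f"test {step}: {r}")
    print("PasswordProtectedTransport still maps to:", fed.schemes(PROFILE, PPT))
    print("partner override:", partner_override_demo())
```

The side effect worth checking after each WLST command is the one the article's notes describe: moving a scheme into the Password mapping silently removes it from the PasswordProtectedTransport mapping, which the schemes() accessor makes visible. The override demo shows why a partner-level mapping should be added only deliberately: once AcmeSP has its own mapping, a request for PasswordProtectedTransport that used to succeed via the profile fails with NoAuthnContext.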
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Fed Authentication Method Requests in OAM - IdP
F60234-01
September 2022
Copyright © 2022, Oracle and/or its affiliates.