Fed Authentication Method Requests in OAM and IdP

This article describes how to set up the IdP so that an SP can request that the user be authenticated via a specific OAM Authentication Scheme.

The approach is based on the Federation Authentication Methods and their mappings to OAM Authentication Schemes.

The examples show how to indicate to IdP which Authentication Scheme to use to challenge the user, when the SP requests a specific Federation Authentication Method to be used.

Configuration

Mapping Federation Authentication Methods to OAM Authentication Schemes is protocol-dependent. As the methods are defined in the various protocols (SAML 2.0, SAML 1.1, OpenID 2.0), the following can be done:

Note: It is important to note that if an SP Partner is configured to define one or more Federation Authentication Method to OAM Authentication Scheme mappings, then all the mappings defined in the SP Partner Profile are ignored.

WLST Commands

The same OAM WLST commands used to map Federation Authentication Methods to OAM Authentication Schemes are used to indicate the scheme to be used when an SP requests that a user be challenged via a specific Federation Authentication Method:

The following examples show how to use the addSPPartnerProfileAuthnMethod() with the SAML 2.0 protocol.

Note: SAML 1.1 does not support a way for the SP to request a specific Federation Authentication Method.

Example

Test Setup

In this setup, OAM is acting as an IdP and is integrated with a remote SAML 2.0 SP partner identified by AcmeSP. By default:

In this test, Federation SSO with IdP is configured to:

SP not Requesting a Fed Authn Method

In a typical Federation SSO operation, the SP does not request a specific Federation Authentication Method to be used to challenge the user.

The SAML 2.0 AuthnRequest is similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.com/oamfed/idp/samlv20"
    ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-"
    IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

As the settings are OOTB (out of the box), the global default Authentication Scheme, LDAPScheme, is used for authentication.

Test: During the Federation SSO operation where the SP does not request a specific Federation Authentication Method to be used, the user is challenged by OAM using LDAPScheme.

SP Requesting a Fed Authn Method

In this flow, the SP requests IdP to use a specific Federation Authentication Method to challenge the user. This method is urn:oasis:names:tc:SAML:2.0:ac:classes:Password, and this is requested by the SP for all subsequent tests in this article.

The SAML 2.0 AuthnRequest is similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.com/oamfed/idp/samlv20"
    ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-"
    IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Because, OOTB, the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method is not defined at the IdP, the server returns an error to the SP indicating that this Federation Authentication Method is unknown at the IdP: the server sends a SAML 2.0 Response with the low-level status code set to urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext.

The SAML 2.0 Response is similar to:

<samlp:Response ...>
   <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
      </samlp:StatusCode>
   </samlp:Status>
</samlp:Response>

Test: During the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the operation results in an error.
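The two flows above differ only in whether the AuthnRequest carries a RequestedAuthnContext, and in how the IdP answers when the requested class is unknown. The following Python example is added here and is not code from the article or from OAM: it parses an AuthnRequest constructed to match the one shown above (the IdP URL and SP entity ID are the article's placeholders), reports the requested AuthnContextClassRef values, and builds the nested samlp:Status the article shows for an unknown method. The set of "known" methods is passed in by the caller; the check is a simplification (exact membership only, ignoring the Comparison="minimum" semantics) so that the error path stays visible.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
ET.register_namespace("samlp", SAMLP)

# Constructed sample modelled on the article's second AuthnRequest (SP requests Password).
AUTHN_REQUEST_WITH_CONTEXT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://idp.com/oamfed/idp/samlv20"
    ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-"
    IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Same request with the RequestedAuthnContext dropped: the first flow in the article,
# where the SP does not ask for a particular Federation Authentication Method.
AUTHN_REQUEST_NO_CONTEXT = (
    AUTHN_REQUEST_WITH_CONTEXT.split("<samlp:RequestedAuthnContext")[0]
    + "</samlp:AuthnRequest>"
)


def requested_authn_context(authn_request_xml):
    """Return (comparison, [class refs]) or None when the SP requested nothing."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 default is "exact"
    # Whitespace around the URI (as in the article's request) must not change its value.
    refs = [(e.text or "").strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


def status_for_request(authn_request_xml, known_methods):
    """(top-level, second-level) status codes the IdP answers with.

    known_methods: the Federation Authentication Methods defined at the IdP.
    Simplification: a requested class is accepted only if it is in that set."""
    ctx = requested_authn_context(authn_request_xml)
    if ctx is None:
        return (STATUS_SUCCESS, None)
    _, refs = ctx
    if any(ref in known_methods for ref in refs):
        return (STATUS_SUCCESS, None)
    return (STATUS_REQUESTER, STATUS_NO_AUTHN_CONTEXT)


def build_status_xml(top, second=None):
    """Serialise samlp:Status with the nested StatusCode shown in the article."""
    status = ET.Element(f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=top)
    if second:
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=second)
    return ET.tostring(status, encoding="unicode")


if __name__ == "__main__":
    ppt_only = {"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}
    print(requested_authn_context(AUTHN_REQUEST_WITH_CONTEXT))
    print(build_status_xml(*status_for_request(AUTHN_REQUEST_WITH_CONTEXT, ppt_only)))
```

Passing only PasswordProtectedTransport as the known set reproduces the OOTB error (Requester with a nested NoAuthnContext); adding Password to the set, which is what the WLST mapping in the next section does at the IdP, turns the same request into a Success status.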

Creating Fed Authn Mapping

To correct the error seen above, define the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method mapped to LDAPScheme: that way, when the SP requests that method, LDAPScheme is used.

Note: By doing so, we are removing the existing mapping between urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport and LDAPScheme; PasswordProtectedTransport will only be mapped to BasicScheme, BasicFAScheme and FAAuthScheme.

To create the mapping, execute the following steps:

  1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh

  2. Connect to the WLS Admin server: connect()

  3. Navigate to the Domain Runtime branch: domainRuntime()

  4. Execute the addSPPartnerProfileAuthnMethod() command: addSPPartnerProfileAuthnMethod("saml20-sppartner-profile","urn:oasis:names:tc:SAML:2.0:ac:classes:Password","LDAPScheme")

  5. Exit the WLST environment: exit()

I did not specify that LDAPScheme should be used as the default scheme when an SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password during Federation SSO, because the WLST command is defined such that if the isDefault parameter is missing, it is assumed to be true.

Test: during the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user is challenged via LDAPScheme.

Adding BasicScheme to the Fed Authn Mapping

In this example, BasicScheme is added to the list of schemes mapped to the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method, but BasicScheme is not used to challenge the user if the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password at runtime, because LDAPScheme remains the default scheme for that method.

Note: By doing so, we are removing the existing mapping between urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport and BasicScheme; PasswordProtectedTransport will only be mapped to BasicFAScheme and FAAuthScheme.

To create the mapping, execute the following steps:

  1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh

  2. Connect to the WLS Admin server: connect()

  3. Navigate to the Domain Runtime branch: domainRuntime()

  4. Execute the addSPPartnerProfileAuthnMethod() command: addSPPartnerProfileAuthnMethod("saml20-sppartner-profile","urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "BasicScheme", isDefault="false")

  5. Exit the WLST environment: exit()

With isDefault set to false, BasicScheme is not used as the default scheme when an SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password during Federation SSO.

Test: During the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user is challenged via LDAPScheme.

Setting BasicScheme to be used for User Challenge

To have BasicScheme challenge the user when the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password at runtime, issue a command similar to the previous one, except that the isDefault parameter is set to true:

  1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh

  2. Connect to the WLS Admin server: connect()

  3. Navigate to the Domain Runtime branch: domainRuntime()

  4. Execute the addSPPartnerProfileAuthnMethod() command: addSPPartnerProfileAuthnMethod("saml20-sppartner-profile","urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "BasicScheme", isDefault="true")

  5. Exit the WLST environment: exit()

Test: During the Federation SSO operation where the SP requests urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the Federation Authentication Method to be used, the user is challenged via BasicScheme.
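The three WLST procedures above (mapping Password to LDAPScheme, adding BasicScheme as a non-default scheme, then making BasicScheme the default) change the SP Partner Profile's mapping table in ways the Test lines and Notes describe but never show side by side. The following Python example is added here and is not the article's or OAM's code: it is a constructed in-memory model of an SP Partner Profile with a method mirroring the addSPPartnerProfileAuthnMethod() call (same argument order, isDefault taken as true when omitted) and replays the article's five tests. Two rules are assumptions drawn from the article's Notes rather than documented OAM behaviour: a scheme belongs to one method at a time, so mapping it elsewhere removes it from PasswordProtectedTransport, and when the removed scheme was that method's default, the next scheme in the list is promoted (the article does not say what happens there). The OOTB starting point seeds PasswordProtectedTransport with the four schemes the first Note lists, with LDAPScheme assumed to be its default.

```python
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


class SPPartnerProfile:
    """Constructed model of an SP Partner Profile's method-to-scheme mappings."""

    def __init__(self, name, global_default_scheme="LDAPScheme"):
        self.name = name
        self.global_default_scheme = global_default_scheme  # used when SP requests nothing
        # method -> {"schemes": [scheme, ...], "default": scheme used to challenge the user}
        self.methods = {}

    def add_authn_method(self, method, scheme, isDefault="true"):
        """Mirror of addSPPartnerProfileAuthnMethod(profile, method, scheme, isDefault).

        isDefault is the WLST string flag; omitting it means true, as the article states."""
        make_default = str(isDefault).lower() == "true"
        # Assumption from the article's Notes: a scheme is mapped to a single method,
        # so it is removed from whichever other method currently holds it.
        for other, entry in list(self.methods.items()):
            if other != method and scheme in entry["schemes"]:
                entry["schemes"].remove(scheme)
                if entry["default"] == scheme:
                    # Assumed behaviour (not stated on the page): promote the next scheme.
                    entry["default"] = entry["schemes"][0] if entry["schemes"] else None
                if not entry["schemes"]:
                    del self.methods[other]
        entry = self.methods.setdefault(method, {"schemes": [], "default": None})
        if scheme not in entry["schemes"]:
            entry["schemes"].append(scheme)
        if make_default or entry["default"] is None:
            entry["default"] = scheme
        return entry

    def schemes_for(self, method):
        """All schemes currently mapped to a method (empty if the method is unknown)."""
        entry = self.methods.get(method)
        return list(entry["schemes"]) if entry else []

    def scheme_for_request(self, requested_method=None):
        """Scheme OAM challenges with; None means the method is unknown (NoAuthnContext)."""
        if requested_method is None:
            return self.global_default_scheme
        entry = self.methods.get(requested_method)
        return entry["default"] if entry else None


def ootb_profile():
    """OOTB-like saml20-sppartner-profile: the four schemes the article lists under
    PasswordProtectedTransport, LDAPScheme first and therefore assumed to be its default."""
    profile = SPPartnerProfile("saml20-sppartner-profile")
    for scheme in ("LDAPScheme", "BasicScheme", "BasicFAScheme", "FAAuthScheme"):
        profile.add_authn_method(PPT, scheme, isDefault="false")
    return profile


def walkthrough():
    """Replay the article's tests in order; returns the scheme chosen at each step."""
    p = ootb_profile()
    results = {}
    results["no_request"] = p.scheme_for_request()                 # SP asks for nothing
    results["password_unmapped"] = p.scheme_for_request(PASSWORD)   # None: NoAuthnContext
    p.add_authn_method(PASSWORD, "LDAPScheme")                      # isDefault omitted
    results["password_ldap"] = p.scheme_for_request(PASSWORD)
    results["ppt_after_ldap_move"] = p.schemes_for(PPT)
    p.add_authn_method(PASSWORD, "BasicScheme", isDefault="false")
    results["basic_not_default"] = p.scheme_for_request(PASSWORD)
    p.add_authn_method(PASSWORD, "BasicScheme", isDefault="true")
    results["basic_default"] = p.scheme_for_request(PASSWORD)
    results["ppt_schemes"] = p.schemes_for(PPT)
    return results


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(f"{step}: {value}")
```

The replay makes the side effect worth checking after each real WLST change visible: every time a scheme is moved under Password, the schemes left under PasswordProtectedTransport shrink, which is what the two Notes above warn about and what a reviewer of the profile should confirm before an SP that still requests PasswordProtectedTransport goes live.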
