OAM and OSTS Service Information
OAM and OSTS are two products designed to provide Federation capabilities across security domains:
- Cross domain SSO for browser based Web SSO flows
- Cross domain Web Services Security (WSS) for SOAP clients and servers via the WS-Trust protocol
Federation between services is based on trust, which is established by exchanging:
- X.509 certificates used to sign/verify and encrypt/decrypt the Federation messages
- Locations of the Federation services
- SAML 2.0 Metadata, if supported by the partners, when SAML 2.0 Federation SSO is used
This article discusses the various kinds of information one has to know in order to set up a Federation agreement between OAM and remote partners, including:
- How to enable the OAM/OSTS services
- SAML/OpenID identifiers for OAM/OSTS
- SAML 2.0 Metadata
- Certificates
- Service endpoints
Enabling OAM / OSTS Services
OAM/OSTS Enablement
Out of the box, the OAM and OSTS components are disabled in the OAM server and need to be enabled prior to using them. To enable OAM and/or OSTS:
- Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Configuration, Available Services.
- Enable the components you need.
Description of the illustration Available_services.jpg
To verify that OAM is correctly enabled, you can attempt to download the OAM SAML 2.0 Metadata from http(s)://oam-runtime-host:oam-runtimeport/oamfed/idp/metadata.
OAM Services
After having turned on the OAM component, all OAM services are enabled:
- IdP
- SP
- SAML Attribute Authority
- SAML Attribute Requester
To selectively enable or disable those services, use the OAM WLST command configureFederationService():
- Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server: connect()
- Navigate to the Domain Runtime branch: domainRuntime()
- Execute the configureFederationService() command: configureFederationService(<SERVICE>,<true/false>)
- Replace <SERVICE> by idp, sp, attributeresponder or attributerequester.
- Set true to enable the service or false to disable it.
For example, to disable the SAML Attribute Authority service, execute:
configureFederationService("attributeresponder","false")
SAML Issuer / OpenID Realm
When communicating via the SAML protocols, Federation servers identify themselves via the Issuer element in the SAML messages. This is also known as the Entity ID or the Provider ID. This identifier must be unique among partners so that one identifier references a single entity.
In the OpenID 2.0 protocol, the Relying Party or Service Provider can be identified via the Realm element.
OAM
During installation, the Provider ID used in SAML operations and the Realm used in OpenID 2.0 exchanges are set to:
- SAML Provider ID: http://oam-runtime-hostname:oam-runtime-port/oam/fed
- OpenID 2.0 Realm: http://oam-runtime-hostname:oam-runtimeport
To change the Provider ID, perform the following steps:
- Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Configuration, Federation Settings.
- Set the Provider ID to the desired value.
- Click Apply.
Note #1: The Succinct ID, which is the SHA-1 hash of the Provider ID and is used in the SAML Artifact protocol, is re-generated.
Note #2: After resetting the Provider ID, you need to notify all the existing partners of the change and redistribute the SAML 2.0 Metadata if necessary.
Description of the illustration Federation_Settings.jpg
OSTS
During installation, the Provider ID used in SAML Issuance Templates is set to:
http://oam-runtime-hostname:oam-runtimeport/oam/fed
To change or retrieve the Provider ID of an Issuance Template, perform the following steps:
- Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Configuration, Security Token Service Settings, Token Issuance Templates.
- Click on the desired SAML Issuance Template.
- Click on the Issuance Properties tab.
- The Provider ID is the Assertion Issuer property. Set the corresponding field to update the Provider ID for this SAML Issuance Template.
- Click Apply.
Description of the illustration Issuance_Properties.jpg
SAML 2.0 Metadata
The SAML 2.0 SSO protocol defines the Metadata XML document, which is used by Federation servers to publish all the information partners need in order to exchange SAML 2.0 messages.
The SAML 2.0 Metadata of a Federation server includes:
- The X.509 signing certificate, to allow the remote partner to verify messages signed by the Federation server.
- The X.509 encryption certificate, to allow the remote partner to encrypt messages that only the Federation server will be able to decrypt.
- Roles supported by the Federation server:
  - IdP
  - SP
  - SAML Attribute Authority
  - SAML Attribute Requester
- Services for each of those roles:
  - SSO, Logout
  - Type of SAML binding used to communicate with those services (HTTP-Redirect, HTTP-POST, Artifact, SOAP...)
  - Location indicating the endpoint where a service is published
  - ResponseLocation indicating the endpoint where a service is published for response messages
The OAM Metadata can be retrieved from the OAM Administration Console:
- Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Configuration, Federation Settings.
- Click on the Export Metadata button.
- Save the file on your local computer.
Description of the illustration Export_Metadata.jpg
The OAM Metadata can also be retrieved by accessing a URL on the OAM runtime server: http://oam-runtime-host:oam-runtime-port/oamfed/idp/metadata
Note: It is possible to generate OAM Metadata for specific signing and encryption keys by using the following URL (read the article about Key Management in OAM/OSTS for more information):
http://oam-runtime-host:oam-runtime-port/oamfed/idp/metadata?signid=<SIGN_KEYENTRY_ID>&encid=<ENC_KEYENTRY_ID>
- The signid query parameter contains the key entry ID for the signing certificate. Replace <SIGN_KEYENTRY_ID> with that key entry ID.
- The encid query parameter contains the key entry ID for the encryption certificate. Replace <ENC_KEYENTRY_ID> with that key entry ID.
- An example is: http://oam.com/oamfed/idp/metadata?signid=osts_signing&encid=osts_encryption
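When a partner sends you its metadata (or you check what OAM exported, which also confirms the roles enabled in the previous section), the points worth verifying are exactly those the list above names: the entityID, the signing and encryption certificates, the roles, and the binding and Location of each service. The following script is an added example, not code from the page or from Oracle: it parses a constructed EntityDescriptor (the entityID follows the page's placeholder; the certificate bodies are fake base64 stand-ins, not real X.509 DER; the host names are assumptions), computes the SAML artifact SourceID that the page calls the Succinct ID (SHA-1 of the Provider ID, shown base64-encoded here), and flags any endpoint that is not published over https on the expected public host, which is the mistake the Endpoints section warns about.

```python
"""Inspect a SAML 2.0 EntityDescriptor the way a partner admin should on receipt."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Role descriptors the page lists, and the service elements a role may publish.
ROLES = {
    "IDPSSODescriptor": "IdP",
    "SPSSODescriptor": "SP",
    "AttributeAuthorityDescriptor": "SAML Attribute Authority",
}
SERVICE_TAGS = ("SingleSignOnService", "SingleLogoutService", "ArtifactResolutionService",
                "AssertionConsumerService", "AttributeService")

# Constructed sample metadata (not an OAM export): the entityID follows the page's
# placeholder, the certificate bodies are fake base64 stand-ins rather than X.509 DER,
# and one SSO endpoint deliberately points at an internal host over plain http.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="http://oam-runtime-hostname:oam-runtime-port/oam/fed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>U0lHTklO R0NFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DUllQVElPTkNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://oam.example.com/oamfed/idp/soap" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://oam.example.com/oamfed/idp/samlv20"
        ResponseLocation="https://oam.example.com/oamfed/idp/samlv20"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://oam-internal:14100/oamfed/idp/samlv20"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def succinct_id(provider_id: str) -> str:
    """SAML artifact SourceID: the SHA-1 of the entity ID, base64-encoded for display."""
    digest = hashlib.sha1(provider_id.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_metadata(xml_text: str) -> dict:
    """Extract entityID, roles, per-role certificates and every service endpoint."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    info = {"entityID": entity_id, "succinctID": succinct_id(entity_id),
            "roles": [], "services": [], "certs": {}}
    for role_tag, role_name in ROLES.items():
        for role in root.findall(f"md:{role_tag}", NS):
            info["roles"].append(role_name)
            for kd in role.findall("md:KeyDescriptor", NS):
                cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                # A KeyDescriptor without 'use' serves both signing and encryption.
                use = kd.get("use", "signing+encryption")
                info["certs"][(role_name, use)] = "".join(cert.text.split())
            for tag in SERVICE_TAGS:
                for svc in role.findall(f"md:{tag}", NS):
                    info["services"].append({
                        "role": role_name, "service": tag,
                        "binding": svc.get("Binding").rsplit(":", 1)[-1],
                        "location": svc.get("Location"),
                        "response_location": svc.get("ResponseLocation"),
                    })
    return info


def off_public_host(info: dict, public_host: str) -> list:
    """Endpoints not published as https on the public host browsers will actually hit."""
    bad = []
    for svc in info["services"]:
        for url in (svc["location"], svc["response_location"]):
            if url is None:
                continue
            parts = urlsplit(url)
            if parts.scheme != "https" or parts.netloc != public_host:
                bad.append((svc["service"], url))
    return bad


if __name__ == "__main__":
    md = parse_metadata(SAMPLE_METADATA)
    print("entityID  :", md["entityID"])
    print("succinctID:", md["succinctID"])
    print("roles     :", md["roles"])
    for s in md["services"]:
        print(f"  {s['role']:3} {s['service']:26} {s['binding']:13} {s['location']}")
    for svc, url in off_public_host(md, "oam.example.com"):
        print("WARN not on public https host:", svc, url)
```

Run against a real export the roles list doubles as the enablement check from the OAM Services section: a role you disabled with configureFederationService() should not appear. The SourceID is what an SP matches against when it resolves an artifact, which is why Note #1 above matters: change the Provider ID and every partner's cached value becomes stale.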
Certificates
For SAML 2.0 partners that do not support the consumption of SAML 2.0 Metadata, for SAML 1.1 partners, or for STS partners, the administrator needs to provide the signing certificate and possibly the encryption certificate as standalone files.
The OAM/OSTS Settings section in the administration console lists the key entries used by the system (read the article about Key Management in OAM/OSTS for more information).
To view the current key entries known to OAM/OSTS:
- Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Configuration, Federation Settings / Security Token Service Settings.
- In the Keystore section, see the list of Key IDs, each representing a key entry in OAM/OSTS and each referencing a key entry in the OAM Keystore (different Key IDs can reference the same key entry in the OAM Keystore).
Description of the illustration key_entries.jpg
To retrieve the certificate file for a specific Key ID, open a browser and use the following URL to generate the certificate in PEM format:
- For OAM: http://oam-runtime-host:oam-runtimeport/oamfed/idp/cert?id=<KEYENTRY_ID>
  - The id query parameter contains the key entry ID for the certificate. Replace <KEYENTRY_ID> with that key entry ID.
  - An example is: http://oam.com/oamfed/idp/cert?id=saml-signing
- For OSTS: http://oam-runtime-host:oam-runtimeport/sts/servlet/samlcert?id=<KEYENTRY_ID>
  - The id query parameter contains the key entry ID for the certificate. Replace <KEYENTRY_ID> with that key entry ID.
  - An example is: http://oam.com/sts/servlet/samlcert?id=samlsigning
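Because several Key IDs can point at the same keystore entry, and because a partner who cannot consume metadata will pin whatever file you hand them, it is worth checking that the PEM fetched for a Key ID is byte-for-byte the certificate your metadata advertises before shipping it. The script below is an added example (not page or Oracle code): it takes the PEM text that /oamfed/idp/cert?id=... would return for a few Key IDs plus the base64 from a metadata X509Certificate element (all constructed, with fake base64 bodies rather than real DER), normalizes the line wrapping both may have, and compares SHA-256 fingerprints of the decoded bytes. The Key ID names are assumptions. Fetch the real files over TLS, or confirm the fingerprint with the partner out of band, since the page's URLs are shown over plain http.

```python
"""Match certificates fetched per Key ID against what the metadata advertises."""
import base64
import hashlib
import re

# Constructed sample of what /oamfed/idp/cert?id=<KEYENTRY_ID> would return for three
# Key IDs. The bodies are fake base64 stand-ins, not real certificates; two Key IDs
# deliberately reference the same keystore entry (one with different line wrapping),
# which the page says is possible.
FETCHED_PEM = {
    "saml-signing": "-----BEGIN CERTIFICATE-----\nU0lHTklOR0NFUlQ=\n-----END CERTIFICATE-----\n",
    "osts_signing": "-----BEGIN CERTIFICATE-----\nU0lHTklO\nR0NFUlQ=\n-----END CERTIFICATE-----\n",
    "saml-encryption": "-----BEGIN CERTIFICATE-----\nRU5DUllQVElPTkNFUlQ=\n-----END CERTIFICATE-----\n",
}
# The signing certificate as it appears inside <ds:X509Certificate> in the exported
# metadata; metadata exporters commonly re-wrap the base64, so whitespace is ignored.
METADATA_SIGNING_B64 = "U0lHTklO R0NF\nUlQ="

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode; validate=True rejects junk that slipped in."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def b64_to_der(b64: str) -> bytes:
    return base64.b64decode("".join(b64.split()), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the value you would read back to a partner."""
    return hashlib.sha256(der).hexdigest()


def key_id_aliases(fetched: dict) -> dict:
    """Group Key IDs by fingerprint: IDs in one group share a keystore entry."""
    groups = {}
    for key_id, pem in fetched.items():
        groups.setdefault(fingerprint(pem_to_der(pem)), []).append(key_id)
    return groups


def key_ids_matching_metadata(fetched: dict, metadata_b64: str) -> list:
    """Which fetched Key IDs carry exactly the certificate the metadata advertises."""
    want = fingerprint(b64_to_der(metadata_b64))
    return key_id_aliases(fetched).get(want, [])


if __name__ == "__main__":
    for fp, ids in key_id_aliases(FETCHED_PEM).items():
        print(fp[:16], "...", ids)
    print("metadata signing cert served by:", key_ids_matching_metadata(FETCHED_PEM, METADATA_SIGNING_B64))
```

The fingerprint comparison is deliberately done on the decoded DER rather than on the PEM text, so re-wrapping or a stray trailing newline cannot make identical certificates look different. With real certificates you would still inspect validity dates and key usage with openssl x509 -text before distributing the file.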
OAM Endpoints
This section lists the various endpoints published by OAM, some specific to a protocol, others protocol agnostic.
Note: It is important to access the OAM services via the public endpoints (load balancer, HTTP reverse proxy...) in order for the HTTP cookies set in the browser to be sent back by the browser. In this list, only the paths are listed, not the public protocol/hostname/port.
SAML 2.0
The IdP SAML 2.0 endpoints are:
- SSO Service to receive AuthnRequest messages
  - HTTP-Redirect binding: /oamfed/idp/samlv20
  - HTTP-POST binding: /oamfed/idp/samlv20
  - SOAP binding for ECP clients: /oamfed/idp/soap
- Artifact Service for the SP to send SOAP ArtifactResolve messages during SSO Artifact: /oamfed/idp/soap
- Logout Service to receive LogoutRequest and LogoutResponse messages
  - LogoutRequest:
    - HTTP-Redirect binding: /oamfed/idp/samlv20
    - HTTP-POST binding: /oamfed/idp/samlv20
  - LogoutResponse:
    - HTTP-Redirect binding: /oamfed/idp/samlv20
    - HTTP-POST binding: /oamfed/idp/samlv20
The SP SAML 2.0 endpoints are:
- Assertion Consumer Service to receive SAML Assertions
  - HTTP-POST binding: /oam/server/fed/sp/sso
  - Artifact binding: /oam/server/fed/sp/sso
- Logout Service to receive LogoutRequest and LogoutResponse messages
  - LogoutRequest:
    - HTTP-Redirect binding: /oamfed/sp/samlv20
    - HTTP-POST binding: /oamfed/sp/samlv20
  - LogoutResponse:
    - HTTP-Redirect binding: /oamfed/sp/samlv20
    - HTTP-POST binding: /oamfed/sp/samlv20
The SAML 2.0 Attribute Authority/Responder endpoints are:
- SOAP Service for the SAML Attribute Requester to send SOAP AttributeQuery messages: /oamfed/aa/soap
The SAML 2.0 Attribute Requester does not publish any endpoint.
SAML 1.1
The IdP SAML 1.1 endpoints are:
- SSO Service to start SAML 1.1 Federation SSO
  - URL: /oamfed/idp/samlv11sso
  - Query parameters (URL encode the query parameter values properly):
    - providerid: indicates the SP partner name or SP Provider ID with which to start Federation SSO
    - TARGET: indicates the value to send as the TARGET to the SP. Typically, this contains the URL where the user should be redirected after the Federation SSO operation
- Artifact Service for the SP to send SOAP ArtifactResolve messages during SSO Artifact: /oamfed/idp/soapv11
The SP SAML 1.1 endpoints are:
- Assertion Consumer Service to receive SAML Assertions
  - URL: /oam/server/fed/sp/sso
The SAML 1.1 Attribute Authority/Responder endpoints are:
- SOAP Service for the SAML Attribute Requester to send SOAP AttributeQuery messages: /oamfed/aa/soapv11
The SAML 1.1 Attribute Requester does not publish any endpoint.
OpenID 2.0
The IdP OpenID 2.0 endpoints are:
- SSO Service to receive OpenID Authn Request messages from RPs
  - URL: /oamfed/idp/openidv20
- Discovery Service where the XRDS document is published:
  - URL: /oamfed/idp/openidv20
The SP OpenID 2.0 endpoints are:
- SSO Service to receive OpenID Authn Response messages from OPs
  - URL: /oam/server/fed/sp/sso
- RP Realm: see the SAML Issuer / OpenID Realm section about that identifier
Other Services
There are a few services that are protocol agnostic:
- IdP initiated SSO Service
  - URL: /oamfed/idp/initiatesso
  - Query parameters (URL encode the query parameter values properly):
    - providerid: indicates the SP partner name or SP Provider ID with which to start Federation SSO
    - returnurl: indicates where the user should be redirected after the Federation SSO operation
- SP initiated SSO
  - URL: /oamfed/sp/initiatesso
  - Query parameters (URL encode the query parameter values properly):
    - providerid: indicates the IdP partner name or IdP Provider ID with which to start Federation SSO
    - returnurl: indicates where the user should be redirected after the Federation SSO operation
- Test SP, which allows you to test OAM/SP with a remote IdP partner
  - URL: /oamfed/user/testspsso
Note: Prior to using this service, you must enable it via the configureTestSPEngine() command:
- Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server: connect()
- Navigate to the Domain Runtime branch: domainRuntime()
- Execute the configureTestSPEngine() command: configureTestSPEngine(<true/false>)
- Set true to enable the service or false to disable it.
For example, to enable the Test SP service, execute:
configureTestSPEngine("true")
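The SAML 1.1 SSO Service above and the two protocol-agnostic initiation services all take a partner identifier plus a destination (TARGET or returnurl) as query parameters, and both the endpoint list and the SAML 1.1 section insist on encoding those values properly: a Provider ID is itself a URL, and a return URL often carries its own query string, so a naive string concatenation produces ambiguous requests. The script below is an added example, not code from the page or from Oracle, that builds such links on the public entry point the Endpoints note calls for. The public base URL, the allow-list of return hosts, and the partner identifiers are assumptions of this example; restricting the destination to your own https hosts is a general practice for any return-URL parameter you generate, not a description of what OAM itself enforces.

```python
"""Build OAM Federation SSO initiation URLs with properly encoded query parameters."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed public entry point of the OAM runtime (load balancer / reverse proxy), as the
# page's note on public endpoints requires; placeholder value.
PUBLIC_BASE = "https://sso.example.com"
# Hosts a user may be sent to after Federation SSO: an allow-list assumed by this
# example for the links it generates, not an OAM setting.
ALLOWED_RETURN_HOSTS = {"app.example.com", "portal.example.com"}

# Initiation endpoints from the page and the name of their destination parameter.
ENDPOINTS = {
    "idp_initiated": ("/oamfed/idp/initiatesso", "returnurl"),
    "sp_initiated": ("/oamfed/sp/initiatesso", "returnurl"),
    "saml11_idp_sso": ("/oamfed/idp/samlv11sso", "TARGET"),
}


def is_allowed_return_url(url: str) -> bool:
    """Only absolute https URLs on an allow-listed host are placed in a generated link."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc in ALLOWED_RETURN_HOSTS


def build_sso_url(kind: str, providerid: str, target: str, base: str = PUBLIC_BASE) -> str:
    """Compose <public base> + endpoint path + encoded providerid and destination."""
    path, target_param = ENDPOINTS[kind]
    if not is_allowed_return_url(target):
        raise ValueError(f"refusing to send the user to {target!r}")
    # urlencode percent-encodes ':', '/', '?', '=' and '&' inside the values, so a
    # destination carrying its own query string survives the round trip intact.
    query = urlencode({"providerid": providerid, target_param: target})
    scheme, netloc, _, _, _ = urlsplit(base)
    return urlunsplit((scheme, netloc, path, query, ""))


def parse_sso_url(url: str) -> dict:
    """Decode an initiation URL back into path and parameters, i.e. what OAM receives."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, strict_parsing=True).items()}
    return {"path": parts.path, **params}


if __name__ == "__main__":
    link = build_sso_url("sp_initiated",
                         "https://idp.partner.example/saml2/idp",
                         "https://app.example.com/home?x=1&y=2")
    print(link)
    print(parse_sso_url(link))
    print(build_sso_url("saml11_idp_sso", "sp-partner", "https://portal.example.com/"))
```

Decoding the generated link with parse_sso_url shows the value of the encoding: the x=1&y=2 of the destination comes back as one returnurl parameter rather than leaking into OAM's own parameter list.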
OSTS Endpoints
OSTS publishes SOAP endpoints based on how the Security Token Service is configured.
The Security Token Service, Endpoints section in the OAM Administration Console lists the endpoints defined for OSTS and how they are protected by the OWSM Agent.
Description of the illustration Endpoints.jpg
For a given endpoint (for example /wss11user), the following URLs are published:
- Over SOAP 1.2: /sts/wss11user
- WSDL for operations over SOAP 1.2: /sts/wss11user?wsdl
- Over SOAP 1.1: /sts/wss11user/soap11
- WSDL for operations over SOAP 1.1: /sts/wss11user/soap11?wsdl
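The two URL forms above are not interchangeable: the SOAP 1.2 path expects a SOAP 1.2 envelope and content type, while the /soap11 path expects the SOAP 1.1 envelope namespace plus a SOAPAction header. The script below is an added example (not page or Oracle code) of a WS-Trust 1.3 Issue request for a SAML 2.0 token, built for either path, and of reading the issued assertion back out of a constructed RequestSecurityTokenResponse whose Issuer is the page's default OSTS Provider ID. The endpoint name /wss11user comes from the page; the public base URL, the AppliesTo service address and the assertion ID are assumptions. The request carries no WS-Security credentials and the response's XML signature is not verified here; the OWSM policy on the real endpoint decides what the client must present, and a real relying party must validate the assertion signature before trusting it.

```python
"""Build a WS-Trust 1.3 Issue request for an OSTS endpoint and read the issued token back."""
import uuid
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Envelope namespace and HTTP content type differ between the two SOAP versions.
SOAP = {
    "1.2": ("http://www.w3.org/2003/05/soap-envelope", "application/soap+xml; charset=utf-8"),
    "1.1": ("http://schemas.xmlsoap.org/soap/envelope/", "text/xml; charset=utf-8"),
}
ISSUE_ACTION = WST + "/Issue"
RST_ISSUE = WST + "/RST/Issue"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

for prefix, uri in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("saml2", SAML2),
                    ("s12", SOAP["1.2"][0]), ("s11", SOAP["1.1"][0])):
    ET.register_namespace(prefix, uri)


def sts_url(base: str, endpoint: str, soap_version: str, wsdl: bool = False) -> str:
    """Map an OSTS endpoint name (e.g. /wss11user) to the URL the page lists for it."""
    path = "/sts" + endpoint + ("" if soap_version == "1.2" else "/soap11")
    return base + path + ("?wsdl" if wsdl else "")


def build_issue_request(sts_endpoint_url: str, applies_to: str,
                        soap_version: str = "1.2", token_type: str = SAML2_TOKEN):
    """Return (envelope xml, http headers) for a WS-Trust Issue of a SAML 2.0 token."""
    env_ns, content_type = SOAP[soap_version]
    envelope = ET.Element(f"{{{env_ns}}}Envelope")
    header = ET.SubElement(envelope, f"{{{env_ns}}}Header")
    ET.SubElement(header, f"{{{WSA}}}Action").text = ISSUE_ACTION
    ET.SubElement(header, f"{{{WSA}}}To").text = sts_endpoint_url
    ET.SubElement(header, f"{{{WSA}}}MessageID").text = "urn:uuid:" + str(uuid.uuid4())
    body = ET.SubElement(envelope, f"{{{env_ns}}}Body")
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = RST_ISSUE
    # AppliesTo names the relying party the token is for; OSTS scopes the assertion to it.
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    headers = {"Content-Type": content_type}
    if soap_version == "1.1":
        headers["SOAPAction"] = f'"{ISSUE_ACTION}"'
    return ET.tostring(envelope, encoding="unicode"), headers


# Constructed sample response (not captured from OSTS); the Issuer is the default
# OSTS Provider ID from the page, the assertion ID is made up.
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="{SOAP['1.2'][0]}"><s:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
 <wst:RequestSecurityTokenResponse>
  <wst:TokenType>{SAML2_TOKEN}</wst:TokenType>
  <wst:RequestedSecurityToken>
   <saml2:Assertion xmlns:saml2="{SAML2}" ID="_abc123" Version="2.0">
    <saml2:Issuer>http://oam-runtime-hostname:oam-runtimeport/oam/fed</saml2:Issuer>
   </saml2:Assertion>
  </wst:RequestedSecurityToken>
 </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
</s:Body></s:Envelope>"""


def extract_issued_token(rstr_xml: str, expected_issuer: str) -> dict:
    """Pull the SAML 2.0 assertion out of an RSTR and check its Issuer is the OSTS Provider ID."""
    root = ET.fromstring(rstr_xml)
    rstr = root.find(f".//{{{WST}}}RequestSecurityTokenResponse")
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in reply")
    token = list(rstr.find(f"{{{WST}}}RequestedSecurityToken"))[0]
    if token.tag != f"{{{SAML2}}}Assertion":
        raise ValueError(f"unexpected token element {token.tag}")
    issuer = token.findtext(f"{{{SAML2}}}Issuer", default="").strip()
    if issuer != expected_issuer:
        raise ValueError(f"assertion issuer {issuer!r} is not the expected Provider ID")
    return {"token_type": rstr.findtext(f"{{{WST}}}TokenType"),
            "assertion_id": token.get("ID"), "issuer": issuer}


if __name__ == "__main__":
    base = "https://sso.example.com"
    for version in ("1.2", "1.1"):
        url = sts_url(base, "/wss11user", version)
        xml, headers = build_issue_request(url, "https://app.example.com/service", version)
        print(url, headers)
        print(xml[:160], "...")
    print(extract_issued_token(SAMPLE_RSTR, "http://oam-runtime-hostname:oam-runtimeport/oam/fed"))
```

The Issuer check is the link back to the OSTS section on Provider IDs: the value a relying party accepts must be the Assertion Issuer configured in the Issuance Template, so changing that property without telling relying parties breaks token validation in the same way that changing the Federation Provider ID breaks SAML partners.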
F61372-01
September 2022
Copyright © 2022, Oracle and/or its affiliates.