Authentication in IdP

This article discusses about authentication when OAM acts as an IdP and how the server can be configured to use specific OAM Authentication Schemes to challenge the user. When OAM 11gR1 acting as an IdP and OAM 11g were integrated together, OAM was delegating the user authentication to OAM via the use of WebGate:

• OHS had to be installed in and configured to act as a reverse HTTP proxy for OAM
• WebGate had to be installed on OHS and registered with OAM
• OAM had to be configured to protect an OAM URL with
  • An Authentication Policy
  • An Authorization Policy
  • Set up the OAM logout URL in OAM
• OAM had to be configured to use the OAM 11g Authentication Engine
  • Enter the HTTP header containing the userID injected by WebGate
• Set up the OAM logout URL in OAM 11gR2 and OAM 11gR2, the two components are tightly integrated together:
  • No initial setup is required to integrate the two products
  • No WebGate/OHS is required for IdP authentication
  • IdP can leverage any OAM Authentication Scheme

Note: Given the advanced nature of the configuration, OAM authentication setup can only be managed via OAM WLST commands.

Overview

In the 11.1.2.2.0 or later release of OAM, the OAM J2EE Web Application and the OAM J2EE Web Application are contained in the same OAM J2EE EAR Application which is deployed in a standalone WLS instance. This deployment approach allows the two modules to internally forward the incoming user’s HTTP request from OAM to OAM and vice versa. This allows the IdP application to trigger a local OAM authentication operation that challenges and identify the user. At runtime, when authentication is required by IdP in a Federation operation, IdP will:

• Internally forward the user to OAM
• Indicate to OAM which Authentication Scheme to use for user authentication
• OAM determines if a user needs to be challenged:
  • If the user is not authenticated yet
  • If the user is authenticated but the session timed out
  • If the user is authenticated, but the authentication scheme level of the original authentication is lower than the level of the authentication scheme requested by IdP
  • If the user needs to be challenged, OAM will do so based on the rules of the authentication scheme specified by IdP. Once OAM has (optionally) authenticated the user and created a session, it internally forwards the user back to IdP with identity and session information. IdP resumes the Federation operation it was performing. Out of the box, IdP is configured to use the LDAPScheme as the OAM Authentication Scheme to challenge and identify users: this is set as the default global scheme for IdP. It is possible for an administrator:
    • To set the global default OAM Authentication Scheme to be used to authenticate users.
    • On an SP Partner Profile to set the OAM Authentication Scheme to be used to authenticate users for SP partners bound to this SP Partner Profile. If defined, this setting takes precedence over the global default OAM Authentication Scheme
    • On an SP Partner to set the default OAM Authentication Scheme to be used to authenticate users for this SP partner. If defined, this setting takes precedence over the OAM Authentication Scheme defined in the SP Partner Profile referenced by this SP Partner or takes precedence over the global default OAM Authentication Scheme

Testing Setup

Use the following testing environment:

• IdP
• One SAML 2.0 SP Partner called AcmeSP
• Another SAML 2.0 SP Partner called HRsp

Execute several test cases:

• Global Default Authentication:
• Both AcmeSP and HRsp uses the default SAML 2.0 SP Partner Profile
• No Authentication Scheme will be set at the SP Partner level
• No Authentication Scheme will be set at the SP Partner Profile level
• The global default authentication will be used as is (OOTB:LDAPScheme), and a Federation SSO operation will be performed
• The global default authentication will be set to BasicScheme (HTTP Basic Authentication), and a Federation SSO operation will be performed
• SP Partner Profile Authentication:
• AcmeSP uses the default SAML 2.0 SP Partner Profile
• HRsp uses the another SAML 2.0 SP Partner Profile
• No Authentication Scheme will be set at the SP Partner level
• No Authentication Scheme will be set at the default SAML 2.0 SP Partner Profile level, but the new SAML 2.0 SP Partner Profile will be configured to use BasicScheme
• The global default authentication will be set to LDAPScheme
• A Federation SSO will be performed with AcmeSP
• A Federation SSO will be performed with HRsp
• SP Partner Authentication:
• Both AcmeSP and HRsp uses the default SAML 2.0 SP Partner Profile
• The Authentication Scheme for the default SAML 2.0 SP Partner Profile will be set to BasicScheme
• The Authentication Scheme for the AcmeSP will be set to LDAPScheme
• The global default authentication will be set to LDAPScheme
• A Federation SSO will be performed with AcmeSP
• A Federation SSO will be performed with HRsp
• Step up Authentication via different Authentication Levels
• Both AcmeSP and HRsp uses the default SAML 2.0 SP Partner Profile
• The Authentication Scheme for the default SAML 2.0 SP Partner Profile will be set to BasicScheme
• The Authentication Scheme for the AcmeSP will be set to LDAPScheme
• The global default authentication will be set to LDAPScheme
• LDAPScheme will be configured to have its level set to 3
• BasicScheme will be left unchanged with its level set to 2

Test #1:

• Federation SSO will be performed with AcmeSP
• User is challenged via LDAPScheme
• In the same browser, Federation SSO will be performed with HRsp
• The user won’t be challenged

Test #2:

• Federation SSO will be performed with HRsp
• User is challenged via BasicScheme
• In the same browser, Federation SSO will be performed with AcmeSP
• User will be challenged via LDAPScheme The following sections, each one describing a test case, will be in a chronological order, with each section starting where the previous section left off.

Note: If HTTP Basic Authentication will be used at the IdP, the WebLogic domain where OAM are running needs to be configured to not validate the HTTP Basic Authentication for unsecured resources.

HTTP Basic Authentication

By default, if a browser sends HTTP Basic Authentication credentials to OAM, the WLS server attempts to validate those before letting OAM process the request: this can result in authentication failures, particularly if the WLS domain was not configured with WLS LDAP Authenticators for each Identity Store created in OAM.

Note: Even if the WLS domain was configured correctly to have a WLS LDAP Authenticator for each Identity Store created in OAM, this results in two authentication operations, one by WLS, and the other one required by OAM to create an OAM session.

It is possible to disable the automatic validation of HTTP Basic Authentication credentials sent to [unsecured applications]{.underline} in the WLS domain where OAM is running. See section “Understanding BASIC Authentication with Unsecured Resources” of the Oracle Fusion Middleware Programming Security for Oracle WebLogic Server guide for more information. To disable the automatic validation of HTTP Basic Authentication credentials sent to [unsecured applications]{.underline} in the WLS domain, execute the following steps:

1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Start an edit session: edit() startEdit()
4. Navigate to the SecurityConfiguration node: cd('SecurityConfiguration')
5. Navigate to the domain (replace DOMAIN_NAME with the name of the WLS domain where OAM is installed): cd('DOMAIN_NAME')
6. Set the EnforceValidBasicAuthCredentials setting to false to disable tomatic validation of HTTP Basic Authentication credentials sent to unsecured applications: set('EnforceValidBasicAuthCredentials', 'false')
7. Save and activate the changes: save() activate()
8. Restart the servers in the WLS domain for the changes to take effect

Global Default Authentication

The first step is to create and configure SP Partners in IdP for SAML 2.0 SSO. After having set that up, the list of SP Partners in IdP looks like:

Description of the illustration accessmanagement.jpg

Performing Federation SSO involving either of those AcmeSP or HRsp with IdP results in the OAM server challenging the user using the default global Authentication Scheme configured to be LDAPScheme OOTB:

Description of the illustration accessmanager.jpg

To switch the default global Authentication Scheme to BasicScheme, use the OAM WLST setIdPDefaultScheme() command and specify which scheme to be used as the default:

1. Enter the WLST environment by executing: \$IAM_ORACLE_HOME/common/bin/wlst.sh

2. Connect to the WLS Admin server: connect()

3. Navigate to the Domain Runtime branch: domainRuntime()

4. Execute the setIdPDefaultScheme() command: setIdPDefaultScheme("BasicScheme")

5. Exit the WLST environment: exit() Performing Federation SSO involving either of those AcmeSP or HRsp with IdP results in the OAM server challenging the user using the OAM BasicScheme instead of LDAPScheme:

   

   Description of the illustration windowssecurity.jpg

To switch back the default global Authentication Scheme to LDAPScheme, perform the following operations:

1. Enter the WLST environment by executing: \$IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the setIdPDefaultScheme() command : setIdPDefaultScheme("LDAPScheme")
5. Exit the WLST environment: exit()

Performing Federation SSO involving either of those AcmeSP or HRsp with IdP results in the OAM server challenging the user via the LDAPScheme.

SP Partner Profile Authentication

From the previous test cases, the setup is as:

• AcmeSP and HRsp exist in IdP
• The default global Authentication Scheme in IdP is LDAPScheme
• Both AcmeSP and HRsp are using the default SAML 2.0 SP Partner Profile

To configure HRsp to use a new SP Partner Profile, execute the following commands:

1. Enter the WLST environment by executing: \$IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Create the new SP Partner Profile from the default SAML 2.0 SP Partner Profile: createFedPartnerProfileFrom("new-saml20-pp", "saml20-sp-partner-profile")
5. Bind HRsp Partner to the new SP Partner Profile: setFedPartnerProfile("HRsp", "sp", "newsaml20-pp")
6. Exit the WLST environment: exit()

At this point, performing Federation SSO involving either of those AcmeSP or HRsp with IdP results in the OAM server challenging the user via the LDAPScheme. To configure the new SP Partner Profile to have BasicScheme as the default Authentication Scheme, use the OAM WLST setSPPartnerProfileDefaultScheme() command:

1. Enter the WLST environment by executing: \$IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Set the default Authentication Scheme for the new SP Partner Profile to BasicScheme: setSPPartnerProfileDefaultScheme("newsaml20-pp", "BasicScheme")
5. Exit the WLST environment: exit()

Now, performing Federation SSO with:

• AcmeSP results in IdP challenging the user via the LDAPScheme.
• HRsp results in IdP challenging the user via the BasicScheme.

Bind HRsp back to the default SP Partner Profile, and then delete the SP Partner Profile I created in this test:

1. Enter the WLST environment by executing: \$IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Bind HRsp Partner to the default SP Partner Profile: setFedPartnerProfile("HRsp", "sp", "saml20-sp-partner-profile")
5. Delete the new SP Partner Profile: deleteFedPartnerProfile("new-saml20-pp")
6. Exit the WLST environment: exit()

After executing those commands, performing Federation SSO involving either of those AcmeSP or HRsp with IdP results in the OAM server challenging the user via the LDAPScheme.

SP Partner Authentication

From the previous test cases, the setup is as:

• AcmeSP and HRsp exist in IdP
• The default global Authentication Scheme in IdP is LDAPScheme
• Both AcmeSP and HRsp are using the default SAML 2.0 SP Partner Profile

To configure the default SAML 2.0 SP Partner Profile to use BasicScheme as the Authentication Scheme, perform the following operations:

1. Enter the WLST environment by executing: \$IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Set the default Authentication Scheme for the new SP Partner Profile to BasicScheme: setSPPartnerProfileDefaultScheme("saml20-sppartner-profile", "BasicScheme")
5. Exit the WLST environment: exit()

At this point, performing Federation SSO involving either of those AcmeSP or HRsp with IdP results in the OAM server challenging the user via the BasicScheme. To configure the AcmeSP SP Partner to have LDAPScheme as the default Authentication Scheme, use the OAM WLST setSPPartnerDefaultScheme() command:

1. Enter the WLST environment by executing: \$IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Set the default Authentication Scheme for the AcmeSP SP Partner to LDAPScheme: setSPPartnerDefaultScheme("AcmeSP", "LDAPScheme")
5. Exit the WLST environment: exit()

Now, performing Federation SSO with:

• AcmeSP results in IdP challenging the user via the LDAPScheme.
• HRsp results in IdP challenging the user via the BasicScheme.

Step Up Authentication via Different Authn Levels

From the previous test cases, the setup is as:

• AcmeSP and HRsp exist in IdP
• The default global Authentication Scheme in IdP is LDAPScheme
• Both AcmeSP and HRsp are using the default SAML 2.0 SP Partner Profile
• The default SAML 2.0 SP Partner Profile is configured with the default Authentication Scheme set to BasicScheme
• The AcmeSP SP Partner is configured with the default Authentication Scheme set to LDAPScheme At this point, performing Federation SSO with:
• AcmeSP results in IdP challenging the user via the LDAPScheme.
• HRsp results in IdP challenging the user via the BasicScheme.

OOTB, the Authentication Level for both LDAPScheme and BasicScheme is set to 2. To change the Authentication Level of the LDAPScheme to 3, perform the following operations:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole

2. Navigate to Access Manager, Authentication Schemes

3. Click Search and select LDAPScheme

4. Set the Authentication Level to 3

5. Click Apply

   

   Description of the illustration Authenticationlevel.jpg

After those changes, if the user is already authenticated at OAM and that the user performs a Federation SSO operation with IdP, OAM ensures that the scheme which was used to authenticate the user in the first place has a level higher or equal to the scheme configured for the current SP Partner with which Federation SSO is exercised. For example:

• If the user is first authenticated via LDAPScheme, it won’t be re-challenged when a second Federation SSO operation is performed with the default Authentication Scheme for that second low being BasicScheme:
• Federation SSO is started with AcmeSP Partner
• User is challenged by OAM via LDAPScheme
• IdP issues an Assertion and redirects the user to AcmeSP
• In the same browser, Federation SSO is started with HRsp
• OAM won’t challenge the user, because the user is already authenticated, the session hasn’t timed out and the level of the scheme used to create the session (which was 3 for LDAPScheme) is higher or equal than the default scheme configured for this current Federation SSO (which is 2 for BasicScheme)
• IdP issues an Assertion and redirects the user to HRsp
• If the user is first authenticated via BasicScheme, it will be re-challenged when a second Federation SSO operation is performed with the default Authentication Scheme for that second low being LDAPScheme:
• Federation SSO is started with HRsp Partner
• User is challenged by OAM via BasicScheme
• IdP issues an Assertion and redirects the user to HRsp
• In the same browser, Federation SSO is started with AcmeSP
• OAM challenges the user, because the user is already authenticated, the session hasn’t timed out [but]{.underline} the level of the scheme used to create the session (which was 2 for BasicScheme) is lower than the default scheme configured for this current Federation SSO (which is 3 for LDAPScheme)
• IdP issues an Assertion and redirects the user to AcmeSP

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Authentication in OAM and IdP

F59731-01

September 2022

Copyright © 2022, Oracle and/or its affiliates.