Authentication in IdP
This article discusses authentication when OAM acts as an IdP and how the server can be configured to use specific OAM Authentication Schemes to challenge the user.
When OAM 11gR1 acting as an IdP and OAM 11g were integrated together, the IdP delegated user authentication to OAM via the use of WebGate:
- OHS had to be installed and configured to act as a reverse HTTP proxy for the IdP
- WebGate had to be installed on OHS and registered with OAM
- OAM had to be configured to protect the IdP's URL with:
  - An Authentication Policy
  - An Authorization Policy
- The IdP had to be configured to use the OAM 11g Authentication Engine:
  - Enter the HTTP header containing the userID injected by WebGate
  - Set up the IdP logout URL in OAM
In OAM 11gR2, the two components are tightly integrated together:
- No initial setup is required to integrate the two products
- No WebGate/OHS is required for IdP authentication
- The IdP can leverage any OAM Authentication Scheme
Note: Given the advanced nature of the configuration, OAM authentication setup can only be managed via OAM WLST commands.
Overview
In the 11.1.2.2.0 or later release of OAM, the IdP J2EE Web Application and the OAM J2EE Web Application are contained in the same OAM J2EE EAR Application, which is deployed in a standalone WLS instance. This deployment approach allows the two modules to internally forward the incoming user's HTTP request from the IdP to OAM and vice versa, so the IdP application can trigger a local OAM authentication operation that challenges and identifies the user. At runtime, when authentication is required by the IdP in a Federation operation, the IdP will:
- Internally forward the user to OAM
- Indicate to OAM which Authentication Scheme to use for user authentication
- OAM then determines whether the user needs to be challenged:
  - If the user is not authenticated yet
  - If the user is authenticated but the session timed out
  - If the user is authenticated, but the authentication level of the scheme used for the original authentication is lower than the level of the authentication scheme requested by the IdP
- If the user needs to be challenged, OAM does so based on the rules of the authentication scheme specified by the IdP. Once OAM has (optionally) authenticated the user and created a session, it internally forwards the user back to the IdP with identity and session information, and the IdP resumes the Federation operation it was performing.
Out of the box, the IdP is configured to use `LDAPScheme` as the OAM Authentication Scheme to challenge and identify users: this is set as the default global scheme for the IdP. It is possible for an administrator:
- To set the global default OAM Authentication Scheme to be used to authenticate users.
- On an SP Partner Profile, to set the OAM Authentication Scheme to be used to authenticate users for SP partners bound to this SP Partner Profile. If defined, this setting takes precedence over the global default OAM Authentication Scheme.
- On an SP Partner, to set the default OAM Authentication Scheme to be used to authenticate users for this SP partner. If defined, this setting takes precedence over the OAM Authentication Scheme defined in the SP Partner Profile referenced by this SP Partner, and over the global default OAM Authentication Scheme.
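The precedence rules above (SP Partner setting, then SP Partner Profile setting, then the global default) are small enough to model directly. The following Python is an added example and not Oracle's code or the OAM WLST API: the `IdpAuthConfig` class and its methods (named after the WLST commands used later on this page, but hypothetical) hold a constructed configuration for the `AcmeSP` and `HRsp` partners and resolve which scheme the IdP would request for a given partner. It assumes that a profile created from another profile inherits that profile's scheme setting.

```python
# Added example (not Oracle's code): a small model of how the IdP picks the
# OAM Authentication Scheme for a Federation SSO with a given SP Partner.
# Precedence, as described above: SP Partner setting > SP Partner Profile
# setting > global default. Method names mirror the WLST commands on this
# page but are hypothetical Python helpers, not the WLST API.
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_PROFILE = "saml20-sp-partner-profile"   # default SAML 2.0 SP Partner Profile


@dataclass
class IdpAuthConfig:
    # OOTB the global default scheme is LDAPScheme
    global_default: str = "LDAPScheme"
    # SP Partner Profile name -> scheme override (None means "not set")
    profile_schemes: Dict[str, Optional[str]] = field(default_factory=dict)
    # SP Partner name -> SP Partner Profile it is bound to
    partner_profiles: Dict[str, str] = field(default_factory=dict)
    # SP Partner name -> scheme override (None means "not set")
    partner_schemes: Dict[str, Optional[str]] = field(default_factory=dict)

    def add_sp_partner(self, partner: str, profile: str = DEFAULT_PROFILE) -> None:
        self.partner_profiles[partner] = profile
        self.partner_schemes.setdefault(partner, None)
        self.profile_schemes.setdefault(profile, None)

    # --- hypothetical counterparts of the WLST commands used on this page ---
    def set_idp_default_scheme(self, scheme: str) -> None:
        self.global_default = scheme

    def set_sp_partner_profile_default_scheme(self, profile: str, scheme: Optional[str]) -> None:
        self.profile_schemes[profile] = scheme

    def set_sp_partner_default_scheme(self, partner: str, scheme: Optional[str]) -> None:
        self.partner_schemes[partner] = scheme

    def create_fed_partner_profile_from(self, new_profile: str, source_profile: str) -> None:
        # assumption: a copied profile inherits the source profile's scheme setting
        self.profile_schemes[new_profile] = self.profile_schemes.get(source_profile)

    def set_fed_partner_profile(self, partner: str, profile: str) -> None:
        if partner not in self.partner_profiles:
            raise KeyError(f"unknown SP Partner: {partner}")
        self.partner_profiles[partner] = profile

    def resolve_scheme(self, partner: str) -> str:
        """Return the OAM Authentication Scheme the IdP will request for this partner."""
        if partner not in self.partner_profiles:
            raise KeyError(f"unknown SP Partner: {partner}")
        # 1. the SP Partner level setting wins if defined
        partner_scheme = self.partner_schemes.get(partner)
        if partner_scheme:
            return partner_scheme
        # 2. then the SP Partner Profile the partner is bound to
        profile_scheme = self.profile_schemes.get(self.partner_profiles[partner])
        if profile_scheme:
            return profile_scheme
        # 3. otherwise the global default
        return self.global_default


def build_test_setup() -> IdpAuthConfig:
    """Constructed setup matching the page's test environment: AcmeSP and HRsp on the default profile."""
    cfg = IdpAuthConfig()
    cfg.add_sp_partner("AcmeSP")
    cfg.add_sp_partner("HRsp")
    return cfg


if __name__ == "__main__":
    cfg = build_test_setup()
    # the "SP Partner Profile Authentication" test case from this page
    cfg.create_fed_partner_profile_from("new-saml20-pp", DEFAULT_PROFILE)
    cfg.set_fed_partner_profile("HRsp", "new-saml20-pp")
    cfg.set_sp_partner_profile_default_scheme("new-saml20-pp", "BasicScheme")
    for p in ("AcmeSP", "HRsp"):
        print(p, "->", cfg.resolve_scheme(p))   # AcmeSP -> LDAPScheme, HRsp -> BasicScheme
```

Resolving the scheme for an SP Partner the IdP does not know raises `KeyError` rather than silently falling back to the global default, so a misconfigured partner name surfaces immediately instead of being authenticated at the wrong level.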
Testing Setup
Use the following testing environment:
- IdP
- One SAML 2.0 SP Partner called `AcmeSP`
- Another SAML 2.0 SP Partner called `HRsp`
Execute several test cases:
- Global Default Authentication:
  - Both `AcmeSP` and `HRsp` use the default SAML 2.0 SP Partner Profile
  - No Authentication Scheme will be set at the SP Partner level
  - No Authentication Scheme will be set at the SP Partner Profile level
  - The global default authentication will be used as is (OOTB: `LDAPScheme`), and a Federation SSO operation will be performed
  - The global default authentication will be set to `BasicScheme` (HTTP Basic Authentication), and a Federation SSO operation will be performed
- SP Partner Profile Authentication:
  - `AcmeSP` uses the default SAML 2.0 SP Partner Profile
  - `HRsp` uses another SAML 2.0 SP Partner Profile
  - No Authentication Scheme will be set at the SP Partner level
  - No Authentication Scheme will be set at the default SAML 2.0 SP Partner Profile level, but the new SAML 2.0 SP Partner Profile will be configured to use `BasicScheme`
  - The global default authentication will be set to `LDAPScheme`
  - A Federation SSO will be performed with `AcmeSP`
  - A Federation SSO will be performed with `HRsp`
- SP Partner Authentication:
  - Both `AcmeSP` and `HRsp` use the default SAML 2.0 SP Partner Profile
  - The Authentication Scheme for the default SAML 2.0 SP Partner Profile will be set to `BasicScheme`
  - The Authentication Scheme for `AcmeSP` will be set to `LDAPScheme`
  - The global default authentication will be set to `LDAPScheme`
  - A Federation SSO will be performed with `AcmeSP`
  - A Federation SSO will be performed with `HRsp`
- Step-up Authentication via different Authentication Levels:
  - Both `AcmeSP` and `HRsp` use the default SAML 2.0 SP Partner Profile
  - The Authentication Scheme for the default SAML 2.0 SP Partner Profile will be set to `BasicScheme`
  - The Authentication Scheme for `AcmeSP` will be set to `LDAPScheme`
  - The global default authentication will be set to `LDAPScheme`
  - `LDAPScheme` will be configured to have its level set to 3
  - `BasicScheme` will be left unchanged with its level set to 2
  - Test #1:
    - Federation SSO will be performed with `AcmeSP`
    - User is challenged via `LDAPScheme`
    - In the same browser, Federation SSO will be performed with `HRsp`
    - The user won't be challenged
  - Test #2:
    - Federation SSO will be performed with `HRsp`
    - User is challenged via `BasicScheme`
    - In the same browser, Federation SSO will be performed with `AcmeSP`
    - User will be challenged via `LDAPScheme`
The following sections, each one describing a test case, are in chronological order, with each section starting where the previous section left off.
Note: If HTTP Basic Authentication is to be used at the IdP, the WebLogic domain where OAM is running needs to be configured not to validate HTTP Basic Authentication credentials for unsecured resources.
HTTP Basic Authentication
By default, if a browser sends HTTP Basic Authentication credentials to OAM, the WLS server attempts to validate them before letting OAM process the request. This can result in authentication failures, particularly if the WLS domain was not configured with a WLS LDAP Authenticator for each Identity Store created in OAM.
Note: Even if the WLS domain was configured correctly, with a WLS LDAP Authenticator for each Identity Store created in OAM, this results in two authentication operations: one by WLS, and the other one required by OAM to create an OAM session.
It is possible to disable the automatic validation of HTTP Basic Authentication credentials sent to unsecured applications in the WLS domain where OAM is running. See the section "Understanding BASIC Authentication with Unsecured Resources" of the Oracle Fusion Middleware Programming Security for Oracle WebLogic Server guide for more information. To disable the automatic validation of HTTP Basic Authentication credentials sent to unsecured applications in the WLS domain, execute the following steps:
- Enter the WLST environment by executing: `$IAM_ORACLE_HOME/common/bin/wlst.sh`
- Connect to the WLS Admin server: `connect()`
- Start an edit session: `edit()` followed by `startEdit()`
- Navigate to the SecurityConfiguration node: `cd('SecurityConfiguration')`
- Navigate to the domain (replace DOMAIN_NAME with the name of the WLS domain where OAM is installed): `cd('DOMAIN_NAME')`
- Set the `EnforceValidBasicAuthCredentials` setting to false to disable automatic validation of HTTP Basic Authentication credentials sent to unsecured applications: `set('EnforceValidBasicAuthCredentials', 'false')`
- Save and activate the changes: `save()` followed by `activate()`
- Restart the servers in the WLS domain for the changes to take effect
Global Default Authentication
The first step is to create and configure the SP Partners in the IdP for SAML 2.0 SSO. After having set that up, the list of SP Partners in the IdP looks like:
Illustration: accessmanagement.jpg (list of SP Partners in the IdP)
Performing Federation SSO involving either `AcmeSP` or `HRsp` with the IdP results in the OAM server challenging the user using the default global Authentication Scheme, which is `LDAPScheme` OOTB:
Illustration: accessmanager.jpg (user challenged via `LDAPScheme`)
To switch the default global Authentication Scheme to `BasicScheme`, use the OAM WLST `setIdPDefaultScheme()` command and specify which scheme is to be used as the default:
- Enter the WLST environment by executing: `$IAM_ORACLE_HOME/common/bin/wlst.sh`
- Connect to the WLS Admin server: `connect()`
- Navigate to the Domain Runtime branch: `domainRuntime()`
- Execute the `setIdPDefaultScheme()` command: `setIdPDefaultScheme("BasicScheme")`
- Exit the WLST environment: `exit()`
Performing Federation SSO involving either `AcmeSP` or `HRsp` with the IdP now results in the OAM server challenging the user using `BasicScheme` instead of `LDAPScheme`.
To switch the default global Authentication Scheme back to `LDAPScheme`, perform the following operations:
- Enter the WLST environment by executing: `$IAM_ORACLE_HOME/common/bin/wlst.sh`
- Connect to the WLS Admin server: `connect()`
- Navigate to the Domain Runtime branch: `domainRuntime()`
- Execute the `setIdPDefaultScheme()` command: `setIdPDefaultScheme("LDAPScheme")`
- Exit the WLST environment: `exit()`
Performing Federation SSO involving either `AcmeSP` or `HRsp` with the IdP again results in the OAM server challenging the user via `LDAPScheme`.
SP Partner Profile Authentication
From the previous test cases, the setup is as follows:
- `AcmeSP` and `HRsp` exist in the IdP
- The default global Authentication Scheme in the IdP is `LDAPScheme`
- Both `AcmeSP` and `HRsp` are using the default SAML 2.0 SP Partner Profile
To configure `HRsp` to use a new SP Partner Profile, execute the following commands:
- Enter the WLST environment by executing: `$IAM_ORACLE_HOME/common/bin/wlst.sh`
- Connect to the WLS Admin server: `connect()`
- Navigate to the Domain Runtime branch: `domainRuntime()`
- Create the new SP Partner Profile from the default SAML 2.0 SP Partner Profile: `createFedPartnerProfileFrom("new-saml20-pp", "saml20-sp-partner-profile")`
- Bind the `HRsp` Partner to the new SP Partner Profile: `setFedPartnerProfile("HRsp", "sp", "new-saml20-pp")`
- Exit the WLST environment: `exit()`
At this point, performing Federation SSO involving either `AcmeSP` or `HRsp` with the IdP still results in the OAM server challenging the user via `LDAPScheme`, since the new profile has no scheme of its own yet.
To configure the new SP Partner Profile to have `BasicScheme` as the default Authentication Scheme, use the OAM WLST `setSPPartnerProfileDefaultScheme()` command:
- Enter the WLST environment by executing: `$IAM_ORACLE_HOME/common/bin/wlst.sh`
- Connect to the WLS Admin server: `connect()`
- Navigate to the Domain Runtime branch: `domainRuntime()`
- Set the default Authentication Scheme for the new SP Partner Profile to `BasicScheme`: `setSPPartnerProfileDefaultScheme("new-saml20-pp", "BasicScheme")`
- Exit the WLST environment: `exit()`
Now, performing Federation SSO with:
- `AcmeSP` results in the IdP challenging the user via `LDAPScheme`.
- `HRsp` results in the IdP challenging the user via `BasicScheme`.
Bind `HRsp` back to the default SP Partner Profile, and then delete the SP Partner Profile created in this test:
- Enter the WLST environment by executing: `$IAM_ORACLE_HOME/common/bin/wlst.sh`
- Connect to the WLS Admin server: `connect()`
- Navigate to the Domain Runtime branch: `domainRuntime()`
- Bind the `HRsp` Partner to the default SP Partner Profile: `setFedPartnerProfile("HRsp", "sp", "saml20-sp-partner-profile")`
- Delete the new SP Partner Profile: `deleteFedPartnerProfile("new-saml20-pp")`
- Exit the WLST environment: `exit()`
After executing those commands, performing Federation SSO involving either `AcmeSP` or `HRsp` with the IdP results in the OAM server challenging the user via `LDAPScheme`.
SP Partner Authentication
From the previous test cases, the setup is as follows:
- `AcmeSP` and `HRsp` exist in the IdP
- The default global Authentication Scheme in the IdP is `LDAPScheme`
- Both `AcmeSP` and `HRsp` are using the default SAML 2.0 SP Partner Profile
To configure the default SAML 2.0 SP Partner Profile to use `BasicScheme` as the Authentication Scheme, perform the following operations:
- Enter the WLST environment by executing: `$IAM_ORACLE_HOME/common/bin/wlst.sh`
- Connect to the WLS Admin server: `connect()`
- Navigate to the Domain Runtime branch: `domainRuntime()`
- Set the default Authentication Scheme for the default SAML 2.0 SP Partner Profile to `BasicScheme`: `setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", "BasicScheme")`
- Exit the WLST environment: `exit()`
At this point, performing Federation SSO involving either `AcmeSP` or `HRsp` with the IdP results in the OAM server challenging the user via `BasicScheme`.
To configure the `AcmeSP` SP Partner to have `LDAPScheme` as the default Authentication Scheme, use the OAM WLST `setSPPartnerDefaultScheme()` command:
- Enter the WLST environment by executing: `$IAM_ORACLE_HOME/common/bin/wlst.sh`
- Connect to the WLS Admin server: `connect()`
- Navigate to the Domain Runtime branch: `domainRuntime()`
- Set the default Authentication Scheme for the `AcmeSP` SP Partner to `LDAPScheme`: `setSPPartnerDefaultScheme("AcmeSP", "LDAPScheme")`
- Exit the WLST environment: `exit()`
Now, performing Federation SSO with:
- `AcmeSP` results in the IdP challenging the user via `LDAPScheme`.
- `HRsp` results in the IdP challenging the user via `BasicScheme`.
Step Up Authentication via Different Authn Levels
From the previous test cases, the setup is as follows:
- `AcmeSP` and `HRsp` exist in the IdP
- The default global Authentication Scheme in the IdP is `LDAPScheme`
- Both `AcmeSP` and `HRsp` are using the default SAML 2.0 SP Partner Profile
- The default SAML 2.0 SP Partner Profile is configured with the default Authentication Scheme set to `BasicScheme`
- The `AcmeSP` SP Partner is configured with the default Authentication Scheme set to `LDAPScheme`
At this point, performing Federation SSO with:
- `AcmeSP` results in the IdP challenging the user via `LDAPScheme`.
- `HRsp` results in the IdP challenging the user via `BasicScheme`.
OOTB, the Authentication Level for both `LDAPScheme` and `BasicScheme` is set to 2. To change the Authentication Level of `LDAPScheme` to 3, perform the following operations:
- Go to the OAM Administration Console: `http(s)://oam-admin-host:oam-admin-port/oamconsole`
- Navigate to Access Manager, Authentication Schemes
- Click Search and select `LDAPScheme`
- Set the Authentication Level to 3
- Click Apply
After those changes, if the user is already authenticated at OAM and performs a Federation SSO operation with the IdP, OAM checks that the scheme used to authenticate the user in the first place has a level higher than or equal to the level of the scheme configured for the current SP Partner with which Federation SSO is exercised. For example:
- If the user is first authenticated via `LDAPScheme`, the user won't be re-challenged when a second Federation SSO operation is performed for which the default Authentication Scheme is `BasicScheme`:
  - Federation SSO is started with the `AcmeSP` Partner
  - The user is challenged by OAM via `LDAPScheme`
  - The IdP issues an Assertion and redirects the user to `AcmeSP`
  - In the same browser, Federation SSO is started with `HRsp`
  - OAM won't challenge the user, because the user is already authenticated, the session hasn't timed out, and the level of the scheme used to create the session (3 for `LDAPScheme`) is higher than or equal to the level of the default scheme configured for this Federation SSO (2 for `BasicScheme`)
  - The IdP issues an Assertion and redirects the user to `HRsp`
- If the user is first authenticated via `BasicScheme`, the user will be re-challenged when a second Federation SSO operation is performed for which the default Authentication Scheme is `LDAPScheme`:
  - Federation SSO is started with the `HRsp` Partner
  - The user is challenged by OAM via `BasicScheme`
  - The IdP issues an Assertion and redirects the user to `HRsp`
  - In the same browser, Federation SSO is started with `AcmeSP`
  - OAM challenges the user: the user is already authenticated and the session hasn't timed out, but the level of the scheme used to create the session (2 for `BasicScheme`) is lower than the level of the default scheme configured for this Federation SSO (3 for `LDAPScheme`)
  - The IdP issues an Assertion and redirects the user to `AcmeSP`
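The two sequences above, plus the timeout case from the Overview, can be replayed with a small simulation. The Python below is an added example and not Oracle's code: `OamSession` is a constructed stand-in for the OAM session (holding only the scheme and level it was created with, and an expiry flag), `SCHEME_LEVELS` carries the levels as configured in this test (`LDAPScheme` 3, `BasicScheme` 2), and `PARTNER_SCHEMES` carries the scheme each partner resolves to in this setup. `needs_challenge` applies the three challenge conditions from the Overview, and `run_flow` runs several Federation SSO operations "in the same browser", reporting at which steps the user is challenged.

```python
# Added example (not Oracle's code): simulates OAM's decision, at the IdP, of
# whether to challenge the user on each Federation SSO, using the
# Authentication Levels set up in this test (LDAPScheme raised to 3,
# BasicScheme left at 2) and the per-partner schemes configured above.
# Session timeout is modelled as a flag; OamSession is a constructed
# stand-in, not OAM's real session object.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Authentication Levels after the change described above (OOTB both are 2)
SCHEME_LEVELS: Dict[str, int] = {"LDAPScheme": 3, "BasicScheme": 2}

# Scheme the IdP requests for each SP Partner in this test case
PARTNER_SCHEMES: Dict[str, str] = {"AcmeSP": "LDAPScheme", "HRsp": "BasicScheme"}


@dataclass
class OamSession:
    scheme: str       # scheme that created the session
    level: int        # Authentication Level of that scheme at session creation
    expired: bool = False


def needs_challenge(session: Optional[OamSession], requested: str,
                    levels: Dict[str, int]) -> Tuple[bool, str]:
    """Apply the three conditions under which OAM challenges the user."""
    if session is None:
        return True, "user not authenticated yet"
    if session.expired:
        return True, "session timed out"
    if session.level < levels[requested]:
        return True, (f"step up: session level {session.level} ({session.scheme}) "
                      f"is lower than required level {levels[requested]} ({requested})")
    return False, f"session level {session.level} satisfies {requested} (level {levels[requested]})"


def federation_sso(session: Optional[OamSession], partner: str,
                   levels: Dict[str, int] = SCHEME_LEVELS,
                   partner_schemes: Dict[str, str] = PARTNER_SCHEMES
                   ) -> Tuple[OamSession, bool, str]:
    """One Federation SSO with `partner`; returns the (possibly new) session,
    whether the user was challenged, and the reason."""
    requested = partner_schemes[partner]
    challenged, reason = needs_challenge(session, requested, levels)
    if challenged:
        # a successful challenge creates a session at the requested scheme's level
        session = OamSession(requested, levels[requested])
    return session, challenged, reason


def run_flow(partners: List[str], levels: Dict[str, int] = SCHEME_LEVELS,
             expire_before: Optional[int] = None) -> List[bool]:
    """Run Federation SSO operations in the same browser, one per partner in order;
    optionally mark the session as timed out just before step `expire_before`."""
    session: Optional[OamSession] = None
    challenged_log: List[bool] = []
    for i, partner in enumerate(partners):
        if session is not None and expire_before == i:
            session.expired = True
        session, challenged, reason = federation_sso(session, partner, levels)
        print(f"SSO with {partner}: {'challenged' if challenged else 'not challenged'} ({reason})")
        challenged_log.append(challenged)
    return challenged_log


if __name__ == "__main__":
    print("Test #1")
    run_flow(["AcmeSP", "HRsp"])   # [True, False]
    print("Test #2")
    run_flow(["HRsp", "AcmeSP"])   # [True, True]
```

Passing the OOTB levels (both schemes at 2) to `run_flow` shows why the level change matters: with equal levels, Test #2 no longer re-challenges the user on the `AcmeSP` step, so a session created by HTTP Basic Authentication would satisfy a partner meant to require `LDAPScheme`.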
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Authentication in OAM and IdP
F59731-01
September 2022
Copyright © 2022, Oracle and/or its affiliates.