Fed Authentication Methods in OAM and IdP

This article describes how the OAM IdP can be configured to map Federation Authentication Methods to OAM Authentication Schemes.

Overview

The various Federation protocols support mechanisms allowing the partners to exchange information on:

When a remote SP partner redirects the user to the IdP for Federation SSO, the message may contain data requesting how the user should be challenged by the IdP; this is treated as the Requested Federation Authentication Method.

IdP needs to map that Requested Federation Authentication Method to a local Authentication Scheme, and then invoke OAM for user authentication/challenge with the mapped Authentication Scheme. OAM authenticates the user if necessary with the scheme specified by IdP.

Similarly, when an IdP issues an SSO response, most of the time it must include an identifier representing how the user was challenged: this is treated as the Federation Authentication Method.

When IdP issues an Assertion, it evaluates the Authentication Scheme with which OAM identified the user:

Mappings

In IdP, the mapping between Federation Authentication Methods and Authentication Schemes has the following rules:

Let’s examine the following example and the various use cases, based on the SAML 2.0 protocol:

Mappings defined as:

Use Cases:

Configuration

Mapping Federation Authentication Methods to OAM Authentication Schemes is protocol dependent as the methods are defined in the various protocols (SAML 2.0, SAML 1.1, OpenID 2.0).

As such, the WLST commands to set those mappings involve:

Note: If an SP Partner is configured with one or more Federation Authentication Method to OAM Authentication Scheme mappings of its own, all the mappings defined in the SP Partner Profile are ignored for that partner.

Authentication Scheme

During Federation SSO, IdP internally forwards the user to OAM for authentication/verification and specifies which Authentication Scheme to use.

OAM determines if a user needs to be challenged:

So even though an SP requests a specific Federation Authentication Method, that method only selects an Authentication Scheme; if at runtime OAM determines that the user does not need to be challenged with that scheme (the user is already authenticated, the session has not timed out, and the session's authentication level is equal to or higher than the level of the specified Authentication Scheme), the flow does not result in a challenge. The Assertion then reports the Federation Authentication Method mapped to the scheme OAM actually used for the existing session, which is not necessarily the one the SP requested.
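The following Python example is added here to illustrate the two mapping steps and the challenge decision described above; it is not OAM code. The scheme names, authentication levels, the partner mapping table, the rule for picking among several mapped schemes (lowest level) and the reverse mapping (first method listed) are all assumptions made for the illustration.

```python
"""Added example (not OAM code): how an IdP maps a Requested Federation
Authentication Method to an OAM Authentication Scheme, decides whether OAM
must actually challenge the user, and maps the scheme OAM used back to the
Federation Authentication Method reported in the Assertion.
Scheme names, levels and the mapping table are assumed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"

# Assumed OAM Authentication Schemes and their authentication levels.
SCHEME_LEVEL = {"BasicScheme": 1, "LDAPScheme": 2, "X509Scheme": 5}

# Assumed SP partner mapping: one Federation Authentication Method can map to
# one or more Authentication Schemes.
METHOD_TO_SCHEMES = {
    PPT: ["LDAPScheme"],
    PASSWORD: ["BasicScheme", "LDAPScheme"],
    X509: ["X509Scheme"],
}
DEFAULT_SCHEME = "LDAPScheme"  # assumed: used when the SP requests no method

# "Now" for the scenarios: the IssueInstant of the AuthnRequest in the article.
NOW = datetime(2014, 3, 21, 20, 51, 11, tzinfo=timezone.utc)


@dataclass
class OamSession:
    scheme: str         # scheme OAM used when it authenticated the user
    level: int          # authentication level of that scheme
    expires: datetime   # when the OAM session times out


def make_session(scheme: str, minutes_left: int) -> OamSession:
    """Build a constructed OAM session for the scenarios below."""
    return OamSession(scheme, SCHEME_LEVEL[scheme], NOW + timedelta(minutes=minutes_left))


def scheme_for_method(method: Optional[str]) -> str:
    """Step 1: Requested Federation Authentication Method -> Authentication Scheme."""
    if method is None:
        return DEFAULT_SCHEME
    schemes = METHOD_TO_SCHEMES.get(method)
    if not schemes:
        # Refuse rather than silently downgrade to the default scheme (assumed
        # behaviour; a real IdP would return an error response to the SP).
        raise ValueError(f"no Authentication Scheme mapped for {method}")
    # Assumption: when several schemes are mapped, the lowest-level one is used.
    return min(schemes, key=SCHEME_LEVEL.__getitem__)


def must_challenge(session: Optional[OamSession], scheme: str, now: datetime = NOW) -> bool:
    """Step 2: OAM's decision. No challenge when the user already has a live
    session whose level is at least the level of the requested scheme."""
    if session is None or now >= session.expires:
        return True
    return session.level < SCHEME_LEVEL[scheme]


def method_for_scheme(scheme: str) -> str:
    """Step 3: scheme OAM actually used -> method reported in the Assertion.
    Assumption: if a scheme is mapped under several methods, the first wins."""
    for method, schemes in METHOD_TO_SCHEMES.items():
        if scheme in schemes:
            return method
    raise ValueError(f"no Federation Authentication Method mapped for {scheme}")


def federation_sso(requested: Optional[str], session: Optional[OamSession],
                   now: datetime = NOW) -> dict:
    """Run the three steps for one SSO request and report what the SP will see."""
    scheme = scheme_for_method(requested)
    challenged = must_challenge(session, scheme, now)
    if challenged:  # OAM authenticates with `scheme`; assume a one-hour session
        session = OamSession(scheme, SCHEME_LEVEL[scheme], now + timedelta(hours=1))
    return {"scheme": scheme, "challenged": challenged,
            "asserted_method": method_for_scheme(session.scheme)}


if __name__ == "__main__":
    # SP asks for PasswordProtectedTransport; user already holds an X509 session:
    # no challenge, and the Assertion reports X509, not the requested method.
    print(federation_sso(PPT, make_session("X509Scheme", 30)))
    # Same request, but the existing session is BasicScheme (level 1): challenge.
    print(federation_sso(PPT, make_session("BasicScheme", 30)))
    # Same request, expired session: challenge.
    print(federation_sso(PPT, make_session("X509Scheme", -1)))
```

The first scenario is the one worth noticing from the SP side: an AuthnRequest for PasswordProtectedTransport comes back with an Assertion that states X509, because OAM reused the stronger existing session. An SP that requires a specific method must therefore compare the asserted method against what it asked for instead of assuming the request was honoured literally.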

Protocols

SAML 2.0

The SAML 2.0 specifications define the following Federation Authentication Methods for SAML 2.0 flows:

Out of the box, IdP has the following mappings for the SAML 2.0 protocol:

An example of an AuthnRequest message sent by an SP to an IdP, with the SP requesting a specific Federation Authentication Method to be used to challenge the user, is:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.com/oamfed/idp/samlv20"
    ID="id-8bWnA9o4aoMl3Nhx1DuPOOjawc-"
    IssueInstant="2014-03-21T20:51:11Z" Version="2.0">
  <saml:Issuer ...>https://acme.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

An example of an Assertion issued by an IdP is:

<samlp:Response ...>
    <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ...>
        <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
        <dsig:Signature>
            ...
        </dsig:Signature>
        <saml:Subject>
            <saml:NameID ...>bob@oracle.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData .../>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions ...>
            <saml:AudienceRestriction>
                <saml:Audience>https://acme.com/sp</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z"
            SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz"
            SessionNotOnOrAfter="2014-03-21T21:53:55Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

An administrator can specify a mapping between a SAML 2.0 Federation Authentication Method and one or more OAM Authentication Schemes.

SAML 1.1

The SAML 1.1 specifications define the following Federation Authentication Methods for SAML 1.1 flows:

Out of the box, IdP has the following mappings for the SAML 1.1 protocol:

This mapping is defined in the saml11-sp-partner-profile SP Partner Profile, which is the default OOTB SP Partner Profile for SAML 1.1.

An example of an Assertion issued by an IdP is:

<samlp:Response ...>
    <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
    </samlp:Status>
    <saml:Assertion Issuer="https://idp.com/oam/fed" ...>
        <saml:Conditions ...>
            <saml:AudienceRestrictionCondition>
                <saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
            </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AuthenticationStatement AuthenticationInstant="2014-03-21T20:53:55Z"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
            <saml:Subject>
                <saml:NameIdentifier ...>bob@oracle.com</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                    <saml:ConfirmationMethod>
                        urn:oasis:names:tc:SAML:1.0:cm:bearer
                    </saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
            </saml:Subject>
        </saml:AuthenticationStatement>
        <dsig:Signature>
            ...
        </dsig:Signature>
    </saml:Assertion>
</samlp:Response>

Note: SAML 1.1 does not define an AuthnRequest message.

An administrator can specify a mapping between a SAML 1.1 Federation Authentication Method and one or more OAM Authentication Schemes.
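The following Python example is added here (not OAM code) to show, for both the SAML 2.0 and SAML 1.1 messages above, how an SP or IdP extracts the Requested Federation Authentication Method from an AuthnRequest, extracts the method actually asserted from a Response, and checks the asserted method against the request's Comparison attribute. The XML samples are trimmed versions of the messages in this article with namespaces declared on the root element, and the relative strength ordering of the SAML 2.0 classes is an assumption (the specification leaves that ranking to deployment policy).

```python
"""Added example (not OAM code): pull the Requested Federation Authentication
Method out of a SAML 2.0 AuthnRequest, pull the asserted method out of a
SAML 2.0 or SAML 1.1 Response, and check one against the other under the
AuthnRequest's Comparison attribute. The strength ordering is assumed."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
# Assumed relative strength; SAML 2.0 leaves this ranking to deployment policy.
STRENGTH = {PASSWORD: 1, PPT: 2, X509: 3}


def requested_authn_context(authn_request_xml: str):
    """Return (Comparison, [AuthnContextClassRef, ...]); (None, []) if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs  # "exact" is the spec default


def asserted_method(response_xml: str) -> str:
    """Federation Authentication Method the IdP asserted, for either protocol."""
    root = ET.fromstring(response_xml)
    # SAML 2.0: element text under AuthnStatement/AuthnContext (may be padded)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is not None and ref.text:
        return ref.text.strip()
    # SAML 1.1: AuthenticationMethod attribute of AuthenticationStatement
    stmt = root.find(".//saml1:AuthenticationStatement", NS)
    if stmt is not None and stmt.get("AuthenticationMethod"):
        return stmt.get("AuthenticationMethod")
    raise ValueError("response carries no authentication method")


def satisfies(asserted: str, comparison: str, requested: list) -> bool:
    """Does the asserted class meet the request? Unrankable classes are rejected."""
    if comparison == "exact":
        return asserted in requested
    if asserted not in STRENGTH or any(r not in STRENGTH for r in requested):
        return False
    got, want = STRENGTH[asserted], [STRENGTH[r] for r in requested]
    if comparison == "minimum":   # at least as strong as one requested class
        return got >= min(want)
    if comparison == "maximum":   # no stronger than the strongest requested class
        return got <= max(want)
    if comparison == "better":    # stronger than every requested class
        return got > max(want)
    raise ValueError(f"unknown Comparison value {comparison!r}")


# Trimmed from the article's AuthnRequest; namespaces declared on the root.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    ID="id-8bWnA9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z"
    Destination="https://idp.com/oamfed/idp/samlv20">
  <saml:Issuer>https://acme.com/sp</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed: the user held a stronger (X509) OAM session, so the IdP asserts X509.
SAML2_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:X509 </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Trimmed from the article's SAML 1.1 Response.
SAML11_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Assertion Issuer="https://idp.com/oam/fed">
    <saml:AuthenticationStatement AuthenticationInstant="2014-03-21T20:53:55Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    comparison, requested = requested_authn_context(AUTHN_REQUEST)
    got = asserted_method(SAML2_RESPONSE)
    print(comparison, requested, got, satisfies(got, comparison, requested))
    print(asserted_method(SAML11_RESPONSE))
```

With Comparison="minimum" the X509 assertion satisfies a PasswordProtectedTransport request; with Comparison="exact" it would not, which is the case an SP must handle when the IdP reuses an existing session authenticated with a different scheme.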

OpenID 2.0

The OpenID 2.0 PAPE specifications define the following Federation Authentication Methods for OpenID 2.0 flows:

Out of the box, IdP does not define any mappings for the OpenID 2.0 Federation Authentication Methods.

For OpenID 2.0, the configuration involves mapping a list of OpenID 2.0 policies to a list of Authentication Schemes.

An example of an OpenID 2.0 Request message sent by an SP/RP to an IdP/OP is:

https://idp.com/openid?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3&openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.realm=https%3A%2F%2Facme.com%2Fopenid&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.ax.type.aer0=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.if_available=aer0&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.max_auth_age=0

An example of an OpenID 2.0 SSO Response issued by an IdP/OP is:

https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fidp.com%2Fopenid&openid.claimed_id=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.identity=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.response_nonce=2014-03-24T19%3A20%3A06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1&openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.aer0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.aer0=1&openid.ax.type.aer1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.aer1=My+name+is+Bobby+Smith&openid.ax.type.aer2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.aer2=bob&openid.ax.type.aer3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.aer3=bob%40oracle.com&openid.ax.type.aer4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.aer4=10.145.120.253&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_time=2014-03-24T19%3A20%3A05Z&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fphishing-resistant&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.aer0%2Cax.value.aer0%2Cax.type.aer1%2Cax.value.aer1%2Cax.type.aer2%2Cax.value.aer2&openid.sig=mYMgbGYSs22l8e%2FDom9NRPw15u8%3D
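The following Python example is added here (not OAM code) to show the checks an RP should apply to the PAPE part of a response like the one above before trusting it: that the PAPE parameters are covered by openid.signed, that pape.auth_time honours the requested max_auth_age (0 in the request above means the RP wants a fresh authentication), and which policies the OP reports as applied. The request and response URLs are constructed from the parameter names shown in this article, with fewer AX fields and a signed list that covers the PAPE fields; verifying openid.sig itself is out of scope here.

```python
"""Added example (not OAM code): what an OpenID 2.0 RP should check in the
PAPE part of a positive assertion before trusting it. The request and response
URLs are constructed from the parameter names shown in the article."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"


def _params(url: str) -> dict:
    # OpenID parameters are single-valued; parse_qs returns lists, keep the first.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def pape_request(url: str):
    """PAPE parameters the RP sent, or None if the request carried none."""
    p = _params(url)
    if p.get("openid.ns.pape") != PAPE_NS:
        return None
    age = p.get("openid.pape.max_auth_age")
    return {"max_auth_age": None if age is None else int(age),
            "preferred_auth_policies": p.get("openid.pape.preferred_auth_policies", "").split()}


def pape_response(url: str) -> dict:
    """PAPE parameters the OP returned plus the set of signed field names."""
    p = _params(url)
    out = {"present": p.get("openid.ns.pape") == PAPE_NS,
           "signed": set(p.get("openid.signed", "").split(",")),
           "auth_time": None, "auth_policies": []}
    if out["present"]:
        t = p.get("openid.pape.auth_time")
        if t:
            out["auth_time"] = datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # PAPE uses the literal "none" when no policy was applied.
        out["auth_policies"] = [x for x in p.get("openid.pape.auth_policies", "").split() if x != "none"]
    return out


def check_pape(req, resp: dict, now: datetime, skew: timedelta = timedelta(seconds=5)) -> list:
    """Reasons to reject the response (an empty list means the PAPE part is acceptable)."""
    problems = []
    if req is None:
        return problems
    if not resp["present"]:
        return ["OP returned no PAPE response to a PAPE request"]
    # Unsigned PAPE fields could be altered between the OP and the RP.
    for f in ("ns.pape", "pape.auth_time", "pape.auth_policies"):
        if f not in resp["signed"]:
            problems.append(f"openid.{f} is not covered by openid.signed")
    if req["max_auth_age"] is not None:
        if resp["auth_time"] is None:
            problems.append("max_auth_age requested but pape.auth_time is missing")
        elif resp["auth_time"] > now + skew:
            problems.append("pape.auth_time is in the future")
        elif now - resp["auth_time"] > timedelta(seconds=req["max_auth_age"]) + skew:
            problems.append("authentication is older than the requested max_auth_age")
    # Preferred policies are preferences in PAPE; treating a miss as fatal is RP policy.
    problems += [f"preferred policy not applied: {pol}"
                 for pol in req["preferred_auth_policies"] if pol not in resp["auth_policies"]]
    return problems


# Constructed messages (same parameter names as the article's URLs, fewer AX fields).
REQUEST_URL = "https://idp.com/openid?" + urlencode({
    "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
    "openid.claimed_id": OPENID_NS + "/identifier_select",
    "openid.identity": OPENID_NS + "/identifier_select",
    "openid.return_to": "https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-",
    "openid.realm": "https://acme.com/openid",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.max_auth_age": "0",  # 0 = RP wants the user actively re-authenticated
})
_RESPONSE = {
    "openid.ns": OPENID_NS, "openid.mode": "id_res",
    "openid.op_endpoint": "https://idp.com/openid",
    "openid.return_to": "https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-",
    "openid.response_nonce": "2014-03-24T19:20:06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.sig": "mYMgbGYSs22l8e/Dom9NRPw15u8=",  # signature verification is out of scope here
}
SIGNED = "op_endpoint,return_to,response_nonce,ns.pape,pape.auth_time,pape.auth_policies"
RESPONSE_OK_URL = "https://acme.com/openid?" + urlencode(
    {**_RESPONSE, "openid.pape.auth_time": "2014-03-24T19:20:05Z", "openid.signed": SIGNED})
# Stale authentication, and pape.auth_policies left out of the signed list.
RESPONSE_STALE_URL = "https://acme.com/openid?" + urlencode(
    {**_RESPONSE, "openid.pape.auth_time": "2014-03-24T18:20:05Z",
     "openid.signed": SIGNED.replace(",pape.auth_policies", "")})
NOW = datetime(2014, 3, 24, 19, 20, 6, tzinfo=timezone.utc)  # when the RP receives the response

if __name__ == "__main__":
    req = pape_request(REQUEST_URL)
    print(check_pape(req, pape_response(RESPONSE_OK_URL), NOW))     # []
    print(check_pape(req, pape_response(RESPONSE_STALE_URL), NOW))  # two problems
```

The second response is rejected for two independent reasons: the authentication is an hour old although the RP asked for max_auth_age=0, and pape.auth_policies is not in the signed list, so the claimed phishing-resistant policy could have been injected by anyone on the path between OP and RP.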

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.