Partner Profiles in OAM

This article discusses the concept of Partner Profiles in the OAM configuration.

During any Federation runtime operation between OAM (as an IdP or SP) and remote partners, numerous configuration properties are evaluated that affect how OAM executes the operation.

Some of the configuration parameters driving the protocol exchange are specific to the partner with which OAM is interacting (like how the NameID should be populated if OAM acts as a SAML 2.0 IdP), while others can be common to a group of partners (like whether or not to sign SAML 2.0 Assertions when OAM acts as an IdP).

Instead of having each partner entry in the OAM configuration containing all the OAM parameters required to perform the Federation runtime operations, OAM makes use of a Partner Profile which:

A Partner Profile in OAM typically contains configuration settings that are generally not changed often and that are considered advanced. For the day-to-day operations, the administration capabilities provided in the OAM Administration Console or via the OAM WLST commands are enough for most cases.

For advanced cases requiring configuration changes, an administrator would have the choice to:

Important Note: Given the advanced nature of the configuration, Partner Profiles can only be managed via OAM WLST commands.

Default Partner Profile

Out of the box, OAM defines default Partner Profiles which contain the default settings for their respective Federation protocols and service types. The default settings are tailored for the common use cases encountered in production deployments today, and as such you would not need to change those except for specific use cases.

After installation, the following Partner Profiles are defined in the OAM configuration:

WLST Commands

Settings contained in a Partner Profile entry are deemed advanced properties, and as such are only manageable via OAM WLST commands, while basic settings changes or day-to-day operations can be performed either via the OAM Administration Console or via OAM WLST commands.

The next sections show how to use the various OAM WLST Partner Profile commands to:

It is sometimes desirable to create new Partner Profile entries when several partners have a common set of use cases which differ from the configuration defined in the Partner Profile entry they are bound to. Instead of having each Partner override a setting (for example signing messages using SHA-256 digest algorithm instead of the default SHA-1 defined in their Partner Profile entries), the better approach consists in:

For more information on the OAM WLST commands, please refer to the Oracle documentation.

WLST Environment

We assume that you are already in the WLST environment and connected, using the following steps:

  1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
  2. Connect to the WLS Admin server: connect()
  3. Navigate to the Domain Runtime branch: domainRuntime()

Listing Partner Profile

The listFedPartnerProfiles() WLST command lists all Partner Profiles currently present in OAM, and displays:

For example, an execution of the command displays the following:

wls:/test_domain/domainRuntime> listFedPartnerProfiles()
Partner Profile ID            |  Type  |  Protocol Version
saml20-sp-partner-profile     |  sp    |  saml20
saml20-idp-partner-profile    |  idp   |  saml20
saml11-sp-partner-profile     |  sp    |  saml11
saml11-idp-partner-profile    |  idp   |  saml11
openid20-sp-partner-profile   |  sp    |  openid20
openid20-idp-partner-profile  |  idp   |  openid20

Listing Partners for a Specific Partner Profile

The listFedPartnersForProfile() command lists all partners bound to the Partner Profile specified as a parameter.

Executing the command to display all partners referencing the saml20-sp-partner-profile Partner Profile (which is the default OOTB profile for SAML 2.0 SP Partners) displays the following:

wls:/test_domain/domainRuntime> listFedPartnersForProfile("saml20-sp-partner-profile")

adc00peq

ACME-ADFS

Office365

Listing Partner Profile for a Specific Partner

The getFedPartnerProfile() command displays the Partner Profile used by the Partner and the partner type specified as parameters (the partner type is either idp or sp).

Executing the command to display the Partner Profile referenced by the ACME-ADFS SP Partner displays the following:

wls:/test_domain/domainRuntime> getFedPartnerProfile("ACME-ADFS", "sp")

saml20-sp-partner-profile

Displaying the Content of a Partner Profile

The displayFedPartnerProfile() WLST command displays on the command line the settings defined in the entry specified as a parameter.

Executing the command to show the saml20-sp-partner-profile Partner Profile displays the following:

wls:/test_domain/domainRuntime> displayFedPartnerProfile("saml20-sp-partner-profile")
includecertinsignature=0
nameidqualifier=
forceconsent=0
authnmethodmappings={urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APasswordProtectedTransport=LDAPS1,OAM10gScheme-0,FAAuthScheme-1,BasicScheme-1,BasicFAScheme-1}
sendsignedrequestquery=1
forceconsenturl=
sendencryptednameid=0
sendsignedresponsequery=1
setconsentenabled=0
sessionattributeforceauthn=0
defaultauthnrequestnameidformat=orafed-emailaddress
version=saml20
requesttimeout=2000
audiencerestrictionenabled=1
setconsentvalue=
sendsignedresponsesoap=1
allowfederationcreation=1
sendsignedresponseassertionpost=0
reauthenticate=3600
description=
sendattribute=1
defaultencryptionmethod=http://www.w3.org/2001/04/xmlenc#aes128-cbc
requiresignedrequestquery=0
requiresignedresponsepost=0
audiencerestrictionvalue=
sendsignedrequestsoap=1
sendsignedrequestpost=1
sendencryptedattribute=0
partnerprofiletype=sp
requiresignedresponsesoap=0
requiresignedrequestpost=0
requiresignedresponsequery=0
partnerprofileid=saml20-sp-partner-profile
sendsignedresponsepost=1
requiresignedrequestsoap=0
sendsignedassertion=1
sendsignedresponseassertionsoap=0
assertionvalidityinterval=300

Creating a new Partner Profile

This section shows how to create a new Partner Profile from an existing one, by using the createFedPartnerProfileFrom() method which takes as arguments:

Executing the command to create a new SAML 2.0 SP Partner Profile based on the OOTB one displays the following:

wls:/test_domain/domainRuntime> createFedPartnerProfileFrom("new-saml20-pp", "saml20-sp-partner-profile")

Command was successful.

Updating a Partner Profile

This section shows an example of a WLST configuration change command involving a Partner Profile. As mentioned previously, we created this Partner Profile for Partners for which SHA-256 needs to be used in outgoing Digital Signatures. Use the configureFedDigitalSignature() command to configure the new Partner Profile called new-saml20-pp to use SHA-256.

The command takes the Partner Profile name, the profile type as well as the hashing algorithm to use as parameters:

wls:/test_domain/domainRuntime> configureFedDigitalSignature(partnerProfile="new-saml20-pp", partnerType="sp", algorithm="SHA-256")

Command was successful.

Binding a Partner to a Partner Profile

Once the new Partner Profile is created (and configured), existing Partners can be bound to it.

In our example, three SP Partners are listed: adc00peq, ACME-ADFS and Office365.

We only want adc00peq and ACME-ADFS to be switched to the new Partner Profile. Use the setFedPartnerProfile() command and specify the Partner, its type and the new Partner Profile to use:

wls:/test_domain/domainRuntime> setFedPartnerProfile("adc00peq", "sp", "new-saml20-pp")

Command was successful.

wls:/test_domain/domainRuntime> setFedPartnerProfile("ACME-ADFS", "sp", "new-saml20-pp")

Command was successful.

Listing the partners bound to the new profile shows adc00peq and ACME-ADFS, while listing the partners bound to the saml20-sp-partner-profile profile only shows Office365:

wls:/test_domain/domainRuntime> listFedPartnersForProfile("new-saml20-pp")

adc00peq

ACME-ADFS

wls:/test_domain/domainRuntime> listFedPartnersForProfile("saml20-sp-partner-profile")

Office365

In our example, the IdP would now sign using the SHA-256 digest algorithm for adc00peq and ACME-ADFS, while it would still use SHA-1 for Office365.

Deleting a Partner Profile

Partner Profiles can be deleted via the deleteFedPartnerProfile() command, which takes the name of the profile as a parameter, but prior to executing the command, you must ensure that no Partner entries are currently bound to this Partner Profile.

If we attempt to delete the new-saml20-pp Partner Profile while it is still referenced by the adc00peq and ACME-ADFS SP Partners, the method returns an error:

wls:/test_domain/domainRuntime> deleteFedPartnerProfile("new-saml20-pp")

The Federation Partner Profile is in use by a Partner

First, the two partners must be switched back to another Partner Profile (saml20-sp-partner-profile in this example), and then deleteFedPartnerProfile() can be invoked:

wls:/test_domain/domainRuntime> setFedPartnerProfile("adc00peq", "sp", "saml20-sp-partner-profile")

Command was successful.

wls:/test_domain/domainRuntime> setFedPartnerProfile("ACME-ADFS", "sp", "saml20-sp-partner-profile")

Command was successful.

wls:/test_domain/domainRuntime> deleteFedPartnerProfile("new-saml20-pp")

Command was successful.
