Partner Profiles in OAM
This article discusses the concept of a Partner Profile in the OAM configuration.
During any Federation runtime operation between OAM (as an IdP or SP) and remote partners, numerous configuration properties are evaluated that affect how OAM executes the operation.
Some of the configuration parameters driving the protocol exchange are specific to the partner with which OAM is interacting (like how the NameID should be populated if OAM acts as a SAML 2.0 IdP), while others can be common to a group of partners (like whether or not to sign SAML 2.0 Assertions when OAM acts as an IdP).
Instead of having each partner entry in the OAM configuration containing all the OAM parameters required to perform the Federation runtime operations, OAM makes use of a Partner Profile which:
- Contains a set of settings that are common to all partners referencing that partner profile
- Is specific to:
  - A type, either IdP or SP
  - A protocol: SAML 2.0, SAML 1.1 or OpenID 2.0
A Partner Profile in OAM typically contains configuration settings that are generally not changed often and that are considered advanced. For the day-to-day operations, the administration capabilities provided in the OAM Administration Console or via the OAM WLST commands are enough for most cases.
For advanced cases requiring configuration changes, an administrator would have the choice to:
- Either update the Partner configuration entry, so changes would only apply to that partner
- Or update the Partner Profile entry, so changes would apply to all partners bound to the Partner Profile
Important Note: Given the advanced nature of the configuration, Partner Profiles can only be managed via OAM WLST commands.
Default Partner Profile
Out of the box, OAM defines default Partner Profiles which contain the default settings for their respective Federation protocols and service types. The default settings are tailored for the common use cases encountered in production deployments today, and as such you would not need to change them except for specific use cases.
After installation, the following Partner Profiles are defined in the OAM configuration:
- saml20-idp-partner-profile:
  - Protocol: SAML 2.0
  - Type: Partner Profile for IdP partners
- saml20-sp-partner-profile:
  - Protocol: SAML 2.0
  - Type: Partner Profile for SP partners
- saml11-idp-partner-profile:
  - Protocol: SAML 1.1
  - Type: Partner Profile for IdP partners
- saml11-sp-partner-profile:
  - Protocol: SAML 1.1
  - Type: Partner Profile for SP partners
- openid20-idp-partner-profile:
  - Protocol: OpenID 2.0
  - Type: Partner Profile for IdP/OP partners
- openid20-sp-partner-profile:
  - Protocol: OpenID 2.0
  - Type: Partner Profile for SP/RP partners
WLST Commands
Settings contained in a Partner Profile entry are deemed advanced properties, and as such are only manageable via OAM WLST commands, while basic settings changes or day-to-day operations can be performed either via the OAM Administration Console or via OAM WLST commands.
The next sections show how to use the various OAM WLST Partner Profile commands to:
- List all the Partner Profiles
- List the Partners bound to a specific Partner Profile
- List the Partner Profile used by a Partner
- Display the content of a Partner Profile
- Create a new Partner Profile
- Update a Partner Profile: in this case change the hashing algorithm used in Digital Signatures in outgoing signed messages to SHA-256
- Bind the Partner Profile to a Partner
- Delete a Partner Profile
It is sometimes desirable to create new Partner Profile entries when several partners share a set of use cases which differ from the configuration defined in the Partner Profile entry they are bound to. The SHA-256 case is a typical one: SHA-1 is no longer considered acceptable for digital signatures, and partners that reject SHA-1 signed messages need to be moved to SHA-256 without disturbing partners that still depend on the default. Instead of having each Partner override the setting individually, the better approach consists in:
- Creating a new Partner Profile by making a copy of the Partner Profile currently used by the Partner
- Setting the Partner to use the new Partner Profile
- Modifying the new Partner Profile
For more information on the OAM WLST commands, please refer to the Oracle documentation.
WLST Environment
We assume that you are already in the WLST environment and connected using:
- Enter the WLST environment by executing:
$IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
connect()
- Navigate to the Domain Runtime branch:
domainRuntime()
Listing Partner Profile
The listFedPartnerProfiles() WLST command lists all Partner Profiles currently present in OAM, and displays:
- Name
- Type (SP or IdP)
- Protocol Version: SAML 2.0, SAML 1.1 or OpenID 2.0
For example, an execution of the command displays the following:
wls:/test_domain/domainRuntime> listFedPartnerProfiles()
Partner Profile ID          | Type | Protocol Version
saml20-sp-partner-profile   | sp   | saml20
saml20-idp-partner-profile  | idp  | saml20
saml11-sp-partner-profile   | sp   | saml11
saml11-idp-partner-profile  | idp  | saml11
openid20-sp-partner-profile | sp   | openid20
openid20-idp-partner-profile | idp | openid20
Listing Partners for a Specific Partner Profile
The listFedPartnersForProfile() command lists all partners bound to the Partner Profile specified as a parameter.
Executing the command to display all partners referencing the saml20-sp-partner-profile Partner Profile (which is the default OOTB profile for SAML 2.0 SP Partners) displays the following:
wls:/test_domain/domainRuntime> listFedPartnersForProfile("saml20-sp-partner-profile")
adc00peq
Office365
ACME-ADFS
Listing Partner Profile for a Specific Partner
The getFedPartnerProfile() command displays the Partner Profile used by the Partner whose name and partner type are specified as parameters (the partner type is either idp or sp).
Executing the command to display the Partner Profile referenced by the ACME-ADFS SP Partner displays the following:
wls:/test_domain/domainRuntime> getFedPartnerProfile("ACME-ADFS", "sp")
saml20-sp-partner-profile
Displaying the Content of a Partner Profile
The displayFedPartnerProfile() WLST command prints the settings defined in the Partner Profile entry specified as a parameter, as a list of key=value pairs.
Executing the command to show the default SAML 2.0 SP Partner Profile displays the following:
wls:/test_domain/domainRuntime> displayFedPartnerProfile("saml20-sp-partner-profile")
includecertinsignature=0
nameidqualifier=
forceconsent=0
authnmethodmappings={urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APasswordProtectedTransport=LDAPS1,OAM10gScheme-0,FAAuthScheme-1,BasicScheme-1,BasicFAScheme-1}
sendsignedrequestquery=1
forceconsenturl=
sendencryptednameid=0
sendsignedresponsequery=1
setconsentenabled=0
sessionattributeforceauthn=0
defaultauthnrequestnameidformat=orafed-emailaddress
version=saml20
requesttimeout=2000
audiencerestrictionenabled=1
setconsentvalue=
sendsignedresponsesoap=1
allowfederationcreation=1
sendsignedresponseassertionpost=0
reauthenticate=3600
description=
sendattribute=1
defaultencryptionmethod=http://www.w3.org/2001/04/xmlenc#aes128-cbc
requiresignedrequestquery=0
requiresignedresponsepost=0
audiencerestrictionvalue=
sendsignedrequestsoap=1
sendsignedrequestpost=1
sendencryptedattribute=0
partnerprofiletype=sp
requiresignedresponsesoap=0
requiresignedrequestpost=0
requiresignedresponsequery=0
partnerprofileid=saml20-sp-partner-profile
sendsignedresponsepost=1
requiresignedrequestsoap=0
sendsignedassertion=1
sendsignedresponseassertionsoap=0
assertionvalidityinterval=300
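The dump above is the form an administrator reviews when deciding which Partner Profile settings need to differ for a group of partners. The following script is an added example (not code from this article, nor part of OAM): it parses that key=value output into a dictionary and flags the settings a security review looks at first, namely bindings on which OAM does not require the partner's messages to be signed (requiresigned*=0), bindings on which OAM sends messages unsigned (sendsigned*=0), and CBC-mode XML encryption. The meaning attached to each flag is inferred from its name and is an assumption to be confirmed against the OAM documentation; SAMPLE_DUMP is a constructed subset of the saml20-sp-partner-profile output shown above.

```python
"""Parse and audit the key=value dump printed by displayFedPartnerProfile().

Added example: not code from the original article or from OAM. The meaning
of each flag is inferred from its name (assumption) and should be confirmed
against the OAM documentation before acting on a finding.
"""

# Constructed sample: the signature- and encryption-related subset of the
# saml20-sp-partner-profile dump shown in the article.
SAMPLE_DUMP = (
    "includecertinsignature=0 nameidqualifier= forceconsent=0 "
    "sendsignedrequestquery=1 sendencryptednameid=0 sendsignedresponsequery=1 "
    "version=saml20 requesttimeout=2000 audiencerestrictionenabled=1 "
    "sendsignedresponsesoap=1 sendsignedresponseassertionpost=0 "
    "defaultencryptionmethod=http://www.w3.org/2001/04/xmlenc#aes128-cbc "
    "requiresignedrequestquery=0 requiresignedresponsepost=0 "
    "sendsignedrequestsoap=1 sendsignedrequestpost=1 partnerprofiletype=sp "
    "requiresignedresponsesoap=0 requiresignedrequestpost=0 "
    "requiresignedresponsequery=0 partnerprofileid=saml20-sp-partner-profile "
    "sendsignedresponsepost=1 requiresignedrequestsoap=0 sendsignedassertion=1 "
    "sendsignedresponseassertionsoap=0 assertionvalidityinterval=300"
)


def parse_profile_dump(text):
    """Turn 'key=value key2=value2 ...' into a dict.

    Values never contain whitespace (the authnmethodmappings value is one
    brace-delimited token), so splitting on whitespace and then on the
    first '=' is enough; an empty value such as 'nameidqualifier=' is kept
    as ''. Anything that is not key=value is reported, not silently skipped.
    """
    settings = {}
    for token in text.split():
        if "=" not in token:
            raise ValueError("not a key=value token: %r" % token)
        key, value = token.split("=", 1)
        settings[key] = value
    return settings


def audit_profile(settings):
    """Return (severity, key, message) findings, WARN entries first.

    requiresigned*=0: OAM accepts that message type on that binding without
    a signature from the partner (WARN, assumed meaning).
    sendsigned*=0: OAM sends that message type on that binding unsigned
    (INFO, assumed meaning; whether the partner verifies is its own choice).
    """
    findings = []
    for key in sorted(settings):
        value = settings[key]
        if key.startswith("requiresigned") and value == "0":
            findings.append(("WARN", key,
                             "partner messages on this binding are accepted unsigned"))
        elif key.startswith("sendsigned") and value == "0":
            findings.append(("INFO", key,
                             "outgoing messages on this binding are not signed"))
    enc = settings.get("defaultencryptionmethod", "")
    if enc.endswith("-cbc"):
        findings.append(("INFO", "defaultencryptionmethod",
                         "CBC-mode XML encryption (%s): the ciphertext itself carries "
                         "no integrity check, so rely on the signed assertion and prefer "
                         "a GCM algorithm if both OAM and the partner support it" % enc))
    # Stable sort keeps the alphabetical order within each severity.
    findings.sort(key=lambda f: 0 if f[0] == "WARN" else 1)
    return findings


if __name__ == "__main__":
    for severity, key, message in audit_profile(parse_profile_dump(SAMPLE_DUMP)):
        print("%-4s %-32s %s" % (severity, key, message))
```

Run against the default SP profile above, the script reports six WARN findings (none of the six requiresigned* bindings demand a signature from the SP) and three INFO findings. Whether any of the WARN items matters depends on the binding the partner actually uses, which is exactly the kind of decision that justifies a dedicated Partner Profile for a subset of partners rather than a change to the default.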
Creating a new Partner Profile
This section shows how to create a new Partner Profile from an existing one, by using the createFedPartnerProfileFrom() method which takes as arguments:
- The name of the new Partner Profile
- The name of the Partner Profile to copy from
Executing the command to create a new SAML 2.0 SP Partner Profile based on the OOTB one displays the following:
wls:/test_domain/domainRuntime> createFedPartnerProfileFrom("new-saml20-pp", "saml20-sp-partner-profile")
Command was successful.
Updating a Partner Profile
This section shows an example of a WLST configuration change command involving a Partner Profile. As mentioned previously, we created this Partner Profile for Partners for which SHA-256 needs to be used in outgoing Digital Signatures. Use the configureFedDigitalSignature()
command to configure the new Partner Profile called new-saml20-pp to use SHA-256.
The command takes the Partner Profile name, the profile type as well as the hashing algorithm to use as parameters:
wls:/test_domain/domainRuntime> configureFedDigitalSignature(partnerProfile="new-saml20-pp", partnerType="sp", algorithm="SHA-256")
Command was successful.
Binding a Partner to a Partner Profile
Once the new Partner Profile is created (and configured) existing Partners can be bound to it.
In our example, three SP Partners are listed:
- adc00peq
- Office365
- ACME-ADFS
We only want adc00peq and ACME-ADFS to be switched to the new Partner Profile. Use the setFedPartnerProfile() command and specify the Partner, its type and the new Partner Profile to use:
wls:/test_domain/domainRuntime> setFedPartnerProfile("adc00peq", "sp", "new-saml20-pp")
Command was successful.
wls:/test_domain/domainRuntime> setFedPartnerProfile("ACME-ADFS", "sp", "new-saml20-pp")
Command was successful.
Listing the partners bound to the new profile shows adc00peq and ACME-ADFS, while listing the partners bound to the saml20-sp-partner-profile profile would only show Office365:
wls:/test_domain/domainRuntime> listFedPartnersForProfile("new-saml20-pp")
adc00peq
ACME-ADFS
wls:/test_domain/domainRuntime> listFedPartnersForProfile("saml20-sp-partner-profile")
Office365
In our example, OAM acting as IdP would now sign messages for adc00peq and ACME-ADFS using the SHA-256 digest algorithm, while it would still use SHA-1 for the Office365 Partner.
Deleting a Partner Profile
Partner Profiles can be deleted via the deleteFedPartnerProfile() command, which takes the name of the profile as a parameter, but prior to executing the command you must ensure that no Partner entries are currently bound to this Partner Profile.
If we attempt to delete the new-saml20-pp Partner Profile while it is still referenced by the adc00peq and ACME-ADFS SP Partners, the method returns an error:
wls:/test_domain/domainRuntime> deleteFedPartnerProfile("new-saml20-pp")
The Federation Partner Profile is in use by a Partner
First, the two partners must be switched back to another Partner Profile (saml20-sp-partner-profile in this example), and then deleteFedPartnerProfile() can be invoked:
wls:/test_domain/domainRuntime> setFedPartnerProfile("adc00peq", "sp", "saml20-sp-partner-profile")
Command was successful.
wls:/test_domain/domainRuntime> setFedPartnerProfile("ACME-ADFS", "sp", "saml20-sp-partner-profile")
Command was successful.
wls:/test_domain/domainRuntime> deleteFedPartnerProfile("new-saml20-pp")
Command was successful.
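The create, configure, bind and delete steps above are usually repeated for more than two partners and more than one environment, where a typo in a profile name or a partner left behind on the wrong profile is easy to miss. The script below is an added example (not code from this article, nor from Oracle) that captures the whole procedure from the "Creating a new Partner Profile" section through "Deleting a Partner Profile" in two functions: roll_out_sha256_profile() copies a profile, switches it to SHA-256 and moves only the named partners, verifying the result through listFedPartnersForProfile(); retire_profile() moves any remaining partners to a fallback profile before deleting, so the "in use by a Partner" error never occurs. Both are written against an api object whose method names and argument orders mirror the WLST commands used on this page. Inside wlst.sh you would pass an adapter whose methods forward to the real commands; that adapter is an assumption and is not shown, and because the real list*/get* commands print their output rather than return it, the adapter would need to capture it. Offline, the constructed FakeFederationApi stands in for OAM and reproduces the behaviour this page documents. The syntax stays Python 2 compatible so the functions also load under the Jython that WLST embeds.

```python
"""Roll selected partners onto a new SHA-256 Partner Profile, then retire it.

Added example: not code from the original article or from Oracle. The 'api'
object is assumed to expose the OAM WLST commands used in the article with
the same names and argument order; FakeFederationApi is a constructed
in-memory stand-in used here so the script runs offline.
"""


class FakeFederationApi(object):
    """Constructed stand-in reproducing the behaviours shown in the article."""

    def __init__(self):
        self.profiles = {"saml20-sp-partner-profile":
                         {"type": "sp", "algorithm": "SHA-1"}}
        # (partner, type) -> bound Partner Profile, as in the article's example
        self.bindings = {("adc00peq", "sp"): "saml20-sp-partner-profile",
                         ("Office365", "sp"): "saml20-sp-partner-profile",
                         ("ACME-ADFS", "sp"): "saml20-sp-partner-profile"}

    def listFedPartnerProfiles(self):
        return sorted(self.profiles.keys())

    def createFedPartnerProfileFrom(self, newProfile, sourceProfile):
        if newProfile in self.profiles:
            raise ValueError("profile already exists: %s" % newProfile)
        self.profiles[newProfile] = dict(self.profiles[sourceProfile])

    def configureFedDigitalSignature(self, partnerProfile, partnerType, algorithm):
        self.profiles[partnerProfile]["algorithm"] = algorithm

    def getFedPartnerProfile(self, partner, partnerType):
        return self.bindings[(partner, partnerType)]

    def setFedPartnerProfile(self, partner, partnerType, profile):
        if profile not in self.profiles:
            raise ValueError("no such profile: %s" % profile)
        self.bindings[(partner, partnerType)] = profile

    def listFedPartnersForProfile(self, profile):
        return sorted([p for (p, t), bound in self.bindings.items() if bound == profile])

    def deleteFedPartnerProfile(self, profile):
        # Same refusal the article shows for a profile that is still bound.
        if self.listFedPartnersForProfile(profile):
            raise RuntimeError("The Federation Partner Profile is in use by a Partner")
        del self.profiles[profile]


def roll_out_sha256_profile(api, new_profile, source_profile, partner_type, partners):
    """Copy source_profile to new_profile (if absent), set SHA-256 on it and move
    only the listed partners. Returns the partners now bound to new_profile.
    Safe to re-run: partners already on new_profile are left alone, and a
    partner found on some third profile is reported instead of being moved."""
    if new_profile not in api.listFedPartnerProfiles():
        api.createFedPartnerProfileFrom(new_profile, source_profile)
    api.configureFedDigitalSignature(partnerProfile=new_profile,
                                     partnerType=partner_type, algorithm="SHA-256")
    for partner in partners:
        current = api.getFedPartnerProfile(partner, partner_type)
        if current == new_profile:
            continue
        if current != source_profile:
            raise RuntimeError("%s is bound to %s, not %s; review before moving it"
                               % (partner, current, source_profile))
        api.setFedPartnerProfile(partner, partner_type, new_profile)
    # Verify through the same listing an administrator would use by hand.
    bound = api.listFedPartnersForProfile(new_profile)
    missing = [p for p in partners if p not in bound]
    if missing:
        raise RuntimeError("rebind did not take effect for: %s" % ", ".join(missing))
    return bound


def retire_profile(api, profile, fallback_profile, partner_type):
    """Move every partner still on profile to fallback_profile, then delete
    profile. Returns the partners that were moved."""
    moved = api.listFedPartnersForProfile(profile)
    for partner in moved:
        api.setFedPartnerProfile(partner, partner_type, fallback_profile)
    api.deleteFedPartnerProfile(profile)
    return moved


if __name__ == "__main__":
    api = FakeFederationApi()
    print(roll_out_sha256_profile(api, "new-saml20-pp", "saml20-sp-partner-profile",
                                  "sp", ["adc00peq", "ACME-ADFS"]))
    print(api.listFedPartnersForProfile("saml20-sp-partner-profile"))
    print(retire_profile(api, "new-saml20-pp", "saml20-sp-partner-profile", "sp"))
```

The check that a partner is on source_profile before moving it is deliberate: a partner that someone already bound to a different, hand-tuned profile should not be silently pulled onto the SHA-256 profile by a bulk script. Likewise retire_profile() only ever moves partners back to the fallback you name, so the SHA-1 default is restored explicitly rather than by accident.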