SAML Response with Complex Attributes

Introduction

When Oracle Access Management (OAM) is integrated with a SAML Identity Provider (IdP), in response to saml:AuthnRequest the IdP issues a saml:Response. If the saml:AttributeStatement contains attributes whose data type is other than an XML Schema string then the attribute values will be set to empty strings. An example of such an attribute is:

<saml2:Attribute Name="AddressDetails">
 <saml2:AttributeValue xmlns:xyznamespace="http://foo"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xyznamespace:AdresseType">
   <xyznamespace:Type>Type0</xyznamespace:Type>
   <xyznamespace:Street>Street123</xyznamespace:Street>
   <xyznamespace:LaneNo>100</xyznamespace:LaneNo>
   <xyznamespace:HouseNo>66</xyznamespace:HouseNo>
   <xyznamespace:Section>Section76</xyznamespace:Section>
   <xyznamespace:SubSection>TestSection</xyznamespace:SubSection>
   </saml2:AttributeValue>
</saml2:Attribute>

October 2022 BP adds support for propagating attributes whose XML Schema is not a simple type to protected applications.

Objectives

Setup SAML Service Provider in Oracle Access Management.

Prerequisites

• Install Oracle Access Management and setup Identity Federation Overview of OAM
• Administer Identity Federation in OAM Setup and Configure OAM Identity Federation
• Setup Federation between OAM and 3rd party IDP

Task 1: Enable Complex Attribute Handling in Identity Federation

By default, this feature is not enabled. To enable this feature, you must set the Java System Property oam.saml.customattr to true. Update your OAM startup script (For example, weblogic startWeblogic.sh) to inject the following:

-Doam.saml.customattr=true

Task 2: Check the OAM Response Attribute

Once enabled, the attribute will be processed and populated in the session ($session) like any other saml:attribute. In case of saml:attribute, the session response will contain $session.attr.fed.attr.AddressDetails and can be propagated to an application. The application receives an authorization response header/cookie with a value:

Type=Type0^Street=Street123^LaneNo=100^HouseNo=66^Section=Section76^SubSection=TestSection

Description of the illustration responses.jpg

Acknowledgements

• Authors - Abhijit Bhatode
• Contributors - Oracle Access Management SE Team

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

SAML Response with Complex Attributes in 12c

F72128-01

October 2022

Copyright © 2022, Oracle and/or its affiliates.