SAML Response with Complex Attributes
Introduction
When Oracle Access Management (OAM) is integrated with a SAML Identity Provider (IdP), the IdP issues a saml:Response in response to a saml:AuthnRequest. If the saml:AttributeStatement contains attributes whose data type is other than an XML Schema string, the attribute values will be set to empty strings. An example of such an attribute is:
<saml2:Attribute Name="AddressDetails">
  <saml2:AttributeValue xmlns:xyznamespace="http://foo" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xyznamespace:AdresseType">
    <xyznamespace:Type>Type0</xyznamespace:Type>
    <xyznamespace:Street>Street123</xyznamespace:Street>
    <xyznamespace:LaneNo>100</xyznamespace:LaneNo>
    <xyznamespace:HouseNo>66</xyznamespace:HouseNo>
    <xyznamespace:Section>Section76</xyznamespace:Section>
    <xyznamespace:SubSection>TestSection</xyznamespace:SubSection>
  </saml2:AttributeValue>
</saml2:Attribute>
The October 2022 BP adds support for propagating attributes whose XML Schema type is not a simple type to protected applications.
Objectives
Set up a SAML Service Provider in Oracle Access Management.
Prerequisites
- Install Oracle Access Management and set up Identity Federation (see: Overview of OAM)
- Administer Identity Federation in OAM (see: Setup and Configure OAM Identity Federation)
- Set up Federation between OAM and a 3rd party IdP
Task 1: Enable Complex Attribute Handling in Identity Federation
By default, this feature is not enabled. To enable it, you must set the Java system property oam.saml.customattr to true. Update your OAM startup script (for example, the WebLogic startWebLogic.sh) to inject the following:
-Doam.saml.customattr=true
Task 2: Check the OAM Response Attribute
Once enabled, the attribute is processed and populated in the session ($session) like any other saml:Attribute. For the AddressDetails saml:Attribute above, the session response will contain $session.attr.fed.attr.AddressDetails, which can be propagated to an application.
The application receives an authorization response header/cookie with a value:
Type=Type0^Street=Street123^LaneNo=100^HouseNo=66^Section=Section76^SubSection=TestSection
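The following is an added example, not code from the tutorial or from OAM, showing how a complex saml2:AttributeValue such as the AddressDetails attribute above maps to the flattened header format, and how a receiving application can parse it back while rejecting malformed input. The sample attributes are constructed; the saml2 namespace declaration is assumed so the fragment parses stand-alone.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed sample built from the AddressDetails attribute shown above (the saml2
# namespace declaration is added so the fragment parses stand-alone).
COMPLEX_ATTRIBUTE = f"""<saml2:Attribute Name="AddressDetails" xmlns:saml2="{SAML2}">
  <saml2:AttributeValue xmlns:xyznamespace="http://foo"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xyznamespace:AdresseType">
    <xyznamespace:Type>Type0</xyznamespace:Type>
    <xyznamespace:Street>Street123</xyznamespace:Street>
    <xyznamespace:LaneNo>100</xyznamespace:LaneNo>
    <xyznamespace:HouseNo>66</xyznamespace:HouseNo>
    <xyznamespace:Section>Section76</xyznamespace:Section>
    <xyznamespace:SubSection>TestSection</xyznamespace:SubSection>
  </saml2:AttributeValue>
</saml2:Attribute>"""
# Constructed sample of an ordinary xs:string attribute for comparison.
SIMPLE_ATTRIBUTE = f"""<saml2:Attribute Name="uid" xmlns:saml2="{SAML2}">
  <saml2:AttributeValue>jdoe</saml2:AttributeValue>
</saml2:Attribute>"""

def flatten_attribute(xml_text: str) -> str:
    """Header value for one saml2:Attribute: a plain string passes through, a complex
    value becomes Name=value pairs joined by '^' in the format shown above."""
    value = ET.fromstring(xml_text).find("saml2:AttributeValue", NS)
    children = list(value)
    if not children:  # simple type: the text node is the whole value
        return (value.text or "").strip()
    pairs = []
    for child in children:
        local_name = child.tag.rsplit("}", 1)[-1]  # drop the {http://foo} namespace
        text = (child.text or "").strip()
        # '^' and '=' are the delimiters; a field containing them could not be parsed
        # back unambiguously by the application, so refuse rather than guess.
        if any(d in local_name or d in text for d in "^="):
            raise ValueError(f"delimiter character inside {local_name}")
        pairs.append(f"{local_name}={text}")
    return "^".join(pairs)

def parse_flattened(header_value: str) -> dict:
    """Application side: split the header back into a dict, rejecting malformed pairs."""
    result = {}
    for pair in header_value.split("^"):
        name, sep, val = pair.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed pair: {pair!r}")
        result[name] = val
    return result
```

The delimiter check is a design choice of this example; the tutorial does not state how OAM itself handles values that contain `^` or `=`, so an application consuming the header should validate the keys it expects rather than trust the split blindly.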
Acknowledgements
- Authors - Abhijit Bhatode
- Contributors - Oracle Access Management SE Team
SAML Response with Complex Attributes in 12c
F72128-01
October 2022
Copyright © 2022, Oracle and/or its affiliates.