Example: Sending Attributes with OAM and IdP

Following are the examples of how to configure IdP to send attributes:

Via the OAM Administration Console to send attributes to a SAML 2.0 SP Partner
Via the OAM WLST commands to send attributes to an OpenID 2.0 RP Partner

The sent attributes are based on:

The LDAP user record (attributes, DN…)
The OAM user session (attributes, session count…)
The browser’s HTTP request (cookie, user-agent…)

OAM Administration Console

This section is about how to configure IdP to send attributes via the admin console. The example is based on a Federation with a remote SAML 2.0 SP partner, and the IdP is configured to:

Use the Unspeci9ed NameID format
Use the uid LDAP user attribute to set the NameID value
Send the following attributes:
- Email address with the SAML attribute name set to Email
- An attribute containing a string beginning with “My name is “ and then both the first name and last name, separated by a space. The SAML attribute name is set to Name
- UserID with attribute name set to UserID
- OAM Session count with the SAML attribute name set to SessionCount
- The client’s IP Address with the SAML attribute name set to IPAddress

Create a new SP Attribute Profile, and assign it to acmeSP. Later on, if new SP partners are on boarded, it is possible to assign the existing SP Attribute Profile so that IdP sends the same attributes to those new SPs.

Creating SP Attribute Profile

To create a new SP Attribute Profile, perform the following steps:

Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin- port/oamconsole.
Navigate to Identity Federation , Identity Provider Administration.
Click on the Service Provider Attribute Profiles tab.
Click on the Create SP Attribute Profile button.

Description of the illustration Create_SP_Attribute_Profile.jpg

Set up the basic information about the new SP Attribute Profile:
- Enter a name
- Enter a description if needed
Note: If “Default SP Partner Attribute Profile” is checked, it is pre-assigned SP Attribute Profile when a new SP Partner is created via the UI and will be the SP Attribute Profile used for SP partners which do not have an SP Attribute Profile assigned (for example, the ones created via WLST commands).

Description of the illustration Default_SP_Partner_Attribute_Profile.jpg

Add the necessary attributes I listed earlier. Perform the following operations to add the Email attribute:

Click the Add Entry button in the Attribute Mapping table.
Set up the email attribute:
1. Message Attribute Name: Email
2. Value: select user, then attr, then enter the LDAP Attribute containing the email address, mail in this case
3. Always send: checked

Description of the illustration Add_Email_Attribute.jpg

Perform the following operations to add the Name attribute:

Click the Add Entry button in the Attribute Mapping table.
Set up the Name attribute:
1. Message Attribute Name: Name
2. Value: Select expression, then enter the following string (in this example, the givenname LDAP attribute contains the first name, and sn the last name): My name is $user.attr.givenname $user.attr.sn
3. Always send: checked
Description of the illustration Add_Name_Attribute.jpg

Perform the following operations to add the UserID attribute:

Click the Add Entry button in the Attribute Mapping table.
Set up the UserID attribute:
1. Message Attribute Name: UserID
2. Value: Select user, then userid
3. Always send: checked
Description of the illustration Add_UserID_Attribute.jpg

Perform the following operations to add the SessionCount attribute:

Click the Add Entry button in the Attribute Mapping table.
Set up the SessionCount attribute:
1. Message Attribute Name: SessionCount
2. Value: Select session, then count
3. Always send: checked
Description of the illustration Add_SessionCount_Attribute.jpg

Perform the following operations to add the IPAddress attribute:

Click the Add Entry button in the Attribute Mapping table.
Set up the IPAddress attribute:
1. Message Attribute Name: IPAddress
2. Value: Select request, then client_ip
3. Always send: checked
Description of the illustration Add_IPAddress_Attribute.jpg

The SP Attribute Profile is now configured to send the required attributes to SP partners linked to this profile

Description of the illustration SP_Attribute_Profile.jpg

Update the SP Partner to use the new SP Attribute Profile, as well as configure the NameID settings:

Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin- port/oamconsole.
Navigate to Identity Federation , Identity Provider Administration.
Click on the Search Service Provider Partners.
Open the desired SP Partner.
Select Unspeci9ed as the NameID format.
For NameID, select User ID Store Attribute and then enter uid as the LDAP attribute containing the userID.

Note: Select Expression in the drop-down and entered an expression similar to what was used earlier.

In the Attribute Mapping section, select the newly created SP Attribute Profile as the Attribute Profile.
Click Save.

Description of the illustration SP_Partner_Update.jpg

Note about Always Send

The SP Attribute Profile is used for various protocols, including:

SAML SSO, where the SP cannot request any attributes at runtime
SAML SOAP Attribute exchange, where the SP can request any attributes at runtime
OpenID 2.0, where the SP can request any attributes at runtime
The Always Send option seen in the SP Attribute Profile section allows an administrator to instruct IdP to always send the attribute in an Assertion even if it was not requested by the SP partner.

SAML Assertion

Based on a user with the following characteristics, IdP generates a SAML Assertion similar to the one shown below:

UserID: alice
First name: Alice
Last name: Appleton
Email: alice@idp.com

SAML Assertion generated by IdP for alice:

 <samlp:Response ...>
 <saml:Issuer ...>https://idp.com</saml:Issuer>

  <samlp:Status>

  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

  </samlp:Status>

 <saml:Assertion ...>

  <saml:Issuer ...>https://idp.com</saml:Issuer>

  <dsig:Signature>

  ...

  </dsig:Signature>

 <saml:Subject>

  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid- format:unspeci9ed">alice</saml:NameID>

  ...

 </saml:Subject>
 <saml:Conditions NotBefore="2014-02-26T20:35:00Z" NotOnOrAfter="2014-02-26T22:35:00Z">
 <saml:AudienceRestriction>

  <saml:Audience>https://acme.com/sp</saml:Audience>

 </saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2014-02-26T20:35:00Z" ...>
 <saml:AuthnContext>

  <saml:AuthnContextClassRef>urn:...:Password</saml:AuthnContextClassRef>

 </saml:AuthnContext>
 </saml:AuthnStatement>
 <saml:AAributeStatement>
 <saml:Attribute Name="Name" ...>

  <saml:AAributeValue ...>My name is Alice Appleton</saml:AAributeValue>

  </saml:AAribute>

 <saml:Attribute Name="SessionCount" ...>
 <saml:AAributeValue ...>1</saml:AAributeValue>
 </saml:AAribute>
 <saml:Attribute Name="Email" ...>
 <saml:AAributeValue ...>alice@idp.com</saml:AAributeValue>
 </saml:AAribute>
 <saml:Attribute Name="IPAddress" ...>
 <saml:AAributeValue ...>10.145.120.253</saml:AAributeValue>
 </saml:AAribute>
 <saml:Attribute Name="UserID" ...>
 <saml:AAributeValue ...>alice</saml:AAributeValue>
 </saml:AAribute>
 </saml:AAributeStatement>
 </saml:Assertion>
 </samlp:Response>

WLST Commands

This section is about how to configure IdP to send attributes by using the OAM WLST commands. The example below is based on a Federation with a remote OpenID 2.0 SP partner, and the IdP is configured to:

Send the following attributes:

Email address with the OpenID attribute name set to http://axschema.org/contact/email
An attribute containing a string beginning with “My name is “ and then both the 9rst name and last name, separated by a space. The OpenID attribute name is set to http://openid.net/schema/namePerson/friendly
UserID with the OpenID attribute name set to http://schemas.openid.net/ax/api/user_id
OAM Session count with the OpenID attribute name set to <http://session/count>
The client’s IP Address with attribute name set to http://session/ipaddress

For this, create a new SP Attribute Profile, and assign it to acmeRP. If new RP partners are on boarded, it is possible to assign the existing SP Attribute Profile so that IdP sends the same attributes to those new SPs.

Assume that you are already in the WLST environment and connected using:

Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh.
Connect to the WLS Admin server: connect().
Navigate to the Domain Runtime branch: domainRuntime().

Configure New SP Attribute Profile

To configure the new SP Attribute Profile, execute the following steps:

Create a new SP Attribute Profile createSPPartnerAAributeProfile("openIDAArProfile").
Specify the name of the new SP Attribute Profile.
Create the Email attribute setSPPartnerAAributeProfileEntry("openIDAArProfile", "http://axschema.org/contact/email", "$user.attr.mail").
Specify the name of the SP Attribute Profile to modify.
Specify the OpenID attribute name to http://axschema.org/contact/email.
Set the value to the LDAP Attribute containing the email address, mail in this case: $user.attr.mail.
Create the Name attribute setSPPartnerAAributeProfileEntry("openIDAArProfile", "http://openid.net/schema/namePerson/friendly", "My name is $user.attr.givenname $user.attr.sn").
Specify the name of the SP Attribute Profile to modify.
Specify the OpenID attribute name to http://openid.net/schema/namePerson/friendly.
Set the value to (in this example, the givenname LDAP attribute contains the 9rst name, and sn the last name): My name is $user.attr.givenname $user.attr.sn.
Create the UserID attribute: setSPPartnerAAributeProfileEntry("openIDAArProfile", "http://schemas.openid.net/ax/api/user_id", "$user.userid").
Specify the name of the SP Attribute Profile to modify.
Specify the OpenID attribute name to <http://schemas.openid.net/ax/api/user_id>.
Set the value to the LDAP Attribute containing the email address, mail in this case: $user.attr.uid.
Create the OAM Session Count attribute setSPPartnerAAributeProfileEntry("openIDAArProfile", "http://session/count", "$session.count").
Specify the name of the SP Attribute Profile to modify.
Specify the OpenID attribute name to <http://session/count>.
Set the value to: $session.count.
Create the client’s IP Address attribute setSPPartnerAAributeProfileEntry("openIDAArProfile", "http://session/ipaddress", "$request.client_ip").
Specify the name of the SP Attribute Profile to modify.
Specify the OpenID attribute name to <http://session/ipaddress>.
Set the value to: $request.client_ip.

To update the SP partner to use that SP Attribute Profile, execute:

The setSPPartnerAAributeProfile command: setSPPartnerAAributeProfile("acmeRP", "openIDAArProfile")
Specify the SP partner name
Specify the name of the SP Attribute Profile to use

OpenID Response

Based on a user with the following characteristics, IdP generates an OpenID response similar to the one shown below:

UserID: alice
First name: Alice
Last name: Appleton
Email: alice@idp.com

OpenID Response generated by IdP for alice:

https://acme.com/sp/openidv20?re9d=id-UnaYvk-mDQy6ZQB-4R39L4An4B0-& openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res& openid.op_endpoint=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20& openid.claimed_id=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did- p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.identity=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did- p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D& openid.return_to=http%3A%2F%2Fadc00peq.us.oracle.com%3A7499%2Ffed%2Fsp%2Fopenidv20%3Fre9d%3Did-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.response_nonce=2014-02-26T21%3A35%3A08Zid- uTAXy9lDK7TVvgezZVY3XZ06iSDcZb97zxiOl0qw&openid.assoc_handle=id-n-nN- qW2VAZa75-XJshWpmVHK53Yz0-lTZtrtsJm&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response& openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=2& openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly& openid.ax.value.attr1=My+name+is+Alice+Appleton&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id& openid.ax.value.attr2=alice&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=alice%40idp.com& openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress& openid.ax.value.attr4=10.145.120.253&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax. openid.sig=TeDo%2FouX%2BXRI%2F1G8kJVsw5JOVY8%3D

The decoded URL query parameters related to the attributes are:

Name of attribute #0: openid.ax.type.attr0=http://session/count
Value for attribute #0: openid.ax.value.attr0=2
Name of attribute #1: openid.ax.type.attr1= http://openid.net/schema/namePerson/friendly
Value for attribute #1: openid.ax.value.attr1=My name is Alice Appleton
Name of attribute #2: openid.ax.type.attr2= http://schemas.openid.net/ax/api/user_id
Value for attribute #2: openid.ax.value.attr2=alice
Name of attribute #3: openid.ax.type.attr3=http://axschema.org/contact/email
Value for attribute #3: openid.ax.value.attr3=alice@idp.com
Name of attribute #4: openid.ax.type.attr4=http://session/ipaddress
Value for attribute #4: openid.ax.value.attr4=10.145.120.253

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

Title and Copyright Information

Example- Sending Attributes with OAM and IdP

F61882-01

September 2022