Example: Sending Attributes with OAM and IdP
The following examples show how to configure IdP to send attributes:
- Via the OAM Administration Console, to send attributes to a SAML 2.0 SP Partner
- Via the OAM WLST commands, to send attributes to an OpenID 2.0 RP Partner
The sent attributes can be based on:
- The LDAP user record (attributes, DN…)
- The OAM user session (attributes, session count…)
- The browser’s HTTP request (cookie, user-agent…)
OAM Administration Console
This section describes how to configure IdP to send attributes via the OAM Administration Console. The example is based on a Federation with a remote SAML 2.0 SP partner, and the IdP is configured to:
- Use the Unspecified NameID format
- Use the uid LDAP user attribute to set the NameID value
- Send the following attributes:
  - Email address, with the SAML attribute name set to Email
  - An attribute containing a string beginning with “My name is “ followed by the first name and the last name, separated by a space, with the SAML attribute name set to Name
  - UserID, with the SAML attribute name set to UserID
  - OAM Session count, with the SAML attribute name set to SessionCount
  - The client’s IP Address, with the SAML attribute name set to IPAddress
For this, create a new SP Attribute Profile and assign it to acmeSP. Later on, if new SP partners are onboarded, the existing SP Attribute Profile can be assigned to them so that IdP sends the same attributes to those new SPs.
Creating SP Attribute Profile
To create a new SP Attribute Profile, perform the following steps:
- Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
- Navigate to Identity Federation, Identity Provider Administration.
- Click on the Service Provider Attribute Profiles tab.
- Click on the Create SP Attribute Profile button.
  (Illustration: Create_SP_Attribute_Profile.jpg)
- Set up the basic information about the new SP Attribute Profile:
  - Enter a name
  - Enter a description if needed
  Note: If “Default SP Partner Attribute Profile” is checked, this profile is pre-assigned when a new SP Partner is created via the UI, and it is the SP Attribute Profile used for SP partners that do not have an SP Attribute Profile assigned (for example, the ones created via WLST commands).
  (Illustration: Default_SP_Partner_Attribute_Profile.jpg)
- Add the necessary attributes listed earlier. Perform the following operations to add the Email attribute:
  - Click the Add Entry button in the Attribute Mapping table.
  - Set up the Email attribute:
    - Message Attribute Name: Email
    - Value: select user, then attr, then enter the LDAP attribute containing the email address, mail in this case
    - Always send: checked
  (Illustration: Add_Email_Attribute.jpg)
  Perform the following operations to add the Name attribute:
  - Click the Add Entry button in the Attribute Mapping table.
  - Set up the Name attribute:
    - Message Attribute Name: Name
    - Value: select expression, then enter the following string (in this example, the givenname LDAP attribute contains the first name, and sn the last name): My name is $user.attr.givenname $user.attr.sn
    - Always send: checked
  Perform the following operations to add the UserID attribute:
  - Click the Add Entry button in the Attribute Mapping table.
  - Set up the UserID attribute:
    - Message Attribute Name: UserID
    - Value: select user, then userid
    - Always send: checked
  Perform the following operations to add the SessionCount attribute:
  - Click the Add Entry button in the Attribute Mapping table.
  - Set up the SessionCount attribute:
    - Message Attribute Name: SessionCount
    - Value: select session, then count
    - Always send: checked
  (Illustration: Add_SessionCount_Attribute.jpg)
  Perform the following operations to add the IPAddress attribute:
  - Click the Add Entry button in the Attribute Mapping table.
  - Set up the IPAddress attribute:
    - Message Attribute Name: IPAddress
    - Value: select request, then client_ip
    - Always send: checked
- The SP Attribute Profile is now configured to send the required attributes to the SP partners linked to this profile.
  (Illustration: SP_Attribute_Profile.jpg)
Update the SP Partner to use the new SP Attribute Profile, and configure the NameID settings:
- Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
- Navigate to Identity Federation, Identity Provider Administration.
- Click on Search Service Provider Partners.
- Open the desired SP Partner.
- Select Unspecified as the NameID format.
- For NameID, select User ID Store Attribute and then enter uid as the LDAP attribute containing the userID.
  Note: Alternatively, select Expression in the drop-down and enter an expression similar to the one used earlier.
- In the Attribute Mapping section, select the newly created SP Attribute Profile as the Attribute Profile.
- Click Save.
(Illustration: SP_Partner_Update.jpg)
Note about Always Send
The SP Attribute Profile is used for various protocols, including:
- SAML SSO, where the SP cannot request any attributes at runtime
- SAML SOAP Attribute exchange, where the SP can request attributes at runtime
- OpenID 2.0, where the SP can request attributes at runtime
The Always Send option seen in the SP Attribute Profile section allows an administrator to instruct IdP to always send the attribute in an Assertion, even if it was not requested by the SP partner.
SAML Assertion
Based on a user with the following characteristics, IdP generates a SAML Assertion similar to the one shown below:
- UserID: alice
- First name: Alice
- Last name: Appleton
- Email: alice@idp.com
SAML Assertion generated by IdP for alice:
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...>
    <saml:Issuer ...>https://idp.com</saml:Issuer>
    <dsig:Signature>
      ...
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
      ...
    </saml:Subject>
    <saml:Conditions NotBefore="2014-02-26T20:35:00Z" NotOnOrAfter="2014-02-26T22:35:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-02-26T20:35:00Z" ...>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:...:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name" ...>
        <saml:AttributeValue ...>My name is Alice Appleton</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="SessionCount" ...>
        <saml:AttributeValue ...>1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Email" ...>
        <saml:AttributeValue ...>alice@idp.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="IPAddress" ...>
        <saml:AttributeValue ...>10.145.120.253</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="UserID" ...>
        <saml:AttributeValue ...>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
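As an added example that is not part of the original tutorial, the following Python models how the SP Attribute Profile entries created above are evaluated against the user, session and request, how the Always Send rule decides which entries are emitted, and how the result renders as the saml:AttributeStatement shown in the assertion. The user record, session and request are constructed, and the Always Send rule (an entry is sent if the box is checked or if the SP requested that attribute at runtime) is an assumption drawn from the note above.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample context; givenname, sn, mail and uid are the LDAP
# attribute names used in this example, the values are made up.
CONTEXT = {
    "user": {"userid": "alice", "attr": {"givenname": "Alice", "sn": "Appleton",
                                          "mail": "alice@idp.com", "uid": "alice"}},
    "session": {"count": 1},
    "request": {"client_ip": "10.145.120.253"},
}

# The SP Attribute Profile created above, as
# (message attribute name, value expression, Always Send) entries.
PROFILE = [
    ("Email", "$user.attr.mail", True),
    ("Name", "My name is $user.attr.givenname $user.attr.sn", True),
    ("UserID", "$user.userid", True),
    ("SessionCount", "$session.count", True),
    ("IPAddress", "$request.client_ip", True),
]

# Matches $user.attr.<ldap attribute>, $user.userid, $session.<name>, $request.<name>
_TOKEN = re.compile(r"\$(user|session|request)\.(attr\.)?(\w+)")

def resolve(expression, ctx):
    """Expand the $-tokens of an expression against the context. Assumption of
    this model: an unknown token becomes '' instead of leaking its raw text."""
    def sub(match):
        source, via_attr, name = match.groups()
        node = ctx[source]["attr"] if via_attr else ctx[source]
        value = node.get(name)
        return "" if value is None else str(value)
    return _TOKEN.sub(sub, expression)

def select_attributes(profile, ctx, requested=()):
    """Always Send model: an entry is emitted when the box is checked or when
    the SP requested that message attribute name at runtime."""
    return {name: resolve(expr, ctx)
            for name, expr, always in profile if always or name in requested}

def attribute_statement(attrs):
    """Render the selected attributes as a saml:AttributeStatement; values are
    XML-escaped so an LDAP value cannot inject markup into the assertion."""
    lines = ["<saml:AttributeStatement>"]
    for name, value in attrs.items():
        lines.append('  <saml:Attribute Name="%s">' % escape(name, {'"': "&quot;"}))
        lines.append("    <saml:AttributeValue>%s</saml:AttributeValue>" % escape(value))
        lines.append("  </saml:Attribute>")
    lines.append("</saml:AttributeStatement>")
    return "\n".join(lines)
```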
WLST Commands
This section describes how to configure IdP to send attributes by using the OAM WLST commands. The example below is based on a Federation with a remote OpenID 2.0 SP partner, and the IdP is configured to send the following attributes:
- Email address, with the OpenID attribute name set to http://axschema.org/contact/email
- An attribute containing a string beginning with “My name is “ followed by the first name and the last name, separated by a space, with the OpenID attribute name set to http://openid.net/schema/namePerson/friendly
- UserID, with the OpenID attribute name set to http://schemas.openid.net/ax/api/user_id
- OAM Session count, with the OpenID attribute name set to http://session/count
- The client’s IP Address, with the OpenID attribute name set to http://session/ipaddress
For this, create a new SP Attribute Profile and assign it to acmeRP. If new RP partners are onboarded, the existing SP Attribute Profile can be assigned to them so that IdP sends the same attributes to those new SPs.
The steps below assume that you are already in the WLST environment and connected to the WLS Admin server:
- Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server: connect()
- Navigate to the Domain Runtime branch: domainRuntime()
Configure New SP Attribute Profile
To configure the new SP Attribute Profile, execute the following steps:
- Create a new SP Attribute Profile:
  createSPPartnerAttributeProfile("openIDAttrProfile")
  - Specify the name of the new SP Attribute Profile.
- Create the Email attribute:
  setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://axschema.org/contact/email", "$user.attr.mail")
  - Specify the name of the SP Attribute Profile to modify.
  - Set the OpenID attribute name to http://axschema.org/contact/email.
  - Set the value to the LDAP attribute containing the email address, mail in this case: $user.attr.mail
- Create the Name attribute:
  setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://openid.net/schema/namePerson/friendly", "My name is $user.attr.givenname $user.attr.sn")
  - Specify the name of the SP Attribute Profile to modify.
  - Set the OpenID attribute name to http://openid.net/schema/namePerson/friendly.
  - Set the value to the following expression (in this example, the givenname LDAP attribute contains the first name, and sn the last name): My name is $user.attr.givenname $user.attr.sn
- Create the UserID attribute:
  setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://schemas.openid.net/ax/api/user_id", "$user.userid")
  - Specify the name of the SP Attribute Profile to modify.
  - Set the OpenID attribute name to http://schemas.openid.net/ax/api/user_id.
  - Set the value to the OAM user ID: $user.userid
- Create the OAM Session Count attribute:
  setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://session/count", "$session.count")
  - Specify the name of the SP Attribute Profile to modify.
  - Set the OpenID attribute name to http://session/count.
  - Set the value to: $session.count
- Create the client’s IP Address attribute:
  setSPPartnerAttributeProfileEntry("openIDAttrProfile", "http://session/ipaddress", "$request.client_ip")
  - Specify the name of the SP Attribute Profile to modify.
  - Set the OpenID attribute name to http://session/ipaddress.
  - Set the value to: $request.client_ip
To update the SP partner to use that SP Attribute Profile, execute the setSPPartnerAttributeProfile command:
setSPPartnerAttributeProfile("acmeRP", "openIDAttrProfile")
- Specify the SP partner name.
- Specify the name of the SP Attribute Profile to use.
OpenID Response
Based on a user with the following characteristics, IdP generates an OpenID response similar to the one shown below:
- UserID: alice
- First name: Alice
- Last name: Appleton
- Email: alice@idp.com
OpenID Response generated by IdP for alice:
https://acme.com/sp/openidv20?refid=id-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20&openid.claimed_id=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.identity=http%3A%2F%2Fadc00pcc.us.oracle.com%3A23002%2Foamfed%2Fidp%2Fopenidv20%3Fid%3Did-p4rWL%2FjzZAKwxAYLA%2FjOtP7s6fqjdyQ2BiSWZduaR5c%3D&openid.return_to=http%3A%2F%2Fadc00peq.us.oracle.com%3A7499%2Ffed%2Fsp%2Fopenidv20%3Frefid%3Did-UnaYvk-mDQy6ZQB-4R39L4An4B0-&openid.response_nonce=2014-02-26T21%3A35%3A08Zid-uTAXy9lDK7TVvgezZVY3XZ06iSDcZb97zxiOl0qw&openid.assoc_handle=id-n-nN-qW2VAZa75-XJshWpmVHK53Yz0-lTZtrtsJm&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=2&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.attr1=My+name+is+Alice+Appleton&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=alice&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=alice%40idp.com&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax. openid.sig=TeDo%2FouX%2BXRI%2F1G8kJVsw5JOVY8%3D
The decoded URL query parameters related to the attributes are:
- Name of attribute #0: openid.ax.type.attr0=http://session/count
- Value for attribute #0: openid.ax.value.attr0=2
- Name of attribute #1: openid.ax.type.attr1=http://openid.net/schema/namePerson/friendly
- Value for attribute #1: openid.ax.value.attr1=My name is Alice Appleton
- Name of attribute #2: openid.ax.type.attr2=http://schemas.openid.net/ax/api/user_id
- Value for attribute #2: openid.ax.value.attr2=alice
- Name of attribute #3: openid.ax.type.attr3=http://axschema.org/contact/email
- Value for attribute #3: openid.ax.value.attr3=alice@idp.com
- Name of attribute #4: openid.ax.type.attr4=http://session/ipaddress
- Value for attribute #4: openid.ax.value.attr4=10.145.120.253
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Example: Sending Attributes with OAM and IdP
F61882-01
September 2022
Copyright © 2022, Oracle and/or its affiliates.