Using Test SP App in OAM/ SP

This article demonstrates how to enable and use the Test SP Application in OAM/SP, which is very useful when OAM is an SP and Federation agreements are set up. It provides the following capabilities:

• Test the Federation SSO flows

• Verify if the mapping rules work

• See which attributes are sent by the IdP, how they are named and how they are processed by OAM/SP

• See the Federation token (SAML Assertion or OpenID SSO Response)

This tool is very useful to diagnose issues in the SAML/OpenID flows, before rolling Federation SSO out.

This is a Web Application that exercises the SP functionality of OAM via a browser without creating any OAM session:

• The application is accessed via a browser

• Federation SSO is started with the specified IdP

• You authenticate at the IdP

• OAM/SP processes the SAML Assertion / OpenID SSO response The application displays the result and SAML Assertion / OpenID SSO response

Enabling / Disabling the Test SP Engine

Out of the box, the Test SP application is disabled and you must enable it before being able to use it.

Note: Once you’re done using the Test SP App, you should disable it.

To enable or disable the Test SP app, you need to execute the following OAM WLST commands:

1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh.

2. Connect to the WLS Admin server: connect().

3. Navigate to the Domain Runtime branch: domainRuntime().

4. Execute the TestSPEngine() command:

   1. To enable the Test SP Engine: configureTestSPEngine("true")

   2. To disable the Test SP Engine: configureTestSPEngine("false")

5. Exit the WLST environment: exit().

Using the Test SP Engine

Starting Federation SSO

Starting the Federation SSO flow involves:

• Going to the Test SP application via a browser

• Selecting the IdP to perform Federation SSO with

• Starting the operation

The URL to use to access the Test SP application is: http(s)://oam-runtime-host:oam-runtime-port/oamfed/user/testspss

The Test SP application displays a drop down with a list of IdPs to perform Federation SSO with:

• Either you select an IdP

• Or you choose the one references as the Default, which instructs OAM/SP to use the Default SSO IdP

Description of the illustration Initiate_Federation_SSO.jpg

Once you select the IdP, click on the Start SSO button that triggers the Federation SSO with the specified IdP:

• You are redirected to the IdP, similarly to a normal Federation SSO operation

• (the IdP is not aware that you are using the Test SP application bundled with OAM: the IdP is only aware that OAM/SP is performing the Federation SSO) The IdP either:

• Challenges you for your credentials, and then sends a SAML/OpenID response

• Sends an SAML/OpenID response (either because you are already authenticated, or because an error occurred)

Result of the Test SP Operation

When the IdP redirects the user with the SAML Assertion / OpenID Response to OAM/SP, the server validates the response, maps it to an LDAP user record and returns the result to the Test SP application which displays:

• The result of the authentication operation

• The canonical user ID to which the response was mapped which contains

• The Identity Store name

• The user’s DN

• The user’s ID

• The authentication instant

• The IdP partner name

• Attributes from the SSO Response that are stored in the OAM session

• The decrypted/decoded SSO response

Description of the illustration Test_SP_Operation_Result.jpg

Diagnosing Issues

If the Federation SSO between an IdP and OAM/SP is not working, the Test SP engine can be a good tool with the OAM logs to diagnose the problems.

Mapping Issues

If the incoming SSO Assertion cannot be mapped to a local LDAP user record, the Test SP application can show:

• The error message

• The NameID/attributes sent by the IdP

• The SSO message sent by the IdP, which contains the NameID/attributes

In this example, the IdP’s and OAM/SP’s administrators agreed to use SAML 2.0 and identify the user via the email address. The issue here is that the email address for alice at the IdP is alice.appleton@oralce.com, while in the LDAP directory used by OAM/SP, the email is alice@oracle.com

The Test SP application displays the following information at the end of the flow:

• The authentication operation failed

• The Assertion could not be mapped to a local user record

• The data extracted from the Assertion as well as the message itself

Description of the illustration Mapping_Issues_Result.jpg

The OAM log files shows the following error message as well as the SAML message:

<Feb 28, 2014 7:18:05 AM PST> <Warning>

<oracle.security.fed.eventhandler.fed.proVles.sp.sso.assertion.Saml20AssertionProcessor><FED-15108> <User was not found during configure based authentication using NameIDmapping for name identifier: alice.appleton@oracle.com name identifier format :urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and message :<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"Destination="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso" ID="idaWfL5-f37nhQWh0WWjHbobsVetM-" InResponseTo="id-hqkZGMV-wEO5-CulpYxArIvr91Y14dA-WSRYZ8zP" IssueInstant="2014-02-28T15:18:05Z"Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><samlp:Status><samlp:StatusCodeValue="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertionxmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-PoODBDUeoiSY4ajPCQ86yjZWkw-"IssueInstanattributet="2014-02-28T15:18:05Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-PoOD-BDUeoiSY4ajPCQ86yjZWkw-"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>X5ojFxrpBOS4klosM5jcBOF8Bqg=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>VJKJOBOowHZ4lVkHjX4w2YHi+0ZAa4ez/+D+ketAQcOxxtwOZPcBYERwkMgazudMh0XEMbIkwsBTVwb4tX+uV327Gjlp1hXc0uYnm2n8mZfen9Ppru6jTES4N7PoD3mOpCfFEHBUJg118DihWGLfzBWw7LMLaN2A</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameIDFormat="urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress">alice.appleton@oracle.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="id-hqkZGMV-wEO5-CulpYxArIvr91Y14dA-WSRYZ8zP" NotOnOrAfter="2014-02-28T15:23:05Z"Recipient="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso"/></saml:SubjectConfirmation></saml:Subject><saml:ConditionsNotBefore="2014-02-28T15:18:05Z" NotOnOrAfter="2014-02-28T15:23:05Z"><saml:AudienceRestriction><saml:Audience>http://adc00pcc.us.oracle.com:23002/oam/fed</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-02-28T15:18:05Z" SessionIndex="id-2i7BY1gGnhukoBSDmrvkBIaG-NI-" SessionNotOnOrAfter="2014-02-28T16:18:05Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

Response Validation Issues

If the incoming SSO Assertion cannot be validated, the Test SP application can show:

• The error message

• The SSO message sent by the IdP

In this example, the IdP’s and OAM/SP’s administrators agreed to use SAML 2.0 but the IdP is not signing the Assertion as required by OAM/SP (typically the Assertion is signed: for this example I disabled the signature on the IdP to showcase the error) The Test SP application depicts the following information at the end of the flow:

• The authentication operation failed

• The Assertion could not be validated

• The SAML message

Description of the illustration Response_Validation_Issues_Result.jpg

The OAM log files shows the following error message as well as the SAML message:

<Feb 28, 2014 7:23:05 AM PST> <Error><oracle.security.fed.eventhandler.fed.profiles.utils.CheckUtils> <FEDSTS-18003><Assertion is not signed.><Feb 28, 2014 7:23:05 AM PST> <Error><oracle.security.fed.eventhandler.fed.profiles.sp.sso.v20.ProcessResponseEventHandler><FED-18012> <Assertion cannot be validated: <samlp:Responsexmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"Destination="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso" ID="id-De7M27k5CWpBsuGzgaxwHgwqV1g-" InResponseTo="id-fX4nHKLCMcAZjHvsKfCORDZLmIDcQMpVYjqmxQb"IssueInstant="2014-02-28T15:23:05Z"Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><samlp:Status><samlp:StatusCodeValue="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertionxmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-EAdQSXjroyYNuuWbaBWZVdBtu8-"IssueInstant="2014-02-28T15:23:05Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress">alice@oracle.com</saml:NameID><saml:SubjectConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationDataInResponseTo="id-fX4nHKLCMcA-ZjHvsKfCORDZLmIDcQMpVYjqmxQb"NotOnOrAfter="2014-02-28T15:28:05Z"Recipient="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso"/></saml:SubjectConfirmation></saml:Subject><saml:ConditionsNotBefore="2014-02-28T15:23:05Z" NotOnOrAfter="2014-02-28T15:28:05Z"><saml:AudienceRestriction><saml:Audience>http://adc00pcc.us.oracle.com:23002/oam/fed</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-02-28T15:23:05Z" SessionIndex="id--0QWpaU2AV-L7UpNvLH5Bn7Z5Xk-" SessionNotOnOrAfter="2014-02-28T16:23:05Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Using Test SP App in OAM

F61889-01

September 2022

Copyright © 2022, Oracle and/or its affiliates.