Using Test SP App in OAM/SP
This article demonstrates how to enable and use the Test SP Application in OAM/SP, which is very useful when OAM is an SP and Federation agreements are set up. It provides the following capabilities:
- Test the Federation SSO flows
- Verify if the mapping rules work
- See which attributes are sent by the IdP, how they are named and how they are processed by OAM/SP
- See the Federation token (SAML Assertion or OpenID SSO Response)
This tool is very useful to diagnose issues in the SAML/OpenID flows, before rolling Federation SSO out.
This is a Web Application that exercises the SP functionality of OAM via a browser without creating any OAM session:
- The application is accessed via a browser
- Federation SSO is started with the specified IdP
- You authenticate at the IdP
- OAM/SP processes the SAML Assertion / OpenID SSO response
- The application displays the result and the SAML Assertion / OpenID SSO response
Enabling / Disabling the Test SP Engine
Out of the box, the Test SP application is disabled and you must enable it before being able to use it.
Note: Once you’re done using the Test SP App, you should disable it.
To enable or disable the Test SP app, you need to execute the following OAM WLST commands:
- Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server: connect()
- Navigate to the Domain Runtime branch: domainRuntime()
- Execute the configureTestSPEngine() command:
  - To enable the Test SP Engine: configureTestSPEngine("true")
  - To disable the Test SP Engine: configureTestSPEngine("false")
- Exit the WLST environment: exit()
Using the Test SP Engine
Starting Federation SSO
Starting the Federation SSO flow involves:
- Going to the Test SP application via a browser
- Selecting the IdP to perform Federation SSO with
- Starting the operation
The URL to use to access the Test SP application is: http(s)://oam-runtime-host:oam-runtime-port/oamfed/user/testspss
The Test SP application displays a drop down with a list of IdPs to perform Federation SSO with:
- Either you select an IdP
- Or you choose the one referenced as Default, which instructs OAM/SP to use the Default SSO IdP
(Illustration: Initiate_Federation_SSO.jpg)
Once you select the IdP, click on the Start SSO button that triggers the Federation SSO with the specified IdP:
- You are redirected to the IdP, similarly to a normal Federation SSO operation (the IdP is not aware that you are using the Test SP application bundled with OAM: the IdP is only aware that OAM/SP is performing the Federation SSO)
- The IdP either:
  - Challenges you for your credentials, and then sends a SAML/OpenID response
  - Sends a SAML/OpenID response (either because you are already authenticated, or because an error occurred)
Result of the Test SP Operation
When the IdP redirects the user with the SAML Assertion / OpenID Response to OAM/SP, the server validates the response, maps it to an LDAP user record and returns the result to the Test SP application, which displays:
- The result of the authentication operation
- The canonical user ID to which the response was mapped, which contains:
  - The Identity Store name
  - The user’s DN
  - The user’s ID
- The authentication instant
- The IdP partner name
- Attributes from the SSO Response that are stored in the OAM session
- The decrypted/decoded SSO response
(Illustration: Test_SP_Operation_Result.jpg)
Diagnosing Issues
If the Federation SSO between an IdP and OAM/SP is not working, the Test SP engine, together with the OAM logs, is a good tool to diagnose the problems.
Mapping Issues
If the incoming SSO Assertion cannot be mapped to a local LDAP user record, the Test SP application can show:
- The error message
- The NameID/attributes sent by the IdP
- The SSO message sent by the IdP, which contains the NameID/attributes
In this example, the IdP’s and OAM/SP’s administrators agreed to use SAML 2.0 and to identify the user via the email address. The issue here is that the email address for alice at the IdP is alice.appleton@oracle.com, while in the LDAP directory used by OAM/SP, the email is alice@oracle.com.
The Test SP application displays the following information at the end of the flow:
- The authentication operation failed
- The Assertion could not be mapped to a local user record
- The data extracted from the Assertion as well as the message itself
(Illustration: Mapping_Issues_Result.jpg)
The OAM log file shows the following error message as well as the SAML message:
<Feb 28, 2014 7:18:05 AM PST> <Warning> <oracle.security.fed.eventhandler.fed.profiles.sp.sso.assertion.Saml20AssertionProcessor> <FED-15108> <User was not found during configure based authentication using NameIDmapping for name identifier: alice.appleton@oracle.com name identifier format :urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and message :
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso" ID="idaWfL5-f37nhQWh0WWjHbobsVetM-" InResponseTo="id-hqkZGMV-wEO5-CulpYxArIvr91Y14dA-WSRYZ8zP" IssueInstant="2014-02-28T15:18:05Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-PoODBDUeoiSY4ajPCQ86yjZWkw-" IssueInstant="2014-02-28T15:18:05Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#id-PoODBDUeoiSY4ajPCQ86yjZWkw-">
          <dsig:Transforms>
            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transforms>
          <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <dsig:DigestValue>X5ojFxrpBOS4klosM5jcBOF8Bqg=</dsig:DigestValue>
        </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>VJKJOBOowHZ4lVkHjX4w2YHi+0ZAa4ez/+D+ketAQcOxxtwOZPcBYERwkMgazudMh0XEMbIkwsBTVwb4tX+uV327Gjlp1hXc0uYnm2n8mZfen9Ppru6jTES4N7PoD3mOpCfFEHBUJg118DihWGLfzBWw7LMLaN2A</dsig:SignatureValue>
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice.appleton@oracle.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="id-hqkZGMV-wEO5-CulpYxArIvr91Y14dA-WSRYZ8zP" NotOnOrAfter="2014-02-28T15:23:05Z" Recipient="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-02-28T15:18:05Z" NotOnOrAfter="2014-02-28T15:23:05Z">
      <saml:AudienceRestriction><saml:Audience>http://adc00pcc.us.oracle.com:23002/oam/fed</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-02-28T15:18:05Z" SessionIndex="id-2i7BY1gGnhukoBSDmrvkBIaG-NI-" SessionNotOnOrAfter="2014-02-28T16:18:05Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
Response Validation Issues
If the incoming SSO Assertion cannot be validated, the Test SP application can show:
- The error message
- The SSO message sent by the IdP
In this example, the IdP’s and OAM/SP’s administrators agreed to use SAML 2.0, but the IdP is not signing the Assertion as required by OAM/SP (typically the Assertion is signed; for this example I disabled the signature on the IdP to showcase the error). The Test SP application displays the following information at the end of the flow:
- The authentication operation failed
- The Assertion could not be validated
- The SAML message
(Illustration: Response_Validation_Issues_Result.jpg)
The OAM log file shows the following error messages as well as the SAML message:
<Feb 28, 2014 7:23:05 AM PST> <Error> <oracle.security.fed.eventhandler.fed.profiles.utils.CheckUtils> <FEDSTS-18003> <Assertion is not signed.>
<Feb 28, 2014 7:23:05 AM PST> <Error> <oracle.security.fed.eventhandler.fed.profiles.sp.sso.v20.ProcessResponseEventHandler> <FED-18012> <Assertion cannot be validated:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso" ID="id-De7M27k5CWpBsuGzgaxwHgwqV1g-" InResponseTo="id-fX4nHKLCMcAZjHvsKfCORDZLmIDcQMpVYjqmxQb" IssueInstant="2014-02-28T15:23:05Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-EAdQSXjroyYNuuWbaBWZVdBtu8-" IssueInstant="2014-02-28T15:23:05Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adc00peq.us.oracle.com:7499/fed/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@oracle.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="id-fX4nHKLCMcAZjHvsKfCORDZLmIDcQMpVYjqmxQb" NotOnOrAfter="2014-02-28T15:28:05Z" Recipient="http://adc00pcc.us.oracle.com:23002/oam/server/fed/sp/sso"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-02-28T15:23:05Z" NotOnOrAfter="2014-02-28T15:28:05Z">
      <saml:AudienceRestriction><saml:Audience>http://adc00pcc.us.oracle.com:23002/oam/fed</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-02-28T15:23:05Z" SessionIndex="id--0QWpaU2AV-L7UpNvLH5Bn7Z5Xk-" SessionNotOnOrAfter="2014-02-28T16:23:05Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
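The two diagnoses above (a NameID that maps to no local user, and an Assertion that arrives unsigned) can be reproduced offline against the samlp:Response text copied from the OAM log. The following is an added example, not part of the article or of OAM itself: it parses a SAML 2.0 Response with the standard library, checks for a signature element and the expected Audience, and looks the NameID up in a constructed stand-in for the OAM/SP LDAP directory. Signature presence is only a structural check here; cryptographic verification against the IdP certificate is what OAM/SP actually performs.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}

def triage_response(xml_text, users_by_mail, expected_audience):
    """Mirror the Test SP checks on a logged samlp:Response: is the Assertion
    signed (structurally), is the Audience ours, does the NameID map to a user.
    The signature is NOT cryptographically verified here."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    result = {"signed": False, "name_id": "", "name_id_format": "", "audiences": [],
              "mapped_dn": None, "issues": []}
    if assertion is None:
        result["issues"].append("no saml:Assertion in response")
        return result
    # Validation-style checks, as in "Response Validation Issues"
    result["signed"] = assertion.find("dsig:Signature", NS) is not None
    if not result["signed"]:
        result["issues"].append("Assertion is not signed")
    result["audiences"] = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in result["audiences"]:
        result["issues"].append(f"audience {result['audiences']} does not include {expected_audience}")
    # Mapping-style check, as in "Mapping Issues": email-format NameID vs local directory
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        result["name_id"] = (name_id.text or "").strip()
        result["name_id_format"] = name_id.get("Format", "")
    result["mapped_dn"] = users_by_mail.get(result["name_id"].lower())
    if result["mapped_dn"] is None:
        result["issues"].append(f"no local user for NameID {result['name_id']!r} "
                                f"(format {result['name_id_format']})")
    return result

def make_response(name_id, signed):
    """Constructed samlp:Response shaped like the ones in the OAM log (sample data, not a real IdP message)."""
    sig = ('<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'
           '<dsig:SignatureValue>CONSTRUCTED</dsig:SignatureValue></dsig:Signature>') if signed else ""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="id-constructed-1">'
            '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed-2" Version="2.0">'
            f'{sig}<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
            f'{name_id}</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
            '<saml:Audience>http://adc00pcc.us.oracle.com:23002/oam/fed</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

# Constructed stand-in for the LDAP directory used by OAM/SP, keyed by the mail attribute
USERS_BY_MAIL = {"alice@oracle.com": "cn=alice,ou=people,dc=example,dc=com"}
AUDIENCE = "http://adc00pcc.us.oracle.com:23002/oam/fed"

if __name__ == "__main__":
    for nid, signed in [("alice.appleton@oracle.com", True), ("alice@oracle.com", False)]:
        print(nid, "signed" if signed else "unsigned", triage_response(make_response(nid, signed), USERS_BY_MAIL, AUDIENCE)["issues"])
```

Paste the samlp:Response from the log into triage_response() with your own mail-to-DN table to see which of the two checks fails before touching the IdP or the mapping rules.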