34.4 Cryptographic Settings in Oracle Identity Federation

This chapter describes the crypto configuration properties in OIF that are used to affect the Federation SSO exchanges.

34.4.1 Hashing Algorithms

Oracle Identity Federation (OIF) supports the consumption and issuance of SAML messages signed with the SHA-1 hashing algorithm or SHA-256 hashing algorithm.

By default, OIF uses SHA-1 for signing outgoing messages. Messages are signed differently based on the binding being used.
  • For XML Digital signatures HTTP-POST or Artifact bindings are used.
  • For Query signatures HTTP-Redirect binding is used.

34.4.2 Examples on SHA-1 Signed Messages

An example of a signed AuthnRequest message sent via the HTTP-Redirect binding would be:
https://acme.com/idp/saml20?SAMLRequest=hVPLbtswEPwVgT1LpB6tY8JyoNZ1q9ZujVgJ3N4Yio5ZSKTMpaz470v5ESQB4gA8LWZ2ZnaXo%2BvHuvJ2woDUKkVhQJAnFNelVA8pui2m%2FhXywDJVskorkaK9AHQ9HgGrq4Zmrd2oG7FtBVjPNVJAS5COuLG2oRh3XRd0caDNA44IIZgMsUP1kA%%2B%2FruIoOPN0IOU8aba1MxeDtpXXKj1AeoOxUq7R%2BMX0py%2Fko5iQiKsWd3rj%2FAzyfPN%2FnJd88lCV5Lv37URBuFrGzWTVVaWRgAgL6sq3X0xgln3NaxpBcLjo%2BrLzzH%2BDw%3D%3D&RelayState=id-AkgTE5PMRAZTaKRcZHT-2rIse-oPhCxyI00Xycbf&SigAlg=hSp%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=rjZFsFuaFKv77JbspdDwT2wGV366iL3zvWc%2B1aybu%2FW%2BpFwLOfTJBtVsKfwJre1nGCU5SEvFD%2FBBURkxOG1KhR3k%2FrOw%2Bj7g7RlHfSaHKaAO3p6aAGQYPCpz%2Fd0%2BKArDAL%2FDNoH46G6Pnf7VWSb6a2COUiTV6118KaPbexrnJtE
An example of a SAML 2.0 Assertion sent via the HTTP-POST binding would be:
<samlp:Response ...<samlp:Response ...>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...
</saml:Issuer>
<samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="id-BgLUimKUWYyS3JQbf2geeP9EwS-eGKxOPTuPvxgJ" ...>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...
</saml:Issuer>
<dsig:Signature>
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-excc14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1"/>
<dsig:Reference URI="#id-BgLUimKUWYyS3JQbf2geeP9EwS-eGKxOPTuPvxgJ">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envelopedsignature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>uS85cIFf4z9KcHH/z60fNRPLoyo=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>NiTyPtOEjyG...SpVjbhKxY=</dsig:SignatureValue>
</dsig:Signature>
<saml:Subject>
...
</saml:Subject>
<saml:Conditions ...>
...
</saml:Conditions>
<saml:AuthnStatement ...>
...
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>

34.4.3 Examples on SHA-256 Signed Messages

An example of a signed AuthnRequest message sent via the HTTP-Redirect binding would be:
https://acme.com/idp/saml20?SAMLRequest=hVNdb9owFP0rkfec%2BCbAVixClY2hIdGWDui6vhnbFEuOndoOKfv1c%2Fio2kqlkp%2BuzrnnnHuvB5fPpYq2wjppdI7SBFAkNDNc6sccLRfj%2BAJFzlPNqTJa5GgnHLocDhwtVUWK2m%2F0b%2FFUC%2Bej0Eg7wp0MxI33FcG4aZqk6STGPuIMADD0c%2F%2FFLDswb9bFN2dNp61G584V4vJ3o4PJUi7MYTXWaRd0vtKoP%2BAolHYsdTU71nHbJQzgEo8JbULASlTImGmJN%2B6%2FT5eC44lr3A7%2F20G6HAzZC9lo7GxJfXng7aVEGq9h4ZD8dLv0PCNNGPvpLMOQIYNLVv9AX4lebrZ69B1MpoZJdnuUxtpkr63UVKpCs6tcA5FhVKmRelayState=id-BiQreMi9cMY3oFI9PKMNKtuOjpuFS2PrW4R8KKvd&SigAlg=hSp%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=PvyMUD%2FKXnCc0drlN1pvoK171znJkajEHLgtzE4I7YFQIvP4wp3M%2FV7y08x0Qkv0jwo9K4VBG%2BQUBFtXr41ZDp%2BHOb7GlmaY973n7X2UDlbUbVlrJX%2FqS1GyyNY6MSMcO5K0J7VJcQXf8CvGEcVHr%2FZhPjihnAO2vi%2Bej3fbfgo%3D
An example of a SAML 2.0 Assertion sent via the HTTP-POST binding would be:
<samlp:Response ...<samlp:Response ...>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...
</saml:Issuer>
<samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="id-5B4KZ-PeUzikxtC-Cr9g6uFQ-muwj3ZmC4PUW4wT" ...>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...
</saml:Issuer>
<dsig:Signature>
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-excc14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsasha256"/>
<dsig:Reference URI="#id-5B4KZ-PeUzikxtC-Cr9g6uFQ-muwj3ZmC4PUW4wT">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envelopedsignature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>Ppx/...L9ooHtsvgxvI=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>G6yppQXy...SzHz2oa+zA=</dsig:SignatureValue>
</dsig:Signature>
<saml:Subject>
...
</saml:Subject>
<saml:Conditions ...>
...
</saml:Conditions>
<saml:AuthnStatement ...>
...
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>

34.4.4 Configuring OIF to use SHA-1 or SHA-256 Hashing Algorithm

Oracle Identity Federation (OIF) can be configured at the following levels to use SHA-1 or SHA-256 in SAML signatures.
  • At a partner level
  • At a partner profile level, where all partners referencing this profile will be affected unless they were configured at a partner level for SHA-1/SHA-256 signatures
Use the following WLST commands to configure how OIF should compute a signature.
  1. Enter the WLST environment.
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  2. Connect to the WLS Admin server.
    connect()
  3. Navigate to the Domain Runtime branch.
    domainRuntime()
  4. Run the configureFedDigitalSignature() command.
    configureFedDigitalSignature(partner="", partnerProfile="", partnerType="", default="false", algorithm="SHA-256", displayOnly="false", delete="false")
    You can set the following parameters:
    • partner: To configure a specific partner
    • partnerProfile: To configure a specific partner profile
    • partnerType: Indicates the type of partner/partner profile (idp or sp)
    • algorithm: Indicates which hashing algorithm to use (SHA-1 or SHA-256)
    • displayOnly: Indicates whether or not the command should display the setting on this partner/partner profile instead of setting it. If set to true, this command will not modify the configuration (true or false)
    • delete: Indicates whether or not the command should delete the setting on this partner/partner profile instead of setting it. If set to true, this command will delete the configuration and the parent configuration (partner profile or global) will be used (true or false)
    An example would be:
    configureFedDigitalSignature(partner="AcmeIdP", partnerType="idp", algorithm="SHA-256")
  5. Exit WLST environment.
    exit()

34.4.5 Signing Outgoing Messages

This section provides information on how to configure the following settings:
  • Out of the Box (OOTB) Boolean settings for the outgoing SAML messages
  • SAML 2.0 AuthnRequest at different levels
  • Properties defined at SP/IP partner profiles

34.4.5.1 OOTB Configurations for Outgoing SAML Messages

Following are the Out-of-the-box (OOTB) Boolean settings that indicate when OIF need to sign outgoing SAML messages (if set to true, OIF signs the outgoing message).

Global Level
  • saml20sendsignedauthnrequest: SAML 2.0 AuthnRequest (true)
SAML 1.1 IdP Partner Profile
  • sendsignedrequestsoap: SAML 1.1 Request via the Artifact/SOAP binding (true)
SAML 1.1 SP Partner Profile
  • sendsignedassertion: SAML 1.1 Assertion (true)
  • sendsignedresponseassertionpost: SAML 1.1 Response containing an Assertion over the HTTP-POST binding (false)
  • sendsignedresponseassertionsoap: SAML 1.1 Response containing an Assertion over the Artifact/SOAP binding (false)
  • sendsignedresponsesoap: SAML 1.1 Response not containing an Assertion over the Artifact/SOAP binding (true)
SAML 2.0 IdP Partner Profile
  • sendsignedrequestpost: SAML 2.0 Request over the HTTP-POST binding (true)
  • sendsignedrequestquery: SAML 2.0 Request over the HTTP-Redirect binding (true)
  • sendsignedrequestsoap: SAML 2.0 Request over the Artifact/SOAP binding (true)
  • sendsignedresponsepost: SAML 2.0 Response not containing an Assertion over the HTTP-POST binding (true)
  • sendsignedresponsequery: SAML 2.0 Response not containing an Assertion over the HTTP-Redirect binding (true)
  • sendsignedresponsesoap: SAML 2.0 Response not containing an Assertion over the Artifact/SOAP binding (true)
SAML 2.0 SP Partner Profile
  • sendsignedassertion: SAML 2.0 Assertion (true)
  • sendsignedrequestpost: SAML 2.0 Request over the HTTP-POST binding (true)
  • sendsignedrequestquery: SAML 2.0 Request over the HTTP-Redirect binding (true)
  • sendsignedrequestsoap: SAML 2.0 Request over the Artifact/SOAP binding (true)
  • sendsignedresponseassertionpost: SAML 2.0 Response containing an Assertion over the HTTP-POST binding (false)
  • sendsignedresponseassertionsoap: SAML 2.0 Response containing an Assertion over the Artifact/SOAP binding (false)
  • sendsignedresponsepost: SAML 2.0 Response not containing an Assertion over the HTTP-POST binding (true)
  • sendsignedresponsequery: SAML 2.0 Response not containing an Assertion over the HTTP-Redirect binding (true)
  • sendsignedresponsesoap: SAML 2.0 Response not containing an Assertion over the Artifact/SOAP binding (true)

34.4.5.2 Configuring SAML 2.0 AuthnRequest

You can configure OIF to sign an outgoing SAML 2.0 AuthnRequest at the following levels:
  • Global level
  • IdP Partner Profile level
  • IdP Partner level
  • Partner Profile level
  • Partner level
Perform the following steps to access Domain Runtime branch:
  1. Enter the WLST environment: 
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  2. Connect to the WLS Admin server: 
    connect()
  3. Navigate to the Domain Runtime branch: 
    domainRuntime()
Upon accessing the Domain Runtime branch, run any of the following commands to configure OIF to sign an outgoing SAML 2.0 AuthnRequest at the appropriate level.
  • To configure at a global level:
    putBooleanProperty("/spglobal/saml20sendsignedauthnrequest", "true/false")

    Set the value to true to have OIF sign the outgoing AuthnRequest.

    An example would be: 
    putBooleanProperty("/spglobal/saml20sendsignedauthnrequest", "true")
  • To configure SAML 2.0 IdP at a Partner Profile level:
    putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/sendsignedauthnrequest", "true/false")

    Replace PARTNER_PROFILE by a SAML 2.0 IdP Partner Profile name.

    Set the value to true to have OIF sign the outgoing AuthnRequest.

    An example would be:
    putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/sendsignedauthnrequest", "true")
  • To configure SAML 2.0 at a IdP Partner level:
    updatePartnerProperty("PARTNER", "idp", "sendsignedauthnrequest", "true/false", "boolean")

    Replace PARTNER by a SAML 2.0 IdP Partner name.

    Set the value to true to have OIF sign the outgoing AuthnRequest.

    An example would be: 
    updatePartnerProperty("AcmeIdP", "idp", "sendsignedauthnrequest", "false", "boolean")
  • To configure at a Partner Profile level:
    putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/PROPERTY_NAME", "true/false")

    Replace PARTNER_PROFILE by a Partner Profile name.

    Replace PROPERTY_NAME by the name of the property to set the value to true or false.

    An example would be: 
    putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/sendsignedrequestquery", "true")
  • To configure at a Partner level:
    updatePartnerProperty("PARTNER", "PARTNER_TYPE", "PROPERTY_NAME","true/false", "boolean")

    Replace PARTNER by a Partner name.

    Replace PARTNER_TYPE by the type of the specified Partner (IdP or SP).

    Replace PROPERTY_NAME by the name of the property to set the value to true or false.

    An example would be: 
    updatePartnerProperty("AcmeSP", "sp", "sendsignedrequestquery", "true","boolean")

34.4.5.3 Changing SAML 2.0 Metadata

Changing the saml20sendsignedauthnrequest property at a global level changes the following attribute in the SAML 2.0 Metadata generated by OIF.
  • The AuthnRequestsSigned attribute in the SPSSODescriptor element is set based on saml20sendsignedauthnrequest property.
A sample SAML 2.0 Metadata shows these two attributes:
<md:EntityDescriptor ...>
<dsig:Signature>
...
</dsig:Signature>
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" ...>
...
</md:IDPSSODescriptor>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
...>
</md:SPSSODescriptor>
</md:EntityDescriptor>

34.4.6 Signing Incoming Messages

This section provides information on how to configure the following settings.
  • OOTB Boolean settings for the incoming SAML messages
  • SAML 2.0 AuthnRequest at different levels
  • SAML 1.1 Assertion at different levels
  • SAML 2.0 Assertion at different levels
  • Properties defined at SP/IP partner profiles

34.4.6.1 OOTB Boolean Settings for Incoming SAML Messages

Following are the Out-of-the-box (OOTB) Boolean settings that indicate when OIF need to require incoming SAML messages (if set to true, OIF requires the incoming message).

Global Level
  • saml20requiresignedauthnrequest: SAML 2.0 AuthnRequest (false)
  • saml11requiresignedassertion: SAML 1.1 Assertion contained in a Response message (true)
  • saml20requiresignedassertion: SAML 2.0 Assertion contained in a Response message (true)
SAML 1.1 IdP Partner Profile
  • requiresignedresponseassertionpost: SAML 1.1 Response via the HTTP-POST binding (false)
  • requiresignedresponseassertionsoap: SAML 1.1 Response via the Artifact/SOAP binding (false)
SAML 1.1 SP Partner Profile
  • requiresignedrequestsoap: SAML 1.1 Request via the Artifact/SOAP binding (false)
SAML 2.0 IdP Partner Profile
  • requiresignedrequestpost: SAML 2.0 Request over the HTTP-POST binding (false)
  • requiresignedrequestquery: SAML 2.0 Request over the HTTP-Redirect binding (false)
  • requiresignedrequestsoap: SAML 2.0 Request over the Artifact/SOAP binding (false)
  • requiresignedresponseassertionpost: SAML 2.0 Response containing an Assertion over the HTTP-POST binding (false)
  • requiresignedresponseassertionsoap: SAML 2.0 Response containing an Assertion over the Artifact/SOAP binding (false)
  • requiresignedresponsepost: SAML 2.0 Response not containing an Assertion over the HTTP-POST binding (false)
  • requiresignedresponsequery: SAML 2.0 Response not containing an Assertion over the HTTP-Redirect binding (false)
  • requiresignedresponsesoap: SAML 2.0 Response not containing an Assertion over the Artifact/SOAP binding (false)
SAML 2.0 SP Partner Profile
  • requiresignedrequestpost: SAML 2.0 Request over the HTTP-POST binding (false)
  • requiresignedrequestquery: SAML 2.0 Request over the HTTP-Redirect binding (false)
  • requiresignedrequestsoap: SAML 2.0 Request over the Artifact/SOAP binding (false)
  • requiresignedresponsepost: SAML 2.0 Response not containing an Assertion over the HTTP-POST binding (false)
  • requiresignedresponsequery: SAML 2.0 Response not containing an Assertion over the HTTP-Redirect binding (false)
  • requiresignedresponsesoap: SAML 2.0 Response not containing an Assertion over the Artifact/SOAP binding (false)

Note:

If an incoming message is signed, even though OIF does not require this type of message to be signed, OIF verifies the message and returns an error if signature validation fails.

34.4.6.2 Configuring SAML 2.0 AuthnRequest

You can configure OIF to sign an outgoing SAML 2.0 AuthnRequest at the following levels:
  • Global level
  • IdP Partner Profile level
  • IdP Partner level
  • Partner Profile level
  • Partner level
Perform the following steps to access Domain Runtime branch:
  1. Enter the WLST environment: 
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  2. Connect to the WLS Admin server: 
    connect()
  3. Navigate to the Domain Runtime branch: 
    domainRuntime()
Upon accessing the Domain Runtime branch, run any of the following commands to configure OIF to sign an outgoing SAML 2.0 AuthnRequest at the appropriate level.
  • To configure at a global level:
    putBooleanProperty("/spglobal/saml20sendsignedauthnrequest", "true/false")

    Set the value to true to have OIF sign the outgoing AuthnRequest.

    An example would be: 
    putBooleanProperty("/spglobal/saml20sendsignedauthnrequest", "true")
  • To configure SAML 2.0 IdP at a Partner Profile level:
    putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/sendsignedauthnrequest", "true/false")

    Replace PARTNER_PROFILE by a SAML 2.0 IdP Partner Profile name.

    Set the value to true to have OIF sign the outgoing AuthnRequest.

    An example would be:
    putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/sendsignedauthnrequest", "true")
  • To configure SAML 2.0 at a IdP Partner level:
    updatePartnerProperty("PARTNER", "idp", "sendsignedauthnrequest", "true/false", "boolean")

    Replace PARTNER by a SAML 2.0 IdP Partner name.

    Set the value to true to have OIF sign the outgoing AuthnRequest.

    An example would be: 
    updatePartnerProperty("AcmeIdP", "idp", "sendsignedauthnrequest", "false", "boolean")
  • To configure at a Partner Profile level:
    putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/PROPERTY_NAME", "true/false")

    Replace PARTNER_PROFILE by a Partner Profile name.

    Replace PROPERTY_NAME by the name of the property to set the value to true or false.

    An example would be: 
    putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/sendsignedrequestquery", "true")
  • To configure at a Partner level:
    updatePartnerProperty("PARTNER", "PARTNER_TYPE", "PROPERTY_NAME","true/false", "boolean")

    Replace PARTNER by a Partner name.

    Replace PARTNER_TYPE by the type of the specified Partner (IdP or SP).

    Replace PROPERTY_NAME by the name of the property to set the value to true or false.

    An example would be: 
    updatePartnerProperty("AcmeSP", "sp", "sendsignedrequestquery", "true","boolean")

34.4.6.3 Configuring SAML 1.1 Assertion for Incoming Messages

Upon accessing the Domain Runtime branch, run any of the following commands to configure OIF to sign or not sign an incoming SAML 1.1 Assertions at the appropriate level.
  • To configure at a global level:
    putBooleanProperty("/spglobal/saml11requiresignedassertion", "true/false")

    Set the value to true to have OIF require incoming SAML 1.1 Assertions to be signed.

    An example would be: 
    putBooleanProperty("/spglobal/saml11requiresignedassertion", "true")
  • To configure at a SAML 1.1 IdP Partner Profile level:
    putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/requiresignedassertion", "true/false")

    Replace PARTNER_PROFILE by a SAML 1.1 IdP Partner Profile name.

    Set the value to true to have OIF require incoming SAML 1.1 Assertions to be signed.

    An example would be: 
    putBooleanProperty("/fedpartnerprofiles/saml11-idp-partner-profile/requiresignedassertion", "true")
  • To configure at a SAML 1.1 IdP Partner level:
    updatePartnerProperty("PARTNER", "idp", "requiresignedassertion", "true/false", "boolean")

    Replace PARTNER by a SAML 1.1 IdP Partner name.

    Set the value to true to have OIF require incoming SAML 1.1 Assertions to be signed.

    An example would be: 
    updatePartnerProperty("AcmeSP", "sp", "requiresignedassertion", "false", "boolean")

34.4.6.4 Configuring SAML 2.0 Assertion for Incoming Messages

Upon accessing the Domain Runtime branch, run any of the following commands to configure OIF to sign or not sign an incoming SAML 2.0 Assertions at the appropriate level.
  • To configure at a global level:
    putBooleanProperty("/spglobal/saml20requiresignedassertion", "true/false")

    Set the value to true to have OIF require incoming SAML 2.0 Assertions to be signed.

    An example would be: 
    putBooleanProperty("/spglobal/saml20requiresignedassertion", "true")
  • To configure at a SAML 2.0 IdP Partner Profile level:
    putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/requiresignedassertion", "true/false")

    Replace PARTNER_PROFILE by a SAML 2.0 IdP Partner Profile name.

    Set the value to true to have OIF require incoming SAML 2.0 Assertions to be signed.

    An example would be: 
    putBooleanProperty("/fedpartnerprofiles/saml20-idp-partner-profile/requiresignedassertion", "true")
  • To configure at a SAML 2.0 IdP Partner level:
    updatePartnerProperty("PARTNER", "idp", "requiresignedassertion", "true/false", "boolean")

    Replace PARTNER by a SAML 2.0 IdP Partner name.

    Set the value to true to have OIF require incoming SAML 2.0 Assertions to be signed.

    An example would be: 
    updatePartnerProperty("AcmeSP", "sp", "requiresignedassertion", "false", "boolean")

34.4.6.5 Changing SAML 2.0 Metadata of Incoming Messages

Changing the saml20requiresignedauthnrequest or saml20requiresignedassertion properties at a global level changes the following attributes in the SAML 2.0 Metadata generated by OIF.
  • The WantAuthnRequestsSigned attribute in the IDPSSODescriptor element is set based on saml20requiresignedauthnrequest property.
  • The WantAssertionsSigned attribute in the SPSSODescriptor element is set based on saml20requiresignedassertion property.
A sample SAML 2.0 Metadata shows these two attributes:
<md:EntityDescriptor ...>
<dsig:Signature>
...
</dsig:Signature>
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" ...>
...
</md:IDPSSODescriptor>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
...>
</md:SPSSODescriptor>
</md:EntityDescriptor>

34.4.7 Configuring X.509 Certificate in Outgoing Message

The OIF can be configured to send the X.509 signing certificate in an outgoing XML SAML message sent via the HTTP-POST or SOAP binding.

The includecertinsignature Boolean property indicates whether or not the certificate will be added to the message.

For OIF to send the X.509 signing certificate in an outgoing message, run one of the following commands to set the includecertinsignature Boolean property.
  • To configure at a Partner Profile level:
    putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/includecertinsignature", "true/false")

    Replace PARTNER_PROFILE by a Partner Profile name.

    Set the value to true or false.

    An example would be: 
    putBooleanProperty("/fedpartnerprofiles/saml20-sp-partner-profile/includecertinsignature", "true")
  • To configure at a Partner level:
    updatePartnerProperty("PARTNER", "PARTNER_TYPE", "includecertinsignature", "true/false", "boolean")

    Replace PARTNER by a Partner name.

    Replace PARTNER_TYPE by the type of the specified Partner (idp or sp).

    Set the value to true or false.

    An example would be: 
    updatePartnerProperty("AcmeSP", "sp", "includecertinsignature", "true", "boolean")

34.4.8 Managing SAML 2.0 Encryption

With SAML 2.0, you can encrypt the following data in messages:
  • Assertions
  • NameIDs
  • Attributes

OIF allows an administrator to specify which types of data should be encrypted.

34.4.8.1 OOTB Configuration to Encrypt Outgoing SAML Messages

The following OOTB Boolean values indicate when OIF should encrypt outgoing SAML messages (if set to true, OIF will encrypt the data):
  • SAML 2.0 IdP Partner Profile
  • sendencryptednameid: Indicates if NameID contained in LogoutRequest messages should be encrypted (false)
  • SAML 2.0 SP Partner Profile
  • sendencryptedattribute: Indicates if each attribute contained in a SAML Assertion should be encrypted (false)
  • sendencryptednameid: Indicates if NameID contained in LogoutRequest, Assertion messages should be encrypted (false)
When creating a new SP Partner, the configuration for that Partner specifies that the OIF/IdP should not encrypt the Assertion:
  • sendencryptedassertion on the partner entry: Indicates if the Assertion should be encrypted (false)

34.4.8.2 Encrypting Outgoing Assertion

Perform the following steps to configure OIF/IdP to encrypt the outgoing Assertion for an SP Partner via the OAM Administration Console:
  1. Login to the OAM Administration Console: https://oam-admin-host:oam-adminport/oamconsole.
  2. Navigate to Identity Federation, Identity Provider Administration.
  3. Open SP Partner.
  4. In the Advanced section, select the Encrypt Assertion checkbox.
  5. Click Save.
To configure the SP Partner via WLST, perform the following steps:
  1. Enter the WLST environment:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  2. Connect to the WLS Admin server:
    connect()
  3. Navigate to the Domain Runtime branch:
    domainRuntime()
  4. Execute the updatePartnerProperty() command:
    updatePartnerProperty("PARTNER", "sp", "sendencryptedassertion", "true/false", "boolean")

    Replace PARTNER by a Partner name.

    Set the value to true or false.

    An example would be: 
    updatePartnerProperty("AcmeSP", "sp", "sendencryptedassertion", "true", "boolean")
  5. Exit the WLST environment:
    exit()

34.4.8.3 Configuring NameID and Attributes Properties

To configure the properties, perform the following steps:
  1. Enter the WLST environment:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  2. Connect to the WLS Admin server: 
    connect()
  3. Navigate to the Domain Runtime branch: 
    domainRuntime()
  4. To configure at a Partner Profile level:
    putBooleanProperty("/fedpartnerprofiles/PARTNER_PROFILE/PROPERTY_NAME", "true/false")

    Replace PARTNER_PROFILE by a Partner Profile name.

    Replace PROPERTY_NAME by the name of the property to set.

    Set the value to true or false.

    An example would be: 
    putBooleanProperty("/fedpartnerprofiles/saml20-sp-partner-profile/sendencryptedaSribute", "true")
  5. To configure at a Partner level:
    updatePartnerProperty("PARTNER", "PARTNER_TYPE", "PROPERTY_NAME", "true/false", "boolean")

    Replace PARTNER by a Partner name.

    Replace PARTNER_TYPE by the type of the specified Partner (idp or sp).

    Replace PROPERTY_NAME by the name of the property to set.

    Set the value to true or false.

    An example would be: 
    updatePartnerProperty("AcmeSP", "sp", "sendencryptedaSribute", "true", "boolean")
  6. Exit the WLST environment: 
    exit()

34.4.9 Encryption Algorithm

At the Partner or Partner Profile level, the encryption algorithm can be defined by setting the defaultencryptionmethod string property to one of the following values:
  • http://www.w3.org/2001/04/xmlenc#aes128-cbc for AES-128 CBC
  • http://www.w3.org/2001/04/xmlenc#aes192-cbc for AES-192 CBC
  • http://www.w3.org/2001/04/xmlenc#aes256-cbc for AES-256 CBC
  • http://www.w3.org/2001/04/xmlenc#tripledes-cbc for 3DES CBC

By default, that property is set to http://www.w3.org/2001/04/xmlenc#aes128-cbc (AES-128 CBC).

To configure the defaultencryptionmethod property, perform the following steps:
  1. Enter the WLST environment by executing: 
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  2. Connect to the WLS Admin server: 
    connect()
  3. Navigate to the Domain Runtime branch: 
    domainRuntime()
  4. To configure at a Partner Profile level:
    putStringProperty("/fedpartnerprofiles/PARTNER_PROFILE/defaultencryptionmethod", "ALGORITHM")

    Replace PARTNER_PROFILE by a Partner Profile name.

    Replace ALGORITHM by one of the above algorithm values.

    An example would be: 
    putStringProperty("/fedpartnerprofiles/saml20-sp-partner-profile/defaultencryptionmethod", "http://www.w3.org/2001/04/xmlenc#tripledes-cbc")
  5. To configure at a Partner level:
    updatePartnerProperty("PARTNER", "PARTNER_TYPE", "defaultencryptionmethod", "ALGORITHM", "string")

    Replace PARTNER by a Partner name.

    Replace PARTNER_TYPE by the type of the specified Partner (idp or sp).

    Replace ALGORITHM by one of the above algorithm values.

    An example would be: 
    updatePartnerProperty("AcmeSP", "sp", "defaultencryptionmethod", "http://www.w3.org/2001/04/xmlenc#tripledes-cbc", "string")
  6. Exit the WLST environment: 
    exit()