Adding an OpenID Relying Party to Oracle Identity Federation (OIF)


Since January of 2011 (11.1.1.4), OIF (Oracle Identity Federation) supports OpenID 2.0 both as a Relying Party and as an OpenID provider.


During a recent POC we demonstrated OIF configured as an OpenID RP with Google as the OpenID Provider. What follows is a bit of a cookbook on configuring OIF to work with Google as the IdP.


OIF is administered through Enterprise Manager. Log on to the OIF EM console (for example, http://demo.com:7411/em).


Step 1: Enable OpenID RP support


Navigate to OIF Administration -> Service provider
  • Select OpenId 2.0 tab
  • Select Map User via Federated Identity
  • Unselect Map user via attribute query
Expand Protocol Settings

  • Click Enable OpenID 2.0 support
  • Click APPLY to save your changes
NOTE: I found that you cannot unselect "Map User via Attribute Query". As long as you override this in the IDP-specific settings, this should not matter (i.e. I think this is the default if you don't set it in the IDP).

Step 2: Add Google as an IDP


In this step you will create a new federation with Google as the OP and OIF as the RP.

  • Navigate to Federations
  • Click + to add a provider
  • You will be asked to add a provider by importing metadata, or manually. Choose Add Provider Manually
  • Enter Provider Details: Google, Description: Google, Protocol: OpenID 2.0, Role: IDP
  • Save the new provider.
  • Select the saved federation provider ("Google") and click "Edit"
  • Select Trusted Provider Settings tab
  • Enter https://www.google.com/accounts/o8/id for both the Endpoint URL and the Discovery URL
  • Select Oracle Identity Federation Settings tab
  • Assertion Settings: Check "Map User via Federated Identity" and "Error when user Mapping fails"
  • Protocol Settings: Check "Perform OpenID provider Discovery"
  • Save your changes

Step 3 (Optional): Add an AX attribute mapping


OIF supports the OpenID AX (Attribute Exchange) specification. In this step we will configure OIF to request certain attributes from Google during an SSO operation. The user will be asked to consent to providing these attributes.

Navigate to Federations -> Google -> OIF Settings
  • Click Attribute Mappings and Filters
  • Select Add Name Mappings
  • Enter User Attribute Name: email
  • Enter Assertion Attr Name: email
  • Enter Format or Namespace: http://schema.openid.net/contact/
  • Save your changes

Step 4: Test it out


OIF ships with a sample page that can be used to initiate an SSO operation. The demo page is installed as part of OIF at /user/testspsso. For example:

http://oif.demo.com/fed/user/testspsso

  • On the demo page Select Google as the IDP
  • Under Requested Attributes (space delimited) enter email
  • Click Initiate SSO
  • You should be redirected to Google. Log on with your Google credentials, and consent to allowing OIF to see the email.
  • You will be redirected back to OIF to see the results of the SSO operation. You should see the email attribute being passed back.
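What OIF does under the covers in Steps 2 to 4, as an added example that is not OIF's or Google's own code: the OpenID 2.0 checkid_setup request an RP sends to the OP endpoint after discovery, carrying the AX fetch_request for email, and the check an RP must make on the positive assertion before trusting the email that comes back (only attributes covered by openid.signed count). The return URL, identifiers, nonce and handle are constructed placeholders, the AX type URI is assumed to be the Step 3 namespace plus attribute name, and verifying openid.sig itself (association HMAC or check_authentication) is assumed to happen elsewhere.

```python
# Added example, not OIF's or Google's code: OpenID 2.0 checkid_setup request with an
# AX fetch_request (Steps 2-3) and the signed-field check an RP must make before trusting
# an AX attribute in the positive assertion (Step 4). Placeholder values are marked EXAMPLE.
OPENID_NS = "http://specs.openid.net/auth/2.0"
SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_TYPES = {"email": "http://schema.openid.net/contact/email"}  # assumed: Step 3 namespace + name
# Fields OpenID 2.0 (section 10.1) requires in openid.signed; claimed_id/identity are always present here.
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def build_checkid_setup(return_to, realm, required=("email",)):
    """Parameters for the redirect to the OP endpoint, with an AX fetch_request."""
    params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": SELECT, "openid.identity": SELECT,
              "openid.return_to": return_to, "openid.realm": realm,
              "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
              "openid.ax.required": ",".join(required)}
    for alias in required:
        params[f"openid.ax.type.{alias}"] = AX_TYPES[alias]
    return params

def signed_ax_attributes(response, expected_return_to):
    """{alias: value} for AX attributes the OP signed; raises on a bad assertion."""
    if response.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if response.get("openid.return_to") != expected_return_to:
        raise ValueError("openid.return_to does not match this RP")
    signed = set(response.get("openid.signed", "").split(","))
    if not MUST_SIGN <= signed:
        raise ValueError("mandatory fields missing from openid.signed")
    # The OP picks the extension alias, so find AX by its namespace URI, not by name.
    ax = next((k[10:] for k, v in response.items() if k.startswith("openid.ns.") and v == AX_NS), None)
    attrs = {}
    for key, value in response.items():
        if ax and key.startswith(f"openid.{ax}.value."):
            name = key.rsplit(".", 1)[1]
            # Accept only if both the type and the value are signed; unsigned AX data is untrusted.
            if {f"{ax}.type.{name}", f"{ax}.value.{name}"} <= signed:
                attrs[name] = value
    return attrs

RETURN_TO = "http://oif.demo.com/fed/sp/openidv20"  # constructed placeholder for OIF's return URL
SAMPLE_RESPONSE = {  # constructed positive assertion shaped like Google's, using the post's URLs
    "openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": "https://www.google.com/accounts/o8/id",
    "openid.claimed_id": "https://www.google.com/accounts/o8/id?id=EXAMPLE",
    "openid.identity": "https://www.google.com/accounts/o8/id?id=EXAMPLE",
    "openid.return_to": RETURN_TO, "openid.response_nonce": "2013-01-08T22:21:27ZEXAMPLE",
    "openid.assoc_handle": "EXAMPLE-HANDLE", "openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": AX_TYPES["email"], "openid.ext1.value.email": "user@gmail.com",
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
}
```

Dropping the two ext1 entries from openid.signed in SAMPLE_RESPONSE makes signed_ax_attributes return an empty dict, which is the behaviour an RP needs when an OP, or anyone in the redirect path, adds attributes the OP never signed.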

Comments

Kunal Jain said…
Hi,

I need some guidance to set up a POC.

The customer has an OAM protected company portal with AD authentication and wants to do SSO integration with Google Apps using OIF. Can you please share the high level steps that need to be followed, and also who is the IDP & SP in the above scenario.

Please revert.
Thanks.
Kunal Jain
jkunal@gmail.com
Unknown said…
Did you see this error at all?

[2013-01-08T14:21:27.399-08:00] [wls_oif2] [ERROR] [FED-12064] [oracle.security.fed.controller.ApplicationController] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000JkSGFzZ3j4YVLqJN8A1Gl_gk00033P,0] [APP: OIF#11.1.1.2.0] Exception: {0}[[
oracle.security.fed.controller.web.action.exceptions.ResponseHandlerException: oracle.security.fed.util.http.HttpException: java.net.SocketException: Network is unreachable
at oracle.security.fed.http.flow.profiles.sp.OpenIDV20RetrieveXRDSResponseHandler.perform(Unknown Source)
at oracle.security.fed.controller.ApplicationController.processServletRequest(Unknown Source)
at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(Unknown Source)
Unknown said…
Could you please help me understand what the login page would be when I integrate Google with OpenID as IDP for my OIF?
