Adding an OpenID Relying Party to Oracle Identity Federation (OIF)

Since January of 2011, OIF (Oracle Identity Federation) has supported OpenID 2.0 both as a Relying Party (RP) and as an OpenID Provider (OP).

During a recent POC we demonstrated OIF configured as an OpenID RP with Google as the OpenID Provider. What follows is a short cookbook for configuring OIF to work with Google as the IdP.

OIF is administered through Enterprise Manager. Log on to the OIF EM console (for example,

Step 1: Enable OpenID RP support

Navigate to OIF Administration -> Service Provider
  • Select the OpenID 2.0 tab
  • Select Map User via Federated Identity
  • Unselect Map user via attribute query
Expand Protocol Settings

  • Click Enable OpenID 2.0 support
  • Click Apply to save your changes
NOTE: I found that you cannot unselect "Map User via Attribute Query". As long as you override this in the IDP-specific settings, this should not matter (i.e. I think this is the default if you don't set it in the IDP).

Step 2: Add Google as an IDP

In this step you will create a new federation with Google as the OP and OIF as the RP.

  • Navigate to Federations
  • Click + to add a provider
  • You will be asked to add a provider either by importing metadata or manually. Choose Add Provider Manually
  • Enter Provider Details:
  • Google, Description: Google, Protocol: OpenID 2.0, Role: IDP
  • Save the new provider.
  • Select the saved federation provider ("Google") and click "Edit"
  • Select Trusted Provider Settings tab
  • Enter for both the Endpoint URL and the Discovery URL
  • Select Oracle Identity Federation Settings tab
  • Assertion Settings: check "Map User via Federated Identity" and "Error when User Mapping Fails"
  • Protocol Settings: Check "Perform OpenID provider Discovery"
  • Save your changes

Step 3 (Optional): Add an AX attribute mapping

OIF supports the OpenID AX (Attribute Exchange) extension. In this step we configure OIF to request specific attributes from Google during an SSO operation; the user will be asked to consent to releasing these attributes.

Navigate to Federations -> Google -> OIF Settings
  • Click Attribute Mappings and Filters
  • Select Add Name Mappings
  • Enter User Attribute Name: email
  • Enter Assertion Attr Name: email
  • Enter Format or Namespace:
  • Save your changes

Step 4: Test it out

OIF ships with a sample page that can be used to initiate an SSO operation. The demo page is installed as part of OIF at /user/testspsso. For example:

  • On the demo page, select Google as the IDP
  • Under Requested Attributes (space delimited), enter email
  • Click Initiate SSO
  • You should be redirected to Google. Log on with your Google credentials and consent to allowing OIF to see your email address.
  • You will be redirected back to OIF to see the results of the SSO operation. You should see the email attribute passed back.
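As an added illustration (not code from the post or from OIF itself), the Python below shows what Steps 3 and 4 cause on the wire: the OpenID 2.0 AX parameters an RP sends when it requests the email attribute, and the check an RP applies to the OP's positive assertion before trusting that attribute, namely that the AX fields are listed in openid.signed. The axschema.org type URI for email is the standard AX value and is assumed here, and the sample assertion is constructed.

```python
# Added example: OpenID 2.0 Attribute Exchange (AX) request/response handling
# as an RP like OIF performs it. Signature verification itself (the association
# HMAC or check_authentication) is done separately and is out of scope here.

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL_TYPE = "http://axschema.org/contact/email"  # assumed: standard AX type URI for email


def ax_fetch_request(aliases):
    """Return the openid.* parameters that ask the OP for the given AX
    attributes. `aliases` maps an alias (e.g. 'email') to its type URI."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, type_uri in aliases.items():
        params["openid.ax.type." + alias] = type_uri
    params["openid.ax.required"] = ",".join(aliases)
    return params


def extract_ax_attributes(assertion):
    """Return {alias: value} for AX attributes in a positive assertion, but
    only those whose type and value fields (and the AX namespace) are covered
    by openid.signed. Fields outside the signed list are not protected by the
    OP's signature and must not be mapped to a user."""
    if (assertion.get("openid.ns.ax") != AX_NS
            or assertion.get("openid.ax.mode") != "fetch_response"):
        return {}
    # openid.signed lists field names without the "openid." prefix
    signed = set(assertion.get("openid.signed", "").split(","))
    if "ns.ax" not in signed:
        return {}
    result = {}
    prefix = "openid.ax.type."
    for key in assertion:
        if not key.startswith(prefix):
            continue
        alias = key[len(prefix):]
        if "ax.type." + alias in signed and "ax.value." + alias in signed:
            result[alias] = assertion.get("openid.ax.value." + alias)
    return result


# Constructed sample: the AX-related fields of a positive assertion as they
# arrive on the RP's return_to URL after the user consents at the OP.
SAMPLE_ASSERTION = {
    "openid.mode": "id_res",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": EMAIL_TYPE,
    "openid.ax.value.email": "user@example.com",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email",
}
```

Running `extract_ax_attributes(SAMPLE_ASSERTION)` yields the email, while the same assertion with the AX fields removed from openid.signed yields nothing, which is the behaviour the "Error when User Mapping Fails" setting relies on.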
