Adding an OpenID Relying Party to Oracle Identity Federation (OIF)


Since January of 2011 (11.1.1.4), OIF (Oracle Identity Federation) supports OpenID 2.0 both as a Relying Party and as an OpenID provider.


During a recent POC we demonstrated OpenID configured as a RP with Google as the OpenID Provider. What follows is a bit of a cook book on configuring OIF to work with Google as the IdP.


OIF is administered through Enterprise Manager. Log on the OIF EM console (for example, http://demo.com:7411/em).


Step 1: Enable OpenID RP support


Navigate to OIF Administration -> Service provider
  • Select OpenId 2.0 tab
  • Select Map User via Federated Identity
  • Unselect Map user via attribute query
Expand Protocol Settings

  • Click Enable OpenID 2.0 support
  • Click APPLY to save your changes
NOTE: I found that you can not unselect "Map User via Attribute Query". As long as you override this in the IDP specific settings, this should not matter (i.e. I think this is the default if you dont set it in the IDP)

Step 2: Add Google as an IDP


In this step you will create a new federation with Google as the OP and OIF as the RP.

  • Navigate to Federations
  • Click + to add a provider
  • You will be asked to add a provider by importing meta data, or manually. Choose Add Provider Manually
  • Enter Provider Details:
  • Google, Description: Google, Protocol: OpenID 2.0, role: IDP
  • Save the new provider.
  • Select the saved federation provider ("Google") and click "Edit"
  • Select Trusted Provider Settings tab
  • Enter https://www.google.com/accounts/o8/id for both the Endpoint URL and the Discovery URL
  • Select Oracle Identity Federation Settings tab
  • Assertion Settings: Check "Map User via Federated Identity" and "Error when user Mapping fails"
  • Protocol Settings: Check "Perform OpenID provider Discovery"
  • Save your changes

Step 3 (Optional) Add an AX attribute mapping


OIF supports the OpenID AX (Attribute Exchange) specification. In this step we will configure OIF to request certain attributes from Google during a SSO operation. The user will be asked to consent to providing these attributes

Navigate to Federations -> Google -> OIF Settings
  • Click Attribute Mappings and Filters
  • Select Add Name Mappings
  • Enter User Attribute Name: email
  • Enter Assertion Attr Name: email
  • Enter Format or Namespace: http://schema.openid.net/contact/
  • Save your changes

Step 4: Test it out


OIF ships with a sample page that can be used to initiate a SSO operation. The demo page is installed as part of OIF at /user/testspsso. For example:

http://oif.demo.com/fed/user/testspsso

  • On the demo page Select Google as the IDP
  • Under Requested Attributes (space delimted) enter email
  • Click Initiate SSO
  • You should be redirected to Google. Log on with your Google Credentials, and consent to allowing OIF to see the email.
  • You will be redirected back to OIF to see the results of the SSO operation. You should see the email attribute being passed back.

Comments

Kunal Jain said…
Hi,

I need some guidance to set up a POC.

The customer has a OAM protected company portal with AD authentication and wants to do SSO integration with google apps using OIF. Can you please share high level steps that needs to be followed and also who is the IDP & SP in the above scenario.

Please revert.
Thanks.
Kunal Jain
jkunal@gmail.com
Unknown said…
Did you see this error at all?

[2013-01-08T14:21:27.399-08:00] [wls_oif2] [ERROR] [FED-12064] [oracle.security.fed.controller.ApplicationController] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000JkSGFzZ3j4YVLqJN8A1Gl_gk00033P,0] [APP: OIF#11.1.1.2.0] Exception: {0}[[
oracle.security.fed.controller.web.action.exceptions.ResponseHandlerException: oracle.security.fed.util.http.HttpException: java.net.SocketException: Network is unreachable
at oracle.security.fed.http.flow.profiles.sp.OpenIDV20RetrieveXRDSResponseHandler.perform(Unknown Source)
at oracle.security.fed.controller.ApplicationController.processServletRequest(Unknown Source)
at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(Unknown Source)
Unknown said…
Could you please help understand what would be the login page when I integrate Google with OpenID as IDP for my OIF?

Popular posts from this blog

Introducing ds-operator, the ForgeRock Directory Services Operator for Kubernetes

OAM R2 REST APIs for Policy Management

Automating OpenDJ backups on Kubernetes