Oracle Identity Federation: Federate yourself!


A customer asked me how they could test their OIF IdP configuration without standing up another relying party.

Since OIF can act in both roles (IdP and SP), in turns out you can configure OIF to federate against itself.  It's seems somewhat crazy, and its not all that intuitive, so I thought I would include a few notes on how to set this up.

The key is that you must export OIFs SP and IdP metadata and re-import it back into OIF as configured federations. The "/fed/user/testspsso" test page can be then be used to initiate the federation.

Here are the basics of how to accomplish this.

Step 1: Export your SP and IdP metadata. This is done from the em console.
Administration -> Security and Trust:





Step 2) Import the exported meta data back into OIF:
Administration->Federations 

Click on the "Choose File" button and select the meta-data files you exported in step 1




You should now have an IdP and SP configured under your federations.  You may want to edit your federation settings to enable additional attributes to be mapped or change the default request format (POST, for example). See your OIF Admin guide for the details.


Step 3) Set your default SSO Identity Provider to be the newly created IdP that you just imported.

Administration->Service Provider->Common






Step 4) You are now ready to test your IdP

There is a neat Firefox plugin called "SAML Tracer" that is great for debugging SAML isses.  I highly recommend installing it.

Navigate to the test SP SSO page. This is located at:
 http://your-oif-server:7499/fed/user/testspsso

You should see something like this:




Click on "Start SSO".

You will be redirected to your OIF login page. Assuming you have configured LDAP authentication (Administration->Auth Engines -> LDAP), you will see this:


Login with your LDAP credentials, and you will see the response from the IdP:





If you are using the SAML tracer you can see the SAML request (OIF acting the SP role) and the response (OIF acting in the IdP role).  Here is an example request:









Congratulations. You have now federated with yourself!




Comments

Popular posts from this blog

Introducing ds-operator, the ForgeRock Directory Services Operator for Kubernetes

OAM R2 REST APIs for Policy Management

Automating OpenDJ backups on Kubernetes