Posts

Showing posts from September, 2012

SAML Federation in OAM 11g R2

Image
Oracle Access Manger 11G R2 adds SAML Relying Party support as a native feature. You no longer need to stand up and integrate OIF if you want to federate with another IdP.

SAML IdP support didn't quite make it into the first OAM R2 release - so you will still need OIF. This is on the roadmap - so stay tuned.

In this article I will show how easy it is to set up OAM as a SAML relying party.

I am using OIF configured as the sample IdP. See my previous article on setting up OIF to self federate (handy for experimenting). Assuming you have OIF configured you should be able to bring up the test SP SSO page: http://demo:7499/fed/user/testspsso


You will be challenged for credentials. After logging in you will see this:




Great. Now we have a working IdP we can proceed to setting up OAM as a relying party.

As a pre-requisite make sure you have federation services enabled in OAM 11G (System Configuration -> Available Services)

Bring up the OAM Console and navigate to System Configuration …

OAM R2 REST APIs for Policy Management

Image
Oracle Access Manager 11g R2 provides several new REST APIs. This continues a trend to expose key functionality via Web Services.

The OAM Mobile and Social service provides APIs for Authentication, Authorization  and User Profile services.  I will cover those APIs in a future article (have a look here for examples) - but today I want to focus on the  policy management APIs.

The Policy Administration API enables to you to interact with OAM to create a variety of Policy objects such as Application Domains, Resources, AuthN Schemes, and AuthN/AuthZ policies. The policy model is shown below:




For example, if you want to retrieve all of the resources in an Application Domain you can perform a GET against the /resource URI:


curl -u USER:PASSWORD http://<SERVER>:<PORT>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/resource?appdomain="IAM Suite"

Note: The port above is where the OAM Admin Server is deployed (often 7001). It is NOT the managed server (oam_server1 - 14100 by …