SAML Federation in OAM 11g R2



Oracle Access Manger 11G R2 adds SAML Relying Party support as a native feature. You no longer need to stand up and integrate OIF if you want to federate with another IdP.

SAML IdP support didn't quite make it into the first OAM R2 release - so you will still need OIF. This is on the roadmap - so stay tuned.

In this article I will show how easy it is to set up OAM as a SAML relying party.

I am using OIF configured as the sample IdP. See my previous article on setting up OIF to self federate (handy for experimenting). Assuming you have OIF configured you should be able to bring up the test SP SSO page:  http://demo:7499/fed/user/testspsso


You will be challenged for credentials. After logging in you will see this:




Great. Now we have a working IdP we can proceed to setting up OAM as a relying party.

As a pre-requisite make sure you have federation services enabled in OAM 11G (System Configuration -> Available Services)

Bring up the OAM Console and navigate to System Configuration -> Identity Federation

Click on “Identity Providers” and select the new icon.







Next we need to load the SAML IdP meta data from OIF. You can export it from the em console or bring up and save this URL:

http://demo:7499/fed/idp/metadata

Select and import this meta data file into OAM. You should also select “Create Authentication Scheme and Module” at this time. Save your changes. You now have OAM configured as a Relying Party.


We still need to configure OIF to know about OAM as the service provider. To do this, export OAM’s SP meta data (under Federation Settings), and import it into OIF (Admin -> Federations ):



Edit the new federation in OIF:

In the edit screen click on the Enable Attributes in Single Sign-on.

  • Click “X509 Subject Name” and “Email Address” checkboxes and click Apply button.
  • Then click on Edit button next to the “Attribute Mapping and Filters”.
  • In Name mapping tab – add two mappings
    • User Attribute Name – givename Assertion Name givenname
    • User Attribute Name – title Assertion Name role
Make sure “Send With SSO Assertion” is enabled.

Back in OAM, navigate to Policy -> Authentication Schemes. You will see a new Authentication Scheme has been created:





You can use this Authentication Scheme in a policy - just like any other (LDAP, Kerberos, etc.).

To test your federation, create a test directory under your ohs1 instance and protect this URL with the federation Authentication Scheme. The OHS folder is something like:

/app/oracle/fmw/Oracle_WT1/instances/instance1/config/OHS/ohs1/htdocs

For this example we have created federation/index.html file under htdocs.

Bring up the policy domain for ohs1, and create an Authentication Policy that use the Federation Scheme:




Now create a resource and protect it with the policy:




Clear your browsers cookies and bring up the URL:

http://demo:7777/federation/index.html

 Because this URL is protected by the Federation Scheme, OAM will initiate federation with the configured IdP. You should see the IdP logon page. After log on you will be re-directed back to the protected page.


Pro Tip: Install the SAML tracer firefox plugin so you can watch the SAML message exchange!




Comments

Anonymous said…
Hey Warren - good to see that you have gone through this already. I am trying to set this up but I am using OpenAM as the IdP. When I import the metadata file into OAM, I get an error message:

ADFC-10001: cannot instantiate class 'oracle.security.am.fed.oif.managedbeans.idp.EditIDProviderMB'

According to some other documentation, that means that my metadata file is not valid. I am wondering if you could post (or send me) a copy of the metadata file from your OIF IdP so that I could compare.
January 4, 2013 at 10:00 AM
Anonymous said…
I thought that my problem might have been caused with the self-signed certs that I was using so I spent a bunch of time getting to know how to export and import certs from one type of keystore to another...

That didn't fix the issue.

According to one posting in Oracle support land, this is a bug with 11.1.2.0 and is subsequently fixed with 11.1.2.1. I think I only applied 1/2 of the BP01 fix to my test lab (the OIM half). I'll go back and apply the full patch and see if that gets me past this...
January 4, 2013 at 2:50 PM
Unknown said…
Hi, Great post
Now I am trying to access the attributes in the SAML token and pass them as HTTP headers to the protected applications downstream, any idead or help on how to achieve this.
February 12, 2013 at 7:15 AM
Madonaldo said…
Why are everyone looking for ways online to get help solving their pregnancy and infertility problems when most of every native American is talking online about the help of Dr Mandaker Alamun. I checked him out when my husband who could not get me pregnant for over 9 years of marriage as a result of low sperm count became fertile and now, I am 5 months pregnant and it is this man known as Dr Mandaker who helped my husband solve his problem. My name is Alecia Maldonado from CA USA. I would advise anyone and everyone who needs the help of any spell caster in love marriage,finance, job promotion,lottery spell,poker spell,golf spell,Law & Court case Spells,money spell,weigh loss spell,diabetic spell,hypertensive spell,high cholesterol spell,Trouble in marriage,Barrenness(need spiritual marriage separation),good Luck, Money Spells,it's all he does or looking for breakthrough in your political career to meet this Dr Mandaker the link to his website copy this link (witch-doctor.page4.me)His email contact witchhealing@outlook.com for He is a Reliable and trustworthy. I and my husband have gone to different hospitals having the thinking that I was at fault for not getting pregnant. But at the Federal hospital, they examined him too and his sperm count was low and unable to get a woman pregnant as a result of male infertility. It was then I sort out,thanks to Dr Mandaker.
June 25, 2019 at 9:43 AM
Post a Comment

Popular posts from this blog

Introducing ds-operator, the ForgeRock Directory Services Operator for Kubernetes

Image
ForgeRock Directory Services 7.0 was a big achievement for the Grenoble Directory team.  It is the only "Kubernetes native" directory where you can add a new replica using kubectl: kubectl scale sts/ds-idrepo --replicas=3 The 7.0 deployment is assembled using standard Kubernetes primitives such as StatefulSets , Persistent Volume Claims, and Services.  This is all built and orchestrated using Skaffold and Kustomize .  An emerging pattern in the Kubernetes world is the use of Custom Resources and Operators .  Broadly speaking, a custom resource is the declaration of the desired system state, and the operator's job is to observe the current state and bring the system into alignment with the declared state: source: https://blog.container-solutions.com/kubernetes-operators-explained The Kubernetes API server (the thing that responds to your kubectl commands) can be extended to handle new custom types.  A custom resource definition (CRD) describes to the API server the syntax
Read more

Automating OpenDJ backups on Kubernetes

Image
Kubernetes   StatefulSets  are designed to run "pet" like services such as databases.   ForgeRock's OpenDJ LDAP server is an excellent fit for StatefulSets as it requires stable network identity and persistent storage. The ForgeOps project contains a Kubernetes Helm chart to deploy DJ to a Kubernetes cluster. Using a StatefulSet, the cluster will auto-provision persistent storage for our pod. We configure OpenDJ to place its backend database on this storage volume. This gives us persistence that survives container restarts, or even restarts of the cluster. As long as we don't delete the underlying persistent volume, our data is safe. Persistent storage is quite reliable, but we typically want additional offline backups. The high level approach to accomplish this is as follows: Configure the OpenDJ container to support scheduled backups to a volume. Configure a Kubernetes volume to store the backups. Create a sidecar container that archives the backups
Read more

OAM R2 REST APIs for Policy Management

Image
Oracle Access Manager 11g R2 provides several new REST APIs. This continues a trend to expose key functionality via Web Services. The OAM Mobile and Social service provides APIs for Authentication, Authorization  and User Profile services.  I will cover those APIs in a future article (have a look here for examples) - but today I want to focus on the  policy management APIs. The Policy Administration API  enables to you to interact with OAM to create a variety of Policy objects such as Application Domains, Resources, AuthN Schemes, and AuthN/AuthZ policies. The policy model is shown below: For example, if you want to retrieve all of the resources in an Application Domain you can perform a GET against the /resource URI: curl -u USER:PASSWORD http://<SERVER>:<PORT>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/resource?appdomain="IAM Suite" Note: The port above is where the OAM Admin Server is deployed (often 7001). It is NOT the managed server (oa
Read more