In this article, I will provide examples on how to configure OIF/IdP to map OAM Authentication Schemes to Federation Authentication Methods, based on the concepts introduced in my previous entry.
I will show examples for the three protocols supported by OIF:
- SAML 2.0 SSO
- SAML 1.1 SSO
- OpenID 2.0
Enjoy the reading!
Configuration
As I mentioned in my previous article, mapping Federation Authentication Methods to OAM Authentication Schemes is protocol dependent, since the methods are defined by the protocols themselves (SAML 2.0, SAML 1.1, OpenID 2.0).
As such, the WLST commands that set those mappings will involve either:
- the SP Partner Profile, which affects all Partners referencing that profile that do not override the Federation Authentication Method to OAM Authentication Scheme mappings themselves, or
- the SP Partner entry, which only affects that SP Partner.
It is important to note that if an SP Partner is configured to define one or more Federation Authentication Method to OAM Authentication Scheme mappings, then all the mappings defined in the SP Partner Profile will be ignored.
WLST Commands
The two OIF WLST commands that can be used to define mappings between Federation Authentication Methods and OAM Authentication Schemes are:
- addSPPartnerProfileAuthnMethod() to define a mapping on an SP Partner Profile, taking as parameters:
  - The name of the SP Partner Profile
  - The Federation Authentication Method
  - The OAM Authentication Scheme name
- addSPPartnerAuthnMethod() to define a mapping on an SP Partner, taking as parameters:
  - The name of the SP Partner
  - The Federation Authentication Method
  - The OAM Authentication Scheme name
Note: I will discuss the other parameters of those commands in a subsequent article.
In the next sections, I will show examples on how to use those methods:
- For SAML 2.0, I will configure the SP Partner Profile, which applies the mappings to all SP Partners referencing this profile, unless they override the mapping definitions themselves.
- For SAML 1.1, I will configure the SP Partner.
- For OpenID 2.0, I will configure the SP/RP Partner.
SAML 2.0
Test Setup
In this setup, OIF is acting as an IdP and is integrated with a remote SAML 2.0 SP partner identified by AcmeSP.
In this test, I will perform Federation SSO with OIF/IdP configured to:
- Use LDAPScheme as the Authentication Scheme
- Use BasicScheme as the Authentication Scheme
- Map BasicScheme to the urn:oasis:names:tc:SAML:2.0:ac:classes:Password Federation Authentication Method
- Use OAMLDAPPluginAuthnScheme as the Authentication Scheme
- Map OAMLDAPPluginAuthnScheme to the urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Federation Authentication Method
LDAPScheme as Authentication Scheme
Using the OOTB settings regarding user authentication in OAM, the user will be challenged via a FORM based login page based on the LDAPScheme.
Also, the default Federation Authentication Method mappings configuration maps only the urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport to LDAPScheme (also marked as the default scheme used for authentication), FAAuthScheme, BasicScheme and BasicFAScheme.
After authentication via FORM, OIF/IdP would issue an Assertion similar to:
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...>
    <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
    <dsig:Signature> ... </dsig:Signature>
    <saml:Subject>
      <saml:NameID ...>[email protected]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData .../>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
BasicScheme as Authentication Scheme
For this test, I will switch the default Authentication Scheme for the SP Partner Profile to BasicScheme instead of LDAPScheme. I will use the OIF WLST setSPPartnerProfileDefaultScheme() command and specify which scheme is to be used as the default for the SP Partner Profile referenced by AcmeSP (which is saml20-sp-partner-profile in this case, as returned by getFedPartnerProfile("AcmeSP", "sp")):
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the setSPPartnerProfileDefaultScheme() command: setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", "BasicScheme")
5. Exit the WLST environment: exit()
The user will now be challenged via HTTP Basic Authentication as defined in the BasicScheme for AcmeSP.
Also, as noted earlier, the default Federation Authentication Method mappings configuration maps only the urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport to LDAPScheme (also marked as the default scheme used for authentication), FAAuthScheme, BasicScheme and BasicFAScheme.
After authentication via HTTP Basic Authentication, OIF/IdP would issue an Assertion similar to:
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...>
    <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
    <dsig:Signature> ... </dsig:Signature>
    <saml:Subject>
      <saml:NameID ...>[email protected]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData .../>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
Mapping BasicScheme
To change the Federation Authentication Method mapping for the BasicScheme to urn:oasis:names:tc:SAML:2.0:ac:classes:Password instead of urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport for the saml20-sp-partner-profile SAML 2.0 SP Partner Profile (the profile to which my AcmeSP Partner is bound), I will execute the addSPPartnerProfileAuthnMethod() method:
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the addSPPartnerProfileAuthnMethod() command: addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "BasicScheme")
5. Exit the WLST environment: exit()
After authentication via HTTP Basic Authentication, OIF/IdP would now issue an Assertion similar to (see that the AuthnContextClassRef was changed from PasswordProtectedTransport to Password):
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...>
    <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
    <dsig:Signature> ... </dsig:Signature>
    <saml:Subject>
      <saml:NameID ...>[email protected]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData .../>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
OAMLDAPPluginAuthnScheme as Authentication Scheme
For this test, I will switch the default Authentication Scheme for the SP Partner Profile to OAMLDAPPluginAuthnScheme instead of BasicScheme. I will use the OIF WLST setSPPartnerProfileDefaultScheme() command and specify which scheme is to be used as the default for the SP Partner Profile referenced by AcmeSP (which is saml20-sp-partner-profile in this case, as returned by getFedPartnerProfile("AcmeSP", "sp")):
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the setSPPartnerProfileDefaultScheme() command: setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", "OAMLDAPPluginAuthnScheme")
5. Exit the WLST environment: exit()
The user will now be challenged via the FORM defined in the OAMLDAPPluginAuthnScheme for AcmeSP.
Unlike LDAPScheme and BasicScheme, the OAMLDAPPluginAuthnScheme is not mapped by default to any Federation Authentication Method. As such, OIF/IdP will not be able to find a Federation Authentication Method and will set the method in the SAML Assertion to the OAM Authentication Scheme name.
After authentication via FORM, OIF/IdP would issue an Assertion similar to (see the AuthnContextClassRef set to OAMLDAPPluginAuthnScheme):
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...>
    <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
    <dsig:Signature> ... </dsig:Signature>
    <saml:Subject>
      <saml:NameID ...>[email protected]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData .../>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>OAMLDAPPluginAuthnScheme</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
Mapping OAMLDAPPluginAuthnScheme
To add the OAMLDAPPluginAuthnScheme to the urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Federation Authentication Method mapping, I will execute the addSPPartnerProfileAuthnMethod() method:
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the addSPPartnerProfileAuthnMethod() command: addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "OAMLDAPPluginAuthnScheme")
5. Exit the WLST environment: exit()
After authentication via FORM, OIF/IdP would now issue an Assertion similar to (see that the method was changed from OAMLDAPPluginAuthnScheme to PasswordProtectedTransport):
<samlp:Response ...>
  <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ...>
    <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer>
    <dsig:Signature> ... </dsig:Signature>
    <saml:Subject>
      <saml:NameID ...>[email protected]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData .../>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
SAML 1.1
Test Setup
In this setup, OIF is acting as an IdP and is integrated with a remote SAML 1.1 SP partner identified by AcmeSP.
In this test, I will perform Federation SSO with OIF/IdP configured to:
- Use LDAPScheme as the Authentication Scheme
- Use OAMLDAPPluginAuthnScheme as the Authentication Scheme
- Map OAMLDAPPluginAuthnScheme to the urn:oasis:names:tc:SAML:1.0:am:password Federation Authentication Method
- Use LDAPScheme as the Authentication Scheme
- Map LDAPScheme to the urn:oasis:names:tc:SAML:1.0:am:password Federation Authentication Method
LDAPScheme as Authentication Scheme
Using the OOTB settings regarding user authentication in OAM, the user will be challenged via a FORM based login page based on the LDAPScheme.
Also, the default Federation Authentication Method mappings configuration maps only the urn:oasis:names:tc:SAML:1.0:am:password to LDAPScheme (also marked as the default scheme used for authentication), FAAuthScheme, BasicScheme and BasicFAScheme.
After authentication via FORM, OIF/IdP would issue an Assertion similar to:
<samlp:Response ...>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion Issuer="https://idp.com/oam/fed" ...>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier ...>[email protected]</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthnStatement>
    <dsig:Signature> ... </dsig:Signature>
  </saml:Assertion>
</samlp:Response>
OAMLDAPPluginAuthnScheme as Authentication Scheme
For this test, I will switch the default Authentication Scheme for the SP Partner to OAMLDAPPluginAuthnScheme instead of LDAPScheme. I will use the OIF WLST setSPPartnerDefaultScheme() command and specify which scheme is to be used as the default for the SP Partner:
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the setSPPartnerDefaultScheme() command: setSPPartnerDefaultScheme("AcmeSP", "OAMLDAPPluginAuthnScheme")
5. Exit the WLST environment: exit()
The user will be challenged via the FORM defined in the OAMLDAPPluginAuthnScheme for AcmeSP.
Unlike LDAPScheme, the OAMLDAPPluginAuthnScheme is not mapped by default to any Federation Authentication Method (in the SP Partner Profile). As such, OIF/IdP will not be able to find a Federation Authentication Method and will set the method in the SAML Assertion to the OAM Authentication Scheme name.
After authentication via FORM, OIF/IdP would issue an Assertion similar to (see the AuthenticationMethod set to OAMLDAPPluginAuthnScheme):
<samlp:Response ...>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion Issuer="https://idp.com/oam/fed" ...>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z" AuthenticationMethod="OAMLDAPPluginAuthnScheme">
      <saml:Subject>
        <saml:NameIdentifier ...>[email protected]</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthnStatement>
    <dsig:Signature> ... </dsig:Signature>
  </saml:Assertion>
</samlp:Response>
Mapping OAMLDAPPluginAuthnScheme
To map the OAMLDAPPluginAuthnScheme to the Federation Authentication Method urn:oasis:names:tc:SAML:1.0:am:password for this SP Partner only, I will execute the addSPPartnerAuthnMethod() method:
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the addSPPartnerAuthnMethod() command: addSPPartnerAuthnMethod("AcmeSP", "urn:oasis:names:tc:SAML:1.0:am:password", "OAMLDAPPluginAuthnScheme")
5. Exit the WLST environment: exit()
After authentication via FORM, OIF/IdP would now issue an Assertion similar to (see that the method was changed from OAMLDAPPluginAuthnScheme to password):
<samlp:Response ...>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion Issuer="https://idp.com/oam/fed" ...>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier ...>[email protected]</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthnStatement>
    <dsig:Signature> ... </dsig:Signature>
  </saml:Assertion>
</samlp:Response>
LDAPScheme as Authentication Scheme
I will now show that defining a Federation Authentication Method mapping at the Partner level causes all mappings defined at the SP Partner Profile level to be ignored.
For this test, I will switch the default Authentication Scheme for this SP Partner back to LDAPScheme, and the Assertion issued by OIF/IdP will no longer be able to map this LDAPScheme to a Federation Authentication Method, since:
- A Federation Authentication Method mapping is defined at the SP Partner level, and thus the mappings defined at the SP Partner Profile are ignored
- The LDAPScheme is not listed in the mapping at the Partner level
I will use the OIF WLST setSPPartnerDefaultScheme() command and specify which scheme is to be used as the default for this SP Partner:
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the setSPPartnerDefaultScheme() command: setSPPartnerDefaultScheme("AcmeSP", "LDAPScheme")
5. Exit the WLST environment: exit()
After authentication via FORM, OIF/IdP would issue an Assertion similar to (see the AuthenticationMethod set to LDAPScheme):
<samlp:Response ...>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion Issuer="https://idp.com/oam/fed" ...>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z" AuthenticationMethod="LDAPScheme">
      <saml:Subject>
        <saml:NameIdentifier ...>[email protected]</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthnStatement>
    <dsig:Signature> ... </dsig:Signature>
  </saml:Assertion>
</samlp:Response>
Mapping LDAPScheme at Partner Level
To fix this issue, we will need to add the LDAPScheme to the urn:oasis:names:tc:SAML:1.0:am:password Federation Authentication Method mapping for this SP Partner only. I will execute the addSPPartnerAuthnMethod() method:
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the addSPPartnerAuthnMethod() command: addSPPartnerAuthnMethod("AcmeSP", "urn:oasis:names:tc:SAML:1.0:am:password", "LDAPScheme")
5. Exit the WLST environment: exit()
After authentication via FORM, OIF/IdP would now issue an Assertion similar to (see that the method was changed from LDAPScheme to password):
<samlp:Response ...>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion Issuer="https://idp.com/oam/fed" ...>
    <saml:Conditions ...>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.com/sp/ssov11</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier ...>[email protected]</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthnStatement>
    <dsig:Signature> ... </dsig:Signature>
  </saml:Assertion>
</samlp:Response>
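The resolution rules exercised by the SAML 2.0 and SAML 1.1 tests above (partner-level mappings hide the profile's, an unmapped scheme is emitted under its OAM name, a new mapping for a scheme replaces its earlier one) as an added Python model, not OIF code; the class, its method names and the SAML 1.1 profile name are hypothetical.

```python
"""Model of how OIF/IdP picks the Federation Authentication Method written
into an assertion, following the rules described on this page: mappings on the
SP Partner take precedence over, and completely hide, those on the SP Partner
Profile; a scheme with no mapping is emitted under its OAM scheme name.

Added example, not OIF code. Class, method and profile names are hypothetical;
adding a mapping for a scheme replaces that scheme's earlier mapping at the
same level, which is what the BasicScheme test above shows.
"""


class AuthnMethodMapper:
    def __init__(self):
        self.profile_maps = {}     # profile -> {OAM scheme: federation method}
        self.partner_maps = {}     # partner -> {OAM scheme: federation method}
        self.partner_profile = {}  # partner -> profile it is bound to

    def bind_partner(self, partner, profile):
        self.partner_profile[partner] = profile

    def add_profile_authn_method(self, profile, method, scheme):
        """Counterpart of addSPPartnerProfileAuthnMethod(profile, method, scheme)."""
        self.profile_maps.setdefault(profile, {})[scheme] = method

    def add_partner_authn_method(self, partner, method, scheme):
        """Counterpart of addSPPartnerAuthnMethod(partner, method, scheme)."""
        self.partner_maps.setdefault(partner, {})[scheme] = method

    def effective_table(self, partner):
        """Table in force for a partner: its own if it has any entry at all,
        otherwise the table of the profile it references."""
        own = self.partner_maps.get(partner)
        if own:
            return own
        return self.profile_maps.get(self.partner_profile.get(partner), {})

    def resolve(self, partner, scheme):
        """Value OIF/IdP would place in the assertion for this scheme."""
        return self.effective_table(partner).get(scheme, scheme)

    def unmapped_schemes(self, partner, schemes_in_use):
        """Schemes whose raw OAM name would leak into assertions for this
        partner; worth running before switching a partner's default scheme."""
        table = self.effective_table(partner)
        return [s for s in schemes_in_use if s not in table]


OOTB_SCHEMES = ("LDAPScheme", "FAAuthScheme", "BasicScheme", "BasicFAScheme")
SAML2_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAML2_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
SAML11_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"


def saml20_walkthrough():
    """Replays the SAML 2.0 tests above (profile-level mappings only) and
    returns the AuthnContextClassRef value after each step."""
    m = AuthnMethodMapper()
    m.bind_partner("AcmeSP", "saml20-sp-partner-profile")
    for s in OOTB_SCHEMES:                                   # OOTB profile mapping
        m.add_profile_authn_method("saml20-sp-partner-profile", SAML2_PPT, s)
    seen = [m.resolve("AcmeSP", "LDAPScheme"), m.resolve("AcmeSP", "BasicScheme")]
    m.add_profile_authn_method("saml20-sp-partner-profile", SAML2_PASSWORD, "BasicScheme")
    seen.append(m.resolve("AcmeSP", "BasicScheme"))          # now Password
    seen.append(m.resolve("AcmeSP", "OAMLDAPPluginAuthnScheme"))  # not mapped
    m.add_profile_authn_method("saml20-sp-partner-profile", SAML2_PPT, "OAMLDAPPluginAuthnScheme")
    seen.append(m.resolve("AcmeSP", "OAMLDAPPluginAuthnScheme"))
    return seen


def saml11_walkthrough():
    """Replays the four SAML 1.1 tests above, in order, and returns what the
    AuthenticationMethod attribute would contain after each step."""
    m = AuthnMethodMapper()
    m.bind_partner("AcmeSP", "saml11-sp-partner-profile")   # profile name assumed
    for s in OOTB_SCHEMES:
        m.add_profile_authn_method("saml11-sp-partner-profile", SAML11_PASSWORD, s)
    seen = [m.resolve("AcmeSP", "OAMLDAPPluginAuthnScheme")]  # not mapped
    m.add_partner_authn_method("AcmeSP", SAML11_PASSWORD, "OAMLDAPPluginAuthnScheme")
    seen.append(m.resolve("AcmeSP", "OAMLDAPPluginAuthnScheme"))  # partner mapping
    seen.append(m.resolve("AcmeSP", "LDAPScheme"))           # profile table hidden
    m.add_partner_authn_method("AcmeSP", SAML11_PASSWORD, "LDAPScheme")
    seen.append(m.resolve("AcmeSP", "LDAPScheme"))           # fixed at partner level
    return seen


if __name__ == "__main__":
    for step, value in enumerate(saml20_walkthrough() + saml11_walkthrough(), 1):
        print(step, value)
```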
OpenID 2.0
In the OpenID 2.0 flows, the RP must request the use of PAPE in order for OIF/IdP/OP to include PAPE information in its response.
For OpenID 2.0, the configuration will involve mapping a list of OpenID 2.0 policies to a list of Authentication Schemes.
The WLST command will take a list of policies delimited by the ',' character, unlike SAML 2.0 or SAML 1.1, where a single Federation Authentication Method had to be specified.
Test Setup
In this setup, OIF is acting as an IdP/OP and is integrated with a remote OpenID 2.0 SP/RP partner identified by AcmeRP.
In this test, I will perform Federation SSO with OIF/IdP configured to:
- Use LDAPScheme as the Authentication Scheme
- Map LDAPScheme to the http://schemas.openid.net/pape/policies/2007/06/phishing-resistant and http://openid-policies/password-protected policies as Federation Authentication Methods (the second one is a custom policy for this use case)
LDAPScheme as Authentication Scheme
Using the OOTB settings regarding user authentication in OAM, the user will be challenged via a FORM based login page based on the LDAPScheme.
No Federation Authentication Method is defined OOTB for OpenID 2.0, so if the IdP/OP issues an SSO response with a PAPE Response element, it will specify the scheme name instead of Federation Authentication Methods.
After authentication via FORM, OIF/IdP would issue an SSO Response similar to:
https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-
  &openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
  &openid.mode=id_res
  &openid.op_endpoint=https%3A%2F%2Fidp.com%2Fopenid
  &openid.claimed_id=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D
  &openid.identity=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D
  &openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-
  &openid.response_nonce=2014-03-24T19%3A20%3A06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1
  &openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3
  &openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0
  &openid.ax.mode=fetch_response
  &openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount
  &openid.ax.value.attr0=1
  &openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly
  &openid.ax.value.attr1=My+name+is+Bobby+Smith
  &openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id
  &openid.ax.value.attr2=bob
  &openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail
  &openid.ax.value.attr3=bob%40oracle.com
  &openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress
  &openid.ax.value.attr4=10.145.120.253
  &openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0
  &openid.pape.auth_time=2014-03-24T19%3A20%3A05Z
  &openid.pape.auth_policies=LDAPScheme
  &openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.value.attr3%2Cax.type.attr4%2Cax.value.attr4%2Cns.pape%2Cpape.auth_time%2Cpape.auth_policies
  &openid.sig=mYMgbGYSs22l8e%2FDom9NRPw15u8%3D
Mapping LDAPScheme
To map the LDAPScheme to the http://schemas.openid.net/pape/policies/2007/06/phishing-resistant and http://openid-policies/password-protected policies as Federation Authentication Methods, I will execute the addSPPartnerAuthnMethod() method (the policies will be comma separated):
1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh
2. Connect to the WLS Admin server: connect()
3. Navigate to the Domain Runtime branch: domainRuntime()
4. Execute the addSPPartnerAuthnMethod() command: addSPPartnerAuthnMethod("AcmeRP", "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant,http://openid-policies/password-protected", "LDAPScheme")
5. Exit the WLST environment: exit()
After authentication via FORM, OIF/IdP would now issue an SSO Response similar to (see that the openid.pape.auth_policies value was changed from LDAPScheme to the two policies):
https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-
  &openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
  &openid.mode=id_res
  &openid.op_endpoint=https%3A%2F%2Fidp.com%2Fopenid
  &openid.claimed_id=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D
  &openid.identity=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D
  &openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-
  &openid.response_nonce=2014-03-24T19%3A20%3A06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1
  &openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3
  &openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0
  &openid.ax.mode=fetch_response
  &openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount
  &openid.ax.value.attr0=1
  &openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly
  &openid.ax.value.attr1=My+name+is+Bobby+Smith
  &openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id
  &openid.ax.value.attr2=bob
  &openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail
  &openid.ax.value.attr3=bob%40oracle.com
  &openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress
  &openid.ax.value.attr4=10.145.120.253
  &openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0
  &openid.pape.auth_time=2014-03-24T19%3A20%3A05Z
  &openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fphishing-resistant+http%3A%2F%2Fopenid-policies%2Fpassword-protected
  &openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.value.attr3%2Cax.type.attr4%2Cax.value.attr4%2Cns.pape%2Cpape.auth_time%2Cpape.auth_policies
  &openid.sig=mYMgbGYSs22l8e%2FDom9NRPw15u8%3D
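On the receiving side, the SP or RP should read the value each of the three response formats above carries and notice when it is a bare OAM scheme name rather than a federation method; this added Python example (not OIF code) does that over constructed skeletons of the three responses, and for OpenID 2.0 also checks that pape.auth_policies is among the signed fields.

```python
"""SP-side inspection of the authentication-method value carried by each of
the three response formats shown on this page: SAML 2.0 AuthnContextClassRef,
SAML 1.1 AuthenticationMethod and the OpenID 2.0 PAPE auth_policies list.

Added example, not OIF code. The sample responses are constructed skeletons
modelled on the page's excerpts; signature verification is out of scope here,
only the PAPE field's presence in openid.signed is checked.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def is_federation_method(value):
    """True for a protocol identifier (URN or URL); False for a bare OAM
    scheme name such as 'OAMLDAPPluginAuthnScheme' that no mapping covered."""
    return value.startswith(("urn:", "http://", "https://"))


def saml2_authn_context(response_xml):
    """AuthnContextClassRef of the first AuthnStatement, whitespace trimmed."""
    ref = ET.fromstring(response_xml).find(".//{%s}AuthnContextClassRef" % SAML2_NS)
    if ref is None or not (ref.text or "").strip():
        raise ValueError("no AuthnContextClassRef in SAML 2.0 response")
    return ref.text.strip()


def saml11_authn_method(response_xml):
    """AuthenticationMethod attribute of the authentication statement."""
    for elem in ET.fromstring(response_xml).iter():
        method = elem.get("AuthenticationMethod")
        if method:
            return method.strip()
    raise ValueError("no AuthenticationMethod attribute in SAML 1.1 response")


def openid_pape_policies(id_res_url):
    """PAPE policies from an OpenID 2.0 id_res URL (space separated in the
    response), refused when the field is not covered by openid.signed."""
    params = parse_qs(urlsplit(id_res_url).query)
    signed = params.get("openid.signed", [""])[0].split(",")
    if "pape.auth_policies" not in signed:
        raise ValueError("pape.auth_policies is not covered by openid.signed")
    return params.get("openid.pape.auth_policies", [""])[0].split()


def classify(values):
    """Label each asserted value: mapped federation method or leaked scheme."""
    return {v: ("federation-method" if is_federation_method(v) else "unmapped-scheme")
            for v in values}


# Constructed samples (skeletons, not the page's full excerpts).
SAML2_SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef> OAMLDAPPluginAuthnScheme </saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>"""

SAML11_SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Assertion Issuer="https://idp.com/oam/fed">
    <saml:AuthenticationStatement AuthenticationInstant="2014-03-21T20:53:55Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>
  </saml:Assertion></samlp:Response>"""

OPENID_SAMPLE = (
    "https://acme.com/openid?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0"
    "&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies"
    "%2F2007%2F06%2Fphishing-resistant+http%3A%2F%2Fopenid-policies%2Fpassword-protected"
    "&openid.signed=op_endpoint%2Cclaimed_id%2Cns.pape%2Cpape.auth_time%2Cpape.auth_policies"
    "&openid.sig=constructed-placeholder")


def inspect_all():
    """Runs the three extractors over the samples and classifies the results."""
    values = [saml2_authn_context(SAML2_SAMPLE), saml11_authn_method(SAML11_SAMPLE)]
    values += openid_pape_policies(OPENID_SAMPLE)
    return classify(values)


if __name__ == "__main__":
    for value, label in inspect_all().items():
        print(label, value)
```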
In the next article, I will cover how OIF/IdP can be configured so that an SP can request a specific Federation Authentication Method to challenge the user during Federation SSO.
Cheers,
Damien Carru