This article is a continuation of my previous entry where I explained how OIF/IdP leverages OAM to authenticate users at runtime:
OIF/IdP internally forwards
the user to OAM and indicates which Authentication Scheme should be used to challenge
the user if needed
OAM determine if
the user should be challenged (user already authenticated, session timed out or not, session authentication level equal or higher than
the level of
the authentication scheme specified by OIF/IdP…)
After identifying
the user, OAM internally forwards
the user back to OIF/IdP
OIF/IdP can resume its operation
In this article, I will discuss how OIF/IdP can be configured to map Federation Authentication Methods to OAM Authentication Schemes:
When processing an Authn Request, where
the SP requests a specific Federation Authentication Method with which
the user should be challenged
When sending an Assertion, where OIF/IdP sets
the Federation Authentication Method in
the Assertion
Enjoy
the reading!
Overview
The various Federation protocols support mechanisms allowing
the partners to exchange information on:
How
the user should be challenged, when
the SP/RP makes a request
How
the user was challenged, when
the IdP/OP issues an SSO response
When a remote SP partner redirects
the user to OIF/IdP for Federation SSO,
the message might contain data requesting how
the user should be challenged by
the IdP: this is treated as
the Requested Federation Authentication Method.
OIF/IdP will need to map that Requested Federation Authentication Method to a local Authentication Scheme, and then invoke OAM for user authentication/challenge with
the mapped Authentication Scheme. OAM would authenticate
the user if necessary with
the scheme specified by OIF/IdP.
Similarly, when an IdP issues an SSO response, most of
the time it will need to include an identifier representing how
the user was challenged: this is treated as
the Federation Authentication Method.
When OIF/IdP issues an Assertion, it will evaluate
the Authentication Scheme with which OAM identified
the user:
If
the Authentication Scheme can be mapped to a Federation Authentication Method, then OIF/IdP will use
the result of that mapping in
the outgoing SSO response:
AuthenticationStatement in
the SAML Assertion
OpenID Response, if PAPE is enabled
If
the Authentication Scheme cannot be mapped, then OIF/IdP will set
the Federation Authentication Method as
the Authentication Scheme name in
the outgoing SSO response:
AuthenticationStatement in
the SAML Assertion
OpenID Response, if PAPE is enabled
Mappings
In OIF/IdP,
the mapping between Federation Authentication Methods and Authentication Schemes has
the following rules:
One Federation Authentication Method can be mapped to several Authentication Schemes
In a Federation Authentication Method <-> Authentication Schemes mapping, a single Authentication Scheme is marked as
the default scheme that will be used to authenticate a user, if
the SP/RP partner requests
the user to be authenticated via a specific Federation Authentication Method
An Authentication Scheme can be mapped to a single Federation Authentication Method
Let’s examine
the following example and
the various use cases, based on
the SAML 2.0 protocol:
Mappings defined as:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport mapped to
LDAPScheme, marked as
the default scheme used for authentication
BasicScheme
urn:oasis:names:tc:SAML:2.0:ac:classes:X509 mapped to
X509Scheme, marked as
the default scheme used for authentication
Use cases:
SP sends an AuthnRequest specifying urn:oasis:names:tc:SAML:2.0:ac:classes:X509 as
the RequestedAuthnContext: OIF/IdP will authenticate
the use with X509Scheme since it is
the default scheme mapped for that method.
SP sends an AuthnRequest specifying urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as
the RequestedAuthnContext: OIF/IdP will authenticate
the use with LDAPScheme since it is
the default scheme mapped for that method, not
the BasicScheme
SP did not request any specific methods, and user was authenticated with BasisScheme: OIF/IdP will issue an Assertion with urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as
the FederationAuthenticationMethod
SP did not request any specific methods, and user was authenticated with LDAPScheme: OIF/IdP will issue an Assertion with urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport as
the FederationAuthenticationMethod
SP did not request any specific methods, and user was authenticated with BasisSessionlessScheme: OIF/IdP will issue an Assertion with BasisSessionlessScheme as
the FederationAuthenticationMethod, since that scheme could not be mapped to any Federation Authentication Method (in this case,
the administrator would need to correct that and create a mapping)
Configuration
Mapping Federation Authentication Methods to OAM Authentication Schemes is protocol dependent, since
the methods are defined in
the various protocols (SAML 2.0, SAML 1.1, OpenID 2.0).
As such,
the WLST commands to set those mappings will involve:
Either
the SP Partner Profile and affect all Partners referencing that profile, which do not override
the Federation Authentication Method to OAM Authentication Scheme mappings
Or
the SP Partner entry, which will only affect
the SP Partner
It is important to note that if an SP Partner is configured to define one or more Federation Authentication Method to OAM Authentication Scheme mappings, then all
the mappings defined in
the SP Partner Profile will be ignored.
Authentication Schemes
As discussed in
the previous article, during Federation SSO, OIF/IdP will internally forward
the user to OAM for authentication/verification and specify which Authentication Scheme to use.
OAM will determine if a user needs to be challenged:
If
the user is not authenticated yet
If
the user is authenticated but
the session timed out
If
the user is authenticated, but
the authentication scheme level of
the original authentication is lower than
the level of
the authentication scheme requested by OIF/IdP
So even though an SP requests a specific Federation Authentication Method to be used to challenge
the user, if that method is mapped to an Authentication Scheme and that at runtime OAM deems that
the user does not need to be challenged with that scheme (because
the user is already authenticated, session did not time out, and
the session authn level is equal or higher than
the one for
the specified Authentication Scheme),
the flow won’t result in a challenge operation.
Protocols
SAML 2.0
The SAML 2.0 specifications define
the following Federation Authentication Methods for SAML 2.0 flows:
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered
urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony
urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract
urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
urn:oasis:names:tc:SAML:2.0:ac:classes:PGP
urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI
urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig
urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword
urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony
urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
Out of
the box, OIF/IdP has
the following mappings for
the SAML 2.0 protocol:
Only urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport is defined
This Federation Authentication Method is mapped to:
LDAPScheme, marked as
the default scheme used for authentication
FAAuthScheme
BasicScheme
BasicFAScheme
This mapping is defined in
the saml20-sp-partner-profile SP Partner Profile which is
the default OOTB SP Partner Profile for SAML 2.0
An example of an AuthnRequest message sent by an SP to an IdP with
the SP requesting a specific Federation Authentication Method to be used to challenge
the user would be:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.com/oamfed/idp/samlv20" ID="id-8bWn-A9o4aoMl3Nhx1DuPOOjawc-" IssueInstant="2014-03-21T20:51:11Z" Version="2.0"> <saml:Issuer ...>https://acme.com/sp</saml:Issuer> <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> <samlp:RequestedAuthnContext Comparison="minimum"> <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </samlp:RequestedAuthnContext></samlp:AuthnRequest>
An example of an Assertion issued by an IdP would be:
<samlp:Response ...> <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion ...> <saml:Issuer ...>https://idp.com/oam/fed</saml:Issuer> <dsig:Signature> ... </dsig:Signature> <saml:Subject> <saml:NameID ...>
[email protected]</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData .../> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions ...> <saml:AudienceRestriction> <saml:Audience>https://acme.com/sp</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2014-03-21T20:53:55Z" SessionIndex="id-6i-Dm0yB-HekG6cejktwcKIFMzYE8Yrmqwfd0azz" SessionNotOnOrAfter="2014-03-21T21:53:55Z"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion></samlp:Response>
An administrator would be able to specify a mapping between a SAML 2.0 Federation Authentication Method and one or more OAM Authentication Schemes
SAML 1.1
The SAML 1.1 specifications define
the following Federation Authentication Methods for SAML 1.1 flows:
urn:oasis:names:tc:SAML:1.0:am:unspecified
urn:oasis:names:tc:SAML:1.0:am:HardwareToken
urn:oasis:names:tc:SAML:1.0:am:password
urn:oasis:names:tc:SAML:1.0:am:X509-PKI
urn:ietf:rfc:2246
urn:oasis:names:tc:SAML:1.0:am:PGP
urn:oasis:names:tc:SAML:1.0:am:SPKI
urn:ietf:rfc:3075
urn:oasis:names:tc:SAML:1.0:am:XKMS
urn:ietf:rfc:1510
urn:ietf:rfc:2945
Out of
the box, OIF/IdP has
the following mappings for
the SAML 1.1 protocol:
Only urn:oasis:names:tc:SAML:1.0:am:password is defined
This Federation Authentication Method is mapped to:
LDAPScheme, marked as
the default scheme used for authentication
FAAuthScheme
BasicScheme
BasicFAScheme
This mapping is defined in
the saml11-sp-partner-profile SP Partner Profile which is
the default OOTB SP Partner Profile for SAML 1.1
An example of an Assertion issued by an IdP would be:
<samlp:Response ...> <samlp:Status> <samlp:StatusCode Value="samlp:Success"/> </samlp:Status> <saml:Assertion Issuer="https://idp.com/oam/fed" ...> <saml:Conditions ...> <saml:AudienceRestriction> <saml:Audience>https://acme.com/sp/ssov11</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthenticationInstant="2014-03-21T20:53:55Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"> <saml:Subject> <saml:NameID ...>
[email protected]</saml:NameID> <saml:SubjectConfirmation> <saml:ConfirmationMethod> urn:oasis:names:tc:SAML:1.0:cm:bearer </saml:ConfirmationMethod> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthnStatement> <dsig:Signature> ... </dsig:Signature> </saml:Assertion></samlp:Response>
Note: SAML 1.1 does not define an AuthnRequest message.
An administrator would be able to specify a mapping between a SAML 1.1 Federation Authentication Method and one or more OAM Authentication Schemes
OpenID 2.0
The OpenID 2.0 PAPE specifications define
the following Federation Authentication Methods for OpenID 2.0 flows:
http://schemas.openid.net/pape/policies/2007/06/phishing-resistant
http://schemas.openid.net/pape/policies/2007/06/multi-factor
http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical
Out of
the box, OIF/IdP does not define any mappings for
the OpenID 2.0 Federation Authentication Methods.
For OpenID 2.0,
the configuration will involve mapping a list of OpenID 2.0 policies to a list of Authentication Schemes.
An example of an OpenID 2.0 Request message sent by an SP/RP to an IdP/OP would be:
https://idp.com/openid?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3&openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.realm=https%3A%2F%2Facme.com%2Fopenid&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.ax.type.attr0=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.if_available=attr0&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.max_auth_age=0
An example of an Open ID 2.0 SSO Response issued by an IdP/OP would be:
https://acme.com/openid?refid=id-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fidp.com%2Fopenid&openid.claimed_id=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.identity=https%3A%2F%2Fidp.com%2Fopenid%3Fid%3Did-38iCmmlAVEXPsFjnFVKArfn5RIiF75D5doorhEgqqPM%3D&openid.return_to=https%3A%2F%2Facme.com%2Fopenid%3Frefid%3Did-9PKVXZmRxAeDYcgLqPm36ClzOMA-&openid.response_nonce=2014-03-24T19%3A20%3A06Zid-YPa2kTNNFftZkgBb460jxJGblk2g--iNwPpDI7M1&openid.assoc_handle=id-6a5S6zhAKaRwQNUnjTKROREdAGSjWodG1el4xyz3&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.type.attr0=http%3A%2F%2Fsession%2Fcount&openid.ax.value.attr0=1&openid.ax.type.attr1=http%3A%2F%2Fopenid.net%2Fschema%2FnamePerson%2Ffriendly&openid.ax.value.attr1=My+name+is+Bobby+Smith&openid.ax.type.attr2=http%3A%2F%2Fschemas.openid.net%2Fax%2Fapi%2Fuser_id&openid.ax.value.attr2=bob&openid.ax.type.attr3=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.value.attr3=bob%40oracle.com&openid.ax.type.attr4=http%3A%2F%2Fsession%2Fipaddress&openid.ax.value.attr4=10.145.120.253&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_time=2014-03-24T19%3A20%3A05Z&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fphishing-resistant&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode%2Cax.type.attr0%2Cax.value.attr0%2Cax.type.attr1%2Cax.value.attr1%2Cax.type.attr2%2Cax.value.attr2%2Cax.type.attr3%2Cax.value.attr3%2Cax.type.attr4%2Cax.value.attr4%2Cns.pape%2Cpape.auth_time%2Cpape.auth_policies&openid.sig=mYMgbGYSs22l8e%2FDom9NRPw15u8%3D
In
the next article, I will provide examples on how to configure OIF/IdP for
the various protocols, to map OAM Authentication Schemes to Federation Authentication Methods.Cheers,Damien Carru