OAM 11g R2 Federation Lab
Task1-Configuring OIF11GR1 to OUD as DataStore
Task2-Verify Identity Provider
Task3-Export OIF 11gR1 IDP identity metadata
Task4-Configuring OAM and importing the IDP metadata
Task5-Import OAM11gR2 SAML2.0 Metadata(SP) into OIF11gR1
Task6-Configure Default Authentication Engine As LDAPDirectory
Task7-Configuring Federation DataStore (To Store Federated Records)
Task8-Configuring OIF AuthScheme To A Resource
Task9-Test Federation
Task10-Configuring LDAP Authrization in OAM (Part 1)
Task11-Configuring SAML attributes from IDP to back-end application as custom header attributes (Part 2)
Task12-Configuring the Responses to Send SAML Attributes to myBank Application As Headers (Part 3)
Task13-Verify LDAP Authorization And Header Responses
Task1-Configuring OIF11GR1 to OUD as DataStore
Use webgate11g_1 Application Domain
http://oam.example.com:8001/em (EM Console of OIF)
Go to Farm_IDMDomain -> Identity and Access -> OIF (11.1.1.2.0)
Oracle Identity Federation -> Administration -> Data Stores
Edit User Data Store
Repository Type = LDAP Directory
Connection URL(s)
ldap://oam.example.com:1389
Bind DN
cn=Directory Manager
Password
Oracle123
User ID Attribute
uid
User Description Attribute
uid
Person Object Class
inetorgperson
Base DN
ou=people,dc=example,dc=com
Test LDAP Connection
Task2-Verify Identity Provider
Right Side -> Oracle Identity Federation -> Administration -> Identity Provider
Click SAML 2.0 tab
Assertion Subject NameID format is defaulted to email address with the User Attribute mapping in the user store being mail
Send Encrypted Attributes = uncheck
Send Encrypted NameIDs = uncheck
Send Encrypted Assertions = uncheck
Send Signed Assertion = check
Enable SAML 2.0 Protocol = check
Enable Single Sign-On Protocol = check
Enable NameID Management Protocol: Register = check
Enable NameID Management Protocol: Terminate = check
Enable Attribute Query Responder = uncheck
Enable Authentication Query Responder = uncheck
Enable Assertion ID Responder = uncheck
Enable Protocol Bindings = SSO - Artifact;SSO - HTTP POST;SSO - HTTP POST
Default Binding = HTTP Redirect
Default SSO Response Binding = Artifact
Message Section
Request - SOAP = Send Signed = check
Response - HTTP Redirect = Send Signed = check
Response - HTTP POST = Send Signed = check
Response - SOAP = Send Signed = check
Request - HTTP POST = Send Signed = check
Response with Assertion - SOAP = Send Signed = uncheck
Request - HTTP Redirect = Send Signed = uncheck
Response with Assertion - HTTP POST = Send Signed = uncheck
AuthnRequest = n/a
Task3-Export OIF 11gR1 IDP identity metadata
Go to -> Oracle Identity Federation -> Administration -> Security and Trust
Click Provider Metadata
Provider Type : Identity Provider
Protocol : SAML 2.0
Click Generate
Choose Save
Task4-Configuring OAM and importing the IDP metadata
Go to :7001/oamconsole
System Configuration -> Available Services
Enable "Identity Federation"
"Security Token Service"
"Mobile and Social"
Now on the left , Go to Identity Federation -> Identity Providers
New Identity Provider
Browse and Import the OIF IDP Metadata file just generated
Name : OIF_IDP
Protocol : SAML 2.0
Metadata File
Map assertion Name ID to User ID Store attribute = mail
User Mapping : OUD_UserStore
User Search Base DN : ou=people,dc=example,dc=com
Provider ID : http://oam:7499/idp
Signing Certificate Subject : CN=oam Signing Certificate
Enable Identity Partner : check
Default Identity Partner : check
Enable global logout : check
HTTP POST preferred binding : check
Authentication Request NameID Format : Email Address
Now Go to Left hand Side -> Federation Settings -> Export SAML 2.0 Metadata
Provider Id: https://oam:14101/oam/fed
Signing Key: osts_signing
Encryption Key: osts_encryption
Export SAML 2.0 Metadata
Choose Save and Ok
Task5-Import OAM11gR2 SAML2.0 Metadata(SP) into OIF11gR1
Go to OIF Em Console
LEFT => Identity and Access -> OIF (11.1.1.2.0)
RIGHT => Oracle Identity Federation -> Administration Federations
Click Add
check Enable Provider
Load Metadata -> Browse File and upload
Select Record and click Edit
Click "Oracle Identity Federation Settings"
check "Enable Attributes in Single Sign-On (SSO)"
check "Email Address"
Choose Apply
Task6-Configure Default Authentication Engine As LDAPDirectory
Go to Oracle Identity Federation -> Administration -> Authentication Engines
Click LDAP Directory
Connection URL(s)
ldap://oam.example.com:1389
Bind DN
cn=Directory Manager
Password
Oracle123
Confirm Password
Oracle123
User Credential ID Attribute
uid
User Unique ID Attribute
uid
Person Object Class
inetorgperson
Base DN
ou=people,dc=example,dc=com
Enable Authentication Engine
Test LDAP Connection
Click Apply
Task7-Configuring Federation DataStore (To Store Federated Records)
Go to Oracle Identity Federation -> Administration -> Data Stores
Change Federation Data Store -> Change Repository Data Store from "None" to "XML File"
Now go to Administration -> Identities
Go to "Local Users"
Search (click)
Task8-Configuring OIF AuthScheme To A Resource
Go to /oamconsole
Identity Federation -> Identity Providers -> OIF_IDP
Click "Create Authentication Scheme and Module"
A new OIF Plugin and an OIF Scheme is created prefixed with the name of the provider OIF_IDP you had created initially
OIF_IDPFederationPlugin
OIF_IDPFederationScheme
Go to Authentication Modules -> Custom Authentication Modules -> OIF_IDPFederationPlugin
Steps
1. FedAuthnRequestPlugin
2. AssertionProcessing
Steps Orchestration
Initial Step = FedAuthnRequestPlugin
FedAuthnRequestPlugin -> success(on Success), AssertionProcessing (on Failure), failure (on Error)
AssertionProcessing -> success (on Success), failure (on Failure), On Error (failure)
Go to Policy Configuration -> Application Domains -> webgate11g_1 -> Authentication Policies -> Protected Resource Policy -> Change Authentication Scheme from LDAPScheme to OIF_IDPFederationScheme
Task9-Test Federation
edit mod_wl_ohs.conf
proxy /mybank
Try to access http://oam.example.com:7777/mybank
You will be redirected to the OIF login page
Use the OUD User user.0
Once successful authentication , mybank home page is displayed confirming the OIF Authentication
Go to Oracle Identity Federation -> Administration -> Identities
Click Federated Identities
Search
you will see user.0 who just tried
Task10-Configuring LDAP Authrization in OAM (Part 1)
/mybank/testheaders.jsp and set an authorization policies that allow only customers can access this URL
Go to Application Domain -> webgate11g_1 ->
Resources -> New Resource
Type : HTTP
Host Identifier : webgate11g_1
Resource URL : /mybank/testheaders.jsp
Query : Name Value list
Operations : ALL,CONNECT,OPTIONS,PUT,POST,GET
Protection Level : Protected
Click Apply
Go to Authorization Policies
Click "Create Authorization Policy"
Name : CustomersOnly
Resources : /mybank/testheaders.jsp
Conditions click +
Name : myBankCustomers
Type : Identity
On the bottom
Click + and Add Users and Groups
Search Store Name : OUD_UserStore
Entity Type : Group
Entity Name : Customers(Group Name)
Click Save
Now come to Rules tab
Allow Rule
Select the myBankCustomers (Identity) [Condition just created in last step]
Click Apply
Task11-Configuring SAML attributes from IDP to back-end application as custom header attributes (Part 2)
Go to OIF EM Console
Oracle Identity Federation -> Administration -> Federations
Select Provider ID record and click Edit
Click Edit "Attribute Mappings and Filters"
Name Mappings -> Add +
User Attribute Name : mail
Assertion Attribute Name : EmailAddress
Format or Namespace = blank
Send with SSO Assertion = check
Get Value from User Session = uncheck
Require from Infocard = uncheck
Name Mappings -> Add +
User Attribute Name : cn
Assertion Attribute Name : FullName
Format or Namespace = blank
Send with SSO Assertion = check
Get Value from User Session = uncheck
Require from Infocard = uncheck
Click Apply
Task12-Configuring the Responses to Send SAML Attributes to myBank Application As Headers (Part 3)
Go to the Authorization Policy -> CustomersOnly and
go to "Responses" tab
Click + add icon
Add Response
Type = Header
Name = EmailAddress
Value = $session.attr.fed.attr.EmailAddress
Click + add icon
Add Response
Type = Header
Name = FullName
Value = $session.attr.fed.attr.FullName
Click Apply
Task13-Verify LDAP Authorization And Header Responses
Take a user who belongs to the customer group
Any user who does not belong to customer group will be denied access to /mybank/testheaders.jsp
Access "http://oam.example.com:7777/mybank/testheaders.jsp"
Test a user who is not a customer member and see denied access
Now try with a user who is a member of customer group and see the testheaders.jsp page
Request Headers
FullName = FullNameOfTheTestUser
EmailAddress = EmailAddressOfTheTestUser
Task2-Verify Identity Provider
Task3-Export OIF 11gR1 IDP identity metadata
Task4-Configuring OAM and importing the IDP metadata
Task5-Import OAM11gR2 SAML2.0 Metadata(SP) into OIF11gR1
Task6-Configure Default Authentication Engine As LDAPDirectory
Task7-Configuring Federation DataStore (To Store Federated Records)
Task8-Configuring OIF AuthScheme To A Resource
Task9-Test Federation
Task10-Configuring LDAP Authrization in OAM (Part 1)
Task11-Configuring SAML attributes from IDP to back-end application as custom header attributes (Part 2)
Task12-Configuring the Responses to Send SAML Attributes to myBank Application As Headers (Part 3)
Task13-Verify LDAP Authorization And Header Responses
Task1-Configuring OIF11GR1 to OUD as DataStore
Use webgate11g_1 Application Domain
http://oam.example.com:8001/em (EM Console of OIF)
Go to Farm_IDMDomain -> Identity and Access -> OIF (11.1.1.2.0)
Oracle Identity Federation -> Administration -> Data Stores
Edit User Data Store
Repository Type = LDAP Directory
Connection URL(s)
ldap://oam.example.com:1389
Bind DN
cn=Directory Manager
Password
Oracle123
User ID Attribute
uid
User Description Attribute
uid
Person Object Class
inetorgperson
Base DN
ou=people,dc=example,dc=com
Test LDAP Connection
Task2-Verify Identity Provider
Right Side -> Oracle Identity Federation -> Administration -> Identity Provider
Click SAML 2.0 tab
Assertion Subject NameID format is defaulted to email address with the User Attribute mapping in the user store being mail
Send Encrypted Attributes = uncheck
Send Encrypted NameIDs = uncheck
Send Encrypted Assertions = uncheck
Send Signed Assertion = check
Enable SAML 2.0 Protocol = check
Enable Single Sign-On Protocol = check
Enable NameID Management Protocol: Register = check
Enable NameID Management Protocol: Terminate = check
Enable Attribute Query Responder = uncheck
Enable Authentication Query Responder = uncheck
Enable Assertion ID Responder = uncheck
Enable Protocol Bindings = SSO - Artifact;SSO - HTTP POST;SSO - HTTP POST
Default Binding = HTTP Redirect
Default SSO Response Binding = Artifact
Message Section
Request - SOAP = Send Signed = check
Response - HTTP Redirect = Send Signed = check
Response - HTTP POST = Send Signed = check
Response - SOAP = Send Signed = check
Request - HTTP POST = Send Signed = check
Response with Assertion - SOAP = Send Signed = uncheck
Request - HTTP Redirect = Send Signed = uncheck
Response with Assertion - HTTP POST = Send Signed = uncheck
AuthnRequest = n/a
Task3-Export OIF 11gR1 IDP identity metadata
Go to -> Oracle Identity Federation -> Administration -> Security and Trust
Click Provider Metadata
Provider Type : Identity Provider
Protocol : SAML 2.0
Click Generate
Choose Save
Task4-Configuring OAM and importing the IDP metadata
Go to :7001/oamconsole
System Configuration -> Available Services
Enable "Identity Federation"
"Security Token Service"
"Mobile and Social"
Now on the left , Go to Identity Federation -> Identity Providers
New Identity Provider
Browse and Import the OIF IDP Metadata file just generated
Name : OIF_IDP
Protocol : SAML 2.0
Metadata File
Map assertion Name ID to User ID Store attribute = mail
User Mapping : OUD_UserStore
User Search Base DN : ou=people,dc=example,dc=com
Provider ID : http://oam:7499/idp
Signing Certificate Subject : CN=oam Signing Certificate
Enable Identity Partner : check
Default Identity Partner : check
Enable global logout : check
HTTP POST preferred binding : check
Authentication Request NameID Format : Email Address
Now Go to Left hand Side -> Federation Settings -> Export SAML 2.0 Metadata
Provider Id: https://oam:14101/oam/fed
Signing Key: osts_signing
Encryption Key: osts_encryption
Export SAML 2.0 Metadata
Choose Save and Ok
Task5-Import OAM11gR2 SAML2.0 Metadata(SP) into OIF11gR1
Go to OIF Em Console
LEFT => Identity and Access -> OIF (11.1.1.2.0)
RIGHT => Oracle Identity Federation -> Administration Federations
Click Add
check Enable Provider
Load Metadata -> Browse File and upload
Select Record and click Edit
Click "Oracle Identity Federation Settings"
check "Enable Attributes in Single Sign-On (SSO)"
check "Email Address"
Choose Apply
Task6-Configure Default Authentication Engine As LDAPDirectory
Go to Oracle Identity Federation -> Administration -> Authentication Engines
Click LDAP Directory
Connection URL(s)
ldap://oam.example.com:1389
Bind DN
cn=Directory Manager
Password
Oracle123
Confirm Password
Oracle123
User Credential ID Attribute
uid
User Unique ID Attribute
uid
Person Object Class
inetorgperson
Base DN
ou=people,dc=example,dc=com
Enable Authentication Engine
Test LDAP Connection
Click Apply
Task7-Configuring Federation DataStore (To Store Federated Records)
Go to Oracle Identity Federation -> Administration -> Data Stores
Change Federation Data Store -> Change Repository Data Store from "None" to "XML File"
Now go to Administration -> Identities
Go to "Local Users"
Search (click)
Task8-Configuring OIF AuthScheme To A Resource
Go to /oamconsole
Identity Federation -> Identity Providers -> OIF_IDP
Click "Create Authentication Scheme and Module"
A new OIF Plugin and an OIF Scheme is created prefixed with the name of the provider OIF_IDP you had created initially
OIF_IDPFederationPlugin
OIF_IDPFederationScheme
Go to Authentication Modules -> Custom Authentication Modules -> OIF_IDPFederationPlugin
Steps
1. FedAuthnRequestPlugin
2. AssertionProcessing
Steps Orchestration
Initial Step = FedAuthnRequestPlugin
FedAuthnRequestPlugin -> success(on Success), AssertionProcessing (on Failure), failure (on Error)
AssertionProcessing -> success (on Success), failure (on Failure), On Error (failure)
Go to Policy Configuration -> Application Domains -> webgate11g_1 -> Authentication Policies -> Protected Resource Policy -> Change Authentication Scheme from LDAPScheme to OIF_IDPFederationScheme
Task9-Test Federation
edit mod_wl_ohs.conf
proxy /mybank
Try to access http://oam.example.com:7777/mybank
You will be redirected to the OIF login page
Use the OUD User user.0
Once successful authentication , mybank home page is displayed confirming the OIF Authentication
Go to Oracle Identity Federation -> Administration -> Identities
Click Federated Identities
Search
you will see user.0 who just tried
Task10-Configuring LDAP Authrization in OAM (Part 1)
/mybank/testheaders.jsp and set an authorization policies that allow only customers can access this URL
Go to Application Domain -> webgate11g_1 ->
Resources -> New Resource
Type : HTTP
Host Identifier : webgate11g_1
Resource URL : /mybank/testheaders.jsp
Query : Name Value list
Operations : ALL,CONNECT,OPTIONS,PUT,POST,GET
Protection Level : Protected
Click Apply
Go to Authorization Policies
Click "Create Authorization Policy"
Name : CustomersOnly
Resources : /mybank/testheaders.jsp
Conditions click +
Name : myBankCustomers
Type : Identity
On the bottom
Click + and Add Users and Groups
Search Store Name : OUD_UserStore
Entity Type : Group
Entity Name : Customers(Group Name)
Click Save
Now come to Rules tab
Allow Rule
Select the myBankCustomers (Identity) [Condition just created in last step]
Click Apply
Task11-Configuring SAML attributes from IDP to back-end application as custom header attributes (Part 2)
Go to OIF EM Console
Oracle Identity Federation -> Administration -> Federations
Select Provider ID record and click Edit
Click Edit "Attribute Mappings and Filters"
Name Mappings -> Add +
User Attribute Name : mail
Assertion Attribute Name : EmailAddress
Format or Namespace = blank
Send with SSO Assertion = check
Get Value from User Session = uncheck
Require from Infocard = uncheck
Name Mappings -> Add +
User Attribute Name : cn
Assertion Attribute Name : FullName
Format or Namespace = blank
Send with SSO Assertion = check
Get Value from User Session = uncheck
Require from Infocard = uncheck
Click Apply
Task12-Configuring the Responses to Send SAML Attributes to myBank Application As Headers (Part 3)
Go to the Authorization Policy -> CustomersOnly and
go to "Responses" tab
Click + add icon
Add Response
Type = Header
Name = EmailAddress
Value = $session.attr.fed.attr.EmailAddress
Click + add icon
Add Response
Type = Header
Name = FullName
Value = $session.attr.fed.attr.FullName
Click Apply
Task13-Verify LDAP Authorization And Header Responses
Take a user who belongs to the customer group
Any user who does not belong to customer group will be denied access to /mybank/testheaders.jsp
Access "http://oam.example.com:7777/mybank/testheaders.jsp"
Test a user who is not a customer member and see denied access
Now try with a user who is a member of customer group and see the testheaders.jsp page
Request Headers
FullName = FullNameOfTheTestUser
EmailAddress = EmailAddressOfTheTestUser
Comments
Post a Comment