Sunday, May 11, 2014

OIF 11g R2: Self-Federation Configuration and Testing

In this post I will cover the configuration of Oracle Identity Federation (OIF) acting as both the Service Provider (SP) and the Identity Provider (IdP), i.e. federating with itself.
This lets us understand the federation concepts and some of the configuration involved in any kind of federation setup.

First, export your SP and IdP metadata. This is done by logging into the Enterprise Manager (EM) console.

Go to Farm_IDMDomain -> Identity and Access -> OIF -> Administration -> Security and Trust -> Provider Metadata

Click Generate once for the Service Provider and again for the Identity Provider.

You will now have two files, one for the SP and one for the IdP.

Import these back into OIF by going to

OIF -> Administration -> Federations.

Edit each imported federation and enable the settings as below.

Go to Administration -> Service Provider -> Common and select the Default SSO Identity Provider.

Go to Administration -> Service Provider -> SAML 2.0
and make the settings below if they are not already enabled.

Go to Administration -> Identity Provider -> SAML 2.0 Settings

Go to Administration -> Data Store and create a User Data Store as below.

Go to Administration -> Authentication Engines and create a Default Authentication Engine of type LDAP as below.

Check Administration -> Server Properties in case you want to change port numbers, etc.

Now we are ready to test.

Go to http://oif-server:7499/fed/user/testspsso and click Start SSO.

The Final Response

Below is the output from the SAML Tracer plugin.

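What the SP side has to verify on that final Response before it trusts the assertion, as an added example (not code from this post and not OIF's own implementation; OIF applies these rules, plus XML signature verification, which is required because the SP metadata sets WantAssertionsSigned="true", and which is not covered here). SAMPLE_RESPONSE is a constructed, unsigned Response addressed to the HTTP-POST AssertionConsumerService of the self-federated instance, using the entity IDs and endpoint URLs from the metadata files at the end of this post; the request ID, assertion ID and timestamps are made up.

```python
"""Checks the SP side must apply to the final SAML 2.0 Response before trusting it.

Added example, not code from this post or from Oracle Identity Federation
(OIF applies these rules, plus XML signature verification, internally).
SAMPLE_RESPONSE is a constructed, unsigned Response addressed to the HTTP-POST
AssertionConsumerService of the self-federated instance described on the page.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Values the SP knows from its own and the IdP's metadata (the files at the end of the post).
IDP_ENTITY = "http://Deepak-PC.mydomain.com:7499/fed/idp"
SP_ENTITY = "http://Deepak-PC.mydomain.com:7499/fed/sp"
SP_ACS = "http://Deepak-PC.mydomain.com:7499/fed/sp/authnResponse20"

# Constructed sample: IDs and timestamps are invented for the example.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="id-resp-0001" Version="2.0" IssueInstant="2014-05-11T10:00:05Z"
    Destination="{SP_ACS}" InResponseTo="id-req-0001">
  <saml:Issuer>{IDP_ENTITY}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="id-assert-0001" Version="2.0" IssueInstant="2014-05-11T10:00:05Z">
    <saml:Issuer>{IDP_ENTITY}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">id-nameid-0001</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{SP_ACS}" NotOnOrAfter="2014-05-11T10:05:05Z"
            InResponseTo="id-req-0001"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-11T09:59:05Z" NotOnOrAfter="2014-05-11T10:05:05Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-05-11T10:00:00Z" SessionIndex="id-sess-0001"/>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(value):
    """Parse the UTC timestamps SAML uses (e.g. 2014-05-11T10:05:05Z) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, request_id, now_iso, consumed_ids):
    """Return the reasons to reject the Response; an empty list means accept.
    consumed_ids is the SP's store of assertion IDs already used (replay protection)."""
    now = saml_time(now_iso)
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != SP_ACS:
        problems.append("Response Destination is not this SP's ACS")
    if resp.get("InResponseTo") != request_id:
        problems.append("Response InResponseTo does not match the outstanding AuthnRequest")
    if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY:
        problems.append("Response Issuer is not the configured IdP")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    a = assertions[0]
    if a.get("ID") in consumed_ids:
        problems.append("Assertion ID already consumed (replay)")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY:
        problems.append("Assertion Issuer is not the configured IdP")
    # Bearer confirmation: the assertion must be addressed to our ACS and to our request.
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != SP_ACS:
            problems.append("SubjectConfirmationData Recipient is not this SP's ACS")
        if scd.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData InResponseTo does not match the AuthnRequest")
        expiry = scd.get("NotOnOrAfter")
        if expiry is None or now >= saml_time(expiry):
            problems.append("SubjectConfirmationData NotOnOrAfter is missing or has passed")
    # Validity window and audience: the assertion must be for us, and for now.
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        problems.append("Assertion has no Conditions with NotBefore/NotOnOrAfter")
    else:
        if now < saml_time(cond.get("NotBefore")) or now >= saml_time(cond.get("NotOnOrAfter")):
            problems.append("now is outside the Conditions NotBefore/NotOnOrAfter window")
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY not in audiences:
            problems.append("this SP's entityID is not in AudienceRestriction")
    if not problems:
        consumed_ids.add(a.get("ID"))  # remember the ID so the same assertion cannot be replayed
    return problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "id-req-0001", "2014-05-11T10:01:00Z", set()) or "Response accepted")
```

The request ID is the one the SP generated when it sent the AuthnRequest after Start SSO; the SP must keep it (and the set of consumed assertion IDs) server-side, not trust anything the browser posts back.
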
For reference, the Identity Provider metadata file Deepak-PC.mydomain.com_7499_idp_saml20.xml:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="id-mvX-tZlC7JzjmZ-je5q2XHsvFRo-" cacheDuration="P0Y0M30DT0H0M0.0S" entityID="http://Deepak-PC.mydomain.com:7499/fed/idp" validUntil="2014-06-03T11:27:46Z">
   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:X509Data>
               <dsig:X509Certificate>MIICIzCCAYygAwIBAgIBOjANBgkqhkiG9w0BAQQFADA1MTMwMQYDVQQDEypEZWVw...</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com Signing Certificate</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>58</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com Signing Certificate</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:X509Data>
               <dsig:X509Certificate>MIICKTCCAZKgAwIBAgIBKzANBgkqhkiG9w0BAQQFADA4MTYwNAYDVQQDEy1EZWVw...</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com Encryption Certificate</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>43</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com Encryption Certificate</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      </md:KeyDescriptor>
      <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/soap" index="1" isDefault="true" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20ss" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20ss" />
      <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" />
      <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" />
      <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20ss" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20ss" />
      <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/soap" />
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20" />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20ss" />
   </md:IDPSSODescriptor>
</md:EntityDescriptor>

For reference, the Service Provider metadata file Deepak-PC.mydomain.com_7499_sp_saml20.xml:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="id-axAAa-6iuRyEYMIDzRbAEX1afIU-" cacheDuration="P0Y0M30DT0H0M0.0S" entityID="http://Deepak-PC.mydomain.com:7499/fed/sp" validUntil="2014-06-03T11:29:23Z">
   <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:X509Data>
               <dsig:X509Certificate>MIICIzCCAYygAwIBAgIBOjANBgkqhkiG9w0BAQQFADA1MTMwMQYDVQQDEypEZWVw...</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com Signing Certificate</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>58</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com Signing Certificate</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:X509Data>
               <dsig:X509Certificate>MIICKTCCAZKgAwIBAgIBKzANBgkqhkiG9w0BAQQFADA4MTYwNAYDVQQDEy1EZWVw...</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com Encryption Certificate</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>43</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com Encryption Certificate</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20ss" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20ss" />
      <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20" />
      <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20" />
      <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20ss" ResponseLocation="http://Deepak-PC.mydomain.com:7499/fed/sp/samlv20ss" />
      <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/soap" />
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/art20" index="0" isDefault="true" />
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/authnResponse20" index="1" />
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/authnResponse20ss" index="2" />
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://Deepak-PC.mydomain.com:7499/fed/sp/authnResponse20" index="4" />
   </md:SPSSODescriptor>
</md:EntityDescriptor>
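
The two metadata files carry the facts a reviewer should check before importing them into a federation: the expiry (validUntil), which flags are set on the role descriptors, which endpoints and bindings are published, and which encryption algorithms are advertised. The following is an added example (not code from this post or from Oracle Identity Federation) that parses both documents and reports what a security review of this pair would raise. IDP_XML and SP_XML are constructed, abbreviated copies of the two files above with the certificates left out; the audit rules are general and apply to any SAML 2.0 metadata pair, not only this self-federation.

```python
"""Audit the SAML 2.0 provider metadata that OIF exports.

Added example, not code from this post or from Oracle Identity Federation.
IDP_XML and SP_XML are constructed, abbreviated copies of the two metadata
files reproduced on the page (certificates and most endpoints omitted).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
RSA15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"  # PKCS#1 v1.5 key transport

IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://Deepak-PC.mydomain.com:7499/fed/idp" validUntil="2014-06-03T11:27:46Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://Deepak-PC.mydomain.com:7499/fed/idp/soap" index="1" isDefault="true"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://Deepak-PC.mydomain.com:7499/fed/idp/samlv20"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://Deepak-PC.mydomain.com:7499/fed/sp" validUntil="2014-06-03T11:29:23Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://Deepak-PC.mydomain.com:7499/fed/sp/art20" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://Deepak-PC.mydomain.com:7499/fed/sp/authnResponse20" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def saml_time(value):
    """Parse the UTC timestamps SAML metadata uses (e.g. 2014-06-03T11:27:46Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_metadata(xml_text):
    """Return role, entity ID, expiry, the *Signed flags, endpoints and encryption algorithms."""
    root = ET.fromstring(xml_text)
    role, kind = root.find("md:IDPSSODescriptor", NS), "idp"
    if role is None:
        role, kind = root.find("md:SPSSODescriptor", NS), "sp"
    if role is None:
        raise ValueError("metadata carries neither an IDPSSODescriptor nor an SPSSODescriptor")
    # Every child with Binding+Location is a service endpoint (SSO, SLO, ACS, artifact resolution, ...).
    endpoints = [
        (el.tag.split("}")[1], el.get("Binding").replace(BINDING_PREFIX, ""),
         el.get("Location"), el.get("isDefault") == "true")
        for el in role if el.get("Binding") and el.get("Location")
    ]
    return {
        "kind": kind,
        "entity_id": root.get("entityID"),
        "valid_until": saml_time(root.get("validUntil")),
        "flags": {k: v == "true" for k, v in role.attrib.items() if k.endswith("Signed")},
        "endpoints": endpoints,
        "encryption_algorithms": [m.get("Algorithm") for m in role.findall("md:KeyDescriptor/md:EncryptionMethod", NS)],
    }


def audit(idp, sp, now):
    """Findings a reviewer would raise on an IdP/SP metadata pair; an empty list means clean."""
    findings = []
    for p in (idp, sp):
        if p["valid_until"] <= now:
            findings.append(f"{p['kind']}: metadata validUntil {p['valid_until']:%Y-%m-%d} has passed; regenerate and re-import")
        plain = [loc for _, _, loc, _ in p["endpoints"] if not loc.startswith("https://")]
        if plain:
            findings.append(f"{p['kind']}: {len(plain)} endpoint(s) served over plain HTTP, e.g. {plain[0]}")
        if RSA15 in p["encryption_algorithms"]:
            findings.append(f"{p['kind']}: advertises rsa-1_5 key transport (PKCS#1 v1.5); prefer rsa-oaep")
    if sp["flags"].get("AuthnRequestsSigned") and not idp["flags"].get("WantAuthnRequestsSigned"):
        findings.append("idp: WantAuthnRequestsSigned=false, so unsigned AuthnRequests are accepted although this SP signs them")
    if not sp["flags"].get("WantAssertionsSigned"):
        findings.append("sp: WantAssertionsSigned=false; unsigned assertions would be accepted")
    default_acs = [b for tag, b, _, is_default in sp["endpoints"] if tag == "AssertionConsumerService" and is_default]
    has_ars = any(tag == "ArtifactResolutionService" for tag, _, _, _ in idp["endpoints"])
    if default_acs == ["HTTP-Artifact"] and not has_ars:
        findings.append("sp: default ACS is HTTP-Artifact but the IdP publishes no ArtifactResolutionService")
    return findings


def audit_at(idp_xml, sp_xml, now_iso):
    """Audit two metadata documents as of a SAML-style UTC timestamp."""
    return audit(parse_metadata(idp_xml), parse_metadata(sp_xml), saml_time(now_iso))


if __name__ == "__main__":
    for line in audit_at(IDP_XML, SP_XML, "2014-05-11T00:00:00Z"):
        print("-", line)
```

Run against the abbreviated copies on the day of the post, this reports the plain-HTTP endpoints on both sides, the rsa-1_5 key transport both sides advertise, and the fact that the IdP's SAML 2.0 settings leave WantAuthnRequestsSigned off even though the SP signs its requests; after 3 June 2014 it also reports both files as expired, which is the usual reason a federation that once worked stops working.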