Saturday, November 5, 2016

OAM 11g R2 Federation Lab

Task1-Configuring OIF11GR1 to OUD as DataStore
Task2-Verify Identity Provider
Task3-Export OIF 11gR1 IDP identity metadata
Task4-Configuring OAM and importing the IDP metadata
Task5-Import OAM11gR2 SAML2.0 Metadata(SP) into OIF11gR1
Task6-Configure Default Authentication Engine As LDAPDirectory
Task7-Configuring Federation DataStore (To Store Federated Records)
Task8-Configuring OIF AuthScheme To A Resource
Task9-Test Federation
Task10-Configuring LDAP Authorization in OAM (Part 1)
Task11-Configuring SAML attributes from IDP to back-end application as custom header attributes (Part 2)
Task12-Configuring the Responses to Send SAML Attributes to myBank Application As Headers (Part 3)
Task13-Verify LDAP Authorization And Header Responses

Task1-Configuring OIF11GR1 to OUD as DataStore

Use webgate11g_1 Application Domain

http://oam.example.com:8001/em (EM Console of OIF)

Go to Farm_IDMDomain -> Identity and Access -> OIF (11.1.1.2.0)

Oracle Identity Federation -> Administration -> Data Stores

Edit User Data Store

Repository Type : LDAP Directory
Connection URL(s) : ldap://oam.example.com:1389
Bind DN : cn=Directory Manager
Password : Oracle123
User ID Attribute : uid
User Description Attribute : uid
Person Object Class : inetorgperson
Base DN : ou=people,dc=example,dc=com

Click Test LDAP Connection

Task2-Verify Identity Provider

Right Side -> Oracle Identity Federation -> Administration -> Identity Provider

Click SAML 2.0 tab
Assertion Subject NameID Format defaults to Email Address, with the User Attribute in the user store mapped to mail
Send Encrypted Attributes = uncheck
Send Encrypted NameIDs = uncheck
Send Encrypted Assertions = uncheck
Send Signed Assertion = check
Enable SAML 2.0 Protocol = check
Enable Single Sign-On Protocol = check
Enable NameID Management Protocol: Register = check
Enable NameID Management Protocol: Terminate = check
Enable Attribute Query Responder = uncheck
Enable Authentication Query Responder = uncheck
Enable Assertion ID Responder = uncheck
Enable Protocol Bindings = SSO - Artifact;SSO - HTTP POST;SSO - HTTP POST
Default Binding = HTTP Redirect
Default SSO Response Binding = Artifact

Message Section
Request - SOAP = Send Signed = check
Response - HTTP Redirect = Send Signed = check
Response - HTTP POST = Send Signed = check
Response - SOAP = Send Signed = check
Request - HTTP POST = Send Signed = check
Response with Assertion - SOAP = Send Signed = uncheck
Request - HTTP Redirect = Send Signed = uncheck
Response with Assertion - HTTP POST = Send Signed = uncheck
AuthnRequest = n/a

Task3-Export OIF 11gR1 IDP identity metadata

Go to -> Oracle Identity Federation -> Administration -> Security and Trust

Click Provider Metadata
Provider Type : Identity Provider
Protocol : SAML 2.0

Click Generate

Choose Save

Task4-Configuring OAM and importing the IDP metadata

Go to :7001/oamconsole

System Configuration -> Available Services
Enable "Identity Federation"
"Security Token Service"
"Mobile and Social"

Now, on the left, go to Identity Federation -> Identity Providers
New Identity Provider
Browse and Import the OIF IDP Metadata file just generated

Name : OIF_IDP
Protocol : SAML 2.0
Metadata File
Map assertion Name ID to User ID Store attribute = mail

User Mapping : OUD_UserStore
User Search Base DN : ou=people,dc=example,dc=com
Provider ID : http://oam:7499/idp
Signing Certificate Subject : CN=oam Signing Certificate

Enable Identity Partner : check
Default Identity Partner : check

Enable global logout : check
HTTP POST preferred binding : check
Authentication Request NameID Format : Email Address

Now Go to Left hand Side -> Federation Settings -> Export SAML 2.0 Metadata

Provider Id: https://oam:14101/oam/fed
Signing Key: osts_signing
Encryption Key: osts_encryption

Export SAML 2.0 Metadata

Choose Save and Ok

Task5-Import OAM11gR2 SAML2.0 Metadata(SP) into OIF11gR1

Go to the OIF EM Console
LEFT => Identity and Access -> OIF (11.1.1.2.0)
RIGHT => Oracle Identity Federation -> Administration -> Federations
Click Add
check Enable Provider
Load Metadata -> Browse File and upload

Select Record and click Edit
Click "Oracle Identity Federation Settings"
check "Enable Attributes in Single Sign-On (SSO)"
check "Email Address"

Choose Apply

Task6-Configure Default Authentication Engine As LDAPDirectory

Go to Oracle Identity Federation -> Administration -> Authentication Engines

Click LDAP Directory

Connection URL(s) : ldap://oam.example.com:1389
Bind DN : cn=Directory Manager
Password : Oracle123
Confirm Password : Oracle123
User Credential ID Attribute : uid
User Unique ID Attribute : uid
Person Object Class : inetorgperson
Base DN : ou=people,dc=example,dc=com
Enable Authentication Engine
Test LDAP Connection
Click Apply

Task7-Configuring Federation DataStore (To Store Federated Records)

Go to Oracle Identity Federation -> Administration -> Data Stores

Under Federation Data Store, change the repository data store from "None" to "XML File"

Now go to Administration -> Identities
Go to "Local Users"
Search (click)

Task8-Configuring OIF AuthScheme To A Resource

Go to /oamconsole
Identity Federation -> Identity Providers -> OIF_IDP
Click "Create Authentication Scheme and Module"

A new OIF plugin and an OIF scheme are created, prefixed with the name of the provider (OIF_IDP) you created earlier

OIF_IDPFederationPlugin
OIF_IDPFederationScheme

Go to Authentication Modules -> Custom Authentication Modules -> OIF_IDPFederationPlugin

Steps
1. FedAuthnRequestPlugin
2. AssertionProcessing

Steps Orchestration
Initial Step = FedAuthnRequestPlugin
FedAuthnRequestPlugin -> success (on Success), AssertionProcessing (on Failure), failure (on Error)
AssertionProcessing -> success (on Success), failure (on Failure), failure (on Error)

Go to Policy Configuration -> Application Domains -> webgate11g_1 -> Authentication Policies -> Protected Resource Policy -> Change Authentication Scheme from LDAPScheme to OIF_IDPFederationScheme

Task9-Test Federation
Edit mod_wl_ohs.conf on the OHS host so that /mybank is proxied to the WebLogic server hosting the myBank application

Try to access http://oam.example.com:7777/mybank

You will be redirected to the OIF login page
Use the OUD User user.0
After successful authentication, the mybank home page is displayed, confirming that authentication went through OIF

Go to Oracle Identity Federation -> Administration -> Identities
Click Federated Identities
Search
You will see user.0, who just logged in, listed as a federated identity

Task10-Configuring LDAP Authorization in OAM (Part 1)

Protect /mybank/testheaders.jsp and create an authorization policy that allows only customers to access this URL

Go to Application Domain -> webgate11g_1 ->
Resources -> New Resource
Type : HTTP
Host Identifier : webgate11g_1
Resource URL : /mybank/testheaders.jsp
Query : Name Value list
Operations : ALL,CONNECT,OPTIONS,PUT,POST,GET
Protection Level : Protected
Click Apply

Go to Authorization Policies
Click "Create Authorization Policy"
Name : CustomersOnly
Resources : /mybank/testheaders.jsp
Conditions click +
Name : myBankCustomers
Type : Identity
On the bottom
Click + and Add Users and Groups

Search Store Name : OUD_UserStore
Entity Type : Group
Entity Name : Customers (group name)
Click Save

Now come to Rules tab
Allow Rule
Select the myBankCustomers (Identity) [Condition just created in last step]

Click Apply

Task11-Configuring SAML attributes from IDP to back-end application as custom header attributes (Part 2)

Go to OIF EM Console
Oracle Identity Federation -> Administration -> Federations
Select Provider ID record and click Edit
Click Edit "Attribute Mappings and Filters"

Name Mappings -> Add +

User Attribute Name : mail
Assertion Attribute Name : EmailAddress
Format or Namespace = blank
Send with SSO Assertion = check
Get Value from User Session = uncheck
Require from Infocard = uncheck

Name Mappings -> Add +

User Attribute Name : cn
Assertion Attribute Name : FullName
Format or Namespace = blank
Send with SSO Assertion = check
Get Value from User Session = uncheck
Require from Infocard = uncheck

Click Apply

Task12-Configuring the Responses to Send SAML Attributes to myBank Application As Headers (Part 3)

Go to the Authorization Policy -> CustomersOnly and
go to "Responses" tab
Click + add icon
Add Response

Type = Header
Name = EmailAddress
Value = $session.attr.fed.attr.EmailAddress

Click + add icon
Add Response

Type = Header
Name = FullName
Value = $session.attr.fed.attr.FullName

Click Apply

Task13-Verify LDAP Authorization And Header Responses

Take a user who belongs to the Customers group
Any user who does not belong to the Customers group will be denied access to /mybank/testheaders.jsp

Access "http://oam.example.com:7777/mybank/testheaders.jsp"

Test with a user who is not a member of the Customers group and confirm that access is denied

Now try with a user who is a member of the Customers group and confirm that the testheaders.jsp page is displayed

Request Headers
FullName = FullNameOfTheTestUser
EmailAddress = EmailAddressOfTheTestUser
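To see how Tasks 10 to 13 fit together without clicking through the consoles again, the following added example (not code from the lab or from OAM) replays the decision offline: it takes the attributes an OIF assertion carries after the Task 11 mappings (mail -> EmailAddress, cn -> FullName), applies the CustomersOnly identity condition, and resolves the two $session.attr.fed.attr.<name> header responses from Task 12. The assertion is a constructed fragment, the group membership table is a stand-in for the OUD_UserStore lookup OAM performs, and matching membership on the NameID (the mail value) is a simplification of how OAM resolves the user.

```python
"""Replay the myBank authorization outcome for a federated session, offline.

Added example, not part of the lab page or of OAM. Assumptions: the assertion
fragment is constructed (no signature, attribute names from the Task 11
mappings); GROUP_MEMBERS stands in for the Customers group in OUD_UserStore;
membership is keyed on the NameID (mail), a simplification of OAM's user lookup.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: only the parts the policy consumes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>http://oam:7499/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user.0@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress">
      <saml:AttributeValue>user.0@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FullName">
      <saml:AttributeValue>Test User 0</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed stand-in for the Customers group (Task 10 identity condition).
GROUP_MEMBERS = {"Customers": {"user.0@example.com"}}

# Header responses configured on the CustomersOnly policy (Task 12).
HEADER_RESPONSES = {
    "EmailAddress": "$session.attr.fed.attr.EmailAddress",
    "FullName": "$session.attr.fed.attr.FullName",
}

# Only the federated-attribute form of response expression is modelled here.
FED_ATTR_REF = re.compile(r"^\$session\.attr\.fed\.attr\.(\w+)$")


def session_from_assertion(xml_text):
    """Build the federated session attributes kept after AssertionProcessing."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject NameID")
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = values[0] if len(values) == 1 else values
    return {"name_id": name_id.text.strip(), "fed_attrs": attrs}


def authorize(session, groups=GROUP_MEMBERS, responses=HEADER_RESPONSES):
    """Return (allowed, headers): deny non-members; headers are set only on allow."""
    if session["name_id"] not in groups.get("Customers", set()):
        return False, {}
    headers = {}
    for header_name, expr in responses.items():
        m = FED_ATTR_REF.match(expr)
        if m is None:
            raise ValueError("unsupported response expression: %s" % expr)
        value = session["fed_attrs"].get(m.group(1))
        # An attribute the IdP did not send produces no header here.
        if value is not None:
            headers[header_name] = value
    return True, headers


if __name__ == "__main__":
    sess = session_from_assertion(SAMPLE_ASSERTION)
    print(authorize(sess))
    print(authorize({"name_id": "not.a.customer@example.com", "fed_attrs": {}}))
```

The two printed lines correspond to the two checks in this task: a Customers member gets the FullName and EmailAddress request headers, a non-member gets (False, {}) and never reaches testheaders.jsp. The headers are only trustworthy to the application while it is reachable solely through the WebGate-protected OHS proxy set up in Task 9, so keep the WebLogic port of the myBank application closed to clients that can bypass OHS.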