#Oracle #OIF controlling the authentication method #SAML #IDM


I am thinking, I am thinking .... I am working with a client today who has Oracle Identity Federation (OIF) 11g configured with Oracle Access Manager (OAM) 10g as the default Authentication Engine.  With this configuration the authentication module is dictated by the OAM policy configuration.  If you set the OAM policy (the policy that protects the /fed/user/authnoam resource) to IWA, then all federated SSO attempts are routed to the IWA authentication engine; if that policy is configured for a custom login form, then all SSO attempts are routed to the custom login form … I think you get the point.  So, what happens when some resources (SaaS apps configured as SPs/RPs in OIF) require different levels of assurance (LOAs)?  I thought maybe I could use the SAML default authentication method configured in the SP/RP metadata in the circle of trust (COT), but that does not get passed on to OAM.  My second thought was to create a different policy for each URL being protected … but OIF uses a pretty standard URL for all of them (/fed/user/authnoam?refid=id-blahblahblah), so OAM wouldn’t be able to figure out which policy to use.

So, has anyone else found a solution to this problem?  I would appreciate any discussion or feedback.


  1. #1 by Sunny on December 6, 2012 - 7:14 pm

    Any luck with this? I am having the same issue.

  2. #2 by SK on December 7, 2012 - 5:11 am

    Were you able to figure out a solution for this?

    • #3 by Brad Tumy on December 7, 2012 - 9:41 am

      OIF provides a mechanism to allow you to redirect to a different IDP based on the authentication-mechanism value in the SAML Request. IMHO it’s a bit of a wonky solution because it forces you to have multiple IDPs stood up (One for each type of authentication that you want to support). I haven’t had a chance to try it out yet because this became overcome by other events. If I remember correctly you want to look at OIF’s IDP Proxy capability … they have a section in the documentation on this but I can’t remember the link off the top of my head.

    • #4 by Brad Tumy on December 26, 2012 - 6:09 pm

      I ended up writing a custom authentication engine that uses the authentication mechanism from the Relying Party, RP (or Service Provider, SP) to dynamically construct a URL that is protected by OAM. There are separate OAM policies for each potential authentication option. I can send you more information if you are interested.

  3. #5 by S on December 28, 2012 - 6:35 am

    Can you please send more details?

    • #6 by Sunny on April 17, 2013 - 1:21 pm

      Can you send me the information also.
      Regards,
      Sunny

      • #7 by Brad Tumy on April 17, 2013 - 3:07 pm

        The code that I wrote performs the same functionality as the SSO Proxy. So, you are probably better off using that.

        Additionally, when OIF is integrated with OAM as an SP integration module it automatically maps the OAM authentication schemes to OIF’s authentication mechanisms. You can then configure OIF to use a specific authentication mechanism for each service provider that you have integrated. I don’t have this documented very well yet but will try to add some more details to the post in the near future.
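The approach sketched in comments #4 and #7, as an added example (my own Python, not OIF/OAM code and not the author's engine): it reads the SP's RequestedAuthnContext out of the SAML AuthnRequest, maps it to one of several authentication URLs that are each protected by a separate OAM policy, falls back to a per-SP default when the SP did not ask for a context at all, and fails closed rather than downgrading to a weaker method. The URL paths, the SP issuer, the default mapping and the sample request are all assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed mapping: each SAML authentication context class gets its own URL
# under the IdP, and each of those URLs is protected by a separate OAM policy.
AUTHN_PATHS = {
    AC + "PasswordProtectedTransport": "/fed/user/authnoam/form",
    AC + "Kerberos": "/fed/user/authnoam/iwa",
    AC + "TimeSyncToken": "/fed/user/authnoam/otp",
}
# Assumed per-SP default (the default method kept per SP in the COT), used when
# the AuthnRequest carries no RequestedAuthnContext at all.
SP_DEFAULT_CLASS = {"https://saas.example.com/sp": AC + "Kerberos"}

# Constructed sample AuthnRequest from that SP, asking for a time-synced OTP.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">
  <saml:Issuer>https://saas.example.com/sp</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def parse_authn_request(xml_text):
    # Returns (issuer, comparison, [AuthnContextClassRef, ...]).
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return issuer, None, []
    classes = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return issuer, rac.get("Comparison", "exact"), classes

def select_authn_url(xml_text, refid, base="https://idp.example.com"):
    # Picks the OAM-protected URL that satisfies the SP's requested context.
    issuer, comparison, classes = parse_authn_request(xml_text)
    if not classes:
        classes = [SP_DEFAULT_CLASS.get(issuer, AC + "PasswordProtectedTransport")]
    elif comparison == "better":
        # "better" demands a context stronger than all listed ones; ranking contexts is site policy, so fail closed.
        raise ValueError("Comparison='better' is not supported")
    # For exact, minimum and maximum, any listed class we can serve satisfies the SP.
    for cls in classes:
        if cls in AUTHN_PATHS:
            return base + AUTHN_PATHS[cls] + "?" + urlencode({"refid": refid})
    # Never downgrade to a weaker method than the SP asked for.
    raise ValueError("no authentication engine for: " + ", ".join(classes))
```

Because each returned path sits under its own OAM policy, the authentication scheme is chosen per request rather than by the single policy on /fed/user/authnoam.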
