OAM integration with OIF : Authentication Engine or Service Provider

OIF is a federation product from Oracle which can act as both Identity Provider (IdP) or Service Provider (SP). More on Federation basics IdP/SP here

  • OIF come with authentication engine (LDAP, OAM, OSSO, Database, InfoCard, JAAS… ) and is used when OIF acts as Identity Provider
  • OIF also comes with Service Provider Integration Modules ( OSSO, OAM, Custom SP Engine…)

OAM is a web Single Sign-On product from Oracle and also comes with its own authentication engine and can be integrated with OID for authentication (For OAM 11.1.1.3 integration with OID click here and for OAM 11.1.1.5 integration with OID click here ).

  • OAM and OIF can be implemented on their own alone or integrated with each other.

OAM can be integrated with OIF in one of two mode

1. OAM acting as authentication Engine with OIF: In this OAM-OIF integration, unauthenticated users are redirected to OAM for authentication. OAM authenticates user against its configured LDAP server and creates session in both OAM and OIF. In this mode OIF delegates authentication to OAM and OAM acts as Authentication Provider. To configure this type of integration follow steps here or here

2. OIF acting as authentication Engine (IdP) with OAM: In this integration, unauthenticated users are redirected to Identity Provider of OIF for authentication. OIF (acting as IdP) authenticates user against its configured authentication engine and creates session in both OIF and OAM. In this mode OIF acts as Identity Provider for OAM. To configure this type of integration follow steps here or here

Note : In this type of OAM-OIF integration where OIF acts as authentication engine for OAM, steps are slightly different between OIF 11.1.1.5 and OIF 11.1.1.6 (OIF 11.1.1.6 uses OAM 11g SP Module where as OIF 11.1.1.5 uses OSSO SP Module)

 

More on OAM 11g in my Book at Amazon or Packt Publication

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

13 comments
vishuenc says April 4, 2012

I have following doubts …
1. how do we check the ObSSOCookie is set or not in fiddler or any vendor trace.

2. Sometimes when user trying to access SSO url then he redirects to some other URL…How do we resolve that configurations issues?

3. For example, if both companies have Federations servers then how they will share/AutH user’s identity?

4. For example, If Company ‘A’ uses federation services from Company ‘B’ then how user’s identities are managed?

Reply
Atul Kumar says April 4, 2012

@ vishuenc,

Q1. how do we check the ObSSOCookie is set or not in fiddler or any vendor trace.

A1: You can check cookie in HTTP Header using browser plug-in like IEHTTPHeader (for IE) or HTTPHeader (for firefox). What is fiddler ?

Q2. Sometimes when user trying to access SSO url then he redirects to some other URL…How do we resolve that configurations issues?

A2: Enable debug on oracle.security handler of OIF (ODL). Debug is enabled using EM. You then check OIF logs and HTTPHeader trace to find root cause of issue.

Q3. For example, if both companies have Federations servers then how they will share/AutH user’s identity?
A3: Federation on one company will act SP and other compnay will act as IdP . For resource requested by SP , SP will contact IdP for user authentication. After authentication, IdP will assert user to SP which (depending on configuration) will map it to user at its own end and provide access to resource. I’ll cover few use case of IdP/SP on this blog later.

Q4. For example, If Company ‘A’ uses federation services from Company ‘B’ then how user’s identities are managed?
A5: There are multiple ways in which federation can be done (mapped, linked, transient…) check my post http://onlineappsdba.com/index.php/2012/04/01/oracle-identity-federation-oif-for-beginners-idp-sp/

For mapped or linked federation each side will manage users. These user are linked based on IdP and SP setting. I am going to cover how this mapping is done in OIF in my upcomig posts.

Reply
» OAM – OIF integration : Login Fails when value for attribute cn is different than uid in LDAP Store Online Apps DBA: One Stop Shop for Apps DBA’s says April 11, 2012

[…] in oam, oif  Print This Post I recently integrated OAM with OIF where OAM is configured as OIF SP Integration Module. In this integration OAM resource is protected by authentication scheme OIFScheme and OAM’s […]

Reply
JL says November 17, 2012

Hi Atul,

Thanks for this post and a clearer explanation of the options for integrating OAM with OIF. We have been using OAM (currently 11gR2) for awhile now, and I’m looking into extending to support federated identities (i.e., integrating OIF). We currently have OIF 11.1.2 installed as part of the IDM suite (OIF/OID/OVD) installation.

Our use cases would be something like:

1) A user who is currently one of our users under OAM accesses one of the resource protected by our OAM: Such users should be able to continue to authenticate against OAM, but if

2) A user who is NOT currently one of our users under OAM accesses a resource protected by our OAM: Such users should be given the opportunity to authenticate against the IDP of one of our federated partners, and then, after authenticating against one of those IDPs, be (ideally) redirected to their original target resource and be able access the resource protected by our OAM.

In other words, if one of our users accesses one of our protected resources, there shouldn’t be a need to involve OIF, and only our OAM ATN and ATZ should be involved. Conversely, in the other case, we would want to delegate authentication to the SP of our OIF to facilitate that user getting authenticating by “their” IDP.

I think that your 2nd option (OIF acting as authentication Engine (IdP) with OAM) fits our case better, but it seems like with JUST that integration, ALL of our users would have to authenticate via our OIF SP to our OIF IDP, rather than authenticating directly via our own OAM.

Is there a way to accommodate such usage scenarios with OIF and OAM out-of-the-box? Or will we need to do some customization?

Jim

Reply
JL says November 18, 2012

Hi,

I am trying to integrate OAM with OAM using the option #2, using the OSSO SP integration module in OIF and the OIFScheme/DAP module in OAM.

This is *almost* working, i.e., when I try to hit the OAM-protected resource (/fedtest/*), I get redirected to the IDP login page, and to the SP login page, and authenticate successfully with both, but then the ATN fails in OAM, and I get the blue OAM error page. If I set a Failure URL on the ATN policy, I can see it gets invoked, so I know that OAM thinks the ATN has failed.

I’ve been trying to nail this problem down, but it looks like after the the IdP and SP authentications succeed, OAM is throwing a NumberFormatException when it tries to process a DAP token. I’m pretty sure that OAM is able to decrypt the DAP token, because I have logging set to TRACE:32 on OAM and can see the decrypted tap_token_body.

The problem is that that tap_token_body has a number of fields that are coming in a null (the “Expriy Time” (Oracle’s spelling :), etc.), and that OAM code throws that NumberFormatException, and then eventually the ATN fails.

One of the differences is that I’m using a “real” Apache, with an OAM 10g Apache webgate, rather than OHS. I don’t know if that makes a difference, but if it does, is there a way to do this integration with using Apache, rather than OHS?

Thanks,
Jim

Reply
Gopi says November 19, 2012

Hi Jim,
I am also facing exactly the same issue (ATN fails) that you facing. Did you ever get resolved this? If you have a solution for this, please reply.

Reply
JL says November 19, 2012

Hi Gopi,

I couldn’t get it working using the OSSO SP Plugin. I had enabled TRACE:32 on OAM, and the problem was occurring at the very end, when OAM was trying to extract the information from the DAP token, but from the debug, it looked like there were a number of fields in the token that were null.

I think, but am not sure, that the problem that I was trying to use this integration with a “real” Apache+webgate, rather than an OHS+webgate.

We’re just starting to work with OAM 11gR2/11.1.2, and I noticed that OAM 11.1.2 includes a section for configuring with identity federation. From what I saw, it allows you to configure OAM as an SP directly, rather than having to use the SP interface in OIF. So, I used OAM as an SP talking to OIF as the IdP, and the configuration was relatively simple, and works.

So, if you have 11gR2, try that for the SP.

11.1.2 also has several Federation modules and schemes out-of-box for after you’ve setup OAM as an SP, and they’re ok as starters, but may need to be tweaked to provide my full use case.

Good luck,
Jim

Reply
Gopi says November 20, 2012

Hi Jim,

Thanks for your quick reply. I’m working with OAM 11gR2/11.1.2 only. I too noticed the identity federation service that coexists with OAM earlier. That time I thought we can configure it only as IdP. I am a newbie and not aware of much of these.
My use case is pretty much simillar to yours I guess. Can you help me in solving this?

My configuration is as follows….
1. Machine M1 is configured with OAM
2. Machine M2 is configured with OIF as IdP

My use case is as follows….
1. I want to access the protected resource of M1
2. The user unauthenticated by OAM (i.e., who is not present in identity store of OAM) has to be redirected to OIF for authentication.

3. From OIF the user details has to be federated to OAM so that he will be authorized at OAM and access the resource if he had permission.

This is my use case.

Now tell me how to do the following…
1. How to configure the identity federation coexisting with OAM 11gR2/11.1.2 as SP?

2. Can OAM delegate the authentication of only specific users (as I specified in step2 of my use case)? If so, how can it be done?

Please help me in solving these… I am working on these for the last 1 week, but I’m unable to do…

Thanks
Gopi

Reply
Gopi says November 20, 2012

Working with OHS+Webgate only…

forgot to mention this.

Thanks
Gopi

Reply
Gopi says November 21, 2012

Hi Guys….

if anyone of you know answer for my second previous comment, please reply

Reply
JL says December 4, 2012

Gopi,

For your case 2, if you have OAM 11gR2, take a look at the MT/Multi-tenant Plugin and Scheme, e.g., FederationMTPlugin. That has steps where it attempts to check for a local user first, and then if it fails, does a federated ATN.

Jim

Reply
JL says December 4, 2012

Atul (or anyone),

If you have some understanding of possible OAM-OIF integrations, I have another question.

I’m using OAM 11gR2, and with that, I’m using OAM as an SP using the “Identity Provider” configuration under “Identity Federation”, and have it working with OIF 11.1.1.5, but only with FORM login. In that configuration, I’m using FederationScheme in the OAM, then the SP inside OAM puts up a FORM login. After submit, it redirects to OIF, sending a get with a samlv20 request.

That’s all working fine here now, but now I need to look at how to be able to do X509 ATN.

I kind of understand the two models of delegating, but for example, if you use OIF delegating ATN to OAM (i.e., OAM as an OIF ATN Engine), it looks like the way that works is that a user has to come to the OIF through a webgate (in order to get OAM_REMOTE_USER after ATN’ing). I got that part.

But, if I have a resource protected by OAM policy, that means the request goes through two webgates (one in front of the OIF, and one in front of the OAM-protected resource) so I’m ending up with two ObSSOCookie cookies (FYI, working only with Apache 10g webgates), and things break when that happens. I have an SR with Oracle, but they haven’t responded in two+ days, and I’m pretty much stuck on this, so if you know how this integration is suppose to work, can you please post info?

Thanks,
Ji

Reply
sampal says December 17, 2012

Hello Atul,

In our current environment we have OIF integrated with OAM in authentication mode. OIF is acting as the identity provider to different external applications. We want to protect the applictaions using two different authentictaion schemes – Form based and Kerberos. However in oam when we protect /fed/user/authnoam we can use only one authentication scheme – either kerberos/form based. We have used virtual hosts configuration in Apache server too. ( It didnot work )

Can you please let me know how can we protect applictaion with multiple authentication schemes from OAM.

Reply
Add Your Reply