21 comments
Hi Atul,
I am having trouble configuring OAM-OIF with Google Apps.
As per my understanding Google Apps is the idp and OIF is configured as SP.
At this point, I am really not sure how to integrate, and what the behavior should be after integration. I have followed the steps mentioned in the Oracle docs but no luck.
Can you please share some insight on it.
Thanks
@ kjj1983,
Are you
a) using google apps like gdoc, gtalk, gmail …and authenticating against OIF using user store from your company or
b) using your company resource protected by OIF and authenticating using google username/password
If a) then Google Apps is acting as Service Provider and OIF (deployed in your company) as Identity Provider.
If b) then OIF (deployed in your company) is acting as Service Provider and Google as Identity Provider.
I hope this is clear now.
You mentioned that “I have followed the steps mentioned in oracle” – which doc are you following ?
@ kjj1983,
If your requirement is to use Google as Identity Provider then you can integrate OIF (as SP or relying party) with Google (as IdP or OpenID Provider/OP) for federated SSO using either SAML 2.0 or OpenID 2.0.
For OpenID 2.0 (with Google as IdP or OP) check the steps at http://blog.warrenstrange.com/2011/08/adding-openid-relying-party-to-oracle.html and use https://www.google.com/accounts/o8/id as Google’s IdP endpoint.
I’ll cover this in detail later on my upcoming posts
Hi Atul –
I have followed the blog post from Warren Strange and have configured Google as IdP. Now for the integration between OAM & OIF I followed the following:
http://docs.oracle.com/cd/E14571_01/doc.1111/e15740/oif.htm
I have done the above.
OIF 11.1.1.6 & OAM 11.1.1.5. I have done the integration using Service Provider Integration Modules > Oracle Single Sign-On. Not sure if this is the right configuration.
And do I also need to follow the following section in 3.2.3 Deploying Oracle Identity Federation with Oracle Access Manager
http://docs.oracle.com/cd/E15523_01/oim.1111/e13400/deployment.htm#BABBFDEG
Please advise.
Thanks
Kunal Jain
@ Kunal Jain,
If you want the Oracle stack to be the SP (relying party) and Google the IdP/OP (Identity Provider or OpenID Provider) then you are on the right track.
There are a few bugs in OAM-OIF integration with OAM BP02 (11.1.1.5.2); I will cover these on the blog in my upcoming posts.
Hi Atul –
If you can give me your email address, I can send you the document with screen shots, so that you can verify if it is correct.
Thanks
Kunal Jain
jkunal@gmail.com
And also, does OID support auto-federation, i.e. if the OpenID account is not present in the RP, will it automatically create one?
If a new user logs in, can the product automatically create an account?
On trying to access
http://oamoifdemo.mycorp.com:7779/fedpartner/index.html (Resource protected by OIFScheme in OAM)
I am redirected to
A page on the public Internet requests data from your private intranet. For security reasons, automatic access is blocked, but you may choose to continue.
Continue
Always continue when data is requested from this server on my private intranet
On clicking Continue – I get the following page. olab2.mycorp.com is my OIF Server.
This document you requested has moved temporarily.
Don’t go for the OAM test directly. First check if the OIF (SP) test page is working with the Google OP (IdP).
I hope you are using OpenID 2.0.
What is your OIF version and weblogic version ? (I can build same environment at my end to test this setup)
OIF – Google integration is working.
So when I try to access the protected resource (OIFScheme protected). I am redirected to the google login.
After logging in I am supposed to be redirected to the above protected page.
OAM 11.1.1.5 – WLS 10.3.5
OIF 11.1.1.6 – WLS 10.3.6
Atul –
Do we also need to follow the document at http://docs.oracle.com/cd/E28389_01/oim.1111/e13400/deployment.htm#BABCAECB
3.2.4 Oracle Identity Federation/SP Authenticating to Oracle Access Manager
@ kjj1983,
NO, don’t configure OIF SP authenticating to OAM. You want OIF SP to authenticate with the Google OP (OpenID Provider), which as per you is already working.
I am assuming your requirement is that users in Oracle system should be able to login using google account via Open ID federation.
@Atul –
Yes the requirement is that the users in LDAP should be able to login using google via Open ID federation.
For e.g.
kunal@mycorp.com should be able to get authenticated through google and via OIF should be able to authenticate with OAM and access the protected resource.
kunal@mycorp.com is a Google Apps account. So we already have a Google Apps account created.
Hi Atul –
can you please help.
Following is the log error when I try to access the OIFScheme protected resource.
I am integrating this with dossia server.
<Exception: {0}
oracle.security.fed.controller.web.action.exceptions.ResponseHandlerException: OpenID XRDS document location could not be determined: {Date=Tue, 01 May 2012 06:15:10 GMT, Content-Length=2996, Content-Type=text/html;charset=windows-1252, Connection=close, Server=Apache/2.2.3 (CentOS)}
    at oracle.security.fed.http.flow.profiles.sp.OpenIDV20RetrieveXRDSResponseHandler.perform(OpenIDV20RetrieveXRDSResponseHandler.java:102)
    at oracle.security.fed.controller.ApplicationController.processServletRequest(ApplicationController.java:338)
    at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(FederationServlet.java:142)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
    at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
    at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:253)
    at oracle.security.fed.controller.web.flow.URLContextTarget.perform(URLContextTarget.java:84)
    at oracle.security.fed.controller.ApplicationController.processServletRequest(ApplicationController.java:370)
    at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(FederationServlet.java:142)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
    at java.security.AccessController.doPrivileged(Native Method)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
    at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
    at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
@ kjj1983
Your issue is “OpenID XRDS document location could not be determined”. Please share what steps you took to configure OIF with Dossia using OpenID.
@ kjj1983,
In the document you shared with me, you used the Discovery URL https://dev-openid.dossia.org. Where did you get this information? Is this not an Endpoint URL?
Endpoint URL: This is the URL where the user is redirected at the OP for authentication. You used https://dev-openid.dossia.org as the Endpoint URL, which looks OK to me.
However,
Discovery URL: This is the URL where the OP publishes its XRDS metadata. In your case you also used https://dev-openid.dossia.org as the Discovery URL, so OIF expects XRDS metadata at this location and cannot find any XRDS metadata from Dossia.
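The Discovery URL / Endpoint URL distinction above is exactly what OpenID 2.0 (Yadis) discovery turns on: the relying party fetches the Discovery URL, must find an XRDS document there (served directly, or pointed to by an X-XRDS-Location header or meta tag), and only then learns the Endpoint URL from the XRDS. The following is an added example, not code from this thread or from Oracle Identity Federation: a small relying-party discovery routine in Python, run offline against constructed HTTP responses. The Google XRDS body is an illustrative shape, not a capture; `op.example.test` and `endpoint-only.example.test` are hypothetical providers; `Response` and `fetch` are stand-ins for real HTTP.

```python
"""Offline OpenID 2.0 (Yadis) discovery: Discovery URL -> XRDS -> OP endpoint URL.
All responses below are constructed for illustration, not captured from any OP."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

XRD_NS = "xri://$xrd*($v*2.0)"                      # namespace of XRD/Service/Type/URI
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
XRDS_CONTENT_TYPE = "application/xrds+xml"
META_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']x-xrds-location["\'][^>]+content=["\']([^"\']+)["\']', re.I)


@dataclass
class Response:            # stand-in for an HTTP response (assumption: no real network)
    status: int
    headers: Dict[str, str]
    body: str


class DiscoveryError(Exception):
    pass


def _header(resp: Response, name: str) -> Optional[str]:
    return next((v for k, v in resp.headers.items() if k.lower() == name.lower()), None)


def locate_xrds(discovery_url: str, fetch: Callable[[str], Response], max_hops: int = 3) -> Tuple[str, str]:
    """Yadis: the Discovery URL must serve XRDS itself or point at it via an
    X-XRDS-Location header or <meta http-equiv> tag. Otherwise discovery fails
    with the same condition OIF logs as 'XRDS document location could not be determined'."""
    url = discovery_url
    for _ in range(max_hops):
        resp = fetch(url)
        if resp.status != 200:
            raise DiscoveryError(f"HTTP {resp.status} from {url}")
        ctype = (_header(resp, "Content-Type") or "").split(";")[0].strip().lower()
        if ctype == XRDS_CONTENT_TYPE:
            return url, resp.body
        loc = _header(resp, "X-XRDS-Location")
        if loc is None:
            m = META_RE.search(resp.body)
            loc = m.group(1) if m else None
        if loc is None:
            raise DiscoveryError("OpenID XRDS document location could not be determined "
                                 f"(Discovery URL {url} returned {ctype or 'unknown'} with no XRDS pointer)")
        url = loc
    raise DiscoveryError("too many X-XRDS-Location hops")


def op_endpoint_from_xrds(xrds_text: str) -> str:
    """Endpoint = <URI> of the <Service> advertising the OpenID 2.0 'server' type;
    among several, the lowest priority value wins (XRI semantics)."""
    root = ET.fromstring(xrds_text.encode("utf-8"))
    best = None
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if OP_SERVER_TYPE not in types or uri is None or not uri.text:
            continue
        prio = int(svc.get("priority", "2147483647"))
        if best is None or prio < best[0]:
            best = (prio, uri.text.strip())
    if best is None:
        raise DiscoveryError("XRDS contains no OpenID 2.0 server service")
    return best[1]


def discover(discovery_url: str, fetch: Callable[[str], Response]) -> Tuple[str, str]:
    """Return (URL the XRDS was found at, OP endpoint URL)."""
    xrds_url, xrds = locate_xrds(discovery_url, fetch)
    return xrds_url, op_endpoint_from_xrds(xrds)


def probe(discovery_url: str, fetch: Callable[[str], Response]) -> Tuple[Optional[str], Optional[str]]:
    """Pre-flight check for a partner's Discovery URL: (endpoint, None) or (None, reason)."""
    try:
        return discover(discovery_url, fetch)[1], None
    except DiscoveryError as e:
        return None, str(e)


# --- constructed responses; op.example.test / endpoint-only.example.test are hypothetical ---
GOOGLE_DISCOVERY_URL = "https://www.google.com/accounts/o8/id"   # the Discovery URL named in the thread
GOOGLE_LIKE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/server</Type>
    <Type>http://openid.net/srv/ax/1.0</Type>
    <URI>https://www.google.com/accounts/o8/ud</URI>
  </Service></XRD></xrds:XRDS>"""
EXAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10"><Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.test/server-backup</URI></Service>
    <Service priority="1"><Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.test/server</URI></Service>
  </XRD></xrds:XRDS>"""
CONSTRUCTED: Dict[str, Response] = {
    GOOGLE_DISCOVERY_URL: Response(200, {"Content-Type": "application/xrds+xml; charset=UTF-8"}, GOOGLE_LIKE_XRDS),
    "https://op.example.test/": Response(200, {"Content-Type": "text/html",
                                               "X-XRDS-Location": "https://op.example.test/xrds"}, "<html>login</html>"),
    "https://op.example.test/xrds": Response(200, {"Content-Type": "application/xrds+xml"}, EXAMPLE_XRDS),
    # a login page that is a fine Endpoint URL but carries no XRDS pointer: useless as Discovery URL
    "https://endpoint-only.example.test/": Response(200, {"Content-Type": "text/html;charset=windows-1252"},
                                                    "<html><body>OpenID endpoint</body></html>"),
}


def fetch(url: str) -> Response:
    if url not in CONSTRUCTED:
        raise DiscoveryError(f"no route to {url}")
    return CONSTRUCTED[url]


if __name__ == "__main__":
    for u in (GOOGLE_DISCOVERY_URL, "https://op.example.test/", "https://endpoint-only.example.test/"):
        print(u, "->", probe(u, fetch))
```

The third constructed case reproduces the failure mode in the posted log: a text/html response at the Discovery URL with nothing pointing at XRDS. Running `probe()` against a partner's Discovery URL (with `fetch` swapped for a real HTTP client) before touching the OIF partner configuration tells you whether the URL you were given is a discovery endpoint or merely the authentication endpoint.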
Hi Atul,
We are trying to integrate Facebook acting as IdP and OIF 11.1.1.5 as SP. Is there any guide or document to achieve this?
Hi Atul,
I am using OIF 10g and my data store is OAM 10g (integrated OAM & OIF). I have multiple directory profiles in OAM; let's say ssoroot.local is the main node and its children are SSOchilda.ssoroot.local and SSOchildb.ssoroot.local.
When I configured a SAML application and tried to access the application, I was able to log in with all the users in the root node, whereas the users in the child nodes are unable to log in and get the error below. When I search the users I am able to find all of them, i.e. I get the users in the root node as well as in the child nodes.
F.Y.I.,
ERROR – javax.naming.NameNotFoundException: [LDAP: error code 32 – 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
‘DC=ssoroot,DC=local’
] [Root exception is com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 – 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: ‘ssoroot.local’
]; remaining name ‘CN=mohan kumar,CN=Users,DC=ssochilda,DC=ssoroot,DC=local,dc=ssoroot,dc=local’]; remaining name ”
13/02/20 23:03:48: ERROR – No value in user record for Name ID Policy requested: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Please help me regarding this error.
Thanks,
Mohankumar.Koribilli
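The error Mohankumar posted has two visible features: the entry lives in the child naming context DC=ssochilda,DC=ssoroot,DC=local (for which the parent domain answers with a referral, "ref 1: ssoroot.local"), and the remaining name carries the base DN twice ("...,DC=ssoroot,DC=local,dc=ssoroot,dc=local"). The following is an added diagnostic, not code from the post or from OIF/OAM, and it makes no claim about the actual root cause: it parses a user DN against a configured search base (assumed here to be DC=ssoroot,DC=local) and reports whether the base suffix was duplicated and whether the entry sits in a child naming context, which on Active Directory means a plain LDAP bind to the parent domain will get a referral rather than the entry. The sample DNs are the ones visible in the posted error; nothing here contacts a directory.

```python
"""Where does a user DN sit relative to the federation data store's search base?
Added diagnostic built around the DN shape in the posted error; no LDAP traffic."""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attr, value) pairs, lowercased for comparison, honouring
    backslash-escaped commas (e.g. CN=Doe\\, John)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for p in parts:
        if p.strip():
            attr, _, val = p.partition("=")
            rdns.append((attr.strip().lower(), val.strip().lower()))
    return rdns


def naming_context(rdns: List[RDN]) -> str:
    """DNS-style name of the trailing DC= components, e.g. ssochilda.ssoroot.local."""
    dcs = []
    for attr, val in reversed(rdns):
        if attr != "dc":
            break
        dcs.append(val)
    return ".".join(reversed(dcs))


def strip_duplicate_base(rdns: List[RDN], base: List[RDN]) -> Tuple[List[RDN], int]:
    """Drop extra trailing copies of the base DN, the symptom of a client appending
    its search base to a DN it already received in full. Returns (rdns, copies removed)."""
    n, removed = len(base), 0
    while n and len(rdns) >= 2 * n and rdns[-n:] == base and rdns[-2 * n:-n] == base:
        rdns, removed = rdns[:-n], removed + 1
    return rdns, removed


def classify(user_dn: str, base_dn: str) -> Dict[str, object]:
    base = parse_dn(base_dn)
    rdns, dup = strip_duplicate_base(parse_dn(user_dn), base)
    ctx, base_ctx = naming_context(rdns), naming_context(base)
    return {
        "effective_dn": ",".join(f"{a}={v}" for a, v in rdns),
        "base_suffix_duplicated": dup > 0,
        "naming_context": ctx,
        "base_context": base_ctx,
        "same_context": ctx == base_ctx,
        # AD child domain = separate naming context held by other domain controllers;
        # a search rooted at the parent returns a referral for it, not the entry
        "child_context": ctx != base_ctx and ctx.endswith("." + base_ctx),
    }


if __name__ == "__main__":
    # DNs from the posted error; the search base DC=ssoroot,DC=local is an assumption
    posted = "CN=mohan kumar,CN=Users,DC=ssochilda,DC=ssoroot,DC=local,dc=ssoroot,dc=local"
    for dn in (posted, "CN=root user,CN=Users,DC=ssoroot,DC=local"):
        print(classify(dn, "DC=ssoroot,DC=local"))
```

When `child_context` comes back true, the client either has to chase the referral (for a JNDI-based client that is the `java.naming.referral=follow` setting) or query a global catalog that covers the whole forest; when `base_suffix_duplicated` is true, the DN handed to the lookup was already absolute and should not have had the base appended. Which of the two applies to the OAM 10g/OIF 10g setup in the post is not something this check can tell you on its own.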