Oracle Identity Federation (OIF) is a federation product from Oracle that provides cross-domain Single Sign-On (SSO). An OIF instance can act as a Service Provider (SP), an Identity Provider (IdP), or both (IdP and SP).
I recently integrated two OIF instances, one acting as IdP and the other as SP. Each OIF had its own identity store (OID); a user on the IdP side was linked to a user on the SP side by matching the IdP user's employeeNumber attribute to the SP user's uid attribute.
Note: this type of federation is called Linked Federation; the other types are Transient, Mapped, and Attribute- or Role-based Federation. Step-by-step setup of a linked federation in OIF is covered in Oracle By Example (OBE).
To add further complexity, OAM (Oracle Access Manager) was integrated with the OIF SP through the Service Provider Integration Module, i.e. OAM authentication was delegated to the OIF SP, and any user session at OIF should automatically create a session at OAM.
During testing of a resource protected in OAM by the OIF authentication scheme (Challenge URL pointing to http(s)://OIF_SP_Host/fed/user/sposso), OAM redirected the browser to OIF_SP (/fed/user/sposso?osso_spToken), which in turn redirected to OIF_IdP (/fed/idp/samlv20?SAMLRequest) for authentication.
After authentication at the IdP (using the default LDAP authentication engine, backed by OID), the browser was redirected back to OIF_SP (/fed/sp/art20?SAMLart=) and reported the error below (401 Unauthorized).
From RFC 2068, Hypertext Transfer Protocol, HTTP/1.1 (since obsoleted by RFC 2616 and then RFC 7235, which keep the same meaning for 401):
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
Note: a 401 at this stage of an OIF flow is usually not a credential failure. The user did authenticate at the IdP; the error most often means the NameID mapping between the OIF IdP and SP is wrong, so the SP cannot map the assertion to a local account.
To troubleshoot the OIF configuration:
1. First, look for errors in wls_oif<N>.out on both the SP and the IdP side, under $DOMAIN_HOME/servers/<oif_server_name>/logs/
In my case the error on the IdP side in wls_oif<N>.out was
<Apr 17, 2012 4:48:30 PM BST> <Error> <oracle.security.fed.eventhandler.profiles.idp.sso.v20.AuthnRequestEventHandler> <FED-15003> <No value in user record for NameIDPolicy requested: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress>
Note: the mail attribute of the user is NULL in the OID stores behind the IdP and SP, but why is the IdP trying to read emailAddress for the user at all?
The error on the SP side in wls_oif<N>.out was
<Apr 17, 2012 4:24:20 PM BST> <Error> <oracle.security.fed.eventhandler.authn.engines.osso.OssoFinishSPSSOEventHandler> <FED-15134> <The service provider could not map the identity provider response to a user>
Reading the IdP and SP errors together, the problem was clearly the NameID format (more on nameid-format / NameIDPolicy in the SAML request later).
To see which NameID format the OIF SP is requesting, enable TRACE for the logger oracle.security in OIF from Enterprise Manager (/em). Set the level back afterwards: at TRACE the full protocol messages are written to the diagnostic log.
With TRACE enabled on the SP side, access a URL protected in OAM by the OIF authentication scheme and check which NameID format the SP puts in its AuthnRequest (this is recorded in $DOMAIN_HOME/servers/<oif_server>/logs/<oif_server>-diagnostic.log):
[2012-04-12T11:49:16.339+01:00] [wls_oif1] [TRACE]  [oracle.security.fed.http.translator.SenderProtocolMessageTranslator]
[tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)']
[userId: <anonymous>] [ecid: 004jV7Dh5Eo5e_r_CHXBig0007RO000IIb,0:1]
[APP: OIF#18.104.22.168.0] [SRC_METHOD: translateSAML2MessageToQuery]
[URI: /fed/user/sposso] Outgoing QUERY message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://idpHost.idpDomain:8888/fed/idp/samlv20" ForceAuthn="false"
ID="id-MaNTZObsPFZEn7mqeHE1ETWAnAU-" IssueInstant="2012-04-18T10:49:16Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0">
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
Notice that in the AuthnRequest sent by the OIF SP, the NameIDPolicy Format is emailAddress. That is why the IdP tried to read the user's email address (FED-15003 above) even though the federation was meant to be linked on employeeNumber.
Q: How do I make OIF_SP request the employeeNumber attribute from OIF_IdP and map it to the uid attribute at OIF_SP?
A: On the SP side (Service Provider), set the Default Authentication Request NameID Format to Custom (or unspecified) (first screenshot) and set the value of Custom (or unspecified) to employeeNumber. You also need to select Map User via Attribute Query, with a filter such as (&(uid=%enumuid%)) (first screenshot).
Note: On the IdP side (Identity Provider) you also need to enable the custom (or unspecified) NameID format with the value employeeNumber (second screenshot) and configure Attribute Mapping and Filters for this SP so that employeeNumber is returned as enumid (third and fourth screenshots). The name inside the %...% placeholder of the SP's attribute-query filter must match exactly the attribute name the IdP is configured to send; if it does not, the SP cannot resolve the filter and will not be able to map the user.
Configuration at the IdP side (Identity Provider)
To edit the SP's settings at the IdP, in OIF_IdP go to Administration -> Federations, select the SP metadata registered earlier and click Edit, then open the Oracle Identity Federation Settings tab and click Edit next to Attribute Mapping and Filters.
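To make the log checks and the mapping fix above repeatable offline, here is an added Python example; it is not part of the original post and is not OIF code. It pulls the NameIDPolicy Format out of the AuthnRequest recorded in the SP diagnostic log, lists the FED-nnnnn errors found in the .out files, predicts whether the IdP can satisfy the requested format for a given user record, and fills an attribute-query template of the kind used for Map User via Attribute Query. The log excerpts are constructed from the records quoted above (the AuthnRequest is given a closing tag so it parses as XML); the format-to-attribute rule in idp_nameid_value and the attribute names enumuid and employeeNumber are assumptions for illustration, not OIF internals.

```python
"""Offline checks for an OIF SP <-> IdP NameID mismatch (added example, not OIF code).

The sample log text below is constructed from the records quoted in the post;
the format-to-attribute rule and the attribute names are assumptions.
"""
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed excerpt of <oif_server>-diagnostic.log with the outgoing
# AuthnRequest (closing tag added so the fragment is well-formed XML).
DIAG_LOG = """\
[2012-04-12T11:49:16.339+01:00] [wls_oif1] [TRACE] [oracle.security.fed.http.translator.SenderProtocolMessageTranslator] [URI: /fed/user/sposso] Outgoing QUERY message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://idpHost.idpDomain:8888/fed/idp/samlv20" ForceAuthn="false" ID="id-MaNTZObsPFZEn7mqeHE1ETWAnAU-" IssueInstant="2012-04-18T10:49:16Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0">
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>
"""

# Constructed excerpts of wls_oif<N>.out on the IdP and SP side.
IDP_OUT = ("<Apr 17, 2012 4:48:30 PM BST> <Error> <oracle.security.fed.eventhandler.profiles.idp.sso.v20.AuthnRequestEventHandler> "
           "<FED-15003> <No value in user record for NameIDPolicy requested: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress>")
SP_OUT = ("<Apr 17, 2012 4:24:20 PM BST> <Error> <oracle.security.fed.eventhandler.authn.engines.osso.OssoFinishSPSSOEventHandler> "
          "<FED-15134> <The service provider could not map the identity provider response to a user>")

AUTHN_RE = re.compile(r"<samlp:AuthnRequest\b.*?</samlp:AuthnRequest>", re.S)
FED_RE = re.compile(r"<(FED-\d+)>\s*<([^>]*)>")
PLACEHOLDER_RE = re.compile(r"%([A-Za-z0-9_]+)%")


def requested_nameid_formats(diag_text):
    """Return (Destination, NameIDPolicy Format) for each AuthnRequest the SP logged."""
    result = []
    for match in AUTHN_RE.finditer(diag_text):
        root = ET.fromstring(match.group(0))
        policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
        result.append((root.get("Destination"), policy.get("Format") if policy is not None else None))
    return result


def fed_errors(out_text):
    """Return [(code, message)] for every <FED-nnnnn> <message> record in a .out log."""
    return FED_RE.findall(out_text)


def idp_nameid_value(user, fmt, custom_attr="employeeNumber"):
    """Assumed IdP rule: emailAddress is served from 'mail', anything else from the
    attribute configured for the custom/unspecified format. An empty value is the
    condition behind FED-15003, so surface it before the SP sees a broken response."""
    attr = "mail" if fmt == FMT_EMAIL else custom_attr
    value = user.get(attr)
    if not value:
        raise LookupError(f"no value for {attr!r} to satisfy {fmt}")
    return value


def escape_filter_value(value):
    """RFC 4515 escaping: asserted data can never change the filter's structure."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\0" else ch for ch in value)


def attribute_query_filter(template, asserted):
    """Fill a 'Map User via Attribute Query' style template such as (&(uid=%enumuid%))
    from the attributes the IdP asserted. A placeholder with no matching attribute
    (enumuid in the filter vs enumid from the IdP) is the mismatch that leaves the
    SP unable to map the user, so fail here instead of sending a half-filled filter."""
    def fill(match):
        name = match.group(1)
        if name not in asserted:
            raise KeyError(f"placeholder %{name}% not among asserted attributes {sorted(asserted)}")
        return escape_filter_value(asserted[name])
    return PLACEHOLDER_RE.sub(fill, template)


if __name__ == "__main__":
    print("SP asked for:", requested_nameid_formats(DIAG_LOG))
    print("IdP errors:", fed_errors(IDP_OUT), "SP errors:", fed_errors(SP_OUT))
    user = {"uid": "jdoe", "employeeNumber": "12345", "mail": None}  # constructed user record
    print("custom format ->", idp_nameid_value(user, FMT_UNSPEC))
    print("filter ->", attribute_query_filter("(&(uid=%enumuid%))", {"enumuid": user["employeeNumber"]}))
```

Run it against your own diagnostic log and .out files by replacing the constructed strings with the file contents. Two design points carry over to any tool you build around this integration: the value taken from the assertion is escaped with RFC 4515 rules before it goes into an LDAP filter, so a crafted attribute value cannot widen the search, and an unknown %name% placeholder is treated as a hard error rather than left in the filter, which is the offline equivalent of the enumuid/enumid mismatch discussed above.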