OIF 10g working as both IDP and SP at the same time

These days I am concentrating more on OIF 10g, and I see this as a wonderful opportunity to learn more. The use case I achieved yesterday is the same OIF 10g instance acting as both IDP and SP at the same time. Technically speaking, a single OIF product can serve both the authentication side and the service side, which is really a big advantage.

If we talk about the business use case, let’s assume that there is an organization MyComp partnered with MyBank, which provides banking services to MyComp. Logically, MyComp will act as IDP and MyBank will act as SP. So, do we really need two federation products to achieve this? Well, I think not! A single product can act as both IDP and SP. But there are some limitations I found in this approach.

  • A single user repository has to be used by both federation instances i.e., IDP and SP.
  • A single federation repository has to be used by both federation instances.

If there are federation experts out there, you can comment on my understanding.

Anyhow, let’s get into the actual part. I am going to explain the procedure to configure the same OIF as both IDP and SP and to access a resource at the SP end using IDP-initiated SSO.

Assumptions and Constraints:

  1. OIF product is already installed with default configurations.
  2. An LDAP is available to be used as user repository.
  3. I am going to use SAML only (memory) for storing federation records.
  4. The target application is assumed to be up and running. In my case, I have installed an Apache server and deployed a sample page.

Procedure:

  1. Configure the User Store for IDP and SP as shown below.
  2. Configure the SAML as Federation Store for IDP and SP as shown below.
  3. Ensure that both Identity Provider and Service Provider options are enabled as shown below.
  4. Enable Auto Account Linking in the Service Provider section, and select E-Mail Address as the NameID Format, as shown below.
  5. Enable Auto Account linking in Identity provider tab as shown below.
  6. Select the Binding Profiles for Request and Response for Service Provider as shown below.
  7. Select the Binding profiles for Request and Response for Identity Provider as shown below.
  8. Get the metadata from SP using the URL http://nic-tebmigr1a-ac.nic.co.in:7778/fed/sp/metadatav20 as shown below. OIF hostname is nic-tebmigr1a-ac.nic.co.in and it is running on port 7778.
  9. Save the file as dev_sp_metadatav20.xml.
  10. Get the metadata from IDP using the URL http://nic-tebmigr1a-ac.nic.co.in:7778/fed/idp/metadatav20 as shown below. OIF hostname is nic-tebmigr1a-ac.nic.co.in and it is running on port 7778.
  11. Save the file as dev_idp_metadatav20.xml.
  12. Exchange the SP metadata into the OIF instance as shown below. Point to dev_sp_metadatav20.xml, provide some description and click Add.
  13. Exchange the IDP metadata into the OIF instance as shown below. Point to dev_idp_metadatav20.xml, provide some description and click Add.
  14. Check the list of IDPs and SPs available in Circle of Trust as shown below.
  15. Point the Default SSO Identity Provider for the SP as shown below.

This finishes the configuration part. Now we have to frame the URL that the end user will access to reach the protected resource through federation.

As per my environment, the IDP URL is: http://nic-tebmigr1a-ac.nic.co.in:7778/fed/idp

SP URL is: http://nic-tebmigr1a-ac.nic.co.in:7778/fed/sp

The Protected Resource URL is: http://nic-tebmigr1a-ac.nic.co.in:7779/FederationExample.html

Now, the IDP initiated SSO URL is: http://nic-tebmigr1a-ac.nic.co.in:7778/fed/idp/initiatesso?providerid=http://nic-tebmigr1a-ac.nic.co.in:7778/fed/sp&returnurl=http://nic-tebmigr1a-ac.nic.co.in:7779/FederationExample.html

Let us access the URL in the browser as shown below.

The IDP login page will be displayed; enter the login details of a valid user in the OIF User Store (in my case, the userid is mahendra.k and the password is admin123) as shown below.

After successful authentication at the IDP, an assertion is created and the browser is redirected to the SP. The SP in turn checks the assertion for validity, creates a federation record (in the SAML only store) and redirects to the protected resource as shown below.
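The validity checks the SP applies before it creates a federation record, as an added example that is not part of OIF or of the original post: it parses a constructed SAML 2.0 assertion and checks the issuer against the IDP URL, the audience against the SP URL, the NotBefore/NotOnOrAfter window, and that the NameID uses the E-Mail Address format selected in the configuration. The XML signature check that OIF also performs is assumed to be done by a separate XML-DSig library and is not shown; the e-mail value in the sample is constructed.

```python
# Added example (not OIF code): SP-side validity checks on a SAML 2.0 assertion.
# Signature verification is assumed to happen separately and is not shown here.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
IDP_ID = "http://nic-tebmigr1a-ac.nic.co.in:7778/fed/idp"   # IDP provider ID from the post
SP_ID = "http://nic-tebmigr1a-ac.nic.co.in:7778/fed/sp"     # SP provider ID from the post
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _ts(dt):
    return dt.strftime(TS_FMT)

# Constructed sample assertion (not captured from OIF); valid for 5 minutes around NOW.
NOW = datetime(2010, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="{_ts(NOW)}">
  <saml:Issuer>{IDP_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FMT}">mahendra.k@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="{_ts(NOW - timedelta(minutes=1))}" NotOnOrAfter="{_ts(NOW + timedelta(minutes=5))}">
    <saml:AudienceRestriction><saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return (True, nameid) if the assertion is acceptable, else (False, reason)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions or validity window"
    not_before = datetime.strptime(cond.get("NotBefore"), TS_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, f"audience {audiences} does not include this SP"
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FMT:
        return False, "NameID missing or not in e-mail address format"
    return True, nameid.text

if __name__ == "__main__":
    print(validate_assertion(SAMPLE, IDP_ID, SP_ID, NOW))
```

An assertion that passes every check here is still rejected by OIF if its signature does not verify against the IDP certificate exchanged in the metadata.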

Any doubts, please leave a comment below. You can also mail me mahi.babu@gmail.com directly.

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc. Look @ my blog: http://talkidentity.blogspot.com
