
OAM 11g FEDERATION IdP Initiated - URL

4087534
4087534 Member Posts: 4
edited Sep 21, 2020 7:59PM in Identity Manager

Hi,

I need to implement an idp-initiated SAML2.0 federation in which OAM (11g) is IDP.

What configurative differences are there on the OAM side when implementing an Idp-initiated and SP-initiated federation?

Thanks in advance

Enrico

Answers

  • ChellappanSampath-Oracle
    ChellappanSampath-Oracle Posts: 21 Employee
    edited Sep 10, 2020 10:40AM

    Below document explains implementing federation in OAM:

    1.) Oracle Access Manager (OAM) Federation: How to Create an SAML 2.0 Identity Provider Partner(IDP)/Configure OAM as a SAML 2.0 Service Provider (SP) (Doc ID 2322401.1)

    2.) https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/sharedidm/cloud_sso_idp_configuration/OAM11gR2/OAMIF11gR2_IdPConfig_CloudSP.html

    Did this answer your question? If so, marking this answer as such will help community members find replies that might help them in similar situations, because your rating will change the icon color of the reply to make it stand out. Please scroll to the bottom of the reply and select either “Helpful Answer” or “Correct Answer.” Choosing one of these options will change the background color to make the reply stand out from the other replies. More details on marking a question as answered can be found in Did Your Question Get Answered in My Oracle Support Community [ID 1180503.1].

  • 4087534
    4087534 Member Posts: 4
    edited Sep 10, 2020 11:00AM

    Thanks for the reply,

    but these documents don't describe the configuration differences between IdP-initiated and SP-initiated.

    Thanks

    Enrico

  • Sandeep Kumar sk
    Sandeep Kumar sk Member Posts: 496 Silver Badge
    edited Sep 13, 2020 10:12AM

    >>What configurative differences are there on the OAM side when implementing an Idp-initiated and SP-initiated federation?

    The main difference between SP-initiated and IdP-initiated is how the user begins the SSO flow. Below are the two types of flow, SP-initiated and IdP-initiated. Before we get into details, the two endpoints, the SP (Service Provider) and the IdP (Identity Provider), have already been configured as the two federation endpoints in their respective roles. Remember that the SP and IdP never talk to each other directly. The other thing to understand is that the user always authenticates only to his IdP, for example your LDAP directory where the user account exists.

    In SP-initiated, the user accesses the Application URL (the resource, or Application) to begin with. When the Application (the Service Provider, actually) receives the user request, it has no idea who the user is, so the user's request is redirected to the IdP, the Identity Provider. This happens via the SAML protocol as follows: the SP creates a SAML request, forwarding the user request (all via HTTP redirects) to the Identity Provider (IdP). The user authenticates with the IdP; the IdP provides a secured, signed message to the user (the user's browser specifically), which is then provided to the SP (in the SAML protocol this is the SAML response sent by the IdP to the SP). Once the SP verifies and confirms the SAML response, the user is given access to the resource or Application URL.

    In IdP-initiated, the user first accesses a button or link at the IdP. This gets forwarded to the SP with a SAML message containing the assertion. The rest of the flow is similar: once the SP confirms the SAML response, the user is given access to the resource or Application URL.

    Read this blog for details of SP and IdP initiated SSO flows. It also provides details of the difference between both the scenarios/sso flows.

    In SP-initiated SSO, you would provide the Application URL to the user, or it is published to users so they can access the URL, which starts the SSO/SAML flow. With IdP-initiated, the user will authenticate to the IdP first and you would provide a button that the user clicks to access the Application. Unless you have a valid use case for IdP-initiated, I would go with SP-initiated, which I have almost used with several apps/clients/use cases.

    Read this SP vs IdP initiated for the Oracle OAM/Federation environments.

    See the diagram below, which shows an SP-initiated SSO flow. 1 is the user accessing the URL/protected resource, and then 3 is a redirect to the IdP by the SP to get user authentication. For details refer to this blog, which gives both SP- and IdP-initiated SSO flows with a diagram and the steps in the flow. That should give you the difference between the SP- and IdP-initiated flows.

    [Image: sp-initiated-sso.gif]

    Hope this helps and please mark the answer as resolved if it answered your question.
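The one place the two flows differ on the SP side is how the SAML Response is matched: an SP-initiated Response carries an InResponseTo that must match an AuthnRequest the SP issued, while an IdP-initiated (unsolicited) Response has none and must only be accepted if the SP was configured to allow it. The following is an added illustration (not code from the thread or from OAM); message shapes, entity IDs and request IDs are constructed, and signature and timestamp validation are assumed to have been done beforehand.

```python
"""SP-side classification of a SAML 2.0 Response as SP-initiated or
IdP-initiated, with the check each case needs. Constructed sample data."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/sp"  # constructed SP identifier


def sample_response(in_response_to=None):
    """Build a minimal (constructed, unsigned) Response for demonstration."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_resp1"{attr}>'
            '<saml:Assertion><saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
            '</samlp:Response>')


def classify_response(response_xml, outstanding_requests, allow_unsolicited,
                      expected_audience=SP_ENTITY_ID):
    """Return (verdict, reason). Verdict is 'sp-initiated', 'idp-initiated'
    or 'reject'. Assumes signature/time validation already passed."""
    root = ET.fromstring(response_xml)
    # Audience must name this SP regardless of which side started the flow.
    if root.findtext(".//saml:Audience", namespaces=NS) != expected_audience:
        return "reject", "audience mismatch"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited Response: this is the IdP-initiated case. Only accept
        # it when IdP-initiated SSO has been explicitly enabled for the SP.
        if not allow_unsolicited:
            return "reject", "unsolicited response but IdP-initiated SSO is disabled"
        return "idp-initiated", None
    # SP-initiated: the Response must answer a request this SP actually sent.
    if in_response_to not in outstanding_requests:
        return "reject", "InResponseTo does not match an outstanding AuthnRequest"
    outstanding_requests.discard(in_response_to)  # one-time use, blocks replay
    return "sp-initiated", None


if __name__ == "__main__":
    pending = {"_req42"}
    print(classify_response(sample_response("_req42"), pending, False))
    print(classify_response(sample_response(), set(), False))
    print(classify_response(sample_response(), set(), True))
```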

  • 4087534
    4087534 Member Posts: 4
    edited Sep 14, 2020 6:55AM

    Hi Sundeep,

    thanks for the reply. I found the links you sent me very useful.

    So configuring an IdP-initiated or SP-initiated federation in OAM (as IdP) is the same.

    In particular, how is the URL set for an IdP-initiated federation composed? Is there a specific pattern?

    Thanks in advance

    Enrico

  • Sandeep Kumar sk
    Sandeep Kumar sk Member Posts: 496 Silver Badge
    edited Sep 14, 2020 10:32PM

    Make sure you know the difference between configuring OAM as an IdP or an SP. I believe you already have decided to use OAM as IdP and have valid reasons.

    So first thing is to make sure you read the below two choices, whether you want your OAM or Identity Federation to be a Service Provider or Identity Provider. In your case you decided to have OAM As An Identity Provider.

    Here is the URL from where below screenshot was taken (it is from 11gR2 PS3 but same principle applies to 12c as well). So read the section for Administering Identity Federation as an Identity Provider.

    [Image: oamfederation.png]

    Now the next thing. If you are configuring OAM as an IdP then you select the red box below, i.e. “Create Service Provider Partner” (vice versa, if configuring OAM as SP then you would have selected the green box, “Create Identity Provider Partner”). Note this difference. So once again, since in your case OAM is the IdP, you select the red box "Create Service Provider Partner". In federation there are two endpoints, one is the Identity Provider and the other is the Service Provider. So if you have decided that OAM will be your Identity Provider (IdP) then you need to define the settings for your remote Service Provider. That's what you do in "Create Service Provider Partner".

    [Image: oamfederation2.png]

    For 12c OAM here is the Federation chapter with details.

    Hope this helps. Please mark the answer as resolved if it answered your question.

  • 4087534
    4087534 Member Posts: 4
    edited Sep 21, 2020 3:48AM

    Hi Sandeep, thanks for your answer.

    I have already configured federations in the past in which OAM is the identity provider, but they were standard federations (SP-initiated).

    I've never done an IdP-initiated federation before (our customer wants it).

    My question was whether there are configuration differences on OAM if a federation is IdP-initiated.

    I understood that on the OAM side there is no configuration difference, but the difference is made by the URL set to access it.

    Is that correct?

    thanks in advance

  • Sandeep Kumar sk
    Sandeep Kumar sk Member Posts: 496 Silver Badge
    edited Sep 21, 2020 7:59PM

    Enrico, there is a big difference. If you read my previous reply, here is the starting point: if you are configuring OAM as an IdP then you select the red box below, i.e. “Create Service Provider Partner”.

    So when you click on "Create Service Provider Partner", this is the first difference, and from there on, when you see the GUI, you will find the next screens.

    I am not sure why you say there are no configuration differences. Once again, in your use case, you will start with creating a Service Provider Partner (this itself is the big difference, and from there on you will see the next screen where you will need to enter the values). Go ahead and implement in the test environment. All the best. Of course the metadata exchange will follow next. Thanks

    Also, to remind you: if the reply is useful or helpful then you need to mark it as Helpful. Remember this is a community forum and the only way posts are helpful is if they are marked as Resolved or Helpful. I cannot mark my own replies as Helpful or Resolved; you have the privileges to do so since you asked the question, so please mark my earlier reply/replies as Helpful/Resolved.