Integrating ADFS 2.0/3/0 IdP with OIF SPDamien Carru blog

Integrating ADFS 2.0/3.0 IdP with OIF SP

By Damien Carru-Oracle on Apr 07, 2014

As a continuation of my previous article, I will today describe how to integrate ADFS 2.0/3.0 as an IdP and OIF as an SP.
The SAML 2.0 integration will be based on:
  • Email address will be used as the NameID format
  • The NameID value will contain the user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.
ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. The articles will showcase screenshots for ADFS 3.0, while the documented steps will apply to both versions.

ADFS Setup

To add OIF as an SP in ADFS IdP, perform execute the following steps:
  • Go to the machine where ADFS 2.0 is deployed
  • If ADFS 2.0 is used
    • Click Start Menu -> Programs -> Administrative Tools -> AD FS 2.0 Management
    • Expand ADFS 2.0 -> Trust Relationships
  • If ADFS 3.0 is used
    • In Server Manager, click Tools -> AD FS Management
    • Expand AD FS -> Trust Relationships
  • Right click on Relying Party Trusts and select Add Relying Party Trust
  • The Add Relying Party Trust window will appear
Execute the following steps:
  • Click Start
  • Select Import data about the relying party from a file
  • Click browse and select the OIF SP SAML 2.0 Metadata file from the local machine (it is required for the OIF endpoints to be SSL terminated, otherwise ADFS will not import the metadata. See my previous pre-requisites article about SSL)
Execute the following steps:
  • Click Next
  • Enter a name for the new OIF SAML 2.0 Service Provider
If using ADFS 3.0, execute the following steps:
  • Click Next
  • The next screen will show an optional multi factor authentication settings section
  • Select the option depending on your requirements
Execute the following steps:
  • Click Next
  • Select Permit all users to access this Relying Party
Execute the following steps:
  • Click Next
  • A summary window will be displayed
Execute the following steps:
  • Click Next
  • Leave Open the Edit Claims box checked
Execute the following steps:
  • Click Close
  • The Edit Rule window will appear
Execute the following steps:
  • Click Add Rule: we will configure ADFS to retrieve the user’s email address from LDAP and include it as EmailAddress SAML Attribute
  • Select Send LDAP Attributes as Claims
Execute the following steps:
  • Click Next
  • Enter a name for the Claim Rule
  • Select Active Directory as the Attribute Store
  • Since we are using Email Address as the NameID, in the first row, select Email Addresses as the LDAP Attribute, and Email Address as the Outgoing Claim Type
Execute the following steps:
  • Click Finish
  • The list of rules will be displayed
Execute the following steps:
  • Click Add Rule: we will transform the SAML Attribute EmailAddress to make it the NameID with its format set to email address.
  • Select Transform an Incoming Claim
Execute the following steps:
  • Click Next
  • Enter a name for the rule
  • Select Email Address as the Incoming Claim Type
  • Select NameID as the Outgoing Claim Type
  • Select Email as the Outgoing name ID format
  • Select Pass through all claim values
Execute the following steps:
  • Click Finish
  • The list of claim rules will be displayed
  • Click OK
As mentioned in the pre-requisites article, if you want to configure ADFS to use/accept SHA-1 signatures, perform the following steps (Note: if you don’t configure ADFS to use/accept SHA-1 signatures, you will have to configure OIF to use SHA-256 for signatures):
  • Go to the machine where ADFS is deployed
  • If ADFS 2.0 is used
    • Click Start Menu -> Programs -> Administrative Tools -> AD FS 2.0 Management
    • Expand ADFS 2.0 -> Trust Relationships
  • If ADFS 3.0 is used
    • In Server Manager, click Tools -> AD FS Management
    • Expand AD FS -> Trust Relationships
  • Right click on the newly created Relying Party and select Properties
  • Select the Advanced Tab
  • Select SHA-1
  • Click OK
As also mentioned in the pre-requisites article, if you decided to disabled decryption on the ADFS IdP, execute the following steps:
  • Go to the machine where ADFS is deployed
  • If ADFS 2.0 is used, click Start Menu -> Programs -> Administrative Tools -> Windows PowerShell Modules
  • If ADFS 3.0 is used, click Start Menu -> Administrative Tools -> Active Directory Module for Windows PowerShell
  • Execute the following command (replace RP_NAME with the SP name used to create the partner in ADFS):
    set-ADFSRelyingPartyTrust –TargetName "RP_NAME" –EncryptClaims $False
    • For example:
      set-ADFSRelyingPartyTrust –TargetName "ACME SP" –EncryptClaims $False

OIF Setup

To add ADFS as an IdP partner in OIF, execute the following steps:
  • Go to the OAM Administration Console: http(s)://oam-admin-host:oam-admin-port/oamconsole
  • Navigate to Identity Federation -> Service Provider Administration
  • Click on the “Create Identity Provider Partner” button
  • In the Create screen:
    • Enter a name for the partner
    • Check whether or not this partner should be used as the IdP by default when starting a Federation SSO operation, if no IdP partner is specified. (in this example we will set it as the default IdP)
    • Select SAML 2.0 as the Protocol
    • Click Load Metadata and upload the SAML 2.0 Metadata file for the IdP
    • Assertion Mapping section:
      • Optionally set the OAM Identity Store that should be used (note: in the example, I left the field blank to use the default OAM Identity Store)
      • Optionally set the user search base DN (note: in the example, I left the field blank to use the user search base DN configured in the Identity Store)
      • Select how the mapping will occur (note: in the example, I am mapping the Assertion via the NameID to the LDAP mail attribute)
    • Select the Attribute Profile that will be used to map the names of the attributes in the incoming SAML Assertion to local names. See my next article on IdP Attribute Profile for more information. In this example, I will use the default IdP Attribute Profile.
    • Click Save
As mentioned in the pre-requisites article, if you want to configure OIF to use SHA-256 for signatures, perform the following steps (Note: if you don’t configure OIF to use SHA-256 for signatures, you will have to configure ADFS to use/accept SHA-1 signatures):
  • Enter the WLST environment by executing:
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server:
    connect()
  • Navigate to the Domain Runtime branch:
    domainRuntime()
  • Execute the configureFedDigitalSignature() command:
    configureFedDigitalSignature(partner="PARTNER_NAME", partnerType="idp/sp", algorithm="SHA-256/SHA-1")
    • Replace PARTNER_NAME with the name of the partner added
    • Set the partnerType to idp or sp
    • Set the algorithm to SHA-256 or SHA-1
    • An example would be:
      configureFedDigitalSignature(partner="ADFSIdP", partnerType="idp", algorithm="SHA-256")
  • Exit the WLST environment:
    exit()
As also mentioned in the pre-requisites article, if you decided not to disable strong encryption on the ADFS IdP, be sure that the JCE Unlimited Strength Jurisdiction policy files were installed in the OIF environment.

Test

To test the integration:
  • Either protect a resource with WebGate and a FederationScheme with ADFS IdP being the Default SSO Identity Provider for OIF
  • Or use the OIF Test SP application and select ADFS as the IdP

Comments

Post a Comment

Popular posts from this blog

VMware fix for Invalid manifest and ova file import failed errors

Image
Recently we got a OVA file for a virtual machine. The vendor instructions were to import the ova file in vmware Workstation, Player for Windows/Linux, Fusion for Mac, and VirtualBox as well.  The instructions were to take the available package and launch the VM with VMware workstation. The package contained  Module.mf, Module.ovf and Module-disk.vmdk and a Module.ova file. The .mf and .ovf file were 2 KB each whereas the vmdk was several gigs. The package also contained a Module.ova file which was several gigs as well. OVF           Open Virtualization Format MF             Manifest file VMDK       Virtual Machine Disk OVA           Open Virtualization Appliance The ovf file is a xml file that contains metadata for the ovf package The mf file contains the SHA1 hash codes of all files in the package The vmdk file is the disk image of the virtual machine,  VMware Workstation or VirtualBox. (vmdk format was originally developed by VMware and is an open format now). All of
Read more

SOAPUI - import certificate

Image
Note: SoapUI has two versions, one is open source and second Professional version. The open source can be download here . (confirmed link 12/19/2018). SSL Handshake issue:   There is an Issue in SoapUI version 5.3.0 (and 5.2.0 version) with SSL handshake error. It was resolved by updating below in vmoptions file ( refer here ). However, the error that shows up while trying to load wsdl is "Error loading WSDL" as below The fix is to Enable TLS 1.2 protocol for SOAP/REST calls in SoapUI, by ammending the vmoptions file to add the directive for TLS as (-Dsoapui.https.protocols=TLSv1.2). Refer here . Update: Version 5.5.0 does not have this issue. If you are on 5.3.0 better upgrade to 5.5.0 which is available now (Feb 2019). I had above issue as well as another issue reaching to https endpoint. Upgrade to 5.5.0 resolved issue. Select "Check for updates" under the Help menu and you will get option for upgrade. Select upgrade current version and accept all defaul
Read more

Centrally Managed Users (CMU) - New Feature in Oracle Database 18c

Image
Centrally Managed Users (CMU) Centrally Managed Users or CMU is a new feature introduced since Oracle DB 18c which allows simplified database user management through integration with Microsoft Active Directory (AD). Beginning with Oracle Database release 18c, version 18.1 and later supports direct integration with Microsoft Active Directory (AD) using the new centrally managed users capability. CMU allows the Oracle database to perform user authentication and authorization directly against AD. Benefits of CMU With centrally managed users, users accessing the database can be centrally managed to improve an organization's security posture. An enterprise user (a user in Microsoft Active Directory) can be exclusively mapped to a database account, or many enterprise users (in an Microsoft Active Directory group) can be mapped to a shared account in the database. Microsoft Active Directory groups can also be mapped to a database global role, which provides users with additional privilege
Read more