Authenticating to the OIG REST API from an OAM-protected web app

The objective of this post is to describe how a web app protected by an OAM WebGate can authenticate to the OIG REST APIs. In a previous blog post, I provided detailed steps to do the same thing for the SCIM REST APIs; now in this blog post I will explain how the same approach can be applied to the OIG REST APIs too, with only some minor changes. The reason we can use essentially the same approach for both the OIG REST and SCIM REST APIs is that both use the same OWSM policy (oracle/multi_token_noauth_rest_service_policy) for security. You might use these steps if you were building a custom web interface to OIM, or integrating OIM into a portal (as a custom portlet).

Rather than repeat the steps from that post, I will refer you back to it with the following changes:

  1. Firstly, make sure you have applied Bundle Patch (Patch 24326201)
  2. Follow the instructions in the Patch 24326201 README to install OIG REST APIs and test them
  3. Otherwise follow the steps in my original blog post; however, in “Step 1: Creating the example application”, replace the index.jsp with the alternate version given below.

The index.jsp file needs to be changed to point to the OIG REST API instead of the SCIM REST API. Additionally, the example given was retrieving the /Me SCIM resource which represents the authenticated user; however, that operation has no direct equivalent in the OIG REST API. Instead what we do in this example is parse the SAML assertion to find the username, and then pass that as filter criteria to the /iam/governance/selfservice/api/v1/users endpoint.

<%@page contentType="text/html; charset=UTF-8" %>
<%@ page import="*" %>
<%@ page import="*" %>
<%@ page import="java.nio.charset.*" %>
<%@ page import="java.util.*" %>
<%@ page import="*" %>
<%@ page import="javax.json.*" %>
<%@ page import="*" %>
<%@ page import="javax.xml.bind.*" %>
<%@ page import="javax.xml.parsers.*" %>
<%@ page import="org.w3c.dom.*" %>
<%@ page import="org.xml.sax.*" %>

public static String escapeHTML(String s) {
    return s.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll("\"","&quot;");
public static String gzipBase64(String s) throws Exception {
    byte[] b = s.getBytes(StandardCharsets.UTF_8);
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    GZIPOutputStream gzos = new GZIPOutputStream(baos);
    return DatatypeConverter.printBase64Binary(baos.toByteArray());

public static String getUserName(String samlAssertion) throws Exception {
    StringReader sr = new StringReader(samlAssertion);
    InputSource is = new InputSource(sr);
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    Document doc = db.parse(is);
    org.w3c.dom.Element root = doc.getDocumentElement();
    NodeList nl = root.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "NameID");
    String userName = ((org.w3c.dom.Element)nl.item(0)).getAttribute("SPProvidedID");
    return userName;
public static JsonObject getMyProfile(String token, String userName) throws Exception {
    URL url = new URL("https://OIMHOST:14001/iam/governance/selfservice/api/v1/users?q=User::Login eq " + userName);
    HttpURLConnection conn = (HttpURLConnection)url.openConnection();
    conn.setRequestProperty("Authorization","oit " + token);
    StringBuilder sb = new StringBuilder();
    JsonReader rdr = Json.createReader(conn.getInputStream());
        try {
        return rdr.readObject();
    } finally {
public static String prettyPrint(JsonObject obj) {
    Map<String, Object> cfg = new HashMap<String,Object>(1);
    cfg.put(JsonGenerator.PRETTY_PRINTING, true);
    StringWriter sw = new StringWriter();
    JsonWriterFactory wf = Json.createWriterFactory(cfg);
    JsonWriter jw = wf.createWriter(sw);
    return sw.toString();
public static String htmlesc(String input) {
    return input.replace("&","&amp;").replace("<","&lt;").replace(">","&gt;").replace("\"","&quot;");
    String samlAssertion = request.getHeader("OAM_IDENTITY_ASSERTION");
    String token = gzipBase64(samlAssertion);
    String userName = getUserName(samlAssertion);
    JsonObject profile = getMyProfile(token, userName);
<title>Show My Profile</title>
<h1>Show My Profile</h1>
Find below your user profile.

Add Your Comment