Configuring SAML Federation between Oracle Identity Cloud Services and MS Azure AD

Introduction: The intent of this post is to describe the mechanics of configuring very basic SAML Federation between Oracle Identity Cloud Services (IDCS) and Microsoft Azure AD. The scenario in mind is having Azure AD as an Identity Provider to IDCS. The required configuration in Azure AD is essentially the same as presented in Paulo’s excellent post, where he describes […]

OAM Federation 11.1.2.3: Example Message Processing Plugin

SAML is an extensible protocol. Since it is based on XML, through the use of XML namespaces, custom elements and attributes can be inserted into the SAML messages at the appropriate places. Sometimes third party or custom SAML implementations will require particular custom elements or attributes to function. In this example, we will suppose an […]

OAM Federation 11.1.2.3: Performing a Loopback Test

In this blog post I will share steps for performing a loopback test of OAM Federation 11.1.2.3. In a loopback test, we configure OAM’s SP to point to OAM’s IdP. This enables you to confirm the basic functionality of OAM Federation without requiring any external partner server. I also find it useful in plugin development […]

OAM Federation: Identity Provider & Service Provider Management

In this blog post I want to clarify a point of initial confusion some people experience with OAM Federation 11.1.2.3. If we go to the “Federation” tab of the OAM Console, we see: Now the two main objects you manage in your OAM Fed configuration are your IdP Partner definitions and your SP Partner definitions. […]

Enterprise Gateway (OEG) External Service Calls

I’ve had the opportunity recently to work with the Oracle Enterprise Gateway (OEG) for a DoD opportunity. For those that aren’t familiar, OEG is an OEM from Vordel. The definitive blog on Vordel is at http://xmlgateway.blogspot.com/ where our old friend Josh Bregman writes. There were a couple of patterns that emerged in my work that I wanted to post.

One pattern is the need to make an external call to a service. In my case, I needed to call to an attribute sharing service (see Chris’ blog on XASP for more details on one approach for this) and a XACML PDP. Note, OEG has an embedded PDP solution using Oracle Entitlements Server (OES) that provides a faster service, but in my case, I had to stay with the standards-based solution. This is very easy to accomplish with OEG with a 3-step circuit:


The Set Message defines the parameters of the request. In my case, I have an attribute service that takes a user DN and returns specified attributes.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <orafed-arxs:AttributeRequest xmlns:orafed-arxs="http://www.oracle.com/fed/ar/10gR3" TargetIDP="SpaceFenceIDP">
      <orafed-arxs:Subject>cn=${user.cn},ou=${user.physicalDeliveryOffice},dc=service,dc=mil</orafed-arxs:Subject>
      <orafed-arxs:Attribute Name="mail"/>
      <orafed-arxs:Attribute Name="clearance"/>
    </orafed-arxs:AttributeRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Notice the wildcards with ${variable}. These were attained earlier in the circuit with a “Retrieve from Directory Server” node after authentication to the Gateway. In the Policy Editor, create a policy and drag the Set Message onto the easel. Enter “text/xml” for the Content-type and, optionally, import the request from a file, then save.


Setting the URL is very straightforward, just enter the URL and any trust certificates if necessary.

The response from the attribute service (Oracle Identity Federation in this case) is:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <orafed-arxs:AttributeResponse CacheFor="1499" xmlns:orafed-arxs="http://www.oracle.com/fed/ar/10gR3">
      <orafed-arxs:Status>Success</orafed-arxs:Status>
      <orafed-arxs:Subject>cn=Jane Wilson,ou=CDC,dc=service,dc=mil</orafed-arxs:Subject>
      <orafed-arxs:Attribute Name="mail">
        <orafed-arxs:Value>jwilson@service.mil</orafed-arxs:Value>
      </orafed-arxs:Attribute>
      <orafed-arxs:Attribute Name="businessCategory">
        <orafed-arxs:Value>Secret</orafed-arxs:Value>
      </orafed-arxs:Attribute>
    </orafed-arxs:AttributeResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Knowing this response format will help in parsing the response in OEG. When editing “Retrieve from Message”, re-name the node appropriately and select “Add” under the attribute location.


Name the attribute (arbitrary) and select the magic wand button. Browse to the response file saved on disk, and you should see the contents in the XPath Wizard. Select the node which you wish to have returned to the gateway.


Select “Use this path” and the XPath Expression should show up in the XPath field. Select OK. Name the attribute you want to populate in the gateway and save the node.
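To show what the Set Message and Retrieve from Message nodes do end to end, here is an added Python example (not part of the original post or of OEG) that builds the AttributeRequest above and parses the AttributeResponse with the same namespaced paths the XPath wizard produces. The function names, the constructed sample response and the subject/status checks are my own additions; the request is assembled through the XML API so that directory values are escaped rather than pasted in as raw text.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the request and response bodies shown in the post
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ARXS_NS = "http://www.oracle.com/fed/ar/10gR3"
NS = {"SOAP-ENV": SOAP_NS, "orafed-arxs": ARXS_NS}
ET.register_namespace("SOAP-ENV", SOAP_NS)
ET.register_namespace("orafed-arxs", ARXS_NS)


def build_attribute_request(cn, office, target_idp, attributes):
    """Hypothetical helper: build the AttributeRequest the Set Message node sends.
    Values go through the XML API, so '<' or '&' in a directory value is escaped."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{ARXS_NS}}}AttributeRequest", TargetIDP=target_idp)
    ET.SubElement(req, f"{{{ARXS_NS}}}Subject").text = f"cn={cn},ou={office},dc=service,dc=mil"
    for name in attributes:
        ET.SubElement(req, f"{{{ARXS_NS}}}Attribute", Name=name)
    return ET.tostring(env, encoding="unicode")


def parse_attribute_response(xml_text, expected_subject):
    """Hypothetical helper: return {attribute name: [values]} from an AttributeResponse.
    Raises ValueError if Status is not Success or the Subject is not the one requested."""
    root = ET.fromstring(xml_text)
    resp = root.find("SOAP-ENV:Body/orafed-arxs:AttributeResponse", NS)
    if resp is None:
        raise ValueError("no AttributeResponse in SOAP body")
    status = resp.findtext("orafed-arxs:Status", default="", namespaces=NS)
    if status != "Success":
        raise ValueError(f"attribute service returned status {status!r}")
    subject = resp.findtext("orafed-arxs:Subject", default="", namespaces=NS)
    if subject != expected_subject:
        raise ValueError(f"subject {subject!r} does not match requested {expected_subject!r}")
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("orafed-arxs:Value", NS)]
        for attr in resp.findall("orafed-arxs:Attribute", NS)
    }


# Constructed sample response, shaped like the one shown in the post
SAMPLE_RESPONSE = (
    f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>'
    f'<orafed-arxs:AttributeResponse CacheFor="1499" xmlns:orafed-arxs="{ARXS_NS}">'
    "<orafed-arxs:Status>Success</orafed-arxs:Status>"
    "<orafed-arxs:Subject>cn=Jane Wilson,ou=CDC,dc=service,dc=mil</orafed-arxs:Subject>"
    '<orafed-arxs:Attribute Name="mail"><orafed-arxs:Value>jwilson@service.mil</orafed-arxs:Value></orafed-arxs:Attribute>'
    '<orafed-arxs:Attribute Name="businessCategory"><orafed-arxs:Value>Secret</orafed-arxs:Value></orafed-arxs:Attribute>'
    "</orafed-arxs:AttributeResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

if __name__ == "__main__":
    print(build_attribute_request("Jane Wilson", "CDC", "SpaceFenceIDP", ["mail", "clearance"]))
    print(parse_attribute_response(SAMPLE_RESPONSE, "cn=Jane Wilson,ou=CDC,dc=service,dc=mil"))
```

The subject comparison is the check a circuit should make before trusting returned attributes: a response is only used if it is a Success and is about the DN that was actually asked for.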

Debugging on OEG typically consists of adding a “Trace” node to your circuit and putting the listener in DEBUG or DATA mode. This gives you the “System.out” visibility into what’s going on in the Gateway.

Thanks to Dave Roberts from Vordel for getting me over the humps and for stealing second in 2004.