Introduction
This post will guide you through setting up federation with OAM. I have recently gone through this integration and came across some issues. But don't fret: all of the issues I encountered have workarounds, and at the time of this writing all of them have been submitted to Oracle. My hope is that this will help our customers implementing this use case until all the fixes have been released.
Configuration Setup
To set up OAM as an IdP you should read the whitepaper here. The whitepaper describes in detail the steps needed to complete the setup. However, you may run across some issues, which are described below.
In Step 1-3, within the saved OCI metadata, you will see the following:
<md:RequestedAttribute FriendlyName="GroupName"
Now that we have changed the metadata, its signature is invalid. The signature exists to verify that the metadata has not been tampered with, so for OAM to process and accept the edited metadata we must also remove the signature.
Now save the file and import into OAM as documented.
In Step 2-11 there is a documentation bug: the step describes setting the 'expression' option to return a subset of groups, specifically $user.groups = "OCI_*". This expression is not supported (an enhancement request has been logged with Oracle). Instead, use the value option, set to user/groups.
One last thing: OCI requires that multiple groups sent in the SAML assertion be placed in individual 'AttributeValue' elements. By default, OAM sends multiple groups as a single delimited value (i.e. comma-separated). You must change this behavior in OAM with the WLST call described here.
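To confirm the change took effect, the following added example (not from the original post or from Oracle) parses a captured assertion and reports whether the group attribute arrives as one AttributeValue per group or as a single delimited string. The attribute name "groups" and the two sample assertions are constructed assumptions.

```python
"""Check how group membership is encoded in a SAML assertion's attribute
statement.  OCI expects one <saml:AttributeValue> per group, while OAM by
default emits a single comma-delimited value.  Samples are constructed."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed fragment showing the default OAM encoding (one delimited value).
DELIMITED = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups" FriendlyName="GroupName">
      <saml:AttributeValue>OCI_Admins,OCI_Readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed fragment in the form OCI requires (one element per group).
PER_VALUE = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups" FriendlyName="GroupName">
      <saml:AttributeValue>OCI_Admins</saml:AttributeValue>
      <saml:AttributeValue>OCI_Readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_values(assertion_xml, friendly_name="GroupName"):
    """Return the text of every AttributeValue under the group attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("FriendlyName") == friendly_name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def groups_are_per_value(assertion_xml, delimiter=","):
    """False when groups arrive as one delimited string (the OAM default),
    which OCI will not split; True when each group has its own element."""
    values = group_values(assertion_xml)
    return len(values) > 0 and not any(delimiter in v for v in values)


if __name__ == "__main__":
    print("default OAM form accepted by OCI:", groups_are_per_value(DELIMITED))
    print("per-value form accepted by OCI:", groups_are_per_value(PER_VALUE))
```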
That's it! Test and validate!