In my earlier post I wrote about federating between Oracle Access Manager (OAM) and the Oracle Cloud Infrastructure (OCI) Console. In that post, however, OAM was integrated with OCI on the commercial side of the house. OCI also has infrastructure for government agencies (.gov). To federate to OCI Gov there is a different set of rules you must abide by; specifically, the FedRAMP standard (https://fedramp.gov) applies when federating users to OCI.
FedRAMP maps the 'Digital Identity Guidelines' from the National Institute of Standards and Technology (NIST) to FedRAMP levels (1,2,3).
If you look through the FedRAMP Digital Identity Requirements, there are three levels:
The assurance levels as defined by NIST SP 800-63 R3 are:
Since we are discussing Federation, let's pay particular attention to the Federation Assurance Levels (FAL).
By default, OCI Gov regions support FedRAMP High (FAL3). This can be turned off by filing a Service Request (SR) with Oracle. It is the customer's/agency's responsibility to determine how this will affect their ability to meet a particular standard. In many cases the customer will have filed a FedRAMP System Security Plan (SSP). You can check out the link here with the SSP templates for High, Moderate and Low.
Looking at FAL3 (High) in the Digital Identity Requirements, you will notice that there are 3 requirements when federating a user from your IdP to the OCI Console:
1) The assertion must be encrypted.
2) The assertion must be signed.
3) The SAML2 Holder-of-Key (HoK) assertion profile must be set on your IdP. For more detailed information, see the specifications.
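Before opening an SR or changing the OCI side, it helps to confirm that what your IdP actually emits satisfies all three requirements. The following is an added example (not Oracle's, OAM's or OCI's code) that performs a structural pre-flight check on a SAML 2.0 Response and on the assertion as it looks after the SP has decrypted it: requirement 1 is checked on the Response (an EncryptedAssertion and no plaintext Assertion), requirements 2 and 3 on the decrypted assertion (an enveloped ds:Signature, and SubjectConfirmation using the holder-of-key method with a KeyInfo). It does not decrypt or verify any cryptography; that belongs to your SP's SAML stack with the IdP's certificate. The XML samples, issuer URL and user name are constructed for illustration.

```python
"""Structural FAL3 pre-flight check for SAML 2.0 responses (added example).

Checks XML structure only. No decryption and no signature verification is
performed here; use your SP's SAML library (e.g. one built on xmlsec) for that.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def check_response_encrypted(response_xml: str) -> bool:
    """Requirement 1: the Response carries an EncryptedAssertion and no
    plaintext saml:Assertion alongside it."""
    root = ET.fromstring(response_xml)
    has_encrypted = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS) is not None
    has_plaintext = root.find("saml:Assertion", NS) is not None
    return has_encrypted and not has_plaintext


def check_assertion(assertion_xml: str) -> dict:
    """Requirements 2 and 3, evaluated on the assertion after decryption:
    an enveloped signature directly under saml:Assertion, and every
    SubjectConfirmation using holder-of-key with a KeyInfo that names the
    subject's key (a bearer confirmation fails this)."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("expected a saml:Assertion element")
    signed = root.find("ds:Signature/ds:SignatureValue", NS) is not None
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    holder_of_key = bool(confirmations) and all(
        sc.get("Method") == HOK_METHOD
        and sc.find("saml:SubjectConfirmationData/ds:KeyInfo", NS) is not None
        for sc in confirmations
    )
    return {"signed": signed, "holder_of_key": holder_of_key}


def fal3_report(response_xml: str, decrypted_assertion_xml: str) -> dict:
    """Combine the three checks into one verdict."""
    report = check_assertion(decrypted_assertion_xml)
    report["encrypted"] = check_response_encrypted(response_xml)
    report["fal3_ok"] = report["encrypted"] and report["signed"] and report["holder_of_key"]
    return report


# --- constructed samples (not real IdP output; base64 values are dummies) ---
RESPONSE_ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://oam.example.gov/oam/fed</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

HOK_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
  IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://oam.example.gov/oam/fed</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice@example.gov</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Same assertion, but with the default bearer confirmation (no key binding).
BEARER_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a2" Version="2.0"
  IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://oam.example.gov/oam/fed</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice@example.gov</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://console.example.gov/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print("HoK assertion:   ", fal3_report(RESPONSE_ENCRYPTED, HOK_ASSERTION))
    print("Bearer assertion:", fal3_report(RESPONSE_ENCRYPTED, BEARER_ASSERTION))
```

Run it against a captured Response and the assertion your SP logs after decryption; the bearer sample shows the failure you will see if the HoK profile has not been turned on at the IdP even though encryption and signing are in place.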
OAM 11g and OAM 12c now support the SAML2 Holder-of-Key profile; you will need to install patch 30468914. Please carefully review the 'Post Installation Instructions' in the 'Read Me' file; it explains in detail how to turn on HoK.