Showing posts with label SAML. Show all posts

Thursday, August 16, 2018

OAM 11g IDP SAML Federation authorization policies


This post describes how to enable and configure authorization policies for federated applications with OAM 11g acting as the Identity Provider.

Note: Tested with an application integrated with OAM 11g R2 PS2 as IDP; I think this article still applies to later versions as well.

By default, Federation Authorization is disabled. Execute the steps below to enable federation authorization using WLST commands.


  • Enter the WLST environment by executing
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server
    connect()
  • Navigate to the Domain Runtime
    domainRuntime()
  • Execute the configureFedSSOAuthz() command
    • To enable authorization:
      configureFedSSOAuthz("true")
    • To disable authorization:
      configureFedSSOAuthz("false")
  • Exit the WLST environment:
    exit()

Authorization policies can be configured to allow or deny individual accounts, groups, or a combination of both, taken from the OAM 11g backend LDAP server.

Steps to configure a Token Issuance Policy


  • Go to the OAM Administration Console: https://oam-admin-host:port/oamconsole
  • Navigate to Access Manager -> Application Domains
  • Click Search
  • Click IAM Suite in the list of results
  • Click on the Token Issuance Policies tab
  • Click “Create Token Issuance Policy”
  • Enter a name (Example: AdministratorsOnlyPolicy)
  • Click on Conditions tab
  • Click Add to add a constraint for the AdministratorsOnly group
  • Enter the details of the constraints:
    • Name: for example AdministratorsGroup
    • Type: Token Requestor Identity
Note: If you would like to allow all users with valid credentials to log in to the application, select "True" in the condition type drop-down instead and click the "Add Selected" button.
  • Click Add Selected
  • Select the newly created constraint to configure it
    • In the conditions details, click Add and select Add Identities
    • Select the Identity Store and enter Administrators group name
    • Click search
    • Select the AdministratorsOnly Group
  • Click Add Selected
  • Click on the Rules tab
  • In the Allow Rule section, select the AdministratorsGroup condition and add it to the Selected Conditions, since we want to allow only users belonging to the Administrators group to do Federation SSO with the partners listed in this policy
  • Click Apply
Execute the following steps to create a new resource and attach it to the AdministratorsOnlyPolicy Token Issuance Policy:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:port/oamconsole
  • Navigate to Access Manager -> Application Domains
  • Click Search
  • Click IAM Suite in the list of results
  • Click on the Resources tab
  • Click on New Resource and create a new resource for the Token Issuance Policy:
    • Type: TokenServiceRP
    • Resource URL: the name of the SP Partner as it was created in the Federation administration section (example: XYZAppAdmin)
    • Operations: all
    • Token Issuance Policy: AdministratorsOnlyPolicy
    • Apply

Expect the SAML status message "User is not authorized to perform Federation SSO" in the IDP's SAML response whenever a user who is not in the Administrators group tries to log in.
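As an added example (not code from the original post), here is a small Python check that an SP-side engineer can run over a captured IdP Response to tell a Token Issuance Policy denial apart from a successful login or some other failure. The Response XML is constructed here; only the StatusMessage text comes from the post, and pairing it with a top-level Responder status code is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
# Message text taken from the post; which top-level StatusCode OAM pairs it with is assumed.
FED_AUTHZ_DENIED_MSG = "User is not authorized to perform Federation SSO"


def make_response(status_code: str, message: str = "") -> str:
    """Build a minimal, constructed samlp:Response (no Assertion, no Signature) for testing."""
    msg = f"<samlp:StatusMessage>{message}</samlp:StatusMessage>" if message else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_resp1" Version="2.0" IssueInstant="2018-08-16T10:00:00Z" InResponseTo="_req1">'
        f'<samlp:Status><samlp:StatusCode Value="{status_code}"/>{msg}</samlp:Status>'
        "</samlp:Response>"
    )


def triage_saml_status(response_xml: str) -> dict:
    """Classify an IdP Response by its Status block.

    outcome is one of (labels chosen here, not an OAM API):
      success          - top-level StatusCode is Success
      fed-authz-denied - OAM's Token Issuance Policy refused the user
      failure          - any other non-Success status
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response has no samlp:Status element")
    # iter() walks in document order, so the top-level StatusCode comes first
    # and any nested second-level codes follow it.
    codes = [c.get("Value") for c in status.iter("{%s}StatusCode" % NS["samlp"])]
    msg_el = status.find("samlp:StatusMessage", NS)
    message = (msg_el.text or "").strip() if msg_el is not None else ""
    if codes and codes[0] == SUCCESS:
        outcome = "success"
    elif message == FED_AUTHZ_DENIED_MSG:
        outcome = "fed-authz-denied"
    else:
        outcome = "failure"
    return {"outcome": outcome, "status_codes": codes, "message": message,
            "in_response_to": root.get("InResponseTo")}


# Constructed sample: what the SP sees when the user is not in the AdministratorsOnly group.
DENIED_RESPONSE = make_response(RESPONDER, FED_AUTHZ_DENIED_MSG)
```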

Happy SSO'ing

Thanks
Siva Pokuri


Sunday, June 10, 2018

Single Sign-On recommendations

It's increasingly challenging to manage the multiple identities of an individual, and doing so is an operational overhead for organizations.
Implementing a Single Sign-On solution in an organization to authenticate users and provide SSO for application access within the enterprise reduces operational overhead and cost.
Traditionally there was header-based Single Sign-On, and it is still lingering in the market. In the early 2000s SAML became the widely accepted mechanism for SSO requirements. Later in the game, in the late 2000s, when mobile applications and API-based designs came into the picture, the OAuth authorization mechanism arrived.
The goal of each SSO mechanism is very simple: "one login to multiple applications". Well, enabling SSO is definitely not as easy as that statement makes it sound.
When it comes to recommending Single Sign-On for an enterprise application, I would suggest considering the choices below and making a wise decision on how to implement Single Sign-On.
Option 1: A legacy application that cannot delegate authentication to an external authentication engine: use header-based authentication. Note that this approach requires a code change in the application's authentication mechanism.
Option 2: An application that is capable of delegating authentication to a SAML Identity Provider (IDP): just go with it without further thought.
Option 3: If you are planning to develop a new application and are studying authentication mechanisms for its architecture, consider OpenID / OAuth (3-legged) as the primary option.
It's recommended to read and understand each Single Sign-On mechanism before going to the implementation phase.
Happy SSO'ing.
Thanks.

Wednesday, March 21, 2018

Troubleshoot: SAP HANA SAML integration

When SAP HANA is enabled for external authentication with SAML, you might get the error message "Assertion did not contain a valid MessageID." when trying to log in.

Solution:

Adding the SAML parameter assertion_timeout and setting its value to 30 in SAP solves the issue.

Ref: https://blogs.sap.com/2014/07/03/troubleshooting-issues-when-implementing-saml-sso-in-hana-xs-engine/

Thanks

Wednesday, August 23, 2017

OIF 11g "Authentication request is expired" error message


Issue

When the IDP and SP system times are not in sync, you might see the error message "Authentication request is expired" in the OIF log, and you will notice a "RequestDenied" status in the SAML message.

Error Message:

[2017-08-23T10:05:11.877-04:00] [oam_server1] [ERROR] [FED-15063] [oracle.security.fed.eventhandler.fed.profiles.utils.CheckUtils] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 8eeddbe1def2bc04:-43c8fb68:15df144d399:-8000-000000000106474c,0] [APP: oam_server#11.1.2.0.0] Authentication request is expired.

Cause

The error message above appears when the system time of the Identity Provider (OIF) and the Service Provider servers is not in sync.

Resolution

Make sure the system time of both the Service Provider and the Identity Provider machines is in sync.
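Added example, not from the post: a Python check that mimics the decision the IdP makes when it receives an AuthnRequest, so a captured request can be tested against a trusted clock to confirm that drift is the cause of the expiry. The freshness windows, the sample request and the URL in it are assumptions; the post does not state OIF's real tolerance.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fraction) into an aware datetime."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z': %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def make_authn_request(issue_instant: str) -> str:
    """Constructed minimal samlp:AuthnRequest, as an SP would send it (hypothetical URL)."""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_req1" Version="2.0" '
            'IssueInstant="%s" Destination="https://idp.example.com/sso"/>'
            % (SAMLP, issue_instant))


def check_request_freshness(authn_request_xml: str, receiver_now: str,
                            max_age: timedelta = timedelta(minutes=5),
                            allowed_skew: timedelta = timedelta(minutes=2)) -> dict:
    """Judge an AuthnRequest's IssueInstant against the receiver's clock (a UTC 'Z' timestamp).

    max_age and allowed_skew are illustrative windows (assumptions), not OIF's real limits.
    A verdict other than 'fresh' for a request the SP sent just now means the two
    machines' clocks disagree.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    instant = root.get("IssueInstant")
    if instant is None:
        raise ValueError("AuthnRequest has no IssueInstant attribute")
    issued = parse_saml_instant(instant)
    age = parse_saml_instant(receiver_now) - issued  # positive when the request looks old
    if age > max_age + allowed_skew:
        verdict = "expired"            # what OIF logs as 'Authentication request is expired'
    elif age < -allowed_skew:
        verdict = "issued-in-future"   # SP clock is ahead of the IdP clock
    else:
        verdict = "fresh"
    return {"id": root.get("ID"), "issued": issued.isoformat(),
            "age_seconds": age.total_seconds(), "verdict": verdict}
```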

Thanks
Siva Pokuri.