
Monday, March 27, 2017

OIF: Encrypt SAML Assertions

Today we are going to learn about the configuration required to enable encrypted SAML communication between the IDP and the SP. In my earlier posts, I covered SSO configuration and a couple of other Federated SSO scenarios, using Salesforce as the example. You can refer to those posts for more information.

This post specifically covers the configuration required to enable encryption of the SAML Assertion. It assumes that SSO to the Service Provider application (Salesforce in our example) is already configured in SP-initiated mode.

Environment:
  • OAM 11.1.2.3 BP07
  • Salesforce
  • RHEL6/OEL6
Steps:

  • In this post, we are going to use the self-signed certificate that can be generated inside Salesforce. In real environments, these certificates are usually signed by a third-party certificate authority.
  • Let's log in to the Salesforce application to create a self-signed certificate.
  • Go to Setup -> Certificates and Key Management
  • Click on Create Self-Signed Certificate to create a new certificate if there is no existing one
  • Once the certificate is created, let's configure the encryption settings in the IDP profile.
  • Navigate to Setup and search for Single Sign-On Settings
  • Update the following options:
    • Request Signature Method -> RSA-SHA1
    • Assertion Decryption Certificate -> select the previously created self-signed certificate
  • Save the changes and download the metadata file
  • If you compare this newly downloaded metadata with the earlier one, it will contain additional information about the encryption settings.
  • Now we need to import this latest metadata into the Identity Provider, which is OIF
  • Log in to the OAM Console and go to Federation -> Identity Provider Administration
  • Open the 'Salesforce' service provider profile
  • Click on 'Load metadata' to import the new metadata configuration
  • Go to the Advanced section and check the 'Encrypt Assertion' setting
  • Save the changes made to this service provider profile.
  • Ok. We are now finished with the configuration changes. Let's validate the encryption now.
Validation:
  • Access the Salesforce application using the SP-initiated URL.
    • https://<mydomain>.my.salesforce.com
  • This will redirect to the IDP URL to authenticate against the IDP
  • Provide the login credentials and click on Submit to log in
  • Once authentication is successful, the OIF engine generates the SAML Response in encrypted form as shown below. You can view these SAML messages using browser plugins.
  • Once the assertion is successfully decrypted and validated by Salesforce, you will land in your Salesforce domain.
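As an added example (not from the original post), here is a small Python check for the two artefacts this procedure produces: the re-downloaded Salesforce SP metadata should now carry a KeyDescriptor usable for encryption, and the SAML Response captured in the browser should carry an EncryptedAssertion instead of a plaintext Assertion. The XML fragments are constructed stand-ins; the entity IDs, issuer, certificate and ciphertext values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

# Constructed SP metadata in the shape Salesforce exports once an Assertion
# Decryption Certificate is selected; the certificate bytes are a placeholder.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.my.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response with an EncryptedAssertion (ciphertext is a placeholder).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed Response with a plaintext assertion: what the IDP sends before
# 'Encrypt Assertion' is checked on the SP partner profile.
PLAIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Issuer>https://idp.example.com/oam/fed</saml:Issuer></saml:Assertion>
</samlp:Response>"""

def metadata_supports_encryption(metadata_xml):
    """True if the SP metadata publishes a KeyDescriptor usable for encryption.
    A KeyDescriptor with no 'use' attribute serves both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    return any(kd.get("use", "encryption") == "encryption"
               for kd in root.iterfind(".//md:KeyDescriptor", NS))

def assertion_encryption_algorithm(response_xml):
    """Return the xenc algorithm URI protecting the assertion, or None when the
    Response still carries a plaintext saml:Assertion."""
    root = ET.fromstring(response_xml)
    method = root.find("saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod", NS)
    return None if method is None else method.get("Algorithm")

if __name__ == "__main__":
    print("SP metadata has encryption key:", metadata_supports_encryption(SP_METADATA))
    print("Encrypted response uses:", assertion_encryption_algorithm(ENCRYPTED_RESPONSE))
    print("Plain response uses:", assertion_encryption_algorithm(PLAIN_RESPONSE))
```

Point the same two functions at the real metadata file and at the Response decoded from the browser plugin to confirm encryption is actually in effect rather than just switched on in the console.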
Thank you for visiting.

Wednesday, September 21, 2016

OIF: Relay State parameter in Federation

In this post, we are going to cover the configuration of the 'Relay State' parameter for SP partners. Before we go into the configuration, let us understand the purpose of the 'Relay State' parameter. Essentially, we use this parameter to automate the redirection of a user to a specific target page URL as soon as authentication against the IDP completes successfully and the SAML assertion is posted to the SP. This way you can avoid adding a 'returnurl' parameter to your SSO URL while redirecting to the Service Provider application.

In our example, we are trying this on the Salesforce application by redirecting to a ContentDocument-specific URL. We have configured Salesforce as the Service Provider and OAM 11.1.2.3 as the IDP. You can refer to my earlier posts given below for more information on the SSO configuration.
Environment:
  • OAM 11.1.2.3 BP07
  • RHEL6
  • Salesforce
Steps:
  • Assuming you have already configured Federated SSO to a service provider application (for example, Salesforce) with OAM as the IDP and Salesforce as the SP.
  • Now log in to the OAM server
  • Change directory to <Oracle_IDM1_Home>/common/bin
  • Execute the following commands
    • ./wlst.sh
    • connect('weblogic', 'password123', 't3://localhost:7001')
    • domainRuntime()
    • updatePartnerProperty(partnerName="salesforce",partnerType="SP",propName="providerrelaystate",propValue="https://mydomain.lightning.force.com/one/one.app#/sObject/ContentDocument/home",type="string")

  • On successful execution, you will receive the message as shown above.
Validation:
  • You can log in to Salesforce using the IDP-initiated or SP URL. After authentication, you will be automatically redirected to the URL configured as the 'Relay State' URL, as shown below.

You can also refer to the various other properties that you can set through the WLST command line. These are very well documented in the Oracle docs. Please refer here.

Thank you for visiting.