I am working with a client today who has Oracle Identity Federation (OIF) 11g configured with Oracle Access Manager (OAM) 10g as the default Authentication Engine. With this configuration the authentication module is dictated by the OAM policy configuration. If you set the OAM policy (the policy that protects the /fed/user/authnoam resource) to IWA then all federated SSO attempts will be routed to the IWA authn engine and if this policy is configure for a custom login form then all SSO attempts will be routed to the custom login form … I think you get the point. So, what happens when some resources (SaaS apps configured as SP/RP’s in OIF) require different levels of assurance (LOAs)? I thought maybe I could use the SAML default authentication method configured in the SP/RP metadata in the circle of trust (COT) but that does not get passed onto OAM. My second thought was to create a different policy for the URL that was being protected … but that OIF uses a pretty standard URL (/fed/user/authnoam?refid=id-blahblahblah) … OAM wouldn’t be able to figure out which policy to use.
So, had anyone else found a solution to this problem? I would appreciate any discussions or feedback.