OIF

#Oracle #OIF controlling the authentication method #SAML #IDM


I am thinking, I am thinking ....I am working with a client today who has Oracle Identity Federation (OIF) 11g configured with Oracle Access Manager (OAM) 10g as the default Authentication Engine.  With this configuration the authentication module is dictated by the OAM policy configuration.  If you set the OAM policy (the policy that protects the /fed/user/authnoam resource) to IWA then all federated SSO attempts will be routed to the IWA authn engine and if this policy is configure for a custom login form then all SSO attempts will be routed to the custom login form … I think you get the point.  So, what happens when some resources (SaaS apps configured as SP/RP’s in OIF) require different levels of assurance (LOAs)?  I thought maybe I could use the SAML default authentication method configured in the SP/RP metadata in the circle of trust (COT) but that does not get passed onto OAM.  My second thought was to create a different policy for the URL that was being protected … but that OIF uses a pretty standard URL (/fed/user/authnoam?refid=id-blahblahblah) … OAM wouldn’t be able to figure out which policy to use.

So, had anyone else found a solution to this problem?  I would appreciate any discussions or feedback.

Advertisements

Upgrade #Oracle #OIF to 11.1.1.3 #IDM #Identity


We installed Oracle Identity Federation (OIF) 11.1.1.2 a few months ago and had to move on to some other, more pressing IDM-related issues.  We finally came back to the Federation tasks at the beginning of September.  The first thing I did was take an inventory of where we left off and compared to what the current released version was from Oracle.  I found that we were now a version behind with both Weblogic Server (WLS) and OIF.  I initially put off upgrading because we were in a hurry to integrate with one of their business partners.  We were able to configure the Circle of Trust with the Relying Party (RP, aka Service Provider) with just a few issues.   This particular partner is using OpenSAML as their software of choice.  The only issue for us is that they didn’t (or don’t) create metadata files.  This is their choice because OpenSAML has a module for doing this.  The metadata files is a feature in SAML 2.0 that allows for easy (…easier) integration with your Federation partners.  I was able to create one manually for them by using the sp.xml file that was created when using the OpenSSO Fedlet (that’s for another post).

So, finally on to the point of this post.  The only issues that we have had with OIF 11.1.1.2 is that when trying to search for local users (we are using OVD as our User Data Store … OVD front’s two different AD instances) we have some issues with the search function and not all users can authenticate.  Yes, this is actually a major problem.

I noticed via http://support.oracle.com that there are a lot of patches available for 11.1.1.2.  I ended up downloading the 11.1.1.3 version from OTN (here).

(Note:  I talked to my contact at Oracle Support who said that 11.1.1.4 is coming very soon)

This version requires that Weblogic be at least 10.1.3.  I went back to the support site and downloaded the 10.1.3 patch from there.  It’s a jar file that is run and will open up as an OUI installer.  I found this site which I used as a guide.  It’s pretty simple and painless.  Make sure that you restart WLS after upgrading and before upgrading OIF.  When the OIF upgrade is complete you should restart the managed service.

After restarting OIF I noticed in Enterprise Manager (EM) that OIF is still displaying as 11.1.1.2.  I am running the Upgrade Assistant (Oracle_Home/bin/ua).  On the second screen you can select “Verify Instance”.  This will walk you through and verify that your OIF instance is upgraded to the correct version.  In my case the status is showing as “Failed”.    One thing that seems odd to me is that the port shown (on the error message) is 7499.  It looks like it’s trying to access the URL to the metadata file and is trying to go on 7499. (i.e., http://hostname:7499/fed/idp/metadata).  I can get to the file via 7777 and not 7499.  So, I’ll need to check later as to why the Upgrade Assistant is using that port.

I just tried to re-run the 11.1.1.3 patch installer.  It complained that the patch had already been applied to this Oracle_Home.  So, now I am perplexed.  Let’s try rebooting the box and restarting the WLS and OIF services.

Interestingly, after the reboot the OIF version is still showing as 11.1.1.2 … but my OIF LDAP Authentication Engine error is no longer occurring.  So, maybe it did get patched??  I am working on confirming this … maybe the version number doesn’t get updated?  … that doesn’t sound right though.