Since January of 2011 (188.8.131.52), OIF (Oracle Identity Federation) supports OpenID 2.0 both as a Relying Party and as an OpenID Provider.
During a recent PoC we demonstrated OIF configured as an OpenID RP with Google as the OpenID Provider. What follows is a short cookbook for configuring OIF to work with Google as the IdP.
OIF is administered through Enterprise Manager. Log on to the OIF EM console (for example, http://demo.com:7411/em).
Step 1: Enable OpenID RP support
Navigate to OIF Administration -> Service Provider
- Select the OpenID 2.0 tab
- Select Map User via Federated Identity
- Unselect Map user via attribute query
- Click Enable OpenID 2.0 support
- Click APPLY to save your changes
Step 2: Add Google as an IDP
In this step you will create a new federation with Google as the OP and OIF as the RP.
- Navigate to Federations
- Click + to add a provider
- You will be asked to add a provider by importing metadata, or manually. Choose Add Provider Manually
- Enter the provider details: Name: Google, Description: Google, Protocol: OpenID 2.0, Role: IDP
- Save the new provider.
- Select the saved federation provider ("Google") and click "Edit"
- Select Trusted Provider Settings tab
- Enter https://www.google.com/accounts/o8/id for both the Endpoint URL and the Discovery URL
- Select Oracle Identity Federation Settings tab
- Assertion Settings: Check "Map User via Federated Identity" and "Error when user Mapping fails"
- Protocol Settings: Check "Perform OpenID provider Discovery"
- Save your changes
Step 3 (Optional): Add an AX attribute mapping
OIF supports the OpenID AX (Attribute Exchange) specification. In this step we will configure OIF to request certain attributes from Google during an SSO operation. The user will be asked to consent to providing these attributes.
Navigate to Federations -> Google -> OIF Settings
- Click Attribute Mappings and Filters
- Select Add Name Mappings
- Enter User Attribute Name: email
- Enter Assertion Attr Name: email
- Enter Format or Namespace: http://schema.openid.net/contact/
- Save your changes
Step 4: Test it out
OIF ships with a sample page that can be used to initiate an SSO operation. The demo page is installed as part of OIF at /user/testspsso. For example:
- On the demo page Select Google as the IDP
- Under Requested Attributes (space delimited) enter email
- Click Initiate SSO
- You should be redirected to Google. Log on with your Google credentials, and consent to allowing OIF to see the email.
- You will be redirected back to OIF to see the results of the SSO operation. You should see the email attribute being passed back.
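The positive assertion that comes back to the RP at the end of Step 4 is only worth something after the RP has checked it, and the email from Step 3 is only trustworthy if it sits inside the signed part of the response. As an added example (not OIF code, and not from the original post), this Python sketch performs those relying-party checks in plain form: return_to and op_endpoint match what was used, the response_nonce is fresh and unused, every AX field is listed in openid.signed, and the HMAC-SHA256 signature verifies against the association MAC key. The OP endpoint, return URL and MAC key are constructed stand-ins, and the email type URI assumes OIF appends the Step 3 attribute name to the namespace.

```python
import base64, calendar, hashlib, hmac, time

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL_TYPE = "http://schema.openid.net/contact/email"  # Step 3 namespace + attr name (assumption)
OP_ENDPOINT, RETURN_TO = "https://op.example/ud", "https://rp.example/return"  # constructed stand-ins
MAC_KEY = b"constructed-sample-mac-key"  # stands in for the association MAC key negotiated with the OP

def sign(resp, mac_key):  # HMAC-SHA256 over the key-value form of the fields named in openid.signed
    kv = "".join(f"{f}:{resp.get('openid.' + f, '')}\n" for f in resp.get("openid.signed", "").split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def validate_assertion(resp, return_to, op_endpoint, mac_key, seen_nonces, now):  # -> (problems, ax_attrs)
    problems = ["not a positive assertion"] if resp.get("openid.mode") != "id_res" else []
    if resp.get("openid.return_to") != return_to:
        problems.append("return_to mismatch")
    if resp.get("openid.op_endpoint") != op_endpoint:
        problems.append("op_endpoint mismatch")
    nonce = resp.get("openid.response_nonce", "")
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        problems.append("malformed response_nonce")
    else:
        if abs(now - issued) > 300 or nonce in seen_nonces:  # 5-minute window, single use
            problems.append("stale or replayed response_nonce")
        seen_nonces.add(nonce)
    signed = set(resp.get("openid.signed", "").split(","))
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    ax_fields = {k[7:] for k in resp if k.startswith("openid.ax.") or k == "openid.ns.ax"}
    missing = (required | ax_fields) - signed  # an AX value outside the signature is untrusted
    if missing:
        problems.append("unsigned fields: " + ",".join(sorted(missing)))
    if not hmac.compare_digest(sign(resp, mac_key), resp.get("openid.sig", "")):
        problems.append("bad signature")
    attrs = {v: resp.get("openid.ax.value." + k.rsplit(".", 1)[1])
             for k, v in resp.items() if k.startswith("openid.ax.type.")}
    return problems, (attrs if resp.get("openid.ax.mode") == "fetch_response" else {})

def sample_response():  # constructed positive assertion carrying the AX email, as the RP sees it in Step 4
    r = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
         "openid.claimed_id": "https://op.example/id?u=1", "openid.identity": "https://op.example/id?u=1",
         "openid.assoc_handle": "sample-handle", "openid.response_nonce": "2011-03-01T10:00:00Zabc123",
         "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
         "openid.ax.type.email": EMAIL_TYPE, "openid.ax.value.email": "alice@example.com",
         "openid.signed": "op_endpoint,return_to,claimed_id,identity,assoc_handle,"
                          "response_nonce,ns.ax,ax.mode,ax.type.email,ax.value.email"}
    r["openid.sig"] = sign(r, MAC_KEY)
    return r
```

Signature verification against the association key is what OIF does for you; the point of the sketch is that the AX fields must be covered by that signature before the email is mapped to a user.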