Wednesday, August 31, 2011

Adding an OpenID Relying Party to Oracle Identity Federation (OIF)


Since January 2011 (release 11.1.1.4), OIF supports OpenID 2.0 both as a Relying Party (RP) and as an OpenID Provider (OP).


During a recent POC we demonstrated OIF configured as an OpenID RP with Google as the OP. What follows is a short cookbook for configuring OIF to work with Google as the OP (the OIF console calls this role IDP).


OIF is administered through Enterprise Manager (EM). Log on to the OIF EM console, for example http://demo.com:7411/em.


Step 1: Enable OpenID RP support


Navigate to OIF Administration -> Service Provider
  • Select the OpenID 2.0 tab
  • Select Map User via Federated Identity
  • Unselect Map User via Attribute Query
Expand Protocol Settings
  • Check Enable OpenID 2.0 support
  • Click APPLY to save your changes
NOTE: I found that you cannot unselect "Map User via Attribute Query". As long as you override this in the IDP-specific settings, this should not matter (i.e. I think this is the default if you don't set it in the IDP).

Step 2: Add Google as an IDP


In this step you will create a new federation with Google as the OP and OIF as the RP.

  • Navigate to Federations
  • Click + to add a provider
  • You will be asked to add a provider either by importing metadata or manually. Choose Add Provider Manually
  • Enter the provider details: Name: Google, Description: Google, Protocol: OpenID 2.0, Role: IDP
  • Save the new provider.
  • Select the saved federation provider ("Google") and click "Edit"
  • Select Trusted Provider Settings tab
  • Enter https://www.google.com/accounts/o8/id for both the Endpoint URL and the Discovery URL
  • Select Oracle Identity Federation Settings tab
  • Assertion Settings: check "Map User via Federated Identity" and "Error when User Mapping Fails" (so that a failed user mapping ends the SSO with an error)
  • Protocol Settings: Check "Perform OpenID provider Discovery"
  • Save your changes

Step 3 (Optional): Add an AX attribute mapping


OIF supports the OpenID AX (Attribute Exchange) extension. In this step we configure OIF to request certain attributes from Google during an SSO operation; Google will ask the user to consent to releasing them.

Navigate to Federations -> Google -> OIF Settings
  • Click Attribute Mappings and Filters
  • Select Add Name Mappings
  • Enter User Attribute Name: email
  • Enter Assertion Attr Name: email
  • Enter Format or Namespace: http://schema.openid.net/contact/
  • Save your changes

Step 4: Test it out


OIF ships with a sample page that can be used to initiate an SSO operation. It is served under the /user/testspsso path of the OIF web application, for example:

http://oif.demo.com/fed/user/testspsso

  • On the demo page, select Google as the IDP
  • Under Requested Attributes (space delimited), enter email
  • Click Initiate SSO
  • You should be redirected to Google. Log on with your Google credentials and consent to sharing your email address with OIF.
  • You will be redirected back to OIF, which displays the results of the SSO operation. You should see the email attribute being passed back.
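To make concrete what the Steps 2-4 configuration asks OIF to do on the wire, here is an added Python example of the Relying Party side of the OpenID 2.0 exchange. It is not OIF or Google code. It builds the checkid_setup redirect with the AX request for the email attribute (the type URI is the Step 3 namespace plus the attribute name), and then performs the checks an RP must pass before trusting the positive assertion that comes back: the configured OP endpoint and return URL, the fields the spec requires to be signed, a fresh and not-yet-seen response nonce, the HMAC signature, and the rule that only signed parameters (so only signed AX values) are used for user mapping. It goes beyond the page in that it also shows the failure cases. Assumptions: the OP endpoint https://www.google.com/accounts/o8/ud as the result of discovery on the Step 2 URL, a hypothetical OIF return URL, a constructed association key, and a constructed stand-in for Google's reply so everything runs offline.

```python
# Added example (not OIF or Google code): the Relying Party side of the OpenID 2.0
# exchange configured in Steps 2-4; the OP's reply is constructed so the flow runs offline.
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_EMAIL_TYPE = "http://schema.openid.net/contact/" + "email"  # Step 3 namespace + attribute name
GOOGLE_OP_ENDPOINT = "https://www.google.com/accounts/o8/ud"   # assumption: what Step 2 discovery yields
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")
NONCE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_checkid_setup(op_endpoint, realm, return_to, assoc_handle):
    """Redirect URL for 'Initiate SSO' (Step 4); the AX fetch_request asks for the Step 3 email."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.type.email": AX_EMAIL_TYPE,
        "openid.ax.required": "email",
    }
    return op_endpoint + "?" + urlencode(params)


def sign(mac_key, params, signed):
    """HMAC-SHA256 over the key-value form (section 6.1): one 'key:value' line per signed field, 'openid.' stripped."""
    kv = "".join(f"{k}:{params.get('openid.' + k, '')}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def extract_ax(params):
    """Map AX type URI -> value. Find the extension by its namespace URI, not by alias:
    Google replies under 'ext1' whatever alias the RP used in the request."""
    out = {}
    for alias in [k[len("openid.ns."):] for k, v in params.items() if k.startswith("openid.ns.") and v == AX_NS]:
        type_prefix = f"openid.{alias}.type."
        for k, v in params.items():
            if k.startswith(type_prefix):
                out[v] = params.get(f"openid.{alias}.value." + k[len(type_prefix):])
    return out


def verify_positive_assertion(params, mac_key, return_to, op_endpoint, seen_nonces, max_skew=300):
    """Checks an RP must pass before trusting an id_res (section 11); raises ValueError otherwise."""
    for field, expected in (("ns", OPENID_NS), ("mode", "id_res"), ("op_endpoint", op_endpoint), ("return_to", return_to)):
        if params.get("openid." + field) != expected:
            raise ValueError(f"openid.{field} is missing or not the expected value")
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in REQUIRED_SIGNED):
        raise ValueError("a field the spec requires to be signed is not covered by openid.sig")
    nonce = params.get("openid.response_nonce", "")
    issued = datetime.strptime(nonce[:20], NONCE_TIME_FORMAT).replace(tzinfo=timezone.utc)  # ValueError if malformed
    if abs((datetime.now(timezone.utc) - issued).total_seconds()) > max_skew:
        raise ValueError("response_nonce outside the accepted time window")
    if nonce in seen_nonces:
        raise ValueError("replayed response_nonce")
    if not hmac.compare_digest(sign(mac_key, params, signed), params.get("openid.sig", "")):
        raise ValueError("signature verification failed")
    seen_nonces.add(nonce)  # remember the nonce only once the signature has checked out
    # Only signed parameters are trusted: an unsigned AX value appended to the redirect
    # by anyone in the browser's path is dropped rather than used for user mapping.
    trusted = {k: v for k, v in params.items() if k[len("openid."):] in signed}
    return {"claimed_id": params.get("openid.claimed_id"), "attributes": extract_ax(trusted)}


def constructed_op_response(request_url, mac_key, claimed_id, email):
    """Stand-in for Google's side (constructed for this example): a signed id_res carrying the email in an AX fetch_response."""
    req = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": request_url.split("?", 1)[0],
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": req["openid.return_to"],
        "openid.response_nonce": datetime.now(timezone.utc).strftime(NONCE_TIME_FORMAT) + secrets.token_hex(4),
        "openid.assoc_handle": req["openid.assoc_handle"],
        "openid.ns.ext1": AX_NS,
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.email": AX_EMAIL_TYPE,
        "openid.ext1.value.email": email,
    }
    signed = [k[len("openid."):] for k in params if k not in ("openid.ns", "openid.mode")]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign(mac_key, params, signed)
    return params
```

Every ValueError above corresponds to a case where the RP must refuse to map a user; with "Error when User Mapping Fails" set in Step 2, that refusal is what OIF surfaces instead of a session. Two things the example leaves out that a production RP does: establishing the association (the MAC key) with the OP, and re-running discovery on the returned claimed_id to confirm the OP is authoritative for it. Note also that Google shut down its OpenID 2.0 service in 2015 in favour of OpenID Connect, so the Step 2 discovery URL no longer serves this protocol; the checks shown are protocol-level and apply to any OpenID 2.0 OP.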