Wednesday, August 31, 2011

Adding an OpenID Relying Party to Oracle Identity Federation (OIF)

Since January 2011, OIF (Oracle Identity Federation) supports OpenID 2.0 both as a Relying Party (RP) and as an OpenID Provider (OP).

During a recent POC we demonstrated OpenID configured as an RP with Google as the OpenID Provider. What follows is a bit of a cookbook on configuring OIF to work with Google as the IdP.

OIF is administered through Enterprise Manager. Log on to the OIF EM console (for example,

Step 1: Enable OpenID RP support

Navigate to OIF Administration -> Service Provider
  • Select the OpenID 2.0 tab
  • Select Map User via Federated Identity
  • Unselect Map user via attribute query
Expand Protocol Settings

  • Click Enable OpenID 2.0 support
  • Click APPLY to save your changes
NOTE: I found that you cannot unselect "Map User via Attribute Query". As long as you override this in the IdP-specific settings, this should not matter (i.e. I think this is the default if you don't set it in the IdP).

Step 2: Add Google as an IDP

In this step you will create a new federation with Google as the OP and OIF as the RP.

  • Navigate to Federations
  • Click + to add a provider
  • You will be asked to add a provider by importing meta data, or manually. Choose Add Provider Manually
  • Enter Provider Details:
  • Google, Description: Google, Protocol: OpenID 2.0, Role: IdP
  • Save the new provider.
  • Select the saved federation provider ("Google") and click "Edit"
  • Select Trusted Provider Settings tab
  • Enter for both the Endpoint URL and the Discovery URL
  • Select Oracle Identity Federation Settings tab
  • Assertion Settings: Check "Map User via Federated Identity" and "Error when user Mapping fails"
  • Protocol Settings: Check "Perform OpenID provider Discovery"
  • Save your changes

Step 3 (Optional) Add an AX attribute mapping

OIF supports the OpenID AX (Attribute Exchange) specification. In this step we will configure OIF to request certain attributes from Google during an SSO operation. Google will ask the user to consent to releasing these attributes to OIF.

Navigate to Federations -> Google -> OIF Settings
  • Click Attribute Mappings and Filters
  • Select Add Name Mappings
  • Enter User Attribute Name: email
  • Enter Assertion Attr Name: email
  • Enter Format or Namespace:
  • Save your changes

Step 4: Test it out

OIF ships with a sample page that can be used to initiate an SSO operation. The demo page is installed as part of OIF at /user/testspsso. For example:

  • On the demo page Select Google as the IDP
  • Under Requested Attributes (space delimited) enter email
  • Click Initiate SSO
  • You should be redirected to Google. Log on with your Google credentials, and consent to allowing OIF to see your email address.
  • You will be redirected back to OIF to see the results of the SSO operation. You should see the email attribute being passed back.
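To make the exchange behind Steps 2 to 4 concrete, here is an added Python model of what an OpenID 2.0 RP such as OIF sends to the OP (a checkid_setup request carrying an AX fetch_request for email, as mapped in Step 3) and what it must check on the positive assertion that comes back. This is example code written for this post, not OIF's or Google's implementation; the OP endpoint, return_to URL, association MAC key and response nonce are constructed, and an HMAC-SHA256 association is assumed.

```python
# Added example, not OIF or Google code: the OpenID 2.0 / AX exchange configured in
# Steps 2-4, with the RP-side checks made explicit. Endpoint URL, return_to, MAC key
# and nonce below are constructed values; an HMAC-SHA256 association is assumed.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Fields OpenID 2.0 requires to be listed in openid.signed on a positive assertion.
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")


def build_checkid_setup(op_endpoint, return_to, realm, assoc_handle, ax_attrs):
    """Redirect URL the RP sends the browser to: checkid_setup plus an AX fetch_request.
    ax_attrs maps alias -> type URI, e.g. {"email": AX_EMAIL} for the Step 3 mapping."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,  # let the OP choose the identity
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.required": ",".join(ax_attrs),
    }
    for alias, type_uri in ax_attrs.items():
        params[f"openid.ax.type.{alias}"] = type_uri
    return op_endpoint + "?" + urlencode(params)


def kv_signature(mac_key, params):
    """OpenID 2.0 signature: base64(HMAC(mac_key, key-value form of the signed fields)).
    The key-value form is "field:value\\n" per field, with the "openid." prefix removed."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def make_positive_assertion(mac_key, op_endpoint, return_to, assoc_handle, nonce, claimed_id, email):
    """What the OP returns (openid.mode=id_res) with an AX fetch_response carrying the email.
    Stands in for Google in this example; a real OP picks its own nonce and identifiers."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint, "openid.return_to": return_to,
        "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle,
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": AX_EMAIL, "openid.ax.value.email": email,
        "openid.signed": ",".join(MUST_SIGN) + ",ns.ax,ax.mode,ax.type.email,ax.value.email",
    }
    params["openid.sig"] = kv_signature(mac_key, params)
    return params


def verify_assertion(params, mac_key, expected_endpoint, expected_return_to, seen_nonces):
    """RP-side checks on a positive assertion. Returns (ok, reason, attributes)."""
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        return False, "not a positive OpenID 2.0 assertion", {}
    if params.get("openid.op_endpoint") != expected_endpoint:
        return False, "op_endpoint does not match the discovered endpoint", {}
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match the request", {}
    signed = set(params.get("openid.signed", "").split(","))
    if not set(MUST_SIGN) <= signed:
        return False, "a mandatory field is outside openid.signed", {}
    if any("openid." + f not in params for f in signed):
        return False, "signed field missing from message", {}
    # Every AX field must itself be under the signature; otherwise whoever controls the
    # redirect could add or alter attributes (such as email) without breaking the sig.
    ax_fields = [k[len("openid."):] for k in params if k.startswith("openid.ax.") or k == "openid.ns.ax"]
    if ax_fields and not set(ax_fields) <= signed:
        return False, "AX attributes present but not all signed", {}
    if not hmac.compare_digest(kv_signature(mac_key, params), params.get("openid.sig", "")):
        return False, "bad signature", {}
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed response_nonce", {}
    seen_nonces.add(nonce)
    attrs = {k.split(".")[-1]: v for k, v in params.items() if k.startswith("openid.ax.value.")}
    return True, "ok", {"claimed_id": params["openid.claimed_id"], **attrs}


def parse_return_url(url):
    """Turn the URL the browser was redirected back to into the OpenID parameter dict."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
```

The order of checks mirrors what the test page in Step 4 exercises end to end: the endpoint in the assertion must be the one found by discovery (Step 2's "Perform OpenID provider Discovery"), the AX email must be covered by openid.signed before it is trusted for user mapping, and a reused response_nonce is rejected so a captured redirect cannot be replayed.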