Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead
- Enter the WLST scripting environment for the OIF instance.
- Set the authncontext property to the root context of the post-processing plugin page:
setConfigProperty('serverconfig','authncontext','/bridge','string')
- Set the authnpath property to the relative path of the post-processing plugin page:
setConfigProperty('serverconfig','authnpath','/bridge.jsp','string')
- Exit the WLST scripting environment.
service provider to which the attribute is to be sent, and click “Edit”.
Note: This must be done for each service provider that needs to receive
the attribute.
2. Click the “Edit” button next to “Attribute Mappings and Filters”.
3. In the “Name Mappings” tab, click “Add”.
4. In the “Add Attribute Name Mapping” window, set the value of both
“User Attribute Name” and “Assertion Attribute Name” to “specVer”, and
check the “get Value from User Session” and “Send with SSO Assertion”
options. Click “OK”.
Note: The sample JSP sets the attribute name “specVer” in the user session.
OIF can be configured to map “specVer” to any attribute name in the
outgoing assertion.
5. In the “Attribute Mappings and Filters” page, click “OK”.
6. Check the “Enable Attributes in Single Sign-On (SSO)” option, and check the
NameID format for which you want to send assertion attributes.
7. Click “Apply” to save the changes.
8. You can use WLST commands to change the mapped assertion attribute name to
another desired value, for example:
addFederationMapEntryInMap('<spProviderID>','attributelist','specVer',
'assertion-attr','ca:gc:cyber-authentication:basic:specVer','string')
Note: Using the WLST commands is sometimes needed to work around a bug in
the 11gR1 EM console that does not correctly handle attribute names
containing certain characters, including the ‘:’ (colon) character.
file in the /bridge/web directory.
To change the application name and/or context, modify the application.xml and
the web.xml file in the /bridge/descriptors directory.
After modifying the application JSP or descriptor files, you must rebuild the
application by invoking the Ant build script from the /bridge directory:
ant build
The resulting bridge.ear file is written to the /bridge/build/ear directory.
<%@page buffer="5" autoFlush="true" session="false"%>
<%@page language="java" import="java.util.*"%>
<%
/////////////////////////////////////////////////////////////////////////
// This sample JSP sets an attribute in the OIF user session, by
// acting as a bridge in the OIF authentication engine flow.
//
// Copyright (C) 2010, Oracle and/or its affiliates. All rights reserved.
/////////////////////////////////////////////////////////////////////////

// Make sure the bridge page is never cached by the browser or a proxy.
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");

// This JSP page receives a request from an OIF authentication engine,
// adds an attribute to the map stored in the request object for the user session,
// and forwards the request back to OIF to resume the authentication flow.

// Retrieve any existing attribute map from the request.
Map attributes = (Map)request.getAttribute("oracle.security.fed.authn.attributes");

// Create the attribute map if none exists yet.
if (attributes == null)
    attributes = new HashMap();

// Add specVer={"1.0"} to the attribute map (each attribute name maps to a Set of values).
Set values = new HashSet();
values.add("1.0");
attributes.put("specVer", values);

// Set the attribute map in the request.
request.setAttribute("oracle.security.fed.authn.attributes", attributes);

// Forward the user request back to OIF.
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/user/loginsso").forward(request, response);
%>
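The same bridge written as a servlet, as an added example that is not Oracle's sample JSP or the code in bridge.ear. It keeps the contract above (the "oracle.security.fed.authn.attributes" request attribute and the forward to /fed/user/loginsso) but merges values instead of overwriting an existing Set, and fails closed when cross-context dispatch to /fed is not enabled; the class and method names are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical servlet form of the bridge page (example code, not Oracle's sample or
// the bridge.ear code). It keeps the JSP's contract: read the map OIF stores under the
// request attribute "oracle.security.fed.authn.attributes", add values, and forward
// to /fed/user/loginsso so OIF resumes the authentication flow.
public class BridgeServlet extends HttpServlet {
    static final String ATTR_KEY = "oracle.security.fed.authn.attributes";
    static final String OIF_CONTEXT = "/fed";
    static final String RESUME_PATH = "/user/loginsso";

    // Merge a value into the map; never clobber values an earlier bridge step set.
    static Map<String, Set<String>> addValue(Map<String, Set<String>> attrs,
                                             String name, String value) {
        if (attrs == null) {
            attrs = new HashMap<String, Set<String>>();
        }
        Set<String> values = attrs.get(name);
        if (values == null) {
            values = new HashSet<String>();
            attrs.put(name, values);
        }
        values.add(value);
        return attrs;
    }

    @Override
    @SuppressWarnings("unchecked")
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setHeader("Cache-Control", "no-cache"); // same cache hygiene as the JSP
        resp.setHeader("Pragma", "no-cache");
        Map<String, Set<String>> attrs =
            (Map<String, Set<String>>) req.getAttribute(ATTR_KEY);
        attrs = addValue(attrs, "specVer", "1.0"); // the attribute OIF maps into the assertion
        req.setAttribute(ATTR_KEY, attrs);
        // getContext() returns null when the container disallows cross-context dispatch;
        // fail closed instead of throwing a NullPointerException into the login flow.
        ServletContext fed = getServletContext().getContext(OIF_CONTEXT);
        if (fed == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                           "cross-context access to " + OIF_CONTEXT + " is not enabled");
            return;
        }
        fed.getRequestDispatcher(RESUME_PATH).forward(req, resp);
    }
}
```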
- http://download.oracle.com/docs/cd/E13222_01/wls/docs91/config_scripting/using_WLST.html
- Oracle Identity Federation 11g Administrator’s Guide (11.1.1.4 BETA Draft)
The framework used in that example is present in OIF 11gR1 PS1 (11.1.1.2.0) but isn’t documented until PS3 (11.1.1.4.0)
Hi Brad –
Will the same JSP and procedure work for the OpenID v2.0 protocol?
Let me know.
OpenID v2.0 allows transient federation.
Cheers
I have no idea … I have never tried it with OpenID.
So, what we are trying here is: we get all the assertions from the IdP to OIF, but these are not being passed to OAM. Can we pass them to OAM and to the user session?
The code samples link does not work. Can you give me another direct link, or can you email the code sample to bvinayakh@gmail.com?
Sree,
Thanks for pointing out that the code is not completely readable on the blog. I have posted the code on github and put a link to it, from my blog. I added a line of text under the code that will take you to my github account. In case you have any issues finding it I have also added it here:
git://github.com/bradtumy/oracle-custom-code.git
Thanks,
Brad