#Oracle #OIF controlling the authentication method #SAML #IDM

I am thinking, I am thinking .... I am working with a client today who has Oracle Identity Federation (OIF) 11g configured with Oracle Access Manager (OAM) 10g as the default Authentication Engine. With this configuration the authentication module is dictated by the OAM policy configuration. If you set the OAM policy (the policy that protects the /fed/user/authnoam resource) to IWA, then all federated SSO attempts will be routed to the IWA authn engine, and if this policy is configured for a custom login form, then all SSO attempts will be routed to the custom login form … I think you get the point.

So, what happens when some resources (SaaS apps configured as SP/RPs in OIF) require different levels of assurance (LOAs)? I thought maybe I could use the SAML default authentication method configured in the SP/RP metadata in the circle of trust (COT), but that does not get passed on to OAM. My second thought was to create a different policy for the URL that was being protected … but OIF uses a pretty standard URL (/fed/user/authnoam?refid=id-blahblahblah), so OAM wouldn't be able to figure out which policy to use.

So, has anyone else found a solution to this problem? I would appreciate any discussion or feedback.

7 thoughts on “#Oracle #OIF controlling the authentication method #SAML #IDM”

    1. OIF provides a mechanism to allow you to redirect to a different IDP based on the authentication-mechanism value in the SAML request. IMHO it's a bit of a wonky solution because it forces you to have multiple IDPs stood up (one for each type of authentication that you want to support). I haven't had a chance to try it out yet because this was overtaken by other events. If I remember correctly you want to look at OIF's IDP Proxy capability … they have a section in the documentation on this, but I can't remember the link off the top of my head.

    2. I ended up writing a custom authentication engine that uses the authentication mechanism from the Relying Party (RP), or Service Provider (SP), to dynamically construct a URL that is protected by OAM. There are separate OAM policies for each potential authentication option. I can send you more information if you are interested.

      1. The code that I wrote performs the same functionality as the SSO Proxy. So, you are probably better off using that.

         Additionally, when OIF is integrated with OAM as an SP integration module it automatically maps the OAM authentication schemes to OIF's authentication mechanisms. You can then configure OIF to use a specific authentication mechanism for each service provider that you have integrated. I don't have this documented very well yet but will try to add some more details to the post in the near future.
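The routing problem the post raises (one OAM policy on /fed/user/authnoam, so one authentication scheme for every SP) and the approach the second commenter describes (pick a separate OAM-protected URL per authentication mechanism) boil down to a small piece of decision logic: read the SP's RequestedAuthnContext from the SAML 2.0 AuthnRequest, pick a mechanism the IdP can honour, and redirect to the URL whose OAM policy enforces it. The script below is an added example written for this page; it is not OIF's SSO Proxy, OIF's custom authentication engine API, or any OAM code. The /fed/user/authn/... paths, the class-ref-to-URL table, the LOA ranks and the sample AuthnRequest are all constructed assumptions for illustration. It does implement the four SAML 2.0 Comparison values (exact, minimum, maximum, better) as the spec defines them, so it is slightly more general than the thread's IWA-versus-form case.

```python
"""Map a SAML 2.0 RequestedAuthnContext to a per-mechanism OAM-protected URL.

Added example for this page. The paths, the mechanism table and the ranks are
assumptions; a real OIF authentication engine would take the parsed, signature-
verified request from OIF rather than raw XML.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical table: one OAM-protected path per supported mechanism (each path
# sits behind its own OAM policy/authentication scheme) and a rank used to
# order mechanisms by assurance level.  Higher rank = stronger.
MECHANISMS = {
    AC + "PasswordProtectedTransport": ("/fed/user/authn/form", 1),
    AC + "Kerberos":                   ("/fed/user/authn/iwa", 2),
    AC + "X509":                       ("/fed/user/authn/cert", 3),
}
DEFAULT_CLASS = AC + "PasswordProtectedTransport"  # assumed IdP default


def parse_requested_context(authn_request_xml):
    """Return (comparison, [class refs]) from <samlp:RequestedAuthnContext>."""
    root = ET.fromstring(authn_request_xml)  # use defusedxml in production
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find(f"{{{SAMLP_NS}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML_NS}}}AuthnContextClassRef")
            if e.text and e.text.strip()]
    return rac.get("Comparison", "exact"), refs  # spec default is "exact"


def choose_mechanism(comparison, refs):
    """Pick the AuthnContext class the IdP will actually enforce.

    Unknown class refs are never silently downgraded to the default: if the SP
    asked for something and none of it is supported, refuse.
    """
    if not refs:
        return DEFAULT_CLASS
    supported = [r for r in refs if r in MECHANISMS]
    if not supported:
        raise LookupError("no requested AuthnContextClassRef is supported")
    by_rank = sorted(MECHANISMS.items(), key=lambda kv: kv[1][1])
    ranks = sorted(MECHANISMS[r][1] for r in supported)
    if comparison == "exact":      # SP lists refs in order of preference
        return supported[0]
    if comparison == "minimum":    # at least as strong as one requested: cheapest that qualifies
        return next(c for c, (_, r) in by_rank if r >= ranks[0])
    if comparison == "maximum":    # as strong as possible without exceeding a requested one
        return next(c for c, (_, r) in reversed(by_rank) if r <= ranks[-1])
    if comparison == "better":     # strictly stronger than everything requested
        for c, (_, r) in by_rank:
            if r > ranks[-1]:
                return c
        raise LookupError("no supported mechanism is stronger than the request")
    raise ValueError(f"unsupported Comparison value: {comparison!r}")


def authn_redirect(authn_request_xml, refid):
    """Return (chosen class ref, OAM-protected URL) for this federated login."""
    comparison, refs = parse_requested_context(authn_request_xml)
    chosen = choose_mechanism(comparison, refs)
    path, _ = MECHANISMS[chosen]
    # refid is the correlation id OIF appends (per the post); it is echoed so the
    # engine can resume the right federation session after OAM authenticates.
    return chosen, path + "?" + urlencode({"refid": refid})


# Constructed sample request: an SP asking for at least Kerberos-level assurance.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0"
    IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


if __name__ == "__main__":
    print(authn_redirect(SAMPLE_REQUEST, "id-blahblahblah"))
```

Two points matter more than the table itself. The class ref the engine chooses must be the one written back into the assertion's AuthnContext, so the SP can verify it actually got the assurance level it asked for; and a request whose refs are all unknown is refused rather than quietly sent to the weakest scheme, since a silent downgrade is exactly the failure mode an LOA-aware SP is trying to rule out.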
