Thursday, August 16, 2018

OAM 11g IDP SAML Federation authorization policies


This post is on how to enable and configure authorization policies for federated applications with OAM 11g as Identity Provider.

Note: Tested with an application integrated with OAM 11g R2 PS2 as IDP, and I think this article still applies to later versions also.

By default, Federation Authorization is disabled. Execute the steps below to enable federation authorization using WLST commands.


  • Enter the WLST environment by executing
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server
    connect()
  • Navigate to the Domain Runtime
    domainRuntime()
  • Execute the configureFedSSOAuthz() command
    • To enable authorization:
      configureFedSSOAuthz("true")
    • To disable authorization:
      configureFedSSOAuthz("false")
  • Exit the WLST environment:
    exit()

Authorization policies can be configured to allow or deny access for individual accounts, for groups, or for a combination of both, taken from the OAM 11g backend LDAP server.

Steps to configure Token Issuance policy


  • Go to the OAM Administration Console: https://oam-admin-host:port/oamconsole
  • Navigate to Access Manager -> Application Domains
  • Click Search
  • Click on IAM Suite in the list of results
  • Click on the Token Issuance Policies tab
  • Click “Create Token Issuance Policy”
  • Enter a name (Example: AdministratorsOnlyPolicy)
  • Click on Conditions tab
  • Click Add to add a constraint for the AdministratorsOnly group
  • Enter the details of the constraints:
    • Name: AdministratorsGroup (example)
    • Type: Token Requestor Identity
Note: To allow every user with valid credentials to log in to the application instead, select "True" in the Condition Type drop-down and click the "Add Selected" button.
  • Click Add Selected
  • Select the newly created constraint to configure it
    • In the conditions details, click Add and select Add Identities
    • Select the Identity Store and enter the Administrators group name
    • Click Search
    • Select the AdministratorsOnly Group
  • Click Add Selected
  • Click on the Rules tab
  • In the Allow Rule section, select the AdministratorsGroup condition and add it to the Selected Conditions, since we want to allow users belonging to the Administrators group to do Federation SSO with the partners listed in this policy
  • Click Apply
Execute the following steps to create a new resource and add it to the AdministratorsOnlyPolicy Token Issuance Policy:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:port/oamconsole
  • Navigate to Access Manager -> Application Domains
  • Click Search
  • Click on IAM Suite in the list of results
  • Click on the Resources tab
  • Click on New Resource and create a new resource for the Token Issuance Policy:
    • Type: TokenServiceRP
    • Resource URL: the name of the SP Partner as it was created in the Federation Admin section (example: XYZAppAdmin)
    • Operations: all
    • Token Issuance Policy: AdministratorsOnlyPolicy
    • Click Apply

If any user outside the Admin group tries to log in, expect the SAML status message "User is not authorized to perform Federation SSO" in the IDP SAML response.
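A check for that expected outcome, as an added example that is not part of the original post: the Python below decodes a base64 SAMLResponse as the SP would receive it (HTTP-POST binding) and reports whether the IDP refused the SSO with that status message. The sample responses are constructed, and the Responder/RequestDenied status codes in the denied sample are an assumption; only the StatusMessage text comes from the post.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Status message the post says OAM returns when the Token Issuance Policy denies a user.
DENIED_MSG = "User is not authorized to perform Federation SSO"

# Constructed sample responses (not captured from OAM). The Responder/RequestDenied
# status codes in the denied sample are an assumption; only the StatusMessage text
# is taken from the post.
_DENIED_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2018-08-16T10:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User is not authorized to perform Federation SSO</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
_OK_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp2" Version="2.0" IssueInstant="2018-08-16T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""
DENIED_RESPONSE_B64 = base64.b64encode(_DENIED_XML).decode()
OK_RESPONSE_B64 = base64.b64encode(_OK_XML).decode()

def parse_saml_status(saml_response_b64):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and return its Status."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("response has no samlp:Status element")
    # Walk the (possibly nested) StatusCode chain, top-level code first.
    codes, node = [], status.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    msg = status.findtext(f"{{{SAMLP}}}StatusMessage", default="").strip()
    return {"success": bool(codes) and codes[0] == SUCCESS, "codes": codes, "message": msg}

def denied_by_token_issuance_policy(saml_response_b64):
    """True when the IDP refused the SSO with the policy-denial message from the post."""
    st = parse_saml_status(saml_response_b64)
    return not st["success"] and DENIED_MSG in st["message"]

if __name__ == "__main__":
    print(parse_saml_status(DENIED_RESPONSE_B64))
    print("denied:", denied_by_token_issuance_policy(DENIED_RESPONSE_B64))
```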

Happy SSO'ing

Thanks
Siva Pokuri


1 comment:

  1. Hi,

    You mentioned "Tested with an application integrated with OAM 11g R2 PS2 as IDP". Can you provide more information about that application, and also how the application tests this functionality? What exactly did that application do?

    Thanks,
    Jim
