
Sunday, February 24, 2019

difference between 10g and 11g OAM

Here are the 11g features:
  • Oracle Universal Installer, generic for all platforms
  • Host-based cookie
  • An individual OAMAuthnCookie_ per WebGate, making it more secure
  • A per-agent key and a server key are used. The agent key is stored in the wallet file and the server key is stored in the credential store
  • One per-agent secret key shared between the 11g WebGate and the OAM Server; one OAM Server key
  • OAM 11g supports cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Identity Federation for this situation.
  • Capability to act as a detached credential collector
  • WebGate authorization caching
  • Diagnostic page to tune parameters
  • Has separate install and configuration options; hence a single install with multiple instance configurations is supported.
And the 10g features:
  • InstallShield, with one installer per platform
  • Domain-based cookie
  • ObSSOCookie (one for all 10g WebGates)
  • Global shared secret stored in the directory server only (not accessible to the WebGate)
  • There is just one global shared secret key per OAM deployment, which is used by all the WebGates
  • OAM 10g provides a proprietary multiple-network-domain SSO capability that predates Oracle Identity Federation. Complex configuration is required.
  • One web server configuration supported per WebGate. You need multiple WebGates for multiple instances.

SailPoint ITRole sample xml code



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Bundle PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Bundle displayName="Reviewer IT Role" name="Reviewer IT Role" type="it">
  <Attributes>
    <Map>
      <entry key="accountSelectorRules"/>
      <entry key="allowDuplicateAccounts" value="false"/>
      <entry key="allowMultipleAssignments" value="false"/>
      <entry key="mergeTemplates" value="false"/>
      <entry key="requestable">
        <value>
          <Boolean/>
        </value>
      </entry>
      <entry key="sysDescriptions">
        <value>
          <Map>
            <entry key="en_US"/>
          </Map>
        </value>
      </entry>
    </Map>
  </Attributes>
  <Inheritance>
    <Reference class="sailpoint.object.Bundle" name="IT-Roles"/>
  </Inheritance>
  <Owner>
    <Reference class="sailpoint.object.Identity" name="IAM_WorkGroup"/>
  </Owner>
  <Profiles>
    <Profile>
      <ApplicationRef>
        <Reference class="sailpoint.object.Application" name="OpenDJ Internal"/>
      </ApplicationRef>
      <Constraints>
        <Filter operation="CONTAINS_ALL" property="groups">
          <Value>
            <List>
              <String>cn=Reviewer,ou=orasystems,dc=com</String>
            </List>
          </Value>
        </Filter>
      </Constraints>
    </Profile>
  </Profiles>
</Bundle>

OpenDJ OpenAM SailPoint application integration steps

1. Create the internal OpenDJ LDAP groups.

Create an LDIF file:

dn: cn=Worker,ou=orasystemsusa,ou=com
changetype: add
objectClass: top
objectClass: groupOfNames
cn: Worker

dn: cn=Reviewer,ou=orasystemsusa,ou=com
changetype: add
objectClass: top
objectClass: groupOfNames
cn: Reviewer

Import the LDIF into the internal OpenDJ with the command below:

 ./ldapmodify \
   --port 389 \
   --bindDN "cn=Directory Manager" \
   --bindPassword ********* \
   --filename /opt/tmpfiles/newgroup.ldif

2. Log in to the SailPoint console. Run the task “OpenDJ Internal Group Aggregation Task” to refresh the groups.

3. Go to Applications -> Entitlement Catalog, open both groups, remove the requestable flag and save.

4. Import the XML files below, in this order:

   Bundle-ItRole.xml
   Bundle-reviewer.xml
   Bundle-worker.xml

5. Log in to the ForgeRock internal OpenAM admin console.

Navigate to Internal -> Authorization -> Policy Sets -> Allow_workerportal_access and add the two new groups to the subjects. Save.

Navigate to Internal -> Authorization -> Policy Sets -> Allow_contentmanager_access and add the two new groups to the subjects. Save.

6. Restart the OpenAM Tomcat.
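As an added example (not code from the post), the Go program below generates the groupOfNames LDIF of step 1 from a list of group names and parses it back, checking each record before it is handed to ldapmodify. The parent DN and the Worker/Reviewer names are the ones from the post; "Ops, East" in the test is a constructed name that shows why RDN values have to be escaped.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// escapeRDNValue escapes what RFC 4514 reserves inside an RDN value: the
// characters , + " \ < > ; = anywhere, '#' at the start, and a leading or
// trailing space. A group named "Ops, East" therefore still yields a valid DN.
func escapeRDNValue(v string) string {
	var b strings.Builder
	for i, r := range v {
		if strings.ContainsRune(`,+"\<>;=`, r) || (r == '#' && i == 0) ||
			(r == ' ' && (i == 0 || i == len(v)-1)) {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// GroupLDIF renders one "changetype: add" record per group name as a
// groupOfNames under parent, with the blank line LDIF requires between records.
func GroupLDIF(parent string, names []string) string {
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "dn: cn=%s,%s\n", escapeRDNValue(n), parent)
		fmt.Fprintf(&b, "changetype: add\nobjectClass: top\nobjectClass: groupOfNames\ncn: %s\n\n", n)
	}
	return b.String()
}

// Entry is one parsed LDIF record: attribute name -> values, "dn" included.
type Entry map[string][]string

// ParseLDIF splits text into records and validates each with checkGroup, so a
// hand-edited file is rejected before ldapmodify ever sees it.
func ParseLDIF(text string) ([]Entry, error) {
	var entries []Entry
	var cur Entry
	flush := func() error {
		if cur == nil {
			return nil
		}
		if err := checkGroup(cur); err != nil {
			return err
		}
		entries, cur = append(entries, cur), nil
		return nil
	}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if line == "" { // a blank line ends the current record
			if err := flush(); err != nil {
				return nil, err
			}
			continue
		}
		kv := strings.SplitN(line, ": ", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		if kv[0] == "dn" { // a dn line starts a new record
			if err := flush(); err != nil {
				return nil, err
			}
			cur = Entry{}
		}
		if cur == nil {
			return nil, fmt.Errorf("attribute %q before any dn", kv[0])
		}
		cur[kv[0]] = append(cur[kv[0]], kv[1])
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return entries, nil
}

// checkGroup enforces what the group import needs: a changetype: add record
// whose single cn attribute matches the RDN in its dn (escaping included).
func checkGroup(e Entry) error {
	dn := e["dn"][0]
	if ct := e["changetype"]; len(ct) != 1 || ct[0] != "add" {
		return fmt.Errorf("%s: expected changetype: add", dn)
	}
	if cn := e["cn"]; len(cn) != 1 || !strings.HasPrefix(dn, "cn="+escapeRDNValue(cn[0])+",") {
		return fmt.Errorf("%s: cn attribute does not match the RDN", dn)
	}
	return nil
}

func main() {
	ldif := GroupLDIF("ou=orasystemsusa,ou=com", []string{"Worker", "Reviewer"})
	_, err := ParseLDIF(ldif)
	fmt.Print(ldif, err) // the text is what ldapmodify --filename consumes; err is nil
}
```

Write the output of GroupLDIF to the file named in the ldapmodify command. OpenDJ's ldapmodify also accepts the bind password from a file (`--bindPasswordFile`), which keeps the Directory Manager password out of the shell history and process list that `--bindPassword` exposes it to.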



Can OpenAM support encrypted SAML responses?


OpenAM does support encrypted responses. The SP has to send metadata with wantAssertionEncrypted=true, and OpenAM will then send an encrypted response.

Thursday, September 13, 2018

OpenAM SAML configuration error "Missing signature algorithm"


ERROR: QuerySignatureUtil.verify: Null SigAlg query parameter.
libSAML2:07/05/2018 06:38:12:713 PM EDT: Thread[http-bio-127.0.0.1-8443-exec-3,5,main]: TransactionId[c6d8f6a3-a9e1-4820-a30b-38350fc47d11-51806]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: Missing signature algorithm.

When coding, make sure of the following.

Create your AuthN request so that, when you create the signature, you combine all three parameter elements (SAMLRequest, RelayState and SigAlg) into one string and then sign that string:


import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;

// Build the signed HTTP-Redirect URL. All three parameters are part of the signed
// string, in this order, so the IdP can rebuild it from the query and verify it.
// encodedRequestMessage is the deflated, base64 and URL-encoded AuthnRequest;
// sigAlg is the algorithm URI that matches the JCA algorithm used below.
String buildSignedRedirectUrl(String idpUrlREDIRECT, String encodedRequestMessage,
        String relayURL, String sigAlg, PrivateKey privateKey) throws Exception {
    String authnrequest = "SAMLRequest=" + encodedRequestMessage
            + "&RelayState=" + URLEncoder.encode(relayURL, "UTF-8")
            + "&SigAlg=" + URLEncoder.encode(sigAlg, "UTF-8");
    Signature signature = Signature.getInstance("SHA1withRSA"); // as in the original; SHA256withRSA is preferred today
    signature.initSign(privateKey);
    signature.update(authnrequest.getBytes(StandardCharsets.UTF_8));
    byte[] signatureByteArray = signature.sign();

    // java.util.Base64 never inserts line breaks (same effect as DONT_BREAK_LINES)
    String signatureBase64encodedString = Base64.getEncoder().encodeToString(signatureByteArray);
    return idpUrlREDIRECT + "?"
            + authnrequest
            + "&Signature="
            + URLEncoder.encode(signatureBase64encodedString, "UTF-8");
}




The resulting AuthN request should look something like the following:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                   AssertionConsumerServiceURL="http://localhost:8084/DBAuthentication/samllogin"
                   Destination="https://ssoidp.lb.com:443/openam/SSORedirect/metaAlias/idp"
                   ID="ckimokpjjjongadnnkfbophokmmhdfhilckkknac"
                   IssueInstant="2018-09-05T15:15:48.936Z"
                   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                   ProviderName="http://localhost:8084/DBAuth/sp"
                   Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8084/DBAuth/sp</saml:Issuer>
 <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
 <samlp:RequestedAuthnContext Comparison="exact">
   <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
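As an added example (not code from the post), here is both ends of the exchange in Go: BuildRedirectURL does what the Java snippet above does (deflate and base64 the AuthnRequest, sign SAMLRequest, RelayState and SigAlg as one string, append Signature), and VerifyRedirectURL does what OpenAM's QuerySignatureUtil does on receipt, rebuilding the signed string from the raw query and rejecting a request with no SigAlg, which is the condition behind the "Missing signature algorithm" error. Assumptions: RSA-SHA256 as the SigAlg (the post does not show its sigAlg value and its Java code uses SHA1withRSA), example.test host names, and a throwaway generated key in place of the SP's real signing key.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SigAlgRSASHA256 is the SigAlg URI this example signs with. The post does not
// show its sigAlg value; RSA-SHA256 is assumed here instead of SHA1withRSA.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// NewSPKey generates a throwaway RSA key standing in for the SP signing key.
func NewSPKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// deflateBase64 applies the HTTP-Redirect binding encoding to the AuthnRequest
// XML: raw DEFLATE, then base64. URL-encoding is the caller's job.
func deflateBase64(xml string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only errors on a bad level
	w.Write([]byte(xml))                                     // bytes.Buffer writes cannot fail
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// signedString joins already URL-encoded parameters in the fixed order the
// binding signs them: SAMLRequest, RelayState (only if present), SigAlg.
func signedString(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + samlRequest
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return s + "&SigAlg=" + sigAlg
}

// BuildRedirectURL is the SP side: sign all three parameters together and
// append the base64 signature as the final Signature parameter.
func BuildRedirectURL(idpURL, authnXML, relayState string, key *rsa.PrivateKey) (string, error) {
	enc, err := deflateBase64(authnXML)
	if err != nil {
		return "", err
	}
	data := signedString(url.QueryEscape(enc), url.QueryEscape(relayState), url.QueryEscape(SigAlgRSASHA256))
	digest := sha256.Sum256([]byte(data))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return idpURL + "?" + data + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectURL is the IdP side: rebuild the signed string from the raw query
// bytes as sent (re-encoding could alter them) and refuse a request with no SigAlg.
func VerifyRedirectURL(rawURL string, pub *rsa.PublicKey) error {
	raw := map[string]string{}
	for _, kv := range strings.Split(rawURL[strings.IndexByte(rawURL, '?')+1:], "&") {
		if i := strings.IndexByte(kv, '='); i > 0 {
			raw[kv[:i]] = kv[i+1:] // keep the sender's encoding untouched
		}
	}
	if raw["SAMLRequest"] == "" || raw["Signature"] == "" {
		return errors.New("missing SAMLRequest or Signature")
	}
	if raw["SigAlg"] == "" {
		return errors.New("missing signature algorithm")
	}
	if alg, err := url.QueryUnescape(raw["SigAlg"]); err != nil || alg != SigAlgRSASHA256 {
		return fmt.Errorf("unsupported SigAlg %q", raw["SigAlg"])
	}
	sigB64, err := url.QueryUnescape(raw["Signature"])
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	data := signedString(raw["SAMLRequest"], raw["RelayState"], raw["SigAlg"])
	digest := sha256.Sum256([]byte(data))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, _ := NewSPKey(2048)
	u, err := BuildRedirectURL("https://idp.example.test/openam/SSORedirect/metaAlias/idp",
		`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0"/>`,
		"https://sp.example.test/app", key)
	fmt.Println(err, VerifyRedirectURL(u, &key.PublicKey)) // <nil> <nil> on success
}
```

Two points carry over to any implementation: the receiver must sign and verify the raw query bytes, never decoded-and-re-encoded values, because an encoder that emits `+` where another emits `%20` changes the signed bytes; and the SigAlg the receiver accepts should be pinned to the algorithms it expects rather than taken from the request alone.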






Wednesday, September 5, 2018

OpenAM ERROR: IDPSSOFederate.doSSOFederate: Unable to get AuthnRequest from cache, sending error response ---



The cache is cleared every 10 minutes by default, but you may want to consider increasing this interval if you keep seeing the error above in the Federation debug log.

In the AM / OpenAM 13.x console, navigate to Configure > Global Services > SAMLv2 Service Configuration > Cache cleanup interval and enter the number of seconds that you want the AuthnRequest to remain in the cache. Once this time elapses, the cache is cleared. The same setting can be made with ssoadm:



./ssoadm set-attr-defs -s sunFAMSAML2Configuration -t global -u [adminID] -f [passwordfile] -a CacheCleanupInterval=[seconds]

OpenAM mod_auth_mellon multi-domain, multi-server Apache setup


The Apache server documentation could be updated to clarify a few things with regard to load-balanced web sites and multiple web virtual hosts.

For load-balanced sites that use host-specific key/certificate pairs, there needs to be a metadata file for each web server with a unique EntityID, because of the different certificates.

For web servers providing multiple web vhosts, a global mellon.conf doesn't work for all of the sites. Each vhost that needs to use SAML auth will need its own mellon.conf that specifies the site-specific MellonSPMetadataFile and endpoint URL.

My setup:
Load Balanced Web Servers
web1-co-dmz
web2-co-dmz

Web Virtual Hosts, configured on each web server
vhost1.com
vhost2.com

Multi-Domain Certificate that includes both names. Each server has its own private key certificate pair.
For the EntityIDs I used the following:
entityID="https://vhost1.com_web1"
entityID="https://vhost1.com_web2"
entityID="https://vhost2.com_web1"
entityID="https://vhost2.com_web2"

I wound up creating two mellon.conf files in /etc/httpd/conf/saml2 on each web server.
web1-co-dmz:/etc/httpd/saml2/https_vhost2.com_web1.xml
web1-co-dmz:/etc/httpd/saml2/https_vhost1.com_web1.xml
web2-co-dmz:/etc/httpd/saml2/https_vhost2.com_web2.xml
web2-co-dmz:/etc/httpd/saml2/https_vhost1.com_web2.xml

I then added an Include to each web vhost configuration, example:
vhost1.v-vhost.conf: Include saml2/www_mellon.conf
vhost2.com-vhost.conf: Include saml2/data_mellon.conf

I hope that helps.