Friday, May 22, 2015

Recommendations while using custom federation

Suppose you are the Service Provider using COTS federation product and your partner is Identity Provider using custom federation solution. Here are some personal recommendations for achieving SAML Single Sign-On in a smooth manner.

  1. Identify the features you are implementing with your partner upfront such as HTTP Binding, Signing, encryption, logout, Query Attributes, Account Linking etc., 
  2. Discuss and agree the certificate, private key, encryption algorithms etc., 
  3. Setup local environment to do proof of concept with COTS products and make sure you implement all the agreed features.
  4. Make sure your partner having custom federation solution has done POC so that you are sure that they are adhering to SAML standards. 
  5. If your partner has not done any POC in their local environment then you will need to validate the metadata manually before importing it to Service Provider.
  6. When partner metadata is validated and make sure it is imported in your Service Provider properly. Be heedful of syntactical errors. 
  7. If your partner has SAML response tested by dummy client, then ask for SAML response. If the response is encoded, use a SAML decoder and verify if all the elements are present. This is where we ended up wasting lot of time while running the test and identifying each and every element missing in SAML response. 
  8. It is always suggested to test the basic federation without Signing/Encryption/Attribute Query etc.,
  9. Once basic federation is tested, signing is next step.
  10. Then test the encryption. failed to connect in SSL

We have enabled SSL for WebLogic Admin Server and disabled the non-SSL port. We wanted to run some WLST commands and ran from
While trying to connect to with SSL port to admin server, the connection failed. I've tried various combinations of hosts with/without domain name and localhost too. See the below screenshot.

The actual fix is to add parameter in script. This parameter will essentially disable the hostname verification and required for stand alone clients connecting to weblogic server.

Restarted the WebLogic servers after making the script changes and connection worked with SSL.

Thursday, May 21, 2015

Upgrading OAM from 11gR2 PS2 to 11gR2 PS3

In my previous posts, I have shared information about documentation and binaries of PS3 release. In this post I would like to briefly share my experiences of upgrading OAM from PS2 to PS3.

I have WebLogic 10.3.6 and JRockit 6 before upgrade and there is no change in those components even after upgrade.

Here are the pre-requisites required before upgrade:

  1. Backup Middleware home and Policy database/schemas.
  2. Stop all weblogic servers.

Here are the high level steps upgrading OAM to PS3 in a pure OAM 11g environment (without involving OAAM/OES etc.,).

  1. Upgrade OAM binaries to PS3 : This step is a typical OAM installation process and it installs all binaries that are part of IAM package. Ensure that below screen appears that implies binaries are upgraded successfully.
  2. Upgrade OAM, IAU and OPSS schemas : This step upgrades OPSS, IAU and OAM schemas to latest version to be compatible with OAM PS3 binaries. Verify the schema versions post upgrade, find the below screenshot.
  3. Upgrade OPSS : This step upgrades the OPSS with configuration and policy stores to PS3. It upgrades jps-config.xml and policy stores. Note that it does not upgrade the OPSS schema which was upgraded in previous step already.
  4. Undeploying Coherence : This step un-deploys Coherence module from OAM deployment. 
  5. Upgrading System Configuration : This step is required to enable the PS3 features in OAM deployment. Ensure that message "System Configurations have been successfully upgraded to version:" in the end of script output.
If you intend to use Federation in Oracle Access Management then follow the below steps to enable it.
  1. Goto <>/common/bin
  2. Run the command
  3. Connect to admin server.
  4. Connect to domainRuntime()
  5. Run the command upgradeFedSTS111230(). Ensure that message "command was successful" was displayed as shown in below screenshot.

Post Authentication rules are disabled by default. If you intend to use it, enable them by following below steps:
  1. Login to OAM Admin Console.
  2. Select Configuration
  3. Select Available Services.
  4. Enable Adaptive Authentication Service as shown below.

Login to OAM Admin Console to see the new look and feel :)

I will talk about my experiences with PS3 and its features in the future posts. 

Monday, May 18, 2015

OAM 11gR2 PS3 has been released

Oracle has released the Oracle Identity Management 11gR2 PS3 and here it is

I would say they did well for PS3 documentation by branching different features into different sections such as Single Sign-On, policy model, Multi Data centers and installation steps and this looks clean.