Abstract
Through its support for the WS-Federation and Security Assertion Markup Language (SAML) 2.0 protocols, Microsoft Active Directory Federation Services 2.0 (AD FS 2.0) provides claims-based, cross-domain, Web single sign-on (SSO) interoperability with non-Microsoft federation solutions. Oracle Identity Federation, through its support for SAML 2.0, enables cross-domain federated SSO between environments that are running Microsoft and Oracle federation infrastructures. Building on existing documentation from both companies, this step-by-step guide walks you through the setup of a basic lab deployment of AD FS 2.0 and Oracle Identity Federation that performs cross-product, browser-based identity federation. Both products perform both identity federation roles: claims provider/identity provider and relying party/service provider. This document is intended for developers and system architects who are interested in understanding the basic modes of interoperability between AD FS 2.0 and Oracle Identity Federation.
This document is provided as-is. Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Internet Explorer, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
AD FS 2.0 Step-by-Step Guide: Federation with Oracle Identity Federation ... 5
  About This Guide ... 5
    Terminology Used in This Guide ... 5
    About the Author ... 5
  Prerequisites and Requirements ... 6
    AD FS 2.0 ... 6
    Oracle Identity Federation ... 6
      Windows ... 6
      OIF ... 7
Step 1: Preconfiguration Tasks ... 8
  Ensure IP Connectivity ... 8
  Configure Name Resolution ... 8
  Verify Clock Synchronization ... 8
  Enable SSL Server Authentication ... 9
    Create a New Self-signed SSL Certificate for Oracle HTTP Server ... 9
    Apply New SSL Certificate in Oracle HTTP Server ... 9
    Install OHS SSL Certificate on AD FS 2.0 Computer ... 9
    Install IIS SSL Certificate on OIF Computer ... 10
    Change Federation URLs in OIF Metadata to Use SSL ... 11
  Create Sample Users ... 11
Step 2: Configure AD FS 2.0 as the Identity Provider and OIF as the Relying Party ... 12
  Configure OIF ... 13
    Create New Trusted Provider Using Metadata ... 13
  Configure AD FS 2.0 ... 14
    Add a Relying Party Using Metadata ... 14
    Edit Claim Rules for Relying Party Trust ... 15
    Disable AD FS 2.0 Encryption ... 16
    Change AD FS 2.0 Signature Algorithm ... 17
  Create Links for Initiating Federated Access ... 17
Step 3: Test AD FS 2.0 as the Identity Provider and OIF as the Relying Party ... 18
Step 4: Configure OIF as the Identity Provider and AD FS 2.0 as the Relying Party ... 19
  Configure OIF ... 19
    Add Attribute to OIF-generated Assertion ... 19
  Configure AD FS 2.0 ... 20
    Add a Claims Provider Using Metadata ... 20
    Edit Claim Rules for Claims Provider Trust ... 21
    Edit Claim Rules for the WIF Sample Application ... 22
    Change AD FS 2.0 Signature Algorithm ... 23
  Create Link for Initiating Federated Access (optional) ... 23
Step 5: Test OIF as the Identity Provider and AD FS 2.0 as the Relying Party ... 24
Appendix ... 25
  WS-Federation Support ... 25
  Certification Authority-issued Token Signing Certificates ... 25
  Federated Logout ... 26
  SAML 2.0 Artifact Profile ... 26
  Alternative Authentication Methods (OIF as IDP) ... 26
  Persistent and Transient Name IDs ... 26
  URLs for Initiating SSO ... 27
Terminology Used in This Guide
AD FS 2.0 term | OIF term | Description
Security token | Assertion | XML document sent from the federation party that is managing users to the federation party that is managing an application during an access request, describing a user
Claims provider | Identity provider | Partner in a federation that creates security tokens for users
Relying party | Service provider | Partner in a federation that consumes security tokens for providing access to applications
Claims | Assertion attributes | Data about users that is sent inside security tokens
In this deployment, each product performs both the claims provider/identity provider role and the relying party/service provider role.
AD FS 2.0
The test deployment created in the AD FS 2.0 Federation with a WIF Application Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=193997) is used as the starting point for this lab. That lab uses a single Windows Server 2008 R2 instance (fsweb.contoso.com) to host both the AD FS 2.0 federation server and a Windows Identity Foundation (WIF) sample application. It presumes the availability of a Contoso.com domain in which fsweb.contoso.com is a member server. The same computer can act as the domain controller and federation server in test deployments.
Windows
Host operating system: Windows Server 2008 R2
Active Directory Domain Services server role installed to provide the OIF user identity and federation data repositories:
  Domain name: woodgrovebank.com
  Host name: orafed.woodgrovebank.com
  Note
  A domain controller is an optional component for this lab. Oracle Internet Directory or another Lightweight Directory Access Protocol (LDAP) directory can be used in this lab without impacting the results.
Web server role (Internet Information Services (IIS)) installed to host the preformatted hyperlinks that initiate federated access:
  Static content role service installed
  Default website ports: HTTP (80) and HTTPS (443)
Windows Firewall with Advanced Security turned off, to easily allow for HTTPS communications on nonstandard ports (see below).
OIF
Product version: Oracle Identity Federation 11.1.1.2, as delivered in Oracle Identity Management 11.1.1.3.
Note
Oracle Identity Management 11.1.1.3, the most recent OIM release, is the first certified for use on Windows Server 2008 R2. However, after the 11.1.1.3 patch update is installed, the OIF component remains at 11.1.1.2.
Other Oracle Identity Management components installed or configured simultaneously with OIF:
  Oracle HTTP Server, to act as a proxy for the OIF server, using its default HTTP (7777) and HTTPS (4443) ports
Note
Oracle Access Manager is a web access management product shipped with OIM that provides policy-based web access control. While often used in conjunction with OIF, it is omitted from the configuration here because its use has no impact on how federation with AD FS 2.0 is configured.
OIF configuration:
  Configuration type: Advanced
  Automatic port assignment
  LDAP (Microsoft Active Directory) as the User Data Store, LDAP Authentication Mechanism, and Federation Data Store
  Note
  Using Active Directory as the OIF repository requires secure LDAP (LDAPS) communication. Follow the instructions in section 8.2.2.4 of the Administrator's Guide to Oracle Identity Federation 11g (http://go.microsoft.com/fwlink/?LinkId=197149) to configure LDAP over SSL in OIF.
  In-memory tables for User Session and Message store type
  File for Configuration Store type
  SAML 2.0 SSO service URL: http://orafed.woodgrovebank.com:7777/fed/idp/samlv20
  SAML 2.0 Assertion consumer service URL: http://www.woodgrovebank.com:7777/fed/sp/authnResponse20
Ensure IP Connectivity
Make sure that the OIF (orafed.woodgrovebank.com) and AD FS 2.0 (fsweb.contoso.com) computers have IP connectivity between them. The Contoso.com domain controller, if running on a separate computer, does not require IP connectivity to the OIF system.
To install the OHS SSL certificate into fsweb.contoso.com
1. From fsweb.contoso.com, use Internet Explorer to visit https://orafed.woodgrovebank.com:4443.
2. At the security warning, click the link to continue to the website. The Address Bar will turn red to signify that the page is protected by an SSL certificate that is not trusted.
3. Click the Certificate Error message next to the Internet Explorer address bar, and then click View certificates.
4. In the Certificate window, on the General tab, click Install Certificate to start the Certificate Import Wizard.
5. Click Next.
6. In the Certificate Store window, click the radio button for Place all certificates in the following store.
7. Click Browse, and then click Show physical stores.
8. Select Local Computer in the Trusted Root Certificate Authorities folder, and click OK.
9. Click Next > Finish > OK > OK.
10. Close and reopen Internet Explorer, and then revisit https://orafed.woodgrovebank.com:4443. This time the address bar should remain white, signifying a working SSL channel.
10. Close and reopen Internet Explorer, and then revisit https://fsweb.contoso.com. This time the address bar should remain white, signifying a working SSL channel.
5. Provide a password, clear the User must change password at next logon check box, and then click Next.
6. Click Finish.
7. In the right-most pane of Active Directory Users and Computers, right-click the new user object, and then click Properties.
8. On the General tab, in the E-mail box, type the following, and then click OK.
Name | Value
E-mail | alansh@contoso.com
9. In the console tree, under woodgrovebank.com, right-click the Users folder. Click New, and then click User. Follow the same procedure as above to add a second user with the values in the following table.
Name | Value
10. Log in to the Contoso domain controller with administrative credentials, and add Alan Shen to the Contoso Active Directory, using the same steps and values as above.
Note
It is not necessary to add George Curio, because the AD FS 2.0 sample application does not require identity mapping.
Step 2: Configure AD FS 2.0 as the Identity Provider and OIF as the Relying Party
In this step, you configure the scenario in which Alan Shen from Contoso (through AD FS 2.0) gets federated access to the Woodgrove Bank sample application (using OIF). The scenario uses the SAML 2.0 POST profile.
Configure OIF
Create a New Trusted Provider Using Metadata
Note
Creating trusted providers with metadata supplied by AD FS 2.0 requires edits to the AD FS 2.0 metadata XML file, which uses extension points in the SAML 2.0 metadata standard (http://go.microsoft.com/fwlink/?LinkID=194835) that are not supported by Oracle Identity Federation 11.1.1.2.
To create a new trusted provider using metadata
1. From the OIF computer (orafed.woodgrovebank.com), using Internet Explorer, go to the AD FS 2.0 metadata XML file at https://fsweb.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml.
2. Click Page, and then click Save As to save FederationMetadata.xml to the desktop.
3. Open FederationMetadata.xml with an XML editor.
4. Delete the sections of the file shown in the following table.
Description | Section starts with | Section ends with
Metadata document signature | <ds:Signature | </ds:Signature>
WS-Trust & WS-Federation application service metadata | <RoleDescriptor xsi:type="fed:ApplicationServiceType" | </RoleDescriptor>
WS-Trust & WS-Federation security token service metadata | <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" | </RoleDescriptor>
5. Save the edited file as FederationMetadata_forOIF.xml to the desktop.
6. In the Fusion Middleware Control interface, in the navigation tree on the left, right-click OIF in the Identity and Access folder, and then select Administration > Federations.
7. On the Federations page, click Add.
8. In the Add Trusted Provider window, click Browse, select FederationMetadata_forOIF.xml, and click Open.
9. Click OK.
10. On the Federations page, click the provider with the Provider ID http://fsweb.contoso.com/adfs/services/trust, and then click Edit.
11. On the Edit Trusted Provider page, click the Oracle Identity Federation Settings tab.
12. Scroll to the Service Provider/Requester Settings section, and make the changes in the following table. To edit a field, click the arrow icon to make editing available, and then make the editing changes.
Name | Value before editing | Value after editing
Enable Auto Account Linking | |
Map User with Name ID | |
Default SSO Response Binding | Artifact | HTTP POST
Note
For simplicity, we are using the HTTP POST binding in this lab. Note, however, that AD FS 2.0 supports the SAML 2.0 Artifact binding, which may be preferable in some federation scenarios.
13. Click Apply.
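Steps 3 through 5 can also be done from Windows PowerShell on the OIF computer instead of by hand in an XML editor. The following script is an added example, not part of the original guide; it assumes the file was saved to the desktop under the names used in steps 2 and 5, and it removes exactly the three sections listed in the table while leaving the SAML 2.0 role descriptors (and the token-signing certificate they carry) untouched.

```powershell
# Added example: strip the sections that OIF 11.1.1.2 cannot import from AD FS 2.0 metadata.
# Assumes FederationMetadata.xml is on the desktop (step 2); the output name is from step 5.
$desktop = [Environment]::GetFolderPath("Desktop")
$inFile  = Join-Path $desktop "FederationMetadata.xml"
$outFile = Join-Path $desktop "FederationMetadata_forOIF.xml"

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.Load($inFile)

$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# 1. Metadata document signature (<ds:Signature> ... </ds:Signature>).
#    Removing the RoleDescriptor elements below would invalidate it anyway, so after this
#    edit the document's integrity rests on having fetched it over HTTPS from
#    fsweb.contoso.com in step 1 (the IIS certificate was trusted on this computer earlier).
$sig = $doc.SelectSingleNode("/md:EntityDescriptor/ds:Signature", $ns)
if ($sig -ne $null) { [void]$sig.ParentNode.RemoveChild($sig) }

# 2./3. The WS-Trust and WS-Federation RoleDescriptor elements (application service and
#    security token service). SPSSODescriptor and IDPSSODescriptor, which hold the
#    signing certificate OIF will use to validate AD FS 2.0 tokens, are not touched.
#    @() snapshots the node list before nodes are removed from the live document.
foreach ($rd in @($doc.SelectNodes("/md:EntityDescriptor/md:RoleDescriptor", $ns))) {
    [void]$rd.ParentNode.RemoveChild($rd)
}

$doc.Save($outFile)

# Sanity check: only SAML 2.0 elements should remain directly under EntityDescriptor.
$doc.SelectNodes("/md:EntityDescriptor/*", $ns) | ForEach-Object { $_.Name }
```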
Configure AD FS 2.0
Add a Relying Party Using Metadata
You can add a partner using OIF into AD FS 2.0 either manually or through metadata import. In this lab, you use metadata import.
To add a relying party using metadata
1. In AD FS 2.0, in the console tree, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust to start the Add Relying Party Trust Wizard.
2. On the Select Data Source page, leave Import data about the relying party published online or on a local network selected.
3. In Federation metadata address, type https://orafed.woodgrovebank.com:4443/fed/sp/metadata?providerid=http://fsweb.contoso.com/adfs/services/trust, and click Next.
Note
OIF produces federation metadata documents for both the default OIF configuration and partner-specific configurations. Earlier, you made a partner-specific change in OIF to use HTTP POST instead of Artifact as the default federation binding. This change impacts metadata. Using the Contoso-specific metadata document above ensures that AD FS 2.0 will use HTTP POST during IDP-initiated SSO.
4. Click OK to acknowledge that some metadata that AD FS 2.0 does not understand will be skipped.
5. On the Specify Display Name page, type Woodgrove Bank, and click Next.
6. On the Choose Issuance Authorization Rules page, leave the default Permit all users to access the relying party selected, and then click Next.
7. Click Next, and then click Close.
LDAP Attribute | Outgoing Claim Type
E-Mail-Addresses | E-Mail Address
Token-Groups - Unqualified Names | Role
7. Click Finish.
8. On the Issuance Transform Rules tab, click Add Rule.
9. On the Select Rule Template page, select Transform an Incoming Claim, and click Next.
10. On the Configure Claim Rule page, type the values in the following table.
Name | Value
Outgoing Name ID format | Email
11. Leave the Pass through all claim values radio button selected, and click Finish.
12. Click OK to close the Edit Claim Rules window.
Note
Although Name ID was available as an outgoing claim type in step 6, choosing Name ID directly there would have resulted in AD FS 2.0 sending the Name ID with no Name ID format applied. This would not work by default with OIF, which expects the Name ID in the Email Address Name ID format.
Note You can make many configuration changes to AD FS 2.0 using the Windows PowerShell command-line and scripting environment. For more information, see the AD FS 2.0 Windows PowerShell Administration section of the AD FS 2.0 Operations Guide (http://go.microsoft.com/fwlink/?LinkId=194005) and the AD FS 2.0 Cmdlets Reference (http://go.microsoft.com/fwlink/?LinkId=177389).
In this lab, you host the link on a web page on the OIF computer, which is served by IIS. You will include both IDP- and SP-initiated SSO links. The links will result in federated access to an OIF-supplied sample application.
To create links for initiating federated access
1. On the OIF computer (orafed.woodgrovebank.com), navigate to c:\inetpub\wwwroot, and create a new file called index.htm.
2. Right-click index.htm, and select Open With. Select Notepad to open the file.
3. Add the following to the document:
    <p>Welcome to Woodgrove Bank</p>
    <p>Test Links - From AD FS 2.0 to OIF</p>
    <p><a href="https://orafed.woodgrovebank.com/fed/sp/initiatesso?providerid=http://fsweb.contoso.com/adfs/services/trust">Link to Test SP-initiated POST Single Sign-On to OIF from AD FS 2.0</a></p>
    <p><a href="https://fsweb.contoso.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=http://orafed.woodgrovebank.com:7777/fed/sp">Link to Test IDP-initiated POST Single Sign-On to OIF from AD FS 2.0</a></p>
4. Save and close the file.
Step 3: Test AD FS 2.0 as the Identity Provider and OIF as the Relying Party
In this scenario, Alan Shen from Contoso accesses the federated sample application at woodgrovebank.com.
Note
For the best results, clear all the cookies in Internet Explorer on the AD FS 2.0 computer (fsweb.contoso.com). To clear the cookies, click Tools, click Internet Options, click Delete under Browsing History, and then select cookies for deletion.
To access the woodgrovebank.com application
1. Log in to the console of the fsweb.contoso.com server using the CONTOSO\alansh account.
2. Open a browser window and navigate to http://orafed.woodgrovebank.com.
3. Click either of the links to test SSO to OIF from AD FS 2.0.
At this point, you should see the OIF sample application. Notice the role claims that are sent from inside Active Directory (for example, Domain Users) that are now available for use in the federated application. Review the log files for AD FS 2.0 in Event Viewer and for OIF in the Fusion Middleware Control interface for more information.
Note
Configure OIF auditing as described in Chapter 7 of the Administrator's Guide to Oracle Identity Federation 11g (http://go.microsoft.com/fwlink/?LinkID=197149) to see the contents of the security tokens passing between environments.
Note
In this lab, access to the OIF-protected application is somewhat controlled because it is limited to users in the local OIF user store. For more robust access control, deploy OIF with Oracle Access Manager.
Step 4: Configure OIF as the Identity Provider and AD FS 2.0 as the Relying Party
In this step, you configure a scenario in which George Curio, a Woodgrove Bank user (using OIF), gets federated access to the WIF sample application through AD FS 2.0. As before, this scenario uses the SAML 2.0 POST profile.
Configure OIF
Add an Attribute to the OIF-Generated Assertion
The trusted provider that was created earlier for Contoso already includes the basic information that OIF needs to generate security tokens for the Contoso sample application. We will make some adjustments to add capabilities to the use case. The first is to add the user's full name as an attribute to the OIF-generated assertion, which will be used as the screen name in the Contoso sample application.
To add the Name attribute to the OIF-generated security token
1. In the Fusion Middleware Control interface, in the navigation tree on the left, right-click OIF in the Identity and Access folder, and select Administration > Federations.
2. On the Federations page, click the provider with the Provider ID http://fsweb.contoso.com/adfs/services/trust, and then click Edit.
3. On the Edit Trusted Provider page under the Oracle Identity Federation Settings tab, select the Enable Attributes in Single Sign-On (SSO) check box.
4. On the next line, select the Email Address Name ID format check box, and then click Apply.
5. Under the Oracle Identity Federation Settings tab, click Edit next to Attribute Mapping and Filters.
6. On the Attribute Mapping and Filters page, click the Name Mappings tab, and then click Add.
7. In the Add Attribute Name Mapping window, type the values in the following table.
Name | Value
Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
8. Still in the Add Attribute Name Mapping window, select the Send with SSO Assertion check box, and then click OK.
9. Click OK to leave the Attribute Mappings and Filters page.
Configure AD FS 2.0
Add a Claims Provider Using Metadata
Once again, you use the metadata import capabilities of AD FS 2.0 to create the Woodgrove Bank claims provider. The metadata includes the public key that is used to validate security tokens that OIF signs.
To add a claims provider using metadata
1. In AD FS 2.0, in the console tree, right-click the Claims Provider Trusts folder, and then click Add Claims Provider Trust to start the Add Claims Provider Trust Wizard.
2. On the Select Data Source page, click Import data about the relying party published online or on a local network.
3. In Federation metadata address, type https://orafed.woodgrovebank.com:4443/fed/idp/metadata?providerid=http://fsweb.contoso.com/adfs/services/trust, and click Next.
4. Click OK to acknowledge that some metadata that AD FS 2.0 does not understand will be skipped.
5. In the Specify Display Name page, type Woodgrove Bank, and click Next.
6. Click Next, and then click Close.
Incoming name ID format | Email
5. Select the Pass through only claim values that match a specific email suffix value option. In Email suffix value, type woodgrovebank.com, and then click Finish.
6. Click Add Rule again.
7. On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim check box, and then click Next.
8. In the Configure Claim Rule page, in Claim rule name, use the values in the following table.
Name | Value
Claim rule name | Name Rule
Incoming claim type | Name
9. Leave the Pass through all claim values option selected, and then click Finish.
10. To acknowledge the security warning, click Yes.
11. Click OK.
Incoming Name ID format | Email
5. Leave the Pass through all claim values option selected, and then click Finish.
6. Click Add Rule again.
7. On the Select Rule Template page, select Pass Through or Filter an Incoming Claim, and then click Next.
8. On the Configure Claim Rule page, type the values in the following table.
Name | Value
Incoming claim type | Name
9. Leave the Pass through all claim values option selected, and then click Finish.
10. Click OK.
Note
If you configured the optional Step 6: Change Authorization Rules when you were testing the original AD FS 2.0 with WIF Step-by-Step Guide deployment, ensure that you add back the Permit All Users issuance authorization rules for the WIF sample application before testing this scenario. Or, as an alternative, add a new Permit or Deny Users Based on an Incoming Claim rule, allowing incoming Name ID = georgec@woodgrovebank.com to access the application.
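The claims provider trust rules from the previous procedure, plus the alternative authorization rule mentioned in the Note, written in the AD FS 2.0 claim rule language and applied from Windows PowerShell. This is an added example, not the guide's own text: the rule name "Name ID Rule" is chosen here, "Name Rule" is from the table, and the WIF sample application's trust name is not given in this guide, so a labelled placeholder stands in for it. The email-suffix filter on the first rule is the control worth noticing: AD FS 2.0 will not accept a Name ID from this partner unless it ends in @woodgrovebank.com, so OIF cannot assert a user in some other domain to the Contoso application.

```powershell
# Added example: acceptance rules for the Woodgrove Bank claims provider trust and an
# optional authorization rule for the WIF sample application's relying party trust.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Rule 1: pass the incoming Name ID through only when it is in the Email format and
#         its value ends in @woodgrovebank.com (steps 1-5 of the procedure above).
# Rule 2: pass the incoming Name claim through unchanged (steps 6-9).
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Name ID Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Value =~ "^.+@woodgrovebank\.com$"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Name Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
'@

Set-ADFSClaimsProviderTrust -TargetName "Woodgrove Bank" -AcceptanceTransformRules $acceptanceRules

# Optional alternative from the Note: instead of "Permit All Users", permit only the
# Name ID georgec@woodgrovebank.com at the WIF sample application's relying party trust.
# <WIF-APP-TRUST-NAME> is a placeholder; substitute the display name of that trust.
$wifAppTrust = "<WIF-APP-TRUST-NAME>"
$authorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit George Curio"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value =~ "^(?i)georgec@woodgrovebank\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

Set-ADFSRelyingPartyTrust -TargetName $wifAppTrust -IssuanceAuthorizationRules $authorizationRules

# Read back both rule sets to confirm them before testing in Step 5.
(Get-ADFSClaimsProviderTrust -Name "Woodgrove Bank").AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name $wifAppTrust).IssuanceAuthorizationRules
```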
Step 5: Test OIF as the Identity Provider and AD FS 2.0 as the Relying Party
In this scenario, George Curio (georgec) from Woodgrove Bank accesses the Contoso WIF sample application.
Note
Clear all the cookies in Internet Explorer on the OIF computer (orafed.woodgrovebank.com). To clear the cookies, click Tools, click Internet Options, click Delete under Browsing History, and then select cookies for deletion.
To access the Contoso sample application
1. On the OIF computer, open a browser window and navigate to https://fsweb.contoso.com/ClaimsAwareWebAppWithManagedSTS/default.aspx.
2. The first page prompts you to select your organization from a list. Select Woodgrove Bank from the list, and then click Continue to Sign In.
Note
This page did not appear in the previous example when you were redirected to AD FS 2.0. This is because at that point there was only one identity provider registered in AD FS 2.0. When only one IDP is available, AD FS 2.0 defaults to forwarding requests to that IDP.
3. The OIF forms logon page appears. Log in with the user name georgec and the password you created for the user earlier, and then click Sign in.
4. If you created the optional preformatted hyperlink earlier, you can try it now. Clear cookies, visit http://orafed.woodgrovebank.com, and select the link to test SP-initiated SSO to OIF from AD FS 2.0.
When you access the WIF application, note the presence of the name claim, which was an additional assertion attribute. Also note the NameIdentifier claim, which successfully passed the rule limitation of using only addresses with the woodgrovebank.com suffix. Review the log files for AD FS 2.0 in Event Viewer and for OIF in the Fusion Middleware Control interface for more information.
Note
Configure OIF auditing as described in Chapter 7 of the Administrator's Guide to Oracle Identity Federation 11g (http://go.microsoft.com/fwlink/?LinkID=197149) to see the contents of the security tokens passing between environments.
Appendix
The purpose of this section is to highlight other possibilities that are outside the scope of this document but that are available to architects when they are deploying federation between AD FS 2.0 and OIF.
WS-Federation Support
AD FS 2.0 continues to support the WS-Federation protocol for Web-based federation and SSO. OIF also supports WS-Federation. For information about how to deploy a test lab between OIF and AD FS using WS-Federation, see the legacy ADFS Step-by-Step Guide: Federation with Oracle Identity Federation (http://go.microsoft.com/fwlink/?LinkId=197273).
Federated Logout
Both AD FS 2.0 and OIF include support for federated single logout. Federated single logout makes it possible for a user to log out completely from their IDP federation server, as well as from any relying party applications that are federated through a particular browser session. Federated logout improves security by ensuring that no sessions are left open for misuse, hijacking, or other malicious actions.