Friday, November 6, 2015

OAM Federation : Issue with nameidformat


Environment:

OAM as IDP
Target SaaS application as SP

Problem Statement:

Some vendor applications that support SAML 2.0 federation send the following NameIDPolicy by default when the NameID is an email address:

<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" AllowCreate="true" />

So if you integrate OAM (IdP) with such an application (SP) by setting "NameID Format" = Email Address in the OAM console, the assertion never reaches the ACS: when you test the URL, the response OAM returns carries a top-level Requester status with the second-level code InvalidNameIDPolicy, i.e. OAM is telling the SP that it cannot satisfy the requested NameID format:

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></samlp:StatusCode></samlp:Status>

Issue:

The issue is a mismatch between the NameID format URIs on the two sides. The email-address NameID format OAM 11gR2 PS2 emits and accepts is

  “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”

This is the URI that the SAML 2.0 Core specification (section 8.3.2, "Email Address") assigns to email-address identifiers; the 2.0 specification deliberately kept the SAML 1.1 identifier for this format and does not define a "2.0:nameid-format:emailAddress" URI at all.

Reference:


Whereas the SaaS application sends a NameIDPolicy Format of

 “urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress”

which OAM does not recognise as one of its supported formats, so it rejects the AuthnRequest with InvalidNameIDPolicy rather than silently issuing an assertion with a different NameID format.

Fix:


Ask the vendor of the SaaS application you are integrating as the SP to send the SAML AuthnRequest with the NameIDPolicy Format set to

 “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”

There is no way to modify the OAM standard nameidformat, to my knowledge.
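The following script is an added example, not code from the original post or from Oracle; it reproduces the NameIDPolicy check an IdP performs on an incoming AuthnRequest so you can see why the SP's request above fails and why the corrected request succeeds. It also includes the HTTP-Redirect binding encoder/decoder (raw DEFLATE plus base64) you need to inspect the SAMLRequest parameter captured from a browser. The set OAM_SUPPORTED_NAMEID_FORMATS is an assumption used to model OAM's behaviour, and the AuthnRequest, issuer and ACS URL are constructed here, not captured from a real SP.

```python
"""Added example: model the IdP-side NameIDPolicy check that produces the
Requester/InvalidNameIDPolicy status shown in the post.

Assumptions (not from the original post): OAM_SUPPORTED_NAMEID_FORMATS models
the formats the IdP honours; the AuthnRequest below is constructed sample data.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Email-address format URI as defined in SAML 2.0 Core section 8.3.2 (keeps the 1.1 URI).
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Non-standard URI the SaaS SP in the post sends; not defined by SAML 2.0.
BOGUS_EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"

# Assumed (hypothetical) set of formats the IdP will honour.
OAM_SUPPORTED_NAMEID_FORMATS = {
    EMAIL_FORMAT,
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def build_authn_request(nameid_format):
    """Construct a minimal AuthnRequest carrying the given NameIDPolicy Format (sample data)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" '
        'ID="_example-id" Version="2.0" IssueInstant="2015-11-06T00:00:00Z" '
        'AssertionConsumerServiceURL="https://sp.example.com/acs">'
        '<saml:Issuer>https://sp.example.com</saml:Issuer>'
        '<samlp:NameIDPolicy Format="{f}" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    ).format(p=NS["samlp"], a=NS["saml"], f=nameid_format)


def encode_redirect_binding(xml_text):
    """Encode as the SAMLRequest query parameter of the HTTP-Redirect binding:
    raw DEFLATE (no zlib header, wbits=-15) followed by base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(param):
    """Inverse of encode_redirect_binding: run this on a captured SAMLRequest value."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def requested_nameid_format(authn_request_xml):
    """Return the NameIDPolicy Format attribute, or None if the element is absent.
    Use defusedxml in production: stock ElementTree is not hardened against hostile XML."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def evaluate_nameid_policy(authn_request_xml, supported=OAM_SUPPORTED_NAMEID_FORMATS):
    """Mimic the IdP decision: an absent policy lets the IdP choose; a Format the
    IdP cannot satisfy yields Requester with second-level InvalidNameIDPolicy."""
    fmt = requested_nameid_format(authn_request_xml)
    if fmt is None or fmt in supported:
        return (STATUS_SUCCESS, None)
    return (STATUS_REQUESTER, STATUS_INVALID_NAMEID_POLICY)


def build_status_xml(top_level, second_level=None):
    """Render the <samlp:Status> block in the shape seen in the failing ACS response."""
    inner = '<samlp:StatusCode Value="{}"/>'.format(second_level) if second_level else ""
    return ('<samlp:Status xmlns:samlp="{p}"><samlp:StatusCode Value="{t}">{i}'
            '</samlp:StatusCode></samlp:Status>').format(p=NS["samlp"], t=top_level, i=inner)


if __name__ == "__main__":
    for fmt in (BOGUS_EMAIL_FORMAT, EMAIL_FORMAT):
        param = encode_redirect_binding(build_authn_request(fmt))
        request = decode_redirect_binding(param)  # what you would do with a captured SAMLRequest
        top, second = evaluate_nameid_policy(request)
        print(fmt)
        print("  ->", build_status_xml(top, second))
```

Running it prints the Requester/InvalidNameIDPolicy status for the "2.0:nameid-format:emailAddress" request and a plain Success status for the "1.1" one, which is exactly the difference the vendor-side change makes. To check a real SP before opening a ticket, paste the SAMLRequest value from the redirect to OAM into decode_redirect_binding and read the Format attribute it reports.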

