Configure Oracle Access Manager for SAML Integration

Create a New Identity Provider 

This section assumes that Oracle Access Manager federation services have been enabled.

  1. Sign in to the Oracle Access Manager console as an Administrator.
  2. Click the Federation tab at the top of the console.
  3. In the Federation area of the Launch Pad tab, click Service Provider Management. For an explanation of why you select this option when creating an identity provider, see the OAM Federation: Identity Provider & Service Provider Management blog post.
  4. On the Service Provider Administration tab, click Create Identity Provider Partner.
  5. In the General area, enter a name for the Identity Provider partner and select both the Enable Partner and Default Identity Provider Partner check boxes. Go to the next step before saving.
  6. In the Service Information area:
    1. Select SAML2.0 as the protocol.
    2. Select the Load from provider metadata option.
    3. Click Browse (for Windows) or Choose File (for Mac) and select the Azure AD SAML metadata file that you saved previously.

Go to the next step before saving.

  7. In the Mapping Options area:
    1. Select the User Identity Store that Oracle Access Manager will search for E-Business Suite users. Typically, this is the LDAP identity store already configured as the Oracle Access Manager identity store.
    2. Leave the User Search Base DN field blank. The search base is automatically picked up from the identity store configuration.
    3. Select the Map assertion Name ID to User ID Store attribute option and enter mail in the text box.


Important: This configuration defines the user mapping between Azure AD and Oracle Access Manager. Oracle Access Manager will take the value of the NameID element in the incoming SAML assertion and try to look up that value against the mail attribute across all user entries in the configured identity store. Therefore, it's imperative that the Azure AD user principal name (in the Azure AD configuration shown previously) is synchronized with the mail attribute in Oracle Access Manager's identity store.
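The NameID-to-mail lookup described in the note above, as an added Python example that is not part of this page or of Oracle Access Manager's own code: it parses a constructed assertion, takes the Subject/NameID value, and matches it against a constructed in-memory stand-in for the identity store on the mail attribute. The directory entries, addresses and tenant id are made up, the comparison is an exact string match (a real directory applies the matching rule of the mail attribute), and treating an ambiguous match as a failure is an assumption. The second store entry models the failure mode the note warns about: a user principal name that was never synchronized into mail.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not a real Azure AD response; only the
# Subject/NameID matters for the mapping configured in this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="id-constructed-assertion" Version="2.0" IssueInstant="2019-04-23T17:01:30Z">
  <saml:Issuer>https://sts.windows.net/CONSTRUCTED-TENANT-ID/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@mycompany.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed stand-in for the OAM LDAP identity store. For "asmith" the
# Azure AD user principal name (asmith@mycompany.com) was never synchronized
# into mail, which is the failure mode the note above warns about.
IDENTITY_STORE = [
    {"dn": "cn=jdoe,ou=people,dc=mycompany,dc=com", "uid": "jdoe", "mail": "jdoe@mycompany.com"},
    {"dn": "cn=asmith,ou=people,dc=mycompany,dc=com", "uid": "asmith", "mail": "alice.smith@mycompany.com"},
]


def extract_name_id(assertion_xml):
    """Return the NameID value from the assertion's Subject."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID")
    return node.text.strip()


def map_name_id_to_user(name_id, store, attribute="mail"):
    """Mirror 'Map assertion Name ID to User ID Store attribute = mail':
    the NameID must equal the attribute of exactly one store entry.
    Exact string comparison here; a directory applies the attribute's own
    matching rule. Treating an ambiguous match as a failure is an assumption."""
    matches = [entry for entry in store if entry.get(attribute) == name_id]
    if len(matches) != 1:
        return None
    return matches[0]["uid"]


def resolve_user(assertion_xml, store):
    """End-to-end: assertion in, local user id (or None) out."""
    return map_name_id_to_user(extract_name_id(assertion_xml), store)


if __name__ == "__main__":
    print("jdoe assertion ->", resolve_user(SAMPLE_ASSERTION, IDENTITY_STORE))
    print("unsynchronized UPN ->", map_name_id_to_user("asmith@mycompany.com", IDENTITY_STORE))
```

Running the script shows the first lookup succeeding and the second returning None: an assertion whose NameID carries a value that is not present in mail resolves to no user at all, which is what an unsynchronized user principal name looks like from the Oracle Access Manager side.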

  8. Click Save to save the identity provider partner.
  9. After the partner is saved, return to the Advanced area at the bottom of the tab and ensure that the options are configured as follows:

    • Enable global logout is selected.
    • HTTP POST SSO Response Binding is selected.

This is an instruction that Oracle Access Manager sends in the authentication request telling Azure AD how it should transmit the SAML assertion back. If you inspect the authentication request that Oracle Access Manager sends, you will see something like the following example. Note the ProtocolBinding attribute of the AuthnRequest element.

<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  Destination="https://login.microsoftonline.com/4e39517e-7ef9-45a7-9751-6ef6f2d43429/saml2"
  ID="id-y5nmx61xB8QWXtDmYWcH7rPYs5zXtV-fcKRy-yM9"
  IssueInstant="2019-04-23T17:01:25Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://myoamserver.mycompany.com:14100/oam/fed</saml:Issuer>
  <dsig:Signature>
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#id-y5nmx61xB8QWXtDmYWcH7rPYs5zXtV-fcKRy-yM9">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>pa00UWdqfywm4Qb59HioA6BhD18=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>X4eZRyFD6sznA0g3BJebU2c6ftunG2UvwbMptO+10wFky0aALnnr0Na+5fF83U4Ut99OvAIZ41K3YMNaR4A8zr37SSlBrb72X7CTtxjh2mAphWDRPmkJx4vS0HACzZh0MHimdwq+qVXuFRbSLBE+9XNSGWJzGAh//WqGBlNrKnw=</dsig:SignatureValue>
  </dsig:Signature>
</samlp:AuthnRequest>

This setting asks Azure AD to send the assertion via an HTTP POST request. When it receives a request like this, the identity provider typically creates an HTML form with the assertion as a hidden form element that is automatically posted to the service provider's Assertion Consumer Service (ACS).

    • Enable HTTP Basic Authentication (SSO artifact binding) is not selected.
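The HTTP POST response binding described in this step, as an added Python example that is not part of this page or of Oracle Access Manager or Azure AD: one side plays the identity provider, reading ProtocolBinding from a constructed, unsigned AuthnRequest modelled on the one above and answering with the self-submitting HTML form; the other side plays the service provider's ACS, recovering the hidden SAMLResponse field, base64-decoding it and checking that InResponseTo names the request that was actually sent. The tenant id, the ACS path (/oam/fed/sp/sso) and both SAML documents are constructed placeholders, and the ACS function deliberately stops short of the signature, Destination and Issuer checks a real service provider performs.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, unsigned AuthnRequest modelled on the one shown in this step.
# The tenant id and the ACS path are placeholders, not values from a real deployment.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="id-constructed-request" Version="2.0" IssueInstant="2019-04-23T17:01:25Z"
  Destination="https://login.microsoftonline.com/CONSTRUCTED-TENANT-ID/saml2"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="http://myoamserver.mycompany.com:14100/oam/fed/sp/sso">
  <saml:Issuer>http://myoamserver.mycompany.com:14100/oam/fed</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed, unsigned Response the identity provider would return for that request.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="id-constructed-response" InResponseTo="id-constructed-request" Version="2.0"
  IssueInstant="2019-04-23T17:01:30Z"
  Destination="http://myoamserver.mycompany.com:14100/oam/fed/sp/sso"/>"""


def parse_authn_request(xml_text):
    """Pull out the fields the identity provider needs to answer the request."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.attrib["ID"],
        "binding": root.attrib.get("ProtocolBinding"),
        "acs_url": root.attrib.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
    }


def build_post_form(acs_url, response_xml, relay_state=None):
    """HTML page the identity provider returns for the HTTP-POST binding: the
    base64-encoded Response sits in a hidden field and the form submits itself
    to the ACS; the noscript button is the fallback when JavaScript is off."""
    encoded = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    fields = ['<input type="hidden" name="SAMLResponse" value="%s"/>' % html.escape(encoded, quote=True)]
    if relay_state is not None:
        fields.append('<input type="hidden" name="RelayState" value="%s"/>' % html.escape(relay_state, quote=True))
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form method="post" action="%s">%s'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    ) % (html.escape(acs_url, quote=True), "".join(fields))


def idp_answer(request_xml, response_xml):
    """Identity provider side: honour ProtocolBinding, refuse anything else."""
    req = parse_authn_request(request_xml)
    if req["binding"] != HTTP_POST_BINDING:
        raise ValueError("unsupported ProtocolBinding: %r" % (req["binding"],))
    return build_post_form(req["acs_url"], response_xml)


def acs_receive(form_html, expected_request_id):
    """Service provider (ACS) side: recover the posted field, decode it and
    check that the Response answers the request that was actually sent.
    Signature, Destination and Issuer validation are left to the real SP."""
    match = re.search(r'name="SAMLResponse" value="([^"]*)"', form_html)
    if match is None:
        raise ValueError("no SAMLResponse field in posted form")
    root = ET.fromstring(base64.b64decode(match.group(1)))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("posted document is not a samlp:Response")
    in_response_to = root.attrib.get("InResponseTo")
    if in_response_to != expected_request_id:
        raise ValueError("InResponseTo %r does not match request %r" % (in_response_to, expected_request_id))
    return {"in_response_to": in_response_to, "destination": root.attrib.get("Destination")}


if __name__ == "__main__":
    form = idp_answer(SAMPLE_AUTHN_REQUEST, SAMPLE_RESPONSE)
    print(form)
    print(acs_receive(form, parse_authn_request(SAMPLE_AUTHN_REQUEST)["id"]))
```

The InResponseTo check is the reason the service provider keeps the ID of every AuthnRequest it issues: a posted Response that names an unknown or already-consumed request ID is rejected before any of the assertion's content is looked at.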

  10. In the General area, click the Create Authentication Scheme and Module button.

An authentication scheme and module are created with the partner name. The only configuration left is attaching the authentication scheme to the E-Business Suite resources that require Azure AD credentials for authentication, which you will do in the next section.

  11. You can check the authentication module that was created by following these steps:
    1. Click the Application Security tab at the top of the console.
    2. Under Plug-ins, select Authentication Modules, click Search, and find your federation module.
    3. Select the module, and then click the Steps tab.
    4. Note that the value of the FedSSOIdP property is the identity provider partner.


Associate the E-Business Suite Resources with the Authentication Scheme

Perform these steps while logged in to the Oracle Access Manager console as an Administrator.

    1. At the top of the console, click Application Security.
    2. Under Access Manager, select Application Domain, click Search, and select the application domain that was created for the integration when the E-Business Suite script registered the E-Business Suite WebGate.
    3. Click the Authentication Policies tab, and then click Protected Resources Policy.
    4. In Authentication Scheme, replace the previously configured authentication scheme with the new federation authentication scheme. This is how Oracle Access Manager ties a protected resource to an identity provider.
    5. Click Apply to save the change.

