Environment:
OAM (Oracle Access Manager) as IdP
Target SaaS application as SP
Problem Statement:
Some vendor applications that support SAML 2.0 federation send, by default, a NameIDPolicy for email addresses like the one below in their AuthnRequest:
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
        AllowCreate="true" />
So, if you integrate OAM (IdP) with the application (SP) and set "NameID Format" = email address for the partner in the OAM console, the response that reaches the ACS looks like this when you test the URL:
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
        </samlp:StatusCode>
    </samlp:Status>
The top-level status is Requester (the SP sent something the IdP could not satisfy) and the nested status code says exactly what: the requested NameIDPolicy is invalid.
Issue:
The issue here is a mismatch in the NameID format URI.
OAM 11gR2 PS2 uses the standard NameID format for email addresses:
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
Reference: the SAML 2.0 Core specification (saml-core-2.0-os), section 8.3.2, defines the emailAddress format with this SAML 1.1 URN; SAML 2.0 did not introduce a new URI for it, so a "...:SAML:2.0:nameid-format:emailAddress" identifier does not exist in the specification.
Whereas the SaaS application is requesting
"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
Because the IdP does not recognise that Format value, it cannot honour the NameIDPolicy and answers with the Requester / InvalidNameIDPolicy status shown above.
Fix:
Ask the vendor of the SaaS application you are integrating as SP to send the NameIDPolicy Format in the SAML request as
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
There is no way to modify the OAM standard NameID format, to my knowledge.
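When troubleshooting this kind of failure it helps to look at the actual SAMLRequest the SP sends and the actual Response the IdP returns, rather than at what the vendor documentation says. The script below is an added example, not part of the original post or of any Oracle or vendor tooling: it decodes an AuthnRequest as carried by the HTTP-Redirect binding (base64 over raw DEFLATE), reads the NameIDPolicy Format, checks it against the NameID formats defined in SAML 2.0 Core section 8.3, and walks the nested StatusCode elements of a Response so the InvalidNameIDPolicy cause is visible. The AuthnRequest and Response XML embedded in it are constructed samples that mirror the fragments above; the issuer and URLs in them are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID formats defined in SAML 2.0 Core, section 8.3. The emailAddress
# format keeps its SAML 1.1 URN even in SAML 2.0; there is no 2.0 variant.
SPEC_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed sample AuthnRequest (placeholder issuer/URLs) carrying the
# non-standard emailAddress URN described in the post.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
      AllowCreate="true" />
</samlp:AuthnRequest>"""

# Constructed sample Response with the nested status the IdP returns.
SAMPLE_FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2014-01-01T00:00:01Z" InResponseTo="_req1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def encode_redirect_saml_request(xml_text: str) -> str:
    """Apply the HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_saml_request(encoded: str) -> str:
    """Undo the HTTP-Redirect binding encoding (the SAMLRequest query parameter)."""
    raw = base64.b64decode(encoded)
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_nameid_format(authn_request_xml: str):
    """Return the NameIDPolicy Format from an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def check_nameid_format(fmt):
    """Return (ok, reason) for a requested NameID format."""
    if fmt is None:
        return True, "no NameIDPolicy sent; the IdP default applies"
    if fmt in SPEC_NAMEID_FORMATS:
        return True, "format is defined by SAML 2.0 Core section 8.3"
    if fmt.endswith(":nameid-format:emailAddress"):
        return False, ("non-standard emailAddress URN; the spec identifier is "
                       "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
    return False, "format is not defined by the specification"


def status_codes(response_xml: str):
    """Return the chain of StatusCode values in a Response, outermost first."""
    root = ET.fromstring(response_xml)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


if __name__ == "__main__":
    wire = encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST)
    fmt = requested_nameid_format(decode_redirect_saml_request(wire))
    print("SP requested:", fmt)
    print("Check:", check_nameid_format(fmt))
    print("IdP status chain:", " -> ".join(status_codes(SAMPLE_FAILED_RESPONSE)))
```

To use it against a real integration, paste the value of the SAMLRequest query parameter from the browser's redirect to OAM into decode_redirect_saml_request (URL-decode it first) and the SAMLResponse posted to the ACS (plain base64, no DEFLATE) into status_codes. If the Format check fails with the emailAddress message, the fix above applies; if the chain shows a different nested status, the problem is elsewhere.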