Oracle Access Manager 11gR2 (OAM 11.1.2.x.x) Federation - Unknown Authentication Scheme "ImpAS" in SAML Response From OAM Identity Provider (IdP) to Service Provider (SP) Partner (Doc ID 2250619.1)

Last updated on MAY 09, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Symptoms

Use case:
1.- On the SP side, they have an application that is protected by WebGate, say: http://sp-host:7980/app

2.- On the SP side, the application is protected with a custom authentication scheme that uses an external JSP login form residing on the IdP (OAM). The IdP is an MDC (Multi-Data Center) deployment with 2 Data Centers.

3.- The user tries to access the Application on the SP: http://sp-host:7980/app

4.- The SP then redirects the user to the custom external Login Form on the MDC (say: the Master Data Center).

5.- The Master DC authenticates the user and the user is redirected back to the originally requested URL on the SP (http://sp-host:7980/app).

6.- So far this is a typical Form Authentication with an external custom Login Form. No Federation Service has been involved up to this point.

7.- Then, once on the SP, the customer's custom application sends a SAML Authentication Request to the IdP.

8.- If the Master (which authenticated the user in the first place) receives the SAML Authentication Request, it automatically sends back a SAML Response Assertion to the SP with some User Attributes in the Assertion and the expected AuthnContext:

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

9.- Now, if the SAML Authentication Request is received by the Clone (which did not authenticate the user in the first place), the Clone also sends a SAML Response Assertion to the SP with some User Attributes. However, in the SAML Assertion sent by the Clone, the AuthnContext is wrong: the Authentication Context carries an unknown Authentication Scheme (ImpAS) instead of the expected class, as shown below:

<saml:AuthnContextClassRef>ImpAS</saml:AuthnContextClassRef>
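Added example (not from the Oracle document and not OAM code): an SP-side check, in Python, that extracts AuthnContextClassRef from a SAML Response and rejects any value outside the set the SP agreed to accept, so a response like the Clone's "ImpAS" one is flagged instead of being consumed. The sample response is constructed here and carries only the elements relevant to the symptom; EXPECTED_AUTHN_CONTEXTS, build_response and check_authn_context are names of this example, not OAM APIs.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Authentication contexts the SP agreed to accept from this IdP. The document
# states the Master Data Center returns PasswordProtectedTransport, so that is
# the only class listed here (assumption: the SP accepts nothing else).
EXPECTED_AUTHN_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}


def build_response(authn_context_class_ref):
    """Constructed sample of the part of a SAML Response that matters here.

    A real response also carries a Signature, Issuer, Subject, Conditions
    and AttributeStatement; they are omitted to keep the sample focused.
    """
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2017-05-09T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{authn_context_class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def authn_context_class_refs(response_xml):
    """Return every AuthnContextClassRef found in the response's assertions.

    For untrusted input in production, parse with defusedxml rather than the
    stdlib parser to block entity-expansion attacks.
    """
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(e.text or "").strip() for e in root.iterfind(path, NS)]


def check_authn_context(response_xml, expected=EXPECTED_AUTHN_CONTEXTS):
    """Accept the response only if every AuthnContextClassRef is expected.

    Returns (accepted, reason). Run this after signature and Conditions
    validation and before creating the local session.
    """
    refs = authn_context_class_refs(response_xml)
    if not refs:
        return False, "assertion carries no AuthnContextClassRef"
    unknown = sorted(r for r in refs if r not in expected)
    if unknown:
        return False, f"unexpected AuthnContextClassRef {unknown}; accepted: {sorted(expected)}"
    return True, "ok"


if __name__ == "__main__":
    good = build_response("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    bad = build_response("ImpAS")  # the value the Clone returns in this document
    print(check_authn_context(good))
    print(check_authn_context(bad))
```

Logging the rejection together with the IdP host that issued the response helps distinguish the Master from the Clone when, as here, only one data center produces the bad context.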

Cause
