Last updated on MAY 09, 2017
Applies to: Oracle Access Manager - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
Oracle Access Manager 11gR2 (OAM 11.1.2.x.x) Federation - Unknown Authentication Scheme "ImpAS" in SAML Response From OAM Identity Provider (IdP) to Service Provider (SP) Partner
- Customer has an MDC environment, consisting of 2 Data Centers with OAM 126.96.36.199.0 in each.
- Federation Service has been enabled on the OAM Servers in the 2 Data Centers.
- The OAM Servers in the MDC act as the IdP in a Federation with a Remote Partner acting as the Service Provider.
1.- On the SP side, they have an application that is protected by WebGate, say: http://sp-host:7980/app
2.- On the SP side, the application is protected with a custom authentication scheme using an external JSP login Form that resides on the IdP (OAM). The IdP is an MDC with 2 Data Centers.
3.- The user tries to access the Application on the SP: http://sp-host:7980/app
4.- The SP then redirects the user to the custom external Login Form on the MDC (say: the Master Data Center).
5.- The Master DC authenticates the user and the user is redirected back to the originally requested URL on the SP (http://sp-host:7980/app).
6.- So far that is a typical Form Authentication with external custom Login Form. No Federation Service has been involved up to this point.
7.- Then, once on the SP, the customer's custom application sends a SAML Authentication Request to the IdP.
8.- If the Master (which authenticated the user in the first place) receives the SAML Authentication Request, it automatically sends back a SAML Response Assertion to the SP with some User Attributes in the Assertion and the expected AuthnContext.
9.- Now, if the SAML Authentication Request is received by the Clone (who did not authenticate the user in the first place), the Clone will also send a SAML Response Assertion to the SP with some User Attributes. However, in the SAML Assertion sent by the Clone, the AuthnContext is wrong. The Authentication Context has an unknown Authentication Scheme (ImpAS), as shown below:
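The failure mode above is an Assertion whose AuthnContext names a scheme the SP does not recognise. A Service Provider can catch this before it grants access by validating the AuthnContextClassRef against the contexts it agreed with the IdP. The script below is an added example, not Oracle's code or the customer's application: the SAML Response XML is constructed for illustration (the issuer, subject and IDs are placeholders), and placing the scheme name "ImpAS" in the AuthnContextClassRef element is an assumption about where the unknown scheme appears, since the document does not reproduce the assertion. The check runs after signature verification, which is out of scope here.

```python
"""SP-side AuthnContext validation for a SAML 2.0 Response (added example).

The Response below is constructed; the IdP issuer, subject and IDs are
placeholders and not values from the original document.
"""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

# Standard SAML 2.0 namespaces used for namespace-aware lookups.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML Response template; {ctx} is replaced with the
# AuthnContextClassRef value for each scenario (master vs. clone).
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/oam/fed</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2017-05-09T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# The context the SP expects for a form-based login (assumed agreement with the IdP).
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
EXPECTED_CONTEXTS: Set[str] = {PASSWORD_PROTECTED}


def build_response(ctx: str) -> str:
    """Return a constructed Response carrying the given AuthnContextClassRef."""
    return RESPONSE_TEMPLATE.format(ctx=ctx)


def extract_authn_context(response_xml: str) -> List[str]:
    """Collect every AuthnContextClassRef text value found in the Response."""
    root = ET.fromstring(response_xml)
    return [
        el.text.strip()
        for el in root.findall(".//saml:AuthnContextClassRef", NS)
        if el.text and el.text.strip()
    ]


def check_authn_context(response_xml: str,
                        expected: Set[str] = EXPECTED_CONTEXTS) -> Tuple[bool, str]:
    """Accept the Response only if every AuthnContextClassRef is an expected one.

    Returns (ok, reason). A missing context is rejected as well, so an
    assertion that omits the AuthnStatement does not slip through.
    """
    refs = extract_authn_context(response_xml)
    if not refs:
        return False, "no AuthnContextClassRef present in assertion"
    unexpected = sorted(r for r in refs if r not in expected)
    if unexpected:
        return False, "unexpected AuthnContext: " + ", ".join(unexpected)
    return True, "ok"


if __name__ == "__main__":
    # Master DC: expected context. Clone DC: unknown scheme name (assumed placement).
    for label, ctx in (("master", PASSWORD_PROTECTED), ("clone", "ImpAS")):
        ok, reason = check_authn_context(build_response(ctx))
        print(f"{label}: accepted={ok} ({reason})")
```

Rejecting on an unexpected context, rather than on a fixed list of known-bad names, is the safer design: an SP cannot enumerate every scheme an IdP might emit, but it can state which ones satisfy its own policy. Logging the reason string gives the operations team the evidence they need to tell a clone-served request from a master-served one when the MDC behaves as described above.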