How to configure OAM as an IDP and SP for Authentication

Problem Statement: How to configure OAM as an Identity Provider (IdP) and Service Provider (SP)
Product Components: OAM (11.1.2.3), OIF, Active Directory, metadata of another SSO application



Detailed Problem Statement: I have two SSO products (Oracle and Azure) and want users from the Oracle identity store to be authenticated by Oracle SSO and users from the Azure identity store to be authenticated by Azure SSO. The request must always be initiated by Oracle. So for an Azure user, Oracle acts as the Service Provider and redirects the user to Azure for authentication; after successful authentication Azure returns the attributes to Oracle, Oracle passes those attributes on to the application, and the user is logged in. From the user's point of view they have no idea which SSO they belong to: as soon as they enter their credentials, authentication happens at the respective SSO product.





Note: If you want to use a single challenge method you do not need Advanced Rules or its license. If you want to use multiple challenge methods you need to enable the service below.


Note: Advanced Rules are part of the Adaptive Authentication Service for which a license is required.

If you want to follow the process below you must have a license for the "Adaptive Authentication Service"; see the Oracle document License Detail.


The changes that need to be made are explained in the blog linked below. To achieve this functionality, go through those steps and make the changes in your environment; once you have implemented them, use the steps below to cross-verify and catch anything you missed.

Link to Blog 

Step by Step screenshots :-

Within the OAM console, navigate to the Configuration > Available Services page and enable the Adaptive Authentication Service.


Authentication scheme which I created using WLST :-
The module first checks for a Kerberos token. Please note that the steps from stepUI onwards are extra and you may remove them; if you do, change the reference to stepKTA to stepKTA2 (or whatever name you have given your Kerberos step).

If the Kerberos token check fails, the user is shown the customized page that you copied to the server (via PuTTY). As soon as the user clicks the button, the request goes to the Application Domain.



You need to edit the same Application Domain that you referenced as the scheme in WLST.
In the Application Domain, add a condition under Advanced Rules and change the scheme, as displayed in the screenshot above.
This switches the scheme as soon as the user's token authentication fails.

Here I have prepared my own custom login page, which invokes a custom plugin I wrote. The custom page sends the credentials to the plugin, and the plugin returns "success" or "failure" to the orchestration steps, which redirect the user to either the Oracle SSO authentication or the Azure SSO page.
I designed my custom login page so that as soon as the user submits credentials they go to the plugin, which returns "success" or "failure" according to my logic.

The steps "FedAuthnRequestPlugin" and "AssertionProcessing" appeared when I configured Azure as a federation Identity Provider; the remaining steps are the Oracle fallback steps, since I have multiple Active Directory domains to search.
So the custom plugin, based on its input, authenticates the user from either Oracle or Azure.

Please note: in the custom page I do not take any user input from Azure users, to give them a seamless experience. I pass dummy credentials so that the user is redirected to the Azure SSO page and presented with Azure's login page. Those dummy credentials exist only to drive the orchestration to the federation step; the real authentication happens at Azure.
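As an added example (not the author's plugin, whose routing rule the post does not show), here is a minimal OAM custom authentication plugin that makes the "success"/"failure" decision described above. It assumes the OAM 11g R2 Authentication Plug-in SDK packages (oracle.security.am.plugin.*; check the method signatures against the SDK jar shipped with your OAM version), a hypothetical plugin parameter named AzureDomains, and a placeholder rule that routes by the e-mail domain of the submitted username. Returning FAILURE is deliberate: in the orchestration the plugin step's On Failure transition points at FedAuthnRequestPlugin and its On Success transition at the first Oracle LDAP step.

```java
package com.example.oam.plugins; // hypothetical package name

import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Package layout assumed from the OAM 11g R2 plug-in SDK; verify against your SDK jar.
import oracle.security.am.plugin.ExecutionStatus;
import oracle.security.am.plugin.MonitoringData;
import oracle.security.am.plugin.PluginConfig;
import oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn;
import oracle.security.am.plugin.authn.AuthenticationContext;
import oracle.security.am.plugin.authn.AuthenticationException;
import oracle.security.am.plugin.authn.CredentialParam;
import oracle.security.am.plugin.authn.PluginConstants;

/**
 * Routing step for the orchestration: SUCCESS means "continue to the Oracle
 * LDAP steps", FAILURE means "hand the user to the Azure federation step".
 * This plugin never validates a password; the step that follows does that.
 */
public class IdpRouterPlugin extends AbstractAuthenticationPlugIn {

    // Hypothetical plugin parameter: comma-separated e-mail domains that live in Azure,
    // e.g. "contoso.com,fabrikam.com". Set it on the plugin's configuration in the console.
    private static final String PARAM_AZURE_DOMAINS = "AzureDomains";

    private final Set<String> azureDomains = new HashSet<String>();

    @Override
    public ExecutionStatus initialize(PluginConfig config) {
        super.initialize(config);
        Object raw = config.getParameter(PARAM_AZURE_DOMAINS);
        if (raw != null) {
            for (String domain : raw.toString().split(",")) {
                String d = domain.trim().toLowerCase(Locale.ROOT);
                if (!d.isEmpty()) {
                    azureDomains.add(d);
                }
            }
        }
        return ExecutionStatus.SUCCESS;
    }

    @Override
    public ExecutionStatus process(AuthenticationContext context) throws AuthenticationException {
        // KEY_USERNAME is the credential the custom login page submits; for Azure users the
        // page sends a dummy value, which is enough for the domain check below.
        CredentialParam userParam = context.getCredential().getParam(PluginConstants.KEY_USERNAME);
        Object value = userParam == null ? null : userParam.getValue();
        String user = value == null ? "" : value.toString().trim();
        return isAzureUser(user) ? ExecutionStatus.FAILURE : ExecutionStatus.SUCCESS;
    }

    /** Placeholder routing rule, kept separate so it can be unit tested without the OAM runtime. */
    boolean isAzureUser(String user) {
        int at = user.lastIndexOf('@');
        if (at < 0 || at == user.length() - 1) {
            return false; // no domain part: treat as an Oracle identity-store user
        }
        return azureDomains.contains(user.substring(at + 1).toLowerCase(Locale.ROOT));
    }

    @Override
    public String getDescription() {
        return "Routes users to the Oracle LDAP steps or to Azure federation";
    }

    @Override
    public Map<String, MonitoringData> getMonitoringData() {
        return null;
    }

    @Override
    public boolean getMonitoringStatus() {
        return false;
    }

    @Override
    public String getPluginName() {
        return "IdpRouterPlugin";
    }

    @Override
    public int getRevision() {
        return 1;
    }
}
```

Whatever rule you put in isAzureUser, keep the two invariants the post relies on: the Oracle branch must still pass through an LDAP authentication step before the session is created, and the Azure branch must end at AssertionProcessing so that the returned attributes, not the dummy credentials, are what the application receives.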


Hope this helps!
