SAML IDP issue

I currently have a working Service Provider-IDP SAML solution inside Enterprise Manager (both set up by an Oracle engineer).
I'm trying to use my own IDP (created using OpenSAML, which does work successfully with other products) to interact in the same way. I've overcome a few issues (made difficult by the not very helpful error messages) but I'm now stuck on what appears to be incorrect assertion timings:
From the browser:
Federation SSO Operation Result
SSO Authentication Result      Authentication Failed
User Identifier      
Authentication Instant      
Session Expiration Instant      
Authentication Mechanism      
SSO Primary Status Code      RESPONDER
SSO Secondary Status Code      
SSO Status Message      The assertion could not be validated
IdP Provider ID      http://192.168.0.180:8080/SAMLOracle
Relay State
From log messages:
FED-18018     Assertion has expired or is not yet valid: {0}     
FED-18012     Assertion cannot be validated.
However, as previous error messages were misleading (some turned out to be omissions in the IDP metadata I provided) I'm doubtful it's that. I've also removed all timings except the mandatory authorisation and issue instants.
This is my assertion (which I automatically validate, so I know, as far as I can, that it is valid):
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="gkpakaanklepldgdcbkldcjmdhjldodkemhollpj"
     IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0"
     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.0.180:8080/SAMLOracle</saml2:Issuer>
     <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
          <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
     </saml2p:Status>
     <saml2:Assertion ID="lomhembcokbdhnnlhjkiejmchkmjgacbcbaalioe"
          IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0"
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
          <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
               xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.0.180:8080/SAMLOracle</saml2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:CanonicalizationMethod
                         Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    <ds:Reference URI="#lomhembcokbdhnnlhjkiejmchkmjgacbcbaalioe"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                         <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                              <ds:Transform
                                   Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
                                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
                                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                   <ec:InclusiveNamespaces PrefixList="ds saml2"
                                        xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
                              </ds:Transform>
                         </ds:Transforms>
                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                              xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                         <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">A6CyjTZQ6dcAG7LyhxewOLomLG8=</ds:DigestValue>
                    </ds:Reference>
               </ds:SignedInfo>
               <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">sPbNCQ7QdosRpcOJgfeLw+llUoIOTt204/mvs0aRvKKr1E3+2XfABg==</ds:SignatureValue>
          </ds:Signature>
          <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
               <saml2:NameID
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
               <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                    <saml2:SubjectConfirmationData
                         Recipient="http://fed.demo.oracle.com:7779/fed/sp/authnResponse20" />
               </saml2:SubjectConfirmation>
          </saml2:Subject>
          <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
               <saml2:AudienceRestriction>
                    <saml2:Audience>http://fed.demo.oracle.com:7779/fed/sp</saml2:Audience>
               </saml2:AudienceRestriction>
          </saml2:Conditions>
          <saml2:AuthnStatement AuthnInstant="2011-04-05T13:38:06.535Z"
               xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
               <saml2:AuthnContext>
                    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
               </saml2:AuthnContext>
          </saml2:AuthnStatement>
     </saml2:Assertion>
</saml2p:Response>
Could anyone give me some pointers on what I'm missing please?
Thanks,
Andy

Thanks guys, I've already tried altering the server drift (and the Request Timeout for good measure) to the maximum values. I've also restarted the server in case the values weren't being used. I still get the same results.
This is why I think the error messages are incorrect. Is there any way of further refining the debugging so I can see the output of an assertion and see which of my values was incorrect and what it should be? Even knowing if it's not yet valid OR has expired would point me in the right direction.
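The kind of per-rule report asked for above, as an added example that is not code from the post or from Oracle Identity Federation: a small Python checker that runs the timing rules an SP applies to a SAML 2.0 bearer assertion over the timing-relevant subset of the assertion posted above, naming the rule that fails and the values involved. The receipt time (two seconds after the posted IssueInstant) and the clock-skew tolerance are assumptions; the check that a bearer SubjectConfirmationData carries NotOnOrAfter comes from the SAML 2.0 Web Browser SSO profile.

```python
"""Timing rules an SP applies to a SAML 2.0 bearer assertion, run over the
timing-relevant subset of the assertion posted above.  Added example, not
Oracle Identity Federation code; receipt time and clock skew are assumed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The posted assertion with signature, Issuer, NameID and repeated namespace
# declarations removed; every timing value is exactly as posted.
POSTED_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="lomhembcokbdhnnlhjkiejmchkmjgacbcbaalioe"
    IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0">
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData
          Recipient="http://fed.demo.oracle.com:7779/fed/sp/authnResponse20"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>http://fed.demo.oracle.com:7779/fed/sp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2011-04-05T13:38:06.535Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML instant: {value!r}")


def check_assertion_timing(assertion_xml, now, skew_seconds=0):
    """Return [(rule, passed, detail)] in check order.  `now` is the SP clock
    at receipt; `skew_seconds` is the tolerated IdP/SP clock drift."""
    skew = timedelta(seconds=skew_seconds)
    a = ET.fromstring(assertion_xml)
    results = []

    def rule(name, passed, detail):
        results.append((name, passed, detail))

    issue = parse_instant(a.get("IssueInstant"))
    rule("IssueInstant not in the future", issue <= now + skew,
         f"IssueInstant={issue.isoformat()} now={now.isoformat()}")

    # AuthnInstant records when the user authenticated; a value ahead of the
    # SP clock is a classic "not yet valid" trigger.
    for stmt in a.findall("saml2:AuthnStatement", NS):
        authn = parse_instant(stmt.get("AuthnInstant"))
        rule("AuthnInstant not in the future", authn <= now + skew,
             f"AuthnInstant={authn.isoformat()} now={now.isoformat()}")

    cond = a.find("saml2:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    if nb is not None:
        rule("Conditions/@NotBefore reached", parse_instant(nb) <= now + skew,
             f"NotBefore={nb}")
    if noa is not None:
        rule("Conditions/@NotOnOrAfter not reached",
             now - skew < parse_instant(noa), f"NotOnOrAfter={noa}")

    # Web Browser SSO profile: a bearer SubjectConfirmationData MUST carry
    # Recipient and NotOnOrAfter; without the latter the SP has no validity window.
    for sc in a.findall("saml2:Subject/saml2:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        scd = sc.find("saml2:SubjectConfirmationData", NS)
        scd_noa = scd.get("NotOnOrAfter") if scd is not None else None
        rule("bearer SubjectConfirmationData/@NotOnOrAfter present",
             scd_noa is not None, f"NotOnOrAfter={scd_noa}")
        if scd_noa is not None:
            rule("bearer SubjectConfirmationData/@NotOnOrAfter not reached",
                 now - skew < parse_instant(scd_noa), f"NotOnOrAfter={scd_noa}")
    return results


def failed_rules(results):
    """Names of the rules that did not pass, in check order."""
    return [name for name, passed, _ in results if not passed]


if __name__ == "__main__":
    # Assumed receipt time: two seconds after the posted IssueInstant, 60 s skew.
    received = parse_instant("2011-04-05T13:33:08.000Z")
    for name, passed, detail in check_assertion_timing(POSTED_ASSERTION, received, 60):
        print("PASS" if passed else "FAIL", name, "--", detail)
```

With the posted values the AuthnInstant sits five minutes after the IssueInstant, so at any receipt time close to issuance it fails unless the skew tolerance exceeds that gap, and the bearer confirmation carries no NotOnOrAfter at all.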

Similar Messages

  • Is there a simple SAML IDP solution?

    I am looking for an easy to set up SAML IDP solution which can integrate with my Java application running on Tomcat. Is OpenSSO the route I should pursue?
    Also, where do you download this thing from. The site is confusing as hell...
    Is this the product which used to be opensource by sun called federation manager?
    Regards,
    -Inet

    nice.. would there be any advantage to utilizing the s/pdif aspect of the line out as far as sound fidelity from imac to speaker?  i am getting pro tools 10 and wanted the best set up for my price range
    thanks

  • SAML - signature issue

    Hi,
    I'm trying to get a scenario going doing 3rd party --> PI 7.11 SPS 04 --> SAP ECC 6.0
    1) The sender (3rd party) sends a sync request containing a SAML assertion in the header. This message is signed using an X.509 certificate.
    2) PI is to receive the request using the WS adapter and pretty much just pass the request along to the receiver using the WS receiver adapter (also using SAML).
    3) The receiver (R3) receives the request and returns a response.
    The following lists the prereqs done:
    1) SAP crypto lib is installed on both PI and R3 system.
    2) All PSEs are created on both PI and R3 system in STRUST
    3) Report WSS_SETUP has been executed in both PI and R3 system
    4) Trust:
    4.1) On PI system the PSE cert has been exported from STRUST and imported into the STRUSTSSO2 PSE on the R3 system (this includes adding it to ACL and certificate list)
    4.2) On R3 system the PSE cert has been exported from STRUST and imported into STRUSTSSO2 PSE on the PI system (this includes adding it to ACL and certificate list)
    4.3) The public X.509 key certificate of 3rd party has been imported into STRUSTSSO2 on PI system in the stores 'WS Security keys', 'WS Security standard' and added to certificate list.
    5) Principal propagation has been enabled on both PI and R3 integration engines.
    6) No user mapping is set up since the authenticationAssertion will contain a native SAP user.
    7) Report WSS_INFO has been executed on both PI and R3 system.
    8) SSL is not currently enabled - so far testing is performed strictly using HTTP
    The actual issue at hand:
    When 3rd party calls PI the following error is given:
    CL_SOAP_MESSAGE                         IF_SOAP_MESSAGE_PART~DESERIALIZE_BODY                    SOAP Message               CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48 .
    CL_SOAP_RUNTIME_SERVER     EXECUTE_PROCESSING                                                                 SOAP Runtime               CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
    CL_SOAP_RUNTIME_SERVER     EXECUTE_PROCESSING                                                                 SOAP Runtime               A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48 with internal error id 1001 and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1 )
    CL_SOAP_RUNTIME_ERROR          map_core_exception_to_fault                                             SOAP Runtime               Invalid XML signature
    The message processing thus fails due to a certificate issue when initially received by PI.
    The question is why do I get this error? I'm well aware of the following post "Web Service Security with SAML - Invalid XML signature" which does not have any impact in my case.
    Thanks in advance,
    Daniel
    Edited by: Daniel Engsig-Karup on Aug 23, 2010 3:20 PM
    Edited by: Daniel Engsig-Karup on Aug 23, 2010 3:25 PM

    Thanks for your reply.
    Some changes have now been made on the client side calling PI. The error now is:
    CX_WS_SECURITY_FAULT : Logon failed (trace key 4C7277D9375E62B4E1000000AC1C378B) | program: CL_WSSE_CONTEXT===============CP include: CL_WSSE_CONTEXT===============CM00K line: 196
    CX_WS_SECURITY_FAULT : Logon failed (trace key 4C7277D9375E62B4E1000000AC1C378B) | program: CL_WSSE_CONTEXT===============CP include: CL_WSSE_CONTEXT===============CM00K line: 196
    A SOAP Runtime Core Exception occurred in method CL_WSSE_CONTEXT===============CM00K of class CL_WSSE_CONTEXT===============CP at position id 196  with internal error id 1001  and error text CX_WS_SECURITY_FAULT:Logon failed (trace key 4C7277D9375E62B4E1000000AC1C378B) (fault location is 1  )
    CX_SY_NO_HANDLER : An exception with the type CX_SY_REF_IS_INITIAL occurred, but was neither handled locally, nor declared in a RAISING clause | program: CL_ST_SAML10==================CP include: CL_ST_SAML10==================CM004 line: 1
    CX_SY_REF_IS_INITIAL : Dereferencing the NULL reference | program: CL_ST_SAML10==================CP include: CL_ST_SAML10==================CM004 line: 47
    The question is what that means - if it's progression or regression.
    Any ideas?
    Best Regards,
    Daniel

  • SAML configuration issue-Urgent Help required!!!

    I have configured SAML using the following article guidelines http://www.oracle.com/technology/pub/articles/dev2arch/2006/12/sso-with-saml.html
    but I'm unable to login to Application A itself, which is the SAML source site. Please help me to understand where I am going wrong!!!!!

    Hi George,
    The issue is I wanted to download a few apps from Google Play on Cisco DX 650, for example an office suite which helps to open an attachment like Word, PDF etc. on the phone. In order to do that we require a Google Play Store app on the phone, which I am able to see on a few phones and on a few phones it is missing.
    I have checked the CUCM config for all the phone and I can see allow application from android market is enabled.
    still I am not able to see the play store Icon
    Rgds,
    Ajith

  • Validate SAML token with WSM

    I've posted this thread in the [SOA Suite forum|http://forums.oracle.com/forums/thread.jspa?threadID=912083&tstart=0] in the first place, but maybe this forum is a better place for this question.
    We're experiencing a lot of inconveniences using the "SAML - Verify WSS 1.0 Token" validation step in WSM. We've configured the SAML verifier to "allow signed assertions only" in order to achieve our security goals. Before a client is allowed access to a protected web service, the client must request an identity provider to get a signed SAML assertion and attach this security token to the web service security header. In order to access the protected web services we'd like to use WSM to verify that the SAML assertion:
    1. Is issued by a specific identity provider (no problem)
    2. That the conditions in the assertion are valid (no problem)
    3. That the assertion is signed by a trusted certificate (problem)
    4. That the signature of the assertion is valid in proportion to the signed context of the assertion (problem)
    The inconveniences start when we expect that the "SAML - Verify WSS 1.0 Token" validation step validates the signatures of the assertion before using it. But it seems that this isn't the purpose of the verifier. When the SAML token verifier is configured with "allow signed assertions only", the client receives a "SAML token verification failed". This seems reasonable, but if we just add an empty ds:Signature element inside the wsse:Security element, then the client is granted access:
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <ds:Signature Id="Signature-11551252" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="nakbhwl3Qz8mPC00cL1bUg22" Issuer="https://credentials.com/idp" IssueInstant="2009-06-09T11:05:40Z">
    </saml:Assertion>
    </wsse:Security>
    I find this behavior very strange. Also, if I do some manual changes in the SAML assertion issued and signed by the identity provider, this is allowed too, even though the signature is invalidated. Even if I remove the ds:Signature from the assertion, but keep the empty ds:Signature below the wsse:Security element, the client is granted access.
    In the documentation of the "SAML - Verify WSS 1.0 Token", I found this quotation:
    "Verifies the SAML token according to the Web Services Security SAML Token Profile 1.0 (WSS STP 1.0) standard."
    But I don't find this statement true. Our assertions are issued with confirmation method "sender-vouches":
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    I interpret the spec as: a receiver MUST NOT accept assertions containing a "sender-vouches" confirmation method unless the assertions and SOAP message content being vouched for are protected by an attesting entity who is trusted by the receiver. This is absolutely not the case in our tests. The assertion isn't protected at all. The empty ds:Signature element in the wsse:Security element doesn't protect anything, and even when we totally remove the ds:Signature tag in the assertion, we're granted access.
    It seems like the purpose of the "SAML - Verify WSS 1.0 Token" step isn't to validate the confidentiality of the SAML assertions and only grant access if the SAML assertions are correct. It is possible to freely change the tokens and then be granted access. I think we need some more steps in WSM before the SAML validation step, but I don't know which.
    We'd like to know if anyone knows how to use this "SAML - Verify WSS 1.0 Token" step to achieve secure access to a protected service. Do we need some pre/post step to achieve a satisfying level of security, do we need to make our own custom step, or just use another security product?
    Regards
    Jacob
    Edited by: wmjaboj on 2009-06-10 01:42
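The kind of pre-step the post above asks about, as an added example that is not OWSM's code or anything from the thread: a structural check in Python over the wsse:Security header exactly as Jacob posted it, and over a constructed header shaped the way the WSS SAML Token Profile expects, which rejects an empty ds:Signature, an assertion whose enveloped signature does not reference its own AssertionID, and a sender-vouches assertion that no header signature covers. It runs before cryptographic verification of the signatures it finds and does not replace it; the "PLACEHOLDER" signature values in the constructed header are not real signatures.

```python
"""Structural pre-checks on a wsse:Security header carrying a SAML 1.1
assertion, aimed at the empty-ds:Signature case described above.  Added
example, not OWSM code; it runs before, and does not replace, cryptographic
verification of each signature against the trusted issuer certificate."""
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Jacob's header exactly as posted: an empty signature and an unsigned assertion.
POSTED_HEADER = """<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature Id="Signature-11551252" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="nakbhwl3Qz8mPC00cL1bUg22" Issuer="https://credentials.com/idp" IssueInstant="2009-06-09T11:05:40Z">
</saml:Assertion>
</wsse:Security>"""

# Constructed header shaped the way the profiles expect: the issuer's enveloped
# signature references the assertion and the sender's header signature covers it
# (sender-vouches).  SignatureValue contents are placeholders, not real signatures.
SHAPED_HEADER = """<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
               xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Signature Id="msg-sig">
  <ds:SignedInfo><ds:Reference URI="#a1"/><ds:Reference URI="#body"/></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
</ds:Signature>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
                AssertionID="a1" Issuer="https://credentials.com/idp" IssueInstant="2009-06-09T11:05:40Z">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:AuthenticationStatement>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
</wsse:Security>"""


def is_real_signature(sig):
    """An element only counts as a signature if SignedInfo lists at least one
    Reference and SignatureValue is non-empty; an empty ds:Signature signs nothing."""
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    value = (sig.findtext("ds:SignatureValue", default="", namespaces=NS) or "").strip()
    return bool(refs) and bool(value)


def security_header_problems(security_xml):
    """Return the structural problems found; an empty list means the header is
    at least shaped like something worth verifying cryptographically."""
    sec = ET.fromstring(security_xml)
    problems = []
    header_sigs = sec.findall("ds:Signature", NS)
    for s in header_sigs:
        if not is_real_signature(s):
            problems.append(f"header ds:Signature {s.get('Id')!r} is empty (signs nothing)")
    attesting = [s for s in header_sigs if is_real_signature(s)]

    for a in sec.findall("saml:Assertion", NS):
        aid = a.get("AssertionID")
        env = a.find("ds:Signature", NS)
        if env is None:
            problems.append(f"assertion {aid}: no issuer signature (no enveloped ds:Signature)")
        elif not is_real_signature(env):
            problems.append(f"assertion {aid}: enveloped ds:Signature is empty")
        elif not any(r.get("URI") == f"#{aid}"
                     for r in env.findall("ds:SignedInfo/ds:Reference", NS)):
            problems.append(f"assertion {aid}: enveloped signature does not reference #{aid}")

        methods = {m.text.strip() for m in
                   a.findall(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS) if m.text}
        # WSS SAML Token Profile: sender-vouches is only acceptable when an
        # attesting entity's signature covers the assertion and the vouched content.
        if SENDER_VOUCHES in methods and not any(
                r.get("URI") == f"#{aid}"
                for s in attesting for r in s.findall("ds:SignedInfo/ds:Reference", NS)):
            problems.append(f"assertion {aid}: sender-vouches but no attesting header signature covers it")
    return problems


if __name__ == "__main__":
    for label, header in (("posted", POSTED_HEADER), ("shaped", SHAPED_HEADER)):
        print(label, security_header_problems(header) or "no structural problems")
```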

    Hi Jacob,
    Looks like you have successfully configured the client side; I am struggling with that itself. I am calling a secure web service and I want to use SAML token profile 1.1. I am using WLS 10.3 and I am getting an error "Unable to add signature".
    Can you help me with the configuration at the client side?
    Thanks
    Regards
    Sanyam

  • Problem in External Debugging for the Web service if SAML is Configured

    Hi All,
    I am facing a problem. I will tell you the exact process:
    1. I have provided an external breakpoint in the ERP system.
    2. SAML is configured on both Consumer as well as Provider side.
    3. When I try to execute the process remotely, I am not getting the breakpoint in the ERP system.
    If I remove the SAML and provide basic authentication, I am able to get it. It seems there is some configuration parameter which is missing in the SAML configuration.
    Please advise how to check for the same.
    Regards,
    Kapil.

    Hi Kapil,
    I think the request is falling over with SAML authentication issues between the consumer & provider & that's why it's not triggering the breakpoint. I would first try tracing the request when it reaches the SOAP runtime of the provider using SAP Note 1254821. See the section towards the bottom under 'Error Analysis'.
    Regards, Trevor

  • Getting Invalid SAML token error while trying to access wls9.2 webservice

    Hi,
    I am using wss4j at the client side as SAML token issuer to add a SAML assertion to the SOAP envelope whose target is a web service deployed in an AquaLogic Service Bus 2.6. But at the server side, i.e. WLS 9.2, I am getting the following exception
    weblogic.xml.crypto.wss.SecurityTokenValidateResult@326f6a[status: false][msg The SAML token is not valid.]</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>
    weblogic.xml.crypto.wss.WSSecurityException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@326f6a[status: false][msg The SAML token is not valid.]
         at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSecurityToken(SecurityImpl.java:476)
         at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:392)
    This error seems to be coming during unmarshalling of the SOAP envelope, which is run before the request goes to the SAML Identity Assertion provider V1. Certificates are properly configured at both client and server side, so it seems that the generated SAML assertion is not compliant with the WebLogic 9.2 unmarshalling process.
    Has anyone got any solution for this problem. I am not exactly looking for full SSO configuration at the weblogic side so I have not set any credential mapper (which is also a saml issuer). Nor have i done any setting related with SSO on weblogic.
    Any idea will really be helpful in this regard.
    Thanks.

    In what version of Oracle?
    I see a couple of problems assuming you are working with a currently supported version:
    1. Never grant CONNECT to anyone: Ever. Grant CREATE SESSION.
    2. GRANT CREATE TABLE to AQ;
    Go to Morgan's Library at www.psoug.org and look at AQ Demo 1. You should have no problem cutting and pasting your way to where you are trying to go.

  • Adobe Connect SAML SSO Support

    Hello,
    I would like to know whether Adobe Connect supports SAML Single Sign On or not? Can I achieve SAML based SSO with Adobe Connect as SP from my SAML IdP?
    Please let me know the details.
    regards,
    Sales User

    I have not seen the Service Plan link work on any account.
    I would go to
    http://www.adobe.com/dk/products/acrobatconnectpro/?promoid=BPBEH
    and then click on the link in the upper left to have someone
    contact you. They will be able to direct you to someone/someplace
    to take care of your payment.
    Jorma@RealEyes

  • Disable multiple logon from SAP NetWeaver Portal

    Hello
    I'd like to know if there is a parameter inside SAP NetWeaver Portal to disable multiple logon with the same account (like login/disable_multi_gui_login for ABAP).
    Thanks in advance
    Regards
    Stéphane

    Look at service.sap.com
    This authentication only works for S-users (as well as SAP employees) who are active accounts in SAP's AD. That works via the internet for SAP customers and employers (e.g. from each other's networks but their own devices) as well.
    With a SAML IdP you have a lot more flexibility in choosing the source of the first authentication and managing complex access rights through to the backend.
    But you are correct: if there are not too many users to manage and they are smart enough to periodically generate a client certificate and they are physically attached to their own personal devices, then a Certificate Authority or even an OpenSSL solution is another option.
    I guess it would be useful to know how many users there are and how the authentication through from the NW portal to the ABAP backend system is going to be replaced. Also how much user context information is still needed on the backend system, if at all.
    I think we need more information here still before we can safely conclude that a client certificate is appropriate for an internet scenario.
    I am more worried about all those issues like stolen certificates and so on.
    From my SDN experience it is more often a case of people losing their certificates and user IDs than one of other people stealing them. The vast majority of the 2 million users are using passwords and those who are active seem to be happy with the password reset service --> also an option.
    Cheers,
    Julius

  • The server was overloaded. Impossible to process data.

    Hi,
    We are running into a 503 Service Unavailable condition when a user logs in via SAML2. To replicate the scenario I log into the SAML IdP, which takes me to the portal. I click logoff, which then puts me back onto the IdP login page. I log in again and then get a 503 error. This started happening after activating SAML2 in the portal. The Portal is running on NetWeaver 7.31 SP11.
    In the default trace I see the following.
    #2.0 #2014 11 11 16:10:49:241#0-500#Error#com.sap.engine.services.servlets_jsp.Security#
    com.sap.ASJ.web.000657#BC-JAS-WEB#servlet_jsp#C0008E96B61600AF0000000000008E2C#643695450000000004#sap.com/irj#com.sap.engine.services.servlets_jsp.Security#J2EE_GST_SWP#0##2B438FBD69E711E497D10000265E035A#ec29bc3669e611e494890000265e035a#ec29bc3669e611e494890000265e035a#0#Thread[HTTP Worker [@614087135],5,Dedicated_Application_Thread]#Plain##
    Service not available. Details: The server was overloaded. Impossible to process data.#

    Hello,
    We are facing same issue - we are on Ep NW 7.30 SPS 12.
    I could find below SAP Notes which were recently released
    2132887 - SAML2 log out from the portal fails. Error "Server is overloaded. It is impossible to process data" might also occur
    2133307 - Improve the DoNotLogoutResources Option in SAML 2.0
    The note says to edit parameter DoNotLogoutResources by adding the URL /irj/servlet/prt/portal/prtroot/com.sap.portal.dsm.Terminator in SAP NetWeaver Administrator under Configuration -> Authentication and Single Sign-On -> Authentication -> Components, in the SAML2LoginModule.
    Is that we need to Edit the Login Module Options and add this?
    Did any one give a try? Please suggest
    Thanks,
    Subbu

  • Web service debugging problem

    OK so here's the issue I'm struggling with. I'm trying to
    debug a call to an ASP.NET webservice I created to figure out why
    the data isn't displaying correctly in my data grid but for
    whatever reason it doesn't seem to be invoking the webservice when
    one would expect it to when I'm walking thru the code in the
    debugger. I have a breakpoint set in my ASP.NET webservice so I can
    see the moment the service gets hit. My code is below. The service
    gets hit on the ASP.NET side at some point AFTER the calls to
    send() and the assignment of lastResult in my loadData() method
    which doesn't seem to make sense to me. Anyone have any idea what
    the hell is going on here? I tried stepping thru all the Flex event
    handler stuff to identify exactly when the service is actually
    getting hit and it appears to be somewhere after the last call to
    UIComponent.callLaterDispatcher(Event).
    <mx:WebService id="ws"
        wsdl="http://localhost:3019/TestSite/TestService.asmx?WSDL"
        useProxy="false">
        <mx:operation name="GetUserInfo">
            <mx:request>
                <userId>1</userId>
            </mx:request>
        </mx:operation>
    </mx:WebService>
    private function loadData():void {
        ws.GetUserInfo.send();
        datagrid.dataProvider = ws.GetUserInfo.lastResult;
    }

  • How to logoff from HCP Java Web application

    Hi all,
    I need to enable logoff from my UI5 application, based on Java EE / HCP.
    Authentication is enforced with SAML and SAP ID Service.
    I guess that, upon clicking a button, a request should be sent to the SAML IdP service in order to perform logout.
    However, I'm not sure how that is performed.
    Any help or link to documentation would be greatly valued.
    Thanks a lot
    Regards
    Vincenzo

    You are right, I guess my question is a good candidate for RTFM!
    I should have searched also on help.ondemand.com
    I just looked into SDN and ui5 sdk help.
    Thanks for your help
    Regards
    Vincenzo

  • [SOLVED] SOA Suite 11g and OID

    How should I configure OC4J in TP4 such that Human Tasks can be assigned to users in an LDAP directory, e.g. Oracle Internet Directory?
    Thanks,
    Eyðun
    Message was edited by:
    Eyðun E. Jacobsen
    Message was edited by:
    Eyðun E. Jacobsen

    The resulting jps-config.xml will be as follows:
    <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" schema-major-version="11" schema-minor-version="1">
    <!-- This property can be used to configure 3rd party IdM at application level jps-config -->
    <!--property name="oracle.security.jps.idm.authentication" value="CUSTOM_AUTH"/-->
    <!-- This property is for jaas mode. Possible values are "off", "doas" and "doasprivileged" -->
    <property name="oracle.security.jps.jaas.mode" value="off"/>
    <!-- These are various jps common properties used for LDAP operations -->
    <property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
    <property name="oracle.security.jps.ldap.root.name" value="cn=OracleJpsContainer"/>
    <property name="oracle.security.jps.ldap.max.retry" value="5"/>
    <propertySets>
    <!-- SAML Trusted Issuer -->
    <propertySet name="saml.trusted.issuers.1">
    <property name="name" value="www.oracle.com"/>
    </propertySet>
    <!-- This property points to valid Access SDK installation directory -->
    <propertySet name="access.sdk.properties">
    <property name="access.sdk.install.path" value="$ACCESS_SDK_HOME"/>
    </propertySet>
    </propertySets>
    <serviceProviders>
    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
    <description>SecretStore-based CSF provider</description>
    </serviceProvider>
    <serviceProvider type="IDENTITY_STORE" name="idstore.xml.provider" class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider">
    <description>XML-based IdStore Provider</description>
    </serviceProvider>
         <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
    <description>XML-based IdStore Provider</description>
    </serviceProvider>
    <serviceProvider type="POLICY_STORE" name="policystore.xml.provider" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
    <description>XML-based PolicyStore Provider</description>
    </serviceProvider>
    <serviceProvider type="ANONYMOUS" name="anonymous.provider" class="oracle.security.jps.internal.anonymous.idm.IdmAnonymousServiceProvider">
    <description>Anonymous Service Provider</description>
    </serviceProvider>
    <serviceProvider type="LOGIN" name="jaas.login.provider" class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider">
    <description>This is Jaas Login Service Provider and is used to configure login module service instances</description>
    </serviceProvider>
    <serviceProvider type="POLICY_STORE" name="policy.xds" class="oracle.security.jps.internal.policystore.xds.XsPolicyServiceProvider">
    <description>JAAS+ policy service provider</description>
    </serviceProvider>
    <serviceProvider type="XDS_AUTHENTICATION_PROVIDER" name="authentication.xds" class="oracle.security.jps.internal.idstore.xds.XsAuthenticationProvider">
    <description>JAAS+ authentication service provider</description>
    </serviceProvider>
    <serviceProvider type="XDS_SESSION_PROVIDER" name="sessioncookie.xds" class="oracle.security.jps.internal.policystore.xds.session.SessionCookieProvider">
    <description>JAAS+ Session Cookie service provider</description>
    </serviceProvider>
    <!-- 3rd Party Custom Idm Provider -->
    <serviceProvider type="IDM" name="idm.provider" class="oracle.security.jps.internal.idm.IdmServiceProvider">
    <description>3rd Party Custom Idm Provider</description>
    </serviceProvider>
    <serviceProvider name="keystore.provider" type="KEY_STORE" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
    <description>PKI Based Keystore Provider</description>
    <property name="provider.property.name" value="owsm"/>
    </serviceProvider>
    </serviceProviders>
    <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location="./oc4j-credstore">
    <description>File Based Credential Store Service Instance</description>
    </serviceInstance>
    <serviceInstance name="idstore.xml" provider="idstore.xml.provider" location="./system-jazn-data.xml">
    <description>File Based Identity Store Service Instance</description>
    <property name="subscriber.name" value="jazn.com"/>
    </serviceInstance>
    <serviceInstance name="policystore.xml" provider="policystore.xml.provider" location="./system-jazn-data.xml">
    <description>File Based Policy Store Service Instance</description>
    </serviceInstance>
    <serviceInstance name="anonymous" provider="anonymous.provider">
    <description>Anonymous Service Instance</description>
    <!-- Anonymous user name must be defined for anonymous service -->
    <property name="anonymous.user.name" value="anonymous"/>
    <!-- This property set defines the anonymous role -->
    <property name="anonymous.role.name" value="anonymous-role"/>
    </serviceInstance>
    <serviceInstance name="idm" provider="idm.provider">
    <description>JSSO Authentication Configuration</description>
    <property name="idm.authentication.name" value="JavaSSO"/>
    <property name="idm.token.asserter.class" value="oracle.security.jps.internal.jsso.SSOCookieTokenAsserter"/>
    <property name="idm.token.collector.class" value="oracle.security.jps.internal.jsso.SSOCookieTokenCollector"/>
    <property name="idm.token.type" value="COOKIE_TOKEN"/>
    <property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
    <property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
    <property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
    <property name="custom.sso.cred.key" value="JSSO_KEY"/>
    <property name="custom.sso.cred.alias" value="JSSO_ALIAS"/>
    </serviceInstance>
    <serviceInstance name="idm.osso" provider="idm.provider">
    <description>Oracle SSO Authentication Configuration</description>
    <property name="idm.authentication.name" value="OSSO"/>
    <property name="idm.token.asserter.class" value="oracle.security.jps.internal.osso.OSSOTokenAsserter"/>
    <property name="idm.token.collector.class" value="oracle.security.jps.internal.osso.OSSOTokenCollector"/>
    <property name="idm.token.type" value="HEADER_TOKEN"/>
    </serviceInstance>
    <serviceInstance name="idstore.loginmodule" provider="jaas.login.provider">
    <description>Identity Store Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>
    <serviceInstance name="anonymous.loginmodule" provider="jaas.login.provider">
    <description>Anonymous Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.anonymous.AnonymousLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>
    <serviceInstance name="xds.loginmodule" provider="jaas.login.provider">
    <description>JAAS+ LWS LoginModule</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.xds.XsLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUISITE"/>
    </serviceInstance>
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.type" value="JKS"/>
         <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="enc-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>      
    </serviceInstance>
    <!-- SAML Login Module -->
    <serviceInstance name="saml.loginmodule" provider="jaas.login.provider">
    <description>SAML Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.saml.JpsSAMLLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <propertySetRef ref="saml.trusted.issuers.1"/>
    </serviceInstance>
    <!-- This is Kerberos Login Module Instance. -->
    <serviceInstance name="krb5.loginmodule" provider="jaas.login.provider">
    <description>Kerberos Login Module</description>
    <property name="loginModuleClassName" value="com.sun.security.auth.module.Krb5LoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <property name="storeKey" value="true"/>
    <property name="useKeyTab" value="true"/>
    <property name="doNotPrompt" value="true"/>
    <property name="keyTab" value="./krb5.keytab"/>
    <property name="principal" value="HOST/[email protected]"/>
    </serviceInstance>
    <!-- This is OAM Login Module Instance. -->
    <serviceInstance name="oam.loginmodule" provider="jaas.login.provider">
    <description>Oracle Access Manager Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.oam.OAMLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <propertySetRef ref="access.sdk.properties"/>
    </serviceInstance>
    <!-- For 10.1.3. Should be removed if not needed. JAZN User Manager Login Module Instance -->
    <serviceInstance name="admin.tool.loginmodule" provider="jaas.login.provider">
    <description>Realm Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jazn.login.module.RealmLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>
    <!-- Digest Authenticator Login Module Instance -->
    <serviceInstance name="digest.authenticator.loginmodule" provider="jaas.login.provider">
    <description>Digest Authenticator Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.digest.DigestLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>
    <!-- Certificate Authenticator Login Module Instance -->
    <serviceInstance name="certificate.authenticator.loginmodule" provider="jaas.login.provider">
    <description>X509 Certificate Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.x509.X509LoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>
    <!-- WSS Username token digest login module -->
    <serviceInstance name="wss.digest.loginmodule" provider="jaas.login.provider">
    <description>WSS Digest Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.digest.WSSDigestLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>
         <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
    <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
    <property name="idstore.type" value="OID"/>
    <property name="security.principal.alias" value="JPS"/>
    <property name="security.principal.key" value="oid.credentials"/>
    <property name="ldap.url" value="ldap://stapm51.us.oracle.com:389"/>
    <extendedProperty>
    <name>user.search.bases</name>
    <values>
    <value>dc=us,dc=oracle,dc=com</value>
    </values>
    </extendedProperty>
    <extendedProperty>
    <name>group.search.bases</name>
    <values>
    <value>dc=us,dc=oracle,dc=com</value>
    </values>
    </extendedProperty>
    <property name="username.attr" value="cn"/>
    <property name="group.attr" value="cn"/>
         <property name="PROPERTY_ATTRIBUTE_MAPPING" value="im=mail"/>
         </serviceInstance>
    </serviceInstances>
    <jpsContexts default="default">
    <!-- This is the default JPS context. All the mandatory services and Login Modules
    must be configured in this default context -->
    <jpsContext name="default">
    <serviceInstanceRef ref="credstore"/>                                   
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="idstore.xml"/>
    <serviceInstanceRef ref="policystore.xml"/>
    <serviceInstanceRef ref="idstore.loginmodule"/>
    <serviceInstanceRef ref="idm"/>
    </jpsContext>
         <jpsContext name="oid">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="idstore.oid"/>
    <serviceInstanceRef ref="policystore.xml"/>
    <serviceInstanceRef ref="idstore.loginmodule"/>
    <serviceInstanceRef ref="idm"/>
    </jpsContext>
    <!-- This is default owsm security context -->
    <jpsContext name="oracle.wsm.security.default">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="idstore.xml"/>
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="anonymous.loginmodule"/>
    <serviceInstanceRef ref="idstore.loginmodule"/>
    <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
    <serviceInstanceRef ref="saml.loginmodule"/>
    <serviceInstanceRef ref="krb5.loginmodule"/>
    <serviceInstanceRef ref="oam.loginmodule"/>
    <serviceInstanceRef ref="wss.digest.loginmodule"/>
    </jpsContext>
    <!-- This is the default anonymous Login Module context -->
    <jpsContext name="anonymous">
    <serviceInstanceRef ref="anonymous"/>
    <serviceInstanceRef ref="anonymous.loginmodule"/>
    </jpsContext>
    <!-- Default Idm Login Module -->
    <jpsContext name="oracle.security.jps.fmw.authenticator.IdmAuthenticator">
    <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>
    <!-- For 10.1.3. Should be removed if not needed. Admin Tool Login Module -->
    <jpsContext name="oracle.security.jazn.tools.Admintool">
    <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>
    <!-- Digest Authenticator Login Module -->
    <jpsContext name="oracle.security.jps.fmw.authenticator.DigestAuthenticator">
    <serviceInstanceRef ref="digest.authenticator.loginmodule"/>
    </jpsContext>
    <!-- Basic Authenticator Login Module -->
    <jpsContext name="oracle.security.jps.fmw.authenticator.BasicAuthenticator">
    <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>
    <!-- Certificate Authenticator Login Module -->
    <jpsContext name="X509CertificateAuthentication">
    <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
    </jpsContext>
    <!-- SAML Login Module Context -->
    <jpsContext name="SAML">
    <serviceInstanceRef ref="saml.loginmodule"/>
    </jpsContext>
    </jpsContexts>
    </jpsConfig>

  • Slow Admin Console

    We are having an issue with our WLP 10.3.2 environment where the admin takes a while to start up. It is installed as a Windows service and always started within a couple of minutes until recently. No known changes that would affect this. Look at the logging below; the server showed running at 8:12 am, shortly after the last log entry below. Notice the 3-minute gaps at 8:06 and 8:09 am. I would assume this is where the delay is, but I'm not sure, as we saw these same entries in the logs when it started quicker; however, there were not large gaps in time like there are now. Let me know if you have any ideas, thanks.
    ####<May 28, 2013 8:06:54 AM CDT> <Notice> <Security> <qaportal1> <AdminServer> <ConnSetupMgr ldaps://qaadmserver1.fcqa.com:636> <<anonymous>> <> <> <1369746414936> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    ####<May 28, 2013 8:06:54 AM CDT> <Notice> <Security> <qaportal1> <AdminServer> <ConnSetupMgr ldaps://qaadmserver1.fcqa.com:636> <<anonymous>> <> <> <1369746414936> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    ####<May 28, 2013 8:06:55 AM CDT> <Notice> <Security> <qaportal1> <AdminServer> <ConnSetupMgr ldaps://qaadmserver1.fcqa.com:636> <<anonymous>> <> <> <1369746415014> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    ####<May 28, 2013 8:09:39 AM CDT> <Notice> <Security> <qaportal1> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1369746579092> <BEA-090082> <Security initializing using security realm myrealm.>
    ####<May 28, 2013 8:12:13 AM CDT> <Notice> <WebLogicServer> <qaportal1> <AdminServer> <main> <<WLS Kernel>> <> <> <1369746733452> <BEA-000365> <Server state changed to STANDBY>
    ####<May 28, 2013 8:12:13 AM CDT> <Notice> <WebLogicServer> <qaportal1> <AdminServer> <main> <<WLS Kernel>> <> <> <1369746733452> <BEA-000365> <Server state changed to STARTING>

    No real changes; we added an ADAM server to the provider list, but it didn't seem to be a fix when I removed it. Thanks.
    <security-configuration>
    <name>QA11</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:iplanet-authenticatorType">
    <sec:name>ADAM</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:host>qaadmserver1.fcqa.com qaadmserver2.fcqa.com</wls:host>
    <wls:port>636</wls:port>
    <wls:user-object-class>user</wls:user-object-class>
    <wls:ssl-enabled>true</wls:ssl-enabled>
    <wls:user-name-attribute>cn</wls:user-name-attribute>
    <wls:principal>cn=administrator,cn=users,dc=client,dc=fcqa,dc=com</wls:principal>
    <wls:user-base-dn>cn=users,dc=client,dc=fcqa,dc=com</wls:user-base-dn>
    <wls:credential-encrypted>bs</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(cn=%u)(objectclass=user))</wls:user-from-name-filter>
    <wls:cache-size>64</wls:cache-size>
    <wls:cache-ttl>30</wls:cache-ttl>
    <wls:group-base-dn>cn=users,dc=client,dc=fcqa,dc=com</wls:group-base-dn>
    <wls:group-from-name-filter>(&amp;(cn=%g)(objectclass=group))</wls:group-from-name-filter>
    <wls:static-group-object-class>group</wls:static-group-object-class>
    <wls:parallel-connect-delay>10</wls:parallel-connect-delay>
    <wls:connection-retry-limit>2</wls:connection-retry-limit>
    <wls:static-member-dn-attribute>member</wls:static-member-dn-attribute>
    <wls:connection-pool-size>100</wls:connection-pool-size>
    <wls:static-group-dns-from-member-dn-filter>(&amp;(member=%M)(objectclass=group))</wls:static-group-dns-from-member-dn-filter>
    <wls:dynamic-group-object-class></wls:dynamic-group-object-class>
    <wls:dynamic-group-name-attribute></wls:dynamic-group-name-attribute>
    <wls:dynamic-member-url-attribute></wls:dynamic-member-url-attribute>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>Active Directory</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:host>qaadserver1 qaadserver2</wls:host>
    <wls:port>636</wls:port>
    <wls:ssl-enabled>true</wls:ssl-enabled>
    <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
    <wls:principal>cn=administrator,cn=users,dc=fcqa,dc=com</wls:principal>
    <wls:user-base-dn>ou=HomeOfficeUsers,dc=FCQA,dc=COM</wls:user-base-dn>
    <wls:credential-encrypted>bs</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
    <wls:group-base-dn>cn=Users,dc=FCQA,dc=COM</wls:group-base-dn>
    <wls:parallel-connect-delay>5</wls:parallel-connect-delay>
    <wls:connection-retry-limit>2</wls:connection-retry-limit>
    <wls:connection-pool-size>15</wls:connection-pool-size>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>FCHQA AD Realm</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:host>qafchadserver1 qafchadserver2</wls:host>
    <wls:port>636</wls:port>
    <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
    <wls:principal>cn=administrator,cn=users,dc=fchqa,dc=fcqa,dc=com</wls:principal>
    <wls:user-base-dn>ou=HomeOfficeUsers,dc=FCHQA,dc=FCQA,dc=COM</wls:user-base-dn>
    <wls:credential-encrypted>bs</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
    <wls:group-base-dn>cn=Users,dc=FCHQA,dc=FCQA,dc=COM</wls:group-base-dn>
    <wls:parallel-connect-delay>5</wls:parallel-connect-delay>
    <wls:connection-retry-limit>2</wls:connection-retry-limit>
    <wls:connection-pool-size>15</wls:connection-pool-size>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:sql-authenticatorType">
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:data-source-name>p13nDataSource</wls:data-source-name>
    </sec:authentication-provider>
    <sec:authentication-provider xmlns:wsrp="http://www.bea.com/ns/wlp/90/security/wsrp" xsi:type="wsrp:wsrp-identity-asserterType">
    <sec:name>WSRPIdentityAsserter</sec:name>
    <sec:active-type>WSRPPerimeterAtnToken</sec:active-type>
    <sec:base64-decoding-required>false</sec:base64-decoding-required>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:name>DefaultIdentityAsserter</sec:name>
    <sec:active-type>X.509</sec:active-type>
    <sec:active-type>wsse:PasswordDigest</sec:active-type>
    <wls:use-default-user-name-mapper>true</wls:use-default-user-name-mapper>
    <wls:default-user-name-mapper-attribute-type>CN</wls:default-user-name-mapper-attribute-type>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:saml-identity-asserter-v2Type">
    <sec:name>SAMLIdentityAsserter</sec:name>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:saml-authenticatorType">
    <sec:name>SAMLAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:name>defaultauth</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:credential-mapper xsi:type="wls:saml-credential-mapper-v2Type">
    <sec:name>SAMLCredentialMapper</sec:name>
    <wls:issuer-uri>http://www.bea.com/wsrp/saml</wls:issuer-uri>
    <wls:name-qualifier>wsrpConsumer</wls:name-qualifier>
    <wls:signing-key-alias>wsrpconsumerrsa</wls:signing-key-alias>
    <wls:default-time-to-live>2700</wls:default-time-to-live>
    <wls:default-time-to-live-delta>-900</wls:default-time-to-live-delta>
    <wls:cred-cache-size>1000</wls:cred-cache-size>
    <wls:cred-cache-min-viable-ttl>1800</wls:cred-cache-min-viable-ttl>
    <wls:signing-key-pass-phrase-encrypted>bs</wls:signing-key-pass-phrase-encrypted>
    </sec:credential-mapper>
    <sec:credential-mapper xsi:type="wls:pki-credential-mapperType">
    <sec:name>PKICredentialMapper</sec:name>
    <wls:key-store-file-name>wsrpKeystore.jks</wls:key-store-file-name>
    <wls:key-store-pass-phrase-encrypted>bs</wls:key-store-pass-phrase-encrypted>
    </sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:user-lockout-manager>
    <sec:lockout-enabled>true</sec:lockout-enabled>
    <sec:lockout-threshold>8</sec:lockout-threshold>
    <sec:lockout-duration>30</sec:lockout-duration>
    <sec:lockout-reset-duration>5</sec:lockout-reset-duration>
    <sec:lockout-cache-size>5</sec:lockout-cache-size>
    <sec:lockout-gc-threshold>400</sec:lockout-gc-threshold>
    </sec:user-lockout-manager>
    <sec:enable-web-logic-principal-validator-cache>true</sec:enable-web-logic-principal-validator-cache>
    <sec:max-web-logic-principals-in-cache>500</sec:max-web-logic-principals-in-cache>
    <sec:name>myrealm</sec:name>
    <sec:rdbms-security-store>
    <sec:username>BEA10</sec:username>
    <sec:password-encrypted>bs</sec:password-encrypted>
    <sec:connection-url>jdbc:oracle:thin:@QAOracleDB:1521:PORTQA</sec:connection-url>
    <sec:driver-name>oracle.jdbc.OracleDriver</sec:driver-name>
    <sec:connection-properties>user=BEA10</sec:connection-properties>
    <sec:jms-topic>p13n.security.RDBMSSecurityStoreTopic</sec:jms-topic>
    <sec:jms-topic-connection-factory>weblogic.jms.ConnectionFactory</sec:jms-topic-connection-factory>
    <sec:jms-exception-reconnect-attempts>15</sec:jms-exception-reconnect-attempts>
    <sec:notification-properties>java.naming.provider.url=t3://10.5.110.227:7011,java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory</sec:notification-properties>
    <sec:name>p13nRDBMSSecurityStore</sec:name>
    </sec:rdbms-security-store>
    <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
    <sec:name>SystemPasswordValidator</sec:name>
    <pas:min-password-length>8</pas:min-password-length>
    <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
    </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <anonymous-admin-lookup-enabled>false</anonymous-admin-lookup-enabled>
    <credential-encrypted>bs</credential-encrypted>
    <web-app-files-case-insensitive>false</web-app-files-case-insensitive>
    <compatibility-connection-filters-enabled>false</compatibility-connection-filters-enabled>
    <node-manager-username>beaadmin</node-manager-username>
    <node-manager-password-encrypted>bs</node-manager-password-encrypted>
    <principal-equals-case-insensitive>false</principal-equals-case-insensitive>
    <principal-equals-compare-dn-and-guid>false</principal-equals-compare-dn-and-guid>
    <downgrade-untrusted-principals>false</downgrade-untrusted-principals>
    <enforce-strict-url-pattern>true</enforce-strict-url-pattern>
    <cross-domain-security-enabled>false</cross-domain-security-enabled>
    </security-configuration>
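    As an added example (not code from the post, WebLogic or the product), here is a small Python parser for the `####<...>` server-log format quoted above. It splits the angle-bracketed fields (handling the nested `<<anonymous>>` / `<<WLS Kernel>>` user field), measures the gap between consecutive entries from the 13-digit epoch-milliseconds field, and lists which trust anchors the BEA-090898 messages reported as ignored and for which signature algorithm. OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption from PKCS#1 (RFC 8017). The sample lines are constructed, modelled on the post's lines with made-up hostnames and certificate subjects.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample lines modelled on the WebLogic server-log format quoted in
# the post (same field layout and BEA codes; hostnames and subjects are made up).
SAMPLE_LOG = """\
####<May 28, 2013 8:06:54 AM CDT> <Notice> <Security> <host1> <AdminServer> <ConnSetupMgr ldaps://ldap.example.internal:636> <<anonymous>> <> <> <1369746414936> <BEA-090898> <Ignoring the trusted CA certificate "CN=Example Root CA 1,O=Example,C=XX". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
####<May 28, 2013 8:06:54 AM CDT> <Notice> <Security> <host1> <AdminServer> <ConnSetupMgr ldaps://ldap.example.internal:636> <<anonymous>> <> <> <1369746414936> <BEA-090898> <Ignoring the trusted CA certificate "CN=Example Root CA 2,O=Example,C=XX". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
####<May 28, 2013 8:06:55 AM CDT> <Notice> <Security> <host1> <AdminServer> <ConnSetupMgr ldaps://ldap.example.internal:636> <<anonymous>> <> <> <1369746415014> <BEA-090898> <Ignoring the trusted CA certificate "CN=Example Root CA 3,O=Example,C=XX". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
####<May 28, 2013 8:09:39 AM CDT> <Notice> <Security> <host1> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1369746579092> <BEA-090082> <Security initializing using security realm myrealm.>
####<May 28, 2013 8:12:13 AM CDT> <Notice> <WebLogicServer> <host1> <AdminServer> <main> <<WLS Kernel>> <> <> <1369746733452> <BEA-000365> <Server state changed to STANDBY>
"""

# PKCS#1 RSA signature-algorithm OIDs (RFC 8017); used to name the OID the log complains about.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


@dataclass
class LogEntry:
    stamp: str        # human-readable timestamp field, exactly as logged
    severity: str
    subsystem: str
    epoch_ms: int     # the 13-digit millisecond timestamp field
    code: str         # message id, e.g. BEA-090898
    message: str


def split_fields(line: str) -> List[str]:
    """Split a '####<a> <b> ...' line into its bracketed fields, honouring nesting
    such as <<anonymous>> (the outer brackets delimit, inner ones are kept)."""
    body = line[4:] if line.startswith("####") else line
    fields, buf, depth = [], [], 0
    for ch in body:
        if ch == "<":
            if depth > 0:
                buf.append(ch)
            depth += 1
        elif ch == ">":
            depth -= 1
            if depth == 0:
                fields.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
        elif depth > 0:
            buf.append(ch)
    return fields


def parse_log(text: str) -> List[LogEntry]:
    """Parse every well-formed entry; continuation lines (stack traces) are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("####<"):
            continue
        f = split_fields(line)
        if len(f) < 12 or not f[9].isdigit():
            continue
        entries.append(LogEntry(f[0], f[1], f[2], int(f[9]), f[10], f[11]))
    return entries


def find_gaps(entries: List[LogEntry], min_gap_ms: int = 60_000) -> List[Tuple[LogEntry, LogEntry, int]]:
    """Return (previous, next, delta_ms) for every silence of at least min_gap_ms."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        delta = cur.epoch_ms - prev.epoch_ms
        if delta >= min_gap_ms:
            gaps.append((prev, cur, delta))
    return gaps


def count_codes(entries: List[LogEntry]) -> Counter:
    return Counter(e.code for e in entries)


_IGNORED_RE = re.compile(
    r'trusted CA certificate "([^"]+)".*?Unsupported OID in the AlgorithmIdentifier object: (\d+(?:\.\d+)+)'
)


def ignored_trust_anchors(entries: List[LogEntry]) -> List[Tuple[str, str, str]]:
    """(subject DN, OID, algorithm name) for each CA certificate BEA-090898 dropped."""
    out = []
    for e in entries:
        if e.code != "BEA-090898":
            continue
        m = _IGNORED_RE.search(e.message)
        if m:
            out.append((m.group(1), m.group(2), SIG_ALG_OIDS.get(m.group(2), "unknown")))
    return out


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for prev, cur, delta in find_gaps(log):
        print(f"{delta / 1000:.1f}s gap: {prev.code} ({prev.stamp}) -> {cur.code} ({cur.stamp})")
    for subject, oid, name in ignored_trust_anchors(log):
        print(f"ignored trust anchor {subject}: {oid} ({name})")
    print(dict(count_codes(log)))
```

    Run against the post's lines, the gap report points at the two silent stretches the poster noticed (after the last BEA-090898 at 8:06:55 and after BEA-090082 at 8:09:39), which is where to look before the trust-store warnings. The ignored-anchor list matters on its own: each entry is a CA that the LDAPS connections in ConnSetupMgr will not trust, so it is worth checking against the certificate chains the LDAP servers actually present.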

  • Common domain cookie in ADFS3

    Hi,
    I would like to use the common domain cookie in ADFS3.
    I have used the cmdlet set-adfswebconfig to define the cookie reader and the cookie writer.
    Cookie writer seems to work as I'm redirected to the cookie writer URL once I'm authenticated.
    However, I'm never redirected to the cookie reader URL to get the IDP identifier.
    At this moment, I'm using:
    One SAML IdP /Claim Provider
    One SAML SP / Relying Party
    I'm always using "InPrivate" session to be sure not to drag any cookie.
    Has anybody used this feature?
    Thanks for your help
    Yannick

    The common domain is a 3rd domain, different from the IdP and SP. That's the worst-case scenario; I mean the common domain could be the same domain as the IdP or SP, but anyway let's take the worst case.
    In your example mycomp.com is the common domain. Then you need some way of identifying requests targeting a particular SP. One way to do it is to have a subdomain for each SP in the common domain: mysp.mycomp.com, anothersp.mycomp.com. Then when a user requests http://mysp.mycomp.com/whatever, based on the 'mysp' portion of the request and the IdP registered/associated with 'mysp', you would know which IdP to authenticate with. This is all done via cookies, as the SAML spec explains. In this case OIF would have to be deployed on the mycomp.com domain and deal with cookies per spec; that's your IdP discovery.
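    As an added example (not code from ADFS, OIF or anyone in this thread), here is the cookie reader/writer logic the reply describes, in Python. The cookie name `_saml_idp` and the value format (space-separated, base64-encoded IdP entity IDs, most recently used last) follow the SAML 2.0 Identity Provider Discovery Profile; the subdomain-to-SP registry, entity IDs and hostnames are constructed for illustration.

```python
import base64
from typing import Dict, List, Optional, Set

# Cookie name fixed by the SAML 2.0 IdP Discovery Profile.
COOKIE_NAME = "_saml_idp"

# Constructed registry: first DNS label of the common-domain host -> IdPs that SP trusts.
SP_REGISTRY: Dict[str, Set[str]] = {
    "mysp": {"https://idp-a.example/metadata"},
    "anothersp": {"https://idp-b.example/metadata", "https://idp-a.example/metadata"},
}


def encode_entity_id(entity_id: str) -> str:
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def decode_entity_id(token: str) -> str:
    # validate=True rejects characters outside the base64 alphabet instead of discarding them.
    return base64.b64decode(token.encode("ascii"), validate=True).decode("utf-8")


def read_idp_history(cookie_value: Optional[str]) -> List[str]:
    """Decode the cookie into entity IDs, oldest first; malformed tokens are skipped,
    so a corrupted or tampered cookie degrades to 'no preference', not an error."""
    if not cookie_value:
        return []
    history = []
    for token in cookie_value.split(" "):
        if not token:
            continue
        try:
            history.append(decode_entity_id(token))
        except (ValueError, UnicodeDecodeError):
            continue
    return history


def write_idp_history(cookie_value: Optional[str], idp_entity_id: str) -> str:
    """Writer side (run on the common domain after IdP authentication): append this
    IdP at the end, dropping any earlier occurrence so the list stays a recency order."""
    history = [e for e in read_idp_history(cookie_value) if e != idp_entity_id]
    history.append(idp_entity_id)
    return " ".join(encode_entity_id(e) for e in history)


def choose_idp(cookie_value: Optional[str], trusted_idps: Set[str]) -> Optional[str]:
    """Reader side: newest IdP in the cookie that this SP actually trusts, else None.
    The cookie is only a hint; an IdP the SP does not trust is never selected."""
    for entity_id in reversed(read_idp_history(cookie_value)):
        if entity_id in trusted_idps:
            return entity_id
    return None


def choose_idp_for_request(host: str, cookie_value: Optional[str],
                           registry: Dict[str, Set[str]] = SP_REGISTRY) -> Optional[str]:
    """Identify the SP from the subdomain (mysp.mycomp.com -> 'mysp') as the reply
    suggests, then pick an IdP from the cookie restricted to that SP's trusted set."""
    label = host.split(":")[0].split(".")[0].lower()
    trusted = registry.get(label)
    if not trusted:
        return None
    return choose_idp(cookie_value, trusted)


if __name__ == "__main__":
    cookie = write_idp_history(None, "https://idp-a.example/metadata")
    cookie = write_idp_history(cookie, "https://idp-b.example/metadata")
    print(f"{COOKIE_NAME}={cookie}")
    print(choose_idp_for_request("mysp.mycomp.com", cookie))
    print(choose_idp_for_request("anothersp.mycomp.com", cookie))
```

    The writer runs on the common domain after each successful authentication and sets the cookie with `Domain=mycomp.com` and `Path=/` (marking it `Secure` is the sensible default, since it only ever travels to the common domain over HTTPS); the reader, also on the common domain, decodes the history and returns the newest IdP that the requesting SP trusts. Restricting the choice to the SP's registered IdPs is the check that keeps the cookie a discovery hint rather than an authentication decision.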
