Saturday, March 8, 2014

SSO with OAM & OIF 11G Architecture sample

Hi Folks,

   Today I would like to show you some diagrams I made to explain how OIF works with OAM to provide an SSO solution across different federations. Note: OIF is used only for authentication here; no role information is exchanged and authorization is not covered in this example.

Wait, before this example I would like to answer the first question that comes to mind:

What is the purpose of OIF and what is the main difference between OIF and OAM?

OIF is Oracle's SSO solution for authenticating against different LDAP repositories: it serves companies whose employees authenticate against a directory other than the regular one configured in the OAM solution.

The main difference between OIF and OAM is:
OIF is an SSO solution for federation purposes, used to allow authentication that comes from a different place.
OAM is an SSO solution for a single company that does not need LDAP authentication different from what it already has in its IDM server.

So,

1) In this 'real world' scenario (fig 1), we have OAM (configured with OIF as its AuthProvider), which then calls the URL of the IDP configured in OAM. So, instead of cookies, the user here relies on a trust relationship between 2 different federations (which I usually call different companies, for easier understanding).
1.1) You can also see that the login page can be the LDAP authentication associated with that URL. This means the first company (the one that received the request) does not handle this second part: it only receives the initial request from the user and 'asks' OAM which authentication scheme and which authentication provider apply to this URL.



 Fig 1: the OAM Authn Scheme FAAuthScheme is modified to use OIF/SP instead of collecting user credentials via a login page and validating them against, for example, the regular OID server installed with the first federation (again: the company that receives the first request).


2) As a generic explanation, this is the flow OIF follows:
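To make the flow above concrete, here is an added toy model of the exchange (my own example, not Oracle code): company A's OAM maps the protected URL to FAAuthScheme, which delegates to OIF/SP instead of a local login page; company B's IdP authenticates the user against its own directory and returns an assertion that the SP side must validate before OAM creates a session. All URLs, entity names, users and the shared key are constructed, and real OIF exchanges SAML messages, whose XML signature is replaced here by an HMAC over the assertion fields.

```python
import hmac, hashlib, json

TRUST_KEY = b"federation-trust-secret"     # constructed trust material shared by both sides
SP_ENTITY = "sp.company-a.example"         # company A, runs OAM + OIF/SP
IDP_ENTITY = "idp.company-b.example"       # company B, runs the IdP

# Company A's OAM policy: protected URL -> authn scheme (constructed values).
OAM_AUTHN_SCHEMES = {"/hr/app": "FAAuthScheme", "/intranet": "LDAPScheme"}
FEDERATED_SCHEMES = {"FAAuthScheme": IDP_ENTITY}  # schemes delegated to OIF/SP

# Company B's own directory, standing in for its LDAP server (constructed).
IDP_DIRECTORY = {"jdoe": "correct horse"}

def oam_route_request(url):
    """OAM looks up the scheme for the URL; a federated scheme names the IdP."""
    scheme = OAM_AUTHN_SCHEMES[url]
    return {"scheme": scheme, "idp": FEDERATED_SCHEMES.get(scheme)}

def _sign(body):
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(TRUST_KEY, raw, hashlib.sha256).hexdigest()

def idp_authenticate(username, password, audience, now):
    """Company B checks creds against its own directory and issues an assertion."""
    if IDP_DIRECTORY.get(username) != password:
        return None
    body = {"issuer": IDP_ENTITY, "subject": username,
            "audience": audience, "exp": now + 300}
    return {"body": body, "sig": _sign(body)}

def sp_validate_assertion(assertion, expected_idp, now):
    """OIF/SP accepts the assertion only if signature, issuer, audience and expiry hold."""
    b = assertion["body"]
    if not hmac.compare_digest(assertion["sig"], _sign(b)):
        return None
    if b["issuer"] != expected_idp or b["audience"] != SP_ENTITY or b["exp"] <= now:
        return None
    return b["subject"]

def federated_login(url, username, password, now):
    """End-to-end flow: request at company A -> OAM -> OIF/SP -> company B -> back."""
    route = oam_route_request(url)
    if route["idp"] is None:          # non-federated scheme: OAM's own login page
        return ("local-login", None)
    assertion = idp_authenticate(username, password, SP_ENTITY, now)
    if assertion is None:
        return ("idp-rejected", None)
    subject = sp_validate_assertion(assertion, route["idp"], now)
    return ("session", subject) if subject else ("assertion-rejected", None)
```

The checks in `sp_validate_assertion` are the trust relationship in code: an assertion from the wrong issuer, addressed to another SP, expired, or altered after signing never becomes an OAM session.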



I hope this explanation helps, and please let me know if you have any further questions,
Thiago Leoncio.