Oracle® OpenSSO Fedlet Interoperability Guide for Oracle Identity Federation 11g Release 1 (11.1.1.3.0) Part Number E17847-01
This chapter provides an introduction to the Oracle OpenSSO Fedlet, including:
For information about federated identity management, including a description of the key features and concepts of Oracle Identity Federation, see the “Introduction to Oracle Identity Federation” in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
The Oracle OpenSSO Fedlet (Fedlet) is a compact, easy-to-deploy SAML 2.0 service provider implementation. It consists of a small software package with a simple file-based configuration and can be embedded in a service provider's Java or .NET application. The Fedlet establishes single sign-on (SSO) between an identity provider instance and the service provider application without requiring a fully featured federation product on the service provider side.
The Oracle OpenSSO Fedlet can accept SAML 2.0 assertions from any SAML 2.0 identity provider and retrieve user attributes to accomplish SSO and content personalization. The Fedlet can be configured to communicate with any number of identity providers. It can also use an external discovery service to find the preferred identity provider.
For information about the platforms and product versions supported by the Oracle OpenSSO Fedlet, see the appropriate certification matrix:
http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html
The Oracle OpenSSO Fedlet can be downloaded as a separate ZIP file. The ZIP file includes all the files and components required to deploy the Fedlet with a Java or .NET service provider application. To use the Fedlet, you are not required to install any other federation components on the service provider side.
To install and configure the Oracle OpenSSO Fedlet, follow these general steps:
Download and unzip the Oracle-OpenSSO-Fedlet.zip file, as described in Chapter 2, "Installing the Oracle OpenSSO Fedlet."
Note: For some deployments, rather than downloading the Oracle OpenSSO Fedlet ZIP file, a service provider administrator can simply get a previously configured Oracle OpenSSO Fedlet package from the identity provider administrator. The service provider administrator then adds any application-specific logic to the package and deploys the Fedlet service provider application.
To determine the Oracle OpenSSO Fedlet version, check the FederationConfig.properties file for the Java Fedlet or the Fedlet.dll.config file for the .NET Fedlet after you extract the files in the Fedlet package.
Get the metadata file from your identity provider, name this file idp.xml, and copy it to the Fedlet configuration directory.
Configure the Oracle OpenSSO Fedlet as follows:
Configure the Java Fedlet by running the ConfigureFedlet program or by performing the configuration steps manually, as described in Chapter 3, "Configuring the Java Oracle OpenSSO Fedlet."
In most cases, you can run the ConfigureFedlet program, which prompts you for information and then automatically configures the Java Fedlet. If you want to configure specific features, however, such as Attribute Query, you must configure the Java Fedlet manually.
Configure the .NET Fedlet, as described in Chapter 4, "Configuring the .NET Oracle OpenSSO Fedlet."
A service provider administrator (or developer) can add any specific application logic to the service provider application. For example, for the Java Fedlet, add the logic to the fedlet.war or embed the fedlet.war in the service provider application.
Import the Fedlet service provider metadata file (sp.xml) into the identity provider. This file is created during the Fedlet configuration.
If you configured the Fedlet for features such as the identity provider discovery service or attribute query, perform the additional configuration steps on the identity provider side required for these features.
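The metadata exchange in the steps above (idp.xml copied into the Fedlet configuration directory, sp.xml imported into the identity provider) is where most interoperability problems start. The following is an added example, not code from the Oracle OpenSSO Fedlet or its documentation, that sanity-checks an identity provider metadata file before it is placed in the Fedlet configuration directory: it confirms the file is SAML 2.0 identity provider metadata, that it carries a signing certificate the Fedlet can use to verify assertions, that it has not passed its validUntil date, and that its single sign-on and single logout endpoints use TLS and a binding the Fedlet can send requests over. SAMPLE_IDP_XML is constructed; the entity ID, URLs and certificate text are placeholders.

```python
"""Sanity-check an identity provider metadata file (idp.xml) before it is
copied into the Fedlet configuration directory.

Added example, not code from the Oracle OpenSSO Fedlet or its documentation.
SAMPLE_IDP_XML is constructed: the entity ID, endpoint URLs and certificate
text are placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Bindings over which an SP can deliver AuthnRequest/LogoutRequest messages to
# the IdP endpoints advertised here. (The assertion-delivery bindings listed in
# Table 1-1, HTTP POST and HTTP Artifact, are advertised by the Fedlet's own
# sp.xml as AssertionConsumerService entries, not in idp.xml.)
REQUEST_BINDINGS = {BINDING + "HTTP-Redirect", BINDING + "HTTP-POST"}

SAMPLE_IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/fed/idp"
    validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICplaceholderCertificateText</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/fed/idp/samlv20slo"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/fed/idp/samlv20slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/fed/idp/samlv20"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/fed/idp/samlv20"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoints(descriptor, local_name):
    """Map Binding -> Location for every md:<local_name> child of the descriptor."""
    return {e.get("Binding"): e.get("Location")
            for e in descriptor.findall("md:" + local_name, NS)}


def check_idp_metadata(xml_text, now=None):
    """Return a report dict; an empty 'problems' list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "sso": {}, "slo": {},
              "signing_certs": 0, "problems": []}
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        report["problems"].append("root element is %s, not md:EntityDescriptor" % root.tag)
        return report
    if not report["entity_id"]:
        report["problems"].append("entityID attribute missing")

    # validUntil is optional; when present, stale metadata must not be trusted.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            report["problems"].append("metadata expired at %s" % valid_until)

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        report["problems"].append("no md:IDPSSODescriptor; not identity provider metadata")
        return report

    # A KeyDescriptor with use="signing", or with no use attribute at all,
    # carries the certificate needed to verify assertion signatures.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and (cert.text or "").strip():
                report["signing_certs"] += 1
    if report["signing_certs"] == 0:
        report["problems"].append("no signing certificate; assertion signatures cannot be verified")

    report["sso"] = _endpoints(idp, "SingleSignOnService")
    report["slo"] = _endpoints(idp, "SingleLogoutService")
    if not REQUEST_BINDINGS & set(report["sso"]):
        report["problems"].append("no SingleSignOnService over HTTP-Redirect or HTTP-POST")
    if report["slo"] and not REQUEST_BINDINGS & set(report["slo"]):
        report["problems"].append("SingleLogoutService present but not over HTTP-Redirect or HTTP-POST")

    # Every endpoint the browser will be redirected to must be TLS-protected.
    for location in list(report["sso"].values()) + list(report["slo"].values()):
        if not (location or "").startswith("https://"):
            report["problems"].append("endpoint is not https: %r" % location)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(check_idp_metadata(SAMPLE_IDP_XML), indent=2))
```

Run the check against the real idp.xml before copying it into the Fedlet configuration directory; the same checks, with SPSSODescriptor and AssertionConsumerService in place of the IdP elements, apply to the generated sp.xml before it is imported into the identity provider.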
You can deploy multiple instances of the Oracle OpenSSO Fedlet on the same host as follows:
Multiple Java Fedlet instances can run on the same host server if each Fedlet instance runs in its own Java Virtual Machine (JVM).
Multiple .NET Fedlet instances can run on the same Internet Information Server (IIS), if you deploy the .NET Fedlet files in each respective application's App_Data and bin folders.
One consideration, however, is that the Oracle OpenSSO Fedlet does not perform session management on the service provider side. The service provider application or web container must perform the session management.
The Oracle OpenSSO Fedlet supports the following features:
Table 1-1 Oracle OpenSSO Fedlet SAML 2.0 Single Sign-on (SSO) and Single Logout Features
Feature | Java Fedlet | .NET Fedlet |
---|---|---|
SAML 2.0 SSO | | |
IdP and SP Initiated HTTP POST | Yes | Yes |
IdP and SP Initiated HTTP Artifact | Yes | Yes |
SAML 2.0 Single Logout | | |
IdP and SP Initiated HTTP POST | Yes | Yes |
IdP and SP Initiated HTTP Redirect | Yes | Yes |
This section describes the following scenarios for the Oracle OpenSSO Fedlet:
Oracle OpenSSO Fedlet SP-Initiated and IdP-Initiated SAML 2.0 Single Sign-on
Oracle OpenSSO Fedlet Identity Provider Discovery Service with Multiple Identity Providers
Oracle Identity Federation as an Additional Identity Provider With OpenSSO 8.0 Update 1
You want to download, install, and configure the Oracle OpenSSO Fedlet as a new deployment on the service provider side in your environment. See these chapters:
You have installed the Oracle OpenSSO Fedlet, and you want to configure or reconfigure your installation. See these chapters:
If you have installed the Oracle OpenSSO Fedlet, and you want to configure it for service provider initiated or identity provider initiated SAML 2.0 single sign-on (or both), see the following sections:
You have installed the Oracle OpenSSO Fedlet, and you want to configure single logout. Single logout terminates the sessions of all participants in a federated session at once; any participant in the session can initiate the logout request. See the following sections:
Your existing identity federation deployment has the Oracle OpenSSO Fedlet configured with multiple identity providers in a circle of trust, and you want to configure the Oracle OpenSSO Fedlet to use the identity provider discovery service to determine the preferred identity provider. See the following sections:
The Oracle OpenSSO Fedlet supports XML signature verification and decryption of encrypted assertion and nameid elements and their corresponding attributes. See the following sections:
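The Fedlet performs the cryptographic signature verification and decryption itself. The following added example, not code from the Oracle OpenSSO Fedlet or its documentation, shows the structural facts a SAML 2.0 response consumer has to establish before those operations are meaningful: which parts of the response are encrypted (EncryptedAssertion, EncryptedID), and that every ds:Signature is an enveloped signature whose single Reference names the ID of the element enclosing it, which SAML 2.0 Core section 5.4.2 requires. A signature that references anything else does not cover the assertion about to be consumed. SAMPLE_RESPONSE is constructed; its IDs, URLs and base64 payloads are placeholders.

```python
"""Structural inspection of a SAML 2.0 Response ahead of XML signature
verification and decryption: what is encrypted, and whether each Signature
is an enveloped signature over the element that contains it.

Added example, not code from the Oracle OpenSSO Fedlet or its documentation.
SAMPLE_RESPONSE is constructed: IDs, URLs and base64 payloads are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_resp1" Version="2.0" IssueInstant="2010-06-01T12:00:00Z"
    Destination="https://sp.example.com/fedlet/fedletapplication">
  <saml:Issuer>https://idp.example.com/fed/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/fed/idp</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:EncryptedID>
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </saml:EncryptedID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def inspect_response(xml_text):
    """Return a report dict; 'problems' lists structural reasons to reject."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: " + root.tag)
    report = {
        "assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "encrypted_nameids": len(root.findall(".//saml:EncryptedID", NS)),
        "signatures": [],
        "problems": [],
    }
    # ElementTree has no parent pointers, so walk parent/child pairs.
    for parent in root.iter():
        for child in parent:
            if child.tag != "{%s}Signature" % NS["ds"]:
                continue
            uris = [r.get("URI") for r in child.findall("ds:SignedInfo/ds:Reference", NS)]
            parent_id = parent.get("ID")
            report["signatures"].append({"signed_element": _local(parent.tag), "references": uris})
            # SAML 2.0 requires an enveloped signature with exactly one Reference
            # naming the ID of the element that contains the Signature. Anything
            # else means the signature does not cover what is about to be consumed.
            if parent_id is None or uris != ["#" + parent_id]:
                report["problems"].append(
                    "Signature in %s references %r, not its enclosing element ID %r"
                    % (_local(parent.tag), uris, parent_id))
    if report["assertions"] + report["encrypted_assertions"] == 0:
        report["problems"].append("response carries no Assertion or EncryptedAssertion")
    if not report["signatures"] and report["encrypted_assertions"] == 0:
        # A signature inside an EncryptedAssertion is only visible after decryption.
        report["problems"].append("no XML signature present on the Response or Assertion")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_response(SAMPLE_RESPONSE), indent=2))
```

When the assertion arrives as an EncryptedAssertion, run the same inspection again on the decrypted Assertion, since its signature and any EncryptedID only become visible after decryption.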
You are a service provider that wants to use the Oracle OpenSSO Fedlet attribute query feature with an identity provider to retrieve user attributes to customize the service you provide for your users. See Section 3.10, "Configuring the Java Oracle OpenSSO Fedlet for SAML 2.0 Attribute Query." (The attribute query feature is not supported by the .NET Fedlet.)
Your existing identity federation deployment has the Oracle OpenSSO Fedlet installed with Oracle OpenSSO 8.0 Update 1 configured as an identity provider, and you want to add an Oracle Identity Federation identity provider to your deployment. See the following sections: