28 Introduction to Identity Federation in Oracle Access Management

This chapter introduces identity federation features available from the Oracle Access Management Console. This chapter includes the following sections:

28.1 Identity Federation with Oracle Access Management

This chapter introduces the Identity Federation capabilities that are available within Oracle Access Management in 11g Release 2 (11.1.2.1).

The topics in this chapter presume some familiarity with identity federation. See "Federated Identity Management" for background and conceptual information.

28.1.1 Federated SSO in Oracle Access Management

The Oracle Identity Management framework supports two approaches to cross-domain single sign-on:

  • An Oracle Access Management Identity Federation server built into the Oracle Access Management Access Manager server (OAM Server). All configuration for the Identity Federation server is performed in Oracle Access Management Console.

    This new approach has been introduced in 11g Release 2 (11.1.2.1) and is the subject of this document.

    Note:

    Only service provider functionality is present in this release.
  • Separate Oracle Identity Federation Release 1 (11.1.1) and Oracle Access Manager Servers that you can integrate to provide federation capabilities. Both servers must be configured and managed for this integration.

    This approach existed in 11g Release 1 (11.1.1), and continues to be available. For details about this approach, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

Note:

You cannot mix-and-match the above approaches, as each integration stands on its own. Choose the approach that best fits your installation.

The current document is limited to describing the features in 11g Release 2 (11.1.2.1).

28.1.2 Benefits of using Identity Federation 11.1.2 with Access Manager

Some benefits of using the Identity Federation server with Access Manager in 11g Release 2 (11.1.2.1) are as follows:

  • This eliminates the need to install and maintain separate servers.

  • It simplifies post-install configuration of the federation features, particularly with the ability to access those features through the Oracle Access Management Console.

  • It improves the scalability of the two servers working together.

  • It provides enhanced diagnostics and troubleshooting.

28.1.3 Key Elements of Access Manager with Identity Federation

From a functional perspective, the key building blocks for federated access in this scenario are as follows:

  1. The user attempts to log in from a browser; the calls involved are routine HTTP calls.

  2. The Access Manager server contains all the components needed to provide access management services in the federated context, including:

    • a credential collector

    • a federation authentication plugin

    • the federation engine to process assertions

    • a federation data cache

  3. Oracle WebLogic Server hosts and provides key infrastructure services, including:

    • the authorization engine, which interacts with Oracle Entitlement Server

    • federation data including circle of trust details and other configuration

    • the Coherence map store

  4. Data stores, including the identity store and Coherence database, maintain the identity data needed for authentication tasks.

28.1.4 Key Features

This section describes key features available in Identity Federation with Access Manager.

28.1.4.1 Operational Modes

Identity Federation operates in these modes:

  • Single Sign-On (SSO) mode

    The server supports federated SSO acting as a Service Provider (SP). There are two variations to this mode:

    • In SP-initiated SSO, the federated SSO flow begins when the SP sends an authentication request to the IdP.

    • In IdP-initiated SSO, the IdP sends the SP an unsolicited assertion response (that is, in the absence of an authentication request from the SP).

  • Logout mode

    Logout may be initiated from:

    • A remote federation partner

    • Access Manager protected applications

Note:

If an Administrator terminates a user session from the Oracle Access Management Console, the logout is not propagated to any remote identity providers involved in the session. This could result in a logged-out user being automatically re-authenticated to Access Manager through Identity Federation.

28.1.4.2 Supported Protocols

Identity Federation supports the following federation protocols for Access Manager in 11g Release 2 (11.1.2.1):

Table 28-1 Supported Protocols

| Protocol | Modes/Extensions | Bindings | NameID Formats |
|---|---|---|---|
| SAML 1.1 | Single Sign-On (SSO) | POST, Artifact | Email, SubjectDN, Kerberos, Windows, Unspecified, Custom |
| SAML 2.0 | SSO, Single Logout (SLO) | Redirect, POST, Artifact | Email, SubjectDN, Kerberos, Windows, Transient, Unspecified, Custom |
| OpenID 2.0 | Authentication/SSO, Attribute Exchange (AX), PAPE, UI Extension, Discovery/XRDS | Redirect, POST | Claimed Identifier |


28.1.4.3 Supported Data Stores

Identity Federation supports the Access Manager common user store and provides multi-ID store support.

Federation data stores for persistent account linking data are not supported.

28.1.4.4 User Mapping

After Identity Federation, acting as the SP, validates the SAML assertion created by the IdP partner, it can map the assertion to a local user in one of three ways:

  • by mapping the SAML subject to the UserID attribute (uid).

  • by mapping the SAML subject to another specified user record attribute.

  • by mapping one or more attributes contained in the SAML assertion AttributeStatement element, or the SAML subject, using an LDAP query. You must configure both the SAML attribute name and the user record attribute to which it is mapped.
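The three mapping options above, shown as an added example that is not Oracle's code: it parses a constructed SAML 2.0 assertion and produces the LDAP search filter an SP would use to locate the local user record. Assertion values are escaped per RFC 4515 before being placed in the filter, since they originate from the IdP, not from the local store; the mode names and `attr_map` parameter are assumptions for illustration.

```python
# Added example (not Oracle's code): the three SP-side user-mapping options,
# driven by a constructed SAML 2.0 assertion (no signature, illustration only).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeNumber"><saml:AttributeValue>10042</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def ldap_escape(value):
    """Escape a value for use inside an LDAP filter (RFC 4515) so that
    IdP-supplied assertion data cannot change the structure of the query."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def parse_assertion(xml_text):
    """Return (subject NameID, {attribute name: [values]}) from the assertion."""
    root = ET.fromstring(xml_text)
    subject = root.find("saml:Subject/saml:NameID", NS).text
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return subject, attrs

def build_user_filter(xml_text, mode, user_attr="uid", attr_map=None):
    """mode (assumed names): 'subject-uid' maps the subject to uid,
    'subject-attr' maps it to user_attr, 'attribute-query' ANDs each SAML
    attribute in attr_map {saml_name: user_record_attribute} into one filter."""
    subject, attrs = parse_assertion(xml_text)
    if mode == "subject-uid":
        return "(uid=%s)" % ldap_escape(subject)
    if mode == "subject-attr":
        return "(%s=%s)" % (user_attr, ldap_escape(subject))
    if mode == "attribute-query":
        clauses = []
        for saml_name, ldap_name in attr_map.items():
            values = attrs.get(saml_name)
            if not values:
                # Fail closed: an assertion missing a mapped attribute yields no user.
                raise ValueError("assertion lacks attribute %s" % saml_name)
            clauses.append("(%s=%s)" % (ldap_name, ldap_escape(values[0])))
        return "(&%s)" % "".join(clauses)
    raise ValueError("unknown mapping mode %r" % mode)
```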

28.1.4.5 Multi-Tenant Support

Multi-tenancy is supported for SP flows.

28.1.4.6 Platform Dependencies

This architecture leverages the Oracle Fusion Middleware platform for the Credential Store Framework (CSF).

About use of Credential Store Framework (CSF)

Identity Federation uses CSF to securely store keystore passwords, as well as server credentials such as HTTP Basic Authentication usernames and passwords.

28.1.5 Administration

Access Manager with Identity Federation is administered with a combination of:

  • Oracle Access Management Console

    Use the console to enable the Identity Federation service, manage Identity Provider (IdP) partners, and work with federated authentication schemes and policies.

  • Oracle WebLogic Scripting Tool (WLST) command-line tools

    Use the WLST utilities to manage additional server and partner configuration properties.

For details, refer to the remaining sections in this chapter, and subsequent chapters in this part of the book.

28.2 Introduction to Identity Federation within Oracle Access Management Console

The Oracle Access Management Console enables Administrators to manage configuration related to the server's federation service and partners. Table 28-2 summarizes the types of information that you can configure within Oracle Access Management Console for Identity Federation.

Table 28-2 Identity Federation Configuration in Oracle Access Management Console

| Element | Description and Location in this Book |
|---|---|
| Federation Administrators | Administrators who can manage federated partners and related configuration. See "Introduction to the Oracle Access Management Console and Controls". |
| Federation Service | Enable and disable the Identity Federation service in Access Manager. See "Managing the Federation Service". |
| Federation Settings | Manage basic Identity Federation service configuration properties. See Chapter 30, "Managing Settings for Identity Federation Using Oracle Access Management Console". |
| Identity Providers for Federation | Manage federation IdP partners. See "Managing Identity Provider Partners for Federation". |
| Authentication Schemes and Modules for Federation | Manage federation authentication schemes. See "Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.1)". |
| Policies for Use with Federation | Manage policies for use with federation partners. See "Managing Access Manager Policies for Use with Identity Federation". |


Table 28-3 outlines the tasks required to implement identity federation using the Oracle Access Management Console.

Table 28-3 Integration of Identity Federation and Access Manager 11g Release 2 (11.1.2.1)

| Task | Reference |
|---|---|
| Enable the Identity Federation service. | Section 28.3 |
| Configure federation settings. | Section 30.3 |
| Identify the IdP partner and configure attributes for the partner. | Section 29.3 |
| Configure an authentication or authorization policy. | Chapter 31 |
| Protect a resource with this policy. | Chapter 18 |


28.3 Managing the Federation Service

Identity Federation is an authentication module in Oracle Access Management. To use Identity Federation, both the Access Manager service and the Identity Federation service must be enabled.

Figure 28-1 illustrates the Available Services page in Oracle Access Management Console. Use this page to enable the Identity Federation service together with the Access Manager service.

Figure 28-1 Available Services Page


To manage the Identity Federation service with Access Manager

  1. Log in to the Oracle Access Management Console as usual:

         https://hostname:port/oamconsole/

  2. From the Welcome page, under Configuration, click Available Services.

  3. Enable Identity Federation: Click Enable beside Identity Federation (or confirm that the green Status check mark displays).

  4. Enable Access Manager: Click Enable beside Access Manager (or confirm that the green Status check mark displays).