Oracle® Identity Federation Administrator's Guide 10g (10.1.4.0.1)
B25355-02
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New
New Features in Oracle Identity Federation
Documentation Updates
Terminology Changes
1 Introduction to Oracle Identity Federation
1.1 Federated Identity Management
1.1.1 Challenges of User Identity Management
1.1.2 Federation Use Cases
1.1.3 Concepts and Terminology
1.1.4 Federation Protocols
1.1.4.1 SAML Basics
1.1.4.2 Evolution of the Federated Identity Standards
1.1.4.3 SAML 1.x
1.1.4.4 Liberty ID-FF 1.1
1.1.4.5 Liberty ID-FF 1.2
1.1.4.6 SAML 2.0
1.1.4.7 WS-Federation
1.2 About Oracle Identity Federation
1.2.1 Features and Benefits of Oracle Identity Federation
1.2.2 Architecture
1.2.3 High-Level Processing Flow
1.2.4 Federation Protocol Profiles
1.2.4.1 Browser POST Profile
1.2.4.2 Browser Artifact Profile
1.2.4.3 SOAP Binding
1.2.4.4 Browser HTTP Redirect Profile
1.2.4.5 Name Identifier Profiles
1.2.4.6 SAML Attribute Sharing Profile
1.2.4.7 WS-Federation Passive Requester Profile
1.2.4.8 Federation Termination Profile
1.2.4.9 Global Logout Profile
1.2.5 Affiliations
1.2.6 Cryptographic Provider
1.2.7 Example of Federation Event Flow
1.2.8 Supported Standards and Applications
2 Planning Oracle Identity Federation Deployment
2.1 Architecture Options
2.1.1 Role in Federation
2.1.2 Topology
2.1.2.1 Hub-and-Spoke
2.1.2.2 Peer-to-Peer
2.1.3 Proxy Server
2.1.4 Server Security
2.1.4.1 SSL Encryption
2.1.4.2 Certificate-based Authentication
2.1.4.3 Certificate Repository and Validation
2.1.5 Protocol
2.2 Profiles and Bindings
2.2.1 Supported Protocols
2.2.2 Choosing a Profile
2.2.2.1 Using the Artifact Profile
2.2.2.2 Using the POST Profile
2.2.2.3 SAML Security Considerations
2.2.2.4 Using the SAML Attribute Sharing Profile
2.2.2.5 Using the WS-Federation Logout Profile
2.3 Authentication Engines
2.3.1 Authentication Methods in Oracle Identity Federation
2.3.2 Authenticating with a Repository in IdP Mode
2.3.3 Authenticating with an IdM Solution in IdP Mode
2.3.4 Authenticating with Oracle Access Manager or CA eTrust SiteMinder in SP Mode
2.3.5 Authenticating with OracleAS Single Sign-On in SP Mode
2.3.6 HTTP Basic Authentication
2.4 Data Repositories
2.4.1 Federation Data Store
2.4.2 User Data Store
2.4.3 Transient Data Store
2.5 Installation Requirements
2.5.1 Required Components
2.5.2 Supported Platforms
2.6 Sizing Guidelines
2.6.1 Deployment and Architecture Considerations
2.6.1.1 Profiles
2.6.1.2 Repositories
2.6.1.3 Transient Storage
2.6.1.4 Security for Assertions
2.6.1.5 Connection Tuning
2.6.1.6 High Availability
2.6.1.7 Tuning Servers
2.6.1.8 Impact of Additional Security
2.6.2 Typical Deployment Scenario
2.6.3 Reference Server Footprint
2.6.4 Topology
2.6.5 Performance Figures
2.7 Implementation Checklist
3 Installing Oracle Identity Federation
3.1 Prerequisites
3.2 Overview of Installation Steps
3.3 Basic Installation Procedure
3.4 Advanced Installation Procedure
3.4.1 Enabling SSL
3.5 Testing Your Installation
3.6 What To Do Next
3.6.1 Reassociating the Server
4 Deploying Oracle Identity Federation
4.1 Introduction
4.2 Deployment Scenarios
4.2.1 Deploying Oracle Identity Federation with OracleAS Single Sign-On
4.2.1.1 Testing Federated Single Sign-On
4.2.2 Deploying Oracle Identity Federation with Oracle Access Manager
4.2.2.1 Install OracleAS Infrastructure
4.2.2.2 Install Oracle Access Manager
4.2.2.3 Install Oracle Identity Federation
4.2.2.4 Integrate Oracle Identity Federation and Oracle Access Manager
4.2.3 Deploying Oracle Identity Federation with eTrust SiteMinder
4.2.3.1 Requirements for Integrating with eTrust SiteMinder
4.2.3.2 Installing the eTrust SiteMinder SDK
4.2.3.3 Defining the RDBMS DataSource
4.2.3.4 Configuring the Oracle Identity Federation User Data Store
4.2.3.5 Configuring the eTrust SiteMinder Web Agent
4.2.3.6 eTrust SiteMinder Policy Objects
4.2.4 Deploying Oracle Identity Federation with a Sun Java System Web Server
4.2.4.1 Requirements
4.2.4.2 Configuring Oracle Identity Federation Without a Web Proxy Server
4.2.4.3 Configuring Oracle Identity Federation Behind a Web Proxy Server
4.2.4.4 Integrating Oracle Identity Federation with OracleAS Single Sign-On
4.2.4.5 Sample Configuration Files
4.2.5 Configuring Oracle Identity Federation to Use IBM Tivoli Directory Server as the Data Store
4.2.5.1 Prerequisites
4.2.5.2 Configuring IBM Tivoli Directory Server as the Federation Data Store for IdP or SP
4.2.5.3 Configuring IBM Tivoli Directory Server as the User Data Store for an IdP
4.2.6 Integrating with Third-Party Identity & Access Management Modules
4.2.6.1 Architecture and Flows
4.2.6.2 Creating a Custom Authentication Engine
4.2.6.3 Creating a Custom SP Integration Engine
4.2.6.4 Logout
4.2.6.5 The GenericSPCookieProvider Example
4.2.7 Implementing HTTP Basic Authentication
4.2.7.1 Basic Authentication with an Identity Store
4.2.7.2 Basic Authentication without an Identity Store
4.2.8 Integrating WebGate with Oracle Identity Federation Server
5 Server Administration
5.1 Basic Administration
5.1.1 Role of the Federation Server Administrator
5.1.1.1 Deployment Planning
5.1.1.2 Other Planning Tasks
5.1.2 Logging into Oracle Identity Federation
5.1.3 Starting and Stopping the Server
5.1.4 Changing your Administrator Password
5.1.5 Oracle Identity Federation Log Files
5.1.6 Backups
5.2 Managing Identity Federations
5.2.1 Edit Trusted Provider Configuration
5.2.2 Federations for [Provider]
5.2.3 Users
5.2.4 Federations for a User
5.3 Reassociation
5.3.1 Changing the Federation Data Store
5.3.2 Changing the User Data Store
5.3.3 Changing the RDBMS Data Store
5.3.4 Deleting Federation Data
5.3.5 Changing the Oracle Access Manager Instance
5.3.6 Deleting Policy Objects from Oracle Access Manager
5.4 Un-installing Oracle Identity Federation
5.4.1 Overview of Un-installation
5.4.2 Uninstallation Steps
5.4.2.1 Uninstall Error Messages
5.4.3 Oracle Application Server Instance Deconfig Tool
5.4.3.1 Deconfig Tool Syntax and Parameters
5.4.3.2 Deconfig Tool Log Files
5.4.4 Un-installing OracleAS Cold Failover Cluster Installations
5.4.5 Cleaning Up Oracle Application Server Processes
5.4.6 Reinstallation
6 Configuring Oracle Identity Federation
6.1 Data Maintained by Oracle Identity Federation
6.1.1 Server Configuration Data
6.1.2 User Federation Data
6.2 Administration Console Overview
6.3 Basic Server Configuration
6.3.1 Server Configuration Tab
6.3.2 Editing Server Properties
6.3.3 Editing Global Properties
6.3.3.1 Identity Provider - Global Settings
6.3.3.2 Identity Provider - Select Messages to Send Signed
6.3.3.3 Identity Provider - Select Messages to Require Signed
6.3.3.4 Service Provider - Global Settings
6.3.3.5 Service Provider - Select Messages to Send Signed
6.3.3.6 Service Provider - Select Messages to Receive Signed
6.3.4 Editing Protocol-specific IdP Properties
6.3.4.1 Identity Provider - Liberty 1.1 Properties
6.3.4.2 Enable Liberty 1.1 Identity Provider Profiles
6.3.4.3 Identity Provider - Liberty 1.2 Properties
6.3.4.4 Enable Liberty 1.2 Identity Provider Profiles
6.3.4.5 Select Liberty 1.2 Identity Provider NameID Formats
6.3.4.6 Identity Provider - SAML 2.0 Properties
6.3.4.7 Enable SAML 2.0 Identity Provider Profiles
6.3.4.8 Select SAML 2.0 Identity Provider NameID Formats
6.3.5 Editing Protocol-specific SP Properties
6.3.5.1 Service Provider - Liberty 1.1 Properties
6.3.5.2 Enable Liberty 1.1 Service Provider Profiles
6.3.5.3 Service Provider - Liberty 1.2 Properties
6.3.5.4 Enable Liberty 1.2 Service Provider Profiles
6.3.5.5 Service Provider - SAML 2.0 Properties
6.3.5.6 Enable SAML 2.0 Service Provider Profiles
6.3.5.7 Select SAML 2.0 Service Provider NameID Formats
6.3.6 Service Provider - Attribute Requester
6.3.7 Editing Circles of Trust
6.3.7.1 Circle of Trust
6.3.7.2 Editing a Trusted Provider
6.3.7.3 Edit Trusted Provider: Attribute Mappings
6.3.7.4 Select Messages to Send Signed
6.3.7.5 Select Messages to Require Signed
6.3.7.6 Edit Trusted Provider: Select NameID Formats
6.3.8 Configuring and Using Affiliations
6.3.8.1 About Affiliations
6.3.8.2 Affiliation Support in Oracle Identity Federation
6.3.8.3 Configuring Affiliations
6.3.8.4 Runtime Behavior of Affiliations
6.3.8.5 How Affiliations are Displayed
6.3.9 Editing the Certificate Validation Store
6.4 Configuring IdM Data Stores
6.4.1 Edit Federation Data Store
6.4.2 Edit User Data Store
6.4.2.1 Configuring an RDBMS as the User Data Store
6.5 Configuring SAML 1.x and WS-Federation Properties
6.5.1 Certificate Store
6.5.2 Regenerate Encryption Key
6.5.3 Audits and Logs
6.5.4 Assertion Profiles
6.5.5 Add Assertion Profile
6.5.6 Edit Assertion Profile
6.5.7 Destination Mappings
6.5.8 Modify Destination Mappings
6.5.9 Domains
6.5.10 Update MyDomain
6.5.11 Add Oracle Identity Federation Domain
6.5.12 Add a Non-Oracle Identity Federation Domain
6.5.13 Exchanging SAML 1.x and WS-Federation Configuration Data with Peers
6.5.13.1 When Oracle Identity Federation is an IdP
6.5.13.2 When Oracle Identity Federation is an SP
6.6 Configuring Attribute Sharing
6.6.1 Components Used for Attribute Sharing
6.6.2 Remote and Local Users
6.6.3 Configuring the Oracle Access Manager Plugins
6.6.4 Configuring Oracle Access Manager Schemes and Policies
6.6.4.1 Configuring the Attribute Sharing Authentication Scheme
6.6.4.2 Configuring the Attribute Sharing Authorization Scheme
6.6.4.3 Configuring an Oracle Access Manager Policy using Attribute Sharing
6.6.5 Configuring Oracle Identity Federation as an SP Attribute Requester
6.6.5.1 If Using Basic Authentication
6.6.5.2 If Using Client Certificate Authentication
6.6.6 Configuring Oracle Identity Federation as an IdP Attribute Responder
6.6.7 Configuring Oracle Identity Federation for SSL
6.7 Web Services Interface for Attribute Sharing
6.7.1 Overview of the Service Interface
6.7.2 Attribute Request Message
6.7.3 Attribute Response Message
6.7.4 Interface WSDL
6.7.5 References
6.8 Configuring Attribute Mapping
6.8.1 Introduction to Attribute Mapping
6.8.1.1 Attribute Name Mapping
6.8.1.2 Attribute Value Mapping
6.8.1.3 Attribute Value Filtering
6.8.2 Mapping Configuration
6.8.2.1 Configuration Files
6.8.2.2 Server Configuration
6.8.2.3 Mapping & Filtering Configuration
6.8.3 Sample attr-config.xml File
6.8.4 Examples
6.8.4.1 Example 1
6.8.4.2 Example 2
6.8.4.3 Example 3
6.9 Configuring the Logout Service
6.9.1 WS-Federation Logout
6.10 Using SSL with Oracle Identity Federation
6.10.1 Connecting to SSL Servers
6.10.2 Authenticating to SSL Servers
6.10.3 Configuring SSL Server on Oracle Identity Federation
6.10.4 Requiring a Client SSL Certificate for SOAP Requests
6.11 Protecting the Liberty 1.x / SAML 2.0 SOAP Endpoint
6.11.1 SSL Client Authentication
6.11.2 HTTP Basic Authentication
6.11.2.1 Configuring HTTP Basic Authentication to Protect the SOAP URL
6.11.2.2 Configuring Oracle Identity Federation to Connect to a Protected SOAP URL
7 Additional Server Configuration
7.1 Setting up Single Sign-On Services
7.1.1 OracleAS Single Sign-On with Liberty 1.x/SAML 2.0
7.1.1.1 URL Query Parameters
7.1.2 Oracle Access Manager with Liberty 1.x/SAML 2.0
7.1.2.1 URL Query Parameters
7.1.3 Oracle Access Manager with SAML 1.x/WS-Federation
7.1.3.1 Using the Fed SSO - SAML 1.x Authentication Scheme
7.1.3.2 Using the Fed SSO - WS-Federation Authentication Scheme
7.1.4 eTrust SiteMinder with Liberty 1.x/SAML 2.0
7.1.4.1 URL Query Parameters
7.1.5 eTrust SiteMinder with SAML 1.x/WS-Federation
7.1.5.1 Using SAML 1.x Authentication
7.1.5.2 Using WS-Federation Authentication
7.1.6 SP-initiated SSO with Liberty 1.x/SAML 2.0
7.1.6.1 URL Query Parameters
7.1.7 SP-initiated SSO with SAML 1.x
7.1.8 SP-initiated SSO with WS-Federation
7.1.9 IdP-initiated SSO with Liberty 1.x/SAML 2.0
7.1.9.1 URL Query Parameters
7.1.10 IdP-initiated SSO with SAML 1.x
7.1.11 IdP-initiated SSO with WS-Federation
7.2 Working with Affiliations
7.3 Exporting the IdP's Self-signed Certificate to the SP
7.4 How to Use the Transient/One-time Identifier
7.5 Configuring Name ID Formats
7.5.1 Configuring the Name ID Formats as an IdP
7.5.2 Configuring the Name ID Formats as an SP
7.5.3 Configuring the Name ID Formats for a Specific Remote Provider
7.5.4 Configuring Attributes in SSO Assertions with Oracle Identity Federation/IdP
7.6 How to Allow the IdP to Determine the Name ID Format
7.7 How to Use Automatic Account Linking at the SP
7.7.1 What is Automatic Account Linking at the SP?
7.7.2 Configuring Automatic Account Linking at the SP
7.8 How to Use Automatic Account Linking at the IdP
7.8.1 What is Automatic Account Linking at the IdP?
7.8.2 Configuring Automatic Account Linking at the IdP
7.9 Interoperating with Microsoft ADFS
7.9.1 Terms and Definitions
7.9.2 Configuring ADFS as IdP with Oracle Identity Federation as SP
7.9.2.1 Prerequisites
7.9.2.2 Collect Information from Oracle Identity Federation
7.9.2.3 Collect Information from ADFS
7.9.2.4 Configure Oracle Identity Federation as Service Provider
7.9.2.5 Configure ADFS to Recognize Oracle Identity Federation as SP
7.9.2.6 Configure Claims
7.9.2.7 IdP-initiated SSO with WS-Federation
7.9.2.8 SP-initiated SSO with WS-Federation
7.9.2.9 IdP-initiated Logout with WS-Federation
7.9.2.10 SP-initiated Logout with WS-Federation
7.9.3 Configuring ADFS as SP with Oracle Identity Federation as an IdP
7.9.3.1 Prerequisites
7.9.3.2 Collect Information from Oracle Identity Federation
7.9.3.3 Collect Information from ADFS
7.9.3.4 Configure Oracle Identity Federation to Recognize ADFS as SP
7.9.3.5 Configure ADFS as SP to Recognize Oracle Identity Federation as IdP
7.9.3.6 Configure Claims
7.9.3.7 IdP-initiated SSO with WS-Federation
7.9.3.8 SP-initiated SSO with WS-Federation
7.9.3.9 IdP-initiated Logout with WS-Federation
7.9.3.10 SP-initiated Logout with WS-Federation
7.10 Logout no-fail-on-error Option
7.10.1 Overview of the no-fail-on-error Feature
7.10.2 Configuring the Option
7.11 Logout Status
7.12 Configuring SAML 2.0 Authentication Query Response
7.13 Configuring SAML 2.0 Assertion ID Request
7.14 Additional eTrust SiteMinder Configuration
7.14.1 Types of Policy Objects
7.14.2 Creating the Policy Objects
7.14.3 Configuring Oracle Identity Federation for Startup eTrust SiteMinder Operations
7.14.4 Configuring Oracle Identity Federation to Use a Different User Data Store
8 Monitoring Oracle Identity Federation
8.1 About Oracle Identity Federation Monitoring
8.1.1 Metrics
8.1.2 Monitoring Components
8.1.3 Monitoring Data Flow
8.2 Monitoring Console
8.2.1 Accessing the Console
8.2.1.1 Monitoring Agent Home Tab
8.2.1.2 Monitoring Agent Configuration Tab
8.2.2 Monitor Agent Home
8.2.3 Monitor Agent IdP Statistics Home
8.2.4 Monitor Agent IdP Statistics (SSO)
8.2.5 Monitor Agent IdP Statistics (Identity Federation)
8.2.6 Monitor Agent IdP Statistics (Peer Provider)
8.2.7 Monitor Agent SP Statistics Home
8.2.8 Monitor Agent SP Statistics (SSO)
8.2.9 Monitor Agent SP Statistics (Identity Federation)
8.2.10 Monitor Agent SP Statistics (Peer Provider)
8.2.11 Metric Display at the Console
8.3 Managing Monitored Installations
8.3.1 Monitored Installations
8.3.2 Statistics Repository
8.4 Archiving Metrics
9 Advanced Topics
9.1 Configuration Assistants
9.1.1 Prerequisites for the Configuration Assistants
9.1.2 Configuration Assistant Operations
9.1.2.1 Repository Maintenance
9.1.2.2 Deployment
9.2 Command-line Tools
9.2.1 Bulk Federation Utility
9.2.1.1 The Create Mode
9.2.1.2 The Read Mode
9.2.1.3 Output Files Generated by Bulk Load
9.2.1.4 Syntax and Examples
9.2.2 Command-Line Configuration Assistant to Change the Transient Data Store
9.2.2.1 Syntax and Examples
9.2.3 Command-Line Configuration Assistant for Uninstallation
9.2.3.1 Syntax and Examples
9.2.4 Command-Line Federation Delete Tool
9.2.4.1 Syntax and Examples
9.3 Managing Oracle Identity Federation Performance
9.3.1 Setting Concurrent Connection Limits
9.3.2 Setting JDBC Connection Limits
9.3.3 Tuning Oracle HTTP Server
9.4 High Availability
9.4.1 Web Application Session State Replication
9.4.2 Centralized Storage of Configuration Information
9.4.3 Data Tier
9.4.3.1 Configuring Redundant LDAP Servers
9.4.4 Additional Information
9.5 Setting Up a Load Balancer with Oracle Identity Federation
9.5.1 Additional Considerations for SAML 1.x or WS-Federation
9.5.2 Additional Steps for the Oracle Identity Federation Monitoring Console
9.6 Setting Up a Proxy for Oracle Identity Federation
A Troubleshooting Oracle Identity Federation
A.1 Problems and Solutions
A.1.1 General Issues
A.1.1.1 Reauthentication after Session Timeout with OracleAS Single Sign-On and SAML 1.x or WS-Federation
A.1.1.2 Attribute Sharing with the Microsoft Internet Information Server
A.1.1.3 Redirection Loops with Oracle Access Manager
A.1.1.4 Truncated Text in Japanese Version of Oracle Universal Installer
A.1.1.5 Unused Assertion Profile With Invalid Attribute Mapping Can Cause SSO Failure
A.1.1.6 Signed SAML 1.0 Assertions Can Cause SSO Failures
A.1.1.7 Encrypting Network Connections
A.1.2 Oracle Identity Federation Configuration Issues
A.1.2.1 Administration Console Is Not Accessible After Changing Transient Data Store
A.1.2.2 Signing SAML Response with Assertion
A.1.2.3 Assertions Using SAML 1.x POST Method Fail in Japanese Locale
A.1.2.4 Requester ID in SAML 1.x Artifacts
A.1.2.5 Logout Displays No Return Page
A.1.2.6 No JSESSIONID Cookie Error
A.1.2.7 Failed to Find orclfednamevalue Error
A.1.3 Oracle Single Sign-On Login Issues
A.1.3.1 Incorrect Login Page Appears
A.1.3.2 Bookmarked Login Pages
A.1.3.3 Error When Reissuing SAML 1.x URL After Timeout
A.1.4 Oracle Access Manager Configuration Issues
A.1.4.1 AccessGate Permission Error
A.1.4.2 Non-ASCII AccessGate ID
A.1.4.3 Setting LD_ASSUME_KERNEL Value
A.1.4.4 Using the Same Cookie Domain for Two Back-ends
A.1.5 Operating System Configuration Issues
A.1.5.1 File Descriptors on Linux
A.1.5.2 Search Fails Against Microsoft Active Directory with an Unknown Host Exception
A.1.6 Runtime/Single Sign-On Issues
A.1.6.1 404 Error when Using Oracle SmartMarks
A.1.6.2 Incorrect Identity Provider for SAML 1.x or WS-Federation
A.1.6.3 Bookmarking a WS-Federation Protected Resource
A.1.7 Oracle Identity Federation Administration Console Issues
A.1.7.1 Cannot Log in to the Administration Console
B References
Glossary
Index