4 Integrating Oracle Identity Federation

This chapter describes how to integrate Oracle Access Manager with Oracle Identity Federation to create an authenticated session.

Sections include:

4.1 Background and Integration Overview

This section provides background about the integration procedure. Topics include:

4.1.1 About Integration with Oracle Identity Federation

About Oracle Identity Federation

Oracle Identity Federation is a standalone, self-contained federation server that enables single sign-on and authentication in a multiple-domain identity network.

The SP integration engine included with Oracle Identity Federation consists of a servlet that processes requests from the server to create a user authenticated session at the IAM server. The engine includes several internal plug-ins that allow it to interact with different IAM servers, including Oracle Access Manager.

About the Integration

The integration described in this chapter configures Oracle Identity Federation to propagate the authentication state to Oracle Access Manager in SP mode.

In this mode, Oracle Identity Federation uses the federation protocols to identify a user, and requests the authentication module to create an authenticated session at Oracle Access Manager so that the user can access the requested resource, which is protected by WebGate.

4.1.2 Overview of Integration Procedure

The basic steps required to integrate Oracle Access Manager with Oracle Identity Federation are as follows:

  1. Ensure that the necessary components, including Oracle WebLogic Server and Identity Management (IdM) components, are installed.

  2. Register Oracle HTTP Server as a partner with the Oracle Access Manager server to protect a resource.

  3. Configure the Oracle Identity Federation server to function as a service provider (SP) with Oracle Access Manager.

  4. Configure the Oracle Access Manager server to delegate the authentication to Oracle Identity Federation.

  5. Test the integration.

The remaining sections provide details about each step.

4.1.3 Prerequisites

You must install the following components prior to undertaking the integration tasks:

  • Oracle WebLogic Server

  • Oracle HTTP Server 11g

  • Oracle Access Manager 11g

  • Oracle Identity Federation 11g


Refer to the Certification Matrix for platform and version details.

4.1.4 Additional Setup

Oracle WebLogic Server

Ensure that the administration and managed servers are up and running.

Oracle HTTP Server

For testing purposes, identify or create a resource to be protected; for example, create an index.html file to serve as a test resource.

Oracle Identity Federation

Access the Fusion Middleware Control console for the Oracle Identity Federation server using a URL of the form:


Verify that all the servers are running.

4.2 Register Oracle HTTP Server with Oracle Access Manager

Follow these steps to register Oracle HTTP Server with Oracle Access Manager for authentication:


MW_HOME represents the Oracle Fusion Middleware Home directory.
  1. Before registering Oracle HTTP Server with Oracle Access Manager, try accessing the protected resource. For example, if you have the test resource index.html, access it as:

    http://OHS_host:OHS_port/private/index.html
  2. Locate the OSSORequest.xml file in the directory:


    Make the necessary changes to the file.

  3. Locate the oamreg.sh script, which resides in:


    Execute the script using this command string:

    ./oamreg.sh inband input/OSSORequest.xml
  4. The script executed in Step 3 generates an osso.conf file in the directory:


    Copy the file to the following location:

  5. Locate the mod_osso.conf file in the directory:


    Add these directives to the file:

    OssoSecureCookies off
    OssoConfigFile path_to_osso.conf_file
  6. Uncomment the Location tag and fill in the protected resource path:

    <Location /private>
        require valid-user
        AuthType Osso
    </Location>
  7. Restart Oracle HTTP Server.

    Oracle_WT1/instances/instance1/bin/opmnctl restartproc process-type=OHS
  8. Try accessing the protected resource again. You should be redirected to the Oracle Access Manager server for authentication.

4.3 Configure Oracle Identity Federation Providers

Take these steps to generate and load the metadata for the IdP and SP:

4.3.1 Generated Provider Metadata

  1. Locate the Oracle Identity Federation instance in Fusion Middleware Control.

  2. Navigate to Administration, then Security and Trust.

  3. Click the Provider Metadata tab.

  4. In the Generate Metadata section of the page, using the Provider Type drop-down, select Service Provider.

  5. Click Generate. This creates metadata for the service provider.

  6. Repeat Steps 4 and 5 to generate metadata for the identity provider.

4.3.2 Register the Providers

  1. Locate the Oracle Identity Federation instance in Fusion Middleware Control.

  2. Navigate to Administration, then Federations.

  3. Click Add. The Add Trusted Provider dialog appears.

  4. Check the Load Metadata box.

  5. Click Choose File, and select the metadata file you generated for the IdP in Section 4.3.1, "Generated Provider Metadata".

  6. Repeat the procedure to load metadata for the SP.

    Both providers now appear in the list of trusted providers.

4.3.3 Configure Data Store

  1. Locate the Oracle Identity Federation instance in Fusion Middleware Control.

  2. Navigate to Administration, then Data Stores.

  3. Specify the details of the user data store.

4.3.4 Configure the Authentication Engine

In this task, the authentication engine is configured to point to a user data store, enabling Oracle Identity Federation to validate users against that store.

  1. Locate the Oracle Identity Federation instance in Fusion Middleware Control.

  2. Navigate to Administration, then Authentication Engines.

  3. In the Default Authentication Engine drop-down, select LDAP Directory.

  4. Enter the user data store that was configured in the previous task, Section 4.3.3, "Configure Data Store".

4.3.5 Set the Default Identity Provider

This task sets the IdP that was created in an earlier task as the default IdP.

  1. Locate the Oracle Identity Federation instance in Fusion Middleware Control.

  2. Navigate to Administration, then Service Provider.

  3. Check the Enable Service Provider box.

  4. For Default SSO Identity Provider, specify the IdP set up in Section 4.3.2, "Register the Providers".

  5. Click Apply.

4.3.6 Configure Oracle Identity Federation in SP Mode

Having generated the IdP/SP metadata and registered those modules, the final task of configuring Oracle Identity Federation for the integration is to provide the Oracle Access Manager server details, so that Oracle Identity Federation can send assertion tokens and direct session management to Oracle Access Manager.

The steps to achieve this are as follows:

  1. Locate the Oracle Identity Federation instance in Fusion Middleware Control.

  2. Navigate to Administration, then Service Provider Integration Modules.

  3. Select the Oracle Single Sign-On tab.

  4. Configure the page as follows:

    • In the Default SP Integration Module drop-down, select Oracle Single Sign On.

    • Check the Enable SP Module box.

    • Configure these URLs:

      Login URL  :  http://oam_host:oam_port/ngam/server/dap/cred_submit
      Logout URL :  http://oam_host:oam_port/ngam/server/logout

      where oam_host and oam_port are the host and port number of the Oracle Access Manager server respectively.

  5. Click Regenerate.

    This action generates a keystore file that contains the keys used to encrypt and decrypt the tokens that are exchanged between the Oracle Access Manager and Oracle Identity Federation servers.

  6. Copy the keystore file to a location within the installation directory of Oracle Access Manager. Make a note of the location, since you will need to refer to it later.

4.4 Delegate Authentication to Oracle Identity Federation

As a result of performing the task in Section 4.2, "Register Oracle HTTP Server with Oracle Access Manager", clients seeking access to a protected resource are directed to Oracle Access Manager for authentication.

The final task in the integration procedure is to configure Oracle Access Manager to redirect the user to Oracle Identity Federation for authentication. The steps needed to achieve this are as follows:

  1. Log in to the Oracle Access Manager Admin Console.

  2. Select the Policy Configuration tab.

  3. Protect the resource by selecting 'OIFScheme' in the Authentication Scheme drop-down.

  4. Click Apply.

  5. Copy the keystore file to a directory under the middleware home in which the Oracle Access Manager server is installed.

  6. Use a WLST command to update the OIFDAP partner block in the oam-config.xml configuration file. The syntax is as follows:

    registerOIFDAPPartner(keystoreLocation=location of keystore file, logoutURL=logoutURL)

    where logoutURL is the Oracle Identity Federation logout URL to invoke when the Oracle Access Manager server logs out the user.

    For example:

    registerOIFDAPPartner(keystoreLocation="/home/pjones/keystore", logoutURL="http://abcdef0123.in.mycorp.com:1200/fed/user/spsloosso?doneURL=


To verify Step 6, examine the oam-config.xml file and confirm that the properties in the OIFDAPPartner block were updated with the keystore location and logout URL you supplied.

If the configuration is correct, a logout initiated from Oracle Access Manager should cause logout in Oracle Identity Federation.

4.5 Test the Configuration

You can test that the integration is correctly configured by taking these steps:

  1. Try accessing the protected resource.

  2. When set up correctly, you should be redirected to an Oracle Identity Federation login page.

  3. Enter valid credentials on the login page.


    The user should exist in both the Oracle Identity Federation Data Store and in the Oracle Access Manager Embedded LDAP store.
  4. Check that you are redirected to the protected page.

  5. Verify that the following cookies are created:

    OHS Cookie
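Step 5 can also be checked outside the browser by capturing the Set-Cookie headers returned during the login flow (for example from the browser's developer tools or a curl -D header dump). The following Python script is an added example and is not part of this documentation or of the Oracle products; the cookie names and header values it embeds are constructed placeholders to be replaced with the cookie names listed in Step 5. For each expected cookie it reports whether the cookie was set and whether the HttpOnly and Secure attributes are present. The OssoSecureCookies directive controls whether mod_osso marks its cookie Secure, so with it set to off, as in Section 4.2, the script flags the OHS cookie whenever the site is served over HTTPS.

```python
"""Added example (not from the Oracle documentation): audit the cookies
created during the OHS -> Oracle Access Manager -> Oracle Identity
Federation login flow, for Step 5 of the test procedure."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (path, domain, ...) to their
    string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attributes[key.strip().lower()] = value.strip() if value else True
    return name.strip(), attributes


def set_cookie_headers_from_dump(text):
    """Extract Set-Cookie values from a raw header dump such as curl -D output."""
    values = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookies(set_cookie_headers, expected_names, https):
    """Return {cookie name: [findings]} for each expected cookie.

    An empty findings list means the cookie was set with HttpOnly and,
    when the site is served over HTTPS, with the Secure attribute.
    """
    seen = dict(parse_set_cookie(h) for h in set_cookie_headers)
    report = {}
    for name in expected_names:
        if name not in seen:
            report[name] = ["not set"]
            continue
        attributes = seen[name]
        findings = []
        if "httponly" not in attributes:
            findings.append("missing HttpOnly")
        if https and "secure" not in attributes:
            findings.append("missing Secure")
        report[name] = findings
    return report


# Constructed sample data. The cookie names are placeholders for the
# cookies listed in Step 5, not names taken from the documentation.
EXPECTED_COOKIES = ["OHS_COOKIE", "OAM_COOKIE", "OIF_COOKIE"]
SAMPLE_HEADER_DUMP = """HTTP/1.1 302 Found
Set-Cookie: OHS_COOKIE=placeholder1; path=/; HttpOnly
Set-Cookie: OAM_COOKIE=placeholder2; path=/; domain=.example.com; Secure; HttpOnly
Location: https://ohs.example.com:4443/private/index.html
"""

if __name__ == "__main__":
    headers = set_cookie_headers_from_dump(SAMPLE_HEADER_DUMP)
    for name, findings in audit_cookies(headers, EXPECTED_COOKIES, https=True).items():
        print(f"{name}: {'ok' if not findings else ', '.join(findings)}")
```

Feed the script the concatenated header dumps from each hop of the login (OHS, Oracle Access Manager, Oracle Identity Federation), since each server sets its own cookie on a different response; a cookie reported as "not set" points at the hop whose session was never established.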