This chapter introduces the Identity Federation capabilities that are available within Oracle Access Management in 11g Release 2 (11.1.2) and that are configured from the Oracle Access Management Console.
The topics in this chapter presume some familiarity with identity federation. See "Federated Identity Management" for background and conceptual information.
The Oracle Identity Management framework supports two approaches to cross-domain single sign-on:
An Oracle Access Management Identity Federation server built into the Oracle Access Management Access Manager server (OAM Server). All configuration for the Identity Federation server is performed in the Oracle Access Management Console. This approach was introduced in 11g Release 2 (11.1.2) and is the subject of this document.
Note:
Only service provider functionality is present in this release.
Separate Oracle Identity Federation Release 1 (11.1.1) and Oracle Access Manager servers that you integrate to provide federation capabilities. Both servers must be configured and managed for this integration. This approach existed in 11g Release 1 (11.1.1) and continues to be available. For details about this approach, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
Note:
You cannot mix and match the above approaches, as each integration stands on its own. Choose the approach that best fits your installation. The current document is limited to describing the features in 11g Release 2 (11.1.2).
Some benefits of using the Identity Federation server with Access Manager in 11g Release 2 (11.1.2) are as follows:
It eliminates the need to install and maintain separate servers.
It simplifies post-install configuration of the federation features, particularly with the ability to access those features through the Oracle Access Management Console.
It improves the scalability of the two servers working together.
It provides enhanced diagnostics and troubleshooting.
From a functional perspective, the key building blocks for federated access in this scenario are as follows:
The user attempts to log in from a browser; the calls are ordinary HTTP requests.
The Access Manager server contains all the components needed to provide access management services in the federated context, including:
a credential collector
a federation authentication plugin
the federation engine to process assertions
a federation data cache
Oracle WebLogic Server hosts and provides key infrastructure services, including:
the authorization engine, which interacts with Oracle Entitlement Server
federation data including circle of trust details and other configuration
the Coherence map store
Data stores, including the identity store and Coherence database, maintain the identity data needed for authentication tasks.
This section describes key features available in Identity Federation with Access Manager.
Identity Federation operates in these modes:
Single Sign-On (SSO) mode
The server supports federated SSO acting as a Service Provider (SP). There are two variations to this mode:
In SP-initiated SSO, the federated SSO flow begins when the SP sends an authentication request to the IdP.
In IdP-initiated SSO, the IdP sends the SP an unsolicited assertion response (that is, in the absence of an authentication request from the SP).
Logout mode
Logout may be initiated from:
A remote federation partner
Access Manager protected applications
Note:
If an Administrator terminates a user session from the Oracle Access Management Console, the logout is not propagated to any remote identity providers involved in the session. Because the user's session at the IdP survives, a logged-out user could be automatically re-authenticated to Access Manager through Identity Federation.
Identity Federation supports the following federation protocols for Access Manager in 11g Release 2 (11.1.2):
Table 27-1 Supported Protocols
Protocol | Modes/Extensions | Bindings | NameID Formats
---|---|---|---
SAML 1.1 | Single Sign-On (SSO) | POST, Artifact | Email, SubjectDN, Kerberos, Windows, Unspecified, Custom
SAML 2.0 | SSO, Single Logout (SLO) | Redirect, POST, Artifact | Email, SubjectDN, Kerberos, Windows, Transient, Unspecified, Custom
OpenID 2.0 | Authentication/SSO, Attribute Exchange (AX), PAPE, UI Extension, Discovery/XRDS | Redirect, POST | Claimed Identifier
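The SP-initiated and IdP-initiated variations described under SSO mode differ in what the SP can correlate: in SP-initiated SSO the Response carries an InResponseTo that must match an AuthnRequest the SP actually issued, whereas an unsolicited Response has nothing to correlate and must be accepted on the strength of the assertion alone. The following Python script is an added example, not Oracle's code or part of this guide. It shows the correlation and validity checks an SP applies to a SAML 2.0 Response in each case. The entity IDs, timestamps and both Response documents are constructed for the demo, and XML signature verification is assumed to have already succeeded before this code runs.

```python
"""
Added example (not Oracle's code): correlation and validity checks an SP applies
to a SAML 2.0 Response, distinguishing SP-initiated SSO (Response answers an
AuthnRequest the SP issued) from IdP-initiated SSO (unsolicited Response).
XML signature verification is assumed to have already succeeded; not shown here.
Entity IDs, timestamps and the Response documents below are constructed.
"""
import datetime as dt
import xml.etree.ElementTree as ET  # in production parse with defusedxml to resist XML bombs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/oam/fed"   # assumed SP entity ID
TRUSTED_IDPS = {"https://idp.example.com"}         # assumed IdP partner entity ID


def _ts(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z into an aware datetime."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, now, outstanding, allow_unsolicited=True):
    """Return the subject of an acceptable Response, or raise ValueError.

    outstanding maps the IDs of AuthnRequests this SP issued (and has not yet
    received a Response for) to the entity ID of the IdP each was sent to.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_IDPS:
        raise ValueError("untrusted issuer %r" % issuer)

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated: nothing to correlate with, so accept only if the
        # partner is allowed to start SSO unsolicited.
        if not allow_unsolicited:
            raise ValueError("unsolicited Response rejected")
        mode = "idp-initiated"
    else:
        # SP-initiated: the ID must match a request sent to this very IdP.
        # pop() consumes it, so a replayed Response fails the second time.
        if outstanding.pop(in_response_to, None) != issuer:
            raise ValueError("InResponseTo does not match an outstanding request to %s" % issuer)
        mode = "sp-initiated"

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP returned a non-success status")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion not handled here)")
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        raise ValueError("assertion has no Conditions")
    not_before, not_on_or_after = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after is None or now >= _ts(not_on_or_after):
        raise ValueError("assertion expired or has no NotOnOrAfter")
    audiences = [a.text.strip() for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different audience")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    return {"mode": mode, "issuer": issuer,
            "name_id": name_id.text.strip(), "name_id_format": name_id.get("Format")}


# Constructed sample: a successful Response answering AuthnRequest "_req123".
SP_INITIATED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" InResponseTo="_req123">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/oam/fed</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The same Response without InResponseTo, as an IdP sends it unsolicited.
UNSOLICITED_RESPONSE = SP_INITIATED_RESPONSE.replace(' InResponseTo="_req123"', "")
NOW = dt.datetime(2024, 5, 1, 12, 0, 30, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    pending = {"_req123": "https://idp.example.com"}
    print(validate_response(SP_INITIATED_RESPONSE, NOW, pending))
    print(validate_response(UNSOLICITED_RESPONSE, NOW, {}))
    try:
        validate_response(SP_INITIATED_RESPONSE, NOW, pending)  # replay: _req123 already consumed
    except ValueError as err:
        print("rejected:", err)
```

The outstanding-request table is what makes SP-initiated SSO the stronger of the two flows: a Response is accepted once, for the IdP it was requested from, and then the request ID is gone. Unsolicited Responses have no such anchor, so the audience and NotOnOrAfter checks, and the per-partner decision whether to allow unsolicited SSO at all, carry the whole load.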
Identity Federation supports the Access Manager common user store and provides multi-ID store support.
Federation data stores for persistent account linking data are not supported.
After Identity Federation, acting as SP, validates the SAML assertion created by the IdP partner, it can map the assertion to the local user in one of three ways:
by mapping the SAML subject to the UserID attribute (uid).
by mapping the SAML subject to another specified user record attribute.
by mapping one or more attributes contained in the SAML assertion AttributeStatement element, or the SAML subject, using an LDAP query. You must configure both the SAML attribute name and the user record attribute to which it is mapped.
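The following Python script is an added example, not Oracle's code or part of this guide. It shows how each of the three mapping modes above turns a validated assertion into a lookup against the user store, and why two checks matter in practice: values taken from the assertion are escaped before they reach an LDAP filter, and the lookup is refused unless it yields exactly one record. The directory records, attribute names, the assertion contents and the "$subject" marker are all constructed; a real deployment would run the generated filter against the identity store instead of the in-memory list used here.

```python
"""
Added example (not Oracle's code): mapping a validated SAML assertion to a
local user record in the three modes described above. Directory records,
attribute names, assertion contents and the "$subject" marker are constructed.
"""

# Constructed identity-store records (a subset of inetOrgPerson attributes).
DIRECTORY = [
    {"uid": "alice", "mail": "alice@example.com", "employeeNumber": "1001", "o": "Example Corp"},
    {"uid": "bob", "mail": "bob@example.com", "employeeNumber": "1002", "o": "Example Corp"},
    {"uid": "alice2", "mail": "alice@partner.example", "employeeNumber": "2001", "o": "Partner"},
]

# Constructed view of a validated assertion: the Subject NameID plus the
# AttributeStatement as {Name: [AttributeValue, ...]}.
ASSERTION = {
    "name_id": "alice@example.com",
    "attributes": {"mail": ["alice@example.com"], "employeeId": ["1001"], "org": ["Example Corp"]},
}

SUBJECT = "$subject"  # assumed marker meaning "use the SAML subject NameID" in a mapping


def ldap_escape(value):
    """RFC 4515 escaping: an assertion-supplied value can never add or close a filter clause."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(criteria):
    """Render {ldap_attr: value} as an LDAP search filter (AND of equality matches)."""
    clauses = "".join("(%s=%s)" % (attr, ldap_escape(val)) for attr, val in criteria.items())
    return clauses if len(criteria) == 1 else "(&%s)" % clauses


def map_by_subject_uid(assertion):
    """Mode 1: SAML subject -> uid."""
    return {"uid": assertion["name_id"]}


def map_by_subject_attribute(assertion, ldap_attr):
    """Mode 2: SAML subject -> another configured user-record attribute."""
    return {ldap_attr: assertion["name_id"]}


def map_by_attributes(assertion, mapping):
    """Mode 3: one or more assertion attributes (or the subject) -> user-record attributes.

    mapping is {saml_attribute_name_or_SUBJECT: ldap_attr}. Every configured
    attribute must be present with exactly one value; otherwise the lookup is
    ambiguous and the login is refused rather than mapped to a guessed record.
    """
    criteria = {}
    for saml_name, ldap_attr in mapping.items():
        values = [assertion["name_id"]] if saml_name == SUBJECT else assertion["attributes"].get(saml_name, [])
        if len(values) != 1:
            raise ValueError("assertion attribute %r must have exactly one value" % saml_name)
        criteria[ldap_attr] = values[0]
    return criteria


def resolve_user(directory, criteria):
    """Apply the criteria in memory; exactly one record must match or federated login fails."""
    matches = [r for r in directory
               if all(r.get(attr, "").lower() == val.lower() for attr, val in criteria.items())]
    if len(matches) != 1:
        raise LookupError("expected exactly one user for %s, found %d"
                          % (build_filter(criteria), len(matches)))
    return matches[0]


if __name__ == "__main__":
    print(build_filter(map_by_subject_uid(ASSERTION)))
    print(resolve_user(DIRECTORY, map_by_subject_attribute(ASSERTION, "mail"))["uid"])
    crit = map_by_attributes(ASSERTION, {"employeeId": "employeeNumber", "org": "o", SUBJECT: "mail"})
    print(build_filter(crit), "->", resolve_user(DIRECTORY, crit)["uid"])
    # A hostile NameID is escaped, not interpreted, so it matches nothing.
    hostile = {"name_id": "*)(uid=*", "attributes": {}}
    print(build_filter(map_by_subject_uid(hostile)))
```

Mode 3 is the one to reach for when the IdP's NameID is transient or not unique in the local store: combining several attributes narrows the match, and insisting on exactly one result prevents a partner's assertion from being silently linked to the wrong account.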
This architecture leverages the Oracle Fusion Middleware platform for the Credential Store Framework (CSF).
About use of Credential Store Framework (CSF)
Identity Federation uses CSF to securely store keystore passwords, as well as server credentials such as HTTP Basic Authentication usernames and passwords.
Access Manager with Identity Federation is administered with a combination of:
Oracle Access Management Console
Use the console to enable the Identity Federation service, manage Identity Provider (IdP) partners, and work with federated authentication schemes and policies.
Oracle WebLogic Scripting Tool (WLST) command-line tools
Use the WLST utilities to manage additional server and partner configuration properties.
For details, refer to the remaining sections in this chapter, and subsequent chapters in this part of the book.
The Oracle Access Management Console enables Administrators to manage configuration related to the server's federation service and partners. Table 27-2 summarizes the types of information that you can configure within Oracle Access Management Console for Identity Federation.
Table 27-2 Identity Federation Configuration in Oracle Access Management Console
Element | Description and Location in this Book
---|---
Federation Administrators | Administrators who can manage federated partners and related configuration. See "Introduction to the Oracle Access Management Console and Controls".
Federation Service | Enable and disable the Identity Federation service in Access Manager. See "Managing the Federation Service".
Federation Settings | Manage basic Identity Federation service configuration properties. See Chapter 29, "Managing Settings for Identity Federation Using Oracle Access Management Console".
Identity Providers for Federation | Manage federation IdP partners. See "Managing Identity Provider Partners for Federation".
Authentication Schemes and Modules for Federation | Manage federation authentication schemes. See "Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2)".
Policies for Use with Federation | Manage policies for use with federation partners. See "Managing Access Manager Policies for Use with Identity Federation".
Table 27-3 outlines the tasks required to implement identity federation using the Oracle Access Management Console.
Table 27-3 Integration of Identity Federation and Access Manager 11g Release 2 (11.1.2)
Task | Reference
---|---
Enable the Identity Federation service. |
Configure federation settings. |
Identify the IdP partner and configure attributes for the partner. |
Configure an authentication or authorization policy. |
Protect a resource with this policy. |
Identity Federation is an authentication module in Oracle Access Management. To use Identity Federation, both the Access Manager service and the Identity Federation service must be enabled.
Figure 27-1 illustrates the Available Services page in Oracle Access Management Console. Use this page to enable Identity Federation service together with the Access Manager service.
To manage the Identity Federation service with Access Manager
Log in to the Oracle Access Management Console as usual:
https://hostname:port/oamconsole/
From the Welcome page, under Configuration, click Available Services.
Enable Identity Federation: Click Enable beside Identity Federation (or confirm that the green Status check mark displays).
Enable Access Manager: Click Enable beside Access Manager (or confirm that the green Status check mark displays).