9 Configuring Oracle Identity Federation

This chapter explains how to configure Oracle Identity Federation (OIF).

9.1 Using the Information in This Chapter

Oracle Identity Federation deployments vary greatly. As described in the following topics, there are several components, and several options for those components, that comprise an Oracle Identity Federation deployment.

Use this chapter as a starting point for your Oracle Identity Federation deployment, as it does not describe every possible installation and configuration. You should also use the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, which provides additional and detailed deployment information, to supplement the information in this chapter.

9.2 Understanding OIF Deployments

When you configure Oracle Identity Federation 11g Release 1 (11.1.1), a WebLogic Managed Server is created and the Oracle Identity Federation J2EE application is installed on it. If you configure Oracle Identity Federation in a new Oracle WebLogic Server administration domain by selecting the Create Domain option, the Fusion Middleware Control management component is also deployed.

Oracle Identity Federation functionality depends on several components and modules. You can integrate and configure these components and modules during or after the Oracle Identity Federation installation.

The following is a list and brief description of some of the components and modules that determine Oracle Identity Federation functionality. Refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation for complete information.

  • Authentication Engine: The module that challenges users when they log in.

  • User Data Store: The repository containing the identity information of the users the Oracle Identity Federation system authenticates.

  • Federation Data Store: The repository containing federated user account linking data.

  • Service Provider (SP) Integration Engine: The module that creates a local authenticated session for the user based on a received federated Single Sign-On (SSO) token.

  • User Session Store and Message Store: The repository containing transient runtime session state data and protocol messages.

  • Configuration Data Store: The repository containing Oracle Identity Federation configuration data.

9.3 Understanding OIF Basic and Advanced Deployments

There are two types of Oracle Identity Federation 11g Release 1 (11.1.1) deployments: Basic and Advanced. This topic describes both types of deployments.

9.3.1 Basic Deployment

The Basic deployment includes Oracle Identity Federation with minimum functionality enabled and the following configuration:

  • No User Data Store

  • No Federation Store

  • JAAS Authentication Engine

  • Test Service Provider (SP) Engine

  • Memory Session Data Store

  • Memory Message Data Store

  • XML file system Configuration Store

9.3.2 Advanced Deployments

An Advanced deployment allows you to choose between different types of data stores and authentication engines. The following list describes the types of data stores and authentication engines you can choose during an Advanced installation:

Authentication Engine
  • JAAS: Delegates authentication to the application server.

  • LDAP: Uses form login and LDAP bind with credentials supplied by user to authenticate against LDAP repository.

User Data Store
  • None: No User Data Store. Typically used with Custom or JAAS Authentication Engines, environments without user attributes, or Windows CardSpace.

  • LDAP: Typical configuration that stores user data in an LDAP repository.

  • RDBMS: Uses database tables with user names (and optionally user attributes) in columns.

Federation Data Store
  • None: No Federation Data Store. Typically used when no persistent account-linking records are needed, which is the case when the name identifier exchanged with partners is derived from a user attribute (e-mail address, X.509 subject DN, Kerberos principal name, or Windows domain qualified name) rather than being a persistent opaque identifier that must be mapped to a local account.

  • LDAP: Stores federation records in an LDAP repository. Commonly deployed when the User Data Store is also LDAP.

  • RDBMS: Stores federation records in a relational database repository. Commonly deployed when the User Data Store is also RDBMS.

  • XML: Stores federation data in an XML file system. Commonly used for testing purposes.

User Session Store and Message Store
  • Memory: Stores transient runtime session state data and protocol messages in in-memory tables. Commonly used for single-instance deployments. Memory provides better performance than the RDBMS User Session Store but increases runtime memory requirements, and because the state lives only in that instance's JVM it is lost on restart and is not shared with other cluster members.

  • RDBMS: Stores transient runtime session state data and protocol messages in a relational database. Recommended for High Availability cluster environments.

Note:

User Session Store and Message Store appear in the Installer as separate configuration items, however, most deployments use the same type of repository for both stores.

Configuration Data Store
  • File System: Stores Oracle Identity Federation configuration data on the local file system. Commonly used in single-instance and testing environments.

  • RDBMS: Stores Oracle Identity Federation configuration data in a relational database. Commonly used in High Availability environments or single-instances with failover redundancy.
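The LDAP authentication engine described above searches the directory for the user and then binds as the entry it found, using the Base DN, Person Object Class, User Credential ID Attribute and User Unique ID Attribute that the Advanced wizard asks for on its Specify Authentication LDAP Details screen. The following Python script is an added example of that search-then-bind flow, not Oracle's implementation: the directory entries, names and passwords in it are constructed, and the InMemoryDirectory class is a stand-in for a real LDAP server so that the script runs offline. It shows two checks a hardened engine needs that the prose only implies: the login name is escaped before it is spliced into the search filter, and a search that returns anything other than exactly one person entry is treated as a failure.

```python
"""Search-then-bind flow of the LDAP Authentication Engine, driven by the values
from the wizard's "Specify Authentication LDAP Details" screen. Added example,
not Oracle code: InMemoryDirectory is a constructed stand-in for a real server."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthLdapConfig:
    base_dn: str              # Base DN: subtree the user search starts from
    person_object_class: str  # Person Object Class, e.g. inetOrgPerson or user
    credential_id_attr: str   # User Credential ID Attribute: what the user types
    unique_id_attr: str       # User Unique ID Attribute: what the engine emits


def escape_filter_value(value):
    """RFC 4515 escaping: the login name is user-controlled text spliced into a
    search filter, and an unescaped '*' would match every person entry."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def build_user_filter(cfg, login):
    # The object-class term keeps groups or shared mailboxes that carry the
    # same attribute value out of the result.
    return '(&(objectClass=%s)(%s=%s))' % (
        cfg.person_object_class, cfg.credential_id_attr, escape_filter_value(login))


class InMemoryDirectory:
    """Understands only the filter shape build_user_filter() produces, but with
    real LDAP semantics: an unescaped '*' is a wildcard, '\\xx' is a literal."""
    _FILTER = re.compile(r'^\(&\(objectClass=([^)]+)\)\(([^=]+)=(.*)\)\)$')

    def __init__(self, entries, passwords):
        self.entries = entries      # {dn: {attribute: [values]}}
        self.passwords = passwords  # {dn: password}; a real server stores hashes

    @staticmethod
    def _value_matcher(raw):
        pattern = ''
        for tok in re.findall(r'\\[0-9a-fA-F]{2}|\*|[^\\*]+', raw):
            if tok == '*':
                pattern += '.*'
            else:
                pattern += re.escape(chr(int(tok[1:], 16)) if tok[0] == '\\' else tok)
        return re.compile('^' + pattern + '$', re.IGNORECASE).match

    def search(self, base_dn, ldap_filter):
        m = self._FILTER.match(ldap_filter)
        if not m:
            raise ValueError('unsupported filter: ' + ldap_filter)
        object_class, attr, raw_value = m.groups()
        matches = self._value_matcher(raw_value)
        return [(dn, e) for dn, e in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and object_class in e.get('objectClass', [])
                and any(matches(v) for v in e.get(attr, []))]

    def bind(self, dn, password):
        return bool(password) and self.passwords.get(dn) == password


def authenticate(directory, cfg, login, password):
    """Returns the User Unique ID value on success, else None. That value goes to
    the User Data Store, so it must agree with the store's User ID Attribute."""
    if not password:
        # RFC 4513 5.1.2: DN plus empty password is an *unauthenticated* bind,
        # which many servers accept; never send it.
        return None
    found = directory.search(cfg.base_dn, build_user_filter(cfg, login))
    if len(found) != 1:
        # 0: unknown user. >1: the credential attribute is not unique, which
        # the wizard requires; refuse rather than pick one.
        return None
    dn, entry = found[0]
    if not directory.bind(dn, password):
        return None
    unique_ids = entry.get(cfg.unique_id_attr, [])
    return unique_ids[0] if len(unique_ids) == 1 else None


# Constructed sample directory; the group entry reuses Jane's address to show
# why the filter must carry the person object class.
DIRECTORY = InMemoryDirectory(
    entries={
        'cn=Jane Doe,cn=Users,dc=example,dc=com': {'objectClass': ['inetOrgPerson'],
                                                  'uid': ['jdoe'], 'mail': ['jane.doe@example.com']},
        'cn=John Roe,cn=Users,dc=example,dc=com': {'objectClass': ['inetOrgPerson'],
                                                  'uid': ['jroe'], 'mail': ['john.roe@example.com']},
        'cn=Helpdesk,cn=Groups,dc=example,dc=com': {'objectClass': ['groupOfNames'],
                                                   'mail': ['jane.doe@example.com']},
    },
    passwords={'cn=Jane Doe,cn=Users,dc=example,dc=com': 'correct horse',
               'cn=John Roe,cn=Users,dc=example,dc=com': 'battery staple'})

CONFIG = AuthLdapConfig(base_dn='dc=example,dc=com', person_object_class='inetOrgPerson',
                        credential_id_attr='mail', unique_id_attr='uid')
```

With this configuration, authenticate(DIRECTORY, CONFIG, 'jane.doe@example.com', 'correct horse') returns 'jdoe', the value the User Data Store is then asked for. A login of '*' fails, because it is escaped to '\2a' and matches nothing, whereas the unescaped filter '(&(objectClass=inetOrgPerson)(mail=*))' would match every person in the directory. An empty password is rejected before any bind is attempted: a bind with a DN and an empty password is an unauthenticated bind that many servers report as success, which is the classic way an LDAP login form is bypassed.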

9.4 Configuring Oracle HTTP Server for OIF

When you install Oracle Identity Federation (OIF), Oracle HTTP Server also gets installed. Oracle HTTP Server is required when using Oracle Identity Federation for enterprise level single sign-on with Oracle Single Sign-On and Oracle Access Manager. Although Oracle Identity Federation can function without Oracle HTTP Server, there are advantages to configuring it as a proxy for Oracle Identity Federation.

To make the Oracle Identity Federation application reachable through Oracle HTTP Server ports, you can either select Oracle HTTP Server together with Oracle Identity Federation in the Oracle Identity Management Configuration Wizard, or configure an existing Oracle HTTP Server afterwards to proxy requests to the Oracle Identity Federation managed server.

See:

The "Deploying Oracle Identity Federation with Oracle HTTP Server" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation for more information about integrating Oracle Identity Federation and Oracle HTTP Server.
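The proxy configuration that the referenced section describes amounts to routing the Oracle Identity Federation context root, /fed, to the managed server through the mod_wl_ohs plug-in. The following fragment is an added example, not text from this guide or from Oracle's shipped configuration files; the host name, the managed-server port 7499 and the fact that Oracle HTTP Server terminates TLS are assumptions to replace with the values your installation uses. It would normally go into the mod_wl_ohs.conf of the Oracle HTTP Server instance.

```apache
# Assumed: OIF managed server listening on oifhost.example.com:7499 and
# TLS terminated by Oracle HTTP Server in front of it.
<Location /fed>
    SetHandler weblogic-handler
    WebLogicHost oifhost.example.com
    WebLogicPort 7499
    # OHS terminates TLS; tell WebLogic the request arrived over HTTPS so
    # that OIF builds https:// URLs in its redirects and metadata.
    WLProxySSL ON
</Location>
```

Two consequences follow from fronting Oracle Identity Federation this way. First, the server URL that Oracle Identity Federation advertises (and therefore the endpoints in the metadata it hands to partners) must name the Oracle HTTP Server host and port rather than the managed server's, which you set in Fusion Middleware Control after the installation. Second, WebLogic trusts the WL-Proxy-* headers the plug-in adds, so the managed server port should be reachable only from the Oracle HTTP Server hosts; a client that can connect to it directly could otherwise present itself as having arrived over HTTPS or from a source address of its choosing.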

9.5 Performing Basic Oracle Identity Federation Configurations

This topic describes how to perform a Basic Oracle Identity Federation (OIF) configuration.

9.5.1 Appropriate Deployment Environment

The Basic Oracle Identity Federation configuration is appropriate for:

  • Creating a base to gradually build complex implementations upon after installation

  • Deploying test environments

  • Deploying small, self-contained configurations

9.5.2 Components Deployed

Performing the Basic Oracle Identity Federation configuration deploys the following components:

If you install Oracle Identity Federation in a new domain: 

  • WebLogic Managed Server

  • Oracle Identity Federation

  • WebLogic Administration Server

  • Fusion Middleware Control

  • Optionally, Oracle HTTP Server

If you install Oracle Identity Federation in an existing domain: 

  • WebLogic Managed Server

  • Oracle Identity Federation

  • Optionally, Oracle HTTP Server

9.5.3 Dependencies

The Basic Oracle Identity Federation configuration depends on Oracle WebLogic Server.

9.5.4 Procedure

Perform the following steps to deploy a Basic Oracle Identity Federation configuration:

  1. Ensure that Oracle Identity Federation is installed, as described in Installation Roadmap and Installing Oracle Identity Management Using "Install and Configure" Option.

  2. Run <ORACLE_HOME>/bin/config.sh (on UNIX) or <ORACLE_HOME>\bin\config.bat (on Windows) to start the Oracle Identity Management Configuration Wizard. Click Next to continue.

  3. On the Select Domain screen, choose whether to configure Oracle Identity Federation in a new or existing domain:

    To configure Oracle Identity Federation in a new domain: 

    1. Select Create New Domain.

    2. Enter the user name for the new domain in the User Name field.

    3. Enter the user password for the new domain in the User Password field.

      Enter the user password again in the Confirm Password field.

    4. Enter a name for the new domain in the Domain Name field.

    5. Click Next. The Specify Installation Location screen appears.

    Continue the installation by going to step 4 now.

    To configure Oracle Identity Federation in an existing domain: 

    1. Select Extend Existing Domain.

    2. Enter the name of the host that contains the domain in the Host Name field.

    3. Enter the listen port for the WebLogic Administration Server in the Port field.

    4. Enter the user name for the domain in the User Name field.

    5. Enter the password for the domain user in the User Password field.

    6. Click Next. The Specify Installation Location screen appears.

  4. Identify the Homes, Instances, and the WebLogic Server directory by referring to Section 2.6, "Identifying Installation Directories".

    Note:

    To configure Oracle Identity Management components in an existing Oracle WebLogic Server administration domain, each Oracle WebLogic Server Home, Oracle Middleware Home, and Oracle Home directory in the domain must have identical directory paths and names.

    After you enter information for each field, click Next. The Specify Security Updates screen appears.

  5. Choose how you want to be notified about security issues:

    • If you want to be notified about security issues through email, enter your email address in the Email field.

    • If you want to be notified about security issues through My Oracle Support (formerly MetaLink), select the My Oracle Support option and enter your My Oracle Support Password.

    • If you do not want to be notified about security issues, leave all fields empty.

    Click Next. The Configure Components screen appears.

  6. Select Oracle Identity Federation—and optionally, Oracle HTTP Server. Refer to "Configuring Oracle HTTP Server for OIF" for information about configuring these two components simultaneously.

    If you are installing Oracle Identity Federation in a new domain, the Fusion Middleware Control management component is automatically selected for installation.

    Ensure no other components are selected and click Next. The Configure Ports screen appears.

  7. Choose how you want the Installer to configure ports:

    • Select Auto Port Configuration if you want the Installer to configure ports from a predetermined range.

    • Select Specify Ports using Configuration File if you want the Installer to configure ports using the staticports.ini file. You can click View/Edit File to update the settings in the staticports.ini file.

    Click Next. The Select Oracle Identity Federation Configuration Type screen appears.

  8. Select Basic and click Next. The Specify OIF Details screen appears.

  9. Enter the following information:

    • PKCS12 Password: Enter the password that protects the PKCS#12 wallets (keystores) holding the signing and encryption keys Oracle Identity Federation uses for federation messages. The Installer generates these wallets with self-signed certificates; Oracle recommends using them only for testing. Replace them with certificates from a CA your partners trust before exchanging metadata with production partners, and handle the password as a key-protecting secret.

    • Confirm Password: Enter the PKCS12 password again.

    • Server ID: Enter a string that will be used to identify this Oracle Identity Federation instance. A prefix of oif will be added to the beginning of the string you enter. Each logical Oracle Identity Federation instance within an Oracle WebLogic Server administration domain must have a unique Server ID. Clustered Oracle Identity Federation instances acting as a single logical instance will have the same Server ID.

    Click Next.

  10. The Installation Summary screen appears. Verify the information on this screen. Click Configure to begin the configuration.

  11. The Configuration Progress screen appears. Click Next to continue.

  12. The Installation Complete screen appears. Click Save to save the configuration information to a file, and then click Finish to exit the installer.

9.6 Performing Advanced Oracle Identity Federation Configurations

This topic generally describes how to perform an Advanced Oracle Identity Federation (OIF) configuration. Refer to the next two topics in this chapter for information on performing specific Advanced Oracle Identity Federation configurations.

9.6.1 Appropriate Deployment Environment

The Advanced Oracle Identity Federation configuration provides a fast and simplified method for deploying Oracle Identity Federation with its vital components integrated and configured.

9.6.2 Components Deployed

Performing the Advanced Oracle Identity Federation configuration deploys the following components:

If you configure Oracle Identity Federation in a new domain: 

  • WebLogic Managed Server

  • Oracle Identity Federation

  • WebLogic Administration Server

  • Fusion Middleware Control

  • Optionally, Oracle HTTP Server

If you configure Oracle Identity Federation in an existing domain: 

  • WebLogic Managed Server

  • Oracle Identity Federation

  • Optionally, Oracle HTTP Server

9.6.3 Dependencies

The Advanced Oracle Identity Federation configuration depends on the following components:

  • Oracle WebLogic Server

  • Oracle Database, if using RDBMS for User Store, Federation Store, Session Store, Message Store, or Configuration Store.

  • New Identity Management - Oracle Identity Federation schema existing in the database, if using RDBMS for Federation Store, Session Store, Message Store, or Configuration Store.

  • Database table for storing user data, if using RDBMS for User Store.

  • LDAP repository, if using LDAP for Authentication, User Store, or Federation Store.

9.6.4 Procedure

Perform the following steps to deploy an Advanced Oracle Identity Federation configuration:

  1. Decide if you want to use RDBMS for User Store, Federation Store, Session Store, Message Store, or Configuration Store. If you do, perform the following steps a and b.

    a. Install the database for Oracle Identity Federation. Refer to Installing Oracle Database for more information.

    b. Create the Identity Management - Oracle Identity Federation schema in the database. Refer to "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)" for more information.

      Note:

      The schema is not required for RDBMS User Stores.

  2. Decide if you want to use an LDAP repository for Authentication, User Store, or Federation Store. If you do, you must install the LDAP repository before you can install Oracle Identity Federation.

  3. Ensure that Oracle Identity Federation is installed, as described in Installation Roadmap and Installing Oracle Identity Management Using "Install and Configure" Option.

  4. Run <ORACLE_HOME>/bin/config.sh (on UNIX) or <ORACLE_HOME>\bin\config.bat (on Windows) to start the Oracle Identity Management Configuration Wizard. Click Next to continue.

  5. On the Select Domain screen, choose whether to configure Oracle Identity Federation in a new or existing domain:

    To configure Oracle Identity Federation in a new domain: 

    1. Select Create New Domain.

    2. Enter the user name for the new domain in the User Name field.

    3. Enter the user password for the new domain in the User Password field.

    4. Enter the user password again in the Confirm Password field.

    5. Enter a name for the new domain in the Domain Name field.

    6. Click Next. The Specify Installation Location screen appears.

    Continue the installation by going to step 6 now.

    To configure Oracle Identity Federation in an existing domain: 

    1. Select Extend Existing Domain.

    2. Enter the name of the host that contains the domain in the Host Name field.

    3. Enter the listen port for the WebLogic Administration Server in the Port field.

    4. Enter the user name for the domain in the User Name field.

    5. Enter the password for the domain user in the User Password field.

    6. Click Next. The Specify Installation Location screen appears.

  6. Identify the Homes, Instances, and the WebLogic Server directory by referring to Section 2.6, "Identifying Installation Directories".

    Note:

    To install Oracle Identity Management components in an existing Oracle WebLogic Server administration domain, each Oracle WebLogic Server Home, Oracle Middleware Home, and Oracle Home directory in the domain must have identical directory paths and names.

    After you enter information for each field, click Next. The Specify Security Updates screen appears.

  7. Choose how you want to be notified about security issues:

    • If you want to be notified about security issues through email, enter your email address in the Email field.

    • If you want to be notified about security issues through My Oracle Support (formerly MetaLink), select the My Oracle Support option and enter your My Oracle Support Password.

    • If you do not want to be notified about security issues, leave all fields empty.

    Click Next. The Configure Components screen appears.

  8. Select Oracle Identity Federation—and optionally, Oracle HTTP Server. Refer to "Configuring Oracle HTTP Server for OIF" for information about configuring these two components simultaneously.

    If you are installing Oracle Identity Federation in a new domain, the Fusion Middleware Control management component is automatically selected for installation.

    Ensure no other components are selected and click Next. The Configure Ports screen appears.

  9. Choose how you want the Installer to configure ports:

    • Select Auto Port Configuration if you want the Installer to configure ports from a predetermined range.

    • Select Specify Ports using Configuration File if you want the Installer to configure ports using the staticports.ini file. You can click View/Edit File to update the settings in the staticports.ini file.

    Click Next. The Select Oracle Identity Federation Configuration Type screen appears.

  10. Select Advanced and click Next. The Specify OIF Details screen appears.

  11. Enter the following information:

    • PKCS12 Password: Enter the password that protects the PKCS#12 wallets (keystores) holding the signing and encryption keys Oracle Identity Federation uses for federation messages. The Installer generates these wallets with self-signed certificates; Oracle recommends using them only for testing. Replace them with certificates from a CA your partners trust before exchanging metadata with production partners, and handle the password as a key-protecting secret.

    • Confirm Password: Enter the PKCS12 password again.

    • Server ID: Enter a string that will be used to identify this Oracle Identity Federation instance. A prefix of oif will be added to the beginning of the string you enter. Each logical Oracle Identity Federation instance within an Oracle WebLogic Server administration domain must have a unique Server ID. Clustered Oracle Identity Federation instances acting as a single logical instance will have the same Server ID.

    Click Next. The Select OIF Advanced Flow Attributes screen appears.

  12. Select the appropriate option for each configuration item and click Next.

    Note:

    User Session Store and Message Store appear in the Installer as separate configuration items, however, most deployments use the same type of repository for both stores.

    The screens that appear next depend on the options you selected on the Select OIF Advanced Flow Attributes screen. The following describes every screen that can appear; they are not listed in the order you will see them, and your installation may not show all of them. Enter information for the screens that apply and proceed to step 13.

    If you selected LDAP for Authentication Type, the Specify Authentication LDAP Details screen will appear. Enter the following information: 

    • LDAP Type: Select the appropriate LDAP repository.

    • LDAP URL: Enter the URL connection string for the LDAP repository in the form: protocol://hostname:port

      Note:

      If you selected Microsoft Active Directory for the LDAP Type, you must specify an SSL LDAP URL, that is, ldaps://hostname:port.

    • LDAP Bind DN: Enter the bind DN for the LDAP repository.

    • LDAP Password: Enter the password for the bind DN.

    • User Credential ID Attribute: Enter the LDAP attribute Oracle Identity Federation will use to authenticate users. For example, if you enter mail and the value of the mail attribute for a user is jane.doe@domain.com, then Jane Doe must enter jane.doe@domain.com when challenged. Values for the LDAP attribute you identify for User Credential ID Attribute must be unique for all users.

    • User Unique ID Attribute: Enter the LDAP attribute that will uniquely identify users to Oracle Identity Federation. The value you enter must be identical to the value you enter for the User Data Store's User ID Attribute parameter. For example, if you enter mail for User Unique ID Attribute and you configure the User Data Store's User ID Attribute parameter with a value of EmailAddress, then the value of mail in the authentication engine repository must equal the value of EmailAddress in the User Data Store. Values for the LDAP attribute you identify for User Unique ID Attribute must be unique for all users.

    • Person Object Class: Enter the LDAP object class that represents a user in the LDAP repository. For example: inetOrgPerson for Oracle Internet Directory and Sun Java System Directory Server, and user for Microsoft Active Directory.

    • Base DN: Enter the root DN that searches will start from.

    If you selected LDAP for User Store, the Specify LDAP Attributes for User Data Store screen will appear. Enter the following information: 

    • LDAP Type: Select the appropriate LDAP repository.

    • LDAP URL: Enter the URL connection string for the LDAP repository in the form: protocol://hostname:port

      Note:

      If you selected Microsoft Active Directory for the LDAP Type, you must specify an SSL LDAP URL, that is, ldaps://hostname:port.

    • LDAP Bind DN: Enter the bind DN for the LDAP repository.

    • LDAP Password: Enter the password for the bind DN.

    • User Description Attribute: Enter the readable LDAP attribute that will identify the owner of a federation record. For example: uid for Oracle Internet Directory and Sun Java System Directory Server, and sAMAccountName for Microsoft Active Directory.

    • User ID Attribute: Enter the LDAP attribute that will uniquely identify the user during authentication. For example: uid for Oracle Internet Directory and Sun Java System Directory Server, and sAMAccountName for Microsoft Active Directory.

    • Person Object Class: Enter the LDAP object class that represents a user in the LDAP repository. For example: inetOrgPerson for Oracle Internet Directory and Sun Java System Directory Server, and user for Microsoft Active Directory.

    • Base DN: Enter the root DN that searches will start from.

    If you selected RDBMS for User Store, the Specify User Store Database Details screen will appear. Enter the following information: 

    • HostName: Enter the connection string to the database host in the form: hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form: hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Username: Enter the database username.

    • Password: Enter the password for the database user.

    • Login Table: Enter the name of the table that will store user data. The value you enter must be a valid table name, and the values you enter for User ID Attribute and User Description Attribute must be valid column names in the table you identify.

    • User ID Attribute: Enter the name of the table column to use for the Oracle Identity Federation user ID. The value you enter must be a valid column name in the table you identified for the Login Table parameter.

    • User Description Attribute: Enter the name of the table column to use for the user description. The value you enter must be a valid column name in the table you identified for the Login Table parameter.

    If you selected LDAP for Federation Store, the Specify LDAP Attributes for Federation Data Store screen will appear. Enter the following information: 

    • LDAP Type: Select the appropriate LDAP repository.

    • LDAP URL: Enter the URL connection string for the LDAP repository in the form: protocol://hostname:port

      Note:

      If you selected Microsoft Active Directory for the LDAP Type, you must specify an SSL LDAP URL, that is, ldaps://hostname:port.

    • LDAP Bind DN: Enter the bind DN for the LDAP repository.

    • LDAP Password: Enter the password for the bind DN.

    • User Federation Record Context: Enter the location of the container where you want Oracle Identity Federation to store federation records. If the container you identify does not exist, it will be created at runtime. However, if you identify cn=example,dc=test,dc=com as the User Federation Record Context, dc=test,dc=com must exist in the LDAP repository.

    • LDAP Container Object Class: Optional. Enter the object class for the container that stores federation records. If this field is empty, the default value of applicationProcess is used.

    • Active Directory Domain: Appears only if you select Microsoft Active Directory for the LDAP Type. Enter the name of the Microsoft Active Directory domain.

    If you selected RDBMS for Federation Store, the Specify Federation Store Database Details screen will appear. Enter the following information: 

    • HostName: Enter the connection string to the database host in the form: hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form: hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Username: Enter the name of the schema owner created by RCU, which is of the form PREFIX_OIF.

    • Password: Enter the password for the database user.

    If you selected RDBMS for User Session Store, Message Store, or Configuration Store, the Specify Transient Store Database Details screen will appear. Enter the following information: 

    • HostName: Enter the connection string to the database host in the form: hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form: hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Username: Enter the name of the schema owner created by RCU, which is of the form PREFIX_OIF.

    • Password: Enter the password for the database user.

      Click Next.

  13. The Installation Summary screen appears. Verify the information on this screen. Click Configure to begin the configuration.

  14. The Configuration Progress screen appears. Click Next to continue.

  15. The Installation Complete screen appears. Click Save to save the configuration information to a file, and then click Finish to exit the installer.
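For an RDBMS User Store the wizard records only the HostName connect string and the names of the Login Table and its two columns; it does not create the table (the RCU schema is not needed for it) and it does not verify that the User ID column is actually unique, which the lookup depends on. The following Python script is an added example of a pre-flight check for those values, not Oracle code. It parses both connect-string forms given above, refuses table or column names that are not legal Oracle identifiers (the names are interpolated into SQL, so they must be validated before use), reports NULL or duplicate user IDs, and shows the shape of the runtime lookup with the user ID as a bind variable. The table names, rows and connect strings are constructed, and an in-memory SQLite database stands in for the Oracle login table; against Oracle the same SQL goes through cx_Oracle with ':1' bind variables instead of '?'.

```python
"""Pre-flight checks for an RDBMS User Store (the wizard's "Specify User Store
Database Details" screen). Added example, not Oracle code; an in-memory SQLite
database with constructed rows stands in for the Oracle login table."""
import re
import sqlite3

# Oracle unquoted identifier: a letter, then letters/digits/_/$/#, 30 chars in 11g.
IDENTIFIER = re.compile(r'^[A-Za-z][A-Za-z0-9_$#]{0,29}$')


def parse_connect_string(value):
    """Validates the HostName field. Returns (service_name, [(host, port, instance)]).
    Single instance:  hostname:port:servicename
    RAC:              host1:port1:inst1^host2:port2:inst2@servicename"""
    if '@' in value:
        nodes_part, service = value.rsplit('@', 1)
        raw_nodes = [node.split(':') for node in nodes_part.split('^')]
    else:
        host, port, service = value.split(':')
        raw_nodes = [[host, port, None]]
    nodes = []
    for host, port, instance in raw_nodes:
        port = int(port)
        if not host or not 0 < port < 65536 or instance == '':
            raise ValueError('malformed connect string: %r' % value)
        nodes.append((host, port, instance))
    if not service:
        raise ValueError('missing service name in %r' % value)
    return service, nodes


def check_login_table(conn, table, user_id_col, user_desc_col):
    """Returns a list of problems (empty means OK): identifiers must be legal
    because they are interpolated into SQL, the columns must be readable, and
    the User ID column must have no NULLs or duplicates since OIF keys users by it."""
    for name in (table, user_id_col, user_desc_col):
        if not IDENTIFIER.match(name):
            return ['illegal identifier %r' % name]
    try:
        conn.execute('SELECT %s, %s FROM %s WHERE 1 = 0' % (user_id_col, user_desc_col, table))
    except Exception as exc:  # sqlite3.OperationalError / cx_Oracle.DatabaseError
        return ['cannot read %s(%s, %s): %s' % (table, user_id_col, user_desc_col, exc)]
    problems = []
    (nulls,) = conn.execute('SELECT COUNT(*) FROM %s WHERE %s IS NULL'
                            % (table, user_id_col)).fetchone()
    if nulls:
        problems.append('%d rows with NULL %s' % (nulls, user_id_col))
    dups = conn.execute('SELECT %s, COUNT(*) FROM %s GROUP BY %s HAVING COUNT(*) > 1'
                        % (user_id_col, table, user_id_col)).fetchall()
    problems.extend('%s=%r appears %d times' % (user_id_col, v, n) for v, n in dups)
    return problems


def lookup_user(conn, table, user_id_col, user_desc_col, user_id):
    """The runtime lookup: identifiers come from validated configuration, the
    user id is a bind variable ('?' in SQLite, ':1' in the Oracle driver)."""
    row = conn.execute('SELECT %s FROM %s WHERE %s = ?' % (user_desc_col, table, user_id_col),
                       (user_id,)).fetchone()
    return row[0] if row else None


def demo_connection():
    """Constructed sample data: a clean login table and one with the two
    defects the checks are meant to catch."""
    conn = sqlite3.connect(':memory:')
    for table in ('OIF_USERS', 'OIF_USERS_BAD'):
        conn.execute('CREATE TABLE %s (USER_ID VARCHAR(64), DISPLAY_NAME VARCHAR(128))' % table)
    conn.executemany('INSERT INTO OIF_USERS VALUES (?, ?)',
                     [('jdoe', 'Jane Doe'), ('jroe', 'John Roe')])
    conn.executemany('INSERT INTO OIF_USERS_BAD VALUES (?, ?)',
                     [('jdoe', 'Jane Doe'), ('jdoe', 'Jane Doe (duplicate)'),
                      (None, 'orphan row')])
    return conn


if __name__ == '__main__':
    conn = demo_connection()
    print(parse_connect_string('rac1.example.com:1521:oif1^rac2.example.com:1521:oif2@oifsvc'))
    print(check_login_table(conn, 'OIF_USERS', 'USER_ID', 'DISPLAY_NAME'))
    print(check_login_table(conn, 'OIF_USERS_BAD', 'USER_ID', 'DISPLAY_NAME'))
    print(check_login_table(conn, 'OIF_USERS; DROP TABLE X', 'USER_ID', 'DISPLAY_NAME'))
```

Run it against the real login table with the database user you intend to give the wizard; if that user can do more than SELECT on the table, the check is also a good moment to reduce its grants, since the store only ever reads.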

9.7 Advanced Example: Configuring OIF with OID in a New WebLogic Domain for LDAP Authentication, User Store, and Federation Store

This section describes how to configure Oracle Identity Federation (OIF) with Oracle Internet Directory in a new WebLogic administration domain for LDAP Authentication, User Store, and Federation Store.

Note:

When you configure Oracle Identity Federation with Oracle Internet Directory, the Installer automatically configures connection, credential, attribute, and container settings using the Oracle Internet Directory configuration.

9.7.1 Appropriate Deployment Environment

Perform the configuration in this topic to quickly deploy Oracle Identity Federation with Oracle Internet Directory as the LDAP repository for Authentication, User Store, and Federation Store.

9.7.2 Components Deployed

Performing the configuration in this section deploys the following components:

  • WebLogic Managed Server

  • Oracle Identity Federation

  • Oracle Internet Directory

  • Oracle Directory Services Manager

  • WebLogic Administration Server

  • Fusion Middleware Control

  • Optionally, Oracle HTTP Server

9.7.3 Dependencies

The configuration in this section depends on the following components:

  • Oracle WebLogic Server

  • Oracle Database for Oracle Internet Directory

  • Identity Management - Oracle Internet Directory schema existing in the database for Oracle Internet Directory

  • Oracle Database for Oracle Identity Federation, if using RDBMS for Session Store, Message Store, or Configuration Store.

  • New Identity Management - Oracle Identity Federation schema existing in the database for Oracle Identity Federation, if using RDBMS for Session Store, Message Store, or Configuration Store.

9.7.4 Procedure

Perform the following steps to configure Oracle Identity Federation with Oracle Internet Directory in a new domain for LDAP Authentication, User Store, and Federation Store:

  1. Decide if you want to use RDBMS for Session Store, Message Store, or Configuration Store. If you do, perform the following steps a and b.

    a. Install the database for Oracle Identity Federation. Refer to Installing Oracle Database for more information.

    b. Create the Identity Management - Oracle Identity Federation schema in the database. Refer to Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU) for more information.

  2. Install the Oracle Database for Oracle Internet Directory. Refer to Installing Oracle Database for more information.

  3. Create the Identity Management - Oracle Internet Directory schema in the database for Oracle Internet Directory. Refer to "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)" for more information.

  4. Ensure that Oracle Identity Federation is installed, as described in Installation Roadmap and Installing Oracle Identity Management Using "Install and Configure" Option.

  5. Run <ORACLE_HOME>/bin/config.sh (on UNIX) or <ORACLE_HOME>\bin\config.bat (on Windows) to start the Oracle Identity Management Configuration Wizard. Click Next to continue.

  6. On the Select Domain screen, select Create New Domain and enter the following information:

    • User Name: Enter the user name for the new domain.

    • User Password: Enter the user password for the new domain.

      Enter the user password again in the Confirm Password field.

    • Domain Name: Enter a name for the new domain.

    Click Next. The Specify Installation Location screen appears.

  7. Identify the Homes, Instances, and the WebLogic Server directory by referring to Section 2.6, "Identifying Installation Directories". After you enter information for each field, click Next. The Specify Security Updates screen appears.

  8. Choose how you want to be notified about security issues:

    • If you want to be notified about security issues through email, enter your email address in the Email field.

    • If you want to be notified about security issues through My Oracle Support (formerly MetaLink), select the My Oracle Support option and enter your My Oracle Support Password.

    • If you do not want to be notified about security issues, leave all fields empty.

    Click Next. The Configure Components screen appears.

  9. Select Oracle Internet Directory, Oracle Identity Federation, and optionally, Oracle HTTP Server. Refer to "Configuring Oracle HTTP Server for OIF" for information about configuring Oracle HTTP Server with Oracle Identity Federation.

    The Oracle Directory Services Manager and Fusion Middleware Control management components are automatically selected for this installation.

    Ensure no other components are selected and click Next. The Configure Ports screen appears.

  10. Choose how you want the Installer to configure ports:

    • Select Auto Port Configuration if you want the Installer to configure ports from a predetermined range.

    • Select Specify Ports using Configuration File if you want the Installer to configure ports using the staticports.ini file. You can click View/Edit File to update the settings in the staticports.ini file.

    Click Next. The Specify Schema Database screen appears.

  11. Identify the ODS schema for Oracle Internet Directory that you created in step 3 by selecting Use Existing Schema and entering the following information:

    • Enter the database connection information in the Connect String field. The connection string must be in the form of hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form of hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Enter the password for the ODS schema in the Password field and click Next.

      Note:

      If your existing ODS and ODSSM schemas have different passwords, the Specify ODSSM Password screen will appear after you click Next. Enter the password for your existing ODSSM schema and click Next.

      The Create Oracle Internet Directory screen appears.

  12. Enter the following information for Oracle Internet Directory:

    • Realm: Enter the location for your realm.

    • Administrator Password: Enter the password for the Oracle Internet Directory Administrator.

    • Confirm Password: Enter the administrator password again.

    Click Next. The Specify OIF Details screen appears.

  13. Enter the following information:

    • PKCS12 Password: Enter the password Oracle Identity Federation will use for encryption and for signing wallets. The Installer automatically generates these wallets with self-signed certificates. Oracle recommends using the wallets only for testing.

    • Confirm Password: Enter the PKCS12 password again.

    • Server ID: Enter a string that will be used to identify this Oracle Identity Federation instance. A prefix of oif will be added to the beginning of the string you enter. Each logical Oracle Identity Federation instance within an Oracle WebLogic Server administration domain must have a unique Server ID. Clustered Oracle Identity Federation instances acting as a single logical instance will have the same Server ID.

    Click Next. The Select OIF Advanced Flow Attributes screen appears.

    Notes:

    • Notice that the options for Authentication Type, User Store and Federation Store are automatically set to LDAP because you are installing Oracle Internet Directory with Oracle Identity Federation.

    • The Installer sets the User Federation Record Context to cn=fed,BASE_REALM, where BASE_REALM is typically dc=myhost,dc=mycompany,dc=com.

  14. Select the appropriate option for each configuration item and click Next:

    Note:

    User Session Store and Message Store appear in the Installer as separate configuration items; however, most deployments use the same type of repository for both stores.

    • User Session Store: Memory or RDBMS

      • Select Memory to store transient runtime session state data in in-memory tables.

      • Select RDBMS to store transient runtime session state data in a relational database.

    • Message Store: Memory or RDBMS

      • Select Memory to store transient protocol messages in in-memory tables.

      • Select RDBMS to store transient protocol messages in a relational database.

    • Configuration Store: File or RDBMS

      • Select File to store Oracle Identity Federation configuration data on the local file system.

      • Select RDBMS to store Oracle Identity Federation configuration data in a relational database.

    Note:

    The screens that appear next depend on the options you selected for the configuration items.

    • If you selected RDBMS for User Session Store, Message Store, or Configuration Store, go to step 15 now.

    • If you did not select RDBMS for User Session Store, Message Store, or Configuration Store, go to step 16 now.

  15. Enter the following information on the Specify Transient Store Database Details screen:

    • HostName: Enter the connection string to the database host in the form: hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form: hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Username: Enter the name of the schema owner created by RCU, which is of the form PREFIX_OIF.

    • Password: Enter the password for the database user.

      Click Next.

  16. The Installation Summary screen appears. Verify the information on this screen. Click Configure to begin the configuration.

  17. The Configuration Progress screen appears. Click Next to continue.

  18. The Installation Complete screen appears. Click Save to save the configuration information to a file, and then click Finish to exit the installer.

9.8 Advanced Example: Configuring OIF in a New or Existing WebLogic Domain with RDBMS Data Stores

This topic describes how to configure Oracle Identity Federation (OIF) in a new or existing WebLogic administration domain with RDBMS data stores. It includes the following sections:

9.8.1 Appropriate Deployment Environment

Perform the configuration in this topic to quickly deploy Oracle Identity Federation with RDBMS User Store, Federation Store, Session Store, Message Store, and Configuration Store.

9.8.2 Components Deployed

Performing the configuration in this section deploys the following components:

If you configure Oracle Identity Federation in a new domain: 

  • WebLogic Administration Server

  • Fusion Middleware Control

  • WebLogic Managed Server

  • Oracle Identity Federation

  • Optionally, Oracle HTTP Server

If you configure Oracle Identity Federation in an existing domain: 

  • WebLogic Managed Server

  • Oracle Identity Federation

  • Optionally, Oracle HTTP Server

9.8.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server

  • Oracle Database for User Store, Federation Store, Session Store, Message Store, and Configuration Store.

  • New Identity Management - Oracle Identity Federation schema existing in the database for Federation Store, Session Store, Message Store, and Configuration Store.

  • Table for storing user data in the User Store database.

  • LDAP repository, if using LDAP for Authentication.

9.8.4 Procedure

Perform the following steps to configure Oracle Identity Federation in a new or existing domain with RDBMS User Store, Federation Store, User Session Store, Message Store, and Configuration Store:

  1. Install the database(s) for the RDBMS User Store, Federation Store, User Session Store, Message Store, and Configuration Store. Refer to Installing Oracle Database for more information.

  2. Create the Identity Management - Oracle Identity Federation schema in the database(s). Refer to Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU) for more information.

  3. Decide if you want to use an LDAP repository for Authentication. If you do, you must install the LDAP repository before you can install Oracle Identity Federation.

  4. Ensure that Oracle Identity Federation is installed, as described in Installation Roadmap and Installing Oracle Identity Management Using "Install and Configure" Option.

  5. Run <ORACLE_HOME>/bin/config.sh (On UNIX) or <ORACLE_HOME>\bin\config.bat to start the Oracle Identity Management Configuration Wizard. Click Next to continue.

  6. On the Select Domain screen, choose whether to install Oracle Identity Federation in a new or existing domain:

    To configure Oracle Identity Federation in a new domain: 

    1. Select Create New Domain.

    2. Enter the user name for the new domain in the User Name field.

    3. Enter the user password for the new domain in the User Password field.

    4. Enter the user password again in the Confirm Password field.

    5. Enter a name for the new domain in the Domain Name field.

    6. Click Next. The Specify Installation Location screen appears.

    7. Continue the installation by going to step 7 now.

    To install Oracle Identity Federation in an existing domain: 

    1. Select Extend Existing Domain.

    2. Enter the name of the host that contains the domain in the Host Name field.

    3. Enter the listen port for the WebLogic Administration Server in the Port field.

    4. Enter the user name for the domain in the User Name field.

    5. Enter the password for the domain user in the User Password field.

    6. Click Next. The Specify Installation Location screen appears.

  7. Identify the Homes, Instances, and the WebLogic Server directory by referring to Section 2.6, "Identifying Installation Directories".

    Note:

    To install Oracle Identity Management components in an existing Oracle WebLogic Server administration domain, each Oracle WebLogic Server Home, Oracle Middleware Home, and Oracle Home directory in the domain must have identical directory paths and names.

    After you enter information for each field, click Next. The Specify Security Updates screen appears.

  8. Choose how you want to be notified about security issues:

    • If you want to be notified about security issues through email, enter your email address in the Email field.

    • If you want to be notified about security issues through My Oracle Support (formerly MetaLink), select the My Oracle Support option and enter your My Oracle Support Password.

    • If you do not want to be notified about security issues, leave all fields empty.

    Click Next. The Configure Components screen appears.

  9. Select Oracle Identity Federation and, optionally, Oracle HTTP Server. Refer to "Configuring Oracle HTTP Server for OIF" for information about configuring these two components simultaneously.

    If you are installing Oracle Identity Federation in a new domain, the Fusion Middleware Control management component is automatically selected for installation.

    Ensure no other components are selected and click Next. The Configure Ports screen appears.

  10. Choose how you want the Installer to configure ports:

    • Select Auto Port Configuration if you want the Installer to configure ports from a predetermined range.

    • Select Specify Ports using Configuration File if you want the Installer to configure ports using the staticports.ini file. You can click View/Edit File to update the settings in the staticports.ini file.

    Click Next. The Select Oracle Identity Federation Configuration Type screen appears.

  11. Select Advanced and click Next. The Specify OIF Details screen appears.

  12. Enter the following information:

    • PKCS12 Password: Enter the password Oracle Identity Federation will use for encryption and for signing wallets. The Installer automatically generates these wallets with self-signed certificates. Oracle recommends using the wallets only for testing.

    • Confirm Password: Enter the PKCS12 password again.

    • Server ID: Enter a string that will be used to identify this Oracle Identity Federation instance. A prefix of oif will be added to the beginning of the string you enter. Each logical Oracle Identity Federation instance within an Oracle WebLogic Server administration domain must have a unique Server ID. Clustered Oracle Identity Federation instances acting as a single logical instance will have the same Server ID.

    Click Next. The Select OIF Advanced Flow Attributes screen appears.

  13. Select the following and click Next:

    • Authentication Type: JAAS or LDAP

      • Select JAAS to delegate authentication to the application server.

      • Select LDAP to authenticate against an LDAP repository.

    • User Store: RDBMS

    • Federation Store: RDBMS

    • User Session Store: RDBMS

    • Message Store: RDBMS

    • Configuration Store: RDBMS

    Note:

    The screen that appears next depends on what you selected for Authentication:

    • If you selected LDAP for Authentication Type, the Specify Authentication LDAP Details screen appears. Continue your installation by going to step 14 now.

    • If you selected JAAS for Authentication Type, the Specify User Store Database Details screen appears. Continue your installation by going to step 15 now.

  14. Enter the following information on the Specify Authentication LDAP Details screen to identify the LDAP repository that will perform authentication:

    • LDAP Type: Select the appropriate LDAP repository.

    • LDAP URL: Enter the URL connection string for the LDAP repository in the form: protocol://hostname:port

      Note:

      If you selected Microsoft Active Directory for the LDAP Type, you must specify an SSL LDAP URL, that is, ldaps://hostname:port.

    • LDAP Bind DN: Enter the bind DN for the LDAP repository.

    • LDAP Password: Enter the password for the bind DN.

    • User Credential ID Attribute: Enter the LDAP attribute Oracle Identity Federation will use to authenticate users. For example, if you enter mail and the value of the mail attribute for a user is jane.doe@domain.com, then Jane Doe must enter jane.doe@domain.com when challenged. Values for the LDAP attribute you identify for User Credential ID Attribute must be unique for all users.

    • User Unique ID Attribute: Enter the LDAP attribute that will uniquely identify users to Oracle Identity Federation. The value you enter must be identical to the value you enter for the User Data Store's User ID Attribute parameter. For example, if you enter mail for User Unique ID Attribute and you configure the User Data Store's User ID Attribute parameter with a value of EmailAddress, then the value of mail in the authentication engine repository must equal the value of EmailAddress in the User Data Store. Values for the LDAP attribute you identify for User Unique ID Attribute must be unique for all users.

    • Person Object Class: Enter the LDAP object class that represents a user in the LDAP repository. For example: inetOrgPerson for Oracle Internet Directory and Sun Java System Directory Server, and user for Microsoft Active Directory.

    • Base DN: Enter the root DN that searches will start from.

    Click Next. The Specify User Store Database Details screen appears.

  15. Enter the following information to identify the database that will store user data:

    • HostName: Enter the connection string to the database host in the form: hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form: hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Username: Enter the database username.

    • Password: Enter the password for the database user.

    • Login Table: Enter the name of the table that will store user data. The value you enter must be a valid table name, and the values you enter for User ID Attribute and User Description Attribute must be valid column names in the table you identify.

    • User ID Attribute: Enter the name of the table column to use for the Oracle Identity Federation user ID. The value you enter must be a valid column name in the table you identified for the Login Table parameter.

    • User Description Attribute: Enter the name of the table column to use for the user description. The value you enter must be a valid column name in the table you identified for the Login Table parameter.

    Click Next. The Specify Federation Store Database Details screen appears.

  16. Enter the following information to identify the database that will store federated user account linking data:

    • HostName: Enter the connection string to the database host in the form: hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form: hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Username: Enter the name of the schema owner created by RCU, which is of the form PREFIX_OIF.

    • Password: Enter the password for the database user.

    Click Next. The Specify Transient Store Database screen appears.

  17. Enter the following information to identify the database that will store transient runtime session state data, protocol messages, and Oracle Identity Federation configuration data:

    • HostName: Enter the connection string to the database host in the form: hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form: hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Username: Enter the name of the schema owner created by RCU, which is of the form PREFIX_OIF.

    • Password: Enter the password for the database user.

    Click Next.
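    The HostName fields in steps 15, 16 and 17 (and the Connect String field in step 11 of the previous procedure) accept only the two syntaxes documented above. The following validator is an added example, not part of the Oracle documentation or the wizard; it checks a value against those two forms before you type it in, so that a malformed RAC string is caught early rather than at the end of the configuration run. The host-name and service-name character rules it applies are assumptions, chosen conservatively.

```python
"""Validate OIF Configuration Wizard database connect strings (added example).

  single instance : hostname:port:servicename
  Oracle RAC      : host1:port1:instance1^host2:port2:instance2@servicename
"""
import re
from dataclasses import dataclass

# RFC 1123 host-name labels (letters, digits, inner hyphens); IP literals also match.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Service and instance names: conservative character set (assumption, not Oracle's rule).
_NAME_RE = re.compile(r"^[A-Za-z0-9_.$-]+$")


@dataclass
class ConnectString:
    service: str
    nodes: list      # (host, port, instance) tuples; instance is None for single-instance
    rac: bool


def _parse_node(node: str, rac: bool):
    """Parse one host:port:<instance|servicename> triple; raise ValueError on bad input."""
    parts = node.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected hostname:port:{'instance' if rac else 'servicename'}, got {node!r}")
    host, port, last = parts
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid host name {host!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port {port!r}")
    if not _NAME_RE.match(last):
        raise ValueError(f"invalid {'instance' if rac else 'service'} name {last!r}")
    return host, int(port), last


def parse_connect_string(value: str) -> ConnectString:
    """Return the parsed connect string, or raise ValueError describing the defect."""
    value = value.strip()
    if "@" in value:                       # RAC form: node^node@servicename
        nodes_part, _, service = value.rpartition("@")
        if not _NAME_RE.match(service):
            raise ValueError(f"invalid service name after '@': {service!r}")
        nodes = [_parse_node(n, rac=True) for n in nodes_part.split("^")]
        return ConnectString(service, nodes, rac=True)
    if "^" in value:                       # '^' separates RAC nodes and needs @servicename
        raise ValueError("RAC node list requires a trailing @servicename")
    host, port, service = _parse_node(value, rac=False)
    return ConnectString(service, [(host, port, None)], rac=False)


def is_valid_connect_string(value: str) -> bool:
    """Convenience wrapper for a yes/no check."""
    try:
        parse_connect_string(value)
        return True
    except ValueError:
        return False
```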

  18. The Installation Summary screen appears. Verify the information on this screen. Click Configure to begin the configuration.

  19. The Configuration Progress screen appears. Click Next to continue.

  20. The Installation Complete screen appears. Click Save to save the configuration information to a file, and then click Finish to exit the installer.

9.9 Verifying OIF

Verify the Oracle Identity Federation (OIF) installation by:

  • Accessing the Oracle Identity Federation metadata at the following URL. If you can access the metadata, Oracle Identity Federation is installed and the Oracle Identity Federation server is running.

    http://host:port/fed/sp/metadata

    Note:

    host represents the name of the WebLogic Managed Server where Oracle Identity Federation was installed. port represents the listen port on that WebLogic Managed Server.

  • Accessing Fusion Middleware Control to verify that Oracle Identity Federation is available and running. For more information, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in the Oracle Fusion Middleware Administrator's Guide.

9.10 Getting Started with OIF After Installation

After installing Oracle Identity Federation (OIF), refer to the "Common Tasks" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.