This chapter describes how to migrate data from Oracle Identity Federation (OIF) 11g Release 1 environments to Oracle Access Management Identity Federation 11g Release 2 (11.1.2.3.0) without metadata redistribution or URL update requirement.
The Oracle Identity and Access Management 11g Release 2 introduces the new version of Oracle Identity Federation as an integrated component of Oracle Access Management suite. This version of OIF generates SAML provider meatdata or new endpoints URLs (for OpenID, Ws-Fed) that are different from Oracle Identity Federation 11g Release 1.
This chapter includes the following sections:
Section 7.4, "Review System Requirements and Certifications"
Section 7.5, "Installing and Configuring Oracle Access Management 11.1.2.3.0"
Migrating the configuration data from Oracle Identity Federation 11g Release 1 to Oracle Access Management Identity Federation 11.1.2.3.0 involves two major tasks - migrating the server configuration data and migration the partner configuration data. This can be done by running the WLST commands. As part of the upgrade facilities, along with the migration scripts, a servlet is provided which inspects requests to the /fed service URLs and reroutes them to the corresponding endpoints in Oracle Identity Federation 11.1.2.3.0 server.
Before you start the migration process, review the configurations that are not migrated using the procedure described in this chapter.
The following configurations are not migrated as part of the migration process:
Global Configurations that are not Migrated:
User data store: The identity store in the upgraded Oracle Access Management Identity Federation 11.1.2.3.0 can be configured to use the old LDAP as the identity store.
Federation data store
If the old Federation data store is Database, then Oracle Access Management Identity Federation 11.1.2.3.0 can be configured to use the old Database as the Federation data store. This change involves creating a JDBC Datasource with JNDI name for the Oracle Access Manager Server and configuring Oracle Identity Federation to use that JDBC Datasource by providing the JNDI name.
If the old Federation data store is LDAP, a script has to extract the data from the LDAP Federation store and create the records in the new RDBMS Federation Data Store. Then, create a JDBC Datasource with JNDI name for the Oracle Access Manager Server and configure the Oracle Identity Federation to use that JDBC Datasource by providing the JNDI name.
Transient or message store
Configuration store: All configuration data required for Oracle Access Management Identity Federation 11.1.2.3.0 is copied by the migration script to the new configuration store.
Authentication engines (OOTB and custom): The only authentication engine post-upgrade would be Oracle Access Manager. Any custom engine used in Oracle Identity Federation 11g Release 1 will not be migrated.
Federation authentication methods
Service provider integration modules (OOTB and custom): After migration, Oracle Access Manager would be the SP engine. Any customizations done to the SP engine in Oracle Identity Federation 11g Release 1 will not be migrated.
Certificate validation
SSL Settings (WebLogic Server, Oracle HTTP Server, passwords in Oracle Identity Federation when acting as an SSL client).
User consent page settings
Attribute value filtering and attribute value mapping
Transient or message data will not be migrated.
IdP Configurations that are not Migrated
Attributes sent in SSO assertions are not migrated. Oracle Identity Federation session attributes are not supported in 11.1.2.3.0.
NameID based on Oracle Identity Federation session attribute
Attributes retrieved from HTTP headers and saved as Oracle Identity Federation session attributes are not migrated.
SP Configurations that are not Migrated
User provisioning via custom authentication engine will not be migrated. A separate user provisioning can be configured in Oracle Access Management Identity Federation 11.1.2.3.0 post migration.
User registration via custom authentication engine will not be migrated. A separate user registration can be configured in Oracle Access Management Identity Federation 11.1.2.3.0 post migration.
Table 7-1 compares the features of Oracle Identity Federation 11g Release 1 with the features of Oracle Access Management Identity Federation 11g Release 2 (11.1.2.3.0).
| Oracle Identity Federation 11g Release 1 | Oracle Access Management Identity Federation 11.1.2.3.0 |
|---|---|
|
Oracle Identity Federation 11g Release 1 is a standalone product which maintains its configuration data in its own file or database schema. It has a separate storage for server configuration and partner data. |
Identity Federation is an integral part of the Oracle Access Management infrastructure and leverages all the shared services provided by that infrastructure |
|
The URLs in Oracle Identity Federation 11g Release 1 had |
The URLs in Oracle Access Management Identity Federation has |
|
The certificates used in Oracle Identity Federation 11g Release 1 had one certificate which could be used for signing and another configurable to use for encryption. |
In Oracle Access Management Identity Federation 11.1.2.3.0, it is possible for different certificates to be used for different partners by choosing different aliases in the keystore. |
|
Oracle Identity Federation 11g Release 1 stored separate |
Oracle Access Management Identity Federation 11.1.2.3.0 uses single ProviderID for both |
Oracle Identity Federation metadata differences between 11g Release 1 and 11g Release 2 (11.1.2.3.0) include:
Host and port information
EntityID/ProviderID
Signing and encryption certificates
The URLs in descriptors used as endpoints for the OIF server
Table 7-2 lists the steps to migrate data from Oracle Identity Federation 11g Release 1 to Oracle Access Management Identity Federation 11.1.2.3.0.
| Sl No | Task | For More Information |
|---|---|---|
|
1 |
Review the features of Oracle Identity Federation 11.1.2.3.0. |
|
|
2 |
Review the system requirements and certifications before you start with the migration process. |
|
|
3 |
Install and configure Oracle Access Management 11.1.2.3.0, if you have not done already. |
See Installing and Configuring Oracle Access Management 11.1.2.3.0 |
|
4 |
Migrate the server configuration data from Oracle Identity Federation 11g Release 1 to Oracle Access Management Identity Federation 11.1.2.3.0. |
|
|
5 |
Migrate the partner configuration data from Oracle Identity Federation 11g Release 1 to Oracle Access Management Identity Federation 11.1.2.3.0. |
|
|
6 |
Update the |
See Redirecting the /fed URLs from Oracle Identity Federation Server to Oracle Access Manager Server |
|
7 |
Delete the partner property |
You must complete the following prerequisites before migrating Oracle Identity Federation 11g Release 1 to Oracle Access Management Identity Federation 11.1.2.3.0:
Read the system requirements and certification documents to ensure that your environment meets the minimum requirements for the products you are installing.
Oracle Fusion Middleware System Requirements and Specifications
This document contains information related to hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches.
Oracle Fusion Middleware Supported System Configurations
This document contains information related to supported installation types, platforms, operating systems, databases, JDKs, and third-party products.
For interoperability and compatibility issues that may arise when installing, refer to Oracle Fusion Middleware Interoperability and Compatibility Guide.
This document contains important information regarding the ability of Oracle Fusion Middleware products to function with previous versions of other Oracle Fusion Middleware, Oracle, or third-party products. This information is applicable to both new Oracle Fusion Middleware users and existing users who are upgrading their existing environment.
Note:
For information about Oracle Fusion Middleware concepts and directory structure, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.Verify that the Oracle Identity Federation version that you are using is supported for migration. For information about supported starting points for OpenSSO Enterprise 8.0 migration, see Section 1.4, "Supported Starting Points for Migration and Coexistence".
Oracle Access Management Identity Federation is a service provided by the Oracle Access Management suite. Therefore, in order to migrate the configuration data from Oracle Identity Federation 11g Release 1 to Oracle Access Management Identity Federation 11.1.2.3.0, you must install and configure Oracle Access Management 11.1.2.3.0. Oracle Access Management is a component of Oracle Identity and Access Management suite. Oracle Access Management can be installed using the Oracle Identity and Access Management 11.1.2.3.0 Installer, and can be configured using Oracle Fusion Middleware Configuration Wizard.
Note:
If you already have Oracle Access Management 11.1.2.3.0 configured, skip this task.For more information about installing and configuring Oracle Access Management 11.1.2.3.0, see "Installing and Configuring Oracle Identity and Access Management (11.1.2.3.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
To migrate the server configuration data from Oracle Identity Federation 11g Release 1 to Oracle Access Management Identity Federation 11.1.2.3.0, do the following:
Run the following command from the location ORACLE_HOME/common/bin to launch the WebLogic Scripting Tool (WLST):
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Run the following command to migrate the server configurations:
migrate11gR1To11gR23FedServerConfig(mode, migrateKeyAndCertificates)
In the above command:
The value of mode can be "idp", "sp", or "idsp". Specify "idp" if the server acts as IdP. Specify "sp" if the server acts as SP. Specify "idpsp" if the server acts as IdP or SP.
If you specify idp, only IdP configuration will be migrated to Oracle Identity Federation 11.1.2.3.0.
If you specify sp, only SP configuration will be migrated to Oracle Identity Federation 11.1.2.3.0.
If you specify idpsp, both the IdP and SP configuration will be migrated to Oracle Identity Federation 11.1.2.3.0.
The value of migrateKeysAndCertificates can be "true" or "false".
If you specify true, the certificates from Oracle Identity Federation 11g Release 1 will be migrated to Oracle Identity Federation 11.1.2.3.0.
If you specify false, the certificates from Oracle Identity Federation 11g Release 1 will not be migrated to Oracle Identity Federation 11.1.2.3.0.
Enter the connection details for WebLogic Server 11g Release 1 Managed Server, Administration Server, and 11.1.2.3.0 Administration Server when prompted.
The following is an example for running the command to migrate server configuration:
ORACLE_HOME/common/bin/wlsh.sh
wls:/offline>migrate11gR1To11gR23FedServerConfig("idpsp","true")
The command shown in the above example migrates the server configuration data in idp and sp mode. It also migrates the keys and certificates from Oracle Identity Federation 11g Release 1 to 11.1.2.3.0.
To migrate the partner configuration data from Oracle Identity Federation 11g Release 1 to Oracle Access Management Identity Federation 11.1.2.3.0, do the following:
Run the following command from the location ORACLE_HOME/common/bin to launch the WebLogic Scripting Tool (WLST):
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Run the following command to migrate the server configurations:
migrate11gR1To11gR23FedPartners(mode, promptForPartnerName, promptForNameIDSettings, createAttrProfilePerPartner)
In the above command:
The value of mode can be "idp", "sp", or "idsp".
If you specify idp, only IdP configuration will be migrated to Oracle Access Management Identity Federation 11.1.2.3.0.
If you specify sp, only SP configuration will be migrated to Oracle Access Management Identity Federation 11.1.2.3.0.
If you specify idpsp, both the IdP and SP configuration will be migrated to Oracle Access Management Identity Federation 11.1.2.3.0.
The value of promptForPartnerName can be "true" or "false".
If you specify true, the script prompts for partner name before creating in Oracle Access Management Identity Federation 11.1.2.3.0.
If you specify false, the script creates a name based on the providerid, and by removing the prefix http(s)://, and by replacing ".", "/", "~", and ":" characters by "-".
The value of promptForNameIDSettings can be "true" or "false".
If you specify true, the script prompts for user mapping settings.
If you specify false, the script derives the user mapping settings from Oracle Identity Federation 11g Release 1 configuration.
The value of createAttrProfilePerPartner can be "true" or "false".
If you specify true, the script creates one attribute profile for each partner.
If you specify false, the script uses the default attribute profile for setting data.
Enter the connection details for WebLogic Server 11g Release 1 Managed Server, Administration Server, and 11.1.2.3.0 Administration Server when prompted.
The following is an example for running the command to migrate server configuration:
ORACLE_HOME/common/bin/wlsh.sh
wls:/offline>migrate11gR1To11gR23FedPartners("idsp","true")
The command shown in the above example migrates all the partners to Oracle Access Management Identity Federation 11.1.2.3.0 without prompting for new partner names, nameid settings, and will use the default attribute profile for all of the partners.
The change in proxy or load balancer involves redirecting the /fed URLs from Oracle Identity Federation Managed Server host and port to Oracle Access Manager Managed Server Host and Port. To do this, update the mod_wl_ohs file in the Oracle HTTP Server (OHS) host by replacing Oracle Identity Federation Server hostname with Oracle Access Manager Server hostname for the entry WebLogicHost, and Oracle Identity Federation Server port with Oracle Access Manager Server port for the entry WebLogicPort. In case of a highly available environment, specify the hostnames and ports of all the Oracle Access Manager Managed Servers for the entry WebLogicCluster.
For example:
In a single node setup:
<Location /fed> SetHandler weblogic-handler WebLogicHost OAM_HOST (Before update, this would be OIF_HOST) WebLogicPort OAM_PORT (Before update, this would be OIF_PORT) </Location>
In a high availability (HA) setup:
<Location /fed> WebLogicCluster OAM_HOST1:OAM_PORT1,OAM_HOST2:OAM_PORT2 SetHandler weblogic-handler </Location>
After migration, the Single Sign-On (SSO) with all partners will work seamlessly with partners not to make any updates to interact with the new server.
Once the partner is ready to update the metadata (for SAML) or update the endpoint URLs (for OpenID 2.0, WS-Fed), the Oracle Access Management Identity Federation 11.1.2.3.0 server needs to be updates to indicate that. This is because, during migration, to avoid the differences in providerid configured for Oracle Identity Federation 11g Release 1 and Oracle Access Management Identity Federation 11.1.2.3.0, a property called localproviderid is set for all the migrated IdP partners; this needs to be removed once the IdP is updated with the latest URLs or metadata of the Oracle Identity Federation 11.1.2.3.0 SP.
When a partner receives the new SAML 2.0 metadata containing the new URLs, or updates its configuration to use the new Oracle Identity Federation URLs (in case where SAML 2.0 metadata is not used), you must delete the partner property localproviderid by running the wlst command deletePartnerProperty. To do this, complete the following steps:
Run the following command from the location ORACLE_HOME/common/bin to launch the WebLogic Scripting Tool (WLST):
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Run the following command to delete the partner property localproviderid:
deletePartnerProperty(partnerName, partnertype, "localproviderid")
In this command,
partnerName refers to the name of the partner.
partnerType refers to the type of the partner.