40.2 Using Authentication Schemes and Modules for Identity Federation

The following topics describe how to use authentication schemes and modules for Identity Federation:

40.2.1 About the FederationScheme Authentication Scheme

FederationScheme is a general-purpose scheme for use with Identity Federation 11g Release 2 (11.1.2.2).

Figure 40-1 shows the Access Console page for FederationScheme.

Figure 40-1 FederationScheme


Table 40-1 describes the FederationScheme.

Table 40-1 FederationScheme Element Definitions

Name: This is the scheme name.

Description: This is a brief description of the scheme.

Authentication Level: This is the trust level of the authentication scheme.

Default: This is a non-editable box that is checked when the Set as Default button is clicked.

Challenge Method: You may select a challenge method from those available in the drop-down box.

Challenge Redirect URL: This is the URL of another server to which user requests must be redirected for processing.

Authentication Module: This is the authentication module to use with the scheme.

Challenge URL: This is the URL to which the credential collector will redirect for credential collection. Not used by the federation plug-in.

Context Type: This element is used to build the final URL for the credential collector.

Context Value: This element is used to build the final URL for the credential collector. The value depends on the context type.

Challenge Parameters: This is the list of parameters, if any, to use with the challenge.

Table 22-21 lists the specifications for FederationScheme.

40.2.2 About the FederationMTScheme

FederationMTScheme is an authentication scheme designed for use in multi-tenancy environments.

40.2.3 About the FederationPlugin Authentication Module

The FederationPlugin provides a custom authentication module.

Figure 40-2 displays the module's Console page.

Figure 40-2 FederationPlugin Steps


Table 40-2 describes the attributes that you need to configure for the FederationPlugin.

Table 40-2 FederationPlugin Steps

Step Name: This is the name of the step within the module.

Description: This element contains a brief description of the step.

Plugin Name: This element specifies the plugin associated with the step.

The FedSSOIdP value identifies the Identity Provider (IdP) that the authentication plugin picks up.

Orchestration enables you to specify the order of the steps within the plugin, and what to do if each of those steps succeeds or fails.

Figure 40-3 illustrates the orchestration of the FederationPlugin.

See Table 22-14 for a similar orchestration.

Figure 40-3 FederationPlugin Orchestration


Table 40-3 describes the attributes for the orchestration of the FederationPlugin.

Table 40-3 Orchestration of FederationPlugin

Name: This is the step name. The steps appear in this column in order of execution, which can be modified with the Initial Step drop-down.

Description: This is a brief description of the step.

On Success: This is the action to take upon successful completion of the step, such as execution of the next step in the orchestration.

On Error: This is the action to take upon error, such as taking the specified failure action.

On Failure: This is the action to take upon step failure.
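As an added illustration (not Oracle's code and not the plug-in's implementation), the following Python models the control flow that the Initial Step drop-down and the On Success, On Error and On Failure columns of Table 40-3 define: each step returns a result, the matching column names the next step or a terminal action, and a missing or cyclic step resolves to the failure action. The step names and the context keys such as FedSSOIdP are constructed assumptions, not the real FederationPlugin steps.

```python
# Added example (not Oracle's code): a minimal model of the Steps Orchestration
# semantics in Table 40-3. Step names and context keys are constructed for
# illustration and are not the FederationPlugin's real steps.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SUCCESS, FAILURE, ERROR = "success", "failure", "error"   # step results
FAILURE_ACTION = "failure-action"   # terminal: the authentication attempt fails

@dataclass
class Step:
    name: str
    run: Callable[[dict], str]          # returns SUCCESS, FAILURE or ERROR
    on_success: str = SUCCESS           # next step name, or SUCCESS to finish
    on_error: str = FAILURE_ACTION      # next step name, or FAILURE_ACTION
    on_failure: str = FAILURE_ACTION

@dataclass
class Orchestration:
    steps: Dict[str, Step]
    initial_step: str                   # the "Initial Step" drop-down
    max_hops: int = 16                  # guards against a cyclic orchestration

    def execute(self, ctx: dict) -> Tuple[str, List[str]]:
        """Run from the initial step; return (outcome, names of executed steps)."""
        trace, current = [], self.initial_step
        while current not in (SUCCESS, FAILURE_ACTION):
            if current not in self.steps or len(trace) >= self.max_hops:
                return FAILURE_ACTION, trace   # a misconfigured flow denies access
            step = self.steps[current]
            trace.append(step.name)
            result = step.run(ctx)
            current = {SUCCESS: step.on_success, ERROR: step.on_error,
                       FAILURE: step.on_failure}.get(result, FAILURE_ACTION)
        return current, trace

def select_idp(ctx: dict) -> str:       # constructed step: needs FedSSOIdP
    return SUCCESS if ctx.get("FedSSOIdP") else FAILURE

def validate_assertion(ctx: dict) -> str:   # constructed step: partner response
    return SUCCESS if ctx.get("assertion_valid") else FAILURE

def build_orchestration() -> Orchestration:
    steps = {
        "SelectIdP": Step("SelectIdP", select_idp, on_success="ValidateAssertion"),
        "ValidateAssertion": Step("ValidateAssertion", validate_assertion),
    }
    return Orchestration(steps, initial_step="SelectIdP")
```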

40.2.4 Managing Authentication with Identity Federation in 11g Release 2

When you manage authentication with Identity Federation in 11g Release 2, you work with the FederationScheme and the FederationPlugin plug-in, a custom authentication module.

The following topics introduce authentication with Identity Federation in 11g Release 2:

40.2.4.1 Prerequisites for the Authentication with Identity Federation in 11g Release 2

None.

40.2.4.2 Viewing or Modifying FederationScheme

You can view or modify the FederationScheme authentication scheme.

To view or modify FederationScheme:

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Application Security console, click Authentication Schemes in the Access Manager section.
  3. Search for and open the FederationScheme authentication scheme.
  4. Review FederationScheme details to ensure these are desired for your deployment.

    Table 40-1 describes field details.

  5. Click Save.

40.2.4.3 Viewing or Modifying FederationPlugin

You can view or modify the FederationPlugin authentication plug-in.

To view or modify FederationPlugin:

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Application Security console, click Authentication Plug-ins in the Plug-ins section.
  3. Search for and open the FederationPlugin authentication plug-in.
  4. Review FederationPlugin details to ensure these are desired for your deployment.

    Table 40-2 provides plugin step details.

  5. Use the icons above the step table to add a step (+) or delete a step (x).
  6. Modify the order of steps as needed using the Steps Orchestration tab.

    Table 40-3 provides orchestration details.

  7. Click Save.

40.2.4.4 Adding an Authentication Policy with FederationScheme

Prerequisite: Any resource to be added to a policy must be defined in the same Application Domain as the policy. You can add an authentication policy with FederationScheme to associate it with the resources that the policy protects.

To add an authentication policy with FederationScheme to associate a resource that is protected by this policy:

  1. In the Oracle Access Management Console, click Application Security at the top of the window.

  2. In the Application Security console, click Application Domains in the Access Manager section.

  3. Search for and open the target application domain.

  4. In the application domain configuration page, click the Authentication Policies tab.

  5. Click Create and enter the following General Policy Details (see Table 25-9):

    • Name

    • Authentication Scheme

  6. Add these Global Policy Elements and Specifications:

    • Description (optional)

    • Success URL

    • Failure URL

  7. To add resources:

    1. Click the Resources tab on the Authentication Policy page.

    2. Click the Add button on the tab.

    3. Choose a URL from the list.

    4. Repeat these steps as needed to add more resources.

  8. Click Apply to save changes and close the confirmation window.

  9. Responses:

    See Introduction to Policy Responses for SSO.

    See Adding and Managing Policy Responses for SSO.

Figure 40-4 shows the console page to define the authentication policy and associate the policy to the resources.

Figure 40-4 Setting Up the Authentication Policy with FederationScheme
