38.4 Administering Identity Federation As An Identity Provider

When the integrated Identity Federation is configured as an IdP, you must define any remote SP partners as trusted by creating and managing profiles that contain details regarding each remote SP.

This section provides the following topics.

38.4.1 Creating Remote Service Provider Partners

Use the Service Provider Partner page to define a partner profile when Identity Federation is configured as an IdP. You can specify service details manually or load them from a metadata file.

To create remote service provider partners:

  1. In the Oracle Access Management Console, click Federation at the top of the window.
  2. In the Federation console, select Create Service Provider Partner from the Create (+) drop-down list in the Federation section.
  3. Enter values for the parameters.

    Table 38-6 describes each element on the Create Service Provider page.

    Table 38-6 Service Provider Partner Settings

    Element Description

    Name

    This is the provider name.

    Enable Partner

    Select whether this partner is currently participating in the federation.

    Description

    This is a brief description of the provider. (Optional).

    Protocol

    This is the provider protocol (SAML 1.1, SAML 2.0 or OpenID 2.0).

    Service Details

    Select whether to enter service details manually or load from metadata. If selecting the latter, browse for the metadata file. Applies to SAML 2.0 only.

    Metadata File

    This field appears if loading metadata from a file. Click Browse to select a file to use. Applies to SAML 2.0 only.

    Provider ID

    The provider ID or issuer ID of the remote Service Provider. Applies to SAML 2.0 and SAML 1.1 only.

    Assertion Consumer URL

    A URL to which Assertion responses are sent. Applies to SAML 2.0 and SAML 1.1 only.

    Load Signing Certificate

    Upload the signing certificate used by this SP. Only visible when Enter Manually is selected. Applies to SAML 2.0 and SAML 1.1 only.

    Logout Request URL

    A URL to which logout requests are sent. Applies to SAML 2.0 only.

    Logout Response URL

    A URL to which responses to logout requests are sent. Applies to SAML 2.0 only.

    Load Encryption Certificate

    Upload the encryption certificate used by this SP. Only visible when Enter Manually is selected. Applies to SAML 2.0 only.

    NameID Format

    Indicates which NameID format should be used for this SP. Applies to SAML 2.0 and SAML 1.1 only.

    See Using SAML 2.0.

    See Using SAML 1.1.

    NameID Value

    Indicates how to populate the NameID Value. Applies to SAML 2.0 and SAML 1.1 only.

    • If User ID Store Attribute is selected, specify the user attribute to be used.

    • If Expression is selected, enter the expression to be used.

    Attribute Mapping Profile

    Indicates the attribute mapping profile to which the partner is bound. Applies to SAML 2.0 and SAML 1.1 only.

    User Identity Store

    This is the identity store in which the IdP's users will be located and mapped. Identity Federation supports multiple identity stores, defined on a per-partner basis. If no user identity store is selected, the default store defined for Access Manager is used.

    User Search Base DN

    This is the base search DN used when looking up user records. (Optional. If omitted, the default user search base DN configured for the selected user identity store is used.)

    Enable Global Logout

    Indicates whether or not OIF should notify the remote partner when the user is signing off, during the logout flow. Applies to SAML 2.0 only.

    SSO Response Binding

    Indicates whether the SAML Assertion should be sent back from the IdP using the HTTP POST Binding or the Artifact Binding. Applies to SAML 2.0 and SAML 1.1 only.

    Encrypt Assertion

    Indicates whether or not the Assertion should be encrypted for this partner. Applies to SAML 2.0 only.

    Realm

    The URL identifying an OpenID SP. Applies to OpenID 2.0 only.

    Endpoint URL

    The URL to which the IdP will redirect the user with the OpenID Assertion. Applies to OpenID 2.0 only.

  4. Click Save to create the remote SP partner profile.
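When Service Details is set to load from metadata (step 3), the partner profile is populated from whatever the SP's metadata file declares, so it is worth checking that file before clicking Save. The following script is an added example and is not part of the Oracle documentation or product: it parses a SAML 2.0 SP EntityDescriptor with the Python standard library, maps it onto the Table 38-6 fields (Provider ID, Assertion Consumer URL, SSO Response Binding, logout URLs, certificates, NameID formats), and lists findings a practitioner would want resolved first. The sample metadata, hostnames and certificate blob are constructed placeholders; the truncated certificate only passes a base64/DER-prefix sanity check, and real validation (expiry, chain, fingerprint agreed with the partner out of band) needs an X.509 library.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample SP metadata (placeholder entity, URLs and a truncated cert blob).
# It deliberately has a plain-http Artifact endpoint and no encryption key so the
# checks below have something to report.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBszCCAVmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.com/saml/acs-artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _cert_text(key_descriptor):
    """Return the X509Certificate base64 with embedded whitespace removed, or None."""
    t = key_descriptor.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    return "".join(t.split()) if t else None


def parse_sp_metadata(xml_text):
    """Map a SAML 2.0 SP EntityDescriptor onto the partner fields of Table 38-6."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    certs = {"signing": None, "encryption": None}
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            if use in certs:
                certs[use] = certs[use] or _cert_text(kd)
    acs = [{"index": int(a.get("index", "0")), "binding": a.get("Binding"),
            "location": a.get("Location"),
            "default": a.get("isDefault", "false").lower() == "true"}
           for a in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        raise ValueError("no AssertionConsumerService: nowhere to send assertions")
    # The endpoint marked isDefault wins; otherwise the lowest index is the default.
    default = next((a for a in acs if a["default"]), min(acs, key=lambda a: a["index"]))
    slo = sp.find("md:SingleLogoutService", NS)
    return {
        "provider_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "signing_cert": certs["signing"],
        "encryption_cert": certs["encryption"],
        "assertion_consumer_url": default["location"],
        "sso_response_binding": {BINDING_POST: "HTTP POST",
                                 BINDING_ARTIFACT: "Artifact"}.get(default["binding"], default["binding"]),
        "all_acs": acs,
        "logout_request_url": slo.get("Location") if slo is not None else None,
        # Per the SAML metadata spec, responses go to Location when ResponseLocation is absent.
        "logout_response_url": (slo.get("ResponseLocation") or slo.get("Location")) if slo is not None else None,
        "nameid_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text],
    }


def check_sp_partner(info):
    """Return findings to resolve before saving the partner profile (empty list = clean)."""
    findings = []
    if not info["provider_id"]:
        findings.append("entityID missing: Provider ID cannot be set")
    for a in info["all_acs"]:
        if urlparse(a["location"] or "").scheme != "https":
            findings.append(f"ACS index {a['index']} is not https: {a['location']}")
    if info["sso_response_binding"] not in ("HTTP POST", "Artifact"):
        findings.append(f"default ACS binding is neither HTTP POST nor Artifact: {info['sso_response_binding']}")
    if not info["signing_cert"]:
        findings.append("no signing certificate: signed AuthnRequest/LogoutRequest from this SP cannot be verified")
    else:
        try:
            der = base64.b64decode(info["signing_cert"], validate=True)
            if not der or der[0] != 0x30:  # DER SEQUENCE tag; a full X.509 check is still needed
                findings.append("signing certificate is not a DER-encoded X.509 blob")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("signing certificate is not valid base64")
    if not info["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned is false: requests from this SP cannot be authenticated")
    if not info["encryption_cert"]:
        findings.append("no encryption certificate: leave Encrypt Assertion disabled for this partner")
    if not info["logout_request_url"]:
        findings.append("no SingleLogoutService: Enable Global Logout has no endpoint to notify")
    elif urlparse(info["logout_request_url"]).scheme != "https":
        findings.append(f"logout URL is not https: {info['logout_request_url']}")
    return findings


if __name__ == "__main__":
    partner = parse_sp_metadata(SAMPLE_SP_METADATA)
    for k in ("provider_id", "assertion_consumer_url", "sso_response_binding",
              "logout_request_url", "logout_response_url", "nameid_formats"):
        print(f"{k}: {partner[k]}")
    for f in check_sp_partner(partner):
        print("FINDING:", f)
```

Run it against the metadata file the partner sent before loading it in the console. Metadata is a trust anchor: obtain it over a channel you trust (or a signed metadata document whose signature you verify), and confirm the signing certificate fingerprint with the partner rather than accepting whatever arrives by e-mail. The two findings on the sample (a plain-http Artifact endpoint and no encryption key) are exactly the cases where the console would let you save a profile that later fails or leaks: Encrypt Assertion cannot work without an encryption certificate, and an http ACS sends the assertion in clear.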

38.4.2 Managing the Remote Service Provider Partners

You can edit and manage the profiles of remote SP partners: search for a profile and change its attribute values.

To search for existing service provider partner profiles:

  1. In the Oracle Access Management Console, click Federation at the top of the window.
  2. In the Federation console, click Service Provider Management in the Federation section.
  3. In the Search section of the page, enter appropriate search criteria for the service provider(s). The characters "*" (asterisk) and "." (period) are supported as search wildcards.

    See Table 38-5 for details about the search parameters.

  4. Click Search.
  5. Select the appropriate partner in the Search Results table and click Edit in the toolbar.

    A new tab is activated that displays the partner's attributes. In addition to the attributes described in Table 38-6, you can modify the following advanced attributes:

    • Enable Global Logout

    • Encrypt Assertion

    • SSO Response Binding (HTTP POST or Artifact)

  6. Click Save to keep the changes.

Note:

If using SAML 1.1, you can include a certificate in the signature.

See WLST Command Reference for WebLogic Server.