49.7 Defining Service Domains

You need to create a Service Domain to associate Service Profiles with Application Profiles and the corresponding configuration settings.

When the Create Service Domain page is displayed, you can:

  • Choose whether the Service Domain is for managing mobile applications or desktop applications.

  • Choose an authentication scheme and, optionally, a Security Handler Plug-in for the Service Domain.

  • Add one or more Mobile SSO Agents to the Service Domain and configure which agents have priority over others.

  • Add one or more applications to the Service Domain and configure which applications can use a Mobile SSO Agent.

  • Choose at least one Service Profile for the Service Domain.

  • Configure security settings to protect the Service Domain's selected services.

See Creating a Service Domain.

See Editing or Deleting a Service Domain.

49.7.1 Creating a Service Domain

You can create a service domain from the Mobile and Social Services configuration page.

To create a service domain:

  1. Access the Mobile and Social Services configuration page.

    See Opening the Mobile and Social Services Configuration Page.

  2. Click Create in the Service Domains panel in the home area.

    The Create Service Domain Configuration page displays.

  3. Enter values for the Service Domain general properties.

    Table 49-16 Service Domain General Properties

    Name Notes

    Name

    Type a unique name for this Service Domain.

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    Type

    Choose Mobile Application or Desktop Application. A mobile application is an application that runs on a mobile operating system, such as the Android or iOS operating systems. A desktop application is an application that runs on a non-mobile operating system.

    Credential for Registering an Application

    If configuring a mobile Service Domain, choose the minimum credential level required to register an application. If you choose User Password, the server prompts the User for a user name and password every time an application is registered, even if a mobile single sign-on agent is installed on the device. If you choose User Token, the server asks the mobile SSO agent to provide the User name and password; subsequent application registrations on that device then use the User Token issued to the mobile SSO agent for that purpose. User Password provides added security around the application registration process. User Token makes the application registration process more convenient for the User.

    Authentication Scheme

    If configuring a mobile Service Domain, choose Mobile Service Authentication or Social Identity Authentication. If you choose Mobile Service Authentication, the client prompts the User for a User name and password. If you choose Social Identity Authentication, the client redirects to the Mobile and Social server and the User uses Social Identity to authenticate with an Identity Provider, for example Google or Facebook. This selection determines which Authentication Service Profiles you can choose on the Service Profile Selection configuration screen.

    Security Handler Plug-in Name

    If configuring a mobile Service Domain, choose the Security Handler Plug-in to use. For information about the available Security Handler Plug-ins, see Security Handler Plug-ins.

  4. Use one or both of the following options to add or select Application Profiles.

    If configuring a mobile Service Domain, only mobile apps can be selected. Similarly, if configuring a non-mobile Service Domain, only desktop apps can be selected.

    1. Click Browse Application Profiles (under Application Profile Selection) to open a Search window from which you can search for one or more previously configured Application Profiles to add to the Service Domain. Select the Profiles to add and click Select.

    2. Alternately, if you know the exact name of the Application Profile, click Add and type the name directly into the table.

    Table 49-17 Application Profile Selection Properties

    Name Notes

    Application Profile Name

    The name that uniquely identifies the client application to Mobile and Social.

    Mobile Single Sign-on (SSO) Configuration

    If configuring a mobile Service Domain, choose whether each application should participate in mobile single sign-on as an SSO Agent, as an SSO Client, or not at all (None).

    • Choose None if this application does not want to participate in mobile SSO and instead wants to perform User authentication with the Mobile and Social server directly.

    • Choose As an SSO Agent if the application is a mobile single sign-on agent that can accept authentication requests from other apps. For details about creating a custom mobile SSO agent, refer to the Android or iOS SDK information in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management.

    • Choose As an SSO Client if the application is configured to work with mobile single sign-on and it delegates user authentication and user session management responsibilities to a mobile SSO agent.

    Agent Priority

    Displays the numerical ranking for applications that are configured as mobile SSO Agents. When multiple agent apps are installed on the device, the Agent application with highest priority (smallest numerical rank) acts as the Agent application for all other Agent apps. If that Agent is deleted from the device, the Agent with the next highest ranking becomes the active Agent. Click Move Up and Move Down to reorder the agents by priority.

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.

  5. Click Next to select a Service Profile.

    The Service Profile page displays.

  6. Use one or both of the following options to add at least one Service Profile to the Service Domain.

    For a mobile Service Domain, you can add one Service Profile for each type of Service Provider (authentication, authorization, and User Profile Services). For a non-mobile Service Domain, you can add multiple Service Profiles for each type of Service Provider.

    1. Click Select to open a Search window from which you can search for a previously configured Service Profile. If configuring a mobile Domain, you can only select a mobile-compatible Authentication Service Profile. Similarly, if configuring a non-mobile domain, you can only select a desktop-compatible Authentication Service Profile. Select the Profile to assign and click Select. If you know the exact name of the Service Profile, click Add and type the name directly into the table.

    2. Click Create to create a new Service Profile.

      Table 49-18 Service Profile Selection Properties

      Name Notes

      Authentication Service

      (Optional) Displays the name of the Authentication Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Defining, Modifying, and Deleting an Authentication Service Profile.

      Authorization Service

      (Optional) Displays the name of the Authorization Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Defining, Modifying, and Deleting an Authorization Service Profile.

      User Profile Service

      (Optional) Displays the name of the User Profile Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Defining, Modifying, and Deleting a User Profile Service Profile.

  7. Click Next to configure Service Protection (authentication).

    The Service Protection page displays.

  8. Configure authentication for each Service Profile you selected, using the following options.

    1. If you previously selected a User Profile Service for this Service Domain, configure the security settings to protect it.

      Table 49-19 User Profile Service Protection Properties

      Name Notes

      Authentication

      From the menu, choose the Authentication Service Profile configured for this Service Domain that you want to use to protect this User Profile Service.

      Secured Application

      Select to require the client application to authenticate, either by presenting a Client Resource Handle or a Client Token.

      Secured User

      Select to require a User to authenticate, either by presenting a User Token or an Access Token, where the Access Token was previously acquired with a User Token.

      Allow Read

      Select to allow users to view User Profile data.

      Allow Write

      Select to allow users to update User Profile data.

    2. If you previously selected an Authorization Service for this Service Domain, configure the security settings to protect it.

      Table 49-20 Authorization Service Protection Properties

      Name Notes

      Authentication

      Choose the Authentication Service Profile configured for this Service Domain that you want to use to protect this Authorization Service.

      Secured Application

      Select to require the client application to authenticate, either by presenting a Client Resource Handle or a Client Token.

      Secured User

      Select to require a User to authenticate, either by presenting a User Token or an Access Token, where the Access Token was previously acquired with a User Token.

  9. Click Next to verify your selections.

  10. Click Finish to create the Service Domain.
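The following is an added illustration, not Oracle code, of how the Service Protection settings in Tables 49-19 and 49-20 combine when a request reaches a protected service: Secured Application requires a Client Resource Handle or Client Token, Secured User requires a User Token or an Access Token acquired with one, and Allow Read / Allow Write apply only to the User Profile Service. The credential names, the `issued_by` provenance check against the chosen Authentication Service Profile, and the sample requests are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Credential kinds named in Tables 49-19 and 49-20 (names are the model's own).
CLIENT_CREDENTIALS = {"client_resource_handle", "client_token"}

@dataclass
class ServiceProtection:
    """Protection settings for one service (User Profile or Authorization)."""
    kind: str                          # "user_profile" or "authorization"
    authentication_profile: str        # Authentication Service Profile chosen under "Authentication"
    secured_application: bool = False  # require a Client Resource Handle or Client Token
    secured_user: bool = False         # require a User Token, or an Access Token acquired with one
    allow_read: bool = False           # User Profile Service only
    allow_write: bool = False          # User Profile Service only

@dataclass
class Request:
    """Constructed request: what the client presents and what it wants to do."""
    issued_by: str                     # profile that issued the credentials (modelling assumption)
    client_credential: Optional[str] = None
    user_credential: Optional[str] = None
    access_token_from_user_token: bool = False  # provenance of an Access Token
    operation: str = "read"            # "read" or "write" (User Profile Service only)

def evaluate(policy: ServiceProtection, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for req under policy, checking each setting in turn."""
    # Assumption: credentials must come from the Authentication Service Profile
    # that was chosen to protect this service, not from any other profile.
    if req.issued_by != policy.authentication_profile:
        return False, "credentials not issued by the configured Authentication Service Profile"
    # Secured Application: the app itself must have registered and authenticated.
    if policy.secured_application and req.client_credential not in CLIENT_CREDENTIALS:
        return False, "Secured Application: Client Resource Handle or Client Token required"
    # Secured User: a User Token, or an Access Token that was acquired with a User Token.
    if policy.secured_user:
        user_ok = req.user_credential == "user_token" or (
            req.user_credential == "access_token" and req.access_token_from_user_token)
        if not user_ok:
            return False, "Secured User: User Token (or Access Token acquired with one) required"
    # Allow Read / Allow Write exist only for the User Profile Service.
    if policy.kind == "user_profile":
        if req.operation == "read" and not policy.allow_read:
            return False, "Allow Read not enabled"
        if req.operation == "write" and not policy.allow_write:
            return False, "Allow Write not enabled"
        if req.operation not in ("read", "write"):
            return False, "unknown operation"
    return True, "allowed"
```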

49.7.2 Editing or Deleting a Service Domain

You can edit or delete a Service Domain.

To edit or delete:

  1. Select the definition in the panel.
  2. Click Edit or Delete on the panel's tool bar.