The following tasks explain how to manage a custom security token service configuration:
Users with valid Oracle Access Management Administrator credentials can create a Validation Template with a Token Protocol of Webservice Trust to map the token to the requester.
The template in this example can be used for the module classes described earlier in this chapter. Full implementation details are shown in the following figures. As you review these, notice how specifications for this template reference the module class code:
Figure 45-18 General Details: email-wstrust-valid-temp
Figure 45-19 Token Mapping: email-wstrust-valid-temp
To create a validation template for custom module classes:
Users with valid Oracle Access Management Administrator credentials can create a Token Issuance Template.
This is a server side configuration. Each Token Issuance Template indicates how to construct a token, and which signing or encryption to use when constructing a token. Each Token Issuance Template also defines the attributes to be sent as part of the outbound token for mapping, and filtering data. However, Issuance Templates do not list mapping or filtering rules, which are defined in the Relying Party Partner Profile.
You can use the template in this example for the email custom token described earlier. Implementation details are shown in the following figures and described in the accompanying procedure. As you review them, notice how specifications for this template reference the module class code:
Figure 45-20 General Details: email-issuance-temp
When you have a custom token type deployed, the Issuance Properties are tailored to accommodate the custom token. For instance, the custom email token type was chosen for the issuance template.
See Figure 45-21.
Figure 45-21 Issuance Properties: email-issuance-temp
This procedure creates a companion Issuance Template for the custom module classes in this chapter. For the example:
Ignore the Token Encryption Algorithm, which is not used for the custom token type: email.
Fill in a value for the Custom Token Attribute, which is populated from the custom token code.
To create an Issuance Template for custom module classes:
1. In the Oracle Access Management Console, click Federation at the top of the window.
2. Select Token Issuance Templates from the View menu in the Security Token Service section.
3. New Token Issuance Template:
   a. Click the New Issuance Template button in the upper-right corner (or click the Add (+) command button above the Search Results table).
   b. General: Set the following for use with the custom token in this chapter (see Figure 45-20).
   c. Click Save and dismiss the confirmation window (or click Cancel without saving).
   d. Issuance Properties: Set the following for use with the custom token in this chapter (see Figure 45-21).
   e. Click Apply and dismiss the confirmation window (or click Revert without saving it).
   f. Close the definition (or edit it as described in Step 4).
4. Edit a Template: Find the desired template, edit details, and click Apply.
You can either edit an existing requester profile to add your custom token to the Token Type Configuration table, or create a new requester profile to use with the custom token.
Either way, configure:
Token Type: email (your custom token)
Validation Template: email-wstrust-valid-temp
Your Custom Token and Validation Template must already be defined.
You can add or edit a Requester Profile for a custom token from the Security Token Service section.
To add or edit a Requester Profile:
1. In the Oracle Access Management Console Launch Pad, click Federation at the top of the window.
2. Select Partner Profiles from the View menu in the Security Token Service section.
3. Select the Requester Profiles tab.
4. Existing Profile:
   a. In the Search Results table of the Requester Profiles page, click the name of the desired profile.
   b. Token and Attributes: Fill in the following details for the custom token in this chapter and then click the Save button at the top of the page.
      Token Type: email
      Validation Template: email-wstrust-valid-temp
   c. Click Save, dismiss the confirmation window, and close the page (or click Cancel to dismiss the page without submitting it).
5. New Profile: Click the New Requester Profile button to display the New Partner Profile page where you enter details:
   a. General: Fill in the following details for the custom token in this chapter and then click the Next button at the top of the page.
      Profile name: unique_requesterprofile_name
      Default relying party profile: unique_relyingparty_name
   b. Add Token Type Configuration: Fill in the following details for the custom token in this chapter and then click the Save button at the top of the page.
      Token Type: email
      Validation Template: email-wstrust-valid-temp
You can either edit an existing Relying Party Profile, or create a new one that issues the custom token by default and references the Issuance Template and related information.
Either way, configure:
Default token to issue: email (your custom token)
Issuance Template: email-issuance-temp
Your Custom Token and Issuance Template must be defined.
You can add or edit a Relying Party Profile for a custom token from the Security Token Service section.
To add or edit a Relying Party Profile:
1. In the Oracle Access Management Console Launch Pad, click Federation at the top of the window. Select Partner Profiles from the View menu in the Security Token Service section, and then select the Relying Party Profiles tab.
2. Existing Profile:
   a. In the Search Results table of the Relying Party Profiles page, click the name of the desired profile.
   b. Click the Token and Attributes tab.
   c. Token Type Configuration: Click the Add (+) button above the Token Type Configuration table and enter the following details:
      Token Type: email
      Issuance Template: email-issuance-temp
   d. Attributes: Click the Add (+) button above the Attributes table and define an attribute whose value is taken from the Userstore; check its checkbox to enable it.
   e. Click Apply, dismiss the confirmation window, and close the page (or click Cancel to dismiss the page without submitting it).
3. New Profile: Click the New Relying Party Profile button to display the New Partner Profile page where you enter details:
   a. General: Fill in the following details for the custom token in this chapter and then click the Next button at the top of the page.
      Profile name: unique_relyingparty-name
      Default token to issue: email
   b. Click the Token and Attributes tab, perform Steps 2c and 2d, and then click Apply.
If you don't have a Username Validation Template (username-wss-valid-template), use the Oracle Access Management Console to create one to map the token to the requester.
Validation Template Name: username-wss-valid-template
Token Type: Username
To create a /wssuser endpoint, follow this procedure. You can create an endpoint from the Security Token Service section.
To create an endpoint:
1. In the Oracle Access Management Console Launch Pad, click Federation at the top of the window.
2. Select Endpoints from the View drop-down menu in the Security Token Service section.
3. New Endpoint:
   a. Click the Add (+) button above the table (or choose New Endpoint from the Actions menu).
   b. Enter the new Endpoint URI: /wssuser
   c. Choose the Oracle WSM policy: sts/wss_username_service_policy
   d. Choose the Validation Template: username-wss-valid-template (the Username Validation Template created above).
   e. Click Apply to submit the definition and dismiss the confirmation window (or click Revert to dismiss the page without submitting it).
   f. Close the page.
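The procedures above (Requester Profile, Relying Party Profile and Endpoint) wire objects together by name: a requester profile points at a validation template, a relying party profile at an issuance template, and an endpoint at a validation template. A token request fails at whichever link names a template that was never created or that handles a different token type, so it is worth checking every cross-reference once the configuration is entered. The following Python script is an added example, not Oracle code and not an export format of Oracle Access Management: it models the chapter's configuration as plain dictionaries (the dictionary layout is an assumption made for this example), checks each reference, and reports a second, deliberately misconfigured variant whose endpoint names a mistyped template (username-wss-validation-template, a constructed typo).

```python
"""Cross-reference check for a Security Token Service configuration.

Added example, not Oracle code: the objects this chapter configures in the
Oracle Access Management Console (validation templates, issuance templates,
requester profiles, relying party profiles and endpoints) are modelled here as
plain dictionaries. The dictionary layout is an assumption made for this
example, not an export format of the product.
"""
import copy
from dataclasses import dataclass


@dataclass
class StsConfig:
    # validation template name -> token type it validates
    validation_templates: dict
    # issuance template name -> token type it issues
    issuance_templates: dict
    # requester profile name -> {"token_types": {token type: validation template},
    #                            "default_relying_party": relying party profile name}
    requester_profiles: dict
    # relying party profile name -> {"default_token": token type,
    #                                "token_types": {token type: issuance template}}
    relying_party_profiles: dict
    # endpoint URI -> {"policy": Oracle WSM policy name, "validation_template": name}
    endpoints: dict


def check_config(cfg: StsConfig) -> list:
    """Return the problems found; an empty list means every reference resolves."""
    problems = []

    for name, profile in cfg.requester_profiles.items():
        # Each accepted token type maps to a validation template, which must exist
        # and must validate that token type.
        for token_type, vt_name in profile["token_types"].items():
            vt_type = cfg.validation_templates.get(vt_name)
            if vt_type is None:
                problems.append(f"requester profile {name}: validation template {vt_name} does not exist")
            elif vt_type != token_type:
                problems.append(f"requester profile {name}: {vt_name} validates {vt_type}, not {token_type}")
        rp = profile.get("default_relying_party")
        if rp is not None and rp not in cfg.relying_party_profiles:
            problems.append(f"requester profile {name}: relying party profile {rp} does not exist")

    for name, profile in cfg.relying_party_profiles.items():
        # The default token needs a Token Type Configuration entry, and each entry's
        # issuance template must exist and issue that token type.
        default = profile["default_token"]
        if default not in profile["token_types"]:
            problems.append(f"relying party profile {name}: no Token Type Configuration for default token {default}")
        for token_type, it_name in profile["token_types"].items():
            it_type = cfg.issuance_templates.get(it_name)
            if it_type is None:
                problems.append(f"relying party profile {name}: issuance template {it_name} does not exist")
            elif it_type != token_type:
                problems.append(f"relying party profile {name}: {it_name} issues {it_type}, not {token_type}")

    for uri, endpoint in cfg.endpoints.items():
        # An endpoint validates incoming tokens with the template it names.
        if endpoint["validation_template"] not in cfg.validation_templates:
            problems.append(f"endpoint {uri}: validation template {endpoint['validation_template']} does not exist")

    return problems


def chapter_config() -> StsConfig:
    """The configuration this chapter builds, as constructed sample data."""
    return StsConfig(
        validation_templates={"email-wstrust-valid-temp": "email",
                              "username-wss-valid-template": "Username"},
        issuance_templates={"email-issuance-temp": "email"},
        requester_profiles={"unique_requesterprofile_name": {
            "token_types": {"email": "email-wstrust-valid-temp"},
            "default_relying_party": "unique_relyingparty_name"}},
        relying_party_profiles={"unique_relyingparty_name": {
            "default_token": "email",
            "token_types": {"email": "email-issuance-temp"}}},
        endpoints={"/wssuser": {"policy": "sts/wss_username_service_policy",
                                "validation_template": "username-wss-valid-template"}},
    )


def mistyped_endpoint_config() -> StsConfig:
    """Same configuration, but the endpoint names a template that was never
    created (a constructed typo: 'validation' instead of 'valid')."""
    cfg = copy.deepcopy(chapter_config())
    cfg.endpoints["/wssuser"]["validation_template"] = "username-wss-validation-template"
    return cfg


if __name__ == "__main__":
    for label, cfg in (("chapter", chapter_config()), ("mistyped", mistyped_endpoint_config())):
        print(label, check_config(cfg) or ["ok"])
```

Run stand-alone, the script reports no problems for the chapter's configuration and a single problem for the mistyped variant, naming the /wssuser endpoint and the template it cannot find. The same check applies when a requester profile's Token Type Configuration points at a template for a different token type, which the type comparison catches.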