Oracle Access Management 11g Release 2 features an optional plug-in that provisions a missing identity during a federated SSO operation.
The following topics describe how to use a provisioning plug-in:
When a federated SSO transaction is initiated, the processing flows as follows:
The IdP authenticates a user and sends an assertion to Oracle Access Management Identity Federation.
Acting as SP, Identity Federation maps the user to the local identity store.
If the user does not exist in the local store, the mapping fails.
Resolving this issue requires you to provision the user so the transaction can continue.
To handle the identity mapping failure, Identity Federation lets you set up a plug-in, known as the default provisioning plug-in, that provisions the missing user in the identity store so the federated single sign-on can proceed.
The user is provisioned in the identity store associated with the IdP partner. You can specify the list of attributes the plug-in uses when provisioning the user, as explained in the next section.
You can enable this default provisioning plug-in from the plug-in configuration interface.
To use the default provisioning plug-in:
KEY_USER_RECORD_ATTRIBUTE_LIST - The list of attributes with which the user should be provisioned. These attributes are available as part of the assertion, for example:
KEY_PROVIDERID_ATTRIBUTE_NAME - The tenant ID attribute name in the identity store, which Identity Federation populates at run time with the tenant name. (optional)
KEY_USERID_ATTRIBUTE_NAME - The attribute name to use for the userid value from the assertion attributes. (optional)
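The following is an added model of the SP-side mapping and provisioning step described above; it is not Oracle's plug-in code or API. The store contents, the partner name, the attribute names (mail, givenname, sn, uid, tenantid) and the sample assertion are constructed assumptions; only the three configuration keys come from this page.

```python
"""Model of identity mapping with a default provisioning plug-in (constructed example)."""
from dataclasses import dataclass, field

# Constructed plug-in configuration; key names are those documented above.
PLUGIN_CONFIG = {
    "KEY_USER_RECORD_ATTRIBUTE_LIST": ["mail", "givenname", "sn"],
    "KEY_PROVIDERID_ATTRIBUTE_NAME": "tenantid",  # optional
    "KEY_USERID_ATTRIBUTE_NAME": "uid",           # optional
}


@dataclass
class IdentityStore:
    """Identity store associated with one IdP partner (assumed in-memory)."""
    users: dict = field(default_factory=dict)  # userid -> attribute record

    def lookup(self, userid):
        return self.users.get(userid)


def provision_user(store, partner_name, userid, assertion_attrs, config):
    """Create the missing user from the assertion, honouring the plug-in config."""
    record = {}
    # Only attributes named in KEY_USER_RECORD_ATTRIBUTE_LIST are copied; any other
    # attribute the IdP asserted is ignored rather than written to the store.
    for name in config["KEY_USER_RECORD_ATTRIBUTE_LIST"]:
        if name in assertion_attrs:
            record[name] = assertion_attrs[name]
    userid_attr = config.get("KEY_USERID_ATTRIBUTE_NAME")
    if userid_attr:
        record[userid_attr] = userid
    tenant_attr = config.get("KEY_PROVIDERID_ATTRIBUTE_NAME")
    if tenant_attr:
        record[tenant_attr] = partner_name  # tenant name filled in at run time
    store.users[userid] = record
    return record


def map_or_provision(store, partner_name, userid, assertion_attrs, config,
                     plugin_enabled=True):
    """Return (outcome, record); outcome is 'mapped', 'provisioned' or 'failed'."""
    existing = store.lookup(userid)
    if existing is not None:
        return "mapped", existing
    if not plugin_enabled:
        return "failed", None  # mapping failure ends the federated SSO transaction
    return "provisioned", provision_user(store, partner_name, userid,
                                         assertion_attrs, config)
```

A second SSO for the same user maps to the record created on the first one, while an asserted attribute outside the configured list (such as a group membership) never reaches the store.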
A custom provisioning plug-in is also available with Identity Federation.
To switch from the default plug-in to the custom plug-in, follow the guidelines in the Developing a Custom User Provisioning Plug-in chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Access Management.
When you use the custom plug-in, set the plug-in name with the WLST command: