46.3 Managing Token Service Partners

The following topics describe how to manage Token Service partners:

46.3.1 New Requester Partner Page

When you choose to create a new partner, a fresh page appears for the specific Partner Type you selected.

Figure 46-1 shows the New Requester partner page in the Oracle Access Management Console, which includes all Partner elements.

Figure 46-1 New Requester Partner Page

While most elements are common to all partners (name, description, and whether this partner is trusted), certain elements depend upon the specific partner type.

Table 46-5 describes the partner elements for each partner type.

Table 46-5 Partner Elements for Partner Types

Partner Type Description

Requester partners

Can specify an encryption certificate and a signing certificate, as well as Token Authentication and Identity Attributes.

Relying Party partners

Can specify only an encryption certificate and Resource URLs.

See Figure 46-2

Issuing Authority partners

Can specify only a signing certificate.

Figure 46-2 New Relying Party Partners Page

Table 46-6 describes elements for Security Token Service partners.

Unless explicitly stated otherwise, all elements apply to every partner type.

Table 46-6 Elements for Security Token Service Partners

Element Description

Partner Name

Enter a name for this partner.

Issuer ID

Issuing Authority Only

Unique identifier used in SAML Assertion Issuer field referencing this Issuing Authority.

Partner Type

Uneditable description, depending upon the type of partner you are creating or editing:

  • Requester

  • Relying Party

  • Issuing Authority

Partner Profile

Choose from the profiles listed to define your chosen partner.

Description

Optional.

Trusted

Check this box to indicate whether or not the partner is trusted. If not checked, the Security Token Service server will report an error when a request involves such an entry.

Load Certificate

Browse for and upload the requested certificates, which depend on partner type:

  • Encryption and signing certificates

  • Encryption certificate

  • Signing certificate

Username Token Authentication

Requester only

Values can be entered for the following for Username Token Authentication:

  • Username

  • Password

  • Confirm Password

New Requester Partner Identification Attributes can be defined in the STS Settings section and will appear in the requester partner Identity Attributes table.

Note: The username and password data will be used to validate the credentials of a username token. It is also possible to enter only a username and no password, in which case the data will be used only to map an incoming token to this requester partner using the username.

Identity Attributes

Requester only

At runtime, Security Token Service will use the data defined in this section to map an incoming request to a requester partner entry, using:

  • The token data or binding data such as the SSL Client Certificate's Subject DN if present, or HTTP Basic Authentication username.

  • The identity attributes present in each requester partner entry.

New mappings can be added in the Relying Party Partner section, for example http://relying.party.test.com/testing.service. At runtime, the Security Token Service server will use those URLs to map the AppliesTo service location contained in a WS-Trust request to a Relying Party Partner.

Resource URL

Relying Party only

Enter the resource URL in the resource pattern column of the table, and enter a description beside it. For instance:

Pattern:

http://relying.party.test.com/testing/service

The resource URL listed in the table will be used when mapping the AppliesTo location element from the WS-Trust request to this Relying Party Partner.

The AppliesTo location value is mapped to this Relying Party Partner when either of the following is true:

  • A Resource URL matches the AppliesTo location value exactly. For example, the AppliesTo location is http://relying.party.test.com/testing/service and the Resource URL is also http://relying.party.test.com/testing/service.

  • A Resource URL is the parent of the AppliesTo location value. For example, the AppliesTo location is http://relying.party.test.com/testing/service and the Resource URL is http://relying.party.test.com/testing, or the Resource URL is http://relying.party.test.com/.
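The two mapping rules described in Table 46-6, Requester mapping through Username Token Authentication and Identity Attributes, and Relying Party mapping through exact-or-parent Resource URL matching, modelled in Python. This is an added example, not Oracle's implementation or any Security Token Service code: the partner records, the identity attribute name ssl-client-cert-dn, the order in which the username token and binding data are consulted, and the rule that the most specific Resource URL wins when several cover the AppliesTo location are all assumptions made for the example.

```python
"""Added example: STS-style partner resolution (not Oracle code; all data constructed)."""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class PartnerResolutionError(Exception):
    """Raised when no trusted partner matches the request, as the STS reports an error."""


@dataclass
class RequesterPartner:
    name: str
    trusted: bool = True
    username: Optional[str] = None  # Username Token Authentication entry
    password: Optional[str] = None  # None: username is used for mapping only
    identity_attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class RelyingPartyPartner:
    name: str
    resource_urls: List[str]
    trusted: bool = True


def resolve_requester(partners, username=None, password=None, binding_data=None):
    """Map an incoming request to a Requester partner.

    Assumed order: first the Username Token (partner username must match; if the
    partner also stores a password the token password must match it, otherwise the
    username alone maps the token), then binding data such as the SSL client
    certificate Subject DN compared against the partner's identity attributes.
    """
    binding_data = binding_data or {}
    for p in partners:
        matched = False
        if username is not None and p.username == username:
            if p.password is None:
                matched = True  # mapping only, no credential validation
            elif password is not None and compare_digest(p.password.encode(), password.encode()):
                matched = True
            else:
                raise PartnerResolutionError(f"bad credentials for requester {p.name}")
        elif binding_data and all(p.identity_attributes.get(k) == v for k, v in binding_data.items()):
            matched = True
        if matched:
            if not p.trusted:
                raise PartnerResolutionError(f"requester {p.name} is not trusted")
            return p
    raise PartnerResolutionError("no requester partner matches the request")


def _split(url):
    """Normalise a URL into (scheme, host, path segments) for comparison."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower(), [s for s in parts.path.split("/") if s]


def resource_url_covers(resource_url, applies_to):
    """True when resource_url equals applies_to or is one of its parents.

    Parent is judged on whole path segments, so .../testing covers
    .../testing/service but not .../testingfoo.
    """
    r_scheme, r_host, r_path = _split(resource_url)
    a_scheme, a_host, a_path = _split(applies_to)
    if (r_scheme, r_host) != (a_scheme, a_host):
        return False
    return a_path[: len(r_path)] == r_path


def resolve_relying_party(partners, applies_to):
    """Map the WS-Trust AppliesTo location to a Relying Party partner.

    Assumed tie-break: the Resource URL with the deepest path wins.
    """
    best, best_depth = None, -1
    for p in partners:
        for url in p.resource_urls:
            if resource_url_covers(url, applies_to):
                depth = len(_split(url)[2])
                if depth > best_depth:
                    best, best_depth = p, depth
    if best is None:
        raise PartnerResolutionError(f"no Resource URL covers {applies_to}")
    if not best.trusted:
        raise PartnerResolutionError(f"relying party {best.name} is not trusted")
    return best


# Constructed partner entries (not real deployment data).
REQUESTERS = [
    RequesterPartner("req-webapp", username="webapp", password="example-password"),
    RequesterPartner("req-batch", username="batch"),  # username-only mapping
    RequesterPartner("req-mtls", identity_attributes={"ssl-client-cert-dn": "CN=batch-client,O=Example"}),
    RequesterPartner("req-retired", trusted=False, username="old"),
]
RELYING_PARTIES = [
    RelyingPartyPartner("rp-site", ["http://relying.party.test.com/"]),
    RelyingPartyPartner("rp-testing", ["http://relying.party.test.com/testing"]),
]

if __name__ == "__main__":
    print(resolve_requester(REQUESTERS, username="batch").name)
    print(resolve_relying_party(RELYING_PARTIES, "http://relying.party.test.com/testing/service").name)
```

The segment-based parent check matters in practice: a Resource URL of http://relying.party.test.com/testing must not claim requests for http://relying.party.test.com/testingfoo, which a plain string-prefix comparison would allow.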

46.3.2 Managing a Token Service Partner

Users with valid Administrator credentials can create, find, edit, or delete a token service partner using Oracle Access Management Console.

Prerequisites

A partner profile must be defined for the type of partner you will create.

To manage a token service partner

  1. In the Oracle Access Management Console, click Federation at the top of the window.

  2. In the Federation console, select Partners from the View menu in the Security Token Service section.

  3. Select the desired partner type tab and proceed with the following steps as needed.

    • Requesters

    • Relying Parties

    • Issuing Authorities

  4. New Partner:

    1. Click the New [Partner Type] button to display a fresh page for your definition.

    2. Enter general information for the chosen partner type (Table 46-6).

    3. Trusted: Click to select (or leave blank if this is not a trusted partner).

    4. Certificates: Load any necessary certificates.

    5. Relying Party: Enter Resource URLs, if needed.

    6. Issuing Authority: Enter the Issuer ID of this Authority.

    7. Requester: Enter Username Token credentials, if needed.

    8. Click Save to submit (or click Cancel to dismiss the page) and then dismiss the confirmation window.

  5. Refine a Partner Search (see "Refining Partner Searches"):

    1. Perform Steps 1 and 2.

    2. Define your query and click the Search button.

    3. In the Search Results table, click the name of the partner to view, edit, or remove.

  6. Edit a Partner:

    1. In the Search Results table, click the name of the partner to edit and click the Edit button (or choose Edit from the Actions menu).

    2. Make desired changes to partner information (Table 46-6).

    3. Click Apply to submit the changes (or Revert to cancel changes) and then dismiss the confirmation window.

  7. Remove a Partner: Use the Search controls to refine and submit your query, as needed.

    1. In the Search Results table, highlight the row containing the partner to remove.

    2. Click the Delete (X) button (or choose Delete Selected from the Actions menu), then dismiss the confirmation window.

46.3.3 Refining Partner Searches

From the console Launch Pad, when you click Partners, all Partner types can be viewed from tabs. When you choose a specific Partner type, the relevant Search controls and the Search Results table become available.

Figure 46-3 illustrates the Requester Partner search page; only the results differ from those of the other Partner Types.

Figure 46-3 Partner Search Controls

From the Search page you can simply select a name in the Search Results table, or use the controls to refine your search to locate a specific Partner or Partners with specific characteristics.