5 Identity Federation WLST Commands

This chapter provides descriptions of custom WebLogic Scripting Tool (WLST) commands for Oracle Access Management Identity Federation (Identity Federation), including command syntax, arguments and examples.

The Identity Federation WLST commands are organized into two categories. The following sections list the Identity Federation WLST commands by category and contain links to the command reference details.

Note:

Identity Federation WLST commands take attributes specified as key-value pairs or only the value; Oracle Access Management Access Manager takes only key-value pairs. Thus, WLST examples in this document might be defined in either manner. This WLST example uses key-value pairs.

setIdPPartnerAttributeProfileEntry(attrProfileID="openid-idp-attribute-profile", messageAttributeName="http://axschema.org/namePerson", oamSessionAttributeName="name", requestFromIdP="true")

Identity Federation Commands

Use the WLST commands listed in Table 5-1 to configure federation partners and partner profiles.

Note:

The Identity Federation command definitions begin with "addWSFed11IdPFederationPartner."

Table 5-1 WLST Commands for Identity Federation

Use this command... | To... | Use with WLST...
addWSFed11IdPFederationPartner | Create a WS-Fed 1.1 IdP partner. | Online
addWSFed11SPFederationPartner | Create a WS-Fed 1.1 SP partner. | Online
addOpenID20IdPFederationPartner | Create an OpenID 2.0 IdP partner. | Online
addOpenID20SPFederationPartner | Create an OpenID 2.0 SP partner. | Online
addOpenID20GoogleIdPFederationPartner | Create a Google OpenID 2.0 IdP partner. | Online
addOpenID20YahooIdPFederationPartner | Create a Yahoo OpenID 2.0 IdP partner. | Online
addSAML11IdPFederationPartner | Create an IdP federation partner, including metadata, under the SAML 1.1 protocol. | Online
addSAML11SPFederationPartner | Create an SP federation partner, including metadata, under the SAML 1.1 protocol. | Online
addSAML20IdPFederationPartner | Create an IdP federation partner under the SAML 2.0 protocol. | Online
addSAML20SPFederationPartner | Create an SP federation partner under the SAML 2.0 protocol. | Online
addSAML20IdPFederationPartnerWithoutMetadata | Create an IdP federation partner under the SAML 2.0 protocol without importing metadata. | Online
addSAML20SPFederationPartnerWithoutMetadata | Create an SP federation partner under the SAML 2.0 protocol without importing metadata. | Online
configureIdPPartnerAttributeProfile | Configure an IdP partner attribute profile to specify whether incoming attributes that are not part of the profile should be ignored. | Online
configureSAML20Logout | Configure global federation logout for a SAML 2.0 federation partner. | Online
configureSAMLBinding | Configure the preferred binding for a SAML federation partner. | Online
configureUserSelfRegistration | Enable user self-registration. | Online
configureUserSelfRegistrationAttr | Set which attributes from the assertion should be used as email, first name, last name or username during self-registration. | Online
createAuthnSchemeAndModule | Create an authentication scheme and module for an IdP partner. | Online
createIdPPartnerAttributeProfile | Create an IdP partner attribute profile for a federation partner. | Online
createSPPartnerAttributeProfile | Create an SP partner attribute profile for a federation partner. | Online
deleteAuthnSchemeAndModule | Delete an authentication scheme and module for an IdP partner. | Online
deleteFederationPartner | Delete a specific federation partner. | Online
deleteFederationPartnerEncryptionCert | Delete the encryption certificate of a federation partner. | Online
deleteFederationPartnerSigningCert | Delete the signing certificate of a federation partner. | Online
deleteIdPPartnerAttributeProfile | Delete the attribute profile of an IdP federation partner. | Online
deleteSPPartnerAttributeProfile | Delete the attribute profile of an SP federation partner. | Online
deleteIdPPartnerAttributeProfileEntry | Delete an entry from the attribute profile of a federation partner. | Online
deleteSPPartnerAttributeProfileEntry | Delete an entry from the attribute profile of a federation partner. | Online
deletePartnerProperty | Delete a partner-specific property that was added to the partner's configuration. | Online
displayIdPPartnerAttributeProfile | Display an IdP federation partner's attribute profile. | Online
displaySPPartnerAttributeProfile | Display an SP federation partner's attribute profile. | Online
getAllFederationIdentityProviders | List all IdP federation partners. | Online
getFederationPartnerEncryptionCert | Retrieve the encryption certificate for a federation partner. | Online
getFederationPartnerSigningCert | Retrieve the signing certificate for a federation partner. | Online
getIdPPartnerBasicAuthCredentialUsername | Retrieve the HTTP basic authentication username for a federation partner. | Online
getPartnerProperty | Retrieve a property for a federation partner. | Online
getStringProperty | Retrieve a string property from a federation partner profile. | Online
isFederationPartnerPresent | Check whether a partner is configured. | Online
listIdPPartnerAttributeProfileIDs | List an IdP partner's attribute profiles. | Online
listSPPartnerAttributeProfileIDs | List an SP partner's attribute profiles. | Online
putStringProperty | Set an OpenID partner as the default Federation IdP. | Online
setDefaultSSOIdPPartner | Set an IdP partner as the default identity provider for federation single sign-on. | Online
setFederationPartnerEncryptionCert | Set the encryption certificate for a federation partner. | Online
setFederationPartnerSigningCert | Set the signing certificate for a federation partner. | Online
setIdPPartnerAttributeProfile | Set the attribute profile to use during federated single sign-on with an IdP partner. | Online
setIdPDefaultScheme | Set the default OAM Authentication Scheme. | Online
setSPPartnerAttributeProfile | Set the attribute profile to use during federated single sign-on with an SP partner. | Online
setIdPPartnerAttributeProfileEntry | Set an entry in an IdP federation partner's profile. | Online
setSPPartnerAttributeProfileEntry | Set an entry in an SP federation partner's profile. | Online
setIdPPartnerBasicAuthCredential | Update a federation partner's HTTP basic auth credential. | Online
setIdPPartnerMappingAttribute | Set the attribute used for assertion mapping for a federation partner. | Online
setIdPPartnerMappingAttributeQuery | Set the attribute query used for assertion mapping for a federation partner. | Online
setIdPPartnerMappingNameID | Set the assertion mapping NameID value for an IdP federation partner. | Online
setPartnerAlias | Update a federation partner's alias name. | Online
setPartnerIDStoreAndBaseDN | Set a federation partner's identity store and base DN. | Online
setSPPartnerAlternateScheme | Configure an alternate Authentication Scheme. | Online
setSPPartnerDefaultScheme | Configure a default Authentication Scheme. | Online
setSPPartnerProfileDefaultScheme | Configure the profile with a default Authentication Scheme. | Online
setSPPartnerProfileAlternateScheme | Configure the profile for an alternate Authentication Scheme. | Online
updatePartnerMetadata | Update a federation partner's metadata. | Online
updatePartnerProperty | Update a property for a federation partner. | Online


Advanced Identity Federation Commands

The Advanced Identity Federation WLST commands have no corresponding administrative fields in the Oracle Access Management Console: administration of authentication mappings and partner profiles is available through WLST commands only. Table 5-2 lists the Advanced Identity Federation commands documented in this section. The commands are organized as follows.

  • Federation Service and Datastore

  • Federation Access Configuration

  • Attribute Sharing Configuration

  • Authentication Method Mapping Management - All Authentication Method/Scheme/Level mappings are configured using WLST at the partner level or, if not defined at the partner level, at the partner profile level.

  • Partner Profile Management - All Partner Profile management is done with WLST.

  • Using WLST with SAML 1.1

Note:

The Advanced Identity Federation command definitions begin with "configureFederationService."

Table 5-2 Advanced Identity Federation WLST Commands

Use this command... | To...

Federation Service and Datastore
configureFederationService | Enable or disable Federation Service features.
setFederationStore | Enable and configure the federation store.

Federation Access Configuration
configureIdPAuthnRequest | Configure an IdP partner or IdP partner profile for Force Authentication and/or IsPassive.
configureFedSSOAuthz | Enable or disable Authorization for Federation SSO.
configureFedDigitalSignature | Configure the hashing algorithm used in digital signatures.
configureFedSignEncKey | Configure the signing and/or encryption key alias to be used for digital signature and encryption operations.

Attribute Sharing Configuration
configureAttributeSharingSPPartnerNameIDMapping | Configure the NameID to user store attribute mapping to be used during Attribute Sharing.
configureAttributeSharingIdPPartner | Configure the default Attribute Sharing NameID and NameID format for the IdP partner.
configureAttributeSharingUserDNToIdPPartnerMapping | Configure Attribute Sharing DN to IdP mappings.
configureAttributeSharing | Configure the Attribute Sharing feature by setting a default attribute authority.
removeAttributeSharingFromAuthnModule | Remove the Attribute Sharing plug-in from the Authentication Module.
configureAttributeSharingPlugin | List the Federated Authentication Method mappings for a specific Partner Profile.
insertAttributeSharingInToAuthnModule | Insert the attribute sharing step into the Authentication Module flow.

Authentication Method Mapping Management
setSPPartnerAlternateScheme | Provide a way to authenticate clients with an alternate Authentication Scheme (Partner).
setSPPartnerDefaultScheme | Define the default Authentication Scheme for the SP partner.
setSPPartnerProfileAlternateScheme | Provide a way to authenticate clients with an alternate Authentication Scheme (Partner Profile).
setSPPartnerProfileDefaultScheme | Set the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile.
addSPPartnerAuthnMethod | Define a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner.
addSPPartnerProfileAuthnMethod | Define a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner Profile.
addIdPPartnerAuthnMethod | Set the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner.
addIdPPartnerProfileAuthnMethod | Set the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile.
listPartnerAuthnMethods | List the Federated Authentication Method mappings for a specific Partner.
listPartnerProfileAuthnMethods | List the Federated Authentication Method mappings for a specific Partner Profile.
removePartnerAuthnMethod | Remove the mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific Partner.
removePartnerProfileAuthnMethod | Remove the mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific Partner.
setIdPPartnerRequestAuthnMethod | Set the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner.
setIdPPartnerProfileRequestAuthnMethod | Set the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner Profile.
useProxiedFedAuthnMethod | Configure the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO.

Partner Profile Management
createFedPartnerProfileFrom | Create a Federation Partner Profile based on the specified existing one.
deleteFedPartnerProfile | Delete the specified Federation Partner Profile.
displayFedPartnerProfile | Display the properties defined in the specified Federation Partner Profile.
listFedPartnerProfiles | List all of the existing Federation Partner Profiles.
listFedPartnersForProfile | List the partners bound to the specified Federation Partner Profile.
getFedPartnerProfile | Get the ID of the Partner Profile bound to the specified partner.
setFedPartnerProfile | Set the Federation Partner Profile ID for the specified partner.

Using WLST with SAML 1.1

When an IdP partner is configured for SAML 1.1, the following URL is used by the SP to start the SSO process.

http://idphost:idpport/ssourl?TARGET=targeturl&providerid=http://spproviderid

By using these WLST commands, the URL can be populated with the applicable information.

idpinitiatedssoprovideridparam | Value used by the peer provider to identify the provider ID of the SP.
idpinitiatedssotargetparam | Sets the target URL for the specified SP partner.
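As an added illustration of the URL shape above (this is not Oracle's code and not the product's own parameter handling), the following stand-alone Python builds such an IdP-initiated SSO URL from the IdP's SSO URL, the target URL and the SP provider ID, reads the two parameters back, and applies a check the page does not describe: that a TARGET is an absolute http(s) URL pointing at a host you expect. The parameter names default to TARGET and providerid as in the URL above but can be overridden, which is what idpinitiatedssotargetparam and idpinitiatedssoprovideridparam let you change per SP partner. Host names, ports and paths are constructed sample values.

```python
"""Build, parse and sanity-check a SAML 1.1 IdP-initiated SSO URL.
Added illustration; the hosts and paths below are constructed."""
from urllib.parse import parse_qs, urlencode, urlsplit


def build_idp_initiated_sso_url(sso_url, target_url, sp_provider_id,
                                target_param="TARGET", providerid_param="providerid"):
    """Append the target and provider-ID parameters to the IdP's SSO URL.

    urlencode percent-encodes both values, so a target URL that carries its own
    query string survives the round trip instead of being split into extra parameters."""
    query = urlencode([(target_param, target_url), (providerid_param, sp_provider_id)])
    separator = "&" if "?" in sso_url else "?"
    return sso_url + separator + query


def parse_idp_initiated_sso_url(url, target_param="TARGET", providerid_param="providerid"):
    """Return (target_url, sp_provider_id); a missing parameter yields None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    target_url = params.get(target_param, [None])[0]
    sp_provider_id = params.get(providerid_param, [None])[0]
    return target_url, sp_provider_id


def target_allowed(target_url, allowed_hosts):
    """Added check (assumption, not on the page): only accept a TARGET that is an
    absolute http(s) URL whose host is one of the hosts users may be sent to."""
    parts = urlsplit(target_url or "")
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed sample values.
    url = build_idp_initiated_sso_url("http://idp.example.test:7777/ssourl",
                                      "https://sp.example.test/app?x=1",
                                      "http://sp.example.test")
    print(url)
    print(parse_idp_initiated_sso_url(url))
    print(target_allowed(parse_idp_initiated_sso_url(url)[0], {"sp.example.test"}))
```

The same two functions work unchanged when a partner's parameter names have been changed through the properties above: pass the configured names as target_param and providerid_param.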

 

The following SAML 1.1 configuration parameters are not exposed through the Oracle Access Management Console. The values of these parameters can be modified using WLST.

deletePartnerProperty | Delete a partner property.
getPartnerProperty | Retrieve a partner property.
updatePartnerProperty | Update a partner property.

Subject Confirmation Check

subjectconfirmationcheck | Enables or disables the subject confirmation data check in the SAML assertion.

addWSFed11IdPFederationPartner

Creates a WS-Federation 1.1 IdP partner.

Description

Creates an IdP partner under the WS-Federation 1.1 protocol. The NameID will be mapped to the LDAP user mail attribute.

Syntax

addWSFed11IdPFederationPartner(partnerName, ssoURL, providerID, description)

Argument | Definition
partnerName | The name of the partner to be created.
ssoURL | The Identity Realm Secure Token URL where users will be redirected at the IdP for WS-Federation 1.1 operations.
providerID | Provider ID/Issuer used in the SAML Assertion.
description | The description of the partner. Optional.

Example

addWSFed11IdPFederationPartner("testpartner1", "http://idp.com/wsfed11",
 "http://idp.com", description="WS-Fed IdP1")

addWSFed11SPFederationPartner

Creates a WS-Federation 1.1 SP partner.

Description

Creates an SP partner under the WS-Federation 1.1 protocol.

Syntax

addWSFed11SPFederationPartner(partnerName, realm, ssoURL, samlVersion, msftADFSCompatible, description)

Argument | Definition
partnerName | The name of the partner to be created.
realm | The realm identifier for this SP partner. It will be used in the WS-Federation 1.1 protocol exchange.
ssoURL | The Identity Realm Secure Token URL where users will be redirected at the SP for WS-Federation 1.1 operations.
samlVersion | The optional SAML version indicating what kind of Assertion to issue. Takes a value of saml11 (default) or saml20.
msftADFSCompatible | An optional boolean indicating whether the issued SSO Response should be in the Microsoft ADFS compatible format (WS-Trust 1.2 or WS-Trust 1.3).
description | The description of the partner. Optional.

Example

addWSFed11SPFederationPartner("testpartner1", "http://sp.com",
 "http://sp.com/wsfed11", description="Test SP1")

addOpenID20IdPFederationPartner

Creates an OpenID 2.0 IdP partner.

Description

Creates an IdP partner under the OpenID 2.0 protocol.

Syntax

addOpenID20IdPFederationPartner(partnerName, idpSSOURL, discoveryURL, description)

Argument | Definition
partnerName | The name of the partner to be created.
idpSSOURL | The initiate SSO URL of the IdP. Can be set to "" if the discovery URL is specified and intended to be used.
discoveryURL | The OpenID discovery URL of the IdP.
description | The description of the partner. Optional.

Example

addOpenID20IdPFederationPartner("testpartner1", "", 
 "http://host:port/discoveryurl", description="Test IdP1")

addOpenID20SPFederationPartner

Creates an OpenID 2.0 SP partner.

Description

Creates an SP partner under the OpenID 2.0 protocol.

Syntax

addOpenID20SPFederationPartner(partnerName, realm, ssoURL, description)

Argument | Definition
partnerName | The name of the partner to be created.
realm | The realm for the SP (RP).
ssoURL | The endpoint URL of the SP (RP).
description | The description of the partner. Optional.

Example

addOpenID20SPFederationPartner(partnerName="partnerID", 
 realm="http://realm.domain.com", ssoURL="http://host:port/endpoint", 
 description="some description")

addOpenID20GoogleIdPFederationPartner

Creates an IdP partner with the name google.

Description

Creates an IdP partner with the name google using a discovery URL https://www.google.com/accounts/o8/id.

Syntax

addOpenID20GoogleIdPFederationPartner()

Example

addOpenID20GoogleIdPFederationPartner()

addOpenID20YahooIdPFederationPartner

Creates an IdP partner with the name yahoo.

Description

Creates an IdP partner with the name yahoo using the discovery URL https://open.login.yahooapis.com/openid20/user_profile/xrds.

Syntax

addOpenID20YahooIdPFederationPartner()

Example

addOpenID20YahooIdPFederationPartner()

addSAML11IdPFederationPartner

Creates a SAML 1.1 IdP federation partner.

Description

Creates a SAML 1.1 IdP federation partner.

Syntax

addSAML11IdPFederationPartner(partnerName, providerID, ssoURL, soapURL, succinctID, description)

Argument | Definition
partnerName | The name of the partner to be created.
providerID | The providerID of the partner.
ssoURL | The initiate SSO URL of the IdP.
soapURL | The artifact resolution SOAP endpoint URL of the IdP.
succinctID | The succinctID of the provider.
description | The description of the partner. Optional.

Example

addSAML11IdPFederationPartner(partnerName="partnerID",
providerID="providerA", ssoURL="http://host:port/saml11sso",
soapURL="http://host:port/soapurl", succinctID="1234", 
description="somedescription")

addSAML11SPFederationPartner

Creates a SAML 1.1 SP federation partner.

Description

Creates a SAML 1.1 SP federation partner.

Syntax

addSAML11SPFederationPartner(partnerName, providerID, ssoURL, description)

Argument | Definition
partnerName | The name of the partner to be created.
providerID | The providerID of the partner.
ssoURL | The initiate SSO URL of the IdP.
description | The description of the partner. Optional.

Example

addSAML11SPFederationPartner(partnerName="partnerID", providerID="providerA", 
ssoURL="http://host:port/saml11sso", description="somedescription")

addSAML20IdPFederationPartner

Creates a SAML 2.0 IdP Federation partner.

Description

Creates a federation partner as an identity provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.

Syntax

addSAML20IdPFederationPartner(partnerName, metadataFile, description)

Argument | Definition
partnerName | The name of the partner to be created.
metadataFile | The location of the metadata file (full path).
description | The description of the partner. Optional.

Example

addSAML20IdPFederationPartner(partnerName="partnerID", 
metadataFile="location_metadata_file", description="somedescription")

addSAML20SPFederationPartner

Creates a SAML 2.0 SP Federation partner.

Description

Creates a federation partner as a service provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.

Syntax

addSAML20SPFederationPartner(partnerName, metadataFile, description)

Argument | Definition
partnerName | The name of the partner to be created.
metadataFile | The location of the metadata file (full path).
description | The description of the partner. Optional.

Example

addSAML20SPFederationPartner(partnerName="partnerID", 
metadataFile="location_metadata_file", description="somedescription")

addSAML20IdPFederationPartnerWithoutMetadata

Creates a SAML20 IdP federation partner without SAML 2.0 metadata.

Description

Creates a SAML20 IdP federation partner without loading SAML 2.0 metadata.

Syntax

addSAML20IdPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, soapURL, succinctID, description)

Argument | Definition
partnerName | The name of the federation partner to be created.
providerID | The providerID of the partner.
ssoURL | The initiate SSO URL of the IdP.
soapURL | The artifact resolution SOAP endpoint URL of the IdP.
succinctID | The succinctID of the provider.
description | The description of the partner. Optional.

Example

addSAML20IdPFederationPartnerWithoutMetadata(partnerName="partnerName",
 providerID="http://host:port", ssoURL="http://host:port/saml/sso",
 soapURL="http://host:port/saml/soap", description="some description")

addSAML20SPFederationPartnerWithoutMetadata

Creates a SAML20 SP federation partner without SAML 2.0 metadata.

Description

Creates a SAML20 SP federation partner without loading SAML 2.0 metadata.

Syntax

addSAML20SPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, description)

Argument | Definition
partnerName | The name of the federation partner to be created.
providerID | The providerID of the partner.
ssoURL | The initiate SSO URL of the IdP.
description | The description of the partner. Optional.

Example

addSAML20SPFederationPartnerWithoutMetadata(partnerName="partnerName",
 providerID="http://host:port", ssoURL="http://host:port/saml/sso",
 description="somedescription")

configureIdPPartnerAttributeProfile

Configures an IdP partner attribute profile to process incoming attributes.

Description

Configures an IdP partner attribute profile to process or ignore incoming attributes not defined in the profile.

Syntax

configureIdPPartnerAttributeProfile(attrProfileID, ignoreUnmappedAttributes)

Argument | Definition
attrProfileID | The identifier referencing the IdP partner attribute profile to configure.
ignoreUnmappedAttributes | Determines whether incoming attributes that are not defined in the profile should be ignored. Valid values are true (ignore) and false (process, the default).


Example

configureIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile", 
ignoreUnmappedAttributes="false")
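As an added illustration (this is not Oracle's code and not how the product stores its configuration), the following stand-alone Python models what an IdP partner attribute profile does to the attributes of an incoming assertion: entries of the kind created with setIdPPartnerAttributeProfileEntry rename a message attribute to its OAM session attribute name, and the ignoreUnmappedAttributes switch of configureIdPPartnerAttributeProfile decides whether attributes with no entry are dropped or processed. The profile ID, the entries and the incoming attribute set are constructed sample values, and the behaviour for a processed but unmapped attribute (kept under its message name) is my assumption.

```python
"""Stand-alone model of an IdP partner attribute profile.
Illustration only; not the product's implementation."""
from dataclasses import dataclass, field


@dataclass
class IdPPartnerAttributeProfile:
    """Entries map messageAttributeName -> oamSessionAttributeName; ignore_unmapped
    mirrors the ignoreUnmappedAttributes setting (documented default: false)."""
    attr_profile_id: str
    entries: dict = field(default_factory=dict)
    ignore_unmapped: bool = False

    def set_entry(self, message_attribute_name, oam_session_attribute_name):
        # Like setIdPPartnerAttributeProfileEntry: the assertion attribute named
        # message_attribute_name is stored in the session as oam_session_attribute_name.
        self.entries[message_attribute_name] = oam_session_attribute_name

    def delete_entry(self, message_attribute_name):
        # Like deleteIdPPartnerAttributeProfileEntry; deleting a missing entry is a no-op here.
        self.entries.pop(message_attribute_name, None)

    def configure(self, ignore_unmapped_attributes):
        # Like configureIdPPartnerAttributeProfile, which takes the strings "true" / "false".
        value = str(ignore_unmapped_attributes).strip().lower()
        if value not in ("true", "false"):
            raise ValueError("ignoreUnmappedAttributes must be true or false, got %r"
                             % (ignore_unmapped_attributes,))
        self.ignore_unmapped = (value == "true")

    def apply(self, assertion_attributes):
        """Return the session attributes derived from the incoming assertion attributes."""
        session = {}
        for message_name, value in assertion_attributes.items():
            if message_name in self.entries:
                session[self.entries[message_name]] = value
            elif not self.ignore_unmapped:
                # Assumption: a processed but unmapped attribute keeps its message name.
                session[message_name] = value
        return session


def demo():
    """Run one constructed assertion through both settings of the switch."""
    profile = IdPPartnerAttributeProfile("idp-attribute-profile")
    profile.set_entry("http://axschema.org/namePerson", "name")
    profile.set_entry("mail", "email")
    # Constructed sample: attributes as they arrive from a partner IdP.
    incoming = {
        "http://axschema.org/namePerson": "Alice Example",
        "mail": "alice@example.test",
        "memberOf": "cn=finance",   # no profile entry for this attribute
    }
    profile.configure("false")        # process unmapped attributes (the default)
    processed = profile.apply(incoming)
    profile.configure("true")         # ignore unmapped attributes
    filtered = profile.apply(incoming)
    return processed, filtered


if __name__ == "__main__":
    print(demo())
```

With the default of false, every attribute the partner sends is processed; setting ignoreUnmappedAttributes to true limits what reaches the session to the entries you deliberately mapped, which is the setting to prefer when the partner is not fully trusted to send only the attributes you expect.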

configureSAML20Logout

Configures global federation logout for a SAML 2.0 partner.

Description

Configures global federation logout for a SAML 2.0 federation partner.

Syntax

configureSAML20Logout(partnerName, partnerType, enable, saml20LogoutRequestURL, saml20LogoutResponseURL, soapURL)

Argument | Definition
partnerName | The ID of the partner to be updated.
partnerType | Whether the partner is a service provider or an identity provider. Valid values are sp, idp.
enable | Enable or disable global logout for that partner. Valid values are true (enable), false (disable).
saml20LogoutRequestURL | The SAML 2.0 logout request service URL. Optional if the partner was created using metadata, or if logout is disabled.
saml20LogoutResponseURL | The SAML 2.0 logout response service URL. Optional if the partner was created using metadata, or if logout is disabled.
soapURL | The SAML 2.0 SOAP Service URL. Optional if the partner was created using metadata, if logout is disabled, or if SOAP logout is not supported.

Example

configureSAML20Logout(partnerName="partnerID", partnerType="sp", enable="true",
saml20LogoutRequestURL="http://host:port/saml/logoutrequest",
saml20LogoutResponseURL="http://host:port/saml/logoutresponse",
soapURL="http://host:port/saml/soap")

configureSAMLBinding

Specifies the binding for a SAML partner.

Description

Configures the preferred binding for a SAML Partner.

Syntax

configureSAMLBinding(partnerName, partnerType, binding, ssoResponseBinding="httppost")

Argument | Definition
partnerName | The name of the partner to be configured.
partnerType | Indicates whether the partner is a service provider or an identity provider. Valid values are sp, idp.
binding | The binding to use for messages other than SSO responses (authentication requests, logout messages). Valid values are httppost for the HTTP-POST binding and httpredirect for the HTTP-Redirect binding.
ssoResponseBinding | Optional. The binding to use for the SSO response. Valid values are httppost for the HTTP-POST binding (the default), httpredirect for the HTTP-Redirect binding and artifact for the Artifact binding.

Example

configureSAMLBinding(partnerName="partnerID", 
partnerType="sp", binding="httpredirect", ssoResponseBinding="httppost")

configureUserSelfRegistration

Enables the user self-registration module.

Description

Enables the user self-registration module.

Syntax

configureUserSelfRegistration(enabled, registrationURL, regDataRetrievalAuthnEnabled, regDataRetrievalAuthnUsername, regDataRetrievalAuthnPassword, partnerName)

Argument | Definition
enabled | Indicates whether the user self-registration module is enabled. Takes a value of true or false.
registrationURL | The location to which the user will be redirected for self-registration. If partnerName is not specified and registrationURL is empty or missing, the current property is left unchanged. If partnerName is specified and registrationURL is empty or missing, this property is removed from the partner's configuration.
regDataRetrievalAuthnEnabled | Indicates whether authentication of the registration page is enabled when it contacts the server to retrieve registration data.
regDataRetrievalAuthnUsername | The username the registration page sends to the server when retrieving the registration data.
regDataRetrievalAuthnPassword | The password the registration page sends to the server when retrieving the registration data.
partnerName | The IdP partner for which to enable user self-registration. If missing, the configuration operation is global.

Example

configureUserSelfRegistration("true", regDataRetrievalAuthnEnabled="true", 
 regDataRetrievalAuthnUsername="username", 
 regDataRetrievalAuthnPassword="password")

configureUserSelfRegistrationAttr

Sets the attributes in an assertion that will be used as email, first name, last name and username.

Description

Sets the attributes in an assertion that will be used as email, first name, last name and username.

Syntax

configureUserSelfRegistrationAttr(registrationAttrName, assertionAttrNames, partnerName)

Argument | Definition
registrationAttrName | The self-registration page attribute to set. One of the following values: email, firstname, lastname or username.
assertionAttrNames | The attributes from the assertion that can be used to populate the self-registration page field specified by registrationAttrName, as a comma-separated list.
partnerName | The IdP partner for which to configure user self-registration. If missing, the configuration operation is global.

Example

configureUserSelfRegistrationAttr("email", "mail,fed.nameidvalue") 

The second parameter means that mail or fed.nameidvalue from the assertion can be used to populate the email attribute in the user's self registration page.
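As an added illustration of that fallback rule (this is not Oracle's code and not the product's registration page), the following stand-alone Python resolves each registration field from an assertion by trying the configured assertion attribute names in order, exactly as the "mail,fed.nameidvalue" example reads: mail first, then the NameID. The configuration dictionary, the attribute names other than those in the page's example, and the sample assertion are constructed; treating fed.nameidvalue as the key under which the assertion's NameID is exposed is taken from the example above.

```python
"""Stand-alone model of how the assertionAttrNames list given to
configureUserSelfRegistrationAttr is consulted when a registration field is
filled. Illustration only; not the product's implementation."""

REGISTRATION_ATTR_NAMES = ("email", "firstname", "lastname", "username")


def parse_assertion_attr_names(assertion_attr_names):
    """Turn 'mail,fed.nameidvalue' into ['mail', 'fed.nameidvalue'], dropping blanks."""
    return [name.strip() for name in assertion_attr_names.split(",") if name.strip()]


def resolve_registration_field(registration_attr_name, assertion_attr_names, assertion):
    """Pick the first listed assertion attribute that is present and non-empty.

    Returns (source_attribute_name, value), or (None, None) when none is available.
    `assertion` maps attribute names to values; the key fed.nameidvalue carries the
    assertion's NameID, as in the page's example."""
    if registration_attr_name not in REGISTRATION_ATTR_NAMES:
        raise ValueError("registrationAttrName must be one of %s"
                         % ", ".join(REGISTRATION_ATTR_NAMES))
    for name in parse_assertion_attr_names(assertion_attr_names):
        value = assertion.get(name)
        if value:
            return name, value
    return None, None


def build_registration_page_data(field_config, assertion):
    """field_config maps a registration field to its assertionAttrNames string,
    one entry per configureUserSelfRegistrationAttr call; returns field -> value."""
    return {field_name: resolve_registration_field(field_name, names, assertion)[1]
            for field_name, names in field_config.items()}


def demo():
    # Constructed configuration; the email entry matches the page's example.
    config = {
        "email": "mail,fed.nameidvalue",
        "firstname": "givenName",
        "lastname": "sn",
        "username": "uid,mail",
    }
    # Constructed assertion with no mail attribute: email falls back to the NameID,
    # and username stays empty because neither uid nor mail was sent.
    assertion = {"fed.nameidvalue": "alice@example.test",
                 "givenName": "Alice", "sn": "Example"}
    return build_registration_page_data(config, assertion)


if __name__ == "__main__":
    print(demo())
```

A field that resolves to None is one the registration page cannot pre-fill from this partner's assertion; listing a second source, as the page does with fed.nameidvalue, is how you avoid that for partners that omit an attribute.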

createAuthnSchemeAndModule

Creates an authentication scheme that uses an OpenID IdP.

Description

Creates an authentication scheme that uses an OpenID IdP to protect resources in Access Manager.

Syntax

createAuthnSchemeAndModule(partnerName)

Argument | Definition
partnerName | The name of the partner for which the scheme is to be created.

Example

createAuthnSchemeAndModule("testpartner")

createIdPPartnerAttributeProfile

Creates an IdP attribute profile.

Description

Creates an IdP partner attribute profile that will contain the name mapping rules used to process attributes in incoming SAML Assertions.

Syntax

createIdPPartnerAttributeProfile(attrProfileID)

Argument | Definition
attrProfileID | The identifier of the IdP attribute profile.

Example

createIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

createSPPartnerAttributeProfile

Creates an SP attribute profile.

Description

Creates an SP partner attribute profile that will contain the name mapping rules used to process attributes in SAML Assertions.

Syntax

createSPPartnerAttributeProfile(attrProfileID)

Argument | Definition
attrProfileID | The identifier of the SP attribute profile.

Example

createSPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")

deleteAuthnSchemeAndModule

Deletes an authentication scheme for an IdP.

Description

Deletes an authentication scheme for an IdP partner.

Syntax

deleteAuthnSchemeAndModule(partnerName)

Argument | Definition
partnerName | The name of the partner whose scheme is to be deleted.

Example

deleteAuthnSchemeAndModule("testpartner")

deleteFederationPartner

Deletes a federation partner.

Description

Deletes a federation partner from Access Manager.

Syntax

deleteFederationPartner(partnerName, partnerType)

Argument | Definition
partnerName | The ID of the partner to be deleted.
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp.


Example

deleteFederationPartner(partnerName="partnerID", partnerType="idp")

deleteFederationPartnerEncryptionCert

Deletes the encryption certificate of a partner.

Description

Deletes the encryption certificate of a federation partner.

Syntax

deleteFederationPartnerEncryptionCert(partnerName, partnerType)

Argument | Definition
partnerName | The ID of the partner whose encryption certificate is to be deleted.
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp.


Example

deleteFederationPartnerEncryptionCert(partnerName="customPartner", partnerType="idp")

deleteFederationPartnerSigningCert

Deletes the signing certificate of a partner.

Description

Deletes the signing certificate of a federation partner.

Syntax

deleteFederationPartnerSigningCert(partnerName, partnerType)

Argument | Definition
partnerName | The ID of the partner whose signing certificate is to be deleted.
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp.


Example

deleteFederationPartnerSigningCert(partnerName="customPartner",partnerType="idp")

deleteIdPPartnerAttributeProfile

Deletes an IdP partner attribute profile.

Description

Deletes an IdP partner attribute profile.

Syntax

deleteIdPPartnerAttributeProfile(attrProfileID)

Argument | Definition
attrProfileID | The identifier referencing the IdP partner attribute profile.

Example

deleteIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

deleteSPPartnerAttributeProfile

Deletes an SP partner attribute profile.

Description

Deletes an SP partner attribute profile.

Syntax

deleteSPPartnerAttributeProfile(attrProfileID)

Argument | Definition
attrProfileID | The identifier referencing the SP partner attribute profile.

Example

deleteSPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")

deleteIdPPartnerAttributeProfileEntry

Deletes an IdP Partner Attribute Profile entry.

Description

Deletes an attribute from the attribute profile.

Syntax

deleteIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)

Argument | Definition
attrProfileID | The identifier referencing the IdP partner attribute profile.
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message.

Example

deleteIdPPartnerAttributeProfileEntry(attrProfileID="idp-attribute-profile", 
messageAttributeName="first_name")

deleteSPPartnerAttributeProfileEntry

Deletes an SP Partner Attribute Profile entry.

Description

Deletes an attribute from the attribute profile.

Syntax

deleteSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)

Argument | Definition
attrProfileID | The identifier referencing the SP partner attribute profile.
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message.

Example

deleteSPPartnerAttributeProfileEntry(attrProfileID="sp-attribute-profile", 
 messageAttributeName="first_name") 

deletePartnerProperty

Deletes a partner property.

See Advanced Identity Federation Commands for information regarding SAML 1.1.

Description

Deletes a partner-specific property. Use this command only for a property that was added to the partner's configuration.

Syntax

deletePartnerProperty(partnerName,partnerType,propName)
Argument Definition
partnerName 
The ID of the partner to be updated.

Replace <partnerName> with the partner ID. The includecertinsignature property, when present on a partner, causes the certificate to be included with the signature; see Advanced Identity Federation Commands for information regarding SAML 1.1.

partnerType 
Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

propName 
The name of the configured property to be removed.

Example

deletePartnerProperty(partnerName="partner1025", partnerType="sp/idp", propName="includecertinsignature")

displayIdPPartnerAttributeProfile

Displays a partner attribute profile.

Description

Display the content of an IdP Partner Attribute Profile.

Syntax

displayIdPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID 
The identifier referencing the IdP partner attribute profile to be displayed.

Example

displayIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

displaySPPartnerAttributeProfile

Displays an SP partner attribute profile.

Description

Display the content of an SP Partner Attribute Profile.

Syntax

displaySPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID 
The identifier referencing the SP partner attribute profile to be displayed.

Example

displaySPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")

getAllFederationIdentityProviders

Lists all federation identity providers.

Description

Displays a list of all federation identity providers for Access Manager.

Syntax

getAllFederationIdentityProviders()

Example

getAllFederationIdentityProviders()

getAllFederationServiceProviders

Lists all federation service providers.

Description

Displays a list of all federation service providers for Access Manager.

Syntax

getAllFederationServiceProviders()

Example

getAllFederationServiceProviders()

getFederationPartnerEncryptionCert

Retrieves the encryption certificate for a partner.

Description

Retrieves the encryption certificate for a federation partner.

Syntax

getFederationPartnerEncryptionCert(partnerName, partnerType)
Argument Definition
partnerName 
The ID of the partner for which the encryption certificate will be retrieved.
partnerType 
Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.


Example

getFederationPartnerEncryptionCert(partnerName="customPartner",partnerType="idp")

getFederationPartnerSigningCert

Retrieves the signing certificate for a partner.

Description

Retrieves the signing certificate for a federation partner.

Syntax

getFederationPartnerSigningCert(partnerName, partnerType)
Argument Definition
partnerName 
The ID of the partner for which the signing certificate will be retrieved.
partnerType 
Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.


Example

getFederationPartnerSigningCert(partnerName="partnerID1", partnerType="idp")

getIdPPartnerBasicAuthCredentialUsername

Gets a partner's basic authentication username.

Description

Retrieves the HTTP basic authentication username for a federation partner.

Syntax

getIdPPartnerBasicAuthCredentialUsername(partnerName)
Argument Definition
partnerName 
The ID of the partner for which the username will be retrieved and displayed.

Example

getIdPPartnerBasicAuthCredentialUsername(partnerName="partnerID5")

getPartnerProperty

Retrieves a partner property.

Description

Retrieves a property for a federation partner.

Syntax

getPartnerProperty(partnerName, partnerType, propName)
Argument Definition
partnerName 
The ID of the partner for which the property will be retrieved.

Replace <partnerName> with the partner ID. The includecertinsignature property, when present on a partner, causes the certificate to be included with the signature; see Advanced Identity Federation Commands for information regarding SAML 1.1.

partnerType 
Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp.
propName 
The name of the property to retrieve.

Example

getPartnerProperty(partnerName="partnerID4", partnerType="sp", 
 propName="providertrusted")

getStringProperty

Retrieves a string property.

Description

Retrieves a string property for a federation partner profile.

If a Partner does not have an Attribute Profile assigned to it, the default Attribute Profile (based on whether the partner is an IdP or SP) will be used. The defaultattributeprofileidp and defaultattributeprofilesp properties in the fedserverconfig file reference the default profiles.

Syntax

getStringProperty("/fedserverconfig/<propertyName>")
Argument Definition
propertyName 
The name of the property to be retrieved.

Default Partner Profiles are available after installation and the following properties reference them. Default property values can be retrieved by replacing propertyName with one of the following:

  • defaultpartnerprofileidpsaml20: default Partner Profile for SAML 2.0 IdP Partners

  • defaultpartnerprofilespsaml20: default Partner Profile for SAML 2.0 SP Partners

  • defaultpartnerprofileidpsaml11: default Partner Profile for SAML 1.1 IdP Partners

  • defaultpartnerprofilespsaml11: default Partner Profile for SAML 1.1 SP Partners

  • defaultpartnerprofileidpopenid20: default Partner Profile for OpenID 2.0 IdP Partners

  • defaultpartnerprofilespopenid20: default Partner Profile for OpenID 2.0 SP Partners

  • defaultattributeprofileidp: default Attribute Profile for IdP Partners

  • defaultattributeprofilesp: default Attribute Profile for SP Partners


Example

getStringProperty("/fedserverconfig/defaultpartnerprofileidpopenid20")

isFederationPartnerPresent

Checks whether a partner is configured.

Description

Checks whether the specified federation partner is defined in Access Manager.

Syntax

isFederationPartnerPresent(partnerName, partnerType)
Argument Definition
partnerName 
The partner ID.
partnerType 
Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.


Example

isFederationPartnerPresent("partnerABC", "sp")

listIdPPartnerAttributeProfileIDs

Lists the IdP partner attribute profiles.

Description

List the identifiers of the existing IdP Partner Attribute Profiles.

Syntax

listIdPPartnerAttributeProfileIDs()

Example

listIdPPartnerAttributeProfileIDs()

listSPPartnerAttributeProfileIDs

Lists the SP partner attribute profiles.

Description

List the identifiers of the existing SP Partner Attribute Profiles.

Syntax

listSPPartnerAttributeProfileIDs()

Example

listSPPartnerAttributeProfileIDs()

putStringProperty

Puts a string value under a designated path in the OSTS configuration.

Description

Puts a string value under a designated path in the OSTS configuration.

Syntax

putStringProperty(path="/validationtemplates/username-wss-validation-template/StringNAME",value="TestString")
Argument Definition
path
Path inside the configuration where the String property will be put.
value 
The string.

Example

putStringProperty("/spglobal/defaultssoidp", "testpartner")

setDefaultSSOIdPPartner

Sets the IdP partner to serve as the default IdP for federated single sign-on (SSO).

Description

Sets the IdP partner that serves as the default IdP during federated SSO when the federation authentication plug-in does not select one at run time.

Syntax

setDefaultSSOIdPPartner(partnerName)
Argument Definition
partnerName 
ID of the partner which will serve as the default IdP for federated SSO.

Example

setDefaultSSOIdPPartner(partnerName="partner25")

setFederationPartnerEncryptionCert

Sets the encryption certificate for a partner.

Description

Sets the encryption certificate for a federation partner.

Syntax

setFederationPartnerEncryptionCert(partnerName,partnerType,certFile)
Argument Definition
partnerName 
The ID of the partner to be updated
partnerType
The partner type. Valid values are idp, sp.
certFile
The full path and name of file that stores the encryption certificate. Certificates can be in either PEM or DER format.

Example

setFederationPartnerEncryptionCert(partnerName="customPartner", partnerType="idp",
 certFile="/temp/encryption_cert")

setFederationPartnerSigningCert

Sets the signing certificate for a partner.

Description

Sets the signing certificate for a federation partner.

Syntax

setFederationPartnerSigningCert(partnerName,partnerType,certFile)
Argument Definition
partnerName 
The ID of the partner to be updated.
partnerType
The partner type. Valid values are idp, sp.
certFile
Specifies the full path and name of file that stores the signing certificate. Certificates can be in either PEM or DER format.

Example

setFederationPartnerSigningCert(partnerName="customPartner", partnerType="idp",
 certFile="/temp/signing_cert")

setIdPPartnerAttributeProfile

Sets a partner attribute profile.

Description

Sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.

Syntax

setIdPPartnerAttributeProfile(partnerName, attrProfileID)
Argument Definition
partnerName 
The ID of the partner to be updated.
attrProfileID 
The IdP partner attribute profile ID to be set.

Example

setIdPPartnerAttributeProfile(partnerName="partnerID5", attrProfileID="idp-attribute-profile")

setIdPDefaultScheme

Sets the default OAM Authentication Scheme to be used to challenge a user.

Description

Sets the default OAM Authentication Scheme that will be used to challenge a user.

Syntax

setIdPDefaultScheme(authnScheme, appDomain, hostID, 
 authzPolicy="ProtectedResourcePolicy")
Argument Definition
authnScheme 
The OAM Authentication Scheme.
appDomain 
Optional. The application domain in which the underlying policy components will be created.
hostID 
Optional. The HostID to be used when creating the underlying resource policy object.
authzPolicy 
Optional. The name of the Authorization Policy to be used to protect underlying resource policy object being created.

Example

setIdPDefaultScheme('LDAPScheme')

Prepend the command with "fed." if running on the WebSphere platform.

setSPPartnerAttributeProfile

Sets an SP partner attribute profile to an SP partner.

Description

Sets the SP partner attribute profile to use with an SP partner.

Syntax

setSPPartnerAttributeProfile(partnerName, attrProfileID)
Argument Definition
partnerName 
The ID of the partner to be updated.
attrProfileID 
The ID of the SP partner attribute profile to be set.

Example

setSPPartnerAttributeProfile(partnerName="partnerID5", attrProfileID="sp-attribute-profile")

setIdPPartnerAttributeProfileEntry

Sets an entry in the IdP partner attribute profile.

Description

Update an entry in the IdP Partner Attribute Profile.

Syntax

setIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName,
oamSessionAttributeName, requestFromIdP)
Argument Definition
attrProfileID 
The IdP partner attribute profile.
messageAttributeName
The name of the message attribute.
oamSessionAttributeName
The name of the attribute as it will appear in the Access Manager session.
requestFromIdP 
Determines whether this attribute should be requested from the IdP partner.

Valid values are true, false.


Example

setIdPPartnerAttributeProfileEntry(attrProfileID="idp-attribute-profile", messageAttributeName="first_name",
oamSessionAttributeName="first_name", requestFromIdP="true")

setSPPartnerAttributeProfileEntry

Sets an entry in the SP partner attribute profile.

Description

Sets an entry in the SP Partner Attribute Profile.

Syntax

setSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName,
value, alwaysSend)
Argument Definition
attrProfileID 
The identifier referencing the SP Partner Attribute Profile in which the entry will be set.
messageAttributeName
The name of the attribute as it will appear in the outgoing message.
value
Value of the attribute element. It can be a static string, user attribute, session attribute or a combination of those types.
alwaysSend 
Signifies whether or not this attribute should always be sent to the SP Partner. Valid values are true, false. If false it will only be sent if the SP Partner requests it (OpenID supports this).

Example

setSPPartnerAttributeProfileEntry(attrProfileID="sp-attribute-profile", 
 messageAttributeName="first_name", value="$user.attr.givenname", 
 alwaysSend="true")

setIdPPartnerBasicAuthCredential

Sets a partner's basic authentication credentials.

Description

Sets or updates a federation partner's HTTP basic authentication credentials.

Syntax

setIdPPartnerBasicAuthCredential(partnerName,username,password)
Argument Definition
partnerName 
The ID of the partner to be updated.
username
The user ID of the user.
password 
The password corresponding to the username.

Example

setIdPPartnerBasicAuthCredential(partnerName="partnerID4", username="user1")

setIdPPartnerMappingAttribute

Sets a partner's assertion mapping attribute.

Description

Specify that an attribute from the OpenID assertion received from the IdP be mapped to a given data store attribute in order to identify the user.

Syntax

setIdPPartnerMappingAttribute(partnerName,assertionAttr,userstoreAttr)
Argument Definition
partnerName 
The ID of the partner to be updated.
assertionAttr 
The attribute name in the assertion used to map the user to the identity store.
userstoreAttr 
The name of the attribute in the identity store to which to map the assertion attribute value.

Example

setIdPPartnerMappingAttribute(partnerName="partnerID", 
assertionAttr="email", userstoreAttr="mail")

setIdPPartnerMappingAttributeQuery

Updates a partner for assertion mapping of user with attribute query.

Description

Sets or updates a partner to specify the attribute query to map an assertion to the user store.

Syntax

setIdPPartnerMappingAttributeQuery(partnerName,attrQuery)
Argument Definition
partnerName 
The ID of the partner to be updated
attrQuery 
The attribute query to be used. The LDAP query can contain placeholders referencing the attributes in the SAML Assertion, as well as the NameID. An attribute from the SAML Assertion will be referenced by its name and surrounded by the % character; for example, if the attribute name is Userlastname, the attribute will be referenced as %Userlastname%. The NameID Value is referenced as %fed.nameidvalue%.

Example

setIdPPartnerMappingAttributeQuery(partnerName="partnerID", 
attrQuery="(&(sn=%Userlastname%)(givenname=%Userfirstname%))")
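The attrQuery above is an LDAP filter template whose %...% placeholders are filled from the received assertion. Those values originate with the IdP partner rather than with the local administrator, so a correct expansion must escape them so that they cannot change the structure of the filter. The following Python is an added example, not Oracle code and not a description of how Identity Federation performs the substitution internally: it models the placeholder syntax the page states (%AttributeName% and %fed.nameidvalue%) with RFC 4515 escaping. The function names and the sample assertion values are constructed for the example.

```python
import re

# Placeholder syntax from the page: %AttributeName% for an attribute carried in the
# SAML assertion and %fed.nameidvalue% for the assertion's NameID value.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.:-]+)%")

# Characters that RFC 4515 requires to be escaped inside an LDAP filter value.
_FILTER_SPECIALS = "\\*()\x00"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    Each special character becomes a backslash followed by its two hex digits,
    so a value can never open, close or widen a filter component."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value
    )


def expand_attribute_query(template, assertion_attrs, name_id=None):
    """Fill a mapping query template with values from a received assertion.

    template        -- the attrQuery string, e.g. "(&(sn=%Userlastname%)(givenname=%Userfirstname%))"
    assertion_attrs -- {attribute name: value} taken from the assertion's AttributeStatement
    name_id         -- the assertion's NameID value, exposed as %fed.nameidvalue%

    Raises KeyError when a placeholder has no value in the assertion, so that a
    partially built filter is never sent to the directory."""

    def substitute(match):
        key = match.group(1)
        value = name_id if key == "fed.nameidvalue" else assertion_attrs.get(key)
        if value is None:
            raise KeyError("assertion carries no value for placeholder %%%s%%" % key)
        return escape_filter_value(str(value))

    return PLACEHOLDER.sub(substitute, template)


# Constructed sample: attributes a SAML assertion from an IdP partner might carry.
SAMPLE_ASSERTION = {"Userlastname": "Lovelace", "Userfirstname": "Ada"}
SAMPLE_NAME_ID = "ada.lovelace@example.test"

if __name__ == "__main__":
    print(expand_attribute_query(
        "(&(sn=%Userlastname%)(givenname=%Userfirstname%))", SAMPLE_ASSERTION))
    print(expand_attribute_query("(mail=%fed.nameidvalue%)", {}, SAMPLE_NAME_ID))
```

Raising on a missing placeholder is a deliberate choice: mapping a federated user with an incomplete filter is the wrong outcome to accept silently, and surfacing it makes a misconfigured attribute profile on the IdP side visible in the logs.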

setIdPPartnerMappingNameID

Sets a partner's mapping nameID.

Description

Sets the assertion mapping nameID value for an IdP federation partner.

Syntax

setIdPPartnerMappingNameID(partnerName,userstoreAttr)
Argument Definition
partnerName 
The ID of the partner to be updated.
userstoreAttr 
The attribute name in the identity store to which the assertion nameID is to be mapped.

Example

setIdPPartnerMappingNameID(partnerName="partnerID", userstoreAttr="ldapattr")

setPartnerAlias

Sets a partner's alias.

Description

Sets or updates a federation partner's alias.

Syntax

setPartnerAlias(partnerName,partnerType,partnerAlias)
Argument Definition
partnerName 
The ID of the partner to be updated.
partnerType 
Specifies the partner type. Valid values are sp or idp.
partnerAlias
The partner's alias.

Example

setPartnerAlias(partnerName="partnerID", 
partnerType="sp", partnerAlias="tenant1")

setPartnerIDStoreAndBaseDN

Sets a partner's identity store and base DN.

Description

Sets or updates the identity store and base DN of a federation partner.

Syntax

setPartnerIDStoreAndBaseDN(partnerName,partnerType,storeName,searchBaseDN)
Argument Definition
partnerName 
The ID of the partner to be updated.
partnerType 
The partner type. Valid values are sp or idp.
storeName  
The name of the identity store. If left blank, the Default OAM Identity Store will be used. (Optional)
searchBaseDN  
The search base DN for the LDAP. If left blank, the Search Base DN configured in the Identity Store will be used. (Optional)

Example

setPartnerIDStoreAndBaseDN(partnerName="partnerID", 
 partnerType="sp/idp", storeName="testldap",
 searchBaseDN="dc=company,dc=com")

setSPSAMLPartnerNameID

Updates a partner by setting the NameID during assertion issuance.

Description

Sets the NameID for a SAML partner.

Syntax

setSPSAMLPartnerNameID(<partnerName>, <nameIDFormat>, <nameIDValue>) 
Argument Definition
partnerName
The name of the partner to be configured.
nameIDFormat 
The NameID format to be used. Possible values include:
  • orafed-emailaddress for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • orafed-x509 for urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • orafed-kerberos for urn:oasis:names:tc:SAML:2.0:nameid-format:Kerberos

  • orafed-transient for urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • orafed-windowsnamequalifier for urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • orafed-persistent for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • orafed-unspecified for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • orafed-none for no NameID

  • If the format is set to any other value, the Assertion will be populated with that value.

nameIDValue Value of the NameID element. It can be a static string, user attribute, session attribute or a combination of those types.

Example

setSPSAMLPartnerNameID(partnerName="partnerID", nameIDFormat="emailAddress", 
 nameIDValue="$user.attr.mail")
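Both setSPPartnerAttributeProfileEntry (value, alwaysSend) and setSPSAMLPartnerNameID (nameIDFormat, nameIDValue) take values written in the $user.attr.<name> form shown on this page, which may be combined with static text. The Python below is an added example, not Oracle code: it resolves such expressions against constructed user and session attribute maps, applies the alwaysSend rule (send unconditionally, or only when the SP requested the attribute), maps the orafed-* aliases listed above to their URIs and passes any other format through verbatim, as the page states. The $session.attr.<name> form, the helper names and the sample data are assumptions made for the example; the page itself shows only $user.attr.

```python
import re

# Assumed expression syntax, modelled on the page's "$user.attr.givenname":
#   $user.attr.<name>     value of <name> in the user's identity store record
#   $session.attr.<name>  value of <name> in the Access Manager session (assumed form)
# Any other text is static and is copied through, so the forms can be combined.
EXPRESSION = re.compile(r"\$(user|session)\.attr\.([A-Za-z0-9_.-]+)")

# NameID format aliases from the page, mapped to the SAML URIs they stand for.
NAMEID_FORMATS = {
    "orafed-emailaddress": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "orafed-x509": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "orafed-kerberos": "urn:oasis:names:tc:SAML:2.0:nameid-format:Kerberos",
    "orafed-transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "orafed-windowsnamequalifier": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "orafed-persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "orafed-unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}


def resolve(expression, user_attrs, session_attrs):
    """Expand every $user.attr/$session.attr reference in expression.

    Returns None if any referenced attribute is absent, so the caller can omit
    the element instead of emitting an empty or partially filled value."""
    missing = []

    def substitute(match):
        source = user_attrs if match.group(1) == "user" else session_attrs
        value = source.get(match.group(2))
        if value is None:
            missing.append(match.group(0))
            return ""
        return str(value)

    resolved = EXPRESSION.sub(substitute, expression)
    return None if missing else resolved


def is_true(flag):
    """WLST arguments arrive as strings ("true"/"false"); accept bools as well."""
    return str(flag).lower() == "true"


def build_attribute_statement(profile, requested, user_attrs, session_attrs):
    """Select and resolve the attributes to send to an SP partner.

    profile   -- entries as set by setSPPartnerAttributeProfileEntry: dicts with
                 messageAttributeName, value and alwaysSend
    requested -- names the SP asked for; an entry with alwaysSend false is sent
                 only when its name is in this set
    Returns {messageAttributeName: value} for the attributes to include."""
    statement = {}
    for entry in profile:
        name = entry["messageAttributeName"]
        if not (is_true(entry["alwaysSend"]) or name in requested):
            continue
        value = resolve(entry["value"], user_attrs, session_attrs)
        if value is not None:
            statement[name] = value
    return statement


def build_name_id(name_id_format, name_id_value, user_attrs, session_attrs):
    """Return (format URI, value) for the assertion's NameID, or None for orafed-none.

    As the page states, a format that is not one of the aliases is used verbatim."""
    if name_id_format == "orafed-none":
        return None
    format_uri = NAMEID_FORMATS.get(name_id_format, name_id_format)
    value = resolve(name_id_value, user_attrs, session_attrs)
    if value is None:
        raise ValueError("NameID source attribute is missing for this user")
    return format_uri, value


# Constructed sample data standing in for an identity store record and an OAM session.
SAMPLE_USER = {"givenname": "Ada", "sn": "Lovelace", "mail": "ada.lovelace@example.test"}
SAMPLE_SESSION = {"authn_level": "2"}
SAMPLE_PROFILE = [
    {"messageAttributeName": "first_name", "value": "$user.attr.givenname", "alwaysSend": "true"},
    {"messageAttributeName": "last_name", "value": "$user.attr.sn", "alwaysSend": "false"},
    {"messageAttributeName": "display_name", "value": "$user.attr.givenname $user.attr.sn", "alwaysSend": "false"},
    {"messageAttributeName": "level", "value": "level-$session.attr.authn_level", "alwaysSend": "true"},
    {"messageAttributeName": "department", "value": "$user.attr.department", "alwaysSend": "true"},
]

if __name__ == "__main__":
    print(build_attribute_statement(SAMPLE_PROFILE, {"display_name"}, SAMPLE_USER, SAMPLE_SESSION))
    print(build_name_id("orafed-emailaddress", "$user.attr.mail", SAMPLE_USER, SAMPLE_SESSION))
```

With the sample data, last_name is withheld because the SP did not request it and alwaysSend is false, department is withheld because the user has no such attribute, and a NameID whose source attribute is missing is treated as an error rather than an empty identifier, since an empty NameID is what a relying party would otherwise match against.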

updatePartnerMetadata

Updates partner metadata.

Description

Updates the metadata for a federation partner.

Syntax

updatePartnerMetadata(partnerName,partnerType,metadataFile)
Argument Definition
partnerName 
The ID of the partner to be updated
partnerType 
Specifies the partner type. Valid values are sp or idp.
metadataFile 
The location of the metadata file. Specify the complete path and name.

Example

updatePartnerMetadata(partnerName="partnerID", 
partnerType="sp", metadataFile="/common/idm/abc_metadata_file")

updatePartnerProperty

Updates a partner property.

See Advanced Identity Federation Commands for information regarding SAML 1.1.

Description

Configures or updates the specified property for a federation partner.

Syntax

updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument Definition
partnerName 
The ID of the partner to be updated.

By replacing the value of <partnerName> with the partner ID and including the includecertinsignature parameter, the certificate will be included with the signature. See Advanced Identity Federation Commands for information regarding SAML 1.1.

partnerType 
Specifies the partner type. Valid values are sp or idp.
propName 
The name of the property to configure.
propValue 
The property value to be set.
type
The data type of the property. Valid values are string, long, or boolean.

Example

updatePartnerProperty(partnerName="partnerID", partnerType="idp", 
propName="providertrusted",
propValue="true",type="boolean")

subjectconfirmationcheck

Enable or disable the Subject Confirmation Data check.

Description

Enable or disable the Subject Confirmation Data check in SAML assertion.

Syntax

updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument Definition
partnerName 
The ID of the partner to be updated.
partnerType 
Specifies the partner type. Valid values are sp or idp.
propName 
Set the property name as 'subjectconfirmationcheck'.
propValue 
Specify the property value. Valid values are true or false.
type
Data type of the property. It can only be boolean.

Example

updatePartnerProperty(partnerName="testIDP", partnerType="IDP", 
propName="subjectconfirmationcheck",
propValue="true",type="boolean")

configureFederationService

Enable or disable the Federation Service AttributeRequester or AttributeResponder.

Description

Enable or disable Federation Service features.

Syntax

configureFederationService(<serviceType>,<enabled>)  
Argument Definition
serviceType
Takes as a value IDP, SP, AttributeResponder or AttributeRequester.
enabled 
Takes as a value either true or false.

Example

configureFederationService("idp", "true")

configureFederationService("AttributeResponder", "true")

setFederationStore

Enables and configures the federation store.

Description

Sets the JNDI name of the data store used to hold federation records and configures that store as an RDBMS.

Syntax

setFederationStore (<enable>, <jndiname>)
Argument Definition
enable
Enable or disable the Federation data store.
jndiname
Indicates the JNDI name of the datastore.

Example

setFederationStore(enable="true", jndiname="jdbc/oamds")

configureIdPAuthnRequest

Configure an IdP partner or an IdP partner profile for Force Authentication and/or IsPassive.

Description

Configure an IdP partner or IdP partner profile for Force Authentication and/or IsPassive.

Syntax

configureIdPAuthnRequest(<partner="">, <partnerProfile="">, <partnerType="">, <isPassive="false">, <forceAuthn="false">, <displayOnly="false">, <delete="false">)
Argument Definition
partner
Indicates the IdP partner to be configured. partner and partnerProfile are exclusive, with one of the two required.
partnerProfile
Indicates the IdP partner profile to be configured. partner and partnerProfile are exclusive, with one of the two required.
partnerType
The type of partner (sp or idp).
isPassive
Indicates if the IdP partner or IdP partner profile should be configured, so that the Authn Request message sent to the IdP will indicate that the IdP should not interact with the user during Federation SSO. True indicates that the IdP should not interact with the user. Optional.
forceAuthn
Indicates if the IdP partner or IdP partner profile should be configured, so that the Authn Request message sent to the IdP will indicate that the IdP should challenge the user even if a valid session exists. True indicates that the user will be challenged. Optional.
displayOnly
Indicates whether or not this command should display the Is Passive and Force Authn settings. Default is false. Optional.
delete
Indicates whether or not this command should delete the Is Passive and Force Authn settings from the specified partner or partner profile. Default is false. Optional.

Example

configureIdPAuthnRequest(partner="acme", isPassive="false", forceAuthn="true")
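The isPassive and forceAuthn settings become the IsPassive and ForceAuthn attributes of the samlp:AuthnRequest that the SP sends to the IdP. The Python below is an added example, not Oracle code and not the product's message builder: it writes a minimal AuthnRequest carrying the configured flags, reads them back the way an IdP would (an absent attribute means false, the SAML 2.0 Core default), and reports the combination worth checking before it is configured on a partner. The issuer, ID and timestamp values are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def is_true(flag):
    """WLST passes the settings as strings ("true"/"false"); accept bools as well."""
    return str(flag).lower() == "true"


def build_authn_request(issuer, request_id, issue_instant,
                        is_passive="false", force_authn="false"):
    """Serialise the AuthnRequest an SP sends with the configured flags.

    Both attributes default to false in SAML 2.0 Core, so they are written only
    when true; a receiver treats an absent attribute as false."""
    request = ET.Element("{%s}AuthnRequest" % SAMLP)
    request.set("ID", request_id)
    request.set("Version", "2.0")
    request.set("IssueInstant", issue_instant)
    if is_true(force_authn):
        request.set("ForceAuthn", "true")
    if is_true(is_passive):
        request.set("IsPassive", "true")
    ET.SubElement(request, "{%s}Issuer" % SAML).text = issuer
    return ET.tostring(request, encoding="unicode")


def read_authn_flags(xml_text):
    """Return (is_passive, force_authn) as the IdP would interpret the request."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    return (root.get("IsPassive", "false") == "true",
            root.get("ForceAuthn", "false") == "true")


def flag_conflicts(is_passive, force_authn):
    """Describe a flag combination that is legal but rarely intended, or None."""
    if is_true(is_passive) and is_true(force_authn):
        return ("IsPassive and ForceAuthn are both true: SAML 2.0 Core forbids the IdP "
                "from freshly authenticating unless it can do so without user "
                "interaction, so a user the IdP cannot silently re-authenticate "
                "receives an error status instead of a login page")
    return None


if __name__ == "__main__":
    # Constructed values mirroring the page's example: isPassive false, forceAuthn true.
    message = build_authn_request("https://sp.example.test/fed", "_c0ffee",
                                  "2024-01-01T00:00:00Z",
                                  is_passive="false", force_authn="true")
    print(message)
    print(read_authn_flags(message))
    print(flag_conflicts("true", "true"))
```

Setting forceAuthn true on a partner, as in the page's example, makes every federated login a fresh challenge at the IdP even when the user already has an IdP session; that is the setting to use for step-up or sensitive applications, at the cost of single sign-on convenience for that partner.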

configureFedSSOAuthz

Enables or disables Authorization for Federation SSO.

Description

Enables or disables Authorization for Federation SSO. By default, the authorization feature for Federation SSO will be turned off.

Syntax

configureFedSSOAuthz(enabled)
Argument Definition
enabled
Takes as a value true or false.

Example

configureFedSSOAuthz("true")

configureFedDigitalSignature

Configure the Hashing algorithm used in digital signatures.

Description

If the displayOnly and delete parameters are false, this command will set the algorithm.

Syntax

configureFedDigitalSignature(<partner="">, 
 <partnerProfile="">, <partnerType="">, <default="false">, 
 <algorithm="SHA-256">, <displayOnly="false">, <delete="false">)
Argument Definition
partner
Indicates the partner for which the hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.
partnerProfile 
Indicates the partner profile for which the hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.
partnerType 
Indicates the partner type. Required when specifying partner or partnerProfile. Valid values are sp or idp.
default Indicates that the global default hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.
algorithm Optional. The hashing algorithm to use in digital signatures. Default is SHA-256.
displayOnly Indicates whether or not this command should display the hashing algorithm setting instead of changing it. Default is false. Optional.
delete Indicates whether or not this command should delete the hashing algorithm setting from the specified partner or partner profile. Default is false. Optional.

Example

configureFedDigitalSignature(default="true", 
 algorithm="SHA-256")

configureFedSignEncKey

Configure the signing and/or encryption key alias to be used for digital signature and encryption operations.

Description

Configure the signing and/or encryption key alias to be used for digital signature and encryption operations.

Syntax

configureFedSignEncKey(<partner="">, <partnerProfile="">, <partnerType="">, <default="false">, <signAlias="">, <encAlias="">, <displayOnly="false">, <delete="false">)
Argument Definition
partner
Indicates the partner for which the signing and/or encryption key alias is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.
partnerProfile 
Indicates the partner profile for which the signing and/or encryption key alias is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.
partnerType 
Indicates the partner type for which the signing and/or encryption key alias is to be configured. Required when specifying partner or partnerProfile. Valid values are sp or idp.
default Indicates the global default signing and/or encryption key alias to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.
signAlias The signing key alias. Required when setting the value.
encAlias The encryption key alias. Required when setting the value.
displayOnly Indicates whether or not this command should display the signing and encryption key aliases. Default is false. Optional.
delete Indicates whether or not this command should delete the signing and/or encryption key alias from the specified partner or partner profile. Default is false. Optional.

Example

configureFedSignEncKey(default="true", signAlias="osts_signing")

configureAttributeSharingSPPartnerNameIDMapping

Configures the NameID to user store attribute mapping to be used during Attribute Sharing.

Description

If displayOnly is true, the command displays the NameID to userstore attribute mapping. Otherwise, if delete is true, the command deletes the specified mapping. Otherwise it sets the enabled flag to the given value and sets a NameID to userstore attribute mapping.

Syntax

configureAttributeSharingSPPartnerNameIDMapping(<partner="">, 
 <partnerProfile="">, <enabled="true">, <nameidformat="">, 
 <userStoreAttribute="">, <displayOnly="false">, <delete="false">)
Argument Definition
partner
ID of the partner being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required.
partnerProfile 
Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required
enabled 
Boolean indicating if the nameID to userstore attribute mapping is enabled/disabled. Optional. Default value is true.
nameidformat The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation all the mappings for the specified partner or partnerprofile are displayed. Allowed NameID formats are:
  • orafed-emailaddress for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • orafed-x509 for urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • orafed-windowsnamequalifier for urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • orafed-kerberos for urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • orafed-transient for urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • orafed-persistent for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • orafed-unspecified for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • <customnameidformaturi> for a custom nameid format

If the format is set to any other value, the Assertion will be populated with that value.

userStoreAttribute The userstore attribute to which the specified NameID Format is mapped. Optional. Needs to be specified only for a create or update operation.
displayOnly Indicates whether or not this command should display the NameID to userstore attribute mapping. Default is false. Optional. If set to true the mapping is displayed. If no NameID parameter is specified all the mappings are displayed.
delete Indicates whether or not this command should delete NameID to userstore attribute mapping. Default is false. Optional.

Examples

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", userStoreAttribute="mail")

configureAttributeSharingSPPartnerNameIDMapping(partnerProfile="saml20-idp-partner-profile", nameidformat="orafed-emailaddress", userStoreAttribute="mail")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", enabled="false")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", 
 displayOnly="true")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", 
 nameidformat="orafed-emailaddress", delete="true")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", 
 nameidformat="orafed-emailaddress", displayOnly="true")

configureAttributeSharingIdPPartner

Configures the default attribute sharing nameid and nameid format for the IdP Partner.

Description

Configures the default attribute sharing nameid and nameid format for the IdP Partner.

Syntax

configureAttributeSharingIdPPartner(<partner="">, <partnerProfile="">,<nameidformat="">, <nameidattribute="">)
Argument Definition
partner
ID of the partner being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required.
partnerProfile 
Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required
nameidformat The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation all the mappings for the specified partner or partnerprofile are displayed. Allowed NameID formats are:
  • orafed-emailaddress for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • orafed-x509 for urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • orafed-windowsnamequalifier for urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • orafed-kerberos for urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • orafed-transient for urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • orafed-persistent for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • orafed-unspecified for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • orafed-custom for a custom nameid

nameidattribute The attribute in the userstore that should be used as the nameid. Optional.
displayOnly Indicates whether or not this command should display the NameID to userstore attribute mapping. Default is false. Optional. If set to true the mapping is displayed. If no NameID parameter is specified all the mappings are displayed.

Example

configureAttributeSharingIdPPartner(partner="acme", 
 nameidformat="orafed-emailaddress", nameidattribute="mail")

configureAttributeSharingUserDNToIdPPartnerMapping

Configures Attribute Sharing DN to IdP Mappings.

Description

If displayOnly is set to true the configuration is displayed. If delete is set to true the command deletes a specified mapping; otherwise, a mapping is created or updated.

Syntax

configureAttributeSharingUserDNToIdPPartnerMapping(<dn="">,
 <idp="">, <displayOnly="false">, <delete="false">)  
Argument Definition
dn
The DN string to map to the given IdP. Optional. Needs to be specified to delete a mapping and set a mapping. If specified for a display operation the mapping for this DN only is displayed.
idp 
The partner ID of the IdP to use as Attribute Authority for the given DN. Optional. Needs to be specified only when creating or updating a mapping.
displayOnly Indicates whether or not this command should display the DN to IdP mapping. Default is false. Optional. If set to true the mapping is displayed. If no dn parameter is specified all the mappings are displayed.
delete Indicates whether or not this command should delete the DN to IdP mapping. Default is false. Optional.

Examples

configureAttributeSharingUserDNToIdPPartnerMapping
 (dn="dc=us,dc=oracle, dc=com", displayOnly="true")

configureAttributeSharingUserDNToIdPPartnerMapping(displayOnly="true")

configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", 
 delete="true")

configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", 
 idp="acme")

configureAttributeSharing

Configures the Attribute Sharing feature by setting a default attribute authority.

Description

Configures the Attribute Sharing feature by setting a default attribute authority.

Syntax

configureAttributeSharing(<defaultAttributeAuthority="">)  
Argument Definition
defaultAttributeAuthority
ID of the partner to use as the default Attribute Authority. Only used when this server is functioning in the SP mode.

Example

configureAttributeSharing(defaultAttributeAuthority="acme")

configureAttributeSharing("acme")
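The two commands above together decide which IdP partner answers an attribute query for a given user: the DN to IdP mappings first, the default attribute authority otherwise. The following Python model of that lookup is an added example, not Oracle code from this page. The product's matching rules are not documented here, so the model assumes that a mapped DN applies to any user DN at or below it (suffix match), that the most specific matching DN wins, and that defaultAttributeAuthority is used only when no DN mapping matches; the DN values and partner IDs are constructed.

```python
"""Attribute-authority resolution for the Attribute Sharing feature (model).

Added example, not Oracle code: models the lookups configured with
configureAttributeSharingUserDNToIdPPartnerMapping (dn= -> idp=) and
configureAttributeSharing (defaultAttributeAuthority=). ASSUMPTIONS: a mapping
applies to every user DN at or below the mapped DN, the longest matching DN
wins, and the default authority is used only when no mapping matches.
"""
import re
from typing import Dict, Optional, Tuple

# Split a DN on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Return the DN as a tuple of normalised RDNs, leaf first.

    Whitespace around separators is dropped and attribute types are
    lower-cased, so 'dc=us,dc=oracle, dc=com' (as written in the page's
    example) and 'DC=us,DC=oracle,DC=com' compare equal. Values are kept.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError("empty RDN in DN: %r" % dn)
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        rdns.append("%s=%s" % (attr_type.strip().lower(), value.strip()))
    return tuple(rdns)


def dn_is_under(user_dn: Tuple[str, ...], base_dn: Tuple[str, ...]) -> bool:
    """True when base_dn equals, or is an ancestor of, user_dn."""
    if len(base_dn) > len(user_dn):
        return False
    return user_dn[len(user_dn) - len(base_dn):] == base_dn


def resolve_attribute_authority(user_dn: str,
                                dn_mappings: Dict[str, str],
                                default_authority: Optional[str]) -> Optional[str]:
    """Pick the IdP partner that should answer attribute queries for user_dn.

    dn_mappings maps a DN string (the dn= argument) to an IdP partner ID (the
    idp= argument). Returns None when neither a mapping nor a default applies;
    a deployment should treat that as a configuration error, not as "no query".
    """
    user = normalize_dn(user_dn)
    best: Optional[Tuple[int, str]] = None
    for mapped_dn, idp in dn_mappings.items():
        base = normalize_dn(mapped_dn)
        # Longest matching base DN is the most specific mapping (ASSUMPTION).
        if dn_is_under(user, base) and (best is None or len(base) > best[0]):
            best = (len(base), idp)
    if best is not None:
        return best[1]
    return default_authority


# Constructed configuration mirroring the page's examples (partner "acme",
# base DN dc=us,dc=oracle,dc=com); the second mapping and the default are made up.
DN_MAPPINGS = {
    "dc=us,dc=oracle, dc=com": "acme",
    "ou=contractors,dc=us,dc=oracle,dc=com": "contractorIdP",
}
DEFAULT_AUTHORITY = "acme-default"

if __name__ == "__main__":
    for dn in ("cn=jdoe,ou=people,dc=us,dc=oracle,dc=com",
               "cn=temp1,ou=contractors,dc=us,dc=oracle,dc=com",
               "cn=ext,dc=partner,dc=example"):
        print(dn, "->", resolve_attribute_authority(dn, DN_MAPPINGS, DEFAULT_AUTHORITY))
```

Normalising the DN before comparison matters more than it looks: the page's own example writes the base DN with a stray space (dc=oracle, dc=com), and a byte-for-byte comparison would silently route that user to the default authority instead of the intended partner.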

removeAttributeSharingFromAuthnModule

Removes the Attribute Sharing plug-in from the Authentication Module.

Description

Removes the Attribute Sharing plug-in step from the specified Authentication Module.

Syntax

removeAttributeSharingFromAuthnModule(<authnModule>, <stepName="">) 
Argument Definition
authnModule
The name of the authnModule from which to delete Attribute Sharing plugin.
stepName 
The stepName of the Attribute Sharing plugin step to remove. Only needed if there is more than one attribute sharing step. Optional.

Example

removeAttributeSharingFromAuthnModule(authnModule="LDAPPlugin") 

removeAttributeSharingFromAuthnModule(authnModule="LDAPPlugin", 
 stepName="FedAttributeSharing")

configureAttributeSharingPlugin

Configures the input parameters of the Attribute Sharing plugin.

Description

Configures the input parameters of the Attribute Sharing plugin.

Syntax

configureAttributeSharingPlugin(<authnModule>, <stepName=None>, 
 <nameIDVariable=None>, <idpVariable=None>, <defaultIdP=None>, 
 <nameIDFormatVariable=None>, <defaultNameIDFormat=None>, 
 <requestedAttributes=None>)  
Argument Definition
authnModule
The name of the authnModule in which the Attribute Sharing plugin is configured.
stepName 
The stepName of the Attribute Sharing plugin step to configure. Only needed if there is more than one attribute sharing step. Optional.
nameIDVariable
The name of the variable in the session or context that contains the nameID of the user.
idpVariable
The name of the variable in the session or context that contains the idp name to which to send the attribute request.
defaultIdP
The name of the default IdP to send the attribute request to if no IdP can be determined from the session or context.
nameIDFormatVariable
The name of the variable in the session or context that contains the nameID format to use in the attribute request.
defaultNameIDFormat
The default NameID format to use if no nameid format could be determined from the session or context. Allowed NameID formats are:
  • orafed-emailaddress for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • orafed-x509 for urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • orafed-windowsnamequalifier for urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • orafed-kerberos for urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • orafed-transient for urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • orafed-persistent for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • orafed-unspecified for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

If the format is set to any other value, the Assertion will be populated with that value.

requestedAttributes
The attributes to request from the IdP. This string is in the URL query string format.

Example

configureAttributeSharingPlugin(authnModule="LDAPPlugin", 
 nameIDVariable="dn", idpVariable="attr.idpname", defaultIdP="acme", 
 nameIDFormatVariable="attr.nameidformat", defaultNameIDFormat="orafed-x509", 
 requestedAttributes="mail&accessAllowed=allowed") 

insertAttributeSharingInToAuthnModule

Inserts the attribute sharing step into the Authentication Module flow.

Description

Can also be used to remove the attribute sharing step from the Authentication Module flow.

Syntax

insertAttributeSharingInToAuthnModule(<authnModule>, 
 <fromStep=None>, <fromCond=None>, <toStep=None>, <toCond=None>, <stepName=None>)  
Argument Definition
authnModule
The name of the authnModule into which the Attribute Sharing plugin is inserted.
fromStep
The name of the step after which the Attribute Sharing Step (or the step of given name) should be inserted.
fromCond
The condition under which the Attribute Sharing (or step of given name) is called after the fromStep. It has to be one of OnSuccess, OnFailure or OnError.
toStep
The name of the step to go to after the attribute sharing step (or step of given name).
toCond
The condition under which the toStep is called after the Attribute Sharing step (or step of given name).
stepName 
The name of the step being added to the flow.

Example

insertAttributeSharingInToAuthnModule(authnModule="LDAPPlugin", 
 fromStep="stepUA", fromCond="OnSuccess")

insertAttributeSharingInToAuthnModule(authnModule="LDAPPlugin", fromStep="stepUA", 
 fromCond="OnSuccess", stepName="success")

setSPPartnerAlternateScheme

Provides a way to authenticate clients with an alternate Authentication Scheme.

Description

Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for this Partner.

Syntax

setSPPartnerAlternateScheme(<partner>, <enabled="true">, <httpHeaderName="">, 
 <httpHeaderExpression="">, <authnScheme="">, <appDomain="IAM Suite">, 
 <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">, 
 <remove="false">)
Argument Definition
partner
The ID of the partner.
enabled 
Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client.
httpHeaderName 
Required if enabled is true, the HTTP Header to evaluate. IMPORTANT: This is a global setting and will affect all partners.
httpHeaderExpression 
Required if enabled is true, this is the regular expression used to evaluate the value of the HTTP Header.
authnScheme 
Required if enabled is true, the alternate Authentication Scheme to be used instead of the default.
appDomain Optional. The application domain in which the underlying policy components will be created
hostID Optional. The HostID used when creating the underlying resource policy object
authzPolicy Optional. The Authorization Policy Name that will be used to protect underlying resource policy object being created.
remove Optional. If set to true, removes the properties for the alternate scheme in the partner configuration.

Note:

Since this operation creates policy objects, the Application Domain (default "IAM Suite"), the HostID (default "IAMSuiteAgent") and the Authorization Policy (default "Protected Resource Policy") to be used can be specified, although the default values can also be used.

Example

In this example, Identity Federation is configured to enable the alternate Authentication Scheme at a partner level for the SP partner Acme because the user's browser sends the HTTP Header "User-Agent" with the iPhone string in it. The string triggers the BasicScheme for authentication rather than the default Authentication Scheme.

setSPPartnerAlternateScheme("acmeSP", "true", httpHeaderName="User-Agent", 
  httpHeaderExpression=".*iPhone.*", authnScheme="BasicScheme") 
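The decision this command configures is small but worth seeing end to end, because the header it evaluates is supplied by the client. The Python model below is an added example, not Oracle code from this page. It keeps one global header name (the page states httpHeaderName is a global setting affecting all partners) and a per-partner expression and scheme. Assumptions not stated on the page: the expression must match the whole header value (the page's own ".*iPhone.*" is written as if it does), header names compare case-insensitively as HTTP requires, and a missing header never selects the alternate scheme. Partner IDs and header values are constructed.

```python
"""Alternate Authentication Scheme selection for an SP partner (model).

Added example, not Oracle code: models setSPPartnerAlternateScheme and
setSPPartnerDefaultScheme. ASSUMPTIONS: full-match regex semantics,
case-insensitive header names, missing header -> default scheme.
"""
import re
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class AlternateScheme:
    """Per-partner part of setSPPartnerAlternateScheme."""
    enabled: bool
    http_header_expression: str   # regular expression over the header value
    authn_scheme: str             # scheme used instead of the default


@dataclass(frozen=True)
class SPPartnerSchemes:
    partner: str
    default_scheme: str                          # setSPPartnerDefaultScheme
    alternate: Optional[AlternateScheme] = None  # None after remove="true"


@dataclass(frozen=True)
class FederationSettings:
    # httpHeaderName is global: one header is evaluated for all partners.
    http_header_name: str


def header_value(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def select_authn_scheme(settings: FederationSettings,
                        cfg: SPPartnerSchemes,
                        headers: Mapping[str, str]) -> str:
    """Return the scheme used to challenge a client of the given SP partner."""
    alt = cfg.alternate
    if alt is None or not alt.enabled:
        return cfg.default_scheme
    value = header_value(headers, settings.http_header_name)
    if value is None:
        return cfg.default_scheme
    # fullmatch: the expression has to describe the entire header value
    # (ASSUMPTION), which is why ".*iPhone.*" is written with both wildcards.
    if re.fullmatch(alt.http_header_expression, value):
        return alt.authn_scheme
    return cfg.default_scheme


# Constructed configuration matching the page's example for partner "acmeSP".
SETTINGS = FederationSettings(http_header_name="User-Agent")
ACME_SP = SPPartnerSchemes(
    partner="acmeSP",
    default_scheme="LDAPScheme",
    alternate=AlternateScheme(enabled=True,
                              http_header_expression=".*iPhone.*",
                              authn_scheme="BasicScheme"),
)
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"  # constructed

if __name__ == "__main__":
    print(select_authn_scheme(SETTINGS, ACME_SP, {"User-Agent": IPHONE_UA}))
    print(select_authn_scheme(SETTINGS, ACME_SP, {"User-Agent": "curl/8.0"}))
```

Because User-Agent is chosen by the client, any client can opt into the alternate scheme simply by sending a matching header; the alternate scheme should therefore be treated as reachable by everyone, not only by the device class it is intended for. The last two assertions in the test also show why the anchoring assumption matters: an expression written as a bare substring ("iPhone") would never match under full-match semantics and the partner would silently keep the default scheme.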

setSPPartnerDefaultScheme

Defines the default Authentication Scheme for the SP partner.

Description

Defines the default Authentication Scheme for the SP partner.

Syntax

setSPPartnerDefaultScheme(<partner>, <authnScheme="">, <appDomain="IAM Suite">, 
 <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument Definition
partner
The ID of the partner.
authnScheme 
The OAM Authentication Scheme to be used.
appDomain Optional. The application domain in which the underlying policy components will be created
hostID Optional. The HostID used when creating the underlying resource policy object
authzPolicy Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

Example

setSPPartnerDefaultScheme(partner="acmeSP",
 authnScheme="BasicScheme")

setSPPartnerProfileAlternateScheme

Provides a way to authenticate clients with an alternate Authentication Scheme.

Description

Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for partners assigned to this Partner Profile.

Syntax

setSPPartnerProfileAlternateScheme(<partnerProfile>, 
 <enabled="true">, <httpHeaderName="">, <httpHeaderExpression="">, 
 <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, 
 <authzPolicy="Protected Resource Policy">, <remove="false">) 
Argument Definition
partnerProfile
The ID of the partner profile.
enabled 
Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client.
httpHeaderName 
Required if enabled is true, the HTTP Header to evaluate. IMPORTANT: This is a global setting and will affect all partners.
httpHeaderExpression 
Required if enabled is true, this is the regular expression used to evaluate the value of the HTTP Header.
authnScheme 
Required if enabled is true, the alternate Authentication Scheme to be used instead of the default.
appDomain Optional. The application domain in which the underlying policy components will be created
hostID Optional. The HostID used when creating the underlying resource policy object
authzPolicy Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

Note:

Since this operation creates policy objects, the Application Domain (default "IAM Suite"), the HostID (default "IAMSuiteAgent") and the Authorization Policy (default "Protected Resource Policy") to be used can be specified, although the default values can also be used.

Example

setSPPartnerProfileAlternateScheme("acmeSP", "true", 
 httpHeaderName="User-Agent", httpHeaderExpression=".*iPhone.*", 
 authnScheme="BasicScheme")

setSPPartnerProfileDefaultScheme

Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile.

Description

Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile.

Syntax

setSPPartnerProfileDefaultScheme(<partnerProfile>, 
 <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, 
 <authzPolicy="Protected Resource Policy">) 
Argument Definition
partnerProfile
The ID of the partner profile.
authnScheme 
The OAM Authentication Scheme to be used.
appDomain Optional. The application domain in which the underlying policy components will be created
hostID Optional. The HostID used when creating the underlying resource policy object
authzPolicy Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

Example

setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", 
 "LDAPScheme")

addSPPartnerAuthnMethod

Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner.

Description

Maps a Federated Authentication Method to an Access Manager Authentication Scheme for an SP Partner.

Syntax

addSPPartnerAuthnMethod(<partner>, <authnMethod>, <authnScheme>, 
 <isDefault="true">, <authnLevel="-1">, <appDomain="IAM Suite">, 
 <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument Definition
partner
The ID of the SP partner.
authnMethod 
The Federation Authentication Method to which the Access Manager Authentication Scheme will be mapped
authnScheme 
The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped
isDefault Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method
authnLevel Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level
appDomain Optional. The application domain in which the underlying policy components will be created
hostID Optional. The HostID used when creating the underlying resource policy object
authzPolicy Optional. The Authorization Policy Name that will be used to protect underlying resource policy object being created.

Example

addSPPartnerAuthnMethod("acmeSP", 
 "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", 
 "LDAPScheme")

addSPPartnerProfileAuthnMethod

Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner Profile.

Description

Maps a Federated Authentication Method to an Access Manager Authentication Scheme for an SP Partner Profile.

Syntax

addSPPartnerProfileAuthnMethod(<partnerProfile>, <authnMethod>, 
 <authnScheme>, <isDefault="true">, <authnLevel="-1">, <appDomain="IAM Suite">, 
 <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument Definition
partnerProfile
The ID of the SP partner profile
authnMethod 
The Federation Authentication Method to which the Access Manager Authentication Scheme will be mapped
authnScheme 
The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped
isDefault Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method
authnLevel Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level
appDomain Optional. The application domain in which the underlying policy components will be created
hostID Optional. The HostID used when creating the underlying resource policy object
authzPolicy Optional. The Authorization Policy Name that will be used to protect underlying resource policy object being created.

Example

addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", 
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", 
  "LDAPScheme") 

addIdPPartnerAuthnMethod

Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner.

Description

Defines the level to which users from this IdP partner are authenticated.

Syntax

addIdPPartnerAuthnMethod(partner, authnMethod, authnLevel)  
Argument Definition
partner
The ID of the IdP partner
authnMethod 
The Federated Authentication Method
authnLevel 
The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method

Example

addIdPPartnerAuthnMethod("acmeIdP", 
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "1") 

addIdPPartnerProfileAuthnMethod

Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile.

Description

Defines the level to which users from this IdP partner profile are authenticated.

Syntax

addIdPPartnerProfileAuthnMethod(partnerProfile, authnMethod, 
 authnLevel)  
Argument Definition
partnerProfile
The ID of the IdP partner profile
authnMethod 
The Federated Authentication Method
authnLevel 
The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method

Example

addIdPPartnerProfileAuthnMethod("saml20-idp-partner-profile", 
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "1") 

listPartnerAuthnMethods

Lists the Federated Authentication Method mappings for a specific Partner.

Description

Lists the Federated Authentication Method mappings for the specified Partner.

Syntax

listPartnerAuthnMethods(partner, partnerType)  
Argument Definition
partner
The ID of the partner
partnerType 
The type of the partner (SP or IdP)

Example

listPartnerAuthnMethods("acmeSP", "SP") 

listPartnerProfileAuthnMethods

Lists the Federated Authentication Method mappings for a specific Partner Profile.

Description

Lists the Federated Authentication Method mappings for the specified Partner Profile.

Syntax

listPartnerProfileAuthnMethods(partnerProfile, partnerType)  
Argument Definition
partnerProfile
The ID of the partner profile
partnerType 
The type of the partner (SP or IdP)

Example

listPartnerProfileAuthnMethods("saml20-sp-partner-profile", "SP") 

removePartnerAuthnMethod

Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner.

Description

Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for the specified Partner.

Syntax

removePartnerAuthnMethod(<partner>, <partnerType>, <authnMethod>)  
Argument Definition
partner
The ID of the partner
partnerType 
The type of the partner (SP or IdP)
authnMethod 
The Federated Authentication Method

Example

removePartnerAuthnMethod("acmeSP", "SP",  
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport") 

removePartnerProfileAuthnMethod

Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner Profile.

Description

Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for the specified Partner Profile.

Syntax

removePartnerProfileAuthnMethod(<partnerProfile>, 
 <partnerType>, <authnMethod>)  
Argument Definition
partnerProfile
The ID of the partner profile
partnerType 
The type of the partner (SP or IdP)
authnMethod 
The Federated Authentication Method

Example

removePartnerProfileAuthnMethod("saml20-sp-partner-profile", 
"SP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

setIdPPartnerRequestAuthnMethod

Sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner.

Description

Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner.

Syntax

setIdPPartnerRequestAuthnMethod(<partner>, <authnMethod>) 
Argument Definition
partner
The ID of the IdP partner
authnMethod 
The Federated Authentication Method

Example

setIdPPartnerRequestAuthnMethod("acmeIdP", 
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

setIdPPartnerProfileRequestAuthnMethod

Sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner Profile.

Description

Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner Profile.

Syntax

setIdPPartnerProfileRequestAuthnMethod(<partnerProfile>, 
 <authnMethod>)  
Argument Definition
partnerProfile
The ID of the IdP partner profile
authnMethod 
The Federated Authentication Method

Example

setIdPPartnerProfileRequestAuthnMethod("saml20-idp-partner-profile",  
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

useProxiedFedAuthnMethod

Configure the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO.

Description

If the server acts as an SP with a remote IdP to authenticate the user, when acting as an Identity Provider in a different Federation SSO operation, the server can use the Federation Authentication Method sent by the remote Identity Provider. The server will send the proxied Federation Authentication Method for the list of specified Federation Authentication Schemes. The server will only send the proxied Federation Authentication Method if the Federation protocol used between the server and the Service Provider is the same Federation protocol as the one used between the server and the Identity Provider.

Syntax

useProxiedFedAuthnMethod(<enabled="false">, 
 <displayOnly="false">, <authnSchemeToAdd="">, <authnSchemeToRemove="">,
 <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, 
 <authzPolicy="Protected Resource Policy">)
Argument Definition
enabled
Indicates whether or not the proxied Federation Authentication Method should be used. Default is to disable the feature. Optional.
displayOnly 
Indicates whether or not this command should display the list of Federation Schemes for which the server should send the proxied Federation Authentication Method. Default is false. Optional.
authnSchemeToAdd
The OAM Federation Authentication Scheme to be added to the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove parameters are exclusive.
authnSchemeToRemove The OAM Federation Authentication Scheme to be removed from the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove parameters are exclusive.
appDomain The application domain in which the underlying policy components will be created. Optional.
hostID The HostID that will be used when creating the underlying resource policy object. Optional.
authzPolicy Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

Example

useProxiedFedAuthnMethod(enabled="true", 
 authnSchemeToAdd="FederationScheme")
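The Federated Authentication Method mappings defined by addSPPartnerAuthnMethod (method to scheme, with isDefault) and the proxied-method rule described for useProxiedFedAuthnMethod interact when this server, acting as IdP, builds an assertion for an SP partner. The Python model below is an added example, not Oracle code from this page, and walks the three conditions the description gives: the feature is enabled, the session's scheme is in the configured list, and the protocol used with the SP equals the protocol used with the remote IdP. Two assumptions not stated on the page are labelled in the code: when the proxied method does not apply, the asserted method is the one mapped to the session's scheme, and when several mappings share a scheme the isDefault one wins. Scheme names, protocol labels and the session values are constructed; the URNs are standard SAML 2.0 authentication context classes.

```python
"""Which Federated Authentication Method does the IdP assert? (model)

Added example, not Oracle code. Models addSPPartnerAuthnMethod mappings and
the useProxiedFedAuthnMethod rule: forward the remote IdP's method only if the
feature is enabled, the session scheme is in the configured list, and the SP
protocol equals the protocol used with the remote IdP. ASSUMPTIONS: otherwise
the method mapped to the session's scheme is asserted, isDefault wins on ties,
and an unmapped requested method falls back to the partner's default scheme.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Standard SAML 2.0 authentication context class URNs.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"


@dataclass(frozen=True)
class AuthnMethodMapping:
    """One addSPPartnerAuthnMethod entry."""
    authn_method: str        # Federated Authentication Method (URN)
    authn_scheme: str        # Access Manager Authentication Scheme
    is_default: bool = True  # scheme used to challenge when SP requests method
    authn_level: int = -1    # -1 means: no override of the scheme's level


@dataclass(frozen=True)
class ProxiedFedAuthnMethod:
    """useProxiedFedAuthnMethod state: enabled flag plus authnSchemeToAdd list."""
    enabled: bool = False
    authn_schemes: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Session:
    authn_scheme: str                       # scheme that created the OAM session
    proxied_method: Optional[str] = None    # method sent by the remote IdP, if any
    proxied_protocol: Optional[str] = None  # protocol used with that remote IdP


def scheme_for_requested_method(mappings: List[AuthnMethodMapping],
                                requested_method: Optional[str],
                                default_scheme: str) -> str:
    """Scheme used to challenge the user when the SP requests a method."""
    for m in mappings:
        if m.authn_method == requested_method and m.is_default:
            return m.authn_scheme
    # ASSUMPTION: no (default) mapping -> the partner's default scheme.
    return default_scheme


def asserted_authn_method(session: Session,
                          mappings: List[AuthnMethodMapping],
                          proxied: ProxiedFedAuthnMethod,
                          sp_protocol: str) -> Optional[str]:
    """Method placed in the assertion sent to the SP partner."""
    if (proxied.enabled
            and session.authn_scheme in proxied.authn_schemes
            and session.proxied_method is not None
            and session.proxied_protocol == sp_protocol):
        return session.proxied_method
    # ASSUMPTION: fall back to the method mapped to the session's scheme,
    # preferring the isDefault mapping when several share that scheme.
    matching = [m for m in mappings if m.authn_scheme == session.authn_scheme]
    for m in matching:
        if m.is_default:
            return m.authn_method
    return matching[0].authn_method if matching else None


# Constructed configuration: "LDAPScheme"/"FederationScheme" as in the page's
# examples, "BasicScheme" as a non-default second scheme for the same method.
MAPPINGS = [
    AuthnMethodMapping(PPT, "LDAPScheme"),
    AuthnMethodMapping(PPT, "BasicScheme", is_default=False),
    AuthnMethodMapping(X509, "FederationScheme"),
]
PROXIED = ProxiedFedAuthnMethod(enabled=True, authn_schemes={"FederationScheme"})
# Constructed session: user authenticated at a remote SAML 2.0 IdP via Kerberos.
PROXIED_SESSION = Session("FederationScheme", proxied_method=KERBEROS,
                          proxied_protocol="SAML2.0")

if __name__ == "__main__":
    print(asserted_authn_method(PROXIED_SESSION, MAPPINGS, PROXIED, "SAML2.0"))
    print(asserted_authn_method(PROXIED_SESSION, MAPPINGS, PROXIED, "WS-Fed1.1"))
```

The protocol check is the part worth keeping in mind operationally: a user who federated in over SAML 2.0 and is then sent to a WS-Fed 1.1 SP partner gets the locally mapped method (X509 for FederationScheme here), not the remote IdP's Kerberos method, even with the feature enabled.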

createFedPartnerProfileFrom

Creates a Federation Partner Profile based on the specified existing one.

Description

Creates a new partner profile based on the specified existing partner profile.

Syntax

createFedPartnerProfileFrom(<newPartnerProfile>, 
  <existingPartnerProfile>) 
Argument Definition
newPartnerProfile
The ID of the new partner profile.
existingPartnerProfile 
The ID of the existing partner profile

Example

createFedPartnerProfileFrom("newAcmeSPProfile", "acmeSPProfile")

deleteFedPartnerProfile

Deletes the specified Federation Partner Profile.

Description

Removes the specified partner profile.

Syntax

deleteFedPartnerProfile(<PartnerProfile>) 
Argument Definition
PartnerProfile
The ID of the partner profile being deleted.

Example

deleteFedPartnerProfile("acmeSPProfile")

displayFedPartnerProfile

Displays the properties defined in the specified Federation Partner Profile.

Description

Displays the properties in the specified Federation Partner Profile.

Syntax

displayFedPartnerProfile(<PartnerProfile>)
Argument Definition
PartnerProfile
The ID of the partner profile.

Example

displayFedPartnerProfile("saml20-idp-partner-profile")

listFedPartnerProfiles

Lists all of the existing Federation Partner Profiles.

Description

Lists the existing Federation Partner Profiles.

Syntax

listFedPartnerProfiles()

This command has no arguments.

Example

listFedPartnerProfiles()

listFedPartnersForProfile

Lists the partners bound to the specified Federation Partner Profile.

Description

Lists all the partners bound to the specified Federation Partner Profile.

Syntax

listFedPartnersForProfile(<PartnerProfile>) 
Argument Definition
PartnerProfile
The ID of the partner profile.

Example

listFedPartnersForProfile("acmeSPProfile")

getFedPartnerProfile

Gets the ID of the Partner Profile bound to the specified partner.

Description

Retrieves the ID of the Partner Profile bound to the specified partner.

Syntax

getFedPartnerProfile(<partner>, <partnerType>) 
Argument Definition
partner
The ID of the partner.
partnerType 
The type of the partner (sp or idp).

Example

getFedPartnerProfile("acmeIDP", "idp")

setFedPartnerProfile

Sets the Federation Partner Profile ID for the specified partner.

Description

Sets the partner profile for the specified partner based on the specified partner profile ID.

Syntax

setFedPartnerProfile(<partner>, <partnerType>, <partnerProfile>)
Argument Definition
partner
The ID of the partner.
partnerType 
The type of the partner (sp or idp).
partnerProfile The ID of the partner profile.

Example

setFedPartnerProfile("acmeIDP", "idp", 
   "saml20-idp-partner-profile")

idpinitiatedssoprovideridparam

The value held by idpinitiatedssoprovideridparam is used by the peer provider to identify the provider ID of the SP.

Description

Sets the value used to identify the provider ID for the SP.

Syntax

updatePartnerProperty(partnerName, partnerType, 
   "idpinitiatedssoprovideridparam","providerid", "string")
Argument Definition
partnerName The ID of the partner
partnerType Takes as a value either idp or sp
propName Name of the property being configured or modified
propValue The value of the property being configured. For an OIF peer IdP, the parameter name must be "providerid". Changing this property changes the name of the provider ID parameter in the IdP-initiated SSO URL.
type The data type of the property value. Valid values are string, long, or boolean.

Example

updatePartnerProperty(partnerName, "idp", 
   "idpinitiatedssoprovideridparam","providerid", "string")

idpinitiatedssotargetparam

Sets the target URL for the specified SP partner.

Description

Identifies the target resource. The value held by idpinitiatedssotargetparam is used by the peer provider to identify the desired resource; TARGET in the case of Oracle Identity Federation.

Syntax

updatePartnerProperty(partnerName, partnerType, 
   "idpinitiatedssotargetparam", "TARGET", "string")
Argument Definition
partnerName The ID of the partner
partnerType Takes as a value either idp or sp
propName Name of the property being configured or modified
propValue The location of the resource. The default value is TARGET.
type The data type of the property value. Valid values are string, long, or boolean.

Example

updatePartnerProperty(partnerName, "idp", 
   "idpinitiatedssotargetparam", "TARGET", "string")

Note:

A certificate can be included in a SAML 1.1 signature. By replacing the value of <partnerName> with the partner ID and including the includecertinsignature parameter, the certificate will be included with the signature. For example:
updatePartnerProperty("<partnerName>", "sp", 
 "includecertinsignature", "true", "boolean")

getPartnerProperty("<partnerName>", "sp", "includecertinsignature")

deletePartnerProperty("<partnerName>", "sp", 
 "includecertinsignature")