This chapter provides descriptions of custom WebLogic Scripting Tool (WLST) commands for Oracle Access Management Identity Federation (Identity Federation), including command syntax, arguments and examples.
The Identity Federation WLST commands are organized into two categories. The following sections list the Identity Federation WLST commands by category and contain links to the command reference details.
Note:
Identity Federation WLST commands take attributes specified as key-value pairs or only the value; Oracle Access Management Access Manager takes only key-value pairs. Thus, WLST examples in this document might be defined in either manner. This WLST example uses key-value pairs:
setIdPPartnerAttributeProfileEntry(attrProfileID="openid-idp-attribute-profile", messageAttributeName="http://axschema.org/namePerson", oamSessionAttributeName="name", requestFromIdP="true")
Use the WLST commands listed in Table 5-1 to configure federation partners and partner profiles.
Note:
The Identity Federation command definitions begin with "addWSFed11IdPFederationPartner."
Table 5-1 WLST Commands for Identity Federation
To... | Use with WLST... |
---|---|
Create a WS-Fed 1.1 IdP partner. | Online |
Create a WS-Fed 1.1 SP partner. | Online |
Create an OpenID 2.0 IdP partner. | Online |
Create an OpenID 2.0 SP partner. | Online |
Create a Google OpenID 2.0 IdP partner. | Online |
Create a Yahoo OpenID 2.0 IdP partner. | Online |
Create an IdP federation partner, including metadata, under the SAML 1.1 protocol. | Online |
Create an SP federation partner, including metadata, under the SAML 1.1 protocol. | Online |
Create an IdP federation partner under the SAML 2.0 protocol. | Online |
Create an SP federation partner under the SAML 2.0 protocol. | Online |
Create an IdP federation partner under the SAML 2.0 protocol without importing metadata. | Online |
Create an SP federation partner under the SAML 2.0 protocol without importing metadata. | Online |
Configure an IdP partner attribute profile to specify whether incoming attributes that are not part of the profile should be ignored. | Online |
Configure global federation logout for a SAML 2.0 federation partner. | Online |
Configure the preferred binding for a SAML federation partner. | Online |
Enable user self registration. | Online |
Set which attributes from the assertion should be used as email, first name, last name or username during self registration. | Online |
Create an authentication scheme and module for an IdP partner. | Online |
Create an IdP partner attribute profile for a federation partner. | Online |
Create an SP partner attribute profile for a federation partner. | Online |
Delete an authentication scheme and module for an IdP partner. | Online |
Delete a specific federation partner. | Online |
Delete the encryption certificate of a federation partner. | Online |
Delete the signing certificate of a federation partner. | Online |
Delete the attribute profile of an IdP federation partner. | Online |
Delete the attribute profile of an SP federation partner. | Online |
Delete an entry from the attribute profile of a federation partner. | Online |
Delete an entry from the attribute profile of a federation partner. | Online |
Delete a partner-specific property that was added to the partner's configuration. | Online |
Display an IdP federation partner's attribute profile. | Online |
Display an SP federation partner's attribute profile. | Online |
List all IdP federation partners. | Online |
Retrieve the encryption certificate for a federation partner. | Online |
Retrieve the signing certificate for a federation partner. | Online |
Retrieve the HTTP basic authentication username for a federation partner. | Online |
Retrieve a property for a federation partner. | Online |
Retrieve a string property from a federation partner profile. | Online |
Check whether a partner is configured. | Online |
List an IdP partner's attribute profiles. | Online |
List an SP partner's attribute profiles. | Online |
Set an OpenID partner as the default Federation IdP. | Online |
Set an IdP partner as the default identity provider for a federation single sign-on. | Online |
Set the encryption certificate for a federation partner. | Online |
Set the signing certificate for a federation partner. | Online |
Set the attribute profile to use during federated single sign-on with an IdP partner. | Online |
Set the default OAM Authentication Scheme. | Online |
Set the attribute profile to use during federated single sign-on with an SP partner. | Online |
Set an entry in an IdP federation partner's profile. | Online |
Set an entry in an SP federation partner's profile. | Online |
Update a federation partner's HTTP basic auth credential. | Online |
Set the attribute used for assertion mapping for a federation partner. | Online |
Set the attribute query used for assertion mapping for a federation partner. | Online |
Set the assertion mapping nameID value for an IdP federation partner. | Online |
Update a federation partner's alias name. | Online |
Set a federation partner's identity store and base DN. | Online |
Configure an alternate Authentication Scheme. | Online |
Configure a default Authentication Scheme. | Online |
Configure the profile with a default Authentication Scheme. | Online |
Configure the profile for an alternate Authentication Scheme. | Online |
Update a federation partner's metadata. | Online |
Update a property for a federation partner. | Online |
The Advanced Identity Federation WLST commands do not have applicable administrative fields for configuration in the Oracle Access Management Console. Administration of Authentication mappings and partner profiles is available using WLST commands only. Table 5-2 lists the Advanced Identity Federation commands documented in this section. The commands are organized as follows.
Federation Service and Datastore
Federation Access Configuration
Attribute Sharing Configuration
Authentication Method Mapping Management - All Authentication Method/Scheme/Level mappings are configured using WLST at the partner level or, if not defined at the partner level, at the partner profile level.
Partner Profile Management - All Partner Profile management is done with WLST.
Using WLST with SAML 1.1
Note:
The Advanced Identity Federation command definitions begin with "configureFederationService."
Table 5-2 Advanced Identity Federation WLST Commands
To... | Use with WLST... |
---|---|
Federation Service and Datastore | |
Enable or disable Federation Service features. | |
Enables and configures the federation store. | |
Federation Access Configuration | |
Configure an IdP partner or IdP partner profile for Force Authentication and/or IsPassive. | |
Enables or disables Authorization for Federation SSO. | |
Configure the Hashing algorithm used in digital signatures. | |
Configure the signing and/or encryption key alias to be used for digital signature and encryption operations. | |
Attribute Sharing Configuration | |
Configures the NameID to user store attribute mapping to be used during Attribute Sharing. | |
Configures the default attribute sharing nameid and nameid format for the IdP Partner. | |
Configures Attribute Sharing DN to IdP Mappings. | |
Configures the Attribute Sharing feature by setting a default attribute authority. | |
Removes the Attribute Sharing plug-in from the Authentication Module. | |
Lists the Federated Authentication Method mappings for a specific Partner Profile. | |
Inserts the attribute sharing step into the Authentication Module flow. | |
Authentication Method Mapping Management | |
Provides a way to authenticate clients with an alternate Authentication Scheme (Partner). | |
Defines the default Authentication Scheme for the SP partner. | |
Provides a way to authenticate clients with an alternate Authentication Scheme (Partner Profile). | |
Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile. | |
Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner. | |
Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner Profile. | |
Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner. | |
Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile. | |
Lists the Federated Authentication Method mappings for a specific Partner. | |
Lists the Federated Authentication Method mappings for a specific Partner Profile. | |
Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner. | |
Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner. | |
Sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner. | |
Sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner Profile. | |
Configure the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO. | |
Partner Profile Management | |
Creates a Federation Partner Profile based on the specified existing one. | |
Deletes the specified Federation Partner Profile. | |
Displays the properties defined in the specified Federation Partner Profile. | |
Lists all of the existing Federation Partner Profiles. | |
Lists the partners bound to the specified Federation Partner Profile. | |
Gets the ID of the Partner Profile bound to the specified partner. | |
Sets the Federation Partner Profile ID for the specified partner. | |
Using WLST with SAML 1.1 | |
When an IdP partner is configured for SAML 1.1, the following URL is used by the SP to start the SSO process. By using these WLST commands, the URL can be populated with the applicable information. | |
Value is used by the peer provider to identify the provider ID of the SP. | |
Sets the target URL for the specified SP partner. | |
The following SAML 1.1 configuration parameters are not exposed through the Oracle Access Management Console. The values of these parameters can be modified using WLST. | |
Delete a partner property. | |
Retrieve a partner property. | |
Update a partner property. | |
Subject Confirmation Check | |
Enables or disables the subject confirmation data check in the SAML assertion. | |
Creates a WS-Federation 1.1 IdP partner.
Creates an IdP partner under the WS-Federation 1.1 protocol. The NameID will be mapped to the LDAP user mail attribute.
addWSFed11IdPFederationPartner(partnerName, ssoURL, providerID, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
ssoURL | The Identity Realm Secure Token URL where users will be redirected at the IdP for WS-Federation 1.1 operations. |
providerID | Provider ID/Issuer used in the SAML Assertion. |
description | The description of the partner. Optional. |
Creates a WS-Federation 1.1 SP partner.
addWSFed11SPFederationPartner(partnerName, realm, ssoURL, samlVersion, msftADFSCompatible, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
realm | The realm identifier for this SP partner. It will be used in the WS-Federation 1.1 protocol exchange. |
ssoURL | The Identity Realm Secure Token URL where users will be redirected at the SP for WS-Federation 1.1 operations. |
samlVersion | The optional SAML version indicating what kind of Assertion to issue. Takes a value of saml11 (default) or saml20. |
msftADFSCompatible | An optional boolean indicating whether the issued SSO Response should be in the Microsoft ADFS compatible format, WS-Trust 1.2 or WS-Trust 1.3. |
description | The description of the partner. Optional. |
Creates an OpenID 2.0 IdP partner.
addOpenID20IdPFederationPartner(partnerName, idpSSOURL, discoveryURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
idpSSOURL | The initiate SSO URL of the IdP. Can be set to "" if the discovery URL is specified and intended to be used. |
discoveryURL | The OpenID discovery URL of the IdP. |
description | The description of the partner. Optional. |
Creates an OpenID 2.0 SP partner.
addOpenID20SPFederationPartner(partnerName, realm, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
realm | The realm for the SP (RP). |
ssoURL | The endpoint URL of the SP (RP). |
description | The description of the partner. Optional. |
Creates an IdP partner with the name google.
Creates an IdP partner with the name google using the discovery URL https://www.google.com/accounts/o8/id.
Creates an IdP partner with the name yahoo.
Creates an IdP partner with the name yahoo using the discovery URL https://open.login.yahooapis.com/openid20/user_profile/xrds.
Creates a SAML 1.1 IdP federation partner.
addSAML11IdPFederationPartner(partnerName, providerID, ssoURL, soapURL, succinctID, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
soapURL | The artifact resolution SOAP endpoint URL of the IdP. |
succinctID | The succinctID of the provider. |
description | The description of the partner. Optional. |
Creates a SAML 1.1 SP federation partner.
addSAML11SPFederationPartner(partnerName, providerID, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
description | The description of the partner. Optional. |
Creates a SAML 2.0 IdP Federation partner.
Creates a federation partner as an identity provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.
addSAML20IdPFederationPartner(partnerName, metadataFile, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
metadataFile | The location of the metadata file (full path). |
description | The description of the partner. Optional. |
Creates a SAML 2.0 SP Federation partner.
Creates a federation partner as a service provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.
addSAML20SPFederationPartner(partnerName, metadataFile, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
metadataFile | The location of the metadata file (full path). |
description | The description of the partner. Optional. |
Creates a SAML 2.0 IdP federation partner without SAML 2.0 metadata.
addSAML20IdPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, soapURL, succinctID, description)
Argument | Definition |
---|---|
partnerName | The name of the federation partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
soapURL | The artifact resolution SOAP endpoint URL of the IdP. |
succinctID | The succinctID of the provider. |
description | The description of the partner. Optional. |
Creates a SAML 2.0 SP federation partner without SAML 2.0 metadata.
addSAML20SPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the federation partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
description | The description of the partner. Optional. |
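The four SAML 2.0 partner commands above either import a metadata file as-is or take providerID, ssoURL, soapURL and succinctID by hand. The script below is an added example, not Oracle code and not a WLST command: it inspects a partner's IdP metadata with the Python standard library before you import it, rejecting metadata that is expired, that is not an IdP descriptor, that carries no signing certificate, or that advertises a non-HTTPS endpoint, and it returns the values the WithoutMetadata variant takes. The entity ID, URLs and certificate text in the sample are constructed placeholders, and the succinctID derivation from the entityID is an assumption flagged in the code.

```python
"""Pre-import inspection of SAML 2.0 IdP metadata (added example, not Oracle code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: entityID, URLs and the "certificate" are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>TUlJQ1BMQUNFSE9MREVSQ0VSVA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/saml/soap"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


class MetadataError(ValueError):
    """Raised when the metadata should not be imported as a partner."""


def _endpoint(descriptor, tag, binding):
    """Location of the first child endpoint <tag> that uses the given binding."""
    for ep in descriptor.findall(MD + tag):
        if ep.get("Binding") == binding:
            return ep.get("Location")
    return None


def inspect_idp_metadata(xml_text, now=None):
    """Validate IdP metadata and return the partner arguments it implies."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise MetadataError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("entityID attribute is missing")
    valid_until = root.get("validUntil")          # optional; if present it must be in the future
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            raise MetadataError("metadata expired at %s" % valid_until)
    descriptor = root.find(MD + "IDPSSODescriptor")
    if descriptor is None:
        raise MetadataError("no IDPSSODescriptor: this is not IdP metadata")
    sso_url = (_endpoint(descriptor, "SingleSignOnService", BINDING_REDIRECT)
               or _endpoint(descriptor, "SingleSignOnService", BINDING_POST))
    if not sso_url:
        raise MetadataError("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    soap_url = _endpoint(descriptor, "ArtifactResolutionService", BINDING_SOAP)
    for url in (sso_url, soap_url):               # assertions and artifacts must travel over TLS
        if url and not url.lower().startswith("https://"):
            raise MetadataError("endpoint is not HTTPS: %s" % url)
    certs = []                                     # a KeyDescriptor without 'use' covers signing too
    for kd in descriptor.findall(MD + "KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for c in kd.iter(DS + "X509Certificate"):
                certs.append(base64.b64decode("".join((c.text or "").split())))
    if not certs:
        raise MetadataError("no signing certificate in metadata")
    # Assumption: a SAML 2.0 artifact SourceID is the SHA-1 of the entityID; the textual
    # form the succinctID argument expects is not stated on this page, so confirm it.
    source_id_hex = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return {"providerID": entity_id, "ssoURL": sso_url, "soapURL": soap_url,
            "succinctID_sha1_hex": source_id_hex, "signingCertDER": certs[0]}


def check_idp_metadata(xml_text, now=None):
    """Return (True, arguments) or (False, reason) without raising."""
    try:
        return True, inspect_idp_metadata(xml_text, now)
    except (MetadataError, ET.ParseError) as exc:
        return False, str(exc)
```

Run it with the partner's file contents instead of SAMPLE_METADATA; a True result means the file is reasonable to pass to addSAML20IdPFederationPartner, and the returned providerID, ssoURL and soapURL are what addSAML20IdPFederationPartnerWithoutMetadata needs if you prefer to register the partner without importing the file. The returned DER certificate bytes can be written out and compared with the certificate the partner published through a second channel before any federation SSO is allowed.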
Configures an IdP partner attribute profile to process incoming attributes.
Configures an IdP partner attribute profile to process or ignore incoming attributes not defined in the profile.
configureIdPPartnerAttributeProfile(attrProfileID, ignoreUnmappedAttributes)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile to configure. |
ignoreUnmappedAttributes | Determines whether incoming attributes that are not defined in the profile should be ignored. Valid values are true (ignore) or false (process, the default). |
Configures global federation logout for a SAML 2.0 partner.
configureSAML20Logout(partnerName, partnerType, enable, saml20LogoutRequestURL, saml20LogoutResponseURL, soapURL)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Whether the partner is a service provider or identity provider. Valid values are sp, idp. |
enable | Enable or disable global logout for that partner. Valid values are true (enable), false (disable). |
saml20LogoutRequestURL | The SAML 2.0 logout request service URL. Optional if the partner was created using metadata, or if logout is disabled. |
saml20LogoutResponseURL | The SAML 2.0 logout response service URL. Optional if the partner was created using metadata, or if logout is disabled. |
soapURL | The SAML 2.0 SOAP Service URL. Optional if the partner was created using metadata, if logout is disabled, or if SOAP logout is not supported. |
Specifies the binding for a SAML partner.
configureSAMLBinding(partnerName, partnerType, binding, ssoResponseBinding="httppost")
Argument | Definition |
---|---|
partnerName | The name of the partner to be configured. |
partnerType | Indicates whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
binding | Specifies the binding to use for messages other than SSO responses (authentication requests, logout messages). Valid options are httppost for HTTP-POST binding and httpredirect for HTTP-Redirect binding. |
ssoResponseBinding | This optional attribute defines the binding to use for an SSO response. Valid options are httppost for HTTP-POST binding (the default value), httpredirect for HTTP-Redirect binding or artifact for Artifact binding. |
Enables the user self-registration module.
configureUserSelfRegistration(<enabled>, <registrationURL>, <regDataRetrievalAuthnEnabled>, <regDataRetrievalAuthnUsername>, <regDataRetrievalAuthnPassword>, <partnerName>)
Argument | Definition |
---|---|
enabled | Indicates if the user self-registration module is enabled. Takes a value of true or false. |
registrationURL | The location to which the user will be redirected for self-registration. If partnerName is not specified, and if registrationURL is empty or missing, the current property will be unchanged. If partnerName is specified, and if registrationURL is empty or missing, this property will be removed from the partner's configuration. |
regDataRetrievalAuthnEnabled | Indicates if authentication of the registration page is enabled when contacting the server to retrieve registration data. |
regDataRetrievalAuthnUsername | Specifies the username the registration page will send to the server when retrieving the registration data from the server. |
regDataRetrievalAuthnPassword | Specifies the password the registration page will send to the server when retrieving the registration data from the server. |
partnerName | Indicates the IdP partner for which to enable user self-registration. If missing, the configuration operation will be global. |
Sets the attributes in an assertion that will be used as email, first name, last name and username.
configureUserSelfRegistration(<registrationAttrName>, <assertionAttrNames>, <partnerName>)
Argument | Definition |
---|---|
registrationAttrName | The self-registration page attribute to set. Can be one of the following values: email, firstname, lastname or username. |
assertionAttrNames | The possible attributes from the assertion that can be used to populate the self-registration page field specified as the registrationAttrName. |
partnerName | Indicates the IdP partner for which to configure user self-registration. If missing, the configuration operation will be global. |
Creates an authentication scheme that uses an OpenID IdP.
Creates an authentication scheme that uses an OpenID IdP to protect resources in Access Manager.
createAuthnSchemeAndModule(partnerName)
Argument | Definition |
---|---|
partnerName | The name of the partner for whom the scheme is to be created. |
Creates an IdP attribute profile.
Creates an IdP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions.
createIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier of the IdP attribute profile. |
Creates an SP attribute profile.
Creates an SP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions.
createSPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier of the SP attribute profile. |
Deletes an authentication scheme for an IdP.
deleteAuthnSchemeAndModule(partnerName)
Argument | Definition |
---|---|
partnerName | The name of the partner whose scheme is to be deleted. |
Deletes a federation partner.
deleteFederationPartner(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Deletes the encryption certificate of a partner.
deleteFederationPartnerEncryptionCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner whose encryption certificate is to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Deletes the signing certificate of a partner.
deleteFederationPartnerSigningCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner whose signing certificate is to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Deletes an IdP partner attribute profile.
deleteIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
Deletes an SP partner attribute profile.
deleteSPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP partner attribute profile. |
Deletes an IdP Partner Attribute Profile entry.
deleteIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message. |
Deletes an SP Partner Attribute Profile entry.
deleteSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP partner attribute profile. |
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message. |
Deletes a partner property.
See Advanced Identity Federation Commands for information regarding SAML 1.1.
Deletes a partner-specific property. Use this command only for a property that was added to the partner's configuration.
deletePartnerProperty(partnerName, partnerType, propName)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
propName | The name of the configured property to be removed. |
Displays a partner attribute profile.
displayIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile to be displayed. |
Displays an SP partner attribute profile.
displaySPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP partner attribute profile to be displayed. |
Lists all federation identity providers.
Retrieves the encryption certificate for a partner.
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the encryption certificate will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Retrieves the signing certificate for a partner.
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the signing certificate will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Gets a partner's basic authentication username.
getIdPPartnerBasicAuthCredentialUsername(partnerName)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the username will be retrieved and displayed. |
Retrieves a partner property.
getPartnerProperty(partnerName, partnerType, propName)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the property will be retrieved. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
propName | The name of the property to configure. |
Retrieves a string property.
Retrieves a string property for a federation partner profile.
If a Partner does not have an Attribute Profile assigned to it, the default Attribute Profile (based on whether the partner is an IdP or SP) will be used. The defaultattributeprofileidp and defaultattributeprofilesp properties in the fedserverconfig file reference the default profiles.
getStringProperty("/fedserverconfig/<propertyName>")
Argument | Definition |
---|---|
propertyName | The name of the property to be retrieved. Default Partner Profiles are available after installation and the following properties reference them. Default property values can be retrieved by replacing propertyName with one of the following: |
Checks whether a partner is configured.
isFederationPartnerPresent(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The partner ID. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Lists the IdP partner attribute profiles.
Lists the SP partner attribute profiles.
Puts a string value under a designated path in the OSTS configuration.
putStringProperty(path="/validationtemplates/username-wss-validation-template/StringNAME", value="TestString")
Argument | Definition |
---|---|
path | Path inside the configuration where the String property will be put. |
value | The string. |
Sets the IdP partner to serve as the default IdP for federated single sign-on (SSO).
If not set by the federation authentication plugin at run time, sets the IdP partner to serve as the default IdP during federated SSO.
setDefaultSSOIdPPartner(partnerName)
Argument | Definition |
---|---|
partnerName | ID of the partner which will serve as the default IdP for federated SSO. |
Sets the encryption certificate for a partner.
setFederationPartnerEncryptionCert(partnerName, partnerType, certFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are idp, sp. |
certFile | The full path and name of the file that stores the encryption certificate. Certificates can be in either PEM or DER format. |
Sets the signing certificate for a partner.
setFederationPartnerSigningCert(partnerName, partnerType, certFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are idp, sp. |
certFile | Specifies the full path and name of the file that stores the signing certificate. Certificates can be in either PEM or DER format. |
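Both certificate commands above accept a PEM or DER file and say nothing more about what is in it. The helper below is an added example, not Oracle code: it tells the two encodings apart, checks that the DER payload is exactly one complete ASN.1 SEQUENCE (so a truncated download, a file with trailing bytes, or a bundle of several PEM certificates is caught before it reaches the partner configuration), and computes the SHA-256 fingerprint over the DER bytes, which is the value to compare with the fingerprint the partner communicated out of band. It uses only the standard library and does not parse the certificate body; the sample bytes are a constructed DER SEQUENCE standing in for a real certificate.

```python
"""Sanity-check a partner certificate file before setFederationPartner*Cert
(added example, not Oracle code; standard library only)."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in: a structurally valid DER SEQUENCE { INTEGER 5, INTEGER 7 }.
# It is not a certificate; it only exercises the format and length checks.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")


def der_from_file_bytes(data):
    """Return ('PEM', der) or ('DER', data); refuse files holding several PEM blocks."""
    blocks = PEM_BLOCK.findall(data)
    if len(blocks) > 1:
        raise ValueError("file holds %d PEM certificates; the command takes one" % len(blocks))
    if blocks:
        return "PEM", base64.b64decode(b"".join(blocks[0].split()))
    return "DER", data


def der_sequence_length(der):
    """Total length (header + content) of the outer SEQUENCE per DER length rules."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with tag 0x30)")
    first = der[1]
    if first < 0x80:                     # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F                     # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_certificate(data):
    """Classify the file, verify its DER framing and return its SHA-256 fingerprint."""
    fmt, der = der_from_file_bytes(data)
    expected = der_sequence_length(der)
    if expected != len(der):
        raise ValueError("DER is %d bytes but its header says %d: truncated or trailing data"
                         % (len(der), expected))
    digest = hashlib.sha256(der).hexdigest().upper()
    return {"format": fmt, "der_length": len(der),
            "sha256": ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))}


def check_certificate_file(data):
    """Return (True, info) or (False, reason) without raising; binascii.Error is a ValueError."""
    try:
        return True, inspect_certificate(data)
    except ValueError as exc:
        return False, str(exc)
```

Feed it the bytes of the certFile you intend to pass to setFederationPartnerSigningCert or setFederationPartnerEncryptionCert; a PEM and a DER encoding of the same certificate yield the same fingerprint, so the check also confirms that a conversion between the two formats did not alter the certificate.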
Sets a partner attribute profile.
Sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.
setIdPPartnerAttributeProfile(partnerName, attrProfileID)
Argument | Definition |
---|---|
partnerName
|
The ID of the partner to be updated. |
attrProfileID
|
The IdP partner attribute profile ID to be set. |
Sets the default OAM Authentication Scheme to be used to challenge a user.
setIdPDefaultScheme(authnScheme, appDomain, hostID, authzPolicy="ProtectedResourcePolicy")
Argument | Definition |
---|---|
authnScheme
|
The OAM Authentication Scheme. |
appDomain
|
Optional. The application domain in which the underlying policy components will be created. |
hostID
|
Optional. The HostID to be used when creating the underlying resource policy object. |
authzPolicy
|
Optional. The name of the Authorization Policy to be used to protect underlying resource policy object being created. |
Sets an SP partner attribute profile to an SP partner.
setSPPartnerAttributeProfile(partnerName, attrProfileID)
Argument | Definition |
---|---|
partnerName
|
The ID of the partner to be updated. |
attrProfileID
|
The ID of the SP partner attribute profile to be set. |
Sets the IdP federation partner profile.
setIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName, oamSessionAttributeName, requestFromIdP)
Argument | Definition |
---|---|
attrProfileID
|
The IdP partner attribute profile. |
messageAttributeName
|
The name of the message attribute. |
oamSessionAttributeName
|
The name of the attribute as it will appear in the Access Manager session. |
requestFromIdP
|
Determines whether this attribute should be requested from the IdP partner.
Valid values are true, false. |
Sets the SP federation partner profile.
setSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName, value, alwaysSend)
Argument | Definition |
---|---|
attrProfileID
|
The identifier referencing the SP Partner Attribute Profile in which the entry will be set. |
messageAttributeName
|
The name of the attribute as it will appear in the outgoing message. |
value
|
Value of the attribute element. It can be a static string, user attribute, session attribute or a combination of those types. |
alwaysSend
|
Signifies whether or not this attribute should always be sent to the SP Partner. Valid values are true, false. If false it will only be sent if the SP Partner requests it (OpenID supports this). |
Sets a partner's basic authentication credentials.
setIdPPartnerBasicAuthCredential(partnerName,username,password)
Argument | Definition |
---|---|
partnerName
|
The ID of the partner to be updated. |
username
|
The user ID of the user. |
password
|
The password corresponding to the username. |
Sets a partner's assertion mapping attribute.
Specify that an attribute from the OpenID assertion received from the IdP be mapped to a given data store attribute in order to identify the user.
setIdPPartnerMappingAttribute(partnerName,assertionAttr,userstoreAttr)
Argument | Definition |
---|---|
partnerName
|
The ID of the partner to be updated. |
assertionAttr
|
The attribute name in the assertion used to map the user to the identity store. |
userstoreAttr
|
The name of the attribute in the identity store to which to map the assertion attribute value. |
Updates a partner so that an attribute query is used to map the assertion to a user.
Sets or updates a partner to specify the attribute query used to map an assertion to the user store.
setIdPPartnerMappingAttributeQuery(partnerName,attrQuery)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrQuery | The attribute query to be used. The LDAP query can contain placeholders referencing the attributes in the SAML Assertion, as well as the NameID. An attribute from the SAML Assertion is referenced by its name surrounded by the % character; for example, if the attribute name is Userlastname, the attribute is referenced as %Userlastname%. The NameID value is referenced as %fed.nameidvalue%. |
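As an added illustration (not Oracle's code, and not how Identity Federation builds the query internally), the following Python expands the %attribute% and %fed.nameidvalue% placeholders described above into an LDAP filter, escaping each substituted value per RFC 4515 so that an attribute value carried in an assertion cannot change the structure of the filter. The escaping step and the error raised for a missing attribute are assumptions about what a safe implementation should do.

```python
"""Expand the %placeholder% syntax accepted by setIdPPartnerMappingAttributeQuery.

Added example, not Oracle's code. The RFC 4515 escaping and the KeyError on a
missing assertion attribute are assumptions about safe behaviour; the page does
not state how Identity Federation itself performs the substitution.
"""
import re

# Placeholder syntax from the page: %AttributeName% and %fed.nameidvalue%.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.\-]+)%")
NAMEID_PLACEHOLDER = "fed.nameidvalue"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters that carry filter syntax (backslash, asterisk, parentheses
    and NUL) are replaced by backslash plus their two-digit hex code.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_attribute_query(attr_query, assertion_attrs, nameid_value):
    """Return the LDAP filter with every placeholder replaced by its escaped value.

    assertion_attrs maps SAML attribute names to their values; nameid_value is
    the NameID from the assertion. A placeholder that names an attribute the
    assertion does not carry raises KeyError instead of silently producing a
    filter with an empty value.
    """
    def repl(match):
        name = match.group(1)
        if name == NAMEID_PLACEHOLDER:
            value = nameid_value
        else:
            if name not in assertion_attrs:
                raise KeyError("assertion does not carry attribute %r" % name)
            value = assertion_attrs[name]
        return ldap_filter_escape(value)

    return PLACEHOLDER.sub(repl, attr_query)


# Constructed sample: a query as it would be registered with
# setIdPPartnerMappingAttributeQuery, plus attributes of an incoming assertion.
SAMPLE_QUERY = "(&(sn=%Userlastname%)(mail=%fed.nameidvalue%))"
SAMPLE_ATTRS = {"Userlastname": "Smith"}

if __name__ == "__main__":
    print(expand_attribute_query(SAMPLE_QUERY, SAMPLE_ATTRS, "jsmith@example.com"))
    # A crafted attribute value is neutralised instead of widening the search.
    print(expand_attribute_query(SAMPLE_QUERY, {"Userlastname": "*)(uid=*"}, "x@example.com"))
```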
Sets a partner's mapping nameID.
setIdPPartnerMappingNameID(partnerName,userstoreAttr)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
userstoreAttr | The attribute name in the identity store to which the assertion nameID is to be mapped. |
Sets a partner's alias.
setPartnerAlias(partnerName,partnerType,partnerAlias)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
partnerAlias | The partner's alias. |
Sets a partner's identity store and base DN.
setPartnerIDStoreAndBaseDN(partnerName,partnerType,storeName,searchBaseDN)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are sp or idp. |
storeName | The name of the identity store. Optional; if left blank, the Default OAM Identity Store is used. |
searchBaseDN | The LDAP search base DN. Optional; if left blank, the Search Base DN configured in the Identity Store is used. |
Updates a partner by setting the NameID during assertion issuance.
setSPSAMLPartnerNameID(<partnerName>, <nameIDFormat>, <nameIDValue>)
Argument | Definition |
---|---|
partnerName | The name of the partner to be configured. |
nameIDFormat | The NameID format to be used. Possible values include: |
nameIDValue | Value of the NameID element. It can be a static string, user attribute, session attribute or a combination of those types. |
Updates partner metadata.
updatePartnerMetadata(partnerName,partnerType,metadataFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
metadataFile | The location of the metadata file. Specify the complete path and name. |
Updates a partner property.
See Advanced Identity Federation Commands for information regarding SAML 1.1.
updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies the partner type. Valid values are sp or idp. |
propName | The name of the property to configure. |
propValue | The property value to be set. |
type | The data type of the property. Valid values are string, long, or boolean. |
Enable or disable the Subject Confirmation Data check.
updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
propName | Set the property name to 'subjectconfirmationcheck'. |
propValue | Specify the property value. Valid values are true or false. |
type | Data type of the property. It can only be boolean. |
Enable or disable the Federation Service AttributeRequester or AttributeResponder.
configureFederationService(<serviceType>,<enabled>)
Argument | Definition |
---|---|
serviceType | Takes as a value IDP, SP, AttributeResponder or AttributeRequester. |
enabled | Takes as a value either true or false. |
Enables and configures the federation store.
This sets the JNDI name of the data store used to store federation records and sets the store type to RDBMS.
setFederationStore(<enable>, <jndiname>)
Argument | Definition |
---|---|
enable | Enable or disable the Federation data store. |
jndiname | Indicates the JNDI name of the data store. |
Configure an IdP partner or an IdP partner profile for Force Authentication and/or IsPassive.
configureIdPAuthnRequest(<partner="">, <partnerProfile="">, <partnerType="">, <isPassive="false">, <forceAuthn="false">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | Indicates the IdP partner to be configured. partner and partnerProfile are exclusive, with one of the two required. |
partnerProfile | Indicates the IdP partner profile to be configured. partner and partnerProfile are exclusive, with one of the two required. |
partnerType | The type of partner (sp or idp). |
isPassive | Indicates whether the IdP partner or IdP partner profile should be configured so that the Authn Request message sent to the IdP indicates that the IdP should not interact with the user during Federation SSO. True indicates that the IdP should not interact with the user. Optional. |
forceAuthn | Indicates whether the IdP partner or IdP partner profile should be configured so that the Authn Request message sent to the IdP indicates that the IdP should challenge the user even if a valid session exists. True indicates that the user will be challenged. Optional. |
displayOnly | Indicates whether or not this command should display the Is Passive and Force Authn settings. Default is false. Optional. |
delete | Indicates whether or not this command should delete the Is Passive and Force Authn settings from the specified partner or partner profile. Default is false. Optional. |
Enables or disables Authorization for Federation SSO. By default, the authorization feature for Federation SSO is turned off.
A boolean indicating whether or not Authorization for Federation SSO should be enabled.
Configure the hashing algorithm used in digital signatures.
If the displayOnly and delete parameters are false, this command sets the algorithm.
configureFedDigitalSignature(<partner="">, <partnerProfile="">, <partnerType="">, <default="false">, <algorithm="SHA-256">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | Indicates the partner for which the hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
partnerProfile | Indicates the partner profile for which the hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
partnerType | Indicates the partner type. Required when specifying partner or partnerProfile. Valid values are sp or idp. |
default | Indicates that the global default hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
algorithm | The hashing algorithm to use in digital signatures. Default is SHA-256. Optional. |
displayOnly | Indicates whether or not this command should display the hashing algorithm setting. Default is false. Optional. |
delete | Indicates whether or not this command should delete the hashing algorithm setting from the specified partner or partner profile. Default is false. Optional. |
Configure the signing and/or encryption key alias to be used for digital signature and encryption operations.
configureFedSignEncKey(<partner="">, <partnerProfile="">, <partnerType="">, <default="false">, <signAlias="">, <encAlias="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | Indicates the partner for which the signing and/or encryption key alias is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
partnerProfile | Indicates the partner profile for which the signing and/or encryption key alias is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
partnerType | Indicates the partner type for which the signing and/or encryption key alias is to be configured. Required when specifying partner or partnerProfile. Valid values are sp or idp. |
default | Indicates that the global default signing and/or encryption key alias is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
signAlias | The signing key alias. Required when setting the value. |
encAlias | The encryption key alias. Required when setting the value. |
displayOnly | Indicates whether or not this command should display the signing and encryption key aliases. Default is false. Optional. |
delete | Indicates whether or not this command should delete the signing and/or encryption key alias from the specified partner or partner profile. Default is false. Optional. |
Configures the NameID to user store attribute mapping to be used during Attribute Sharing.
If displayOnly is true, the command displays the NameID to userstore attribute mapping. Otherwise, if delete is true, the command deletes the specified mapping. Otherwise it sets the enabled flag to the given value and sets a NameID to userstore attribute mapping.
configureAttributeSharingSPPartnerNameIDMapping(<partner="">, <partnerProfile="">, <enabled="true">, <nameidformat="">, <userStoreAttribute="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | ID of the partner being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required. |
partnerProfile | Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required. |
enabled | Boolean indicating whether the NameID to userstore attribute mapping is enabled or disabled. Optional. Default value is true. |
nameidformat | The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation, all the mappings for the specified partner or partnerProfile are displayed. Allowed NameID formats are: If the format is set to any other value, the Assertion will be populated with that value. |
userStoreAttribute | The userstore attribute to which the specified NameID Format is mapped. Optional. Needs to be specified only for a create or update operation. |
displayOnly | Indicates whether or not this command should display the NameID to userstore attribute mapping. Default is false. Optional. If set to true the mapping is displayed. If no NameID parameter is specified all the mappings are displayed. |
delete | Indicates whether or not this command should delete the NameID to userstore attribute mapping. Default is false. Optional. |
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", userStoreAttribute="mail")
configureAttributeSharingSPPartnerNameIDMapping(partnerProfile="saml20-idp-partner-profile", nameidformat="orafed-emailaddress", userStoreAttribute="mail")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", enabled="false")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", displayOnly="true")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", delete="true")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", displayOnly="true")
Configures the default attribute sharing nameid and nameid format for the IdP Partner.
configureAttributeSharingIdPPartner(<partner="">, <partnerProfile="">, <nameidformat="">, <nameidattribute="">)
Argument | Definition |
---|---|
partner | ID of the partner being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required. |
partnerProfile | Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required. |
nameidformat | The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation, all the mappings for the specified partner or partnerProfile are displayed. Allowed NameID formats are: |
nameidattribute | The attribute in the userstore that should be used as the NameID. Optional. |
displayOnly | Indicates whether or not this command should display the NameID to userstore attribute mapping. Default is false. Optional. If set to true the mapping is displayed. If no NameID parameter is specified all the mappings are displayed. |
Configures Attribute Sharing DN to IdP Mappings.
If displayOnly is set to true the configuration is displayed. If delete is set to true the command deletes a specified mapping; otherwise, a mapping is created or updated.
configureAttributeSharingUserDNToIdPPartnerMapping(<dn="">, <idp="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
dn | The DN string to map to the given IdP. Optional. Needs to be specified to delete a mapping and to set a mapping. If specified for a display operation, only the mapping for this DN is displayed. |
idp | The partner ID of the IdP to use as Attribute Authority for the given DN. Optional. Needs to be specified only when creating or updating a mapping. |
displayOnly | Indicates whether or not this command should display the DN to IdP mapping. Default is false. Optional. If set to true the mapping is displayed. If no dn parameter is specified all the mappings are displayed. |
delete | Indicates whether or not this command should delete the DN to IdP mapping. Default is false. Optional. |
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", displayOnly="true")
configureAttributeSharingUserDNToIdPPartnerMapping(displayOnly="true")
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", delete="true")
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", idp="acme")
Configures the Attribute Sharing feature by setting a default attribute authority.
configureAttributeSharing(<defaultAttributeAuthority="">)
Argument | Definition |
---|---|
defaultAttributeAuthority | ID of the partner to use as the default Attribute Authority. Only used when this server is functioning in SP mode. |
Removes the Attribute Sharing plug-in from the Authentication Module.
removeAttributeSharingFromAuthnModule(<authnModule>, <stepName="">)
Argument | Definition |
---|---|
authnModule | The name of the authnModule from which to delete the Attribute Sharing plugin. |
stepName | The stepName of the Attribute Sharing plugin step to remove. Only needed if there is more than one attribute sharing step. Optional. |
Configures the Attribute Sharing plug-in in the Authentication Module.
configureAttributeSharingPlugin(<authnModule>, <stepName=None>, <nameIDVariable=None>, <idpVariable=None>, <defaultIdP=None>, <nameIDFormatVariable=None>, <defaultNameIDFormat=None>, <requestedAttributes=None>)
Argument | Definition |
---|---|
authnModule | The name of the authnModule in which the Attribute Sharing plugin is configured. |
stepName | The stepName of the Attribute Sharing plugin step to configure. Only needed if there is more than one attribute sharing step. Optional. |
nameIDVariable | The name of the variable in the session or context that contains the nameID of the user. |
idpVariable | The name of the variable in the session or context that contains the IdP name to which to send the attribute request. |
defaultIdP | The name of the default IdP to send the attribute request to if no IdP can be determined from the session or context. |
nameIDFormatVariable | The name of the variable in the session or context that contains the NameID format to use in the attribute request. |
defaultNameIDFormat | The default NameID format to use if no NameID format can be determined from the session or context. Allowed NameID formats are: If the format is set to any other value, the Assertion will be populated with that value. |
requestedAttributes | The attributes to request from the IdP. This string is in the URL query string format. |
Inserts the attribute sharing step into the Authentication Module flow.
Can also be used to remove the attribute sharing step from the Authentication Module flow.
insertAttributeSharingInToAuthnModule(<authnModule>, <fromStep=None>, <fromCond=None>, <toStep=None>, <toCond=None>, <stepName=None>)
Argument | Definition |
---|---|
authnModule | The name of the authnModule into which the Attribute Sharing plugin is inserted. |
fromStep | The name of the step after which the Attribute Sharing step (or the step of the given name) should be inserted. |
fromCond | The condition under which the Attribute Sharing step (or the step of the given name) is called after the fromStep. It has to be one of OnSuccess, OnFailure or OnError. |
toStep | The name of the step to go to after the Attribute Sharing step (or the step of the given name). |
toCond | The condition under which the toStep is called after the Attribute Sharing step (or the step of the given name). |
stepName | The name of the step being added to the flow. |
Provides a way to authenticate clients with an alternate Authentication Scheme.
Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for this Partner.
setSPPartnerAlternateScheme(<partner>, <enabled="true">, <httpHeaderName="">, <httpHeaderExpression="">, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">, <remove="false">)
Argument | Definition |
---|---|
partner | The ID of the partner. |
enabled | Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client. |
httpHeaderName | Required if enabled is true, the HTTP Header to evaluate. IMPORTANT: This is a global setting and will affect all partners. |
httpHeaderExpression | Required if enabled is true, the regular expression used to evaluate the value of the HTTP Header. |
authnScheme | Required if enabled is true, the alternate Authentication Scheme to be used instead of the default. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
remove | Optional. If set to true, removes the properties for the alternate scheme in the partner configuration. |
Note:
Since this operation creates policy objects, it is possible to specify the Application Domain (default: "IAM Suite"), the HostID (default "IAMSuiteAgent") and the Authorization Policy (default "Protected Resource Policy") to be used, although the default values can be used.
In this example, Identity Federation is configured to enable the alternate Authentication Scheme at the partner level for the SP partner Acme when the user's browser sends the HTTP Header "User-Agent" with the iPhone string in it. The string triggers the BasicScheme for authentication rather than the default Authentication Scheme.
setSPPartnerAlternateScheme("acmeSP", "true", httpHeaderName="User-Agent", httpHeaderExpression=".*iPhone.*", authnScheme="BasicScheme")
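As an added example (not Oracle's code), the following Python models the selection described above: the SP partner's alternate-scheme settings are evaluated against the client's request headers and the scheme to challenge with is returned. Whole-value matching of the expression, the PartnerAlternateScheme structure and the default scheme name are assumptions for illustration, not Identity Federation internals.

```python
"""Model the alternate Authentication Scheme selection of setSPPartnerAlternateScheme.

Added example, not Oracle's code. The matching semantics (the expression must
match the whole header value) and the PartnerAlternateScheme structure are
assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class PartnerAlternateScheme:
    """The settings setSPPartnerAlternateScheme takes for one SP partner."""
    enabled: bool
    http_header_name: str
    http_header_expression: str
    authn_scheme: str


def select_authn_scheme(alt: Optional[PartnerAlternateScheme],
                        headers: Mapping[str, str],
                        default_scheme: str) -> str:
    """Return the Authentication Scheme to challenge the client with.

    The header is entirely under the client's control, so the alternate scheme
    is only ever a hint: a client can present or omit the header to pick
    whichever of the two schemes it prefers. Configure the alternate scheme to
    be no weaker than the default unless that downgrade is intended.
    """
    if alt is None or not alt.enabled:
        return default_scheme
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == alt.http_header_name.lower()), None)
    if value is None:
        return default_scheme
    # Assumption: the expression must match the whole header value, which is
    # why the documented example uses ".*iPhone.*" rather than a bare "iPhone".
    if re.fullmatch(alt.http_header_expression, value) is not None:
        return alt.authn_scheme
    return default_scheme


# Constructed configuration mirroring the page's acmeSP example.
ACME_ALT = PartnerAlternateScheme(True, "User-Agent", ".*iPhone.*", "BasicScheme")
DEFAULT_SCHEME = "DefaultScheme"   # constructed placeholder, not from the page

if __name__ == "__main__":
    ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)"
    print(select_authn_scheme(ACME_ALT, {"User-Agent": ua}, DEFAULT_SCHEME))
```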
Defines the default Authentication Scheme for the SP partner.
setSPPartnerDefaultScheme(<partner>, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partner | The ID of the partner. |
authnScheme | The OAM Authentication Scheme to be used. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
Provides a way to authenticate clients with an alternate Authentication Scheme.
Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for partners assigned to this Partner Profile.
setSPPartnerProfileAlternateScheme(<partnerProfile>, <enabled="true">, <httpHeaderName="">, <httpHeaderExpression="">, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">, <remove="false">)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
enabled | Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client. |
httpHeaderName | Required if enabled is true, the HTTP Header to evaluate. IMPORTANT: This is a global setting and will affect all partners. |
httpHeaderExpression | Required if enabled is true, the regular expression used to evaluate the value of the HTTP Header. |
authnScheme | Required if enabled is true, the alternate Authentication Scheme to be used instead of the default. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
remove | Optional. If set to true, removes the properties for the alternate scheme in the partner profile configuration. |
Note:
Since this operation creates policy objects, it is possible to specify the Application Domain (default: "IAM Suite"), the HostID (default "IAMSuiteAgent") and the Authorization Policy (default "Protected Resource Policy") to be used, although the default values can be used.
Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile.
setSPPartnerProfileDefaultScheme(<partnerProfile>, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
authnScheme | The OAM Authentication Scheme to be used. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner.
addSPPartnerAuthnMethod(partner, authnMethod, authnScheme, isDefault="true", authnLevel="-1", appDomain="IAM Suite", hostID="IAMSuiteAgent", authzPolicy="Protected Resource Policy")
Argument | Definition |
---|---|
partner | The ID of the SP partner. |
authnMethod | The Federated Authentication Method to which the Access Manager Authentication Scheme will be mapped. |
authnScheme | The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped. |
isDefault | Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method. |
authnLevel | Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner Profile.
addSPPartnerProfileAuthnMethod(partnerProfile, authnMethod, authnScheme, isDefault="true", authnLevel="-1", appDomain="IAM Suite", hostID="IAMSuiteAgent", authzPolicy="Protected Resource Policy")
Argument | Definition |
---|---|
partnerProfile | The ID of the SP partner profile. |
authnMethod | The Federated Authentication Method to which the Access Manager Authentication Scheme will be mapped. |
authnScheme | The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped. |
isDefault | Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method. |
authnLevel | Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner.
addIdPPartnerAuthnMethod(partner, authnMethod, authnLevel)
Argument | Definition |
---|---|
partner | The ID of the IdP partner. |
authnMethod | The Federated Authentication Method. |
authnLevel | The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method. |
Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile.
Defines the level to which users from this IdP partner profile are authenticated.
addIdPPartnerProfileAuthnMethod(partnerProfile, authnMethod, authnLevel)
Argument | Definition |
---|---|
partnerProfile | The ID of the IdP partner profile. |
authnMethod | The Federated Authentication Method. |
authnLevel | The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method. |
Lists the Federated Authentication Method mappings for a specific Partner.
listPartnerAuthnMethods(partner, partnerType)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (SP or IdP). |
Lists the Federated Authentication Method mappings for a specific Partner Profile.
listPartnerProfileAuthnMethods(partnerProfile, partnerType)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
partnerType | The type of the partner (SP or IdP). |
Removes the mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for the specified Partner.
removePartnerAuthnMethod(<partner>, <partnerType>, <authnMethod>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (SP or IdP). |
authnMethod | The Federated Authentication Method. |
Removes the mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for the specified Partner Profile.
removePartnerProfileAuthnMethod(<partnerProfile>, <partnerType>, <authnMethod>)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
partnerType | The type of the partner (SP or IdP). |
authnMethod | The Federated Authentication Method. |
Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner.
setIdPPartnerRequestAuthnMethod(<partner>, <authnMethod>)
Argument | Definition |
---|---|
partner | The ID of the IdP partner. |
authnMethod | The Federated Authentication Method. |
Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner Profile.
setIdPPartnerProfileRequestAuthnMethod(<partnerProfile>, <authnMethod>)
Argument | Definition |
---|---|
partnerProfile | The ID of the IdP partner profile. |
authnMethod | The Federated Authentication Method. |
Configure the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO.
If the server acts as an SP with a remote IdP to authenticate the user, when acting as an Identity Provider in a different Federation SSO operation, the server can use the Federation Authentication Method sent by the remote Identity Provider. The server will send the proxied Federation Authentication Method for the list of specified Federation Authentication Schemes. The server will only send the proxied Federation Authentication Method if the Federation protocol used between the server and the Service Provider is the same Federation protocol as the one used between the server and the Identity Provider.
useProxiedFedAuthnMethod(<enabled="false">, <displayOnly="false">, <authnSchemeToAdd="">, <authnSchemeToRemove="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
enabled | Indicates whether or not the proxied Federation Authentication Method should be used. Default is to disable the feature. Optional. |
displayOnly | Indicates whether or not this command should display the list of Federation Schemes for which the server should send the proxied Federation Authentication Method. Default is false. Optional. |
authnSchemeToAdd | The OAM Federation Authentication Scheme to be added to the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove parameters are exclusive. |
authnSchemeToRemove | The OAM Federation Authentication Scheme to be removed from the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove parameters are exclusive. |
appDomain | The application domain in which the underlying policy components will be created. Optional. |
hostID | The HostID that will be used when creating the underlying resource policy object. Optional. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
Creates a Federation Partner Profile based on the specified existing one.
createFedPartnerProfileFrom(<newPartnerProfile>, <existingPartnerProfile>)
Argument | Definition |
---|---|
newPartnerProfile | The ID of the new partner profile. |
existingPartnerProfile | The ID of the existing partner profile. |
Deletes the specified Federation Partner Profile.
deleteFedPartnerProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile being deleted. |
Displays the properties defined in the specified Federation Partner Profile.
displayFedPartnerProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile. |
Lists all of the existing Federation Partner Profiles.
Lists the partners bound to the specified Federation Partner Profile.
listFedPartnersForProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile. |
Gets the ID of the Partner Profile bound to the specified partner.
getFedPartnerProfile(<partner>, <partnerType>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (sp or idp). |
Sets the Federation Partner Profile for the specified partner, binding it to the partner profile identified by the given partner profile ID.
setFedPartnerProfile(<partner>, <partnerType>, <partnerProfile>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (sp or idp). |
partnerProfile | The ID of the partner profile. |
The value held by idpinitiatedssoprovideridparam is used by the peer provider to identify the provider ID of the SP.
updatePartnerProperty(partnerName, partnerType, "idpinitiatedssoprovideridparam","providerid", "string")
Argument | Definition |
---|---|
partnerName | The ID of the partner |
partnerType | Takes as a value either idp or sp |
propName | Name of the property being configured or modified |
propValue | The value of the property being configured. For an OIF peer IDP, the parameter name must be "providerid". Changing this property will change the parameter name used in the above URL. |
type | The data type of the property value. Valid values are string, long, or boolean. |
Sets the target URL for the specified SP partner. The value held by idpinitiatedssotargetparam identifies the target resource: the peer provider uses it to identify the desired resource (TARGET in the case of Oracle Identity Federation).
updatePartnerProperty(partnerName, partnerType, "idpinitiatedssotargetparam", "TARGET", "string")
Argument | Definition |
---|---|
partnerName | The ID of the partner |
partnerType | Takes as a value either idp or sp |
propName | Name of the property being configured or modified |
propValue | The location of the resource. The default value is TARGET. |
type | The data type of the property value. Valid values are string, long, or boolean. |
updatePartnerProperty(partnerName, "idp", "idpinitiatedssotargetparam", "TARGET", "string")
Note:
A certificate can be included in a SAML 1.1 signature. By replacing <partnerName> with the partner ID and setting the includecertinsignature property, the certificate will be included with the signature. For example:
updatePartnerProperty("<partnerName>", "sp", "includecertinsignature", "true", "boolean")
getPartnerProperty("<partnerName>", "sp", "includecertinsignature")
deletePartnerProperty("<partnerName>", "sp", "includecertinsignature")
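The updatePartnerProperty calls above pass every value as a string together with a type name (string, long, or boolean), and the partnerType must be idp or sp. The following is an added example, not part of this reference or of the Identity Federation product: a small WLST (Jython-compatible) wrapper that validates the partner type and checks the value against the declared type before handing it to updatePartnerProperty, then reads the property back with getPartnerProperty to confirm the change. The wrapper takes the session object as a parameter so it can be exercised offline with a constructed stand-in (FakeWlst); when run inside WLST you would instead pass an object exposing the real updatePartnerProperty, getPartnerProperty and deletePartnerProperty commands. The partner ID "sp-example" and the default partner type of "sp" are assumptions for illustration (the page's own target-parameter example uses "idp" in one place).

```python
# Added example (not Oracle's code): type-checked wrapper for the
# Identity Federation WLST partner-property commands shown on this page.
# Written to run under both Jython 2.x (WLST) and CPython 3.

VALID_PARTNER_TYPES = ("idp", "sp")
VALID_PROP_TYPES = ("string", "long", "boolean")


def coerce_value(value, prop_type):
    """Check that `value` (passed as a string, as WLST expects) is a valid
    representation for `prop_type` and return the normalized string."""
    if prop_type not in VALID_PROP_TYPES:
        raise ValueError("type must be one of %s, got %r" % (VALID_PROP_TYPES, prop_type))
    value = str(value)
    if prop_type == "boolean":
        if value.lower() not in ("true", "false"):
            raise ValueError("boolean property needs 'true' or 'false', got %r" % value)
        return value.lower()
    if prop_type == "long":
        try:
            int(value)
        except ValueError:
            raise ValueError("long property needs an integer, got %r" % value)
        return value
    if not value:
        raise ValueError("string property must not be empty")
    return value


def set_partner_property(wlst, partner_name, partner_type, prop_name, value, prop_type):
    """Validate, apply via updatePartnerProperty, and return the value read
    back with getPartnerProperty so the caller can confirm the change."""
    if partner_type not in VALID_PARTNER_TYPES:
        raise ValueError("partnerType must be idp or sp, got %r" % partner_type)
    checked = coerce_value(value, prop_type)
    wlst.updatePartnerProperty(partner_name, partner_type, prop_name, checked, prop_type)
    return wlst.getPartnerProperty(partner_name, partner_type, prop_name)


def configure_idp_initiated_sso(wlst, partner_name, partner_type="sp"):
    """Apply the three properties discussed in this section to one partner
    and return a dict of the values read back from the server."""
    results = {}
    results["idpinitiatedssoprovideridparam"] = set_partner_property(
        wlst, partner_name, partner_type, "idpinitiatedssoprovideridparam", "providerid", "string")
    results["idpinitiatedssotargetparam"] = set_partner_property(
        wlst, partner_name, partner_type, "idpinitiatedssotargetparam", "TARGET", "string")
    results["includecertinsignature"] = set_partner_property(
        wlst, partner_name, partner_type, "includecertinsignature", "true", "boolean")
    return results


class FakeWlst:
    """Constructed stand-in for a WLST session: stores properties in a dict
    keyed by (partner, partnerType, propName). Used only so the example
    runs offline; it does not talk to an OAM server."""

    def __init__(self):
        self.props = {}

    def updatePartnerProperty(self, partner, ptype, name, value, prop_type):
        self.props[(partner, ptype, name)] = value

    def getPartnerProperty(self, partner, ptype, name):
        return self.props.get((partner, ptype, name))

    def deletePartnerProperty(self, partner, ptype, name):
        self.props.pop((partner, ptype, name), None)


if __name__ == "__main__":
    session = FakeWlst()
    applied = configure_idp_initiated_sso(session, "sp-example")  # assumed partner ID
    for name in sorted(applied):
        print("%s = %s" % (name, applied[name]))
    session.deletePartnerProperty("sp-example", "sp", "includecertinsignature")
    print("after delete: %r" % session.getPartnerProperty("sp-example", "sp", "includecertinsignature"))
```

Reading the property back after each update is the check worth keeping: it confirms the server accepted the value under the type you declared, rather than silently storing a string that does not parse as a boolean or long.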