• Install/Provision all the software on the various platforms ready for configuration. The installation and configuration documentation will outline the steps involved in getting the software installed and configured at a basic working level.

• Identity Provider Configuration - Setup your Identity Provider (IdP) to point to your security repositories and accept the necessary SAML 2.0 request to format the appropriate SAML 2.0 response.

• Oracle HTTP Server/WebGate Configuration - Configure your proxy servers to accept requests and, optionally, support reverse proxy (to detect the client connection).

• Define Identity Provider Partner in Oracle Access Manager – Configure the access management solution with the details of the Identity Provider.

• Enable Just In Time Provisioning in Identity Federation – Whilst the user would exist in the security repository and the product, it needs to be in the access management repository on first use.

• Define WebGate Agent – In a hybrid solution agents need to be configured to enable communication across partners.

• Copy WebGate Agent Configuration to OHS/WebGate – As agents need to communicate effectively ensure that the agent configurations match.

• Define Authentication Policy for the Product Domain – The domains must be configured with the linking policies to link all the components together.

• Export the OAM SAML Metadata (optional) – Optionally, each provider may differing SAML formats. This step exports the suggested format from the access management software into the Identity Provider to ensure SAML responses are formatted correctly.

• The Identity Provider (or its networking component) must be configured to allow connections from the browsers access to the provider. This can be hostnames, IP addresses or IP Address ranges allocated to your users. These addresses can be via Virtual Private networks or direct according to your networking policies. For example, in a Shibboleth installation, the allowedRanges in the access-control.xml configuration file needs to be set:

• Oracle Identity Federation uses the uid LDAP attribute for user identification. Ensure your Identity Provider uses this identifier in any communication to the solution. For example, in a Shibboleth installation, the Requester should be Oracle Access Management (with Oracle Identity Federation installed) with uid as the AttributeRule in the attribute-filter.xml configuration file:

• Some Identity Providers require that the IdP be defined explicitly. For example, in a Shibboleth installation, the idp.entityID property must be set in the idp.properties configuration file:

• Configure your Identity Provider to connect to your LDAP security repository. Refer to the documentation with your Identity Provider for detailed information on this process. For example, in a Shibboleth installation, the ldap.properties file controls the interface to the LDAP.

• Some Identity Providers need to understand the SAML request and response from/to the Oracle Access Management solution. The provider needs to understand how to download the SAML metadata to understand the interface. For example, in a Shibboleth installation, the metadata-providers.xml configuration file needs to be configured:

• Some Identity Providers specify their meta data for use with the Service Provider. Ensure the Identity Provider also has correct certificate usage (including X.509) for secure transmission of data. It is important that signing and encryption certificate match the certificates used in the architecture to avoid issues (such as "Signature verification failed for provider ID…" errors). Refer to Doc Id: 2032605.1 from My Oracle Support for more details. For example, in a Shibboleth installation, the X509 signing and encryption certificates in the idp-metadata.xml configuration file should match the certificates in idp-signing.crt and idp-encrpytion.crt files. In a default installation of Shibboleth the certificates are in the credentials subdirectory. Correct if necessary.

• This should complete the configuration of the Identity Provider.

• Enable the partner using the Enable Partner function in the Identity Provider Partner portal within Oracle Identity Federation/Oracle Access Manager.

• Load the SAML 2.0 Metadata that was exported from your IdP (or enter it manually). For the example Shibboleth interface, this is located in the idp-metadata.xml configuration file.

• Configure the User Mapping to refer to the following:

• Select the appropriate Identity Store that was configured for your Access Management solution. This is used for Single Sign On.

• The above attribute must be mapped to the uid attribute in Oracle Access Manager

• Optionally, set Enable global logout and HTTP POST SSO Response Binding for SSO integration.

• Within Oracle Access Manager, use the Create Authentication Scheme and Module option to generate and implement the definitions. If necessary, this generated configuration can be viewed or altered using Access Manager  Authentication Schemes and Plug-ins  Authentication Modules respectively.

• Set the Security to Simple (or Cert for two way certificate implementations).

• Set Auto Create Policies to create default access policies.

• Set the Base URL to the Oracle HTTP Server/Webgate used for the product.

• Set the Access Client Password to the password for the Webgate.

• Set the Relative URI to the WEB_CONTEXT_ROOT setting in the ENVIRON.INI (prefixed with /) in the Protected Resource List. For example, /spl.

• It is recommended to add the User Defined Parameter. authorizationResultCacheTimeout to 0 to avoid Invalid SAML Assertion errors.

• An Application Domain is automatically created by the WebGate configuration implementation. This will be used by the process.

• Create an Authentication Policy for the selected domain with the authentication scheme appropriate for the IdP.

• Set the Resources to the protocol and resource URLs (set to the WEB_CONTEXT_ROOT setting in the ENVIRON.INI, prefixed with / and suffixed with *, for example /ouaf*) as a Protected Resource Policy.

• Set the Operations to All and ensure the Authentication Policy is set correctly for the IdP for each policy.

• Configure the Oracle Access Manager Identity Asserter to provide the identity from the transaction flow to the product.

• Configure the Custom Authentication Service Provider that is available with the product to participate in the authentication process.

• If Oracle Unified Directory is used, as a supplemental security repository, then its Authentication Adapter must be configured to participate in the authentication process.

• If the Default Authenticator is used, as a supplemental security repository, then it must be configured to participate in the authentication process. This Authenticator is used by the administration consoles to administrate the product.

• Set the Type to OAMIdentityAsserter.

• Set the Control Flag to SUFFICIENT. This tells the security system that if the user existence is confirmed by this adapter then it is a valid user.

• Set the Active Types to OAM_REMOTE_USER and OAM_IDENTITY_ASSERTION. This denotes the login types used by federation.

• Set the userGroup property to the user group used for the subsetting the users accessing this plugin.

• Set the excludeUsers property to the comma separated list of system and administration users that are not checked by this plugin. This assumes they will be checked by other authentication providers.

• Optionally set the debug property to true for non-production debugging of your configuration to send debug log messages to the Web Server logs.

• The most important aspect of configuring multiple authentication providers is to order them in the right order to optimize the login process. Reordering can be performed as outlined in Changing the Order of Authentication Providers with the following guidelines:

• It is highly recommended that Oracle Access Manager Identity Asserter and Custom Authenticator be placed first and second respectively. This will ensure the bulk of the users are authenticated efficiently.

• If the Oracle Unified Authenticator (optional)is used, then it can be placed in the third place to catch administration accounts. It can also be placed in second place, if it is required, but if that is before the Custom Authenticator then the group used for authentication, for example cisusers, must also be defined in Oracle Unified Directory.

• It is recommended that the Default Authenticator be placed last as it is typically only used for the accounts that start and stop the product.