3 Identity Federation WLST Commands

Use these custom WebLogic Scripting Tool (WLST) commands for Oracle Access Management Identity Federation (Identity Federation) to configure federation partners and partner profiles.

The Identity Federation WLST commands are organized into two categories.

Note:

Identity Federation WLST commands accept attributes either as key-value pairs or as positional values only; Oracle Access Management Access Manager commands accept only key-value pairs. WLST examples in this document may therefore be written in either manner. The following example uses key-value pairs.

setIdPPartnerAttributeProfileEntry(attrProfileID="openid-idp-attribute-profile", messageAttributeName="http://axschema.org/namePerson", oamSessionAttributeName="name", requestFromIdP="true")

3.1 Identity Federation Commands

Use the WLST commands listed in Table 3-1 to configure federation partners and partner profiles.

Note:

The Identity Federation command definitions begin with "addWSFed11IdPFederationPartner."

Table 3-1 WLST Commands for Identity Federation

Use this command... | To... | Use with WLST...
addWSFed11IdPFederationPartner | Create a WS-Fed 1.1 IdP partner. | Online
addWSFed11SPFederationPartner | Create a WS-Fed 1.1 SP partner. | Online
addOpenID20IdPFederationPartner | Create an OpenID 2.0 IdP partner. | Online
addOpenID20SPFederationPartner | Create an OpenID 2.0 SP partner. | Online
addOpenID20GoogleIdPFederationPartner | Create a Google OpenID 2.0 IdP partner. | Online
addOpenID20YahooIdPFederationPartner | Create a Yahoo OpenID 2.0 IdP partner. | Online
addSAML11IdPFederationPartner | Create an IdP federation partner, including metadata, under the SAML 1.1 protocol. | Online
addSAML11SPFederationPartner | Create an SP federation partner, including metadata, under the SAML 1.1 protocol. | Online
addSAML20IdPFederationPartner | Create an IdP federation partner under the SAML 2.0 protocol. | Online
addSAML20SPFederationPartner | Create an SP federation partner under the SAML 2.0 protocol. | Online
addSAML20IdPFederationPartnerWithoutMetadata | Create an IdP federation partner under the SAML 2.0 protocol without importing metadata. | Online
addSAML20SPFederationPartnerWithoutMetadata | Create an SP federation partner under the SAML 2.0 protocol without importing metadata. | Online
configureIdPPartnerAttributeProfile | Configure an IdP partner attribute profile to specify whether incoming attributes that are not part of the profile should be ignored. | Online
configureSAML20Logout | Configure global federation logout for a SAML 2.0 federation partner. | Online
configureSAMLBinding | Configure the preferred binding for a SAML federation partner. | Online
configureUserSelfRegistration | Enable user self-registration. | Online
configureUserSelfRegistrationAttr | Set which attributes from the assertion should be used as email, first name, last name or username during self-registration. | Online
createAuthnSchemeAndModule | Create an authentication scheme and module for an IdP partner. | Online
createIdPPartnerAttributeProfile | Create an IdP partner attribute profile for a federation partner. | Online
createSPPartnerAttributeProfile | Create an SP partner attribute profile for a federation partner. | Online
deleteAuthnSchemeAndModule | Delete an authentication scheme and module for an IdP partner. | Online
deleteFederationPartner | Delete a specific federation partner. | Online
deleteFederationPartnerEncryptionCert | Delete the encryption certificate of a federation partner. | Online
deleteFederationPartnerSigningCert | Delete the signing certificate of a federation partner. | Online
deleteIdPPartnerAttributeProfile | Delete the attribute profile of an IdP federation partner. | Online
deleteSPPartnerAttributeProfile | Delete the attribute profile of an SP federation partner. | Online
deleteIdPPartnerAttributeProfileEntry | Delete an entry from the attribute profile of a federation partner. | Online
deleteSPPartnerAttributeProfileEntry | Delete an entry from the attribute profile of a federation partner. | Online
deletePartnerProperty | Delete a partner-specific property that was added to the partner's configuration. | Online
displayIdPPartnerAttributeProfile | Display an IdP federation partner's attribute profile. | Online
displaySPPartnerAttributeProfile | Display an SP federation partner's attribute profile. | Online
getAllFederationIdentityProviders | List all IdP federation partners. | Online
getAllFederationServiceProviders | List all SP federation partners. | Online
getFederationPartnerEncryptionCert | Retrieve the encryption certificate for a federation partner. | Online
getFederationPartnerSigningCert | Retrieve the signing certificate for a federation partner. | Online
getIdPPartnerBasicAuthCredentialUsername | Retrieve the HTTP basic authentication username for a federation partner. | Online
getPartnerProperty | Retrieve a property for a federation partner. | Online
getStringProperty | Retrieve a string property from a federation partner profile. | Online
isFederationPartnerPresent | Check whether a partner is configured. | Online
listIdPPartnerAttributeProfileIDs | List an IdP partner's attribute profiles. | Online
listSPPartnerAttributeProfileIDs | List an SP partner's attribute profiles. | Online
putStringProperty | Set an OpenID partner as the default Federation IdP. | Online
setDefaultSSOIdPPartner | Set an IdP partner as the default identity provider for federation single sign-on. | Online
setFederationPartnerEncryptionCert | Set the encryption certificate for a federation partner. | Online
setFederationPartnerSigningCert | Set the signing certificate for a federation partner. | Online
setIdPPartnerAttributeProfile | Set the attribute profile to use during federated single sign-on with an IdP partner. | Online
setIdPDefaultScheme | Set the default OAM Authentication Scheme. | Online
setSPPartnerAttributeProfile | Set the attribute profile to use during federated single sign-on with an SP partner. | Online
setIdPPartnerAttributeProfileEntry | Set an entry in an IdP federation partner's profile. | Online
setSPPartnerAttributeProfileEntry | Set an entry in an SP federation partner's profile. | Online
setIdPPartnerBasicAuthCredential | Update a federation partner's HTTP basic auth credential. | Online
setIdPPartnerMappingAttribute | Set the attribute used for assertion mapping for a federation partner. | Online
setIdPPartnerMappingAttributeQuery | Set the attribute query used for assertion mapping for a federation partner. | Online
setIdPPartnerMappingNameID | Set the assertion mapping NameID value for an IdP federation partner. | Online
setPartnerAlias | Update a federation partner's alias name. | Online
setPartnerIDStoreAndBaseDN | Set a federation partner's identity store and base DN. | Online
setSPPartnerAlternateScheme | Configure an alternate Authentication Scheme. | Online
setSPPartnerDefaultScheme | Configure a default Authentication Scheme. | Online
setSPPartnerProfileDefaultScheme | Configure the profile with a default Authentication Scheme. | Online
setSPPartnerProfileAlternateScheme | Configure the profile for an alternate Authentication Scheme. | Online
updatePartnerMetadata | Update a federation partner's metadata. | Online
updatePartnerProperty | Update a property for a federation partner. | Online

3.1.1 addWSFed11IdPFederationPartner

The addWSFed11IdPFederationPartner command is an online command that creates a WS-Federation 1.1 IdP partner.

Description

Creates an IdP partner under the WS-Federation 1.1 protocol. The NameID will be mapped to the LDAP user mail attribute.

Syntax

addWSFed11IdPFederationPartner(partnerName, ssoURL, providerID, description)
Argument Definition
partnerName

The name of the partner to be created.

ssoURL 

The Identity Realm Secure Token URL where users will be redirected at the IdP for WS-Federation 1.1 operations.

providerID 

Provider ID/Issuer used in the SAML Assertion.

description

The description of the partner. Optional.

Example

addWSFed11IdPFederationPartner("testpartner1", "http://idp.com/wsfed11",
 "http://idp.com", description="WS-Fed IdP1")

3.1.2 addWSFed11SPFederationPartner

The addWSFed11SPFederationPartner command is an online command that creates a WS-Federation 1.1 SP partner.

Description

Creates an SP partner under the WS-Federation 1.1 protocol.

Syntax

addWSFed11SPFederationPartner(partnerName, realm, ssoURL, samlVersion, msftADFSCompatible, description) 
Argument Definition
partnerName

The name of the partner to be created.

realm

The realm identifier for this SP partner. It will be used in the WS-Federation 1.1 protocol exchange.

ssoURL 

The Identity Realm Secure Token URL where users will be redirected at the SP for WS-Federation 1.1 operations.

samlVersion 

The optional SAML version indicating what kind of Assertion to issue. Takes a value of saml11 (default) or saml20.

msftADFSCompatible

An optional boolean indicating whether the issued SSO response should use the Microsoft ADFS-compatible format (WS-Trust 1.2 or WS-Trust 1.3).

description

The description of the partner. Optional.

Example

addWSFed11SPFederationPartner("testpartner1", "http://sp.com",
 "http://sp.com/wsfed11", description="Test SP1")

3.1.3 addOpenID20IdPFederationPartner

The addOpenID20IdPFederationPartner command is an online command that creates an OpenID 2.0 IdP partner.

Description

Creates an IdP partner under the OpenID 2.0 protocol.

Syntax

addOpenID20IdPFederationPartner(partnerName, idpSSOURL, discoveryURL, description) 
Argument Definition
partnerName

The name of the partner to be created.

idpSSOURL 

The initiate SSO URL of the IdP. Can be set to "" if the discovery URL is specified and intended to be used.

discoveryURL 

The OpenID discovery URL of the IdP.

description

The description of the partner. Optional.

Example

addOpenID20IdPFederationPartner("testpartner1", "", 
 "http://host:port/discoveryurl", description="Test IdP1")

3.1.4 addOpenID20SPFederationPartner

The addOpenID20SPFederationPartner command is an online command that creates an OpenID 2.0 SP partner.

Description

Creates an SP partner under the OpenID 2.0 protocol.

Syntax

addOpenID20SPFederationPartner(partnerName, realm, ssoURL, description) 
Argument Definition
partnerName

The name of the partner to be created.

realm 

The realm for the SP (RP).

ssoURL 

The endpoint URL of the SP (RP).

description

The description of the partner. Optional.

Example

addOpenID20SPFederationPartner(partnerName="partnerID", 
 realm="http://realm.domain.com", ssoURL="http://host:port/endpoint", 
 description="some description")

3.1.5 addOpenID20GoogleIdPFederationPartner

The addOpenID20GoogleIdPFederationPartner command is an online command that creates an IdP partner with the name google.

Description

Creates an IdP partner with the name google using a discovery URL https://www.google.com/accounts/o8/id.

Syntax

addOpenID20GoogleIdPFederationPartner()

Example

addOpenID20GoogleIdPFederationPartner()

3.1.6 addOpenID20YahooIdPFederationPartner

The addOpenID20YahooIdPFederationPartner command is an online command that creates an IdP partner with the name yahoo.

Description

Creates an IdP partner with the name yahoo using the discovery URL https://open.login.yahooapis.com/openid20/user_profile/xrds.

Syntax

addOpenID20YahooIdPFederationPartner()

Example

addOpenID20YahooIdPFederationPartner()

3.1.7 addSAML11IdPFederationPartner

The addSAML11IdPFederationPartner command is an online command that creates a SAML 1.1 IdP federation partner.

Description

Creates a SAML 1.1 IdP federation partner.

Syntax

addSAML11IdPFederationPartner(partnerName, providerID, ssoURL,
soapURL, succinctID, description)
Argument Definition
partnerName

The name of the partner to be created.

providerID 

The providerID of the partner.

ssoURL 

The initiate SSO URL of the IdP.

soapURL 

The artifact resolution SOAP endpoint URL of the IdP.

succinctID 

The succinctID of the provider.

description

The description of the partner. Optional.

Example

addSAML11IdPFederationPartner(partnerName="partnerID",
providerID="providerA", ssoURL="http://host:port/saml11sso",
soapURL="http://host:port/soapurl", succinctID="1234", 
description="somedescription")

3.1.8 addSAML11SPFederationPartner

The addSAML11SPFederationPartner command is an online command that creates a SAML 1.1 SP federation partner.

Description

Creates a SAML 1.1 SP federation partner.

Syntax

addSAML11SPFederationPartner(partnerName, providerID, ssoURL, description)
Argument Definition
partnerName

The name of the partner to be created.

providerID 

The providerID of the partner.

ssoURL 

The initiate SSO URL of the IdP.

description

The description of the partner. Optional.

Example

addSAML11SPFederationPartner(partnerName="partnerID", providerID="providerA", 
ssoURL="http://host:port/saml11sso", description="somedescription")

3.1.9 addSAML20IdPFederationPartner

The addSAML20IdPFederationPartner command is an online command that creates a SAML 2.0 IdP Federation partner.

Description

Creates a federation partner as an identity provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.

Syntax

addSAML20IdPFederationPartner(partnerName, metadataFile, description)
Argument Definition
partnerName

The name of the partner to be created.

metadataFile

The location of the metadata file (full path).

description

The description of the partner. Optional.

Example

addSAML20IdPFederationPartner(partnerName="partnerID", 
metadataFile="location_metadata_file", description="somedescription")

3.1.10 addSAML20SPFederationPartner

The addSAML20SPFederationPartner command is an online command that creates a SAML 2.0 SP Federation partner.

Description

Creates a federation partner as a service provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.

Syntax

addSAML20SPFederationPartner(partnerName, metadataFile, description)
Argument Definition
partnerName

The name of the partner to be created.

metadataFile

The location of the metadata file (full path).

description

The description of the partner. Optional.

Example

addSAML20SPFederationPartner(partnerName="partnerID", 
metadataFile="location_metadata_file", description="somedescription")

3.1.11 addSAML20IdPFederationPartnerWithoutMetadata

The addSAML20IdPFederationPartnerWithoutMetadata command is an online command that creates a SAML20 IdP federation partner without SAML 2.0 metadata.

Description

Creates a SAML20 IdP federation partner without loading SAML 2.0 metadata.

Syntax

addSAML20IdPFederationPartnerWithoutMetadata(partnerName,
providerID, ssoURL, soapURL, succinctID, description)
Argument Definition
partnerName 

The name of the federation partner to be created.

providerID 

The providerID of the partner.

ssoURL 

The initiate SSO URL of the IdP.

soapURL 

The artifact resolution SOAP endpoint URL of the IdP.

succinctID 

The succinctID of the provider.

description 

The description of the partner. Optional.

Example

addSAML20IdPFederationPartnerWithoutMetadata(partnerName="partnerName",
 providerID="http://host:port", ssoURL="http://host:port/saml/sso",
 soapURL="http://host:port/saml/soap", description="some description")

3.1.12 addSAML20SPFederationPartnerWithoutMetadata

The addSAML20SPFederationPartnerWithoutMetadata command is an online command that creates a SAML20 SP federation partner without SAML 2.0 metadata.

Description

Creates a SAML20 SP federation partner without loading SAML 2.0 metadata.

Syntax

addSAML20SPFederationPartnerWithoutMetadata(partnerName,
providerID, ssoURL, description)
Argument Definition
partnerName 

The name of the federation partner to be created.

providerID 

The providerID of the partner.

ssoURL 

The initiate SSO URL of the IdP.

description 

The description of the partner. Optional.

Example

addSAML20SPFederationPartnerWithoutMetadata(partnerName="partnerName",
 providerID="http://host:port", ssoURL="http://host:port/saml/sso",
 description="somedescription")

3.1.13 configureIdPPartnerAttributeProfile

The configureIdPPartnerAttributeProfile command is an online command that configures an IdP partner attribute profile to process incoming attributes.

Description

Configures an IdP partner attribute profile to process or ignore incoming attributes not defined in the profile.

Syntax

configureIdPPartnerAttributeProfile(attrProfileID, ignoreUnmappedAttributes)
Argument Definition
attrProfileID 

The identifier referencing the IdP partner attribute profile to configure.

ignoreUnmappedAttributes  

Determines whether incoming attributes that are not defined in the profile should be ignored.

Valid values are true (ignore) or false (process, the default).

Example

configureIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile", 
ignoreUnmappedAttributes="false")

3.1.14 configureSAML20Logout

The configureSAML20Logout command is an online command that configures global federation logout for a SAML 2.0 partner.

Description

Configures global federation logout for a SAML 2.0 federation partner.

Syntax

configureSAML20Logout(partnerName, partnerType, enable,
saml20LogoutRequestURL, saml20LogoutResponseURL, soapURL)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

Whether the partner is a service provider or identity provider.

Valid values are sp, idp.

enable  

Enable or disable global logout for that partner.

Valid values are true (enable) or false (disable).

saml20LogoutRequestURL  

The SAML 2.0 logout request service URL.

Optional if the partner was created using metadata, or if logout is disabled.

saml20LogoutResponseURL  

The SAML 2.0 logout response service URL.

This is optional if the partner was created using metadata, or if logout is disabled.

soapURL  

The SAML 2.0 SOAP Service URL. This is optional if the partner was created using metadata, if logout is disabled, or if SOAP logout is not supported.

Example

configureSAML20Logout(partnerName="partnerID", partnerType="sp", enable="true",
saml20LogoutRequestURL="http://host:port/saml/logoutrequest",
saml20LogoutResponseURL="http://host:port/saml/logoutresponse",
soapURL="http://host:port/saml/soap")
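The WithoutMetadata command in Section 3.1.11 and configureSAML20Logout above take endpoint values that a partner's SAML 2.0 metadata already carries, and an administrator should review those endpoints and the signing certificate before the partner is trusted. The following script is an added example, not part of this documentation or of the Oracle product: using only the Python standard library it parses a constructed IdP metadata document, extracts providerID, ssoURL, soapURL and the logout URLs, fingerprints the signing certificate for an out-of-band comparison with the partner, and renders the key-value WLST calls. Assumptions: the partner name idpPartner1, the example.com endpoints and the certificate bytes are made up, and succinctID is derived as the base64 SHA-1 of the provider ID (the SAML 2.0 artifact SourceID convention), which should be confirmed against the partner's own value.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # partner metadata is untrusted input

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample metadata: hosts, paths and certificate bytes are made up.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAECAwQFBgcICQoLDA0ODw==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/saml/soap" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"
        ResponseLocation="https://idp.example.com/saml/slo-response"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(idp, tag, binding, attr="Location"):
    """First endpoint of type `tag` that advertises `binding`, or None."""
    for ep in idp.findall("md:" + tag, NS):
        if ep.get("Binding") == binding:
            return ep.get(attr)
    return None


def parse_idp_metadata(xml_text):
    """Values the WLST commands need; rejects metadata that lacks an
    IDPSSODescriptor, an SSO endpoint or a signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    entity_id = root.get("entityID")
    sso = (_endpoint(idp, "SingleSignOnService", REDIRECT)
           or _endpoint(idp, "SingleSignOnService", POST))
    if not entity_id or not sso:
        raise ValueError("entityID and a SingleSignOnService are required")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means both uses
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_b64 = "".join(el.text.split())
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate: assertions could not be verified")
    der = base64.b64decode(cert_b64, validate=True)
    # Assumption: succinctID is the base64 SHA-1 of the provider ID (the
    # SAML 2.0 artifact SourceID convention); confirm with the partner.
    succinct = base64.b64encode(hashlib.sha1(entity_id.encode()).digest())
    return {
        "providerID": entity_id,
        "ssoURL": sso,
        "soapURL": _endpoint(idp, "ArtifactResolutionService", SOAP),
        "succinctID": succinct.decode(),
        "logoutRequestURL": _endpoint(idp, "SingleLogoutService", REDIRECT),
        "logoutResponseURL": _endpoint(idp, "SingleLogoutService", REDIRECT,
                                       "ResponseLocation"),
        # Compare this with the partner out of band before trusting the key.
        "signingCertSHA256": hashlib.sha256(der).hexdigest(),
    }


def wlst_commands(partner_name, info):
    """Key-value WLST calls from this chapter; configureSAML20Logout is
    emitted only when the metadata advertises a SingleLogoutService."""
    def kv(**args):
        return ", ".join('%s="%s"' % (k, v) for k, v in args.items()
                         if v is not None)
    cmds = ["addSAML20IdPFederationPartnerWithoutMetadata(%s)" % kv(
        partnerName=partner_name, providerID=info["providerID"],
        ssoURL=info["ssoURL"], soapURL=info["soapURL"],
        succinctID=info["succinctID"])]
    if info["logoutRequestURL"]:
        cmds.append("configureSAML20Logout(%s)" % kv(
            partnerName=partner_name, partnerType="idp", enable="true",
            saml20LogoutRequestURL=info["logoutRequestURL"],
            # SAML sends responses to Location when ResponseLocation is absent
            saml20LogoutResponseURL=(info["logoutResponseURL"]
                                     or info["logoutRequestURL"]),
            soapURL=info["soapURL"]))
    return cmds


if __name__ == "__main__":
    for line in wlst_commands("idpPartner1", parse_idp_metadata(SAMPLE_METADATA)):
        print(line)
```

The rendered lines can be pasted into an online WLST session after the endpoints and the certificate fingerprint have been confirmed with the partner.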

3.1.15 configureSAMLBinding

The configureSAMLBinding command is an online command that specifies the binding for a SAML partner.

Description

Configures the preferred binding for a SAML Partner.

Syntax

configureSAMLBinding(partnerName, partnerType, binding, ssoResponseBinding="httppost")
Argument Definition
partnerName 

The name of the partner to be configured.

partnerType 

Indicates whether the partner is a service provider or an identity provider. Valid values are sp, idp.

binding

Specifies the binding to use for messages other than SSO responses (authentication requests, logout messages). Valid options are httppost for HTTP-POST binding and httpredirect for HTTP-Redirect binding.

ssoResponseBinding

This optional attribute defines the binding to use for an SSO response. Valid options are httppost for HTTP-POST binding (the default value), httpredirect for HTTP-Redirect binding or artifact for Artifact binding.

Example

configureSAMLBinding(partnerName="partnerID", 
partnerType="sp", binding="httpredirect", ssoResponseBinding="httppost")

3.1.16 configureUserSelfRegistration

The configureUserSelfRegistration command is an online command that enables the user self-registration module.

Description

Enables the user self-registration module.

Syntax

configureUserSelfRegistration(<enabled>, <registrationURL>, 
 <regDataRetrievalAuthnEnabled>, <regDataRetrievalAuthnUsername>, 
 <regDataRetrievalAuthnPassword>, <partnerName>) 
Argument Definition
enabled

Indicates if the user self-registration module is enabled. Takes a value of true or false.

registrationURL

The location to which the user will be redirected for self-registration. If partnerName is not specified, and if registrationURL is empty or missing, the current property will be unchanged. If partnerName is specified, and if registrationURL is empty or missing, this property will be removed from the partner's configuration.

regDataRetrievalAuthnEnabled

Indicates if authentication of the registration page is enabled when contacting the server to retrieve registration data.

regDataRetrievalAuthnUsername

Specifies the username the registration page will send to the server when retrieving the registration data from the server.

regDataRetrievalAuthnPassword

Specifies the password the registration page will send to the server when retrieving the registration data from the server.

partnerName

Indicates the IdP partner for which to enable user self-registration. If missing, the configuration operation will be global.

Example

configureUserSelfRegistration("true", regDataRetrievalAuthnEnabled="true", 
 regDataRetrievalAuthnUsername="username", 
 regDataRetrievalAuthnPassword="password")

3.1.17 configureUserSelfRegistrationAttr

The configureUserSelfRegistrationAttr command is an online command that sets the attributes in an assertion that will be used as email, first name, last name, and username.

Description

Sets the attributes in an assertion that will be used as email, first name, last name and username.

Syntax

configureUserSelfRegistrationAttr(<registrationAttrName>, <assertionAttrNames>, 
 <partnerName>) 
Argument Definition
registrationAttrName

The self-registration page attribute to set. Can be one of the following values: email, firstname, lastname or username.

assertionAttrNames

The possible attributes from the assertion that can be used to populate the self-registration page field specified as the registrationAttrName.

partnerName

Indicates the IdP partner for which to configure user self-registration. If missing, the configuration operation will be global.

Example

configureUserSelfRegistrationAttr("email", "mail,fed.nameidvalue") 

The second parameter means that either mail or fed.nameidvalue from the assertion can be used to populate the email attribute in the user's self-registration page.

3.1.18 createAuthnSchemeAndModule

The createAuthnSchemeAndModule command is an online command that creates an authentication scheme that uses an OpenID IdP.

Description

Creates an authentication scheme that uses an OpenID IdP to protect resources in Access Manager.

Syntax

createAuthnSchemeAndModule(partnerName)
Argument Definition
partnerName

The name of the partner for whom the scheme is to be created.

Example

createAuthnSchemeAndModule("testpartner")

3.1.19 createIdPPartnerAttributeProfile

The createIdPPartnerAttributeProfile command is an online command that creates an IdP attribute profile. This will contain name mapping rules used to process attributes in incoming SAML assertions.

Description

Creates an IdP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions.

Syntax

createIdPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID

The identifier of the IdP attribute profile.

Example

createIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

3.1.20 createSPPartnerAttributeProfile

The createSPPartnerAttributeProfile command is an online command that creates an SP attribute profile. This will contain name mapping rules used to process attributes in incoming SAML Assertions.

Description

Creates an SP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions.

Syntax

createSPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID

The identifier of the SP attribute profile.

Example

createSPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")

3.1.21 deleteAuthnSchemeAndModule

The deleteAuthnSchemeAndModule command is an online command that deletes an authentication scheme for an IdP partner.

Description

Deletes an authentication scheme for an IdP partner.

Syntax

deleteAuthnSchemeAndModule(partnerName)
Argument Definition
partnerName

The name of the partner whose scheme is to be deleted.

Example

deleteAuthnSchemeAndModule("testpartner")

3.1.22 deleteFederationPartner

The deleteFederationPartner command is an online command that deletes a federation partner from Access Manager.

Description

Deletes a federation partner from Access Manager.

Syntax

deleteFederationPartner(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner to be deleted.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

Example

deleteFederationPartner(partnerName="partnerID", partnerType="idp")

3.1.23 deleteFederationPartnerEncryptionCert

The deleteFederationPartnerEncryptionCert command is an online command that deletes the encryption certificate of a federation partner.

Description

Deletes the encryption certificate of a federation partner.

Syntax

deleteFederationPartnerEncryptionCert(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner whose encryption certificate is to be deleted.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

Example

deleteFederationPartnerEncryptionCert(partnerName="customPartner", partnerType="idp")

3.1.24 deleteFederationPartnerSigningCert

The deleteFederationPartnerSigningCert command is an online command that deletes the signing certificate of a federation partner.

Description

Deletes the signing certificate of a federation partner.

Syntax

deleteFederationPartnerSigningCert(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner whose signing certificate is to be deleted.

partnerType 

Specifies whether the partner is a service provider or identity provider.

Valid values are sp, idp.

Example

deleteFederationPartnerSigningCert(partnerName="customPartner", partnerType="idp")

3.1.25 deleteIdPPartnerAttributeProfile

The deleteIdPPartnerAttributeProfile command is an online command that deletes an IdP partner attribute profile.

Description

Deletes an IdP partner attribute profile.

Syntax

deleteIdPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID 

The identifier referencing the IdP partner attribute profile.

Example

deleteIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

3.1.26 deleteSPPartnerAttributeProfile

The deleteSPPartnerAttributeProfile command is an online command that deletes an SP partner attribute profile.

Description

Deletes an SP partner attribute profile.

Syntax

deleteSPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID 

The identifier referencing the SP partner attribute profile.

Example

deleteSPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")

3.1.27 deleteIdPPartnerAttributeProfileEntry

The deleteIdPPartnerAttributeProfileEntry command is an online command that deletes an entry from the IdP partner attribute profile.

Description

Deletes an attribute from the attribute profile.

Syntax

deleteIdPPartnerAttributeProfileEntry(attrProfileID,
messageAttributeName)
Argument Definition
attrProfileID 

The identifier referencing the IdP partner attribute profile.

messageAttributeName

The name of the attribute to delete, as it appears in the outgoing message.

Example

deleteIdPPartnerAttributeProfileEntry(attrProfileID="idp-attribute-profile", 
messageAttributeName="first_name")

3.1.28 deleteSPPartnerAttributeProfileEntry

The deleteSPPartnerAttributeProfileEntry command is an online command that deletes an entry from the SP Partner attribute profile.

Description

Deletes an attribute from the attribute profile.

Syntax

deleteSPPartnerAttributeProfileEntry(attrProfileID,
 messageAttributeName)
Argument Definition
attrProfileID 

The identifier referencing the SP partner attribute profile.

messageAttributeName

The name of the attribute to delete, as it appears in the outgoing message.

Example

deleteSPPartnerAttributeProfileEntry(attrProfileID="sp-attribute-profile", 
 messageAttributeName="first_name") 

3.1.29 deletePartnerProperty

The deletePartnerProperty command is an online command that deletes a partner-specific property.

Description

Deletes a partner-specific property. Use this command only for a property that was added to the partner's configuration.

See Advanced Identity Federation Commands for information regarding SAML 1.1.

Syntax

deletePartnerProperty(partnerName, partnerType, propName)
Argument Definition
partnerName 

The ID of the partner to be updated.

If you replace the value of <partnerName> with the partner ID and include the includecertinsignature parameter, the certificate is included with the signature. See Advanced Identity Federation Commands for information regarding SAML 1.1.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

propName 

The name of the configured property to be removed.

Example

deletePartnerProperty(partnerName="partner1025", partnerType="sp/idp", propName="includecertinsignature")

3.1.30 displayIdPPartnerAttributeProfile

The displayIdPPartnerAttributeProfile command is an online command that displays a partner attribute profile.

Description

Display the content of an IdP Partner Attribute Profile.

Syntax

displayIdPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID 

The identifier referencing the IdP partner attribute profile to be displayed.

Example

displayIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

3.1.31 displaySPPartnerAttributeProfile

The displaySPPartnerAttributeProfile command is an online command that displays an SP partner attribute profile.

Description

Display the content of an SP Partner Attribute Profile.

Syntax

displaySPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID 

The identifier referencing the SP partner attribute profile to be displayed.

Example

displaySPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")

3.1.32 getAllFederationIdentityProviders

The getAllFederationIdentityProviders command is an online command that lists all federation identity providers.

Description

Displays a list of all federation identity providers for Access Manager.

Syntax

getAllFederationIdentityProviders()

Example

getAllFederationIdentityProviders()

3.1.33 getAllFederationServiceProviders

The getAllFederationServiceProviders command is an online command that lists all federation service providers.

Description

Displays a list of all federation service providers for Access Manager.

Syntax

getAllFederationServiceProviders()

Example

getAllFederationServiceProviders()

3.1.34 getFederationPartnerEncryptionCert

The getFederationPartnerEncryptionCert command is an online command that retrieves the encryption certificate for a partner.

Description

Retrieves the encryption certificate for a federation partner.

Syntax

getFederationPartnerEncryptionCert(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner for which the encryption certificate will be retrieved.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

Example

getFederationPartnerEncryptionCert(partnerName="customPartner", partnerType="idp")

3.1.35 getFederationPartnerSigningCert

The getFederationPartnerSigningCert command is an online command that retrieves the signing certificate for a partner.

Description

Retrieves the signing certificate for a federation partner.

Syntax

getFederationPartnerSigningCert(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner for which the signing certificate will be retrieved.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

Example

getFederationPartnerSigningCert(partnerName="partnerID1", partnerType="idp")

3.1.36 getIdPPartnerBasicAuthCredentialUsername

The getIdPPartnerBasicAuthCredentialUsername command is an online command that gets a partner's basic authentication username.

Description

Retrieves the HTTP basic authentication username for a federation partner.

Syntax

getIdPPartnerBasicAuthCredentialUsername(partnerName)
Argument Definition
partnerName 

The ID of the partner for which the username will be retrieved and displayed.

Example

getIdPPartnerBasicAuthCredentialUsername(partnerName="partnerID5")

3.1.37 getPartnerProperty

The getPartnerProperty command is an online command that retrieves a partner property.

Description

Retrieves a property for a federation partner.

Syntax

getPartnerProperty(partnerName, partnerType, propName)
Argument Definition
partnerName 

The ID of the partner for which the property will be retrieved.

By replacing the value of <partnerName> with the partner ID and including the includecertinsignature parameter, the certificate will be included with the signature. See Advanced Identity Federation Commands for information regarding SAML 1.1.

partnerType 

Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp.

propName 

The name of the property to retrieve.

Example

getPartnerProperty(partnerName="partnerID4", partnerType="sp", 
 propName="providertrusted")

3.1.38 getStringProperty

The getStringProperty command is an online command that retrieves a string property for a federation partner profile.

Description

Retrieves a string property for a federation partner profile.

If a Partner does not have an Attribute Profile assigned to it, the default Attribute Profile (based on whether the partner is an IdP or SP) will be used. The defaultattributeprofileidp and defaultattributeprofilesp properties in the fedserverconfig file reference the default profiles.

Syntax

getStringProperty("/fedserverconfig/<propertyName>")
Argument Definition
propertyName 

The name of the property to be retrieved.

Default Partner Profiles are available after installation and the following properties reference them. Default property values can be retrieved by replacing propertyName with one of the following:

  • defaultpartnerprofileidpsaml20: default Partner Profile for SAML 2.0 IdP Partners

  • defaultpartnerprofilespsaml20: default Partner Profile for SAML 2.0 SP Partners

  • defaultpartnerprofileidpsaml11: default Partner Profile for SAML 1.1 IdP Partners

  • defaultpartnerprofilespsaml11: default Partner Profile for SAML 1.1 SP Partners

  • defaultpartnerprofileidpopenid20: default Partner Profile for OpenID 2.0 IdP Partners

  • defaultpartnerprofilespopenid20: default Partner Profile for OpenID 2.0 SP Partners

  • defaultattributeprofileidp: default Attribute Profile for IdP Partners

  • defaultattributeprofilesp: default Attribute Profile for SP Partners

Example

getStringProperty("/fedserverconfig/defaultpartnerprofileidpopenid20")

3.1.39 isFederationPartnerPresent

The isFederationPartnerPresent command is an online command that verifies if the partner is configured in Access Manager.

Description

Checks whether the specified federation partner is defined in Access Manager.

Syntax

isFederationPartnerPresent(partnerName, partnerType)
Argument Definition
partnerName 

The partner ID.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

Example

isFederationPartnerPresent(partnerName="partnerABC", partnerType="sp")

3.1.40 listIdPPartnerAttributeProfileIDs

The listIdPPartnerAttributeProfileIDs command is an online command that lists the IdP partner attribute profiles.

Description

List the identifiers of the existing IdP Partner Attribute Profiles.

Syntax

listIdPPartnerAttributeProfileIDs()

Example

listIdPPartnerAttributeProfileIDs()

3.1.41 listSPPartnerAttributeProfileIDs

The listSPPartnerAttributeProfileIDs command is an online command that lists the SP partner attribute profiles.

Description

List the identifiers of the existing SP Partner Attribute Profiles.

Syntax

listSPPartnerAttributeProfileIDs()

Example

listSPPartnerAttributeProfileIDs()

3.1.42 putStringProperty

The putStringProperty command is an online command that puts a string value under a designated path in the OSTS configuration.

Description

Puts a string value under a designated path in the OSTS configuration.

Syntax

putStringProperty(path="/validationtemplates/username-wss-validation-template/StringNAME",value="TestString")
Argument Definition
path

Path inside the configuration where the String property will be put.

value 

The string.

Example

putStringProperty("/spglobal/defaultssoidp", "testpartner")

3.1.43 setDefaultSSOIdPPartner

The setDefaultSSOIdPPartner command is an online command that sets the IdP partner to serve as the default IdP for federated single sign-on (SSO).

Description

Sets the IdP partner that serves as the default IdP during federated SSO when the federation authentication plugin does not select one at run time.

Syntax

setDefaultSSOIdPPartner(partnerName)
Argument Definition
partnerName 

ID of the partner which will serve as the default IdP for federated SSO.

Example

setDefaultSSOIdPPartner(partnerName="partner25")

3.1.44 setFederationPartnerEncryptionCert

The setFederationPartnerEncryptionCert command is an online command that sets the encryption certificate for a partner.

Description

Sets the encryption certificate for a federation partner.

Syntax

setFederationPartnerEncryptionCert(partnerName,partnerType,certFile)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType

The partner type. Valid values are idp, sp.

certFile

The full path and name of file that stores the encryption certificate. Certificates can be in either PEM or DER format.

Example

setFederationPartnerEncryptionCert(partnerName="customPartner", partnerType="idp",
 certFile="/temp/encryption_cert")

3.1.45 setFederationPartnerSigningCert

The setFederationPartnerSigningCert command is an online command that sets the signing certificate for a federation partner.

Description

Sets the signing certificate for a federation partner.

Syntax

setFederationPartnerSigningCert(partnerName,partnerType,certFile)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType

The partner type. Valid values are idp, sp.

certFile

Specifies the full path and name of file that stores the signing certificate. Certificates can be in either PEM or DER format.

Example

setFederationPartnerSigningCert(partnerName="customPartner", partnerType="idp",
 certFile="/temp/signing_cert")

3.1.46 setIdPPartnerAttributeProfile

The setIdPPartnerAttributeProfile command is an online command that sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.

Description

Sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.

Syntax

setIdPPartnerAttributeProfile(partnerName, attrProfileID)
Argument Definition
partnerName 

The ID of the partner to be updated.

attrProfileID 

The IdP partner attribute profile ID to be set.

Example

setIdPPartnerAttributeProfile(partnerName="partnerID5", attrProfileID="idp-attribute-profile")

3.1.47 setIdPDefaultScheme

The setIdPDefaultScheme command is an online command that sets the default OAM Authentication Scheme to be used to challenge a user.

Description

Sets the default OAM Authentication Scheme that will be used to challenge a user.

Syntax

setIdPDefaultScheme(authnScheme, appDomain, hostID, 
 authzPolicy="ProtectedResourcePolicy")
Argument Definition
authnScheme 

The OAM Authentication Scheme.

appDomain 

Optional. The application domain in which the underlying policy components will be created.

hostID 

Optional. The HostID to be used when creating the underlying resource policy object.

authzPolicy 

Optional. The name of the Authorization Policy to be used to protect the underlying resource policy object being created.

Example

setIdPDefaultScheme('LDAPScheme')

Prepend the command with "fed." if running on the WebSphere platform.

3.1.48 setSPPartnerAttributeProfile

The setSPPartnerAttributeProfile command is an online command that sets an SP partner attribute profile to an SP partner.

Description

Sets the SP partner attribute profile to use with an SP partner.

Syntax

setSPPartnerAttributeProfile(partnerName, attrProfileID)
Argument Definition
partnerName 

The ID of the partner to be updated.

attrProfileID 

The ID of the SP partner attribute profile to be set.

Example

setSPPartnerAttributeProfile(partnerName="partnerID5", attrProfileID="sp-attribute-profile")

3.1.49 setIdPPartnerAttributeProfileEntry

The setIdPPartnerAttributeProfileEntry command is an online command that sets an entry in an IdP partner attribute profile.

Description

Update an entry in the IdP Partner Attribute Profile.

Syntax

setIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName,
oamSessionAttributeName, requestFromIdP)
Argument Definition
attrProfileID 

The IdP partner attribute profile.

messageAttributeName

The name of the message attribute.

oamSessionAttributeName

The name of the attribute as it will appear in the Access Manager session.

requestFromIdP 

Determines whether this attribute should be requested from the IdP partner.

Valid values are true, false.

Example

setIdPPartnerAttributeProfileEntry(attrProfileID="idp-attribute-profile", messageAttributeName="first_name",
oamSessionAttributeName="first_name", requestFromIdP="true")

3.1.50 setSPPartnerAttributeProfileEntry

The setSPPartnerAttributeProfileEntry command is an online command that sets an entry in an SP partner attribute profile.

Description

Sets an entry in the SP Partner Attribute Profile.

Syntax

setSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName,
value, alwaysSend)
Argument Definition
attrProfileID 

The identifier referencing the SP Partner Attribute Profile in which the entry will be set.

messageAttributeName

The name of the attribute as it will appear in the outgoing message.

value

Value of the attribute element. It can be a static string, user attribute, session attribute or a combination of those types.

alwaysSend 

Signifies whether or not this attribute should always be sent to the SP Partner. Valid values are true, false. If false it will only be sent if the SP Partner requests it (OpenID supports this).

Example

setSPPartnerAttributeProfileEntry(attrProfileID="sp-attribute-profile", 
 messageAttributeName="first_name", value="$user.attr.givenname", 
 alwaysSend="true")

3.1.51 setIdPPartnerBasicAuthCredential

The setIdPPartnerBasicAuthCredential command is an online command that sets a partner's basic authentication credentials.

Description

Sets or updates a federation partner's HTTP basic authentication credentials.

Syntax

setIdPPartnerBasicAuthCredential(partnerName,username,password)
Argument Definition
partnerName 

The ID of the partner to be updated.

username

The user ID of the user.

password 

The password corresponding to the username.

Example

setIdPPartnerBasicAuthCredential(partnerName="partnerID4", username="user1", password="<password>")

3.1.52 setIdPPartnerMappingAttribute

The setIdPPartnerMappingAttribute command is an online command that sets a partner's assertion mapping attribute.

Description

Specify that an attribute from the OpenID assertion received from the IdP be mapped to a given data store attribute in order to identify the user.

Syntax

setIdPPartnerMappingAttribute(partnerName,assertionAttr,userstoreAttr)
Argument Definition
partnerName 

The ID of the partner to be updated.

assertionAttr 

The attribute name in the assertion used to map the user to the identity store.

userstoreAttr 

The name of the attribute in the identity store to which to map the assertion attribute value.

Example

setIdPPartnerMappingAttribute(partnerName="partnerID", 
assertionAttr="email", userstoreAttr="mail")

3.1.53 setIdPPartnerMappingAttributeQuery

The setIdPPartnerMappingAttributeQuery command is an online command that configures the attribute query a partner uses to map an assertion to a user.

Description

Sets or updates a partner to specify the attribute query to map an assertion to the user store.

Syntax

setIdPPartnerMappingAttributeQuery(partnerName,attrQuery)
Argument Definition
partnerName 

The ID of the partner to be updated.

attrQuery 

The attribute query to be used. The LDAP query can contain placeholders referencing the attributes in the SAML Assertion, as well as the NameID. An attribute from the SAML Assertion will be referenced by its name and surrounded by the % character; for example, if the attribute name is Userlastname, the attribute will be referenced as %Userlastname%. The NameID Value is referenced as %fed.nameidvalue%.

Example

setIdPPartnerMappingAttributeQuery(partnerName="partnerID", 
attrQuery="(&(sn=%Userlastname%)(givenname=%Userfirstname%))")
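How the %Name% placeholders in attrQuery are expanded, as an added illustration (not Identity Federation's own code): the query and the assertion attributes below are constructed, and the RFC 4515 escaping of the substituted values is an addition, since assertion attribute values arrive from the IdP rather than from the administrator.

```python
import re

# Constructed sample inputs: the attribute query from the example above and
# attributes taken from an assertion received from the IdP (values made up).
ATTR_QUERY = "(&(sn=%Userlastname%)(givenname=%Userfirstname%))"
ASSERTION_ATTRS = {"Userlastname": "Doe", "Userfirstname": "Jane"}
NAME_ID_VALUE = "jane.doe@example.com"

# RFC 4515 escaping for values inserted into an LDAP search filter. The
# assertion values are supplied by the remote IdP, so they are treated as
# untrusted text, not as filter syntax.
_LDAP_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# %Userlastname%, %fed.nameidvalue%, ... (letters, digits, '_' and '.')
_PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.]+)%")


def escape_ldap_value(value):
    """Escape one attribute value for use inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def resolve_attr_query(attr_query, assertion_attrs, name_id_value):
    """Expand the placeholders of an attrQuery template.

    %fed.nameidvalue% is replaced by the assertion NameID value; any other
    %Name% is replaced by the assertion attribute of that name. A placeholder
    whose attribute is absent from the assertion raises KeyError, because the
    user cannot be mapped without it.
    """
    def substitute(match):
        name = match.group(1)
        if name == "fed.nameidvalue":
            raw = name_id_value
        else:
            raw = assertion_attrs[name]
        return escape_ldap_value(raw)

    return _PLACEHOLDER.sub(substitute, attr_query)


if __name__ == "__main__":
    print(resolve_attr_query(ATTR_QUERY, ASSERTION_ATTRS, NAME_ID_VALUE))
    # A NameID containing filter metacharacters is escaped, not interpreted.
    print(resolve_attr_query("(mail=%fed.nameidvalue%)", {}, "*)(uid=*"))
```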

3.1.54 setIdPPartnerMappingNameID

The setIdPPartnerMappingNameID command is an online command that sets the assertion mapping nameID value for an IdP federation partner.

Description

Sets the assertion mapping nameID value for an IdP federation partner.

Syntax

setIdPPartnerMappingNameID(partnerName,userstoreAttr)
Argument Definition
partnerName 

The ID of the partner to be updated.

userstoreAttr 

The attribute name in the identity store to which the assertion nameID is to be mapped.

Example

setIdPPartnerMappingNameID(partnerName="partnerID", userstoreAttr="ldapattr")

3.1.55 setPartnerAlias

The setPartnerAlias command is an online command that sets a federation partner's alias.

Description

Sets or updates a federation partner's alias.

Syntax

setPartnerAlias(partnerName,partnerType,partnerAlias)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

Specifies the partner type. Valid values are sp or idp.

partnerAlias

The partner's alias.

Example

setPartnerAlias(partnerName="partnerID", 
partnerType="sp", partnerAlias="tenant1")

3.1.56 setPartnerIDStoreAndBaseDN

The setPartnerIDStoreAndBaseDN command is an online command that sets a partner's identity store and base DN of a federation partner.

Description

Sets or updates the identity store and base DN of a federation partner.

Syntax

setPartnerIDStoreAndBaseDN(partnerName,partnerType,storeName,searchBaseDN)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

The partner type. Valid values are sp or idp.

storeName  

The name of the identity store. If left blank, the Default OAM Identity Store will be used. (Optional)

searchBaseDN  

The search base DN for the LDAP. If left blank, the Search Base DN configured in the Identity Store will be used. (Optional)

Example

setPartnerIDStoreAndBaseDN(partnerName="partnerID", 
 partnerType="sp", storeName="testldap",
 searchBaseDN="dc=company,dc=com")

3.1.57 setSPSAMLPartnerNameID

The setSPSAMLPartnerNameID command is an online command that updates a partner by setting the NameID during assertion issuance.

Description

Sets the NameID for a SAML partner.

Syntax

setSPSAMLPartnerNameID(<partnerName>, <nameIDFormat>, <nameIDValue>) 
Argument Definition
partnerName

The name of the partner to be configured.

nameIDFormat 

The NameID format to be used. Possible values include:

  • orafed-emailaddress for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • orafed-x509 for urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • orafed-kerberos for urn:oasis:names:tc:SAML:2.0:nameid-format:Kerberos

  • orafed-transient for urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • orafed-windowsnamequalifier for urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • orafed-persistent for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • orafed-unspecified for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • orafed-none for no NameID

  • If the format is set to any other value, the Assertion will be populated with that value.

nameIDValue

Value of the NameID element. It can be a static string, user attribute, session attribute or a combination of those types.

Example

setSPSAMLPartnerNameID(partnerName="partnerID", nameIDFormat="emailAddress", 
 nameIDValue="$user.attr.mail")

3.1.58 setSPPartnerAlternateScheme

The setSPPartnerAlternateScheme command is an online command that provides a way to authenticate clients with an alternate Authentication Scheme.

Description

Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for this Partner.

Syntax

setSPPartnerAlternateScheme(<partner>, <enabled="true">, <httpHeaderName="">, 
 <httpHeaderExpression="">, <authnScheme="">, <appDomain="IAM Suite">, 
 <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">, 
 <remove="false">)
Argument Definition
partner

The ID of the partner.

enabled 

Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client.

httpHeaderName 

Required if enabled is true. The HTTP Header to evaluate. IMPORTANT: This is a global setting and will affect all partners.

httpHeaderExpression 

Required if enabled is true. The regular expression used to evaluate the value of the HTTP Header.

authnScheme 

Required if enabled is true. The alternate Authentication Scheme to be used instead of the default.

appDomain

Optional. The application domain in which the underlying policy components will be created.

hostID

Optional. The HostID used when creating the underlying resource policy object.

authzPolicy

Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

remove

Optional. If set to true, removes the properties for the alternate scheme in the partner configuration.

Note:

Since this operation creates policy objects, the Application Domain (default "IAM Suite"), the HostID (default "IAMSuiteAgent") and the Authorization Policy (default "Protected Resource Policy") can be specified explicitly, although the default values can also be used.

Example

In this example, Identity Federation is configured to enable the alternate Authentication Scheme at the partner level for the SP partner Acme when the user's browser sends an HTTP "User-Agent" Header containing the string iPhone. The match triggers the BasicScheme for authentication rather than the default Authentication Scheme.

setSPPartnerAlternateScheme("acmeSP", "true", httpHeaderName="User-Agent", 
  httpHeaderExpression=".*iPhone.*", authnScheme="BasicScheme") 

3.1.59 setSPPartnerDefaultScheme

The setSPPartnerDefaultScheme command is an online command that defines the default Authentication Scheme for the SP partner.

Description

Defines the default Authentication Scheme for the SP partner.

Syntax

setSPPartnerDefaultScheme(<partner>, <authnScheme="">, <appDomain="IAM Suite">, 
 <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument Definition
partner

The ID of the partner.

authnScheme 

The OAM Authentication Scheme to be used.

appDomain

Optional. The application domain in which the underlying policy components will be created.

hostID

Optional. The HostID used when creating the underlying resource policy object.

authzPolicy

Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

Example

setSPPartnerDefaultScheme(partner="acmeSP",
 authnScheme="BasicScheme")

3.1.60 setSPPartnerProfileAlternateScheme

The setSPPartnerProfileAlternateScheme command is an online command that provides a way to authenticate clients with an alternate Authentication Scheme.

Description

Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for partners assigned to this Partner Profile.

Syntax

setSPPartnerProfileAlternateScheme(<partnerProfile>, 
 <enabled="true">, <httpHeaderName="">, <httpHeaderExpression="">, 
 <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, 
 <authzPolicy="Protected Resource Policy">, <remove="false">) 
Argument Definition
partnerProfile

The ID of the partner profile.

enabled 

Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client.

httpHeaderName 

Required if enabled is true. The HTTP Header to evaluate. IMPORTANT: This is a global setting and will affect all partners.

httpHeaderExpression 

Required if enabled is true. The regular expression used to evaluate the value of the HTTP Header.

authnScheme 

Required if enabled is true. The alternate Authentication Scheme to be used instead of the default.

appDomain

Optional. The application domain in which the underlying policy components will be created.

hostID

Optional. The HostID used when creating the underlying resource policy object.

authzPolicy

Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

Note:

Since this operation creates policy objects, the Application Domain (default "IAM Suite"), the HostID (default "IAMSuiteAgent") and the Authorization Policy (default "Protected Resource Policy") can be specified explicitly, although the default values can also be used.

Example

setSPPartnerProfileAlternateScheme("acmeSP", "true", 
 httpHeaderName="User-Agent", httpHeaderExpression=".*iPhone.*", 
 authnScheme="BasicScheme")

3.1.61 setSPPartnerProfileDefaultScheme

The setSPPartnerProfileDefaultScheme command is an online command that sets the default OAM authentication scheme to be used to challenge a user for a specific SP partner profile.

Description

Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile.

Syntax

setSPPartnerProfileDefaultScheme(<partnerProfile>, 
 <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, 
 <authzPolicy="Protected Resource Policy">) 
Argument Definition
partnerProfile

The ID of the partner profile.

authnScheme 

The OAM Authentication Scheme to be used.

appDomain

Optional. The application domain in which the underlying policy components will be created.

hostID

Optional. The HostID used when creating the underlying resource policy object.

authzPolicy

Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

Example

setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", 
 "LDAPScheme")
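How the default and alternate scheme settings of 3.1.58 through 3.1.61 combine when a user is challenged, as an added illustration (not Identity Federation's own code). The configuration dictionaries are constructed from the values used in the examples above; the assumptions are that partner-level settings take precedence over the partner profile, as the page states for scheme mappings, and that the httpHeaderExpression must match the whole header value.

```python
import re

# Constructed partner profile configuration, mirroring
# setSPPartnerProfileDefaultScheme / setSPPartnerProfileAlternateScheme.
PARTNER_PROFILE = {
    "defaultScheme": "LDAPScheme",
    "alternate": {"enabled": "false"},
}

# Constructed partner configuration, mirroring setSPPartnerDefaultScheme /
# setSPPartnerAlternateScheme. No default scheme is set at the partner level,
# so the partner profile's default applies when the alternate does not match.
PARTNER = {
    "defaultScheme": None,
    "alternate": {
        "enabled": "true",
        "httpHeaderName": "User-Agent",
        "httpHeaderExpression": ".*iPhone.*",
        "authnScheme": "BasicScheme",
    },
}


def _normalize_headers(headers):
    """HTTP header names are case-insensitive; compare them in lower case."""
    return {name.lower(): value for name, value in headers.items()}


def _alternate_scheme(cfg, headers):
    """Return the alternate scheme if it is enabled and its header matches."""
    alt = cfg.get("alternate") or {}
    if alt.get("enabled") != "true":
        return None
    value = headers.get(alt["httpHeaderName"].lower())
    if value is None:
        return None
    # Assumption: the expression is applied to the whole header value.
    # The header is chosen by the client, so the alternate scheme selected
    # here should be no weaker than the default it replaces.
    if re.fullmatch(alt["httpHeaderExpression"], value):
        return alt["authnScheme"]
    return None


def resolve_sp_scheme(partner, profile, headers):
    """Pick the Authentication Scheme used to challenge a user for an SP partner.

    Each level is consulted in turn: the partner first, then its partner
    profile. At a level, a matching alternate scheme wins over that level's
    default scheme; a level with neither defers to the next one.
    """
    norm = _normalize_headers(headers)
    for cfg in (partner, profile):
        alt = _alternate_scheme(cfg, norm)
        if alt:
            return alt
        if cfg.get("defaultScheme"):
            return cfg["defaultScheme"]
    return None


if __name__ == "__main__":
    iphone = {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)"}
    desktop = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
    print(resolve_sp_scheme(PARTNER, PARTNER_PROFILE, iphone))   # BasicScheme
    print(resolve_sp_scheme(PARTNER, PARTNER_PROFILE, desktop))  # LDAPScheme
```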

3.1.62 updatePartnerMetadata

The updatePartnerMetadata command is an online command that updates federation partner metadata.

Description

Updates the metadata for a federation partner.

Syntax

updatePartnerMetadata(partnerName,partnerType,metadataFile)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

Specifies the partner type. Valid values are sp or idp.

metadataFile 

The location of the metadata file. Specify the complete path and name.

Example

updatePartnerMetadata(partnerName="partnerID", 
partnerType="sp", metadataFile="/common/idm/abc_metadata_file")

3.1.63 updatePartnerProperty

The updatePartnerProperty command is an online command that updates a partner property.

Description

Configures or updates the specified property for a federation partner.

See Advanced Identity Federation Commands for information regarding SAML 1.1.

Syntax

updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument Definition
partnerName 

The ID of the partner to be updated.

By replacing the value of <partnerName> with the partner ID and including the includecertinsignature parameter, the certificate will be included with the signature. See Advanced Identity Federation Commands for information regarding SAML 1.1.

partnerType 

Specifies the partner type. Valid values are sp or idp.

propName 

The name of the property to configure.

propValue 

The property value to be set.

type

The data type of the property. Valid values are string, long, or boolean.

Example

updatePartnerProperty(partnerName="partnerID", partnerType="idp", 
propName="providertrusted",
propValue="true",type="boolean")

3.2 Advanced Identity Federation Commands

The Advanced Identity Federation WLST commands do not have applicable administrative fields for configuration in the Access Management console. Administration of Authentication mappings and partner profiles is available using WLST commands only. Table 3-2 lists the Advanced Identity Federation commands documented in this section. The commands are organized as follows.

  • Federation Service and Datastore

  • Federation Access Configuration

  • Attribute Sharing Configuration

  • Authentication Method Mapping Management - All Authentication Method/Scheme/Level mappings are configured using WLST at the partner level or, if not defined at the partner level, at the partner profile level.

  • Partner Profile Management - All Partner Profile management is done with WLST.

  • Using WLST with SAML 1.1

Note:

The Advanced Identity Federation command definitions begin with "configureFederationService."

Table 3-2 Advanced Identity Federation WLST Commands

Use this command... To... Use with WLST...

Federation Service and Datastore

configureFederationService

Enable or disable Federation Service features.

setFederationStore

Enables and configures the federation store.

Federation Access Configuration

configureIdPAuthnRequest

Configure an IdP partner or IdP partner profile for Force Authentication and/or IsPassive.

configureFedSSOAuthz

Enables or disables Authorization for Federation SSO.

configureFedDigitalSignature

Configure the Hashing algorithm used in digital signatures.

configureFedSignEncKey

Configure the signing and/or encryption key alias to be used for digital signature and encryption operations.

Attribute Sharing Configuration

configureAttributeSharingSPPartnerNameIDMapping

Configures the NameID to user store attribute mapping to be used during Attribute Sharing.

configureAttributeSharingIdPPartner

Configures the default attribute sharing nameid and nameid format for the IdP Partner.

configureAttributeSharingUserDNToIdPPartnerMapping

Configures Attribute Sharing DN to IdP Mappings.

configureAttributeSharing

Configures the Attribute Sharing feature by setting a default attribute authority.

removeAttributeSharingFromAuthnModule

Removes the Attribute Sharing plug-in from the Authentication Module.

configureAttributeSharingPlugin

Lists the Federated Authentication Method mappings for a specific Partner Profile.

insertAttributeSharingInToAuthnModule

Inserts the attribute sharing step into the Authentication Module flow.

Authentication Method Mapping Management

setSPPartnerAlternateScheme

Provides a way to authenticate clients with an alternate Authentication Scheme (Partner).

setSPPartnerDefaultScheme

Defines the default Authentication Scheme for the SP partner.

setSPPartnerProfileAlternateScheme

Provides a way to authenticate clients with an alternate Authentication Scheme (Partner Profile).

setSPPartnerProfileDefaultScheme

Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile.

addSPPartnerAuthnMethod

Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner.

addSPPartnerProfileAuthnMethod

Defines a mapping between a Federated Authentication Method to an Access Manager Authentication Scheme for a specific SP Partner Profile.

addIdPPartnerAuthnMethod

Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner.

addIdPPartnerProfileAuthnMethod

Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile.

listPartnerAuthnMethods

Lists the Federated Authentication Method mappings for a specific Partner.

listPartnerProfileAuthnMethods

Lists the Federated Authentication Method mappings for a specific Partner Profile.

removePartnerAuthnMethod

Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner.

removePartnerProfileAuthnMethod

Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner Profile.

setIdPPartnerRequestAuthnMethod

Sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner.

setIdPPartnerProfileRequestAuthnMethod

Sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner Profile.

useProxiedFedAuthnMethod

Configure the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO.

Partner Profile Management

createFedPartnerProfileFrom

Creates a Federation Partner Profile based on the specified existing one.

deleteFedPartnerProfile

Deletes the specified Federation Partner Profile.

displayFedPartnerProfile

Displays the properties defined in the specified Federation Partner Profile.

listFedPartnerProfiles

Lists all of the existing Federation Partner Profiles.

listFedPartnersForProfile

Lists the partners bound to the specified Federation Partner Profile.

getFedPartnerProfile

Gets the ID of the Partner Profile bound to the specified partner.

setFedPartnerProfile

Sets the Federation Partner Profile ID for the specified partner.

Using WLST with SAML 1.1

When an IdP partner is configured for SAML 1.1, the following URL is used by the SP to start the SSO process.

http://idphost:idpport/ssourl?TARGET=targeturl&providerid=http://spproviderid

By using these WLST commands, the URL can be populated with the applicable information.

Use this command... To... Use with WLST...

idpinitiatedssoprovideridparam

Value is used by the peer provider to identify the provider ID of the SP.

idpinitiatedssotargetparam

Sets the target URL for the specified SP partner.

The following SAML 1.1 configuration parameters are not exposed through the Oracle Access Management Console. The values of these parameters can be modified using WLST.

Use this command... To... Use with WLST...

deletePartnerProperty

Delete a partner property.

getPartnerProperty

Retrieve a partner property.

updatePartnerProperty

Update a partner property.

Subject Confirmation Check

subjectconfirmationcheck

Enables or Disables the subject confirmation data check in SAML assertion.

3.2.1 configureFederationService

The configureFederationService command enables or disables the Federation Service AttributeRequester or AttributeResponder.

Description

Enable or disable Federation Service features.

Syntax

configureFederationService(<serviceType>,<enabled>)  
Argument Definition
serviceType

Takes as a value IDP, SP, AttributeResponder or AttributeRequester.

enabled 

Takes as a value either true or false.

Example

configureFederationService("idp", "true")

configureFederationService("AttributeResponder", "true")

3.2.2 setFederationStore

The setFederationStore command enables and configures the federation store.

Description

This sets the JNDI name of the datastore to be used to store federation records and sets the store type to RDBMS.

Syntax

setFederationStore (<enable>, <jndiname>)
Argument Definition
enable

Enable or disable the Federation data store.

jndiname

Indicates the JNDI name of the datastore.

Example

setFederationStore(enable="true", jndiname="jdbc/oamds")

3.2.3 configureIdPAuthnRequest

The configureIdPAuthnRequest command configures an IdP partner or an IdP partner profile for Force Authentication and/or IsPassive.

Description

Configure an IdP partner or IdP partner profile for Force Authentication and/or IsPassive.

Syntax

configureIdPAuthnRequest(<partner="">, <partnerProfile="">, <partnerType="">, <isPassive="false">, <forceAuthn="false">, <displayOnly="false">, <delete="false">)
Argument Definition
partner

Indicates the IdP partner to be configured. partner and partnerProfile are exclusive, with one of the two required.

partnerProfile

Indicates the IdP partner profile to be configured. partner and partnerProfile are exclusive, with one of the two required.

partnerType

The type of partner (sp or idp).

isPassive

Indicates if the IdP partner or IdP partner profile should be configured, so that the Authn Request message sent to the IdP will indicate that the IdP should not interact with the user during Federation SSO. True indicates that the IdP should not interact with the user. Optional.

forceAuthn

Indicates if the IdP partner or IdP partner profile should be configured, so that the Authn Request message sent to the IdP will indicate that the IdP should challenge the user even if a valid session exists. True indicates that the user will be challenged. Optional.

displayOnly

Indicates whether or not this command should display the Is Passive and Force Authn settings. Default is false. Optional.

delete

Indicates whether or not this command should delete the Is Passive and Force Authn settings from the specified partner or partner profile. Default is false. Optional.

Example

configureIdPAuthnRequest(partner="acme", isPassive="false", forceAuthn="true")
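The isPassive and forceAuthn settings above end up as the IsPassive and ForceAuthn attributes of the SAML 2.0 AuthnRequest that the SP sends to the IdP partner. The following added example (not Oracle code, and not part of this reference) builds such a request from a partner settings dictionary shaped like the values the command stores, and parses one back to report the effective flags; the issuer and destination URLs and the settings dictionary are constructed for the illustration.

```python
"""Build and inspect a SAML 2.0 AuthnRequest carrying the ForceAuthn / IsPassive
flags that configureIdPAuthnRequest sets for an IdP partner.
Added example; partner settings, issuer and destination are constructed."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def _bool(value):
    """Normalise the string booleans WLST accepts ("true"/"false") to bool."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def build_authn_request(issuer, destination, partner_settings):
    """Return the AuthnRequest XML as a string. partner_settings mirrors the
    isPassive / forceAuthn values stored by configureIdPAuthnRequest."""
    force_authn = _bool(partner_settings.get("forceAuthn", "false"))
    is_passive = _bool(partner_settings.get("isPassive", "false"))
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    # Both attributes default to false in SAML 2.0 Core, so they are only
    # emitted when the partner configuration turns them on.
    if force_authn:
        root.set("ForceAuthn", "true")
    if is_passive:
        root.set("IsPassive", "true")
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def authn_request_flags(xml_text):
    """Parse an AuthnRequest and return the effective (ForceAuthn, IsPassive)
    pair, applying the SAML default of false when an attribute is absent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return (root.get("ForceAuthn", "false") == "true",
            root.get("IsPassive", "false") == "true")


# Constructed sample: the 'acme' IdP partner as configured in the example above.
ACME_SETTINGS = {"isPassive": "false", "forceAuthn": "true"}

if __name__ == "__main__":
    req = build_authn_request("https://sp.example.test/fed",
                              "https://idp.example.test/sso", ACME_SETTINGS)
    print(req)
    print(authn_request_flags(req))
```

Setting both flags to true is legal but rarely useful: SAML 2.0 Core (section 3.4.1) says an IdP receiving both must not freshly authenticate the user unless it can do so without user interaction, so the typical outcome is a NoPassive status rather than a re-authentication.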

3.2.4 configureFedSSOAuthz

The configureFedSSOAuthz command enables or disables Authorization for Federation SSO.

Description

Enables or disables Authorization for Federation SSO. By default, the authorization feature for Federation SSO will be turned off.

Syntax

configureFedSSOAuthz(enabled)
Argument Definition
enabled

Takes as a value true or false.

Example

configureFedSSOAuthz("true")

3.2.5 configureFedDigitalSignature

The configureFedDigitalSignature command configures the Hashing algorithm used in digital signatures.

Description

If the displayOnly and delete parameters are false, this command will set the algorithm.

Syntax

configureFedDigitalSignature(<partner="">, 
 <partnerProfile="">, <partnerType="">, <default="false">, 
 <algorithm="SHA-256">, <displayOnly="false">, <delete="false">)
Argument Definition
partner

Indicates the partner for which the digital signature hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.

partnerProfile 

Indicates the partner profile for which the digital signature hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.

partnerType 

Indicates the partner type for which the digital signature hashing algorithm is to be configured. Required when specifying partner or partnerProfile. Valid values are sp or idp.

default

Indicates that the global default digital signature hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.

algorithm

The hashing algorithm to use in digital signatures. Default is SHA-256. Optional.

displayOnly

Indicates whether or not this command should display the hashing algorithm. Default is false. Optional.

delete

Indicates whether or not this command should delete the hashing algorithm setting from the specified partner or partner profile. Default is false. Optional.

Example

configureFedDigitalSignature(default="true", 
 algorithm="SHA-256")
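The algorithm configured here shows up on the wire as the SignatureMethod and DigestMethod URIs inside the ds:Signature of the messages this server signs. The following added example (not Oracle code) parses a signed SAML fragment and reports any signature or digest method weaker than a required hash, which is a useful check when auditing what a partner actually sends after a change to this setting. The signed assertion is constructed (its signature value is a dummy and is not verified); the algorithm URIs are the standard XML-DSig identifiers.

```python
"""Report the hashing algorithms used by the XML signature of a SAML message,
and flag anything below a required strength.  Added example; the signed
fragment is constructed and its signature is not cryptographically verified."""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML-DSig signature and digest method URIs, grouped by hash function.
HASH_OF_URI = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA-512",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512",
}
STRENGTH = {"SHA-1": 1, "SHA-256": 2, "SHA-384": 3, "SHA-512": 4}


def signature_hashes(xml_text):
    """Return [(element, hash_name_or_uri), ...] for every SignatureMethod and
    DigestMethod under any ds:Signature in the document."""
    root = ET.fromstring(xml_text)
    found = []
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        for tag in ("SignatureMethod", "DigestMethod"):
            for el in sig.iter(f"{{{DS_NS}}}{tag}"):
                uri = el.get("Algorithm", "")
                found.append((tag, HASH_OF_URI.get(uri, uri)))
    return found


def weaker_than(xml_text, required="SHA-256"):
    """Signature/digest methods below the required hash.  An algorithm URI the
    table does not know is reported too, so it gets reviewed, not accepted."""
    floor = STRENGTH[required]
    return [(tag, h) for tag, h in signature_hashes(xml_text)
            if STRENGTH.get(h, 0) < floor]


# Constructed sample: an assertion signed with SHA-1 (signature value is dummy).
SAMPLE_SIGNED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_constructed-1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>constructedDigestValue=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>constructedSignatureValue=</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""

# The same fragment as a sender configured with algorithm="SHA-256" would emit it.
SAMPLE_SIGNED_SHA256 = SAMPLE_SIGNED.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256").replace(
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    print("SHA-1 sample:", weaker_than(SAMPLE_SIGNED))
    print("SHA-256 sample:", weaker_than(SAMPLE_SIGNED_SHA256))
```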

3.2.6 configureFedSignEncKey

The configureFedSignEncKey command configures the signing and/or encryption key alias to be used for digital signature and encryption operations.

Description

Configure the signing and/or encryption key alias to be used for digital signature and encryption operations.

Syntax

configureFedSignEncKey(<partner="">, <partnerProfile="">, <partnerType="">, <default="false">, <signAlias="">, <encAlias="">, <displayOnly="false">, <delete="false">)
Argument Definition
partner

Indicates the partner for which the signing and/or encryption key alias is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required

partnerProfile 

Indicates the partner profile for which the signing and/or encryption key alias is configured for. partner, partnerProfile and default parameters are exclusive, with one of the three required.

partnerType 

Indicates the partner type for which the signing and/or encryption key alias is to be configured. Required when specifying partner or partnerProfile. Valid values are sp or idp.

default

Indicates the global default signing and/or encryption key alias to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required.

signAlias

The signing key alias. Required when setting the value.

encAlias

The encryption key alias. Required when setting the value.

displayOnly

Indicates whether or not this command should display the signing and encryption key aliases. Default is false. Optional.

delete

Indicates whether or not this command should delete the signing and/or encryption key alias from the specified partner or partner profile. Default is false. Optional.

Example

configureFedSignEncKey(default="true", signAlias="osts_signing")

3.2.7 configureAttributeSharingSPPartnerNameIDMapping

The configureAttributeSharingSPPartnerNameIDMapping command configures the NameID to user store attribute mapping to be used during Attribute Sharing.

Description

If displayOnly is true, the command displays the NameID to user store attribute mapping. Otherwise, if delete is true, the command deletes the specified mapping. Otherwise it sets the enabled flag to the given value and sets a NameID to user store attribute mapping.

Syntax

configureAttributeSharingSPPartnerNameIDMapping(<partner="">, 
 <partnerProfile="">, <enabled="true">, <nameidformat="">, 
 <userStoreAttribute="">, <displayOnly="false">, <delete="false">)
Argument Definition
partner

ID of the partner being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required.

partnerProfile 

Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required

enabled 

Boolean indicating if the nameID to userstore attribute mapping is enabled/disabled. Optional. Default value is true.

nameidformat

The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation, all the mappings for the specified partner or partner profile are displayed. Allowed NameID formats are:

  • orafed-emailaddress for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • orafed-x509 for urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • orafed-windowsnamequalifier for urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • orafed-kerberos for urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • orafed-transient for urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • orafed-persistent for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • orafed-unspecified for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • <customnameidformaturi> for a custom nameid format

If the format is set to any other value, the Assertion will be populated with that value.

userStoreAttribute

The userstore attribute to which the specified NameID Format is mapped. Optional. Needs to be specified only for a create or update operation.

displayOnly

Indicates whether or not this command should display the NameID to userstore attribute mapping. Default is false. Optional. If set to true the mapping is displayed. If no NameID parameter is specified all the mappings are displayed.

delete

Indicates whether or not this command should delete NameID to userstore attribute mapping. Default is false. Optional.

Examples

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", userStoreAttribute="mail")

configureAttributeSharingSPPartnerNameIDMapping(partnerProfile="saml20-idp-partner-profile", nameidformat="orafed-emailaddress", userStoreAttribute="mail")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", enabled="false")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", 
 displayOnly="true")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", 
 nameidformat="orafed-emailaddress", delete="true")

configureAttributeSharingSPPartnerNameIDMapping(partner="acme", 
 nameidformat="orafed-emailaddress", displayOnly="true")

3.2.8 configureAttributeSharingIdPPartner

The configureAttributeSharingIdPPartner command configures the default attribute sharing nameid and nameid format for the IdP Partner.

Description

Configures the default attribute sharing nameid and nameid format for the IdP Partner.

Syntax

configureAttributeSharingIdPPartner(<partner="">, <partnerProfile="">,<nameidformat="">, <nameidattribute="">)
Argument Definition
partner

ID of the partner being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required.

partnerProfile 

Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required

nameidformat

The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation, all the mappings for the specified partner or partner profile are displayed. Allowed NameID formats are:

  • orafed-emailaddress for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • orafed-x509 for urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • orafed-windowsnamequalifier for urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • orafed-kerberos for urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • orafed-transient for urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • orafed-persistent for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • orafed-unspecified for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • orafed-custom for a custom nameid

nameidattribute

The attribute in the userstore that should be used as the nameid. Optional.

displayOnly

Indicates whether or not this command should display the NameID to userstore attribute mapping. Default is false. Optional. If set to true the mapping is displayed. If no NameID parameter is specified all the mappings are displayed.

Example

configureAttributeSharingIdPPartner(partner="acme", 
 nameidformat="orafed-emailaddress", nameidattribute="mail")
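Both configureAttributeSharingSPPartnerNameIDMapping (3.2.7) and configureAttributeSharingIdPPartner (3.2.8) reduce to the same lookup at run time: given a NameID format, find the user store attribute mapped to it and emit that attribute's value as the NameID. The following added example (not Oracle code) models that lookup with the orafed-* alias table from this reference, passes a non-alias value through as a custom format URI as the reference describes, and fails closed when a mapping is missing, disabled, or the user record lacks the attribute. The partner mapping and the user record are constructed.

```python
"""Resolve a SAML NameID for a user from a NameID-format-to-user-store-attribute
mapping of the kind configureAttributeSharingSPPartnerNameIDMapping and
configureAttributeSharingIdPPartner create.  Added example; the alias table is
from the reference, the mapping and user record below are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# orafed-* aliases and the NameID format URIs they stand for (from the reference).
NAMEID_FORMATS = {
    "orafed-emailaddress": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "orafed-x509": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "orafed-windowsnamequalifier": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "orafed-kerberos": "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "orafed-transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "orafed-persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "orafed-unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}


def nameid_format_uri(value):
    """Expand an orafed-* alias; any other value is used as-is as a custom
    NameID format URI, as the reference says for <customnameidformaturi>."""
    return NAMEID_FORMATS.get(value, value)


def resolve_nameid(mapping, user, nameidformat):
    """Return (format_uri, value) for the user.  mapping is
    {alias_or_uri: {"attr": user_store_attribute, "enabled": bool}}.
    Raises LookupError if the format is unmapped or disabled, or the user
    record has no value for the mapped attribute (no silent fallback)."""
    entry = mapping.get(nameidformat)
    if entry is None:
        raise LookupError(f"no mapping for NameID format {nameidformat}")
    if not entry.get("enabled", True):
        raise LookupError(f"mapping for {nameidformat} is disabled")
    attr = entry["attr"]
    value = user.get(attr)
    if not value:
        raise LookupError(f"user record has no value for attribute {attr!r}")
    return nameid_format_uri(nameidformat), value


def mapping_problem(mapping, user, nameidformat):
    """Return why a NameID cannot be produced, or None if it can."""
    try:
        resolve_nameid(mapping, user, nameidformat)
    except LookupError as exc:
        return str(exc)
    return None


def nameid_element(mapping, user, nameidformat):
    """Render the resolved NameID as a saml:NameID element string."""
    fmt, value = resolve_nameid(mapping, user, nameidformat)
    el = ET.Element(f"{{{SAML_NS}}}NameID", {"Format": fmt})
    el.text = value
    return ET.tostring(el, encoding="unicode")


# Constructed: the mapping the 'acme' examples above create, plus a disabled
# mapping and a custom-format mapping, and a sample user store record.
ACME_MAPPING = {
    "orafed-emailaddress": {"attr": "mail", "enabled": True},
    "orafed-x509": {"attr": "certSubjectDN", "enabled": False},
    "urn:example:nameid-format:employeeid": {"attr": "employeeNumber", "enabled": True},
}
SAMPLE_USER = {"uid": "jdoe", "mail": "jdoe@example.test", "employeeNumber": "E-1042"}

if __name__ == "__main__":
    print(nameid_element(ACME_MAPPING, SAMPLE_USER, "orafed-emailaddress"))
    print(mapping_problem(ACME_MAPPING, SAMPLE_USER, "orafed-x509"))
```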

3.2.9 configureAttributeSharingUserDNToIdPPartnerMapping

The configureAttributeSharingUserDNToIdPPartnerMapping command configures Attribute Sharing DN to IdP Mappings.

Description

If displayOnly is set to true the configuration is displayed. If delete is set to true the command deletes a specified mapping; otherwise, a mapping is created or updated.

Syntax

configureAttributeSharingUserDNToIdPPartnerMapping(<dn="">,
 <idp="">, <displayOnly="false">, <delete="false">)  
Argument Definition
dn

The DN string to map to the given IdP. Optional. Needs to be specified to delete a mapping and set a mapping. If specified for a display operation the mapping for this DN only is displayed.

idp 

The partner ID of the IdP to use as Attribute Authority for the given DN. Optional. Needs to be specified only when creating or updating a mapping.

displayOnly

Indicates whether or not this command should display the DN to IdP mapping. Default is false. Optional. If set to true the mapping is displayed. If no dn parameter is specified all the mappings are displayed.

delete

Indicates whether or not this command should delete the DN to IdP mapping for the specified dn. Default is false. Optional.

Examples

configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle, dc=com", displayOnly="true")

configureAttributeSharingUserDNToIdPPartnerMapping(displayOnly="true")

configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", 
 delete="true")

configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", 
 idp="acme")

3.2.10 configureAttributeSharing

The configureAttributeSharing command configures the Attribute Sharing feature by setting a default attribute authority.

Description

Configures the Attribute Sharing feature by setting a default attribute authority.

Syntax

configureAttributeSharing(<defaultAttributeAuthority="">)  
Argument Definition
defaultAttributeAuthority

ID of the partner to use as the default Attribute Authority. Only used when this server is functioning in the SP mode.

Example

configureAttributeSharing(defaultAttributeAuthority="acme")

configureAttributeSharing("acme")
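On an SP, the DN to IdP mappings from 3.2.9 and the default attribute authority from 3.2.10 together decide which IdP partner receives the attribute query for a given user. The following added example (not Oracle code) models that decision. Two points are assumptions made for the illustration, not statements from this reference: a mapping applies to any entry at or under the mapped DN, and when several mapped DNs match, the most specific (longest) one wins. The mappings, partner IDs other than acme, and user DNs are constructed; note that the display example above writes the DN with a space after a comma, which the comparison below tolerates.

```python
"""Choose the IdP partner to use as Attribute Authority for a user DN, from
DN-to-IdP mappings (configureAttributeSharingUserDNToIdPPartnerMapping) and
a default authority (configureAttributeSharing).  Added example; the subtree
and longest-match semantics are assumptions, and the data is constructed."""
import re


def _rdns(dn):
    """Split a DN into normalised RDN components: lower-cased, whitespace
    around separators dropped, backslash-escaped commas left intact."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def dn_under(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies beneath it (RDN suffix match)."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def attribute_authority(user_dn, dn_mappings, default_authority=None):
    """Return the IdP partner ID to query for user_dn, or None if nothing
    applies.  dn_mappings is {dn_string: idp_partner_id}.  The longest
    matching mapped DN wins (assumed); otherwise the default authority."""
    best = None
    for dn, idp in dn_mappings.items():
        if dn_under(user_dn, dn):
            depth = len(_rdns(dn))
            if best is None or depth > best[0]:
                best = (depth, idp)
    return best[1] if best else default_authority


# Constructed configuration: the acme mapping from the examples above, a more
# specific subtree mapped to a second partner, and a default for everything else.
DN_MAPPINGS = {
    "dc=us,dc=oracle,dc=com": "acme",
    "ou=hr,dc=us,dc=oracle,dc=com": "acme-hr",
}
DEFAULT_AUTHORITY = "acme-eu"

if __name__ == "__main__":
    for dn in ("uid=jdoe,ou=people,dc=us,dc=oracle,dc=com",
               "uid=asmith,ou=hr,dc=us,dc=oracle,dc=com",
               "uid=pbrown,dc=uk,dc=oracle,dc=com"):
        print(dn, "->", attribute_authority(dn, DN_MAPPINGS, DEFAULT_AUTHORITY))
```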

3.2.11 removeAttributeSharingFromAuthnModule

The removeAttributeSharingFromAuthnModule command removes the Attribute Sharing plug-in from the Authentication Module.

Description

Removes the Attribute Sharing plug-in step from the specified Authentication Module.

Syntax

removeAttributeSharingFromAuthnModule(<authnModule>, <stepName="">) 
Argument Definition
authnModule

The name of the authnModule from which to delete Attribute Sharing plugin.

stepName 

The stepName of the Attribute Sharing plugin step to remove. Only needed if there is more than one attribute sharing step. Optional.

Example

removeAttributeSharingFromAuthnModule(authnModule="LDAPPlugin") 

removeAttributeSharingFromAuthnModule(authnModule="LDAPPlugin", 
 stepName="FedAttributeSharing")

3.2.12 configureAttributeSharingPlugin

The configureAttributeSharingPlugin command configures the input parameters of the Attribute Sharing plug-in step in an Authentication Module.

Description

Configures the input parameters of the Attribute Sharing plugin.

Syntax

configureAttributeSharingPlugin(<authnModule>, <stepName=None>, 
 <nameIDVariable=None>, <idpVariable=None>, <defaultIdP=None>, 
 <nameIDFormatVariable=None>, <defaultNameIDFormat=None>, 
 <requestedAttributes=None>)  
Argument Definition
authnModule

The name of the authnModule in which the Attribute Sharing plugin is configured.

stepName 

The stepName of the Attribute Sharing plugin step to configure. Only needed if there is more than one attribute sharing step. Optional.

nameIDVariable

The name of the variable in the session or context that contains the nameID of the user.

idpVariable

The name of the variable in the session or context that contains the idp name to which to send the attribute request.

defaultIdP

The name of the default IdP to send the attribute request to if no IdP can be determined from the session or context.

nameIDFormatVariable

The name of the variable in the session or context that contains the nameID format to use in the attribute request.

defaultNameIDFormat

The default NameID format to use if no nameid format could be determined from the session or context. Allowed NameID formats are:

  • orafed-emailaddress for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • orafed-x509 for urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • orafed-windowsnamequalifier for urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • orafed-kerberos for urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • orafed-transient for urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • orafed-persistent for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • orafed-unspecified for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

If the format is set to any other value, the Assertion will be populated with that value.

requestedAttributes

The attributes to request from the IdP. This string is in the URL query string format.

Example

configureAttributeSharingPlugin(authnModule="LDAPPlugin", 
 nameIDVariable="dn", idpVariable="attr.idpname", defaultIdP="acme", 
 nameIDFormatVariable="attr.nameidformat", defaultNameIDFormat="orafed-x509", 
 requestedAttributes="mail&accessAllowed=allowed") 

3.2.13 insertAttributeSharingInToAuthnModule

The insertAttributeSharingInToAuthnModule command inserts the attribute sharing step into the Authentication Module flow.

Description

Can also be used to remove the attribute sharing step from the Authentication Module flow.

Syntax

insertAttributeSharingInToAuthnModule(<authnModule>, 
 <fromStep=None>, <fromCond=None>, <toStep=None>, <toCond=None>, <stepName=None>)  
Argument Definition
authnModule

The name of the authnModule into which the Attribute Sharing plugin is inserted.

fromStep

The name of the step after which the Attribute Sharing Step (or the step of given name) should be inserted.

fromCond

The condition under which the Attribute Sharing (or step of given name) is called after the fromStep. It has to be one of OnSuccess, OnFailure or OnError.

toStep

The name of the step to go to after the attribute sharing step (or step of given name).

toCond

The condition under which the toStep is called after the Attribute Sharing step (or step of given name).

stepName 

The name of the step being added to the flow.

Example

insertAttributeSharingInToAuthnModule(authnModule="LDAPPlugin", 
 fromStep="stepUA", fromCond="OnSuccess")

insertAttributeSharingInToAuthnModule(authnModule="LDAPPlugin", fromStep="stepUA", 
 fromCond="OnSuccess", stepName="success")

3.2.14 addSPPartnerAuthnMethod

The addSPPartnerAuthnMethod command defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner.

Description

Maps a Federated Authentication Method to an Access Manager Authentication Scheme for an SP Partner.

Syntax

addSPPartnerAuthnMethod(partner, authnMethod, authnScheme, 
 isDefault="true", authnLevel="-1", appDomain="IAM Suite", 
 hostID="IAMSuiteAgent", <authzPolicy="Protected Resource Policy">)
Argument Definition
partner

The ID of the SP partner.

authnMethod 

The Federation Authentication Method to which the Access Manager Authentication Scheme will be mapped

authnScheme 

The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped

isDefault

Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method

authnLevel

Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level

appDomain

Optional. The application domain in which the underlying policy components will be created

hostID

Optional. The HostID used when creating the underlying resource policy object

authzPolicy

Optional. The Authorization Policy Name that will be used to protect underlying resource policy object being created.

Example

addSPPartnerAuthnMethod("acmeSP", 
 "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", 
 "LDAPScheme")

3.2.15 addSPPartnerProfileAuthnMethod

The addSPPartnerProfileAuthnMethod command defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner Profile.

Description

Maps a Federated Authentication Method to an Access Manager Authentication Scheme for an SP Partner Profile.

Syntax

addSPPartnerProfileAuthnMethod(partnerProfile, authnMethod, 
 authnScheme, isDefault="true", authnLevel="-1", appDomain="IAM Suite", 
 hostID="IAMSuiteAgent", <authzPolicy="Protected Resource Policy">)
Argument Definition
partnerProfile

The ID of the SP partner profile

authnMethod 

The Federation Authentication Method to which the Access Manager Authentication Scheme will be mapped

authnScheme 

The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped

isDefault

Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method

authnLevel

Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level

appDomain

Optional. The application domain in which the underlying policy components will be created

hostID

Optional. The HostID used when creating the underlying resource policy object

authzPolicy

Optional. The Authorization Policy Name that will be used to protect underlying resource policy object being created.

Example

addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", 
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", 
  "LDAPScheme") 

3.2.16 addIdPPartnerAuthnMethod

The addIdPPartnerAuthnMethod command sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner.

Description

Defines the level to which users from this IdP partner are authenticated.

Syntax

addIdPPartnerAuthnMethod(partner, authnMethod, authnLevel)  
Argument Definition
partner

The ID of the IdP partner

authnMethod 

The Federated Authentication Method

authnLevel 

The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method

Example

addIdPPartnerAuthnMethod("acmeIdP", 
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "1") 

3.2.17 addIdPPartnerProfileAuthnMethod

The addIdPPartnerProfileAuthnMethod command sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile.

Description

Defines the level to which users from this IdP partner profile are authenticated.

Syntax

addIdPPartnerProfileAuthnMethod(partnerProfile, authnMethod, 
 authnLevel)  
Argument Definition
partnerProfile

The ID of the IdP partner profile

authnMethod 

The Federated Authentication Method

authnLevel 

The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method

Example

addIdPPartnerProfileAuthnMethod("saml20-idp-partner-profile", 
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "1") 

3.2.18 listPartnerAuthnMethods

The listPartnerAuthnMethods command lists the Federated Authentication Method mappings for a specific Partner.

Description

Lists the Federated Authentication Method mappings for the specified Partner.

Syntax

listPartnerAuthnMethods(partner, partnerType)  
Argument Definition
partner

The ID of the partner

partnerType 

The type of the partner (SP or IdP)

Example

listPartnerAuthnMethods("acmeSP", "SP") 

3.2.19 listPartnerProfileAuthnMethods

The listPartnerProfileAuthnMethods command lists the Federated Authentication Method mappings for a specific Partner Profile.

Description

Lists the Federated Authentication Method mappings for the specified Partner Profile.

Syntax

listPartnerProfileAuthnMethods(partnerProfile, partnerType)  
Argument Definition
partnerProfile

The ID of the partner profile

partnerType 

The type of the partner (SP or IdP)

Example

listPartnerProfileAuthnMethods("saml20-sp-partner-profile", "SP") 

3.2.20 removePartnerAuthnMethod

The removePartnerAuthnMethod command removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner.

Description

Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for the specified Partner.

Syntax

removePartnerAuthnMethod(<partner>, <partnerType>, <authnMethod>)  
Argument Definition
partner

The ID of the partner

partnerType 

The type of the partner (SP or IdP)

authnMethod 

The Federated Authentication Method whose mapping is removed

Example

removePartnerAuthnMethod("acmeSP", "SP",  
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport") 

3.2.21 removePartnerProfileAuthnMethod

The removePartnerProfileAuthnMethod command removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner Profile.

Description

Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for the specified Partner Profile.

Syntax

removePartnerProfileAuthnMethod(<partnerProfile>, 
 <partnerType>, <authnMethod>)  
Argument Definition
partnerProfile

The ID of the partner profile

partnerType 

The type of the partner (SP or IdP)

authnMethod 

The Federated Authentication Method

Example

removePartnerProfileAuthnMethod("saml20-sp-partner-profile", 
"SP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
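Sections 3.2.14 through 3.2.21 maintain one table: on the SP side, Federated Authentication Method to Access Manager scheme (with isDefault and authnLevel); on the IdP side, Federated Authentication Method to the session authentication level; both at partner and at partner profile scope. The following added example (not Oracle's implementation) models that table and the two run-time questions it answers: which scheme to challenge with when an SP partner requests a method, and which session level to create from an IdP partner's assertion. Two things are assumptions made for the illustration rather than statements from this reference: a partner is bound to a profile (as setFedPartnerProfile does) and a partner-level mapping takes precedence over the profile-level one; and the partner acmeIdP's override to level 2 and the partner betaIdP are constructed. Both lookups fail closed when nothing is mapped.

```python
"""In-memory model of Federated Authentication Method mappings as maintained by
addSPPartner[Profile]AuthnMethod, addIdPPartner[Profile]AuthnMethod,
listPartner[Profile]AuthnMethods and removePartner[Profile]AuthnMethod.
Added example; partner-over-profile precedence and the demo data are assumptions."""

PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


class FedAuthnMappings:
    """Mappings keyed by (scope, id, partnerType); scope is 'partner' or
    'partnerProfile', partnerType is 'sp' or 'idp'."""

    def __init__(self):
        self._maps = {}        # (scope, id, type) -> {authnMethod: mapping}
        self._profile_of = {}  # (partner, type) -> profile the partner is bound to

    def set_partner_profile(self, partner, partner_type, profile):
        """Bind a partner to a partner profile (what setFedPartnerProfile does)."""
        self._profile_of[(partner, partner_type.lower())] = profile

    def _table(self, scope, scope_id, partner_type):
        return self._maps.setdefault((scope, scope_id, partner_type.lower()), {})

    def add_sp_mapping(self, scope, scope_id, authn_method, authn_scheme,
                       is_default="true", authn_level="-1"):
        """addSPPartnerAuthnMethod / addSPPartnerProfileAuthnMethod.  Several
        schemes may map to one method; isDefault marks the one used to
        challenge the user when the SP requests that method."""
        entries = self._table(scope, scope_id, "sp").setdefault(authn_method, [])
        entries[:] = [e for e in entries if e["authnScheme"] != authn_scheme]
        entries.append({"authnScheme": authn_scheme,
                        "isDefault": str(is_default).lower() == "true",
                        "authnLevel": int(authn_level)})

    def add_idp_mapping(self, scope, scope_id, authn_method, authn_level):
        """addIdPPartnerAuthnMethod / addIdPPartnerProfileAuthnMethod: the
        session level to create for assertions carrying authn_method."""
        self._table(scope, scope_id, "idp")[authn_method] = int(authn_level)

    def list_mappings(self, scope, scope_id, partner_type):
        """listPartnerAuthnMethods / listPartnerProfileAuthnMethods."""
        return dict(self._table(scope, scope_id, partner_type))

    def remove_mapping(self, scope, scope_id, partner_type, authn_method):
        """removePartnerAuthnMethod / removePartnerProfileAuthnMethod;
        returns True if a mapping existed."""
        return self._table(scope, scope_id, partner_type).pop(authn_method, None) is not None

    def effective(self, partner, partner_type):
        """Profile mappings overlaid by the partner's own (assumed precedence)."""
        merged = {}
        profile = self._profile_of.get((partner, partner_type.lower()))
        if profile is not None:
            merged.update(self._table("partnerProfile", profile, partner_type))
        merged.update(self._table("partner", partner, partner_type))
        return merged

    def scheme_for_sp_request(self, partner, requested_method):
        """Scheme to challenge with when the SP partner requests a method;
        fails closed if no scheme is mapped as the default for it."""
        entries = self.effective(partner, "sp").get(requested_method, [])
        defaults = [e["authnScheme"] for e in entries if e["isDefault"]]
        if not defaults:
            raise LookupError(f"no default scheme for {requested_method} at SP partner {partner}")
        return defaults[0]

    def session_level_for_assertion(self, partner, authn_method):
        """Level of the Access Manager session created from an IdP partner's
        assertion; fails closed rather than assuming a level."""
        level = self.effective(partner, "idp").get(authn_method)
        if level is None:
            raise LookupError(f"no level for {authn_method} at IdP partner {partner}")
        return level


def demo_mappings():
    """Constructed configuration mirroring the examples above, plus a
    partner-level override for acmeIdP (level 2) added for the illustration."""
    m = FedAuthnMappings()
    m.add_sp_mapping("partnerProfile", "saml20-sp-partner-profile", PASSWORD_PT, "LDAPScheme")
    m.add_idp_mapping("partnerProfile", "saml20-idp-partner-profile", PASSWORD_PT, "1")
    m.set_partner_profile("acmeSP", "sp", "saml20-sp-partner-profile")
    m.set_partner_profile("acmeIdP", "idp", "saml20-idp-partner-profile")
    m.set_partner_profile("betaIdP", "idp", "saml20-idp-partner-profile")
    m.add_idp_mapping("partner", "acmeIdP", PASSWORD_PT, "2")
    return m


if __name__ == "__main__":
    m = demo_mappings()
    print(m.scheme_for_sp_request("acmeSP", PASSWORD_PT))
    print(m.session_level_for_assertion("acmeIdP", PASSWORD_PT),
          m.session_level_for_assertion("betaIdP", PASSWORD_PT))
```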

3.2.22 setIdPPartnerRequestAuthnMethod

The setIdPPartnerRequestAuthnMethod command sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner.

Description

Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner.

Syntax

setIdPPartnerRequestAuthnMethod(<partner>, <authnMethod>) 
Argument Definition
partner

The ID of the IdP partner

authnMethod 

The Federated Authentication Method

Example

setIdPPartnerRequestAuthnMethod("acmeIdP", 
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

3.2.23 setIdPPartnerProfileRequestAuthnMethod

The setIdPPartnerProfileRequestAuthnMethod command sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner Profile.

Description

Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner Profile.

Syntax

setIdPPartnerProfileRequestAuthnMethod(<partnerProfile>, 
 <authnMethod>)  
Argument Definition
partnerProfile

The ID of the IdP partner profile

authnMethod 

The Federated Authentication Method

Example

setIdPPartnerProfileRequestAuthnMethod("saml20-idp-partner-profile",  
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

3.2.24 useProxiedFedAuthnMethod

The useProxiedFedAuthnMethod command configures the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO.

Description

If the server acts as an SP with a remote IdP to authenticate the user, when acting as an Identity Provider in a different Federation SSO operation, the server can use the Federation Authentication Method sent by the remote Identity Provider. The server will send the proxied Federation Authentication Method for the list of specified Federation Authentication Schemes. The server will only send the proxied Federation Authentication Method if the Federation protocol used between the server and the Service Provider is the same Federation protocol as the one used between the server and the Identity Provider.

Syntax

useProxiedFedAuthnMethod(<enabled="false">, 
 <displayOnly="false">, <authnSchemeToAdd="">, <authnSchemeToRemove="">,
 <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, 
 <authzPolicy="Protected Resource Policy">)
Argument Definition
enabled

Indicates whether or not the proxied Federation Authentication Method should be used. Default is to disable the feature. Optional.

displayOnly 

Indicates whether or not this command should display the list of Federation Schemes for which the server should send the proxied Federation Authentication Method. Default is false. Optional.

authnSchemeToAdd

The OAM Federation Authentication Scheme to be added to the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove parameters are exclusive.

authnSchemeToRemove

The OAM Federation Authentication Scheme to be removed from the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove parameters are exclusive.

appDomain

The application domain in which the underlying policy components will be created. Optional.

hostID

The HostID that will be used when creating the underlying resource policy object. Optional.

authzPolicy

Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created.

Example

useProxiedFedAuthnMethod(enabled="true", 
 authnSchemeToAdd="FederationScheme")

3.2.25 createFedPartnerProfileFrom

The createFedPartnerProfileFrom command creates a Federation Partner Profile based on the specified existing one.

Description

Creates a new partner profile based on the specified existing partner profile.

Syntax

createFedPartnerProfileFrom(<newPartnerProfile>, 
  <existingPartnerProfile>) 
Argument Definition
newPartnerProfile

The ID of the new partner profile.

existingPartnerProfile 

The ID of the existing partner profile

Example

createFedPartnerProfileFrom("newAcmeSPProfile", "acmeSPProfile")

3.2.26 deleteFedPartnerProfile

The deleteFedPartnerProfile command deletes the specified Federation Partner Profile.

Description

Removes the specified partner profile.

Syntax

deleteFedPartnerProfile(<PartnerProfile>) 
Argument Definition
PartnerProfile

The ID of the partner profile being deleted.

Example

deleteFedPartnerProfile("acmeSPProfile")

3.2.27 displayFedPartnerProfile

The displayFedPartnerProfile command displays the properties defined in the specified Federation Partner Profile.

Description

Displays the properties in the specified Federation Partner Profile.

Syntax

displayFedPartnerProfile(<PartnerProfile>)
Argument Definition
PartnerProfile

The ID of the partner profile.

Example

displayFedPartnerProfile("saml20-idp-partner-profile")

3.2.28 listFedPartnerProfiles

The listFedPartnerProfiles command lists all of the existing Federation Partner Profiles.

Description

Lists the existing Federation Partner Profiles.

Syntax

listFedPartnerProfiles()

This command has no arguments.

Example

listFedPartnerProfiles()

3.2.29 listFedPartnersForProfile

The listFedPartnersForProfile command lists the partners bound to the specified Federation Partner Profile.

Description

Lists all the partners bound to the specified Federation Partner Profile.

Syntax

listFedPartnersForProfile(<PartnerProfile>) 
Argument Definition
PartnerProfile

The ID of the partner profile.

Example

listFedPartnersForProfile("acmeSPProfile")

3.2.30 getFedPartnerProfile

The getFedPartnerProfile command retrieves the ID of the Partner Profile bound to the specified partner.

Description

Retrieves the ID of the Partner Profile bound to the specified partner.

Syntax

getFedPartnerProfile(<partner>, <partnerType>) 
Argument Definition
partner

The ID of the partner.

partnerType 

The type of the partner (sp or idp).

Example

getFedPartnerProfile("acmeIDP", "idp")

3.2.31 setFedPartnerProfile

The setFedPartnerProfile command sets the Federation Partner Profile ID for the specified partner.

Description

Binds the specified partner to the partner profile with the specified ID.

Syntax

setFedPartnerProfile(<partner>, <partnerType>, <partnerProfile>)
Argument Definition
partner

The ID of the partner.

partnerType 

The type of the partner (sp or idp).

partnerProfile

The ID of the partner profile.

Example

setFedPartnerProfile("acmeIDP", "idp", 
   "saml20-idp-partner-profile")

3.2.32 idpinitiatedssoprovideridparam

The idpinitiatedssoprovideridparam command sets the value to identify the provider ID for the SP.

Description

The value held by idpinitiatedssoprovideridparam is used by the peer provider to identify the provider ID of the SP.

Syntax

updatePartnerProperty(partnerName, partnerType, 
   "idpinitiatedssoprovideridparam","providerid", "string")
Argument Definition

partnerName

The ID of the partner

partnerType

Takes as a value either idp or sp

propName

Name of the property being configured or modified

propValue

The value of the property being configured. For an OIF peer IDP, the parameter name must be "providerid". Changing this property will change the parameter name used in the above URL.

type

The data type of the property value. Valid values are string, long, or boolean.

Example

updatePartnerProperty("<partnerName>", "idp",
   "idpinitiatedssoprovideridparam", "providerid", "string")

3.2.33 idpinitiatedssotargetparam

idpinitiatedssotargetparam is a partner property, set with updatePartnerProperty, that names the URL parameter carrying the target resource in an IdP-initiated SSO request for the specified partner.

Description

Identifies the target resource. The value held by idpinitiatedssotargetparam is the name of the request parameter that the peer provider reads to identify the desired resource; TARGET in the case of Oracle Identity Federation.

Syntax

updatePartnerProperty(partnerName, partnerType, 
   "idpinitiatedssotargetparam", "TARGET", "string")
Argument Definition

partnerName

The ID of the partner

partnerType

Takes as a value either idp or sp

propName

Name of the property being configured or modified

propValue

The name of the parameter that carries the location of the target resource. The default value is TARGET.

type

The data type of the property value. Valid values are string, long, or boolean.

Example

updatePartnerProperty("<partnerName>", "idp",
   "idpinitiatedssotargetparam", "TARGET", "string")

Note:

A certificate can be included in a SAML 1.1 signature by setting the boolean partner property includecertinsignature to true. Replace <partnerName> with the partner ID. The embedded certificate is only a hint for the peer; the peer must still verify the signature against the signing certificate it holds for this partner rather than trusting whatever certificate the message carries. For example:

updatePartnerProperty("<partnerName>", "sp",
 "includecertinsignature", "true", "boolean")

getPartnerProperty("<partnerName>", "sp", "includecertinsignature")

deletePartnerProperty("<partnerName>", "sp",
 "includecertinsignature")
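As an added illustration (not part of the Oracle documentation or product code), the following Python sketch shows what the idpinitiatedssoprovideridparam and idpinitiatedssotargetparam properties above control: they hold the names of the query parameters in an IdP-initiated SSO link, not the values sent in them, so renaming one on only one side of a partnership silently breaks the flow. The partner store, endpoint URL, provider IDs and allow-listed host are assumptions, set_property is a local stand-in for updatePartnerProperty, and is_safe_target shows the check a practitioner would want on the target parameter, since anyone who can craft the link controls it.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample partner store (hypothetical IDs and URLs, not OAM data).
# The two property keys are the ones documented above; the values are the
# defaults the documentation gives for an OIF peer.
PARTNERS = {
    "acmeIDP": {
        "idpinitiatedssoprovideridparam": "providerid",
        "idpinitiatedssotargetparam": "TARGET",
        "initiatesso_url": "https://acme-idp.example.com/fed/idp/initiatesso",  # assumed
    },
}
SP_PROVIDER_ID = "https://sp.example.com/fed/sp"      # assumed
ALLOWED_TARGET_HOSTS = {"sp.example.com"}              # assumed


def set_property(partner_id, prop_name, prop_value):
    """Local stand-in for updatePartnerProperty(partner, type, name, value, "string")."""
    PARTNERS[partner_id][prop_name] = prop_value


def build_idp_initiated_sso_url(partner_id, target):
    """Build the link that starts IdP-initiated SSO for this partner.
    The parameter names come from the partner's two properties."""
    props = PARTNERS[partner_id]
    query = {
        props["idpinitiatedssoprovideridparam"]: SP_PROVIDER_ID,
        props["idpinitiatedssotargetparam"]: target,
    }
    return props["initiatesso_url"] + "?" + urlencode(query)


def parse_idp_initiated_sso_request(partner_id, url):
    """Receiving side: read provider ID and target using the parameter names
    configured for this partner. Returns (provider_id, target); a value sent
    under a different parameter name is simply not found (None)."""
    props = PARTNERS[partner_id]
    qs = parse_qs(urlsplit(url).query)
    provider_id = qs.get(props["idpinitiatedssoprovideridparam"], [None])[0]
    target = qs.get(props["idpinitiatedssotargetparam"], [None])[0]
    return provider_id, target


def is_safe_target(target):
    """The target parameter is attacker-controllable, so accept only a
    site-relative path or an https URL on an allow-listed host. Rejects
    protocol-relative targets (//host/...) and non-https schemes."""
    if not target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme == "https" and parts.hostname in ALLOWED_TARGET_HOSTS


if __name__ == "__main__":
    link = build_idp_initiated_sso_url("acmeIDP", "/protected/app")
    print(link)
    print(parse_idp_initiated_sso_request("acmeIDP", link))
    print(is_safe_target("//evil.example.com/x"))
```

After set_property renames the provider-ID parameter to, say, "spid", links built with the new name no longer parse on a peer still expecting "providerid", which is the failure mode the documentation warns about when the property is changed.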

3.2.34 subjectconfirmationcheck

subjectconfirmationcheck is a partner property, set with updatePartnerProperty, that enables or disables the Subject Confirmation Data check.

Description

Enables or disables the check of the SubjectConfirmationData in incoming SAML assertions from the partner. This check is what ties a bearer assertion to this SP and to the current exchange (its Recipient, NotOnOrAfter and InResponseTo values), so disable it only for a partner whose assertions are known to carry unusable confirmation data, and treat the resulting trust relationship as weaker.

Syntax

updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

Specifies the partner type. Valid values are sp or idp.

propName 

Set the property name as 'subjectconfirmationcheck'.

propValue 

Specify the property value. Valid values are true or false.

type

Data type of the property. It can only be boolean.

Example

updatePartnerProperty(partnerName="testIDP", partnerType="idp",
   propName="subjectconfirmationcheck", propValue="true", type="boolean")
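To make concrete what the check above protects against, here is an added Python example (not Oracle code, and not how Identity Federation implements the check internally) that validates the SubjectConfirmationData of a bearer SubjectConfirmation the way a SAML 2.0 SP should: the Recipient must be this SP's assertion consumer URL, NotOnOrAfter must not have passed (with a small clock-skew allowance), and InResponseTo must name an AuthnRequest the SP actually issued unless unsolicited, IdP-initiated responses are explicitly allowed. The assertion, issuer, ACS URL and request ID are constructed sample data; signature verification is out of scope here and must be done separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (hypothetical issuer, SP and IDs; signature omitted,
# so this exercises only the confirmation-data checks, not signature verification).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://acme-idp.example.com/fed/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          Recipient="https://sp.example.com/oam/server/fed/sp/sso"
          NotOnOrAfter="2024-01-01T00:05:00Z"
          InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

SP_ACS_URL = "https://sp.example.com/oam/server/fed/sp/sso"   # assumed


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_subject_confirmation(assertion_xml, expected_recipient, outstanding_request_ids,
                               now, allow_unsolicited=False, clock_skew=timedelta(seconds=60)):
    """Return the list of reasons the bearer confirmation is unacceptable; an
    empty list means it passed. The three checks are what disabling
    subjectconfirmationcheck gives up: the assertion is for this SP (Recipient),
    is still fresh (NotOnOrAfter) and answers a request this SP issued (InResponseTo)."""
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", SAML_NS)
    bearer = [c for c in confirmations if c.get("Method") == BEARER]
    if not bearer:
        return ["no bearer SubjectConfirmation in assertion"]
    data = bearer[0].find("saml:SubjectConfirmationData", SAML_NS)
    if data is None:
        return ["bearer SubjectConfirmation carries no SubjectConfirmationData"]

    failures = []
    recipient = data.get("Recipient")
    if recipient != expected_recipient:
        failures.append("Recipient %r is not this SP's ACS %r" % (recipient, expected_recipient))

    not_on_or_after = data.get("NotOnOrAfter")
    if not_on_or_after is None:
        failures.append("NotOnOrAfter missing, assertion would be replayable indefinitely")
    elif now >= parse_saml_time(not_on_or_after) + clock_skew:
        failures.append("assertion expired at %s" % not_on_or_after)

    in_response_to = data.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            failures.append("no InResponseTo and unsolicited (IdP-initiated) responses not allowed")
    elif in_response_to not in outstanding_request_ids:
        failures.append("InResponseTo %r matches no outstanding AuthnRequest (replay?)" % in_response_to)
    return failures


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T00:01:00Z")
    print(check_subject_confirmation(SAMPLE_ASSERTION, SP_ACS_URL, {"_req42"}, now))
```

The outstanding-request set stands in for whatever per-session store the SP keeps of AuthnRequest IDs it has sent; an ID should be removed from it once consumed so the same assertion cannot be presented twice.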