Orchestrator Service

POST /oam/services/rest/11.1.2.0.0/fed/admin/orchestrator

The orchestrator is a service that configures two Federation servers together:
  • The orchestrator takes as input the location of the createIDP | createSP | configureSSO | testSP REST services, as well as the credentials needed to access them.
  • The type of Federation servers involved in the operation: if the servers are OIF or REST-enabled Federation servers, the orchestrator attempts to connect to their createIDP | createSP | configureSSO | testSP REST services; otherwise it assumes the remote servers do not provide any REST services.

Request

Supported Media Types
Body
IDP and SP Partner Info
Root Schema : OrchestratorInput
Type: object
Data-Set of IDP and SP Partner
Nested Schema : idpPartnerInfo
Type: object
IDP Partner Info.
  • Allowed Values: [ "facloud", "onpremise" ]
    indicates the type of Federation partner

    NOTE: 'facloud': represents an FA SaaS Cloud OIF server, 'onpremise': represents a customer owned Federation server

  • the SP SAML 2.0 Assertion Consumer service URL where the user will be redirected by the IdP with a SAML 2.0 Assertion
  • indicates if mapping of the Assertion will be done via a SAML Attribute. This parameter indicates the LDAP attribute to use. attributeLDAP and attributeSAML are both required for SAML attribute mapping to work. If specified, nameIDFormat is ignored for assertion mapping
  • indicates if mapping of the Assertion will be done via a SAML Attribute. This parameter indicates the SAML attribute to use. attributeLDAP and attributeSAML are both required for SAML attribute mapping to work. If specified, nameIDFormat is ignored for assertion mapping
  • indicates a list of optional attributes that should be sent by the IdP (if missing, then the attribute will not be sent)
  • indicates the SAML Attribute name to use in the SAML 2.0 Assertion when including the user's email (if missing, then the attribute name will be set to email)
  • the IdP Base64 encoded X.509 Encryption Certificate used by the IdP to decrypt encrypted SAML messages. This will be sent to the remote SP partner REST service
  • the default relay state that will be used by the SP (optional)
  • indicates the SAML Attribute name to use in the SAML 2.0 Assertion when including the user's first name (if missing, then the attribute name will be set to lastname)
  • Allowed Values: [ "true", "false" ]
    indicates whether or not new keys and corresponding self signed certificates should be generated by IdP for SAML operations. This will be sent to the remote SP partner REST service (optional). Also indicates if new cryptographic materials should be re-generated (true or false)
  • indicates the SAML Attribute name to use in the SAML 2.0 Assertion when including the user's last name (if missing, then the attribute name will be set to firstname)
  • the IdP URL that will be used by the SP to redirect the user to the IdP for the Logout Redirect profile with the SAML. This will be sent to the remote SP partner REST service
  • the IdP URL that will be used by the SP to redirect the user to the IdP for the Logout Redirect profile with the SAML LogoutResponse. This will be sent to the remote SP partner REST service
  • the Base64 encoded metadata of the IdP server that will be sent to the SP. If not specified, metadataURL will be used
  • URL where the IdP metadata can be downloaded
  • Allowed Values: [ "emailaddress", "unspecified" ]
    the NameID format used during Federation SSO
  • the hostname where WLS Admin server is installed
  • the password for the WLS Admin username used to issue an OAM admin command
  • the port where WLS Admin server is installed
  • the WLS Admin username used to issue an OAM admin command
  • OAM Logout for the IDP Partner
  • the partner name to be used
  • Allowed Values: [ "emailaddress", "unspecified" ]

    NOTE: If emailaddress, then the NameID value of an Assertion created by the IdP will contain the user's email address; if unspecified, then the NameID value of an Assertion created by the IdP will contain the user ID. This will be sent to the remote SP partner REST service

  • the type of IDP being configured:

    • If idptype is onpremise, then the orchestrator will not attempt to connect to REST services on the remote IdP server
    • If idptype is something else, then the orchestrator will attempt to connect to REST services on the remote SP server

  • boolean indicating if the call is to perform a pre-verification check. If true, the service will need to ensure the method can be invoked before the changes are performed in a subsequent call. This will be sent to the remote SP partner REST service
  • the IdP's ProviderID. This will be sent to the remote SP partner REST service
  • the IdP Base64 encoded X.509 Signing Certificate used by the IdP to sign messages or assertions. This will be sent to the remote SP partner REST service
  • Allowed Values: [ "true", "false" ]
    indicates whether or not SSO should be enabled
  • Allowed Values: [ "true", "false" ]
    indicates whether or not SSO should be enabled
  • Mobile SSO for the IDP Partner
  • Allowed Values: [ "artifact", "httppost" ]
    the SAML 2.0 SSO profile to use
  • the IdP SAML 2.0 Single Sign-On service SOAP URL where the SP will send a SOAP request during the SSO Artifact profile. This will be sent to the remote SP partner REST service
  • the IdP SAML 2.0 Single Sign-On service URL where the user will be redirected by the SP with a SAML 2.0 AuthnRequest with Redirect profile. This will be sent to the remote SP partner REST service
  • indicates if a static attribute should be sent and how it should be referenced (if missing, then the attribute will not be sent). staticAttrName and staticAttrValue are required
  • indicates if a static attribute should be sent and what value should be used (if missing, then the attribute will not be sent). staticAttrName and staticAttrValue are required
  • the SHA-1 hash of the IdP's ProviderID
  • tenant key name for IDP Partner
  • tenant key value for IDP Partner
  • the tenant name for this IdP in the SP multi-tenant system (if the SP is MT aware)
  • the tenant URL path for this IdP in the SP multi-tenant system (if the SP is MT aware)
  • indicates the SAML Attribute name to use in the SAML 2.0 Assertion when including the userID (if missing, then the attribute name will be set to username)
  • indicates the validity in days of the self signed certificates
Nested Schema : spPartnerInfo
Type: object
SP Partner Info.
  • Allowed Values: [ "facloud", "onpremise" ]
    indicates the type of Federation partner

    NOTE: 'facloud': represents an FA SaaS Cloud OIF server, 'onpremise': represents a customer owned Federation server

  • Assertion Consumer URL for the SP Partner
  • indicates if mapping of the Assertion will be done via a SAML Attribute. This parameter indicates the LDAP attribute to use. attributeLDAP and attributeSAML are both required for SAML attribute mapping to work. If specified, nameIDFormat is ignored for assertion mapping
  • indicates if mapping of the Assertion will be done via a SAML Attribute. This parameter indicates the SAML attribute to use. attributeLDAP and attributeSAML are both required for SAML attribute mapping to work. If specified, nameIDFormat is ignored for assertion mapping
  • indicates a list of optional attributes that should be sent (if missing, then the attribute will not be sent)
  • indicates the SAML Attribute name to use in the SAML 2.0 Assertion when including the user's email (if missing, then the attribute name will be set to email)
  • the Base64 encoded X.509 SP Encryption Certificate used by the SP to decrypt encrypted SAML messages
  • the default relay state that will be used by the SP (optional)
  • indicates the SAML Attribute name to use in the SAML 2.0 Assertion when including the user's first name (if missing, then the attribute name will be set to lastname)
  • Allowed Values: [ "true", "false" ]
    indicates whether or not new keys and corresponding self signed certificates should be generated by IdP for SAML operations. This will be sent to the remote SP partner REST service (optional). Also indicates if new cryptographic materials should be re-generated (true or false)
  • indicates the SAML Attribute name to use in the SAML 2.0 Assertion when including the user's last name (if missing, then the attribute name will be set to firstname)
  • the SP URL that will be used by the IdP to redirect the user to the SP for the Logout Redirect profile with the SAML
  • the SP URL that will be used by the IdP to redirect the user to the SP for the Logout Redirect profile with the SAML LogoutResponse
  • the Base64 encoded metadata of the SP server that will be sent to the IdP. If not specified, spmetadataurl will be used
  • URL where the SP metadata can be downloaded
  • Allowed Values: [ "emailaddress", "unspecified" ]
    the NameID format used during Federation SSO
  • the hostname where WLS Admin server is installed
  • the password for WLS admin for the SP server
  • the port where WLS Admin server is installed
  • the WLS admin for the SP server
  • OAM Logout URL for the SP Partner
  • the partner name to be used
  • the type of SP being configured
    • If sptype is sp_manual, taleo_manual, eloqua_manual or rightnow_manual, then the orchestrator will not attempt to connect to REST services on the remote SP server
    • If sptype is something else, then the orchestrator will attempt to connect to REST services on the remote SP server
  • boolean indicating if the call is to perform a pre-verification check. If true, the service will need to ensure the method can be invoked before the changes are performed in a subsequent call. This will be sent to the remote SP partner REST service
  • Provider ID of the SP Partner
  • the Base64 encoded X.509 SP Signing Certificate used by the SP to sign messages
  • Allowed Values: [ "true", "false" ]
    indicates whether or not SSO should be enabled
  • Allowed Values: [ "true", "false" ]
    indicates whether or not SSO should be enabled
  • Mobile SSO for the SP Partner
  • Allowed Values: [ "artifact", "httppost" ]
    the SAML 2.0 SSO profile to use (artifact or httppost)
  • the IdP SAML 2.0 Single Sign-On service SOAP URL where the SP will send a SOAP request during the SSO Artifact profile. This will be sent to the remote SP partner REST service
  • the IdP SAML 2.0 Single Sign-On service URL where the user will be redirected by the SP with a SAML 2.0 AuthnRequest with Redirect profile. This will be sent to the remote SP partner REST service
  • indicates if a static attribute should be sent and how it should be referenced (if missing, then the attribute will not be sent). staticAttrName and staticAttrValue are required
  • indicates if a static attribute should be sent and what value should be used (if missing, then the attribute will not be sent). staticAttrName and staticAttrValue are required
  • Succinct ID for the SP Partner
  • the tenant name for this IdP in the SP multi-tenant system (if the SP is MT aware)
  • the tenant URL path for this IdP in the SP multi-tenant system (if the SP is MT aware)
  • Allowed Values: [ "true", "false" ]
    true or false to indicate if the Test SP App should be enabled/disabled
  • indicates the SAML Attribute name to use in the SAML 2.0 Assertion when including the userID (if missing, then the attribute name will be set to username)
  • indicates the validity in days of the self signed certificates
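Because this endpoint pushes credentials and certificates to remote Federation servers, it pays to validate an OrchestratorInput client-side before sending it. The following is an added example (not Oracle's code) that checks the paired-field rules and allowed values stated for both idpPartnerInfo and spPartnerInfo above, derives succinctID from the ProviderID, and reports whether the orchestrator will try to reach REST services on each remote server. Key names the page does not give (ssoProfile, providerID, and idptype/sptype as the carrier of the facloud/onpremise partner type) are hypothetical, and base64 encoding of the SHA-1 digest is an assumption.

```python
import base64
import hashlib

# Value sets documented on this page. Keys without a name on the page
# ('ssoProfile', 'providerID', and 'idptype'/'sptype' for the partner type)
# are hypothetical names used only for this example.
PARTNER_TYPES = {"facloud", "onpremise"}
NAMEID_FORMATS = {"emailaddress", "unspecified"}
SSO_PROFILES = {"artifact", "httppost"}
MANUAL_SP_TYPES = {"sp_manual", "taleo_manual", "eloqua_manual", "rightnow_manual"}


def succinct_id(provider_id: str) -> str:
    """succinctID as the page defines it: the SHA-1 hash of the ProviderID.
    Encoding the 20-byte digest as base64 (the SAML artifact convention)
    is an assumption; the page does not state the text encoding."""
    digest = hashlib.sha1(provider_id.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_partner(info: dict, role: str) -> list:
    """Check one partner block against the documented constraints.
    role is 'idp' or 'sp'. Returns a list of problems; empty means OK."""
    problems = []
    if role == "idp" and info.get("idptype") not in PARTNER_TYPES:
        problems.append(f"{role}: idptype must be one of {sorted(PARTNER_TYPES)}")
    if info.get("nameIDFormat", "unspecified") not in NAMEID_FORMATS:
        problems.append(f"{role}: nameIDFormat must be one of {sorted(NAMEID_FORMATS)}")
    if info.get("ssoProfile", "httppost") not in SSO_PROFILES:
        problems.append(f"{role}: ssoProfile must be one of {sorted(SSO_PROFILES)}")
    # attributeLDAP and attributeSAML are both required for attribute mapping.
    if ("attributeLDAP" in info) != ("attributeSAML" in info):
        problems.append(f"{role}: attributeLDAP and attributeSAML are both required")
    # staticAttrName and staticAttrValue are both required for a static attribute.
    if ("staticAttrName" in info) != ("staticAttrValue" in info):
        problems.append(f"{role}: staticAttrName and staticAttrValue are both required")
    # When both are supplied, succinctID must be the SHA-1 of the ProviderID.
    if "providerID" in info and "succinctID" in info:
        if info["succinctID"] != succinct_id(info["providerID"]):
            problems.append(f"{role}: succinctID does not match SHA-1 of providerID")
    return problems


def remote_rest_expected(info: dict, role: str) -> bool:
    """Whether the orchestrator will try to reach REST services on this
    partner's server, per the page's idptype/sptype rules."""
    if role == "idp":
        return info.get("idptype") != "onpremise"
    return info.get("sptype") not in MANUAL_SP_TYPES
```

Run validate_partner on both partner blocks and refuse to POST if either list is non-empty; a mismatched succinctID or a half-specified attribute mapping would otherwise only surface as a failed SSO flow later.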

Response

Supported Media Types

200 Response

OK

400 Response

Bad Request. Returned when you try to orchestrate for a service instance where the Identity Federation is not enabled.

500 Response

INTERNAL SERVER ERROR.