Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in This Guide?
Updates in 11g Release 1 (11.1.1.9)
New and Changed Features in 11g Release 1 (11.1.1.7)
New and Changed Features in 11g Release 1 (11.1.1.6)
Updates in 11g Release 1 (11.1.1) Patch Set 4
New Features in Oracle Identity Federation 11g Release 1 (11.1.1) Patch Set 3
New Features In Oracle Identity Federation 11g Release 1 (11.1.1)
Part I Introduction
1 Introduction to Oracle Identity Federation
1.1 Federated Identity Management
1.1.1 Challenges of Identity Federation
1.1.2 Federation Use Cases
1.1.3 Concepts
1.1.4 Federation Protocols
1.1.4.1 SAML Basics
1.1.4.2 Evolution of the Federated Identity Standards
1.1.4.3 SAML 1.x
1.1.4.4 SAML 2.0
1.1.4.5 WS-Federation
1.2 About Oracle Identity Federation
1.2.1 Features and Benefits of Oracle Identity Federation
1.2.2 Architecture
1.2.3 High-Level Processing Flow
1.2.4 Federation Protocol Profiles
1.2.4.1 Browser POST Profile
1.2.4.2 Browser Artifact Profile
1.2.4.3 SOAP Binding
1.2.4.4 Browser HTTP Redirect Profile
1.2.4.5 Name Identifier Management Profiles
1.2.4.6 SAML Attribute Sharing Profile
1.2.4.7 WS-Federation Passive Requester Profile
1.2.4.8 Federation Termination Profile
1.2.4.9 Global Logout Profile
1.2.4.10 OpenID Profiles and Extensions
1.2.5 Affiliations
1.2.6 Cryptographic Provider
1.2.7 Example of Federation Event Flow
1.2.8 Supported Standards and Applications
2 Planning Oracle Identity Federation Deployment
2.1 Architecture Options
2.1.1 Role in Federation
2.1.2 Proxy Server
2.1.3 Server Security
2.1.3.1 SSL Encryption
2.1.3.2 Certificate-based Authentication
2.1.3.3 Certificate Repository and Validation
2.1.4 Protocol
2.2 Profiles and Bindings
2.2.1 Supported Protocols
2.2.1.1 SAML 2.0 Protocol
2.2.1.2 SAML 1.x and WS-Federation Protocol
2.2.1.3 OpenID 2.0 Protocol
2.2.2 Choosing a Profile
2.2.2.1 Using the Artifact Profile
2.2.2.2 Using the POST Profile
2.2.2.3 SAML Security Considerations
2.2.2.4 Using the SAML Attribute Sharing Profile
2.2.2.5 Using the WS-Federation Logout Profile
2.2.2.6 Using OpenID Profiles and Extensions
2.3 Authentication Engines
2.3.1 Engines in Oracle Identity Federation
2.3.2 Authenticating with a Repository
2.3.3 Authenticating with an IdM Solution in IdP Mode
2.3.4 Propagating Authentication State to Oracle Access Manager in SP Mode
2.3.5 Propagating Authentication State to Oracle Single Sign-On in SP Mode
2.3.6 HTTP Basic Authentication
2.4 Data Repositories
2.4.1 Federation Data Store
2.4.2 User Data Store
2.4.3 Session and Message Data Stores
2.4.4 Configuration Data Store
2.5 Installation Requirements
2.5.1 Required Components
2.6 Sizing Guidelines
2.6.1 Deployment and Architecture Considerations
2.6.1.1 Profiles
2.6.1.2 Repositories
2.6.1.3 Transient (Session and Message) Storage
2.6.1.4 Security for Assertions
2.6.1.5 Connection Tuning
2.6.1.6 High Availability
2.6.1.7 Tuning Servers
2.6.1.8 HTTP Session Persistence
2.6.1.9 Impact of Additional Security
2.6.2 Typical Deployment Scenario
2.6.3 Reference Server Footprint
2.6.4 Topology
2.7 Implementation Checklist
3 Deploying Oracle Identity Federation
3.1 Introduction
3.2 Deployment Scenarios
3.2.1 Deploying Oracle Identity Federation with Oracle HTTP Server
3.2.1.1 Install Oracle HTTP Server
3.2.1.2 Manage the Oracle HTTP Server Instance
3.2.1.3 Associate Oracle HTTP Server with Managed Server
3.2.1.4 Update Oracle Identity Federation Configuration
3.2.2 Deploying Oracle Identity Federation with Oracle Single Sign-On
3.2.2.1 Create and Manage the Oracle HTTP Server Instance
3.2.2.2 Integrate Oracle Single Sign-On with OHS
3.2.2.3 Configure Oracle Identity Federation to use Oracle Single Sign-On as the Authentication Engine
3.2.2.4 Configure Oracle Identity Federation for Oracle Single Sign-On SP Integration
3.2.2.5 Configure Oracle Single Sign-On
3.2.2.6 Testing Federated Single Sign-On
3.2.3 Deploying Oracle Identity Federation with Oracle Access Manager 11g
3.2.4 Deploying Oracle Identity Federation with Oracle Access Manager 10g
3.2.4.1 Create and Manage OHS
3.2.4.2 Integrate Oracle Access Manager as an Authentication Engine
3.2.4.3 Integrate Oracle Access Manager as an SP Integration Module
3.2.5 Oracle Identity Federation/SP Authenticating to Oracle Access Manager
3.2.5.1 Authentication Overview
3.2.5.2 Enabling Authentication with Existing Federation Schemes
3.2.5.3 Enabling Authentication when Creating New Federation Schemes
3.2.5.4 Updating Oracle Identity Federation Credentials
3.2.5.5 Disabling Authentication to Oracle Access Manager
3.2.6 Deploying Oracle Identity Federation with Oracle Directory Server Enterprise Edition
3.2.6.1 Requirements
3.2.6.2 Configuring Oracle Identity Federation Without a Web Proxy Server
3.2.6.3 Configuring Oracle Identity Federation Behind a Web Proxy Server
3.2.6.4 Updating the Identity and Access Management servers
3.2.6.5 Oracle Directory Server Enterprise Edition Sample Configuration Files
3.2.7 Using the Test SP Engine
3.2.7.1 Configure the Test SP Engine
3.2.7.2 Use the Test SP Engine for SP-Initiated SSO
3.2.7.3 Use the Test SP Engine with IdP-Initiated SSO
3.2.7.4 Test SP Engine Results
3.3 Post-Upgrade Administration
3.3.1 11g Server Signing Certificate
Part II Administering Oracle Identity Federation
4 Server Administration
4.1 Basic Administration
4.1.1 About the Oracle Identity Federation Server Administrator
4.1.1.1 About Roles
4.1.1.2 Deployment Planning
4.1.1.3 Other Planning Tasks
4.1.2 Administering Oracle Identity Federation
4.1.3 Oracle Identity Federation Log Files
4.1.4 Backups
4.2 Common Tasks
4.2.1 Obtain Server Metadata
4.2.1.1 Versions
4.2.1.2 Provider-specific Metadata
4.2.2 Obtain Server Certificates
4.2.2.1 Specifying Certificate Usage
4.2.2.2 Specifying Certificate Type
4.2.3 Perform SP-initiated Single Sign-On
4.2.4 Perform IdP-initiated Single Sign-On
4.2.5 Use the Relay State in IdP-initiated SSO
4.2.6 Launch the Logout Process
4.2.7 Set Signature Verification Certificate Property (SAML 1.x)
4.2.8 Perform SP-initiated Single Sign-On (SAML 1.x)
4.2.9 Send Attribute Requests and Queries (SAML 1.x)
4.2.9.1 NameID Format Strings when Using the Attribute Requester Service
4.2.10 Send Authentication Queries (SAML 1.x)
4.3 Managing Identity Federations
4.3.1 Search for a Provider
4.3.2 Add Trusted Providers
4.3.3 Update Trusted Providers
4.3.4 Delete Trusted Providers
4.3.5 Set Up Single Sign-On for SAML 1.x and WS-Federation
4.4 Configuring Identities
4.4.1 About Federated Identities
4.4.2 Identities - Federations
4.4.3 Identities - Users
4.4.4 Identities - Search Options
4.5 Managing Credentials for Oracle Identity Federation
5 Configuring Oracle Identity Federation
5.1 Data Maintained by Oracle Identity Federation
5.1.1 Server Configuration Data
5.1.2 User Federation Data
5.2 Configuring Server Properties
5.2.1 Host Connection Properties
5.2.2 Outbound Connection Properties
5.3 Configuring Identity Providers - Common Properties
5.4 Configuring Identity Providers - Protocol-Specific Properties
5.4.1 Configure SAML 2.0 IdP Properties
5.4.2 Configure SAML 1.x IdP Properties
5.4.3 Configure WS-Federation IdP Properties
5.4.4 Configure OpenID IdP Properties
5.4.5 Configure an External OpenID Provider
5.5 Configuring Service Providers
5.5.1 Configure Service Provider - Common Properties
5.5.2 Configure SAML 2.0 SP Properties
5.5.3 Configure SAML 1.x SP Properties
5.5.4 Configure WS-Federation 1.1 SP Properties
5.5.5 Configure OpenID SP Properties
5.6 Configuring Attribute Sharing with the Oracle Access Manager AuthZ Plug-in
5.6.1 Components Used for Attribute Sharing
5.6.2 Remote and Local Users
5.6.3 Configuring the Oracle Access Manager Plug-ins
5.6.4 Configuring Oracle Access Manager Schemes and Policies
5.6.4.1 Configuring the Attribute Sharing Authentication Scheme
5.6.4.2 Configuring the Attribute Sharing Authorization Scheme
5.6.4.3 Configuring an Oracle Access Manager Policy using Attribute Sharing
5.6.5 Configuring Oracle Identity Federation as an SP Attribute Requester
5.6.5.1 If Using HTTP Basic Authentication With OHS
5.6.5.2 If Using HTTP Basic Authentication Without OHS
5.6.5.3 If Using SSL Client Authentication
5.6.6 Configuring Oracle Identity Federation as an IdP Attribute Responder
5.6.7 Configuring Oracle Identity Federation for SSL
5.7 Configuring Identity Provider to send attributes in SSO Assertions
5.8 Web Services Interface for Attribute Sharing
5.8.1 Overview of the Service Interface
5.8.2 Attribute Request Message
5.8.3 Attribute Response Message
5.8.4 Interface WSDL
5.9 Configuring Attribute Mapping and Filtering
5.9.1 Introduction to Attribute Mapping and Filtering
5.9.1.1 Attribute Name Mapping
5.9.1.2 Attribute Value Mapping
5.9.1.3 Attribute Value Filtering
5.9.2 Mapping and Filtering Configuration
5.9.2.1 Configuring Attribute Name Mapping
5.9.2.2 Configuring Attribute Value Mapping
5.9.2.3 Configuring Attribute Value Filtering
5.10 Configuring Security and Trust
5.10.1 Security and Trust - Wallet
5.10.2 Security and Trust - Provider Metadata
5.10.3 Security and Trust - Trusted CAs and CRLs
5.11 Configuring Federations
5.12 Configuring Identities
5.13 Managing Data Stores
5.13.1 Manage the User Data Store
5.13.1.1 Configuring Oracle Identity Federation for RDBMS User Data Store
5.13.1.2 Configuring Oracle Identity Federation for an LDAP User Data Store
5.13.1.3 Configuring Oracle Virtual Directory as User Data Store
5.13.1.4 Configuring a Redundancy User Data Store
5.13.1.5 Configuring No User Data Store
5.13.2 Manage the Federation Data Store
5.13.2.1 Configuring Oracle Identity Federation for an RDBMS Federation Data Store
5.13.2.2 Configuring Oracle Identity Federation for an LDAP Federation Data Store
5.13.2.3 Configuring Oracle Identity Federation for an XML Federation Data Store
5.13.2.4 Configuring Oracle Virtual Directory as Federation Data Store
5.13.3 Manage the Session Data Store and the Message Data Store
5.13.4 Manage the Configuration Data Store
5.13.4.1 Using a File System Configuration Data Store
5.13.4.2 Using an RDBMS Configuration Data Store
5.13.4.3 When the RDBMS Configuration Data Store is Down
5.13.5 Create the Oracle Identity Federation Schema Using RCU
5.14 Configuring Authentication Mechanisms
5.14.1 About Authentication Mechanisms
5.14.1.1 Setting the Default Authentication Mechanism
5.14.1.2 Mapping from Protocol-specific Methods to Local Mechanisms To Authentication Engines
5.14.1.3 Mapping Local Authentication Mechanisms to Identity Providers
5.14.2 Configure Authentication Mechanisms - Local
5.14.3 Configure Authentication Mechanisms - SAML 2.0
5.14.4 Configure Authentication Mechanisms - SAML 1.x
5.14.5 Configure Authentication Mechanisms - WS-Federation 1.1
5.15 Configuring Authentication Engines
5.15.1 Authentication Engines - HTTP Header
5.15.1.1 Configuring the HTTP Header Authentication Engine
5.15.1.2 Configuring HTTP Header Attributes
5.15.2 Authentication Engines - Oracle Single Sign-On
5.15.3 Authentication Engines - Oracle Access Manager 11g
5.15.4 Authentication Engines - Oracle Access Manager 10g
5.15.5 Authentication Engines - LDAP Directory
5.15.5.1 Configuring Oracle Virtual Directory as the Authentication Engine
5.15.6 Authentication Engines - Database Security
5.15.7 Authentication Engines - Database Table
5.15.7.1 Configuring Oracle Identity Federation for RDBMS Authentication Engine
5.15.8 Authentication Engines - Infocard
5.15.9 Authentication Engines - Federated SSO Proxy
5.15.9.1 About the Federated SSO Proxy Authentication Engine
5.15.9.2 Selecting the Identity Provider to Use
5.15.9.3 Configuring the Federated SSO Proxy Authentication Engine
5.15.10 Authentication Engines - JAAS
5.15.11 Authentication Engines - Custom
5.16 Configuring SP Integration Modules
5.16.1 SP Integration Module - Oracle Single Sign-On
5.16.2 SP Integration Module - Oracle Access Manager 11g
5.16.3 SP Integration Module - Oracle Access Manager 10g
5.16.4 SP Integration Module - Test SP Engine
5.16.5 SP Integration Module - Custom
6 Additional Server Configuration
6.1 Setting up Single Sign-On Services
6.1.1 Oracle Single Sign-On
6.1.2 Oracle Access Manager
6.1.3 SP-initiated SSO
6.1.4 IdP-initiated SSO
6.2 Working with Affiliations
6.3 Additional LDAP Configuration
6.3.1 Configuring the LDAP Inactivity Setting
6.3.2 Configuring the LDAP Read Timeout Setting
6.3.3 ECID Support for LDAP Connections
6.4 Additional Configuration for High Availability
6.4.1 Configuring High Availability LDAP Servers
6.4.2 Configuring the HTTP Session State Sleep/Retry Interval
6.4.3 Configuring Oracle Identity Federation HA in SSL mode
6.5 Additional RDBMS Configuration
6.5.1 Configuring RDBMS Session Cache
6.5.2 Configuring RDBMS Data Compression
6.6 Session Repository Configuration
6.6.1 Storing Assertion Attributes of User Session
6.7 Additional HTTP Configuration
6.7.1 Configuring HTTP-Only Flag for HTTP Cookies Set by Oracle Identity Federation
6.7.2 Precautions when Customizing the Page in HTTP Post Profile
6.7.3 Using a 303 Status Code for Redirects
6.8 Additional Protocol Configuration
6.8.1 Configuring for eAuth Mode
6.8.2 Configuring the BAE Direct Attribute Exchange Profile
6.8.3 Configuring the SAML 2.0 LDAP Attribute Profile
6.8.4 Configuring On-Demand Global Logout
6.9 Protecting the SOAP Endpoint
6.9.1 SSL Client Authentication
6.9.2 HTTP Basic Authentication
6.9.2.1 Configuring HTTP Basic Authentication to protect the SOAP URLs
6.9.2.2 Configuring Oracle Identity Federation to Connect to a Protected SOAP URL
6.10 Configuring the SAML 2.0 IdP Discovery (Common Domain Cookie) Profile
6.10.1 Preliminary Steps to Set Up the CDC
6.10.2 Configuring the CDC Profile as an Identity Provider
6.10.3 Configuring the CDC Profile as a Service Provider
6.10.4 Configuring Oracle Identity Federation to Display List of Trusted Providers in CDC
6.11 Configuring the Identity Provider Discovery Service
6.11.1 Create the IdP Discovery Service Page
6.12 Setting up Infocard
6.12.1 Server-side Infocard Setup
6.12.1.1 Set up JCE Policy Files for Oracle WebLogic Server
6.12.1.2 Update the Oracle Identity Federation Configuration
6.12.1.3 Add Personal Card Issuer STS
6.12.1.4 Add Infocard Managed STS
6.12.2 Client-side Infocard Setup
6.12.2.1 Import the Oracle Identity Federation SSL Certificate
6.12.2.2 Create a Personal Infocard
6.13 Additional Run-time Configuration
6.13.1 Validating Target URLs for SSO and Logout Operations
6.13.2 Providing XML Message to SP Engine after SSO Completes
6.13.3 Customizing Error Pages
6.13.4 Configuring Schema Validation for SSO Protocol Messages
6.14 Additional Federation Data Store Configuration
6.15 Setting up Backwards Compatibility for Oracle Identity Federation 10g and ShareID service URLs
6.16 Mapping Users through Attributes and NameID in SP Mode
6.16.1 Locating a User
6.16.2 Configuring Oracle Identity Federation
6.16.3 Example 1: Assertion Mapping without federated identities using NameID for SAML 2.0
6.16.4 Example 2: Simple Assertion Mapping without Federated Identities with an LDAP/SQL Query
6.16.5 Example 3: Complex Assertion Mapping without Federated Identities with an LDAP/SQL Query
6.16.6 Example 4: Assertion Mapping without Federated Identities using LDAP/SQL Query and NameID Mapping
6.16.7 Example 5: Assertion Mapping without Federated Identities for a Specific IdP
6.17 Automatic Account Linking Based on Attribute Query Mapping
6.17.1 Locating the User
6.17.2 Configuring Oracle Identity Federation
6.17.3 Example 1: Automatic Account Linking through NameID mapping for SAML 2.0
6.17.4 Example 2: Simple Automatic Account Linking through LDAP/SQL Query
6.17.5 Example 3: Complex Automatic Account Linking through LDAP/SQL Query
6.17.6 Example 4: Automatic Account Linking through LDAP/SQL Query and NameID Mapping
6.17.7 Example 5: Automatic Account Linking via Attribute Query for a Specific IdP
6.18 User Opt-In and Opt-Out for Single Sign-On
6.18.1 Modes of Operation
6.18.2 Configuring Oracle Identity Federation
6.18.3 Example 1: Off Mode
6.18.4 Example 2: Opt-In Mode
6.18.5 Example 3: Opt-Out Mode
6.18.6 Example 4: Opt-In Mode for a Specific IdP
6.19 Bypassing User Mapping During Assertion Processing
6.19.1 Configuring Oracle Identity Federation
6.20 Overriding NameID Mapping Per Partner
6.21 Configuring Audience Restrictions for Assertions
6.22 Certificate Path Validation
6.23 Sending the ACS URL with the Authentication Request
6.24 Integrating with an OpenID Partner
6.24.1 Integrating with an OpenID Provider (OP)
6.24.1.1 Provision the OP Partner
6.24.1.2 Provide Data to the OP
6.24.2 Integrating with a Relying Party (RP)
6.24.2.1 Provision the RP Partner
6.24.2.2 Provide Data to the RP
6.24.3 Configuring Attributes
6.24.3.1 Attributes for Oracle Identity Federation as an OP
6.24.3.2 Attributes for Oracle Identity Federation as an RP
6.25 Implementing the OpenID UI Extension
7 Diagnostics and Auditing
7.1 Monitoring
7.1.1 Oracle Identity Federation Home Page
7.1.2 Performance Summary
7.1.2.1 About Sensor Weights
7.1.2.2 Event Metrics
7.1.2.3 State Events
7.1.2.4 Phase Events
7.2 Availability
7.3 Logging
7.3.1 About Oracle Identity Federation Logging
7.3.1.1 Types of Logs
7.3.1.2 Log Levels
7.3.1.3 Message IDs
7.3.1.4 Tools for Log Configuration
7.3.2 Viewing Oracle Identity Federation Log Messages
7.3.2.1 Select Messages to View
7.3.2.2 Specify View Options
7.3.3 Configuring Oracle Identity Federation Logs
7.3.3.1 Configure Oracle Identity Federation Log Levels
7.3.3.2 Configure Oracle Identity Federation Log Files
7.3.4 Common Log Messages
7.3.4.1 thread interrupt Messages
7.4 Auditing
7.4.1 About Auditing in Oracle Identity Federation
7.4.1.1 Categories of Audit Events
7.4.1.2 Audit Levels
7.4.2 Configuring Auditing for Oracle Identity Federation
7.4.2.1 Configuring Auditing at the Custom Level
7.4.3 Viewing Audit Data
8 Security
8.1 Configuring SSL for Oracle Identity Federation
8.1.1 Configuring Oracle Identity Federation as an SSL Server
8.1.1.1 Setting up SSL on Oracle WebLogic Server
8.1.1.2 Configuring Oracle Identity Federation
8.1.2 Configuring Oracle Identity Federation as an SSL Client
8.1.2.1 Configuring Oracle WebLogic Server
8.1.2.2 Configuring Keystore Passwords in Oracle Identity Federation
8.1.2.3 Alternative Way to Configure Oracle Identity Federation as SSL Client
8.1.2.4 Connecting to an LDAP Server over SSL
8.1.2.5 Ensuring that Fusion Middleware Control can Manage an Oracle Identity Federation Target
8.1.3 Configuring SSL in HA Mode
8.2 Managing Signing and Encryption Wallets
8.2.1 Signing and Encryption Passwords
8.2.2 Replacing a Signing or Encryption Wallet
8.3 Setting up JCE Policy Files for Oracle WebLogic Server
9 Oracle Identity Federation Command-Line Tools
9.1 Introduction to Command-Line Tools for Oracle Identity Federation
9.1.1 Setting up the WLST Environment
9.1.2 Executing the Commands
9.2 Oracle Identity Federation Commands
9.2.1 addConfigListEntryInMap
9.2.1.1 Description
9.2.1.2 Syntax
9.2.1.3 Example
9.2.2 addConfigMapEntryInMap
9.2.2.1 Description
9.2.2.2 Syntax
9.2.2.3 Example
9.2.3 addConfigPropertyListEntry
9.2.3.1 Description
9.2.3.2 Syntax
9.2.3.3 Example
9.2.4 addConfigPropertyMapEntry
9.2.4.1 Description
9.2.4.2 Syntax
9.2.4.3 Example
9.2.5 addCustomAuthnEngine
9.2.5.1 Description
9.2.5.2 Syntax
9.2.5.3 Example
9.2.6 addCustomSPEngine
9.2.6.1 Description
9.2.6.2 Syntax
9.2.6.3 Example
9.2.7 addFederationListEntryInMap
9.2.7.1 Description
9.2.7.2 Syntax
9.2.7.3 Example
9.2.8 addFederationMapEntryInMap
9.2.8.1 Description
9.2.8.2 Syntax
9.2.8.3 Example
9.2.9 addFederationPropertyListEntry
9.2.9.1 Description
9.2.9.2 Syntax
9.2.9.3 Example
9.2.10 addFederationPropertyMapEntry
9.2.10.1 Description
9.2.10.2 Syntax
9.2.10.3 Example
9.2.11 deleteCustomAuthnEngine
9.2.11.1 Description
9.2.11.2 Syntax
9.2.11.3 Example
9.2.12 deleteCustomSPEngine
9.2.12.1 Description
9.2.12.2 Syntax
9.2.12.3 Example
9.2.13 deleteProviderFederation
9.2.13.1 Description
9.2.13.2 Syntax
9.2.13.3 Example
9.2.14 deleteUserFederations
9.2.14.1 Description
9.2.14.2 Syntax
9.2.14.3 Example
9.2.15 changeMessageStore
9.2.15.1 Description
9.2.15.2 Syntax
9.2.15.3 Example
9.2.16 changePeerProviderDescription
9.2.16.1 Description
9.2.16.2 Syntax
9.2.16.3 Example
9.2.17 changeSessionStore
9.2.17.1 Description
9.2.17.2 Syntax
9.2.17.3 Example
9.2.18 createConfigPropertyList
9.2.18.1 Description
9.2.18.2 Syntax
9.2.18.3 Example
9.2.19 createConfigPropertyListInMap
9.2.19.1 Description
9.2.19.2 Syntax
9.2.19.3 Example
9.2.20 createConfigPropertyMap
9.2.20.1 Description
9.2.20.2 Syntax
9.2.20.3 Example
9.2.21 createConfigPropertyMapInMap
9.2.21.1 Description
9.2.21.2 Syntax
9.2.21.3 Example
9.2.22 createFederationPropertyList
9.2.22.1 Description
9.2.22.2 Syntax
9.2.22.3 Example
9.2.23 createFederationPropertyListInMap
9.2.23.1 Description
9.2.23.2 Syntax
9.2.23.3 Example
9.2.24 createFederationPropertyMap
9.2.24.1 Description
9.2.24.2 Syntax
9.2.24.3 Example
9.2.25 createFederationPropertyMapInMap
9.2.25.1 Description
9.2.25.2 Syntax
9.2.25.3 Example
9.2.26 createPeerProviderEntry
9.2.26.1 Description
9.2.26.2 Syntax
9.2.26.3 Example
9.2.27 getConfigListValueInMap
9.2.27.1 Description
9.2.27.2 Syntax
9.2.27.3 Example
9.2.28 getConfigMapEntryInMap
9.2.28.1 Description
9.2.28.2 Syntax
9.2.28.3 Example
9.2.29 getConfigProperty
9.2.29.1 Description
9.2.29.2 Syntax
9.2.29.3 Example
9.2.30 getConfigPropertyList
9.2.30.1 Description
9.2.30.2 Syntax
9.2.30.3 Example
9.2.31 getConfigPropertyMapEntry
9.2.31.1 Description
9.2.31.2 Syntax
9.2.31.3 Example
9.2.32 getFederationListValueInMap
9.2.32.1 Description
9.2.32.2 Syntax
9.2.32.3 Example
9.2.33 getFederationMapEntryInMap
9.2.33.1 Description
9.2.33.2 Syntax
9.2.33.3 Example
9.2.34 getFederationProperty
9.2.34.1 Description
9.2.34.2 Syntax
9.2.34.3 Example
9.2.35 getFederationPropertyList
9.2.35.1 Description
9.2.35.2 Syntax
9.2.35.3 Example
9.2.36 extractproviderprops
9.2.36.1 Description
9.2.36.2 Syntax
9.2.37 setproviderprops
9.2.37.1 Description
9.2.37.2 Syntax
9.2.38 getFederationPropertyMapEntry
9.2.38.1 Description
9.2.38.2 Syntax
9.2.38.3 Example
9.2.39 listCustomAuthnEngines
9.2.39.1 Description
9.2.39.2 Syntax
9.2.39.3 Example
9.2.40 listCustomSPEngines
9.2.40.1 Description
9.2.40.2 Syntax
9.2.40.3 Example
9.2.41 loadMetadata
9.2.41.1 Description
9.2.41.2 Syntax
9.2.41.3 Example
9.2.42 oifStatus
9.2.42.1 Description
9.2.42.2 Syntax
9.2.42.3 Example
9.2.43 removeConfigListInMap
9.2.43.1 Description
9.2.43.2 Syntax
9.2.43.3 Example
9.2.44 removeConfigMapEntryInMap
9.2.44.1 Description
9.2.44.2 Syntax
9.2.44.3 Example
9.2.45 removeConfigMapInMap
9.2.45.1 Description
9.2.45.2 Syntax
9.2.45.3 Example
9.2.46 removeConfigProperty
9.2.46.1 Description
9.2.46.2 Syntax
9.2.46.3 Example
9.2.47 removeConfigPropertyList
9.2.47.1 Description
9.2.47.2 Syntax
9.2.47.3 Example
9.2.48 removeConfigPropertyMap
9.2.48.1 Description
9.2.48.2 Syntax
9.2.48.3 Example
9.2.49 removeConfigPropertyMapEntry
9.2.49.1 Description
9.2.49.2 Syntax
9.2.49.3 Example
9.2.50 removeFederationListInMap
9.2.50.1 Description
9.2.50.2 Syntax
9.2.50.3 Example
9.2.51 removeFederationMapInMap
9.2.51.1 Description
9.2.51.2 Syntax
9.2.51.3 Example
9.2.52 removeFederationMapEntryInMap
9.2.52.1 Description
9.2.52.2 Syntax
9.2.52.3 Example
9.2.53 removeFederationProperty
9.2.53.1 Description
9.2.53.2 Syntax
9.2.53.3 Example
9.2.54 removeFederationPropertyList
9.2.54.1 Description
9.2.54.2 Syntax
9.2.54.3 Example
9.2.55 removeFederationPropertyMap
9.2.55.1 Description
9.2.55.2 Syntax
9.2.55.3 Example
9.2.56 removeFederationPropertyMapEntry
9.2.56.1 Description
9.2.56.2 Syntax
9.2.56.3 Example
9.2.57 removePeerProviderEntry
9.2.57.1 Description
9.2.57.2 Syntax
9.2.57.3 Example
9.2.58 setConfigProperty
9.2.58.1 Description
9.2.58.2 Syntax
9.2.58.3 Example
9.2.59 setCustomAuthnEngine
9.2.59.1 Description
9.2.59.2 Syntax
9.2.59.3 Example
9.2.60 setCustomSPEngine
9.2.60.1 Description
9.2.60.2 Syntax
9.2.60.3 Example
9.2.61 setFederationProperty
9.2.61.1 Description
9.2.61.2 Syntax
9.2.61.3 Example
Part III Oracle Universal Federation Framework
10 Integrating with Third-Party Identity and Access Management Modules
10.1 Background for Custom Implementations
10.2 Architecture and Flows
10.2.1 Architecture
10.2.2 Authentication Engine Framework
10.2.3 SP Integration Engine Framework
10.2.4 Logout
10.2.5 Requirements
10.3 Creating a Custom Authentication Engine
10.3.1 Planning a Custom Authentication Engine
10.3.2 Developing and Implementing the Authentication Module
10.3.3 Sample Authentication Module for Oracle Single Sign-On Integration
10.3.4 Sample Authentication Module for LDAP Integration
10.4 Creating a Custom SP Integration Engine
10.4.1 Planning a Custom SP Integration Engine
10.4.2 Developing and Implementing the Integration Module
10.4.2.1 Path URLs
10.4.2.2 Adding or Modifying an SP Integration Engine
10.4.2.3 Implementing the Service
10.4.3 Sample Integration Modules
10.4.4 Sample Integration Module 1: Oracle WebLogic Server JavaEE Container Integration
10.4.5 Sample Integration Module 2: Customized Single Sign-On Integration
10.5 Logout
10.5.1 Changing Logout Flow
10.5.2 Sample Logout Services
10.5.3 Logout Service Example #1
10.5.4 Logout Service Example #2
11 Configuring Oracle Identity Federation for the Business Processing Plug-in
11.1 About the Business Processing Plug-in
11.1.1 Basic Flow of Business Processing Plug-in
11.1.2 Implementation
11.1.3 Building the Plug-in, Operations and Parameters
11.2 Configuring the Business Processing Plug-in
11.3 Packaging the Plug-in
11.4 Configuring JavaEE Security
11.5 Example of Plug-in and Redirect Page
11.6 Business Processing Plug-in API
12 Implementing Custom Actions
12.1 Introduction to Custom Actions
12.1.1 Pre- and Post-Processing Custom Actions for Authentication Engines
12.1.2 Pre- and Post-Processing Custom Actions for SP Integration Engines
12.1.3 Custom Actions Architecture
12.1.3.1 Flow for Oracle Identity Federation as SP
12.1.3.2 Flow for Oracle Identity Federation Authenticating User
12.2 Pre-processing Custom Action for Authentication Engine
12.2.1 Implementing the Pre-processing Custom Action
12.2.2 Configuring Oracle Identity Federation for the Custom Action
12.3 Post-processing Custom Action for Authentication Engine
12.3.1 Implementing the Post-processing Plug-in
12.3.2 Configuring Oracle Identity Federation for the Plug-in
12.3.3 Example of a Post-processing Custom Action
12.3.3.1 Set-up
12.3.3.2 Packaging
12.3.3.3 Oracle Identity Federation Configuration
12.3.3.4 Implementation of cookieextract.jsp
12.4 Pre-processing Custom Action for SP Integration Engine
12.4.1 Implementing the Pre-processing Plug-in
12.4.2 Configuring Oracle Identity Federation for the Plug-in
12.4.3 Example of a Pre-processing Plug-in
12.4.3.1 Setup
12.4.3.2 Packaging
12.4.3.3 Configuring Oracle Identity Federation
12.5 Post-processing Custom Action for SP Engine
12.5.1 Implementing the Post-processing Plug-in
12.5.2 Configuring Oracle Identity Federation for the Plug-in
12.5.3 Example of a Post-processing Plug-in
12.5.3.1 Set-up
12.5.3.2 Packaging
12.5.3.3 Oracle Identity Federation Configuration
12.5.3.4 Implementation of fedusercheck.jsp
Part IV Appendices
A Oracle Identity Federation MBeans
A.1 Server-wide Configuration (config.xml)
A.1.1 FederationConfig
A.1.1.1 FederationConfigMXBean
A.1.1.2 The FederationConfig Element
A.1.2 Config
A.1.2.1 ConfigMXBean
A.1.2.2 The Config Element
A.1.3 PropertiesList
A.1.3.1 PropertiesListMXBean
A.1.3.2 The PropertiesList Element
A.1.4 PropertiesMap
A.1.4.1 PropertiesMapMXBean
A.1.4.2 The PropertiesMap Element
A.2 Provider-specific Configuration
A.2.1 CircleOfTrust
A.2.1.1 CircleOfTrustMXBean
A.2.1.2 The CircleOfTrust Element
A.2.2 PeerProvider
A.2.2.1 PeerProviderMXBean
A.2.2.2 The PeerProvider Element
A.3 Data-store Configuration
A.3.1 Datastore
A.3.1.1 DatastoreMXBean
A.3.1.2 The datastore Element
A.3.2 DiscoveryProvider
A.3.2.1 DiscoveryProviderMXBean
A.3.2.2 The DiscoveryProvider Element
A.4 Oracle Identity Federation Schema
A.5 Programmatic Access to Oracle Identity Federation MBeans
A.5.1 Access the MBean Server
A.5.2 Access Oracle Identity Federation MBeans
A.6 Oracle Identity Federation MBeans API
B Using Oracle HTTP Server as a Proxy for Oracle Identity Federation
B.1 Configuring Oracle HTTP Server as Proxy
B.2 SSL Configuration for Oracle HTTP Server
C Troubleshooting Oracle Identity Federation
C.1 Problems and Solutions
C.1.1 General Issues
C.1.1.1 Attribute Sharing with the Microsoft Internet Information Server Cannot Retrieve X.509 Certificate SubjectDN
C.1.1.2 Signed SAML 1.0 Assertions Can Cause SSO Failures
C.1.1.3 Encrypting Network Connections
C.1.1.4 Connecting to an LDAP Server over SSL
C.1.1.5 thread interrupt Messages for RDBMS Message Store
C.1.1.6 Metadata File is Unusable when Oracle Identity Federation is Configured for SSL
C.1.1.7 ParseException Message in Diagnostic Log
C.1.2 Oracle Identity Federation Configuration Issues
C.1.2.1 Assertions Using SAML 1.x POST Method Fail in Japanese Locale
C.1.2.2 Failed to find orclfednamevalue Error
C.1.2.3 Configuring Audit Policies for Oracle Identity Federation Events
C.1.2.4 Empty JNDI Name Message
C.1.2.5 Database Column Too Short error for IDPPROVIDEDNAMEIDVALUE
C.1.3 Oracle Single Sign-On Login Issues
C.1.3.1 Incorrect Login Page Appears
C.1.3.2 Bookmarked Login Pages
C.1.3.3 Unable to Modify File Used to Upload Provider Metadata
C.1.4 Oracle Access Manager Configuration Issues
C.1.4.1 AccessGate Permission Error
C.1.4.2 Non-ASCII AccessGate ID
C.1.4.3 Setting LD_ASSUME_KERNEL Value
C.1.4.4 Using the Same Cookie Domain for Two Back-ends
C.1.4.5 Oracle Access Manager Integration Issues
C.1.5 Operating System Configuration Issues
C.1.5.1 File Descriptors on Linux
C.1.6 Runtime/Single Sign-On Issues
C.1.6.1 Bookmarking a WS-Federation Protected Resource
C.1.6.2 SP Unable to Map NameID to Local User
C.1.7 Performance Issues
C.1.7.1 Internal Error 500 when Using LDAP Store
Glossary
Index