3 Identity Federation WLST Commands
The Identity Federation WLST commands are organized into two categories.
Note:
Identity Federation WLST commands take attributes specified as key-value pairs or only the value; Oracle Access Management Access Manager takes only key-value pairs. Thus, WLST examples in this document might be defined in either manner. This WLST example uses key-value pairs.
setIdPPartnerAttributeProfileEntry(attrProfileID="openid-idp-attribute-profile", messageAttributeName="http://axschema.org/namePerson", oamSessionAttributeName="name", requestFromIdP="true")
3.1 Identity Federation Commands
Use the WLST commands listed in Table 3-1 to configure federation partners and partner profiles.
Note:
The Identity Federation command definitions begin with "addWSFed11IdPFederationPartner."
Table 3-1 WLST Commands for Identity Federation
| Use this command... | To... | Use with WLST... |
|---|---|---|
| addWSFed11IdPFederationPartner | Create a WS-Fed 1.1 IdP partner. | Online |
| addWSFed11SPFederationPartner | Create a WS-Fed 1.1 SP partner. | Online |
| addOpenID20IdPFederationPartner | Create an OpenID 2.0 IdP partner. | Online |
| addOpenID20SPFederationPartner | Create an OpenID 2.0 SP partner. | Online |
| addOpenID20GoogleIdPFederationPartner | Create a Google OpenID 2.0 IdP partner. | Online |
| addOpenID20YahooIdPFederationPartner | Create a Yahoo OpenID 2.0 IdP partner. | Online |
| addSAML11IdPFederationPartner | Create an IdP federation partner, including metadata, under the SAML 1.1 protocol. | Online |
| addSAML11SPFederationPartner | Create an SP federation partner, including metadata, under the SAML 1.1 protocol. | Online |
| addSAML20IdPFederationPartner | Create an IdP federation partner under the SAML 2.0 protocol. | Online |
| addSAML20SPFederationPartner | Create an SP federation partner under the SAML 2.0 protocol. | Online |
| addSAML20IdPFederationPartnerWithoutMetadata | Create an IdP federation partner under the SAML 2.0 protocol without importing metadata. | Online |
| addSAML20SPFederationPartnerWithoutMetadata | Create an SP federation partner under the SAML 2.0 protocol without importing metadata. | Online |
| configureIdPPartnerAttributeProfile | Configure an IdP partner attribute profile to specify whether incoming attributes that are not part of the profile should be ignored. | Online |
| configureSAML20Logout | Configure global federation logout for a SAML 2.0 federation partner. | Online |
| configureSAMLBinding | Configure the preferred binding for a SAML federation partner. | Online |
| configureUserSelfRegistration | Enable user self registration. | Online |
| configureUserSelfRegistrationAttr | Set which attributes from the assertion should be used as email, first name, last name or username during self registration. | Online |
| createAuthnSchemeAndModule | Create an authentication scheme and module for an IdP partner. | Online |
| createIdPPartnerAttributeProfile | Create an IdP partner attribute profile for a federation partner. | Online |
| createSPPartnerAttributeProfile | Create an SP partner attribute profile for a federation partner. | Online |
| deleteAuthnSchemeAndModule | Delete an authentication scheme and module for an IdP partner. | Online |
| deleteFederationPartner | Delete a specific federation partner. | Online |
| deleteFederationPartnerEncryptionCert | Delete the encryption certificate of a federation partner. | Online |
| deleteFederationPartnerSigningCert | Delete the signing certificate of a federation partner. | Online |
| deleteIdPPartnerAttributeProfile | Delete the attribute profile of an IdP federation partner. | Online |
| deleteSPPartnerAttributeProfile | Delete the attribute profile of an SP federation partner. | Online |
| deleteIdPPartnerAttributeProfileEntry | Delete an entry from the attribute profile of a federation partner. | Online |
| deleteSPPartnerAttributeProfileEntry | Delete an entry from the attribute profile of a federation partner. | Online |
| deletePartnerProperty | Delete a partner-specific property that was added to the partner's configuration. | Online |
| displayIdPPartnerAttributeProfile | Display an IdP federation partner's attribute profile. | Online |
| displaySPPartnerAttributeProfile | Display an SP federation partner's attribute profile. | Online |
| getAllFederationIdentityProviders | List all IdP federation partners. | Online |
| getFederationPartnerEncryptionCert | Retrieve the encryption certificate for a federation partner. | Online |
| getFederationPartnerSigningCert | Retrieve the signing certificate for a federation partner. | Online |
| getIdPPartnerBasicAuthCredentialUsername | Retrieve the HTTP basic authentication username for a federation partner. | Online |
| getPartnerProperty | Retrieve a property for a federation partner. | Online |
| getStringProperty | Retrieve a string property from a federation partner profile. | Online |
| isFederationPartnerPresent | Check whether a partner is configured. | Online |
| listIdPPartnerAttributeProfileIDs | List an IdP partner's attribute profiles. | Online |
| listSPPartnerAttributeProfileIDs | List an SP partner's attribute profiles. | Online |
| | Set an OpenID partner as the default Federation IdP. | Online |
| setDefaultSSOIdPPartner | Set an IdP partner as the default identity provider for a federation single sign-on. | Online |
| | Set the encryption certificate for a federation partner. | Online |
| | Set the signing certificate for a federation partner. | Online |
| | Set the attribute profile to use during federated single sign-on with an IdP partner. | Online |
| | Set the default OAM Authentication Scheme. | Online |
| | Set the attribute profile to use during federated single sign-on with an SP partner. | Online |
| setIdPPartnerAttributeProfileEntry | Set an entry in an IdP federation partner's profile. | Online |
| | Set an entry in an SP federation partner's profile. | Online |
| setSPPartnerAttributeValueMapping | Add or update an outgoing attribute value mapping in an SP profile. | Online |
| deleteSPPartnerAttributeValueMapping | Delete one or all of the value mappings of an outgoing attribute configured in an SP profile. | Online |
| displaySPPartnerAttributeValueMapping | Display the value mappings of one or all outgoing attributes configured in an SP profile. | Online |
| setIdPPartnerAttributeValueMapping | Add or update an incoming attribute value mapping in an IdP profile. | Online |
| deleteIdPPartnerAttributeValueMapping | Delete one or all of the value mappings of an incoming attribute configured in an IdP profile. | Online |
| displayIdPPartnerAttributeValueMapping | Display the value mappings of one or all incoming attributes configured in an IdP profile. | Online |
| setSPPartnerAttributeValueFilter | Add or update an attribute value filter in an SP profile. | Online |
| deleteSPPartnerAttributeValueFilter | Delete one or all of the value filters of an attribute configured in an SP profile. | Online |
| displaySPPartnerAttributeValueFilter | Display the value filters of one or all attributes configured in an SP profile. | Online |
| | Update a federation partner's HTTP basic auth credential. | Online |
| | Set the attribute used for assertion mapping for a federation partner. | Online |
| | Set the attribute query used for assertion mapping for a federation partner. | Online |
| | Set the assertion mapping nameID value for an IdP federation partner. | Online |
| | Update a federation partner's alias name. | Online |
| | Set a federation partner's identity store and base DN. | Online |
| | Configure an alternate Authentication Scheme. | Online |
| | Configure a default Authentication Scheme. | Online |
| | Configure the profile with a default Authentication Scheme. | Online |
| | Configure the profile for an alternate Authentication Scheme. | Online |
| | Update a federation partner's metadata. | Online |
| | Update a property for a federation partner. | Online |
3.1.1 addWSFed11IdPFederationPartner
The addWSFed11IdPFederationPartner command is an online command that creates a WS-Federation 1.1 IdP partner.
Description
Creates an IdP partner under the WS-Federation 1.1 protocol. The NameID will be mapped to the LDAP user mail attribute.
Syntax
addWSFed11IdPFederationPartner(partnerName,ssoURL, providerID, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
ssoURL | The Identity Realm Secure Token URL where users will be redirected at the IdP for WS-Federation 1.1 operations. |
providerID | Provider ID/Issuer used in the SAML Assertion. |
description | The description of the partner. Optional. |
Example
addWSFed11IdPFederationPartner("testpartner1", "http://idp.com/wsfed11", "http://idp.com", description="WS-Fed IdP1")
3.1.2 addWSFed11SPFederationPartner
The addWSFed11SPFederationPartner command is an online command that creates a WS-Federation 1.1 SP partner.
Description
Creates an SP partner under the WS-Federation 1.1 protocol.
Syntax
addWSFed11SPFederationPartner(partnerName, realm, ssoURL, samlVersion, msftADFSCompatible, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
realm | The realm identifier for this SP partner. It will be used in the WS-Federation 1.1 protocol exchange. |
ssoURL | The Identity Realm Secure Token URL where users will be redirected at the SP for WS-Federation 1.1 operations. |
samlVersion | The optional SAML version indicating what kind of Assertion to issue. Takes a value of saml11 (default) or saml20. |
msftADFSCompatible | An optional boolean indicating if the issued SSO Response should be in the Microsoft ADFS compatible format WS-Trust 1.2 or WS-Trust 1.3. |
description | The description of the partner. Optional. |
Example
addWSFed11SPFederationPartner("testpartner1", "http://sp.com", "http://sp.com/wsfed11", description="Test SP1")
3.1.3 addOpenID20IdPFederationPartner
The addOpenID20IdPFederationPartner command is an online command that creates an OpenID 2.0 IdP partner.
Description
Creates an IdP partner under the OpenID 2.0 protocol.
Syntax
addOpenID20IdPFederationPartner(partnerName, idpSSOURL, discoveryURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
idpSSOURL | The initiate SSO URL of the IdP. Can be set to "" if the discovery URL is specified and intended to be used. |
discoveryURL | The OpenID discovery URL of the IdP. |
description | The description of the partner. Optional. |
Example
addOpenID20IdPFederationPartner("testpartner1", "", "http://host:port/discoveryurl", description="Test IdP1")
3.1.4 addOpenID20SPFederationPartner
The addOpenID20SPFederationPartner command is an online command that creates an OpenID 2.0 SP partner.
Description
Creates an SP partner under the OpenID 2.0 protocol.
Syntax
addOpenID20SPFederationPartner(partnerName, realm, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
realm | The realm for the SP (RP). |
ssoURL | The endpoint URL of the SP (RP). |
description | The description of the partner. Optional. |
Example
addOpenID20SPFederationPartner(partnerName="partnerID", realm="http://realm.domain.com", ssoURL="http://host:port/endpoint", description="some description")
3.1.5 addOpenID20GoogleIdPFederationPartner
The addOpenID20GoogleIdPFederationPartner command is an online command that creates an IdP partner with the name google.
Description
Creates an IdP partner with the name google using the discovery URL https://www.google.com/accounts/o8/id.
Syntax
addOpenID20GoogleIdPFederationPartner()
Example
addOpenID20GoogleIdPFederationPartner()
3.1.6 addOpenID20YahooIdPFederationPartner
The addOpenID20YahooIdPFederationPartner command is an online command that creates an IdP partner with the name yahoo.
Description
Creates an IdP partner with the name yahoo using the discovery URL https://open.login.yahooapis.com/openid20/user_profile/xrds.
Syntax
addOpenID20YahooIdPFederationPartner()
Example
addOpenID20YahooIdPFederationPartner()
3.1.7 addSAML11IdPFederationPartner
The addSAML11IdPFederationPartner command is an online command that creates a SAML 1.1 IdP federation partner.
Description
Creates a SAML 1.1 IdP federation partner.
Syntax
addSAML11IdPFederationPartner(partnerName,providerID, ssoURL, soapURL, succinctID, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
soapURL | The artifact resolution SOAP endpoint URL of the IdP. |
succinctID | The succinctID of the provider. |
description | The description of the partner. Optional. |
Example
addSAML11IdPFederationPartner(partnerName="partnerID", providerID="providerA", ssoURL="http://host:port/saml11sso", soapURL="http://host:port/soapurl", succinctID="1234", description="somedescription")
3.1.8 addSAML11SPFederationPartner
The addSAML11SPFederationPartner command is an online command that creates a SAML 1.1 SP federation partner.
Description
Creates a SAML 1.1 SP federation partner.
Syntax
addSAML11SPFederationPartner(partnerName,providerID, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
description | The description of the partner. Optional. |
Example
addSAML11SPFederationPartner(partnerName="partnerID", providerID="providerA", ssoURL="http://host:port/saml11sso", description="somedescription")
3.1.9 addSAML20IdPFederationPartner
The addSAML20IdPFederationPartner command is an online command that creates a SAML 2.0 IdP Federation partner.
Description
Creates a federation partner as an identity provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.
Syntax
addSAML20IdPFederationPartner(partnerName, metadataFile, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
metadataFile | The location of the metadata file (full path). |
description | The description of the partner. Optional. |
Example
addSAML20IdPFederationPartner(partnerName="partnerID", metadataFile="location_metadata_file", description="somedescription")
3.1.10 addSAML20SPFederationPartner
The addSAML20SPFederationPartner command is an online command that creates a SAML 2.0 SP Federation partner.
Description
Creates a federation partner as a service provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.
Syntax
addSAML20SPFederationPartner(partnerName, metadataFile, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
metadataFile | The location of the metadata file (full path). |
description | The description of the partner. Optional. |
Example
addSAML20SPFederationPartner(partnerName="partnerID", metadataFile="location_metadata_file", description="somedescription")
3.1.11 addSAML20IdPFederationPartnerWithoutMetadata
The addSAML20IdPFederationPartnerWithoutMetadata command is an online command that creates a SAML20 IdP federation partner without SAML 2.0 metadata.
Description
Creates a SAML20 IdP federation partner without loading SAML 2.0 metadata.
Syntax
addSAML20IdPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, soapURL, succinctID, description)
Argument | Definition |
---|---|
partnerName | The name of the federation partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
soapURL | The artifact resolution SOAP endpoint URL of the IdP. |
succinctID | The succinctID of the provider. |
description | The description of the partner. Optional. |
Example
addSAML20IdPFederationPartnerWithoutMetadata(partnerName="partnerName", providerID="http://host:port", ssoURL="http://host:port/saml/sso", soapURL="http://host:port/saml/soap",description="some description")
3.1.12 addSAML20SPFederationPartnerWithoutMetadata
The addSAML20SPFederationPartnerWithoutMetadata command is an online command that creates a SAML20 SP federation partner without SAML 2.0 metadata.
Description
Creates a SAML20 SP federation partner without loading SAML 2.0 metadata.
Syntax
addSAML20SPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the federation partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
description | The description of the partner. Optional. |
Example
addSAML20SPFederationPartnerWithoutMetadata(partnerName="partnerName", providerID="http://host:port", ssoURL="http://host:port/saml/sso", description="somedescription")
3.1.13 configureIdPPartnerAttributeProfile
The configureIdPPartnerAttributeProfile command is an online command that configures an IdP partner attribute profile to process incoming attributes.
Description
Configures an IdP partner attribute profile to process or ignore incoming attributes not defined in the profile.
Syntax
configureIdPPartnerAttributeProfile(attrProfileID, ignoreUnmappedAttributes)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile to configure. |
ignoreUnmappedAttributes | Determines whether incoming attributes that are not defined in the profile should be ignored. Valid values are true (ignore) or (the default) false (process). |
Example
configureIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile", ignoreUnmappedAttributes="false")
3.1.14 configureSAML20Logout
The configureSAML20Logout command is an online command that configures global federation logout for a SAML 2.0 partner.
Description
Configures global federation logout for a SAML 2.0 federation partner.
Syntax
configureSAML20Logout(partnerName, partnerType, enable, saml20LogoutRequestURL, saml20LogoutResponseURL, soapURL)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Whether the partner is a service provider or identity provider. Valid values are sp, idp. |
enable | Enable or disable global logout for that partner. Valid values are true (enable), false (disable). |
saml20LogoutRequestURL | The SAML 2.0 logout request service URL. Optional if the partner was created using metadata, or if logout is disabled. |
saml20LogoutResponseURL | The SAML 2.0 logout response service URL. This is optional if the partner was created using metadata, or if logout is disabled. |
soapURL | The SAML 2.0 SOAP Service URL. This is optional if the partner was created using metadata, if logout is disabled, or if SOAP logout is not supported. |
Example
configureSAML20Logout(partnerName="partnerID", partnerType="sp", enable="true", saml20LogoutRequestURL="http://host:port/saml/logoutrequest", saml20LogoutResponseURL="http://host:port/saml/logoutresponse", soapURL="http://host:port/saml/soap")
3.1.15 configureSAMLBinding
The configureSAMLBinding command is an online command that specifies the binding for a SAML partner.
Description
Configures the preferred binding for a SAML Partner.
Syntax
configureSAMLBinding(partnerName, partnerType, binding, ssoResponseBinding="httppost")
Argument | Definition |
---|---|
partnerName | The name of the partner to be configured. |
partnerType | Indicates whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
binding | Specifies the binding to use for messages other than SSO responses (authentication requests, logout messages). Valid options are httppost for HTTP-POST binding and httpredirect for HTTP-Redirect binding. |
ssoResponseBinding | This optional attribute defines the binding to use for an SSO response. Valid options are httppost for HTTP-POST binding (the default value), httpredirect for HTTP-Redirect binding or artifact for Artifact binding. |
Example
configureSAMLBinding(partnerName="partnerID", partnerType="sp", binding="httpredirect", ssoResponseBinding="httppost")
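As an added example (not Oracle code), the following Python builds the key-value form of the commands from sections 3.1.12, 3.1.14 and 3.1.15 and enforces the argument contracts they state before anything is pasted into a WLST session; the created_from_metadata flag and the https-only URL check are assumptions of this example, not command parameters.

```python
"""Pre-flight builder for the SAML 2.0 partner WLST calls (added example).

Enforces what the reference states: partnerType is sp or idp, binding is
httppost or httpredirect, ssoResponseBinding also allows artifact, and
configureSAML20Logout may omit the logout URLs only when logout is disabled
or the partner was created from metadata. The created_from_metadata flag and
the https-only check are this example's own assumptions.
"""

PARTNER_TYPES = ("sp", "idp")
MESSAGE_BINDINGS = ("httppost", "httpredirect")
SSO_RESPONSE_BINDINGS = ("httppost", "httpredirect", "artifact")


def _kv(**kwargs):
    """Render WLST key-value arguments in call order, dropping unset (None) ones."""
    return ", ".join('%s="%s"' % (k, v) for k, v in kwargs.items() if v is not None)


def _check_url(name, url):
    """Require a non-empty https endpoint (the https rule is an assumption added here)."""
    if not url:
        raise ValueError("%s is required" % name)
    if not url.startswith("https://"):
        raise ValueError("%s must be an https URL, got %r" % (name, url))


def add_saml20_sp_partner_without_metadata(partner_name, provider_id, sso_url,
                                           description=None):
    """addSAML20SPFederationPartnerWithoutMetadata (3.1.12)."""
    if not partner_name or not provider_id:
        raise ValueError("partnerName and providerID are required")
    _check_url("ssoURL", sso_url)
    return "addSAML20SPFederationPartnerWithoutMetadata(%s)" % _kv(
        partnerName=partner_name, providerID=provider_id, ssoURL=sso_url,
        description=description)


def configure_saml_binding(partner_name, partner_type, binding,
                           sso_response_binding="httppost"):
    """configureSAMLBinding (3.1.15) with the documented value sets enforced."""
    if partner_type not in PARTNER_TYPES:
        raise ValueError("partnerType must be one of %s" % (PARTNER_TYPES,))
    if binding not in MESSAGE_BINDINGS:
        raise ValueError("binding must be one of %s" % (MESSAGE_BINDINGS,))
    if sso_response_binding not in SSO_RESPONSE_BINDINGS:
        raise ValueError("ssoResponseBinding must be one of %s" % (SSO_RESPONSE_BINDINGS,))
    return "configureSAMLBinding(%s)" % _kv(
        partnerName=partner_name, partnerType=partner_type, binding=binding,
        ssoResponseBinding=sso_response_binding)


def configure_saml20_logout(partner_name, partner_type, enable, created_from_metadata,
                            logout_request_url=None, logout_response_url=None,
                            soap_url=None):
    """configureSAML20Logout (3.1.14); which URLs are required depends on enable/metadata."""
    if partner_type not in PARTNER_TYPES:
        raise ValueError("partnerType must be one of %s" % (PARTNER_TYPES,))
    if not enable:
        # Logout disabled: the service URLs are optional, so none are emitted.
        return "configureSAML20Logout(%s)" % _kv(
            partnerName=partner_name, partnerType=partner_type, enable="false")
    if not created_from_metadata:
        # No metadata on record means no logout endpoints are known: both are required.
        _check_url("saml20LogoutRequestURL", logout_request_url)
        _check_url("saml20LogoutResponseURL", logout_response_url)
    if soap_url is not None:
        # soapURL stays optional (SOAP logout may be unsupported) but is checked when given.
        _check_url("soapURL", soap_url)
    return "configureSAML20Logout(%s)" % _kv(
        partnerName=partner_name, partnerType=partner_type, enable="true",
        saml20LogoutRequestURL=logout_request_url,
        saml20LogoutResponseURL=logout_response_url, soapURL=soap_url)


def onboard_sp_without_metadata(partner_name, provider_id, sso_url,
                                logout_request_url, logout_response_url,
                                soap_url=None, description=None):
    """Full sequence for a metadata-less SP: create, pin bindings, enable logout."""
    return [
        add_saml20_sp_partner_without_metadata(partner_name, provider_id, sso_url, description),
        configure_saml_binding(partner_name, "sp", "httppost", "httppost"),
        configure_saml20_logout(partner_name, "sp", True, False,
                                logout_request_url, logout_response_url, soap_url),
    ]


if __name__ == "__main__":
    # Constructed sample values; paste the printed lines into a WLST session.
    for line in onboard_sp_without_metadata(
            "acme-sp", "https://sp.example.com/saml", "https://sp.example.com/saml/sso",
            "https://sp.example.com/saml/logoutrequest",
            "https://sp.example.com/saml/logoutresponse"):
        print(line)
```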
3.1.16 configureUserSelfRegistration
The configureUserSelfRegistration command is an online command that enables the user self-registration module.
Description
Enables the user self-registration module.
Syntax
configureUserSelfRegistration(<enabled>, <registrationURL>, <regDataRetrievalAuthnEnabled>, <regDataRetrievalAuthnUsername>, <regDataRetrievalAuthnPassword>, <partnerName>)
Argument | Definition |
---|---|
enabled | Indicates if the user self-registration module is enabled. Takes a value of true or false. |
registrationURL | The location to which the user will be redirected for self-registration. If partnerName is not specified, and if registrationURL is empty or missing, the current property will be unchanged. If partnerName is specified, and if registrationURL is empty or missing, this property will be removed from the partner's configuration. |
regDataRetrievalAuthnEnabled | Indicates if authentication of the registration page is enabled when contacting the server to retrieve registration data. |
regDataRetrievalAuthnUsername | Specifies the username the registration page will send to the server when retrieving the registration data from the server. |
regDataRetrievalAuthnPassword | Specifies the password the registration page will send to the server when retrieving the registration data from the server. |
partnerName | Indicates the IdP partner for which to enable user self-registration. If missing, the configuration operation will be global. |
Example
configureUserSelfRegistration("true", regDataRetrievalAuthnEnabled="true", regDataRetrievalAuthnUsername="username", regDataRetrievalAuthnPassword="password")
3.1.17 configureUserSelfRegistrationAttr
The configureUserSelfRegistrationAttr command is an online command that sets the attributes in an assertion that will be used as email, first name, last name, and username.
Description
Sets the attributes in an assertion that will be used as email, first name, last name and username.
Syntax
configureUserSelfRegistrationAttr(<registrationAttrName>, <assertionAttrNames>, <partnerName>)
Argument | Definition |
---|---|
registrationAttrName | The self-registration page attribute to set. Can be one of the following values: email, firstname, lastname or username. |
assertionAttrNames | The possible attributes from the assertion that can be used to populate the self-registration page field specified as the registrationAttrName. |
partnerName | Indicates the IdP partner for which to configure user self-registration. If missing, the configuration operation will be global. |
Example
configureUserSelfRegistrationAttr("email", "mail,fed.nameidvalue")
The second parameter means that mail or fed.nameidvalue from the assertion can be used to populate the email attribute in the user's self registration page.
3.1.18 createAuthnSchemeAndModule
The createAuthnSchemeAndModule command is an online command that creates an authentication scheme that uses an OpenID IdP.
Description
Creates an authentication scheme that uses an OpenID IdP to protect resources in Access Manager.
Syntax
createAuthnSchemeAndModule(partnerName)
Argument | Definition |
---|---|
partnerName | The name of the partner for whom the scheme is to be created. |
Example
createAuthnSchemeAndModule("testpartner")
3.1.19 createIdPPartnerAttributeProfile
The createIdPPartnerAttributeProfile command is an online command that creates an IdP attribute profile. This will contain name mapping rules used to process attributes in incoming SAML assertions.
Description
Creates an IdP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions.
Syntax
createIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier of the IdP attribute profile. |
Example
createIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")
3.1.20 createSPPartnerAttributeProfile
The createSPPartnerAttributeProfile command is an online command that creates an SP attribute profile. This will contain name mapping rules used to process attributes in incoming SAML Assertions.
Description
Creates an SP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions.
Syntax
createSPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier of the SP attribute profile. |
Example
createSPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")
3.1.21 deleteAuthnSchemeAndModule
The deleteAuthnSchemeAndModule command is an online command that deletes an authentication scheme for an IdP partner.
Description
Deletes an authentication scheme for an IdP partner.
Syntax
deleteAuthnSchemeAndModule(partnerName)
Argument | Definition |
---|---|
partnerName | The name of the partner whose scheme is to be deleted. |
Example
deleteAuthnSchemeAndModule("testpartner")
3.1.22 deleteFederationPartner
The deleteFederationPartner command is an online command that deletes a federation partner from Access Manager.
Description
Deletes a federation partner from Access Manager.
Syntax
deleteFederationPartner(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Example
deleteFederationPartner(partnerName="partnerID", partnerType="idp")
3.1.23 deleteFederationPartnerEncryptionCert
The deleteFederationPartnerEncryptionCert command is an online command that deletes the encryption certificate of a federation partner.
Description
Deletes the encryption certificate of a federation partner.
Syntax
deleteFederationPartnerEncryptionCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner whose encryption certificate is to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Example
deleteFederationPartnerEncryptionCert(partnerName="customPartner", partnerType="idp")
3.1.24 deleteFederationPartnerSigningCert
The deleteFederationPartnerSigningCert command is an online command that deletes the signing certificate of a federation partner.
Description
Deletes the signing certificate of a federation partner.
Syntax
deleteFederationPartnerSigningCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner whose signing certificate is to be deleted. |
partnerType | Specifies whether the partner is a service provider or identity provider. Valid values are sp, idp. |
Example
deleteFederationPartnerSigningCert(partnerName="customPartner",partnerType="idp")
3.1.25 deleteIdPPartnerAttributeProfile
The deleteIdPPartnerAttributeProfile command is an online command that deletes an IdP partner attribute profile.
Description
Deletes an IdP partner attribute profile.
Syntax
deleteIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
Example
deleteIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")
3.1.26 deleteSPPartnerAttributeProfile
The deleteSPPartnerAttributeProfile command is an online command that deletes an SP partner attribute profile.
Description
Deletes an SP partner attribute profile.
Syntax
deleteSPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP partner attribute profile. |
Example
deleteSPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")
3.1.27 deleteIdPPartnerAttributeProfileEntry
The deleteIdPPartnerAttributeProfileEntry command is an online command that deletes an entry from the IdP partner attribute profile.
Description
Deletes an attribute from the attribute profile.
Syntax
deleteIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message. |
Example
deleteIdPPartnerAttributeProfileEntry(attrProfileID="idp-attribute-profile", messageAttributeName="first_name")
3.1.28 deleteSPPartnerAttributeProfileEntry
The deleteSPPartnerAttributeProfileEntry command is an online command that deletes an entry from the SP Partner attribute profile.
Description
Deletes an attribute from the attribute profile.
Syntax
deleteSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP partner attribute profile. |
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message. |
Example
deleteSPPartnerAttributeProfileEntry(attrProfileID="sp-attribute-profile", messageAttributeName="first_name")
3.1.29 deletePartnerProperty
The deletePartnerProperty command is an online command that deletes a partner-specific property.
Description
Deletes a partner-specific property. Use this command only for a property that was added to the partner's configuration.
See Advanced Identity Federation Commands for information regarding SAML 1.1.
Syntax
deletePartnerProperty(partnerName,partnerType,propName)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
propName | The name of the configured property to be removed. |
Example
deletePartnerProperty(partnerName="partner1025", partnerType="sp/idp", propName="includecertinsignature")
3.1.30 displayIdPPartnerAttributeProfile
The displayIdPPartnerAttributeProfile command is an online command that displays a partner attribute profile.
Description
Display the content of an IdP Partner Attribute Profile.
Syntax
displayIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile to be displayed. |
Example
displayIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")
3.1.31 displaySPPartnerAttributeProfile
The displaySPPartnerAttributeProfile command is an online command that displays an SP partner attribute profile.
Description
Display the content of an SP Partner Attribute Profile.
Syntax
displaySPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP partner attribute profile to be displayed. |
Example
displaySPPartnerAttributeProfile(attrProfileID="sp-attribute-profile")
3.1.32 getAllFederationIdentityProviders
The getAllFederationIdentityProviders command is an online command that lists all federation identity providers.
Description
Displays a list of all federation identity providers for Access Manager.
Syntax
getAllFederationIdentityProviders()
Example
getAllFederationIdentityProviders()
3.1.33 getAllFederationServiceProviders
The getAllFederationServiceProviders command is an online command that lists all federation service providers.
Description
Displays a list of all federation service providers for Access Manager.
Syntax
getAllFederationServiceProviders()
Example
getAllFederationServiceProviders()
3.1.34 getFederationPartnerEncryptionCert
The getFederationPartnerEncryptionCert command is an online command that retrieves the encryption certificate for a partner.
Description
Retrieves the encryption certificate for a federation partner.
Syntax
getFederationPartnerEncryptionCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the encryption certificate will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Example
getFederationPartnerEncryptionCert(partnerName="customPartner",partnerType="idp")
3.1.35 getFederationPartnerSigningCert
The getFederationPartnerSigningCert command is an online command that retrieves the signing certificate for a partner.
Description
Retrieves the signing certificate for a federation partner.
Syntax
getFederationPartnerSigningCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the signing certificate will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Example
getFederationPartnerSigningCert(partnerName="partnerID1", partnerType="idp")
3.1.36 getIdPPartnerBasicAuthCredentialUsername
The getIdPPartnerBasicAuthCredentialUsername command is an online command that gets a partner's basic authentication username.
Description
Retrieves the HTTP basic authentication username for a federation partner.
Syntax
getIdPPartnerBasicAuthCredentialUsername(partnerName)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the username will be retrieved and displayed. |
Example
getIdPPartnerBasicAuthCredentialUsername(partnerName="partnerID5")
3.1.37 getPartnerProperty
The getPartnerProperty command is an online command that retrieves a partner property.
Description
Retrieves a property for a federation partner.
Syntax
getPartnerProperty(partnerName, partnerType, propName)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the property will be retrieved. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
propName | The name of the property to configure. |
Example
getPartnerProperty(partnerName="partnerID4", partnerType="sp", propName="providertrusted")
3.1.38 getStringProperty
The getStringProperty command is an online command that retrieves a string property for a federation partner profile.
Description
Retrieves a string property for a federation partner profile.
If a partner does not have an attribute profile assigned to it, the default attribute profile (based on whether the partner is an IdP or SP) will be used. The defaultattributeprofileidp and defaultattributeprofilesp properties in the fedserverconfig file reference the default profiles.
Syntax
getStringProperty("/fedserverconfig/<propertyName>")
Argument | Definition |
---|---|
propertyName | The name of the property to be retrieved. Default partner profiles are available after installation and the following properties reference them. Default property values can be retrieved by replacing propertyName with one of the following: |
Example
getStringProperty("/fedserverconfig/defaultpartnerprofileidpopenid20")
3.1.39 isFederationPartnerPresent
The isFederationPartnerPresent command is an online command that verifies if the partner is configured in Access Manager.
Description
Checks whether the specified federation partner is defined in Access Manager.
Syntax
isFederationPartnerPresent(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The partner ID. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Example
isFederationPartnerPresent(partnerName="partnerABC", partnerType="sp")
3.1.40 listIdPPartnerAttributeProfileIDs
The listIdPPartnerAttributeProfileIDs command is an online command that lists the IdP partner attribute profiles.
Description
List the identifiers of the existing IdP Partner Attribute Profiles.
Syntax
listIdPPartnerAttributeProfileIDs()
Example
listIdPPartnerAttributeProfileIDs()
3.1.41 listSPPartnerAttributeProfileIDs
The listSPPartnerAttributeProfileIDs command is an online command that lists the SP partner attribute profiles.
Description
List the identifiers of the existing SP Partner Attribute Profiles.
Syntax
listSPPartnerAttributeProfileIDs()
Example
listSPPartnerAttributeProfileIDs()
3.1.42 putStringProperty
The putStringProperty command is an online command that puts a string value under a designated path in the OSTS configuration.
Description
Puts a string value under a designated path in the OSTS configuration.
Syntax
putStringProperty(path="/validationtemplates/username-wss-validation-template/StringNAME",value="TestString")
Argument | Definition |
---|---|
path | Path inside the configuration where the string property will be put. |
value | The string value to be stored. |
Example
putStringProperty("/spglobal/defaultssoidp", "testpartner")
3.1.43 setDefaultSSOIdPPartner
The setDefaultSSOIdPPartner command is an online command that sets the IdP partner to serve as the default IdP for federated single sign-on (SSO).
Description
If not set by the federation authentication plugin at run time, sets the IdP partner to serve as the default IdP during federated SSO.
Syntax
setDefaultSSOIdPPartner(partnerName)
Argument | Definition |
---|---|
partnerName | ID of the partner which will serve as the default IdP for federated SSO. |
Example
setDefaultSSOIdPPartner(partnerName="partner25")
3.1.44 setFederationPartnerEncryptionCert
The setFederationPartnerEncryptionCert command is an online command that sets the encryption certificate for a partner.
Description
Sets the encryption certificate for a federation partner.
Syntax
setFederationPartnerEncryptionCert(partnerName,partnerType,certFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are idp, sp. |
certFile | The full path and name of the file that stores the encryption certificate. Certificates can be in either PEM or DER format. |
Example
setFederationPartnerEncryptionCert (partnerName="customPartner",partnerType="idp", certFile="/temp/encryption_cert")
3.1.45 setFederationPartnerSigningCert
The setFederationPartnerSigningCert command is an online command that sets the signing certificate for a federation partner.
Description
Sets the signing certificate for a federation partner.
Syntax
setFederationPartnerSigningCert(partnerName,partnerType,certFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are idp, sp. |
certFile | The full path and name of the file that stores the signing certificate. Certificates can be in either PEM or DER format. |
Example
setFederationPartnerSigningCert (partnerName="customPartner", partnerType="idp", certFile="/temp/signing_cert")
3.1.46 setIdPPartnerAttributeProfile
The setIdPPartnerAttributeProfile command is an online command that sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.
Description
Sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.
Syntax
setIdPPartnerAttributeProfile(partnerName, attrProfileID)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrProfileID | The IdP partner attribute profile ID to be set. |
Example
setIdPPartnerAttributeProfile(partnerName="partnerID5", attrProfileID="idp-attribute-profile")
3.1.47 setIdPDefaultScheme
The setIdPDefaultScheme command is an online command that sets the default OAM Authentication Scheme to be used to challenge a user.
Description
Sets the default OAM Authentication Scheme that will be used to challenge a user.
Syntax
setIdPDefaultScheme(authnScheme, appDomain, hostID, authzPolicy="ProtectedResourcePolicy")
Argument | Definition |
---|---|
authnScheme | The OAM Authentication Scheme. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID to be used when creating the underlying resource policy object. |
authzPolicy | Optional. The name of the Authorization Policy to be used to protect the underlying resource policy object being created. |
Example
setIdPDefaultScheme('LDAPScheme')
Prepend the command with "fed." if running on the WebSphere platform.
3.1.48 setSPPartnerAttributeProfile
The setSPPartnerAttributeProfile command is an online command that sets an SP partner attribute profile to an SP partner.
Description
Sets the SP partner attribute profile to use with an SP partner.
Syntax
setSPPartnerAttributeProfile(partnerName, attrProfileID)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrProfileID | The ID of the SP partner attribute profile to be set. |
Example
setSPPartnerAttributeProfile(partnerName="partnerID5", attrProfileID="sp-attribute-profile")
3.1.49 setIdPPartnerAttributeProfileEntry
The setIdPPartnerAttributeProfileEntry command is an online command that sets the IdP federation partner profile.
Description
Update an entry in the IdP Partner Attribute Profile.
Syntax
setIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName, oamSessionAttributeName, requestFromIdP)
Argument | Definition |
---|---|
attrProfileID | The IdP partner attribute profile. |
messageAttributeName | The name of the message attribute. |
oamSessionAttributeName | The name of the attribute as it will appear in the Access Manager session. |
requestFromIdP | Determines whether this attribute should be requested from the IdP partner. Valid values are true, false. |
Example
setIdPPartnerAttributeProfileEntry(attrProfileID="idp-attribute-profile", messageAttributeName="first_name", oamSessionAttributeName="first_name", requestFromIdP="true")
3.1.50 setSPPartnerAttributeProfileEntry
The setSPPartnerAttributeProfileEntry command is an online command that sets the SP federation partner profile.
Description
Sets an entry in the SP Partner Attribute Profile.
Syntax
setSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName, value, alwaysSend)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP Partner Attribute Profile in which the entry will be set. |
messageAttributeName | The name of the attribute as it will appear in the outgoing message. |
value | Value of the attribute element. It can be a static string, user attribute, session attribute or a combination of those types. |
alwaysSend | Signifies whether or not this attribute should always be sent to the SP Partner. Valid values are true, false. If false, it will only be sent if the SP Partner requests it (OpenID supports this). |
Example
setSPPartnerAttributeProfileEntry(attrProfileID="sp-attribute-profile", messageAttributeName="first_name", value="$user.attr.givenname", alwaysSend="true")
3.1.51 setSPPartnerAttributeValueMapping
The setSPPartnerAttributeValueMapping command is an online command that adds or updates an outgoing attribute value mapping in an SP profile.
Description
Adds or updates an outgoing attribute value mapping in an SP profile.
Syntax
setSPPartnerAttributeValueMapping(attrProfileID, messageAttributeName, sendUnmappedValues, localValue, externalValue, default, ignoreCase, localNull, externalNull)
Argument | Definition |
---|---|
attrProfileID | ID of the SP profile. |
messageAttributeName | Message attribute name as defined in the attribute name mappings. |
sendUnmappedValues | Optional. If set to true, values for which no mapping is defined are sent. This setting applies to the attribute itself and not to a particular mapping. Default is false for the first mapping. For the following mappings, the sendUnmappedValues value is not changed if not set. |
localValue | Optional. The local value of the attribute. Default is empty string. |
externalValue | Optional. The corresponding value to send in external messages. Default is empty string. |
default | Optional. If set to true, indicates that this external value is used when a local value can be mapped to different external values. Only one mapping can have default set to true. Default is false. |
ignoreCase | Optional. If set to true, indicates that the string comparison must be case-sensitive when matching the attribute values. Default is false. |
localNull | Optional. If set to true, indicates that the local value equals a null string (this is different from an empty string). Default is false. |
externalNull | Optional. If set to true, indicates that the external value equals a null string (this is different from an empty string). Default is false. |
Example
setSPPartnerAttributeValueMapping(attrProfileID='idp-attribute-profile', messageAttributeName='TITLE',sendUnmappedValues='true',localValue='Doctor',externalValue='Dr',ignoreCase="true")
3.1.52 deleteSPPartnerAttributeValueMapping
The deleteSPPartnerAttributeValueMapping command is an online command that deletes one or all the value mappings of an outgoing attribute configured in an SP profile.
Description
Deletes one or all the value mappings of an outgoing attribute configured in an SP profile
Syntax
deleteSPPartnerAttributeValueMapping(attrProfileID, messageAttributeName, localValue, externalValue)
Argument | Definition |
---|---|
attrProfileID | ID of the SP profile. |
messageAttributeName | Message attribute name as defined in the attribute name mappings. |
localValue | Optional. The local value of the mapping that needs to be deleted. If both |
externalValue | Optional. The external value of the mapping that needs to be deleted. If both |
Example 1
To delete all the value mappings of attribute TITLE:
deleteSPPartnerAttributeValueMapping(attrProfileID='sp-attribute-profile', messageAttributeName='TITLE')
Example 2
To delete a value mapping of attribute TITLE identified by its local and external values:
deleteSPPartnerAttributeValueMapping(attrProfileID='sp-attribute-profile', messageAttributeName='TITLE', localValue='Doctor', externalValue='Dr')
3.1.53 displaySPPartnerAttributeValueMapping
The displaySPPartnerAttributeValueMapping command is an online command that displays the value mappings of one or all outgoing attributes configured in an SP profile.
Description
Displays the value mappings of one or all outgoing attributes configured in an SP profile.
Syntax
displaySPPartnerAttributeValueMapping(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | ID of the SP profile. |
messageAttributeName | Optional. Message attribute name as defined in the attribute name mappings. If set, only the value mappings for the specified attribute are displayed. If not set, the value mappings for all attributes are displayed. |
Example 1
To display the value mappings of all attributes:
displaySPPartnerAttributeValueMapping(attrProfileID='sp-attribute-profile')
Example 2
To display the value mappings of attribute TITLE:
displaySPPartnerAttributeValueMapping(attrProfileID='sp-attribute-profile', messageAttributeName='TITLE')
3.1.54 setIdPPartnerAttributeValueMapping
The setIdPPartnerAttributeValueMapping command is an online command that adds or updates an incoming attribute value mapping in an IdP profile.
Description
Adds or updates an incoming attribute value mapping in an IdP profile.
Syntax
setIdPPartnerAttributeValueMapping(attrProfileID, oamSessionAttributeName, receiveUnmappedValues, receivedValue, externalValue, default, ignoreCase, receivedNull, externalNull)
Argument | Definition |
---|---|
attrProfileID | ID of the IdP profile. |
oamSessionAttributeName | OAM session attribute name, as defined in the attribute name mappings. |
receiveUnmappedValues | Optional. If set to true, values for which no mapping is defined are received. This setting applies to the attribute itself and not to a particular mapping. Default is false for the first mapping. For the subsequent mappings, the receiveUnmappedValues value is not changed if not set. |
receivedValue | Optional. The value received in the message. Default is empty string. |
externalValue | Optional. The corresponding value to be saved in the session. Default is empty string. |
default | Optional. If set to true, indicates that this external value is used when a received value can be mapped to different external values. Only one mapping can have default set to true. Default is false. |
ignoreCase | Optional. If set to true, indicates that the string comparison must be case-sensitive when matching the attribute values. Default is false. |
receivedNull | Optional. If set to true, indicates that the received value equals a null string (this is different from an empty string). Default is false. |
externalNull | Optional. If set to true, indicates that the external value equals a null string (this is different from an empty string). Default is false. |
Example
setIdPPartnerAttributeValueMapping(attrProfileID='idp-attribute-profile', oamSessionAttributeName='title', receiveUnmappedValues='true', receivedValue='Doctor', externalValue='Dr', ignoreCase="true")
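How the per-mapping flags (default, ignoreCase, the *Null flags) combine with the attribute-level sendUnmappedValues/receiveUnmappedValues switch is easier to see in code. The following Python model is an added illustration, not Oracle's implementation; it serves both setSPPartnerAttributeValueMapping and setIdPPartnerAttributeValueMapping, which differ only in direction, and it assumes ignoreCase='true' means case-insensitive matching, as the parameter name suggests (confirm against your release).

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ValueMapping:
    """One entry of an attribute value mapping.

    For an SP profile the pair is localValue -> externalValue, for an IdP
    profile receivedValue -> externalValue; the logic is the same. None
    models the *Null='true' flags (an absent value), which the commands
    distinguish from the empty string ''.
    """
    from_value: Optional[str] = ""
    to_value: Optional[str] = ""
    default: bool = False      # chosen when several mappings match one value
    ignore_case: bool = False  # assumed to mean case-insensitive matching

    def matches(self, value: Optional[str]) -> bool:
        if self.from_value is None or value is None:
            return self.from_value is None and value is None
        if self.ignore_case:
            return self.from_value.casefold() == value.casefold()
        return self.from_value == value


@dataclass
class AttributeValueMappings:
    """All value mappings of one attribute (TITLE in the page's examples)."""
    pass_unmapped: bool = False  # sendUnmappedValues / receiveUnmappedValues
    mappings: List[ValueMapping] = field(default_factory=list)

    def set_mapping(self, from_value: Optional[str], to_value: Optional[str],
                    default: bool = False, ignore_case: bool = False,
                    pass_unmapped: Optional[bool] = None) -> None:
        """Add or update one mapping, like set*PartnerAttributeValueMapping.

        pass_unmapped is an attribute-level flag: False until set, and left
        unchanged by later calls that omit it.
        """
        if pass_unmapped is not None:
            self.pass_unmapped = pass_unmapped
        same = [m for m in self.mappings
                if m.from_value == from_value and m.to_value == to_value]
        if default and any(m.default for m in self.mappings if m not in same):
            raise ValueError("only one mapping per attribute may have default=true")
        if same:
            same[0].default, same[0].ignore_case = default, ignore_case
        else:
            self.mappings.append(ValueMapping(from_value, to_value, default, ignore_case))

    def apply(self, values: List[Optional[str]]) -> List[Optional[str]]:
        """Translate the values of one attribute through the mappings."""
        out: List[Optional[str]] = []
        for value in values:
            hits = [m for m in self.mappings if m.matches(value)]
            if not hits:
                if self.pass_unmapped:
                    out.append(value)  # forwarded as-is only when allowed
                continue               # otherwise the value is dropped
            if len(hits) > 1:
                hits = [m for m in hits if m.default]
                if not hits:
                    raise ValueError(f"ambiguous mapping for {value!r} and no default")
            out.append(hits[0].to_value)
        return out


def title_mappings() -> AttributeValueMappings:
    """The TITLE mappings from the page's example, plus two constructed entries."""
    title = AttributeValueMappings()
    # setSPPartnerAttributeValueMapping(..., messageAttributeName='TITLE',
    #     sendUnmappedValues='true', localValue='Doctor', externalValue='Dr',
    #     ignoreCase='true')
    title.set_mapping("Doctor", "Dr", ignore_case=True, pass_unmapped=True)
    # Constructed: a second, case-sensitive mapping for the same local value,
    # marked default so that an exact "Doctor" resolves unambiguously.
    title.set_mapping("Doctor", "Dr.", default=True)
    # Constructed: localNull='true', an absent TITLE is sent as "n/a".
    title.set_mapping(None, "n/a")
    return title


if __name__ == "__main__":
    print(title_mappings().apply(["doctor", "Doctor", None, "Professor"]))
    # -> ['Dr', 'Dr.', 'n/a', 'Professor']
```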
3.1.55 deleteIdPPartnerAttributeValueMapping
The deleteIdPPartnerAttributeValueMapping command is an online command that deletes one or all the value mappings of an incoming attribute configured in an IdP profile.
Description
Deletes one or all the value mappings of an incoming attribute configured in an IdP profile.
Syntax
deleteIdPPartnerAttributeValueMapping(attrProfileID, oamSessionAttributeName, receivedValue, externalValue)
Argument | Definition |
---|---|
attrProfileID | ID of the IdP profile. |
oamSessionAttributeName | OAM session attribute name, as defined in the attribute name mappings. |
receivedValue | Optional. The received value of the mapping that needs to be deleted. If both |
externalValue | Optional. The external value of the mapping that needs to be deleted. If both |
Example 1
To delete all the value mappings of attribute TITLE:
deleteIdPPartnerAttributeValueMapping(attrProfileID='idp-attribute-profile', oamSessionAttributeName='TITLE')
Example 2
To delete a value mapping of attribute TITLE identified by its received and external values:
deleteIdPPartnerAttributeValueMapping(attrProfileID='idp-attribute-profile', oamSessionAttributeName='TITLE', receivedValue='Doctor', externalValue='Dr')
3.1.56 displayIdPPartnerAttributeValueMapping
The displayIdPPartnerAttributeValueMapping command is an online command that displays the value mappings of one or all incoming attributes configured in an IdP profile.
Description
Displays the value mappings of one or all incoming attributes configured in an IdP profile.
Syntax
displayIdPPartnerAttributeValueMapping(attrProfileID, oamSessionAttributeName)
Argument | Definition |
---|---|
attrProfileID | ID of the IdP profile. |
oamSessionAttributeName | Optional. OAM session attribute name, as defined in the attribute name mappings. If set, only the value mappings for the specified attribute are displayed. If not set, the value mappings for all attributes are displayed. |
Example 1
To display the value mappings of all attributes:
displayIdPPartnerAttributeValueMapping(attrProfileID='idp-attribute-profile')
Example 2
To display the value mappings of attribute TITLE:
displayIdPPartnerAttributeValueMapping(attrProfileID='idp-attribute-profile', oamSessionAttributeName='TITLE')
3.1.57 setSPPartnerAttributeValueFilter
The setSPPartnerAttributeValueFilter command is an online command that adds or updates an attribute value filter in an SP profile.
Description
Adds or updates an attribute value filter in an SP profile.
Syntax
setSPPartnerAttributeValueFilter(attrProfileID, messageAttributeName, conditionOperator, condition, expression, ignoreCase)
Argument | Definition |
---|---|
attrProfileID | ID of the SP profile. |
messageAttributeName | Message attribute name as defined in the attribute name mapping. |
conditionOperator | Optional. If set to If set to This setting applies to the attribute itself and not to a particular mapping. Default is |
condition | Mandatory. The condition that is used to evaluate the attribute value. Following are the values that can be set: Default is empty string. |
expression | Optional. The value or regular expression that is used to evaluate the attribute value. Default is empty string. |
ignoreCase | Optional. If set to true, indicates that the string comparison must be case-sensitive when matching the attribute values. Default is false. |
Example
setSPPartnerAttributeValueFilter(attrProfileID='sp-attribute-profile', messageAttributeName='GROUP', conditionOperator='and', condition='contains', expression='Sale', ignoreCase="true")
3.1.58 deleteSPPartnerAttributeValueFilter
The deleteSPPartnerAttributeValueFilter command is an online command that deletes one or all the value filters of an attribute configured in an SP profile.
Description
Deletes one or all the value filters of an attribute configured in an SP profile
Syntax
deleteSPPartnerAttributeValueFilter(attrProfileID, messageAttributeName, condition, expression)
Argument | Definition |
---|---|
attrProfileID | ID of the SP profile. |
messageAttributeName | Message attribute name as defined in the attribute name mapping. |
condition | Optional. The condition of the filter to be deleted. To delete a specific filter, the values of both the condition and expression parameters must be set. If both condition and expression parameters are not set, all value filters of the attribute are deleted. |
expression | Optional. The expression of the filter to be deleted. To delete a specific filter, the values of both the condition and expression parameters must be set. If both condition and expression parameters are not set, all value filters of the attribute are deleted. |
Example 1
To delete all the value filters of attribute GROUP:
deleteSPPartnerAttributeValueFilter(attrProfileID='idp-attribute-profile', messageAttributeName='GROUP')
Example 2
To delete a value filter of attribute GROUP identified by its condition and expression values:
deleteSPPartnerAttributeValueFilter(attrProfileID='idp-attribute-profile', messageAttributeName='GROUP', condition='contains', expression='Sale')
3.1.59 displaySPPartnerAttributeValueFilter
The displaySPPartnerAttributeValueFilter command is an online command that displays the value filters of one or all attributes configured in an SP profile.
Description
Displays the value filters of one or all attributes configured in an SP profile.
Syntax
displaySPPartnerAttributeValueFilter(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | ID of the SP profile. |
messageAttributeName | Optional. Message attribute name as defined in the attribute name mappings. If set, only the value filters for the specified attribute are displayed. If not set, the value filters for all attributes are displayed. |
Example 1
To display the value filters of all attributes:
displaySPPartnerAttributeValueFilter(attrProfileID='idp-attribute-profile')
Example 2
To display the value filters of attribute GROUP:
displaySPPartnerAttributeValueFilter(attrProfileID='idp-attribute-profile', messageAttributeName='GROUP')
3.1.60 setIdPPartnerBasicAuthCredential
The setIdPPartnerBasicAuthCredential command is an online command that sets a partner's basic authentication credentials.
Description
Sets or updates a federation partner's HTTP basic authentication credentials.
Syntax
setIdPPartnerBasicAuthCredential(partnerName,username,password)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
username | The user ID of the user. |
password | The password corresponding to the username. |
Example
setIdPPartnerBasicAuthCredential(partnerName="partnerID4", username="user1")
3.1.61 setIdPPartnerMappingAttribute
The setIdPPartnerMappingAttribute command is an online command that sets a partner's assertion mapping attribute.
Description
Specify that an attribute from the OpenID assertion received from the IdP be mapped to a given data store attribute in order to identify the user.
Syntax
setIdPPartnerMappingAttribute(partnerName,assertionAttr,userstoreAttr)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
assertionAttr | The attribute name in the assertion used to map the user to the identity store. |
userstoreAttr | The name of the attribute in the identity store to which to map the assertion attribute value. |
Example
setIdPPartnerMappingAttribute(partnerName="partnerID", assertionAttr="email", userstoreAttr="mail")
3.1.62 setIdPPartnerMappingAttributeQuery
The setIdPPartnerMappingAttributeQuery command is an online command that updates a partner so that the assertion is mapped to a user by means of an attribute query.
Description
Sets or updates a partner to specify the attribute query to map an assertion to the user store.
Syntax
setIdPPartnerMappingAttributeQuery(partnerName,attrQuery)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrQuery | The attribute query to be used. The LDAP query can contain placeholders referencing the attributes in the SAML Assertion, as well as the NameID. An attribute from the SAML Assertion is referenced by its name surrounded by the % character; for example, if the attribute name is Userlastname, the attribute is referenced as %Userlastname%. The NameID value is referenced as %fed.nameidvalue%. |
Example
setIdPPartnerMappingAttributeQuery(partnerName="partnerID", attrQuery="(&(sn=%Userlastname%)(givenname=%Userfirstname%))")
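The placeholder expansion that attrQuery describes, modelled in Python as an added illustration that is not Oracle's code. The RFC 4515 filter escaping of substituted values and the exactly-one-match check are assumptions about what a safe implementation must do, not documented Access Manager behaviour; the template is the page's example and the attribute values are constructed.

```python
import re
from typing import Dict, List

# Placeholders look like %Userlastname%; %fed.nameidvalue% stands for the NameID.
_PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.\-]+)%")
NAMEID_PLACEHOLDER = "fed.nameidvalue"

# The page's example template.
QUERY = "(&(sn=%Userlastname%)(givenname=%Userfirstname%))"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Filter metacharacters and non-ASCII characters become \\xx hex escapes
    of their UTF-8 bytes, so an assertion value substituted into the
    template can never change the shape of the resulting filter.
    """
    out: List[str] = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_attribute_query(attr_query: str, assertion_attrs: Dict[str, str],
                          name_id_value: str) -> str:
    """Expand the %...% placeholders of an attrQuery template.

    Raises KeyError when the assertion lacks an attribute the template
    references, rather than silently producing an over-broad filter.
    """
    def expand(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name == NAMEID_PLACEHOLDER:
            raw = name_id_value
        elif name in assertion_attrs:
            raw = assertion_attrs[name]
        else:
            raise KeyError(f"assertion carries no attribute {name!r}")
        return ldap_filter_escape(raw)

    return _PLACEHOLDER.sub(expand, attr_query)


def select_user(entries: List[str]) -> str:
    """The query must identify exactly one user; anything else is a failure."""
    if len(entries) != 1:
        raise LookupError(f"attribute query matched {len(entries)} entries, expected 1")
    return entries[0]


if __name__ == "__main__":
    # Constructed assertion attributes, not from a real IdP.
    attrs = {"Userlastname": "Smith", "Userfirstname": "Ann"}
    print(build_attribute_query(QUERY, attrs, "asmith"))
    # -> (&(sn=Smith)(givenname=Ann))
    # A value carrying filter metacharacters is neutralised by the escaping.
    odd = {"Userlastname": "Smith)(objectClass=*", "Userfirstname": "Ann"}
    print(build_attribute_query(QUERY, odd, "asmith"))
    # -> (&(sn=Smith\29\28objectClass=\2a)(givenname=Ann))
```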
3.1.63 setIdPPartnerMappingNameID
The setIdPPartnerMappingNameID command is an online command that sets the assertion mapping nameID value for an IdP federation partner.
Description
Sets the assertion mapping nameID value for an IdP federation partner.
Syntax
setIdPPartnerMappingNameID(partnerName,userstoreAttr)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
userstoreAttr | The attribute name in the identity store to which the assertion nameID is to be mapped. |
Example
setIdPPartnerMappingNameID (partnerName="partnerID", userstoreAttr="ldapattr")
3.1.64 setPartnerAlias
The setPartnerAlias command is an online command that sets a federation partner's alias.
Description
Sets or updates a federation partner's alias.
Syntax
setPartnerAlias(partnerName,partnerType,partnerAlias)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
partnerAlias | The partner's alias. |
Example
setPartnerAlias(partnerName="partnerID", partnerType="sp", partnerAlias="tenant1")
3.1.65 setPartnerIDStoreAndBaseDN
The setPartnerIDStoreAndBaseDN command is an online command that sets the identity store and base DN of a federation partner.
Description
Sets or updates the identity store and base DN of a federation partner.
Syntax
setPartnerIDStoreAndBaseDN(partnerName,partnerType,storeName,searchBaseDN)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are sp or idp. |
storeName | Optional. The name of the identity store. If left blank, the Default OAM Identity Store will be used. |
searchBaseDN | Optional. The LDAP search base DN. If left blank, the Search Base DN configured in the Identity Store will be used. |
Example
setPartnerIDStoreAndBaseDN(partnerName="partnerID", partnerType="sp/idp", storeName="testldap", searchBaseDN="dc=company,dc=com")
3.1.66 setSPSAMLPartnerNameID
The setSPSAMLPartnerNameID command is an online command that sets the NameID used for a partner during assertion issuance.
Description
Sets the NameID for a SAML partner.
Syntax
setSPSAMLPartnerNameID(<partnerName>, <nameIDFormat>, <nameIDValue>)
Argument | Definition |
---|---|
partnerName | The name of the partner to be configured. |
nameIDFormat | The NameID format to be used. Possible values include: |
nameIDValue | Value of the NameID element. It can be a static string, user attribute, session attribute or a combination of those types. |
Example
setSPSAMLPartnerNameID(partnerName="partnerID", nameIDFormat="emailAddress", nameIDValue="$user.attr.mail")
3.1.67 setSPPartnerAlternateScheme
The setSPPartnerAlternateScheme command is an online command that provides a way to authenticate clients with an alternate Authentication Scheme.
Description
Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for this Partner.
Syntax
setSPPartnerAlternateScheme(<partner>, <enabled="true">, <httpHeaderName="">, <httpHeaderExpression="">, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">, <remove="false">)
Argument | Definition |
---|---|
partner | The ID of the partner. |
enabled | Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client. |
httpHeaderName | Required if enabled is true. The HTTP Header to evaluate. IMPORTANT: This is a global setting and will affect all partners. |
httpHeaderExpression | Required if enabled is true. The regular expression used to evaluate the value of the HTTP Header. |
authnScheme | Required if enabled is true. The alternate Authentication Scheme to be used instead of the default. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy name that will be used to protect the underlying resource policy object being created. |
remove | Optional. If set to true, removes the properties for the alternate scheme from the partner configuration. |
Note:
Since this operation creates policy objects, you can specify the Application Domain (default "IAM Suite"), the HostID (default "IAMSuiteAgent") and the Authorization Policy (default "Protected Resource Policy") to be used, although the default values can also be used.
Example
In this example, Identity Federation is configured to enable the alternate Authentication Scheme at a partner level for the SP partner Acme because the user's browser sends the HTTP Header "User-Agent" with the iPhone string in it. The string triggers the BasicScheme for authentication rather than the default Authentication Scheme.
setSPPartnerAlternateScheme("acmeSP", "true", httpHeaderName="User-Agent", httpHeaderExpression=".*iPhone.*", authnScheme="BasicScheme")
3.1.68 setSPPartnerDefaultScheme
The setSPPartnerDefaultScheme command is an online command that defines the default Authentication Scheme for the SP partner.
Description
Defines the default Authentication Scheme for the SP partner.
Syntax
setSPPartnerDefaultScheme(<partner>, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partner | The ID of the partner. |
authnScheme | The OAM Authentication Scheme to be used. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy name that will be used to protect the underlying resource policy object being created. |
Example
setSPPartnerDefaultScheme("acmeSP", "BasicScheme")
3.1.69 setSPPartnerProfileAlternateScheme
The setSPPartnerProfileAlternateScheme command is an online command that provides a way to authenticate clients with an alternate Authentication Scheme.
Description
Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for partners assigned to this Partner Profile.
Syntax
setSPPartnerProfileAlternateScheme(<partnerProfile>, <enabled="true">, <httpHeaderName="">, <httpHeaderExpression="">, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">, <remove="false">)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
enabled | Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client. |
httpHeaderName | Required if enabled is true. The HTTP Header to evaluate. IMPORTANT: This is a global setting and will affect all partners. |
httpHeaderExpression | Required if enabled is true. The regular expression used to evaluate the value of the HTTP Header. |
authnScheme | Required if enabled is true. The alternate Authentication Scheme to be used instead of the default. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy name that will be used to protect the underlying resource policy object being created. |
Note:
Since this operation creates policy objects, you can specify the Application Domain (default "IAM Suite"), the HostID (default "IAMSuiteAgent") and the Authorization Policy (default "Protected Resource Policy") to be used, although the default values can also be used.
Example
setSPPartnerProfileAlternateScheme("acmeSP", "true", httpHeaderName="User-Agent", httpHeaderExpression=".*iPhone.*", authnScheme="BasicScheme")
3.1.70 setSPPartnerProfileDefaultScheme
The setSPPartnerProfileDefaultScheme command is an online command that sets the default OAM authentication scheme to be used to challenge a user for a specific SP partner profile.
Description
Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile.
Syntax
setSPPartnerProfileDefaultScheme(<partnerProfile>, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
authnScheme | The OAM Authentication Scheme to be used. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy name that will be used to protect the underlying resource policy object being created. |
Example
setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", "LDAPScheme")
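How the four commands in 3.1.67 to 3.1.70 interact (default and alternate scheme at partner level, the same pair at partner-profile level, one global httpHeaderName) is shown by the following Python model, an added illustration that is not Oracle's code. The precedence order (partner before profile before a server-wide fallback) and the full-match semantics of the header expression are assumptions; the configuration values are those of the page's examples and the request headers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SchemeSettings:
    """Scheme settings at one level: an SP partner or an SP partner profile.

    default_scheme comes from setSPPartner[Profile]DefaultScheme, the alt_*
    fields from setSPPartner[Profile]AlternateScheme.
    """
    default_scheme: Optional[str] = None
    alt_enabled: bool = False
    alt_expression: str = ""
    alt_scheme: str = ""

    def clear_alternate(self) -> None:
        """Equivalent of calling the alternate-scheme command with remove='true'."""
        self.alt_enabled, self.alt_expression, self.alt_scheme = False, "", ""


def resolve_scheme(header_name: str, headers: Dict[str, str],
                   partner: Optional[SchemeSettings],
                   profile: Optional[SchemeSettings],
                   fallback: str) -> str:
    """Pick the Authentication Scheme for one request from an SP partner.

    header_name is global: one httpHeaderName for all partners, as the
    commands warn. Assumed precedence: partner-level settings first, then
    the partner profile, then the server-wide fallback; at each level the
    alternate scheme wins when its expression fully matches the header.
    Because the header is chosen by the client, an alternate scheme should
    be at least as strong as the default it replaces, or a client can
    steer itself to the weaker challenge.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(header_name.lower())
    for level in (partner, profile):
        if level is None:
            continue
        if level.alt_enabled and value is not None \
                and re.fullmatch(level.alt_expression, value):
            return level.alt_scheme
        if level.default_scheme:
            return level.default_scheme
    return fallback


# Mirrors the page's examples:
#   setSPPartnerProfileDefaultScheme("saml20-sp-partner-profile", "LDAPScheme")
#   setSPPartnerAlternateScheme("acmeSP", "true", httpHeaderName="User-Agent",
#       httpHeaderExpression=".*iPhone.*", authnScheme="BasicScheme")
SAML20_PROFILE = SchemeSettings(default_scheme="LDAPScheme")
ACME_SP = SchemeSettings(alt_enabled=True, alt_expression=".*iPhone.*",
                         alt_scheme="BasicScheme")

# Constructed request headers.
IPHONE = {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)"}
DESKTOP = {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"}

if __name__ == "__main__":
    print(resolve_scheme("User-Agent", IPHONE, ACME_SP, SAML20_PROFILE, "FallbackScheme"))
    # -> BasicScheme
    print(resolve_scheme("User-Agent", DESKTOP, ACME_SP, SAML20_PROFILE, "FallbackScheme"))
    # -> LDAPScheme
```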
3.1.71 updatePartnerMetadata
The updatePartnerMetadata command is an online command that updates federation partner metadata.
Description
Updates the metadata for a federation partner.
Syntax
updatePartnerMetadata(partnerName,partnerType,metadataFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
metadataFile | The location of the metadata file. Specify the complete path and name. |
Example
updatePartnerMetadata(partnerName="partnerID", partnerType="sp", metadataFile="/common/idm/abc_metadata_file")
3.1.72 updatePartnerProperty
The updatePartnerProperty command is an online command that updates a partner property.
Description
Configures or updates the specified property for a federation partner.
See Advanced Identity Federation Commands for information regarding SAML 1.1.
Syntax
updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies the partner type. Valid values are sp or idp. |
propName | The name of the property to configure. |
propValue | The property value to be set. |
type | The data type of the property. Valid values are string, long, or boolean. |
Example
updatePartnerProperty(partnerName="partnerID", partnerType="idp", propName="providertrusted", propValue="true",type="boolean")
3.2 Advanced Identity Federation Commands
The Advanced Identity Federation WLST commands do not have applicable administrative fields for configuration in the Access Management console. Administration of authentication mappings and partner profiles is available using WLST commands only. Table 3-2 lists the Advanced Identity Federation commands documented in this section. The commands are organized as follows:
- Federation Service and Datastore
- Federation Access Configuration
- Attribute Sharing Configuration
- Authentication Method Mapping Management: all Authentication Method/Scheme/Level mappings are configured using WLST at the partner level or, if not defined at the partner level, at the partner profile level.
- Partner Profile Management: all Partner Profile management is done with WLST.
- Using WLST with SAML 1.1
Note:
The Advanced Identity Federation command definitions begin with "configureFederationService."
Table 3-2 Advanced Identity Federation WLST Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Federation Service and Datastore | | |
configureFederationService | Enable or disable Federation Service features. | |
setFederationStore | Enables and configures the federation store. | |
Federation Access Configuration | | |
configureIdPAuthnRequest | Configure an IdP partner or IdP partner profile for Force Authentication and/or IsPassive. | |
configureFedSSOAuthz | Enables or disables Authorization for Federation SSO. | |
configureFedDigitalSignature | Configure the Hashing algorithm used in digital signatures. | |
configureFedSignEncKey | Configure the signing and/or encryption key alias to be used for digital signature and encryption operations. | |
Attribute Sharing Configuration | | |
configureAttributeSharingSPPartnerNameIDMapping | Configures the NameID to user store attribute mapping to be used during Attribute Sharing. | |
configureAttributeSharingIdPPartner | Configures the default attribute sharing nameid and nameid format for the IdP Partner. | |
configureAttributeSharingUserDNToIdPPartnerMapping | Configures Attribute Sharing DN to IdP Mappings. | |
configureAttributeSharing | Configures the Attribute Sharing feature by setting a default attribute authority. | |
removeAttributeSharingFromAuthnModule | Removes the Attribute Sharing plug-in from the Authentication Module. | |
configureAttributeSharingPlugin | Configures the input parameters of the Attribute Sharing plug-in. | |
insertAttributeSharingInToAuthnModule | Inserts the attribute sharing step into the Authentication Module flow. | |
Authentication Method Mapping Management | | |
 | Provides a way to authenticate clients with an alternate Authentication Scheme (Partner). | |
 | Defines the default Authentication Scheme for the SP partner. | |
 | Provides a way to authenticate clients with an alternate Authentication Scheme (Partner Profile). | |
 | Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile. | |
addSPPartnerAuthnMethod | Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner. | |
addSPPartnerProfileAuthnMethod | Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner Profile. | |
addIdPPartnerAuthnMethod | Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner. | |
addIdPPartnerProfileAuthnMethod | Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile. | |
listPartnerAuthnMethods | Lists the Federated Authentication Method mappings for a specific Partner. | |
listPartnerProfileAuthnMethods | Lists the Federated Authentication Method mappings for a specific Partner Profile. | |
removePartnerAuthnMethod | Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner. | |
removePartnerProfileAuthnMethod | Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner Profile. | |
setIdPPartnerRequestAuthnMethod | Sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner. | |
setIdPPartnerProfileRequestAuthnMethod | Sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner Profile. | |
useProxiedFedAuthnMethod | Configure the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO. | |
Partner Profile Management | | |
createFedPartnerProfileFrom | Creates a Federation Partner Profile based on the specified existing one. | |
deleteFedPartnerProfile | Deletes the specified Federation Partner Profile. | |
displayFedPartnerProfile | Displays the properties defined in the specified Federation Partner Profile. | |
listFedPartnerProfiles | Lists all of the existing Federation Partner Profiles. | |
listFedPartnersForProfile | Lists the partners bound to the specified Federation Partner Profile. | |
getFedPartnerProfile | Gets the ID of the Partner Profile bound to the specified partner. | |
setFedPartnerProfile | Sets the Federation Partner Profile ID for the specified partner. | |
Using WLST with SAML 1.1
When an IDP partner is configured for SAML 1.1, the following URL is used by the SP to start the SSO process.
http://idphost:idpport/ssourl?TARGET=targeturl&providerid=http://spproviderid
By using these WLST commands, the URL can be populated with the applicable information.
Use this command... | To... | Use with WLST... |
---|---|---|
 | Set the value used by the peer provider to identify the provider ID of the SP. | |
 | Set the target URL for the specified SP partner. | |
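The SSO start URL above carries two values, TARGET and providerid, that are themselves URLs. The following is an added example, not part of Oracle's documentation or product code: it builds and parses that URL with percent-encoding, shows why plain concatenation corrupts a TARGET that has its own query string, and adds the allow-list check an SP should apply to TARGET before redirecting to it. The host name `idphost:8001`, the provider ID and the target URLs are constructed values.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Constructed values; "idphost:8001" stands in for idphost:idpport in the documented URL.
IDP_SSO_URL = "http://idphost:8001/ssourl"
SP_PROVIDER_ID = "http://spproviderid"


def build_saml11_sso_url(idp_sso_url, target_url, sp_provider_id):
    """Build <ssourl>?TARGET=<targeturl>&providerid=<spproviderid> with both values
    percent-encoded, so a TARGET that carries its own query string stays intact."""
    parts = urlsplit(idp_sso_url)
    query = urlencode({"TARGET": target_url, "providerid": sp_provider_id})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def naive_saml11_sso_url(idp_sso_url, target_url, sp_provider_id):
    """Plain string concatenation, kept only to show what goes wrong without encoding."""
    return "%s?TARGET=%s&providerid=%s" % (idp_sso_url, target_url, sp_provider_id)


def parse_saml11_sso_url(url):
    """Recover TARGET and providerid the way a receiver would: first value of each, or None."""
    qs = parse_qs(urlsplit(url).query)
    return {"TARGET": qs.get("TARGET", [None])[0],
            "providerid": qs.get("providerid", [None])[0]}


def is_target_allowed(target_url, allowed_hosts):
    """Defensive check on the SP side: TARGET is where the browser is sent after SSO, so
    accept only https URLs on hosts this SP owns (allowed_hosts is a constructed allow-list)."""
    parts = urlsplit(target_url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts
```

With a TARGET such as `https://app.example.com/res?a=1&b=2`, the encoded form round-trips intact, while the concatenated form hands the IdP a TARGET cut off at `a=1` and a stray `b` parameter.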
The following SAML 1.1 configuration parameters are not exposed through the Oracle Access Management Console. The values of these parameters can be modified using WLST.
Use this command... | To... | Use with WLST... |
---|---|---|
 | Delete a partner property. | |
 | Retrieve a partner property. | |
updatePartnerProperty | Update a partner property. | |
Subject Confirmation Check | | |
 | Enables or disables the subject confirmation data check in SAML assertion. | |
3.2.1 configureFederationService
The configureFederationService command enables or disables the Federation Service AttributeRequester or AttributeResponder.
Description
Enable or disable Federation Service features.
Syntax
configureFederationService(<serviceType>,<enabled>)
Argument | Definition |
---|---|
serviceType | Takes as a value IDP, SP, AttributeResponder or AttributeRequester. |
enabled | Takes as a value either true or false. |
Examples
configureFederationService("idp", "true")
configureFederationService("AttributeResponder", "true")
3.2.2 setFederationStore
The setFederationStore command enables and configures the federation store.
Description
This will set the jndiname of the datastore to be used to store federation records and will set the store as an RDBMS.
Syntax
setFederationStore (<enable>, <jndiname>)
Argument | Definition |
---|---|
enable | Enable or disable the Federation data store. |
jndiname | Indicates the JNDI name of the datastore. |
Example
setFederationStore(enable="true", jndiname="jdbc/oamds")
3.2.3 configureIdPAuthnRequest
The configureIdPAuthnRequest command configures an IdP partner or an IdP partner profile for Force Authentication and/or IsPassive.
Description
Configure an IdP partner or IdP partner profile for Force Authentication and/or IsPassive.
Syntax
configureIdPAuthnRequest(<partner="">, <partnerProfile="">, <partnerType="">, <isPassive="false">, <forceAuthn="false">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | Indicates the IdP partner to be configured. partner and partnerProfile are exclusive, with one of the two required. |
partnerProfile | Indicates the IdP partner profile to be configured. partner and partnerProfile are exclusive, with one of the two required. |
partnerType | The type of partner (sp or idp). |
isPassive | Indicates if the IdP partner or IdP partner profile should be configured so that the Authn Request message sent to the IdP will indicate that the IdP should not interact with the user during Federation SSO. True indicates that the IdP should not interact with the user. Optional. |
forceAuthn | Indicates if the IdP partner or IdP partner profile should be configured so that the Authn Request message sent to the IdP will indicate that the IdP should challenge the user even if a valid session exists. True indicates that the user will be challenged. Optional. |
displayOnly | Indicates whether or not this command should display the Is Passive and Force Authn settings. Default is false. Optional. |
delete | Indicates whether or not this command should delete the Is Passive and Force Authn settings from the specified partner or partner profile. Default is false. Optional. |
Example
configureIdPAuthnRequest(partner="acme", isPassive="false", forceAuthn="true")
3.2.4 configureFedSSOAuthz
The configureFedSSOAuthz command enables or disables Authorization for Federation SSO.
Description
Enables or disables Authorization for Federation SSO. By default, the authorization feature for Federation SSO will be turned off.
Syntax
configureFedSSOAuthz(enabled)
Argument | Definition |
---|---|
enabled | Takes as a value true or false. |
Example
configureFedSSOAuthz("true")
3.2.5 configureFedDigitalSignature
The configureFedDigitalSignature command configures the Hashing algorithm used in digital signatures.
Description
If the displayOnly and delete parameters are false, this command will set the algorithm.
Syntax
configureFedDigitalSignature(<partner="">, <partnerProfile="">, <partnerType="">, <default="false">, <algorithm="SHA-256">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | Indicates the partner for which the hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
partnerProfile | Indicates the partner profile for which the hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
partnerType | Indicates the partner type for which the hashing algorithm is to be configured. Required when specifying partner or partnerProfile. Valid values are sp or idp. |
default | Indicates that the global default hashing algorithm is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
algorithm | The hashing algorithm used in digital signatures. Default is SHA-256. |
displayOnly | Indicates whether or not this command should display the hashing algorithm setting. Default is false. Optional. |
delete | Indicates whether or not this command should delete the hashing algorithm setting from the specified partner or partner profile. Default is false. Optional. |
Example
configureFedDigitalSignature(default="true", algorithm="SHA-256")
3.2.6 configureFedSignEncKey
The configureFedSignEncKey command configures the signing and/or encryption key alias to be used for digital signature and encryption operations.
Description
Configure the signing and/or encryption key alias to be used for digital signature and encryption operations.
Syntax
configureFedSignEncKey(<partner="">, <partnerProfile="">, <partnerType="">, <default="false">, <signAlias="">, <encAlias="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | Indicates the partner for which the signing and/or encryption key alias is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
partnerProfile | Indicates the partner profile for which the signing and/or encryption key alias is to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
partnerType | Indicates the partner type for which the signing and/or encryption key alias is to be configured. Required when specifying partner or partnerProfile. Valid values are sp or idp. |
default | Indicates the global default signing and/or encryption key alias to be configured. partner, partnerProfile and default parameters are exclusive, with one of the three required. |
signAlias | The signing key alias. Required when setting the value. |
encAlias | The encryption key alias. Required when setting the value. |
displayOnly | Indicates whether or not this command should display the signing and encryption key aliases. Default is false. Optional. |
delete | Indicates whether or not this command should delete the signing and/or encryption key alias from the specified partner or partner profile. Default is false. Optional. |
Example
configureFedSignEncKey(default="true", signAlias="osts_signing")
3.2.7 configureAttributeSharingSPPartnerNameIDMapping
The configureAttributeSharingSPPartnerNameIDMapping command configures the NameID to user store attribute mapping to be used during Attribute Sharing.
Description
If displayOnly is true, the command displays the NameID to userstore attribute mapping. Otherwise, if delete is true, the command deletes the specified mapping. Otherwise, it sets the enabled flag to the given value and sets a NameID to userstore attribute mapping.
Syntax
configureAttributeSharingSPPartnerNameIDMapping(<partner="">, <partnerProfile="">, <enabled="true">, <nameidformat="">, <userStoreAttribute="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | ID of the partner being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required. |
partnerProfile | Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required. |
enabled | Boolean indicating if the NameID to userstore attribute mapping is enabled/disabled. Optional. Default value is true. |
nameidformat | The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation, all the mappings for the specified partner or partnerProfile are displayed. Allowed NameID formats are: If the format is set to any other value, the Assertion will be populated with that value. |
userStoreAttribute | The userstore attribute to which the specified NameID Format is mapped. Optional. Needs to be specified only for a create or update operation. |
displayOnly | Indicates whether or not this command should display the NameID to userstore attribute mapping. Default is false. Optional. If set to true, the mapping is displayed. If no NameID parameter is specified, all the mappings are displayed. |
delete | Indicates whether or not this command should delete the NameID to userstore attribute mapping. Default is false. Optional. |
Examples
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", userStoreAttribute="mail")
configureAttributeSharingSPPartnerNameIDMapping(partnerProfile="saml20-idp-partner-profile", nameidformat="orafed-emailaddress", userStoreAttribute="mail")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", enabled="false")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", displayOnly="true")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", delete="true")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", displayOnly="true")
3.2.8 configureAttributeSharingIdPPartner
The configureAttributeSharingIdPPartner command configures the default attribute sharing nameid and nameid format for the IdP Partner.
Description
Configures the default attribute sharing nameid and nameid format for the IdP Partner.
Syntax
configureAttributeSharingIdPPartner(<partner="">, <partnerProfile="">,<nameidformat="">, <nameidattribute="">)
Argument | Definition |
---|---|
partner | ID of the partner being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required. |
partnerProfile | Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile parameters are exclusive, with one of the two required. |
nameidformat | The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation, all the mappings for the specified partner or partnerProfile are displayed. Allowed NameID formats are: |
nameidattribute | The attribute in the userstore that should be used as the nameid. Optional. |
displayOnly | Indicates whether or not this command should display the NameID to userstore attribute mapping. Default is false. Optional. If set to true, the mapping is displayed. If no NameID parameter is specified, all the mappings are displayed. |
Example
configureAttributeSharingIdPPartner(partner="acme", nameidformat="orafed-emailaddress", nameidattribute="mail")
3.2.9 configureAttributeSharingUserDNToIdPPartnerMapping
The configureAttributeSharingUserDNToIdPPartnerMapping command configures Attribute Sharing DN to IdP Mappings.
Description
If displayOnly is set to true the configuration is displayed. If delete is set to true the command deletes a specified mapping; otherwise, a mapping is created or updated.
Syntax
configureAttributeSharingUserDNToIdPPartnerMapping(<dn="">, <idp="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
dn | The DN string to map to the given IdP. Optional. Needs to be specified to delete a mapping and to set a mapping. If specified for a display operation, the mapping for this DN only is displayed. |
idp | The partner ID of the IdP to use as Attribute Authority for the given DN. Optional. Needs to be specified only when creating or updating a mapping. |
displayOnly | Indicates whether or not this command should display the DN to IdP mapping. Default is false. Optional. If set to true, the mapping is displayed. If no dn parameter is specified, all the mappings are displayed. |
delete | Indicates whether or not this command should delete the DN to IdP mapping for the specified dn. Default is false. Optional. |
Examples
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", displayOnly="true")
configureAttributeSharingUserDNToIdPPartnerMapping(displayOnly="true")
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", delete="true")
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", idp="acme")
3.2.10 configureAttributeSharing
The configureAttributeSharing command configures the Attribute Sharing feature by setting a default attribute authority.
Description
Configures the Attribute Sharing feature by setting a default attribute authority.
Syntax
configureAttributeSharing(<defaultAttributeAuthority="">)
Argument | Definition |
---|---|
defaultAttributeAuthority | ID of the partner to use as the default Attribute Authority. Only used when this server is functioning in the SP mode. |
Examples
configureAttributeSharing(defaultAttributeAuthority="acme")
configureAttributeSharing("acme")
3.2.11 removeAttributeSharingFromAuthnModule
The removeAttributeSharingFromAuthnModule command removes the Attribute Sharing plug-in from the Authentication Module.
Description
Removes the Attribute Sharing plug-in step from the specified Authentication Module.
Syntax
removeAttributeSharingFromAuthnModule(<authnModule>, <stepName="">)
Argument | Definition |
---|---|
authnModule | The name of the authnModule from which to delete the Attribute Sharing plug-in. |
stepName | The stepName of the Attribute Sharing plug-in step to remove. Only needed if there is more than one attribute sharing step. Optional. |
Examples
removeAttributeSharingFromAuthnModule(authnModule="LDAPPlugin")
removeAttributeSharingFromAuthnModule(authnModule="LDAPPlugin", stepName="FedAttributeSharing")
3.2.12 configureAttributeSharingPlugin
The configureAttributeSharingPlugin command configures the input parameters of the Attribute Sharing plug-in in an Authentication Module.
Description
Configures the input parameters of the Attribute Sharing plugin.
Syntax
configureAttributeSharingPlugin(<authnModule>, <stepName=None>, <nameIDVariable=None>, <idpVariable=None>, <defaultIdP=None>, <nameIDFormatVariable=None>, <defaultNameIDFormat=None>, <requestedAttributes=None>)
Argument | Definition |
---|---|
authnModule | The name of the authnModule in which the Attribute Sharing plug-in is configured. |
stepName | The stepName of the Attribute Sharing plug-in step to configure. Only needed if there is more than one attribute sharing step. Optional. |
nameIDVariable | The name of the variable in the session or context that contains the nameID of the user. |
idpVariable | The name of the variable in the session or context that contains the IdP name to which to send the attribute request. |
defaultIdP | The name of the default IdP to send the attribute request to if no IdP can be determined from the session or context. |
nameIDFormatVariable | The name of the variable in the session or context that contains the nameID format to use in the attribute request. |
defaultNameIDFormat | The default NameID format to use if no nameid format could be determined from the session or context. Allowed NameID formats are: If the format is set to any other value, the Assertion will be populated with that value. |
requestedAttributes | The attributes to request from the IdP. This string is in the URL query string format. |
Example
configureAttributeSharingPlugin(authnModule="LDAPPlugin", nameIDVariable="dn", idpVariable="attr.idpname", defaultIdP="acme", nameIDFormatVariable="attr.nameidformat", defaultNameIDFormat="orafed-x509", requestedAttributes="mail&accessAllowed=allowed")
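The three pieces of attribute sharing configuration above (the DN to IdP mappings of configureAttributeSharingUserDNToIdPPartnerMapping, the default attribute authority of configureAttributeSharing, and the plug-in inputs of configureAttributeSharingPlugin) only make sense together once you see how an attribute request is assembled from a session. The following is an added example in Python, not Oracle's plug-in code: it models that resolution. The session keys, the DN mappings and the precedence order (session variable first, then DN mapping, then defaultIdP) are assumptions; the plug-in inputs mirror the example command above, and `requestedAttributes` is parsed as the URL query string the table describes.

```python
from urllib.parse import parse_qsl

# Constructed plug-in inputs, mirroring the configureAttributeSharingPlugin example above.
PLUGIN_CONFIG = {
    "nameIDVariable": "dn",
    "idpVariable": "attr.idpname",
    "defaultIdP": "acme",
    "nameIDFormatVariable": "attr.nameidformat",
    "defaultNameIDFormat": "orafed-x509",
    "requestedAttributes": "mail&accessAllowed=allowed",
}

# Constructed DN-to-IdP mappings of the kind set with configureAttributeSharingUserDNToIdPPartnerMapping.
DN_TO_IDP = {"dc=us,dc=oracle,dc=com": "acme", "dc=emea,dc=oracle,dc=com": "acme-emea"}


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDNs so 'dc=us, dc=oracle' equals 'dc=us,dc=oracle'."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def idp_for_dn(dn, dn_to_idp=DN_TO_IDP, default=None):
    """Pick the IdP partner whose mapped DN is the user DN itself or an RDN-aligned suffix of it.
    Assumptions: suffix matching, and the longest (most specific) matching DN wins."""
    user = normalize_dn(dn)
    best = None
    for base_dn, idp in dn_to_idp.items():
        base = normalize_dn(base_dn)
        if user == base or user.endswith("," + base):
            if best is None or len(base) > len(best[0]):
                best = (base, idp)
    return best[1] if best else default


def parse_requested_attributes(spec):
    """'mail&accessAllowed=allowed' -> [('mail', None), ('accessAllowed', 'allowed')]."""
    return [(name, value or None) for name, value in parse_qsl(spec, keep_blank_values=True)]


def build_attribute_request(session, config=PLUGIN_CONFIG, dn_to_idp=DN_TO_IDP):
    """Resolve the plug-in inputs from the session: each *Variable names a session key and each
    default* is its fallback. Assumed precedence for the IdP: session variable, then DN mapping,
    then defaultIdP."""
    name_id = session.get(config["nameIDVariable"])
    if not name_id:
        raise ValueError("no NameID in session variable %r" % config["nameIDVariable"])
    idp = session.get(config["idpVariable"]) or idp_for_dn(name_id, dn_to_idp, config["defaultIdP"])
    fmt = session.get(config["nameIDFormatVariable"]) or config["defaultNameIDFormat"]
    return {"idp": idp, "nameid": name_id, "nameidformat": fmt,
            "attributes": parse_requested_attributes(config["requestedAttributes"])}
```

The suffix match is RDN-aligned on purpose: a user under `dc=xus,dc=oracle,dc=com` must not be routed to the IdP mapped for `dc=us,dc=oracle,dc=com`, which a plain `endswith` on the raw string would do.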
3.2.13 insertAttributeSharingInToAuthnModule
The insertAttributeSharingInToAuthnModule command inserts the attribute sharing step into the Authentication Module flow.
Description
Can also be used to remove the attribute sharing step from the Authentication Module flow.
Syntax
insertAttributeSharingInToAuthnModule(<authnModule>, <fromStep=None>, <fromCond=None>, <toStep=None>, <toCond=None>, <stepName=None>)
Argument | Definition |
---|---|
authnModule | The name of the authnModule into which the Attribute Sharing plug-in is inserted. |
fromStep | The name of the step after which the Attribute Sharing Step (or the step of the given name) should be inserted. |
fromCond | The condition under which the Attribute Sharing step (or the step of the given name) is called after the fromStep. It has to be one of OnSuccess, OnFailure or OnError. |
toStep | The name of the step to go to after the attribute sharing step (or the step of the given name). |
toCond | The condition under which the toStep is called after the Attribute Sharing step (or the step of the given name). |
stepName | The name of the step being added to the flow. |
Examples
insertAttributeSharingInToAuthnModule(authnModule="LDAPPlugin", fromStep="stepUA", fromCond="OnSuccess")
insertAttributeSharingInToAuthnModule(authnModule="LDAPPlugin", fromStep="stepUA", fromCond="OnSuccess", stepName="success")
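insertAttributeSharingInToAuthnModule and removeAttributeSharingFromAuthnModule (3.2.11) edit a step graph: each step has an OnSuccess, OnFailure and OnError edge, and the new step is spliced in on the fromCond edge of fromStep. The following is an added Python model of that splice and its inverse, written for this page and not Oracle's orchestration code. The two-step module, the plug-in name, the rule that an omitted toStep inherits fromStep's previous target, and the choice that the new step's other two outcomes fail closed are all assumptions; the requirement that stepName be given only when more than one attribute sharing step exists comes from the argument table.

```python
CONDITIONS = ("OnSuccess", "OnFailure", "OnError")
TERMINALS = ("success", "failure")
ATTR_SHARING_PLUGIN = "FedAttributeSharingPlugin"   # constructed plug-in name


def sample_module():
    """Constructed two-step module resembling the LDAPPlugin example: identify the user, then
    check the password. Each step maps every condition to the next step or to a terminal state."""
    return {
        "stepUI": {"plugin": "UserIdentificationPlugin",
                   "OnSuccess": "stepUA", "OnFailure": "failure", "OnError": "failure"},
        "stepUA": {"plugin": "UserAuthenticationPlugin",
                   "OnSuccess": "success", "OnFailure": "failure", "OnError": "failure"},
    }


def validate_flow(flow):
    """Every condition of every step must lead to an existing step or a terminal state."""
    for name, step in flow.items():
        for cond in CONDITIONS:
            target = step[cond]
            if target not in flow and target not in TERMINALS:
                raise ValueError("step %s: %s points to unknown target %r" % (name, cond, target))
    return True


def insert_attribute_sharing(flow, from_step, from_cond, to_step=None, to_cond="OnSuccess",
                             step_name="FedAttributeSharing"):
    """Splice the attribute sharing step in after from_step on from_cond; its to_cond edge leads
    to to_step. Assumptions: an omitted to_step means from_step's previous target, and the new
    step's other two outcomes fail closed."""
    if from_cond not in CONDITIONS or to_cond not in CONDITIONS:
        raise ValueError("conditions must be one of %s" % (CONDITIONS,))
    if from_step not in flow:
        raise KeyError(from_step)
    if step_name in flow:
        raise ValueError("step name %r is already in use" % step_name)
    successor = flow[from_step][from_cond] if to_step is None else to_step
    new_step = {"plugin": ATTR_SHARING_PLUGIN, "continueOn": to_cond,
                "OnSuccess": "failure", "OnFailure": "failure", "OnError": "failure"}
    new_step[to_cond] = successor
    flow[step_name] = new_step
    flow[from_step][from_cond] = step_name
    validate_flow(flow)
    return step_name


def attribute_sharing_steps(flow):
    return [name for name, step in flow.items() if step["plugin"] == ATTR_SHARING_PLUGIN]


def remove_attribute_sharing(flow, step_name=None):
    """Remove the attribute sharing step and reconnect its predecessors to where it continued.
    step_name is required only when more than one attribute sharing step exists."""
    candidates = attribute_sharing_steps(flow)
    if step_name is None:
        if len(candidates) != 1:
            raise ValueError("stepName required: %d attribute sharing steps present" % len(candidates))
        step_name = candidates[0]
    elif step_name not in candidates:
        raise KeyError("%r is not an attribute sharing step" % step_name)
    removed = flow.pop(step_name)
    bypass = removed[removed["continueOn"]]
    for step in flow.values():
        for cond in CONDITIONS:
            if step[cond] == step_name:
                step[cond] = bypass
    validate_flow(flow)
    return step_name
```

Running `validate_flow` after every edit is the check worth keeping: a dangling edge left behind by a removal would otherwise surface only at login time, as an authentication flow that cannot complete.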
3.2.14 addSPPartnerAuthnMethod
The addSPPartnerAuthnMethod command defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner.
Description
Maps a Federated Authentication Method to an Access Manager Authentication Scheme for an SP Partner.
Syntax
addSPPartnerAuthnMethod(partner, authnMethod, authnScheme, isDefault="true", authnLevel="-1", appDomain="IAM Suite", hostID="IAMSuiteAgent", <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partner | The ID of the SP partner. |
authnMethod | The Federation Authentication Method to which the Access Manager Authentication Scheme will be mapped. |
authnScheme | The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped. |
isDefault | Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method. |
authnLevel | Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
Example
addSPPartnerAuthnMethod("acmeSP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "LDAPScheme")
3.2.15 addSPPartnerProfileAuthnMethod
The addSPPartnerProfileAuthnMethod command defines a mapping between a Federated Authentication Method to an Access Manager Authentication Scheme for a specific SP Partner Profile.
Description
Maps a Federated Authentication Method to an Access Manager Authentication Scheme for an SP Partner Profile.
Syntax
addSPPartnerProfileAuthnMethod(partnerProfile, authnMethod, authnScheme, isDefault="true", authnLevel="-1", appDomain="IAM Suite", hostID="IAMSuiteAgent", <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partnerProfile | The ID of the SP partner profile. |
authnMethod | The Federation Authentication Method to which the Access Manager Authentication Scheme will be mapped. |
authnScheme | The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped. |
isDefault | Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method. |
authnLevel | Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
Example
addSPPartnerProfileAuthnMethod("saml20-sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "LDAPScheme")
3.2.16 addIdPPartnerAuthnMethod
The addIdPPartnerAuthnMethod command sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner.
Description
Defines the level to which users from this IdP partner are authenticated.
Syntax
addIdPPartnerAuthnMethod(partner, authnMethod, authnLevel)
Argument | Definition |
---|---|
partner | The ID of the IdP partner. |
authnMethod | The Federated Authentication Method. |
authnLevel | The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method. |
Example
addIdPPartnerAuthnMethod("acmeIdP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "1")
3.2.17 addIdPPartnerProfileAuthnMethod
The addIdPPartnerProfileAuthnMethod command sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile.
Description
Defines the level to which users from this IdP partner profile are authenticated.
Syntax
addIdPPartnerProfileAuthnMethod(partnerProfile, authnMethod, authnLevel)
Argument | Definition |
---|---|
partnerProfile | The ID of the IdP partner profile. |
authnMethod | The Federated Authentication Method. |
authnLevel | The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method. |
Example
addIdPPartnerProfileAuthnMethod("saml20-idp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "1")
3.2.18 listPartnerAuthnMethods
The listPartnerAuthnMethods command lists the Federated Authentication Method mappings for a specific Partner.
Description
Lists the Federated Authentication Method mappings for the specified Partner.
Syntax
listPartnerAuthnMethods(partner, partnerType)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (SP or IdP). |
Example
listPartnerAuthnMethods("acmeSP", "SP")
3.2.19 listPartnerProfileAuthnMethods
The listPartnerProfileAuthnMethods command lists the Federated Authentication Method mappings for a specific Partner Profile.
Description
Lists the Federated Authentication Method mappings for the specified Partner Profile.
Syntax
listPartnerProfileAuthnMethods(partnerProfile, partnerType)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
partnerType | The type of the partner (SP or IdP). |
Example
listPartnerProfileAuthnMethods("saml20-sp-partner-profile", "SP")
3.2.20 removePartnerAuthnMethod
The removePartnerAuthnMethod command removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner.
Description
Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for the specified Partner.
Syntax
removePartnerAuthnMethod(<partner>, <partnerType>, <authnMethod>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (SP or IdP). |
authnMethod | The Federated Authentication Method whose mapping is removed. |
Example
removePartnerAuthnMethod("acmeSP", "SP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
3.2.21 removePartnerProfileAuthnMethod
The removePartnerProfileAuthnMethod command removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for a specific Partner Profile.
Description
Removes the mapping between a Federated Authentication Method and Access Manager Authentication Scheme for the specified Partner Profile.
Syntax
removePartnerProfileAuthnMethod(<partnerProfile>, <partnerType>, <authnMethod>)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
partnerType | The type of the partner (SP or IdP). |
authnMethod | The Federated Authentication Method. |
Example
removePartnerProfileAuthnMethod("saml20-sp-partner-profile", "SP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
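The add/list/remove commands in 3.2.14 through 3.2.21 maintain two kinds of mapping, SP-side (Federated Authentication Method to Access Manager scheme, with isDefault and authnLevel) and IdP-side (Federated Authentication Method to session level), each held at partner level or, if absent there, at partner profile level (see the note at the top of 3.2). The following is an added example in Python, not Oracle's implementation: an in-memory model of those mappings with the partner-over-profile lookup, so the effect of adding or removing a mapping at either level can be checked. The scheme level table, the partner-to-profile binding (standing in for setFedPartnerProfile) and the reading of authnLevel -1 as "use the scheme's own level" are assumptions.

```python
# Constructed Access Manager scheme levels; the real values live in the OAM scheme definitions.
SCHEME_LEVELS = {"LDAPScheme": 2, "X509Scheme": 5}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"


class FedAuthnMethodMappings:
    """Partner-level mappings win; profile-level mappings are the fallback."""

    def __init__(self, scheme_levels=SCHEME_LEVELS):
        self.scheme_levels = scheme_levels
        self.profile_of = {}                       # (partner, type) -> partner profile ID
        self.sp = {"partner": {}, "profile": {}}   # id -> {method: [(scheme, isDefault, level)]}
        self.idp = {"partner": {}, "profile": {}}  # id -> {method: level}

    def set_partner_profile(self, partner, partner_type, profile):
        self.profile_of[(partner, partner_type.lower())] = profile

    def add_sp_mapping(self, scope, ident, method, scheme, is_default=True, level=-1):
        """addSPPartnerAuthnMethod / addSPPartnerProfileAuthnMethod; scope is 'partner' or 'profile'."""
        if scheme not in self.scheme_levels:
            raise KeyError("unknown Access Manager scheme %r" % scheme)
        entries = self.sp[scope].setdefault(ident, {}).setdefault(method, [])
        if is_default:                              # only one default scheme per method
            entries[:] = [(s, False, lv) for s, _, lv in entries]
        entries.append((scheme, is_default, int(level)))

    def add_idp_mapping(self, scope, ident, method, level):
        """addIdPPartnerAuthnMethod / addIdPPartnerProfileAuthnMethod."""
        self.idp[scope].setdefault(ident, {})[method] = int(level)

    def list_mappings(self, scope, ident, partner_type):
        """listPartnerAuthnMethods / listPartnerProfileAuthnMethods."""
        table = self.sp if partner_type.lower() == "sp" else self.idp
        return dict(table[scope].get(ident, {}))

    def remove_mapping(self, scope, ident, partner_type, method):
        """removePartnerAuthnMethod / removePartnerProfileAuthnMethod; True if something was removed."""
        table = self.sp if partner_type.lower() == "sp" else self.idp
        return table[scope].get(ident, {}).pop(method, None) is not None

    def resolve_sp_scheme(self, partner, method):
        """(scheme, level) used to challenge a user when SP `partner` requests `method`, or None."""
        entries = self.sp["partner"].get(partner, {}).get(method)
        if not entries:
            profile = self.profile_of.get((partner, "sp"))
            entries = self.sp["profile"].get(profile, {}).get(method) if profile else None
        if not entries:
            return None
        scheme, _, level = next((e for e in entries if e[1]), entries[0])
        return scheme, (self.scheme_levels[scheme] if level == -1 else level)

    def resolve_idp_level(self, partner, method):
        """Session level for an assertion from IdP `partner` carrying `method`, or None if unmapped."""
        level = self.idp["partner"].get(partner, {}).get(method)
        if level is None:
            profile = self.profile_of.get((partner, "idp"))
            level = self.idp["profile"].get(profile, {}).get(method) if profile else None
        return level
```

The `None` results are the cases to watch: an unmapped method on the SP side means the requested Federated Authentication Method cannot be honoured, and on the IdP side it means no session level is defined for what the assertion claims.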
3.2.22 setIdPPartnerRequestAuthnMethod
The setIdPPartnerRequestAuthnMethod command sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner.
Description
Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner.
Syntax
setIdPPartnerRequestAuthnMethod(<partner>, <authnMethod>)
Argument | Definition |
---|---|
partner | The ID of the IdP partner. |
authnMethod | The Federated Authentication Method. |
Example
setIdPPartnerRequestAuthnMethod("acmeIdP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
3.2.23 setIdPPartnerProfileRequestAuthnMethod
The setIdPPartnerProfileRequestAuthnMethod command sets the Federated Authentication Method that will be requested during Federation SSO for a specific IdP Partner Profile.
Description
Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner Profile.
Syntax
setIdPPartnerProfileRequestAuthnMethod(<partnerProfile>, <authnMethod>)
Argument | Definition |
---|---|
partnerProfile | The ID of the IdP partner profile. |
authnMethod | The Federated Authentication Method. |
Example
setIdPPartnerProfileRequestAuthnMethod("saml20-idp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
3.2.24 useProxiedFedAuthnMethod
The useProxiedFedAuthnMethod command configures the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO.
Description
If the server acts as an SP with a remote IdP to authenticate the user, when acting as an Identity Provider in a different Federation SSO operation, the server can use the Federation Authentication Method sent by the remote Identity Provider. The server will send the proxied Federation Authentication Method for the list of specified Federation Authentication Schemes. The server will only send the proxied Federation Authentication Method if the Federation protocol used between the server and the Service Provider is the same Federation protocol as the one used between the server and the Identity Provider.
Syntax
useProxiedFedAuthnMethod(<enabled="false">, <displayOnly="false">, <authnSchemeToAdd="">, <authnSchemeToRemove="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
enabled | Indicates whether or not the proxied Federation Authentication Method should be used. Default is to disable the feature. Optional. |
displayOnly | Indicates whether or not this command should display the list of Federation Schemes for which the server should send the proxied Federation Authentication Method. Default is false. Optional. |
authnSchemeToAdd | The OAM Federation Authentication Scheme to be added to the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove parameters are exclusive. |
authnSchemeToRemove | The OAM Federation Authentication Scheme to be removed from the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove parameters are exclusive. |
appDomain | The application domain in which the underlying policy components will be created. Optional. |
hostID | The HostID that will be used when creating the underlying resource policy object. Optional. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
Example
useProxiedFedAuthnMethod(enabled="true", authnSchemeToAdd="FederationScheme")
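The description above gives three conditions under which the server, acting as IdP, forwards the Federation Authentication Method it received as an SP: the feature is enabled, the user's local authentication scheme is in the configured list, and the protocol used with the SP equals the protocol used with the remote IdP. The following is an added Python example, not Oracle's code, that models the command's parameter rules and that decision; the session keys and protocol labels are constructed names.

```python
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def configure_proxied_fed_authn_method(config, enabled=None, authn_scheme_to_add=None,
                                       authn_scheme_to_remove=None):
    """Mirror the command's parameter rules on a constructed config dict:
    authnSchemeToAdd and authnSchemeToRemove are mutually exclusive, enabled takes "true"/"false"."""
    if authn_scheme_to_add is not None and authn_scheme_to_remove is not None:
        raise ValueError("authnSchemeToAdd and authnSchemeToRemove are exclusive")
    if enabled is not None:
        config["enabled"] = str(enabled).lower() == "true"
    if authn_scheme_to_add is not None:
        config["schemes"].add(authn_scheme_to_add)
    if authn_scheme_to_remove is not None:
        config["schemes"].discard(authn_scheme_to_remove)
    return dict(config, schemes=sorted(config["schemes"]))   # displayOnly-style view


def proxied_fed_authn_method(session, sp_protocol, config):
    """Return the Federation Authentication Method received from the remote IdP when all three
    conditions hold; otherwise None, meaning the local partner/profile mapping applies.
    Session keys (authnScheme, remoteIdPProtocol, remoteFedAuthnMethod) are constructed names."""
    if not config["enabled"]:
        return None
    if session.get("authnScheme") not in config["schemes"]:
        return None
    remote_protocol = session.get("remoteIdPProtocol")
    remote_method = session.get("remoteFedAuthnMethod")
    if not remote_protocol or not remote_method:
        return None                      # user was not authenticated via a remote IdP
    if remote_protocol != sp_protocol:
        return None                      # protocols differ: the method URI would not be meaningful
    return remote_method
```

The protocol check matters because the method identifiers are protocol-specific: a SAML 2.0 authentication context class URI such as the one above has no defined meaning to a WS-Fed 1.1 or SAML 1.1 partner, which is why the page restricts proxying to matching protocols.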
3.2.25 createFedPartnerProfileFrom
The createFedPartnerProfileFrom command creates a Federation Partner Profile based on the specified existing one.
Description
Creates a new partner profile based on the specified existing partner profile.
Syntax
createFedPartnerProfileFrom(<newPartnerProfile>, <existingPartnerProfile>)
Argument | Definition |
---|---|
newPartnerProfile | The ID of the new partner profile. |
existingPartnerProfile | The ID of the existing partner profile. |
Example
createFedPartnerProfileFrom("newAcmeSPProfile", "acmeSPProfile")
3.2.26 deleteFedPartnerProfile
The deleteFedPartnerProfile command deletes the specified Federation Partner Profile.
Description
Removes the specified partner profile.
Syntax
deleteFedPartnerProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile being deleted. |
Example
deleteFedPartnerProfile("acmeSPProfile")
3.2.27 displayFedPartnerProfile
The displayFedPartnerProfile command displays the properties defined in the specified Federation Partner Profile.
Description
Displays the properties in the specified Federation Partner Profile.
Syntax
displayFedPartnerProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile. |
Example
displayFedPartnerProfile("saml20-idp-partner-profile")
3.2.28 listFedPartnerProfiles
The listFedPartnerProfiles command lists all of the existing Federation Partner Profiles.
Description
Lists the existing Federation Partner Profiles.
Syntax
listFedPartnerProfiles()
This command has no arguments.
Example
listFedPartnerProfiles()
3.2.29 listFedPartnersForProfile
The listFedPartnersForProfile command lists the partners bound to the specified Federation Partner Profile.
Description
Lists all the partners bound to the specified Federation Partner Profile.
Syntax
listFedPartnersForProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile. |
Example
listFedPartnersForProfile("acmeSPProfile")
3.2.30 getFedPartnerProfile
The getFedPartnerProfile command retrieves the ID of the Partner Profile bound to the specified partner.
Description
Retrieves the ID of the Partner Profile bound to the specified partner.
Syntax
getFedPartnerProfile(<partner>, <partnerType>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (sp or idp). |
Example
getFedPartnerProfile("acmeIDP", "idp")
3.2.31 setFedPartnerProfile
The setFedPartnerProfile command sets the Federation Partner Profile ID for the specified partner.
Description
Binds the specified partner to the partner profile with the specified partner profile ID.
Syntax
setFedPartnerProfile(<partner>, <partnerType>, <partnerProfile>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (sp or idp). |
partnerProfile | The ID of the partner profile. |
Example
setFedPartnerProfile("acmeIDP", "idp", "saml20-idp-partner-profile")
3.2.32 idpinitiatedssoprovideridparam
The idpinitiatedssoprovideridparam property sets the name of the parameter that identifies the provider ID of the SP.
Description
The value held by idpinitiatedssoprovideridparam is used by the peer provider to identify the provider ID of the SP.
Syntax
updatePartnerProperty(partnerName, partnerType, "idpinitiatedssoprovideridparam", "providerid", "string")
Argument | Definition |
---|---|
partnerName | The ID of the partner. |
partnerType | Takes as a value either idp or sp. |
propName | Name of the property being configured or modified. |
propValue | The value of the property being configured. For an OIF peer IDP, the parameter name must be "providerid". Changing this property will change the parameter name used in the above URL. |
type | The data type of the property value. Valid values are string, long, or boolean. |
Example
updatePartnerProperty(partnerName, "idp", "idpinitiatedssoprovideridparam", "providerid", "string")
3.2.33 idpinitiatedssotargetparam
The idpinitiatedssotargetparam command sets the target URL for the specified SP partner.
Description
Identifies the target resource. The value held by idpinitiatedssotargetparam is used by the peer provider to identify the desired resource (TARGET in the case of Oracle Identity Federation).
Syntax
updatePartnerProperty(partnerName, partnerType, "idpinitiatedssotargetparam", "TARGET", "string")
Argument | Definition |
---|---|
partnerName | The ID of the partner. |
partnerType | Takes as a value either idp or sp. |
propName | Name of the property being configured or modified. |
propValue | The location of the resource. The default value is |
type | The data type of the property value. Valid values are string, long, or boolean. |
Example
updatePartnerProperty(partnerName, "idp", "idpinitiatedssotargetparam", "TARGET", "string")
Note:
A certificate can be included in a SAML 1.1 signature. Replace <partnerName> with the partner ID and set the includecertinsignature partner property to true to include the certificate with the signature; the same property can be read back with getPartnerProperty and removed with deletePartnerProperty. For example:
updatePartnerProperty("<partnerName>", "sp", "includecertinsignature", "true", "boolean")
getPartnerProperty("<partnerName>", "sp", "includecertinsignature")
deletePartnerProperty("<partnerName>", "sp", "includecertinsignature")
3.2.34 subjectconfirmationcheck
The subjectconfirmationcheck command enables or disables the Subject Confirmation Data check.
Description
Enables or disables the Subject Confirmation Data check on incoming SAML assertions from the specified partner.
Syntax
updatePartnerProperty(partnerName, partnerType, propName, propValue, type)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
propName | Set the property name as 'subjectconfirmationcheck'. |
propValue | Specify the property value. Valid values are true or false. |
type | Data type of the property. It can only be boolean. |
Example
updatePartnerProperty(partnerName="testIDP", partnerType="IDP", propName="subjectconfirmationcheck", propValue="true", type="boolean")
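To show what an SP gives up when the check above is set to false, here is an added illustration (not Oracle's code) of the Subject Confirmation Data validation that the SAML 2.0 bearer profile prescribes: Recipient must be this SP's assertion consumer URL, NotOnOrAfter must not have passed, InResponseTo must match the outstanding request when one was issued, and NotBefore must be absent. The assertion, ACS URL and request ID are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def parse_ts(value):
    # SAML timestamps are UTC; this accepts the plain "...Z" form.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_subject_confirmation(assertion_xml, acs_url, now, request_id=None):
    """Return (ok, reason) after applying the bearer SubjectConfirmationData rules."""
    root = ET.fromstring(assertion_xml)
    for conf in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if conf.get("Method") != BEARER:
            continue  # only bearer confirmations carry these constraints
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer confirmation without SubjectConfirmationData"
        if data.get("Recipient") != acs_url:
            return False, "Recipient is not this SP's ACS URL (assertion replayed elsewhere?)"
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= parse_ts(expiry):
            return False, "NotOnOrAfter missing or already passed"
        if data.get("NotBefore") is not None:
            return False, "NotBefore is not allowed on a bearer confirmation"
        if request_id is not None and data.get("InResponseTo") != request_id:
            return False, "InResponseTo does not match the outstanding AuthnRequest"
        return True, "bearer SubjectConfirmationData accepted"
    return False, "no bearer SubjectConfirmation found"

# Constructed sample assertion; not a real capture.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z" InResponseTo="_req7"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    now = parse_ts("2024-01-01T12:01:00Z")
    print(check_subject_confirmation(SAMPLE, "https://sp.example.com/acs", now, "_req7"))
    print(check_subject_confirmation(SAMPLE, "https://other.example.com/acs", now, "_req7"))
```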