| Oracle® Identity Federation Administrator's Guide 10g (10.1.4.0.1) Part Number B25355-01 |
|
|
View PDF |
| Oracle® Identity Federation Administrator's Guide 10g (10.1.4.0.1) Part Number B25355-01 |
|
|
View PDF |
Additional topics pertinent to Oracle Identity Federation server configuration and management are described here. This includes:
There are several ways to perform a federated single sign-on (SSO) operation, depending on the back-end in use and where the flow will be initialized. Table 6-1 shows the possible combinations:
Table 6-1 Federated Single Sign-On Combinations
| Combination | Flow |
|---|---|
|
OracleAS Single Sign-On with Liberty 1.x/SAML 2.0 |
User accesses a resource protected by |
|
Oracle Access Manager with Liberty 1.x/SAML 2.0 |
User accesses a resource protected by webgate, triggering SAML 2.0/Liberty 1.x single sign-on, with Oracle Identity Federation acting as SP. |
|
Oracle Access Manager with SAML 1.x/WS-Federation |
User accesses a resource protected by webgate, triggering SAML 1.x/WS-Federation single sign-on, with Oracle Identity Federation acting as SP. |
|
eTrust SiteMinder with SAML 2.0/Liberty 1.x |
User accesses a resource protected by eTrust SiteMinder Agent, triggering SAML 2.0/Liberty 1.x single sign-on, with Oracle Identity Federation acting as SP. |
|
eTrust SiteMinder with SAML 1.x/WS-Federation |
User accesses a resource protected by eTrust SiteMinder Agent, triggering SAML 1.x/WS-Federation single sign-on, with Oracle Identity Federation acting as SP. |
|
SP-initiated single sign-on with SAML 2.0/Liberty 1.x |
User initiates a Liberty 1.x/SAML 2.0 single sign-on by directly accessing an Oracle Identity Federation URL, with Oracle Identity Federation acting as SP. |
|
SP-initiated single sign-on with SAML 1.x |
User initiates a SAML 1.x single sign-on by directly accessing an Oracle Identity Federation URL, with Oracle Identity Federation acting as SP. |
|
SP-initiated single sign-on with WS-Federation |
User initiates a WS-Federation single sign-on by directly accessing an Oracle Identity Federation URL, with Oracle Identity Federation acting as SP. |
|
IdP-initiated single sign-on with SAML 2.0/Liberty 1.x |
User initiates a SAML 2.0/Liberty 1.x single sign-on by directly accessing an Oracle Identity Federation URL, with Oracle Identity Federation acting as IdP. |
|
IdP-initiated single sign-on with SAML 1.x |
User initiates a SAML 1.x single sign-on by directly accessing an Oracle Identity Federation URL, with Oracle Identity Federation acting as IdP. |
|
IdP-initiated single sign-on with WS-Federation |
User initiates a WS-Federation single sign-on by directly accessing an Oracle Identity Federation URL, with Oracle Identity Federation acting as IdP. |
This section explains how to configure the different combinations:
OracleAS Single Sign-On can be configured to trigger a Liberty 1.x or SAML 2.0 SSO operation when requesting a resource protected by mod_osso.
|
Note: This feature is not supported with SAML 1.x and WS-Federation protocols. |
To achieve this, the OracleAS Single Sign-On partner application must be defined and must be protected by mod_osso. The partner application must also be configured to use the SSO Security level associated with the SASSO Authentication plug-in. You do this by editing the ORACLE_HOME/sso/conf/policy.properties file of the Oracle SSO deployment, and setting the partner application (defined by its hostname and port) to the same security level as the SASSOAuthLevel property.
For example:
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SASSOAuth MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth ... www.app.com\:7890 = MediumHighSecurity ... SASSOAuthnUrl = http\://oif_host\:oif_port/sso/authn SASSOLogoutUrl = http\://oif_host\:oif_port/sso/jsp/sasso_logout_success.jsp SASSOAuthLevel = MediumHighSecurity
Save the file and restart OC4J_SECURITY to apply the changes.
The next time a user attempts an unauthenticated access to the protected resource, the user is redirected to Oracle Identity Federation where a Liberty 1.x/SAML 2.0 SSO operation occurs.
When requesting the protected resource, it is possible to specify URL query parameters that Oracle Identity Federation can use to perform the SSO operation. The parameters are:
providerid - This is the identifier of the Liberty 1.x or SAML 2.0 IdP to use to perform the SSO operation (optional). If missing, the default SSO provider, set in the Oracle Identity Federation administration console at Service Provider -> Global Settings -> Default SSO Identity Provider, will be used.
federationid - This is the identifier of the affiliation to use for the SSO (optional). An example of such a URL is:
http://protected_app:port/path?providerid=http://idp.com
See "Working with Affiliations" for more information.
|
Note: Check that the URL query parameter values are correctly encoded. |
Refer to the Oracle SSO documentation for details about OracleAS Single Sign-On configuration.
Oracle Access policies can be set up to initiate a Liberty 1.x/SAML 2.0 SSO when the user requests a resource protected by the Oracle Access Manager WebGate agent.
To do this, use the Oracle Access Policy Manager to set up a policy domain or policy that protects the resource. When creating the authentication rule for the policy domain or policy, select the Fed SSO – SAML 2.0/Liberty 1.x authentication scheme. Oracle Identity Federation automatically creates this authentication scheme when it is configured to use Oracle Access. The scheme initiates the Liberty 1.x or SAML 2.0 single sign-on when the resource is accessed, resulting in a session for the local user associated with the federated user. Set up the authorization rules and expression for the policy domain or policy to allow access for the resulting local user.
When requesting the protected resource, it is possible to specify URL query parameters that Oracle Identity Federation can use to perform the SSO operation. The parameters are:
providerid - This is the identifier of the Liberty 1.x or SAML 2.0 IdP to use to perform the SSO operation (optional). If missing, the default SSO provider, set in the Oracle Identity Federation administration console at Service Provider -> Global Settings -> Default SSO Identity Provider, will be used.
federationid - This is the identifier of the affiliation to use for the SSO (optional). An example of such a URL is:
http://protected_app:port/path?providerid=http://idp.com
See "Working with Affiliations" for more information.
|
Note: Check that the URL query parameter values are correctly encoded. |
Refer to the Oracle Access Manager Identity and Common Administration Guide for configuration details.
Oracle Access Manager policies can be set up to initiate a SAML 1.x or WS-Federation SSO when a user requests a resource protected by the Oracle Access Manager WebGate agent.
To do this, use the Oracle Access Policy Manager to set up a policy domain or policy that protects the resource. When creating the authentication rule for the policy domain or policy, select the Fed SSO – SAML 1.x or Fed SSO – WS-Federation authentication scheme. Oracle Identity Federation automatically creates these authentication schemes when it is configured to use Oracle Access Manager. The schemes use SAML 1.x or WS-Federation to initiate a federated SSO when the resource is accessed, resulting in a session for the local user associated with the federated user. Set up the authorization rules and expression for the policy domain or policy to allow access for the resulting local user.
This section contains these topics:
When the Fed SSO – SAML 1.x authentication scheme is in use, Oracle Identity Federation will look for a cookie named ObSAMLDomain in the HTTP request which indicates the IdP that is to be used for the SSO. Oracle Identity Federation automatically sets this persistent cookie to the name of the IdP's configured domain at the end of a SAML 1.x SSO. Consequently, the user must have performed at least one successful SAML 1.x SSO for this feature to work. If Oracle Identity Federation does not find the ObSAMLDomain cookie, it assumes the user is local and performs a local Access Manager login.
|
Note: This feature was known as SmartMarks in Oracle COREid Federation. |
Some additional Oracle Identity Federation configuration is needed at the SP for the SAML 1.x authentication scheme to work. In the SAML 1.x or WS-Federation Domain configuration for the IdP, SmartMarks must be enabled and the Transfer URL and Transfer Query String fields must be set. The Transfer URL is the URL used at the IdP to initiate a SAML 1.x SSO, and the Transfer Query String provides the parameters for the SSO to be directed back to the SP.
|
Note: This URL and query string are not specified by the SAML 1.x specifications, so they will depend on the SAML implementation used by the IdP. When Oracle Identity Federation processes the SSO, it will concatenate the Transfer URL, the Transfer Query String, and the URL for the requested resource (the target) to be used in a redirection to the IdP. This requires that any target URL parameter be the last parameter in the Transfer Query String, as demonstrated the Oracle Identity Federation example which follows. |
When the IdP is another Oracle Identity Federation installation, the Transfer URL and Transfer Query String are partially set according to Oracle Identity Federation conventions. The Transfer Query String needs to be completed with information specific to the IdP configuration for the SP: the SP domain name as configured at the IdP and the SSO method to be used.
Example
Consider an IdP named Acme and an SP named Zenith, both using Oracle Identity Federation. In the Acme domain configured at Zenith:
Transfer URL = https://fed.acme.com/shareid/saml/ObSAMLTransferService
Transfer Query String = DOMAIN=Zenith&METHOD=post&TARGET=
If the target URL is https://www.acme.com/, then the complete redirection URL is:
https://fed.acme.com/shareid/saml/ObSAMLTransferService?DOMAIN=Zenith&METHOD=post&TARGET=https://www.zenith.com/
|
Note: This is the Oracle Identity Federation URL for IdP-initiated SSO with SAML 1.x as discussed in "SP-initiated SSO with SAML 1.x". |
When the Fed SSO – WS-Federation authentication scheme is in use, Oracle Identity Federation uses the ObSAMLDomain cookie to determine the IdP as described earlier for SAML 1.x. However, unlike SAML 1.x, if the ObSAMLDomain cookie is not found, Oracle Identity Federation will display an IdP selection page listing the configured IdPs that can be used for WS-Federation. If there is only one such IdP, Oracle Identity Federation skips the selection page and immediately uses that IdP. Once the WS-Federation SSO has completed successfully, Oracle Identity Federation will set the ObSAMLDomain cookie to the IdP domain. So the user only has to select the IdP on the first access to the SP.
Since the WS-Federation Passive Requester Profile specifies how to perform SP-initiated SSO, no additional Oracle Identity Federation configuration is required to make the WS-Federation authentication scheme work.
Like all Access authentication schemes, the Fed SSO – SAML 1.x and Fed SSO – WS-Federation schemes have authentication levels that represent the strength of the authentication method. The default authentication level for the Fed SSO schemes is 1 (the lowest strength), but these levels may be adjusted using the Access System Console.
|
Note: Oracle Identity Federation also creates other authentication schemes for the configured assertion mappings, and the authentication level of the assertion mapping scheme used to create the local session must be equal to or greater than the WS-Federation SSO scheme levels. |
Liberty 1.x/SAML 2.0 SSO can be triggered by requesting a resource protected by eTrust SiteMinder policy.
To do this, create a policy under eTrust SiteMinder, which will protect a resource using the Form Authentication scheme. You will need to add a Form Authentication scheme through the eTrust SiteMinder Admin Console. While adding the Authentication scheme, select the scheme type as HTML Form Template, then make these changes:
Set Protection level to 1.
Under the Scheme Setup tab:
Set Server name to CASiteMinderHost.domain:Port
Set Target to /siteminderagent/forms/login.fcc.redirect.html
Under the Advance tab, set Library to smauthhtml.
After configuring the Form Authentication scheme, add the HTML file shown here under <NetegritySMInstallArea>\SMWebAgent\Samples\Forms, naming it login.fcc.redirect.html.
<html>
<!--Redirect to OIF-->
<body onload="setTimeout(location.href=getRedirectURL(), 1);"/>
<script>
//<!--
function getRedirectURL ()
{
var targetParam = getQueryParam("TARGET");
if (targetParam.indexOf("$SM$") == 0)
targetParam = targetParam.substring
(4, targetParam.length);
// Redirect
var redirectURL =
"http://<SPHost.Domain>:<Port>/fed/sp/smredirect?providerid="
+ escape("http://<idPHost.Domain>:<Port>/fed/idp")
+"&targetURL=" + targetParam;
return redirectURL;
}
function getQueryParam (param)
{
var result = "";
var url = location.href;
var qIndex = url.indexOf("?");
if (qIndex > -1)
{
var queryString = url.substring(qIndex + 1, url.length);
var params = queryString.split("&");
for (var i = 0, n = params.length; i < n; ++i)
{
var nvPair = params[i].split("=");
if (nvPair[0] == param)
{
result = nvPair[1];
break;
}
}
}
return result;
}
//-->
</script>
</html>
This form redirects the user to a servlet on the SP that will:
process the targetURL query parameter
initiate a flow that results in the user being ultimately redirected to the URL specified by this parameter once single sign-on completes
When requesting the protected resource, it is possible to specify URL query parameters that Oracle Identity Federation can use to perform the SSO operation. The parameters are:
providerid - This is the identifier of the Liberty 1.x or SAML 2.0 IdP to use to perform the SSO operation (optional). If missing, the default SSO provider, set in the Oracle Identity Federation administration console at Service Provider - > Global Settings - > Default SSO Identity Provider, will be used.
federationid - This is the identifier of the affiliation to use for the SSO (optional). An example of such a URL is:
http://protected_app:port/path?providerid=http://idp.com
See "Working with Affiliations" for more information.
|
Note: Check that the URL query parameter values are correctly encoded. |
Refer to the eTrust SiteMinder documentation for configuration details.
SAML 1.x/WS-Federation SSO can be triggered by requesting URLs in a specific format.
To trigger SAML 1.x SSO from the IdP, use a URL in the following format:
http(s)://<idPHost.Domain>:<Port>/shareid/saml/ObSAMLTransferService?DOMAIN=<SP-DomainName>&METHOD=POST&TARGET=<Resource-protected-by-CASiteMinder>
where Resource-protected-by-CASiteMinder is any resource protected by eTrust SiteMinder.
To initiate SAML 1.x SSO from the SP, protect the resource at eTrust SiteMinder by a Form Authentication scheme as described earlier in "eTrust SiteMinder with Liberty 1.x/SAML 2.0". Use a form that looks something like this:
<html>
<!--Redirect to OSFS-->
<body onload="setTimeout(location.href=getRedirectURL(), 1);"/>
<script>
//<!--
function getRedirectURL ()
{
var targetParam = getQueryParam("TARGET");
if (targetParam.indexOf("$SM$") == 0)
targetParam = targetParam.substring(4, targetParam.length);
// Redirect
var redirectURL =
"http://<SPHost.Domain>:<Port>/shareid/saml/ObSAMLTransferForm?"+
"&TARGET=" + targetParam;
return redirectURL;
}
function getQueryParam (param)
{
var result = "";
var url = location.href;
var qIndex = url.indexOf("?");
if (qIndex > -1)
{
var queryString = url.substring(qIndex + 1, url.length);
var params = queryString.split("&");
for (var i = 0, n = params.length; i < n; ++i)
{
var nvPair = params[i].split("=");
if (nvPair[0] == param)
{
result = nvPair[1];
break;
}
}
}
return result;
}
//-->
</script>
</html>
Accessing the SP resource redirects the user to an Oracle Identity Federation servlet, which looks for a cookie (named ObSAMLDomain) in the HTTP request that indicates which IdP to use for the SSO, and then redirects the user for authentication to that IdP. Oracle Identity Federation automatically sets this persistent cookie to the name of the IdP's configured domain at the end of an idP-initiated SAML 1.x single sign-on. This means that the user must have done at least one successful SAML 1.x SSO for the feature to work. If Oracle Identity Federation does not find the ObSAMLDomain cookie, it assumes the user is local and performs a local login at the Service Provider domain.
|
Note: This feature was known as SmartMarks in Oracle COREid Federation. |
Some additional Oracle Identity Federation configuration is needed at the SP for the SAML 1.x authentication scheme to work. In the SAML 1.x/WS-Federation Domain configuration for the IdP, SmartMarks must be enabled and the Transfer URL and Transfer Query String fields must be set. The Transfer URL is the URL used at the IdP to initiate a SAML 1.x SSO, and the Transfer Query String provides the parameters for the SSO to be directed back to the SP.
|
Note: This URL and query string are not specified by the SAML 1.x specifications, so they will depend on the SAML implementation used by the IdP. When Oracle Identity Federation processes the SSO, it will concatenate the Transfer URL, the Transfer Query String, and the URL for the requested resource (the target) to be used in a redirection to the IdP. This requires that any target URL parameter be the last parameter in the Transfer Query String. |
When the IdP is another Oracle Identity Federation installation, the Transfer URL and Transfer Query String are partially set according to Oracle Identity Federation conventions. The Transfer Query String must be completed with information specific to the IdP configuration for the SP: the SP domain name as configured at the IdP, and the SSO method to be used.
To trigger WS-Federation SSO, use URLs in the following format:
http(s)://<SPHost.Domain>:<Port>/shareid/wsfederation/ObWSFedResourceSTS?wa=wsignin1.0&wctx=<Resource-Protected-by-CASiteMinder>
Here Resource-protected-by-CASiteMinder is any resource protected by eTrust SiteMinder.
Oracle Identity Federation uses the ObSAMLDomain cookie in the HTTP request, which indicates the IdP to be used for authentication. If the ObSAMLDomain cookie is not found, Oracle Identity Federation displays an IdP selection page listing the configured IdPs that can be used for WS-Federation. If there is only one such IdP, Oracle Identity Federation skips the selection page and immediately uses that IdP. Once the WS-Federation SSO has completed successfully, Oracle Identity Federation sets the ObSAMLDomain cookie to the IdP domain. The user only needs to select the IdP on the first access to the SP.
Here is an example URL:
http://costarica.myorg.co.in:7779/shareid/wsfederation/ObWSFedResourceSTS?wa=wsignin1.0&wctx=http://mulshi.myorg.co.in/mytest/index.html
When Oracle Identity Federation server is integrated with OracleAS Single Sign-On, Oracle Access Manager or Entrust eTrust SiteMinder, a user can initiate a Liberty 1.x/SAML 2.0 SSO operation by directly requesting a service at the Oracle Identity Federation/SP instance.
The URL to be requested on the Oracle Identity Federation server is:
http(s)://Oracle Identity Federation_host:Oracle Identity Federation_port/fed/sp/initiatesso
It is possible to specify query parameters when requesting that URL:
providerid - This is the identifier of the Liberty 1.x or SAML 2.0 IdP to use to perform the SSO operation (optional). If missing, the default SSO provider, set in the Oracle Identity Federation administration console at Service Provider - > Global Settings - > Default SSO Identity Provider, will be used.
federationid - This is the identifier of the affiliation to use for the SSO (optional).
See "Working with Affiliations" for more information.
returnurl - This is the URL to which the user is sent after a successful SSO operation. It is required if the Unsolicited Relay State property, set in the Oracle Identity Federation administration console at Server Properties - > Circle Of Trust - > Settings for the IdP, is empty.
An example of such a URL is:
http://oif_host:oif_port/fed/sp/initiatesso?providerid=http://idp.com&returnurl=ProtectedAppURL
Check that the query parameter values are correctly URL-encoded.
When Oracle Identity Federation is integrated with OracleAS Single Sign-On, Oracle Access Manager, or eTrust SiteMinder, it is possible to initiate a SAML 1.x SSO operation by directly requesting a service at the Oracle Identity Federation/SP instance using the following URL:
http(s)://oif_host:oif_port/shareid/saml/ObSAMLTransferForm?TARGET=targetURL
where targetURL is the URL of the requested resource. The ObSAMLTransferForm service follows the same rules as the Fed SSO – SAML 1.x authentication scheme discussed in "Using the Fed SSO - SAML 1.x Authentication Scheme". It looks for the ObSAMLDomain cookie to specify the IdP to be used. If the ObSAMLDomain cookie is not found, a local login is performed.
For example:
http://oif_host:oif_port/shareid/saml/ObSAMLTransferForm? TARGEt=http://host:port/protected.html
|
Note: With Oracle Access Manager, you can protect the targetURL by a policy domain using any authentication scheme, as long as the authentication level of the scheme is less than or equal to the authentication level of the assertion mapping authentication scheme used to create the local user. |
When Oracle Identity Federation is integrated with OracleAS Single Sign-On, Oracle Access Manager, or eTrust SiteMinder, you can initiate a WS-Federation SSO request from the SP with a URL with the format:
http(s)://oif_host:oif_port/shareid/wsfederation/ObWSFedResourceSTS?wa=wsignin1.0& wctx=targetURL
where targetURL is the URL of the requested resource. The ObWSFedResourceSTS service follows the same rules as the Fed SSO – WS-Federation authentication scheme discussed in "Using the Fed SSO - WS-Federation Authentication Scheme". If the ObSAMLDomain cookie is present, it is used to determine the IdP. If there is only one IdP configured for WS-Federation, that IdP is used. Otherwise an IdP selection page is displayed.
Here is an example URL:
http://host:port/shareid/wsfederation/ObWSFedResourceSTS? wa=wsignin1.0&wctx=http://host:port/protected.html
|
Note: With Oracle Access Manager, you can protect the targetURL by a policy domain using any authentication scheme, as long as the authentication level of the scheme is less than or equal to the authentication level of the assertion mapping authentication scheme used to create the local user. |
For the Liberty 1.x and SAML 2.0 protocols, Oracle Identity Federation provides the ability to initiate an SSO operation by directly requesting a URL at the Oracle Identity Federation instance acting as an IdP; this is called an SSO IdP-initiated operation.
The url to be requested on the Oracle Identity Federation server is of the form:
http(s)://oif_host:oif_port/fed/idp/initiatesso
It is possible to specify query parameters when requesting that URL:
providerid - This is the identifier of the Liberty 1.x or SAML 2.0 IdP to use to perform the SSO operation (required).
federationid - This is the identifier of the affiliation to use for the SSO (optional).
See "Working with Affiliations" for more information.
returnurl - This is the url to which the user is sent after a successful SSO operation (optional).
An example of such a URL is:
http://oif_host:oif_port/fed/idp/initiatesso?providerid=http://sp.com&returnurl=ProtectedAppURL
|
Note: Check that the query parameter values are correctly URL-encoded. |
When Oracle Identity Federation is enabled for SSO with SAML1.x, it is possible to initiate an SSO request from the IdP. The URL for the request is of the form:
http(s)://oif_host:oif_port/shareid/saml/ObSAMLTransferService
with these parameters:
DOMAIN is the domain name configured for the SP
METHOD is POST or ARTIFACT
TARGET is the target URL that is to be accessed
For example:
http://oif_host:oif_port/shareid/saml/ObSAMLTransferService?DOMAIN=SP_domain&METHOD=post&TARGET=http://host2:port/protected.html
When Oracle Identity Federation is enabled for SSO with WS-Federation, it is possible to initiate an SSO request from the IdP, using a URL in the following format:
http(s)://oif_host:oif_port/shareid/wsfederation/ObWSFedIdentitySTS
with these parameters:
wa is wsignin1.0
wtrealm is the request realm URI defined by the SP
wctx is the target URL to be accessed
For example:
http://oif_host:oif_port/shareid/wsfederation/ObWSFedIdentitySTS?wa=wsignin1.0& wtrealm=http://sp_host/&wctx=http://sp_host:port/protected.html
The run-time functioning of affiliations depend on whether the Oracle Identity Federation server is acting as an IdP or an SP.
Oracle Identity Federation Acting as IdP
When Oracle Identity Federation is an IdP, provided the affiliation/SP is present and enabled in the circle of trust, the Oracle Identity Federation server is ready to process any requests originating from service providers using the affiliation.
Oracle Identity Federation Acting as SP
As an SP, you can trigger a single sign-on operation with an IdP using an affiliation to which the SP belongs. To do so, just include a federationid query parameter in the URL protected by the IdM back-end, and set the parameter value to the affiliation ID.
For example with an OracleAS Single Sign-On back-end, assuming that a resource is protected by mod_osso and configured for Oracle Identity Federation authentication, requesting the URL of this resource with the federationid query parameter will instruct Oracle Identity Federation to use an affiliation when performing single sign-on with a peer IdP. Here is an example of such a URL:
http://protected_res_host:protected_res_port/path?federationid=http://affiliationid
It is also possible to directly access the http://oif_host:oif_port/fed/sp/initiatesso URL with the same federationid query parameter. In this case, Oracle Identity Federation will trigger a single sign-on operation, and will use the Unsolicited SSO RelayState for the peer IdP as the URL to which the user is redirected after successful authentication.
|
Note: The Unsolicited SSO RelayState is set on the Server Configuration -> Circle of Trust -> Edit Trusted Provider page of the Oracle Identity Federation administration console. |
Take these steps to export an identity provider's self-signed certificate into the service provider's keystore. This procedure is utilized in SAML 1.x and WS-Federation configurations.
At the Identity Provider, export the self-signed certificate from the keystore by running the keytool utility in the Oracle Identity Federation home directory:
C:\<OIFHome>\jdk\jre\lib\security>keytool -keystore C:\<OIFHome>\fed\shareid\oblix\config\keystore -storepass <password> -export -alias shareid -file <myfile>
where storepass is the password that was specified when Oracle Identity Federation was installed.
Copy the certificate file to a location that can be accessed by the service provider.
At the service provider, import the IdP's certificate into the keystore:
C:\<OIFHome>\jdk\jre\lib\security>keytool -keystore C:\<OIFHome>\fed\shareid\oblix\config\keystore -storepass <password> -import -alias <anyName>-file <myfile>
Restart the Oracle Identity Federation service provider from the Oracle Enterprise Manager console.
The transient/one-time identifier, commonly referred as the anonymous identifier, is used when the Service Provider (SP) only requires the user to be authenticated by the Identity Provider (IdP) but does not need to know the user's identity.
The IdP typically knows the user's identity, since it will have authenticated the user, but the SP will have no knowledge of any aspects of the identity, except the fact that the user has been authenticated at the IdP.
Transient/one-time identifiers must be configured at both the SP and the IdP.
Take these configuration steps at the service provider:
Log on to the Oracle Identity Federation administration console.
Go to Server Configuration - > Service Provider.
In the Anonymous User Identifier field, enter the User ID of an account from the user data store that will be used to identify anonymous users. This User ID should be of the same type as the one used to reference users (that is, corresponding to the User ID Attribute or Login ID Column on the User Data Store page).
Click Save.
Go to Server Configuration - > Service Provider, then choose Liberty 1.2 or SAML 2.0 as appropriate.
|
Note: Transient identifiers are not supported for Liberty 1.1. |
For the Default Authn Request NameID Format, select Transient/One-time Identifier.
Click Save, then Refresh Server.
Take these configuration steps at the identity provider:
Log on to the Oracle Identity Federation administration console.
Go to Server Configuration - > Identity Provider, then choose Liberty 1.2 or SAML 2.0 as appropriate.
|
Note: Transient identifiers are not supported for Liberty 1.1. |
Click the Select button for Assertion NameID Formats.
Check the box to enable the Transient/One-time Identifier Name ID format.
Click Apply, then Refresh Server.
Typically, when performing a single sign-on operation, the service provider specifies the Name ID format for the identity provider to use when it sends the Assertion containing the user information; this is done by selecting the Default Authn Request NameID Format in the Service Provider configuration.
However, you can configure the service provider not to specify any Name ID format. To achieve this:
Log on to the Oracle Identity Federation administration console.
Go to Server Configuration - > Service Provider, then choose Liberty 1.2 or SAML 2.0 as appropriate.
|
Note: Unspecified format is not supported for Liberty 1.1. |
Select Unspecified as the Default Authn Request NameID Format.
Click Save, then Refresh Server.
When the IdP receives a single sign-on request from an SP without any requested Name ID Format, the IdP will use an existing federation to perform the single sign-on operation. If no federation exists, the IdP will create a new federation based on the default Assertion Name ID Format configured at the IdP. To configure this format:
Log on to the Oracle Identity Federation administration console.
Go to Server Configuration - >Identity Provider, then choose Liberty 1.2 or SAML 2.0 as appropriate.
|
Note: Unspecified format is not supported for Liberty 1.1. |
Click Assertion NameID Formats.
Select the Default Assertion NameID Format.
Click Apply, then Refresh Server.
This section explains automatic account linking at a service provider and how to use the feature. It contains these topics:
Automatic account linking at the SP allows the service provider to directly map an identity contained in an assertion to a user. With this feature:
a new federation can be created, when none exists for the user and the peer IdP, without having to prompt the user for credentials. This is achieved in conjunction with a federation data store.
the Oracle Identity Federation server is not required to use a federation data store to persist federation records.
Automatic account linking is supported for SAML 2.0 SSO operations with non-opaque name identifiers, when enabled:
X.509
e-mail address
Kerberos principal name
Windows domain qualified name
This feature is not supported for:
Liberty 1.x SSO
SAML 2.0 SSO operations using persistent and transient name identifiers
Make sure that federation creation is allowed when using this feature (see "Service Provider - Global Settings").
Take these steps to configure automatic account linking at the SP:
Configure the Service Provider to request a non-opaque SAML 2.0 Name ID:
Go to the Oracle Identity Federation administration console.
Go to Server Configuration - > Service Provider, then SAML 2.0.
Select the Default Authn Request NameID Format to be one of: X.509, Email Address, Kerberos Principal Name or Windows Domain Qualified Name.
|
Note: You can select Unspecified - in that case, the IdP will decide the Name ID format, which must be non-opaque. |
Click Apply.
Map the selected Name ID format to a user attribute that uniquely reference a user record:
Go to Server Configuration - > Service Provider, then SAML 2.0.
Click Account Linking NameID Formats.
Check which Name ID formats are to be enabled, and the attribute name that will contain the user information for the specified name IDs.
|
Note: dn references the DN of an LDAP entry. |
Click Apply.
Enable the automatic account linking feature:
Go to Server Configuration - > Service Provider, then SAML 2.0.
Check the Auto Account Linking Enabled property.
Click Apply, then Refresh Server.
This section explains automatic account linking at an identity provider and how to use the feature. It contains these topics:
Automatic account linking at the identity provider allows the IdP to create a federation automatically, if no federation exists and if the SP did not request that one be created. With this feature:
a new federation can be created, when none exists for the user and the peer SP, without the SP having to request it. This is achieved in conjunction with a federation data store.
the Oracle Identity Federation server is not required to use a federation data store to persist federation records.
Automatic account linking is supported for SAML 2.0 SSO operations with non-opaque name identifiers, when enabled:
X.509
e-mail address
Kerberos principal name
Windows domain qualified name
This feature is not supported for:
Liberty 1.x SSO
SAML 2.0 SSO operations using persistent and transient name identifiers
Take these steps to configure the IdP for automatic account linking:
Specify the Name ID format mappings:
Go to Server Configuration - > Identity Provider, then SAML 2.0.
Click Assertion NameID Formats.
Check which Name ID formats are to be enabled, and the attribute name that will contain the user information for the specified name IDs.
|
Note: dn references the DN of an LDAP entry. |
Click Apply.
Optionally, configure the Default Assertion Name ID Format to use a non-opaque Name ID.
Enable the automatic account linking feature:
Go to Server Configuration - > Identity Provider, then SAML 2.0.
Check the Auto Account Linking Enabled property.
Click Apply, then Refresh Server.
