Oracle® Identity Federation Administrator's Guide
10g (10.1.4.0.1)

Part Number B25355-01
3 Installing Oracle Identity Federation

This chapter details the steps required to install Oracle Identity Federation. There are two installation modes: a basic mode, which requires little input and performs a simpler installation, and an advanced mode, which provides more flexibility.

Key deployment scenarios are also described; for example, there is a section explaining how to install and integrate Oracle Identity Federation with Oracle Application Server Single Sign-On.

The chapter contains these sections:

3.1 Prerequisites

This discussion assumes that you have an understanding of Oracle Identity Federation concepts and features, and have collected the information necessary for installation.


See Also:

Chapter 2, "Planning Oracle Identity Federation Deployment" for a checklist of information necessary for deployment.

3.2 Overview of Installation Steps

This section explains briefly the steps involved in Oracle Identity Federation installation.


Note:

There are two installation modes, Basic and Advanced. Table 3-1 covers both modes, and each mode is subsequently discussed in its own section.

Table 3-1 Oracle Identity Federation Installation Steps

  #   Step                       Description
  1   Welcome screen
  2   Step for Unix platforms    Run OrainstRoot.sh.
  3   File locations             Supply source and destination files, paths.
  4   Product selection          Choose the product to install.
  5   Type of install            Choose between default and advanced options. If you select the default option, you are directed to Step 11.
  6   Pre-install checklist      A screen displays pre-installation requirements for confirmation.
  7   Port configuration         Choose between manual and automatic configuration.
  8   Virtual host               Select virtual addressing option.
  9   Record store               Decide how the record store should be updated.
  10  Transient session store    Specify where transient session data will be stored.
  11  Server instance creation   Specify a server name and administrator password.
  12  Summary screen             Displays install options, settings and requirements.
  13  Progress
  14  Run root.sh                This step applies only to Unix/Linux platforms.
  15  Post-installation          Run the Configuration Assistant to deploy Oracle Identity Federation.



3.3 Basic Installation Procedure

Take the following steps to install Oracle Identity Federation:

  1. Run the Oracle Universal Installer. The welcome screen appears.


    No input is required on this screen. Click Next to continue.

  2. If you are installing on a Unix platform, and this is the first install, you must:

    • specify the inventory directory

    • run the OrainstRoot.sh shell script

  3. Specify the path and filename for the install file, a name for the installation, and the complete path to the location where you want to install.


    Note:

    The source file path shown in this screen is for illustration purposes only. The actual path you see will depend on your installation source file.

  4. Select Oracle Identity Federation as the product to install.

  5. Select the Basic installation method.


    When you choose the basic installation, Oracle Universal Installer makes the following assumptions:

    • pre-installation requirements such as root privileges for the host have been met

    • ports used by components and services will be configured automatically, using a pre-allotted port range for each component


      Note:

      You can find port information post-install by checking the $ORACLE_HOME/staticports.ini file.

    • virtual addressing is not required

    • your LDAP directory server will not be automatically updated with the federation record schema

    • no federation data store information will be collected

  6. Confirm pre-installation requirements have been met by checking the box(es).

  7. Specify Oracle Application Server hostnames and the administrator password for this instance of Oracle Identity Federation.


    Note:

    The Oracle Identity Federation administrator username is oif_admin.


    Note:

    This step sets both the ias_admin password and the oif_admin password. The password field cannot be left blank.

  8. Review the summary screen. To revise any information, press the Back button. To continue with the installation, press Install.

  9. Oracle Universal Installer creates an instance of Oracle Containers for J2EE (OC4J) and Oracle Identity Federation.

  10. The installer next directs you to the configuration assistant for default settings.

  11. The Configuration Assistant configures and deploys the EAR file and modifies configuration files. After configuration is complete, a configuration summary screen appears.

  12. The Oracle Universal Installer wizard prompts you to exit the session.

3.4 Advanced Installation Procedure

The advanced installation procedure contains several steps that are bypassed in the basic procedure. See Table 3-1 for a description of all the steps.

Take the following steps to install Oracle Identity Federation in the advanced mode:

  1. Run the Oracle Universal Installer. The welcome screen appears.


    No input is required on this screen. Click Next to continue.

  2. If you are installing on a Unix platform, and this is the first install, you must:

    • specify the inventory directory

    • run the OrainstRoot.sh shell script

  3. Specify the path and filename for the install file, a name for the installation, and the complete path to the location where you want to install.


    Note:

    The source file path shown in this screen is for illustration purposes only. The actual path you see will depend on your installation source file.

  4. Select Oracle Identity Federation as the product to install.

  5. Select the Advanced installation method.


    When you select the Advanced option, the installer continues with Step 6 to collect this information:

    • confirmation of pre-installation requirements such as root privileges for the host

    • port configurations

    • virtual addressing

    • LDAP directory server information for the federation record schema

    • federation data store information

  6. Confirm pre-installation requirements have been met by checking the box(es).

  7. Choose how the port configuration will be determined. Oracle Universal Installer can configure the ports automatically, or you can specify a file, called the staticports.ini file, listing port numbers for the server.

    This is a sample staticports.ini file showing the file format. Replace port numbers with the values that you want to use for the component in question.

    [System]
    @ Host Name = sys04.my.company.com

    [Ports]
    Oracle HTTP Server port = 7778
    Oracle HTTP Server Listen port = 7778
    Oracle HTTP Server SSL port = 4444
    Oracle HTTP Server Listen (SSL) port = 4444
    Oracle Notification Server Request port = 6004
    Oracle Notification Server Local port = 6102
    Oracle Notification Server Remote port = 6201
    Oracle HTTP Server Diagnostic port = 7201
    Java Object Cache port = 7001
    Oracle Management Agent Port = 1831
    Application Server Control RMI port = 1851
    Log Loader port = 44001
    DCM Discovery port = 7101
    Application Server Control port = 1810


    Note:

    The staticports.ini file contains Federation, Apache, Opmn, DCM, and EM ports. See Using Custom Port Numbers (the "Static Ports" Feature) in the Oracle Application Server Installation Guide for your platform for additional details about the staticports.ini file.

  8. Select configuration options to be implemented post-installation:

    • Federation record store - update the LDAP schema of the server where federation records will be stored.

    • Transient data store - transient data can be stored in a relational database; you will be presented with a second screen to provide the database information.

    • Virtual addressing - all components in the installation can be configured to use a virtual hostname; you will be presented with a second screen to specify a virtual hostname.

    • If you elected to update an LDAP schema for your federation records, the installer now prompts you for details. You can choose between Oracle Internet Directory, Sun Java System Directory, and Microsoft Active Directory:


      If the directory server is Oracle Internet Directory or Sun Java System Directory, specify:

      • the server hostname

      • the port on which the server listens

      • whether SSL is enabled or disabled

      • the Oracle Internet Directory superuser name, or a single sign-on username with appropriate install privileges

      • the password


      If the directory server is Microsoft Active Directory, also specify the Domain Suffix.

    • If you elected to store transient data in a relational database, the installer prompts you for details:


      If you specified RDBMS storage for one or more types of transient data in Step 8, Oracle Universal Installer requests connection details for the database:

      • the username and password of a non-administrator account that has connect and resource roles

      • the hostname and the port number at which the server listens

      • the Web service name


      Note:

      Whether you can share an RDBMS transient store depends on how your Oracle Identity Federation server is deployed:

      • If the Oracle Identity Federation server will function as a standalone server, the database instance/database username combination must only be used by this Oracle Identity Federation instance; attempts to use the same RDBMS server/username to persist data for two Oracle Identity Federation servers will cause runtime conflicts around configuration and user session data.

      • If the Oracle Identity Federation Server is deployed in a clustered or load balanced environment, the same database instance/database username combination can be used for all Oracle Identity Federation servers that are part of the cluster/load balancing group. In this case all the Oracle Identity Federation instances will use the same configuration and back-end user session store.


    • If you elected to designate a virtual hostname, enter that information now.

  9. Specify Oracle Application Server hostnames, and the administrator password for this instance of Oracle Identity Federation.


    Note:

    The administrator username is oif_admin.


    Note:

    This step sets both the ias_admin password and the oif_admin password. The password field cannot be left blank.

  10. Review the summary screen. To revise any information, press the Back button. To continue with the installation, press Install.

  11. Oracle Universal Installer creates an instance of Oracle Containers for J2EE (OC4J) and Oracle Identity Federation.

  12. The installer next directs you to the configuration assistant for default settings.

  13. The Configuration Assistant configures and deploys the EAR file, modifies configuration files, and creates the federation data LDAP schema if this was requested.

  14. The Oracle Universal Installer wizard exits.
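Before handing a staticports.ini file to the installer in Step 7 of the advanced procedure, it is worth checking it for two common mistakes: two unrelated listeners given the same port, and values outside the TCP port range. The checker below is an added example, not an Oracle tool; its samples are constructed and reproduce the file layout and key names of the sample staticports.ini shown above.

```python
"""Added example (not an Oracle tool): sanity-check a staticports.ini file
before handing it to Oracle Universal Installer for manual port configuration."""
import configparser
import re
from collections import defaultdict

# Constructed sample reproducing the layout of the page's staticports.ini.
SAMPLE_OK = """\
[System]
@ Host Name = sys04.my.company.com

[Ports]
Oracle HTTP Server port = 7778
Oracle HTTP Server Listen port = 7778
Oracle HTTP Server SSL port = 4444
Oracle HTTP Server Listen (SSL) port = 4444
Oracle Notification Server Request port = 6004
Oracle Notification Server Local port = 6102
Oracle Notification Server Remote port = 6201
Oracle HTTP Server Diagnostic port = 7201
Java Object Cache port = 7001
Oracle Management Agent Port = 1831
Application Server Control RMI port = 1851
Log Loader port = 44001
DCM Discovery port = 7101
Application Server Control port = 1810
"""

# Constructed sample with two defects: two unrelated listeners on 1810 and
# a value outside the TCP port range.
SAMPLE_BAD = """\
[System]
@ Host Name = sys04.my.company.com

[Ports]
Oracle HTTP Server port = 7778
Oracle HTTP Server Listen port = 7778
Application Server Control port = 1810
Application Server Control RMI port = 1810
Log Loader port = 70001
"""


def _listener_key(name):
    """Map 'X port', 'X Listen port' and 'X Listen (SSL) port' onto one listener
    name. Oracle's own sample gives a port and its Listen variant the same
    value, so those pairs describe one listener, not a conflict."""
    n = re.sub(r"[()]", "", name.lower())
    n = re.sub(r"\blisten\b", "", n)
    return " ".join(n.split())


def check_staticports(text):
    """Return a list of problem descriptions; an empty list means the file is
    ready for the installer's manual port configuration."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key names exactly as written
    cfg.read_string(text)
    if not cfg.has_section("Ports"):
        return ["missing [Ports] section"]
    problems = []
    by_port = defaultdict(set)
    for key, raw in cfg.items("Ports"):
        value = raw.strip()
        if not value.isdigit():
            problems.append(f"{key}: non-numeric value {raw!r}")
            continue
        port = int(value)
        if not 1 <= port <= 65535:
            problems.append(f"{key}: port {port} is outside 1-65535")
            continue
        if port < 1024:
            problems.append(f"{key}: port {port} is privileged and needs root to bind")
        by_port[port].add(_listener_key(key))
    # Two different listeners on one port: the second component cannot bind.
    for port, listeners in sorted(by_port.items()):
        if len(listeners) > 1:
            problems.append(f"port {port} assigned to: " + ", ".join(sorted(listeners)))
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_staticports(sample) or "no problems")
```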

3.4.1 Enabling SSL

When you install Oracle Identity Federation, the procedure also installs SSLConfigTool in the $ORACLE_HOME/bin directory. However, this does not configure SSL for the server. Note that:

  • SSLConfigTool cannot be used to affect or modify Oracle Identity Federation SSL configuration. You use the Oracle Identity Federation administration console to configure the server to allow it to communicate with other components over SSL. See "Using SSL with Oracle Identity Federation" for details.

  • To enable SSL on the Oracle Application Server instance where Oracle Identity Federation is running, you must use SSLConfigTool to configure SSL communications for Oracle HTTP Server. For more information, see the Oracle Application Server Administrator's Guide, chapter titled "Enabling SSL in the Infrastructure."

3.5 Testing Your Installation

To check that the Oracle Identity Federation server installed correctly, you can access the Oracle Identity Federation administration console at http://hostname:port/fedadmin.

3.6 What To Do Next

After installation is complete, the Oracle Identity Federation administration console starts up automatically so that you can configure operational details such as:

For detailed information on these and other topics, refer to:

3.6.1 Reassociating the Server

You may need to change the network configuration to point your Oracle Identity Federation server to a different Infrastructure instance. This process (also referred to as reassociation) is necessary, for example, when Oracle Identity Federation server is ready to move from a test environment to a production Infrastructure.

For details of the reassociation procedure, see the Oracle Application Server Administrator's Guide. In Task 8: Update Oracle Identity Federation, Steps 1 and 2 explain how to perform the Infrastructure change. The remaining steps apply if you reassociate Oracle Identity Federation with a different Oracle Internet Directory or OracleAS Single Sign-On.

3.7 Deployment Scenarios

This section describes the steps needed to implement common Oracle Identity Federation deployment scenarios. It contains these sections:

3.7.1 Deploying Oracle Identity Federation with OracleAS Single Sign-On

This section describes the steps needed to install and deploy Oracle Identity Federation so that it is integrated with OracleAS Single Sign-On.

Deployed in this manner, Oracle Identity Federation can leverage the authentication capabilities offered by OracleAS Single Sign-On when local user authentication is required. Oracle Identity Federation can:

  • act as an identity provider to authenticate a user and provide the user's authentication information to any third party, or

  • act as a service provider that consumes authentication data from an identity provider in order to authenticate a user.

Briefly, the steps to achieve this deployment are:

  • Install Oracle Identity Federation using the advanced installation mode, electing to store federation data in Oracle Internet Directory. Optionally, store transient data in a database.

  • Integrate Oracle Identity Federation with OracleAS Single Sign-On. This involves, among other things, updating the OracleAS Single Sign-On environment to add Oracle Identity Federation as an authentication mechanism, and associating the server instance with OracleAS Single Sign-On.

  • Update Oracle Identity Federation configuration to provide connection details for the OracleAS Single Sign-On and Oracle Internet Directory servers, and exchange metadata with peer providers in the Circle of Trust.

Detailed instructions for these steps follow.

Install Oracle Identity Federation

Perform these installation steps:

  1. Launch Oracle Universal Installer. Select the Oracle Identity Federation 10g product, and choose the Advanced installation method.

  2. On the Specify Federation Data Store screen, select Oracle Internet Directory as the directory server type, and enter information about the server in the input fields. In this example, the Oracle Internet Directory server hostname and port, respectively, are infra.example.com and 389:

    Field Sample Value
    Host infra.example.com
    Port 389
    Bind DN cn=orcladmin
    Password password for orcladmin


    Note:

    These LDAP connection credentials are used only to update the directory with the federation data schema. Different credentials are typically configured later for runtime directory access.

  3. If you selected the Federation Transient Data in Database option, a database user must be available with privileges to create tables.

    Rather than using system table space for the transient data, it is recommended that table space be allocated to this user. For example, using SQL*Plus and connecting to the database as user sysdba, the following commands create a user named oifdb and allocate table space for that user:

    -- Dedicated tablespace for the transient data, so it does not land in SYSTEM
    create tablespace ts_oifdb
       logging
       datafile '/scratch/Oracle/i0120/oradata/i0120/ts_oifdb.dbf'
       size 512m
       autoextend on extent management local;

    -- Non-administrator schema owner for the transient tables
    create user oifdb
       identified by oifdb
       default tablespace ts_oifdb;

    -- connect and resource are the only roles the installer asks for
    grant connect,resource to oifdb;

    alter user oifdb account unlock;

  4. On the Specify Federation Transient Data Store screen, enter your database connection information - username, password, host, port, and Web service name.

  5. Complete the remainder of the Oracle Identity Federation installation, specifying the federation server ID, instance name, and administrator password.


Note:

For installation details, see "Advanced Installation Procedure".

Integrate Oracle Identity Federation and OracleAS Single Sign-On

These steps 1) make the Oracle Identity Federation server host known to OracleAS Single Sign-On, and 2) associate the Oracle Identity Federation instance with OracleAS Single Sign-On.

  1. In the Oracle IdM/Infrastructure home, edit the sso/conf/policy.properties file by uncommenting and modifying the following lines, where oif.example.com:7780 is the host and port of the Oracle Identity Federation server:

    SASSOAuthnUrl = http\://oif.example.com\:7780/sso/authn
    SASSOLogoutUrl = http\://oif.example.com\:7780/sso/jsp/sasso_logout_success.jsp
    SASSOAuthLevel = MediumHighSecurity

  2. Add the following lines to the sso/conf/policy.properties file, where content.example.com:8888 is the host and port of the resource server:

    content.example.com\:8888 = MediumHighSecurity
    MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SASSOAuth

  3. Copy the SSO keystore from the Oracle Identity Federation home to the Infrastructure home. For example:

    cp OIF_HOME/sso/conf/keystore INFRA_HOME/sso/conf/

  4. Register partner applications with OracleAS Single Sign-On as usual. For example, if you have a resource at /scratch/protected/index.html, with a virtual host on 140.87.26.53:8888, make these edits to the Apache/Apache/conf/httpd.conf file in the Infrastructure home:

    • Add one of these lines before <IfDefine SSL>, at the end of the LoadModule section:

      For Linux:

      LoadModule osso_module libexec/mod_osso.so

      For Windows:

      LoadModule osso_module modules/ApacheModuleOSSO.DLL

    • Also for Windows, at the end of the AddModule section, before <IfDefine SSL>, add the following line:

      AddModule mod_osso.c

    • Add these lines before "# Include the configuration files needed for mod_oc4j":

      Listen 8888
      NameVirtualHost 140.87.26.53:8888
      <VirtualHost 140.87.26.53:8888>
         ServerName content.example.com
         DocumentRoot "/scratch/protected"
         OssoConfigFile "/scratch/Oracle/i0120/Apache/Apache/conf/osso/osso-app.conf"
         OssoIpCheck off
         <Location /index.html>
            AuthType basic
            Require valid-user
         </Location>
      </VirtualHost>

    • Run the ssoreg script, which is ssoreg.sh on Linux, and ssoreg.bat on Windows. For example:

      sso/bin/ssoreg.sh -oracle_home_path /scratch/Oracle/i0120 \
         -site_name content.example.com -config_mod_osso TRUE \
         -mod_osso_url http://content.example.com:8888 -virtualhost \
         -config_file /scratch/Oracle/i0120/Apache/Apache/conf/osso/osso-app.conf

  5. Restart Infrastructure:

    opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    opmn/bin/opmnctl restartproc process-type=HTTP_Server

  6. To associate the Oracle Identity Federation instance with OracleAS Single Sign-On, open the Oracle Identity Federation Enterprise Manager console in a web browser. For example:

    http://infra.example.com:1810/emd/console

    Perform these steps:

    • Go to Infrastructure -> Identity Management and click the Change button.

    • Enter the Oracle Internet Directory host and port, and click Next.

    • Enter the Oracle Internet Directory username (for example cn=orcladmin) and password, and click Next, then Finish.

    • From the Enterprise Manager main page, restart Oracle HTTP Server, Home, and OC4J_FED.
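The policy.properties edits in Steps 1 and 2 above can be applied to an existing file with the following script, an added example that is not part of the Oracle documentation or product. The sample file contents are constructed; the function keeps the Java-properties escaping of ':' as '\:' seen above, uncomments the template lines in place, and can be re-run without duplicating lines.

```python
"""Added example (not part of the Oracle documentation or product): apply the
SASSO settings to an OracleAS Single Sign-On policy.properties file."""
import re

SASSO_PLUGIN = "oracle.security.sso.server.auth.SASSOAuth"

# Constructed sample of sso/conf/policy.properties with the template lines
# still commented out (not a copy of Oracle's shipped file).
SAMPLE_POLICY = """\
# constructed sample policy.properties
DefaultAuthLevel = MediumSecurity
#SASSOAuthnUrl = http\\://oif-host\\:port/sso/authn
#SASSOLogoutUrl = http\\://oif-host\\:port/sso/jsp/sasso_logout_success.jsp
#SASSOAuthLevel = MediumHighSecurity
"""

# Matches 'key = value' and '#key = value' lines and captures the key.
_KEY_RE = re.compile(r"^#?\s*([^=\s]+)\s*=")


def _escape(value):
    """Escape ':' as '\\:' the way the page's policy.properties lines do."""
    return value.replace(":", "\\:")


def sasso_settings(oif_host_port, resource_host_port):
    """Key/value pairs OracleAS Single Sign-On needs to delegate to OIF."""
    return {
        "SASSOAuthnUrl": _escape(f"http://{oif_host_port}/sso/authn"),
        "SASSOLogoutUrl": _escape(
            f"http://{oif_host_port}/sso/jsp/sasso_logout_success.jsp"),
        "SASSOAuthLevel": "MediumHighSecurity",
        _escape(resource_host_port): "MediumHighSecurity",
        "MediumHighSecurity_AuthPlugin": SASSO_PLUGIN,
    }


def apply_sasso(text, oif_host_port, resource_host_port):
    """Return the file contents with the SASSO settings active. Commented
    template lines are uncommented in place, missing keys are appended, and a
    second active copy of a managed key is dropped so the file is unambiguous."""
    wanted = sasso_settings(oif_host_port, resource_host_port)
    done = set()
    out = []
    for line in text.splitlines():
        m = _KEY_RE.match(line.strip())
        key = m.group(1) if m else None
        if key in wanted:
            if key not in done:
                out.append(f"{key} = {wanted[key]}")
                done.add(key)
            elif line.strip().startswith("#"):
                out.append(line)  # keep vendor template lines for reference
            continue
        out.append(line)
    for key, value in wanted.items():
        if key not in done:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def active_settings(text):
    """Active (uncommented) key/value pairs with '\\:' unescaped, for review."""
    result = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", "!")):
            continue
        key, sep, value = s.partition("=")
        if sep:
            result[key.strip().replace("\\:", ":")] = value.strip().replace("\\:", ":")
    return result


if __name__ == "__main__":
    print(apply_sasso(SAMPLE_POLICY, "oif.example.com:7780",
                      "content.example.com:8888"))
```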

Configure Oracle Identity Federation

These steps 1) provide Oracle Identity Federation with the information needed to connect to data stores, and 2) update and distribute the Oracle Identity Federation metadata to peer providers.

  1. Open the Oracle Identity Federation administration console in a web browser:

    http://oif.example.com:7780/fedadmin

    Log in as oif_admin.

  2. On the IdM Data Stores -> User Data Store screen, select OracleAS Single Sign-On and enter the connection information. For example:

    Field                        Example Value
    Connection URL(s):           ldap://infra.example.com:389
                                 (the Oracle Internet Directory instance used by OracleAS Single Sign-On)
    Bind DN:                     cn=orcladmin
    Password:                    the password for orcladmin
    User ID Attribute:           uid
    User Description Attribute:  uid
    Person Object Class:         inetorgperson
    Base DN:                     dc=example,dc=com
    Other properties:            default values
    OSSO Login URL:              http://infra.example.com:7777/sso/auth
    OSSO Logout URL:             http://infra.example.com:7777/sso/logout

  3. On the IdM Data Stores -> Federation Data Store screen, select LDAP Directory and enter the connection information. For example:

    Field                            Sample Value
    Connection URL(s):               ldap://infra.example.com:389
                                     (the Oracle Internet Directory instance used by OracleAS Single Sign-On)
    Bind DN:                         cn=orcladmin
    Password:                        the password for orcladmin
    User Federation Record Context:  cn=fed,dc=example,dc=com
    LDAP Container Object Class:     <blank>
    Unique Federation ID Attribute:  <blank>

  4. Click Save.

  5. Go to the Oracle Identity Federation Enterprise Manager console and restart OC4J_FED.

  6. Go to the Oracle Identity Federation administration console, and navigate to the Server Configuration -> Circle of Trust screen.

    In the Add Trusted Provider section, browse to the file system location of a peer provider's metadata XML document, and enter descriptive text for that provider. Click Add, then click Done. Click Refresh Server.

  7. If configuring Oracle Identity Federation to be a service provider, go to the Server Configuration -> Service Provider -> Global Settings screen, and select a Default SSO Identity Provider from the list box.

    Click Save, then Refresh Server.

  8. Each peer provider in the circle of trust will need a copy of the Oracle Identity Federation metadata XML document. Start by accessing the metadata URL for the particular server role (SP or IdP) and the federation protocol version (Liberty 1.1, 1.2 or SAML 2.0) in question. For example:

    http://oif.example.com:7780/fed/sp/metadatav20

    http://oif.example.com:7780/fed/idp/metadatav20

  9. Save the XML file retrieved from the URL, and distribute it to the other providers in the circle of trust. If setting up another Oracle Identity Federation instance as part of the circle of trust, this is the file you would load using Add Trusted Provider on the Circle of Trust screen.

3.7.1.1 Testing Federated Single Sign-On

Take these steps to test your federated single sign-on setup:

  1. Use a web browser to access a protected resource. When prompted by the Identity Provider, log in using credentials in the IdP's domain. When prompted by the Service Provider, log in using credentials in the SP's domain. You should now be redirected to the protected resource.

  2. Log out, and then try to access the protected resource again. You should be prompted for login only by the Identity Provider.

3.7.2 Deploying Oracle Identity Federation with Oracle Access Manager

This section describes the steps needed to install and deploy Oracle Identity Federation so that it is integrated with Oracle Access Manager. The steps illustrate a deployment scenario consisting of two nodes:

  • Node A, referred to as host_a (and with an associated URL of the type host-a.us.oracle.com), is a service provider (SP) type server.

  • Node B, referred to as host_b (and with an associated URL of the type host-b.us.oracle.com), is an identity provider (IdP) type server.

The section is broken out into separate instructions for the different component installation and deployment tasks:

3.7.2.1 Install OracleAS Infrastructure

This section explains how to install OracleAS Infrastructure.


Note:

You only need to install the OracleAS Infrastructure with Oracle Access Manager if Oracle Access Manager is going to use Oracle Internet Directory as its directory. Otherwise, the OracleAS Infrastructure does not need to be installed.

  1. Launch Oracle Universal Installer, and select the Oracle Application Server Infrastructure 10g installation option.

  2. Select Identity Management and Metadata Repository.

  3. Use the default configuration options.

  4. After installation is completed, establish database connection.

    • Run the coraenv script to set the proper values of the ORACLE_SID and ORACLE_HOME variables.

    • Connect to the database:

      sqlplus '/ as sysdba'

  5. Run the following SQL commands:

    -- Dedicated tablespace for the federation transient data, spread over two data files
    create tablespace ts_fd
       logging
       datafile '/scratch/aswu/Oracle/i0120/oradata/i0120/ts_fd01.dbf'
          size 512m autoextend off,
       '/scratch/aswu/Oracle/i0120/oradata/i0120/ts_fd02.dbf'
          size 512m autoextend off
       extent management local;

    -- Non-administrator schema owner with only the connect and resource roles
    create user fd identified by fd default tablespace ts_fd;
    grant connect,resource to fd;
    alter user fd account unlock;

3.7.2.2 Install Oracle Access Manager

Several Oracle Access Manager components must be installed for use with Oracle Identity Federation:

  • Identity Server

  • WebPass installed in a Web server

  • Access Server

  • Oracle Access Manager (administration UI) installed on the same Web server as WebPass

  • if the Oracle Identity Federation or Oracle Access Manager site is a service provider (SP), WebGate agents installed on each Web server providing resources or services that are available to federated users

Refer to the Oracle Access Manager Installation Guide for details.

Considerations for Oracle Access Manager Installation

When installing and deploying Oracle Access Manager, pay special attention to issues critical for integration with Oracle Identity Federation:

  • When configuring the Access Server entry in the Access Manager console, set Access Management Service to On.


    Note:

    By default, Access Management Service is set to Off. Oracle Identity Federation requires that this field be set to On.

    See the Oracle Access Manager Access Administration Guide for details.

  • When enabling default policies, it is highly recommended that you set up the Oracle Access and Identity Basic Over LDAP authentication scheme (previously known as the NetPoint Basic Over LDAP authentication scheme). If this is not done, you will need to configure a basic scheme manually.

    See the Oracle Access Manager Access Administration Guide for details.

  • As mentioned earlier, WebGate agents must be installed on each Web server providing resources or services available to federated users if the Oracle Identity Federation or Oracle Access Manager site is a service provider (SP). Note the following when configuring Webgates:

    • The Access Management Service setting must match the setting for the Access Server(s) used by the WebGate. So, if the WebGate uses the same Access Server(s) as Oracle Identity Federation will use, then it must be configured with the Access Management Service set to On. It is also possible for a WebGate to use a different Access Server instance(s) (in the same domain) with the Access Management Service set to Off, in which case the WebGate setting would be Off as well.

    • It is normal practice to set the Primary HTTP Cookie Domain to enable Oracle Access Manager single sign-on across web servers with installed WebGates. At a minimum, the cookie domain must include the Oracle Identity Federation host and at least one WebGate-protected web server. For example, if Oracle Identity Federation is on the host oif.us.company.com and the Web server is www.us.company.com, the domain setting should be .us.company.com or .company.com. If the Web server is www.company.com, the domain setting should be .company.com. Note: The default AccessGate setting for the cookie domain is empty (no domain), which will only work in a very atypical deployment where Oracle Identity Federation and all protected resources reside on the same host.
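The cookie-domain rule above can be checked mechanically. The following helper is an added example, not part of Oracle's documentation or product: it derives the Primary HTTP Cookie Domain values that cover a given Oracle Identity Federation host together with the WebGate-protected Web servers, and checks whether a proposed value (including the empty default) reaches all of them.

```python
"""Added example (not part of the Oracle documentation): work out which
Primary HTTP Cookie Domain values cover the Oracle Identity Federation host
and every WebGate-protected Web server, and check a proposed value."""


def _labels(host):
    """DNS labels of a hostname, normalised to lower case."""
    return host.lower().rstrip(".").split(".")


def candidate_cookie_domains(hosts):
    """Cookie domains (with leading dot) that cover every host, most specific
    first. A bare top-level domain such as '.com' is never offered, and each
    host must keep at least one label of its own above the cookie domain.
    Returns [] when the hosts share no usable parent domain."""
    if not hosts:
        return []
    labels = [_labels(h) for h in hosts]
    # Longest common suffix of the label lists, e.g. ['us', 'company', 'com'].
    common = []
    for parts in zip(*[list(reversed(l)) for l in labels]):
        if len(set(parts)) != 1:
            break
        common.insert(0, parts[0])
    usable = min(len(common), min(len(l) for l in labels) - 1)
    return ["." + ".".join(common[i:])
            for i in range(usable) if len(common) - i >= 2]


def cookie_domain_covers(domain, hosts):
    """True when a cookie set with this Primary HTTP Cookie Domain is sent to
    every host. The empty default (no domain) only works when OIF and all
    protected resources are on the same host, as the note above says."""
    hosts = [h.lower().rstrip(".") for h in hosts]
    if not domain:
        return len(set(hosts)) == 1
    d = domain.lower().rstrip(".")
    if not d.startswith("."):
        d = "." + d
    return all(h == d[1:] or h.endswith(d) for h in hosts)


if __name__ == "__main__":
    deployment = ["oif.us.company.com", "www.us.company.com"]
    print(candidate_cookie_domains(deployment))  # ['.us.company.com', '.company.com']
    print(cookie_domain_covers("", deployment))  # False
```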

3.7.2.3 Install Oracle Identity Federation

This section explains how to install Oracle Identity Federation for use with Oracle Access Manager. This is a brief summary of the necessary steps. For details, see "Advanced Installation Procedure".

  1. Launch Oracle Universal Installer, and select the Oracle Identity Federation 10g installation option.

  2. Select the Advanced installation method.

  3. In Select Configuration Options, select Federation Data in LDAP Server and Federation Transient Data in Database.

  4. In Specify Federation Data Store, provide this information:

    • Server Type - Oracle Internet Directory

    • Host/Port - the LDAP server host and port

    • Bind DN - cn=orcladmin

  5. In Specify Federation Transient Data Store, provide this information:

    • Username

    • Password

    • Host, Port and Service Name - the database for transient data

3.7.2.4 Integrate Oracle Identity Federation and Oracle Access Manager

This section explains how to integrate Oracle Identity Federation and Oracle Access Manager. This includes certain steps in both environments, such as configuring an AccessGate for Oracle Identity Federation (in Oracle Access Manager) and setting data store and other configuration parameters (in Oracle Identity Federation).


See Also:

See the Oracle Access Manager Access Administration Guide for details.

  1. Use the Access System Console http://AMhost:AMport/access/oblix (where AMhost:AMport is the web server where you installed WebPass and Access Manager) to configure an AccessGate for Oracle Identity Federation.

    1. Select the Access System Configuration tab.

    2. Select the Add New AccessGate link from the console panel.

    3. Configure the AccessGate as follows, replacing the values in italics with your own values:

      AccessGate Name: OIF
      Password: OIF-PASSWORD
      Hostname: OIF-HOST
      Port: OIF-PORT
      Transport Security: Match the Access Servers to be configured in Step d.
      Access Management Service: On
      Primary HTTP Cookie Domain: .company.com (Note: As noted in the WebGate configuration, the Primary HTTP Cookie Domain configured for Oracle Identity Federation must match the Primary HTTP Cookie Domains configured for the WebGates protecting the content to be accessed by federated users.)
      Preferred HTTP Host: OIF-HOST

      Click Save.

    4. Click List Access Server.

      Click Add.

      Select one or more servers from drop-down menu. Note: All selected Access Servers must have Access Management Service On.

      Number of connections: 1
      

      Click Add.

  2. Use the Access System Console to configure the Fed HostID, if required.

    1. Select the Access System Configuration tab.

    2. Select the Host Identifiers link from the console panel.

    3. If no host identifiers are defined, you do not need the Fed HostID. Skip to Step 3.

    4. If host identifiers are defined, click the Add button.

      Name: Fed HostID
      

      Note: Enter the same fixed value for all supported languages.

      Hostname variables: OIF-HOST:OIF-PORT
      

      Note: If OIF-PORT is 80 or 443, also include OIF-HOST.

      Click Save.

  3. Install the Access Server SDK:

    1. Run the AccessServerSDK installer (for example, Oracle_Access_Manager10_1_4_0_1_linux_AccessServerSDK) under OIF_HOME/fed/shareid/.

    2. If installing on Linux, set the LD_ASSUME_KERNEL environment variable.

      Open the Enterprise Manager console for the Oracle Identity Federation installation in a web browser. For example:

      http://oif.example.org:1810/emd/console

      Perform these steps:

      - Under System Components, click the link for OC4J_FED.

      - Go to Administration -> Server Properties and, under Environment Variables, click Add Environment Variable.

      - In the new entry, enter LD_ASSUME_KERNEL in the Name field, and enter 2.4.19 in the Value field. Leave the Append checkbox unchecked.

      - Click Apply.

      - Click OK to restart the OC4J_FED container.

  4. Go to the Oracle Identity Federation administration console at http://OIF-HOST:OIF-PORT/oifadmin. Click on the IdM Data Stores tab.


    Note:

    Substitute parameter values (bind DN, password, DNs, and so on) as required for your directory.

    For the federation data store:

    Bind DN: cn=orcladmin
    Password: your-password
    User Federation Record Context: cn=fed,dc=us,dc=oracle,dc=com
    
    

    For the user data store:

    Active Repository: Oracle Access Manager
    Connection URL(s):  ldap://LDAP-Server-Host:Port
    Bind DN: cn=orcladmin
    Password: your-password
    User ID Attribute: uid
    User Description Attribute: uid
    Person Object Class: inetOrgPerson
    Base DN: dc=us,dc=oracle,dc=com
    
    

    For Oracle Access Manager configuration parameters:

    Master Admin Login ID: orcladmin
    Master Admin Password: your-password
    Authorization result for unprotected resources: Allow
    Oracle Access Manager Cookie Domain: .company.com 
    Basic Authentication Scheme Name: Oracle Access and Identity authentication scheme
    
    

    Note:

    • Oracle Access Manager Cookie Domain: As noted in the WebGate configuration, the Primary HTTP Cookie Domain configured for Oracle Identity Federation must match the Primary HTTP Cookie Domains configured for the WebGates protecting content to be accessed by federated users.

    • Basic Authentication Scheme Name: Use the Access System Console (http://AMhost:AMport/access/oblix) to find a suitable basic authentication scheme. If you enabled the default policies when you installed Oracle Access Manager (by selecting Access Manager in the Oracle Access Manager console, checking the two policies and clicking Enable), you can use the basic scheme created for those policies:

      • For Oracle Access Manager 10.1.4: Oracle Access and Identity Basic Over LDAP authentication scheme

      • For COREid 7.0.4: NetPoint Basic Over LDAP

      If no basic schemes are configured, you must set one up following instructions in the Oracle Access Manager Access Administration Guide. You can cut and paste the display name for the chosen basic scheme from the Access System Console to the Oracle Identity Federation User Data Store page.


    Click Apply.

    Use these credentials for the Access Server:

    • Access Server Host Name: access-server-host


      Note:

      This must be one of the servers configured in step 1d.

    • Access Server Port: access-server-port

    • Access Gate ID: OIF

    • Access Gate Password: OIF-password

    • Connection Type: must match the access servers

    Restart the Oracle Identity Federation server.

  5. To make sure that the integration is complete:

    • Log into the Access System Console http://AMhost:AMport/access/oblix/.

    • Click Access Manager.

    • Check Fed Domain created in My Policy Domains.

  6. To create a resource protected by Oracle Identity Federation (as a service provider):

    1. Follow the steps for protecting resources in the Oracle Access Manager Access Administration Guide, in the chapter Protecting Resources with Policy Domains.

    2. Change the authentication scheme to one of:

      Fed SSO - SAML2.0/Liberty 1.x – to use SAML 2 or Liberty 1.1 or 1.2 SSO profiles

      Fed SSO - WS-Federation – to use the WS-Federation Passive Requester SSO profile

      Fed SSO - SAML 1.x – to use SAML 1.0 or 1.1 SSO profiles


      Note:

      The choice is determined by the protocols that the partner identity providers support. If the same resource will be accessed by partners requiring different protocols, you must set up separate policies with different resource URLs to map the requests to the appropriate authentication scheme. For example, to provide access to a resource /my-resource using both SAML 2 and WS-Federation, you can set up:

      • a policy for a resource /my-resource-saml2 that uses the Fed SSO – SAML2.0/Liberty 1.x scheme, and

      • a policy for a resource /my-resource-wsfed that uses the Fed SSO – WS-Federation scheme.

      You must then configure the web server to map these pseudonymous URLs to the actual /my-resource URL.