Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Introduction to Oracle Identity Federation

• 1.1 Federated Identity Management
  • 1.1.1 Challenges of User Identity Management
  • 1.1.2 Federation Use Cases
  • 1.1.3 Concepts and Terminology
  • 1.1.4 Federation Protocols
    • 1.1.4.1 SAML Basics
    • 1.1.4.2 Evolution of the Federated Identity Standards
    • 1.1.4.3 SAML 1.x
    • 1.1.4.4 Liberty ID-FF 1.1
    • 1.1.4.5 Liberty ID-FF 1.2
    • 1.1.4.6 SAML 2.0
    • 1.1.4.7 WS-Federation
• 1.2 About Oracle Identity Federation
  • 1.2.1 Features and Benefits of Oracle Identity Federation
  • 1.2.2 Architecture
  • 1.2.3 Federation Protocol Profiles
    • 1.2.3.1 Browser POST Profile
    • 1.2.3.2 Browser Artifact Profile
    • 1.2.3.3 SOAP Binding
    • 1.2.3.4 Browser HTTP Redirect Profile
    • 1.2.3.5 Name Identifier Profiles
    • 1.2.3.6 SAML Attribute Sharing Profile
    • 1.2.3.7 WS-Federation Passive Requester Profile
    • 1.2.3.8 Federation Termination Profile
    • 1.2.3.9 Global Logout Profile
  • 1.2.4 Affiliations
  • 1.2.5 Example of Federation Event Flow
  • 1.2.6 Supported Standards and Applications

2 Planning Oracle Identity Federation Deployment

• 2.1 Architecture Options
  • 2.1.1 Role in Federation
  • 2.1.2 Topology
    • 2.1.2.1 Hub-and-Spoke
    • 2.1.2.2 Peer-to-Peer
  • 2.1.3 Proxy Server
  • 2.1.4 Server Security
    • 2.1.4.1 SSL Encryption
    • 2.1.4.2 Certificate-based Authentication
    • 2.1.4.3 Certificate Repository and Validation
  • 2.1.5 Protocol
• 2.2 Profiles and Bindings
  • 2.2.1 Supported Protocols
  • 2.2.2 Choosing a Profile
    • 2.2.2.1 Using the Artifact Profile
    • 2.2.2.2 Using the POST Profile
    • 2.2.2.3 SAML Security Considerations
    • 2.2.2.4 Using the SAML Attribute Sharing Profile
    • 2.2.2.5 Using the WS-Federation Logout Profile
• 2.3 Authentication Engines
  • 2.3.1 Authentication Methods in Oracle Identity Federation
  • 2.3.2 Authenticating with a Repository in IdP Mode
  • 2.3.3 Authenticating with an IdM Solution in IdP Mode
  • 2.3.4 Authenticating with Oracle Access Manager or eTrust SiteMinder in SP Mode
  • 2.3.5 Authenticating with OracleAS Single Sign-On in SP Mode
• 2.4 Data Repositories
  • 2.4.1 Federation Data Store
  • 2.4.2 User Data Store
  • 2.4.3 Transient Data Store
• 2.5 Installation Requirements
  • 2.5.1 Required Components
  • 2.5.2 Supported platforms
• 2.6 Implementation Checklist

3 Installing Oracle Identity Federation

• 3.1 Prerequisites
• 3.2 Overview of Installation Steps
• 3.3 Basic Installation Procedure
• 3.4 Advanced Installation Procedure
  • 3.4.1 Enabling SSL
• 3.5 Testing Your Installation
• 3.6 What To Do Next
  • 3.6.1 Reassociating the Server
• 3.7 Deployment Scenarios
  • 3.7.1 Deploying Oracle Identity Federation with OracleAS Single Sign-On
    • 3.7.1.1 Testing Federated Single Sign-On
  • 3.7.2 Deploying Oracle Identity Federation with Oracle Access Manager
    • 3.7.2.1 Install OracleAS Infrastructure
    • 3.7.2.2 Install Oracle Access Manager
    • 3.7.2.3 Install Oracle Identity Federation
    • 3.7.2.4 Integrate Oracle Identity Federation and Oracle Access Manager

4 Server Administration

• 4.1 Basic Administration
  • 4.1.1 Role of the Federation Server Administrator
    • 4.1.1.1 Deployment Planning
    • 4.1.1.2 Other Planning Tasks
  • 4.1.2 Logging into Oracle Identity Federation
  • 4.1.3 Starting and Stopping the Server
  • 4.1.4 Changing your Administrator Password
  • 4.1.5 Oracle Identity Federation Log Files
• 4.2 Managing Identity Federations
  • 4.2.1 Edit Trusted Provider Configuration
  • 4.2.2 Federations for [Provider]
  • 4.2.3 Users
  • 4.2.4 Federations for a User
• 4.3 Reassociation
  • 4.3.1 Changing the Federation Data Store
  • 4.3.2 Changing the User Data Store
  • 4.3.3 Changing the RDBMS Data Store
  • 4.3.4 Deleting Federation Data
  • 4.3.5 Changing the Oracle Access Manager Instance
  • 4.3.6 Deleting Policy Objects from Oracle Access Manager
• 4.4 Uninstalling Oracle Identity Federation
  • 4.4.1 Overview of Uninstallation
  • 4.4.2 Uninstallation Steps
    • 4.4.2.1 Uninstall Error Messages
  • 4.4.3 Oracle Application Server Instance Deconfig Tool
    • 4.4.3.1 Deconfig Tool Syntax and Parameters
    • 4.4.3.2 Deconfig Tool Log Files
  • 4.4.4 Uninstalling OracleAS Cold Failover Cluster Installations
  • 4.4.5 Cleaning Up Oracle Application Server Processes
  • 4.4.6 Reinstallation

5 Configuring Oracle Identity Federation

• 5.1 Data Maintained by Oracle Identity Federation
  • 5.1.1 Server Configuration Data
  • 5.1.2 User Federation Data
• 5.2 Administration Console Overview
• 5.3 Basic Server Configuration
  • 5.3.1 Server Configuration Tab
  • 5.3.2 Editing Server Properties
  • 5.3.3 Editing Global Properties
    • 5.3.3.1 Identity Provider - Global Settings
    • 5.3.3.2 Identity Provider - Select Messages to Send Signed
    • 5.3.3.3 Identity Provider - Select Messages to Require Signed
    • 5.3.3.4 Service Provider - Global Settings
    • 5.3.3.5 Service Provider - Select Messages to Send Signed
    • 5.3.3.6 Service Provider - Select Messages to Receive Signed
  • 5.3.4 Editing Protocol-specific IdP Properties
    • 5.3.4.1 Identity Provider - Liberty 1.1 Properties
    • 5.3.4.2 Enable Liberty 1.1 Identity Provider Profiles
    • 5.3.4.3 Identity Provider - Liberty 1.2 Properties
    • 5.3.4.4 Enable Liberty 1.2 Identity Provider Profiles
    • 5.3.4.5 Select Liberty 1.2 Identity Provider NameID Formats
    • 5.3.4.6 Identity Provider - SAML 2.0 Properties
    • 5.3.4.7 Enable SAML 2.0 Identity Provider Profiles
    • 5.3.4.8 Select SAML 2.0 Identity Provider NameID Formats
  • 5.3.5 Editing Protocol-specific SP Properties
    • 5.3.5.1 Service Provider - Liberty 1.1 Properties
    • 5.3.5.2 Enable Liberty 1.1 Service Provider Profiles
    • 5.3.5.3 Service Provider - Liberty 1.2 Properties
    • 5.3.5.4 Enable Liberty 1.2 Service Provider Profiles
    • 5.3.5.5 Service Provider - SAML 2.0 Properties
    • 5.3.5.6 Enable SAML 2.0 Service Provider Profiles
    • 5.3.5.7 Select SAML 2.0 Service Provider NameID Formats
  • 5.3.6 Service Provider - Attribute Requester
  • 5.3.7 Editing Circles of Trust
    • 5.3.7.1 Circle of Trust
    • 5.3.7.2 Editing a Trusted Provider
    • 5.3.7.3 Edit Trusted Provider: Attribute Mappings
    • 5.3.7.4 Select Messages to Send Signed
    • 5.3.7.5 Select Messages to Require Signed
    • 5.3.7.6 Edit Trusted Provider: Select NameID Formats
  • 5.3.8 Configuring and Using Affiliations
    • 5.3.8.1 About Affiliations
    • 5.3.8.2 Affiliation Support in Oracle Identity Federation
    • 5.3.8.3 Configuring Affiliations
    • 5.3.8.4 Runtime Behavior of Affiliations
    • 5.3.8.5 How Affiliations are Displayed
  • 5.3.9 Editing the Certificate Validation Store
• 5.4 Configuring IdM Data Stores
  • 5.4.1 Edit Federation Data Store
  • 5.4.2 Edit User Data Store
    • 5.4.2.1 Configuring an RDBMS as the User Data Store
• 5.5 Configuring SAML 1.x and WS-Federation Properties
  • 5.5.1 Certificate Store
  • 5.5.2 Regenerate Encryption Key
  • 5.5.3 Audits and Logs
  • 5.5.4 Assertion Profiles
  • 5.5.5 Add Assertion Profile
  • 5.5.6 Edit Assertion Profile
  • 5.5.7 Destination Mappings
  • 5.5.8 Modify Destination Mappings
    • 5.5.8.1 The SmartWalls Feature
  • 5.5.9 Domains
  • 5.5.10 Update MyDomain
  • 5.5.11 Add Oracle Identity Federation Domain
  • 5.5.12 Add a Non-Oracle Identity Federation Domain
  • 5.5.13 Exchanging SAML 1.x and WS-Federation Configuration Data with Peers
    • 5.5.13.1 When Oracle Identity Federation is an IdP
    • 5.5.13.2 When Oracle Identity Federation is an SP
• 5.6 Configuring Attribute Sharing
  • 5.6.1 Components Used for Attribute Sharing
  • 5.6.2 Remote and Local Users
  • 5.6.3 Configuring the Oracle Access Manager Plugins
  • 5.6.4 Configuring Oracle Access Manager Schemes and Policies
    • 5.6.4.1 Configuring the Attribute Sharing Authentication Scheme
    • 5.6.4.2 Configuring the Attribute Sharing Authorization Scheme
    • 5.6.4.3 Configuring an Oracle Access Manager Policy using Attribute Sharing
  • 5.6.5 Configuring Oracle Identity Federation as an SP Attribute Requester
    • 5.6.5.1 If Using Basic Authentication
    • 5.6.5.2 If Using Client Certificate Authentication
  • 5.6.6 Configuring Oracle Identity Federation as an IdP Attribute Responder
  • 5.6.7 Configuring Oracle Identity Federation for SSL
• 5.7 Configuring the Logout Service
  • 5.7.1 WS-Federation Logout
• 5.8 Using SSL with Oracle Identity Federation
  • 5.8.1 SSL to Remote Providers
  • 5.8.2 SSL to Data Stores
  • 5.8.3 SSL with HTTP Endpoints

6 Additional Server Configuration

• 6.1 Setting up Single Sign-On Services
  • 6.1.1 OracleAS Single Sign-On with Liberty 1.x/SAML 2.0
    • 6.1.1.1 URL Query Parameters
  • 6.1.2 Oracle Access Manager with Liberty 1.x/SAML 2.0
    • 6.1.2.1 URL Query Parameters
  • 6.1.3 Oracle Access Manager with SAML 1.x/WS-Federation
    • 6.1.3.1 Using the Fed SSO - SAML 1.x Authentication Scheme
    • 6.1.3.2 Using the Fed SSO - WS-Federation Authentication Scheme
  • 6.1.4 eTrust SiteMinder with Liberty 1.x/SAML 2.0
    • 6.1.4.1 URL Query Parameters
  • 6.1.5 eTrust SiteMinder with SAML 1.x/WS-Federation
    • 6.1.5.1 Using SAML 1.x Authentication
    • 6.1.5.2 Using WS-Federation Authentication
  • 6.1.6 SP-initiated SSO with Liberty 1.x/SAML 2.0
    • 6.1.6.1 URL Query Parameters
  • 6.1.7 SP-initiated SSO with SAML 1.x
  • 6.1.8 SP-initiated SSO with WS-Federation
  • 6.1.9 IdP-initiated SSO with Liberty 1.x/SAML 2.0
    • 6.1.9.1 URL Query Parameters
  • 6.1.10 IdP-initiated SSO with SAML 1.x
  • 6.1.11 IdP-initiated SSO with WS-Federation
• 6.2 Working with Affiliations
• 6.3 Exporting the IdP's self-signed certificate to the SP
• 6.4 How to Use the Transient/One-time Identifier
• 6.5 How to Allow the IdP to Determine the Name ID Format
• 6.6 How to Use Automatic Account Linking at the SP
  • 6.6.1 What is Automatic Account Linking at the SP?
  • 6.6.2 Configuring Automatic Account Linking at the SP
• 6.7 How to Use Automatic Account Linking at the IdP
  • 6.7.1 What is Automatic Account Linking at the IdP?
  • 6.7.2 Configuring Automatic Account Linking at the IdP

7 Monitoring Oracle Identity Federation

• 7.1 About Oracle Identity Federation Monitoring
  • 7.1.1 Metrics
  • 7.1.2 Monitoring Components
  • 7.1.3 Monitoring Data Flow
• 7.2 Monitoring Console
  • 7.2.1 Accessing the Console
    • 7.2.1.1 Monitoring Agent Home Tab
    • 7.2.1.2 Monitoring Agent Configuration Tab
  • 7.2.2 Monitor Agent Home
  • 7.2.3 Monitor Agent IdP Statistics Home
  • 7.2.4 Monitor Agent IdP Statistics (SSO)
  • 7.2.5 Monitor Agent IdP Statistics (Identity Federation)
  • 7.2.6 Monitor Agent IdP Statistics (Peer Provider)
  • 7.2.7 Monitor Agent SP Statistics Home
  • 7.2.8 Monitor Agent SP Statistics (SSO)
  • 7.2.9 Monitor Agent SP Statistics (Identity Federation)
  • 7.2.10 Monitor Agent SP Statistics (Peer Provider)
  • 7.2.11 Metric Display at the Console
• 7.3 Managing Monitored Installations
  • 7.3.1 Monitored Installations
  • 7.3.2 Statistics Repository
• 7.4 Archiving Metrics

8 Advanced Topics

• 8.1 Configuration Assistants
  • 8.1.1 Prerequisites for the Configuration Assistants
  • 8.1.2 Configuration Assistant Operations
    • 8.1.2.1 Repository Maintenance
    • 8.1.2.2 Deployment
• 8.2 Command-line Tools
  • 8.2.1 Bulk Federation Utility
    • 8.2.1.1 The Create Mode
    • 8.2.1.2 The Read Mode
    • 8.2.1.3 Output Files Generated by Bulk Load
    • 8.2.1.4 Syntax and Examples
  • 8.2.2 Command-Line Configuration Assistant to Change the Transient Data Store
    • 8.2.2.1 Syntax and Examples
  • 8.2.3 Command-Line Configuration Assistant for Uninstallation
    • 8.2.3.1 Syntax and Examples
• 8.3 Managing Oracle Identity Federation Performance
  • 8.3.1 Setting Concurrent Connection Limits
  • 8.3.2 Setting JDBC Connection Limits
  • 8.3.3 Tuning Oracle HTTP Server
• 8.4 High Availability
  • 8.4.1 Web Application Session State Replication
  • 8.4.2 Centralized Storage of Configuration Information
  • 8.4.3 Data Tier
    • 8.4.3.1 Configuring Redundant LDAP Servers
  • 8.4.4 Additional Information
• 8.5 Setting Up a Load Balancer with Oracle Identity Federation
  • 8.5.1 Additional Considerations for SAML 1.x or WS-Federation
  • 8.5.2 Additional Steps for the Oracle Identity Federation Monitoring console
• 8.6 Setting Up a Proxy for Oracle Identity Federation

A Troubleshooting Oracle Identity Federation

• A.1 Problems and Solutions
  • A.1.1 Oracle Identity Federation Configuration Issues
    • A.1.1.1 Requester ID in SAML 1.x Artifacts
    • A.1.1.2 Logout Displays No Return Page
    • A.1.1.3 No JSESSIONID cookie Error
  • A.1.2 Oracle Single Sign-On Login Issues
    • A.1.2.1 Incorrect Login Page Appears
    • A.1.2.2 Bookmarked Login Pages
    • A.1.2.3 Error When Reissuing SAML 1.x URL After Timeout
  • A.1.3 Oracle Access Manager Configuration Issues
    • A.1.3.1 AccessGate Permission Error
    • A.1.3.2 Non-ASCII AccessGate ID
    • A.1.3.3 Setting LD_ASSUME_KERNEL Value
    • A.1.3.4 Using the Same Cookie Domain for Two Back-ends
  • A.1.4 Operating System Configuration Issues
    • A.1.4.1 File Descriptors on Linux
  • A.1.5 Runtime/Single Sign-On Issues
    • A.1.5.1 404 Error when Using Oracle SmartMarks
    • A.1.5.2 Incorrect Identity Provider for SAML 1.x or WS-Federation
    • A.1.5.3 Bookmarking a WS-Federation Protected Resource
  • A.1.6 Oracle Identity Federation Administration Console Issues
    • A.1.6.1 Cannot Log in to the Administration Console

Glossary

Index