Integrating Oracle Identity Federation 11g with Oracle Access Manager 10g

7-10 Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management

New Incoming Attributes Supported by Oracle Identity Federation 11g

In addition to the changes described in Table 7–2, the following new incoming attributes are available in Oracle Identity Federation 11g. These attributes have no equivalents in Oracle Identity Federation 10g, but are available to the authentication engine in 11g:

■ oracle.security.fed.authn.providerid
■ oracle.security.fed.authn.providerdescription
■ oracle.security.fed.authn.engineid
■ oracle.security.fed.authn.userid
■ oracle.security.fed.authn.forceauthn
■ oracle.security.fed.authn.passive
■ oracle.security.fed.authn.attributes
■ oracle.security.fed.sessionid

For more information about these new attributes, see "Implementing the Service" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

Changes to Parameters and Attributes Sent to Oracle Identity Federation 11g

The following attribute names must be changed after you upgrade to Oracle Identity Federation 11g:

■ Change oracle.security.sso.sasso.uid to oracle.security.fed.authn.userid
■ Change oracle.security.sso.sasso.refID to oracle.security.fed.authn.refid
■ Change oracle.security.sso.sasso.authnMech to oracle.security.fed.authn.authnmech
■ Change oracle.security.sso.sasso.authnInst to oracle.security.fed.authn.authntime

Table 7–2 (Cont.) Parameters and Attributes Received from Oracle Identity Federation

Parameter or Attribute: authnMech
    Changes in Oracle Identity Federation 11g: This 10g query parameter has been changed to the following attribute in 11g: oracle.security.fed.authn.authnmech. As a result, any occurrence of request.getParameter("authnMech") in the custom engine must be changed to request.getAttribute("oracle.security.fed.authn.authnmech"). In 10g, the value of the authnMech parameter was always oracle:fed:authentication:password-protected. In 11g, the oracle.security.fed.authn.authnmech attribute can have other values, so engine code that assumed the password-protected mechanism must now check the attribute value. For more information, see "Configuring Authentication Mechanisms" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

Parameter or Attribute: refID
    Changes in Oracle Identity Federation 11g: This 10g query parameter has been changed to the following attribute in 11g: oracle.security.fed.authn.refid. As a result, any occurrence of request.getParameter("refID") in the custom engine must be changed to request.getAttribute("oracle.security.fed.authn.refid").

Upgrading Your Oracle Identity Federation Environment 7-11

For example, suppose you have the following attribute in Oracle Identity Federation 10g:

    request.setAttribute("oracle.security.sso.sasso.uid", userID);

For Oracle Identity Federation 11g, you must change this attribute as follows:

    request.setAttribute("oracle.security.fed.authn.userid", userID);

For more information about the values that must be set by the authentication engine before doing an internal forward to Oracle Identity Federation 11g, see "Implementing the Service" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

Additional Attributes to Include in a Request to Oracle Identity Federation 11g

In addition to the existing 10g attributes, Oracle Identity Federation 11g expects the additional attributes shown in Table 7–3 in each request.

Table 7–3 Additional Attributes to Include in a Request to Oracle Identity Federation 11g

Attribute: oracle.security.fed.authn.expirationtime
    Description: Expiration time of the authenticated session, as a Date object.

Attribute: oracle.security.fed.authn.engineid
    Description: The identifier referencing the engine used to authenticate the user. The engine is created in the configuration of Oracle Identity Federation 11g. For more information, see Section 7.5.2.5, "Creating the Authentication Engine in Oracle Identity Federation 11g".

Attribute: oracle.security.fed.authn.attributes
    Description: This optional map of attributes is stored in the user session. Its keys are String objects and its values are Sets of Objects.

Attribute: oracle.security.fed.sessionid
    Description: This optional string contains the Oracle Identity Federation session identifier that Oracle Identity Federation will use to reference the user session. This allows the engine and the Oracle Identity Federation server to share the same identifier for the user session. Later, when the logout flow is executed, Oracle Identity Federation passes the session ID that is being logged out to the engine, so that the engine can delete the data it kept for that user session.

7.5.2.2 Modifying the SP Engine Code

Similar to its effect on authentication engines, the HttpServletRequest attributes available to the SP engines in Oracle Identity Federation 11g are different from those in 10g. As a result, you must modify the SP engine code so it can read the attribute values from their new parameter names. Refer to the following sections for more information:

■ Initiating a Federation SSO Operation
■ Processing the Request from the Federation Server

Initiating a Federation SSO Operation

In Oracle Identity Federation 10g, if the Service Provider Engine did not find a valid user, it initiated single sign-on by redirecting to the Oracle Identity Federation server functioning as the service provider. The URL it redirects to is as follows:

    http://SP_HOST_NAME:SP_PORT/fed/sp/initiatesso

The following values are sent to Oracle Identity Federation as query parameters:
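The following is an added example, not code from the Oracle guide or from Oracle Identity Federation itself, that ties together the authentication engine changes above (reading the renamed 11g attributes instead of the 10g query parameters, checking the authnmech value rather than assuming password-protected, and setting the outgoing attributes from the rename list and Table 7–3) with the session-identifier hand-off used by the logout flow. It assumes the following: the RequestView interface only mirrors the three HttpServletRequest methods the engine code calls (getAttribute, setAttribute, getParameter), so the in-memory implementation in main() stands in for the real servlet request; the engine identifier CustomEngineExample, the refid value and the user attributes are constructed for the example; and the type of oracle.security.fed.authn.authntime is assumed to be a Date, which this section does not state.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/** Migration helper for a custom OIF 10g authentication engine moving to 11g (example only). */
public final class Oif11gEngineMigration {

    /** The three HttpServletRequest methods the engine uses; main() supplies an in-memory stand-in. */
    public interface RequestView {
        Object getAttribute(String name);
        void setAttribute(String name, Object value);
        String getParameter(String name);
    }

    /** 10g query parameter or attribute name -> 11g request attribute name, as listed in this section. */
    public static final Map<String, String> RENAMED;
    static {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("authnMech",                           "oracle.security.fed.authn.authnmech");
        m.put("refID",                               "oracle.security.fed.authn.refid");
        m.put("oracle.security.sso.sasso.uid",       "oracle.security.fed.authn.userid");
        m.put("oracle.security.sso.sasso.refID",     "oracle.security.fed.authn.refid");
        m.put("oracle.security.sso.sasso.authnMech", "oracle.security.fed.authn.authnmech");
        m.put("oracle.security.sso.sasso.authnInst", "oracle.security.fed.authn.authntime");
        RENAMED = Collections.unmodifiableMap(m);
    }

    /** The only authnMech value a 10g engine ever received; 11g may send other mechanisms. */
    public static final String PASSWORD_PROTECTED = "oracle:fed:authentication:password-protected";

    /** Engine identifier as configured in OIF 11g (hypothetical value for this example). */
    public static final String ENGINE_ID = "CustomEngineExample";

    /** Incoming side: 10g read request.getParameter("authnMech"); 11g reads the attribute instead.
     *  The mechanism is returned only if the engine implements it, so code that used to assume
     *  password-protected cannot answer for a mechanism it never verified. */
    public static String requiredMechanism(RequestView req, Set<String> implementedMechs) {
        Object mech = req.getAttribute("oracle.security.fed.authn.authnmech");
        if (mech == null) {
            // Null after the upgrade usually means some code path still calls getParameter("authnMech").
            throw new IllegalStateException("oracle.security.fed.authn.authnmech not set");
        }
        if (!implementedMechs.contains(mech.toString())) {
            throw new IllegalStateException("engine does not implement mechanism " + mech);
        }
        return mech.toString();
    }

    /** Outgoing side: the renamed attributes plus the Table 7-3 attributes, set before the internal forward. */
    public static String setAuthenticatedUser(RequestView req, String userId, String mech,
                                              Date sessionExpiry, Map<String, Set<Object>> attrs) {
        Object refId = req.getAttribute("oracle.security.fed.authn.refid");
        if (refId == null) throw new IllegalStateException("oracle.security.fed.authn.refid missing");
        String sessionId = UUID.randomUUID().toString(); // shared with OIF through oracle.security.fed.sessionid
        req.setAttribute("oracle.security.fed.authn.userid", userId);
        req.setAttribute("oracle.security.fed.authn.refid", refId);
        req.setAttribute("oracle.security.fed.authn.authnmech", mech);
        req.setAttribute("oracle.security.fed.authn.authntime", new Date());        // Date type assumed
        req.setAttribute("oracle.security.fed.authn.expirationtime", sessionExpiry); // Date, per Table 7-3
        req.setAttribute("oracle.security.fed.authn.engineid", ENGINE_ID);
        req.setAttribute("oracle.security.fed.authn.attributes", attrs);             // Map<String, Set<Object>>
        req.setAttribute("oracle.security.fed.sessionid", sessionId);
        return sessionId;
    }

    /** Migration check: 10g names still present on the request after the engine has run. */
    public static List<String> leftoverLegacyNames(RequestView req) {
        List<String> found = new ArrayList<>();
        for (String old : RENAMED.keySet()) {
            if (req.getAttribute(old) != null || req.getParameter(old) != null) found.add(old);
        }
        return found;
    }

    /** Engine-side session data keyed by the OIF session id; OIF passes that id back at logout. */
    public static final class SessionRegistry {
        private final Map<String, Date> expiryBySession = new HashMap<>();
        public void register(String sessionId, Date expiry) { expiryBySession.put(sessionId, expiry); }
        public boolean isActive(String sessionId, Date now) {
            Date exp = expiryBySession.get(sessionId);
            return exp != null && exp.after(now);
        }
        public boolean logout(String sessionId) { return expiryBySession.remove(sessionId) != null; }
    }

    public static void main(String[] args) {
        // Constructed in-memory request standing in for what OIF 11g forwards to the engine.
        Map<String, Object> store = new HashMap<>();
        RequestView req = new RequestView() {
            public Object getAttribute(String n) { return store.get(n); }
            public void setAttribute(String n, Object v) { store.put(n, v); }
            public String getParameter(String n) { return null; } // 11g sends attributes, not query parameters
        };
        store.put("oracle.security.fed.authn.authnmech", PASSWORD_PROTECTED);
        store.put("oracle.security.fed.authn.refid", "ref-1234"); // constructed value

        String mech = requiredMechanism(req, Collections.singleton(PASSWORD_PROTECTED));
        Date expiry = new Date(System.currentTimeMillis() + 8L * 3600 * 1000);
        Map<String, Set<Object>> userAttrs = new HashMap<>();
        userAttrs.put("mail", Collections.<Object>singleton("alice@example.com"));
        String sid = setAuthenticatedUser(req, "alice", mech, expiry, userAttrs);

        SessionRegistry registry = new SessionRegistry();
        registry.register(sid, expiry);
        System.out.println("leftover 10g names: " + leftoverLegacyNames(req));
        System.out.println("active before logout: " + registry.isActive(sid, new Date()));
        registry.logout(sid); // the id OIF hands back during the logout flow
        System.out.println("active after logout: " + registry.isActive(sid, new Date()));
    }
}
```

In the engine itself, pass the servlet request where the example passes RequestView, and run leftoverLegacyNames against the request in a test after the engine has populated it: any 10g name it reports points at a code path that was not migrated and that OIF 11g will ignore.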