Changes to the Logout Service for Authentication or SP Engines

Upgrading Your Oracle Identity Federation Environment 7-15

■ Logout Enabled – select this check box if the engine needs to perform logout when a logout operation is performed.
■ Logout Relative Path – the relative path of the engine logout service.

4. Click Save.

The Oracle Identity Federation server generates an Engine ID for the new engine. The Engine ID is the value of the oracle.security.fed.sp.engineid attribute that the custom engine needs to send to the Oracle Identity Federation server after authenticating the user.

7.5.3 Reconfiguring Oracle Single Sign-On Server After Upgrade to Work with Oracle Identity Federation 11g

If you are using Oracle Single Sign-On with Oracle Identity Federation 10g, then after you upgrade to Oracle Identity Federation 11g, you must reconfigure Oracle Single Sign-On. This step is necessary because the values required for the SASSOAuthnUrl and SASSOLogoutUrl properties have changed for Oracle Identity Federation 11g. For more information, see "Configuring Single Sign-On" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

7.5.4 About Backwards Compatibility for ShareID Service URLs

Oracle Identity Federation 10g, as well as SHAREid/COREid Federation 2.x, provided service URLs for its SAML 1.x and WS-Federation protocol support that were different from the SAML 2.0 and Liberty 1.x service URLs. These URLs have been modified in the 11g Oracle Identity Federation server for consistency with the SAML 2.0 and Liberty 1.x service URLs. This means that customers who use SAML 1.x or WS-Federation and upgrade to Oracle Identity Federation 11g will need to inform their partner providers of the new single sign-on service URLs.

To ease that transition, Oracle Identity Federation 11g provides a separate module that allows backwards compatibility with the SHAREid service URLs. This module is an installable J2EE application that is deployed alongside Oracle Identity Federation. It handles requests for the ShareID/Oracle Identity Federation 10g service URLs and redirects or forwards them to the corresponding Oracle Identity Federation 11g service URLs. For information on how to set up this application, see "Setting up Backwards Compatibility for Oracle Identity Federation 10g and ShareID service URLs" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

7.5.5 Upgrading Oracle Identity Federation SSL Configuration

If you are using a shareId keystore for SSL support in Oracle Virtual Directory 10g, then the Upgrade Assistant automatically imports the keystore into Oracle Identity Federation 10g. If the SSL identity and trust keystores you use in Oracle Virtual Directory 10g are stored in the following location, then there are no additional tasks to perform:

ORACLE_HOME/fed/shareid/oblix/config/keystore

7-16 Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management

However, if the keystores are stored in any other location, then you must perform the following tasks:

1. Copy the identity and trust keystores to a subdirectory inside the following directory:

WLS_HOME/user_projects/domains/domain_name/servers/server_name/stage/OIF

2. Configure Oracle WebLogic Server to point to the new keystore location, as follows:

a. Log in to the Oracle WebLogic Server Administration Console and select Environment, then Servers.

b. Select the server for which you want to set up SSL.

c. In the Keystores section, select Custom Identity and Custom Trust.

d. In the Identity section, fill in the properties as follows:

Custom Identity Keystore: location_of_keystore_containing_SSL_private_key_and_certificate
Custom Identity Keystore type: jks
Custom Identity Keystore Passphrase: storepassword

e. In the Trust section, fill in properties as follows:

Custom Identity Keystore: location_of_keystore_containing_the_trusted_certificate_entries
Custom Identity Keystore type: jks
Custom Identity Keystore Passphrase: storepassword
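Step 1 of the keystore procedure above can be scripted so that the copy is skipped for the default location, is made with owner-only permissions, and is verified before WebLogic is pointed at it. This is an added example, not Oracle tooling or part of the original guide; the function name `stage_keystore` and the default subdirectory name `keystores` are hypothetical, and the default keystore directory and the stage/OIF directory are passed in as arguments.

```shell
# Added example (not Oracle's tooling): stage an SSL keystore for step 1.
# stage_keystore SRC DEFAULT_DIR STAGE_OIF_DIR [SUBDIR]
#   SRC            keystore file currently used for SSL
#   DEFAULT_DIR    default keystore directory under ORACLE_HOME named in the guide
#   STAGE_OIF_DIR  the server's stage/OIF directory under WLS_HOME
#   SUBDIR         subdirectory to create there (hypothetical default: keystores)
# Prints the path to enter as the keystore location in step 2.
stage_keystore() {
    src=$1 default_dir=$2 stage_oif=$3 subdir=${4:-keystores}
    [ -f "$src" ] || { echo "keystore not found: $src" >&2; return 2; }
    [ -d "$stage_oif" ] || { echo "stage/OIF not found: $stage_oif" >&2; return 2; }

    # Compare physical directories so symlinks or trailing slashes do not mislead.
    src_dir=$(cd "$(dirname "$src")" && pwd -P) || return 2
    if [ -d "$default_dir" ] && [ "$src_dir" = "$(cd "$default_dir" && pwd -P)" ]; then
        printf '%s\n' "$src_dir/$(basename "$src")"   # default location: no copy needed
        return 0
    fi

    dest_dir=$stage_oif/$subdir
    dest=$dest_dir/$(basename "$src")
    (
        umask 077   # the identity keystore holds the SSL private key
        mkdir -p "$dest_dir" && cp "$src" "$dest" && chmod 600 "$dest"
    ) || { echo "copy failed: $dest" >&2; return 1; }

    # Byte-for-byte check before WebLogic is pointed at the copy.
    cmp -s "$src" "$dest" || { echo "copy differs from source: $dest" >&2; return 1; }
    printf '%s\n' "$(cd "$dest_dir" && pwd -P)/$(basename "$src")"
}
```

Run it once for the identity keystore and once for the trust keystore, and use the printed paths in steps 2d and 2e.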

7.5.6 Setting Oracle Identity Federation System Properties After Upgrade

If you configured Oracle Identity Federation 10g by setting system properties, then you will have to manually configure those properties in the upgraded Oracle Identity Federation 11g instance. The Upgrade Assistant does not apply these settings to your 11g instance. Table 7–4 lists the system properties that are not upgraded and explains how to set the equivalent properties in Oracle Identity Federation 11g.

In many cases, the instructions refer to Oracle Enterprise Manager Fusion Middleware Control, the Oracle WebLogic Server Administration Console, or the WebLogic Scripting Tool (WLST), which are used to manage Oracle Fusion Middleware 11g components. For more information, see "Overview of Oracle Fusion Middleware Administration Tools" in the Oracle Fusion Middleware Administrator's Guide.

Note that these properties are documented in Section 9.3, "Managing Oracle Identity Federation Performance," in the Oracle Identity Federation Administrator's Guide for 10g (10.1.4.0.1). This document can be found in the Oracle Application Server 10g (10.1.4.0.1) documentation library on the Oracle Technology Network (OTN): http://www.oracle.com/technology/documentation