7-8 Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management ■ Using a Custom Authentication Engine or Custom SP Engine with Oracle Identity Federation 11g ■ Reconfiguring Oracle Single Sign-On Server After Upgrade to Work with Oracle Identity Federation 11g ■ About Backwards Compatibility for ShareID Service URLs ■ Upgrading Oracle Identity Federation SSL Configuration ■ Setting Oracle Identity Federation System Properties After Upgrade ■ Updating the Configuration File ■ Additional Oracle Identity Federation Post-Upgrade Tasks

7.5.1 Integrating Oracle Identity Federation 11g with Oracle Access Manager 10g

If you were previously using Oracle Identity Federation 10g with Oracle Access Manager, you can use the following procedure to configure Oracle Identity Federation 11g so it can work successfully with your existing Oracle Access Manager 10g software. Note that the steps described here are based on the instructions available in the section, Deploying Oracle Identity Federation with Oracle Access Manager in the Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation. To use Oracle Identity Federation 11g with Oracle Access Manager 10g: 1. Upgrade to Oracle Identity Federation 11g using the instructions in the previous sections of this chapter. Specifically, be sure you have installed and configured Oracle Identity Federation 11g and that you have used the Upgrade Assistant to upgrade the Oracle Identity Federation instance to 11g. 2. Optionally, use Oracle Access Manager 10g as the authentication engine for Oracle Identity Federation 11g. For specific instructions, refer to Integrate Oracle Access Manager as an Authentication Engine in the Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation. 3. Optionally, integrate Oracle Access Manager 10g as an SP integration module. For specific instructions, refer to Integrate Oracle Access Manager as an SP Integration Module in the Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation. 4. Optionally, configure Oracle Access Manager 10g so that protected resources are using the new Oracle Identity Federation 11g authentication schemes. To perform this task, use the instructions that help you verify the proper integration of Oracle Access Manager by allowing Oracle Identity Federation 11g to create policy objects and authentication schemes in Oracle Access Manager. These instructions are located in the section, Integrate Oracle Identity Federation with Oracle Access Manager in the Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation. 5. When the integration with Oracle Access Manager is complete, delete any old access gates, authentication schemes, and policies for Oracle Identity Federation 10g from Oracle Access Manager 10g. Upgrading Your Oracle Identity Federation Environment 7-9 For more information, refer to the Oracle Access Manager documentation in the Oracle Identity Management 10g 10.1.4.0.1 documentation library, which is available on the Oracle Technology Network OTN: http:www.oracle.comtechnologydocumentation

7.5.2 Using a Custom Authentication Engine or Custom SP Engine with Oracle Identity Federation 11g

If your Oracle Identity Federation 10g instance is integrated with a custom authentication engine, then use the information in the following sections to configure the custom authentication engine with Oracle Identity Federation 11g: ■ Modifying the Authentication Engine Code ■ Modifying the SP Engine Code ■ Changes to the Logout Service for Authentication or SP Engines ■ Deploying the Authentication or SP Engine ■ Creating the Authentication Engine in Oracle Identity Federation 11g ■ Creating the SP Engine in Oracle Identity Federation 11g

7.5.2.1 Modifying the Authentication Engine Code

The HTTPServletRequestAttributes available to the authentication engines Oracle Identity Federation 11g are different from those in 10g. As a result, you must modify the authentication engine code so it can read the attribute values from their new parameter names. Refer to the following sections for more information: ■ Changes to Parameters and Attributes Received by Oracle Identity Federation 11g ■ New Incoming Attributes Supported by Oracle Identity Federation 11g ■ Changes to Parameters and Attributes Sent to Oracle Identity Federation 11g ■ Additional Attributes to Include in a Request to Oracle Identity Federation 11g Changes to Parameters and Attributes Received by Oracle Identity Federation 11g Table 7–2 shows the new and changed parameters used for authentication engines in Oracle Identity Federation 11g. Table 7–2 Parameters and Attributes received from Oracle Identity Federation Parameter or Attribute Changes in Oracle Identity Federation 11g doneURL getUsrSess These query parameters are not available in 11g. In 11g, there is no need to consult these parameters to find where the user has to be forwarded after being identified by the authentication engine. In 11g, after successful authentication, the engine must forward the user to Oracle Identity Federation. To do this use the root context, fed, and the relativePath, userloginsso.