■ Configure WS-Federation IdP Properties
■ Configure OpenID IdP Properties

Configuring Oracle Identity Federation 5-21

■ Force User Consent to create new Federated Identity - Check this box to force consent for setting up a new federation.
■ Force User Consent for all Single Sign-On Operations - Check this box to force consent for SSO.
■ Force User Consent for Single Sign-On Operations with attributes exchange - Check this box to prompt the user for consent any time an SSO operation is performed between the Oracle Identity Federation IdP and the RP in which user attributes will be released to the RP. Related fields for this feature:
– Force User Consent Web Context - Contains the Web Context of the OpenID consent page to be used instead of the Oracle Identity Federation OpenID built-in consent page. If filled, it references a user-implemented page on Oracle WebLogic Server.
– Force User Consent Web Path
■ Enable Attribute Exchange AX 1.0 - Check this box to enable the AX extension.
■ Enable PAPE 1.0 - Check this box to enable the PAPE 1.0 extension. With this feature you can specify one or more of:
– US Government Level of Assurance Policy
– PPID Policy
– US Government OpenID Trust Level 1 Policy
– US Government No PII Policy
■ Generic OpenID Service Provider - Oracle Identity Federation lets you define the OpenID RP as:
– a federated partner for which you can define specific settings
– an unknown RP with general attribute mappings
Click Create to define a generic OpenID RP.

5.5 Configuring Service Providers

This section describes how to edit and update the protocol-specific service provider (SP) properties in Oracle Identity Federation. It contains these sub-sections:
■ Configure Service Provider - Common Properties
■ Configure SAML 2.0 SP Properties
■ Configure SAML 1.x SP Properties
■ Configure WS-Federation 1.1 SP Properties
■ Configure OpenID SP Properties

5.5.1 Configure Service Provider - Common Properties

Use this table to configure SP properties common to all protocols.

5-22 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

Assertion Settings
■ Enable Map Assertion to User Account - Check this box if you wish Oracle Identity Federation to map the assertion to a user account. Disable it if you wish to implement a custom SP Engine to do the mapping instead.
■ Anonymous User ID - Enter the User ID that will be passed to the SP engine if the assertion received cannot be mapped to a user account, either because mapping assertions to user accounts is disabled or because the format of the Name ID in the assertion is transient.
■ Ignore Unknown Condition - Check this box to have the service provider ignore any conditions it does not recognize in the assertion sent by the identity provider.
■ Require Signed Assertions - Check this box to require assertions received from identity providers to be signed.

Protocol Settings
■ Default SSO Identity Provider - Select the identity provider to which requests should be sent by default when an SSO operation is initiated and no preferred identity provider is specified.
■ Unsolicited SSO RelayState - When an Oracle Identity Federation SP receives an unsolicited assertion, it sends the user to the relay state specified by the assertion following the SSO operation; if the relay state field in the assertion is empty, it uses the Unsolicited SSO RelayState to redirect the user.
■ Include Signing Certificate in XML Signatures - Check this box to have Oracle Identity Federation include the signing certificate in the signature when signing XML messages.
■ Enable Identity Provider Discovery Service - Oracle Identity Federation provides a service, called the Identity Provider Discovery Service, in which the user is redirected to a custom page where he can select the identity provider with which he wishes to authenticate. Check this box to enable the Identity Provider Discovery Service, and enter the Service URL of the custom page where the user can select the identity provider to be used.
See Also: Section 6.11, Configuring the Identity Provider Discovery Service
■ Enable Common Domain Cookie Service - When an identity federation network contains multiple identity providers, a service provider needs a way to determine the identity providers in use by a principal. This is achieved by using a domain that is common to the IdPs and SPs in the federation network and sending to the user's browser a cookie, written in this domain, that lists all the IdPs where the user is logged in. Such a domain is known as a common domain, and the cookie identifying the IdPs is called a common domain cookie or introduction cookie. Check this box to specify that this SP should read the introduction cookie, and enter the Service URL where Oracle Identity Federation will read the introduction cookie.
See Also: Section 6.10, Configuring the SAML 2.0 IdP Discovery Common Domain Cookie Profile
■ Enable Attribute Requester Service - Check this box to enable this service provider to act as an Attribute Requester.
See Also: Section 5.6.5, Configuring Oracle Identity Federation as an SP Attribute Requester

Configure Attribute Requester Service
■ Default Attribute Authority - Select the attribute authority to which Attribute Queries should be sent by default, when no attribute authority is specified in the request.
■ DN Pattern to Attribute Responder Mappings - Use this table to map user DN patterns to attribute authorities. When sending an attribute query for a given user, Oracle Identity Federation looks at the user's DN, matches it to a pattern in this table, and sends the attribute query to the corresponding attribute authority. If no pattern matches the user's DN, the default attribute authority is used. By default, the DN pattern is case-sensitive, and case is considered when comparing the user DN to the DN pattern. You can make the comparison case-insensitive with the WLST configuration command:
setConfigProperty('dnidpmapping', 'caseinsensitive', 'true', 'boolean')

Note: This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.
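The attribute-authority lookup described under DN Pattern to Attribute Responder Mappings, as an added Python example (not Oracle Identity Federation code): it assumes a pattern matches when it is a DN suffix of the user's DN, that the longest matching pattern wins, and uses constructed placeholder authority URLs; the case_insensitive flag plays the role of the dnidpmapping/caseinsensitive property.

```python
from typing import Dict, List

# Constructed sample table: DN pattern -> attribute authority endpoint.
# Illustrative placeholders, not real OIF configuration.
MAPPINGS: Dict[str, str] = {
    "ou=sales,dc=example,dc=com": "https://aa-sales.example.com/fed/aa",
    "dc=example,dc=com": "https://aa-corp.example.com/fed/aa",
}
DEFAULT_ATTRIBUTE_AUTHORITY = "https://aa-default.example.com/fed/aa"

def parse_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings at unescaped commas (RFC 4514 style);
    a backslash-escaped comma stays inside its RDN, surrounding spaces drop."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns

def dn_matches_pattern(user_dn: str, pattern: str, case_insensitive: bool) -> bool:
    """Assumed rule: a pattern matches when its RDNs are the trailing RDNs of
    the user DN, i.e. the user entry lies in the pattern's subtree."""
    user_rdns, pattern_rdns = parse_dn(user_dn), parse_dn(pattern)
    if case_insensitive:  # what dnidpmapping/caseinsensitive=true switches on
        user_rdns = [r.lower() for r in user_rdns]
        pattern_rdns = [r.lower() for r in pattern_rdns]
    return len(pattern_rdns) <= len(user_rdns) and user_rdns[-len(pattern_rdns):] == pattern_rdns

def select_attribute_authority(user_dn: str, mappings: Dict[str, str],
                               default_authority: str,
                               case_insensitive: bool = False) -> str:
    """Pick the attribute authority for an attribute query about user_dn.
    Assumption: the most specific (longest) matching pattern wins; with no
    match, the default attribute authority is used."""
    best, best_len = None, -1
    for pattern, authority in mappings.items():
        if dn_matches_pattern(user_dn, pattern, case_insensitive):
            depth = len(parse_dn(pattern))
            if depth > best_len:
                best, best_len = authority, depth
    return best if best is not None else default_authority
```

With the default case-sensitive comparison, a DN written as CN=...,OU=...,DC=... falls through to the default authority even though it names the same entry; that is the behaviour the WLST property changes.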