Federation Data Store Data Repositories

– Oracle Directory Server Enterprise Edition: empty
– Microsoft Active Directory: container

Planning Oracle Identity Federation Deployment 2-21

■ Unique Federation ID Attribute. This is the LDAP attribute used to uniquely identify a federation record. It must be defined in the LDAP object class of the Federation Record type, or in one of that class's parents. If it is empty, the default Federation ID attribute is used, and it forms the DN of the Federation Record. Here are examples of the Unique Federation ID Attribute for different types of directory servers:
– Oracle Internet Directory: empty
– Oracle Directory Server Enterprise Edition: empty
– Microsoft Active Directory: empty
■ Maximum Connections. This is the maximum number of concurrent connections made by Oracle Identity Federation to the LDAP server.
■ Connection Wait Timeout. This is the maximum number of seconds to wait for a connection to become available once the maximum number of connections from Oracle Identity Federation to the LDAP server has been reached.

Relationship of User Federation Record Context and LDAP Container Object Class

The User Federation Record Context and LDAP Container Object Class must be compatible. In the User Federation Record Context, the administrator specifies the DN of the container where the federation records will be stored. That DN consists of the parent of the container, which must already exist (for example dc=us,dc=oracle,dc=com), and an attribute of the Federation Record Context that is part of its object class (for example cn=orclfed). An example of such a DN is cn=orclfed,dc=us,dc=oracle,dc=com. The requirement for that example is that cn must be an attribute of the object class set in the LDAP Container Object Class field (or of the applicationprocess object class, if the field is not set).
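The compatibility rule just described, as an added Python example that is not part of the Oracle documentation: it splits the User Federation Record Context DN into RDNs, takes the leftmost RDN's attribute type, and checks it against the required attributes of the configured LDAP Container Object Class (defaulting to applicationprocess when the field is unset). The object-class table is a small constructed subset of the standard RFC 4519 schema, not read from a directory.

```python
import re

# Default container class the page names when the field is left unset.
DEFAULT_CONTAINER_CLASS = "applicationprocess"

# Constructed subset of the standard LDAP schema (RFC 4519): structural
# object class -> its required (MUST) attributes, all lower-cased.
REQUIRED_ATTRS = {
    "applicationprocess": {"cn"},
    "organizationalunit": {"ou"},
    "organization": {"o"},
}


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not backslash-escaped."""
    parts = [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]
    if not parts:
        raise ValueError("empty DN")
    return parts


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN, e.g. 'cn' for cn=orclfed,dc=us,dc=oracle,dc=com."""
    first = split_dn(dn)[0]
    if "=" not in first:
        raise ValueError("malformed RDN: %r" % first)
    return first.split("=", 1)[0].strip().lower()


def parent_dn(dn):
    """The parent entry, which the page says must already exist in the directory."""
    return ",".join(split_dn(dn)[1:])


def check_record_context(dn, container_object_class=None):
    """Return (ok, message) for a Record Context DN / Container Object Class pair."""
    oc = (container_object_class or DEFAULT_CONTAINER_CLASS).lower()
    attr = rdn_attribute(dn)
    if oc not in REQUIRED_ATTRS:
        return False, "object class %s is not in the local schema table" % oc
    if attr not in REQUIRED_ATTRS[oc]:
        return False, "RDN attribute %s of %s is not defined by object class %s" % (attr, dn, oc)
    return True, "ok: %s container under existing parent %s" % (attr, parent_dn(dn))


if __name__ == "__main__":
    for dn, oc in [("cn=orclfed,dc=us,dc=oracle,dc=com", None),
                   ("ou=fed,dc=us,dc=oracle,dc=com", None),
                   ("ou=fed,dc=us,dc=oracle,dc=com", "organizationalUnit")]:
        print(dn, oc, check_record_context(dn, oc))
```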
If the administrator chooses a DN for the Federation Record Context such as ou=fed,dc=us,dc=oracle,dc=com, she must set the LDAP Container Object Class field to an object class that has ou as an attribute, such as organizationalUnit. To summarize, the User Federation Record Context references the LDAP container entry under which federation records are stored, and the attribute used in the container's DN must be defined in the LDAP Container Object Class. For example, if the DN is ou=fed,dc=us,dc=oracle,dc=com, then the LDAP Container Object Class must define the ou attribute; if the DN is cn=fed,dc=us,dc=oracle,dc=com, then the LDAP Container Object Class must define the cn attribute.

A Note About the LDAP Schema

The LDAP schema must be upgraded to include the attributes and object classes defined by Oracle Identity Federation before the federation server can create records in the LDAP server. Upgrade the LDAP schema either at installation time, with the Advanced Installation mode, or after installation.

Upgrade Schema at Installation

2-22 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

To perform the upgrade at installation time, take these steps:
1. Choose the Advanced Installation mode.
2. On the Select Configuration Options page, check the Federation Data in LDAP Server box. This indicates that the federation records will be stored in an LDAP server whose schema must be upgraded.
3. On the Specify Federation Data Store page, enter the LDAP connection information.
The schema is then upgraded as part of the installation process.

Post-Installation Schema Upgrade

To perform the upgrade after installation, use the LDIF files included in the Oracle Identity Federation installation; apply them with the ldapmodify tool to upgrade the schema of the LDAP server.
The LDIF file to use depends on the type of LDAP server used:
■ Oracle_Home/fed/setup/ldap/userFedSchemaOid.ldif if you use Oracle Internet Directory
■ Oracle_Home/fed/setup/ldap/userFedSchemaSunOne5.ldif if you use Oracle Directory Server Enterprise Edition 5.x
■ Oracle_Home/fed/setup/ldap/userFedSchemaSunOne6.ldif if you use Oracle Directory Server Enterprise Edition 6.x
■ Oracle_Home/fed/setup/ldap/userFedSchemaAD.ldif if you use Microsoft Active Directory Server. In this case, you must edit the LDIF file to replace the string DOMAIN_DN with your Active Directory domain suffix. An example suffix is dc=mydomain,dc=mycompany,dc=com.
■ Oracle_Home/fed/setup/ldap/userFedSchemaTivoli.ldif if you use the IBM Tivoli Directory Server (IBM TDS 6.0)
Using ldapmodify, you can upgrade the LDAP schema with the LDIF file. For example:
ldapmodify -c -D BIND_DN_USERNAME -w PASSWORD -f Oracle_Home/fed/setup/ldap/userFedSchemaOid.ldif -h LDAP_HOSTNAME -p LDAP_PORT -x
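The post-installation steps above as an added Python example (not Oracle's installer or scripts): select the LDIF file for the directory type, substitute DOMAIN_DN for Active Directory, and assemble the ldapmodify command line the page shows. The directory-type labels and the two-entry LDIF snippet are constructed for this example, and nothing is executed.

```python
# Directory-type labels are this example's own; file names are those the page lists.
SCHEMA_LDIF = {
    "oid": "userFedSchemaOid.ldif",         # Oracle Internet Directory
    "odsee5": "userFedSchemaSunOne5.ldif",  # Oracle Directory Server EE 5.x
    "odsee6": "userFedSchemaSunOne6.ldif",  # Oracle Directory Server EE 6.x
    "ad": "userFedSchemaAD.ldif",           # Microsoft Active Directory
    "tivoli": "userFedSchemaTivoli.ldif",   # IBM Tivoli Directory Server 6.0
}


def schema_ldif_path(oracle_home, directory_type):
    """Path of the schema-upgrade LDIF under Oracle_Home/fed/setup/ldap."""
    try:
        name = SCHEMA_LDIF[directory_type]
    except KeyError:
        raise ValueError("unsupported directory type: %s" % directory_type)
    return "%s/fed/setup/ldap/%s" % (oracle_home.rstrip("/"), name)


def prepare_ad_ldif(ldif_text, domain_dn):
    """Replace DOMAIN_DN with the AD domain suffix; return (text, replacement count)."""
    if not domain_dn.lower().startswith("dc="):
        raise ValueError("domain suffix should look like dc=mydomain,dc=mycompany,dc=com")
    count = ldif_text.count("DOMAIN_DN")
    if count == 0:
        raise ValueError("no DOMAIN_DN placeholder found; is this the AD LDIF?")
    return ldif_text.replace("DOMAIN_DN", domain_dn), count


def ldapmodify_argv(ldif_path, bind_dn, password, host, port):
    """argv for the invocation on the page (-c continues past per-entry errors).
    -w exposes the password in the process list; kept because the page uses it."""
    return ["ldapmodify", "-c", "-D", bind_dn, "-w", password,
            "-f", ldif_path, "-h", host, "-p", str(port), "-x"]


# Constructed stand-in for the AD LDIF, not the real file's content.
SAMPLE_AD_LDIF = (
    "dn: cn=exampleAttr,cn=Schema,cn=Configuration,DOMAIN_DN\n"
    "changetype: add\n\n"
    "dn: cn=exampleClass,cn=Schema,cn=Configuration,DOMAIN_DN\n"
    "changetype: add\n"
)

if __name__ == "__main__":
    text, n = prepare_ad_ldif(SAMPLE_AD_LDIF, "dc=mydomain,dc=mycompany,dc=com")
    print(n, "placeholders replaced")
    print(" ".join(ldapmodify_argv(schema_ldif_path("/opt/oracle", "ad"),
                                   "cn=orcladmin", "PASSWORD", "ldap.example.com", 389)))
```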

2.4.2 User Data Store

You must select a data repository for the user data store. Oracle Identity Federation works with industry-standard repositories including:
■ LDAP (Oracle Internet Directory, Sun Java System Directory Server, and Microsoft Active Directory)
■ RDBMS
The role played by the data repository depends on whether Oracle Identity Federation will be configured as an identity provider (IdP) or a service provider (SP):
■ As an IdP, Oracle Identity Federation uses the repository to verify user identities and to build protocol assertions.
■ As an SP:
– Oracle Identity Federation uses the repository to map information in received assertions to user identities at the destination, and subsequently to authorize users for access to protected resources.
– When creating a new federation, Oracle Identity Federation uses the repository to identify the user and link the new federation to that user's account.

Connection Information for LDAP Repositories

Collect the following information about the repository prior to installing Oracle Identity Federation:
■ Connection URL - space-delimited list of LDAP URLs
■ Bind DN
■ Password
■ User ID Attribute - the attribute name used to map users during lookups or authentication procedures. Here are examples of the User ID Attribute for different types of directory servers:
– Oracle Internet Directory: uid
– Oracle Directory Server Enterprise Edition: uid
– Microsoft Active Directory: sAMAccountName
■ User Description Attribute - the user attribute used as a human-readable federation owner identifier. This information is stored in the federation record.
Here are examples of the User Description Attribute for different types of directory servers:
– Oracle Internet Directory: uid
– Oracle Directory Server Enterprise Edition: uid
– Microsoft Active Directory: sAMAccountName
■ Person Object Class - the LDAP object class representing a user in the LDAP server. Here are examples of the Person Object Class for different types of directory servers:
– Oracle Internet Directory: inetOrgPerson
– Oracle Directory Server Enterprise Edition: inetOrgPerson
– Microsoft Active Directory: user
■ Base DN - the node under which the LDAP user search will be performed. For example: dc=us,dc=oracle,dc=com
■ Maximum Connections - the maximum number of concurrent connections made by Oracle Identity Federation to the LDAP server
■ Connection Wait Timeout - the maximum number of seconds to wait for a connection to become available once the maximum number of connections from Oracle Identity Federation to the LDAP server has been reached
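As an added Python example (not Oracle Identity Federation's own code), how the User ID Attribute, Person Object Class and Base DN above combine into a user lookup, using the page's per-directory examples; the search shape and the single-match rule are this example's assumptions about a typical lookup, not OIF's exact query. The user-supplied ID is escaped per RFC 4515 so it cannot change the filter's structure.

```python
# Per-directory examples of User ID Attribute and Person Object Class from the page;
# the short labels are this example's own.
USER_STORE_EXAMPLES = {
    "oid":   {"user_id_attr": "uid", "person_class": "inetOrgPerson"},
    "odsee": {"user_id_attr": "uid", "person_class": "inetOrgPerson"},
    "ad":    {"user_id_attr": "sAMAccountName", "person_class": "user"},
}

# RFC 4515 escapes for the characters that would otherwise alter a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search(directory_type, base_dn, user_id):
    """(base, scope, filter) for locating one user in the configured User Data Store."""
    cfg = USER_STORE_EXAMPLES[directory_type]
    search_filter = "(&(objectClass=%s)(%s=%s))" % (
        cfg["person_class"], cfg["user_id_attr"], escape_filter_value(user_id))
    return base_dn, "subtree", search_filter


def unique_match(entries):
    """Accept exactly one matching entry; no match or an ambiguous match fails the lookup."""
    if len(entries) != 1:
        raise LookupError("expected exactly one user entry, got %d" % len(entries))
    return entries[0]


if __name__ == "__main__":
    base = "dc=us,dc=oracle,dc=com"
    print(user_search("ad", base, "jdoe"))
    # A crafted ID stays inside its own assertion value instead of rewriting the filter.
    print(user_search("oid", base, "*)(uid=*"))
```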