Remote and Local Users

5-36 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

For example: https://fed1.company.com:7499/fed/ar/soap

– Local - if true, the matching users are local and an Attribute Requester Service is not used. If true, the URL parameter is ignored.

– DN - one or more elements specifying a DN pattern to match against the user Subject DN; the pattern is simply the right-most components of the DN. For example: O=PeerA,C=US

■ Attribute query properties - The RequestFormat parameter determines the attributes and values returned in an attribute response. RequestFormat overrides authorization rules; for example, if an authorization rule specifies both attributes and values, but RequestFormat specifies names, the query omits values. RequestFormat can be specified with these options:

– RequestFormat=values
The AttributeQuery contains attribute names and values taken from the authorization rule's ruleExpression. The Attribute Responder returns only the user attributes and values that are in the AttributeQuery. This is the default setting. This setting minimizes the amount of memory used for cached attribute values (values are only requested when needed for authorization), at the cost of more frequent attribute requests.

– RequestFormat=names
The AttributeQuery contains attribute names, but not values, taken from the ruleExpression. The Attribute Responder returns all the user's values for the named attributes, subject to any Responder policies controlling access to the attributes' values. This setting provides a trade-off between cache memory usage and attribute requests that is somewhere between the values and all settings.
Note: With this setting, the AttributeQuery does not disclose to the IdP what attribute values are required for authorization; for security reasons, this might be preferred over the values setting.

– RequestFormat=all
The AttributeQuery does not contain any attribute names or values. The Attribute Responder returns all the attributes and values for the user, subject to any Responder policies controlling access to the attributes' values. This setting minimizes the number of attribute requests (only one request per user), at the cost of more memory used for caching attribute values before they are used (and which may never be used for authorization). This setting works best when the Attribute Responder policies have been reasonably configured to return only attributes that the SP might want.
Note: With this setting, the AttributeQuery does not disclose to the IdP what attributes are required for authorization; for security reasons, you may prefer this over the values and names settings.

As illustrated in the sample config.xml file, the RequestFormat parameter can appear in the Config element, where it sets the default request format, and in the Mapping elements, where it sets the request format for subject DNs covered by the mappings.

Mapping Examples for the Sample Configuration

Here are some mapping examples for the sample config.xml configuration file shown earlier.
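Before those examples, the following added illustration (not Oracle Identity Federation code, and not from the guide) models the mapping and RequestFormat behaviour described above: a subject DN is matched against the right-most components of a mapping's DN pattern, Local mappings make no attribute request, a Mapping-level RequestFormat overrides the Config default, and the three settings determine what the AttributeQuery discloses to the IdP. The Mapping and Config classes, the second endpoint hostname, the DN patterns and the ruleExpression contents are constructed for the example; only the fed1 URL and the O=PeerA,C=US pattern come from the guide. Treating an unmatched DN as an error is also an assumption.

```python
# Added illustration of the mapping and RequestFormat semantics described above.
# This is not Oracle Identity Federation code; it models the behaviour the guide
# describes so the trade-offs between the three RequestFormat settings are visible.
from dataclasses import dataclass, field
from typing import Optional


def dn_components(dn: str) -> list[str]:
    """Split a DN into normalised 'TYPE=value' components, left to right.
    Simplification (assumption): escaped commas inside values are not handled."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().upper()}={value.strip()}")
    return parts


def dn_matches(pattern: str, subject_dn: str) -> bool:
    """True when the pattern equals the right-most components of subject_dn.
    Comparing whole components (not a string suffix) keeps 'O=PeerA,C=US'
    from also matching a subject under 'O=NotPeerA,C=US'."""
    pat = dn_components(pattern)
    subj = dn_components(subject_dn)
    return 0 < len(pat) <= len(subj) and subj[-len(pat):] == pat


@dataclass
class Mapping:
    dn_patterns: list[str]                 # the DN elements of the mapping
    url: Optional[str] = None              # Attribute Requester Service endpoint
    local: bool = False                    # Local=true: no attribute request, URL ignored
    request_format: Optional[str] = None   # RequestFormat override for this mapping


@dataclass
class Config:
    request_format: str = "values"         # default RequestFormat from the Config element
    mappings: list[Mapping] = field(default_factory=list)


def resolve_mapping(cfg: Config, subject_dn: str) -> Mapping:
    """Return the first Mapping whose DN pattern matches the subject DN.
    Assumption: an unmatched DN is an error rather than implicitly local."""
    for m in cfg.mappings:
        if any(dn_matches(p, subject_dn) for p in m.dn_patterns):
            return m
    raise LookupError(f"no mapping for {subject_dn!r}")


def build_attribute_query(cfg: Config, subject_dn: str,
                          rule_attrs: dict[str, set[str]]) -> Optional[dict]:
    """Model what the AttributeQuery sent to the IdP would carry.

    rule_attrs is the attribute -> values content of the authorization
    rule's ruleExpression. Returns None for local users (no request made)."""
    m = resolve_mapping(cfg, subject_dn)
    if m.local:
        return None
    fmt = m.request_format or cfg.request_format
    if fmt == "values":        # names and values: IdP learns what authorization needs
        query = {a: sorted(v) for a, v in rule_attrs.items()}
    elif fmt == "names":       # names only: IdP learns which attributes, not the values
        query = {a: [] for a in rule_attrs}
    elif fmt == "all":         # nothing: IdP learns neither; Responder policy limits the reply
        query = {}
    else:
        raise ValueError(f"unsupported RequestFormat {fmt!r}")
    return {"url": m.url, "format": fmt, "query": query}


# Constructed sample configuration (the fed2 hostname and the patterns other than
# O=PeerA,C=US are made up for this example).
SAMPLE_CONFIG = Config(
    request_format="values",
    mappings=[
        Mapping(dn_patterns=["O=Company,C=US"], local=True),
        Mapping(dn_patterns=["O=PeerA,C=US"],
                url="https://fed1.company.com:7499/fed/ar/soap",
                request_format="names"),
        Mapping(dn_patterns=["O=PeerB,C=US"],
                url="https://fed2.example.com:7499/fed/ar/soap"),
    ],
)

# Constructed ruleExpression content: the authorization rule needs these values.
RULE_ATTRS = {"role": {"admin", "auditor"}, "department": {"finance"}}

if __name__ == "__main__":
    for dn in ("CN=alice,OU=Eng,O=PeerA,C=US",
               "CN=bob,O=PeerB,C=US",
               "CN=carol,O=Company,C=US"):
        print(dn, "->", build_attribute_query(SAMPLE_CONFIG, dn, RULE_ATTRS))
```

Running the block prints one line per constructed user: the PeerA user's query carries only attribute names (the mapping's RequestFormat=names override), the PeerB user's query carries names and values (the Config default), and the Company user produces no query at all because the mapping is Local. Switching the Config default to all empties the query, which is the setting under which the IdP learns nothing about the authorization rule and the Responder's policies alone bound what comes back.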