Requirements Architecture and Flows

10-12 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

When Oracle Identity Federation receives an SSO assertion, processes it, and requests that the user be locally authenticated because the server was not able to map the assertion to a local user, the Map contains this data from the assertion:
– orafed-nameid-value – the user's Name ID value
– orafed-nameid-qualifier – the user's Name ID qualifier
– orafed-nameid-format – the user's Name ID format
– orafed-providerid – the IdP's ProviderID
– orafed-assertionid – the ID of the assertion
– orafed-xmlmessage – the optional XML message containing the assertion. See Section 6.13.2, "Providing XML Message to SP Engine after SSO Completes", for details.
These values describe the remote identity asserted by the IdP. Because the forward happens precisely when that identity could not be mapped to a local user, the engine must authenticate the user with local credentials and must not derive the local user identifier from the orafed-* values.
■ Optionally, a String containing the Oracle Identity Federation session identifier, identified by oracle.security.fed.sessionid, if the user already has an active session. Oracle Identity Federation passes the sessionID of the existing user session, if one exists, to the authentication engine so that the engine can persist state linked to the user and reference that data by the sessionID value. Later, when the logout flow is executed, Oracle Identity Federation passes the sessionID being logged out to the engine so that the engine can delete the data that was used for this user session.
After successful authentication, the engine must forward the user to the federation server, with the rootContext of the federation engine being /fed and the relativePath /user/loginsso.
Oracle Identity Federation expects this data when processing the internal forward:
■ The identifier of the user, as a String identified by oracle.security.fed.authn.userid
■ The authentication time, as a Date object identified by oracle.security.fed.authn.authntime
■ The expiration time of the authenticated session, as a Date object identified by oracle.security.fed.authn.expirationtime
■ The authentication mechanism used to identify the user, as a String identified by oracle.security.fed.authn.authnmech
■ The identifier referencing the action that was being performed, taken from the request and identified by oracle.security.fed.authn.refid
■ The identifier referencing the engine used to authenticate the user, identified by oracle.security.fed.authn.engineid
■ Optionally, a Map of attributes to be stored in the user session. This map has String objects as keys and sets of objects as values, and is identified by oracle.security.fed.authn.attributes. See Also: Section 5.9.2.1, "Configuring Attribute Name Mapping".
■ Optionally, a String containing the Oracle Identity Federation session identifier that Oracle Identity Federation will use to reference the Oracle Identity Federation user session. This allows the engine and Oracle Identity Federation to share the same identifier for the user session. Later on, when the logout flow is being executed, Oracle Identity Federation will pass the sessionID that is
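The following servlet is an added example, not code from Oracle's guide or from the Oracle Identity Federation product. It shows one complete round trip: reading what Oracle Identity Federation passes on the forward to a custom authentication engine, authenticating the user locally, setting every attribute listed above, and forwarding back to /fed/user/loginsso. Assumptions that this page does not state: the inbound assertion Map is read from the request attribute oracle.security.fed.authn.attributes; the outbound session identifier reuses the inbound name oracle.security.fed.sessionid; the engine id "local-engine", the mechanism string, the eight-hour lifetime, the form field names and the in-memory credential store are all constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Illustrative custom authentication engine for Oracle Identity Federation (example code). */
public class LocalAuthnEngineServlet extends HttpServlet {

    // Attribute names used on the internal forward, as listed in the guide.
    static final String USERID    = "oracle.security.fed.authn.userid";
    static final String AUTHNTIME = "oracle.security.fed.authn.authntime";
    static final String EXPTIME   = "oracle.security.fed.authn.expirationtime";
    static final String AUTHNMECH = "oracle.security.fed.authn.authnmech";
    static final String REFID     = "oracle.security.fed.authn.refid";
    static final String ENGINEID  = "oracle.security.fed.authn.engineid";
    static final String ATTRS     = "oracle.security.fed.authn.attributes";
    static final String SESSIONID = "oracle.security.fed.sessionid";

    // Assumed values: the engine id configured in OIF, the mechanism name, the session lifetime.
    static final String MY_ENGINE_ID = "local-engine";
    static final String MECHANISM    = "oracle:fed:authentication:password-protected";
    static final long   LIFETIME_MS  = 8L * 60 * 60 * 1000;

    // Constructed credential store for the example; a real engine queries LDAP or a database.
    private static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", "correct horse battery staple"); }

    // Engine state keyed by the OIF session id; removed again when OIF drives the logout flow.
    private static final Map<String, Map<String, Object>> STATE = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Data OIF placed on the request when it forwarded the user to this engine.
        String refId     = (String) req.getAttribute(REFID);
        String sessionId = (String) req.getAttribute(SESSIONID);     // null when no session exists yet
        @SuppressWarnings("unchecked")
        Map<String, Object> assertion = (Map<String, Object>) req.getAttribute(ATTRS); // assumed key
        if (refId == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing refid");
            return;
        }

        // The orafed-* values identify the remote federated identity that OIF could not map.
        // They are recorded for linking but never used as the local identity.
        String remoteNameId = assertion == null ? null : (String) assertion.get("orafed-nameid-value");

        // Local authentication against the credential store (constant-time password comparison).
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        String expected = user == null ? null : USERS.get(user);
        if (pass == null || expected == null || !MessageDigest.isEqual(
                pass.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "local authentication failed");
            return;
        }

        Date now = new Date();
        Date expires = new Date(now.getTime() + LIFETIME_MS);

        // Attributes stored in the OIF user session: String keys, Set values.
        Map<String, Set<Object>> attrs = new HashMap<>();
        if (remoteNameId != null) {
            attrs.put("linked-remote-nameid", new HashSet<Object>(Collections.singleton(remoteNameId)));
        }

        // Share the existing OIF session id so both sides reference the same session and
        // the state can be deleted on logout; if none exists, leave it unset and let OIF allocate one.
        if (sessionId != null) {
            Map<String, Object> st = new HashMap<>();
            st.put("user", user);
            st.put("authntime", now);
            STATE.put(sessionId, st);
            req.setAttribute(SESSIONID, sessionId);
        }

        req.setAttribute(USERID, user);
        req.setAttribute(AUTHNTIME, now);        // java.util.Date, as the guide requires
        req.setAttribute(EXPTIME, expires);      // java.util.Date
        req.setAttribute(AUTHNMECH, MECHANISM);
        req.setAttribute(REFID, refId);          // echoed back from the request
        req.setAttribute(ENGINEID, MY_ENGINE_ID);
        req.setAttribute(ATTRS, attrs);

        // Cross-context forward to the federation server: root context /fed, relative path /user/loginsso.
        ServletContext fed = getServletContext().getContext("/fed");
        if (fed == null) {
            throw new ServletException("cross-context dispatch to /fed is not available");
        }
        RequestDispatcher rd = fed.getRequestDispatcher("/user/loginsso");
        rd.forward(req, resp);
    }

    /** Invoked from the engine's logout handling with the session id OIF passes during logout. */
    static void deleteSessionState(String sessionId) {
        if (sessionId != null) {
            STATE.remove(sessionId);
        }
    }
}
```

The cross-context getContext("/fed") call only succeeds when the engine web application is deployed on the same server as the federation application and the container permits cross-context dispatch; a null return here should be treated as a deployment error rather than silently redirecting the browser, since the attributes set on the request would not survive a redirect.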