Configuring Audience Restrictions for Assertions

6-48 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

the spsaml10, spsaml11 or spsaml20 groups to the custom value that Oracle Identity Federation uses during the validation of the AudienceRestrictionCondition when processing a SAML 1.0, SAML 1.1 or SAML 2.0 assertion respectively:

setConfigProperty('spsaml11', 'audiencerestrictionvalue', 'someglobalvalue', 'string')

If you set audiencerestrictionvalue to the empty string, Oracle Identity Federation/SP validates the AudienceRestrictionCondition element as shown above.

To configure Oracle Identity Federation to use a specific Audience value when generating/validating the AudienceRestrictionCondition for a specific trusted provider, enter the WLST script environment for the Oracle Identity Federation instance and set the audiencerestrictionvalue string property for the trusted provider referenced by REMOTE_PROVIDER_ID to the custom string used to generate and validate the condition when creating and processing an assertion:

setFederationProperty('REMOTE_PROVIDER_ID', 'audiencerestrictionvalue', 'customvalue', 'string')

If you set audiencerestrictionvalue to the empty string, Oracle Identity Federation/SP populates/validates the AudienceRestrictionCondition element as shown above.
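The check the SP performs on the AudienceRestrictionCondition is what stops an assertion issued for one service provider from being accepted by another. The following added example (not Oracle Identity Federation code) shows that check in Python for both the SAML 1.x and SAML 2.0 element names: the expected audience is the SP's own provider ID unless a non-empty audiencerestrictionvalue overrides it, exactly as the guide describes. The two sample assertions, the provider IDs and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# SAML 1.0 and 1.1 share the 1.0 assertion namespace; SAML 2.0 has its own.
SAML_NS = {
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample assertions (not captured from a real deployment); signatures
# and other conditions are omitted because only the audience check is shown here.
SAML2_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/fed/idp</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/fed/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SAML11_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="c2"
    Issuer="https://idp.example.org/fed/idp" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Conditions>
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:example:custom-audience</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def expected_audience(own_provider_id, audiencerestrictionvalue=""):
    """Value the SP expects to find in the Audience element.

    Mirrors the guide's rule: an empty audiencerestrictionvalue means the
    default (the SP's own provider ID); a non-empty value overrides it.
    """
    return audiencerestrictionvalue or own_provider_id


def audience_restrictions(assertion_xml):
    """Return one set of audience strings per restriction element found."""
    root = ET.fromstring(assertion_xml)
    result = []
    for ns in SAML_NS.values():
        # SAML 1.x names the element AudienceRestrictionCondition,
        # SAML 2.0 names it AudienceRestriction.
        for tag in ("AudienceRestrictionCondition", "AudienceRestriction"):
            for restriction in root.iter("{%s}%s" % (ns, tag)):
                audiences = {(a.text or "").strip()
                             for a in restriction.iter("{%s}Audience" % ns)}
                result.append(audiences)
    return result


def audience_restriction_ok(assertion_xml, own_provider_id, audiencerestrictionvalue=""):
    """True if every restriction element in the assertion names this SP.

    Several restriction elements are ANDed (all must be satisfied); inside one
    element the SP only needs to match one of the listed audiences. An
    assertion with no restriction element carries no audience condition and
    passes this particular check (signature and validity window are checked
    elsewhere).
    """
    expected = expected_audience(own_provider_id, audiencerestrictionvalue)
    return all(expected in auds for auds in audience_restrictions(assertion_xml))


if __name__ == "__main__":
    me = "https://sp.example.com/fed/sp"
    print(audience_restriction_ok(SAML2_ASSERTION, me))                 # True
    print(audience_restriction_ok(SAML2_ASSERTION, "https://other.example.net/fed/sp"))  # False
    print(audience_restriction_ok(SAML11_ASSERTION, me, "urn:example:custom-audience"))   # True
```

The third call shows the effect of a custom audiencerestrictionvalue: the SAML 1.1 assertion names a custom audience, so it is rejected under the default rule and accepted only when the SP is configured with that same string.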

6.22 Certificate Path Validation

Oracle Identity Federation provides a certificate validation module, described in Section 5.10.3, Security and Trust - Trusted CAs and CRLs, that validates any certificate used for XML digital signature verification against the certificates of the Trusted CAs and the CRLs uploaded by the administrator. The module integrates with the JRE CertPathValidation API to validate certificates using the default CertPathValidation module configured in the JVM. When the default CertPathValidation module is the Sun implementation, Oracle Identity Federation can leverage the Online Certificate Status Protocol (OCSP) and CRL Distribution Point (CDP) features provided by the Sun module.

You manage the certificate validation flow using the following properties:

■ In Fusion Middleware Control, navigate to the Oracle Identity Federation server instance, then Security and Trust, then the Trusted CAs and CRLs section:
  – Checking the Enable Certificate Validation box enables certificate validation in Oracle Identity Federation.
  – The Trusted Certificate Authorities table lists all the known and trusted certificates of the CAs.
  – The Certificate Revocation Lists table contains the CRLs used to check the revocation status of certificates.

■ The certpathvalidationenabled boolean property in the serverconfig configuration group determines the validation module to be used:
  – false means that Oracle Identity Federation's internal certificate validation module is used, based on the Trusted Certificate Authorities and Certificate Revocation Lists tables.
  – true means that the JRE CertPathValidation module is used. This module is bootstrapped with the contents of the Trusted Certificate Authorities table, which serve as the basis for the trusted CAs.

■ The certpathvalidationcrlenabled boolean property in the serverconfig configuration group indicates whether the JRE CertPathValidation module should check for certificate revocation using the CRLs listed in the Certificate Revocation Lists table:
  – false disables CRL validation in the JRE CertPathValidation module.
  – true enables CRL validation in the JRE CertPathValidation module.

■ The certpathvalidationocspenabled boolean property in the serverconfig configuration group indicates whether the OCSP plugin of the Sun CertPathValidation implementation is enabled:
  – false disables OCSP validation.
  – true enables OCSP validation.

  Notes:
  ■ certpathvalidationcrlenabled must be set to true to enable the OCSP plugin.
  ■ The Sun CertPathValidation module performs OCSP validation first and, if the operation is inconclusive, it performs a CRL revocation check operation.

■ The certpathvalidationocspurl string property in the serverconfig configuration group contains the URL of the OCSP server to which the Sun CertPathValidation module sends the request for validation.

  Note: To enable the OCSP functionality, set the certpathvalidationocspenabled boolean property to true.

■ The certpathvalidationocspcertsubject string property in the serverconfig configuration group contains the subject name of the OCSP server's certificate.

  Notes:
  ■ The matching certificate must also be added to the Oracle Identity Federation trusted CA certificate store.
  ■ Ensure the OCSP functionality is enabled with the certpathvalidationocspenabled boolean property set to true.

■ The certpathvalidationcdpenabled boolean property in the serverconfig configuration group indicates whether the Sun CertPathValidation module will use CDP extensions when performing a CRL revocation check operation.

If the OCSP module is enabled, Oracle Identity Federation sets the following Java Security properties in the JVM:
■ ocsp.enable is set to true
■ ocsp.responderURL is set to the OCSP server's URL
■ ocsp.responderCertSubjectName is set to the subject name of the OCSP server's certificate

If the CDP functionality is enabled, the com.sun.security.enableCRLDP Java system property is set to true.

See Also: The Java PKI Programmer's Guide for more detail on these system properties: http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC

Note: For the OCSP and CDP features to be enabled, it is important to set the default CertPathValidation module to the Sun implementation (true by default in a standard installation).
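The properties above interact: the CRL, OCSP and CDP flags only matter once certpathvalidationenabled is true, the OCSP plugin additionally needs certpathvalidationcrlenabled, and both OCSP and CDP need the Sun implementation as the JVM default. A misconfiguration here silently weakens signature verification, so it is worth checking before relying on it. The following added example (not Oracle Identity Federation code) encodes those dependencies from this section as a configuration review: given a snapshot of the serverconfig values it reports which module validates signer certificates, which revocation checks will actually run and in what order, which Java properties the server would set, and which combinations the guide says will not work. The CertPathConfig and ValidationPlan classes, the function name and the sample values are assumptions made for the example; the property names are the guide's.

```python
from dataclasses import dataclass, field


@dataclass
class CertPathConfig:
    """Snapshot of the serverconfig properties listed in the guide
    (the class is this example's construct, the field names are Oracle's)."""
    certpathvalidationenabled: bool = False
    certpathvalidationcrlenabled: bool = False
    certpathvalidationocspenabled: bool = False
    certpathvalidationocspurl: str = ""
    certpathvalidationocspcertsubject: str = ""
    certpathvalidationcdpenabled: bool = False


@dataclass
class ValidationPlan:
    validator: str                                        # "internal" or "jre"
    revocation_order: list = field(default_factory=list)  # checks in the order they run
    java_properties: dict = field(default_factory=dict)   # properties OIF sets in the JVM
    warnings: list = field(default_factory=list)          # combinations that will not work


def plan_certpath_validation(cfg, jvm_default_is_sun=True, trusted_ca_subjects=None):
    """Derive the effective certificate validation behaviour from the config.

    jvm_default_is_sun: whether the JVM's default CertPathValidation module is
    the Sun implementation (required for the OCSP and CDP features).
    trusted_ca_subjects: optional set of subject names present in the Trusted
    Certificate Authorities table, used to check the OCSP responder certificate.
    """
    jre_flags_set = (cfg.certpathvalidationcrlenabled or cfg.certpathvalidationocspenabled
                     or cfg.certpathvalidationcdpenabled)
    if not cfg.certpathvalidationenabled:
        # Internal module: Trusted CAs table plus the uploaded CRLs, nothing else applies.
        plan = ValidationPlan(validator="internal", revocation_order=["crl"])
        if jre_flags_set:
            plan.warnings.append("crl/ocsp/cdp flags only affect the JRE module; "
                                 "certpathvalidationenabled is false so they have no effect")
        return plan

    plan = ValidationPlan(validator="jre")
    ocsp_usable = False
    if cfg.certpathvalidationocspenabled:
        # Java Security properties the server sets when the OCSP module is enabled.
        plan.java_properties["ocsp.enable"] = "true"
        plan.java_properties["ocsp.responderURL"] = cfg.certpathvalidationocspurl
        plan.java_properties["ocsp.responderCertSubjectName"] = cfg.certpathvalidationocspcertsubject
        ocsp_usable = True
        if not cfg.certpathvalidationcrlenabled:
            plan.warnings.append("certpathvalidationcrlenabled must be true to enable the OCSP plugin")
            ocsp_usable = False
        if not jvm_default_is_sun:
            plan.warnings.append("OCSP needs the Sun CertPathValidation implementation as JVM default")
            ocsp_usable = False
        if (trusted_ca_subjects is not None
                and cfg.certpathvalidationocspcertsubject not in trusted_ca_subjects):
            plan.warnings.append("OCSP responder certificate %r is not in the trusted CA store"
                                 % cfg.certpathvalidationocspcertsubject)
    if ocsp_usable:
        plan.revocation_order.append("ocsp")  # Sun module tries OCSP first...
    if cfg.certpathvalidationcrlenabled:
        plan.revocation_order.append("crl")   # ...and falls back to CRLs if OCSP is inconclusive
    if cfg.certpathvalidationcdpenabled:
        plan.java_properties["com.sun.security.enableCRLDP"] = "true"
        if not jvm_default_is_sun:
            plan.warnings.append("CDP extensions need the Sun CertPathValidation implementation as JVM default")
    return plan


if __name__ == "__main__":
    # Constructed sample: OCSP switched on but CRL checking left off.
    sample = CertPathConfig(certpathvalidationenabled=True, certpathvalidationocspenabled=True,
                            certpathvalidationocspurl="http://ocsp.example.com/",
                            certpathvalidationocspcertsubject="CN=OCSP Responder,O=Example")
    plan = plan_certpath_validation(sample, trusted_ca_subjects={"CN=Example Root CA,O=Example"})
    print(plan.validator, plan.revocation_order)
    for w in plan.warnings:
        print("WARNING:", w)
```

Run against the sample, the review reports the JRE validator with no revocation check at all, plus two warnings: the OCSP plugin cannot start because CRL checking is off, and the responder certificate is missing from the trusted CA store. Both are the conditions the notes in this section call out.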