12-12 Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation

12.4 Pre-processing Custom Action for SP Integration Engine

The pre-processing plug-in is a module to which the user is directed, as part of an SP SSO flow from an SP integration module, instead of being redirected to the Oracle Identity Federation server to start the Federation SSO operation. The plug-in enables custom actions to be taken before the SSO flow. When the pre-processing plug-in is in use, the SP integration module internally forwards the user to the plug-in, supplying the runtime data to be used for the federated SSO operation. The plug-in performs custom operations, and forwards the user to Oracle Identity Federation - with the runtime data - to resume the Federation SP SSO flow.

12.4.1 Implementing the Pre-processing Plug-in

When the SP engine redirects a user to Oracle Identity Federation, it passes certain data to the server as attributes on the HttpServletRequest object. The same data is made available to the pre-processing plug-in. Here is the data passed to the plug-in:

■ An optional Provider ID referencing the IdP to use for the federated SSO. If missing, Oracle Identity Federation uses the IdP mapped for the specified authentication mechanism. If no IdP can be found, Oracle Identity Federation uses the IdP configured as the default SSO IdP. String, identified by oracle.security.fed.sp.providerid.

■ An optional federation ID referencing the affiliation to use to trigger the federated SSO. String, identified by oracle.security.fed.sp.federationid.

■ The relay state, containing a small string, for example a reference to some data saved in a repository, or a small URL pointing to the protected resource to which the user is redirected after completion of the SSO operation. String, identified by oracle.security.fed.sp.relaystate.

■ The protected resource the user was trying to access, when the SP engine is an out-of-the-box SP engine (Oracle Access Manager, Oracle Single Sign-On, or the test SP engine). Identified by oracle.security.fed.sp.returnurl.

■ The identifier of the SP engine that started the SSO flow. String, identified by oracle.security.fed.sp.engineid.

■ An optional flag indicating whether Oracle Identity Federation should authenticate the user locally using the authentication engines, or whether a federated SSO should be started by redirecting the user to an IdP for authentication. Boolean, identified by oracle.security.fed.sp.localauthn; default is false.

■ Whether to use the configuration stored in Oracle Identity Federation, or to start the SSO based only on the information passed by the SP engine (except the IdP). Boolean, identified by oracle.security.fed.sp.usedefault. If missing, true is assumed.

■ Whether the SP should ask the IdP to challenge the user even if he/she is already authenticated. Boolean, identified by oracle.security.fed.sp.forceauthn. This parameter is ignored if usedefault is true or missing.

■ Whether the SP should allow the IdP to create a federation record, if one does not yet exist, during the SSO operation. Boolean, identified by oracle.security.fed.sp.allowfedcreation. This parameter is ignored if usedefault is true or missing.

■ Whether the SP should ask the IdP not to interact with the user during the SSO operation. Boolean, identified by oracle.security.fed.sp.passive. This parameter is ignored if usedefault is true or missing.

■ The binding to use when sending the AuthnRequest. String, identified by oracle.security.fed.sp.requestbinding. This parameter is ignored if usedefault is true or missing. Acceptable values are httpredirect, httppost, and httppostsimple, depending on the protocol.

■ The binding to use when sending the response with the assertion. String, identified by oracle.security.fed.sp.responsebinding. This parameter is ignored if usedefault is true or missing. Acceptable values are artifact or httppost, depending on the protocol.

■ An optional authentication mechanism comparison, specifying to the SP which authentication context comparison to request the IdP to use during authentication. String, identified by oracle.security.fed.sp.authnmechcomparison. This parameter is ignored if usedefault is true or missing.

■ The NameID format the SP will issue to the IdP for the SSO operation. String, identified by oracle.security.fed.sp.nameidformat. This parameter is ignored if usedefault is true or missing.

■ Optional attributes to be requested from the IdP during the Federation SSO operation, for example when interacting with an OpenID IdP. The data is passed as a Map with Strings as keys and sets of Objects as values, identified by oracle.security.fed.sp.attributes. The values are optional, while the keys contain the attribute names.

12.4.2 Configuring Oracle Identity Federation for the Plug-in

To configure Oracle Identity Federation to forward the user to a pre-processing plug-in at the start of the SP federated SSO flow, set the following properties:

■ Create or set the web context property, referencing the web context where the custom JSP page or servlet resides. This property is located in the serverconfig group of the Oracle Identity Federation configuration. Set the spcontext string property in serverconfig; default: missing.

■ Set the relative path property, referencing the path in the web context where the custom JSP page or servlet resides. Set the sppath string property in serverconfig; default: spstartsso.

See Also: Section 10.4.2, "Developing and Implementing the Integration Module", for details about the data provided by the SP integration engine.

Notes:

■ The plug-in must provide the Oracle Identity Federation server with the data that was passed to it as part of the SP federated SSO flow; this consists of the attributes that were set on the HttpServletRequest object.

■ The plug-in can modify all attributes that were set on the HttpServletRequest object except the oracle.security.fed.sp.engineid attribute.
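As an added illustration of Sections 12.4.1 and 12.4.2 (this is not code from the guide or from Oracle), a servlet that could be deployed as the pre-processing plug-in: it reads the attributes listed above, refuses to continue if the engine ID is absent, applies two custom actions, and forwards the user back to Oracle Identity Federation with the attributes still on the request. The OIF context path, the resume path, and the host-to-IdP rule are assumptions, marked as placeholders in the code.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PreProcessingPlugin extends HttpServlet {
    private static final String PROVIDER_ID = "oracle.security.fed.sp.providerid";
    private static final String RELAY_STATE = "oracle.security.fed.sp.relaystate";
    private static final String RETURN_URL  = "oracle.security.fed.sp.returnurl";
    private static final String ENGINE_ID   = "oracle.security.fed.sp.engineid";
    // Placeholders (assumed, not from the guide): OIF's web context and the resume path; see Section 10.4.2.
    private static final String OIF_CONTEXT = "/fed";
    private static final String OIF_SP_SSO_PATH = "/SP-SSO-RESUME-PATH-PLACEHOLDER";
    // Hypothetical site rule: resources on this host must use the internal IdP.
    private static final String INTERNAL_HOST = "intranet.example.com";
    private static final String INTERNAL_IDP = "https://idp-internal.example.com/fed/idp";
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The engine id must reach OIF unchanged; do not continue without it.
        if (!(req.getAttribute(ENGINE_ID) instanceof String)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing engine id");
            return;
        }
        // Custom action 1: supply a provider ID when the SP engine sent none.
        String idp = idpForResource((String) req.getAttribute(RETURN_URL));
        if (req.getAttribute(PROVIDER_ID) == null && idp != null) {
            req.setAttribute(PROVIDER_ID, idp);
        }
        // Custom action 2: drop a relay state that is oversized or non-printable.
        Object relay = req.getAttribute(RELAY_STATE);
        if (relay instanceof String && (((String) relay).length() > 80
                || !((String) relay).matches("[\\x20-\\x7E]*"))) {
            req.removeAttribute(RELAY_STATE);
        }
        // Forward (not redirect) so the attributes stay on the same request object.
        ServletContext oif = getServletContext().getContext(OIF_CONTEXT);
        if (oif == null) throw new ServletException("cross-context access to OIF is disabled");
        oif.getRequestDispatcher(OIF_SP_SSO_PATH).forward(req, resp);
    }
    // Maps the protected resource's host to an IdP; null means "let OIF choose".
    static String idpForResource(String returnUrl) {
        try {
            String host = returnUrl == null ? null : URI.create(returnUrl).getHost();
            return INTERNAL_HOST.equals(host) ? INTERNAL_IDP : null;
        } catch (IllegalArgumentException badUrl) { return null; }
    }
}
```

Deploy the servlet in the web context named by spcontext at the path named by sppath; the container must permit cross-context dispatching for the forward into the OIF context to succeed.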