Architecture and Flows

Integrating with Third-Party Identity and Access Management Modules 10-5

■ The authentication mechanism used to identify the user
■ The identifier referencing the action that was being performed, from the request
■ The identifier referencing the engine used to authenticate the user
■ Optionally, a map of attributes that is stored in the user session
■ Optionally, a String containing the Oracle Identity Federation session identifier that Oracle Identity Federation needs to use to reference the Oracle Identity Federation user session. This allows the engine and Oracle Identity Federation to share the same identifier to reference the user session. Later on, when the logout flow is being executed, Oracle Identity Federation passes the sessionID that is being logged out to the engine, so that the engine can delete the data that was used for this user session.

8. Oracle Identity Federation performs these actions:
■ processes the incoming request
■ retrieves the data embedded as attributes in the HttpServletRequest
■ locates the user in the user data store
■ creates a session for the user
■ sets a cookie, and
■ resumes the SSO operation.
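The engine-side hand-off described in the steps above, as an added example that is not part of this guide or Oracle's code: a custom authentication engine servlet forwarding its outcome to Oracle Identity Federation. The ASSUMED_* attribute names, the forward path, the action parameter and the session-stored AuthnResult are placeholders, not OIF's documented names.

```java
// Added example (not Oracle's code): a custom authentication engine handing its
// outcome to OIF via an internal forward. ASSUMED_* names and path are placeholders.
import java.io.IOException;
import java.util.Date;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExampleAuthnEngineServlet extends HttpServlet {
    static final String ASSUMED_ATTR_USERID    = "example.authn.userid";
    static final String ASSUMED_ATTR_AUTHNTIME = "example.authn.time";
    static final String ASSUMED_ATTR_AUTHNMECH = "example.authn.mechanism";
    static final String ASSUMED_ATTR_ACTION    = "example.authn.action";
    static final String ASSUMED_ATTR_ENGINEID  = "example.authn.engineid";
    static final String ASSUMED_ATTR_ATTRS     = "example.authn.attributes";
    static final String ASSUMED_ATTR_SESSIONID = "example.authn.sessionid";
    static final String ASSUMED_OIF_FORWARD    = "/example/oif/authnresponse";
    static final String ENGINE_ID = "custom-engine";

    // Outcome of the engine's own login step, stored in the HTTP session by its login
    // page (hypothetical). userId == null means "authenticated but unknown to the server".
    public static final class AuthnResult {
        public boolean succeeded;
        public String userId, mechanism, sessionId;
        public Map<String, Object> attributes;
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        AuthnResult r = (AuthnResult) req.getSession().getAttribute("example.engine.result");
        // Action identifier OIF sent when it invoked the engine; echo it back unchanged.
        req.setAttribute(ASSUMED_ATTR_ACTION, req.getParameter("action"));
        req.setAttribute(ASSUMED_ATTR_ENGINEID, ENGINE_ID);
        if (r != null && r.succeeded) {
            // Success: time and mechanism are always set; the user ID only for a known user.
            // An empty ID with time and mechanism set means "authenticated, user unknown".
            req.setAttribute(ASSUMED_ATTR_AUTHNTIME, new Date());
            req.setAttribute(ASSUMED_ATTR_AUTHNMECH, r.mechanism);
            if (r.userId != null) req.setAttribute(ASSUMED_ATTR_USERID, r.userId);
            if (r.attributes != null) req.setAttribute(ASSUMED_ATTR_ATTRS, r.attributes);
            req.setAttribute(ASSUMED_ATTR_SESSIONID, r.sessionId); // shared id used at logout
        }
        // Failure: time and mechanism stay unset, which OIF reads as "authentication failed".
        req.getRequestDispatcher(ASSUMED_OIF_FORWARD).forward(req, resp);
    }
}
```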

10.2.3 SP Integration Engine Framework

The SP integration engine included with Oracle Identity Federation consists of a servlet that processes requests from the server to create a user authenticated session at the IAM server. The engine includes several internal plug-ins that allow it to interact with different IAM servers, such as:
■ Oracle Single Sign-On
■ Oracle Access Manager
■ Oracle Identity Federation Test Application

Additionally, Oracle Identity Federation provides a framework so that the server can be integrated with third-party IAM frameworks: the customized SP integration Module interacts with Oracle Identity Federation using internal J2EE Servlet forwards, and it communicates with the third-party IAM system to create the user authenticated session.

Note:
■ If the user ID attribute is empty but the authentication time and authentication mechanism attributes are not empty, it tells Oracle Identity Federation that the authentication succeeded, but that the user is unknown on the server. This is useful when Oracle Identity Federation, acting as an IdP, is configured to use the attributes passed by the engine to create an assertion.
■ If the authentication time or authentication mechanism attributes are empty, it tells Oracle Identity Federation that the authentication failed.

10-6 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

Here is a step-by-step description of how an SP integration engine interacts with the Oracle Identity Federation Framework in a typical user flow:
1. The user attempts to access a resource protected by the IAM solution, and configured to use Federation SSO to authenticate the user.
2. The IAM deployment redirects the user to the corresponding SP integration Module on Oracle Identity Federation.
3. The SP integration Module decodes the information sent by the IAM deployment and internally forwards the user to the Oracle Identity Federation server with the following information set as HttpServletRequest attributes:
■ An optional authentication mechanism specifying to the SP which authentication mechanism to request the IdP to use during authentication.
■ An optional Provider ID referencing the IdP to use for the Federation SSO. If missing, Oracle Identity Federation uses the IdP mapped for the specified authentication mechanism. If no IdP could be found, Oracle Identity Federation uses the IdP configured as the Default SSO IdP.
■ An optional federation ID referencing the affiliation to use to trigger the Federation SSO.
■ The relay state. It can contain a small string, for example a reference to some data saved in a repository or a small URL pointing to the protected resource to redirect the user to after completion of the SSO operation.
■ The identifier of the SP engine that started the SSO flow.
■ An optional Boolean indicating whether the Oracle Identity Federation server should authenticate the user locally using the authentication engines, or whether a Federation SSO should be started by redirecting the user to an IdP for authentication.
■ A Boolean object indicating whether to use the configuration stored in Oracle Identity Federation or to only start the SSO operation based on the information being passed by the SP engine, except for the IdP.
■ A Boolean object indicating whether the SP should ask the IdP to challenge the user even if already authenticated.
■ A Boolean object indicating whether the SP should allow the IdP to create a federation record if one does not yet exist, during the SSO operation.
■ A Boolean object indicating whether the SP should ask the IdP not to interact with the user during the SSO operation.
■ A String representing the binding to use when sending the AuthnRequest.
■ A String representing the binding to use when sending the response with the assertion.
■ An optional authentication mechanism comparison specifying to the SP which authentication context comparison to request the IdP to use during authentication.
■ A String representing the NameID format the SP uses to ask the IdP for the SSO operation.

Note: if set, this parameter is used to determine the IdP to use, disregarding the default parameter described next.
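Step 3 on the SP side, as an added example that is not part of this guide or Oracle's code: a custom SP integration module servlet decoding the IAM redirect and forwarding to Oracle Identity Federation with the request attributes set. The ASSUMED_* attribute names, the forward path and the query parameters the IAM deployment appends (resource, authnmech, providerid) are assumptions; the same-site check on the relay state is the bound a practitioner adds because the relay state later drives the post-SSO redirect.

```java
// Added example (not Oracle's code): a custom SP integration module decoding the IAM
// redirect and forwarding to OIF. ASSUMED_* names and the forward path are placeholders.
import java.io.IOException;
import java.net.URI;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExampleSpIntegrationServlet extends HttpServlet {
    static final String ASSUMED_ATTR_AUTHNMECH   = "example.sp.authnmech";
    static final String ASSUMED_ATTR_PROVIDERID  = "example.sp.providerid";
    static final String ASSUMED_ATTR_RELAYSTATE  = "example.sp.relaystate";
    static final String ASSUMED_ATTR_ENGINEID    = "example.sp.engineid";
    static final String ASSUMED_ATTR_LOCALAUTHN  = "example.sp.localauthn";
    static final String ASSUMED_ATTR_FORCEAUTHN  = "example.sp.forceauthn";
    static final String ASSUMED_ATTR_ALLOWCREATE = "example.sp.allowcreate";
    static final String ASSUMED_OIF_FORWARD      = "/example/oif/sp/startsso";
    static final String ENGINE_ID = "custom-sp-engine";
    static final int MAX_RELAY_STATE = 80;   // "small string": bound what is carried

    // Accept only a short, same-site path as relay state, so the post-SSO redirect
    // cannot be pointed at another host (no scheme, no authority, rejects "//host/...").
    static String safeRelayState(String resource) {
        if (resource == null || resource.isEmpty() || resource.length() > MAX_RELAY_STATE) return null;
        try {
            URI u = URI.create(resource);
            if (u.isAbsolute() || u.getRawAuthority() != null || !resource.startsWith("/")) return null;
        } catch (IllegalArgumentException e) { return null; }   // malformed input
        return resource;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Hypothetical parameters the IAM deployment appends to its redirect (step 2).
        String relay = safeRelayState(req.getParameter("resource"));
        if (relay == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        String mech = req.getParameter("authnmech");   // optional; if set, also selects the IdP
        String idp  = req.getParameter("providerid");  // optional; otherwise OIF uses its default
        if (mech != null) req.setAttribute(ASSUMED_ATTR_AUTHNMECH, mech);
        if (idp  != null) req.setAttribute(ASSUMED_ATTR_PROVIDERID, idp);
        req.setAttribute(ASSUMED_ATTR_RELAYSTATE, relay);
        req.setAttribute(ASSUMED_ATTR_ENGINEID, ENGINE_ID);
        req.setAttribute(ASSUMED_ATTR_LOCALAUTHN, Boolean.FALSE);  // start Federation SSO, not local authn
        req.setAttribute(ASSUMED_ATTR_FORCEAUTHN, Boolean.FALSE);  // do not re-challenge an authenticated user
        req.setAttribute(ASSUMED_ATTR_ALLOWCREATE, Boolean.TRUE);  // let the IdP create a federation record
        req.getRequestDispatcher(ASSUMED_OIF_FORWARD).forward(req, resp);
    }
}
```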