Pre- and Post-Processing Custom Actions for Authentication Engines

12-4 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

– configure Oracle Identity Federation to invoke the plug-in instead of the SP integration module, so the plug-in can perform the custom tasks.

12.1.3 Custom Actions Architecture

Figure 12–1 explains the custom actions plug-in architecture:

Figure 12–1 Custom Action Plug-ins

In this figure, Oracle Identity Federation is customized and configured to invoke plug-ins:

■ before the SP integration engine invokes Oracle Identity Federation

■ before Oracle Identity Federation invokes the SP integration engine

■ before Oracle Identity Federation invokes the authentication engine

■ before the authentication engine invokes Oracle Identity Federation

12.1.3.1 Flow for Oracle Identity Federation as SP

During a federated SSO operation where Oracle Identity Federation acts as the service provider, the flow is as follows:

1. An Identity and Access Management (IAM) module, such as Oracle Access Manager, invokes the SP integration engine to start a federated SSO operation. The SP integration engine invokes the pre-processing plug-in for the SP engine to perform custom actions.

2. The pre-processing plug-in for the SP engine invokes Oracle Identity Federation to start the federated SSO flow.

3. Oracle Identity Federation redirects the user to an IdP, where the user is authenticated and an assertion is created.

4. The IdP redirects the user back to Oracle Identity Federation with an assertion, which is validated and mapped to a user.

5. Oracle Identity Federation bundles the user and assertion data and invokes the post-processing plug-in for the SP engine to perform custom tasks.

6. The post-processing plug-in invokes the SP integration engine, providing the user and assertion data.

7. The SP engine creates a user session in the IAM domain and redirects the user to the protected resource.

12.1.3.2 Flow for Oracle Identity Federation Authenticating User

When Oracle Identity Federation needs to authenticate a user, the flow is as follows:

1. Oracle Identity Federation, as part of a runtime flow, determines that it needs to locally authenticate the user. It invokes the pre-processing plug-in for the authentication engine to perform some custom tasks.

2. The pre-processing plug-in invokes the authentication engine.

3. The authentication engine uses the IAM domain to challenge and identify the user.

4. The authentication engine bundles the authentication data and invokes the post-processing plug-in for the authentication engine to perform some custom tasks.

5. The post-processing plug-in for the authentication engine invokes Oracle Identity Federation, providing the authentication data.

6. Oracle Identity Federation resumes operations.

12.2 Pre-processing Custom Action for Authentication Engine

The pre-processing plug-in is a module to which the user is directed, as part of an authentication operation, before invoking the authentication engine. The plug-in enables custom actions to be taken before authentication. When the plug-in is in use, Oracle Identity Federation does not redirect the user to the authentication engine; rather, it forwards the user internally to the plug-in, passing it certain data for use during authentication. After performing its custom actions, the plug-in forwards the user to the correct authentication engine, along with the data originally provided by the federation server, to resume the authentication flow.

12.2.1 Implementing the Pre-processing Custom Action

Custom Action Interaction with Oracle Identity Federation

When Oracle Identity Federation redirects a user to the authentication engine, it passes certain data to the engine as attributes on the HttpServletRequest object. The same data is made available to pre-processing plug-ins:

■ the authentication mechanism to use when challenging the user for identification (String, identified by oracle.security.fed.authn.authnmech)

■ an identifier referencing the action being performed (String, identified by oracle.security.fed.authn.refid)

■ the ProviderID and the description of the remote service provider for which this local authentication is requested, if a federated SSO operation is being performed (Strings, identified by oracle.security.fed.authn.providerid and oracle.security.fed.authn.providerdescription respectively)

■ the identifier referencing the engine used to authenticate the user (String, identified by oracle.security.fed.authn.engineid)

■ the identifier of the user, if set (String, identified by oracle.security.fed.authn.userid)
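As an added example (not code from this guide or from Oracle Identity Federation), the following servlet shows the shape of a pre-processing plug-in for the authentication engine: it reads the request attributes listed above, refuses to continue if the federation server's data is missing, records the authentication context for audit, and forwards the user internally to the authentication engine with the request attributes intact. The engine-ID-to-path table, the PLACEHOLDER_ENGINE_ID value and the engine path are assumptions that must come from your own deployment configuration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Added example (not the guide's code): a pre-processing plug-in for the authentication
// engine, written as the servlet Oracle Identity Federation forwards the user to.
public class AuthnPreProcessingPlugin extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(AuthnPreProcessingPlugin.class.getName());
    // Request attribute names as listed in the guide
    static final String AUTHN_MECH    = "oracle.security.fed.authn.authnmech";
    static final String REF_ID        = "oracle.security.fed.authn.refid";
    static final String PROVIDER_ID   = "oracle.security.fed.authn.providerid";
    static final String PROVIDER_DESC = "oracle.security.fed.authn.providerdescription";
    static final String ENGINE_ID     = "oracle.security.fed.authn.engineid";
    static final String USER_ID       = "oracle.security.fed.authn.userid";
    // ASSUMPTION: the engine ID -> engine servlet path mapping is deployment-specific;
    // the placeholder entry below must be replaced from your own configuration.
    private static final Map<String, String> ENGINE_PATHS =
        Map.of("PLACEHOLDER_ENGINE_ID", "/placeholder/authn-engine");

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String refId    = (String) req.getAttribute(REF_ID);
        String engineId = (String) req.getAttribute(ENGINE_ID);
        String userId   = (String) req.getAttribute(USER_ID); // null unless already set
        // The plug-in only adds actions; it must not continue without the federation
        // server's data, because the engine needs it to resume the flow.
        if (refId == null || engineId == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing federation attributes");
            return;
        }
        // Custom action: audit which mechanism, engine and remote SP this authentication is for.
        LOG.info(String.format("pre-authn refid=%s mech=%s engine=%s sp=%s (%s) user=%s",
            refId, req.getAttribute(AUTHN_MECH), engineId, req.getAttribute(PROVIDER_ID),
            req.getAttribute(PROVIDER_DESC), userId == null ? "<not set>" : userId));
        String enginePath = ENGINE_PATHS.get(engineId);
        if (enginePath == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "unknown authentication engine");
            return;
        }
        // Forward internally rather than redirect: the attributes stay on this request object,
        // so the engine receives exactly the data the federation server provided.
        getServletContext().getRequestDispatcher(enginePath).forward(req, resp);
    }
}
```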