Configure Service Provider - Common Properties

Configuring Oracle Identity Federation 5-23

■ Enable Common Domain Cookie Service - When an identity federation network contains multiple identity providers, a service provider needs a way to determine which identity providers a principal is using. This is achieved by using a domain that is common to the IdPs and SPs in the federation network and sending the user's browser a cookie, written in that domain, that lists all the IdPs where the user is logged in. Such a domain is known as a common domain, and the cookie identifying the IdPs is called a common domain cookie or introduction cookie. Check this box to specify that this SP should read the introduction cookie, and enter the Service URL where Oracle Identity Federation will read the introduction cookie.

See Also: Section 6.11, Configuring the Identity Provider Discovery Service
See Also: Section 6.10, Configuring the SAML 2.0 IdP Discovery Common Domain Cookie Profile

■ Enable Attribute Requester Service - Check this box to enable this service provider to act as an Attribute Requester.

Note: This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.

See Also: Section 5.6.5, Configuring Oracle Identity Federation as an SP Attribute Requester

Configure Attribute Requester Service

■ Default Attribute Authority - Select the attribute authority to which Attribute Queries are sent by default, when no attribute authority is specified in the request.
■ DN Pattern to Attribute Responder Mappings - Use this table to map user DN patterns to attribute authorities. When sending an attribute query for a given user, Oracle Identity Federation looks at the user's DN, matches it against the patterns in this table, and sends the attribute query to the corresponding attribute authority. If no pattern matches the user's DN, the default attribute authority is used. By default, the DN pattern is case-sensitive: case is considered when comparing the user DN to the DN pattern. You can make the comparison case-insensitive with the WLST configuration command:

setConfigProperty('dnidpmapping', 'caseinsensitive', 'true', 'boolean')

Use true for case-insensitive comparison, false for case-sensitive comparison.

5-24 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

Identity Providers for SSO Authentication Mechanism

Use this table to map authentication mechanisms to identity providers. When an SSO operation is initiated and no identity provider is specified, Oracle Identity Federation looks at this table to map the requested authentication mechanism to an identity provider and sends the AuthnRequest to that identity provider. If the authentication mechanism cannot be mapped to an identity provider, the default SSO identity provider is used.
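The common domain cookie described under Enable Common Domain Cookie Service, as an added example written for this page (it is not Oracle Identity Federation code). The cookie name and value layout (space-separated, base64-encoded IdP entity IDs, most recently used last) follow the SAML 2.0 IdP Discovery profile; the URL-encoding of the value, the entry cap and the sample entity IDs are assumptions of this example. The reader side shows the check a practitioner wants: the cookie is client-controlled, so it may only select among IdPs the SP already trusts.

```python
"""Common domain (introduction) cookie, as used by the SAML 2.0 IdP Discovery profile.

Added illustration written for this page; it is not Oracle Identity Federation code.
The cookie name and the value layout (space-separated, base64-encoded entity IDs,
most recently used last) come from the SAML 2.0 profile; the URL-encoding of the
value and the entry cap are implementation choices assumed here.
"""
import base64
import binascii
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"   # fixed by the SAML 2.0 IdP Discovery profile
MAX_ENTRIES = 8             # assumed cap so the cookie stays within browser size limits


def parse_idp_cookie(cookie_value: str) -> list:
    """Return the IdP entity IDs listed in the cookie, oldest first.

    The cookie comes from the browser, so it is untrusted input: malformed
    tokens are skipped rather than allowed to abort the SP's login flow.
    """
    idps = []
    for token in unquote(cookie_value).split():
        try:
            entity_id = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if entity_id and entity_id not in idps:
            idps.append(entity_id)
    return idps


def append_idp(cookie_value: str, entity_id: str) -> str:
    """Writer side (the IdP, after a successful login): put entity_id last.

    An entity ID already present is moved to the end rather than duplicated,
    and the oldest entries are dropped once MAX_ENTRIES is exceeded.
    """
    idps = [i for i in parse_idp_cookie(cookie_value) if i != entity_id]
    idps.append(entity_id)
    idps = idps[-MAX_ENTRIES:]
    encoded = " ".join(base64.b64encode(i.encode("utf-8")).decode("ascii") for i in idps)
    return quote(encoded, safe="")   # a literal space is not legal in a cookie value


def choose_idp(cookie_value: str, trusted_idps: set, default_idp: str) -> str:
    """Reader side (the SP's common domain read service): pick the most
    recently used IdP that this SP actually trusts.

    Because anyone can set the cookie, it may only select among the providers
    already configured as trusted; an unknown entity ID falls through to the
    default SSO identity provider.
    """
    for entity_id in reversed(parse_idp_cookie(cookie_value)):
        if entity_id in trusted_idps:
            return entity_id
    return default_idp


if __name__ == "__main__":
    # Constructed walk-through: two IdPs write the cookie, then an SP reads it.
    cookie = append_idp("", "https://idp1.example.com/fed/idp")
    cookie = append_idp(cookie, "https://idp2.example.org/fed/idp")
    print(COOKIE_NAME, "=", cookie)
    print("IdPs in cookie:", parse_idp_cookie(cookie))
    print("SP picks:", choose_idp(cookie, {"https://idp1.example.com/fed/idp"},
                                  "https://idp-default.example.net/fed/idp"))
```

Garbage in the cookie (or an IdP the SP has no trust relationship with) never produces an error page; the SP simply falls back to its default SSO identity provider.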
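The two routing decisions described above, DN pattern to attribute authority (with the case-sensitivity switch and the default fallback) and authentication mechanism to SSO identity provider, as one added example written for this page (not Oracle Identity Federation code). The page does not define what it means for a DN to "match" a pattern; this example assumes a pattern is a DN suffix matched on an RDN boundary, with the longest matching pattern winning. The mapping tables, provider URLs and mechanism names are constructed sample data.

```python
"""Provider selection for an SP: attribute authority by user DN pattern, and
SSO identity provider by authentication mechanism, each with a default fallback.

Added illustration written for this page; not Oracle Identity Federation code.
The page does not define how a DN "matches" a pattern; this example assumes a
pattern is a DN suffix matched on an RDN boundary, with the longest match winning.
The mapping tables below are constructed sample data.
"""
from typing import Dict, List, Tuple


def normalize_dn(dn: str, case_insensitive: bool) -> str:
    """Trim whitespace around RDN separators; fold case only when asked to,
    mirroring the dnidpmapping/caseinsensitive switch."""
    dn = ",".join(part.strip() for part in dn.split(","))
    return dn.lower() if case_insensitive else dn


def select_attribute_authority(user_dn: str,
                               dn_pattern_mappings: List[Tuple[str, str]],
                               default_authority: str,
                               case_insensitive: bool = False) -> str:
    """Return the attribute authority whose DN pattern matches user_dn.

    A pattern matches when the DN equals it or ends with ',' + pattern, so
    'c=com' does not match 'dc=com'. The most specific (longest) matching
    pattern wins; with no match the default authority is used.
    """
    dn = normalize_dn(user_dn, case_insensitive)
    best_pattern, best_authority = "", default_authority
    for pattern, authority in dn_pattern_mappings:
        pat = normalize_dn(pattern, case_insensitive)
        if (dn == pat or dn.endswith("," + pat)) and len(pat) > len(best_pattern):
            best_pattern, best_authority = pat, authority
    return best_authority


def select_sso_idp(requested_mechanism: str,
                   mechanism_to_idp: Dict[str, str],
                   default_sso_idp: str) -> str:
    """Route an AuthnRequest: mechanism table first, default SSO IdP otherwise."""
    return mechanism_to_idp.get(requested_mechanism, default_sso_idp)


# Constructed sample tables (hypothetical provider IDs and mechanism names).
DN_PATTERN_MAPPINGS = [
    ("dc=example,dc=com", "https://aa-corp.example.com/fed/idp"),
    ("ou=Sales,dc=example,dc=com", "https://aa-sales.example.com/fed/idp"),
]
DEFAULT_ATTRIBUTE_AUTHORITY = "https://aa-default.example.com/fed/idp"

MECHANISM_TO_IDP = {
    "oracle:fed:authentication:password-protected": "https://idp-pwd.example.com/fed/idp",
    "oracle:fed:authentication:x509": "https://idp-pki.example.com/fed/idp",
}
DEFAULT_SSO_IDP = "https://idp-default.example.com/fed/idp"

if __name__ == "__main__":
    for dn in ("cn=alice,ou=Sales,dc=example,dc=com",
               "cn=dave,ou=sales,dc=example,dc=com",
               "cn=carol,dc=other,dc=org"):
        print(dn, "->",
              select_attribute_authority(dn, DN_PATTERN_MAPPINGS, DEFAULT_ATTRIBUTE_AUTHORITY),
              "| case-insensitive:",
              select_attribute_authority(dn, DN_PATTERN_MAPPINGS, DEFAULT_ATTRIBUTE_AUTHORITY,
                                         case_insensitive=True))
    print(select_sso_idp("oracle:fed:authentication:x509", MECHANISM_TO_IDP, DEFAULT_SSO_IDP))
```

Note the effect of the case switch: with the default case-sensitive comparison, `cn=dave,ou=sales,dc=example,dc=com` does not match the `ou=Sales` pattern and is routed by the shorter `dc=example,dc=com` pattern instead, which is exactly the surprise the caseinsensitive property exists to avoid when the directory stores mixed-case RDNs.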

5.5.2 Configure SAML 2.0 SP Properties

Use this tab to maintain Oracle Identity Federation properties in service provider mode under the SAML 2.0 protocol.

Assertion Settings

Choose one of these methods of assertion mapping by checking the associated box:
■ Federated Identity
■ Attribute Query
■ Subject NameID

See Also: Section 5.6.5, Configuring Oracle Identity Federation as an SP Attribute Requester
See Also: Section 5.14, Configuring Authentication Mechanisms

If mapping users through federated identity, check the box labeled Enable Auto Account Linking. If mapping users through attribute query, enter the query string in the associated box. If mapping users through subject NameID, check the box and select the applicable NameID formats from the table titled Assertion Subject NameID Formats. Provide this information in the table:
■ Enabled - Check the box for each format that this Oracle Identity Federation instance supports in SP mode.
■ NameID Format - This column displays the available SAML 2.0 NameID formats.
■ User Attribute Mapping - Enter the attribute name for the selected NameID format. Oracle Identity Federation uses this attribute name to look up, in the user data store, the user identified by a name ID in this format.
■ Name of the Custom Format - When processing an assertion, this is the name of the format that will be mapped to the custom NameID format type.

The name identifier formats, and the default user attribute mapping for each, are as follows:

Table 5–4 SAML 2.0 SP Name ID Formats

NameID Format                    Default
X.509 Subject Name               dn
Email Address                    mail
Windows Domain Qualified Name    empty
Kerberos Principal Name
Custom                           empty
Unspecified                      empty

Additionally, you can check Error when User Mapping Fails to indicate how Oracle Identity Federation should handle mapping errors.

See Also: Section 6.17, Automatic Account Linking Based on Attribute Query Mapping

Protocol Settings

Provide the following information:
■ Enable SAML 2.0 Protocol - Check the box to enable this protocol for the SP.
■ Enable Single Sign-On Protocol - Check the box to enable the single sign-on protocol.
■ Enable NameID Management Protocol: Register - Check the box to enable NameID registration.
■ Enable Federation Termination Protocol - Check this box to enable the federation termination protocol. See Section 1.2.4.8, Federation Termination Profile, for an explanation of this feature.
■ Send Encrypted NameIDs - Check this box to enable Oracle Identity Federation to send encrypted name identifiers to peer providers.
■ Send Encrypted Attributes - Check this box to enable Oracle Identity Federation to send encrypted attributes to peer providers.
■ Allow Federation Creation - Check this box to allow federation creation. This is required if you configure the SP to request the persistent NameID format, as described below.
■ Force User Consent - Check this box to force consent for setting up a new federation. A user who is redirected to the federation server will explicitly have to accept or deny account linking in order to proceed.
■ User Consent URL - Enter the URL to be displayed to the user to obtain consent for federation. The server passes a number of query parameters to this URL:

See Also: Section 1.2.4.5, Name Identifier Management Profiles
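The Subject NameID mapping described under Assertion Settings (format enabled or not, User Attribute Mapping per Table 5–4, Name of the Custom Format, and Error when User Mapping Fails), as an added example written for this page; it is not Oracle Identity Federation code. The assertion, the user store and the custom format name are constructed, the internal "custom" key used for the Custom row is an assumption of this example, and the assertion's signature and conditions are assumed to have been validated before this mapping step runs.

```python
"""Subject NameID to user mapping for an SP, following the format-to-attribute
idea of Table 5-4. Added illustration written for this page; it is not Oracle
Identity Federation code. The assertion, user store and custom format name are
constructed; the internal "custom" key used for the Custom row is an assumption
of this example. Signature and condition validation of the assertion are assumed
to have already succeeded before this mapping runs.
"""
import xml.etree.ElementTree as ET   # a production SP should use a hardened parser (e.g. defusedxml)
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SAML NameID format URIs corresponding to the rows of Table 5-4
NAMEID_X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_WINDOWS = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
NAMEID_KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CUSTOM = "custom"   # internal key for the Custom row (assumption of this example)


class UserMappingError(Exception):
    """Raised when Error when User Mapping Fails is set and no single user matches."""


@dataclass
class SpNameIdConfig:
    # enabled format -> User Attribute Mapping; formats not enabled are simply absent
    attribute_for_format: Dict[str, str]
    custom_format_name: Optional[str] = None   # "Name of the Custom Format"
    error_when_mapping_fails: bool = True


def extract_name_id(assertion_xml: str) -> Tuple[str, str]:
    """Return (Format, value) of the assertion's Subject/NameID."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise UserMappingError("assertion carries no Subject/NameID")
    # Per SAML Core, an absent Format attribute means "unspecified"
    return name_id.get("Format", NAMEID_UNSPECIFIED), name_id.text.strip()


def _fail(config: SpNameIdConfig, reason: str) -> None:
    if config.error_when_mapping_fails:
        raise UserMappingError(reason)
    return None


def map_subject_to_user(assertion_xml: str, config: SpNameIdConfig,
                        user_store: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Look the NameID up in the user store via the attribute configured for its format.

    Returns the single matching user record, or None when the failure flag is
    off. Ambiguous matches are treated as failures: an SP must never log a
    NameID in as "whichever user matched first".
    """
    fmt, value = extract_name_id(assertion_xml)
    if config.custom_format_name and fmt == config.custom_format_name:
        fmt = CUSTOM                      # incoming format name mapped to the Custom row
    attribute = config.attribute_for_format.get(fmt)
    if attribute is None:
        return _fail(config, f"NameID format {fmt!r} is not enabled in SP mode")
    matches = [u for u in user_store if u.get(attribute) == value]
    if len(matches) != 1:
        return _fail(config, f"{len(matches)} users match {attribute}={value!r}")
    return matches[0]


def build_assertion(name_id_format: str, name_id_value: str) -> str:
    """Constructed, unsigned sample assertion used only for the walk-through."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_c0ffee" Version="2.0" IssueInstant="2011-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.com/fed/idp</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id_value}</saml:NameID></saml:Subject>'
        "</saml:Assertion>"
    )


# Constructed user store standing in for the LDAP user data store
USERS = [
    {"uid": "alice", "dn": "cn=alice,ou=sales,dc=example,dc=com", "mail": "alice@example.com", "employeeNumber": "1001"},
    {"uid": "bob", "dn": "cn=bob,ou=eng,dc=example,dc=com", "mail": "bob@example.com", "employeeNumber": "1002"},
]

# Table 5-4 defaults for the two formats this SP enables, plus a custom format (constructed name)
SP_CONFIG = SpNameIdConfig(
    attribute_for_format={NAMEID_EMAIL: "mail", NAMEID_X509: "dn", CUSTOM: "employeeNumber"},
    custom_format_name="urn:example:nameid-format:employee-number",
)

if __name__ == "__main__":
    user = map_subject_to_user(build_assertion(NAMEID_EMAIL, "alice@example.com"), SP_CONFIG, USERS)
    print("mapped to", user["uid"])
```

The comparison here is an exact string match; in a real deployment the directory's matching rule for the mapped attribute (for instance, case-insensitive matching on `mail`) decides what counts as the same user, which is worth checking before enabling a format whose values an IdP may normalize differently.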