In the user data store configuration, in the Server URL field, enter a list of

Configuring Oracle Identity Federation 5-75

Oracle Identity Federation will create the federation record the first time that the user performs a Single Sign-On operation. If acting as a service provider and using persistent Name IDs, since the Name ID does not contain any user information, Oracle Identity Federation will prompt the user for local authentication and create a federation record taking user information from this authentication. Once the federation has been created, Oracle Identity Federation acting as a service provider will not ask the user to log in locally, since it can automatically map the opaque Name ID in the assertion to the user using the federation record.

If the Federation Datastore is set to None, then Oracle Identity Federation will not create, store, or use federation records, but will instead use attributes in the user data store to identify users: either to create assertions, when it is acting as the identity provider, or to map assertions to users, when it is acting as the service provider.

Guidelines

Here are some general guidelines:

■ If the Federation Datastore is set to None:
  – Persistent Name IDs cannot be used.
  – If acting as an identity provider, Oracle Identity Federation will create an assertion by mapping the Name ID format to be used to an attribute in the user data store, and using the value of this attribute as the Name ID.
  – If acting as a service provider, Oracle Identity Federation will map the assertion received from the identity provider either by using an attribute query, or by mapping the Name ID in the assertion to an entry in the user data store.

■ If the Federation Datastore is set to XML, LDAP or RDBMS:
  – Persistent Name IDs can be used.
  – If acting as an identity provider, Oracle Identity Federation will use the Name ID stored in the federation record created for the user when creating the assertion.
  – If acting as a service provider, Oracle Identity Federation will map the assertion to a user by finding the federation record with the Name ID included in the assertion.
  – If acting as a service provider and using persistent Name IDs, Oracle Identity Federation will prompt for local authentication the first time SSO is performed with a given user and a given provider.

Subsequent sections cover these topics:

■ Configuring Oracle Identity Federation for an RDBMS Federation Data Store

Note: Configuring XML as the federation store is not recommended for production environments. Use an RDBMS or LDAP store in production environments.

Note: You can also set up redundant federation data stores. For more information see Section 5.13.1.4, "Configuring a Redundancy User Data Store".
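The following Python model is an added illustration of the guidelines above; it is not Oracle Identity Federation code and does not use its APIs. It models the two behaviours the guidelines describe for a service provider: with no federation datastore, an assertion is mapped to a user by matching the Name ID against a user data store attribute and persistent Name IDs are rejected; with a federation datastore, an opaque persistent Name ID triggers local authentication on first SSO, a federation record is created from that login, and later assertions from the same provider are mapped through the record without a local login. The user store, the attribute map, and the constructed assertions and identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Standard SAML Name ID format URIs (these values are real SAML identifiers).
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed user data store: local user id -> attributes (hypothetical data).
USERS = {
    "alice": {"mail": "alice@example.com", "uid": "alice"},
    "bob": {"mail": "bob@example.com", "uid": "bob"},
}


@dataclass
class Assertion:
    """Minimal view of an inbound assertion: who issued it and its subject Name ID."""
    issuer: str          # identity provider entity id (constructed value in tests)
    name_id: str
    name_id_format: str


@dataclass
class ServiceProvider:
    users: Dict[str, Dict[str, str]]
    # None models "Federation Datastore: None"; a dict models an XML/LDAP/RDBMS
    # store keyed by (issuer, name_id) -> local user id.
    federation_store: Optional[Dict[Tuple[str, str], str]] = None
    # Name ID format -> user data store attribute, used only when there is no
    # federation store (assumed mapping, configurable in a real deployment).
    attribute_map: Dict[str, str] = field(default_factory=lambda: {EMAIL: "mail"})

    def resolve(self, assertion: Assertion, local_login: Optional[str] = None):
        """Map an assertion to a local user.

        Returns (user_id, outcome).  When a persistent Name ID is seen for the
        first time with a federation store, user_id is None and outcome is
        'local-auth-required' until the caller supplies the locally
        authenticated user via local_login.
        """
        if self.federation_store is None:
            # No federation records: persistent Name IDs carry no user data,
            # so they cannot be mapped at all.
            if assertion.name_id_format == PERSISTENT:
                raise ValueError("persistent Name IDs require a federation datastore")
            attr = self.attribute_map.get(assertion.name_id_format)
            if attr is None:
                raise ValueError(f"no attribute mapped for {assertion.name_id_format}")
            for user_id, attrs in self.users.items():
                if attrs.get(attr) == assertion.name_id:
                    return user_id, "mapped-by-attribute"
            raise LookupError("no user matches the Name ID")

        key = (assertion.issuer, assertion.name_id)
        if key in self.federation_store:
            # Federation record exists: opaque Name ID maps straight to the user.
            return self.federation_store[key], "mapped-by-federation-record"
        if local_login is None:
            # First SSO for this (user, provider) pair: ask for local authentication.
            return None, "local-auth-required"
        if local_login not in self.users:
            raise LookupError("locally authenticated user is unknown")
        # Create the federation record from the local authentication.
        self.federation_store[key] = local_login
        return local_login, "federation-record-created"


def demo():
    """Run both configurations end to end and return the observed outcomes."""
    no_store = ServiceProvider(users=USERS)
    by_attr = no_store.resolve(Assertion("idp.example.org", "bob@example.com", EMAIL))

    with_store = ServiceProvider(users=USERS, federation_store={})
    opaque = Assertion("idp.example.org", "c7f3a9-opaque", PERSISTENT)  # constructed
    first = with_store.resolve(opaque)                        # prompts for local login
    created = with_store.resolve(opaque, local_login="alice") # record created
    second = with_store.resolve(opaque)                       # mapped via record
    return by_attr, first, created, second


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The `resolve` method returns an outcome label rather than raising on the first-time case so that the calling flow can branch to a local login page and re-enter with `local_login`; a real service provider would also bind the record to the provider's entity ID, which is why the constructed store is keyed by issuer as well as Name ID.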