Log in to the Oracle Access Manager System Console as a Master Access Administrator. Click Add and fill out the Define a New Authorization Scheme form.

5-40 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

■ Shared Library: oblix/lib/authz_attribute
■ Plug-in is Managed Code: no
■ Managed Code Name Space: none
■ User Parameter: RA_SubjectDN

Note: This uses the reverse action feature to obtain the SubjectDN header set by the authz_attribute plug-in.

■ Required Parameter
– Name: ruleExpression
– Value: none

Note: Each access policy authorization rule will supply the rule expression.

■ Click Save to commit the changes.

5.6.4.3 Configuring an Oracle Access Manager Policy using Attribute Sharing

Take these steps to configure an Oracle Access Manager policy using the Attribute Sharing profile:

1. Log in to Oracle Access Manager as a Master or Delegated Access Administrator, then select Create Policy Domain.

2. Fill out the General panel form:

■ Name: as appropriate, for example, Oracle Identity Federation Attribute Sharing Test
■ Description: as appropriate
Click Save.

3. Select the Resource panel and add one or more resource URL prefixes to protect, for example, attribute-test.

4. Select the Authorization Rules panel and add an authorization rule for each set of attributes (represented as a rule expression) required for a remote user.

■ Select Custom Authorization Scheme and click Add.
■ Fill out the authorization rule form and click Save.
– Name: as appropriate, for example, Peer Marketing VP
– Description: as appropriate
– Authorization Scheme: OIF Attribute Sharing
■ Select the Plug-in Parameters panel, click Modify, and set the ruleExpression parameter as specified in the table.

Note: White space is allowed around =, !=, &, and |.

ruleExpression syntax (Element, Syntax, Meaning):

■ name
– Syntax: alphanumeric string including -, _, and .
– Meaning: Name of the attribute to request from the user's identity provider.
■ value
– Syntax: one of string, any, or null
– Meaning: Required attribute value. With Oracle COREid Access 7.0.4 the string is restricted to Latin-1 characters. With Oracle Access Manager 10.1.4 and later, the string can contain any Unicode characters. The any value retrieves and matches all values for the attribute. The null value matches a SAML Attribute with the xsi:nil=true attribute.
■ comparison
– Syntax: name = value, name != value, or (expression)
– Meaning: True if the user has/does not have the attribute value.
■ and-clause
– Syntax: comparison & comparison
– Meaning: True if both comparisons are true.
■ or-clause
– Syntax: comparison | comparison
– Meaning: True if either comparison is true. & has higher precedence than |.

■ Examples:
– title = VP & function = Marketing
– title = VP | title = Director
– title = VP & function = Marketing | function = Finance
– title = any & function = any
■ Set any timing conditions or actions as desired for the authorization rule.
■ Return to the General panel and enable the rule.

5. Select the Authorization Rules panel and add an authorization rule for any local user attributes.

■ Select Oracle Authorization Scheme and click Add.
■ Fill out the authorization rule form:
– Name: as appropriate, for example, Company Marketing VP
– Description: as appropriate
– Enabled: yes
– Allow Takes Precedence: no
Click Save.
■ Select the Allow Access panel, click Modify, and add an LDAP filter for the local attributes. You can use the Query Builder in the Oracle Access Manager Identity User Manager Configuration, then Delegate Administration, then Build Filter. For example:

ldap:///o=Company,c=US??sub?(&(title=VP)(function=Marketing))

■ Set any timing conditions or actions as desired for the authorization rule.
■ Return to the General panel and enable the rule.

6. Select the Default Rules panel and add the default authentication rule:

■ Name: as appropriate
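The ruleExpression syntax of step 4, worked through as an added Python evaluator (example code, not part of the Oracle guide or product): it tokenizes an expression, applies the stated precedence (& before |) with parentheses for grouping, and tests it against a constructed attribute set. It assumes != is the plain negation of =, that any matches when the attribute carries at least one non-nil value, and models the attributes received from the identity provider as a dict of name to value list, with None for a value marked xsi:nil=true.

```python
# Added example (not from the Oracle guide or product): evaluates a ruleExpression in the
# syntax tabled above (name = value, name != value, & above |, parentheses). attrs maps an
# attribute name -> list of values from the identity provider; None models xsi:nil="true".
import re

def tokenize(expr):
    raw = re.findall(r"!=|[=&|()]|[^=!&|()]+", expr)
    if re.sub(r"\s", "", "".join(raw)) != re.sub(r"\s", "", expr):  # e.g. a lone '!'
        raise ValueError("unparsable characters in %r" % expr)
    return [t.strip() for t in raw if t.strip()]

def evaluate(expr, attrs):
    toks, pos = tokenize(expr), [0]
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def nxt():
        pos[0] += 1
        if pos[0] > len(toks): raise ValueError("unexpected end of expression")
        return toks[pos[0] - 1]
    def comparison():  # name = value | name != value | (expression)
        if peek() == "(":
            nxt()
            result = or_clause()
            if nxt() != ")": raise ValueError("missing ')'")
            return result
        name, op, value = nxt(), nxt(), nxt()
        if op not in ("=", "!="): raise ValueError("expected = or != after %r" % name)
        values = attrs.get(name, [])
        if value == "any":      # any non-nil value of the attribute
            matched = any(v is not None for v in values)
        elif value == "null":   # a SAML Attribute carrying xsi:nil="true"
            matched = None in values
        else:
            matched = value in values
        return matched if op == "=" else not matched  # != read as plain negation (assumption)
    def and_clause():  # comparison & comparison (binds tighter than |)
        result = comparison()
        while peek() == "&":
            nxt()
            result = comparison() and result  # parse both sides; no short-circuit
        return result
    def or_clause():   # and-clause | and-clause
        result = and_clause()
        while peek() == "|":
            nxt()
            result = and_clause() or result
        return result
    result = or_clause()
    if pos[0] != len(toks): raise ValueError("unexpected token %r" % toks[pos[0]])
    return result
```

Against a constructed user with title VP and function Marketing, the expression title = Director | title = VP & function = Finance evaluates to False, because & binds tighter than | exactly as the table states.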