User Data Store Data Repositories

Planning Oracle Identity Federation Deployment 2-23

– Oracle Identity Federation uses the repository to map information in received assertions to user identities at the destination, and subsequently to authorize users for access to protected resources.
– When creating a new federation, Oracle Identity Federation uses the repository to identify the user and link the new federation to that user's account.

Connection Information for LDAP Repositories

Collect the following information about the repository prior to installing Oracle Identity Federation:

■ Connection URL - space-delimited list of LDAP URLs
■ Bind DN
■ Password
■ User ID Attribute - the attribute name to use to map users during lookups or authentication procedures. Here are examples of the User ID Attribute for different types of directory servers:
  – Oracle Internet Directory: uid
  – Oracle Directory Server Enterprise Edition: uid
  – Microsoft Active Directory: sAMAccountName
■ User Description Attribute - the user attribute to use as a human-readable federation owner identifier. This information is stored in the federation record. Here are examples of the User Description Attribute for different types of directory servers:
  – Oracle Internet Directory: uid
  – Oracle Directory Server Enterprise Edition: uid
  – Microsoft Active Directory: sAMAccountName
■ Person Object Class - the LDAP object class representing a user in the LDAP server. Here are examples of the Person Object Class for different types of directory servers:
  – Oracle Internet Directory: inetOrgPerson
  – Oracle Directory Server Enterprise Edition: inetOrgPerson
  – Microsoft Active Directory: user
■ Base DN - the node under which the LDAP user search is performed. For example: dc=us,dc=oracle,dc=com
■ Maximum Connections - the maximum number of concurrent connections made by Oracle Identity Federation to the LDAP server
■ Connection Wait Timeout - the maximum number of seconds to wait until a connection is available, when the maximum number of connections opened by Oracle Identity Federation to the LDAP server has been reached

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation 2-24

Connection Information for RDBMS Repositories

Collect the following information about the repository prior to installing Oracle Identity Federation:

■ JNDI Name - references the data source configured in Oracle WebLogic Server pointing to the RDBMS used to authenticate/locate users. You must define this data source after Oracle Identity Federation installation, prior to authenticating any users.
■ Login Table - the RDBMS table containing the user information used for authentication and lookups
■ User ID Column - the RDBMS column in the login table containing the user identifiers
■ User Description Attribute - the user attribute to use as a human-readable federation owner identifier. This information is stored in the federation record.
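The two worksheets above list the values an administrator collects; the following added example (written for this page, not Oracle's code and not taken from the guide) shows how those values are consumed by a user lookup, and why the subject taken from a received assertion must be escaped before it is placed in an LDAP filter or bound as a SQL parameter. The repository settings, the function names, the sample directory values and the in-memory SQLite login table are all constructed for illustration; the real product uses a WebLogic data source referenced by JNDI name rather than SQLite.

```python
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed example values, using the attribute and object class names
# the guide lists for Oracle Internet Directory.
LDAP_REPOSITORY = {
    "connection_url": "ldap://oid1.example.com:3060 ldaps://oid2.example.com:3131",
    "user_id_attribute": "uid",
    "user_description_attribute": "uid",
    "person_object_class": "inetOrgPerson",
    "base_dn": "dc=us,dc=oracle,dc=com",
}

LDAP_URL = re.compile(r"ldaps?://[A-Za-z0-9.\-]+(?::\d{1,5})?")
ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9\-]*")
SQL_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_connection_urls(connection_url: str) -> List[str]:
    """Split the space-delimited Connection URL field and validate each entry."""
    urls = connection_url.split()
    if not urls:
        raise ValueError("Connection URL must list at least one LDAP URL")
    for url in urls:
        if not LDAP_URL.fullmatch(url):
            raise ValueError("not an LDAP URL: %r" % url)
    return urls


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Without this, a subject such as '*' or 'x)(uid=*' taken from an assertion
    would change the meaning of the filter instead of matching one user.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_user_lookup(repo: Dict[str, str], subject: str) -> Dict[str, str]:
    """Combine Base DN, Person Object Class and User ID Attribute into a search."""
    for name in (repo["user_id_attribute"], repo["user_description_attribute"]):
        if not ATTRIBUTE_NAME.fullmatch(name):
            raise ValueError("invalid LDAP attribute name: %r" % name)
    search_filter = "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(repo["person_object_class"]),
        repo["user_id_attribute"],
        escape_filter_value(subject),
    )
    return {"base": repo["base_dn"], "scope": "subtree", "filter": search_filter}


def build_rdbms_lookup(login_table: str, user_id_column: str, description_column: str) -> str:
    """Build the parameterized lookup for an RDBMS repository.

    Table and column names cannot be bound as parameters, so they are checked
    against a strict identifier pattern; the subject itself is always bound.
    """
    for name in (login_table, user_id_column, description_column):
        if not SQL_IDENTIFIER.fullmatch(name):
            raise ValueError("invalid SQL identifier: %r" % name)
    return "SELECT %s, %s FROM %s WHERE %s = ?" % (
        user_id_column, description_column, login_table, user_id_column
    )


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Login Table (not a product schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OIF_USERS (USER_ID TEXT PRIMARY KEY, DESCRIPTION TEXT)")
    conn.executemany(
        "INSERT INTO OIF_USERS VALUES (?, ?)",
        [("alice", "Alice Example"), ("bob", "Bob Example")],
    )
    return conn


def lookup_user_rdbms(conn: sqlite3.Connection, sql: str, subject: str) -> Optional[Tuple[str, str]]:
    """Run the lookup with the subject bound as a parameter, never concatenated."""
    return conn.execute(sql, (subject,)).fetchone()


if __name__ == "__main__":
    print(parse_connection_urls(LDAP_REPOSITORY["connection_url"]))
    print(build_user_lookup(LDAP_REPOSITORY, "alice"))
    print(build_user_lookup(LDAP_REPOSITORY, "*"))  # escaped, matches literally
    sql = build_rdbms_lookup("OIF_USERS", "USER_ID", "DESCRIPTION")
    db = make_sample_db()
    print(lookup_user_rdbms(db, sql, "alice"))
    print(lookup_user_rdbms(db, sql, "' OR 1=1 --"))  # None: bound as data
```

The lookup functions return the filter or row rather than printing it so the pieces can be reused; the escaping and identifier checks are the part worth carrying into any code that maps assertion subjects to repository entries.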

2.4.3 Session and Message Data Stores

Oracle Identity Federation also maintains transient session and message data stores for federation session and protocol state. This data can be stored either in in-memory tables or in a relational database. RDBMS session and message data stores are required for high-availability and clustering support.

2.4.4 Configuration Data Store

Configuration data for Oracle Identity Federation can be stored in either XML files or a relational database. An RDBMS configuration data store is required for high-availability and clustering support.

2.5 Installation Requirements

This section explains installation requirements.

2.5.1 Required Components

Oracle Identity Federation requires the following components:

■ Java 2 SDK, Standard Edition (J2SE), Version 1.4.2, bundled with the installation
■ Oracle WebLogic Server
■ A user identity data store. This is typically an LDAP directory, but can optionally be a database store.
■ One of these repositories for the user federation data store:
  – Oracle Internet Directory
  – Microsoft Active Directory
  – Sun Java System Directory Server
■ One of these versions of Oracle Database for the RDBMS transient data store:
  – Oracle Database 10.2.0.4 or higher
  – Oracle Database 11.1.0.7 or higher
  – Oracle Database 11.2.x
■ Oracle HTTP Server for proxy implementation; this is the only proxy server supported by Oracle Identity Federation, and is bundled with the installation.

Note: Liberty 1.x support is deprecated.

See Also: Oracle Fusion Middleware Security Overview for more information, including a list of supported stores.

2.6 Sizing Guidelines

When planning to deploy a federated identity system that leverages Oracle Identity Federation, it is critical to understand the performance considerations, choices, and trade-offs involved in the architecture. This section considers various factors that have an impact on performance in a federated environment, and provides some guidelines to help you assess hardware requirements for a production system with a standalone Oracle Identity Federation server. The following topics are included:

■ Deployment and Architecture Considerations
■ Typical Deployment Scenario
■ Reference Server Footprint
■ Topology

2.6.1 Deployment and Architecture Considerations

Before deploying Oracle Identity Federation, you must define the architecture and the role that Oracle Identity Federation will play in a federated authentication setting. Here are some decisions that you must make:

■ Which federation specifications will be used with various trusted partners? Choices include:
  – SAML 2.0. With additional flows in comparison to SAML 1.x, performance considerations may play a greater role.
  – SAML 1.0 and 1.1

Note: A user federation data store is not absolutely required for Oracle Identity Federation in all cases: it is required for Liberty 1.x and SAML 2.0 opaque persistent identifiers, but is optional for SAML 1.x, WS-Federation, and SAML 2.0 non-opaque identifiers such as email address, subject DN, and so on.

Note: Check the certification matrix for the most current version information.