
■ Configure Authentication Mechanisms - Local
■ Configure Authentication Mechanisms - SAML 2.0
■ Configure Authentication Mechanisms - SAML 1.x
■ Configure Authentication Mechanisms - WS-Federation 1.1

5.14.1 About Authentication Mechanisms

Authentication mechanisms specify the way a user should be challenged when authentication is required; options include username/password, Kerberos, and others. A service provider can request that the identity provider challenge the user in a certain way by specifying an authentication method in its authentication request. Because the SP and the IdP can communicate using different protocols, Oracle Identity Federation defines local authentication mechanisms to which the protocol-specific methods can be mapped. For example, both the SAML 2.0 method urn:oasis:names:tc:SAML:2.0:ac:classes:Password and the SAML 1.x method urn:oasis:names:tc:SAML:1.0:am:password can be mapped to the local authentication mechanism oracle:fed:authentication:password.

Oracle Identity Federation uses these local authentication mechanisms in the following situations:

1. The SP can specify in its request an authentication method that describes the way the user should be authenticated. When the Oracle Identity Federation IdP receives this request, it maps the requested method to a local authentication mechanism. If no authentication method was requested, the IdP uses the default authentication mechanism. This authentication mechanism is then mapped to an authentication engine, which determines the way the user is challenged.

2. An SP engine can specify the authentication method the SP will request from the identity provider by specifying a local authentication mechanism. This local mechanism (or the default mechanism, if the SP engine did not specify one) is mapped to a protocol-specific method, which is included in the authentication request that the SP sends to the identity provider.

3. If an SP engine does not specify an identity provider to which to send the authentication request, the SP locates the IdP by mapping the authentication mechanism received from the SP engine (or the default mechanism, if the engine did not send one) to an identity provider.

4. When creating an assertion, the identity provider determines the mechanism used to authenticate the user and specifies the corresponding protocol-specific authentication method in the assertion.

5. When creating a user session, Oracle Identity Federation records the local authentication mechanism used to authenticate the user.

6. When an Oracle Identity Federation IdP uses the Federation SSO Proxy authentication engine, it uses the requested authentication mechanism (or the default mechanism, if no method was requested by the SP) to locate the identity provider to which to send the request. See Section 5.15.8.1, About the Federated SSO Proxy Authentication Engine, for a description of this authentication engine.

Additional topics in this section include:

■ Setting the Default Authentication Mechanism
■ Mapping from Protocol-specific Methods to Local Mechanisms To Authentication Engines
■ Mapping Local Authentication Mechanisms to Identity Providers

5.14.1.1 Setting the Default Authentication Mechanism

If a service provider does not specify an authentication method in its request, the Oracle Identity Federation IdP uses the default authentication mechanism in the cases described earlier. Follow these steps to set the default authentication mechanism:

1. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

2. Navigate to Administration, then Authentication Mechanisms.

3. Select the default authentication mechanism and click Apply.

5.14.1.2 Mapping from Protocol-specific Methods to Local Mechanisms To Authentication Engines

As mentioned earlier, Oracle Identity Federation provides the ability to map:

■ protocol-specific authentication methods to local authentication mechanisms, and
■ local authentication mechanisms to authentication engines

Thus, different authentication engines can be used depending on the authentication method specified by the service provider in its request. For example, you can define the following mappings for the SAML 2.0 protocol:

urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos - oracle:fed:authentication:kerberos
oracle:fed:authentication:kerberos - Custom Kerberos Authentication Engine

and:

urn:oasis:names:tc:SAML:2.0:ac:classes:Password - oracle:fed:authentication:password
oracle:fed:authentication:password - Oracle Single Sign-On

If a SAML 2.0 SP requests that the user be authenticated with the method urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, Oracle Identity Federation uses the custom authentication engine created to authenticate the user through Kerberos. But if the SP requests the urn:oasis:names:tc:SAML:2.0:ac:classes:Password method, the user is authenticated with the Oracle Single Sign-On engine.

To configure:

■ the local authentication mechanism to authentication engine mappings, and
■ the protocol-specific authentication method to local authentication mechanism mappings

follow these steps:

See Also: Section 5.14.1, About Authentication Mechanisms
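The two-level lookup described above (requested method to local mechanism to engine on the IdP side, and local mechanism to protocol-specific method on the SP side, situations 1 and 2 of Section 5.14.1), as an added example that is not part of the guide or Oracle's code. The table entries are the page's example values; the function names, the protocol prefixes, and the decision to reject an unmapped method rather than fall back to the default are assumptions.

```python
# Added example, not Oracle Identity Federation's code. Table entries are the
# page's example values; function names, protocol prefixes and the fail-closed
# handling of unmapped methods are assumptions.
DEFAULT_MECHANISM = "oracle:fed:authentication:password"

# Protocol-specific authentication method -> local authentication mechanism.
METHOD_TO_MECHANISM = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": "oracle:fed:authentication:password",
    "urn:oasis:names:tc:SAML:1.0:am:password": "oracle:fed:authentication:password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos": "oracle:fed:authentication:kerberos",
}
# Local authentication mechanism -> authentication engine.
MECHANISM_TO_ENGINE = {
    "oracle:fed:authentication:password": "Oracle Single Sign-On",
    "oracle:fed:authentication:kerberos": "Custom Kerberos Authentication Engine",
}
# URN prefix per protocol, used when choosing the outgoing method (assumed names).
PROTOCOL_PREFIX = {
    "SAML2.0": "urn:oasis:names:tc:SAML:2.0:",
    "SAML1.x": "urn:oasis:names:tc:SAML:1.0:",
}


class UnmappedMethod(ValueError):
    """No mapping for the requested method or mechanism (assumed: fail closed)."""


def resolve_idp_engine(requested_method=None):
    """IdP side (situation 1): requested method -> local mechanism -> engine.
    No requested method falls back to the default mechanism; an unknown method
    is rejected rather than silently served with the default engine."""
    if requested_method is None:
        mechanism = DEFAULT_MECHANISM
    elif requested_method in METHOD_TO_MECHANISM:
        mechanism = METHOD_TO_MECHANISM[requested_method]
    else:
        raise UnmappedMethod(requested_method)
    return mechanism, MECHANISM_TO_ENGINE[mechanism]


def outgoing_method(protocol, local_mechanism=None):
    """SP side (situation 2): local mechanism (or default) -> protocol-specific
    method for the request sent to the IdP. Derived by inverting the same
    table, restricted to the target protocol's URN prefix."""
    mechanism = local_mechanism or DEFAULT_MECHANISM
    prefix = PROTOCOL_PREFIX[protocol]
    for method, mapped in METHOD_TO_MECHANISM.items():
        if mapped == mechanism and method.startswith(prefix):
            return method
    raise UnmappedMethod(f"{protocol}: {mechanism}")
```

With these tables a SAML 2.0 Kerberos request lands on the custom Kerberos engine while a SAML 1.x password request shares the Oracle Single Sign-On engine with its SAML 2.0 counterpart, which is the behaviour the mappings above describe.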