Click the Certification Path tab.

Additional Server Configuration 6-29

By default, validation is disabled. To configure the return URL validation module, enter the WLST script environment for Oracle Identity Federation and set the returnurlvalidationenabled boolean property from the serverconfig group to true or false to enable or disable the module. For example:

setConfigProperty('serverconfig', 'returnurlvalidationenabled', 'true', 'boolean')

To add a host name or domain to the list of approved URLs/domains, enter the WLST script environment for Oracle Identity Federation and issue these commands:

■ Add a host name to the returnurlvalidationlist list:
addConfigPropertyListEntry('serverconfig', 'returnurlvalidationlist', 'hostname.domain.com', 'string')

■ Add a domain to the returnurlvalidationlist list:
addConfigPropertyListEntry('serverconfig', 'returnurlvalidationlist', '.domain.com', 'string')
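To make the return URL validation rule concrete, here is an added Python model of the check (example code, not Oracle Identity Federation's own implementation): it applies a constructed returnurlvalidationlist containing one host-name entry and one domain entry to candidate return URLs, including the look-alike and malformed URLs such a list is meant to stop. Case-insensitive matching, the label-boundary rule for domain entries, and the rejection of relative and non-HTTP URLs are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed approval list in the shape of returnurlvalidationlist:
# a plain host name entry matches exactly; an entry beginning with "."
# is a domain and matches every host name under it.
RETURN_URL_VALIDATION_LIST = [
    "hostname.domain.com",
    ".domain.com",
]


def host_is_approved(host, approved):
    """True if host matches an entry of the approved list.

    Assumptions of this example: matching is case-insensitive, and a
    domain entry ".domain.com" matches only on a label boundary, so
    "sso.domain.com" is approved while "evildomain.com" is not.
    """
    host = host.lower().rstrip(".")
    for entry in approved:
        entry = entry.strip().lower().rstrip(".")
        if not entry:
            continue
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def return_url_is_valid(url, approved=RETURN_URL_VALIDATION_LIST):
    """Decide whether a return URL may be used as a redirect target.

    Only absolute http(s) URLs whose host name is approved pass. A
    scheme-relative "//evil.example" URL, a non-http scheme, or a URL
    that hides the real host behind userinfo ("approved.host@evil") is
    rejected, because urlsplit().hostname yields the host a browser
    would actually contact (policy choices assumed by this example).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_is_approved(parts.hostname, approved)


if __name__ == "__main__":
    for candidate in ("https://sso.domain.com/return", "https://evildomain.com/return"):
        print(candidate, "->", return_url_is_valid(candidate))
```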

6.13.2 Providing XML Message to SP Engine after SSO Completes

Oracle Identity Federation acting as SP can provide an XML message containing the assertion received by the server during the federated single sign-on flow. Depending on the binding used, this can be a SAML or SOAP message. Note that:
■ The XML message is provided to the SP engine with the attributes received in the assertion.
■ The message is contained in the map referenced by orafed-xmlmessage.
■ The attributes map is stored as an attribute in the HttpServletRequest object, referenced by oracle.security.fed.sp.attributes.

To enable sending the message, set the boolean property spattrsincludexmlmessage from the spglobal group to true. To disable sending the message, set the property to false.

6.13.3 Customizing Error Pages

Errors can occur in Oracle Identity Federation for various reasons, such as:
■ page not found
■ federated single sign-on (SSO) error
■ runtime error

Note: A domain (as entered in the returnurlvalidationlist) is a string beginning with ".", such as ".oracle.com" for the Oracle domain.

Note: false is the default configuration.

6-30 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

When an error occurs, the server returns an error code (404, 401, or 500) showing the Oracle WebLogic Server error page to the user. You can configure Oracle Identity Federation to redirect the user to a custom page based on the error code. Set the string property urlerrornnn from the serverconfig configuration group to the URL to which the user should be redirected when Oracle Identity Federation returns the error, where nnn is 401, 404, or 500. Thus, you can set the urlerror401, urlerror404, and urlerror500 properties.

6.13.4 Configuring Schema Validation for SSO Protocol Messages

Oracle Identity Federation supports XML schema validation for SSO protocol messages. This feature is controlled by the schemavalidationenabled property; validation is off by default. To enable schema validation, enter the WLST script environment for the Oracle Identity Federation server instance and set the schemavalidationenabled property to true:

setConfigProperty('serverconfig', 'schemavalidationenabled', 'true', 'boolean')

To disable validation, set the property to false (the default value):

setConfigProperty('serverconfig', 'schemavalidationenabled', 'false', 'boolean')

6.14 Additional Federation Data Store Configuration

When Oracle Identity Federation is configured to use an LDAP server or an RDBMS as its federation data store, the server performs various operations to create, locate, update, or delete federation records. A federation record typically consists of the following data:
■ IdP NameID: name identifier data created by the identity provider and used in the SAML messages
■ SP NameID: name identifier data optionally set by the service provider during a Name Identifier Management update operation. If that NameID is set, it is used in SAML messages; otherwise, the IdP NameID is used.

Notes (on the error codes in Section 6.13.3):
■ 401 errors occur during Fed SSO operation if the federated SSO fails.
■ 404 errors are raised when the user tries to access one of the Oracle Identity Federation servlets (fedidp, fedsp, feduser...) and the page is not found.
■ 500 errors occur when fatal exceptions occur at runtime.
■ If the server cannot initialize correctly, Oracle Identity Federation is unable to redirect the user to the urlerror500 URL.