Planning a Custom Authentication Engine

10-12 Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation

When Oracle Identity Federation receives an SSO assertion, processes it, and requests that the user be locally authenticated because the server was not able to map the assertion to a local user, the Map contains this data from the assertion:

– orafed-nameid-value – the user's Name ID value
– orafed-nameid-qualifier – the user's Name ID qualifier
– orafed-nameid-format – the user's Name ID format
– orafed-providerid – the IdP's ProviderID
– orafed-assertionid – the ID of the assertion
– orafed-xmlmessage – the optional XML message containing the assertion. See Section 6.13.2, Providing XML Message to SP Engine after SSO Completes, for details.

■ Optionally, a String containing the Oracle Identity Federation session identifier, if the user already has an active session, identified by oracle.security.fed.sessionid. Oracle Identity Federation passes the sessionID of the existing user session, if one exists, to the authentication engine so that the engine can persist state linked to the user and reference that data by the sessionID value. Later, when the logout flow is executed, Oracle Identity Federation passes the sessionID that is being logged out to the engine, so that the engine can delete the data that was used for this user session.

After successful authentication, the engine must forward the user to the federation server with the rootContext of the federation engine being fed, and the relativePath userloginsso.

Oracle Identity Federation expects this data when processing the internal forward:

■ The identifier of the user as a String, identified by oracle.security.fed.authn.userid
■ Authentication time as a Date object, identified by oracle.security.fed.authn.authntime
■ Expiration time of the authenticated session as a Date object, identified by oracle.security.fed.authn.expirationtime
■ The authentication mechanism used to identify the user as a String, identified by oracle.security.fed.authn.authnmech
■ The identifier referencing the action that was being performed, from the request, identified by oracle.security.fed.authn.refid
■ The identifier referencing the engine used to authenticate the user, identified by oracle.security.fed.authn.engineid
■ Optionally, a Map of attributes that is stored in the user session. This map has String objects as the keys and a set of objects as the values, identified by oracle.security.fed.authn.attributes.

See Also: Section 5.9.2.1, Configuring Attribute Name Mapping.

■ Optionally, a String containing the Oracle Identity Federation session identifier that Oracle Identity Federation will use to reference the Oracle Identity Federation user session, identified by oracle.security.fed.sessionid. This allows the engine and Oracle Identity Federation to share the same identifier to reference the user session. Later, when the logout flow is executed, Oracle Identity Federation passes the sessionID that is being logged out to the engine, so that the engine can delete the data that was used for this user session.

Integrating with Third-Party Identity and Access Management Modules 10-13

Here are some additional implementation requirements:

■ If the service needs to set any cookies, perform this operation before forwarding the user to the federation server.
■ Set the cookie path value to . This is required because of the internal forwards between the Oracle Identity Federation web application and the authentication engine web application: the user's browser needs to send the cookies related to the authentication engine even when it is accessing only the federation server. This way, on an internal forward from the federation server to the authentication engine, the cookies set by the engine are available in the HTTP Request.

10.3.3 Sample Authentication Module for Oracle Single Sign-On Integration

This section describes how to integrate a custom authentication engine with OracleAS Single Sign-On.

Setup

In this example, the application server where Oracle Identity Federation is running has been integrated with the Oracle Single Sign-On server, and the SSO module statically protects the engineforward.jsp URL. Additionally, the user data store configured for Oracle Identity Federation references the Oracle Internet Directory server used by Oracle Single Sign-On.

See Also: Section 3.2.2, Deploying Oracle Identity Federation with Oracle Single Sign-On, for more information on SSO integration.

Notes:

■ If the oracle.security.fed.authn.userid attribute is empty but the oracle.security.fed.authn.authntime and oracle.security.fed.authn.authnmech attributes are not empty, this tells Oracle Identity Federation that the authentication succeeded but that the user is unknown on the server. This is useful when Oracle Identity Federation, acting as an IdP, is configured to use the attributes passed by the engine to create an assertion. If the oracle.security.fed.authn.userid attribute is null, the IdP must be configured to not use any federation data stores, since the assertion data will be based solely on information passed from the custom authentication engine.
■ Use the XML-based federation store only for testing, and not in a production environment.
■ If the oracle.security.fed.authn.authntime or oracle.security.fed.authn.authnmech attributes are empty, this tells Oracle Identity Federation that the authentication failed.
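The following servlet is an added example (not Oracle's code and not the sample shipped with the product) that ties together the forward contract of the previous subsection and the Oracle Single Sign-On setup described here: it reads the user the SSO module has already authenticated, reuses the federation session identifier when one is passed in, sets the engine cookie with its path before forwarding, and signals the three outcomes from the Notes (known user, authenticated-but-unknown user via a null userid, and failure via missing authntime/authnmech). The attribute names and the fed/userloginsso forward target are taken from the page; the engine id, cookie name and path, session lifetime, mechanism string, the "known local users" set and the sample mail attribute are assumptions, and the exact slashes in the relative path should be confirmed against the product documentation because they did not survive extraction.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example of a custom authentication engine servlet (not Oracle's code). It runs in
// its own web application; Oracle Identity Federation forwards the user here and expects
// to be forwarded back with the request attributes the page lists.
public class SampleAuthnEngineServlet extends HttpServlet {

    // Request attribute names exactly as the page gives them.
    static final String REFID          = "oracle.security.fed.authn.refid";
    static final String ENGINEID       = "oracle.security.fed.authn.engineid";
    static final String USERID         = "oracle.security.fed.authn.userid";
    static final String AUTHNTIME      = "oracle.security.fed.authn.authntime";
    static final String EXPIRATIONTIME = "oracle.security.fed.authn.expirationtime";
    static final String AUTHNMECH      = "oracle.security.fed.authn.authnmech";
    static final String ATTRIBUTES     = "oracle.security.fed.authn.attributes";
    static final String SESSIONID      = "oracle.security.fed.sessionid";

    // Forward target: root context "fed" and relative path "userloginsso" as the page gives
    // them; the path separators were lost in extraction, so confirm the exact path.
    static final String FED_ROOT_CONTEXT = "/fed";
    static final String FED_LOGIN_PATH   = "/userloginsso";

    // Assumptions, not from the page: engine id, cookie name and path, session lifetime,
    // mechanism string, and the set of users known to the local data store.
    static final String MY_ENGINE_ID    = "custom-sso-engine";
    static final String ENGINE_COOKIE   = "ENGINE_STATE";
    static final String COOKIE_PATH     = "/";
    static final long   SESSION_TTL_MS  = 8L * 60 * 60 * 1000;
    static final String AUTHN_MECHANISM = "urn:example:authn:oracle-sso";
    static final Set<String> LOCAL_USERS = new HashSet<>(Arrays.asList("alice", "bob"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The SSO module statically protects this URL, so the container has already
        // authenticated the user; a null remote user means it has not.
        String remoteUser = req.getRemoteUser();
        if (remoteUser == null) {
            // Leaving authntime and authnmech unset signals a failed authentication.
            forwardToFederationServer(req, resp, null);
            return;
        }
        Date now = new Date();

        // Reuse the federation session id when one was passed in, so that both sides
        // reference the user session (and, later, the logout) by the same identifier.
        String sessionId = (String) req.getAttribute(SESSIONID);
        if (sessionId == null) sessionId = UUID.randomUUID().toString();

        // Optional attributes stored in the user session: String keys, Set values.
        Map<String, Set<Object>> attrs = new HashMap<>();
        Set<Object> mail = new HashSet<>();
        mail.add(remoteUser + "@example.com");   // constructed sample value
        attrs.put("mail", mail);

        // A null userid with authntime and authnmech set means "authenticated, but unknown
        // on this server"; the IdP then builds the assertion from attrs alone.
        String localUserId = LOCAL_USERS.contains(remoteUser) ? remoteUser : null;

        req.setAttribute(USERID, localUserId);
        req.setAttribute(AUTHNTIME, now);
        req.setAttribute(EXPIRATIONTIME, new Date(now.getTime() + SESSION_TTL_MS));
        req.setAttribute(AUTHNMECH, AUTHN_MECHANISM);
        req.setAttribute(ATTRIBUTES, attrs);
        req.setAttribute(SESSIONID, sessionId);
        forwardToFederationServer(req, resp, sessionId);
    }

    // Sets the engine cookie, checks refid, sets engineid, then forwards cross-context.
    private void forwardToFederationServer(HttpServletRequest req, HttpServletResponse resp,
            String sessionId) throws ServletException, IOException {
        if (sessionId != null) {
            // Cookies go out before the forward, with the path set so the browser also
            // sends them on requests that reach only the federation server.
            Cookie c = new Cookie(ENGINE_COOKIE, sessionId);
            c.setPath(COOKIE_PATH);
            c.setHttpOnly(true);
            resp.addCookie(c);
        }
        // refid arrived on this request and is carried back unchanged on the same object.
        if (req.getAttribute(REFID) == null) {
            throw new ServletException("missing " + REFID + " on the incoming request");
        }
        req.setAttribute(ENGINEID, MY_ENGINE_ID);
        // getContext returns null unless the container allows cross-context dispatch.
        ServletContext fed = getServletContext().getContext(FED_ROOT_CONTEXT);
        if (fed == null) {
            throw new ServletException("cross-context dispatch to " + FED_ROOT_CONTEXT + " is not enabled");
        }
        fed.getRequestDispatcher(FED_LOGIN_PATH).forward(req, resp);
    }
}
```

Two points are worth checking in a real deployment: the forward is a cross-context dispatch, so the container must be configured to let the engine's web application obtain the federation server's ServletContext (otherwise getContext returns null and the servlet fails closed rather than silently dropping the user), and the cookie path has to be wide enough that requests going only to the federation server still carry the engine's cookie, as the implementation requirements above describe.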