Authentication Engine Framework Architecture and Flows

10-6 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

Here is a step-by-step description of how an SP integration engine interacts with the Oracle Identity Federation Framework in a typical user flow:

1. The user attempts to access a resource protected by the IAM solution and configured to use Federation SSO to authenticate the user.

2. The IAM deployment redirects the user to the corresponding SP integration module on Oracle Identity Federation.

3. The SP integration module decodes the information sent by the IAM deployment and internally forwards the user to the Oracle Identity Federation server with the following information set as HttpServletRequest attributes:
■ An optional authentication mechanism specifying to the SP which authentication mechanism to request the IdP to use during authentication.
■ An optional Provider ID referencing the IdP to use for the Federation SSO. If missing, Oracle Identity Federation uses the IdP mapped for the specified authentication mechanism. If no IdP could be found, Oracle Identity Federation uses the IdP configured as the Default SSO IdP.
■ An optional federation ID referencing the affiliation to use to trigger the Federation SSO.
■ The relay state. It can contain a small string, for example a reference to some data saved in a repository or a small URL pointing to the protected resource to redirect the user to after completion of the SSO operation.
■ The identifier of the SP engine that started the SSO flow.
■ An optional Boolean indicating whether the Oracle Identity Federation server should authenticate the user locally using the authentication engines, or whether a Federation SSO should be started by redirecting the user to an IdP for authentication.
■ A Boolean object indicating whether to use the configuration stored in Oracle Identity Federation, or to only start the SSO operation based on the information being passed by the SP engine, except for the IdP.
■ A Boolean object indicating whether the SP should ask the IdP to challenge the user even if already authenticated.
■ A Boolean object indicating whether the SP should allow the IdP to create a federation record, if one does not yet exist, during the SSO operation.
■ A Boolean object indicating whether the SP should ask the IdP not to interact with the user during the SSO operation.
■ A String representing the binding to use when sending the AuthnRequest.
■ A String representing the binding to use when sending the response with the assertion.
■ An optional authentication mechanism comparison specifying to the SP which authentication context comparison to request the IdP to use during authentication.
■ A String representing the NameID format the SP uses to ask the IdP for the SSO operation.
Note: if set, this parameter is used to determine the IdP to use, disregarding the default parameter described next.

Integrating with Third-Party Identity and Access Management Modules 10-7

4. Oracle Identity Federation initiates a Federation SSO operation with a remote IdP.

5. The IdP authenticates the user and, if necessary, redirects the user, with an assertion, to the federation server acting as an SP.

6. The server processes the assertion and locates the user in the user data store. The user is now authenticated at the federation server.

7. Oracle Identity Federation internally forwards the user back to the SP integration module by using the Web Context and Login Relative Path of that module configured in Oracle Identity Federation. The server passes the following data as HttpServletRequest attributes:
■ A Boolean object indicating whether the SSO operation was successful
■ The identifier of the user
■ Authentication time
■ Expiration time of the authenticated session
■ The authentication mechanism used to identify the user
■ The relay state
■ The contents of the assertion: the NameID, the Issuer of the assertion and the optional attributes. Note: the content of the assertion is not passed as XML data; that is, the original assertion is not passed back to the module. The extra data is referenced as:
  – orafed-nameid-value containing the Name ID value
  – orafed-nameid-qualifier containing the Name ID qualifier
  – orafed-nameid-format containing the Name ID format
  – orafed-providerid containing the Peer ProviderID
■ The top status of the SAML Response
■ The low status of the SAML Response, if any
■ The status message, if any
■ The ProviderID that created the SSO assertion
■ The identifier of the SP engine to process the above information
■ A String containing the Oracle Identity Federation identifier of the user session. Oracle Identity Federation passes the sessionID of the user session to the SP engine so that the engine can persist state linked to the user and reference that data by the sessionID value. Later, when the logout flow is executed, Oracle Identity Federation passes the sessionID that is being logged out to the engine, so that the engine can delete the data that was used for this user session.

8. The SP integration engine interacts with the IAM server to create an authenticated session for the user. The session is based on the data received from Oracle Identity Federation.

9. The SP integration engine redirects the user to the final target URL.

10.2.4 Logout

When logging out, Oracle Identity Federation and the authentication/SP engines need to be logged out. This involves:
1. Logging out the user from the authentication engines
2. Logging out the user from the SP engines
3. Performing the SAML/WS-Fed Global Logout profiles
4. Logging the user out from Oracle Identity Federation

Figure 10–2 Oracle Identity Federation Module Interactions

There are several ways to invoke the logout:
■ The user invokes the Oracle Identity Federation logout server at /fed/user/logout, optionally specifying a return URL. In this case, Oracle Identity Federation logs the user out from the authentication/SP engines, the remote SAML providers and Oracle Identity Federation itself, and then redirects the user to the return URL or displays the logout result page.
■ The user is redirected from a remote SAML/WS-Fed provider to Oracle Identity Federation using the Global Logout protocol. In this case, Oracle Identity Federation logs the user out from the authentication/SP engines, the remote SAML/WS-Fed providers except the one that sent the logout message, and Oracle Identity Federation itself, and then redirects the user back to the remote SAML provider that sent the original message.
■ The user initiates logout from an environment integrated with an authentication/SP engine. In that case, that environment invokes the authentication/SP engine for logout, and the engine then sends the user to Oracle Identity Federation for logout. From that point, Oracle Identity Federation logs the user out from the authentication/SP engines except the engine that redirected the user to Oracle Identity Federation, and from Oracle Identity Federation itself, and then redirects the user back to the authentication/SP engine that started the flow.

Note: Internal forwards are used to send the user from Oracle Identity Federation to the authentication/SP engines and from the authentication/SP engines to Oracle Identity Federation.

Oracle Identity Federation invokes Authn/SP Engine

When Oracle Identity Federation sends the user to the authentication/SP engine, it:
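The SSO return (steps 7 to 9 of the user flow above) and the logout callback in which Oracle Identity Federation hands the engine the sessionID being logged out, shown together in one added example. This servlet is not part of the guide and is not Oracle's code. It assumes invented attribute names for the success flag, user id, expiration time, relay state and session id (only the orafed-* names are the documented ones), a /logout servlet path mapping for the logout callback, the /fed web context for Oracle Identity Federation taken from the logout URL in this section, and a placeholder path for handing the user back to Oracle Identity Federation; the IAM session store is an in-memory stand-in for a real IAM server. It also adds two checks the text leaves to the integrator: it refuses requests that did not arrive by internal forward, and it treats the relay state as untrusted, following it only when it is a local path.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Sketch of an SP integration module (added example, not Oracle's code). */
public class ExampleSpEngineServlet extends HttpServlet {

    // Attribute names: the orafed-* ones are documented; the rest are assumed for this example.
    static final String ATTR_SUCCESS    = "example-sso-success";     // assumed, Boolean
    static final String ATTR_USER_ID    = "example-user-id";         // assumed, String
    static final String ATTR_EXPIRY     = "example-session-expiry";  // assumed, Long epoch millis
    static final String ATTR_RELAY      = "example-relay-state";     // assumed, String
    static final String ATTR_SESSION_ID = "example-oif-session-id";  // assumed, String
    static final String ATTR_NAMEID     = "orafed-nameid-value";     // documented
    static final String ATTR_PROVIDER   = "orafed-providerid";       // documented

    static final String DEFAULT_LANDING   = "/app/home";                       // assumed
    static final String OIF_CONTEXT       = "/fed";                            // from /fed/user/logout
    static final String OIF_LOGOUT_RETURN = "/PLACEHOLDER-oif-logout-return";  // placeholder path

    /** IAM-side sessions keyed by IAM session id (in-memory stand-in for a real IAM server). */
    private final Map<String, String> iamSessions = new ConcurrentHashMap<>();
    /** OIF session id -> IAM session id, so the logout callback can find what to delete. */
    private final Map<String, String> oifToIam = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A browser cannot set request attributes; they exist only when Oracle Identity
        // Federation internally forwarded the user here, so their absence means a direct hit.
        if (req.getAttribute(ATTR_SESSION_ID) == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if ("/logout".equals(req.getServletPath())) {   // path mapping is assumed
            handleLogout(req, resp);
        } else {
            handleSsoReturn(req, resp);
        }
    }

    /** Steps 7-9: build an IAM session from the forwarded attributes, then redirect. */
    void handleSsoReturn(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Boolean success = (Boolean) req.getAttribute(ATTR_SUCCESS);
        Long expiry = (Long) req.getAttribute(ATTR_EXPIRY);
        String userId = (String) req.getAttribute(ATTR_USER_ID);
        // Reject failed SSO, a missing user, or a session that is already expired.
        if (!Boolean.TRUE.equals(success) || userId == null
                || expiry == null || expiry <= System.currentTimeMillis()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String iamSessionId = newId();
        iamSessions.put(iamSessionId, userId + "|" + req.getAttribute(ATTR_NAMEID)
                + "|" + req.getAttribute(ATTR_PROVIDER) + "|exp=" + expiry);
        // Remember the OIF sessionID so the logout flow can clean up this state later.
        oifToIam.put((String) req.getAttribute(ATTR_SESSION_ID), iamSessionId);
        resp.sendRedirect(safeTarget((String) req.getAttribute(ATTR_RELAY)));
    }

    /** Logout flow: OIF passes the session id being logged out; drop everything tied to it. */
    void handleLogout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String iamSessionId = oifToIam.remove((String) req.getAttribute(ATTR_SESSION_ID));
        if (iamSessionId != null) {
            iamSessions.remove(iamSessionId);
        }
        // Hand the user back to Oracle Identity Federation by internal forward.
        ServletContext oif = getServletContext().getContext(OIF_CONTEXT);
        if (oif == null) {   // cross-context dispatch not enabled in the container
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        oif.getRequestDispatcher(OIF_LOGOUT_RETURN).forward(req, resp);
    }

    /** Follow the relay state only if it is a local absolute path; otherwise use the default page. */
    static String safeTarget(String relayState) {
        if (relayState == null || !relayState.startsWith("/") || relayState.startsWith("//")
                || relayState.contains("\\") || relayState.contains("\r") || relayState.contains("\n")) {
            return DEFAULT_LANDING;
        }
        return relayState;
    }

    private String newId() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

The presence-of-attribute check only holds if nothing in the engine's own web context sets those attributes before the servlet runs, and getContext("/fed") returns null unless the container permits cross-context dispatching, which the internal forwards described in this section require. The relay state check covers only the URL form of the relay state; a repository reference would instead be looked up and validated against the stored record.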