Database Adapters Advanced Tuning Configurations

24-2 Oracle Fusion Middleware Performance and Tuning Guide

For the best performance, review the tuning configurations in Chapter 2, Top Performance Areas before tuning Oracle Identity Federation.

24.2.1 Connection Pool Settings

When Oracle Identity Federation is integrated with LDAP Servers as a user data store, federation data store, or authentication engine, the server keeps a pool of LDAP connections that can be re-used for subsequent requests. Oracle Identity Federation performs the following kinds of operations against the LDAP Servers:

1. User Data Store
   ■ Locate users during assertion mappings
   ■ Retrieve attributes from the user record when creating an assertion
2. Authentication Engine
   ■ Locate the user
   ■ Validate user credentials during authentication operations
3. Federation Data Store, if used
   ■ Create a federation record
   ■ Locate a federation record
   ■ Update or delete a federation record

The LDAP Connection Pool can be configured by:

– Setting Maximum Connections to indicate how many LDAP connections the pool can contain.
– Setting the Connection Wait Timeout, which is the time that a thread waits before re-trying to get an LDAP connection when none are available in the pool and the pool is at maximum capacity.

See Configuring Oracle Identity Federation in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation for more information on the User and Federation Stores as well as the LDAP Authentication Engine.

24.2.2 Connection Settings

When Oracle Identity Federation is integrated with LDAP Servers as a user data store, federation data store, or authentication engine, the LDAP run time connections can be configured. For more information, see Configuring Oracle Identity Federation in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation. The LDAP Connections can be configured by:

■ Setting the LDAP Inactivity setting, which tells Oracle Identity Federation how long an LDAP connection should be kept in the pool before being removed due to inactivity. Over time, the LDAP server may close some connections due to a long inactivity period, and if left unchecked, this can result in errors and may impact performance in Oracle Identity Federation. See Configuring the LDAP Inactivity Setting in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
■ Setting the LDAP Read Timeout setting. Sometimes the LDAP server can become unresponsive, causing the thread (and the user) to wait for a response or an error. To avoid waiting too long for an error when the server is not responding, Oracle Identity Federation sets a read timeout property on the LDAP connection. If the LDAP server does not respond before the read timeout period, an error is generated. Oracle Identity Federation then closes the connection, opens a new one and re-issues the LDAP command. See Configuring the LDAP Read Timeout Setting in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
■ Setting the High Availability (HA) LDAP Flag. When integrated with LDAP Servers that are deployed in HA mode, Oracle Identity Federation must be configured to indicate that the LDAP Servers are in HA mode. See Configuring High Availability LDAP Servers in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
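The four settings described in 24.2.1 and 24.2.2 (Maximum Connections, Connection Wait Timeout, LDAP Inactivity, LDAP Read Timeout) interact in ways that are easiest to see in a small model. The following Python pool is an added example written for this page, not Oracle Identity Federation code: it uses a constructed in-memory stand-in for an LDAP connection, and all class and parameter names (LdapConnectionPool, FakeLdapConnection, the timeouts) are assumptions chosen to mirror the settings named in the text. It shows the three behaviours the guide describes: a thread that finds the pool at capacity waits only for the wait timeout and then fails, a connection that idled longer than the inactivity setting is discarded rather than reused, and a read timeout closes the connection, opens a fresh one and re-issues the command once.

```python
import queue
import threading
import time


class LdapReadTimeout(Exception):
    """The (simulated) directory did not answer within read_timeout."""


class PoolExhausted(Exception):
    """No connection became free within connection_wait_timeout."""


class FakeLdapConnection:
    """Constructed stand-in for a real LDAP connection; no network involved."""

    def __init__(self):
        self.last_used = time.monotonic()
        self.closed = False
        self.unresponsive = False  # flip to simulate a server that never replies

    def search(self, base, filt, read_timeout):
        if self.unresponsive:
            time.sleep(read_timeout)  # nothing arrives before the deadline
            raise LdapReadTimeout(f"no response within {read_timeout}s")
        self.last_used = time.monotonic()
        return [f"entry matching {filt} under {base}"]

    def close(self):
        self.closed = True


class LdapConnectionPool:
    """Bounded pool with wait timeout, inactivity eviction and read-timeout retry."""

    def __init__(self, max_connections=4, connection_wait_timeout=1.0,
                 inactivity_timeout=300.0, read_timeout=5.0):
        self.max_connections = max_connections
        self.connection_wait_timeout = connection_wait_timeout
        self.inactivity_timeout = inactivity_timeout
        self.read_timeout = read_timeout
        self._idle = queue.LifoQueue()  # most recently released connection first
        self._lock = threading.Lock()
        self._open = 0                  # idle + in-use connections

    def _take_idle(self, block, timeout=None):
        """Return an idle connection, or evict it (and return None) if it idled too long."""
        try:
            conn = self._idle.get(block=block, timeout=timeout)
        except queue.Empty:
            return None
        if time.monotonic() - conn.last_used > self.inactivity_timeout:
            self._discard(conn)  # the LDAP server may already have dropped it
            return None
        return conn

    def _acquire(self):
        deadline = time.monotonic() + self.connection_wait_timeout
        while True:
            conn = self._take_idle(block=False)
            if conn is not None:
                return conn
            with self._lock:
                if self._open < self.max_connections:
                    self._open += 1
                    return FakeLdapConnection()
            # Pool at maximum capacity: wait for a release, but only up to the wait timeout.
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise PoolExhausted(f"all {self.max_connections} connections busy")
            conn = self._take_idle(block=True, timeout=remaining)
            if conn is not None:
                return conn

    def _release(self, conn):
        conn.last_used = time.monotonic()
        self._idle.put(conn)

    def _discard(self, conn):
        conn.close()
        with self._lock:
            self._open -= 1

    def search(self, base, filt):
        conn = self._acquire()
        try:
            result = conn.search(base, filt, self.read_timeout)
        except LdapReadTimeout:
            # Read timeout: close the connection, open a new one, re-issue the command once.
            self._discard(conn)
            conn = self._acquire()
            try:
                result = conn.search(base, filt, self.read_timeout)
            except LdapReadTimeout:
                self._discard(conn)
                raise
        self._release(conn)
        return result


def demo_read_timeout_retry():
    """A hung server trips the read timeout; the pool reconnects and retries."""
    pool = LdapConnectionPool(max_connections=2, read_timeout=0.05)
    hung = pool._acquire()
    hung.unresponsive = True
    pool._release(hung)                      # the next search will pick it up
    result = pool.search("cn=users,dc=example,dc=com", "(uid=alice)")
    return hung.closed, result


def demo_pool_exhausted():
    """Every connection is in use and none is released within the wait timeout."""
    pool = LdapConnectionPool(max_connections=1, connection_wait_timeout=0.05)
    held = pool._acquire()                   # the only connection, never released
    try:
        pool.search("dc=example,dc=com", "(uid=bob)")
    except PoolExhausted:
        return True
    finally:
        pool._release(held)
    return False


def demo_inactivity_eviction():
    """A connection idle longer than the inactivity setting is closed, not reused."""
    pool = LdapConnectionPool(max_connections=2, inactivity_timeout=0.01)
    conn = pool._acquire()
    pool._release(conn)
    time.sleep(0.05)
    reused = pool._acquire()
    pool._release(reused)
    return conn.closed, reused is not conn
```

The sizing lesson the model makes visible: the Connection Wait Timeout bounds how long a request blocks when Maximum Connections is too small for the load, so a wait-timeout error in the logs is a capacity signal, not a directory fault; an inactivity setting longer than the LDAP server's own idle-close timer hands stale sockets to requests, which is why the guide warns about leaving it unchecked; and the read timeout costs one full timeout period plus a reconnect per unresponsive call, so it should be set well below the client-facing request timeout.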

24.2.3 Federation Data Store Settings

When using Oracle Internet Directory as the Federation Data Store, Oracle Identity Federation creates, locates, updates and deletes federation records containing Account Linking Information. Oracle Identity Federation uses specific queries when interacting with Oracle Internet Directory, and the performance of these lookup operations can be improved by creating filters in Oracle Internet Directory.

The Oracle Identity Federation server can be configured to use a Federation Store to persist Federated Identity records. The Federation server uses this store to:

■ Look up a federation record through different queries
■ Create a federation record
■ Delete a federation record

In addition to the Oracle Identity Federation-related orclinmemfiltprocess filter objectclass=orclfeduserinfo, which is included by default, some Oracle Identity Federation environments might benefit from additional filters with the following formats:

orclfedserverid=local_oif_server_id
orclfedproviderid=providerid_of_remote_server
orclfedfederationtype=n

where orclfedserverid denotes the Oracle Identity Federation server that is making the query, orclfedproviderid is the identifier of a remote SAML server, and orclfedfederationtype is 1 or 3. Use 1 as the value for orclfedfederationtype when Oracle Identity Federation is an Identity Provider and the remote provider is a Service Provider. Use 3 when Oracle Identity Federation is a Service Provider and the remote provider is an Identity Provider.

A deployment can be configured to work with many remote SAML servers, so there can be several orclfedproviderid filters and more than one orclfedfederationtype filter. For example:

orclfedserverid=my_oif_server
orclfedproviderid=http://server.example.com:7499/fed/idp
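Generating the orclinmemfiltprocess values for a deployment by hand is error-prone once several remote providers are involved, so the following Python helper, an added example for this page and not Oracle's tooling, builds the filter strings in the formats listed above and renders the LDIF that ldapmodify would load. Two things in it are assumptions rather than facts taken from the page: the DN of the Oracle Internet Directory DSA configuration entry that holds orclinmemfiltprocess (DSA_CONFIG_DN, to be confirmed against your OID release's documentation), and the function names. The helper also applies two checks a practitioner wants before touching the directory: the federation type must be 1 or 3, and a value containing RFC 4515 filter metacharacters is rejected rather than written unescaped.

```python
# Assumption for this example: orclinmemfiltprocess lives on the OID DSA
# configuration entry below; confirm the DN for your Oracle Internet Directory release.
DSA_CONFIG_DN = "cn=dsaconfig,cn=configsets,cn=oracle internet directory"
DEFAULT_FILTER = "objectclass=orclfeduserinfo"  # included by default, per the guide

IDP_TO_SP = 1  # OIF is the Identity Provider, the remote provider is a Service Provider
SP_TO_IDP = 3  # OIF is the Service Provider, the remote provider is an Identity Provider

# RFC 4515 characters that would change the meaning of a filter value if left raw.
_SPECIAL = set("*()\\\0")


def _check_value(value):
    """Reject empty values and values that would need RFC 4515 escaping."""
    if not value or any(ch in _SPECIAL for ch in value):
        raise ValueError(f"filter value is empty or needs RFC 4515 escaping: {value!r}")
    return value


def federation_filters(local_server_id, remote_providers):
    """Return the filter strings, in the formats the guide lists, for one deployment.

    remote_providers maps each remote provider ID to its federation type
    (1: OIF is the IdP, remote is an SP; 3: OIF is the SP, remote is an IdP).
    """
    filters = [f"orclfedserverid={_check_value(local_server_id)}"]
    for provider_id, fed_type in remote_providers.items():
        if fed_type not in (IDP_TO_SP, SP_TO_IDP):
            raise ValueError(f"orclfedfederationtype must be 1 or 3, got {fed_type!r}")
        filters.append(f"orclfedproviderid={_check_value(provider_id)}")
    # One orclfedfederationtype filter per distinct type in use, not one per provider.
    for fed_type in sorted(set(remote_providers.values())):
        filters.append(f"orclfedfederationtype={fed_type}")
    return filters


def ldif_add_filters(filters, existing=(DEFAULT_FILTER,)):
    """Render an LDIF modify/add for orclinmemfiltprocess, skipping values already present.

    An LDAP add of a value that already exists fails (attributeOrValueExists), so pass
    the attribute's current values, read with ldapsearch from the DSA entry, as `existing`.
    """
    present = set(existing)
    new = [f for f in filters if f not in present]
    if not new:
        return ""  # nothing to change; do not emit an LDIF that would fail
    lines = [f"dn: {DSA_CONFIG_DN}", "changetype: modify", "add: orclinmemfiltprocess"]
    lines += [f"orclinmemfiltprocess: {f}" for f in new]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed deployment: one local server and one remote IdP (OIF acts as SP).
    planned = federation_filters(
        "my_oif_server", {"http://server.example.com:7499/fed/idp": SP_TO_IDP})
    print(ldif_add_filters(planned), end="")
```

Run it to print the LDIF, review the output, then apply it with ldapmodify against a test instance before production; because the helper de-duplicates against `existing`, it can be re-run after each provider is onboarded and will only emit the filters that are still missing.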