Customizing Error Pages Additional Run-time Configuration

During an operation that consumes an assertion, when Oracle Identity Federation acts as a service provider, the server tries to locate the federation record referenced in the NameID element contained in the assertion. By default, it first performs a lookup based on the SP NameID; if no results are returned, it performs a lookup based on the IdP NameID.

In some deployments, Oracle Identity Federation:

■ might not be configured to do any NameID Management protocol exchanges, and
■ might not have any of its federation records updated to set an SP NameID (that is, the administrator never performed an update operation on any federation records using the administrative tools).

In this case, the first federation record lookup performed during assertion consumption, using the SP NameID, will never return any records and serves only to increase the response time. If the SP NameID lookup is not needed, it can be disabled to improve performance.

Note: By default, the SP NameID lookup is enabled.

To enable or disable the lookup, enter the WLST script environment for Oracle Identity Federation and make this configuration change:

■ Set the fedusespnameidlookup boolean property from the datastore group to true to enable the SP NameID lookup.
■ Set the fedusespnameidlookup boolean property from the datastore group to false to disable the SP NameID lookup.

For example:

setConfigProperty('datastore', 'fedusespnameidlookup', 'false', 'boolean')

6.15 Setting up Backwards Compatibility for Oracle Identity Federation 10g and ShareID service URLs

Background

Oracle Identity Federation 10g, and SHAREid/COREid Federation 2.x, provided service URLs for SAML 1.x and WS-Federation protocol support which were different from the SAML 2.0 and Liberty 1.x service URLs. These URLs have been modified in Oracle Identity Federation 11g for consistency with the SAML 2.0 and Liberty 1.x service URLs.

Note: Liberty 1.x support is deprecated.

Customers upgrading to Oracle Identity Federation 11g who use SAML 1.x or WS-Federation must inform their partner providers of the new single sign-on service URLs. To ease that transition, Oracle Identity Federation 11g provides a separate module that allows backwards compatibility with the SHAREid service URLs. This module is a Java EE application that you can deploy alongside Oracle Identity Federation to handle requests for the ShareID/Oracle Identity Federation 10g service URLs and redirect or forward them to the corresponding Oracle Identity Federation 11g service URLs.

Procedure

Take these steps to set up a ShareID proxy:

1. At the Oracle WebLogic Server Administration Console, navigate to the Deployments page.

2. Click Lock & Edit.

3. Click Install.

4. Navigate to the location of the shareidupdate.ear file, located in ORACLE_HOME/fed/install.

5. Click Next.

6. Select Install this deployment as an application and click Next.

7. Select the name of the managed server and click Next.

8. Select Advanced in the Security section.

9. Click Finish.

10. Click Apply Changes.

11. Returning to the Deployments page, find the new application called shareidupdate.

Note: You may have to click Next if the application does not appear in the first 10 entries.

12. If the state of the shareidupdate application is not listed as Active, select the application, click Start, servicing all requests, and click Yes. Now locate the shareidupdate application in the Deployments page; its state should be listed as Active.

By default, the shareidupdate proxy uses the incoming protocol (HTTP or HTTPS), server name, and server port as the protocol, server name, and server port to which messages should be redirected. Consider using non-default values when using a proxy server, for example. To set these values:

■ Find the shareidupdate web.xml file; it should be in a subfolder of:

Note: For the SAML 1.x protocol, in release 10g it was possible to set the authentication response profile binding by setting the METHOD query parameter to the desired profile while sending the authentication request. This feature is not supported in 11g, and you must configure the IdP to send the authentication response using the desired profile binding.

Note: If a proxy is configured as in Appendix B, "Using Oracle HTTP Server as a Proxy for Oracle Identity Federation", you need to modify the oif.conf file to also divert shareid URLs to Oracle WebLogic Server.

See Also: "Getting Started with Oracle WebLogic Server Administration Console" in the Oracle Fusion Middleware Administrator's Guide.