Check Redirect to Logout URL and fill in the URL if Oracle Identity Federation

Deploying Oracle Identity Federation 3-17

Integrate Oracle Identity Federation with Oracle Access Manager

After processing an incoming SSO assertion and identifying the user, Oracle Identity Federation creates an Oracle Access Manager session for that user in the Oracle Access Manager domain. To do so, Oracle Identity Federation:

1. Uses a policy domain created by Oracle Identity Federation at configuration time.

Note: The policy domain name that you enter for Oracle Identity Federation cannot reference an existing policy domain that was not created by Oracle Identity Federation. It must be created by Oracle Identity Federation.

2. Maps the Oracle Identity Federation authentication mechanism, which represents the authentication method the IdP used to challenge the user, to an Oracle Access Manager authentication scheme that Oracle Identity Federation created at configuration time. If the mapped Oracle Access Manager authentication scheme does not exist, Oracle Identity Federation uses the default authentication scheme entered in the Oracle Identity Federation configuration section.

3. Interacts with Oracle Access Manager to create the user session, specifying the policy domain and the authentication scheme for that session.

4. Sets the Oracle Access Manager cookie in the user's browser.

Note:
■ The cookie domain must be set on the Webgate for the protected resource. An example of a cookie domain is: .us.oracle.com
■ You use Fusion Middleware Control to configure the user data store that Oracle Identity Federation uses when creating policy objects in the Oracle Access Manager Policy Server. If you change the user data store through Fusion Middleware Control:
  ■ redo the Oracle Identity Federation/Oracle Access Manager integration
  ■ update the existing authentication schemes that were created by Oracle Identity Federation in the Oracle Access Manager Policy Server.

For proper integration, Oracle Identity Federation needs to create policy objects and authentication schemes in Oracle Access Manager. Perform the following operations:

Note: This task assumes you have the appropriate administrator credentials for Oracle Access Manager. Ensure that the Oracle Access Manager Master Administrator's account is used to create the policy objects.

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 10g

3-18 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

1. Locate the Oracle Identity Federation instance in Fusion Middleware Control.

2. Navigate to Administration, then Service Provider Integration Modules, then Oracle Access Manager.

3. Expand the Oracle Access Manager Properties section.

4. Enter the Oracle Access Manager credentials to configure Oracle Access Manager.

Note: Credentials are only used to connect to the Oracle Access Manager Server for configuration when you click the Configure Oracle Access Manager button; these credentials are not stored in any Oracle Identity Federation configuration file.

5. Enter the Host ID that Oracle Identity Federation must use when configuring the policy domain. Define the Host ID in the Oracle Access Manager server. The Host ID must contain the hostname:port information that the Oracle Identity Federation server is configured to use, and its variations.

Note: This is a required parameter.

6. Enter the default authorization rule that will be used when creating the policy domain.

7. The available Oracle Identity Federation authentication mechanisms are listed in the table; for each, the table lists the mapped authentication scheme name and its authentication scheme level. By default these mappings are stored only in Oracle Identity Federation, and you need to select the mechanisms and schemes to be created, updated, or deleted in Oracle Access Manager. When you select a scheme to create and click Configure Oracle Access Manager, the scheme is created with the specified name and level, and mapped to the corresponding authentication mechanism in the Oracle Identity Federation configuration. You must select one of the created schemes as the default Oracle Access Manager authentication scheme used by Oracle Identity Federation. By default, Oracle Identity Federation uses the password-protected scheme as this value, so if nothing is selected as default, the password-protected authentication scheme must be selected for creation. If you select a scheme to delete, the scheme is likewise deleted from Oracle Access Manager. If you select a scheme for update, the default Oracle Access Manager authentication scheme used by Oracle Identity Federation, and its name, are updated in Oracle Access Manager.

Note: In order for the server to update or delete an authentication scheme, the scheme must not be in use by any policy domain.

8. Click Configure Oracle Access Manager.

See Also: Section 5.16.2, "SP Integration module - Oracle Access Manager" for screen details.

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 10g.

Protect an Oracle Access Manager Resource with Oracle Identity Federation

After integrating Oracle Identity Federation with Oracle Access Manager and creating authentication schemes, you can protect resources using the schemes you have created. Protecting a resource with a specific scheme has the following effect:

1. When a non-authenticated user, or an authenticated user whose authentication level is lower than that of the scheme, tries to access a resource protected by an Oracle Identity Federation authentication scheme, the Oracle Access Manager server redirects the user to Oracle Identity Federation for Federation SSO.

2. Oracle Access Manager provides Oracle Identity Federation with the resource being requested and the name of the Oracle Identity Federation authentication scheme to be used.

3. Oracle Identity Federation maps that authentication scheme to an authentication mechanism, and then to a SAML/WS-Fed authentication method.

4. Oracle Identity Federation starts the Federation SSO flow by sending the user to an identity provider and specifying the authentication method to use in challenging the user for authentication.

5. The IdP challenges the user, creates an assertion, and sends the user back to Oracle Identity Federation with the assertion.

6. Oracle Identity Federation processes the assertion, extracts from it the method used to authenticate the user, and maps that method to an authentication mechanism.

7. After successful processing, Oracle Identity Federation maps the authentication mechanism to an authentication scheme and creates an Oracle Access Manager session for the user.

8. Oracle Identity Federation redirects the user to the requested resource.

9. Finally, Oracle Access Manager grants the authenticated user access to the resource.
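The flow in the nine steps above, together with the session-creation rules from "Integrate Oracle Identity Federation with Oracle Access Manager" (the fall-back to the default scheme when a mapped scheme was never created in Oracle Access Manager), as an added model in Python. This is illustration code written for this page, not part of the guide or of Oracle Identity Federation; the scheme names and levels, the oracle:fed:authentication mechanism identifiers, the policy-domain name and the sample requests are assumed, while the SAML 2.0 AuthnContext class URIs are the standard ones.

```python
"""Model of the two-way scheme/mechanism/method mapping between Oracle
Access Manager (OAM) and Oracle Identity Federation (OIF).

Added illustration, not Oracle code. Scheme names, levels, mechanism
identifiers and the policy-domain name are assumed; the dictionaries
stand in for the mappings that Fusion Middleware Control stores in the
OIF configuration and creates in the OAM Policy Server.
"""
from typing import Optional

# OAM authentication schemes that OIF created at configuration time (name -> level).
OAM_SCHEMES = {"OIF_PasswordProtected": 2, "OIF_X509": 4}

# Scheme OIF falls back to when a mapped scheme does not exist in OAM (assumed name).
DEFAULT_SCHEME = "OIF_PasswordProtected"

# OIF authentication mechanism -> OAM scheme name, as stored in the OIF configuration.
# The Kerberos entry was never selected for creation, so no such scheme exists in OAM.
MECHANISM_TO_SCHEME = {
    "oracle:fed:authentication:password-protected": "OIF_PasswordProtected",
    "oracle:fed:authentication:x509": "OIF_X509",
    "oracle:fed:authentication:kerberos": "OIF_Kerberos",
}

# OIF authentication mechanism <-> SAML 2.0 authentication method (AuthnContext class).
SAML_NS = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
MECHANISM_TO_METHOD = {
    "oracle:fed:authentication:password-protected": SAML_NS + "PasswordProtectedTransport",
    "oracle:fed:authentication:x509": SAML_NS + "X509",
    "oracle:fed:authentication:kerberos": SAML_NS + "Kerberos",
}
METHOD_TO_MECHANISM = {m: k for k, m in MECHANISM_TO_METHOD.items()}


def oam_evaluate(user_level: Optional[int], scheme: str) -> str:
    """Step 1: OAM lets the request through only if the user already holds a
    session at or above the scheme's level; otherwise it redirects to OIF."""
    if user_level is not None and user_level >= OAM_SCHEMES[scheme]:
        return "grant"
    return "redirect-to-oif"


def oif_requested_method(scheme: str) -> str:
    """Steps 2-4: OAM hands OIF the scheme name; OIF maps scheme -> mechanism
    -> SAML method and asks the IdP for that method."""
    mechanism = next(m for m, s in MECHANISM_TO_SCHEME.items() if s == scheme)
    return MECHANISM_TO_METHOD[mechanism]


def oif_create_oam_session(assertion_method: str, policy_domain: str) -> dict:
    """Steps 6-7: OIF maps the method in the assertion -> mechanism -> scheme,
    using the default scheme when the mapped one was never created in OAM."""
    mechanism = METHOD_TO_MECHANISM[assertion_method]
    scheme = MECHANISM_TO_SCHEME.get(mechanism, DEFAULT_SCHEME)
    if scheme not in OAM_SCHEMES:
        scheme = DEFAULT_SCHEME
    return {"policy_domain": policy_domain, "scheme": scheme, "level": OAM_SCHEMES[scheme]}


def federation_sso(user_level: Optional[int], resource_scheme: str,
                   idp_method: str, policy_domain: str = "OIF_PolicyDomain") -> str:
    """Whole flow (steps 1-9). idp_method is the method the IdP actually used;
    if it is weaker than the one OIF requested, the session OIF creates carries
    the weaker scheme's level and OAM's re-evaluation in step 9 does not pass.
    The model reports that instead of redirecting again."""
    if oam_evaluate(user_level, resource_scheme) == "grant":
        return "grant"                                            # step 1
    requested = oif_requested_method(resource_scheme)             # steps 2-4
    session = oif_create_oam_session(idp_method, policy_domain)   # steps 6-7
    if oam_evaluate(session["level"], resource_scheme) == "grant":  # steps 8-9
        return "grant"
    return f"insufficient-level: requested {requested}, got {idp_method}"


if __name__ == "__main__":
    print(federation_sso(None, "OIF_X509", SAML_NS + "X509"))
    print(federation_sso(None, "OIF_X509", SAML_NS + "PasswordProtectedTransport"))
    print(oif_create_oam_session(SAML_NS + "Kerberos", "OIF_PolicyDomain"))
```

Two cases in the model are worth checking in a real deployment: an assertion whose authentication method maps to a mechanism without a created scheme silently lands on the default scheme (and its level), and an IdP that answers with a weaker method than requested produces a session whose level is below the protected resource's scheme, so step 1 fires again. Keep the scheme levels you assign in step 7 aligned with what each IdP can actually assert.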

3.2.4 Deploying Oracle Identity Federation with Oracle Access Manager 11g

You can integrate Oracle Identity Federation with Oracle Access Manager 11g. For details, see Integrating Oracle Identity Federation in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager.

3.2.5 Oracle Identity Federation/SP Authenticating to Oracle Access Manager

You can configure Oracle Identity Federation, when acting as service provider, to authenticate itself to the Oracle Access Manager server when creating an Oracle Access Manager user session. Topics in this section include:

■ Authentication Overview
■ Enabling Authentication with Existing Federation Schemes
■ Enabling Authentication when Creating New Federation Schemes
■ Updating Oracle Identity Federation Credentials
■ Disabling Authentication to Oracle Access Manager