Example 1: Assertion Mapping without federated identities using NameID for SAML 2.0

Additional Server Configuration 6-37

The server is configured to use the LDAP/SQL query functionality to locate the user. Perform the following configuration steps:

1. Log in to Fusion Middleware Control.

2. Navigate to Administration, then Service Provider, then SAML 2.0, then Assertion Settings.

3. Uncheck Map User via Federated Identity.

4. Check Map User via Attribute Query.

5. Enter the following LDAP query in the Attribute Query field: (&(mail=%email%)(sn=%lastname%))

6. Uncheck Map User via NameID.

7. Check Error when User Mapping fails; this forces Oracle Identity Federation to return a 401 error to the browser if the user cannot be located.

8. Apply the changes.

6.16.6 Example 4: Assertion Mapping without Federated Identities using LDAP/SQL Query and NameID Mapping

In this example, Oracle Identity Federation/SP uses the email address contained in the NameID to locate the user. If that lookup fails, the last name SAML attribute from the assertion is used to look up a local user in the LDAP user data store, using the local attributes mail and sn of the LDAP user record. The server is configured to use both NameID Mapping and the LDAP/SQL query to locate the user. Perform the following steps to configure Oracle Identity Federation/SP:

1. Log in to Fusion Middleware Control.

2. Navigate to Administration, then Service Provider, then SAML 2.0, then Assertion Settings.

3. Uncheck Map User via Federated Identity.

4. Check Map User via Attribute Query.

5. Enter the following LDAP query in the Attribute Query field: (sn=%lastname%)

6. Check Map User via NameID.

7. Enable Email Address NameID Format, and enter the attribute of the user record that holds the email address (typically mail for an LDAP server).

8. Check Error when User Mapping fails; this forces Oracle Identity Federation to return a 401 error to the browser if the user cannot be located.

9. Apply the changes.

6.16.7 Example 5: Assertion Mapping without Federated Identities for a Specific IdP

If Oracle Identity Federation/SP needs an attribute-based authentication configuration specific to a peer identity provider, the setup information must be stored in the IdP's entry in the Federations list.

6-38 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

In this example, Oracle Identity Federation/SP is set up for attribute-based authentication for an IdP referenced by http://idp.com. Perform the following steps to configure Oracle Identity Federation/SP:

1. Log in to Fusion Middleware Control.

2. Navigate to Administration, then Federations.

3. Select the identity provider and click Update.

4. Click the Oracle Identity Federation Settings tab.

5. Expand the Service Provider/Requester Settings section, and go to Assertion Settings.

6. Uncheck Map User via Federated Identity.

7. Check Map User via Attribute Query.

8. Enter the following LDAP query in the Attribute Query field: (&(mail=%email%)(sn=%lastname%))

9. Uncheck Map User via NameID.

10. Check Error when User Mapping fails; this forces Oracle Identity Federation to return a 401 error to the browser if the user cannot be located.

11. Apply the changes.

6.17 Automatic Account Linking Based on Attribute Query Mapping

Automatic account linking at the SP allows the service provider to directly map an identity contained in an assertion to a local user. When Oracle Identity Federation is acting as a service provider and is configured to use federated identities to map the incoming SAML 2.0 assertion, it can automatically create a federation record by locating a user based on the attributes and name identifier received in the assertion. This section contains topics related to account linking:

■ Locating the User

■ Configuring Oracle Identity Federation

■ Example 1: Automatic Account Linking through NameID Mapping for SAML 2.0

■ Example 2: Simple Automatic Account Linking through LDAP/SQL Query

■ Example 3: Complex Automatic Account Linking through LDAP/SQL Query

■ Example 4: Automatic Account Linking through LDAP/SQL Query and NameID Mapping

■ Example 5: Automatic Account Linking via Attribute Query for a Specific IdP

6.17.1 Locating the User

When configured to use federated identities and Automatic Account Linking is enabled, the administrator has two options for locating a user record in the repository:

■ Using the Name ID Format mapping, where the NameID is linked to a user attribute. This uses the existing mapping.

■ Using an LDAP/SQL query that involves the NameID and the attributes stored in the assertion.
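The following Python model is an added example and is not Oracle Identity Federation code. It imitates the user-mapping order configured in Examples 3 to 5 above (NameID mapping first, then the Attribute Query with %attribute% placeholders, with a per-IdP override for one peer) and the federation record that Automatic Account Linking creates on a successful lookup, as described in this section. The entity IDs, the in-memory user store, the rule that a lookup succeeds only when exactly one user matches, and the behaviour when Error when User Mapping fails is unchecked are all assumptions of the model. It also shows the check a practitioner should expect from the product: values copied from an assertion into an LDAP filter must be escaped, otherwise an IdP-controlled attribute could change the filter's structure.

```python
"""Model of the SP-side user mapping of Examples 3 to 5 and Section 6.17.

Added example, not Oracle's code: federation record, then NameID mapping, then the
LDAP attribute query with %attr% placeholders, per-IdP overrides, and the federation
record that automatic account linking creates, against a constructed user store.
"""
import re
from dataclasses import dataclass

# Constructed sample directory entries (not real users).
USER_STORE = [
    {"dn": "cn=alice,ou=people,dc=example,dc=com", "mail": "alice@example.com", "sn": "Smith"},
    {"dn": "cn=bob,ou=people,dc=example,dc=com", "mail": "bob@example.com", "sn": "Jones"},
    {"dn": "cn=bobby,ou=people,dc=example,dc=com", "mail": "bobby@example.com", "sn": "Jones"},
]
FEDERATION_RECORDS = {}  # (idp, nameid) -> dn; filled by automatic account linking (6.17)

class MappingError(Exception):
    """Raised where the page says the SP returns a 401 to the browser."""

def ldap_escape(value):
    """RFC 4515 escaping: an assertion value must not be able to alter the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def render_query(template, attrs):
    """Substitute each %name% with the escaped SAML attribute; None if one is missing."""
    names = re.findall(r"%([A-Za-z0-9_]+)%", template)
    if any(n not in attrs for n in names):
        return None
    return re.sub(r"%([A-Za-z0-9_]+)%", lambda m: ldap_escape(attrs[m.group(1)]), template)

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _parse(f, i=0):
    """Minimal filter parser for (attr=value), (&...) and (|...); returns (node, next index)."""
    i += 1  # skip the opening '('
    if f[i] in "&|":
        op, i, parts = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            parts.append(node)
        return (op, parts), i + 1
    j = f.index(")", i)  # safe: escaping turned any ')' inside a value into \29
    attr, _, val = f[i:j].partition("=")
    return ("=", attr, _unescape(val)), j + 1

def _match(node, entry):
    if node[0] == "=":
        return entry.get(node[1], "").lower() == node[2].lower()  # caseIgnore, as for mail and sn
    op, parts = node
    return (all if op == "&" else any)(_match(p, entry) for p in parts)

def search(filter_str):
    """Evaluate an LDAP filter string against the in-memory store."""
    node, _ = _parse(filter_str)
    return [e for e in USER_STORE if _match(node, e)]

@dataclass
class AssertionSettings:
    """The checkboxes and fields of the Assertion Settings page, as booleans and strings."""
    map_via_federated_identity: bool = False
    map_via_attribute_query: bool = False
    attribute_query: str = ""
    map_via_nameid: bool = False
    nameid_attribute: str = "mail"       # local attribute holding the Email Address NameID
    error_when_mapping_fails: bool = True
    auto_account_linking: bool = False   # Section 6.17; needs map_via_federated_identity

# Example 4 as the server-wide setting; Example 5 as an override for one IdP (entity IDs assumed).
GLOBAL_SETTINGS = AssertionSettings(map_via_nameid=True, map_via_attribute_query=True,
                                    attribute_query="(sn=%lastname%)")
PER_IDP_SETTINGS = {"http://idp.com": AssertionSettings(
    map_via_attribute_query=True, attribute_query="(&(mail=%email%)(sn=%lastname%))")}

def _unique(entries):
    """Assumption of this model: the lookup counts as failed unless exactly one user matches."""
    return entries[0]["dn"] if len(entries) == 1 else None

def map_user(idp, nameid, attrs, settings=None):
    """Return the DN of the local user for an assertion from `idp`, or raise MappingError (401)."""
    s = settings or PER_IDP_SETTINGS.get(idp, GLOBAL_SETTINGS)
    dn = FEDERATION_RECORDS.get((idp, nameid)) if s.map_via_federated_identity else None
    if dn is None and s.map_via_nameid:
        dn = _unique(search("(%s=%s)" % (s.nameid_attribute, ldap_escape(nameid))))
    if dn is None and s.map_via_attribute_query:
        query = render_query(s.attribute_query, attrs)
        if query is not None:
            dn = _unique(search(query))
    if dn is None:
        if s.error_when_mapping_fails:
            raise MappingError("no unique local user for NameID %r from %s" % (nameid, idp))
        return None  # assumption: without the checkbox, the caller decides what to do
    if s.map_via_federated_identity and s.auto_account_linking:
        FEDERATION_RECORDS[(idp, nameid)] = dn  # next login hits the federation record directly
    return dn
```

With these settings an assertion from http://idp.com is resolved only through the two-attribute query, while any other IdP first gets the NameID lookup and then the sn fallback; an assertion whose email attribute is `*)(sn=*` is rendered as `(&(mail=\2a\29\28sn=\2a)(sn=Jones))`, matches nobody, and produces the 401 rather than a widened search.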