Configure SAML 1.x IdP Properties

Configuring Oracle Identity Federation 5-19

■ Enable Attribute Query Responder - Check this box to enable the identity provider to act as an attribute authority.
■ Enable Authentication Query Responder - In SAML protocols, an identity provider may act as an authentication authority. A service provider may send an authentication query to an authentication authority to ask "What assertions used for authentication have been issued for this subject?" The authentication authority responds by providing the assertions that have been previously issued for authentication of the given subject. Check this box to enable the identity provider to act as an authentication authority.
■ Enable Assertion ID Responder - In SAML protocols, an identity provider may act as an assertion ID authority. A trusted service provider may send an assertion ID request to an assertion ID authority in which it provides the unique ID of an assertion previously issued by the identity provider. The assertion ID authority responds by providing the assertion with the ID in the request. Check this box to enable this identity provider to act as an assertion ID authority.
■ Default SSO Response Binding - Select the binding to be used as a default when the identity provider sends an SSO Response and no preferred binding was specified in the AuthnRequest.
■ Messages to Send/Require Signed - Specify the messages that Oracle Identity Federation sends, in IdP mode, that it must sign; and the messages it receives, in IdP mode, that it requires to be signed.

5.4.3 Configure WS-Federation IdP Properties

Use this page to configure Oracle Identity Federation to use the WS-Federation 1.1 protocol when acting as an identity provider. Provide the following information:
■ Enable WS-Federation 1.1 Protocol - Check this box to enable the protocol.
■ SSO Token Type - Use the drop-down box to select the single sign-on token type.
■ Use Microsoft Web Browser Federated SSO Profile - Check this box to have Oracle Identity Federation use the Microsoft WS-Fed protocol specifications.

5.4.4 Configure OpenID IdP Properties

Use this page to configure the OpenID protocol in IdP mode. See Also: Section 2.2.1.3, "OpenID 2.0 Protocol".

5-20 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

The fields are as follows:
■ Enable OpenID 2.0 Protocol - Check this box to enable the OpenID 2.0 protocol.
■ Validate ReturnTo URL using XRDS metadata - Check this box to verify, using the XRDS document, the ReturnTo URL, which is the URL to which the server redirects once the authentication is processed.
■ Validate ReturnTo URL using Realm - Check this box to specify that the IdP should validate the ReturnTo URL present in the OpenID authentication request against the realm.
■ Enabled Session Types - If validating the ReturnTo URL using the realm, check the boxes to enable specific session types, or All to enable all session types.
■ Default Session Type - If validating the ReturnTo URL using the realm, use the drop-down to select the default session type. Any of the enabled session types may be selected.
■ Enable Association Session Types - Lists the enabled association session types that the OpenID provider supports:
– No encryption
– Diffie-Hellman SHA1
– Diffie-Hellman SHA256
■ Default Association Session Type - Specifies the default association session type.
■ Association Timeout (sec) - The duration of validity of the association, in seconds.
Note: Changes in session type and/or association session type require a restart of the Oracle Identity Federation server.
■ Force User Consent to create new Federated Identity - Check this box to force consent for setting up a new federation.
■ Force User Consent for all Single Sign-On Operations - Check this box to force consent for SSO.
■ Force User Consent for Single Sign-On Operations with attributes exchange - Check this box to prompt the user for consent any time an SSO operation is being performed between the Oracle Identity Federation IdP and the RP where user attributes will be released to the RP.
Related fields for this feature:
– Force User Consent Web Context - Contains the Web Context of the OpenID consent page to be used instead of the Oracle Identity Federation OpenID built-in consent page. If filled, it references a user-implemented page on Oracle WebLogic Server.
– Force User Consent Web Path
■ Enable Attribute Exchange (AX 1.0) - Check this box to enable the AX extension.
■ Enable PAPE 1.0 - Check this box to enable the PAPE 1.0 extension. With this feature you can specify one or more of:
– US Government Level of Assurance Policy
– PPID Policy
– US Government OpenID Trust Level 1 Policy
– US Government No PII Policy
■ Generic OpenID Service Provider - Oracle Identity Federation lets you define the OpenID RP as:
– a federated partner for which you can define specific settings
– an unknown RP with general attribute mappings
Click Create to define a generic OpenID RP.
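The "Validate ReturnTo URL using Realm" check above is what stops an authentication response (and any attributes released with it) from being redirected to a host the RP never declared. The following Python function is an added illustration written for this page, not Oracle Identity Federation's code; it implements the return_to/realm matching rules of OpenID Authentication 2.0 section 9.2 (scheme and port must match, the return_to path must equal the realm path or be a sub-directory of it, the host must equal the realm's domain or, for a wildcard realm, end in the part after the wildcard, and the realm must carry no fragment). As an assumption beyond the strict rule, it also rejects a wildcard realm that spans a whole top-level domain, which the specification only recommends an OP do. The function name and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url: str):
    """Break a URL into the parts the realm rule compares.

    Returns (scheme, host, effective port, path, fragment). A missing
    path is treated as "/", and a missing port as the scheme default,
    so "https://rp.example.com" and "https://rp.example.com:443/" compare equal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path, parts.fragment


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Return True if return_to is covered by realm (OpenID 2.0, section 9.2).

    Hypothetical helper for this page; the rules it applies are the
    specification's, with one stricter addition noted below.
    """
    r_scheme, r_host, r_port, r_path, r_frag = _split(realm)
    u_scheme, u_host, u_port, u_path, _ = _split(return_to)

    # A realm must not contain a fragment, and both sides need a host.
    if r_frag or not r_host or not u_host:
        return False

    # Scheme and port must be identical (after applying scheme defaults).
    if r_scheme not in _DEFAULT_PORTS or r_scheme != u_scheme or r_port != u_port:
        return False

    # The return_to path must equal the realm path or live below it.
    # "/app" covers "/app" and "/app/cb" but not "/application".
    r_dir = r_path if r_path.endswith("/") else r_path + "/"
    if not (u_path == r_path or u_path.startswith(r_dir)):
        return False

    # Host rule: exact match, or wildcard "*." at the leftmost label only.
    if r_host.startswith("*."):
        domain = r_host[2:]            # "example.com"
        if "." not in domain:
            # Assumption beyond the spec's MUST: refuse "*.com"-style realms,
            # which would let any site in the TLD receive the response.
            return False
        return u_host == domain or u_host.endswith("." + domain)
    if "*" in r_host:
        # A wildcard anywhere other than the leading label is not a valid realm.
        return False
    return u_host == r_host


if __name__ == "__main__":
    # Constructed sample request values, not taken from any real deployment.
    realm = "https://*.example.com/openid"
    for candidate in (
        "https://www.example.com/openid/return?janrain_nonce=abc",  # accepted
        "https://www.example.com.attacker.test/openid/return",      # rejected
        "http://www.example.com/openid/return",                     # rejected: scheme
    ):
        print(candidate, "->", return_to_matches_realm(candidate, realm))
```

When the realm validation passes, the IdP can still apply the consent settings listed above before releasing attributes; the realm check only establishes that the response will land on a host the RP declared, not that the user agreed to the release.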

5.5 Configuring Service Providers

This section describes how to edit and update the protocol-specific service provider (SP) properties in Oracle Identity Federation. It contains these sub-sections:
■ Configure Service Provider - Common Properties
■ Configure SAML 2.0 SP Properties
■ Configure SAML 1.x SP Properties
■ Configure WS-Federation 1.1 SP Properties
■ Configure OpenID SP Properties

5.5.1 Configure Service Provider - Common Properties

Use this table to configure SP properties common to all protocols.