Configure SAML 2.0 IdP Properties

5-14 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

Additional Assertion Fields

The fields below the table are as follows:

■ Federation Creation User Consent URL - If the user must consent to setting up a new federation, this is the URL to which the user is redirected. You must design a consent page for this purpose.
■ Force User Consent - Check this box to force consent for setting up a new federation. If this box is checked, a user who is redirected to the federation server will explicitly have to accept or deny account linking in order to proceed.
■ Send Encrypted Attributes - Check this box to enable Oracle Identity Federation to send encrypted attributes to peer providers.
■ Send Encrypted NameIDs - Check this box to enable Oracle Identity Federation to send encrypted name identifiers to peer providers.
■ Send Encrypted Assertions - Check this box to enable Oracle Identity Federation to send encrypted assertions to peer providers.
■ Send Signed Assertions - Check this box to enable Oracle Identity Federation to send signed assertions to peer providers. The value specified on this page overrides the value specified in the Identity Provider - Common tab when using the SAML 2.0 protocol. If you do not wish to override the value in Identity Provider - Common, click the blue circle so that the square is not filled in and there is an arrow pointing to the square, as in the image above.

About the User Consent Page

If the user must consent to setting up a new federation, you must design a consent page to which the user is redirected. The server passes a number of query parameters to this URL:

Table 5–2 Parameters Passed to User Consent URL

Parameter     Description
providerid    The peer provider id.
description   The description of the peer provider id.
returnurl     The URL to which the user should be directed once a consent decision has been made.
refid         Passed as a query parameter to the returnurl. Oracle Identity Federation requires this parameter in order to resume the operation the server had been performing prior to redirection to the consent URL.

When the consent URL page directs the user back to the return URL (by way of a link, form submission, or other means), it must pass two query parameters: the refid parameter described in the table, and a consent parameter indicating whether consent was granted by the user (values are true or false).

Here is an example of a consent page:

    <%
    // Read the parameters Oracle Identity Federation appended to the consent URL.
    String prefix = request.getContextPath();
    String redirectURL = request.getParameter("returnurl");
    String refID = request.getParameter("refid");
    String providerID = request.getParameter("providerid");
    String desc = request.getParameter("description");
    %>
    <HTML>
    <BODY>
    Do you consent to create a federation with <%=providerID%> (<%=desc%>):<br>
    <%-- The decision is posted back to returnurl together with the refid. --%>
    <form method="POST" action="<%=redirectURL%>">
    <input type="checkbox" name="userconsent" value="true"/>I agree<br>
    <input type="submit" value="OK"/>
    <input type="hidden" name="refid" value="<%=refID%>"/>
    </form>
    </BODY>
    </HTML>

Protocol Settings

■ Enable SAML 2.0 Protocol - Check this box to enable the SAML 2.0 protocol.
■ Enable Single Sign-On Protocol - Check this box to enable the single sign-on protocol.
■ Enable NameID Management Protocol: Terminate - Check this box to enable the federation termination capability.
  Note: This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.
  See Also: Section 1.2.4.8, Federation Termination Profile
■ Enable NameID Management Protocol: Register - Check this box to enable name ID registration.
  Note: This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.
  See Also: Section 1.2.4.5, Name Identifier Management Profiles
■ Enable Attribute Query Responder - Check this box to enable the identity provider to act as an attribute authority.
  Note: This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.
  See Also: Section 5.6.6, Configuring Oracle Identity Federation as an IdP Attribute Responder
■ Use Identity Federation for Attribute Response - Check this box if you wish the user in the attribute request to be located in this identity provider using its federated identity. Note that if using this setting, the user must have a federation identity, and its Name ID value and format must match the subject value and format specified in the AttributeQuery. When this box is checked, the attribute authority first tries to look up the user in the federation store; if no records are found, it locates the user by attribute value from the user data store. This property may also be overridden on the Edit Trusted Provider page on the Oracle Identity Federation Settings tab.
■ Enable Authentication Query Responder - In SAML protocols, an identity provider may act as an authentication authority. A service provider may send an authentication query to an authentication authority to ask "What assertions used for authentication have been issued for this subject?" The authentication authority responds by providing the assertions that have been previously issued for authentication of the given subject. Check this box to enable the identity provider to act as an authentication authority.
■ Enable Assertion ID Responder - In SAML protocols, an identity provider may act as an assertion ID authority. A trusted service provider may send an assertion ID request to an assertion ID authority in which it provides the unique ID of an assertion previously issued by the identity provider. The assertion ID authority responds by providing the assertion with the ID in the request. Check this box to enable this identity provider to act as an assertion ID authority.
■ Enable Protocol Bindings - In the drop-down, select all protocol bindings you wish to enable.
■ Default Binding - Select the binding to be used as a default when the identity provider sends a request or response (excluding SSO Responses) and no preferred binding was specified, for example in Name ID Management Protocol messages.
■ Default SSO Response Binding - Select the binding to be used as a default when the identity provider sends an SSO Response and no preferred binding was specified in the AuthnRequest.
■ Messages to Send/Require Signed - Specify the messages that Oracle Identity Federation sends, in IdP mode, that it must sign, and the messages it receives, in IdP mode, that it requires signed.
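The consent page contract described under About the User Consent Page (the providerid, description, returnurl and refid query parameters, and the refid plus consent value posted back) as an added, hardened example written as a servlet; it is not code from the guide or from Oracle Identity Federation. It assumes the federation server host (FED_HOST) as a deployment value and, following the guide's JSP, names the decision parameter userconsent; beyond the JSP it refuses a returnurl on any other host and HTML-escapes every value it echoes, so the consent page cannot be turned into an open redirect or a reflected-script page by a crafted link.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ConsentServlet extends HttpServlet {
    // Assumed deployment value: host of the Oracle Identity Federation server.
    private static final String FED_HOST = "fed.example.com";

    // True only if returnurl is an https URL on the federation server; anything else is refused.
    static boolean isFederationUrl(String url) {
        if (url == null) return false;
        try {
            URI u = new URI(url);
            return "https".equals(u.getScheme()) && FED_HOST.equalsIgnoreCase(u.getHost());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Minimal HTML escaping for text and attribute values echoed from the query string.
    static String esc(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String returnUrl = req.getParameter("returnurl");
        String refId = req.getParameter("refid");
        // Without refid the server cannot resume the federation creation it was performing.
        if (refId == null || refId.isEmpty() || !isFederationUrl(returnUrl)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><p>Do you consent to create a federation with "
                + esc(req.getParameter("providerid")) + " (" + esc(req.getParameter("description")) + ")?</p>");
        out.println("<form method=\"POST\" action=\"" + esc(returnUrl) + "\">");
        out.println("<input type=\"hidden\" name=\"refid\" value=\"" + esc(refId) + "\"/>");
        // Two submit buttons share one name, so exactly one of true/false is always posted back.
        out.println("<button type=\"submit\" name=\"userconsent\" value=\"true\">I agree</button>");
        out.println("<button type=\"submit\" name=\"userconsent\" value=\"false\">I decline</button>");
        out.println("</form></body></html>");
    }
}
```

Unlike the checkbox in the guide's JSP, which sends nothing when left unchecked, the two buttons guarantee that a deny decision reaches the server as an explicit false.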

5.4.2 Configure SAML 1.x IdP Properties

Use this page to configure Oracle Identity Federation to use the SAML 1.0/SAML 1.1 protocol when acting as an identity provider. The page contains tables for assertion settings and protocol settings, respectively.

Assertion Settings

The table shows the Subject NameID formats you can configure. Provide the following information:

■ Enabled - Check a box to enable the corresponding NameID format.
■ Default - Use the radio button to select a default NameID format.
■ Get Value from User Session - Check a box to specify that the attribute to which the corresponding NameID maps is found in the session created when the user is authenticated.
  Note: This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.
  Note: The Require AuthnRequest Signed property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.
■ NameID Format - This column displays the available name identifier formats. The formats are as follows:

Table 5–3 SAML 1.x Identity Provider Name ID Formats

NameID Format                    Default
X.509 Subject Name               dn
Email Address                    mail
Windows Domain Qualified Name    (empty)
Unspecified                      (empty)
Custom                           (empty)
None

  Note: You can set the user attribute in the Assertion Subject NameID Formats table to orafed-userid to use the UserID to populate the NameID element. This is especially useful when no user store is configured for the IdP and thus no user store attributes are available.

■ User Attribute Mapping - Enter the attribute name for the selected name ID format. Oracle Identity Federation will use the attribute name to perform a lookup in the user data store (or in the user session, if Get Value from User Session is checked for a name ID in this format).
■ Send Signed Assertion - Check this box to enable Oracle Identity Federation to send signed assertions to peer providers. The value specified on this page overrides the value specified in the Identity Provider - Common tab when using the SAML 1.0 or SAML 1.1 protocols. If you do not wish to override the value in Identity Provider - Common, click the blue circle so that the square is not filled in and there is an arrow pointing to the square, as in the image above.

Protocol Settings

Use this table to specify protocol settings and related attributes. Provide the following information:

■ Protocol - Check one or both of the Enable SAML 1.1 Protocol and Enable SAML 1.0 Protocol boxes.
■ Enable Single Sign-On - Check this box to enable the single sign-on protocol.
■ Enable Attribute Query Responder - Check this box to enable the identity provider to act as an attribute authority.
■ Enable Authentication Query Responder - In SAML protocols, an identity provider may act as an authentication authority. A service provider may send an authentication query to an authentication authority to ask "What assertions used for authentication have been issued for this subject?" The authentication authority responds by providing the assertions that have been previously issued for authentication of the given subject. Check this box to enable the identity provider to act as an authentication authority.
■ Enable Assertion ID Responder - In SAML protocols, an identity provider may act as an assertion ID authority. A trusted service provider may send an assertion ID request to an assertion ID authority in which it provides the unique ID of an assertion previously issued by the identity provider. The assertion ID authority responds by providing the assertion with the ID in the request. Check this box to enable this identity provider to act as an assertion ID authority.
■ Default SSO Response Binding - Select the binding to be used as a default when the identity provider sends an SSO Response and no preferred binding was specified in the AuthnRequest.
■ Messages to Send/Require Signed - Specify the messages that Oracle Identity Federation sends, in IdP mode, that it must sign, and the messages it receives, in IdP mode, that it requires signed.

5.4.3 Configure WS-Federation IdP Properties

Use this page to configure Oracle Identity Federation to use the WS-Federation 1.1 protocol when acting as an identity provider. Provide the following information:

■ Enable WS-Federation 1.1 Protocol - Check this box to enable the protocol.
■ SSO Token Type - Use the drop-down box to select the single sign-on token type.
■ Use Microsoft Web Browser Federated SSO Profile - Check this box to have Oracle Identity Federation use the Microsoft WS-Fed protocol specifications.

5.4.4 Configure OpenID IdP Properties

Use this page to configure the OpenID protocol in IdP mode.

See Also: Section 2.2.1.3, OpenID 2.0 Protocol.