8-232 Oracle Fusion Middleware High Availability Guide Figure 8–20 Oracle Identity Federation Non-High Availability Architecture Figure 8–20 shows Oracle Identity Federation deployed on Oracle WebLogic Server in a non-high availability architecture and its relationship to other federation components. Figure 8–20 shows Oracle Identity Federation as a member of Federation between other identity providers IdP and service providers SP. The Oracle Identity Federation authentication service can be configured: ■ To enable single sign-on access to resources protected by Oracle Single Sign-On with the Oracle Internet Directory user repository or Oracle Access Manager with various repositories. Resources can include Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft modules, and so on. ■ To interact with Identity and Access Management solutions such as LDAP directories, RDBMS databases, and Oracle Access Manager.

8.13.1.1 Oracle Identity Federation Component Characteristics

Oracle Identity Federation is Oracles self-contained, standalone federation server, based on J2EE standards. It enables single sign-on and authentication in a multiple-domain identity network and supports a broad set of federation standards such as SAML 1.x, SAML 2.0, WS-Federation, and SAML 1.x2.0 attribute sharing functionality. Note: In an environment where Oracle Identity Federation and Oracle Single Sign-On both protect resources, you can configure either component to serve as the authentication mechanism when a user requests access to a protected resource. Likewise, environments containing both Oracle Identity Federation and Oracle Access Manager provide similar functionality. For more information about Oracle Identity Federation authentication, see Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation. Service Provider Service Provider Identity Provider Oracle HTTP Server Fed Data Store User Data Store AuthN Engine SP Engine Oracle Applications Configuration Session Message Memory Oracle Identity Federation Oracle WebLogic Server LDAP DB DB Identity Access Management Oracle IdM XML XML Configuring High Availability for Identity Management Components 8-233 By default, Oracle Identity Federation is deployed as an externally staged application on Oracle WebLogic Server.

8.13.1.1.1 Runtime Processes Oracle Identity Federation is a J2EE application that is

deployed on Oracle WebLogic Server as an externally staged application. The Oracle Identity Federation server is initialized when the WebLogic Server it is deployed on starts up. The Oracle Identity Federation application accesses the Credential Store Framework, to get the credentials to connect to the back-end servers. Once this is complete, the Oracle Identity Federation server is running and is ready to accept and serve requests.

8.13.1.1.2 Process Lifecycle Oracle Identity Federation is deployed to an Oracle

WebLogic Server as an externally managed application. By default, the Oracle WebLogic Server starts, stops, monitors and manages other lifecycle events for the Oracle Identity Federation application. The application is initialized when the Oracle WebLogic Server it is deployed to starts up and it stops when the WebLogic Server is shut down. WebLogic Node Manager can be configured to monitor the server process and restart it in case of failure The Oracle Enterprise Manager Fusion Middleware Control is used to monitor as well as modify the configuration of the application. Starting and Stopping Oracle Identity Federation lifecycle events can be managed using one or more of the command line tools and consoles listed below: ■ Oracle WebLogic Scripting Tool WLST ■ Oracle WebLogic Server Administration Console ■ Oracle Enterprise Manager Fusion Middleware Control ■ WebLogic Node Manager

8.13.1.1.3 Request Flow Users typically access applications in multiple domains

through a corporate portal. For example, Alpha Corporation could have a Portal Server in place to manage Alpha’s user logins, page personalization, and so on. The portal server might consist of homegrown logic running within an application server, or it might be a commercial product. Its partner, Beta Corporation, may serve its technical database application with a MyBeta.com type of portal. In that case, each company would operate its own portal server. The processing flow is as follows: 1. The user logs into the Alpha portal whose access is being managed by a web access management WAM system such as Oracle Access Manager or Oracle Single Sign-On. 2. The user initiates a request by clicking on a resource that is actually hosted by Beta Corporation. 3. The Oracle Identity Federation instance at the Alpha portal, acting as the identity provider IdP, will send the user information to the WAM system. 4. The WAM system will create a session after mapping a user to an identity in its local identity store. 8-234 Oracle Fusion Middleware High Availability Guide 5. The WAM system will return the successful response and the session token to the Oracle Identity Federation IdP server at the Alpha portal. 6. Using the above information, the IdP at the Alpha portal creates a SAML identity assertion and signs it using its private signing key. This response is sent to the Oracle Identity Federation instance acting as a Service Provider SP at Beta Corporation. 7. The Oracle Identity Federation server acting as SP at Beta Corporation verifies the signed response using the IdPs public certificate associated with its signing key. 8. The Oracle Identity Federation service provider at Beta Corporation extracts the assertion, and creates a user session for the assertion after mapping the user session to its local authorization system. 9. The Oracle Identity Federation service provider sends the users browser a redirect to the requested resource. 10. The users browser sends a request to the target resource over the user session created by the service provider.

8.13.1.1.4 Configuration Artifacts The configuration of the Oracle Identity Federation

server is managed by MBeans. The configuration data for Oracle Identity Federation is stored in three main files: ■ config.xml: contains server-wide configuration ■ cot.xml: stores provider-specific configuration ■ datastore.xml: stores back-end data store configuration The Oracle Identity Federation application is deployed as an EAR file by the Oracle Identity Management 11g Installer. The Oracle Identity Federation application is located under the ORACLE_HOMEfedinstalloif.ear directory. The Oracle Identity Federation configuration artifacts are located under the DOMAIN_ HOME configfmwconfigserversserverNameapplicationsOIF_ 11.1.1.2.0configuration directory on the managed servers where the application is deployed. Using Oracle Enterprise Manager Fusion Middleware Control to make configuration changes can help prevent inconsistent configuration across different nodes. This is especially true when the application is deployed in a high availability configuration. However, WLST scripts and JMX MBeans can also be used to configure the Oracle Identity Federation server.

8.13.1.1.5 External Dependencies The Oracle Identity Federation server is a J2EE

application that is deployed on an Oracle WebLogic Managed Server. The Oracle Identity Federation server interacts with external repositories to store configuration data, runtime transient data message, user session and federation data and to authenticate users. The Oracle Identity Federation server requires these repositories to be available during initialization or during runtime. These are the external components required for the Oracle Identity Federation server to function: ■ Oracle WebLogic Server – Administration Server – Managed Server ■ Data Repositories – Message data store and user session data store transient data store Configuring High Availability for Identity Management Components 8-235 – Configuration data store – User data store – Federation data store ■ Authentication Engines ■ Service Provider Engines See the following subsections for more information about how these external components function with Oracle Identity Federation. Oracle WebLogic Server The Oracle Identity Federation server is a J2EE application that is deployed on an Oracle WebLogic Managed Server. The server is administered and managed using the Oracle Enterprise Manager Fusion Middleware Control. The application cannot start if the Managed Server is not running. If the Administration Server is not available, the server continues to run in its current state but changes cannot be made to its configuration. Data Repositories The Oracle Identity Federation server uses the various external data repositories to store configuration, user session, message and federation data. The server requires these data stores to be available during initialization, runtime or both. Details of the repositories are shown below: ■ Message data store and user session data store transient data store: The Oracle Identity Federation server uses the message data store and the user session data store for storing transient data like federation protocolsession state. The message data store together with the user session data store is also referred to as a the transient data store. Depending on the deployment option for the Oracle Identity Federation server, the transient data can either be stored in memory or in a relational database. Table 8–11 shows the relationship between the deployment option and the required transient data store type: ■ Configuration data store: The Oracle Identity Federation application uses the configuration data store to store its configuration artifacts. Depending on the deployment option of the Oracle Identity Federation server, the configuration store can either be stored in an XML file or in a relational database. Table 8–12 shows the relationship between the deployment option and the required configuration data store type: Table 8–11 Transient Data Store Types for Oracle identity Federation Deployment Options Deployment Option Store Type Non-high Availability Standalone In Memory Store Relational Database Store High Availability Relational Database Store 8-236 Oracle Fusion Middleware High Availability Guide The Oracle Identity Federation application connects to the configuration data store to retrieve its configuration data during the start up process. The application fails to start up if the configuration data store is unavailable. ■ User data store: The Oracle Identity Federation server uses the user data store to locate users after local authentication or after processing an incoming SAML Assertion and to retrieve user specific attributes. The user data repository can be either a relational database or a LDAP repository. The Oracle Identity Federation server is certified to work with LDAP repositories such as Oracle Internet Directory, Sun Java System Directory Server, and Microsoft Active Directory, as well as with a relational database. The role played by the user data repository depends on whether Oracle Identity Federation will be configured as an identity provider IdP or a service provider SP. – When configured as an IdP: Oracle Identity Federation uses the repository to verify user identities and to build protocol assertions. – When configured as an SP: Oracle Identity Federation uses the repository to map information in received assertions to user identities at the destination, and subsequently to authorize users for access to protected resource. When creating a new federation, Oracle Identity Federation uses the repository to identify the user and link the new federation to that users account. The Oracle Identity Federation application does not require the user data store to be available while starting up. The user data store is required at runtime. ■ Federation Data Store: The federation data store can be XML, RDBMS or LDAP. In high availability mode, use only RDBMS or LDAP so that the federation data store is available to all members of the cluster. The Oracle Identity Federation server uses the federation data store to persist user federation records. Identity federation is the linking of two or more accounts that a principal may hold with one or more identity providers or service providers within a given circle of trust. When users federate the otherwise isolated accounts Table 8–12 Configuration Data Store Types for Oracle Identity Federation Deployment Option Deployment Option Store Type Non-high Availability Standalone XML Relational Database Store High Availability Relational Database Store Note: Oracle Identity Federation is only certified to work with Oracle Database versions 10.2.0.4 and higher or Oracle Database 11.1.0.7 and higher. Configuring High Availability for Identity Management Components 8-237 they have with businesses known as their local identities, they are creating a relationship between two entities, an association comprising any number of service providers and identity providers. The Oracle Identity Federation server is certified with industry-standard LDAP repositories including Oracle Internet Directory, Sun Java System Directory Server, and Microsoft Active Directory or a relational database. Table 8–13 shows the relationship between the deployment option and the required federation data store type: The federation data store is required at runtime only if persistent name identifier formats are used during protocol exchanges. The federation data store is optional at runtime if non-opaque name identifier formats are used, such as email address. For more information about the federation data store for Oracle Identity Federation, see the Federation Data Store section in Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation. ■ Authentication engines: Oracle Identity Federation IdP and SP protocol operations, such as single sign-on, federation creation, federation termination, and NameID registration, require users to be authenticated. The Oracle Identity Federation authentication module handles user authentication. The authentication module can perform two distinct roles in user authentication: – When Oracle Identity Federation is deployed as an Identity Provider, the authentication module acts as a local authentication mechanism. The authentication module can delegate authentication or directly interact with a number of repositories and identity management solutions. – When Oracle Identity Federation is deployed as a service provider, it uses federation protocols to have the user authenticated at a peer identity provider. Oracle Identity Federation then forwards the user to the authentication module, which propagates and creates an authenticated user session in the deployed identity management solution at the SP. In turn, this enables access to the requested protected resource. The Oracle database, Oracle Internet Directory, Sun Java System Directory Server, and Microsoft Active Directory are some examples of supported RDBMS and LDAP repositories. Oracle Access Manager and Oracle Single Sign On are examples of supported repositories and Identity Management solutions. Table 8–13 Federation Data Store Types for Oracle Identity Federation Deployment Option Deployment Option Store Type Non-high Availability Standalone None or XML High Availability None, LDAP, or Relational Database Store Note: Oracle Identity Federation is only certified to work with Oracle Database versions 10.2.0.4 and higher or Oracle Database 11.1.0.7 and higher. 8-238 Oracle Fusion Middleware High Availability Guide The authentication module only requires the external authentication engines to be available at runtime. ■ Service provider engines: A Service Provider Integration Engine SP Integration Engine is used to create a user authenticated session at the Identity and Access Management IAM server. Oracle Identity Federation is shipped with an SP engine includes several internal plug-ins that allow it to interact with different IAM servers, such as: – Oracle Single Sign-On – Oracle Access Manager – Oracle Identity Federation Test Application Oracle Identity Federation also provides a framework to integrate with third party IAM frameworks; the customized SP Integration Module will interact with Oracle Identity Federation using internal J2EE Servlet forwards, and it will communicate with the third party IAM system to create the user authenticated session. Any custom SP Engine modules should be deployed on each Managed Server in the cluster.

8.13.1.1.6 Oracle Identity Federation Log File Location Oracle Identity Federation is a J2EE

application deployed on Oracle WebLogic Server. All server related logs messages are logged in the server log file and all Oracle Identity Federation specific messages are logged into the diagnostic log file of the Oracle WebLogic Server where the application is deployed. The default location of the Oracle WebLogic Server log file is: WEBLOGIC_SERVER_HOME user_projectsdomainsdomainNameserversserverNamelogs serverName -diagnostic.log The Oracle Identity Federation log file is named serverName-diagnostic.log. For example, if the Oracle WebLogic Server name is wls_oif1, then the log file name is wls_oif1-diagnostic.log. Use the Oracle Enterprise Manager Fusion Middleware Control to view the log files.

8.13.2 Oracle Identity Federation High Availability Concepts