Planning a Custom SP Integration Engine

10-20 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

■ An optional Boolean indicating whether Oracle Identity Federation should authenticate the user locally using the authentication engines, or whether a Federation SSO should be started by redirecting the user to an IdP for authentication, identified by oracle.security.fed.sp.localauthn; the default is false.
■ A Boolean object indicating whether to use the configuration stored in Oracle Identity Federation or to start the SSO based only on the information passed by the SP engine (except the IdP), identified by oracle.security.fed.sp.usedefault. If missing, true is assumed.
■ A Boolean object indicating whether the SP should ask the IdP to challenge the user even if he or she is already authenticated, identified by oracle.security.fed.sp.forceauthn. This parameter is ignored if usedefault is true or missing.
■ A Boolean object indicating whether the SP should allow the IdP to create a federation record during the SSO operation if one does not yet exist, identified by oracle.security.fed.sp.allowfedcreation. This parameter is ignored if usedefault is true or missing.
■ A Boolean object indicating whether the SP should ask the IdP not to interact with the user during the SSO operation, identified by oracle.security.fed.sp.passive. This parameter is ignored if usedefault is true or missing.
■ A String representing the binding to use when sending the AuthnRequest, identified by oracle.security.fed.sp.requestbinding. This parameter is ignored if usedefault is true or missing. Acceptable values are httpredirect, httppost and httppostsimple, depending on the protocol.
■ A String representing the binding to use when sending the Response with the assertion, identified by oracle.security.fed.sp.responsebinding. This parameter is ignored if usedefault is true or missing. Acceptable values are artifact or httppost, depending on the protocol.
■ An optional authentication mechanism comparison, specifying to the SP which authentication context comparison to request the IdP to use during authentication, identified by oracle.security.fed.sp.authnmechcomparison. This parameter is ignored if usedefault is true or missing.
■ A String representing the NameID format the SP will request from the IdP for the SSO operation, identified by oracle.security.fed.sp.nameidformat. This parameter is ignored if usedefault is true or missing.
■ Optional attributes to be requested from the identity provider during the Federation SSO operation, for example when interacting with an OpenID IdP. The data is passed as a Map with Strings as keys and Sets of Objects as values, identified by oracle.security.fed.sp.attributes. The keys contain the attribute names; the values are optional.

Oracle Identity Federation Assertion Processing

Oracle Identity Federation then performs a SAML/WS-Fed SSO operation with a remote IdP, processes the assertion, optionally maps it to a local user record, and finally forwards the user back to the SP integration engine that initiated the operation, specifying the following information as HttpServletRequest attributes:

■ A Boolean object indicating whether the SSO operation was successful, identified by oracle.security.fed.sp.authnresult
■ The identifier of the user as a String, identified by oracle.security.fed.sp.userid

Integrating with Third-Party Identity and Access Management Modules 10-21

■ The authentication time as a Date object, identified by oracle.security.fed.sp.authntime
■ The expiration time of the authenticated session as a Date, identified by oracle.security.fed.sp.expirationtime
■ The authentication mechanism used to identify the user as a String, identified by oracle.security.fed.sp.authnmech
■ The relay state as a String, identified by oracle.security.fed.sp.relaystate
■ The contents of the assertion: the NameID, the issuer of the assertion and the optional attributes.
Note: the content of the assertion is not passed as XML data; that is, the original assertion will not be passed back to the module. The data is passed as a Map with Strings as keys and Sets of Objects as values, identified by oracle.security.fed.sp.attributes. The extra data is referenced as:
– orafed-nameid-value containing the Name ID value
– orafed-nameid-qualifier containing the Name ID qualifier
– orafed-nameid-format containing the Name ID format
– orafed-providerid containing the Peer ProviderID
– orafed-assertionid containing the ID of the assertion
– orafed-xmlmessage containing the optional XML message that carries the assertion; see Section 6.13.2, "Providing XML Message to SP Engine after SSO Completes", for details.
■ The top status of the SAML Response as a String, identified by oracle.security.fed.sp.topstatus
■ The low status of the SAML Response, if any, as a String, identified by oracle.security.fed.sp.lowstatus
■ The status message, if any, as a String, identified by oracle.security.fed.sp.statusmessage
■ The ProviderID of the identity provider that created the SSO assertion as a String, identified by oracle.security.fed.sp.providerid
■ The identifier of the SP engine that will process the above information, identified by oracle.security.fed.sp.engineid
■ The Oracle Identity Federation identifier of the user session as a String, identified by oracle.security.fed.sessionid. Oracle Identity Federation passes the sessionID of the user session to the SP engine so that the engine can persist state linked to the user and reference that data by the sessionID value. Later, when the logout flow is executed, Oracle Identity Federation passes the sessionID that is being logged out to the engine, so that the engine can delete the data it kept for this user session.

Authenticated Session Creation

Using this data, the SP integration engine creates an authenticated session and redirects the user to the final target URL.
If the service needs to set cookies, the cookie path must be set to /. This is necessary because of the internal forwards between the Oracle Identity Federation and SP integration engine web applications: the user's browser needs to send the cookies related to the SP integration engine even when accessing only the federation server. Because a cookie scoped to / is sent to every web application on that host, the engine should also mark its cookies Secure and HttpOnly.
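The two legs described above, the engine setting the request attributes before handing the browser to Oracle Identity Federation and then consuming the attributes the federation server passes back when it creates the authenticated session, as an added example that is not part of this guide or of Oracle Identity Federation. The federation server's context path and start-SSO endpoint (FED_CONTEXT, START_SSO_PATH), the engine identifier, the idp and target request parameters, the use of cross-context forwarding, and the reuse of the providerid and relaystate attribute names on the initiating leg are assumptions made for illustration; the remaining attribute names are the ones listed on this page.

```java
// Added example, not Oracle's code: a minimal custom SP integration engine
// servlet built on the HttpServletRequest attributes listed above. Assumed,
// not stated on this page: FED_CONTEXT and START_SSO_PATH, that cross-context
// forwards are enabled, the "idp"/"target" parameters, and that providerid
// and relaystate are also set under those names on the initiating leg.
import java.io.IOException;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class CustomSpEngineServlet extends HttpServlet {
    private static final String FED_CONTEXT = "/fed";            // assumed federation server context
    private static final String START_SSO_PATH = "/sp/startsso"; // hypothetical start-SSO endpoint
    private static final String ENGINE_ID = "custom-sp-engine";  // hypothetical engine identifier
    // Engine state keyed by the federation session ID, so the logout flow can drop it again.
    private static final Map<String, String> USER_BY_FED_SESSION = new ConcurrentHashMap<>();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getAttribute("oracle.security.fed.sp.authnresult") == null) {
            startFederationSso(req, resp);    // first leg: the browser arrived at the engine
        } else {
            completeFederationSso(req, resp); // second leg: forwarded back by the federation server
        }
    }

    private void startFederationSso(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String idp = req.getParameter("idp");
        if (idp == null || idp.isEmpty()) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        req.setAttribute("oracle.security.fed.sp.engineid", ENGINE_ID);
        req.setAttribute("oracle.security.fed.sp.providerid", idp);
        req.setAttribute("oracle.security.fed.sp.relaystate", safeTarget(req.getParameter("target")));
        req.setAttribute("oracle.security.fed.sp.localauthn", Boolean.FALSE); // authenticate at the IdP
        req.setAttribute("oracle.security.fed.sp.usedefault", Boolean.FALSE); // honour the values below
        req.setAttribute("oracle.security.fed.sp.forceauthn", Boolean.TRUE);  // re-challenge even if logged in
        req.setAttribute("oracle.security.fed.sp.allowfedcreation", Boolean.FALSE);
        req.setAttribute("oracle.security.fed.sp.requestbinding", "httpredirect");
        req.setAttribute("oracle.security.fed.sp.responsebinding", "httppost");
        req.setAttribute("oracle.security.fed.sp.nameidformat",
                "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
        getServletContext().getContext(FED_CONTEXT)
                .getRequestDispatcher(START_SSO_PATH).forward(req, resp);
    }

    private void completeFederationSso(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!Boolean.TRUE.equals(req.getAttribute("oracle.security.fed.sp.authnresult"))) {
            log("federation SSO failed: " + req.getAttribute("oracle.security.fed.sp.topstatus")
                    + " / " + req.getAttribute("oracle.security.fed.sp.statusmessage"));
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String userId = (String) req.getAttribute("oracle.security.fed.sp.userid");
        String fedSession = (String) req.getAttribute("oracle.security.fed.sessionid");
        Date expires = (Date) req.getAttribute("oracle.security.fed.sp.expirationtime");
        // A "successful" result without a user or session ID, or already expired, is not a login.
        if (userId == null || fedSession == null || (expires != null && !expires.after(new Date()))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        @SuppressWarnings("unchecked")
        Map<String, Set<Object>> attrs =
                (Map<String, Set<Object>>) req.getAttribute("oracle.security.fed.sp.attributes");
        Set<Object> nameId = (attrs == null) ? null : attrs.get("orafed-nameid-value");
        HttpSession session = req.getSession(true);
        session.setAttribute("userid", userId);
        session.setAttribute("nameid", (nameId == null || nameId.isEmpty()) ? null : nameId.iterator().next());
        if (expires != null) { // cap the local session at the federated session's lifetime
            long secs = (expires.getTime() - System.currentTimeMillis()) / 1000;
            session.setMaxInactiveInterval((int) Math.max(1, Math.min(Integer.MAX_VALUE, secs)));
        }
        USER_BY_FED_SESSION.put(fedSession, userId);
        // Path "/" is required by the forwards between the two web applications; because such a
        // cookie reaches every application on the host, also mark it Secure and HttpOnly.
        Cookie c = new Cookie("SPENGINE", session.getId());
        c.setPath("/");
        c.setSecure(true);
        c.setHttpOnly(true);
        resp.addCookie(c);
        resp.sendRedirect(safeTarget((String) req.getAttribute("oracle.security.fed.sp.relaystate")));
    }

    // Called from the engine's logout handler with the session ID the federation server passes back.
    static void onFederationLogout(String fedSession) {
        USER_BY_FED_SESSION.remove(fedSession);
    }

    // The relay state round-trips through the IdP, so accept only a local absolute path as
    // the post-login target rather than handing the browser an open redirect.
    private static String safeTarget(String t) {
        return (t == null || !t.startsWith("/") || t.startsWith("//") || t.startsWith("/\\")) ? "/" : t;
    }
}
```

The servlet distinguishes the two legs by the presence of oracle.security.fed.sp.authnresult: the federation server sets it only on the forward back to the engine. On the return leg it refuses anything other than Boolean.TRUE, rejects a result whose expiration time is already in the past, keeps its per-user state under the oracle.security.fed.sessionid value so the logout flow can remove it, and treats the relay state as an untrusted redirect target.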