Select the Authorization Rules panel and add an authorization rule for each set of

5-42 Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation

■ Description: as appropriate
■ Authentication Scheme: OIF Attribute Sharing
Click Save.

7. Select the Authorization Expression panel and add the default authorization rule:
■ Select the applicable remote authorization rule as defined above and click Add (for example, Peer Marketing VP).
■ If there is a corresponding local authorization rule, select OR and add the local authorization rule (for example, Peer Marketing VP | Company Marketing VP).
Click Save.

8. Alternatively, you can add policies to the policy domain with authorization expressions for subsets of the protected URLs.

5.6.5 Configuring Oracle Identity Federation as an SP Attribute Requester

Take these steps to configure Oracle Identity Federation as an attribute requester in service provider mode:

1. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

2. Enable the Attribute Requester functionality:
■ Navigate to Administration, then Service Provider.
■ Check the Enable Attribute Requester Service box, and click Apply.

Note: Checking the Enable Attribute Requester Service box enables the Attribute Requester feature. It also modifies the SP's metadata to include information about the Attribute Requester service. Note that the metadata at the peer providers' sites must be updated with the new version.

3. Upload the SAML 1.x or SAML 2.0 IdP metadata, or manually create an entry for a SAML 1.x provider:
■ Navigate to Administration, then Federations.
■ Click Add.
■ To upload SAML 1.x or SAML 2.0 metadata, select Upload Metadata and enter the location of the IdP metadata and an additional description.
■ To add a SAML 1.x provider manually, select Add Trusted Provider Manually, enter the Provider ID and the Provider Version (SAML 1.1 or SAML 1.0), select Identity Provider and Attribute Responder as the Provider Type, and enter an additional description.
■ Click OK.

4. Configure the DN to IdP mapping:
■ Navigate to Administration, then Service Provider.
■ Click Configure Attribute Requester Service.
■ Select the Default Attribute Authority from the drop-down list, and click Apply.
■ To add a mapping:
– Click Add.
– Enter the DN or sub-DN (for example, c=us).
– Map this DN or sub-DN to an existing IdP.
– Repeat the operation if necessary.
■ Click OK.

5. Enable and configure certificate validation:
■ Navigate to Administration, then Security and Trust.
■ Select Enable Certificate Validation, and click Apply.
■ Add Trusted CAs or CRLs by clicking Add in the corresponding table and selecting the location of the CA or the CRL.

Note: If certificate validation is enabled, a Trusted CA is required to validate signatures.

Note: Configuring the DN to IdP mapping and certificate validation is optional.

6. If using SAML 2.0, enable encryption:
■ Navigate to Administration, then Service Provider.
■ In the SAML 2.0 tab, under Protocol Settings:
– Check Send Encrypted NameIDs to encrypt the Name Identifiers in the AttributeQuery to the Attribute Responder.
– Check Send Encrypted Attributes to encrypt the Attributes in the AttributeQuery to the Attribute Responder.
■ Click Apply.

Note: Encryption is optional.

7. The Attribute Requester service is available at http://sp-hostname:port/fed/ar/soap.

After enabling the attribute requester capabilities and setting the Default Attribute Authority and/or the DN Mappings, you must configure the attribute name mappings and the attribute value mappings. See Section 5.9.2, "Mapping and Filtering Configuration" for more information.

Additional topics include:
■ If Using HTTP Basic Authentication With OHS
■ If Using HTTP Basic Authentication Without OHS
■ If Using SSL Client Authentication
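Step 4 describes the mapping table (DN or sub-DN to IdP, plus a Default Attribute Authority) but not how a user's DN is matched against it. The following Python is an added illustration, not code from the Oracle guide or from Oracle Identity Federation: it models one plausible rule, in which the most specific configured sub-DN that is a suffix of the user's DN selects the IdP and the Default Attribute Authority is used when nothing matches. The suffix-match rule, the case-insensitive RDN comparison, and all provider IDs and DNs are assumptions constructed for the example.

```python
# Added example, not from the Oracle guide or Oracle Identity Federation:
# one plausible reading of the step-4 table, in which a configured sub-DN
# selects an IdP for every user whose DN ends with it, the most specific
# match wins, and the Default Attribute Authority covers everyone else.
# The matching rule, provider IDs and DNs are assumptions for this example.
from __future__ import annotations

from typing import Optional


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDNs, most specific first.

    Backslash-escaped commas stay inside their value; attribute names and
    values are lower-cased and trimmed so that 'C=US' compares equal to 'c=us'.
    """
    rdns: list[str] = []
    current, escaped = "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
    rdns.append(current)
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed


class AttributeAuthorityResolver:
    """Pick the IdP that should receive the AttributeQuery for a user DN."""

    def __init__(self, mappings: dict[str, str], default_authority: Optional[str]):
        # mappings: configured DN or sub-DN -> IdP provider ID (pre-parsed once).
        self._rules = [(parse_dn(sub_dn), idp) for sub_dn, idp in mappings.items()]
        self._default = default_authority

    def resolve(self, user_dn: str) -> Optional[str]:
        user = parse_dn(user_dn)
        best_len, best_idp = 0, None
        for sub_dn, idp in self._rules:
            n = len(sub_dn)
            # A sub-DN applies when it equals the tail of the user's DN;
            # a longer (more specific) sub-DN beats a shorter one.
            if n <= len(user) and user[-n:] == sub_dn and n > best_len:
                best_len, best_idp = n, idp
        return best_idp if best_idp is not None else self._default


# Constructed configuration mirroring the Configure Attribute Requester Service page.
RESOLVER = AttributeAuthorityResolver(
    mappings={
        "c=us": "https://idp-us.example.com/fed/idp",
        "o=acme,c=us": "https://idp-acme.example.com/fed/idp",
        "c=fr": "https://idp-fr.example.com/fed/idp",
    },
    default_authority="https://idp-default.example.com/fed/idp",
)

if __name__ == "__main__":
    for dn in ("cn=alice,ou=sales,o=acme,c=us", "cn=bob,o=other,C=US", "cn=carol,o=x,c=de"):
        print(f"{dn} -> {RESOLVER.resolve(dn)}")
```

Because the default authority is a fallback rather than a match, a DN under an unexpected naming context is silently routed to it; when reviewing the mapping table, check that the default IdP is actually authoritative for every user population not covered by an explicit sub-DN.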

5.6.5.1 If Using HTTP Basic Authentication With OHS

If using basic authentication between the plug-in and Oracle Identity Federation, you need to add the following to the httpd.conf file of the OHS for your Oracle Identity Federation instance:

<LocationMatch /fed/ar/soap>
    AllowOverride None
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /private/oif/password
    Require user alice
    Order allow,deny
    Allow from all
</LocationMatch>

A user passwords file must also be created using the htpasswd utility. In the above example, the AuthUserFile containing the users and their passwords points to the /private/oif/password file, in which the user alice is defined. This example creates such a file by adding the user alice:

ORACLE_HOME/ohs/bin/htpasswd -c /private/oif/password alice
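The LocationMatch block above is an Apache directive: its argument is a regular expression tested against the request path, and the AuthUserFile holds user:hash lines written by htpasswd. The following Python is an added example, not code from the Oracle guide or from Oracle HTTP Server, that models the decision OHS makes for a request to the attribute requester endpoint: whether the block applies to the path, whether the Authorization header carries credentials present in the file, and whether the authenticated user is the one named in Require user. The htpasswd content and passwords are constructed and use the {SHA} scheme that htpasswd -s writes; the MD5-based default scheme is not implemented here.

```python
# Added example, not from the Oracle guide or Oracle HTTP Server: models how
# the <LocationMatch /fed/ar/soap> block and its AuthUserFile gate a request.
# The htpasswd content below is constructed and uses the {SHA} scheme that
# "htpasswd -s" writes; the MD5-based default scheme is not implemented here.
from __future__ import annotations

import base64
import hashlib
import hmac
import re

# LocationMatch takes a regular expression and applies it anywhere in the
# request path unless the pattern is anchored, exactly like the directive.
LOCATION_PATTERN = re.compile(r"/fed/ar/soap")
REQUIRED_USER = "alice"  # mirrors "Require user alice"


def sha_entry(password: str) -> str:
    """Stored form written by htpasswd -s: '{SHA}' + base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed /private/oif/password content (passwords chosen for the example).
HTPASSWD_FILE = f"alice:{sha_entry('correct horse')}\nbob:{sha_entry('other secret')}\n"


def basic_header(user: str, password: str) -> str:
    """Authorization header value the SP plug-in would send to the endpoint."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def location_applies(path: str) -> bool:
    """True when the LocationMatch block, and so Basic Auth, governs this path."""
    return LOCATION_PATTERN.search(path) is not None


def load_htpasswd(text: str) -> dict[str, str]:
    """Parse htpasswd lines into {user: stored_hash}; blanks and comments skipped."""
    users: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def verify_entry(stored: str, password: str) -> bool:
    """Check a {SHA} entry with a constant-time comparison."""
    if not stored.startswith("{SHA}"):
        raise ValueError("this example only handles {SHA} entries")
    return hmac.compare_digest(stored, sha_entry(password))


def authorize(path: str, authorization: str | None, htpasswd_text: str) -> tuple[bool, str]:
    """Decide whether the request is allowed and why.

    "Order allow,deny" / "Allow from all" in the directive admits every client
    host, so only the path match and the Basic credentials are modelled.
    """
    if not location_applies(path):
        return True, "outside LocationMatch: no authentication required"
    if not authorization or not authorization.startswith("Basic "):
        return False, "no Basic credentials: 401 challenge"
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False, "malformed Basic credentials: 401 challenge"
    user, sep, password = decoded.partition(":")
    users = load_htpasswd(htpasswd_text)
    if not sep or user not in users or not verify_entry(users[user], password):
        return False, "unknown user or wrong password: 401 challenge"
    if user != REQUIRED_USER:
        return False, f"authenticated as {user!r} but Require user names {REQUIRED_USER!r}"
    return True, f"authenticated as {user!r}"
```

Two points the configuration does not spell out: LocationMatch is an unanchored regex, so the pattern /fed/ar/soap also covers any longer path that contains it, and htpasswd -c creates the password file anew, so running it again with -c for a second user overwrites the first entry; add further users without -c.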

5.6.5.2 If Using HTTP Basic Authentication Without OHS

If using HTTP Basic Authentication without Oracle HTTP Server, see Section 6.9.2, "HTTP Basic Authentication".

5.6.5.3 If Using SSL Client Authentication

If using client certificate authentication, see Section 8.1, "Configuring SSL for Oracle Identity Federation".

5.6.6 Configuring Oracle Identity Federation as an IdP Attribute Responder

Take these steps:

1. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

2. Enable the Attribute Responder functionality:
■ Navigate to Administration, then Identity Provider.
■ In the SAML 2.0 or SAML 1.x tab, select Enable Attribute Query Responder. If using SAML 2.0, select Use Identity Federation for Attribute Response if you want the user in the attribute request to be located in the IdP using its federated identity. Note that if using this setting, the user must have a federation identity, and its Name ID value and format must match the subject value and format specified in the AttributeQuery.
■ Click Apply.

Note: Checking the Attribute Responder Enabled box enables the attribute authority feature. It also modifies the IdP's metadata to include information about the attribute authority service. Note that the metadata at the peer providers' sites must be updated with the new version.
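Step 6 of Section 5.6.5 and step 2 above both turn on the contents of the SAML 2.0 AttributeQuery: the SP may encrypt the NameID and the requested Attributes, and the IdP, when Use Identity Federation for Attribute Response is selected, must find a federated identity whose Name ID value and Format match the Subject of that query. The following Python is an added example, not code from the Oracle guide or from Oracle Identity Federation, that parses a query with the standard library and reports both facts, so an administrator can confirm from a captured message which of the two encryption settings is actually in effect and whether a plaintext subject would match the identity on file. The two AttributeQuery documents and the federation record are constructed for the example; the encrypted payloads are placeholders and no decryption is performed.

```python
# Added example, not from the Oracle guide or Oracle Identity Federation:
# inspects a SAML 2.0 AttributeQuery for (a) EncryptedID / EncryptedAttribute
# elements, i.e. whether "Send Encrypted NameIDs" and "Send Encrypted
# Attributes" took effect, and (b) whether a plaintext Subject NameID matches a
# federated identity by value and Format, as the responder step requires.
# Both queries and the identity record are constructed; the EncryptedData
# bodies are placeholders, not real ciphertext, and nothing is decrypted.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"samlp": SAMLP, "saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed: a query sent with both encryption options unchecked.
PLAINTEXT_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_q1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/fed/sp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">a7f3c9e1d2b4</saml:NameID>
  </saml:Subject>
  <saml:Attribute Name="mail"/>
</samlp:AttributeQuery>"""

# Constructed: the same query after both "Send Encrypted ..." boxes were checked.
ENCRYPTED_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:xenc="{XENC}" ID="_q2" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/fed/sp</saml:Issuer>
  <saml:Subject>
    <saml:EncryptedID><xenc:EncryptedData>PLACEHOLDER</xenc:EncryptedData></saml:EncryptedID>
  </saml:Subject>
  <saml:EncryptedAttribute><xenc:EncryptedData>PLACEHOLDER</xenc:EncryptedData></saml:EncryptedAttribute>
</samlp:AttributeQuery>"""

# Constructed federated identity record, as the IdP would hold it for the user.
FEDERATION_RECORD = {"name_id": "a7f3c9e1d2b4", "format": PERSISTENT}


def inspect_query(xml_text: str) -> dict:
    """Summarize the subject and attribute encryption state of an AttributeQuery."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError(f"not a SAML 2.0 AttributeQuery: {root.tag}")
    subject = root.find("saml:Subject", NS)
    if subject is None:
        raise ValueError("AttributeQuery has no Subject")
    name_id = subject.find("saml:NameID", NS)
    encrypted_id = subject.find("saml:EncryptedID", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id_encrypted": encrypted_id is not None,
        "name_id_value": None if name_id is None else (name_id.text or "").strip(),
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes_encrypted": len(root.findall("saml:EncryptedAttribute", NS)) > 0,
        "plaintext_attributes": [a.get("Name") for a in root.findall("saml:Attribute", NS)],
    }


def subject_matches_federation(summary: dict, record: dict) -> bool:
    """Apply the rule from the guide: Name ID value and Format must both match
    the federated identity. An EncryptedID cannot be compared before decryption,
    so it is reported as not matching here."""
    if summary["name_id_encrypted"]:
        return False
    return (summary["name_id_value"] == record["name_id"]
            and summary["name_id_format"] == record["format"])


if __name__ == "__main__":
    for label, doc in (("plaintext", PLAINTEXT_QUERY), ("encrypted", ENCRYPTED_QUERY)):
        summary = inspect_query(doc)
        print(label, summary, "matches:", subject_matches_federation(summary, FEDERATION_RECORD))
```

Run against a message captured at the /fed/ar/soap endpoint, the summary shows directly whether the peer's metadata and the SP setting agree: a query that still carries a plaintext NameID after Send Encrypted NameIDs was checked usually means the IdP's updated metadata (with its encryption key) has not yet been loaded at the SP.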