Navigate to Administration, then Authentication Engines, then Oracle Access

Deploying Oracle Identity Federation 3-13

Using an Alternate Return Attribute for the HTTP Header

When Oracle Identity Federation is integrated with Oracle Access Manager for authentication, WebGate is protecting the feduserauthnoam URL, and Oracle Access Manager is configured to pass the user identifier as an HTTP header to Oracle Identity Federation, the policy protecting the feduserauthnoam URL contains an authorization rule with an action that adds an HTTP header whose return attribute references the user ID from the LDAP user record. This return attribute is the same as the Unique User ID set in Fusion Middleware Control when you navigate to the Oracle Identity Federation instance, then Administration, then Data Stores, then the User Data Store section.

Due to a bug, orclguid cannot be used as the return attribute for the HTTP header that carries the user identifier. As a workaround, the unique user identifier must be changed to another attribute. To perform the change:

■ Change the return attribute in the Oracle Access Manager console to the new attribute (uid, for example).
■ In Fusion Middleware Control, navigate to the Oracle Identity Federation instance, then Administration, then Data Stores, then User Data Store, and change the Unique User ID to the new attribute (uid, for example).
■ If other authentication engines were used, check that their Unique User ID attribute is correctly updated.
■ If Oracle Identity Federation was integrated with Oracle Access Manager through the Oracle Access Manager SP Integration Module, update the integration: after performing the above changes, navigate to the Oracle Identity Federation instance in Fusion Middleware Control, then Administration, then SP Integration Modules, then OAM SP Engine, enter the Oracle Access Manager administrator credentials, select the created authentication schemes to be updated, and click Configure Oracle Access Manager; this updates the mapping rules in Oracle Access Manager to reflect the new attribute.

3.2.3.3 Integrate Oracle Access Manager as an SP Integration Module

This task enables the SP integration module to interact with Oracle Access Manager. The basic steps are:

■ Verify requirements
■ Install Oracle Access Server SDK
■ Integrate Oracle Access Manager with Oracle Access Server SDK
■ Update the Oracle WebLogic Server Classpath
■ Configure Oracle Identity Federation
■ Integrate Oracle Identity Federation with Oracle Access Manager
■ Protect an Oracle Access Manager Resource with Oracle Identity Federation

Verify Requirements

Take these steps:

Note: The fix for Oracle Access Manager bug 5736326 is required when protecting the feduserauthnoam URL with HTTP Basic Authentication.

3-14 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

1. Ensure Access Server SDK 10g is installed.
2. In a high availability (HA) environment, the Access Server SDK needs to be installed on the different machines, and integrated as different AccessGates with Oracle Access Manager.

Install Oracle Access Server SDK

Configure Oracle Identity Federation to reference the directory where the SDK is installed. If the SDK is installed in the Domain Home directory, you can reference the SDK folder relative to the Domain Home folder; otherwise, Oracle Identity Federation needs to reference the SDK folder using an absolute path.

To use Oracle Identity Federation in an HA environment, it is preferable to install the Access Server SDK under the Domain Home folder, using the same directory name (relative path) on the different machines where Oracle Identity Federation is installed. This way, the different Oracle Identity Federation instances share the same configuration; specifically, the directory where the Access Server SDK is installed has the same value for all the Oracle Identity Federation instances.

Integrate Oracle Access Manager with Oracle Access Server SDK

This task enables a new AccessGate to be associated with an Access Server instance.

On the Oracle Access Manager console, create the new AccessGate with Access Management Service enabled, and associate it with the Access Server instance. Integrate the Access Server SDK by invoking the configureAccessGate script:

ACCESS_SERVER_SDK/oblix/tools/configureAccessGate -i ACCESS_SERVER_SDK -t AccessGate -w ACCESS_GATE_ID -m open -h ACCESS_SERVER_HOST -p ACCESS_SERVER_PORT

replacing:

■ ACCESS_SERVER_SDK by the absolute path of the Access Server SDK directory
■ ACCESS_GATE_ID by the identifier for this AccessGate
■ ACCESS_SERVER_HOST by the hostname of the machine where the Access Server is installed
■ ACCESS_SERVER_PORT by the port of the Access Server.

Note: When deploying in an HA environment, be sure to read and complete the instructions in the section High Availability Considerations for Integration with Oracle Access Manager in the Oracle Fusion Middleware High Availability Guide. Be sure to follow the directions regarding the directory where the Access Server SDK is installed, and restart all managed servers.

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 10g for details about the Web-based user interface.
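As an added example, not from the Oracle guide, the POSIX shell functions below resolve the SDK reference the way the text describes (relative to Domain Home, or absolute) and assemble the configureAccessGate command line, refusing an empty AccessGate id or a non-numeric port before anything is run; the Domain Home, gate id, host and port values are constructed.

```shell
#!/bin/sh
# Added example (not Oracle's script): resolve the Access Server SDK directory and
# build the configureAccessGate invocation shown in the guide. All sample values
# (Domain Home, SDK folder name, gate id, host, port) are constructed.

# Resolve the SDK reference to an absolute path.
#   $1 = Domain Home, $2 = SDK reference (absolute path, or path relative to Domain Home)
resolve_sdk_dir() {
  case "$2" in
    /*) printf '%s\n' "$2" ;;               # already absolute: use as-is
    *)  printf '%s/%s\n' "${1%/}" "$2" ;;   # relative: anchor under Domain Home
  esac
}

# Build (without running) the configureAccessGate command line.
#   $1 = Domain Home, $2 = SDK reference, $3 = AccessGate id,
#   $4 = Access Server host, $5 = Access Server port
# Returns 1 on an empty gate id or a non-numeric port so a typo never reaches the SDK.
build_configure_cmd() {
  sdk=$(resolve_sdk_dir "$1" "$2")
  [ -n "$3" ] || { echo "AccessGate id must not be empty" >&2; return 1; }
  case "$5" in
    ''|*[!0-9]*) echo "port must be numeric: '$5'" >&2; return 1 ;;
  esac
  # -m open is the mode used in the guide's example invocation.
  printf '%s/oblix/tools/configureAccessGate -i %s -t AccessGate -w %s -m open -h %s -p %s\n' \
    "$sdk" "$sdk" "$3" "$4" "$5"
}

# Sample call (constructed values): SDK installed under Domain Home as "oamsdk", the
# HA-friendly layout the text recommends, so every node resolves the same reference.
build_configure_cmd /u01/domains/oif_domain oamsdk oif_accessgate oam.example.com 6021
```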