SP Integration Engine Framework

10-8 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

1. Logging out the user from the authentication engines
2. Logging out the user from the SP engines
3. Performing the SAML/WS-Fed Global Logout profiles
4. Logging the user out from Oracle Identity Federation

Figure 10–2 Oracle Identity Federation Module Interactions

There are several ways to invoke the logout:

■ The user invokes the Oracle Identity Federation logout server at /fed/user/logout, specifying an optional return URL. In this case, Oracle Identity Federation logs the user out from the authentication/SP engines, the remote SAML providers and Oracle Identity Federation itself, and then redirects the user to the return URL or displays the logout result page.
■ The user is redirected from a remote SAML/WS-Fed provider to Oracle Identity Federation using the Global Logout protocol. In this case, Oracle Identity Federation logs the user out from the authentication/SP engines, the remote SAML/WS-Fed providers except the one that sent the logout message, and Oracle Identity Federation itself, and then redirects the user back to the remote SAML provider that sent the original message.
■ The user initiates logout from an environment integrated with an authentication/SP engine. In that case, that environment invokes the authentication/SP engine for logout, and the engine then sends the user to Oracle Identity Federation for logout. From that point, Oracle Identity Federation logs the user out from the authentication/SP engines except the engine that redirected the user to Oracle Identity Federation, and from Oracle Identity Federation itself, and then redirects the user back to the authentication/SP engine that started the flow.

Oracle Identity Federation invokes Authn/SP Engine

Note: Internal forwards are used to send the user from Oracle Identity Federation to the authentication/SP engines and from the authentication/SP engines to Oracle Identity Federation.

Integrating with Third-Party Identity and Access Management Modules 10-9

When Oracle Identity Federation sends the user to the authentication/SP engine, it:

1. Performs an internal forward to the web context and relative logout path of the engine
2. Specifies the engine ID of the invoked engine for logout
3. Optionally specifies the identifier of the user session being logged out

When the authentication/SP engine has logged the user out, the engine internally forwards the user back to Oracle Identity Federation; it:

1. Performs an internal forward to the /fed web context and /user/logoutretsso
2. Specifies the engine ID of the invoked engine

Authn/SP invokes Oracle Identity Federation

When an authentication/SP engine invokes Oracle Identity Federation for logout, it:

1. Performs an internal forward to the /fed web context and /user/logoutsso
2. Specifies the engine ID of the invoked engine for logout
3. Specifies a return URL to which Oracle Identity Federation redirects the user after logout

At the end of the logout flow, the user is logged out from Oracle Identity Federation and redirected to the return URL.
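As an added example (not code from the guide or from Oracle Identity Federation), a minimal Java servlet that implements the logout service of a custom engine for both directions described above: being invoked by the federation server and handing the user to it. The engine ID value, the request attribute names and the return URL are assumptions; the page says an engine ID, a session ID and a return URL travel on the internal forward but does not name the attributes that carry them, so the names below are placeholders to be replaced with the ones defined in Section 10.5, "Logout".

```java
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Logout service of a custom engine, covering both logout directions described above. */
public class EngineLogoutServlet extends HttpServlet {
    // Engine ID under which this engine is registered in Oracle Identity Federation (hypothetical).
    private static final String ENGINE_ID = "MyCustomAuthnEngine";
    // Attribute names are ASSUMED placeholders; Section 10.5, "Logout" defines the real ones.
    private static final String ATTR_ENGINE_ID = "ASSUMED.fed.engineid";
    private static final String ATTR_RETURN_URL = "ASSUMED.fed.returnurl";
    // Fixed post-logout page, never read from the request, so the flow is not an open redirect.
    private static final String RETURN_URL = "https://app.example.com/loggedout";
    private static final String ENGINE_COOKIE = "ENGINE_SSO";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Local cleanup in both directions: drop the engine session and expire its cookie,
        // otherwise the user stays authenticated at the engine after the federation logout.
        if (req.getSession(false) != null) req.getSession(false).invalidate();
        Cookie expired = new Cookie(ENGINE_COOKIE, "");
        expired.setMaxAge(0); expired.setPath("/");  // must match the path set at login
        resp.addCookie(expired);
        String path;
        if (req.getAttribute(ATTR_ENGINE_ID) != null) {
            // Oracle Identity Federation forwarded the user here (engine ID set, session ID
            // optional): return the user to /fed/user/logoutretsso with our engine ID.
            path = "/user/logoutretsso";
        } else {
            // Logout began on our side: hand the user to /fed/user/logoutsso with our
            // engine ID and the return URL the federation server redirects to afterwards.
            req.setAttribute(ATTR_RETURN_URL, RETURN_URL);
            path = "/user/logoutsso";
        }
        req.setAttribute(ATTR_ENGINE_ID, ENGINE_ID);
        // Internal forward into the /fed web context; getContext() returns null when the
        // container disallows cross-context dispatch, so fail closed rather than throw NPE.
        ServletContext fed = getServletContext().getContext("/fed");
        if (fed == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "/fed context unreachable");
            return;
        }
        fed.getRequestDispatcher(path).forward(req, resp);
    }
}
```

Cross-context forwarding must be enabled on the container for the engine's web application, or the /fed context lookup above returns null and the logout cannot complete.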

10.2.5 Requirements

Oracle Identity Federation's design is consistent with certain requirements for authentication operations and SP integration where a user session is created at the IAM server. Consequently, you must meet the following requirements when implementing a custom authentication engine or an SP integration engine:

■ The authentication engine, the SP integration engine, the Oracle Identity Federation engine and the IAM server must use the same user data store as the user repository. This store contains the user data used to look up and authenticate users.
■ The authentication engine and the SP integration engine must include a Java Servlet/JSP.
■ The data exchanges between Oracle Identity Federation and the authentication/SP integration engines are done via internal HTTP request forwarding. This is actually an internal API call between the modules that relies on the J2EE servlet framework via the HTTP protocol.
■ A logout service needs to be implemented and made available to the authentication engine and/or the SP integration engine. This logout service must be published as a Servlet/JSP.

10.3 Creating a Custom Authentication Engine

This section explains how to plan, develop, and implement a custom authentication engine.

10.3.1 Planning a Custom Authentication Engine

Creating a customized authentication engine involves:

■ creating a service that will process incoming requests from Oracle Identity Federation
■ implementing a module to authenticate a user
■ creating a service that forwards the user to the federation server with the required information
■ deciding whether the authentication engine will set a cookie after authenticating a user. If yes, the authentication module must be integrated into the logout process (see Section 10.5, "Logout")