Configure OpenID SP Properties

5-32 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

specified and the authentication request format is based solely on the RP configuration.

■ Force User Consent - Check this box to prompt the user for consent for any new federation (that is, a new ClaimedID) created between the IdP/OP, the RP/SP, and the user.
■ Default Authentication Mechanism - Holds the local authentication mechanism to use as the authentication method to authenticate the user at the IdP/OP, if the assertion uses the PAPE authentication policy.
■ Enabled Session Types - Use the drop-down to list the enabled session types that can be used during the association exchange. Possible values:
  – no-encryption
  – dh-sha1
  – dh-sha256
■ Enabled Association Session Types - Use the drop-down to list the enabled association types that the OP supports. Possible values:
  – hmac-sha1
  – hmac-sha256
■ Default Association Session Type - Specify the default association session type from one of the enabled types.
■ Force User Consent - Check the box to prompt the user for consent for any new federation (that is, a new ClaimedID) created between the OP, the RP, and the user.
■ Force User Consent Web Context - Contains the Web context of the OpenID consent page to be used instead of the Oracle Identity Federation OpenID built-in consent page.
■ Generate Diffie-Hellman parameters when initiating associations - Check the box to generate Diffie-Hellman parameters when initiating associations of type DH-SHA1 or DH-SHA256. If not checked, default values are used.
■ Enable PAPE 1.0 - Check this box to enable the PAPE 1.0 extension. With this feature you can specify one or more of:
  – US Government Level of Assurance Policy
  – PPID Policy
  – US Government OpenID Trust Level 1 Policy
  – US Government No PII Policy

Note: Changes in session type and/or association session type require a restart of the Oracle Identity Federation server.

5.6 Configuring Attribute Sharing with the Oracle Access Manager AuthZ Plug-in

Attribute sharing is a joint feature of Oracle Access Manager and Oracle Identity Federation that implements the SAML Attribute Sharing Profile for X.509 Authentication-Based Systems. In this profile, a user who requests a protected resource or service is authenticated with SSL client X.509 certificates, but authorization is performed with user attributes retrieved from the user's home organization using the SAML protocol. The user's home organization is the identity provider (IdP), and the organization performing authentication and authorization is the service provider (SP).

This section explains how to configure Oracle Access Manager and Oracle Identity Federation for attribute sharing. It contains these topics:
■ Components Used for Attribute Sharing
■ Remote and Local Users
■ Configuring the Oracle Access Manager Plug-ins
■ Configuring Oracle Access Manager Schemes and Policies
■ Configuring Oracle Identity Federation as an SP Attribute Requester
■ Configuring Oracle Identity Federation as an IdP Attribute Responder
■ Configuring Oracle Identity Federation for SSL

5.6.1 Components Used for Attribute Sharing

Attribute sharing uses several Oracle Access Manager and Oracle Identity Federation components. The instructions assume that these components have been installed and configured for their normal operation.

Service Provider Components

SP components include:
■ Web Server with an Access Manager WebGate - for HTTP requests for a protected URL, performs the SSL client certificate authentication and enforces the access decision from the Oracle Access Manager server.
■ Oracle Access Manager - performs authentication and authorization for the WebGate. Uses these custom plug-ins for the attribute sharing feature:
  – authz_attribute Authentication Plug-in - passes the certificate SubjectDN to the authz_attribute authorization plug-in.
  – authz_attribute Authorization Plug-in - uses the Attribute Requester Service to retrieve attribute values for the user's SubjectDN and evaluates a rule expression with the attribute values to determine whether access is allowed.
■ Oracle Identity Federation Attribute Requester Service - sends a SAML 1.x or SAML 2.0 attribute query to the IdP Attribute Responder Service determined by the user's SubjectDN, and returns the retrieved attributes to the authz_attribute plug-in.

Note: The authentication and authorization plug-ins use the same authz_attribute library.

IdP Component

Oracle Identity Federation Attribute Responder Service (or another SAML 1.x or SAML 2.0-compliant federation product) - receives a SAML attribute query from the SP Attribute Requester Service, retrieves the attributes for the specified user subject to local policy controls, and returns a response with the attributes to the Attribute Requester Service.

5.6.2 Remote and Local Users

In addition to remote users authorized by SAML attribute retrieval, the protected resource may also be accessed by local users whose attributes are defined within the service provider's Oracle Access Manager user directory. Local users, configured as discussed here, are detected by the authz_attribute authentication plug-in, which returns a Failure status. The authentication scheme described later uses this status to create a local session for the user, so that authorization rules with local LDAP filters can be applied.

5.6.3 Configuring the Oracle Access Manager Plug-ins

Take these steps to configure the Oracle Access Manager plug-ins:

1. Log in to the Access Server host as the user who installed the Access Server.
2. Create the directory INSTALLDIR/oblix/config/attributePlug-in, if it does not already exist.
3. Edit or create the config.xml file in the INSTALLDIR/oblix/config/attributePlug-in directory, using the sample config.xml file shown here as a template.
4. Edit the attributes and elements of the config.xml file as required.
5. Restart the Access Server for the changes to take effect.

Sample config.xml

Here is a sample config.xml file (the angle brackets, quotes and path separators lost in extraction have been restored):

    <Config LogLevel="audit" WaitTime="30" SizeLimit="0" MaxConnections="5"
            InitialConnections="2" Authn="basic" Username="coreid-as-ashost-6021"
            Password="xyzzy" KeyPassword="abcde" CacheTimeout="3600"
            MaxCachedUsers="1000" HeaderKeyLength="128" RequestFormat="values">
      <!-- Users under this DN are local users; no SAML attribute query is sent -->
      <Mapping Local="true">
        <DN>O=Company,C=US</DN>
      </Mapping>
      <!-- Users under these DNs are queried through the Attribute Requester Service at this URL -->
      <Mapping URL="https://fed1.company.com:7499/fed/ar/soap">
        <DN>O=PeerA,C=US</DN>
        <DN>O=PeerB,C=US</DN>
      </Mapping>
      <!-- RequestFormat on a Mapping overrides the Config-level default for that mapping -->
      <Mapping URL="https://fed2.company.com:7499/fed/ar/soap" RequestFormat="all">
        <DN>O=PeerC,C=US</DN>
        <DN>O=PeerD,C=US</DN>
      </Mapping>
      <!-- Catch-all for any other US subject -->
      <Mapping URL="https://fed3.company.com:7499/fed/ar/soap">
        <DN>C=US</DN>
      </Mapping>
    </Config>

Configuration Parameters

The configuration parameters are:

See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 10g for details about the Web-based user interface.
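As an added illustration (not Oracle's authz_attribute plug-in code), the following Python parses a config.xml in the format above and shows how a certificate SubjectDN selects a Mapping: the Local mapping for the local users of Section 5.6.2, or the Attribute Requester Service URL for remote users. It assumes that the Mapping whose DN is the longest matching suffix of the SubjectDN wins and that a Mapping's RequestFormat overrides the Config default; the page does not spell out either rule, and the sample config is constructed.

```python
"""Resolve which Attribute Requester <Mapping> applies to a certificate SubjectDN.

Constructed example, not Oracle's authz_attribute plug-in code.  Assumed rules
(the page does not spell them out): the <Mapping> whose <DN> is the longest
matching suffix of the SubjectDN wins, and a Mapping's RequestFormat overrides
the <Config> default.
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the page's sample config.xml (trimmed).
SAMPLE_CONFIG = """<Config LogLevel="audit" RequestFormat="values">
  <Mapping Local="true"><DN>O=Company,C=US</DN></Mapping>
  <Mapping URL="https://fed1.company.com:7499/fed/ar/soap">
    <DN>O=PeerA,C=US</DN><DN>O=PeerB,C=US</DN>
  </Mapping>
  <Mapping URL="https://fed2.company.com:7499/fed/ar/soap" RequestFormat="all">
    <DN>O=PeerC,C=US</DN>
  </Mapping>
  <Mapping URL="https://fed3.company.com:7499/fed/ar/soap"><DN>C=US</DN></Mapping>
</Config>"""


def _rdns(dn):
    """Split a DN into normalised RDNs: 'cn=a, O=B' -> ['CN=A', 'O=B']."""
    return [part.strip().upper() for part in dn.split(",") if part.strip()]


def resolve_mapping(config_xml, subject_dn):
    """Pick the most specific <Mapping> for subject_dn.

    Returns {'local': bool, 'url': str | None, 'request_format': str}, or
    None when no <DN> suffix matches (assumed: nowhere to query, so deny).
    """
    root = ET.fromstring(config_xml)
    subject = _rdns(subject_dn)
    best, best_len = None, 0
    for mapping in root.findall("Mapping"):
        for dn_el in mapping.findall("DN"):
            pattern = _rdns(dn_el.text or "")
            n = len(pattern)
            # Match when the pattern equals the trailing RDNs of the subject.
            if 0 < n <= len(subject) and subject[-n:] == pattern and n > best_len:
                best, best_len = mapping, n
    if best is None:
        return None
    return {
        # Local="true" marks users handled locally (Section 5.6.2), no SAML query.
        "local": best.get("Local", "false").lower() == "true",
        "url": best.get("URL"),
        "request_format": best.get("RequestFormat", root.get("RequestFormat", "values")),
    }
```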