Developing and Implementing the Authentication Module

Integrating with Third-Party Identity and Access Management Modules 10-13

being logged out to the engine, so that the engine can delete the data that was used for this user session, identified by oracle.security.fed.sessionid.

Here are some additional implementation requirements:

■ If the service needs to set any cookies, perform this operation before forwarding the user to the federation server.

■ Set the cookie path value to /. This is required because of the internal forwards between the Oracle Identity Federation web application and the authentication engine web application; the user's browser needs to send the cookies related to the authentication engine even when it is accessing only the federation server. This way, at an internal forward from the federation server to the authentication engine, the cookies set by the engine are available in the HTTP request.

10.3.3 Sample Authentication Module for Oracle Single Sign-On Integration

This section describes how to integrate a custom authentication engine with OracleAS Single Sign-On.

Setup

In this example, the application server where Oracle Identity Federation is running has been integrated with the Oracle Single Sign-On server, and the SSO module statically protects the /engine/forward.jsp URL. Additionally, the user data store configured for Oracle Identity Federation references the Oracle Internet Directory server used by Oracle Single Sign-On.

Notes:

■ If the oracle.security.fed.authn.userid attribute is empty but the oracle.security.fed.authn.authntime and oracle.security.fed.authn.authnmech attributes are not empty, it tells Oracle Identity Federation that the authentication succeeded, but that the user is unknown on the server. This is useful when Oracle Identity Federation, acting as an IdP, is configured to use the attributes passed by the engine to create an assertion. If the oracle.security.fed.authn.userid attribute is null, the IdP must be configured not to use any federation data stores, since the assertion data will be based solely on information passed from the custom authentication engine.

■ Use the XML-based federation store only for testing, and not in a production environment.

■ If the oracle.security.fed.authn.authntime or oracle.security.fed.authn.authnmech attributes are empty, it tells Oracle Identity Federation that the authentication failed.

See Also: Section 3.2.2, Deploying Oracle Identity Federation with Oracle Single Sign-On, for more information on SSO integration.

10-14 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

Packaging

The authentication engine consists of a Web application with a root context set to /engine, and contains two JSP pages:

■ authentication.jsp, which processes the incoming request from Oracle Identity Federation.
■ forward.jsp, which is protected by Oracle Single Sign-On, and which forwards the user back to the federation server with the required data.

Adding the Engine

To add the engine:

■ Go to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
■ Navigate to Administration, then Authentication Engines. Select the Authentication Engines - Custom tab.
■ To add an authentication engine, click Add and enter a name for that authentication engine. Oracle Identity Federation will generate an ID for that new engine; this ID is referenced as TEST_ENGINE_ID in this test.
■ Select the authentication engine to modify it:
  – Enable the engine.
  – Set /engine as the Web Context of the authentication engine.
  – Set /authentication.jsp as the Login Relative Path of the authentication engine.
■ Click Apply.

See Also: Section 5.15, Configuring Authentication Engines

Implementation of authentication.jsp

<%@ page buffer="5" autoFlush="true" session="false"%>
<%@ page language="java" import="java.net.*"%>
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
// Oracle Identity Federation passes the requested mechanism and the reference ID as request attributes
String authnMech = (String)request.getAttribute("oracle.security.fed.authn.authnmech");
String refid = (String)request.getAttribute("oracle.security.fed.authn.refid");
// Redirect to the SSO-protected page, carrying the reference ID so it can be returned to the federation server
String redirectURL = "/engine/forward.jsp?refid=" + (refid != null ? URLEncoder.encode(refid) : "");
response.sendRedirect(redirectURL);
%>

Implementation of forward.jsp

<%@ page buffer="5" autoFlush="true" session="false"%>
<%@ page language="java" import="java.util.*"%>
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
String refid = request.getParameter("refid");
// This page is protected by Oracle Single Sign-On, so the authenticated user is supplied by the container
String userID = request.getRemoteUser();
String authnMethod = "oracle:fed:authentication:password-protected";
Date now = new Date();
request.setAttribute("oracle.security.fed.authn.engineid", "TEST_ENGINE_ID");
request.setAttribute("oracle.security.fed.authn.userid", userID);
request.setAttribute("oracle.security.fed.authn.refid", refid);
request.setAttribute("oracle.security.fed.authn.authnmech", authnMethod);
request.setAttribute("oracle.security.fed.authn.authntime", now);
// Internal forward to the federation server's login endpoint in the /fed web application
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/user/loginsso").forward(request, response);
%>

Since the Oracle Single Sign-On framework sets cookies in the user's browser, the authentication engine should be integrated into the logout flow; see Section 10.5, Logout.

10.3.4 Sample Authentication Module for LDAP Integration

This section shows how to integrate a customized authentication engine with a standalone LDAP server.

Setup

The user data store configured in Fusion Middleware Control for Oracle Identity Federation references the LDAP server used by the authentication engine.

Packaging

The authentication engine consists of a Web application with a root context set to /engine, and contains two JSP pages:

■ loginpage.jsp, which processes the incoming request from the federation server, and displays the login page.
■ ldapforward.jsp, which authenticates the user's credentials against the LDAP server; upon success it forwards the user to the federation server.

Adding the Engine

To add the engine:

1. Go to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
2. Navigate to Administration, then Authentication Engines. Select the Authentication Engines - Custom tab.
3. To add an authentication engine, click Add and enter a name for that authentication engine. Oracle Identity Federation will generate an ID for that new engine; this ID is referenced as TEST_ENGINE_ID in this test.
4. Select the authentication engine to modify it:
   ■ Enable the engine.
   ■ Set /engine as the Web Context of the authentication engine.
   ■ Set /loginpage.jsp as the Login Relative Path of the authentication engine.
5. Save the changes.

See Also: Section 5.15, Configuring Authentication Engines

Implementation of loginpage.jsp

<%@ page buffer="5" autoFlush="true" session="false"%>
<%@ page language="java" import="java.net.*"%>
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
String refid = (String)request.getAttribute("oracle.security.fed.authn.refid");
// The form posts to ldapforward.jsp, carrying the reference ID received from the federation server
String postURL = "/engine/ldapforward.jsp?refid=" + (refid != null ? URLEncoder.encode(refid) : "");
String msg = request.getParameter("message");
%>
<HTML>
<BODY>
<FORM action="<%=postURL%>" method="POST">
<% if (msg != null && msg.length() > 0) { %>
<%-- message is a request parameter: HTML-escape it before writing it into the page --%>
<%= msg.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;") %><BR>
<% } %>
Username: <INPUT type="text" name="username"><BR>
Password: <INPUT type="password" name="password"><BR>
<INPUT type="submit" value="Submit">
</FORM>
</BODY>
</HTML>

Implementation of forward.jsp

<%@ page buffer="5" autoFlush="true" session="false"%>
<%@ page language="java" import="java.util.*, javax.naming.*, javax.naming.directory.*, java.net.*"%>
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
String refid = request.getParameter("refid");
String authnMethod = "oracle:fed:authentication:password-protected";
String userID = request.getParameter("username");
String password = request.getParameter("password");
Date now = new Date();
// JNDI environment for a simple bind as the user against the standalone LDAP server
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://mynode.us.mycorp.com:389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=" + userID + ",cn=users,dc=us,dc=oracle,dc=com");
env.put(Context.SECURITY_CREDENTIALS, password);
try {
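The following helper is an added example, not code from the guide, covering two points the 10.3.3 notes and the ldapforward.jsp listing above leave implicit: the bind DN is built from the submitted username, so the value is escaped per RFC 4514 before concatenation and an empty password is rejected (a simple bind with no password is an unauthenticated bind that a directory may accept), and the request attributes are populated so that a failed bind leaves authnmech and authntime unset, which Oracle Identity Federation reads as a failed authentication. The class and method names and the providerUrl parameter are assumptions; the DN suffix, mechanism URI and attribute names are the ones used on this page.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.servlet.http.HttpServletRequest;

// Hypothetical helper for an ldapforward.jsp-style engine; not part of the guide.
public final class LdapEngineHelper {
    static final String USER_BASE = ",cn=users,dc=us,dc=oracle,dc=com"; // DN suffix from the guide's sample
    static final String PASSWORD_MECH = "oracle:fed:authentication:password-protected";
    // RFC 4514 escaping, so a submitted username cannot change the structure of the bind DN.
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            if (",+\"\\<>;".indexOf(c) >= 0) sb.append('\\').append(c);
            else if (c == '\0') sb.append("\\00");
            else sb.append(c);
        }
        if (sb.length() > 0 && sb.charAt(sb.length() - 1) == ' ') sb.insert(sb.length() - 1, '\\');
        if (sb.length() > 0 && (sb.charAt(0) == '#' || sb.charAt(0) == ' ')) sb.insert(0, '\\');
        return sb.toString();
    }
    static String userDn(String userId) { return "cn=" + escapeDnValue(userId) + USER_BASE; }
    // Simple bind as the user: false on bad credentials, while other NamingExceptions (server
    // unreachable, ...) propagate so an outage is not reported to OIF as a failed login.
    static boolean bind(String providerUrl, String userId, String password) throws NamingException {
        // Empty password = unauthenticated bind (RFC 4513 5.1.2), which a server may accept: reject it.
        if (userId == null || userId.isEmpty() || password == null || password.isEmpty()) return false;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn(userId));
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try { ctx = new InitialDirContext(env); return true; }
        catch (AuthenticationException e) { return false; }
        finally { if (ctx != null) ctx.close(); }
    }
    // Attributes handed to OIF on the forward to /fed/user/loginsso. On failure, authnmech and
    // authntime stay unset, which the guide says OIF interprets as a failed authentication.
    static void setEngineResult(HttpServletRequest req, String engineId, String refid, String userId, boolean ok) {
        req.setAttribute("oracle.security.fed.authn.engineid", engineId);
        req.setAttribute("oracle.security.fed.authn.refid", refid);
        if (!ok) return;
        req.setAttribute("oracle.security.fed.authn.userid", userId);
        req.setAttribute("oracle.security.fed.authn.authnmech", PASSWORD_MECH);
        req.setAttribute("oracle.security.fed.authn.authntime", new Date());
    }
}
```

With this helper, ldapforward.jsp would call bind() with the submitted username and password, pass the result to setEngineResult(), and only then forward to /fed/user/loginsso; a username such as "alice,cn=admins" is escaped to "alice\,cn=admins" and so binds as a non-existent user rather than altering the DN.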