Click Add and fill out the Define a new Authorization Scheme form:

(Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, "Configuring Oracle Identity Federation", pages 5-41 to 5-42)

   ■ Name: a rule expression written in the syntax of the table below, for example:
     – title = VP & function = Marketing
     – title = VP | title = Director
     – title = VP & function = Marketing | function = Finance
     – title = any & function = any
   ■ Set any timing conditions or actions as desired for the authorization rule.
   ■ Return to the General panel and enable the rule.

   Rule expression syntax:

   Element      Syntax                                     Meaning
   value        one of string, any, or null                Required attribute value. With Oracle COREid Access 7.0.4 the string is restricted to Latin-1 characters; with Oracle Access Manager 10.1.4 and later it can contain any Unicode characters. The any value retrieves and matches all values for the attribute. The null value matches a SAML Attribute sent with the xsi:nil="true" attribute.
   comparison   name = value, name != value, or (expression)   True if the user has (for =) or does not have (for !=) the attribute value.
   and-clause   comparison & comparison                    True if both comparisons are true.
   or-clause    comparison | comparison                    True if either comparison is true. & has higher precedence than |.

5. Select the Authorization Rules panel and add an authorization rule for any local user attributes.
   ■ Select Oracle Authorization Scheme and click Add.
   ■ Fill out the authorization rule form:
     – Name: as appropriate, for example, Company Marketing VP.
     – Description: as appropriate
     – Enabled: yes
     – Allow Takes Precedence: no
     Click Save.
   ■ Select the Allow Access panel, click Modify, and add an LDAP filter for the local attributes. You can use the Query Builder in the Oracle Access Manager Identity System (User Manager Configuration, then Delegate Administration, then Build Filter). For example:
     ldap:///o=Company,c=US??sub?(&(title=VP)(function=Marketing))
   ■ Set any timing conditions or actions as desired for the authorization rule.
   ■ Return to the General panel and enable the rule.

6. Select the Default Rules panel and add the default authentication rule:
   ■ Name: as appropriate
   ■ Description: as appropriate
   ■ Authentication Scheme: OIF Attribute Sharing
   Click Save.

7. Select the Authorization Expression panel and add the default authorization rule:
   ■ Select the applicable remote authorization rule defined above and click Add, for example, Peer Marketing VP.
   ■ If there is a corresponding local authorization rule, select OR and add the local authorization rule, for example, Peer Marketing VP | Company Marketing VP.
   Click Save.

8. Alternatively, instead of a single default authorization rule, you can add policies to the policy domain with authorization expressions that apply to subsets of the protected URLs.
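As an added example that is not part of the Oracle guide, the following Python evaluates rule expressions written in the syntax described above (name = value, name != value, & for and, | for or with & binding tighter, parentheses for grouping, and the special values any and null) against the attributes retrieved for a user, and translates the same expression into an LDAP URL of the form used for the local-attribute Allow Access filter in step 5. The parser, the treatment of != for an attribute that was not retrieved, and the RFC 4515 escaping are assumptions of this example, not Oracle Access Manager's implementation; the attribute sets used with it are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple
# Attribute values from the peer's attribute responder: a list of strings, or
# None when the SAML <Attribute> was sent with xsi:nil="true".
Attributes = Dict[str, Optional[List[str]]]
_TOKEN_RE = re.compile(r"\(|\)|&|\||!=|=|[^\s()&|!=]+")
_OPERATORS = {"(", ")", "&", "|", "=", "!="}


class _Parser:
    """Recursive descent: or_expr := and_expr ('|' and_expr)*; and_expr := comparison
    ('&' comparison)*; comparison := '(' or_expr ')' | name ('=' | '!=') value."""

    def __init__(self, expr: str) -> None:
        self.toks = _TOKEN_RE.findall(expr)  # values are assumed to contain no spaces
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self) -> str:
        if self._peek() is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse(self) -> Tuple:
        node = self._or_expr()
        if self._peek() is not None:
            raise ValueError("unexpected token %r" % self._peek())
        return node

    def _or_expr(self) -> Tuple:          # | has the lowest precedence
        node = self._and_expr()
        while self._peek() == "|":
            self._next()
            node = ("or", node, self._and_expr())
        return node

    def _and_expr(self) -> Tuple:         # & binds tighter than |
        node = self._comparison()
        while self._peek() == "&":
            self._next()
            node = ("and", node, self._comparison())
        return node

    def _comparison(self) -> Tuple:
        if self._peek() == "(":
            self._next()
            node = self._or_expr()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return node
        name, op, value = self._next(), self._next(), self._next()
        if op not in ("=", "!=") or name in _OPERATORS or value in _OPERATORS:
            raise ValueError("malformed comparison near %r" % name)
        return ("cmp", name, op, value)


def _has_value(attrs: Attributes, name: str, value: str) -> bool:
    """'name = value' for one attribute, honouring the special values any and null."""
    if name not in attrs:
        return False
    values = attrs[name]
    if value == "null":            # matches an attribute sent with xsi:nil="true"
        return values is None
    if values is None:
        return False
    return bool(values) if value == "any" else value in values  # any one value suffices


def _eval(node: Tuple, attrs: Attributes) -> bool:
    if node[0] == "cmp":
        _, name, op, value = node
        has = _has_value(attrs, name, value)
        # Assumption: != is the plain negation of =, so it also holds for an absent attribute.
        return has if op == "=" else not has
    kind, left, right = node
    if kind == "and":
        return _eval(left, attrs) and _eval(right, attrs)
    return _eval(left, attrs) or _eval(right, attrs)


def evaluate(expr: str, attrs: Attributes) -> bool:
    """Evaluate a rule expression against the attributes retrieved for a user."""
    return _eval(_Parser(expr).parse(), attrs)


def _ldap_escape(value: str) -> str:
    """RFC 4515 escaping, so an attribute value cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _to_filter(node: Tuple) -> str:
    if node[0] == "cmp":
        _, name, op, value = node
        if value == "null":
            raise ValueError("null (xsi:nil) has no LDAP filter equivalent")
        item = "(%s=%s)" % (name, "*" if value == "any" else _ldap_escape(value))
        return item if op == "=" else "(!%s)" % item
    kind, left, right = node
    return "(%s%s%s)" % ("&" if kind == "and" else "|", _to_filter(left), _to_filter(right))


def ldap_url(base_dn: str, expr: str) -> str:
    """The same rule as an LDAP URL, for the Allow Access filter of a local-attribute rule."""
    return "ldap:///%s??sub?%s" % (base_dn, _to_filter(_Parser(expr).parse()))
```

The third example expression above is the one to check precedence with: against a user whose title is Director and whose function is Finance, `evaluate` returns true because & binds tighter than |, whereas the parenthesised form `title = VP & (function = Marketing | function = Finance)` returns false. The LDAP translation escapes `*`, `(`, `)` and `\` in values, so a value taken from a remote assertion cannot turn `(cn=a*b)` into a wildcard or inject a second filter term; `null` has no LDAP equivalent and is rejected rather than silently dropped.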

5.6.5 Configuring Oracle Identity Federation as an SP Attribute Requester

Take these steps to configure Oracle Identity Federation as an attribute requester in service provider mode:

1. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

2. Enable the Attribute Requester functionality:
   ■ Navigate to Administration, then Service Provider.
   ■ Check the Enable Attribute Requester Service box, and click Apply.

   Note: Checking the Enable Attribute Requester Service box enables the Attribute Requester feature. It also modifies the SP's metadata to include information about the Attribute Requester service, so the copy of this SP's metadata held at the peer providers' sites must be updated with the new version.

3. Upload the SAML 1.x or SAML 2.0 IdP metadata, or manually create an entry for a SAML 1.x provider:
   ■ Navigate to Administration, then Federations.
   ■ Click Add.
   ■ To upload SAML 1.x or SAML 2.0 metadata, select Upload Metadata and enter the location of the IdP metadata and an additional description.
   ■ To add a SAML 1.x provider manually, select Add Trusted Provider Manually, enter the Provider ID and the Provider Version (SAML 1.1 or SAML 1.0), select Identity Provider and Attribute Responder as the Provider Type, and enter an additional description.
   ■ Click OK.

4. Configure the DN to IdP mapping:
   ■ Navigate to Administration, then Service Provider.
   ■ Click Configure Attribute Requester Service.