Logout Architecture and Flows

10-10 Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation

■ implementing a module to authenticate a user
■ creating a service that forwards the user to the federation server with the required information
■ deciding whether the authentication engine will set a cookie after authenticating a user. If yes, the authentication module must be integrated into the logout process (see Section 10.5, "Logout")
■ packaging the services and module into a web application, and deploying the application to the Oracle WebLogic Managed Server where Oracle Identity Federation is running
■ configuring Oracle Identity Federation to reference the new authentication engine
■ ensuring that the user identifier returned by the authentication engine references the same user in the Oracle Identity Federation User Data Store

10.3.2 Developing and Implementing the Authentication Module

Several aspects of module development are explained here.

URLs

Communication between the federation engine and the authentication engine occurs through internal servlet forwards that are equivalent to API calls. These forwards use the following JavaEE API:

ServletContext.getContext(String contextPath).getRequestDispatcher(String relativePath).forward(HttpServletRequest request, HttpServletResponse response)

where:
■ contextPath is the root context path of the web application. For example, the contextPath of Oracle Identity Federation is /fed.
■ relativePath is the service URL to which to forward the user; it is relative to the contextPath. For example, after authenticating a user, the authentication engine uses /user/loginsso as the relativePath when forwarding the user.

Oracle Identity Federation needs to be aware of the ID of the new authentication engine, the contextPath, and the relativePath. Together these form the URL that will process authentication requests issued by the federation server.

Adding or Modifying an Authentication Engine

To add an authentication engine or modify one:
■ Go to Fusion Middleware Control and locate the Oracle Identity Federation instance.
■ Navigate to Administration, then Authentication Engines.
■ To add an authentication engine, click Add and enter a name for that authentication engine. Oracle Identity Federation generates an ID for that new engine.

Note: Fusion Middleware Control uses the name only for display purposes, while the ID is used during communications between Oracle Identity Federation and the authentication engine.
■ To modify an authentication engine, select it and:
– Enable or disable the engine
– Specify the contextPath of the authentication engine in the Web Context field
– Specify the relative path of the login service of the authentication engine in the Login Relative Path field
– Enable or disable logout
– Specify the relative path of the logout service of the authentication engine in the Logout Relative Path field
■ Click Apply.

Implementing the Service

This section describes the roles that are played by the authentication engine, and the processing tasks that the service must be able to handle for a successful implementation. The authentication engine needs to:
■ process requests from the federation engine
■ forward the user to the federation server after a successful authentication

When processing authentication requests from the server, the engine must process the following incoming data:
■ The authentication mechanism to use when challenging the user for identification, as a String (identified by oracle.security.fed.authn.authnmech)
■ An identifier referencing the current action that is being performed, as a String (identified by oracle.security.fed.authn.refid)
■ The ProviderID and the description of the remote service provider for which this local authentication is requested, if a Federation SSO operation is performed, as Strings (identified by oracle.security.fed.authn.providerid and oracle.security.fed.authn.providerdescription)
■ The identifier referencing the engine used to authenticate the user (identified by oracle.security.fed.authn.engineid)
■ The identifier of the user as a String, if set (identified by oracle.security.fed.authn.userid)
■ The Force Authentication flag, a Boolean object, indicating whether the engine should challenge the user even if the user is already authenticated. If missing, False is assumed. (identified by oracle.security.fed.authn.forceauthn)
■ The Is Passive flag, a Boolean object, indicating whether the engine is allowed to visually interact with the user. If missing, False is assumed. (identified by oracle.security.fed.authn.passive)
■ Optionally, a map of attributes that need to be set by the engine: these attributes are required for Oracle Identity Federation/IdP to correctly create the assertion with the AttributeStatement, as specified by the configuration for that specific remote provider (identified by oracle.security.fed.authn.attributes).

See Also: Section 5.15, "Configuring Authentication Engines"

When Oracle Identity Federation receives an SSO assertion, processes it, and requests that the user be locally authenticated because the server was not able to map the assertion to a local user, the Map contains this data from the assertion:
– orafed-nameid-value: the user's Name ID value
– orafed-nameid-qualifier: the user's Name ID qualifier
– orafed-nameid-format: the user's Name ID format
– orafed-providerid: the IdP's ProviderID
– orafed-assertionid: the ID of the assertion
– orafed-xmlmessage: the optional XML message containing the assertion. See Section 6.13.2, "Providing XML Message to SP Engine after SSO Completes" for details.
■ Optionally, a String containing the Oracle Identity Federation session identifier, if the user already has an active session. Oracle Identity Federation passes the sessionID of the existing user session, if one exists, to the authentication engine, so that the engine can persist state linked to the user and reference that data by the sessionID value. Later on, when the logout flow is executed, Oracle Identity Federation will pass the sessionID that is being logged out to the engine, so that the engine can delete the data that was used for this user session. (identified by oracle.security.fed.sessionid)
After successful authentication, the engine must forward the user to the federation server with the rootContext of the federation engine being /fed, and the relativePath /user/loginsso. Oracle Identity Federation expects this data when processing the internal forward:
■ The identifier of the user, as a String (identified by oracle.security.fed.authn.userid)
■ Authentication time, as a Date object (identified by oracle.security.fed.authn.authntime)
■ Expiration time of the authenticated session, as a Date object (identified by oracle.security.fed.authn.expirationtime)
■ The authentication mechanism used to identify the user, as a String (identified by oracle.security.fed.authn.authnmech)
■ The identifier referencing the action that was being performed, from the request (identified by oracle.security.fed.authn.refid)
■ The identifier referencing the engine used to authenticate the user (identified by oracle.security.fed.authn.engineid)
■ Optionally, a Map of attributes that is stored in the user session. This map will have String objects as the keys and a Set of objects as the values (identified by oracle.security.fed.authn.attributes).
■ Optionally, a String containing the Oracle Identity Federation session identifier that Oracle Identity Federation will need to use to reference the Oracle Identity Federation user session. This allows the engine and Oracle Identity Federation to share the same identifier to reference the user session. Later on, when the logout flow is being executed, Oracle Identity Federation will pass the sessionID that is

See Also: Section 5.9.2.1, "Configuring Attribute Name Mapping"
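The following servlet is an added example, written for this page and not Oracle's own code, that ties the three parts of the procedure above together: it reads the incoming request attributes that Oracle Identity Federation places on the internal forward, honours the Force Authentication and Is Passive defaults, challenges the user with a form when it may, and on success forwards to /fed with /user/loginsso carrying the outgoing attributes the page lists. The attribute names and the two paths are taken from the text; the demo credential store, the HttpSession key used to keep the OIF data across the form round-trip, the eight-hour session lifetime, the minted session ID when OIF had none, the reuse of oracle.security.fed.sessionid as the outgoing key, and the 401 answer to a failed passive request are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example of a custom authentication engine for Oracle Identity Federation (OIF).
// Illustrative code written for this page, not Oracle's. Attribute names, /fed and
// /user/loginsso come from the page; everything marked "assumption" does not.
public class SampleAuthnEngineServlet extends HttpServlet {
    private static final String OIF_CONTEXT = "/fed";                   // rootContext of the federation engine
    private static final String OIF_LOGIN_PATH = "/user/loginsso";       // relativePath after successful authentication
    private static final String CTX_KEY = "sample.engine.oifContext";     // assumption: HttpSession key for saved OIF data
    private static final long SESSION_LIFETIME_MS = 8L * 60 * 60 * 1000;  // assumption: validity of the authenticated session

    // Constructed demo credential store (username -> password); a real engine consults an identity store.
    private static final Map<String, String> DEMO_USERS = Collections.singletonMap("alice", "correct horse battery staple");
    // User remembered per OIF session ID so the logout flow (Section 10.5) can discard it later.
    static final Map<String, String> USER_BY_OIF_SESSION = Collections.synchronizedMap(new HashMap<>());

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        if (req.getAttribute("oracle.security.fed.authn.refid") != null) {
            handleOifRequest(req, resp);     // internal forward from OIF carrying the incoming data
        } else {
            handleFormSubmission(req, resp); // browser posting the login form rendered below
        }
    }

    private void handleOifRequest(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        Map<String, Object> ctx = new HashMap<>();
        for (String name : new String[] {"oracle.security.fed.authn.authnmech", "oracle.security.fed.authn.refid",
                "oracle.security.fed.authn.providerid", "oracle.security.fed.authn.providerdescription",
                "oracle.security.fed.authn.engineid", "oracle.security.fed.authn.attributes", "oracle.security.fed.sessionid"}) {
            ctx.put(name, req.getAttribute(name));
        }
        // Both flags default to False when missing, as the page states.
        boolean force = Boolean.TRUE.equals(req.getAttribute("oracle.security.fed.authn.forceauthn"));
        boolean passive = Boolean.TRUE.equals(req.getAttribute("oracle.security.fed.authn.passive"));
        String oifSessionId = (String) ctx.get("oracle.security.fed.sessionid");

        // Silent path: reuse the user already bound to this OIF session unless OIF demands a fresh challenge.
        String knownUser = (!force && oifSessionId != null) ? USER_BY_OIF_SESSION.get(oifSessionId) : null;
        if (knownUser != null) {
            forwardToOif(req, resp, ctx, knownUser);
            return;
        }
        if (passive) {
            // No visual interaction allowed and nothing to reuse. The page does not say how a failed
            // passive request is reported to OIF, so answering with 401 here is an assumption.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "passive authentication not possible");
            return;
        }
        req.getSession(true).setAttribute(CTX_KEY, ctx); // keep refid etc. across the form round-trip
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print("<form method='post'>Login for "
                + escape((String) ctx.get("oracle.security.fed.authn.providerdescription"))
                + "<br>User <input name='username'><br>Password <input type='password' name='password'>"
                + "<br><button>Log in</button></form>");
    }

    private void handleFormSubmission(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        @SuppressWarnings("unchecked")
        Map<String, Object> ctx = session == null ? null : (Map<String, Object>) session.getAttribute(CTX_KEY);
        String user = req.getParameter("username"), pass = req.getParameter("password");
        if (ctx == null || user == null || pass == null || !passwordMatches(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authentication failed");
            return;
        }
        session.removeAttribute(CTX_KEY);
        forwardToOif(req, resp, ctx, user);
    }

    // Forward to OIF with the outgoing data the page lists for /user/loginsso.
    private void forwardToOif(HttpServletRequest req, HttpServletResponse resp, Map<String, Object> ctx, String userId)
            throws ServletException, IOException {
        Date now = new Date();
        String oifSessionId = (String) ctx.get("oracle.security.fed.sessionid");
        if (oifSessionId == null) {
            oifSessionId = UUID.randomUUID().toString(); // assumption: engine mints the shared ID when OIF had no session
        }
        USER_BY_OIF_SESSION.put(oifSessionId, userId);

        // Session attributes: String keys mapping to a Set of values, as the page describes.
        Map<String, Set<Object>> attrs = new HashMap<>();
        attrs.put("mail", new HashSet<Object>(Collections.singleton(userId + "@example.com"))); // constructed value

        req.setAttribute("oracle.security.fed.authn.userid", userId);
        req.setAttribute("oracle.security.fed.authn.authntime", now);
        req.setAttribute("oracle.security.fed.authn.expirationtime", new Date(now.getTime() + SESSION_LIFETIME_MS));
        req.setAttribute("oracle.security.fed.authn.authnmech", ctx.get("oracle.security.fed.authn.authnmech"));
        req.setAttribute("oracle.security.fed.authn.refid", ctx.get("oracle.security.fed.authn.refid"));
        req.setAttribute("oracle.security.fed.authn.engineid", ctx.get("oracle.security.fed.authn.engineid"));
        req.setAttribute("oracle.security.fed.authn.attributes", attrs);
        req.setAttribute("oracle.security.fed.sessionid", oifSessionId); // assumption: same key as on the incoming request

        // The forward the page describes: getContext(contextPath).getRequestDispatcher(relativePath).forward(...)
        getServletContext().getContext(OIF_CONTEXT).getRequestDispatcher(OIF_LOGIN_PATH).forward(req, resp);
    }

    // Constant-time password comparison; an unknown user is rejected without revealing which check failed.
    private static boolean passwordMatches(String user, String pass) {
        String expected = DEMO_USERS.getOrDefault(user, "");
        boolean same = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
        return DEMO_USERS.containsKey(user) && same;
    }

    private static String escape(String s) { // HTML-escape the provider description before echoing it into the form
        return s == null ? "" : s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("'", "&#39;");
    }
}
```

Deploy the servlet in its own web application on the managed server that runs Oracle Identity Federation, then register that application's context path and the servlet's path as the Web Context and Login Relative Path of the engine in Fusion Middleware Control, as described above. The USER_BY_OIF_SESSION map is the state a matching logout service would remove when Oracle Identity Federation passes the sessionID being logged out (Section 10.5); because the forward crosses web-application contexts, the container must permit cross-context dispatch for getContext to return the /fed context rather than null.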