Components Used for Attribute Sharing

Configuring Oracle Identity Federation 5-35

■ LogLevel - Controls the amount of information logged to INSTALL_DIR/oblix/logs/authz_attribute_plug-in_log.txt.
  – off - Nothing is logged except errors; this is the default.
  – audit - One line is logged for each authentication request, showing the access decision, the user's certificate subject DN or local directory DN, the HTTP operation, and the local part of the requested URL.
  – debug - Logs extensive information useful in debugging problems.

■ HTTP connection parameters for the authz_attribute plug-in to the Oracle Identity Federation Attribute Requester Service, consisting of:
  – WaitTime - This is the time in seconds to wait for a response; the default is 30 seconds.
  – SizeLimit - This is the maximum size in bytes of HTTP messages sent and received; the default is unlimited (0 means unlimited).
  – MaxConnections - This is the maximum number of concurrent HTTP connections; the default is 5.
  – InitialConnections - This is the number of current HTTP connections opened initially; the default is 2.

■ Parameters for authentication of the authz_attribute plug-in to the Oracle Identity Federation Attribute Requester Service, including:
  – Authn - authentication method:
    none - no authentication
    basic - use HTTP basic authentication with Username and Password (default)
    cert - use SSL client certificate authentication using key.pem, cert.pem, and KeyPassword
  – Username - This is the username for basic authentication.
  – Password - This is the password for basic authentication.
  – KeyPassword - This is the password for key.pem for SSL client certificate authentication.

■ Attribute value cache parameters, including:
  – CacheTimeout - This is the time, in seconds, that cached attribute values will be held before requiring updated values; the default is 3600 seconds (1 hour), and 0 disables caching.
  – MaxCachedUsers - This is the maximum number of users with cached attribute values; if the cache is full, the least recently used unexpired entries will be reclaimed. The default is 1000.

■ Mappings of subject DNs to Attribute Requester Service URLs. For each Attribute Requester Service, specify:
  – URL - the URL for the service, of the form HTTP_PROTOCOL://OIF_HOST:OIF_PORT/fed/ar/soap, where:
    HTTP_PROTOCOL - http or https
    OIF_HOST:OIF_PORT - This is the host and port of Oracle Identity Federation.
    For example: https://fed1.company.com:7499/fed/ar/soap

5-36 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

  – Local - if true, the matching users are local and an Attribute Requester Service is not used. If true, the URL parameter is ignored.
  – DN - one or more elements specifying a DN pattern to match against the user Subject DN; the pattern is simply the right-most components of the DN. For example: O=PeerA,C=US

■ Attribute query properties - The RequestFormat parameter determines the attributes and values returned in an attribute response. RequestFormat overrides authorization rules; for example, if an authorization rule specifies both attributes and values, but RequestFormat specifies names, the query omits values. RequestFormat can be specified with these options:
  – RequestFormat=values
    The AttributeQuery contains attribute names and values taken from the authorization rule's ruleExpression. The Attribute Responder will only return user attributes and values that are in the AttributeQuery. This is the default setting. This setting minimizes the amount of memory used for cached attribute values (values are only requested when needed for authorization), at the cost of more frequent attribute requests.
  – RequestFormat=names
    The AttributeQuery contains attribute names, but not values, taken from the ruleExpression. The Attribute Responder returns all the user's values for the named attributes, subject to any Responder policies controlling access to the attributes' values. This setting provides a trade-off between cache memory usage and attribute requests that is somewhere between the values and all settings.
    Note: With this setting, the AttributeQuery does not disclose to the IdP what attribute values are required for authorization; for security reasons, this might be preferred over the values setting.
  – RequestFormat=all
    The AttributeQuery does not contain any attribute names or values. The Attribute Responder returns all the attributes and values for the user, subject to any Responder policies controlling access to the attributes' values. This setting minimizes the number of attribute requests (only one request per user), at the cost of more memory used for caching attribute values before they are used (and they may never be used for authorization). This setting works best when the Attribute Responder policies have been reasonably configured to return only attributes that the SP might want.
    Note: With this setting, the AttributeQuery does not disclose to the IdP what attributes are required for authorization; for security reasons, you may prefer this over the values and names settings.

As illustrated in the sample config.xml file, the RequestFormat parameter can appear in the Config element, where it sets the default request format, and in the Mapping elements, where it sets the request format for subject DNs covered by the mappings.

Mapping Examples for the Sample Configuration

Here are some mapping examples for the sample config.xml configuration file shown earlier.
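The following Python model is an added illustration, not code from the guide or from the authz_attribute plug-in: it shows how the mapping rules above combine, namely right-most-component DN matching, the Local flag overriding URL, the Mapping-level RequestFormat taking precedence over the Config default, and what each RequestFormat leaves in the AttributeQuery. The "O=Company,C=US" local mapping, the "role" attribute and case-insensitive RDN comparison are assumptions; the PeerA DN and the fed1 URL come from the text.

```python
# Added example, not Oracle code: models the subject-DN mapping and RequestFormat semantics.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Mapping:
    dns: List[str]                        # DN suffix patterns, e.g. "O=PeerA,C=US"
    url: Optional[str] = None             # Attribute Requester Service URL
    local: bool = False                   # Local=true: user is local, URL is ignored
    request_format: Optional[str] = None  # per-mapping override of the Config default

def dn_rdns(dn: str) -> List[str]:
    # Assumption: RDNs are comma-separated with no escaped commas; compared case-insensitively.
    return [rdn.strip().lower() for rdn in dn.split(",")]

def dn_matches(subject_dn: str, pattern: str) -> bool:
    # A pattern matches when it equals the right-most components of the subject DN.
    subj, pat = dn_rdns(subject_dn), dn_rdns(pattern)
    return len(pat) <= len(subj) and subj[-len(pat):] == pat

def select_mapping(subject_dn: str, mappings: List[Mapping]) -> Optional[Mapping]:
    # First mapping with a matching DN pattern wins; None means no mapping covers the user.
    for m in mappings:
        if any(dn_matches(subject_dn, p) for p in m.dns):
            return m
    return None

def build_attribute_query(rule_attrs: Dict[str, List[str]], fmt: str) -> Dict[str, List[str]]:
    # rule_attrs holds names and required values from the ruleExpression; return what the query carries.
    if fmt == "values":
        return {name: list(vals) for name, vals in rule_attrs.items()}
    if fmt == "names":
        return {name: [] for name in rule_attrs}
    if fmt == "all":
        return {}
    raise ValueError(f"unknown RequestFormat: {fmt}")

def resolve(subject_dn, mappings, default_format, rule_attrs):
    # Mapping selection, RequestFormat precedence (Mapping over Config) and query shaping in one step.
    m = select_mapping(subject_dn, mappings)
    if m is None:
        return None
    fmt = m.request_format or default_format
    return {"local": m.local, "service": None if m.local else m.url,
            "format": fmt, "query": build_attribute_query(rule_attrs, fmt)}

# Constructed sample mappings: PeerA DN and fed1 URL are from the guide, the local entry is made up.
MAPPINGS = [
    Mapping(dns=["O=PeerA,C=US"], url="https://fed1.company.com:7499/fed/ar/soap", request_format="names"),
    Mapping(dns=["O=Company,C=US"], local=True),
]
```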