To modify an SP integration engine, select it and:

Integrating with Third-Party Identity and Access Management Modules 10-21

■ Authentication time as a Date object, identified by oracle.security.fed.sp.authntime
■ Expiration time of the authenticated session as a Date, identified by oracle.security.fed.sp.expirationtime
■ The authentication mechanism used to identify the user as a String, identified by oracle.security.fed.sp.authnmech
■ The relay state as a String, identified by oracle.security.fed.sp.relaystate
■ The contents of the assertion: the NameID, the issuer of the assertion and the optional attributes. Note: the content of the assertion is not passed as XML data; that is, the original assertion will not be passed back to the module. The data is passed as a Map with Strings as keys and Sets of Objects as values, identified by oracle.security.fed.sp.attributes. The extra data is referenced as:
  – orafed-nameid-value, containing the Name ID value
  – orafed-nameid-qualifier, containing the Name ID qualifier
  – orafed-nameid-format, containing the Name ID format
  – orafed-providerid, containing the Peer ProviderID
  – orafed-assertionid, the ID of the assertion
  – orafed-xmlmessage, the optional XML message containing the assertion. See Section 6.13.2, "Providing XML Message to SP Engine after SSO Completes" for details.
■ The top status of the SAML Response as a String, identified by oracle.security.fed.sp.topstatus
■ The low status of the SAML Response, if any, as a String, identified by oracle.security.fed.sp.lowstatus
■ The status message, if any, as a String, identified by oracle.security.fed.sp.statusmessage
■ The ProviderID that created the SSO assertion as a String, identified by oracle.security.fed.sp.providerid
■ The identifier of the SP engine that will process the above information, identified by oracle.security.fed.sp.engineid
■ A String containing the Oracle Identity Federation identifier of the user session, identified by oracle.security.fed.sessionid. Oracle Identity Federation passes the sessionID of the user session to the SP engine so that the engine can persist state linked to the user and reference that data by the sessionID value. Later, when the logout flow is executed, Oracle Identity Federation passes the sessionID that is being logged out to the engine, so that the engine can delete the data that was used for this user session.

Authenticated Session Creation

Using this data, the SP integration engine creates an authenticated session and redirects the user to the final target URL. If the service needs to set cookies, the cookie path must be set to /. This is necessary because of the internal forwards between the Oracle Identity Federation and SP integration engine web applications: the user's browser needs to send the cookies related to the SP integration engine even when it is accessing only the federation server. This way, when an internal forward occurs from the federation server to the SP integration engine, the cookie set by the latter is available in the HTTP request.

10-22 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

10.4.3 Sample Integration Modules

The next two sections provide examples of implementing a custom authentication engine:
■ Sample Integration Module 1: Oracle WebLogic Server JavaEE Integration
■ Sample Integration Module 2: Customized Single Sign-On Integration

10.4.4 Sample Integration Module 1: Oracle WebLogic Server JavaEE Container Integration

This section shows a simple SP integration engine that uses the javax.servlet.http.HttpSession to set an attribute. The presence of this attribute shows whether a user is authenticated.

Setup

The SP integration engine will not interact with the user data store used by Oracle Identity Federation.

Packaging

The SP integration engine consists of a Web application with a root context set to engine, and contains two JSP pages:
■ wlsintegration.jsp, which processes the request from the federation server and creates an HttpSession with a feduserid attribute containing the user's identifier
■ application.jsp, which serves as an application. It looks for the HttpSession's feduserid attribute, and triggers a Federation SSO if the attribute is not found

Adding or Modifying an SP Integration Engine

To add or modify the SP integration engine, take these steps:

Note: Oracle strongly discourages users from deploying any applications on the Oracle WebLogic Managed Server other than the ones for custom integration and authentication described as sample integration modules 1 and 2 below, because doing so introduces potential security risks. Extraneous applications deployed in the Oracle WebLogic Managed Server can potentially affect the security of the federation server by allowing rogue software to change the behavior of the server flows.

Note: The example in this section is intended for illustration only and should not be used in a production environment. Indeed, it supposes that other applications deployed on the Oracle WebLogic Managed Server will consume data set by the SP integration engine, which is an approach strongly discouraged by Oracle. Furthermore, this example might not function properly in certain deployments, especially when propagating HttpSession across J2EE applications.
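As an added example (not the guide's sample code and not Oracle's), a hypothetical servlet standing in for wlsintegration.jsp: it reads the attributes listed under the SP engine data above from the forwarded request, creates a session only when the SAML top status is the Success status and the assertion has not expired, stores feduserid and the federation sessionID in the HttpSession, sets its own cookie with path /, and redirects to a local target. It assumes the values arrive as HttpServletRequest attributes on the internal forward, that topstatus carries the SAML 2.0 status URI, and that the relay state holds the final target path; the class name and the ENGINE_AUTH cookie are constructed.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
// Hypothetical servlet standing in for wlsintegration.jsp (added example, not Oracle's code).
public class WlsIntegrationServlet extends HttpServlet {
    // SAML 2.0 top-level success status; assumed to be the value carried by topstatus.
    static final String SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The federation server sets these as request attributes on its internal forward (assumption).
        String topStatus = (String) req.getAttribute("oracle.security.fed.sp.topstatus");
        Date expiration = (Date) req.getAttribute("oracle.security.fed.sp.expirationtime");
        String fedSessionId = (String) req.getAttribute("oracle.security.fed.sessionid");
        String relayState = (String) req.getAttribute("oracle.security.fed.sp.relaystate");
        @SuppressWarnings("unchecked")
        Map<String, Set<Object>> attrs =
                (Map<String, Set<Object>>) req.getAttribute("oracle.security.fed.sp.attributes");
        String userId = firstValue(attrs, "orafed-nameid-value");
        // No session unless the SAML Response succeeded, a NameID is present and it has not expired.
        if (!SAML_SUCCESS.equals(topStatus) || userId == null
                || expiration == null || !expiration.after(new Date())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Federation SSO not accepted");
            return;
        }
        // Drop any pre-authentication session so its id is not carried into the authenticated one.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("feduserid", userId);          // what application.jsp checks
        session.setAttribute("fedsessionid", fedSessionId); // key for clean-up when logout is forwarded
        long remainingSecs = (expiration.getTime() - System.currentTimeMillis()) / 1000;
        session.setMaxInactiveInterval((int) Math.min(Math.max(remainingSecs, 1), Integer.MAX_VALUE));
        // Cookies set by the engine must use path "/" so the browser also sends them to the federation server.
        Cookie marker = new Cookie("ENGINE_AUTH", "1"); // constructed cookie name; assumes HTTPS
        marker.setPath("/");
        marker.setSecure(true);
        resp.addCookie(marker);
        // Only accept a site-local relative path as the final target; otherwise use the sample application.
        boolean localTarget = relayState != null && relayState.startsWith("/") && !relayState.startsWith("//");
        resp.sendRedirect(localTarget ? relayState : "/engine/application.jsp");
    }
    private static String firstValue(Map<String, Set<Object>> attrs, String key) {
        Set<Object> values = attrs == null ? null : attrs.get(key);
        if (values == null || values.isEmpty() || values.iterator().next() == null) return null;
        return values.iterator().next().toString();
    }
}
```

The container's own session cookie (JSESSIONID) is not set here; its path is governed by the web application's deployment descriptor and must likewise be / for the forward-based flow to work.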