Select LDAP Directory from the Repository Type dropdown list.

5-74 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

■ after local authentication, or
■ after the incoming assertion is mapped with the use of a federated identity record, when the server acts as a Service Provider

To configure Oracle Identity Federation not to use a user data store:

1. Modify Oracle Identity Federation Data Store Configuration
2. Modify Oracle Identity Federation Configuration to use the user identifier

Modify Oracle Identity Federation Data Store Configuration

Follow these steps to configure no user data store:

1. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

2. Navigate to Administration, then Data Stores.

3. In the User Data Store section, click Edit.

4. Select None from the Repository Type dropdown list.

5. Click OK.

Modify Oracle Identity Federation Configuration to use the User Identifier

When None is selected as the user data store, you can configure Oracle Identity Federation so that the user identifier is used to populate assertion data, or to configure the federation data store. If Oracle Identity Federation acts as an Identity Provider, you can configure the server to:

■ set the user identifier as the Assertion Name ID
To achieve this, navigate to the NameID format table, and set the user attribute for the NameID format to orafed-userid.
■ add the user identifier as an assertion attribute
To achieve this, navigate to the configuration screen for the remote Service Provider to which the assertion will be sent, define an attribute to be sent, and set the user attribute to orafed-userid.

If a federation data store is in use, be sure to configure Oracle Identity Federation to use orafed-userid as the user ID attribute and user description attribute in the section that configures the federation data store.

5.13.2 Manage the Federation Data Store

Oracle Identity Federation provides the option of configuring a back-end data store to store records containing federated identity information. If configured to use a federation data store of type XML, LDAP, or RDBMS, Oracle Identity Federation will create a federation record for each user, store this record in the selected data store, and use it in Single Sign-On to create an assertion if acting as the identity provider, or to map the assertion received from the IdP to a user if acting as the service provider.

Using persistent Name IDs with the SAML 2.0 protocol requires a Federation Datastore, because an opaque identifier must be created for each user; that is, the Name ID used to identify the user cannot be an attribute from the user datastore, and must therefore be created and stored separately.

Oracle Identity Federation creates the federation record the first time that the user performs a Single Sign-On operation. If acting as a service provider and using persistent Name IDs, since the Name ID does not contain any user information, Oracle Identity Federation prompts the user for local authentication and creates a federation record taking user information from this authentication. Once the federation record has been created, Oracle Identity Federation acting as a service provider will not ask the user to log in locally, since it can automatically map the opaque Name ID in the assertion to the user by using the federation record.

If the Federation Datastore is set to None, Oracle Identity Federation will not create, store, or use federation records, but will instead use attributes in the user data store to identify users, either to create assertions, when acting as the identity provider, or to map assertions to users, when acting as the service provider.
Guidelines

Here are some general guidelines:

■ If the Federation Datastore is set to None:
– Persistent Name IDs cannot be used
– If acting as an identity provider, Oracle Identity Federation will create an assertion by mapping the Name ID format to be used to an attribute in the user data store, and using the value of this attribute as the Name ID.
– If acting as a service provider, Oracle Identity Federation will map the assertion received from the identity provider either by using an attribute query, or by mapping the Name ID in the assertion to an entry in the user data store.
■ If the Federation Datastore is set to XML, LDAP or RDBMS:
– Persistent Name IDs can be used
– If acting as an identity provider, Oracle Identity Federation will use the Name ID stored in the federation record created for the user when creating the assertion.
– If acting as a service provider, Oracle Identity Federation will map the assertion to a user by finding the federation record whose Name ID matches the Name ID included in the assertion.
– If acting as a service provider and using persistent Name IDs, Oracle Identity Federation will prompt for local authentication the first time SSO is performed with a given user and a given provider.

Subsequent sections cover these topics:

■ Configuring Oracle Identity Federation for an RDBMS Federation Data Store

Note: Configuring XML as the federation store is not recommended for production environments. Use an RDBMS or LDAP store in production environments.

Note: You can also set up redundant federation data stores. For more information see Section 5.13.1.4, Configuring a Redundancy User Data Store.
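The following model illustrates the service-provider mapping behaviour described in this section and in the guidelines above: with the Federation Datastore set to None, the Name ID is resolved against a user data store attribute, while with a federation store an opaque persistent Name ID is looked up in federation records, and local authentication is required only on the first SSO. This is an added example, not Oracle Identity Federation's own code; the user store contents, the Name ID format-to-attribute table and the `local_auth` callback are constructed assumptions.

```python
# Model of SP-side Name ID mapping with and without a federation data store.
# Added example, not Oracle's code. User entries and format table are constructed.

# Constructed local user data store: local user id -> attributes
USER_STORE = {
    "alice": {"mail": "alice@example.com", "orafed-userid": "alice"},
    "bob":   {"mail": "bob@example.com",   "orafed-userid": "bob"},
}
# Name ID format -> user-store attribute, used only when no federation store exists
FORMAT_TO_ATTR = {"emailAddress": "mail", "unspecified": "orafed-userid"}


class FederationStore:
    """Federation records keyed by (identity provider, opaque Name ID)."""

    def __init__(self):
        self.records = {}

    def find_user(self, idp, name_id):
        return self.records.get((idp, name_id))

    def create(self, idp, name_id, user_id):
        # The record binds the opaque Name ID to the locally authenticated user.
        self.records[(idp, name_id)] = user_id


def map_assertion(assertion, fed_store, local_auth):
    """Return the local user id for an assertion, or raise if it cannot be mapped.

    assertion:  dict with 'issuer', 'name_id' and 'format'.
    fed_store:  FederationStore, or None when the Federation Datastore is None.
    local_auth: callable performing local authentication and returning a user id;
                invoked only on the first SSO for a given IdP and Name ID.
    """
    idp, name_id, fmt = assertion["issuer"], assertion["name_id"], assertion["format"]
    if fed_store is None:
        if fmt == "persistent":
            raise ValueError("persistent Name IDs require a federation data store")
        attr = FORMAT_TO_ATTR[fmt]
        for uid, attrs in USER_STORE.items():
            if attrs.get(attr) == name_id:
                return uid
        raise LookupError("no user with %s=%s" % (attr, name_id))
    user = fed_store.find_user(idp, name_id)
    if user is None:
        # Opaque Name ID carries no user information: prompt for local login once,
        # then persist the federation record so later SSO maps automatically.
        user = local_auth()
        fed_store.create(idp, name_id, user)
    return user
```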