Providing XML Message to SP Engine after SSO Completes

During an operation that consumes an assertion, when Oracle Identity Federation acts as a service provider, the server tries to locate the federation record referenced in the NameID element contained in the assertion. By default, it first performs a lookup based on the SP NameID; if no results are returned, it performs a lookup based on the IdP NameID.

In some deployments, Oracle Identity Federation:
■ might not be configured to do any NameID Management protocol exchanges, and
■ might not have any of its federation records updated to set an SP NameID (that is, the administrator never performed an update operation on any federation records using the administrative tools).

In this case, the first federation record lookup performed during assertion consumption, the one using the SP NameID, will never return any records and only increases the response time. If the SP NameID lookup is not needed, you can disable it to improve performance.

To enable or disable the lookup, enter the WLST script environment for Oracle Identity Federation and make this configuration change:
■ Set the fedusespnameidlookup boolean property from the datastore group to true to enable the SP NameID lookup.
■ Set the fedusespnameidlookup boolean property from the datastore group to false to disable the SP NameID lookup.

For example:

    setConfigProperty('datastore', 'fedusespnameidlookup', 'false', 'boolean')
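The lookup order and the effect of the fedusespnameidlookup setting, modelled in Python as an added example (not Oracle Identity Federation code). The record fields, FederationStore, locate_record, safe_to_disable and run are assumptions made for illustration, and the sample records are constructed.

```python
# Added illustration: simplified model of the two-step federation record lookup.
# Record fields, class and function names are assumptions, not OIF internals.

class FederationStore:
    """In-memory stand-in for the federation datastore that counts queries."""

    def __init__(self, records):
        self.records = records
        self.queries = 0

    def find(self, field, name_id):
        self.queries += 1
        return [r for r in self.records if r.get(field) == name_id]


def locate_record(store, name_id, use_sp_lookup=True):
    """Documented order: SP NameID first, then IdP NameID as the fallback."""
    if use_sp_lookup:  # models fedusespnameidlookup = true
        hits = store.find("sp_name_id", name_id)
        if hits:
            return hits[0]
    hits = store.find("idp_name_id", name_id)
    return hits[0] if hits else None


def safe_to_disable(records):
    """The SP lookup is redundant only if no record has an SP NameID set."""
    return not any(r.get("sp_name_id") for r in records)


def run(records, name_ids, use_sp_lookup):
    """Resolve each NameID; return (matched users, datastore queries used)."""
    store = FederationStore(records)
    users = []
    for n in name_ids:
        rec = locate_record(store, n, use_sp_lookup)
        users.append(rec["user"] if rec else None)
    return users, store.queries


# Constructed sample data: no record was ever updated with an SP NameID.
PLAIN = [{"user": "alice", "idp_name_id": "idp-001", "sp_name_id": None},
         {"user": "bob", "idp_name_id": "idp-002", "sp_name_id": None}]
# Constructed sample data: one record was given an SP NameID by an update.
UPDATED = PLAIN + [{"user": "carol", "idp_name_id": "idp-003",
                    "sp_name_id": "sp-777"}]

if __name__ == "__main__":
    for label, recs, ids in (("plain", PLAIN, ["idp-001", "idp-002"]),
                             ("updated", UPDATED, ["sp-777"])):
        print(label, safe_to_disable(recs),
              run(recs, ids, True), run(recs, ids, False))
```

In this model, disabling the SP lookup halves the queries when no record carries an SP NameID, and a NameID that matches only an SP NameID no longer resolves once the lookup is off.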

6.15 Setting up Backwards Compatibility for Oracle Identity Federation 10g and ShareID service URLs

Background

Oracle Identity Federation 10g, and SHAREid/COREid Federation 2.x, provided service URLs for SAML 1.x and WS-Federation protocol support which were different from the SAML 2.0 and Liberty 1.x service URLs. These URLs have been modified in the 11g Oracle Identity Federation for consistency with the SAML 2.0 and Liberty 1.x service URLs.

Customers upgrading to Oracle Identity Federation 11g, who use SAML 1.x or WS-Federation, must inform their partner providers of the new single sign-on service URLs. To ease that transition, Oracle Identity Federation 11g provides a separate module that allows backwards compatibility with the SHAREid service URLs. This module is a JavaEE application you can deploy alongside Oracle Identity Federation, to handle requests for the ShareID/Oracle Identity Federation 10g service URLs and redirect/forward them to the corresponding Oracle Identity Federation 11g service URLs.

Note: By default, the SP NameID lookup is enabled.

Note: Liberty 1.x support is deprecated.