Managing Credentials for Oracle Identity Federation

5 Configuring Oracle Identity Federation

This chapter describes configuration tasks for Oracle Identity Federation. It contains these topics:

■ Data Maintained by Oracle Identity Federation
■ Configuring Server Properties
■ Configuring Identity Providers - Common Properties
■ Configuring Identity Providers - Protocol-Specific Properties
■ Configuring Service Providers
■ Configuring Attribute Sharing with the Oracle Access Manager AuthZ Plug-in
■ Configuring Identity Provider to send attributes in SSO Assertions
■ Web Services Interface for Attribute Sharing
■ Configuring Attribute Mapping and Filtering
■ Configuring Security and Trust
■ Configuring Federations
■ Configuring Identities
■ Managing Data Stores
■ Configuring Authentication Mechanisms
■ Configuring Authentication Engines
■ Configuring SP Integration Modules

5.1 Data Maintained by Oracle Identity Federation

The Oracle Identity Federation administrator acquires the data needed to manage and operate the server from a variety of sources, including third parties (other providers' administrators), agreements with those third parties, and local configuration decisions. The administrator is responsible for loading and maintaining this information in the federation server. Broadly speaking, the federation server maintains two categories of configuration details:

■ Server Configuration Data, which includes properties that determine the runtime behavior of a federation server instance
■ User Federation Data, including details about individual users' federated identities and usage information

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

5.1.1 Server Configuration Data

Each Oracle Identity Federation instance maintains two types of configuration data:

■ Protocol data, including:
  – properties of the server instance as a whole, including the hostname and port, whether SSL is enabled, the signing and encryption PKCS#12/JKS keystores, and so on
  – how the server instance supports its enabled federation protocols when acting as an identity provider, including session time-outs, re-authentication time-outs, the default provider ID, and so on
  – how the server instance supports its enabled federation protocols when acting as a service provider. The data maintained in this case is very similar to the data stored when the server acts as an identity provider
■ Information about peer providers that are trusted providers of this server. Trusted provider configuration data includes:
  – name ID formats to use for assertions
  – attributes to send along with an authentication response
  – signing requirements for assertions and authentication requests
  – preferred bindings
  – validity periods of assertions and artifacts
  – other time-related parameters, such as the allowable time difference between servers whose clocks are not synchronized
  – account linking parameters

Configuration Settings and Provider Metadata

Note that relationships may exist between configuration settings and the provider metadata that the server generates. Some settings do not affect the metadata while others do. For example, changing the Session Timeout value does not affect the metadata, but changing the SOAP port requires the administrator to re-publish the metadata to the other trusted providers. Likewise, the administrator must be aware of changes to peer providers' metadata. Here is a list of properties that affect metadata:

■ Metadata Properties
  – Signing Metadata
  – Validity Period
■ Server Properties
  – Server Hostname
  – Server Port
  – SOAP Port
  – IdP Enabled
  – SP Enabled
  – SSL Enabled
  – Signing PKCS#12/JKS Keystore
  – Encryption PKCS#12/JKS Keystore
■ Common IdP Properties
  – ProviderID
  – SAML 2.0 Enabled
■ Common SP Properties
  – ProviderID
  – SAML 2.0 Enabled
  – Enable Attribute Requester Service
■ SAML 2.0 IdP Properties
  – Enable Protocol Profiles
  – Federation Termination Enabled
  – Register NameID Enabled
  – Attribute Responder Enabled
■ SAML 2.0 SP Properties
  – Enable Protocol Profiles
  – Federation Termination Enabled
  – Register NameID Enabled

The metadata URLs for the various protocols are in this format:

■ IdP metadata URL - https://hostname:port/fed/idp/metadata?version=version
■ SP metadata URL - https://hostname:port/fed/sp/metadata?version=version

where version can be saml20, saml11, saml10, lib11, or lib12.

Note: Liberty 1.x support is deprecated.
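The following is an added example, not code from the Oracle guide: it encodes the list of metadata-affecting properties above so that a configuration change can be checked for whether peers must receive re-published metadata, and it builds the IdP/SP metadata URLs in the format given. The property-key naming (an "IdP "/"SP " prefix on the per-role properties) and the sample configuration values are my own assumptions.

```python
# Added example (not Oracle's code): classify OIF configuration changes by
# whether they alter the published provider metadata, and build metadata URLs.
from urllib.parse import urlencode

# Properties the guide lists as affecting generated metadata. Per-role entries
# are prefixed "IdP " / "SP " here (assumed naming) to keep the set flat.
METADATA_AFFECTING = {
    "Signing Metadata", "Validity Period",
    "Server Hostname", "Server Port", "SOAP Port", "IdP Enabled", "SP Enabled",
    "SSL Enabled", "Signing PKCS#12/JKS Keystore", "Encryption PKCS#12/JKS Keystore",
    "IdP ProviderID", "IdP SAML 2.0 Enabled",
    "SP ProviderID", "SP SAML 2.0 Enabled", "Enable Attribute Requester Service",
    "IdP Enable Protocol Profiles", "IdP Federation Termination Enabled",
    "IdP Register NameID Enabled", "Attribute Responder Enabled",
    "SP Enable Protocol Profiles", "SP Federation Termination Enabled",
    "SP Register NameID Enabled",
}
METADATA_VERSIONS = ("saml20", "saml11", "saml10", "lib11", "lib12")
DEPRECATED_VERSIONS = ("lib11", "lib12")  # Liberty 1.x support is deprecated


def changes_requiring_republish(old: dict, new: dict) -> set:
    """Return the changed properties that alter the metadata, i.e. the ones
    after which the metadata must be re-published to trusted peers."""
    changed = {k for k in set(old) | set(new) if old.get(k) != new.get(k)}
    return changed & METADATA_AFFECTING


def metadata_url(hostname: str, port: int, role: str, version: str) -> str:
    """Build the IdP or SP metadata URL in the format the guide gives."""
    if role not in ("idp", "sp"):
        raise ValueError("role must be 'idp' or 'sp'")
    if version not in METADATA_VERSIONS:
        raise ValueError(f"unknown metadata version {version!r}")
    query = urlencode({"version": version})
    return f"https://{hostname}:{port}/fed/{role}/metadata?{query}"


if __name__ == "__main__":
    # Constructed sample: Session Timeout and SOAP Port both change, but only
    # the SOAP Port change affects the published metadata.
    old_cfg = {"Session Timeout": 3600, "SOAP Port": 7499, "IdP Enabled": True}
    new_cfg = {"Session Timeout": 7200, "SOAP Port": 7500, "IdP Enabled": True}
    print("re-publish needed for:", changes_requiring_republish(old_cfg, new_cfg))
    print(metadata_url("fed.example.com", 7499, "idp", "saml20"))
    for v in METADATA_VERSIONS:
        if v in DEPRECATED_VERSIONS:
            print(f"{v}: deprecated, avoid publishing new Liberty 1.x metadata")
```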

5.1.2 User Federation Data

A data store contains each user's identity federation data; the data store can be an LDAP directory or an RDBMS. In addition to the user's basic reference information, there are records for each unique identity federation associated with the user. A federation record is defined by:

■ the remote provider
■ the name identifier type (for example, an e-mail address or a DN)
■ the protocol (for example, SAML 2.0)

Note: You can retrieve the metadata from Fusion Middleware Control by navigating to Security and Trust, then Provider Metadata.