Required Components Installation Requirements

Planning Oracle Identity Federation Deployment 2-25

– Oracle Internet Directory
– Microsoft Active Directory
– Sun Java System Directory Server

■ One of these versions of Oracle Database for the RDBMS transient data store:
– Oracle Database 10.2.0.4 or higher
– Oracle Database 11.1.0.7 or higher
– Oracle Database 11.2.x

■ Oracle HTTP Server for proxy implementation; this is the only proxy server supported by Oracle Identity Federation, and is bundled with the installation.

2.6 Sizing Guidelines

When planning to deploy a federated identity system that leverages Oracle Identity Federation, it is critical to understand the performance considerations, choices, and trade-offs involved in the architecture. This section considers various factors that have an impact on performance in a federated environment, and provides some guidelines to help you assess hardware requirements for a production system with a standalone Oracle Identity Federation server. The following topics are included:

■ Deployment and Architecture Considerations
■ Typical Deployment Scenario
■ Reference Server Footprint
■ Topology

2.6.1 Deployment and Architecture Considerations

Before deploying Oracle Identity Federation, you must define the architecture and the role that Oracle Identity Federation will play in a federated authentication setting. Here are some decisions that you must make:

■ Which federation specifications will be used with the various trusted partners? Choices include:
– SAML 2.0. Because it has additional flows compared with SAML 1.x, performance considerations may play a greater role.
– SAML 1.0 and 1.1
– WS-Federation

Note: A user federation data store is not absolutely required for Oracle Identity Federation in all cases: it is required for Liberty 1.x and for SAML 2.0 opaque persistent identifiers, but is optional for SAML 1.x, WS-Federation, and SAML 2.0 non-opaque identifiers such as email address, subject DN, and so on.

Note: Check the certification matrix for the most current version information.

■ What profiles will you use to federate with your partners? Options include the Browser POST or Artifact profile, the WS-Federation Passive Requestor profile, attribute sharing, and others.
■ Which transport security protocols and certificates will be used? Will the assertions be signed?
■ What roles will Oracle Identity Federation be playing? Options are:
– Identity Provider (IdP), also referred to as a source domain
– Service Provider (SP), also referred to as a destination domain
– Both IdP and SP
■ What type of authoritative identity repositories, and from which vendors, will be installed?
■ Will you install a proxy server with Oracle Identity Federation? If so, take into account where the Oracle Identity Federation and proxy servers will reside, for example in the DMZ or behind a firewall.
■ How will the architecture provide high availability scenarios? Specifically:
– Whether you want to support cold failover clusters leveraging the Oracle Application Server High Availability topologies
– Whether you want to set up a common assertion store database to make assertion data available to more than one federation server in a load-balancing and failover configuration

The overall throughput and performance of Oracle Identity Federation can depend on a number of factors, such as:

■ Which profiles are supported (for example, Artifact or POST)
■ Security features in use (using certificates, digitally signing and/or encrypting assertions)
■ Use of the individual components involved in processing a transaction, such as firewalls, proxy servers, LDAP directories, databases, and IAM systems

The subsequent subsections provide more detail on these topics:

■ Profiles
■ Repositories
■ Transient Session and Message Storage
■ Security for Assertions
■ Connection Tuning
■ High Availability
■ Tuning Servers
■ HTTP Session Persistence

Note: Oracle Identity Federation provides an integration framework that enables you to create lightweight federation endpoints without requiring an access management system.