Configure SAML 2.0 SP Properties

5-26 Oracle Fusion Middleware Administrators Guide for Oracle Identity Federation

Protocol Settings

Provide the following information:

■ Enable SAML 2.0 Protocol - Check the box to enable this protocol for the SP.
■ Enable Single Sign-On Protocol - Check the box to enable the single sign-on protocol.
■ Enable NameID Management Protocol: Register - Check the box to enable NameID registration.
■ Enable Federation Termination Protocol - Check this box to enable the federation termination protocol. See Section 1.2.4.8, Federation Termination Profile for an explanation of this feature.
■ Send Encryption NameIDs - Check this box to enable Oracle Identity Federation to send encrypted name identifiers to peer providers.
■ Send Encryption Attributes - Check this box to enable Oracle Identity Federation to send encrypted attributes to peer providers.
■ Allow Federation Creation - Check this box to allow federation creation. This is required if you configure the SP to request persistent NameID format as described below.
■ Force User Consent - Check this box to force consent for setting up a new federation. A user who is redirected to the federation server will explicitly have to accept or deny account linking in order to proceed.
■ User Consent URL - Enter the URL to be displayed to the user to obtain consent for federation. The server passes a number of query parameters to this URL:

Table 5–5 Parameters Passed to User Consent URL

Parameter    Description
providerid   This is the peer provider id.
description  This is the description of the peer provider id.
returnurl    This is the URL to which the user should be directed once a consent decision has been made.
refid        This is passed as a query parameter to the returnurl. Oracle Identity Federation requires this parameter in order to resume the operation the server had been performing prior to redirection to the consent URL.

See Also: Section 1.2.4.5, Name Identifier Management Profiles

See Also: Section 5.4.1, Configure SAML 2.0 IdP Properties for an example showing how the query parameters are used.

■ Enable Protocol Bindings - Specify the valid bindings using the drop-down list.
■ Default Binding - Specifies the preferred binding to use, when possible, in sending messages to peer providers. Valid values are:
  ■ HTTP Redirect
  ■ HTTP POST
  ■ HTTP Post Simple Sign
  ■ SOAP
■ Default SSO Request Binding - Specifies the preferred binding for the service provider to use, when possible, in sending authentication requests to the identity provider. Use only if this server instance is acting as a service provider. Valid values are:
  ■ HTTP Redirect
  ■ HTTP POST
  ■ HTTP Post Simple Sign
■ Default SSO Response Binding - Specifies the preferred binding for the identity provider to use, when possible, in sending an assertion to the service provider. Valid values are:
  ■ Artifact
  ■ HTTP POST
  ■ HTTP POST Simple Sign
■ Default Authentication Request NameID Format - Use the list box to select a default name ID format for authentication requests. Choices are:
  ■ X.509 Subject Name
  ■ Email Address
  ■ Windows Domain Qualified Name
  ■ Kerberos Principal Name
  ■ Persistent identifier
  ■ Transient/one-time identifier
  ■ Unspecified
  If the default authentication request NameID format at the SP is Unspecified, the IdP will use its default assertion NameID format when creating the assertion (for example, the email NameID format).
■ Request Authentication Context Mechanism - Use this list box to select the authentication mechanism that this service provider will specify in the AuthnRequest to the identity provider.
■ Request Authentication Context Comparison - Use the list box to select the authentication context comparison that this service provider will specify in the AuthnRequest sent to the identity provider.
■ Messages to Send/Require Signed - Use this table when configuring a service provider to specify which message types that provider should send signed and/or require signed.
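The SP protocol settings above determine what the SP puts in the AuthnRequest it sends to the IdP. The following added example (not Oracle Identity Federation code) builds that request from a settings dictionary, enforces the rule stated above that requesting the Persistent NameID format requires Allow Federation Creation, and encodes the result for the HTTP Redirect request binding. The setting keys, the sample entity IDs and the authentication context class are assumptions; the NameID format, binding and Comparison URNs come from the SAML 2.0 specifications, and the mapping of this page's labels onto them is assumed here.

```python
# Added example, not Oracle Identity Federation code (label-to-URN mappings are assumptions).
import base64, uuid, zlib
import xml.etree.ElementTree as ET
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NAMEID_FORMATS = {  # page labels -> NameID format URNs from the SAML 2.0 specs
    "X.509 Subject Name": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "Email Address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Windows Domain Qualified Name": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "Kerberos Principal Name": "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "Persistent identifier": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "Transient/one-time identifier": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
RESPONSE_BINDINGS = {  # Default SSO Response Binding -> AuthnRequest/@ProtocolBinding
    "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "HTTP POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "HTTP POST Simple Sign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
}
COMPARISONS = ("exact", "minimum", "maximum", "better")  # RequestedAuthnContext/@Comparison

def validate(s):
    """Return the configuration problems found; an empty list means the settings are consistent."""
    problems = []
    if s["nameid_format"] == "Persistent identifier" and not s["allow_federation_creation"]:
        problems.append("Persistent NameID requested but Allow Federation Creation is unchecked")
    if s["sso_response_binding"] not in RESPONSE_BINDINGS:
        problems.append("unsupported Default SSO Response Binding")
    if s["authn_context_comparison"] not in COMPARISONS:
        problems.append("unsupported Request Authentication Context Comparison")
    return problems

def build_authn_request(s, sp_entity_id, idp_sso_url, issue_instant):
    """Build the AuthnRequest XML; the Unspecified format omits NameIDPolicy/@Format."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_" + uuid.uuid4().hex, Version="2.0",
                     IssueInstant=issue_instant, Destination=idp_sso_url,
                     ProtocolBinding=RESPONSE_BINDINGS[s["sso_response_binding"]])
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", AllowCreate=str(s["allow_federation_creation"]).lower())
    if s["nameid_format"] != "Unspecified":
        policy.set("Format", NAMEID_FORMATS[s["nameid_format"]])
    ctx = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", Comparison=s["authn_context_comparison"])
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = s["authn_context_class"]
    return ET.tostring(req, encoding="unicode")

def redirect_binding_param(xml_text):
    """HTTP Redirect request binding: raw DEFLATE then base64, sent as the SAMLRequest query parameter."""
    return base64.b64encode(zlib.compress(xml_text.encode())[2:-4]).decode()
```

The SOAP and Artifact bindings listed above are not modelled here; for the HTTP POST request binding the XML is base64-encoded without the DEFLATE step.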

5.5.3 Configure SAML 1.x SP Properties

Use this tab to specify configuration details for Oracle Identity Federation SAML 1.x domains.

Assertion Settings

Select one of these mapping choices:

■ Map User via Attribute Query - Check the box and enter an attribute query.
■ Map User via NameID - Check the box and select the applicable NameID formats from the table titled Assertion Subject NameID Formats.

Additionally, you can check Error when User Mapping Fails to indicate how Oracle Identity Federation should handle mapping errors.

See Also: Section 5.14, Configuring Authentication Mechanisms

Notes:
■ The Require Signed Assertion property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.
■ If you configure the SP to request Persistent NameID format, or if it expects to receive Persistent from the IdP in case the SP does not specify a format, then the SP has to be configured to allow federation creation.
■ Although your configuration changes are saved when you click Apply, at least one of the protocol boxes must also be checked to ensure that the changes on this page are effective.

To Use the Table of Assertion Subject NameID Formats

If you selected assertion mapping through subject NameIDs, provide this information in the table:

■ Enabled - Check the corresponding Enabled box to enable the desired formats that the Oracle Identity Federation instance will support as SAML 1.1/1.0 name identifier formats in SP mode.
■ NameID Format - This column displays the available SAML 1.x NameID formats.
■ User Attribute Mapping - Enter the attribute name for the selected name ID format. Oracle Identity Federation will use this attribute name to perform a lookup in the user data store for a name ID in this format.

The name identifier formats are as follows:

Table 5–6 SAML 1.1/1.0 SP Name ID Formats

NameID Format                  Default
X.509 Subject Name             dn
Email Address                  mail
Windows Domain Qualified Name  empty
Unspecified                    empty
Custom                         empty

Protocol Settings

Provide the following information:

■ Enable SAML 1.1 Protocol - Check the box to enable this protocol for the SP.
■ Enable SAML 1.0 Protocol - Check the box to enable this protocol for the SP.
■ Enable Protocol Bindings - Use the drop-down to select the binding to use.
■ Messages to Send/Require Signed - Use this table when configuring a service provider to specify which message types that provider should send signed and/or require signed.

5.5.4 Configure WS-Federation 1.1 SP Properties

Use this page to configure Oracle Identity Federation to use the WS-Federation 1.1 protocol when acting as a service provider. Provide the following information:

■ Enable WS-Federation 1.1 Protocol - Check the box to enable the WS-Federation 1.1 protocol for the provider.
■ Request Authentication Context Mechanism - Use the drop-down to select the authentication mechanism that will be sent in the authentication request to the identity provider.

Click Apply to save your changes, or Revert to restore the screen to its previous values.

5.5.5 Configure OpenID SP Properties

Use this page to configure the OpenID protocol in SP mode.

Note: Although your configuration changes are saved when you click Apply, at least one of the protocol boxes must also be checked to ensure that the changes on this page are effective.

See Also: Section 2.2.1.3, OpenID 2.0 Protocol.