Using the WS-Federation Logout Profile Using OpenID Profiles and Extensions

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

■ If the IdP supports PAPE, and if configured to request a specific authentication mechanism, the SP indicates the mechanism to use to authenticate the user at the IdP.

Note: The Oracle Identity Federation authentication mechanism is translated to OpenID authentication methods.

US Government Federal Identity, Credentialing and Access Management (ICAM) Profile

Oracle Identity Federation supports these privacy policy and security requirements for the US Government for OpenID 2.0 deployments:

■ No Personal Identification Information, referenced by the http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf URI. When enabled and specified in the protocol exchange, the IdP cannot include any personal information in the response to the SP.
■ Private Personal Identifier, referenced by the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier URI. When enabled and specified in the protocol exchange, the IdP must return an opaque ClaimedID specific to the RP.
■ GSA Profile for OpenID, referenced by the http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf URI. When enabled and specified in the protocol exchange, the IdP must follow GSA profile rules when performing the OpenID SSO protocol.
■ NIST authentication levels, referenced by the http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf URI. When enabled, the IdP includes the NIST Level of Assurance information in the response to the SP.

Note: While these profiles can be enabled on Oracle Identity Federation, you must ensure that the federation server complies with the requirements.

OpenID Profile Request Processing

Figure 2–6 shows the request processing under the OpenID profile:

Figure 2–6 OpenID Processing Flow
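As an added example (not Oracle's code or part of this guide), the following relying-party-side check evaluates an OpenID 2.0 positive assertion against the requirements listed above: the PAPE fields must be covered by the IdP's signature, the IdP must report the requested policies, the NIST level must meet the SP's minimum, and under the no-PII policy no AX or SReg attributes may be present. The PAPE, AX and SReg namespace URIs are the public extension identifiers; treating the ICAM profile URI cited above as a PAPE auth_policies value, and the sample assertions in the comments, are this example's assumptions.

```python
from urllib.parse import parse_qs

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
# URIs as cited in the guide; using the first one as a PAPE auth_policies value
# is an assumption of this example.
NO_PII_POLICY = "http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf"
NIST_LEVEL_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"


def _aliases(p, ns):
    """Extension aliases the OP bound to namespace ns (openid.ns.<alias> = ns)."""
    return [k[len("openid.ns."):] for k, v in p.items()
            if k.startswith("openid.ns.") and v == ns]


def check_icam_assertion(query, required_policies, min_nist_level):
    """Return a list of findings for an OpenID 2.0 positive assertion; [] means it passed."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if p.get("openid.mode") != "id_res":
        return ["not a positive assertion (openid.mode != id_res)"]
    findings = []
    # openid.signed lists the signed keys without their "openid." prefix
    signed = set(p.get("openid.signed", "").split(","))
    pape = _aliases(p, PAPE_NS)
    if not pape:
        return ["OP did not return the PAPE extension"]
    pre = f"openid.{pape[0]}."
    # PAPE fields outside the signature could be altered by the user agent in transit
    unsigned = sorted(k for k in p if k.startswith(pre) and k[len("openid."):] not in signed)
    if unsigned:
        findings.append(f"PAPE fields not covered by openid.signed: {unsigned}")
    reported = set(p.get(pre + "auth_policies", "").split())
    missing = sorted(set(required_policies) - reported)
    if missing:
        findings.append(f"OP did not report satisfying policies: {missing}")
    # The NIST level travels as auth_level.ns.<a> = NIST_LEVEL_NS and auth_level.<a> = <digit>
    level = None
    for k, v in p.items():
        if k.startswith(pre + "auth_level.ns.") and v == NIST_LEVEL_NS:
            level = p.get(pre + "auth_level." + k[len(pre + "auth_level.ns."):])
    if level is None or not level.isdigit() or int(level) < min_nist_level:
        findings.append(f"NIST level {level!r} is below the required level {min_nist_level}")
    # Under the no-PII policy the response must carry no AX attribute values or SReg fields
    if NO_PII_POLICY in required_policies:
        pii = [k for a in _aliases(p, AX_NS) for k in p if k.startswith(f"openid.{a}.value.")]
        pii += [k for a in _aliases(p, SREG_NS) for k in p if k.startswith(f"openid.{a}.")]
        if pii:
            findings.append(f"personal information returned despite no-PII policy: {sorted(pii)}")
    return findings
```

Run after the standard OpenID 2.0 signature and nonce verification, since a response that passes these checks but carries a bad signature is still worthless.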

2.3 Authentication Engines

Many Oracle Identity Federation features require the user to be authenticated. Such operations include:

■ IdP protocol operations such as single sign-on, federation creation, federation termination, and NameID registration
■ SP protocol operations such as federation creation, federation termination, and NameID registration

To gain a perspective on how authentication is effected, we can think of the federation server as comprising these distinct modules:

1. Oracle Identity Federation provides support for WS-Federation, Liberty 1.x, SAML 1.0/1.1, SAML 2.0, and OpenID protocols.
2. An authentication module provides support for user authentication and integration with IdM solutions. To support these operations, Oracle Access Manager provides a range of identity administration functions including Web single sign-on, user self-service and registration, policy management, and delegated administration.

In this section we look at the authentication flows these modules enable in different configurations:

■ Engines in Oracle Identity Federation
■ Authenticating with a Repository
■ Authenticating with an IdM Solution in IdP Mode
■ Propagating Authentication State to Oracle Access Manager in SP Mode
■ Propagating Authentication State to Oracle Single Sign-On in SP Mode
■ HTTP Basic Authentication

Note: Liberty 1.x support is deprecated.

2.3.1 Engines in Oracle Identity Federation

Oracle Identity Federation interacts with two distinct modules when performing User Federation operations:

■ The authentication engine acts as a local authentication mechanism. In this mode, the authentication module can authenticate locally with available authentication systems. Oracle Identity Federation conveys authentication requests to the authentication module. Depending on the deployment, the authentication module may interact directly with RDBMS or LDAP repositories, or it may delegate authentication to an IdM solution such as Oracle Single Sign-On.
■ The Oracle Identity Federation SP integration engine acts to propagate the authentication state. In this mode, Oracle Identity Federation, as a service provider, uses federation protocols to have the user authenticated at a peer identity provider. Oracle Identity Federation then forwards the user to the authentication module, which propagates and creates an authenticated user session in the deployed IdM solution at the SP. In turn, this enables access to the requested protected resource.

2.3.2 Authenticating with a Repository

In this deployment, the authentication module interacts directly with a number of repositories and IdM solutions to enable Oracle Identity Federation to locally authenticate the user:

■ an RDBMS repository
■ an LDAP repository

Figure 2–7 Authenticating with a Repository in IdP Mode

The flow for a local authentication involving such a deployment is as follows:

■ The user accesses Oracle Identity Federation (Step 1).
■ Oracle Identity Federation forwards the user to the authentication module for local authentication (Step 3).
■ When the authentication module prompts the user for credentials (Step 6), the user enters credentials (Step 5).
■ The authentication module interacts with the repository to authenticate the user (Step 7).
■ The authentication module forwards the user to Oracle Identity Federation with the user's identification (Steps 6, 1).