Business Processing Plug-in API

When the IAM system invokes Oracle Identity Federation for federated SSO, the flow is as follows:

1. A user attempts to access a resource protected by the IAM system.
2. The IAM system determines that the user needs to be authenticated by means of a federated SSO operation.
3. The IAM system redirects the user to the Oracle Identity Federation SP engine with which it is integrated.
4. The Oracle Identity Federation SP integration module, which could be a custom module, performs some operations and internally forwards the user to Oracle Identity Federation, specifying the information needed for the operation. For example, it can specify the authentication mechanism to use, the relay state, and so on.
5. Oracle Identity Federation processes the information, triggers the federated SSO operation, and redirects the user to the remote identity provider for authentication.
6. The identity provider identifies the user, creates an assertion, and redirects the user back to the Oracle Identity Federation SP.
7. Oracle Identity Federation validates the assertion, maps it to a user in the local domain, and creates an Oracle Identity Federation session for the user.
8. Oracle Identity Federation internally forwards the user back to the SP integration module that triggered the flow, or to the default SP integration module in the case of an IdP-initiated SSO operation.
9. The SP integration module processes the data, creates a web access session, and redirects the user to the protected resource.
10. The IAM system grants the user access to the resource.

You can use custom actions to customize the data exchanged between the federation server and the SP integration module, and to perform certain actions in the process. To set up a custom action plug-in:

– implement a pre-processing plug-in when actions or changes must occur before the SP Integration Module redirects the user to Oracle Identity Federation to start the flow.
– implement a post-processing plug-in when actions or changes must happen after the federated SSO operation, when the user is redirected from Oracle Identity Federation to the SP Integration Module.
– deploy the plug-in to the WebLogic Managed Server where Oracle Identity Federation is running.
– configure the SP integration module to invoke the plug-in instead of redirecting to Oracle Identity Federation, so that the plug-in can perform the custom tasks.

Note: If the default out-of-the-box SP integration module is in use, you will need to modify the Oracle Identity Federation configuration; if a custom engine is in use, you will need to update the engine.

– configure Oracle Identity Federation to invoke the plug-in instead of the SP integration module, so the plug-in can perform the custom tasks.

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

12.1.3 Custom Actions Architecture

Figure 12–1 explains the custom actions plug-in architecture.

Figure 12–1 Custom Action Plug-ins

In this figure, Oracle Identity Federation is customized and configured to invoke plug-ins:

■ before the SP integration engine invokes Oracle Identity Federation
■ before Oracle Identity Federation invokes the SP integration engine
■ before Oracle Identity Federation invokes the authentication engine
■ before the authentication engine invokes Oracle Identity Federation

12.1.3.1 Flow for Oracle Identity Federation as SP

During a federated SSO operation where Oracle Identity Federation acts as the service provider, the flow is as follows:

1. An Identity and Access Management (IAM) module such as Oracle Access Manager invokes the SP integration engine to start a federated SSO operation. The SP integration engine invokes the pre-processing plug-in for the SP engine to perform custom actions.
2. The pre-processing plug-in for the SP engine invokes Oracle Identity Federation to start the federated SSO flow.
3. Oracle Identity Federation redirects the user to an IdP, where the user is authenticated and an assertion is created.
4. The IdP redirects the user back to Oracle Identity Federation with an assertion, which is validated and mapped to a user.
5. Oracle Identity Federation bundles the user and assertion data, and invokes the post-processing plug-in for the SP engine to perform some custom tasks.
6. The post-processing plug-in invokes the SP integration engine, providing the user and assertion data.