Background for Custom Implementations

10-4 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

2. An internal process in the server determines that the user needs to be identified using a specific authentication mechanism, either the default one from the configuration or one requested by a remote service provider.

3. The federation server determines which authentication engine to use to challenge/identify the user for the specified authentication mechanism.

4. The federation server then internally forwards the user's request to the Web Context and Login Relative Path of the authentication engine to challenge/identify the user, and it passes some information, specified via Java Objects stored as Attributes of the HttpServletRequest instance:
■ The authentication mechanism to use when challenging the user for identification
■ An identifier referencing the current action that is being performed
■ The ProviderID and the description of the remote service provider for which this local authentication is requested, if a Federation SSO operation is performed
■ The identifier referencing the engine used to authenticate the user
■ The identifier of the user
■ The Force Authentication flag, indicating whether the engine should challenge the user even if the user is already authenticated
■ The Is Passive flag, indicating whether the engine is allowed to visually interact with the user
■ Optionally, a map of attributes that need to be set by the engine: these attributes are required in order for Oracle Identity Federation/IdP to correctly create the assertion with the AttributeStatement, as specified by the configuration for that specific remote provider
■ Optionally, a String containing the Oracle Identity Federation session identifier, if the user already has an active session

Oracle Identity Federation passes the sessionID of the already existing user session, if one exists, to the authentication engine, so that the engine can persist state linked to the user and reference that data by the sessionID value. Later on, when the logout flow is executed, Oracle Identity Federation passes the sessionID that is being logged out to the engine, so that the engine can delete the data that was used for this user session.

5. The authentication engine processes the incoming request, and it has access to the information stored as HttpServletRequest attributes.

6. The authentication engine interacts with the IAM component and may challenge the user for credentials. After successful authentication, it may set a cookie, for example, to maintain the authenticated session with the IAM server and/or the target application.

7. The authentication module sends the user back to Oracle Identity Federation using an internal forward (Web Context /fed and Login Relative Path /user/loginsso), and it passes the following information as HttpServletRequest attributes:
■ The identifier of the user
■ Authentication time
■ Expiration time of the authenticated session
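The following servlet is an added illustration of steps 4 through 7 as a custom authentication engine; it is not Oracle code and not part of this guide. It assumes the javax.servlet API, and because the page does not list the actual Oracle Identity Federation request attribute names, the ATTR_* keys are placeholders to be replaced with the documented ones. The credential store, the 8-hour session lifetime and the HTTP 401 used to signal a failed Is Passive attempt are constructed assumptions; the /fed context and /user/loginsso path are the values given on the page.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Illustrative custom authentication engine (added example, not Oracle code). The request
// attribute keys are PLACEHOLDERS: the page does not give the real Oracle Identity
// Federation attribute names, so substitute the documented ones.
public class ExampleAuthnEngineServlet extends HttpServlet {
    static final String ATTR_MECHANISM   = "placeholder.authnMechanism"; // step 4: mechanism to use
    static final String ATTR_FORCE_AUTHN = "placeholder.forceAuthn";     // step 4: Force Authentication flag
    static final String ATTR_IS_PASSIVE  = "placeholder.isPassive";      // step 4: Is Passive flag
    static final String ATTR_SESSION_ID  = "placeholder.sessionId";      // step 4: OIF session identifier
    static final String ATTR_USER_ID     = "placeholder.userId";         // step 7: identifier of the user
    static final String ATTR_AUTHN_TIME  = "placeholder.authnTime";      // step 7: authentication time
    static final String ATTR_EXPIRY_TIME = "placeholder.expirationTime"; // step 7: expiration time
    static final String OIF_CONTEXT = "/fed";              // given on the page
    static final String OIF_LOGIN_PATH = "/user/loginsso"; // given on the page
    // HttpSession key holding the OIF session id across the login-form round trip,
    // because request attributes from OIF's forward do not survive the user's POST.
    static final String PENDING_OIF_SESSION = "engine.pendingOifSession";
    static final long SESSION_LIFETIME_MS = 8L * 60 * 60 * 1000; // assumed local policy: 8 hours
    static final String LOGIN_FORM = "<form method=\"post\"><input name=\"username\">"
            + "<input name=\"password\" type=\"password\"><button>Log in</button></form>";

    // Constructed stand-in for the IAM component of step 6.
    private static final Map<String, String> CREDENTIALS = Map.of("alice", "correct-horse");
    // Engine state linked to the OIF session identifier; deleted again on logout.
    private final Map<String, String> userBySession = new ConcurrentHashMap<>();

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession local = req.getSession(true);
        String oifSessionId;
        if (req.getAttribute(ATTR_MECHANISM) != null) {         // forwarded from OIF (step 4)
            oifSessionId = (String) req.getAttribute(ATTR_SESSION_ID);
            local.setAttribute(PENDING_OIF_SESSION, oifSessionId);
        } else {                                                // the user's own form POST
            oifSessionId = (String) local.getAttribute(PENDING_OIF_SESSION);
        }
        boolean force = Boolean.TRUE.equals(req.getAttribute(ATTR_FORCE_AUTHN));
        boolean passive = Boolean.TRUE.equals(req.getAttribute(ATTR_IS_PASSIVE));

        // Reuse the user already bound to this OIF session unless re-authentication is forced.
        String userId = (oifSessionId != null && !force) ? userBySession.get(oifSessionId) : null;
        if (userId == null) {
            if (passive) {
                // Is Passive forbids a login page. How a failed passive attempt is reported
                // to OIF is not on the page, so this status code is an assumption.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            userId = checkCredentials(req.getParameter("username"), req.getParameter("password"));
            if (userId == null) {                               // step 6: challenge the user
                resp.setContentType("text/html;charset=UTF-8");
                resp.getWriter().print(LOGIN_FORM);
                return;
            }
            if (oifSessionId != null) userBySession.put(oifSessionId, userId);
        }

        // Step 7: set the result attributes and forward internally to OIF.
        long now = System.currentTimeMillis();
        req.setAttribute(ATTR_USER_ID, userId);
        req.setAttribute(ATTR_AUTHN_TIME, new Date(now));
        req.setAttribute(ATTR_EXPIRY_TIME, new Date(now + SESSION_LIFETIME_MS));
        local.removeAttribute(PENDING_OIF_SESSION);
        // Cross-context dispatch must be enabled in the container, or getContext() returns null.
        ServletContext fed = getServletContext().getContext(OIF_CONTEXT);
        if (fed == null) throw new ServletException("cross-context dispatch to " + OIF_CONTEXT + " is disabled");
        fed.getRequestDispatcher(OIF_LOGIN_PATH).forward(req, resp);
    }

    // Called from the engine's logout path with the sessionID that OIF is logging out.
    void logout(String oifSessionId) {
        if (oifSessionId != null) userBySession.remove(oifSessionId);
    }

    // Stand-in for the IAM credential check (constant-time compare); returns the user id or null.
    static String checkCredentials(String username, String password) {
        if (username == null || password == null) return null;
        byte[] expected = CREDENTIALS.getOrDefault(username, "").getBytes(StandardCharsets.UTF_8);
        byte[] given = password.getBytes(StandardCharsets.UTF_8);
        return (expected.length > 0 && MessageDigest.isEqual(expected, given)) ? username : null;
    }
}
```

Two points the code makes explicit that the step list leaves implicit: the attributes OIF sets on the forwarded request exist only for that one request, so anything the engine needs after the user submits the login form (here the OIF session identifier) has to be carried in the engine's own HttpSession, and the per-session state the engine keeps must be keyed by the OIF sessionID so that the logout flow can remove exactly that entry. The internal forward back to /fed requires the servlet container to permit cross-context dispatch between the engine's web application and the OIF one; the null check on getContext() makes that misconfiguration fail loudly instead of silently dropping the user.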