Overriding NameID Mapping Per Partner

■ For WS-Fed protocol exchanges using SAML assertions, set the Audience as the ProviderID of the service provider.

When Oracle Identity Federation receives and processes an assertion, by default it validates the AudienceRestrictionCondition, if present, by using the ProviderID or the URL where the assertion was posted. Depending on the deployment scenario, it might be necessary to disable generation and validation of the AudienceRestrictionCondition element; you can do so either at a protocol level (SAML 1.0, SAML 1.1 or SAML 2.0 assertions) or at the trusted provider level. Keep in mind that the Audience is what ties an assertion to this service provider: with validation disabled, an assertion that an IdP issued for a different SP is accepted here as well, so disable it only when a partner cannot emit a usable Audience value, and prefer the per-provider setting over the global one.

To configure Oracle Identity Federation to control generation and processing of the AudienceRestrictionCondition for SAML 1.x/SAML 2.0 assertions at a global level, enter the WLST script environment for the Oracle Identity Federation instance, and:

■ Set the audiencerestrictionenabled boolean property from the idpsaml10, idpsaml11 or idpsaml20 groups to true (default) to enable the generation of AudienceRestrictionCondition when creating a SAML 1.0, SAML 1.1 or SAML 2.0 assertion respectively:

setConfigProperty('idpsaml11', 'audiencerestrictionenabled', 'true', 'boolean')

Set it to false to disable the generation of the condition.

■ Set the audiencerestrictionenabled boolean property from the spsaml10, spsaml11 or spsaml20 groups to true (default) to enable the validation of AudienceRestrictionCondition when processing a SAML 1.0, SAML 1.1 or SAML 2.0 assertion respectively:

setConfigProperty('spsaml11', 'audiencerestrictionenabled', 'true', 'boolean')

Set it to false to disable validation of the condition.

To configure Oracle Identity Federation to enable generation and processing of the AudienceRestrictionCondition for a specific trusted provider, enter the WLST script environment for the Oracle Identity Federation instance, and set the audiencerestrictionenabled boolean property for the trusted provider referenced by REMOTE_PROVIDER_ID to true:

setFederationProperty('REMOTE_PROVIDER_ID', 'audiencerestrictionenabled', 'true', 'boolean')

Set the property to false to disable generation and processing of the condition.

You can also configure Oracle Identity Federation to use a custom string when:

■ Oracle Identity Federation/IdP creates an assertion. Oracle Identity Federation uses the custom string specified in the configuration to populate the AudienceRestrictionCondition element.
■ Oracle Identity Federation/SP processes an assertion. Oracle Identity Federation validates the AudienceRestrictionCondition element, if present, by comparing it to the custom string specified in the configuration.

To configure Oracle Identity Federation to use a specific audience value when validating the AudienceRestrictionCondition for SAML 1.x/SAML 2.0 assertions at a global level, enter the WLST script environment for the Oracle Identity Federation instance, and set the audiencerestrictionvalue string property from the spsaml10, spsaml11 or spsaml20 groups to the custom value that Oracle Identity Federation uses during the validation of AudienceRestrictionCondition when processing a SAML 1.0, SAML 1.1 or SAML 2.0 assertion respectively:

setConfigProperty('spsaml11', 'audiencerestrictionvalue', 'someglobalvalue', 'string')

If you set audiencerestrictionvalue to the empty string, Oracle Identity Federation/SP validates the AudienceRestrictionCondition element as shown above, that is, against its ProviderID or the URL where the assertion was posted.

To configure Oracle Identity Federation to use a specific Audience value when generating/validating the AudienceRestrictionCondition for a specific trusted provider, enter the WLST script environment for the Oracle Identity Federation instance, and set the audiencerestrictionvalue string property for the trusted provider referenced by REMOTE_PROVIDER_ID to the custom string used to generate and validate the condition when creating and processing an assertion:

setFederationProperty('REMOTE_PROVIDER_ID', 'audiencerestrictionvalue', 'customvalue', 'string')

If you set audiencerestrictionvalue to the empty string, Oracle Identity Federation populates/validates the AudienceRestrictionCondition element as shown above.
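The SP-side validation described in this section, as an added example in Python (not Oracle Identity Federation code): it models the default check against the SP's ProviderID or the URL the assertion was posted to, the effect of a custom audiencerestrictionvalue, and what setting audiencerestrictionenabled to false lets through, for both the SAML 1.x and the SAML 2.0 element names. The ProviderID https://sp.example.com/fed/sp, the other URLs and the assertions are constructed for the example; signature verification is out of scope.

```python
"""SP-side AudienceRestriction check, modelled on the behaviour described above.

Added example, not Oracle Identity Federation code. It applies the three SP settings
from the text to constructed assertions:
  audiencerestrictionenabled = false -> the condition is not validated at all
  audiencerestrictionvalue   = ""    -> accept the SP ProviderID or the URL the
                                        assertion was posted to (the default)
  audiencerestrictionvalue   = "X"   -> accept only the custom string X
The element names differ by protocol: SAML 1.x uses AudienceRestrictionCondition,
SAML 2.0 uses AudienceRestriction.
"""
import xml.etree.ElementTree as ET

SAML1X = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.0 and 1.1 share this namespace
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

SP_PROVIDER_ID = "https://sp.example.com/fed/sp"    # assumed SP ProviderID for the example


def saml11_assertion(*audiences):
    """Constructed SAML 1.1 assertion carrying one AudienceRestrictionCondition."""
    auds = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    return (f'<saml:Assertion xmlns:saml="{SAML1X}" MajorVersion="1" MinorVersion="1">'
            f"<saml:Conditions><saml:AudienceRestrictionCondition>{auds}"
            "</saml:AudienceRestrictionCondition></saml:Conditions></saml:Assertion>")


def saml20_assertion(*audiences):
    """Constructed SAML 2.0 assertion carrying one AudienceRestriction."""
    auds = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    return (f'<saml:Assertion xmlns:saml="{SAML20}" Version="2.0">'
            f"<saml:Conditions><saml:AudienceRestriction>{auds}"
            "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>")


def extract_audience_conditions(assertion_xml):
    """Return a list of conditions, each a list of Audience values, or None when the
    assertion carries no audience restriction. An assertion may contain several
    restriction elements; every one of them must be satisfied, while any single
    Audience inside one element satisfies that element."""
    root = ET.fromstring(assertion_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    cond_tag = "AudienceRestriction" if ns == SAML20 else "AudienceRestrictionCondition"
    q = lambda t: f"{{{ns}}}{t}" if ns else t          # qualify a tag with the namespace
    conds = root.findall(f"{q('Conditions')}/{q(cond_tag)}")
    if not conds:
        return None
    return [[(a.text or "").strip() for a in c.findall(q("Audience"))] for c in conds]


def validate_audience(assertion_xml, *, enabled=True, custom_value="",
                      sp_provider_id=SP_PROVIDER_ID, posted_url=""):
    """Apply the SP-side check and return (accepted, reason)."""
    if not enabled:
        # audiencerestrictionenabled=false: an assertion issued for another SP passes.
        return True, "audiencerestrictionenabled=false: condition not validated"
    conds = extract_audience_conditions(assertion_xml)
    if conds is None:
        return True, "no audience restriction present"
    if custom_value:
        acceptable = {custom_value}                                  # audiencerestrictionvalue set
    else:
        acceptable = {v for v in (sp_provider_id, posted_url) if v}  # default behaviour
    for audiences in conds:
        if not any(a in acceptable for a in audiences):
            return False, f"audience {audiences} does not match {sorted(acceptable)}"
    return True, "audience restriction satisfied"


if __name__ == "__main__":
    own = saml20_assertion(SP_PROVIDER_ID)
    other = saml20_assertion("https://other-sp.example.net/fed/sp")
    print(validate_audience(own))                                   # accepted
    print(validate_audience(saml11_assertion(SP_PROVIDER_ID)))      # accepted, SAML 1.1 form
    print(validate_audience(other))                                 # rejected
    print(validate_audience(other, enabled=False))                  # accepted: check disabled
    print(validate_audience(saml20_assertion("partner-audience"),
                            custom_value="partner-audience"))       # accepted: custom value
```

The fourth call is the one to watch in a real deployment: once audiencerestrictionenabled is false on the SP side, an assertion minted for another service provider is accepted without complaint, which is why the text recommends scoping such changes to a single trusted provider.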

6.22 Certificate Path Validation

Oracle Identity Federation provides a certificate validation module (described in Section 5.10.3, "Security and Trust - Trusted CAs and CRLs") that validates any certificate used for XML digital signature verification by using the certificates of the Trusted CAs and the CRLs uploaded by the administrator. The module integrates with the JRE CertPathValidation API to validate certificates using the default CertPathValidation module configured in the JVM. When the default CertPathValidation module is the Sun implementation, Oracle Identity Federation can leverage the Online Certificate Status Protocol (OCSP) and the CRL Distribution Point (CDP) features provided by the Sun module.

You manage the certificate validation flow using the following properties:

■ In Fusion Middleware Control, navigate to the Oracle Identity Federation server instance, then Security and Trust, then the Trusted CAs and CRLs section:
– Checking the Enable Certificate Validation box enables certificate validation in Oracle Identity Federation.
– The Trusted Certificate Authorities table lists all the known and trusted certificates of the CAs.
– The Certificate Revocation Lists table contains the CRLs used to check the revocation status of certificates.
■ The certpathvalidationenabled boolean property in the serverconfig configuration group determines the validation module to be used:
– false means that Oracle Identity Federation's internal certificate validation module is used, based on the Trusted Certificate Authorities and Certificate Revocation Lists tables.