Click OK.

Configuring Oracle Identity Federation for RDBMS User Data Store

■ User Description Attribute - This is the human-readable LDAP attribute used to identify the owner of a federation record, for example uid. Here are examples of the User Description Attribute for different types of directory servers:

– Oracle Internet Directory: uid
– Sun Java System Directory Server: uid
– Microsoft Active Directory: sAMAccountName

■ Person Object Class - Object classes define what data or attributes are associated with an object. A person object class refers to the attributes of a person object; in our context, it is the owner of a federated identity. A directory may use one or more object classes to hold person data (names, addresses, and so on). Enter the LDAP object class representing an LDAP user entry in the server. Here are examples of the person object class for different types of directory servers:

– Oracle Internet Directory: inetOrgPerson
– Sun Java System Directory Server: inetOrgPerson
– Microsoft Active Directory: user

■ Base DN - This is the directory subtree to which the search for users is confined.

■ Maximum Connections - This is the maximum number of LDAP connections that Oracle Identity Federation will open simultaneously to the LDAP server.

■ Connection Wait Timeout - This is the timeout, in minutes, that Oracle Identity Federation uses when opening a connection to the LDAP server.

5.13.1.3 Configuring Oracle Virtual Directory as User Data Store

Oracle Identity Federation can be integrated with Oracle Virtual Directory. When using Oracle Virtual Directory as the user data store, ensure that the base DN, person object class, unique user ID attribute, and user description attribute settings are valid for all directory structures connected to Oracle Virtual Directory: a user whose entry lies outside the base DN, lacks the person object class, or lacks one of those attributes in any connected directory will not be found.

5.13.1.4 Configuring a Redundancy User Data Store

Redundancy is supported for the user data store; this section explains how to set up redundant user data stores. There are two ways to do this:

1. In the user data store configuration, in the Server URL field, enter a list of space-separated LDAP URLs. For example:

ldap://ldap1.oif.mycorp.com ldap://ldap2.oif.mycorp.com ldap://ldap3.oif.mycorp.com

2. Set up a load balancer in front of the LDAP servers and set the ldaphaenabled property in the Oracle Identity Federation configuration to true. For details about this task, see Section 6.4.1, "Configuring High Availability LDAP Servers".
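As an added example (not code from the Oracle documentation or from Oracle Identity Federation itself), the following Python script checks a user data store configuration offline before it is entered in Fusion Middleware Control. It splits the Server URL field into individual LDAP URLs as in the redundancy setup above, flags malformed entries (such as a URL typed without the //) and plain ldap:// servers that would carry the bind password unencrypted, and tests the base DN, person object class, user ID attribute and user description attribute against constructed sample entries of the kind Oracle Virtual Directory might front (one Oracle Internet Directory style, one Active Directory style), which is the consistency check the Oracle Virtual Directory section calls for. The UserDataStore class, the check functions, the sample entries, the host names and the assumption that the user lookup takes the form of an (&(objectClass=...)(attr=value)) filter are all this example's own, not OIF's internal behaviour; the filter escaping follows RFC 4515.

```python
"""Offline sanity checks for an Oracle Identity Federation LDAP user data store
configuration. Example code: the data model and checks are assumptions made
for illustration, not OIF internals."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class UserDataStore:
    """The fields from the user data store page that matter for user lookup."""
    server_url: str                  # space-separated LDAP URLs (redundancy)
    base_dn: str
    person_object_class: str
    user_id_attribute: str           # unique user ID attribute
    user_description_attribute: str
    max_connections: int = 10
    connection_wait_timeout_min: int = 5


def parse_server_urls(server_url):
    """Split the Server URL field and classify each entry.

    Returns (urls, errors, warnings). A plain ldap:// URL is only a warning,
    but the bind DN password and every search then travel in the clear unless
    the connection is protected some other way.
    """
    urls = server_url.split()
    errors, warnings = [], []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            errors.append(f"{url}: expected ldap://host[:port] or ldaps://host[:port]")
        elif parts.scheme == "ldap":
            warnings.append(f"{url}: unencrypted ldap://, bind credentials exposed on the wire")
    if not urls:
        errors.append("Server URL is empty")
    return urls, errors, warnings


def escape_filter_value(value):
    """Escape an attribute value for an LDAP search filter (RFC 4515).

    The user identifier comes from an authentication or from an assertion;
    without escaping, a value such as *)(uid=* rewrites the filter.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_lookup_filter(store, user_id):
    """Filter shape assumed for finding the user entry (example, not OIF's own)."""
    return (f"(&(objectClass={store.person_object_class})"
            f"({store.user_id_attribute}={escape_filter_value(user_id)}))")


def check_entry(store, entry):
    """Explain why an entry would not be found with the store's settings.

    Runs against an in-memory entry so it can be applied to every directory
    structure behind Oracle Virtual Directory before going live.
    """
    problems = []
    dn, attrs = entry["dn"], entry["attrs"]
    if not dn.lower().replace(" ", "").endswith(store.base_dn.lower().replace(" ", "")):
        problems.append(f"{dn}: outside base DN {store.base_dn}")
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    if store.person_object_class.lower() not in classes:
        problems.append(f"{dn}: lacks object class {store.person_object_class}")
    present = {a.lower() for a in attrs}
    for attr in dict.fromkeys([store.user_id_attribute, store.user_description_attribute]):
        if attr.lower() not in present:
            problems.append(f"{dn}: missing attribute {attr}")
    return problems


def check_store(store, entries):
    """Run check_entry over every sample entry; an empty list means all pass."""
    return [p for entry in entries for p in check_entry(store, entry)]


# Constructed sample entries, as if two directories were joined under one
# Oracle Virtual Directory namespace: an OID-style entry and an AD-style entry.
SAMPLE_ENTRIES = [
    {"dn": "uid=jdoe,ou=people,ou=oid,dc=mycorp,dc=com",
     "attrs": {"objectClass": ["top", "person", "inetOrgPerson"],
               "uid": ["jdoe"], "cn": ["John Doe"], "mail": ["jdoe@mycorp.com"]}},
    {"dn": "CN=John Doe,OU=Users,OU=ad,DC=mycorp,DC=com",
     "attrs": {"objectClass": ["top", "person", "organizationalPerson", "user"],
               "sAMAccountName": ["jdoe"], "cn": ["John Doe"]}},
]

# Settings that suit Oracle Internet Directory (page defaults: uid / inetOrgPerson).
OID_STORE = UserDataStore(
    server_url="ldap://ldap1.oif.mycorp.com ldaps://ldap2.oif.mycorp.com",
    base_dn="dc=mycorp,dc=com",
    person_object_class="inetOrgPerson",
    user_id_attribute="uid",
    user_description_attribute="uid",
)


if __name__ == "__main__":
    urls, errors, warnings = parse_server_urls(OID_STORE.server_url)
    print("servers:", urls, "errors:", errors, "warnings:", warnings)
    print("lookup filter:", user_lookup_filter(OID_STORE, "jdoe"))
    for problem in check_store(OID_STORE, SAMPLE_ENTRIES):
        print("PROBLEM:", problem)
```

Run against OID_STORE, the AD-style entry is reported twice (wrong object class, no uid attribute), which is exactly the situation the Oracle Virtual Directory section warns about: one set of settings must hold for every backend, or the users of the other directory are invisible to Oracle Identity Federation.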

5.13.1.5 Configuring No User Data Store

You can configure Oracle Identity Federation not to use a user data store at runtime. In this configuration, the only user information available to the server is the user identifier:

■ after local authentication, or
■ after the incoming assertion is mapped with the use of a federated identity record, when the server acts as a Service Provider

To configure Oracle Identity Federation not to use a user data store:

1. Modify the Oracle Identity Federation data store configuration.
2. Modify the Oracle Identity Federation configuration to use the user identifier.

Modify Oracle Identity Federation Data Store Configuration

Follow these steps to configure no user data store:

1. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

2. Navigate to Administration, then Data Stores.

3. In the User Data Store section, click Edit.

4. Select None from the Repository Type dropdown list.

5. Click OK.

Modify Oracle Identity Federation Configuration to use the User Identifier

When None is selected as the user data store, you can configure Oracle Identity Federation so that the user identifier is used to populate assertion data, or to configure the federation data store. If Oracle Identity Federation acts as an Identity Provider, you can configure the server to:

■ set the user identifier as the Assertion Name ID. To achieve this, navigate to the NameID format table, and set the user attribute for the NameID format to orafed-userid.
■ add the user identifier as an assertion attribute. To achieve this, navigate to the configuration screen for the remote Service Provider to which the assertion will be sent, define an attribute to be sent, and set the user attribute to orafed-userid.

If a federation data store is in use, be sure to configure Oracle Identity Federation to use orafed-userid as the user ID attribute and user description attribute in the section that configures the federation data store.

5.13.2 Manage the Federation Data Store

Oracle Identity Federation provides the option of configuring a back-end data store to store records containing federated identity information. If configured to use a federation data store of type XML, LDAP, or RDBMS, Oracle Identity Federation will create a federation record for each user, store this record in the selected data store, and use it in Single Sign-On to create an assertion if acting as the Identity Provider, or to map the assertion received from the IdP to a user if acting as the Service Provider. Using persistent Name IDs with the SAML 2.0 protocol requires a federation data store, because an opaque identifier must be created for each user; that is, the Name ID used to identify the user cannot be an attribute from the user data store and must therefore be created and stored separately.
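As an added example (not Oracle Identity Federation's implementation, and not code from the Oracle documentation), the following Python walk-through shows why a persistent Name ID needs a federation record on both sides of the exchange. The IdP store creates a random value per (user, Service Provider) pair and keeps it so the same value is issued on every later login; the SP store maps the value received from an IdP back to a local user, and returns nothing until a record has been linked, which is the case in which the SP falls back to local authentication. The store classes, the single_sign_on helper, the entity IDs and the use of secrets.token_urlsafe for the opaque value are this example's own choices; the NameID format URN and the NameQualifier and SPNameQualifier attributes are standard SAML 2.0.

```python
"""Illustration of the federation record behind a SAML 2.0 persistent Name ID.
Example code, not Oracle Identity Federation's implementation."""
import secrets
from dataclasses import dataclass
from xml.sax.saxutils import escape, quoteattr

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass(frozen=True)
class FederationRecord:
    local_user: str      # user identifier on this side (IdP user or SP user)
    peer_entity_id: str  # the remote provider the record belongs to
    name_id: str         # opaque value carried in <saml:NameID>


class IdPFederationStore:
    """Identity Provider side: creates and keeps the opaque Name ID per (user, SP)."""

    def __init__(self):
        self._records = {}

    def get_or_create(self, user_id, sp_entity_id):
        key = (user_id, sp_entity_id)
        if key not in self._records:
            # Random, not derived from uid, mail or any other user attribute,
            # and different for every SP so two SPs cannot correlate the user.
            self._records[key] = FederationRecord(user_id, sp_entity_id, secrets.token_urlsafe(32))
        return self._records[key]


class SPFederationStore:
    """Service Provider side: maps the Name ID received from an IdP to a local user."""

    def __init__(self):
        self._records = {}

    def resolve(self, name_id, idp_entity_id):
        rec = self._records.get((name_id, idp_entity_id))
        return rec.local_user if rec else None

    def link(self, name_id, idp_entity_id, local_user):
        # Called once, after the SP has established who the user is locally
        # (for example by a local login); later assertions resolve directly.
        rec = FederationRecord(local_user, idp_entity_id, name_id)
        self._records[(name_id, idp_entity_id)] = rec
        return rec


def name_id_element(record, idp_entity_id):
    """Render the NameID as it would appear in the assertion's Subject."""
    return (f"<saml:NameID Format={quoteattr(PERSISTENT)} "
            f"NameQualifier={quoteattr(idp_entity_id)} "
            f"SPNameQualifier={quoteattr(record.peer_entity_id)}>"
            f"{escape(record.name_id)}</saml:NameID>")


def single_sign_on(idp_store, sp_store, idp_entity_id, sp_entity_id, idp_user, link_as=None):
    """One SSO exchange: the IdP issues the persistent Name ID, the SP maps it.

    Returns the local SP user, or None when no federation record exists yet
    (the SP must then authenticate the user locally and link the record).
    """
    record = idp_store.get_or_create(idp_user, sp_entity_id)
    local_user = sp_store.resolve(record.name_id, idp_entity_id)
    if local_user is None and link_as is not None:
        sp_store.link(record.name_id, idp_entity_id, link_as)
        local_user = link_as
    return local_user


# Constructed entity IDs for the walk-through.
IDP = "https://idp.mycorp.example/fed/idp"
SP1 = "https://sp1.partner.example/fed/sp"
SP2 = "https://sp2.partner.example/fed/sp"

if __name__ == "__main__":
    idp_store, sp1_store = IdPFederationStore(), SPFederationStore()
    print(single_sign_on(idp_store, sp1_store, IDP, SP1, "jdoe"))              # None: no record yet
    print(single_sign_on(idp_store, sp1_store, IDP, SP1, "jdoe", "john.doe"))  # john.doe: linked now
    print(single_sign_on(idp_store, sp1_store, IDP, SP1, "jdoe"))              # john.doe: record reused
    rec1 = idp_store.get_or_create("jdoe", SP1)
    rec2 = idp_store.get_or_create("jdoe", SP2)
    print(rec1.name_id != rec2.name_id)  # True: a different Name ID for each SP
    print(name_id_element(rec1, IDP))
```

The point the walk-through makes is that nothing in the Name ID can be recomputed from the user entry: lose the federation record and the IdP will mint a new value on the next login, while the SP can no longer map the old one, so the federation data store must be backed up and kept consistent like any other identity data.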