Outbound Connection Properties Configuring Server Properties

5-10 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

This is the URI for the Oracle Identity Federation instance. If it is a URL, it need not point to an actual resource.

Assertion Settings

Specify assertion parameters as follows:

■ Send Signed Assertion
  This determines whether the assertions issued by the identity provider will be signed.

■ Assertion Validity
  This is the time, in seconds, during which an assertion issued by the identity provider is valid. An assertion is considered invalid if processed outside the validity period. The default is 300 seconds.

■ Reauthenticate After
  This is the time, in seconds, after which the service provider must re-authenticate the user. Assertions containing an authentication statement by the identity provider are only valid for this period, after which the user is to be considered non-authenticated. The default is 3600 seconds.

Protocol Settings

Specify protocol settings as follows:

■ Artifact Timeout
  This is the validity time, in seconds, of an artifact object created by Oracle Identity Federation. The default is 300 seconds.

■ Include Signing Certificate in XML Signatures
  If checked, Oracle Identity Federation will add its signing certificate to the XML Digital Signature element of outgoing messages. This is useful when the remote provider needs the signing certificate included in the message to be able to verify the signature created by Oracle Identity Federation.

■ Common Domain
  When an identity federation network contains multiple identity providers, a service provider needs a way to determine which identity providers a principal uses. This is achieved by using a domain that is common to the IdPs and SPs in the federation network, and sending to the user's browser a cookie, written in this domain, that lists all the IdPs where the user is logged in. Such a domain is known as a common domain, and the cookie identifying the IdPs is called a common domain cookie or introduction cookie.

  Check Enable Common Domain to specify that this IdP should set the introduction cookie. After every local authentication, Oracle Identity Federation redirects the user to the common domain, where the server can add its identifier to the introduction cookie in the user's browser.

  Note: This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.

  See Also: Section 6.10, "Configuring the SAML 2.0 IdP Discovery Common Domain Cookie Profile"

  Setting the common domain requires these parameters:

  – Common Domain URL
    When an identity federation network contains multiple identity providers, a domain common to all providers is a way for a service provider to determine the identity providers in use by a principal. After every authentication, a cookie on the user's browser written in this domain is updated with the IdP's identifier; the cookie lists all the user's IdPs and can be read by the service provider. Enter the URL where Oracle Identity Federation will read and set the IdP introduction cookie. The server listens on this URL, accepts requests, and updates the introduction cookie in the user's browser. Set this value only if you enabled the common domain.

  – Name
    This is the common domain used for the IdP introduction cookie. It will be set as a cookie parameter on the introduction cookie. The value must begin with a dot (.) and must be of the form .domain.suffix. The default value is .DOMAIN_TO_BE_SET.

  – Cookie Lifetime
    This is the lifetime, in days, of a common domain cookie issued by the IdP. If this field is set to 0 (the default), the common domain cookie will be a session cookie.

■ SSO User Opt-In/Opt-Out
  Determines whether a user has given or denied permission to perform federated single sign-on for that user, based on the value of an attribute in the user's directory record.

■ Reauthenticate when Missing User Session Attributes
  When Oracle Identity Federation acts as an IdP, it can use attributes stored in the session to populate the assertion. The session attributes are set:

  – during authentication, where a custom authentication engine provides attributes to be stored in the Oracle Identity Federation user session

  – when Oracle Identity Federation acts as a service provider. The content of the assertion (NameID, attributes, ...) can be saved in the user session; by default that data is not saved.

  When the assertion is created, Oracle Identity Federation (as IdP) will list the attributes it needs to retrieve from the user session and include in the assertion. If some attributes required in the assertion are missing from the user session, Oracle Identity Federation can be configured either to dismiss those attributes, or to invoke the authentication framework so that the custom authentication engine can provide those attributes to Oracle Identity Federation.
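The three timers above (Assertion Validity, Reauthenticate After and Artifact Timeout) decide, on the consuming side, whether an assertion or an artifact is still acceptable. The following Python is an added example, not Oracle Identity Federation code: it applies the page's default values to SAML-style UTC timestamps. The settings class, the function names and the constructed timestamps are this example's own.

```python
"""Timing checks a service provider applies to an IdP's assertion and artifact.
Added example, not Oracle Identity Federation code; names are this example's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IdpTimingSettings:
    assertion_validity_s: int = 300      # "Assertion Validity", page default
    reauthenticate_after_s: int = 3600   # "Reauthenticate After", page default
    artifact_timeout_s: int = 300        # "Artifact Timeout", page default


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xsd:dateTime values in UTC, e.g. 2024-05-01T12:00:00Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"    # fromisoformat() on older Pythons rejects 'Z'
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return dt.astimezone(timezone.utc)


def check_assertion(issue_instant: str, authn_instant: str, now: str,
                    settings: IdpTimingSettings = IdpTimingSettings()) -> list:
    """Return the reasons an assertion must be rejected; an empty list means accept.

    issue_instant: the assertion's IssueInstant; the IdP's Assertion Validity runs from here.
    authn_instant: the AuthnInstant of the authentication statement; the IdP's
                   Reauthenticate After runs from here.
    """
    issued, authn, at = (parse_saml_time(v) for v in (issue_instant, authn_instant, now))
    problems = []
    if at < issued:
        problems.append("assertion IssueInstant is in the future")
    elif at >= issued + timedelta(seconds=settings.assertion_validity_s):
        problems.append("assertion processed outside its validity period")
    if authn > at:
        problems.append("AuthnInstant is in the future")
    elif at >= authn + timedelta(seconds=settings.reauthenticate_after_s):
        problems.append("authentication statement too old: user must re-authenticate")
    return problems


def artifact_is_fresh(created: str, now: str,
                      settings: IdpTimingSettings = IdpTimingSettings()) -> bool:
    """An artifact may be resolved only within Artifact Timeout seconds of its creation."""
    c, at = parse_saml_time(created), parse_saml_time(now)
    return c <= at < c + timedelta(seconds=settings.artifact_timeout_s)


if __name__ == "__main__":
    # Constructed sample: assertion issued at 12:00:00Z, user authenticated 30 minutes earlier.
    print(check_assertion("2024-05-01T12:00:00Z", "2024-05-01T11:30:00Z", "2024-05-01T12:04:59Z"))
    print(check_assertion("2024-05-01T12:00:00Z", "2024-05-01T11:30:00Z", "2024-05-01T12:05:00Z"))
    print(artifact_is_fresh("2024-05-01T12:00:00Z", "2024-05-01T12:05:00Z"))
```

The checks use the exact defaults from the page; a real deployment normally also tolerates a few seconds of clock skew between the IdP and the SP, which this example deliberately leaves out so the boundaries are easy to see.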
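The common domain cookie parameters (Name must be of the form .domain.suffix, Cookie Lifetime is in days with 0 meaning a session cookie) and the introduction flow itself are easy to misconfigure, so here is an added Python example, not Oracle Identity Federation code, that validates the Name value and builds the Set-Cookie header the common-domain endpoint would return after a local login. The cookie name `_saml_idp` and the space-separated, base64-encoded list of IdP entity IDs follow the SAML 2.0 IdP Discovery profile referenced in Section 6.10; the page does not describe how Oracle Identity Federation encodes the cookie, so treat that format, the `Secure` attribute and the sample entity IDs as this example's own assumptions.

```python
"""Introduction (common domain) cookie helpers.  Added example, not Oracle Identity
Federation code.  Cookie name and encoding follow the SAML 2.0 IdP Discovery profile
(assumed here; the page does not state OIF's wire format)."""
import base64
import re
from typing import List, Optional

COOKIE_NAME = "_saml_idp"            # name fixed by the SAML 2.0 IdP Discovery profile
PLACEHOLDER = ".DOMAIN_TO_BE_SET"    # the shipped default on the page, which must be replaced
# ".domain.suffix": a leading dot followed by at least two DNS labels
_DOMAIN_RE = re.compile(r"^\.[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_common_domain(name: str) -> str:
    """Return the common domain if it is usable as the introduction cookie's Domain value."""
    if name == PLACEHOLDER:
        raise ValueError("common domain is still the placeholder default; set a real domain")
    if not _DOMAIN_RE.match(name):
        raise ValueError(f"common domain must be of the form .domain.suffix, got {name!r}")
    return name


def decode_idp_list(cookie_value: str) -> List[str]:
    """Cookie value (space-separated base64 entity IDs) -> entity IDs, oldest first."""
    return [base64.b64decode(tok).decode("utf-8") for tok in cookie_value.split()]


def encode_idp_list(entity_ids: List[str]) -> str:
    """Entity IDs -> cookie value; the most recently used IdP is the last element."""
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)


def update_idp_list(entity_ids: List[str], idp_entity_id: str) -> List[str]:
    """Record a login at idp_entity_id: move it to the end, never list it twice."""
    return [e for e in entity_ids if e != idp_entity_id] + [idp_entity_id]


def set_cookie_header(cookie_value: str, common_domain: str, lifetime_days: int) -> str:
    """Build the Set-Cookie header the common-domain endpoint returns.

    lifetime_days == 0 gives a session cookie (no Max-Age), as the page states.
    """
    if lifetime_days < 0:
        raise ValueError("cookie lifetime cannot be negative")
    attrs = [
        f"{COOKIE_NAME}={cookie_value}",
        f"Domain={validate_common_domain(common_domain)}",
        "Path=/",
        "Secure",   # hardening choice assumed in this example; not stated on the page
    ]
    if lifetime_days > 0:
        attrs.append(f"Max-Age={lifetime_days * 86400}")
    return "; ".join(attrs)


def record_login(current_cookie: Optional[str], idp_entity_id: str,
                 common_domain: str, lifetime_days: int) -> str:
    """One introduction round: read the browser's cookie, add this IdP, write it back."""
    ids = decode_idp_list(current_cookie) if current_cookie else []
    new_value = encode_idp_list(update_idp_list(ids, idp_entity_id))
    return set_cookie_header(new_value, common_domain, lifetime_days)


if __name__ == "__main__":
    # Constructed sample: two IdPs already introduced, then idp1 authenticates the user again.
    existing = encode_idp_list(["https://idp1.example.com/fed/idp",
                                "https://idp2.example.com/fed/idp"])
    print(record_login(existing, "https://idp1.example.com/fed/idp", ".example.com", 0))
```

A service provider uses `decode_idp_list` on the cookie it reads from the common domain and takes the last entry as the user's most recent IdP; the IdP side uses `record_login` at its Common Domain URL after each local authentication.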

5.4 Configuring Identity Providers - Protocol-Specific Properties

This section describes how to configure IdP protocol-specific properties.

See Also: Section 6.18, "User Opt-In and Opt-Out for Single Sign-On" for details