Prerequisites Oracle Fusion Middleware Online Documentation Library

15 Extending the Domain with Oracle Identity Federation

Oracle Identity Federation is a self-contained, standalone federation server that enables single sign-on and authentication in a multiple-domain identity network and supports the broadest set of federation standards. This enables users to federate in heterogeneous environments and business associations, whether or not they have implemented other Oracle Identity Management products in their solution set. It can be deployed as a multi-protocol hub acting as both an Identity Provider (IdP) and a Service Provider (SP). Acting as an SP, Oracle Identity Federation enables you to manage your resources while offloading the actual authentication of users to an IdP, without having to synchronize users across security domains out of band. Once a user has been authenticated at the IdP, the SP can allow or deny that user access to the SP's applications according to its local access policies.

This chapter contains the following topics:

■ Section 15.1, Prerequisites
■ Section 15.2, Configuring Oracle Identity Federation on OIFHOST1
■ Section 15.3, Configuring Oracle Identity Federation on OIFHOST2
■ Section 15.4, Provisioning the Managed Servers on the Local Disk
■ Section 15.5, Validating Oracle Identity Federation
■ Section 15.6, Configure the Enterprise Manager Agents
■ Section 15.7, Enabling Oracle Identity Federation Integration with LDAP Servers
■ Section 15.8, Configuring Oracle Identity Federation to work with the Oracle Web Tier
■ Section 15.9, Validating Oracle Identity Federation
■ Section 15.10, Backing Up the Application Tier Configuration

15.1 Prerequisites

Before proceeding with Oracle Identity Federation configuration, ensure that you have done the following.

1. Create a domain directory on OIFHOST1 and OIFHOST2, for example: /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain. This directory must exist before you extend the domain with Oracle Identity Federation. This is especially important in Windows environments, where the path, including the drive letter, must be the same as that on IDMHOST1.

2. Install and upgrade the software on OIFHOST1 and OIFHOST2 as described in Section 4.5.4, Installing Oracle WebLogic Server, and Section 4.5.5, Installing Oracle Identity Management.

3. Run the Repository Creation Utility (RCU) to create and configure the collection of schemas used by Oracle Identity Federation, as described in Chapter 3, Configuring the Database Repositories.

4. Create the Identity Management domain as described in Chapter 6, Creating the WebLogic Server Domain for Identity Management.

5. Install and configure Oracle Internet Directory as described in Chapter 7, Extending the Domain with Oracle Internet Directory. Oracle Internet Directory is used as the User Store and the Federation Store. See also: Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

6. Install and configure Oracle HTTP Server on WEBHOST1 and WEBHOST2 as described in Chapter 5, Configuring the Web Tier.

7. Associate the Identity Management domain you created with an External LDAP Store as described in Section 10.3.2, Reassociating the Policy and Credential Store. This is required because Oracle Identity Federation is being extended on a node where the Administration Server is not running.

Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
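The first prerequisite insists that the domain directory already exists, at the identical path, on every host before the domain is extended. The preflight check below is an added example and is not part of the Oracle guide: it walks a list of hosts, tests the directory on each (locally for "localhost", otherwise over ssh, which is an assumption about how the hosts are reached), reports per host and returns the number of hosts where the directory is missing. The hostnames and path in the usage line are the guide's own examples.

```shell
#!/bin/sh
# Preflight check (added example, not from the Oracle guide): confirm that the
# domain directory exists at the same path on every host before running the
# extend-domain step for Oracle Identity Federation.

# run_on_host HOST CMD...: run CMD locally when HOST is "localhost", otherwise
# over ssh (assumed transport; BatchMode avoids interactive prompts).
run_on_host() {
  host="$1"; shift
  if [ "$host" = "localhost" ]; then
    "$@"
  else
    ssh -o BatchMode=yes "$host" "$@"
  fi
}

# dir_exists_on HOST PATH: exit 0 if PATH is a directory on HOST, else non-zero.
dir_exists_on() {
  run_on_host "$1" test -d "$2"
}

# check_domain_dir PATH HOST...: check PATH on each HOST, print one status line
# per host and return the number of hosts on which the directory is missing
# (0 means every host is ready).
check_domain_dir() {
  path="$1"; shift
  missing=0
  for h in "$@"; do
    if dir_exists_on "$h" "$path"; then
      echo "OK      $h:$path"
    else
      echo "MISSING $h:$path"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Usage with the guide's example hosts and path:
# check_domain_dir /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain OIFHOST1 OIFHOST2
```

Because the same `$path` string is sent to every host, the check also enforces the "identical path" requirement: a host that has the directory under a different path is reported as MISSING rather than silently accepted.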

15.2 Configuring Oracle Identity Federation on OIFHOST1