Post-deployment Security Configuration Tasks

27-12 Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter

Solution

Chances are that something went wrong with your certificate setup, due to which SAML assertions are not getting validated. This is likely because the certificate registered in the SAML Identity Asserter is incorrect. Export the certificate used for the SAML SSO setup in the WebCenter Spaces domain (specified by certAlias and certPassword) and copy it to an accessible location in the destination domain.

1. Update the relevant config section in the wcsamlsso.properties file in the WebCenter Spaces domain. For example, if the certificate was invalid for the SOA configuration, update the certPath in the soa_config section.

2. Open the WebLogic Server Administration Console and, from the WC_Spaces domain, go to Security Realm > Providers > Credential Mapping > wcsamlcm > Management > Relying Parties, and delete the relying parties relevant to the domain. For SOA, for example, they would be Worklist Integration, Worklist Detail, and Worklist SDP.

3. Go to Destination Domain > Security Realm > Providers > Authentication > wcsamlia > Management > Asserting Parties and delete the corresponding asserting parties.

4. Open the Certificates tab and delete the certificate as well.

5. Go back to the WebCenter Spaces domain and re-run the scripts for creating asserting-relying party pairs. For SOA, for example, you would need to re-run:

WC_ORACLE_HOME/webcenter/scripts/samlsso/configureWorklistIntegration.py
WC_ORACLE_HOME/webcenter/scripts/samlsso/configureWorklistDetail.py
WC_ORACLE_HOME/webcenter/scripts/samlsso/configureWorklistSDP.py

6. Test your configuration again. If all works well, you can disable SAML logging.

28 Configuring the Identity Store

This chapter describes how to reassociate the identity store with an external LDAP rather than the default embedded LDAP identity store. It also describes how to configure an LDAP server for Oracle Content Server and contains the following subsections:

■ Section 28.1, Reassociating the Identity Store with an External LDAP Server
■ Section 28.2, Tuning the Identity Store for Performance
■ Section 28.3, Adding Users to the Embedded LDAP Identity Store
■ Section 28.4, Managing Users and Application Roles
■ Section 28.5, Moving the Administrator Account to an External LDAP Server
■ Section 28.6, Configuring the Oracle Content Server to Share the WebCenter Spaces Identity Store LDAP Server
■ Section 28.7, Aggregating Multiple Identity Store LDAP Servers Using libOVD
■ Section 28.8, Configuring the REST Service Identity Asserter

Note that for WebCenter Portal applications, the steps for Granting the WebCenter Spaces Administrator Role and Migrating the WebCenter Discussions Server to Use an External LDAP are not required. For more information about the identity store, see the Oracle Fusion Middleware Security Guide.

Audience

The content of this chapter is intended for Fusion Middleware administrators (users granted the Admin role through the Oracle WebLogic Server Administration Console).
Users with the Monitor or Operator roles can view security information but cannot make changes. See also Section 1.8, Understanding Administrative Operations, Roles, and Tools.

Caution: Before reassociating the identity store, be sure to back up the relevant configuration files:

■ config.xml
■ jps-config.xml

As a precaution, you should also back up the boot.properties file for the Administration Server for the domain.
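The following is an added example, not Oracle's or this guide's own code, illustrating the check behind step 1 of the SAML certificate troubleshooting procedure at the start of this page: it fingerprints every certificate referenced by a certPath in wcsamlsso.properties and compares it with the certificate exported from the WebCenter Spaces keystore, so a stale or wrong file is caught before the asserting and relying parties are recreated. It assumes the properties file uses bracketed [section] headers such as [soa_config] with key = value lines and PEM-encoded certificate files; the section names discussions_config and missing_config, the alias value, and the PEM files the demo writes are constructed placeholders.

```python
# Added example, not Oracle's code: cross-check the certPath entries in wcsamlsso.properties
# against the certificate exported from the WebCenter Spaces SSO keystore (PEM files assumed).
import base64, configparser, hashlib, os, re, tempfile

def pem_fingerprint(pem_text):
    """SHA-256 hex digest of the DER bytes of the first CERTIFICATE block in pem_text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()

def check_cert_paths(properties_text, exported_cert_path):
    """Return {section: (certPath, matches)} for every section that has a certPath.
    Assumes INI-style [section] headers, as the 'soa_config section' wording suggests;
    a missing or unparsable file is reported as a mismatch instead of aborting the check."""
    with open(exported_cert_path) as f:
        expected = pem_fingerprint(f.read())
    cfg = configparser.ConfigParser()
    cfg.read_string(properties_text)
    results = {}
    for section in cfg.sections():
        path = cfg[section].get("certPath")
        if path is None:
            continue  # e.g. spaces_config, which holds certAlias/certPassword instead
        try:
            with open(path) as f:
                results[section] = (path, pem_fingerprint(f.read()) == expected)
        except (OSError, ValueError):
            results[section] = (path, False)
    return results

def fake_pem(tag):  # constructed placeholder, NOT a real X.509 certificate
    body = base64.b64encode(b"constructed placeholder, not a certificate: " + tag).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def demo():  # constructed scenario: soa_config still points at an old certificate file
    tmp = tempfile.mkdtemp()
    paths = {n: os.path.join(tmp, n + ".pem") for n in ("exported", "good", "stale")}
    for name, tag in (("exported", b"current"), ("good", b"current"), ("stale", b"old")):
        with open(paths[name], "w") as f:
            f.write(fake_pem(tag))
    properties = ("[spaces_config]\ncertAlias = example_alias\n[discussions_config]\n"
                  "certPath = %s\n[soa_config]\ncertPath = %s\n[missing_config]\ncertPath = %s\n"
                  % (paths["good"], paths["stale"], os.path.join(tmp, "absent.pem")))
    return check_cert_paths(properties, paths["exported"])
```

Any section reported as False is the one whose certPath needs updating in step 1; sections without a certPath are skipped rather than flagged.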