Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation
Configuring Oracle Identity Federation

Configuring Server Properties

Host Connection Properties

This is the port where Oracle Identity Federation listens for SOAP messages.

Note:
■ This setting only dictates which SOAP port is written into the IdP and SP metadata when the metadata is generated. If several HTTP or HTTPS ports are enabled for the container instance in which Oracle Identity Federation is running, a user or peer provider can reach Oracle Identity Federation through any of those ports, not just the port you specify here.
■ This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.

Checking the SSL Enabled box enables Secure Sockets Layer (SSL) encryption, allowing the server to listen in HTTPS mode.

Note:
■ This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.
■ Setting this property does not configure SSL. For details of how to enable SSL, see:
  ■ Section 8.1, Configuring SSL for Oracle Identity Federation
  ■ Oracle Fusion Middleware Administrator's Guide

Checking the Force SSL box forces communications with the server to be conducted in HTTPS mode. If true, Oracle Identity Federation checks each incoming connection to ensure that it was made over SSL. If it was not, the server redirects the user to a URL supporting SSL; the URL is built from the host name and port properties and the requested URL.

Checking Require Client Certificate forces SSL client authentication on all incoming SOAP connections.

■ Server Clock Drift
This is the allowable time difference, in seconds, between Oracle Identity Federation and its peer servers. The default is 600 seconds.

■ Session Timeout
This parameter determines the period, in seconds, for which an authenticated session is active. If the session remains inactive beyond that period, the user must re-authenticate. The default value is 7200 seconds.

How this parameter is used depends on the server's role and the nature of the session in question.

Scenario 1: User Authenticated Locally
The user can be authenticated locally when:
■ Oracle Identity Federation acts as an IdP
■ Oracle Identity Federation is an SP, and the user must be prompted for credentials because a new federation is being created
In this case, the expiration time of the authenticated session is set to the value of the Session Timeout parameter.

Scenario 2: Existing Federation
When Oracle Identity Federation is acting as an SP with an existing federation, the server receives a SAML assertion from the IdP containing user and authentication information. The assertion may include a ReauthenticateOnOrAfter attribute, indicating to Oracle Identity Federation that the user should be re-authenticated after the period specified by the attribute. In this case, the Oracle Identity Federation server acting as SP sets the expiration time of the authenticated session to the Session Timeout parameter or the ReauthenticateOnOrAfter assertion attribute, whichever is less.

Note: When Oracle Identity Federation uses Oracle Access Manager or Oracle Single Sign-On as its user data store, the Session Timeout has no effect on the user session. With Oracle Access Manager, the session timeout is determined by the configuration of the AccessGates protecting the accessed resources.

■ Request Timeout
This is the validity time, in seconds, of an outgoing request from Oracle Identity Federation. The default is 120 seconds.

Encryption Settings

For Default XML Data Encryption Algorithm, select one of the available encryption algorithms:
■ AES-128 CBC
■ Triple DES CBC
■ AES-192 CBC
■ AES-256 CBC

Note: Encryption methods other than AES-128 CBC require installation of the JCE encryption package. See Section 8.3, Setting up JCE Policy Files for Oracle WebLogic Server.

Logout Options

You can configure these logout options:

■ Failure on Error
This determines what Oracle Identity Federation does if an error is encountered during the Global Logout flow: either abort the operation and throw an error, or continue and finish the logout operation.

■ Status Return
If enabled, and if the logout operation is started at Oracle Identity Federation by accessing the feduserlogout URL, the server redirects the user to the returnURL once the logout operation is done, and appends to that URL a query parameter indicating the result of the logout operation. The query parameter name is orafed_slostatus, and the possible values are:
– 0 for success
– 1 for failure

■ Local Only Logout
If enabled, when Oracle Identity Federation performs a logout operation for a user, it does not invoke the WS-Fed/SAML Logout protocol. Instead it only logs the user out of the Authentication Engines and the Identity and Access Management framework, and destroys the Oracle Identity Federation session.

■ Parallel Logout
By default, when performing a SAML/WS-Fed Global Logout operation, Oracle Identity Federation sequentially redirects the user to all the providers from which the user needs to be logged out. This can become a time-consuming operation, and if the logout flow is broken at one point because a provider is unresponsive, the logout flow will not finish. With Parallel Logout enabled, Oracle Identity Federation displays to the user a page with frames, each one performing a SAML/WS-Fed Logout operation with one specific provider. This can improve the overall performance of the logout flow and minimize disruptions.
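The following Python example, added here and not taken from the Oracle Identity Federation product or its documentation, shows how the Server Clock Drift and Session Timeout settings above combine on the SP side: the drift widens the assertion's validity window on both ends, and the session expiry is either Session Timeout (Scenario 1) or the earlier of Session Timeout and the assertion's ReauthenticateOnOrAfter deadline (Scenario 2). The reference instant T0 and the treatment of Session Timeout as an inactivity window refreshed by each request are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Defaults named on the page, in seconds
SESSION_TIMEOUT = 7200
SERVER_CLOCK_DRIFT = 600

# Constructed reference instant used by the demo below (assumption, not from the page)
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def plus(t: datetime, seconds: int) -> datetime:
    return t + timedelta(seconds=seconds)


def assertion_in_window(now: datetime, not_before: Optional[datetime],
                        not_on_or_after: Optional[datetime],
                        clock_drift: int = SERVER_CLOCK_DRIFT) -> bool:
    """Check an assertion's validity window with the Server Clock Drift tolerance.

    The window is widened by the drift on both ends, so a peer whose clock is
    off by up to `clock_drift` seconds still produces acceptable assertions.
    The same slack also lengthens the replay window of an intercepted
    assertion, so the drift should stay as small as the peers' clocks allow.
    """
    drift = timedelta(seconds=clock_drift)
    if not_before is not None and now < not_before - drift:
        return False
    if not_on_or_after is not None and now >= not_on_or_after + drift:
        return False
    return True


@dataclass
class FederatedSession:
    """Session expiry rules from the page, as this example reads them.

    Scenario 1 (local authentication): `reauthenticate_on_or_after` is None and
    the session ends after Session Timeout seconds of inactivity.
    Scenario 2 (existing federation): the assertion's ReauthenticateOnOrAfter is
    an absolute deadline, so the effective expiry is the earlier of the two.
    Refreshing the inactivity window on each request is this example's
    assumption; the page only states the two expiry rules.
    """
    authenticated_at: datetime
    session_timeout: int = SESSION_TIMEOUT
    reauthenticate_on_or_after: Optional[datetime] = None
    last_activity: datetime = field(init=False)

    def __post_init__(self) -> None:
        self.last_activity = self.authenticated_at

    def expires_at(self) -> datetime:
        inactivity_limit = plus(self.last_activity, self.session_timeout)
        if self.reauthenticate_on_or_after is None:
            return inactivity_limit
        return min(inactivity_limit, self.reauthenticate_on_or_after)

    def touch(self, now: datetime) -> bool:
        """Record a request at `now`; False means the user must re-authenticate."""
        if now >= self.expires_at():
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    local = FederatedSession(T0)
    print("scenario 1 expiry:", local.expires_at())
    federated = FederatedSession(T0, reauthenticate_on_or_after=plus(T0, 3600))
    print("scenario 2 expiry (capped by ReauthenticateOnOrAfter):", federated.expires_at())
    print("assertion 500 s before NotBefore accepted under 600 s drift:",
          assertion_in_window(plus(T0, -500), T0, plus(T0, 300)))
```

Note that in Scenario 2 activity never pushes the expiry past the IdP's deadline: the SP must send the user back to the IdP when ReauthenticateOnOrAfter is reached, whatever Session Timeout says.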

5.2.2 Outbound Connection Properties

Outbound SOAP Connections

You can configure the following parameters:
■ Maximum SOAP Connection
■ Maximum SOAP Connection Per Server

Oracle Identity Federation can communicate with remote SAML servers using different bindings, among them the SOAP binding. When Oracle Identity Federation needs to send a message to a remote server using the SOAP protocol, it directly opens a connection and sends a SOAP message. You can configure the maximum number of concurrent connections that Oracle Identity Federation can open when sending SOAP messages, and the maximum number of concurrent connections it can open when sending SOAP messages to a specific provider.

HTTP Proxy Settings

Use this section to configure Oracle Identity Federation to use a proxy for outgoing SOAP connections:
■ Proxy Host - The proxy host name.
■ Proxy Port - The proxy port number.
■ Username - The user name to use when connecting to the proxy.
■ Password - The password to use when connecting to the proxy.
■ Non-Proxy Hosts - A list of hosts for which the proxy should not be used. Use ; to separate multiple hosts.
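As an added illustration of the two connection ceilings and the proxy settings above (example code, not part of Oracle Identity Federation), the following Python enforces a global and a per-provider limit on concurrent outbound SOAP connections and decides, from the ';'-separated Non-Proxy Hosts list, whether a given target host goes through the proxy. The provider and host names are made up; `send_soap` takes a caller-supplied transport function in place of a real HTTP client, and host matching is exact because the page describes no wildcard syntax.

```python
import threading
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class HttpProxySettings:
    """The HTTP Proxy Settings fields from the page."""
    proxy_host: Optional[str] = None
    proxy_port: int = 0
    username: Optional[str] = None
    password: Optional[str] = None
    non_proxy_hosts: str = ""   # ';'-separated list, as on the page

    def exempt_hosts(self) -> Set[str]:
        # Split on ';', trim surrounding whitespace, compare case-insensitively
        return {h.strip().lower() for h in self.non_proxy_hosts.split(";") if h.strip()}

    def proxy_for(self, target_host: str) -> Optional[Tuple[str, int]]:
        """Proxy (host, port) for an outbound SOAP call, or None to connect directly.

        Exact host-name matching only; wildcard patterns are not described on
        the page and are deliberately not supported here.
        """
        if not self.proxy_host or target_host.lower() in self.exempt_hosts():
            return None
        return (self.proxy_host, self.proxy_port)


class SoapConnectionLimiter:
    """Enforce Maximum SOAP Connection (all providers) and Maximum SOAP Connection Per Server."""

    def __init__(self, max_total: int, max_per_server: int) -> None:
        self._max_total = max_total
        self._max_per_server = max_per_server
        self._lock = threading.Lock()
        self._total = 0
        self._per_server: Dict[str, int] = {}

    def acquire(self, provider_id: str) -> bool:
        """Reserve a connection slot; False if either ceiling would be exceeded."""
        with self._lock:
            used = self._per_server.get(provider_id, 0)
            if self._total >= self._max_total or used >= self._max_per_server:
                return False
            self._per_server[provider_id] = used + 1
            self._total += 1
            return True

    def release(self, provider_id: str) -> None:
        with self._lock:
            used = self._per_server.get(provider_id, 0)
            if used > 0:   # ignore releases that were never acquired
                self._per_server[provider_id] = used - 1
                self._total -= 1

    def in_use(self, provider_id: Optional[str] = None) -> int:
        with self._lock:
            return self._total if provider_id is None else self._per_server.get(provider_id, 0)


def send_soap(limiter: SoapConnectionLimiter, proxy: HttpProxySettings, provider_id: str,
              provider_host: str, payload: str,
              transport: Callable[[str, Optional[Tuple[str, int]], str], None]) -> bool:
    """Send one SOAP message under the limits; False if no slot is free right now."""
    if not limiter.acquire(provider_id):
        return False   # fail fast (or queue) rather than open an unbounded number of sockets
    try:
        transport(provider_host, proxy.proxy_for(provider_host), payload)
        return True
    finally:
        limiter.release(provider_id)   # the slot is freed even if the transport raises


if __name__ == "__main__":
    settings = HttpProxySettings(proxy_host="proxy.corp.example", proxy_port=8080,
                                 non_proxy_hosts="idp.internal.example; localhost")
    limiter = SoapConnectionLimiter(max_total=3, max_per_server=2)
    for host in ("idp.internal.example", "idp.partner.example"):
        print(host, "->", settings.proxy_for(host))
    print("third concurrent connection to one provider allowed:",
          limiter.acquire("sp1"), limiter.acquire("sp1"), limiter.acquire("sp1"))
```

A per-server ceiling below the global one keeps a single slow or unresponsive provider from consuming every outbound slot, which is the operational reason the two limits exist side by side.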

5.3 Configuring Identity Providers - Common Properties

Enabling IdP

To enable the server as an IdP:
■ Check the Enable Identity Provider box.
■ Specify the Provider ID.
This is the URI for the Oracle Identity Federation instance. If it is a URL, it need not point to an actual resource.

Note: This property affects server metadata. When updating this property, distribute the updated metadata to all trusted providers.

Assertion Settings

Specify assertion parameters as follows:

■ Send Signed Assertion
This determines whether the assertions issued by the identity provider are signed.

■ Assertion Validity
This is the time, in seconds, during which an assertion issued by the identity provider is valid. An assertion is considered invalid if processed outside the validity period. The default is 300 seconds.

■ Reauthenticate After
This is the time, in seconds, after which the service provider must re-authenticate the user. Assertions containing an authentication statement by the identity provider are only valid for this period, after which the user is to be considered non-authenticated. The default is 3600 seconds.

Protocol Settings

Specify protocol settings as follows:

■ Artifact Timeout
This is the validity time, in seconds, of an artifact object created by Oracle Identity Federation. The default is 300 seconds.

■ Include Signing Certificate in XML Signatures
If checked, Oracle Identity Federation adds its signing certificate to the XML Digital Signature element of outgoing messages. This is useful when the remote provider needs the signing certificate included in the message in order to verify the signature created by Oracle Identity Federation.

■ Common Domain
When an identity federation network contains multiple identity providers, a service provider needs a way to determine the identity providers in use by a principal. This is achieved by using a domain that is common to the IdPs and SPs in the federation network, and sending to the user's browser a cookie, written in this domain, that lists all the IdPs where the user is logged in. Such a domain is known as a common domain, and the cookie identifying the IdPs is called a common domain cookie or introduction cookie.

Check Enable Common Domain to specify that this IdP should set the introduction cookie. After every local authentication, Oracle Identity Federation redirects the user to the common domain, where the server can add its identifier to the introduction cookie in the user's browser.

See Also: Section 6.10, Configuring the SAML 2.0 IdP Discovery Common Domain Cookie Profile
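To make the Assertion Validity, Reauthenticate After and Artifact Timeout settings concrete, here is an added Python example (not Oracle Identity Federation code) that builds an unsigned SAML 2.0 assertion whose Conditions/NotOnOrAfter and AuthnStatement/SessionNotOnOrAfter are derived from the first two settings, reads those limits back the way an SP would, and issues SAML 2.0 type 0x0004 artifacts that resolve exactly once and only within Artifact Timeout. The provider IDs, subject and issue instant are made up; signing (Send Signed Assertion) is out of scope here.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Defaults named on the page, in seconds
ASSERTION_VALIDITY = 300
REAUTHENTICATE_AFTER = 3600
ARTIFACT_TIMEOUT = 300


def saml_time(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(provider_id: str, audience: str, name_id: str, issue_instant: datetime,
                    assertion_validity: int = ASSERTION_VALIDITY,
                    reauthenticate_after: int = REAUTHENTICATE_AFTER) -> str:
    """Unsigned SAML 2.0 assertion whose two time limits come from the IdP settings."""
    ET.register_namespace("saml", SAML)
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_" + os.urandom(16).hex(), "Version": "2.0",
                                            "IssueInstant": saml_time(issue_instant)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = provider_id
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    conditions = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": saml_time(issue_instant),
        # Assertion Validity: processing the assertion at or after this instant must fail
        "NotOnOrAfter": saml_time(issue_instant + timedelta(seconds=assertion_validity))})
    restriction = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = audience
    # Reauthenticate After: the SP must stop treating the user as authenticated at this instant
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {
        "AuthnInstant": saml_time(issue_instant),
        "SessionNotOnOrAfter": saml_time(issue_instant + timedelta(seconds=reauthenticate_after))})
    return ET.tostring(a, encoding="unicode")


def assertion_windows(assertion_xml: str) -> Tuple[datetime, datetime]:
    """(Conditions/NotOnOrAfter, AuthnStatement/SessionNotOnOrAfter) as an SP reads them back."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML}}}Conditions")
    authn = root.find(f"{{{SAML}}}AuthnStatement")
    return (parse_saml_time(conditions.get("NotOnOrAfter")),
            parse_saml_time(authn.get("SessionNotOnOrAfter")))


def artifact_fields(artifact: str) -> Tuple[int, int, bytes]:
    """(TypeCode, EndpointIndex, SourceID) of a SAML 2.0 type 0x0004 artifact."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("not a 44-byte type 0x0004 artifact")
    return int.from_bytes(raw[0:2], "big"), int.from_bytes(raw[2:4], "big"), raw[4:24]


class ArtifactStore:
    """Issue artifacts for outgoing messages and resolve each one once, within Artifact Timeout."""

    def __init__(self, provider_id: str, endpoint_index: int = 0,
                 artifact_timeout: int = ARTIFACT_TIMEOUT) -> None:
        self.source_id = hashlib.sha1(provider_id.encode("utf-8")).digest()   # 20-byte SourceID
        self._endpoint_index = endpoint_index
        self._timeout = timedelta(seconds=artifact_timeout)
        self._pending: Dict[str, Tuple[str, datetime]] = {}

    def create(self, message: str, now: datetime) -> str:
        # TypeCode 0x0004 | EndpointIndex | SHA-1(SourceID) | 20 random bytes of MessageHandle
        raw = (b"\x00\x04" + self._endpoint_index.to_bytes(2, "big")
               + self.source_id + os.urandom(20))
        artifact = base64.b64encode(raw).decode("ascii")
        self._pending[artifact] = (message, now + self._timeout)
        return artifact

    def resolve(self, artifact: str, now: datetime) -> Optional[str]:
        """Message behind a live artifact; None if unknown, already resolved, or past Artifact Timeout."""
        entry = self._pending.pop(artifact, None)   # pop: a resolved or expired artifact is gone for good
        if entry is None:
            return None
        message, expires_at = entry
        return message if now < expires_at else None


if __name__ == "__main__":
    t0 = parse_saml_time("2024-01-01T12:00:00Z")   # constructed issue instant
    idp = "https://idp.example.com/fed/idp"         # assumed provider IDs
    xml = build_assertion(idp, "https://sp.example.com/fed/sp", "alice@example.com", t0)
    print("NotOnOrAfter, SessionNotOnOrAfter:", [saml_time(t) for t in assertion_windows(xml)])
    store = ArtifactStore(idp)
    art = store.create(xml, t0)
    print("resolved once:", store.resolve(art, parse_saml_time("2024-01-01T12:00:30Z")) is not None)
    print("resolved twice:", store.resolve(art, parse_saml_time("2024-01-01T12:00:31Z")) is not None)
```

The one-time resolution matters as much as the timeout: an artifact is a bearer reference to the message, so letting it resolve twice would let anyone who observed the redirect fetch the assertion a second time.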
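The introduction cookie itself is specified by the SAML 2.0 Identity Provider Discovery profile, which the Common Domain setting above implements: a cookie named `_saml_idp`, set on the common domain, whose value is a space-separated list of base64-encoded IdP entity IDs with the most recently used IdP last. The following Python, added here as an illustration rather than taken from Oracle Identity Federation, shows what the IdP's redirect to the common domain has to do to the cookie and how an SP reads the IdP hint back. The entity IDs and domain name are made up.

```python
import base64
from typing import List, Optional

# Cookie name fixed by the SAML 2.0 Identity Provider Discovery profile
COOKIE_NAME = "_saml_idp"


def _encode(provider_id: str) -> str:
    return base64.b64encode(provider_id.encode("utf-8")).decode("ascii")


def parse_introduction_cookie(value: Optional[str]) -> List[str]:
    """Decode the space-separated, base64-encoded provider IDs, oldest first.

    Tokens that are not valid base64 or not UTF-8 are skipped rather than
    failing the whole cookie: any host in the common domain can write it, so
    a reader has to tolerate a damaged value.
    """
    idps: List[str] = []
    for token in (value or "").split(" "):
        if not token:
            continue
        try:
            provider_id = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if provider_id:
            idps.append(provider_id)
    return idps


def add_idp(value: Optional[str], provider_id: str) -> str:
    """What the IdP does on the common domain after a local authentication.

    The most recently used IdP goes last; an earlier copy of the same entity
    ID is removed so repeated logins do not grow the cookie without bound.
    """
    idps = [p for p in parse_introduction_cookie(value) if p != provider_id]
    idps.append(provider_id)
    return " ".join(_encode(p) for p in idps)


def most_recent_idp(value: Optional[str]) -> Optional[str]:
    """SP side: the IdP to send the user to, if the cookie names one."""
    idps = parse_introduction_cookie(value)
    return idps[-1] if idps else None


def set_cookie_header(value: str, common_domain: str) -> str:
    """Set-Cookie line written on the common domain.

    Secure keeps the hint off plaintext connections; it is not HttpOnly in the
    profile because SPs may read it from script, which is an assumption of
    this example rather than something the page states.
    """
    return f"{COOKIE_NAME}={value}; Domain={common_domain}; Path=/; Secure"


if __name__ == "__main__":
    idp1, idp2 = "https://idp1.example.com/fed/idp", "https://idp2.example.com/fed/idp"
    cookie = add_idp(None, idp1)          # first login at idp1
    cookie = add_idp(cookie, idp2)        # then at idp2
    cookie = add_idp(cookie, idp1)        # idp1 again: moves to the end, no duplicate
    print(set_cookie_header(cookie, "common.example.com"))
    print("SP would try:", most_recent_idp(cookie))
```

Because every IdP and SP in the common domain can read and rewrite this cookie, the SP treats it purely as a routing hint: the user is still authenticated only by the assertion that comes back from the chosen IdP.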