Interface WSDL Clicking the Enabled box next to the

5-54 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

    <wsdl:service name="AttributeRequesterService">
      <wsdl:port name="AttributeRequesterServicePort"
                 binding="orafed-arwsdl:AttributeRequesterServiceBinding">
        <soap:address location="http://stadm04.us.oracle.com:7778/fed/ar/soap"/>
      </wsdl:port>
    </wsdl:service>
  </wsdl:definitions>

The types and message sections define the contents of the AttributeRequest and AttributeResponse messages. The built-in XML Schema type ID is used for the Name attribute of the attribute elements; this type approximates the desired syntax for attribute names (letters, numbers, '_', '-', and '.'). However, ID, which is derived from the XML NCName type, also admits a number of Unicode combining characters and extenders, so schema validation alone does not confine attribute names to that simple character set; a deployment that keys policy on attribute names should check them against the intended syntax itself. The binding and service sections specify how the messages are to be sent over SOAP and HTTPS (note that the sample soap:address above uses a plain http URL; a production endpoint should be served over HTTPS).
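The gap between the xs:ID schema type and the intended attribute-name syntax is easy to miss in practice. The following Python 3 example is added here and is not code from the Oracle guide or from Oracle Identity Federation; it contrasts a strict check for the intended character set with an approximation of the NCName production (the NCName approximation and the sample names are assumptions constructed for the demonstration) and lists the names that would pass schema validation while containing combining marks or extenders.

```python
import re
import unicodedata

# Intended attribute-name syntax stated on the page: letters, numbers, '_', '-', '.'
# (assumption: a name must start with a letter or underscore, as NCName requires).
STRICT_NAME_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_.\-]*$')


def is_strict_attribute_name(name):
    """True if the name uses only the intended ASCII character set."""
    return bool(STRICT_NAME_RE.match(name))


def is_ncname_like(name):
    """Approximation of the XML NCName production from which xs:ID is derived.

    Assumption: close enough to XML 1.0 NCName for this demonstration. It rejects
    an empty name, a colon, and a leading digit/'-'/'.', and accepts letters,
    digits, '_', '-', '.', Unicode combining marks (categories Mn/Mc) and the
    middle-dot extender U+00B7, which is exactly the surplus the page warns about.
    """
    if not name or ':' in name:
        return False
    if not (name[0].isalpha() or name[0] == '_'):
        return False
    for ch in name[1:]:
        if ch.isalnum() or ch in '_-.' or ch == '\u00b7':
            continue
        if unicodedata.category(ch) in ('Mn', 'Mc'):
            continue
        return False
    return True


def find_suspicious_names(names):
    """Names a schema validator (xs:ID) would accept that fall outside the
    intended syntax; these are the ones to reject before keying any policy
    on the attribute name."""
    return [n for n in names if is_ncname_like(n) and not is_strict_attribute_name(n)]


# Constructed sample input (not from the page). The fifth and sixth entries look
# like 'email' on screen but carry a combining acute accent (U+0301) and a middle
# dot (U+00B7), so they are distinct strings from the plain ASCII name.
SAMPLE_NAMES = [
    'cn', 'commonName', 'mail-address', 'given.name',
    'e\u0301mail', 'email\u00b7',
    '1badname', 'ns:qualified',
]

if __name__ == '__main__':
    for n in find_suspicious_names(SAMPLE_NAMES):
        print('reject schema-valid but non-ASCII attribute name: %r' % n)
```

Run as a script it reports the two look-alike names; the point is that any policy decision made on an attribute name (mapping, filtering, authorization) should be preceded by the strict check, because the schema type alone lets visually confusable names through.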

5.9 Configuring Attribute Mapping and Filtering

This section explains how to configure the attribute mapping functionality in Oracle Identity Federation. It contains these topics:
■ Introduction to Attribute Mapping and Filtering
■ Mapping and Filtering Configuration

5.9.1 Introduction to Attribute Mapping and Filtering

Supported Entities
Oracle Identity Federation supports attribute mapping for the following:
■ Attribute Authority
■ Attribute Requester
■ Identity Provider, when sending attributes in SSO assertions

Mapping Capabilities
Oracle Identity Federation provides the following attribute mapping capabilities:
■ Attribute Name Mapping: maps local attribute names to external attribute names used in SAML messages
■ Attribute Value Mapping: maps local attribute values to external attribute values used in SAML messages
■ Attribute Value Filtering: filters local attribute values by sending only allowed values in assertion messages

See Also: The W3C specification, Namespaces in XML, at http://www.w3.org/TR/1999/REC-xml-names-19990114#NT-NCName (the NCName production referred to in the WSDL discussion above)

Attribute Sources
Oracle Identity Federation can map attributes to an outgoing assertion from these sources:
1. user sessions
2. user data stores
3. static values from the Oracle Identity Federation configuration

This section contains these topics:
■ Attribute Name Mapping
■ Attribute Value Mapping
■ Attribute Value Filtering

5.9.1.1 Attribute Name Mapping

Attribute name mapping allows the administrator to specify the name under which a local attribute appears in SAML messages when sending or receiving them. On the IdP/Attribute Authority side, a mapping also governs release: when a mapping is defined, Oracle Identity Federation can be configured to send that attribute to a specific peer provider. Consequently, when no name mappings are defined for a peer provider, Oracle Identity Federation sends no attributes to that provider; attribute release is deny-by-default, and every attribute that is released has to be mapped explicitly. Oracle Identity Federation exercises attribute name mapping when acting as one of the following:
■ Attribute Authority
■ Attribute Requester
■ Identity Provider, when sending attributes in SSO assertions
Attribute name mapping is configured through the Fusion Middleware Control Console. See Section 5.9.2.1, Configuring Attribute Name Mapping, for details.

5.9.1.1.1 Static Attribute Value

You can map a static attribute value (for example, DeploymentVersion=6.4) from the Oracle Identity Federation configuration to an outgoing assertion. The feature is implemented with two properties on an existing attribute name mapping definition:
■ from-config, a boolean
■ attribute-value-fromconfig
If from-config is true, and that attribute needs to be included in an outgoing assertion, the value stored in attribute-value-fromconfig is placed in the outgoing assertion. If from-config is false, the value is retrieved from the user session or the user data store, as configured for the attribute in Fusion Middleware Control.

Note: In 11g Release 1 (11.1.1), all attribute mapping and filtering is available only as per-peer-provider configuration, not at the global level.

The steps involve adding an attribute name mapping definition to the list of attribute mappings, and setting these properties:
■ the internal name of the attribute, referenced by datastore-attr
■ the name of the attribute as it will appear in the assertion, referenced by assertion-attr
■ the format or namespace of the SAML attribute (which can be blank), referenced by format-attr
■ a flag, referenced by send-with-sso, indicating whether the attribute should be sent in an SSO assertion
■ a flag, referenced by from-session, indicating whether to retrieve the attribute value from the Oracle Identity Federation user session
■ a flag, referenced by from-config, indicating whether the attribute value is static
■ a property, referenced by attribute-value-fromconfig, containing the static value

The WLST commands to configure static attribute mapping are as follows:
■ Create an attribute name mapping definition for an attribute (with local name set to cn and assertion name set to commonName) for provider ID http://myhost.domain.com:7499/fed/sp, if it does not already exist:

    createFederationPropertyMap('http://myhost.domain.com:7499/fed/sp', 'attributelist')
    createFederationPropertyMapInMap('http://myhost.domain.com:7499/fed/sp', 'attributelist', 'cncommonName')

■ Add the new set of properties for the attribute, if they do not already exist, using the guidelines in the table below. These properties are added to the element created in the previous step.

Note: You must replace the sample host:port, map name, and static values used in this example with valid values.

Note: When creating a mapping from scratch, you must also include the attribute require-from-infocard.

    Property                     Set to
    datastore-attr               cn
    assertion-attr               commonName
    format-attr                  (empty value)
    send-with-sso                true (always send the attribute with SSO assertions) or false (do not send the attribute)
    from-session                 true (retrieve the attribute value from the Oracle Identity Federation user session) or false (do not retrieve the value from the session)
    from-config                  true (the attribute has a static value) or false
    attribute-value-fromconfig   the static value, if needed
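The interaction of these per-mapping properties (and the deny-by-default release described in Section 5.9.1.1, where an unmapped attribute is never sent) is easiest to see by resolving a concrete mapping set against a user. The following Python 3 example is added here and is not Oracle code or the product's WLST API; it models a per-peer-provider attributelist with the seven properties above and computes what an SSO assertion would carry. The provider ID and the cn/commonName mapping come from the page; the other mappings, the user data, and the precedence among from-config, from-session and the data store are assumptions made for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class AttributeMapping:
    """One attribute name mapping definition with the properties listed above."""
    datastore_attr: str                    # datastore-attr: internal (local) name
    assertion_attr: str                    # assertion-attr: name used in the assertion
    format_attr: str = ''                  # format-attr: SAML name format, may be blank
    send_with_sso: bool = False            # send-with-sso
    from_session: bool = False             # from-session
    from_config: bool = False              # from-config: value is static
    attribute_value_fromconfig: str = ''   # attribute-value-fromconfig: the static value


# Constructed per-peer-provider configuration (the page's 'attributelist' map),
# keyed by provider ID and then by mapping name. Only the cn/commonName entry
# mirrors the page; the other mappings are hypothetical.
PROVIDER_MAPPINGS = {
    'http://myhost.domain.com:7499/fed/sp': {
        'cncommonName': AttributeMapping('cn', 'commonName', send_with_sso=True),
        'mailemail': AttributeMapping('mail', 'email', send_with_sso=True, from_session=True),
        'deploymentVersion': AttributeMapping(
            'DeploymentVersion', 'DeploymentVersion', send_with_sso=True,
            from_config=True, attribute_value_fromconfig='6.4'),
        'memberOfgroups': AttributeMapping('memberOf', 'groups', send_with_sso=False),
    },
}

# Constructed user data: what the OIF user session holds and what the user data
# store holds for the same user. The 'cn' and 'mail' values deliberately differ
# so the source each mapping resolves from is visible in the result.
SESSION_ATTRS = {'cn': 'Alice (session)', 'mail': 'alice@example.com'}
DATASTORE_ATTRS = {'cn': 'Alice Example', 'mail': 'alice.old@example.com',
                   'memberOf': 'cn=admins,ou=groups'}


def resolve_sso_attributes(provider_id, session_attrs, datastore_attrs,
                           mappings=PROVIDER_MAPPINGS):
    """Compute the attributes released in an SSO assertion to provider_id.

    Returns {assertion_attr: (format_attr, value)}. Release is allowlist-based:
    an attribute is emitted only if a mapping exists for this provider and
    send-with-sso is true, so a provider with no mappings receives nothing.
    Assumed precedence (not stated on the page): a static from-config value
    wins, then the session when from-session is true, otherwise the data
    store; a missing or empty value means the attribute is omitted rather
    than sent empty.
    """
    released = {}
    for m in mappings.get(provider_id, {}).values():
        if not m.send_with_sso:
            continue
        if m.from_config:
            value = m.attribute_value_fromconfig
        elif m.from_session:
            value = session_attrs.get(m.datastore_attr)
        else:
            value = datastore_attrs.get(m.datastore_attr)
        if value is None or value == '':
            continue
        released[m.assertion_attr] = (m.format_attr, value)
    return released


if __name__ == '__main__':
    for sp in ('http://myhost.domain.com:7499/fed/sp',
               'http://unmapped.example.com/fed/sp'):
        print(sp, '->', resolve_sso_attributes(sp, SESSION_ATTRS, DATASTORE_ATTRS))
```

For the mapped provider the result carries commonName from the data store, email from the session, and the static DeploymentVersion value, while memberOf is never released because its mapping has send-with-sso set to false; the unmapped provider gets an empty attribute set, which is the deny-by-default behaviour to preserve when adding mappings for a new peer.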