Sample Integration Module 1: Oracle WebLogic Server JavaEE Container Integration

Integrating with Third-Party Identity and Access Management Modules 10-25

■ Set /engine as the Web Context of the authentication engine
■ Set /domainintegration.jsp as the Login Relative Path of the SP integration engine
■ Select the authentication mechanism to use if a local authentication procedure needs to occur during the assertion processing. This can happen when Federated Identities are used to map the assertion to a user record and the Federation record does not exist: in this case, the user will need to be locally authenticated in order to perform the one-time operation that will create the record.

5. Save your changes.

See Also: Section 5.16, "Configuring SP Integration Modules"

Implementation of domainapplication.jsp

    <%@ page buffer="5kb" autoFlush="true" session="false" %>
    <%@ page language="java" import="java.net.*, java.util.*" %>
    <%
    // Never let a proxy or browser cache this page
    response.setHeader("Cache-Control", "no-cache");
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");

    // Look for the domain cookie written by domainintegration.jsp
    Cookie[] cookies = request.getCookies();
    String userid = null;
    Date timeout = null;
    for (int i = 0, size = (cookies != null ? cookies.length : 0); i < size; i++)
    {
        String name = cookies[i].getName();
        if ("spintegrationcookie".equals(name))
        {
            // Cookie value is "<userid>*<expiry time in ms>"; the separator is
            // reconstructed here, the extracted page lost it
            String value = cookies[i].getValue();
            StringTokenizer st = new StringTokenizer(value, "*");
            userid = st.nextToken();
            timeout = new Date(Long.parseLong(st.nextToken()));
            break;
        }
    }

    // No session cookie: start Federation SSO through the SP integration engine
    if (userid == null || userid.length() == 0)
    {
        request.setAttribute("oracle.security.fed.sp.engineid", "TEST_ENGINE_ID");
        request.setAttribute("oracle.security.fed.sp.usedefault", Boolean.TRUE);
        // Where Oracle Identity Federation sends the user back after the assertion is processed
        request.setAttribute("oracle.security.fed.sp.relaystate", "/engine/domainapplication.jsp");
        request.getSession().getServletContext().getContext("/fed")
               .getRequestDispatcher("/sp/startsso").forward(request, response);
        return;
    }
    %>
    Welcome <%= userid %>. You are logged in until <%= timeout %>

10-26 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

Implementation of domainintegration.jsp

    <%@ page buffer="5kb" autoFlush="true" session="false" %>
    <%@ page language="java" import="java.util.*" %>
    <%
    response.setHeader("Cache-Control", "no-cache");
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");

    // Attributes set by Oracle Identity Federation before it forwards the user here
    String userid = (String) request.getAttribute("oracle.security.fed.sp.userid");
    String targetURL = (String) request.getAttribute("oracle.security.fed.sp.relaystate");
    Date expirationInst = (Date) request.getAttribute("oracle.security.fed.sp.expirationtime");

    // Build the domain cookie read by domainapplication.jsp: "<userid>*<expiry time in ms>"
    // (separator reconstructed; the extracted page lost it)
    String cookieValue = userid + "*" + expirationInst.getTime();
    Cookie cookie = new Cookie("spintegrationcookie", cookieValue);
    cookie.setDomain(".us.oracle.com");
    cookie.setPath("/");
    response.addCookie(cookie);

    // Send the user on to the relay state (the page that started SSO)
    response.sendRedirect(targetURL);
    %>

Logout

Since this sample application sets up a domain cookie, the SP integration engine must be integrated into the logout flow (see Section 10.5, "Logout").
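The two sample pages above trust whatever arrives in spintegrationcookie: the cookie is a bare user ID and expiry time, and domainapplication.jsp reads it back without checking either. The class below is an added example (not Oracle's sample code) of the same cookie format with an HMAC tag appended and the expiry enforced on read, so a tampered or stale cookie falls through to the Federation SSO start instead of logging a user in. The cookie name and the userid/expiry layout are the page's; the "*" separator, the key handling and the sample values in main are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.StringTokenizer;

/** Builds and checks the value carried by the "spintegrationcookie" domain cookie. */
public final class SpIntegrationCookie {
    public static final String COOKIE_NAME = "spintegrationcookie";
    private static final String SEP = "*";          // assumed separator between fields
    private static final String ALG = "HmacSHA256";
    private final byte[] key;                       // server-side key, never sent to the client

    public SpIntegrationCookie(byte[] key) {
        this.key = key.clone();
    }

    /** What domainapplication.jsp needs from a valid cookie. */
    public static final class Session {
        public final String userid;
        public final long expiresAtMillis;
        Session(String userid, long expiresAtMillis) {
            this.userid = userid;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    /** Integration page side: "userid*expiry*tag" where tag = HMAC("userid*expiry"). */
    public String encode(String userid, long expiresAtMillis) {
        if (userid == null || userid.isEmpty() || userid.contains(SEP)) {
            throw new IllegalArgumentException("userid empty or contains separator");
        }
        String payload = userid + SEP + expiresAtMillis;
        return payload + SEP + tag(payload);
    }

    /** Application page side: the session, or null if the cookie is absent, malformed, forged or expired. */
    public Session decode(String cookieValue, long nowMillis) {
        if (cookieValue == null) return null;
        int cut = cookieValue.lastIndexOf(SEP);
        if (cut < 0) return null;
        String payload = cookieValue.substring(0, cut);
        String presented = cookieValue.substring(cut + 1);
        // Constant-time comparison of the presented tag against the recomputed one
        byte[] a = presented.getBytes(StandardCharsets.UTF_8);
        byte[] b = tag(payload).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) return null;
        // Same tokenizer parsing the sample page does, now over an authenticated payload
        StringTokenizer st = new StringTokenizer(payload, SEP);
        if (st.countTokens() != 2) return null;
        String userid = st.nextToken();
        long expiresAt;
        try {
            expiresAt = Long.parseLong(st.nextToken());
        } catch (NumberFormatException e) {
            return null;
        }
        if (expiresAt <= nowMillis) return null;    // the sample never checked this
        return new Session(userid, expiresAt);
    }

    private String tag(String payload) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            byte[] t = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
            // URL-safe Base64 never contains "*", so lastIndexOf(SEP) always finds the tag boundary
            return Base64.getUrlEncoder().withoutPadding().encodeToString(t);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo key and clock; a deployment loads the key from its own secret store
        byte[] key = "constructed-demo-key-replace-in-deployment".getBytes(StandardCharsets.UTF_8);
        SpIntegrationCookie c = new SpIntegrationCookie(key);
        long now = 1_700_000_000_000L;
        String value = c.encode("alice", now + 600_000);      // ten-minute session
        System.out.println("cookie:  " + value);
        System.out.println("valid:   " + (c.decode(value, now) != null));
        System.out.println("expired: " + (c.decode(value, now + 700_000) == null));
        String forged = "admin" + value.substring(value.indexOf(SEP));  // swap the user ID, keep the tag
        System.out.println("forged:  " + (c.decode(forged, now) == null));
    }
}
```

In the JSP pages, domainintegration.jsp would call encode() before new Cookie(...) and domainapplication.jsp would call decode() on the cookie value in place of the tokenizer loop. The same Cookie object should also get setHttpOnly(true) and setSecure(true), which the sample omits, and the domain should be as narrow as the application allows rather than a whole corporate suffix.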

10.5 Logout

This section explains how to configure logout flows.

10.5.1 Changing Logout Flow

This section contains topics relevant to redirection during logout.

URLs

During the logout operations, the user is redirected between the federation engine and the logout service of the authentication and SP integration engines. Oracle Identity Federation needs to be aware of the location of the logout service in order to redirect the user to the servlet/JSP page for logout. This URL is defined in the logout location field of the authentication and SP integration engines. The URL is defined as the union of the Web Context of the engine and the logout relative path.

Implementing the Logout Service

The operations that need to be performed by the logout service include:
■ processing requests from the federation engine, logging the user out of the IAM framework and sending the user back to Oracle Identity Federation
■ processing requests from the IAM framework, sending the user to Oracle Identity Federation for logout, receiving the user back from Oracle Identity Federation after logout and sending the user to the IAM framework

Oracle Identity Federation invokes Authn/SP Engine

When Oracle Identity Federation sends the user to the authentication/SP engine, it will:
1. Perform an internal forward to the web context and relative logout path of the engine
2. Specify the engine ID of the invoked engine on the HttpServletRequest (the attribute referenced by oracle.security.fed.authn.engineid if the engine is an authentication engine, or oracle.security.fed.sp.engineid if the engine is an SP engine)
3. Optionally specify on the HttpServletRequest the attribute referenced by oracle.security.fed.sessionid, which holds the identifier of the user session being logged out (a String object)

When the authentication/SP engine logs the user out and internally forwards the user back to Oracle Identity Federation, it:
1. Performs an internal forward to the /fed web context and /user/logoutretsso
2. Specifies the engine ID of the invoked engine on the HttpServletRequest (the attribute referenced by oracle.security.fed.authn.engineid if the engine is an authentication engine, or oracle.security.fed.sp.engineid if the engine is an SP engine); that attribute value is the identifier of the engine that performed the logout operation

Authn/SP invokes Oracle Identity Federation

When an authentication/SP engine invokes Oracle Identity Federation for logout, it:
1. Performs an internal forward to the /fed web context and /user/logoutsso
2. Specifies the engine ID of the invoked engine on the HttpServletRequest (the attribute referenced by oracle.security.fed.authn.engineid if the engine is an authentication engine, or oracle.security.fed.sp.engineid if the engine is an SP engine); that attribute value is the identifier of the engine being invoked for logout
3. Specifies a return URL where Oracle Identity Federation redirects the user after logout. That URL is specified via the HttpServletRequest attribute referenced by oracle.security.fed.logout.returnurl.

At the end of the logout flow, the user is logged out from Oracle Identity Federation and redirected to the return URL.
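The two directions above (Oracle Identity Federation invoking the engine, and the engine invoking Oracle Identity Federation) are what a custom logout service has to tell apart from the attributes on the incoming request. The class below is an added example, not Oracle's code, that models that decision for the SP integration engine of the WebLogic sample: the request is represented as a map of HttpServletRequest attributes and the result as a "forward to this context and path with these attributes" record, so the flow can be exercised without a container. The attribute names and the /fed/user/logoutsso and /fed/user/logoutretsso paths are the page's; the engine ID "TEST_ENGINE_ID", the return URL and the session ID in main are constructed values.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Decides, for a custom SP integration engine, what the logout service forwards to next. */
public final class SpLogoutService {
    public static final String SP_ENGINE_ID = "oracle.security.fed.sp.engineid";
    public static final String SESSION_ID   = "oracle.security.fed.sessionid";      // optional, set by OIF
    public static final String RETURN_URL   = "oracle.security.fed.logout.returnurl";
    public static final String FED_CONTEXT  = "/fed";
    public static final String LOGOUT_SSO     = "/user/logoutsso";     // engine asks OIF to log the user out
    public static final String LOGOUT_RET_SSO = "/user/logoutretsso";  // engine reports its local logout done
    public static final String COOKIE_NAME = "spintegrationcookie";

    /** The internal forward the service performs, plus whether it expired the domain cookie. */
    public static final class Forward {
        public final String context;
        public final String path;
        public final Map<String, Object> attributes;
        public final boolean cookieExpired;
        Forward(String context, String path, Map<String, Object> attributes, boolean cookieExpired) {
            this.context = context;
            this.path = path;
            this.attributes = attributes;
            this.cookieExpired = cookieExpired;
        }
    }

    private final String engineId;   // this engine's ID as registered in OIF
    private final String returnUrl;  // where the IAM framework wants the user after an OIF logout

    public SpLogoutService(String engineId, String returnUrl) {
        this.engineId = engineId;
        this.returnUrl = returnUrl;
    }

    /** requestAttributes: the attributes present on the incoming HttpServletRequest. */
    public Forward handle(Map<String, Object> requestAttributes) {
        Object caller = requestAttributes.get(SP_ENGINE_ID);
        Map<String, Object> out = new LinkedHashMap<>();
        if (caller != null) {
            // Direction 1: OIF invoked us and named the engine it meant to reach.
            // Refuse a request addressed to a different engine instead of logging anyone out.
            if (!engineId.equals(caller)) {
                throw new IllegalArgumentException("logout request for engine " + caller + ", this is " + engineId);
            }
            // oracle.security.fed.sessionid, when present, identifies the OIF session being ended;
            // local logout for the sample means expiring the domain cookie (Cookie.setMaxAge(0)).
            out.put(SP_ENGINE_ID, engineId);   // tell OIF which engine performed the logout
            return new Forward(FED_CONTEXT, LOGOUT_RET_SSO, out, true);
        }
        // Direction 2: the IAM side (for example the application's own logout link) invoked us.
        // Hand the user to OIF and say where to send them once OIF has logged them out.
        out.put(SP_ENGINE_ID, engineId);
        out.put(RETURN_URL, returnUrl);
        return new Forward(FED_CONTEXT, LOGOUT_SSO, out, false);
    }

    public static void main(String[] args) {
        SpLogoutService svc = new SpLogoutService("TEST_ENGINE_ID", "https://app.example/loggedout");

        // OIF-initiated: the request carries our engine ID and, optionally, the session ID
        Map<String, Object> fromOif = new LinkedHashMap<>();
        fromOif.put(SP_ENGINE_ID, "TEST_ENGINE_ID");
        fromOif.put(SESSION_ID, "constructed-session-123");
        Forward f1 = svc.handle(fromOif);
        System.out.println("OIF -> engine: forward " + f1.context + f1.path
                + " " + f1.attributes + " cookieExpired=" + f1.cookieExpired);

        // IAM-initiated: no engine ID attribute on the request
        Forward f2 = svc.handle(new LinkedHashMap<>());
        System.out.println("engine -> OIF: forward " + f2.context + f2.path + " " + f2.attributes);
    }
}
```

In the real logout.jsp the Forward record maps onto request.setAttribute(...) for each entry, an expired Cookie added to the response when cookieExpired is true, and getServletContext().getContext(context).getRequestDispatcher(path).forward(request, response); the engine ID check matters because the service is reachable by internal forward and should act only on requests meant for it.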

10.5.2 Sample Logout Services

In the next two sections, these scenarios of logout services are outlined:
■ Logout Service Example 1 describes a custom logout service when both the authentication and SP integration engines are customized
■ Logout Service Example 2 describes a custom logout service when only the SP integration engine is customized

10.5.3 Logout Service Example 1

This section describes how to integrate a custom logout service, assuming that both the authentication and SP integration engines have been customized, that is, the default engines are no longer used.

Setup

In this example, the authentication engine is the LDAP engine described in Section 10.3, "Creating a Custom Authentication Engine", and the SP integration engine is the Oracle WebLogic Server integration engine described in Section 10.4.4, "Sample Integration Module 1: Oracle WebLogic Server JavaEE Container Integration".

Packaging

The logout service consists of a JSP page bundled with the authentication and SP integration engines: