Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for Linux x86-64 Part Number E14770-05
This chapter describes issues associated with Oracle Identity Federation. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
When a database table is used as the authentication engine and the stored passwords are MD5 or SHA hashes, the digest must be stored base64-encoded; hexadecimal digests are not accepted.
The stored value can be either the bare base64-encoded digest or the base64-encoded digest preceded by a {SHA} or {MD5} prefix. For example:
{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
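The following Python is an added example, not part of the release note or of Oracle's code. It produces values in the two accepted forms and verifies a password against them, treating anything that is not base64 (a hex digest, for instance) as a non-matching entry. It assumes, as the LDAP-style prefix convention does, that {SHA} means SHA-1; the value shown above is the SHA-1 digest of the string test.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

# Assumption: "SHA" here means SHA-1, as in the LDAP-style {SHA} prefix.
# Raw digest lengths let a bare base64 value be classified without a prefix.
DIGEST_LENGTHS = {"SHA": 20, "MD5": 16}


def _digest(algorithm: str, password: str) -> bytes:
    if algorithm == "SHA":
        return hashlib.sha1(password.encode("utf-8")).digest()
    if algorithm == "MD5":
        return hashlib.md5(password.encode("utf-8")).digest()
    raise ValueError("unsupported algorithm: %r" % algorithm)


def encode_password(password: str, algorithm: str = "SHA", with_prefix: bool = True) -> str:
    """Hash a password and return the base64 of the raw digest, optionally prefixed with {SHA} or {MD5}."""
    algorithm = algorithm.upper()
    b64 = base64.b64encode(_digest(algorithm, password)).decode("ascii")
    return "{%s}%s" % (algorithm, b64) if with_prefix else b64


def parse_stored_password(stored: str) -> Tuple[str, bytes]:
    """Split a stored value into (algorithm, raw digest).

    Accepts "{SHA}<base64>", "{MD5}<base64>" or a bare base64 digest, which is
    classified by its length.  Anything else (hex digests, unknown prefixes,
    truncated base64) raises ValueError, mirroring the rule that only base64 is accepted.
    """
    algorithm: Optional[str] = None
    if stored.startswith("{"):
        prefix, sep, stored = stored[1:].partition("}")
        if not sep or prefix.upper() not in DIGEST_LENGTHS:
            raise ValueError("unknown prefix {%s}" % prefix)
        algorithm = prefix.upper()
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("digest is not base64: %s" % exc)
    if algorithm is None:
        for name, length in DIGEST_LENGTHS.items():
            if len(raw) == length:
                algorithm = name
                break
        else:
            raise ValueError("cannot classify a %d-byte digest" % len(raw))
    elif len(raw) != DIGEST_LENGTHS[algorithm]:
        raise ValueError("%s digest must be %d bytes" % (algorithm, DIGEST_LENGTHS[algorithm]))
    return algorithm, raw


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare in constant time; malformed entries never verify."""
    try:
        algorithm, expected = parse_stored_password(stored)
    except ValueError:
        return False
    return hmac.compare_digest(_digest(algorithm, password), expected)
```

Both forms are unsalted, fast digests, so a table in this format must be protected like a plaintext credential store; the release note only settles the encoding that the authentication engine will read.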
This section describes configuration issues and their workarounds. It includes the following topics:
Section 27.2.1, "WLST Environment Setup when SOA and OIF are in Same Domain"
Section 27.2.2, "Oracle Virtual Directory Requires LSA Adapter"
Section 27.2.3, "Settings for Remote WS-Fed SP Must be Changed Dynamically"
Section 27.2.4, "Required Property when Creating a WS-Fed Trusted Service Provider"
Section 27.2.5, "Federated Identities Table not Refreshed After Record Deletion"
Section 27.2.6, "Default Authentication Scheme is not Saved"
Section 27.2.7, "Configuring 10g to Work with 11g Oracle Identity Federation using Artifact Profile"
If your site contains Oracle SOA Suite and Oracle Identity Federation in the same domain, the WLST setup instructions in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation are insufficient for WLST to correctly execute Oracle Identity Federation commands.
This can happen if you install an IdM domain, then extend it with an Oracle SOA install; the SOA installer changes the ORACLE_HOME environment variable. This breaks the Oracle Identity Federation WLST environment, as it relies on the IdM value for ORACLE_HOME.
Take these steps to enable the use of WLST commands:
Execute the instructions described in Section 9.1.1, Setting up the WLST Environment, in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
Copy OIF-ORACLE_HOME/fed/script/*.py to WL_HOME/common/wlst. (This note refers to the script directory as both fed/script and fed/scripts; use the directory that actually contains the .py files in your installation.)
Append OIF-ORACLE_HOME/fed/scripts to the CLASSPATH environment variable.
To use Oracle Virtual Directory as an Oracle Identity Federation user store or an authentication engine, you must configure a Local Storage Adapter, and the context root must be created as required at installation or post-install configuration time.
For details about this task, see the chapter Creating and Configuring Oracle Virtual Directory Adapters in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.
On the Edit Federations page, the Oracle Identity Federation (OIF) settings for remote WS-Fed service provider contain a property called SSO Token Type; you can choose to either inherit the value from the IdP Common Settings page or override it here. The number of properties shown in 'OIF Settings' depends on the value of SSO Token Type.
If you choose to override SSO Token Type with a different value (for example, by changing from SAML2.0 to SAML1.1), the number of properties shown in 'OIF Settings' does not change until you click the Apply button.
Also, if you have overridden the value for Default NameID Format to 'Persistent Identifier' or 'Transient/One-Time Identifier', then changed the SSO Token Type value from 'SAML2.0' to 'SAML1.1' or 'SAML1.0', you will notice that the value for Default NameID Format is now blank. To proceed, you must reset this property to a valid value from the list.
When you create a WS-Fed Trusted Service Provider, you must set the value for the 'Use Microsoft Web Browser Federated Sign-On' property with these steps:
In Fusion Middleware Control, navigate to Federations, then Edit Federations.
Choose the newly created WS-Fed Trusted Service Provider and click Edit.
In the 'Trusted Provider Settings' section, set the value for Use Microsoft Web Browser Federated Sign-On by checking or unchecking the check-box.
Click Apply.
When the federation store is XML-based, a record continues to be displayed in the federated identities table after it is deleted.
The following scenario illustrates the issue:
The federation data store is XML.
Perform federated SSO, using "map user via federated identity".
In Fusion Middleware Control, locate the Oracle Identity Federation instance, and navigate to Administration, then Identities, then Federated Identities.
Click on the created federation record and delete it.
After deletion, the federated record is still in the table. Further attempts at deleting the record result in an error.
The workaround is to manually refresh the table by clicking Search.
Problem
This problem is seen when you configure Oracle Access Manager in Fusion Middleware Control as a Service Provider Integration Module. It is not possible to set a default authentication scheme, since the default is set to a certain scheme (say OIF-password-protected) but the radio button is disabled.
Solution
Take these steps to set the preferred default authentication scheme:
Check the Create check-box for the scheme that is currently set as the default but disabled.
Check the Create check-box(es) for the authentication scheme(s) that you would like to create.
Click the radio button of the scheme that you wish to set as the default.
Uncheck the Create check-box of the scheme in Step 1 only if you do not want to create the scheme.
Provide all the required properties in the page.
Click the Configure Oracle Access Manager button to apply the changes.
The default authentication scheme is now set to the one that you selected.
Note:
In addition, when removing authentication schemes, do not remove the default scheme; if you must remove it, first change the default to another authentication scheme.

In the SAML 1.x protocol, for a 10g Oracle Identity Federation server to work with an 11g Oracle Identity Federation server using the Artifact profile, you must set up either basic authentication or client certificate authentication between the two servers. (The Artifact profile resolves the artifact over a back-channel SOAP call, so the SOAP endpoint itself must be protected.)
For instructions, see:
Section 6.9 Protecting the SOAP Endpoint, in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, 11g Release 1 (11.1.1)
Section 6.5.13.2 When Oracle Identity Federation is an SP, in the Oracle Identity Federation Administrator's Guide, 10g (10.1.4.0.1)
This section describes documentation errata for the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, part number E13400-01. It includes the following topics:
Section 27.3.1, "Incorrect SP Integration Engine Code Example"
Section 27.3.3, "Clarification on Setting up Single Sign-On for SAML 1.x and WS-Federation"
Section 27.3.4, "Managed Server Startup Script Name and Windows Instructions"
Section 27.3.8, "Different Passwords for Keystore and Private Key not Supported"
Section 3.2.5.3.5, Sample Integration Module 2: Customized Single Sign-On Integration, of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation contains incorrect sample code titled "Implementation of domainapplication.jsp".
Replace this code with the following corrected code:
<%@page buffer="5" autoFlush="true" session="false"%>
<%@page language="java" import="java.net.*, java.util.*"%>
<%
// Keep the page out of browser and proxy caches
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");

// Look for the cookie set after a successful federated SSO; its value is "<userid>*<timeout-ms>"
Cookie[] cookies = request.getCookies();
String userid = null;
Date timeout = null;
for (int i = 0, size = (cookies != null ? cookies.length : 0); i < size; i++) {
    String name = cookies[i].getName();
    if ("spintegrationcookie".equals(name)) {
        String value = cookies[i].getValue();
        StringTokenizer st = new StringTokenizer(value, "*");
        userid = st.nextToken();
        timeout = new Date(Long.parseLong(st.nextToken()));
        break;
    }
}

// No cookie: hand the request to OIF to start SP-initiated SSO, returning here afterwards.
// TEST_ENGINE_ID is a placeholder for the engine ID under which this integration module
// is registered in OIF; the sample does not define it.
if (userid == null || userid.length() == 0) {
    request.setAttribute("oracle.security.fed.sp.engineid", TEST_ENGINE_ID);
    request.setAttribute("oracle.security.fed.sp.usedefault", Boolean.TRUE);
    request.setAttribute("oracle.security.fed.sp.relaystate", "/engine/domainapplication.jsp");
    request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/sp/startsso").forward(request, response);
    return;
}
%>
Welcome <%=userid%>. You are logged in until <%=timeout%>
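The corrected JSP above trusts whatever spintegrationcookie it receives: it splits the value on "*" into a user ID and a timeout, and it displays the timeout without ever comparing it with the clock. The following Python is an added example, not from this page or from Oracle, that parses the same value format, applies the expiry check the sample omits, and shows an HMAC-protected variant of the value so the browser cannot rewrite the user ID or extend the timeout. The key, user IDs and timestamps are constructed for the example, and the signed format is an assumption of the example rather than an Oracle Identity Federation cookie format.

```python
import hashlib
import hmac
from typing import Optional, Tuple

COOKIE_NAME = "spintegrationcookie"


def parse_cookie_value(value: str) -> Tuple[str, int]:
    """Split "<userid>*<timeout-ms>" as domainapplication.jsp does with StringTokenizer.

    The timeout is epoch milliseconds (the JSP feeds it to java.util.Date).
    Raises ValueError on a malformed value instead of letting a NumberFormatException
    surface as a 500 error.
    """
    userid, sep, timeout = value.rpartition("*")
    if not sep or not userid or not (timeout.isascii() and timeout.isdigit()):
        raise ValueError("malformed %s value" % COOKIE_NAME)
    return userid, int(timeout)


def session_user(value: str, now_ms: int) -> Optional[str]:
    """Return the user ID only while the cookie's timeout has not passed.

    The JSP sample prints the timeout but never compares it with the clock;
    this is the missing check.  Returns None for malformed or expired values.
    """
    try:
        userid, timeout = parse_cookie_value(value)
    except ValueError:
        return None
    return userid if now_ms < timeout else None


# Hardened variant (an assumption of this example, not OIF's own cookie format):
# append an HMAC-SHA256 tag over "<userid>*<timeout-ms>" computed with a server-side key.

def make_signed_value(userid: str, timeout_ms: int, key: bytes) -> str:
    body = "%s*%d" % (userid, timeout_ms)
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + "*" + tag


def verify_signed_value(value: str, key: bytes, now_ms: int) -> Optional[str]:
    """Return the user ID if the tag verifies and the timeout is still in the future, else None."""
    body, sep, tag = value.rpartition("*")
    if not sep:
        return None
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; a wrong-length tag simply fails to match
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None
    return session_user(body, now_ms)
```

The unsigned form is what the sample uses and is adequate only when the cookie is set and read entirely within a trusted integration layer; any page that renders or authorizes on the user ID should at least apply the expiry check, and a signed value is the usual way to make the cookie tamper-evident without changing its shape.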
Section 3.2.5.4.3, Logout Service Example #1, of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation contains incorrect sample code titled "Implementation of logout.jsp".
Replace this code with the following corrected code:
<%@page buffer="5" autoFlush="true" session="false"%>
<%@page language="java" import="java.net.*"%>
<%
// Keep the logout response out of browser and proxy caches
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");

// Clear the application's own session state, then return control to OIF.
// TEST_ENGINE_ID is a placeholder for the engine ID under which this integration module
// is registered in OIF; the sample does not define it.
request.getSession().removeAttribute("feduserid");
request.setAttribute("oracle.security.fed.sp.engineid", TEST_ENGINE_ID);
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/user/logoutretsso").forward(request, response);
%>
Section 3.2.5.4.4, Logout Service Example #2, contains incorrect sample code titled "Implementation of domainlogout.jsp".
Replace this code with the following corrected code:
<%@page buffer="5" autoFlush="true" session="false"%>
<%@page language="java" import="java.net.*"%>
<%
// Keep the logout response out of browser and proxy caches
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");

// Expire the SSO cookie. Domain and path must match the values used when the cookie
// was set, otherwise the browser keeps the original cookie.
Cookie cookie = new Cookie("spintegrationcookie", "");
cookie.setDomain(".us.oracle.com");
cookie.setPath("/");
cookie.setMaxAge(0);
response.addCookie(cookie);

// Return control to OIF. TEST_ENGINE_ID is a placeholder for the engine ID under which
// this integration module is registered in OIF; the sample does not define it.
request.setAttribute("oracle.security.fed.sp.engineid", TEST_ENGINE_ID);
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/user/logoutretsso").forward(request, response);
%>
Section 4.3.5, Set Up Single Sign-On for SAML 1.x and WS-Federation, of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation requires clarification of the procedure titled "Fill in the Required Attributes for SAML 1.x".
Change Step 4d of this procedure to read as follows:
In the Initiate SSO Provider ID Parameter field, enter the name of the parameter that the peer provider uses to identify the provider ID of the service provider. For an Oracle Identity Federation peer identity provider, the parameter name must be "providerid".
Immediately following Step 4e, add the following:
For example, an Oracle Identity Federation peer identity provider might have the following Initiate SSO URL, using the configuration entered in steps b, c, and d above:
http://saml.example.com/fed/idp/initiatesso?TARGET=<protected-resource-url>&providerid=<sp-provider-id-uri>
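As an added example, not from this page or from Oracle, the following Python builds an Initiate SSO URL of the form shown above and parses it back. The point it makes is that TARGET and the provider ID are themselves URLs, so they must be percent-encoded: a protected resource URL that carries its own query string would otherwise be split into extra parameters. The host names and URLs are constructed for the example, and the parameter name defaults to "providerid" as required for an Oracle Identity Federation peer IdP.

```python
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

INITIATE_SSO_PATH = "/fed/idp/initiatesso"


def build_initiate_sso_url(idp_base: str, target: str, provider_id: str,
                           provider_param: str = "providerid") -> str:
    """Build the IdP's Initiate SSO URL.

    provider_param is the "Initiate SSO Provider ID Parameter" from step 4d; for an
    Oracle Identity Federation peer IdP it must be "providerid".  urlencode
    percent-encodes TARGET and the provider ID, which matters because both are URLs
    and may contain '?', '&' or '=' of their own.
    """
    query = urlencode({"TARGET": target, provider_param: provider_id})
    return idp_base.rstrip("/") + INITIATE_SSO_PATH + "?" + query


def parse_initiate_sso_url(url: str, provider_param: str = "providerid") -> Tuple[str, str]:
    """Recover (TARGET, provider ID) from an Initiate SSO URL.

    Raises ValueError if the path is not the Initiate SSO endpoint or the query is
    malformed, and KeyError if either parameter is missing.
    """
    parts = urlsplit(url)
    if parts.path != INITIATE_SSO_PATH:
        raise ValueError("not an Initiate SSO URL: %s" % parts.path)
    params = parse_qs(parts.query, strict_parsing=True)
    return params["TARGET"][0], params[provider_param][0]
```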
Section 3.2.3.3, Integrate Oracle Access Manager as an SP Integration Module, of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, in the sub-section "Update the Oracle WebLogic Server Environment", Step 3, second bullet, mentions the use of the following script:
$DOMAIN/bin/startManagedServer.sh
The script name is incorrect. The correct script name is:
startManagedWebLogic.sh (on Linux)
startManagedWebLogic.cmd (on Windows)
Also, the discussion provides only Linux instructions. The following text is needed for Windows:
Open the $DOMAIN/bin/startManagedWebLogic.cmd file and add the following:
set PATH=%PATH%;AccessSDK_InstallDir/oblix/lib
Start the managed server from the command line (not from the Administration Console).
In section 6.13.3, "Redirect to Target URLs at Error", of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, the following text:
Set the string property ornnn from the serverconfig configuration group to the URL to which the user should be redirected when Oracle Identity Federation returns the error, where nnn is 401, 404, or 500. (Thus, you can set the or401, or404, and or500 properties.)
should be replaced with:
Set the string property urlerrornnn from the serverconfig configuration group to the URL to which the user should be redirected when Oracle Identity Federation returns the error, where nnn is 401, 404, or 500. (Thus, you can set the urlerror401, urlerror404, and urlerror500 properties.)
For details about configuring the Sun One proxy server for Oracle Identity Federation, see Guidelines for Modifying the obj.conf File in the document titled Oracle Fusion Middleware Using Web Server Plug-Ins with Oracle WebLogic Server, Part Number E14395-01.
In section 7.1.2.1, "About Sensor Weights", of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, the instructions under Set the Sensor Weight contain a typographical error.
Change "-oracle.dms.sensors=level" to read "-Doracle.dms.sensors=level". Note that this change must be made in two places.
Oracle Identity Federation supports only one password for the signing and encryption keystores, and uses that password to open both the keystore and the private key. If a keystore is configured with a store password that differs from the key password, an error occurs when Oracle Identity Federation tries to access the private key.
To avoid this error, make sure the private-key password for the configured key alias is the same as the keystore password. For a JKS keystore, keytool's -keypasswd option changes the password of a single key entry without altering the store password, so an existing key can be brought in line rather than regenerated.
Note:
In Oracle Identity Federation 11g Release 1 (11.1.1), if you change the key password to match the keystore password, you must remove the old keystore/wallet from the configuration.