27 Oracle Identity Federation

27.1.1 Database Table for Authentication Engine must be in Base64 Format

When using a database table as the authentication engine, and the password is stored hashed as either MD5 or SHA, it must be in base64 format.

The hashed password can be either in the base64-encoded format or with a prefix of {SHA} or {MD5}. For example:

{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M= 

27.2.1 WLST Environment Setup when SOA and OIF are in Same Domain

If your site contains Oracle SOA Suite and Oracle Identity Federation in the same domain, the WLST setup instructions in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation are insufficient for WLST to correctly execute Oracle Identity Federation commands.

This can happen if you install an IdM domain, then extend it with an Oracle SOA install; the SOA installer changes the ORACLE_HOME evironment variable. This breaks the Oracle Identity Federation WLST environment, as it relies on the IdM value for ORACLE_HOME.

Take these steps to enable the use of WLST commands:

1. Execute the instructions described in Section 9.1.1, Setting up the WLST Environment, in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

2. Copy OIF-ORACLE_HOME/fed/script/*.py to WL_HOME/common/wlst.

3. Append the CLASSPATH environment variable with OIF-ORACLE_HOME/fed/scripts.

27.2.2 Oracle Virtual Directory Requires LSA Adapter

To use Oracle Virtual Directory as an Oracle Identity Federation user store or an authentication engine, you must configure a Local Storage Adapter, and the context root must be created as required at installation or post-install configuration time.

For details about this task, see the chapter Creating and Configuring Oracle Virtual Directory Adapters in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

27.2.3 Settings for Remote WS-Fed SP Must be Changed Dynamically

On the Edit Federations page, the Oracle Identity Federation (OIF) settings for remote WS-Fed service provider contain a property called SSO Token Type; you can choose to either inherit the value from the IdP Common Settings page or override it here. The number of properties shown in 'OIF Settings' depends on the value of SSO Token Type.

If you choose to override SSO Token Type with a different value (for example, by changing from SAML2.0 to SAML1.1), the number of properties shown in 'OIF Settings' does not change until you click the Apply button.

Also, if you have overridden the value for Default NameID Format to 'Persistent Identifier' or 'Transient/One-Time Identifier', then changed the SSO Token Type value from 'SAML2.0' to 'SAML1.1' or 'SAML1.0', you will notice that the value for Default NameID Format is now blank. To proceed, you must reset this property to a valid value from the list.

27.2.4 Required Property when Creating a WS-Fed Trusted Service Provider

When you create a WS-Fed Trusted Service Provider, you must set the value for the 'Use Microsoft Web Browser Federated Sign-On' property with these steps:

1. In Fusion Middleware Control, navigate to Federations, then Edit Federations.

2. Choose the newly create WS-Fed Trusted Service Provider and click Edit.

3. In the 'Trusted Provider Settings' section, set the value for Use Microsoft Web Browser Federated Sign-On by checking or unchecking the check-box.

4. Click Apply.

27.2.5 Federated Identities Table not Refreshed After Record Deletion

When the federation store is XML-based, a record continues to be displayed in the federated identities table after it is deleted.

The following scenario illustrates the issue:

1. The federation data store is XML.

2. Perform federated SSO, using "map user via federated identity".

3. In Fusion Middleware Control, locate the Oracle Identity Federation instance, and navigate to Administration, then Identities, then Federated Identities.

4. Click on the created federation record and delete it.

After deletion, the federated record is still in the table. Further attempts at deleting the record result in an error.

The workaround is to manually refresh the table by clicking Search.

27.2.6 Default Authentication Scheme is not Saved

Problem

This problem is seen when you configure Oracle Access Manager in Fusion Middleware Control as a Service Provider Integration Module. It is not possible to set a default authentication scheme since the default is set to a certain scheme (say OIF-password-protected) but the radio button is disabled.

Solution

Take these steps to set the preferred default authentication scheme:

1. Check the Create check-box for the scheme that is currently set as the default but disabled.

2. Check the Create check-box(es) for the authentication scheme(s) that you would like to create.

3. Click the radio button of the scheme that you wish to set as the default.

4. Uncheck the Create check-box of the scheme in Step 1 only if you do not want to create the scheme.

5. Provide all the required properties in the page.

6. Click the Configure Oracle Access Manager button to apply the changes.

The default authentication scheme is now set to the one that you selected.

27.2.7 Configuring 10g to Work with 11g Oracle Identity Federation using Artifact Profile

In the SAML 1.x protocol, for a 10g Oracle Identity Federation server to work with an 11g Oracle Identity Federation server using the Artifact profile, you need to set up either basic authentication or client cert authentication between the two servers.

For instructions, see:

• Section 6.9 Protecting the SOAP Endpoint, in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, 11g Release 1 (11.1.1)

• Section 6.5.13.2 When Oracle Identity Federation is an SP, in the Oracle Identity Federation Administrator's Guide, 10g (10.1.4.0.1)

27.3.1 Incorrect SP Integration Engine Code Example

Section 3.2.5.3.5, Sample Integration Module 2: Customized Single Sign-On Integration, of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation contains incorrect sample code titled "Implementation of domainapplication.jsp".

Replace this code with the following corrected code:

<%@page buffer="5" autoFlush="true" session="false"%>
<%@page language="java" import="java.net.*, java.util.*"%>
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
 
Cookie[] cookies = request.getCookies();
String userid = null;
Date timeout = null;
for(int i = 0, size = (cookies != null ? cookies.length : 0); i < size; i++) {
   String name = cookies[i].getName();
   if ("spintegrationcookie".equals(name)){
      String value = cookies[i].getValue();
      StringTokenizer st = new StringTokenizer(value, "*");
      userid = st.nextToken();
      timeout = new Date(Long.parseLong(st.nextToken()));
      break;
   }
}
if (userid == null || userid.length() == 0) {
request.setAttribute("oracle.security.fed.sp.engineid", TEST_ENGINE_ID);  
request.setAttribute("oracle.security.fed.sp.usedefault", Boolean.TRUE);
request.setAttribute("oracle.security.fed.sp.relaystate", "/engine/domainapplication.jsp");
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/sp/startsso").forward(request, response);
   return;
}
%>
Welcome <%=userid%>. You are logged until <%=timeout%>

27.3.2 Incorrect Logout Service Code Examples

Section 3.2.5.4.3, Logout Service Example #1, of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation contains incorrect sample code titled "Implementation of logout.jsp".

Replace this code with the following corrected code:

<%@page buffer="5" autoFlush="true" session="false"%>
<%@page language="java" import="java.net.*"%>
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
 
request.getSession().removeAttribute("feduserid");
 
request.setAttribute("oracle.security.fed.sp.engineid", TEST_ENGINE_ID); 
 
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/user/logoutretsso").forward(request, response);
%>

Section 3.2.5.4.4, Logout Service Example #2, contains incorrect sample code titled "Implementation of domainlogout.jsp".

Replace this code with the following corrected code:

<%@page buffer="5" autoFlush="true" session="false"%>
<%@page language="java" import="java.net.*"%>
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
 
Cookie cookie = new Cookie("spintegrationcookie", "");
cookie.setDomain(".us.oracle.com");
cookie.setPath("/");
cookie.setMaxAge(0);
response.addCookie(cookie);
 
request.setAttribute("oracle.security.fed.sp.engineid", TEST_ENGINE_ID); 
 
request.getSession().getServletContext().getContext("/fed").getRequestDispatcher("/user/logoutretsso").forward(request, response);
%>

27.3.3 Clarification on Setting up Single Sign-On for SAML 1.x and WS-Federation

Section 4.3.5, Set Up Single Sign-On for SAML 1.x and WS-Federation, of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation requires clarification of the procedure titled "Fill in the Required Attributes for SAML 1.x".

Change Step 4d of this procedure to read as follows:

In the Initiate SSO Provider ID Parameter field, enter the name of the parameter that the peer provider uses to identify the provider ID of the service provider. For an Oracle Identity Federation peer identity provider, the parameter name must be "providerid".

Immediately following Step 4e, add the following:

For example, an Oracle Identity Federation peer identity provider might have the following Initiate SSO URL, using the configuration entered in steps b, c, and d above:

http://saml.example.com/fed/idp/initiatesso?TARGET=<protected-resource-url>&providerid=<sp-provider-id-uri>

27.3.4 Managed Server Startup Script Name and Windows Instructions

Section 3.2.3.3, Integrate Oracle Access Manager as an SP Integration Module, of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation in the sub-section "Update the Oracle WebLogic Server Environment", Step 3, second bullet mentions the use of the following script:

$DOMAIN/bin/startManagedServer.sh

The script name is incorrect. The correct script name should be:

startManagedWebLogic.sh (on Linux)

startManagedWebLogic.cmd (on Windows)

Also, the discussion provides only Linux instructions. The following text is needed for Windows:

• Open the $DOMAIN/bin/startManagedWebLogic.cmd file. Add the following:

  set PATH=%PATH%;AccessSDK_InstallDir/oblix/lib
  

• Start managed server from the command line (not the administration console).

27.3.5 Incorrect URL Error Property Names

In section 6.13.3, "Redirect to Target URLs at Error", of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, the following text:

Set the string property ornnn from the serverconfig configuration group to the URL to which the user should be redirected when Oracle Identity Federation returns the error, where nnn is 401, 404, or 500. (Thus, you can set the or401, or404, and or500 properties.)

should be replaced with:

Set the string property or urlerrornnn from the serverconfig configuration group to the URL to which the user should be redirected when Oracle Identity Federation returns the error, where nnn is 401, 404, or 500. (Thus, you can set the urlerror401, urlerror404, and urlerror500 properties.)

27.3.6 Configuring the Sun One Proxy Server

For details about configuring the Sun One proxy server for Oracle Identity Federation, see Guidelines for Modifying the obj.conf File in the document titled Oracle Fusion Middleware Using Web Server Plug-Ins with Oracle WebLogic Server, Part Number E14395-01.

27.3.7 Setting the Sensor Weight Property

In section 7.1.2.1, "About Sensor Weights", of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, the instructions under Set the Sensor Weight contain a typographical error.

Change "-oracle.dms.sensors=level" to read "-Doracle.dms.sensors=level". Note that this change must be made in two places.

27.3.8 Different Passwords for Keystore and Private Key not Supported

Oracle Identity Federation only supports configuring one password for signing and encryption keystores, and uses that password to open both the keystore and the private key. This means that if a keystore is configured with different store password and key password, an error will occur when Oracle Identity Federation tries to access the private key.

To avoid this error, ensure that the private key password for the configured key alias is the same as the keystore password.