Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

What's New in This Guide?

• New Features Introduced with Oracle Identity Federation 11g Release 1 (11.1.1)

1 Introduction to Oracle Identity Federation

• 1.1 Federated Identity Management
  • 1.1.1 Challenges of Identity Federation
  • 1.1.2 Federation Use Cases
  • 1.1.3 Concepts
  • 1.1.4 Federation Protocols
    • 1.1.4.1 SAML Basics
    • 1.1.4.2 Evolution of the Federated Identity Standards
    • 1.1.4.3 SAML 1.x
    • 1.1.4.4 SAML 2.0
    • 1.1.4.5 WS-Federation
• 1.2 About Oracle Identity Federation
  • 1.2.1 Features and Benefits of Oracle Identity Federation
  • 1.2.2 Architecture
  • 1.2.3 High-Level Processing Flow
  • 1.2.4 Federation Protocol Profiles
    • 1.2.4.1 Browser POST Profile
    • 1.2.4.2 Browser Artifact Profile
    • 1.2.4.3 SOAP Binding
    • 1.2.4.4 Browser HTTP Redirect Profile
    • 1.2.4.5 Name Identifier Management Profiles
    • 1.2.4.6 SAML Attribute Sharing Profile
    • 1.2.4.7 WS-Federation Passive Requester Profile
    • 1.2.4.8 Federation Termination Profile
    • 1.2.4.9 Global Logout Profile
  • 1.2.5 Affiliations
  • 1.2.6 Cryptographic Provider
  • 1.2.7 Example of Federation Event Flow
  • 1.2.8 Supported Standards and Applications

2 Planning Oracle Identity Federation Deployment

• 2.1 Architecture Options
  • 2.1.1 Role in Federation
  • 2.1.2 Proxy Server
  • 2.1.3 Server Security
    • 2.1.3.1 SSL Encryption
    • 2.1.3.2 Certificate-based Authentication
    • 2.1.3.3 Certificate Repository and Validation
  • 2.1.4 Protocol
• 2.2 Profiles and Bindings
  • 2.2.1 Supported Protocols
  • 2.2.2 Choosing a Profile
    • 2.2.2.1 Using the Artifact Profile
    • 2.2.2.2 Using the POST Profile
    • 2.2.2.3 SAML Security Considerations
    • 2.2.2.4 Using the SAML Attribute Sharing Profile
    • 2.2.2.5 Using the WS-Federation Logout Profile
• 2.3 Authentication Engines
  • 2.3.1 Engines in Oracle Identity Federation
  • 2.3.2 Authenticating with a Repository
  • 2.3.3 Authenticating with an IdM Solution in IdP Mode
  • 2.3.4 Propagating Authentication State to Oracle Access Manager in SP Mode
  • 2.3.5 Propagating Authentication State to Oracle Single Sign-On in SP Mode
  • 2.3.6 HTTP Basic Authentication
• 2.4 Data Repositories
  • 2.4.1 Federation Data Store
  • 2.4.2 User Data Store
  • 2.4.3 Session and Message Data Stores
  • 2.4.4 Configuration Data Store
• 2.5 Installation Requirements
  • 2.5.1 Required Components
• 2.6 Sizing Guidelines
  • 2.6.1 Deployment and Architecture Considerations
    • 2.6.1.1 Profiles
    • 2.6.1.2 Repositories
    • 2.6.1.3 Transient (Session and Message) Storage
    • 2.6.1.4 Security for Assertions
    • 2.6.1.5 Connection Tuning
    • 2.6.1.6 High Availability
    • 2.6.1.7 Tuning Servers
    • 2.6.1.8 HTTP Session Persistence
    • 2.6.1.9 Impact of Additional Security
  • 2.6.2 Typical Deployment Scenario
  • 2.6.3 Reference Server Footprint
  • 2.6.4 Topology
• 2.7 Implementation Checklist

3 Deploying Oracle Identity Federation

• 3.1 Introduction
• 3.2 Deployment Scenarios
  • 3.2.1 Deploying Oracle Identity Federation with Oracle HTTP Server
    • 3.2.1.1 Starting and Stopping the Oracle HTTP Server Instance
  • 3.2.2 Deploying Oracle Identity Federation with Oracle Single Sign-On
    • 3.2.2.1 Create and Manage the Oracle HTTP Server Instance
    • 3.2.2.2 Integrate Oracle Single Sign-On with OHS
    • 3.2.2.3 Configure Oracle Identity Federation to use Oracle Single Sign-On as the Authentication Engine
    • 3.2.2.4 Configure Oracle Identity Federation for Oracle Single Sign-On SP Integration
    • 3.2.2.5 Configure Oracle Single Sign-On
    • 3.2.2.6 Testing Federated Single Sign-On
  • 3.2.3 Deploying Oracle Identity Federation with Oracle Access Manager
    • 3.2.3.1 Create and Manage OHS
    • 3.2.3.2 Integrate Oracle Access Manager as an Authentication Engine
    • 3.2.3.3 Integrate Oracle Access Manager as an SP Integration Module
  • 3.2.4 Deploying Oracle Identity Federation with a Sun Java System Web Server
    • 3.2.4.1 Requirements
    • 3.2.4.2 Configuring Oracle Identity Federation Without a Web Proxy Server
    • 3.2.4.3 Configuring Oracle Identity Federation Behind a Web Proxy Server
    • 3.2.4.4 Updating the Identity and Access Management servers
    • 3.2.4.5 Sun Java System Web Server Sample Configuration Files
  • 3.2.5 Integrating with Third-Party Identity & Access Management Modules
    • 3.2.5.1 Architecture and Flows
    • 3.2.5.2 Creating a Custom Authentication Engine
    • 3.2.5.3 Creating a Custom SP Integration Engine
    • 3.2.5.4 Logout
  • 3.2.6 Using the Test SP Engine
    • 3.2.6.1 Configure the Test SP Engine
    • 3.2.6.2 Use the Test SP Engine for SP-Initiated SSO
    • 3.2.6.3 Use the Test SP Engine with IdP-Initiated SSO
    • 3.2.6.4 Test SP Engine Results

4 Server Administration

• 4.1 Basic Administration
  • 4.1.1 About the Federation Server Administrator
    • 4.1.1.1 About Roles
    • 4.1.1.2 Deployment Planning
    • 4.1.1.3 Other Planning Tasks
  • 4.1.2 Administering Oracle Identity Federation
  • 4.1.3 Oracle Identity Federation Log Files
  • 4.1.4 Backups
• 4.2 Common Tasks
  • 4.2.1 Obtain Server Metadata
    • 4.2.1.1 Versions
    • 4.2.1.2 Provider-specific Metadata
  • 4.2.2 Obtain Server Certificates
    • 4.2.2.1 Specifying Certificate Usage
    • 4.2.2.2 Specifying Certificate Type
  • 4.2.3 Perform SP-initiated Single Sign-On
  • 4.2.4 Perform IdP-initiated Single Sign-On
  • 4.2.5 Launch the Logout Process
  • 4.2.6 Set Signature Verification Certificate Property (SAML 1.x)
  • 4.2.7 Perform SP-initiated Single Sign-On (SAML 1.x)
  • 4.2.8 Send Attribute Requests and Queries (SAML 1.x)
    • 4.2.8.1 NameID Format Strings when Using the Attribute Requester Service
  • 4.2.9 Send Authentication Queries (SAML 1.x)
• 4.3 Managing Identity Federations
  • 4.3.1 Search for a Provider
  • 4.3.2 Add Trusted Providers
  • 4.3.3 Update Trusted Providers
  • 4.3.4 Delete Trusted Providers
  • 4.3.5 Set Up Single Sign-On for SAML 1.x and WS-Federation
• 4.4 Configuring Identities
  • 4.4.1 About Federated Identities
  • 4.4.2 Identities - Federations
  • 4.4.3 Identities - Users
  • 4.4.4 Identities - Search Options
• 4.5 Managing Credentials for Oracle Identity Federation

5 Configuring Oracle Identity Federation

• 5.1 Data Maintained by Oracle Identity Federation
  • 5.1.1 Server Configuration Data
  • 5.1.2 User Federation Data
• 5.2 Configuring Server Properties
  • 5.2.1 Host Connection Properties
  • 5.2.2 Outbound Connection Properties
• 5.3 Configuring Identity Providers - Common Properties
• 5.4 Configuring Identity Providers - Protocol-Specific Properties
  • 5.4.1 Configure SAML 2.0 IdP Properties
  • 5.4.2 Configure SAML 1.x IdP Properties
  • 5.4.3 Configure WS-Federation IdP Properties
• 5.5 Configuring Service Providers
  • 5.5.1 Configure Service Provider - Common Properties
  • 5.5.2 Configure Service Provider - SAML 2.0
  • 5.5.3 Configure Service Provider - SAML 1.x
  • 5.5.4 Configure Service Provider - WS-Federation 1.1
• 5.6 Configuring Attribute Sharing with the Oracle Access Manager AuthZ Plug-in
  • 5.6.1 Components Used for Attribute Sharing
  • 5.6.2 Remote and Local Users
  • 5.6.3 Configuring the Oracle Access Manager Plug-ins
  • 5.6.4 Configuring Oracle Access Manager Schemes and Policies
    • 5.6.4.1 Configuring the Attribute Sharing Authentication Scheme
    • 5.6.4.2 Configuring the Attribute Sharing Authorization Scheme
    • 5.6.4.3 Configuring an Oracle Access Manager Policy using Attribute Sharing
  • 5.6.5 Configuring Oracle Identity Federation as an SP Attribute Requester
    • 5.6.5.1 If Using HTTP Basic Authentication With OHS
    • 5.6.5.2 If Using HTTP Basic Authentication Without OHS
    • 5.6.5.3 If Using SSL Client Authentication
  • 5.6.6 Configuring Oracle Identity Federation as an IdP Attribute Responder
  • 5.6.7 Configuring Oracle Identity Federation for SSL
• 5.7 Configuring Identity Provider to send attributes in SSO Assertions
• 5.8 Web Services Interface for Attribute Sharing
  • 5.8.1 Overview of the Service Interface
  • 5.8.2 Attribute Request Message
  • 5.8.3 Attribute Response Message
  • 5.8.4 Interface WSDL
• 5.9 Configuring Attribute Mapping and Filtering
  • 5.9.1 Introduction to Attribute Mapping and Filtering
    • 5.9.1.1 Attribute Name Mapping
    • 5.9.1.2 Attribute Value Mapping
    • 5.9.1.3 Attribute Value Filtering
  • 5.9.2 Mapping and Filtering Configuration
    • 5.9.2.1 Configuring Attribute Name Mapping
    • 5.9.2.2 Configuring Attribute Value Mapping
    • 5.9.2.3 Configuring Attribute Value Filtering
• 5.10 Configuring Security and Trust
  • 5.10.1 Security and Trust - Wallet
  • 5.10.2 Security and Trust - Provider Metadata
  • 5.10.3 Security and Trust - Trusted CAs and CRLs
• 5.11 Configuring Federations
• 5.12 Configuring Identities
• 5.13 Managing Data Stores
  • 5.13.1 Manage the User Data Store
    • 5.13.1.1 Configuring Oracle Identity Federation for RDBMS User Data Store
    • 5.13.1.2 Configuring Oracle Identity Federation for an LDAP User Data Store
    • 5.13.1.3 Configuring Oracle Virtual Directory as User Data Store
    • 5.13.1.4 Configuring a Redundancy User Data Store
  • 5.13.2 Manage the Federation Data Store
    • 5.13.2.1 Configuring Oracle Identity Federation for an RDMBS Federation Data Store
    • 5.13.2.2 Configuring Oracle Identity Federation for an LDAP Federation Data Store
    • 5.13.2.3 Configuring Oracle Identity Federation for an XML Federation Data Store
    • 5.13.2.4 Configuring Oracle Virtual Directory as Federation Data Store
  • 5.13.3 Manage the Session Data Store and the Message Data Store
  • 5.13.4 Manage the Configuration Data Store
    • 5.13.4.1 Using a File System Configuration Data Store
    • 5.13.4.2 Using an RDBMS Configuration Data Store
    • 5.13.4.3 When the RDBMS Configuration Data Store is Down
  • 5.13.5 Create the Oracle Identity Federation Schema Using RCU
• 5.14 Configuring Authentication Mechanisms
  • 5.14.1 About Authentication Mechanisms
    • 5.14.1.1 Setting the Default Authentication Mechanism
    • 5.14.1.2 Mapping from Protocol-specific Methods to Local Mechanisms To Authentication Engines
    • 5.14.1.3 Mapping Local Authentication Mechanisms to Identity Providers
  • 5.14.2 Configure Authentication Mechanisms - Local
  • 5.14.3 Configure Authentication Mechanisms - SAML 2.0
  • 5.14.4 Configure Authentication Mechanisms - SAML 1.x
  • 5.14.5 Configure Authentication Mechanisms - WS-Federation 1.1
• 5.15 Configuring Authentication Engines
  • 5.15.1 Authentication Engines - Oracle Single Sign-On
  • 5.15.2 Authentication Engines - Oracle Access Manager
  • 5.15.3 Authentication Engines - LDAP Directory
    • 5.15.3.1 Configuring Oracle Virtual Directory as the Authentication Engine
  • 5.15.4 Authentication Engines - Database Security
  • 5.15.5 Authentication Engines - Database Table
    • 5.15.5.1 Configuring Oracle Identity Federation for RDBMS Authentication Engine
  • 5.15.6 Authentication Engines - Infocard
  • 5.15.7 Authentication Engines - Federated SSO Proxy
    • 5.15.7.1 About the Federated SSO Proxy Authentication Engine
    • 5.15.7.2 Selecting the Identity Provider to use
    • 5.15.7.3 Configuring the Federated SSO Proxy Authentication Engine
  • 5.15.8 Authentication Engines - JAAS
  • 5.15.9 Authentication Engines - Custom
• 5.16 Configuring SP Integration Modules
  • 5.16.1 SP Integration module - Oracle Single Sign-On
  • 5.16.2 SP Integration module - Oracle Access Manager
  • 5.16.3 SP Integration module - Test SP Engine
  • 5.16.4 SP Integration Module - Custom

6 Additional Server Configuration

• 6.1 Setting up Single Sign-On Services
  • 6.1.1 Oracle Single Sign-On
  • 6.1.2 Oracle Access Manager
  • 6.1.3 SP-initiated SSO
  • 6.1.4 IdP-initiated SSO
• 6.2 Working with Affiliations
• 6.3 Additional LDAP Configuration
  • 6.3.1 Configuring the LDAP Inactivity Setting
  • 6.3.2 Configuring the LDAP Read Timeout Setting
  • 6.3.3 ECID Support for LDAP Connections
• 6.4 Additional Configuration for High Availability
  • 6.4.1 Configuring High Availability LDAP Servers
  • 6.4.2 Configuring the HTTP Session State Sleep/Retry Interval
• 6.5 Additional RDBMS Configuration
  • 6.5.1 Configuring RDBMS Session Cache
  • 6.5.2 Configuring RDBMS Data Compression
• 6.6 Session Repository Configuration
  • 6.6.1 Storing Assertion Attributes of User Session
• 6.7 Additional HTTP Configuration
  • 6.7.1 Configuring HTTP-Only Flag for HTTP Cookies Set by Oracle Identity Federation
  • 6.7.2 Precautions when Customizing the Page in HTTP Post Profile
  • 6.7.3 Using a 303 Status Code for Redirects
• 6.8 Additional Protocol Configuration
  • 6.8.1 Configuring for eAuth Mode
  • 6.8.2 Configuring the SAML 2.0 LDAP Attribute Profile
• 6.9 Protecting the SOAP Endpoint
  • 6.9.1 SSL Client Authentication
  • 6.9.2 HTTP Basic Authentication
    • 6.9.2.1 Configuring HTTP Basic Authentication to protect the SOAP URLs
    • 6.9.2.2 Configuring Oracle Identity Federation to Connect to a Protected SOAP URL
• 6.10 Configuring the SAML 2.0 IdP Discovery (Common Domain Cookie) Profile
  • 6.10.1 Preliminary Steps to Set Up the CDC
  • 6.10.2 Configuring the Common Domain Cookie Profile as an Identity Provider
  • 6.10.3 Configuring the Common Domain Cookie Profile as a Service Provider
  • 6.10.4 Configuring Oracle Identity Federation to Display List of Trusted Providers in CDC
• 6.11 Configuring the Identity Provider Discovery Service
  • 6.11.1 Create the IdP Discovery Service Page
• 6.12 Setting up Infocard
  • 6.12.1 Server-side Infocard Setup
    • 6.12.1.1 Set up JCE Policy Files for Oracle WebLogic Server
    • 6.12.1.2 Update the Oracle Identity Federation Configuration
    • 6.12.1.3 Add Personal Card Issuer STS
    • 6.12.1.4 Add Infocard Managed STS
  • 6.12.2 Client-side Infocard Setup
    • 6.12.2.1 Import the Oracle Identity Federation SSL Certificate
    • 6.12.2.2 Create a Personal Infocard
• 6.13 Additional Run-time Configuration
  • 6.13.1 Redirect to Target URLs for SSO and Logout Operations
  • 6.13.2 Provide XML Message to SP Engine after SSO Completes
  • 6.13.3 Redirect to Target URLs at Error
• 6.14 Additional Federation Data Store Configuration
• 6.15 Setting up Backwards Compatibility for Oracle Identity Federation 10g and ShareID service URLs
• 6.16 Mapping Users through Attributes and NameID in SP Mode
  • 6.16.1 Locating a User
  • 6.16.2 Configuring Oracle Identity Federation
  • 6.16.3 Example 1: Assertion Mapping without federated identities using NameID for SAML 2.0
  • 6.16.4 Example 2: Simple Assertion Mapping without federated identities with an LDAP/SQL Query
  • 6.16.5 Example 3: Complex assertion Mapping without federated identities with an LDAP/SQL Query
  • 6.16.6 Example 4: assertion Mapping without federated identities using LDAP/SQL Query and NameID Mapping
  • 6.16.7 Example 5: assertion Mapping without federated identities for a Specific IdP
• 6.17 Automatic Account Linking Based on Attribute Query Mapping
  • 6.17.1 Locating the User
  • 6.17.2 Configuring Oracle Identity Federation
  • 6.17.3 Example 1: Automatic Account Linking through NameID mapping for SAML 2.0
  • 6.17.4 Example 2: Simple Automatic Account Linking through LDAP/SQL Query
  • 6.17.5 Example 3: Complex Automatic Account Linking through LDAP/SQLQuery
  • 6.17.6 Example 4: Automatic Account Linking through LDAP/SQL Query and NameID Mapping
  • 6.17.7 Example 5: Automatic Account Linking via Attribute Query for a Specific IdP
• 6.18 User Opt-In and Opt-Out for Single Sign-On
  • 6.18.1 Modes of Operation
  • 6.18.2 Configuring Oracle Identity Federation
  • 6.18.3 Example 1: Off Mode
  • 6.18.4 Example 2: Opt-In Mode
  • 6.18.5 Example 3: Opt-Out Mode
  • 6.18.6 Example 4: Opt-In Mode for a Specific IdP
• 6.19 Bypassing User Mapping During Assertion Processing
  • 6.19.1 Configuring Oracle Identity Federation
• 6.20 Configuring Audience Restrictions for Assertions

7 Diagnostics and Auditing

• 7.1 Monitoring
  • 7.1.1 Oracle Identity Federation Home Page
  • 7.1.2 Performance Summary
    • 7.1.2.1 About Sensor Weights
    • 7.1.2.2 Event Metrics
    • 7.1.2.3 State Events
    • 7.1.2.4 Phase Events
• 7.2 Availability
• 7.3 Logging
  • 7.3.1 About Oracle Identity Federation Logging
    • 7.3.1.1 Types of Logs
    • 7.3.1.2 Log Levels
    • 7.3.1.3 Message IDs
    • 7.3.1.4 Tools for Log Configuration
  • 7.3.2 Viewing Oracle Identity Federation Log Messages
    • 7.3.2.1 Select Messages to View
    • 7.3.2.2 Specify View Options
  • 7.3.3 Configuring Oracle Identity Federation Logs
    • 7.3.3.1 Configure Oracle Identity Federation Log Levels
    • 7.3.3.2 Configure Oracle Identity Federation Log Files
  • 7.3.4 Common Log Messages
    • 7.3.4.1 thread interrupt Messages
• 7.4 Auditing
  • 7.4.1 About Auditing in Oracle Identity Federation
    • 7.4.1.1 Categories of Audit Events
    • 7.4.1.2 Audit Levels
  • 7.4.2 Configuring Auditing for Oracle Identity Federation
    • 7.4.2.1 Configuring Auditing at the Custom Level
  • 7.4.3 Viewing Audit Data

8 Advanced Topics

• 8.1 Setting Up a Proxy for Oracle Identity Federation
• 8.2 Configuring SSL for Oracle Identity Federation
  • 8.2.1 Configuring Oracle Identity Federation as an SSL Server
    • 8.2.1.1 Setting up SSL on Oracle WebLogic Server
    • 8.2.1.2 Configuring Oracle Identity Federation
  • 8.2.2 Configuring Oracle Identity Federation as an SSL Client
    • 8.2.2.1 Configuring Oracle WebLogic Server
    • 8.2.2.2 Configuring Keystore Passwords in Oracle Identity Federation
    • 8.2.2.3 Alternative Way to Configure Oracle Identity Federation as SSL Client
    • 8.2.2.4 Connecting to an LDAP Server over SSL
• 8.3 Managing Signing and Encryption Wallets
• 8.4 Setting up JCE Policy Files for Oracle WebLogic Server
• 8.5 Configuring Oracle Identity Federation for the Business Processing Plug-in
  • 8.5.1 About the Business Processing Plug-in
  • 8.5.2 Configuring the Business Processing Plug-in
  • 8.5.3 Example of Plug-in and Redirect Page
  • 8.5.4 Business Processing Plug-in API

9 Oracle Identity Federation Command-Line Tools

• 9.1 Introduction to Command-Line Tools for Oracle Identity Federation
  • 9.1.1 Setting up the WLST Environment
  • 9.1.2 Executing the Commands
• 9.2 Oracle Identity Federation Commands
  • 9.2.1 addConfigListEntryInMap
    • 9.2.1.1 Description
    • 9.2.1.2 Syntax
    • 9.2.1.3 Example
  • 9.2.2 addConfigMapEntryInMap
    • 9.2.2.1 Description
    • 9.2.2.2 Syntax
    • 9.2.2.3 Example
  • 9.2.3 addConfigPropertyListEntry
    • 9.2.3.1 Description
    • 9.2.3.2 Syntax
    • 9.2.3.3 Example
  • 9.2.4 addConfigPropertyMapEntry
    • 9.2.4.1 Description
    • 9.2.4.2 Syntax
    • 9.2.4.3 Example
  • 9.2.5 addCustomAuthnEngine
    • 9.2.5.1 Description
    • 9.2.5.2 Syntax
    • 9.2.5.3 Example
  • 9.2.6 addCustomSPEngine
    • 9.2.6.1 Description
    • 9.2.6.2 Syntax
    • 9.2.6.3 Example
  • 9.2.7 addFederationListEntryInMap
    • 9.2.7.1 Description
    • 9.2.7.2 Syntax
    • 9.2.7.3 Example
  • 9.2.8 addFederationMapEntryInMap
    • 9.2.8.1 Description
    • 9.2.8.2 Syntax
    • 9.2.8.3 Example
  • 9.2.9 addFederationPropertyListEntry
    • 9.2.9.1 Description
    • 9.2.9.2 Syntax
    • 9.2.9.3 Example
  • 9.2.10 addFederationPropertyMapEntry
    • 9.2.10.1 Description
    • 9.2.10.2 Syntax
    • 9.2.10.3 Example
  • 9.2.11 deleteCustomAuthnEngine
    • 9.2.11.1 Description
    • 9.2.11.2 Syntax
    • 9.2.11.3 Example
  • 9.2.12 deleteCustomSPEngine
    • 9.2.12.1 Description
    • 9.2.12.2 Syntax
    • 9.2.12.3 Example
  • 9.2.13 deleteProviderFederation
    • 9.2.13.1 Description
    • 9.2.13.2 Syntax
    • 9.2.13.3 Example
  • 9.2.14 deleteUserFederations
    • 9.2.14.1 Description
    • 9.2.14.2 Syntax
    • 9.2.14.3 Example
  • 9.2.15 changeMessageStore
    • 9.2.15.1 Description
    • 9.2.15.2 Syntax
    • 9.2.15.3 Example
  • 9.2.16 changePeerProviderDescription
    • 9.2.16.1 Description
    • 9.2.16.2 Syntax
    • 9.2.16.3 Example
  • 9.2.17 changeSessionStore
    • 9.2.17.1 Description
    • 9.2.17.2 Syntax
    • 9.2.17.3 Example
  • 9.2.18 createConfigPropertyList
    • 9.2.18.1 Description
    • 9.2.18.2 Syntax
    • 9.2.18.3 Example
  • 9.2.19 createConfigPropertyListInMap
    • 9.2.19.1 Description
    • 9.2.19.2 Syntax
    • 9.2.19.3 Example
  • 9.2.20 createConfigPropertyMap
    • 9.2.20.1 Description
    • 9.2.20.2 Syntax
    • 9.2.20.3 Example
  • 9.2.21 createConfigPropertyMapInMap
    • 9.2.21.1 Description
    • 9.2.21.2 Syntax
    • 9.2.21.3 Example
  • 9.2.22 createFederationPropertyList
    • 9.2.22.1 Description
    • 9.2.22.2 Syntax
    • 9.2.22.3 Example
  • 9.2.23 createFederationPropertyListInMap
    • 9.2.23.1 Description
    • 9.2.23.2 Syntax
    • 9.2.23.3 Example
  • 9.2.24 createFederationPropertyMap
    • 9.2.24.1 Description
    • 9.2.24.2 Syntax
    • 9.2.24.3 Example
  • 9.2.25 createFederationPropertyMapInMap
    • 9.2.25.1 Description
    • 9.2.25.2 Syntax
    • 9.2.25.3 Example
  • 9.2.26 createPeerProviderEntry
    • 9.2.26.1 Description
    • 9.2.26.2 Syntax
    • 9.2.26.3 Example
  • 9.2.27 getConfigListValueInMap
    • 9.2.27.1 Description
    • 9.2.27.2 Syntax
    • 9.2.27.3 Example
  • 9.2.28 getConfigMapEntryInMap
    • 9.2.28.1 Description
    • 9.2.28.2 Syntax
    • 9.2.28.3 Example
  • 9.2.29 getConfigProperty
    • 9.2.29.1 Description
    • 9.2.29.2 Syntax
    • 9.2.29.3 Example
  • 9.2.30 getConfigPropertyList
    • 9.2.30.1 Description
    • 9.2.30.2 Syntax
    • 9.2.30.3 Example
  • 9.2.31 getConfigPropertyMapEntry
    • 9.2.31.1 Description
    • 9.2.31.2 Syntax
    • 9.2.31.3 Example
  • 9.2.32 getFederationListValueInMap
    • 9.2.32.1 Description
    • 9.2.32.2 Syntax
    • 9.2.32.3 Example
  • 9.2.33 getFederationMapEntryInMap
    • 9.2.33.1 Description
    • 9.2.33.2 Syntax
    • 9.2.33.3 Example
  • 9.2.34 getFederationProperty
    • 9.2.34.1 Description
    • 9.2.34.2 Syntax
    • 9.2.34.3 Example
  • 9.2.35 getFederationPropertyList
    • 9.2.35.1 Description
    • 9.2.35.2 Syntax
    • 9.2.35.3 Example
  • 9.2.36 getFederationPropertyMapEntry
    • 9.2.36.1 Description
    • 9.2.36.2 Syntax
    • 9.2.36.3 Example
  • 9.2.37 listCustomAuthnEngines
    • 9.2.37.1 Description
    • 9.2.37.2 Syntax
    • 9.2.37.3 Example
  • 9.2.38 listCustomSPEngines
    • 9.2.38.1 Description
    • 9.2.38.2 Syntax
    • 9.2.38.3 Example
  • 9.2.39 loadMetadata
    • 9.2.39.1 Description
    • 9.2.39.2 Syntax
    • 9.2.39.3 Example
  • 9.2.40 oifStatus
    • 9.2.40.1 Description
    • 9.2.40.2 Syntax
    • 9.2.40.3 Example
  • 9.2.41 removeConfigListInMap
    • 9.2.41.1 Description
    • 9.2.41.2 Syntax
    • 9.2.41.3 Example
  • 9.2.42 removeConfigMapEntryInMap
    • 9.2.42.1 Description
    • 9.2.42.2 Syntax
    • 9.2.42.3 Example
  • 9.2.43 removeConfigMapInMap
    • 9.2.43.1 Description
    • 9.2.43.2 Syntax
    • 9.2.43.3 Example
  • 9.2.44 removeConfigProperty
    • 9.2.44.1 Description
    • 9.2.44.2 Syntax
    • 9.2.44.3 Example
  • 9.2.45 removeConfigPropertyList
    • 9.2.45.1 Description
    • 9.2.45.2 Syntax
    • 9.2.45.3 Example
  • 9.2.46 removeConfigPropertyMap
    • 9.2.46.1 Description
    • 9.2.46.2 Syntax
    • 9.2.46.3 Example
  • 9.2.47 removeConfigPropertyMapEntry
    • 9.2.47.1 Description
    • 9.2.47.2 Syntax
    • 9.2.47.3 Example
  • 9.2.48 removeFederationListInMap
    • 9.2.48.1 Description
    • 9.2.48.2 Syntax
    • 9.2.48.3 Example
  • 9.2.49 removeFederationMapInMap
    • 9.2.49.1 Description
    • 9.2.49.2 Syntax
    • 9.2.49.3 Example
  • 9.2.50 removeFederationMapEntryInMap
    • 9.2.50.1 Description
    • 9.2.50.2 Syntax
    • 9.2.50.3 Example
  • 9.2.51 removeFederationProperty
    • 9.2.51.1 Description
    • 9.2.51.2 Syntax
    • 9.2.51.3 Example
  • 9.2.52 removeFederationPropertyList
    • 9.2.52.1 Description
    • 9.2.52.2 Syntax
    • 9.2.52.3 Example
  • 9.2.53 removeFederationPropertyMap
    • 9.2.53.1 Description
    • 9.2.53.2 Syntax
    • 9.2.53.3 Example
  • 9.2.54 removeFederationPropertyMapEntry
    • 9.2.54.1 Description
    • 9.2.54.2 Syntax
    • 9.2.54.3 Example
  • 9.2.55 removePeerProviderEntry
    • 9.2.55.1 Description
    • 9.2.55.2 Syntax
    • 9.2.55.3 Example
  • 9.2.56 setConfigProperty
    • 9.2.56.1 Description
    • 9.2.56.2 Syntax
    • 9.2.56.3 Example
  • 9.2.57 setCustomAuthnEngine
    • 9.2.57.1 Description
    • 9.2.57.2 Syntax
    • 9.2.57.3 Example
  • 9.2.58 setCustomSPEngine
    • 9.2.58.1 Description
    • 9.2.58.2 Syntax
    • 9.2.58.3 Example
  • 9.2.59 setFederationProperty
    • 9.2.59.1 Description
    • 9.2.59.2 Syntax
    • 9.2.59.3 Example

Part I Appendices

A Oracle Identity Federation MBeans

• A.1 Server-wide Configuration (config.xml)
  • A.1.1 FederationConfig
    • A.1.1.1 FederationConfigMXBean
    • A.1.1.2 The FederationConfig Element
  • A.1.2 Config
    • A.1.2.1 ConfigMXBean
    • A.1.2.2 The Config Element
  • A.1.3 PropertiesList
    • A.1.3.1 PropertiesListMXBean
    • A.1.3.2 The PropertiesList Element
  • A.1.4 PropertiesMap
    • A.1.4.1 PropertiesMapMXBean
    • A.1.4.2 The PropertiesMap Element
• A.2 Provider-specific Configuration
  • A.2.1 CircleOfTrust
    • A.2.1.1 CircleOfTrustMXBean
    • A.2.1.2 The CircleOfTrust Element
  • A.2.2 PeerProvider
    • A.2.2.1 PeerProviderMXBean
    • A.2.2.2 The PeerProvider Element
• A.3 Data-store Configuration
  • A.3.1 Datastore
    • A.3.1.1 DatastoreMXBean
    • A.3.1.2 The datastore Element
  • A.3.2 DiscoveryProvider
    • A.3.2.1 DiscoveryProviderMXBean
    • A.3.2.2 The DiscoveryProvider Element
• A.4 Oracle Identity Federation Schema
• A.5 Programmatic Access to Oracle Identity Federation MBeans
  • A.5.1 Access the MBean Server
  • A.5.2 Access Oracle Identity Federation MBeans
• A.6 Oracle Identity Federation MBeans API

B Troubleshooting Oracle Identity Federation

• B.1 Problems and Solutions
  • B.1.1 General Issues
    • B.1.1.1 Attribute Sharing with the Microsoft Internet Information Server Cannot Retrieve X.509 Certificate SubjectDN
    • B.1.1.2 Signed SAML 1.0 Assertions Can Cause SSO Failures
    • B.1.1.3 Encrypting Network Connections
    • B.1.1.4 Connecting to an LDAP Server over SSL
    • B.1.1.5 thread interrupt Messages for RDBMS Message Store
    • B.1.1.6 Metadata File is Unusable when Oracle Identity Federation is Configured for SSL
  • B.1.2 Oracle Identity Federation Configuration Issues
    • B.1.2.1 Assertions Using SAML 1.x POST Method Fail in Japanese Locale
    • B.1.2.2 Failed to find orclfednamevalue Error
    • B.1.2.3 Configuring Audit Policies for Oracle Identity Federation Events
  • B.1.3 Oracle Single Sign-On Login Issues
    • B.1.3.1 Incorrect Login Page Appears
    • B.1.3.2 Bookmarked Login Pages
    • B.1.3.3 Unable to Modify File Used to Upload Provider Metadata
  • B.1.4 Oracle Access Manager Configuration Issues
    • B.1.4.1 AccessGate Permission Error
    • B.1.4.2 Non-ASCII AccessGate ID
    • B.1.4.3 Setting LD_ASSUME_KERNEL Value
    • B.1.4.4 Using the Same Cookie Domain for Two Back-ends
    • B.1.4.5 Oracle Access Manager Integration Issues
  • B.1.5 Operating System Configuration Issues
    • B.1.5.1 File Descriptors on Linux
    • B.1.5.2 Search Fails Against Microsoft Active Directory with an Unknown Host Exception
  • B.1.6 Runtime/Single Sign-On Issues
    • B.1.6.1 Bookmarking a WS-Federation Protected Resource
    • B.1.6.2 SP Unable to Map NameID to Local User
  • B.1.7 Performance Issues
    • B.1.7.1 Internal Error 500 when Using LDAP Store

Glossary

Index