This chapter describes issues associated with Oracle Identity Federation. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 22.1.1, "Database Table for Authentication Engine must be in Base64 Format"
Section 22.1.2, "Considerations for Oracle Identity Federation HA in SSL mode"
Section 22.1.3, "Database Column Too Short error for IDPPROVIDEDNAMEIDVALUE"
When using a database table as the authentication engine, and the password is stored hashed with either MD5 or SHA (SHA-1, as in the example below), the digest must be stored in base64 format; a hex-encoded digest is not recognized.
The hashed password can be either the bare base64-encoded digest or the digest with a prefix of {SHA} or {MD5}. Both are unsalted, fast digests, so restrict read access to the table: a copy of it is enough to run an offline dictionary attack against every stored password. For example:
{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
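The following script is an added example, not part of the Oracle documentation: it produces the stored-password format described above with the openssl command-line tool (assumed to be installed) and checks a candidate password against a stored value in either the prefixed or the bare base64 form. The table and column holding the value are the reader's own.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: produce the stored-password
# format described above and check a candidate password against it.
# Assumes the openssl command-line tool is installed; the table and column that
# hold the value are the reader's own.

# hash_for_oif <md5|sha> <password>
# Prints {MD5}<base64> or {SHA}<base64>: the raw digest bytes, base64-encoded.
# The hex form printed by md5sum/sha1sum is not what OIF expects.
hash_for_oif() {
  algo="$1"; password="$2"
  case "$algo" in
    md5) printf '{MD5}%s\n' "$(printf '%s' "$password" | openssl dgst -md5  -binary | openssl base64)" ;;
    sha) printf '{SHA}%s\n' "$(printf '%s' "$password" | openssl dgst -sha1 -binary | openssl base64)" ;;
    *)   echo "hash_for_oif: unknown algorithm '$algo' (use md5 or sha)" >&2; return 2 ;;
  esac
}

# verify_oif_hash <stored-value> <password>
# Accepts the prefixed form ({SHA}..., {MD5}...) and the bare base64 form the
# release note also allows. Returns 0 on match, 1 otherwise.
verify_oif_hash() {
  stored="$1"; password="$2"
  case "$stored" in
    '{SHA}'*) [ "$stored" = "$(hash_for_oif sha "$password")" ] ;;
    '{MD5}'*) [ "$stored" = "$(hash_for_oif md5 "$password")" ] ;;
    *)
      # Bare base64 carries no algorithm marker, so try SHA-1 and then MD5
      # (cut -c6- drops the 5-character {SHA}/{MD5} prefix).
      [ "$stored" = "$(hash_for_oif sha "$password" | cut -c6-)" ] ||
      [ "$stored" = "$(hash_for_oif md5 "$password" | cut -c6-)" ]
      ;;
  esac
}

# The value quoted in the release note is the SHA-1 digest of the string "test":
hash_for_oif sha test                                   # {SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
verify_oif_hash '{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=' test && echo "prefixed form: OK"
verify_oif_hash 'qUqP5cyxm6YcTAhz05Hph5gvu9M=' test     && echo "bare base64 form: OK"
```

Running it reproduces the release note's own sample value from the password "test", which is a quick way to confirm that a provisioning script writes the digest in the encoding Oracle Identity Federation reads.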
In a high availability environment with two (or more) Oracle Identity Federation servers mirroring one another and a load balancer at the front-end, there are two ways to set up SSL:
Configure SSL on the load balancer, so that the SSL connection is between the user and the load balancer. In that case, the keystore/certificate used by the load balancer has a CN referencing the address of the load balancer.
The communication between the load balancer and the WLS/Oracle Identity Federation can be clear or SSL (and in the latter case, Oracle WebLogic Server can use any keystore/certificates, as long as these are trusted by the load balancer).
SSL is configured on the Oracle Identity Federation servers, so that the SSL connection is between the user and the Oracle Identity Federation server. In this case, the CN of the keystore/certificate from the Oracle WebLogic Server/Oracle Identity Federation installation needs to reference the address of the load balancer, as the user will connect using the hostname of the load balancer, and the Certificate CN needs to match the load balancer's address.
In short, the keystore/certificate of the SSL endpoint connected to the user (load balancer or Oracle WebLogic Server/Oracle Identity Federation) needs to be issued for the hostname of the load balancer, since that is the address the user will use to connect to Oracle Identity Federation. Note that browsers and most TLS libraries now match the hostname against the certificate's subjectAltName entries and ignore the CN whenever a SAN is present, so the load balancer hostname must appear as a SAN dNSName entry and not only in the CN. A certificate issued for an individual Oracle Identity Federation node is rejected by the user's browser with a hostname mismatch.
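As an added example (not part of the Oracle documentation), the script below builds throwaway self-signed certificates for the shapes described above and runs OpenSSL's hostname check against each, showing which of them a client connecting to the load balancer hostname accepts. The hostnames lb.example.com and oif1.example.com are assumptions for illustration; the script needs OpenSSL 1.1.1 or later for the -addext option.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: build throwaway
# certificates for the shapes described above and check which of them a client
# that connects to the load balancer hostname will accept. Hostnames are
# assumptions for illustration (lb.example.com, oif1.example.com); requires
# OpenSSL 1.1.1 or later for the -addext option.

LB_HOST="lb.example.com"
NODE_HOST="oif1.example.com"
WORK="$(mktemp -d)"

# make_cert <out-base> <CN> [SAN hostname ...]
# Self-signed RSA certificate with the given CN; each extra argument becomes a
# subjectAltName dNSName entry.
make_cert() {
  out="$1"; cn="$2"; shift 2
  san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  if [ -n "$san" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
      -addext "subjectAltName=$san" -keyout "$out.key" -out "$out.pem" >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
      -keyout "$out.key" -out "$out.pem" >/dev/null 2>&1
  fi
}

# cert_matches_host <cert.pem> <hostname>
# Applies OpenSSL's RFC 6125 host check: SAN dNSName entries decide, and the CN
# is consulted only when the certificate has no SAN. Returns 0 on match.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Certificate for the endpoint the user talks to: names the load balancer.
make_cert "$WORK/lb" "$LB_HOST" "$LB_HOST"
# Per-node certificate naming only the OIF server: fine for the hop between the
# load balancer and WebLogic, wrong if it terminates the user's TLS session.
make_cert "$WORK/node" "$NODE_HOST"
# Per-node CN, but the load balancer name is in the SAN: also accepted.
make_cert "$WORK/node-lb" "$NODE_HOST" "$LB_HOST" "$NODE_HOST"

for c in lb node node-lb; do
  if cert_matches_host "$WORK/$c.pem" "$LB_HOST"; then
    echo "$c.pem: accepted by clients connecting to $LB_HOST"
  else
    echo "$c.pem: REJECTED by clients connecting to $LB_HOST"
  fi
done
```

Against a live deployment the same check runs on the certificate actually presented: `openssl s_client -connect lb.example.com:443 -servername lb.example.com </dev/null 2>/dev/null | openssl x509 -noout -checkhost lb.example.com`. Run it once against the load balancer and, if SSL is also configured between the load balancer and WebLogic, once against each node with the node's own hostname.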
When Oracle Identity Federation is configured to use a database store for session and message data, the following error is seen if the data for IDPPROVIDEDNAMEIDVALUE is over 200 characters long:
ORA-12899: value too large for column "WDO_OIF"."ORAFEDTMPPROVIDERFED"."IDPPROVIDEDNAMEIDVALUE" (actual: 240, maximum: 200)
Alter table ORAFEDTMPPROVIDERFED to increase the column size for idpProvidedNameIDValue to 240. (WDO_OIF in the message is the schema prefix chosen when the repository was created; your own prefix will differ.) The "actual" value reported by ORA-12899 is the length that was rejected, so if your identity providers send longer NameID values, size the column for the longest value you expect rather than stopping at 240.
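The following script is an added example and not from the Oracle documentation: it scans log text for ORA-12899 errors on the federation tables and prints the widening statement the note prescribes, sized to the largest rejected length seen. The sample log line is constructed from the message quoted above, and VARCHAR2 is an assumption about the column's data type, so confirm the type (DESCRIBE or ALL_TAB_COLUMNS) before running the generated ALTER.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: scan OIF/WebLogic logs for
# ORA-12899 on the federation tables and print the widening statement that the
# release note prescribes. The sample line below is constructed from the message
# in the note; VARCHAR2 is an assumption about the column type, so confirm it
# (DESCRIBE or ALL_TAB_COLUMNS) before running the ALTER.

# Constructed sample log line (not real log output).
SAMPLE_LOG='ORA-12899: value too large for column "WDO_OIF"."ORAFEDTMPPROVIDERFED"."IDPPROVIDEDNAMEIDVALUE" (actual: 240, maximum: 200)'

# parse_ora12899: reads log text on stdin and prints one line per hit:
#   owner table column actual maximum
parse_ora12899() {
  sed -n 's/.*ORA-12899: value too large for column "\([^"]*\)"\."\([^"]*\)"\."\([^"]*\)" (actual: \([0-9]*\), maximum: \([0-9]*\)).*/\1 \2 \3 \4 \5/p'
}

# alter_for_ora12899: reads parse_ora12899 output and emits one ALTER TABLE per
# distinct column, sized to the largest "actual" length seen (and never smaller
# than the column's current maximum).
alter_for_ora12899() {
  awk '
    {
      key = $1 "." $2 "." $3
      if (!(key in need)) need[key] = 0
      if ($4 + 0 > need[key]) need[key] = $4 + 0
      if ($5 + 0 > need[key]) need[key] = $5 + 0
    }
    END {
      for (k in need) {
        split(k, p, ".")
        printf "ALTER TABLE %s.%s MODIFY (%s VARCHAR2(%d));\n", p[1], p[2], p[3], need[k]
      }
    }'
}

# Worked run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | parse_ora12899 | alter_for_ora12899
# -> ALTER TABLE WDO_OIF.ORAFEDTMPPROVIDERFED MODIFY (IDPPROVIDEDNAMEIDVALUE VARCHAR2(240));
```

In practice you would feed it the managed server logs of every node in the cluster (`cat */logs/*.log | parse_ora12899 | alter_for_ora12899`), since the rejected length differs per identity provider and only the largest one matters.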
This section describes configuration issues and their workarounds. It includes the following topics:
Section 22.2.1, "WLST Environment Setup when SOA and OIF are in Same Domain"
Section 22.2.2, "Oracle Virtual Directory Requires LSA Adapter"
Section 22.2.3, "Settings for Remote WS-Fed SP Must be Changed Dynamically"
Section 22.2.4, "Required Property when Creating a WS-Fed Trusted Service Provider"
Section 22.2.5, "Federated Identities Table not Refreshed After Record Deletion"
Section 22.2.6, "Default Authentication Scheme is not Saved"
Section 22.2.7, "Configuring 10g to Work with 11g Oracle Identity Federation using Artifact Profile"
Section 22.2.8, "Regenerating OAM 11g Key Requires Oracle Identity Federation Upgrade Script"
If your site contains Oracle SOA Suite and Oracle Identity Federation in the same domain, the WLST setup instructions in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation are insufficient for WLST to correctly execute Oracle Identity Federation commands.
This can happen if you install an IdM domain, then extend it with an Oracle SOA install; the SOA installer changes the ORACLE_HOME environment variable. This breaks the Oracle Identity Federation WLST environment, as it relies on the IdM value for ORACLE_HOME.
Take these steps to enable the use of WLST commands:
Execute the instructions described in Section 9.1.1, Setting up the WLST Environment, in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
Copy OIF-ORACLE_HOME/fed/scripts/*.py to WL_HOME/common/wlst.
Append the CLASSPATH environment variable with OIF-ORACLE_HOME/fed/scripts.
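As an added example (not from the Oracle documentation), the copy and CLASSPATH steps above as a shell function that takes the IdM home and WL_HOME explicitly, pins ORACLE_HOME back to the IdM home, and refuses to run when the given home has no fed/scripts directory, which is the symptom of ORACLE_HOME having been repointed at the SOA home. The directory name fed/scripts follows the note; check it against your installation. The temporary homes created at the bottom are constructed stand-ins so the script can run offline.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: the copy and CLASSPATH steps
# above as a function that refuses to run when ORACLE_HOME has been repointed
# at the SOA home. The IdM home and WL_HOME are passed in explicitly; the
# scripts directory name (fed/scripts) follows the note, so check it against
# your installation. The temporary homes created at the bottom are constructed
# so the script can be run offline.

# oif_wlst_env <IdM ORACLE_HOME> <WL_HOME>
oif_wlst_env() {
  idm_home="$1"; wl_home="$2"
  scripts="$idm_home/fed/scripts"
  if [ ! -d "$scripts" ]; then
    echo "oif_wlst_env: $scripts not found; this is not the IdM ORACLE_HOME (the SOA installer may have changed it)" >&2
    return 1
  fi
  mkdir -p "$wl_home/common/wlst" || return 1
  cp "$scripts"/*.py "$wl_home/common/wlst/" || return 1
  # Pin ORACLE_HOME back to the IdM home for the OIF WLST modules.
  ORACLE_HOME="$idm_home"; export ORACLE_HOME
  # Append the scripts directory to CLASSPATH exactly once.
  case ":${CLASSPATH:-}:" in
    *":$scripts:"*) ;;
    *) CLASSPATH="${CLASSPATH:+$CLASSPATH:}$scripts"; export CLASSPATH ;;
  esac
}

# Constructed demonstration homes (empty stand-ins, not a real installation).
DEMO="$(mktemp -d)"
mkdir -p "$DEMO/idm/fed/scripts" "$DEMO/soa" "$DEMO/wls"
: > "$DEMO/idm/fed/scripts/oif.py"
oif_wlst_env "$DEMO/idm" "$DEMO/wls" && echo "ORACLE_HOME=$ORACLE_HOME CLASSPATH=$CLASSPATH"
oif_wlst_env "$DEMO/soa" "$DEMO/wls" || echo "refused: $DEMO/soa is not the IdM home"
```

Source the function from the shell that will launch wlst.sh (a child process cannot change the parent's ORACLE_HOME or CLASSPATH), and run it after the Section 9.1.1 setup rather than before, since that setup is what it completes.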
To use Oracle Virtual Directory as an Oracle Identity Federation user store or an authentication engine, you must configure a Local Storage Adapter, and the context root must be created as required at installation or post-install configuration time.
For details about this task, see the chapter Creating and Configuring Oracle Virtual Directory Adapters in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.
On the Edit Federations page, the Oracle Identity Federation (OIF) settings for remote WS-Fed service provider contain a property called SSO Token Type; you can choose to either inherit the value from the IdP Common Settings page or override it here. The number of properties shown in 'OIF Settings' depends on the value of SSO Token Type.
If you choose to override SSO Token Type with a different value (for example, by changing from SAML2.0 to SAML1.1), the number of properties shown in 'OIF Settings' does not change until you click the Apply button.
Also, if you have overridden the value for Default NameID Format to 'Persistent Identifier' or 'Transient/One-Time Identifier', then changed the SSO Token Type value from 'SAML2.0' to 'SAML1.1' or 'SAML1.0', you will notice that the value for Default NameID Format is now blank. To proceed, you must reset this property to a valid value from the list.
When you create a WS-Fed Trusted Service Provider, you must set the value for the 'Use Microsoft Web Browser Federated Sign-On' property with these steps:
In Fusion Middleware Control, navigate to Federations, then Edit Federations.
Choose the newly created WS-Fed Trusted Service Provider and click Edit.
In the 'Trusted Provider Settings' section, set the value for Use Microsoft Web Browser Federated Sign-On by checking or unchecking the check-box.
Click Apply.
When the federation store is XML-based, a record continues to be displayed in the federated identities table after it is deleted.
The following scenario illustrates the issue:
The federation data store is XML.
Perform federated SSO, using "map user via federated identity".
In Fusion Middleware Control, locate the Oracle Identity Federation instance, and navigate to Administration, then Identities, then Federated Identities.
Click on the created federation record and delete it.
After deletion, the federated record is still in the table. Further attempts at deleting the record result in an error.
The workaround is to manually refresh the table by clicking Search.
This problem is seen when you configure Oracle Access Manager in Fusion Middleware Control as a Service Provider Integration Module. It is not possible to set a default authentication scheme since the default is set to a certain scheme (say OIF-password-protected) but the radio button is disabled.
Take these steps to set the preferred default authentication scheme:
Check the Create check-box for the scheme that is currently set as the default but disabled.
Check the Create check-box(es) for the authentication scheme(s) that you would like to create.
Click the radio button of the scheme that you wish to set as the default.
Uncheck the Create check-box of the scheme in Step 1 only if you do not want to create the scheme.
Provide all the required properties in the page.
Click the Configure Oracle Access Manager button to apply the changes.
The default authentication scheme is now set to the one that you selected.
Note:
In addition, when trying to remove any authentication scheme, ensure that you do not remove the default scheme; if you must remove the scheme, change the default to another authentication scheme before you remove the scheme.
In the SAML 1.x protocol, for a 10g Oracle Identity Federation server to work with an 11g Oracle Identity Federation server using the Artifact profile, you need to set up either basic authentication or client cert authentication between the two servers.
For instructions, see:
Section 6.9 Protecting the SOAP Endpoint, in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, 11g Release 1 (11.1.1)
Section 6.5.13.2 When Oracle Identity Federation is an SP, in the Oracle Identity Federation Administrator's Guide, 10g (10.1.4.0.1)
In Oracle Enterprise Manager Fusion Middleware Control, when you configure the SP Integration Module for Oracle Access Manager 11g, you can regenerate the secret key by clicking the Regenerate button (Service Provider Integration Modules page, Oracle Access Manager 11g tab).
In an upgraded 11.1.1.7.0 environment, it is necessary to execute the Oracle Identity Federation upgrade script before you regenerate the OAM 11g secret key from this page. For details about how to run the script, see the Oracle Fusion Middleware Patching Guide.
This section contains documentation errata for the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
Note:
For documentation errata and other release notes relating to the integration of Oracle Identity Federation with Oracle Access Manager 11g, see the chapter for "Oracle Access Manager."
This section contains these topics:
Section 22.3.1, "Incorrect Command Cited for BAE Configuration Procedure"
Section 22.3.2, "SP Post-Processing Plug-in Properties for OAM 11g"
Section 22.3.3, "Short Hostname Redirect Using mod_rewrite Configuration"
In the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, Part Number E13400-06, Section 6.8.2 Configuring the BAE Direct Attribute Exchange Profile, subsection "Set the BAE Direct Attribute Exchange Profile for a Partner", the procedure incorrectly documents the WLST command setPartnerProperty instead of the correct setFederationProperty command.
Replace the two commands mentioned in that subsection with:
setFederationProperty("PARTNER_PROVIDER_ID", "attributebaeenabled", "true", "boolean")
setFederationProperty("PARTNER_PROVIDER_ID", "attributebaeenabled", "false", "boolean")
to set and unset the BAE property, respectively.
In the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, Part Number E13400-06, Section 12.5.2 Configuring Oracle Identity Federation for the Plug-in is missing the properties needed to configure Oracle Access Manager 11g.
Add the following row to the end of Table 12-3 SP Engine Configuration for Post-processing Plug-in; this row shows the properties needed for Oracle Access Manager 11g:
SP Engine | web context property | relative path property
---|---|---
OAM 11g | oam11g-login-context | oam11g-login
In the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation, Part Number E13400-06, Section 3.2.2.2 Integrate Oracle Single Sign-On with OHS (as well as earlier editions with the same section), the code in comments (lines starting with #) at the end of the section should be revised to use a mod_rewrite configuration.
Replace the text:
#
# If you would like to have short hostnames redirected to
# fully qualified hostnames to allow clients that need
# authentication via mod_osso to be able to enter short
# hostnames into their browsers uncomment out the following
# lines
#
#PerlModule Apache::ShortHostnameRedirect
#PerlHeaderParserHandler Apache::ShortHostnameRedirect
with the text:
#
# To have short hostnames redirected to fully qualified
# hostnames for clients that need authentication via
# mod_osso to be able to enter short hostnames into their
# browsers, use a mod_rewrite configuration such as the following.
#
# e.g.
#RewriteEngine On
#RewriteCond %{HTTP_HOST} !^www\.example\.com(:[0-9]+)?$ [NC]
#RewriteRule ^.*$ http://%{SERVER_NAME}%{REQUEST_URI} [R,L]
#where www.example.com is the fully qualified domain name.
Two points about this rule. The RewriteCond pattern is anchored and escaped so that only the exact fully qualified name (optionally with a port) is exempt from the redirect. More importantly, %{SERVER_NAME} is the configured ServerName only when UseCanonicalName is On; with UseCanonicalName Off, Apache builds it from the client-supplied Host header, and the redirect would then send the browser to whatever host the request named. Set UseCanonicalName On in the same virtual host, or write the fully qualified name into the RewriteRule target literally, so that the redirect destination is fixed.