32 Managing Settings for Identity Federation
Introduction to the settings that you must configure for use by Oracle Access Management Identity Federation.
This chapter includes the following sections:
32.1 Prerequisites for Settings in Federation Identity
The following topics presume that you have performed tasks in Managing Identity Federation Partners.
32.2 About Federation Settings
This topic introduces the federation settings that must be configured to enable the Identity Federation functionality available from the Oracle Access Management Console.
Figure 32-1 shows the Federations Settings page as it appears in the Oracle Access Management Console. This page is the same whether you choose Identity Federation Service Settings from the Welcome page, Configuration panel, or you display the Federation section of the System Configuration tab and choose Federation Settings.
Figure 32-1 Identity Federation Service Settings Page

Description of "Figure 32-1 Identity Federation Service Settings Page"
Table 32-1 outlines the types of federation settings you can configure.
Table 32-1 Federation Settings in the Console
Elements | Description |
---|---|
General |
General federation settings include basic information about the provider and the keys used to send assertions. See Also: Managing General Federation Settings |
Proxy |
Proxy settings enable you to set up a proxy server for federation. See Also: Managing Proxy Settings for Federation |
Keystore |
Keystore settings enable you to create aliases (a short hand notation) for keys in the keystore. |
32.3 Managing General Federation Settings
The following topics describe how to manage general Federation Settings:
32.3.1 About Managing General Federation Settings
You view and manage general federation properties on the Federation Settings page of the console.
Figure 32-1 shows the General section of the Federation Settings page.
Table 32-2 describes each element on the General section of the Federation Settings page.
Table 32-2 General Federation Settings
Element | Description |
---|---|
Provider ID |
This is the provider ID of this federation server. For example, |
Signing Key |
This key is used to sign assertions. |
Encryption Key |
This key is used to decrypt incoming messages. |
Custom Trust Anchor File |
Specifies a keystore that contains trusted root certificates use in federation. The default trust store is In most cases, the default trust anchor should be enough. If necessary, specify the location of an alternate keystore to use. Note: When you use a custom trust anchor keystore, it will not be replicated automatically across the cluster. You must manage replication of this keystore. |
Export SAML 2.0 Metadata |
After changes to the General settings, you must export the metadata for use by federation partners. See Also: Exporting Metadata |
32.3.2 Managing General Federation Settings
General settings include basic information about a provider.
32.3.2.2 Setting or Modifying General Settings for Federation
You can set or modify General settings for Federation.
To set or modify:
- In the Oracle Access Management Console, click Federation at the top of the window.
- In the Federation console, Select Federation from the drop-down list in the Settings section.
- On the Federation Settings page, enter General Settings values for your (Table 32-2).
- Click Apply to save your changes.
- Proceed to "Managing Proxy Settings for Federation".
32.4 Managing Proxy Settings for Federation
This topic is organized in the following sections.
32.4.1 About Proxy Settings for Federation
A proxy may be required when Identity Federation needs to directly connect to the federation partner, such as in a SAML artifact SSO operation. You view and manage a proxy configured for use with federation partners on the Federation Settings page of the console.
Figure 32-1 illustrates the Federation Proxy Settings section of the Federation Settings page. Table 32-3 describes each element on the Federation Proxy Settings section of the Federation Settings page.
Table 32-3 Federation Proxy Settings
Element | Description |
---|---|
Enable Proxy |
Checking the box enables the proxy server. When the box is unchecked, the Proxy function is disabled and related fields are inaccessible for editing. |
Host |
This element specifies the proxy hostname. |
Port |
This element specifies the proxy port number. |
Non-proxy Hosts |
This is a list of hosts for which the proxy should not be used. Use ';' to separate multiple hosts. |
Username |
This is the proxy user name to use when connecting to the proxy. |
Password |
This is the proxy password to use when connecting to the proxy. |
32.4.2 Managing Proxy Settings for Identity Federation
Skip Step 1 if you are viewing the Federation Settings page.
32.4.2.2 Setting or Modifying Proxy Settings for Federation
You can set or modify Proxy settings for Federation.
To set or modify:
- In the Oracle Access Management Console, click Federation at the top of the window.
- In the Federation console, Select Federation from the drop-down list in the Settings section.
- On the Federation Settings page, evaluate current proxy settings values against those needed for your environment.
- Fill in the Proxy settings using values for your environment (Table 32-3).
- Click Apply to save your changes.
- Proceed to "Defining Keystore Settings for Federation".
32.5 Defining Keystore Settings for Federation
The following topics describe how to define Keystore settings for Federation:
32.5.1 About Managing Keytore Settings for Identity Federation
You view and manage keystores configured for use with federation partners on the Federation Settings page of the console.
Figure 32-2 illustrates the expanded Federation Proxy Settings section of the Federation Settings page.
Table 32-4 describes each element on the Keystore Settings section of the Federation Settings page.
Table 32-4 Keystore Settings for Federation
Element | Description |
---|---|
Keystore Location |
This element specifies the keystore path. |
Key ID |
This is the unique key ID. |
Description |
This element provides a brief description of the key, such as its usage type. |
Alias |
This element specifies the key alias. Note: You can choose one of the aliases that is available in the keystore using the drop-down. |
Password |
This element specifies the key password. |
32.5.2 Managing Identity Federation Encryption/Signing Keys
As described in Managing Data Sources, Identity Federation uses keys in the following keystore to store encryption and signing certificates:
$DOMAIN_HOME/config/fmwconfig/.oamkeystore
32.5.2.1 Task Overview: Managing Identity Federation Encryption/Signing Keys
-
Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password
-
Adding a New Key Entry to the System Keystore (.oamkeystore)
Note:
AM denotes Access Manager and IF denotes Identity Federation in this discussion.
32.5.2.2 Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password
You can reset the password that protects the keystores as well as the key entries which use the same password as the keystore.
The keystores have been created and configured by the IDM/OAM installer,
and the password and the key entries password were randomly generated. The WLST
resetKeystorePassword
method allows you to set the
.oamkeystore
password and any key entries with a password
identical to the .oamkeystore
password to a new value. The command
updates the:
-
.oamkeystore
password -
Key entries in the
.oamkeystore
which had the same password as the keystore -
OAMAM/IF configuration to reflect the change
-
amtruststore
password if the keystore is protected by the same password as the.oamkeystore
(default)
To set the system keystore (.oamkeystore
) password:
32.5.2.3 Adding a New Key Entry to the System Keystore (.oamkeystore)
You can add a new key entry into the system keystore (.oamkeystore) using the keytool
command to create and add the new key entry.
Once the entry has been added, it must be defined in the Identity Federation settings configuration screen so that it can be used to sign assertions and decrypt incoming messages.
32.5.2.3.1 Task Overview: Adding a New Key Entry to the System Keystore (.oamkeystore)
The following topics describe how to add a new entry to the system keystore to sign SAML assertions or decrypt XML-encrypted data not covered by WSS:
32.5.2.3.2 Adding a New Entry in the .oamkeystore
There are no prerequisites for this task. The system keystore (.oamkeystore) password has been reset.
To add a new entry in the .oamkeystore:
32.5.2.3.3 Adding a New Entry in the Identity Federation Settings
In the Identity Federation settings, you can add a new row to the Keystore table.
To add a new entry in the Identity Federation settings:
- In the Oracle Access Management Console, click Federation at the top of the window.
- In the Federation console, Select Federation from the drop-down list in the Settings section.
- On the Federation Settings page, navigate to the Keystore table.
- Add a row.
- Enter a key ID that will be used to reference this key when configuring Identity Federation.
- Select the alias of the key entry stored in .oamkeystore.
- Enter the key password.
- Click Apply.
32.5.2.3.4 Configuring the Signing and Encryption Key
Once the key has been added to the keystore table, you can configure Identity Federation to use the key.
To configure the signing and encryption key:
- In the Oracle Access Management Console, click Federation at the top of the window.
- In the Federation console, Select Federation from the drop-down list in the Settings section.
- Navigate to the General section.
- Select the Signing Key from the list of available key entries that were defined in the keystore table.
- Select the encryption key from the list of available key entries that were defined in the keystore table.
- Click Apply.
Note:
With this release, a view only field API Key is added in the partner details screen while creating/editing/viewing a partner and allows you to view the Key details which can be shared to respective partners by admin for secure updates.32.5.2.3.5 Using WLST for Key Transport Algorithm
Oracle Identity Federation supports RSA 1.5 as the key transport algorithm by default. The key transport algorithm can be changed from RSA 1.5 to RSA-OAEP based on the requirement, by adding a new property, defaultkeytransportmethod to oam-config.xml using the WLST commands.
You can configure the defaultkeytransportmethod parameter in oam-config.xml as follows:
<Setting Name=”defaultkeytransportmethod” Type=”xsd: xsd”> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p </Setting>
-
To update the key transport algorithm for a specific partner only (in this example, OIFSP), use the following WLST command:
updatePartnerProperty(partnerName=”OIFSP”, partnerType=”SP”, propName=”defaultkeytransportmethod”, propValue=”http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p”,type=”string”)
-
To update the key transport algorithm for all partners that use a specific partner profile (in this example, saml20-sp-partner-profile), use the following WLST command:
putStringProperty("/fedpartnerprofiles/saml20-sp-partner-profile/defaultkeytransportmethod","http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
-
To update the key transport algorithm for all defined SP partners, use the following WLST command:
putStringProperty("/idpglobal/defaultkeytransportmethod", “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p”)
Note:
This is a global change.
32.5.2.3.6 Configuring RSA OAEP Key Transport Digest and MGF Digest
The properties described in this section only apply to IdP partner configurations
where the defaultkeytransportmethod
property is set to http://www.w3.org/2009/xmlenc11#rsa-oaep.
defaultkeytransportdigest
is added to configure the
digest used by RSA OAEP key transport algorithm. The possible values are:
defaultkeytransportmgfdigest
is added to configure
the MGF digest used by RSA OAEP key transport algorithm. The possible values are:
For example:
updatePartnerProperty(partnerName=" OIFIDP ", partnerType="idp",propName="defaultkeytransportmethod",propValue=http://www.w3.org/2009/xmlenc11#rsa-oaep, type="string")
updatePartnerProperty(partnerName=" OIFIDP ", partnerType="idp",propName="defaultkeytransportdigest",propValue=http://www.w3.org/2001/04/xmlenc#sha256, type="string")
updatePartnerProperty(partnerName=" OIFIDP ", partnerType="idp",propName="defaultkeytransportmgfdigest",propValue=http://www.w3.org/2009/xmlenc11#mgf1sha256, type="string")
32.5.2.3.7 Configuring Signature Algorithm
signaturedigestalgorithm
property. This property can take the
following values:
- SHA-1 to use http://www.w3.org/2000/09/xmldsig#rsa-sha1 signature algorithm (default)
- SHA-256 to use http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature algorithm
- PSS-SHA-1 to use http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1 signature algorithm
- PSS-SHA-256 to use http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 signature algorithm
- PSS-SHA-384 to use http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1 signature algorithm
- PSS-SHA-512 to use http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1 signature algorithm
- Java version must be greater than 8u251
- OWSM patch 34566592 must be installed in the middleware home
For example:
updatePartnerProperty(partnerName="OIFSP", partnerType="SP",propName="signaturedigestalgorithm", propValue="PSS-SHA-256", type="string")
32.6 Exporting Metadata
After you have made changes to the general settings, you can export the metadata for use by federation partners.
To export SAML 2.0 metadata:
- In the Oracle Access Management Console, click Federation at the top of the window.
- In the Federation console, Select Federation from the drop-down list in the Settings section.
- On the Federation Settings page, click Export SAML 2.0 Metadata.
- A dialog box appears where you must specify the file for the exported metadata.
- Click Save to save your new metadata file.
32.7 Masking SAML Attributes in Log Records
- PIILogsMaskEnabled: Flag to enable/disable masking.
- PIILogsDataMaskTags: List of XML tags from SAML response
whose content needed to be masked. For example,
saml:NameID
. - PIILogsDataMaskStrategy: Defines how masking will happen.
Possible values:
MASK_ALTERNATIVE_LETTERS
: Masks the alternative letters.MASK_FULL
: Masks full content.MASK_FIRST_HALF
: Masks first half of the content.MASK_SECOND_HALF
: Masks the second half of the content.MASK_CUSTOM
: This can be used if you need a custom masking strategy.
MASK_FIRST_HALF
- PIILogsDataMaskCustom: Define a regular expression that
contains Regex groups. Should be provided if masking strategy is
MASK_CUSTOM
. This value will be ignored for other masking strategies.For example, If the content isusername@exampleDomain.com
both email-ID and email-domain part need to be masked, then the Regex must be(.*)@(.*).com
.Note:
The masked part must be grouped using parenthesis.If the regular expression is invalid, the default masking strategy
MASK_FIRST_HALF
will be used.
Sample Configuration
NameID
tag in the SAML response using custom masking strategy,
use the following configuration in the REST API body. For details, see Perform method PUT on
resource.<Configuration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsd:schemaLocation="http://higgins.eclipse.org/sts/Configuration Configuration.xsd" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/fedserverconfig/PIILogsDataMasking">
<Setting Name="PIILogsDataMasking" Type="htf:map">
<Setting Name="PIILogsMaskEnabled" Type="xsd:boolean">true</Setting>
<Setting Name="PIILogsDataMaskXmlTags" Type="htf:list">
<Setting Name="0" Type="xsd:string">saml:NameID</Setting>
</Setting>
<Setting Name="PIILogsDataMaskStrategy" Type="xsd:string">MASK_CUSTOM</Setting>
<Setting Name="PIILogsDataMaskCustom" Type="xsd:string">(.*)@(.*).com</Setting>
</Setting>
</Configuration>
<saml:NameID>xxxxx@xxxxxxxxxxxxx.com</saml:NameID>