7 Integrating with Identity Federation
This chapter contains these sections:
7.1 Introduction to Identity Federation with Oracle Access Manager
This section provides background about federation with Access Manager.
Topics include:
7.1.1 About Oracle Access Management Identity Federation
Identity federation is available in two architectures:
-
As a federation engine, known as Oracle Access Management Identity Federation, built into Oracle Access Management.
-
As a standalone, self-contained federation server, known as Oracle Identity Federation, that enables single sign-on and authentication in a multiple-domain identity network.
The SP integration Engine included with Oracle Identity Federation consists of a servlet that processes requests from the server to create a user authenticated session at the Identity and Access Management (IAM) server. The engine includes several internal plug-ins that allow it to interact with different IAM servers, including Access Manager (formerly Oracle Access Manager).
7.1.2 About Deployment Options for Identity Federation
See Also:
For details about naming conventions and name changes in Oracle Access Management, see Introduction to Oracle Access Management in Administering Oracle Access Management.
Various deployment options are available for leveraging identity federation with Access Manager to create an authenticated user session.
The Oracle Fusion Middleware framework supports these integrated approaches to cross-domain single sign-on:
-
An Oracle Access Management Identity Federation engine built into the Access Manager server. All configuration is performed in Access Manager.
This approach is available in 14c (14.1.2.1.0). The engine supports both Service Provider (SP) and Identity Provider (IdP) modes.
-
Separate Oracle Identity Federation and Oracle Access Manager servers that can be integrated to provide federation capabilities. Management and configuration of both servers is required for this integration.
This approach is available in 11g Release 1 (11.1.1).
Under this approach, Oracle Identity Federation provides two deployment scenarios for Oracle Access Manager:
-
Oracle Identity Federation 11g Release 1 (11.1.1) integrated with Oracle Access Manager 10g
-
Oracle Identity Federation 11g Release 1 (11.1.1) integrated with Access Manager 11g
-
Table 7-1 summarizes the options available to integrate the identity federation products with Oracle Access Manager and provides links to deployment procedures:
Table 7-1 Deployment Options involving Oracle Access Manager 10g and Access Manager 11g
| Access Manager Version | Description | Additional Information |
|---|---|---|
|
Oracle Access Manager 11gR2 |
Access Manager contains a built-in federation engine that supports both SP and IdP mode functionality configurable through the Oracle Access Management Console. |
Introduction to Federation within Oracle Access Suite Console in Administering Oracle Access Management |
|
Oracle Access Manager 11gR1 |
The stand-alone Oracle Identity Federation 11g Release 1 server integrates with the Access Manager 11g server. |
Integrating Oracle Identity Federation in Integration Guide for Oracle Access Manager. |
|
Oracle Access Manager 10g |
The stand-alone Oracle Identity Federation 11g Release 1 server integrates with the Oracle Access Manager 10g server. |
Deploying Oracle Identity Federation with Oracle Access Manager 10g in Administrator's Guide for Oracle Identity Federation. |
7.2 Running Access Manager-OIF Integration Scripts to Automate Tasks
The automated steps make the integration smoother and faster than a purely manual procedure.
This section contains these topics:
7.2.1 Performing Prerequisite Steps Before Integration
The prerequisite procedure is performed before you do anything else for integration. Ensure that the following have been done:
7.2.2 Verifying WebLogic and Oracle Identity Federation Servers are Running
Verify WebLogic and Oracle Identity Federation Servers are running.
-
Oracle WebLogic Server
Ensure that the administration and managed servers are up and running.
-
Oracle Identity Federation
Access the Fusion Middleware Control console for the Oracle Identity Federation server using a URL of the form:
http://oif_host:oif_em_port/em
Verify that all the servers are running.
7.2.3 Executing the Automated Procedure for Access Manager-OIF Integration
Automating some tasks in the integration of Access Manager with Oracle Identity Federation is achieved by executing python scripts provided in the distribution.
7.2.3.1 Tasks Performed by Federation Configuration Scripts
The scripts perform the following tasks/procedures:
-
Automation of all Oracle Identity Federation configuration
-
Registration of Oracle Identity Federationas DAP partner in Access Manager
-
Addition of Oracle Identity Federation URLs as protected resources in the policy domain.
7.2.3.2 Copying the Access Manager-OIF Integration Scripts to the Access Manager Machine
You need to copy certain files to the Access Manager host. The files are as follows:
-
setupOIFOAMConfig.sh, -
setupOIFOAMIntegration.py -
locale specific resource bundle
oifWLSTResourceBundle_locale.properties
Create a directory to save these files or copy into an existing directory, in the Access Manager host machine. For example, /scratch/scripts (linux) or c:\temp\scripts (Windows).
7.2.3.3 Understanding Inputs to the Access Manager-OIF Integration Scripts
The script takes in named parameters as inputs (order of inputs does not matter). The inputs mostly have default values if not passed in.
Table 7-2 shows the inputs needed by the scripts:
Table 7-2 Inputs for the Access Manager-OIF 11gR1 Integration Scripts
| Parameter | Description | Default | Required? |
|---|---|---|---|
|
oifHost |
Hostname of Oracle Identity Federation managed server |
None |
Yes |
|
oifPort |
Port number of Oracle Identity Federation Managed server |
7499 |
No |
|
oifAdminHost |
Hostname of Oracle Identity Federation Admin server |
oifHost |
No |
|
oifAdminPort |
Port number of Oracle Identity Federation Admin server |
7001 |
No |
|
oamAdminHost |
Hostname of Access Manager Admin server |
localhost |
No |
|
oamAdminPort |
Port number of Access Manager Admin server |
7001 |
No |
|
agentType |
Agent type used, such as webgate10g, webgate11g, mod_osso |
webgate11g |
No |
Note:
The agent type is the agent created in Access Manager using the rreg tool or through the Oracle Access Management Console.
7.2.3.4 Running the Access Manager-OIF Integration Scripts
The automation is run by executing the script file setupOIFOAMConfig.sh (Linux) or setupOIFOAMConfig.cmd (Windows).
The steps are as follows:
On Unix:
The following steps show how to run the script. Substitute the sample parameter values with appropriate values.
-
In a command line prompt set the
DOMAIN_HOME:export DOMAIN_HOME=path to domain home -
If Oracle Identity Federation administration and managed server are on the same host and the agent type is non-default (for example, webgate10g), execute the command:
./setupOIFOAMConfig.sh oifHost=myhost oifPort=portnum oamAdminHost=myhost2 oamAdminPort=portnum2 agentType=webgate10g
-
If Oracle Identity Federation administration and managed server are on different hosts, with a default agent type (webgate11g), execute the command:
./setupOIFOAMConfig.sh oifHost=myhost oifPort=portnum oifAdminHost=myhost2 oifAdminPort=portnum2 oamAdminHost=myhost3 oamAdminPort=portnum3
-
If Oracle Identity Federation administration and managed server are on the same host, and all defaults apply from Table 7-2, execute the command:
./setupOIFOAMConfig.sh oifHost=myhost oamAdminHost=myhost2
On Windows:
The following steps show how to run the script. Substitute the sample parameter values with appropriate values.