Oracle Identity Federation Questions & Answers

Oracle Identity Federation: 
Q: What is Federation?
A: Federation is the user account linking between providers in a circle of trust.


Q: What is Federated Identity?
A: Identity that is carried across domains is called Federation. A Federated Identity is an identity that is linked, within a circle of trust, to one or more accounts at one or more identity providers and service providers.

Q: What is the difference between Multi Domain SSO and Federation?
A: There are a couple of differences; they are listed below.

  • Multi Domain SSO applies when the applications reside in different domains within the same organization or company. Federation applies to applications within the same organization as well as between organizations.
  • In Federation, a trust is established between the two providers residing in different domains, whereas in Multi Domain SSO no such trust is established.
  • The mechanism used in MD-SSO is a cookie; in Federation it is a SAML Assertion.
  • The attributes passed in the header cannot be encrypted out of the box (OOTB) in MD-SSO, whereas in Federation the assertion can be digitally signed.
  • Federation involves more security, along with interoperability.

Q: What is an Identity Provider and Service Provider?
A: The IdP is the site that authenticates the user and sends an assertion to the destination site, the SP. The SP is the site that consumes the assertion, determines the user's entitlements, and grants or denies access to the requested resource.

Q: Explain the flow when a user makes a federation request.
A:
Step 1: The user logs in to the identity provider using an ID and password for authentication. Once the user is authenticated, a session cookie is placed in the browser.
Step 2: The user then clicks a link to an application residing on the service provider. The IdP creates a SAML assertion based on the user's session cookie, digitally signs the assertion, and then redirects the user's browser to the SP.
Step 3: The SP receives the SAML assertion, extracts the user's identity information, and maps the user to a local user account on the destination site.
Step 4: An authorization check is then performed and, if the user is successfully authorized, the SP redirects the user's browser to the protected resource. Once the SP has received and validated the assertion, it places its own cookie in the user's browser so the user can navigate between applications in both domains without additional logins.

Q: What is the authentication mechanism used for federation?
A: Assertions. The assertion created by the IdP is sent to the SP, where it is validated.
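The four-step flow above and the assertion validation in this answer, as an added Python example that is not from the original post or from Oracle Identity Federation: the IdP issues a signed SAML-shaped assertion, and the SP verifies the signature, issuer, audience and validity window before mapping the subject to a local account. The entity IDs, the account map and the shared HMAC key (standing in for the IdP's XML-DSig certificate) are constructed for the demo.

```python
import base64, hashlib, hmac, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"   # SAML 2.0 assertion namespace, ElementTree form
# Constructed SP-side trust settings (hypothetical); the HMAC key stands in for the IdP's signing cert.
TRUSTED_IDP = "https://idp.example.com/fed/idp"
SP_ENTITY_ID = "https://sp.example.com/fed/sp"
IDP_KEY = b"constructed-demo-key"
ACCOUNT_MAP = {"alice@example.com": "alice_local"}   # federated NameID -> local user

def idp_issue_assertion(subject, issued_at, validity_minutes=5):
    """Step 2: the IdP builds an assertion for the authenticated user and signs it."""
    a = ET.Element(NS + "Assertion")
    ET.SubElement(a, NS + "Issuer").text = TRUSTED_IDP
    ET.SubElement(ET.SubElement(a, NS + "Subject"), NS + "NameID").text = subject
    cond = ET.SubElement(a, NS + "Conditions", NotBefore=issued_at.isoformat(),
                         NotOnOrAfter=(issued_at + timedelta(minutes=validity_minutes)).isoformat())
    aud = ET.SubElement(cond, NS + "AudienceRestriction")
    ET.SubElement(aud, NS + "Audience").text = SP_ENTITY_ID
    body = ET.tostring(a)
    return body, base64.b64encode(hmac.new(IDP_KEY, body, hashlib.sha256).digest()).decode()

def sp_consume_assertion(body, sig_b64, now):
    """Steps 3-4: validate the assertion and map its subject to a local account.
    Returns (True, local_account) or (False, name_of_failed_check)."""
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
        return False, "signature"              # altered in transit or not from the IdP
    a = ET.fromstring(body)                    # parse only after the signature is verified
    if a.findtext(NS + "Issuer") != TRUSTED_IDP:
        return False, "issuer"                 # issuer is outside the circle of trust
    cond = a.find(NS + "Conditions")
    if cond.findtext(NS + "AudienceRestriction/" + NS + "Audience") != SP_ENTITY_ID:
        return False, "audience"               # issued for a different SP
    nb, na = (datetime.fromisoformat(cond.get(k)) for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= now < na:
        return False, "validity window"        # expired or not yet valid
    name_id = a.findtext(NS + "Subject/" + NS + "NameID")
    if name_id not in ACCOUNT_MAP:
        return False, "account mapping"        # no local user to grant access to
    return True, ACCOUNT_MAP[name_id]

def run_demo():
    """Run a valid, an expired and a tampered assertion through the SP; return each decision."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    body, sig = idp_issue_assertion("alice@example.com", t0)
    return {"valid": sp_consume_assertion(body, sig, t0 + timedelta(minutes=1)),
            "expired": sp_consume_assertion(body, sig, t0 + timedelta(minutes=10)),
            "tampered": sp_consume_assertion(body.replace(b"alice", b"mallory"), sig, t0)}
```

The checks are ordered so that the SP rejects an unsigned or altered assertion before parsing it, and a stale one before touching the account map.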

About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com
