Oracle Identity Federation Questions & Answers

Oracle Identity Federation: 
Q: What is Federation?
A: Federation is the linking of user accounts between providers in a circle of trust.


Q: What is Federated Identity?
A: Identity across domains is called Federation. An identity that is federated, that is, surrounded by trust through the linking of one or more accounts with one or more identity and service providers, is called a Federated Identity.

Q: What is the difference between Multi Domain SSO and Federation?
A: There are a couple of differences, listed below.

  • Multi-domain SSO can happen if the applications reside in different domains within the same organization or company. Federation happens if the applications reside within the same organization as well as between organizations.
  • In Federation, trust is established between the providers residing in different domains, whereas in Multi-Domain SSO, trust is not established.
  • The mechanism used in MD-SSO is a cookie; in Federation it is a SAML assertion.
  • The attributes passed in the header cannot be encrypted out of the box (OOTB) in MD-SSO, whereas it can be digitally signed.
  • Federation involves more security, along with interoperability.

Q: What is an Identity Provider and Service Provider?
A: The IDP is the site that authenticates the user and sends an assertion to the destination site, or SP. The SP is the site that consumes the assertion, determines the entitlements of the user, and grants or denies access to the requested resource.

Q: Explain the flow when a user makes a federation request.
A:
Step 1: The user logs in to the identity provider using an ID and password for authentication. Once the user is authenticated, a session cookie is placed in the browser.
Step 2: The user then clicks on the link to view an application residing on the service provider. The IdP creates a SAML assertion based on the user’s browser cookie, digitally signs the assertion, and then redirects to the SP.
Step 3: The SP receives the SAML assertion, extracts the user’s identity information, and maps the user to a local user account on the destination site.
Step 4: An authorization check is then performed and, if the user is successfully authorized, the SP redirects the user’s browser to the protected resource. If the SP successfully received and validated the user, it will place its own cookie in the user’s browser so the user can now navigate between applications in both domains without additional logins.

Q: What is the authentication mechanism used for federation?
A: Assertions. The assertion created by the IDP will be sent to SP where it will be validated.
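
The SP-side handling from steps 3 and 4 and the validation mentioned in the answer above, as an added example that is not part of the original post and is not OIF code. It assumes SAML 2.0 element names, constructed entity IDs and a constructed account map, and it assumes the XML signature was already verified by an XML-DSig library, passed in here as `signature_verified`.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed values: the trusted IdP, this SP's entity ID, and the local account map.
TRUSTED_ISSUERS = {"https://idp.example.com"}
SP_ENTITY_ID = "https://sp.example.org"
LOCAL_ACCOUNTS = {"alice@example.com": "asmith"}
seen_ids = set()  # assertion IDs already consumed (replay cache)

# Constructed sample assertion; the ds:Signature element is omitted for brevity.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # Parse a UTC SAML timestamp; an empty or malformed value raises ValueError.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, signature_verified, now):
    """Return the mapped local account, or raise ValueError naming the failed check."""
    if not signature_verified:  # assumption: an XML-DSig library checked it earlier
        raise ValueError("signature not verified")
    a = ET.fromstring(xml_text)  # must be the same element the signature covered
    if a.findtext("saml:Issuer", "", NS).strip() not in TRUSTED_ISSUERS:
        raise ValueError("issuer outside circle of trust")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore", "")) <= now
                            < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion not within validity window")
    audiences = {e.text.strip() for e in cond.iterfind(".//saml:Audience", NS) if e.text}
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion issued for a different SP")
    if not a.get("ID") or a.get("ID") in seen_ids:
        raise ValueError("assertion ID missing or replayed")
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if name_id not in LOCAL_ACCOUNTS:  # step 3: map the subject to a local account
        raise ValueError("no local account mapped to subject")
    seen_ids.add(a.get("ID"))
    return LOCAL_ACCOUNTS[name_id]  # step 4's authorization check runs on this account
```

Only after all of these checks pass should the SP set its own session cookie for the mapped account.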

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look at my blog: http://talkidentity.blogspot.com

20 comments
prasad says November 10, 2010

It is a good set of questions and answers. Please also put basic Identity Manager questions and answers.

Mohankumar says June 2, 2011

Hi Mahendra,
I want to know a little more in depth about OIF 10g. Where can I get it? Please provide me the documentation link. Your post is helpful to me.

Thanks & Regards
Mohankumar

Mahendra says June 2, 2011

Hello Mohan,

Here is the OIF 10g documentation.

Admin Guide: http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355/title.htm

This document should give good insight into the product.

Hope this helps.

-Mahendra.

Mohankumar says June 3, 2011

Hi Mahendra,

Thank you for your quick response.
Do you have any idea about:
1. From which company did Oracle buy Oracle Identity Federation, like Oracle bought OAM from a company called NetPoint?
2. Who are the developers of OIF?

Thanks & Regards
Mohankumar

Vikas Panwar says June 3, 2011

Hi Mohan,

Oracle bought this product from Oblix; it's mentioned in various documents.

Vikas says June 3, 2011

Hi,

Could anybody tell me how to integrate OIF with an already deployed web application (kind of a step-by-step guide)? I need to test that OIF is working; till now I am able to get the SUCCESS page from the IdP, as given in the available tutorials.
In other words, now I am trying to open my application’s URL after authorization from OIF.

Thanks,
Vikas

Mohankumar says June 3, 2011

Hi,

Where can I get the OIF 10g installation guide?

Mohankumar says June 6, 2011

Hi,

How do I provide single sign-on to a sample application using Oracle Identity Federation 10g? I am using Microsoft AD 2003 as the federation data store.

Mahendra says June 6, 2011

Hi,

Please go through the OIF documentation to get a good understanding of the product. Later you can set up the IDP and SP with their respective data stores and protect the application.

-Mahendra.

Morkel says June 7, 2011

Hi,

While integrating with a sample application for single sign-on, authentication failed. The error log should be in federation-msg.log but I can’t find it. Can you tell me how to enable debugging in OIF?

Mohankumar says July 6, 2011

Hi,

Can you please give information regarding SAML 1.1? I am trying to provide single sign-on to Replicon, which supports SAML 1.1, using OIF 10g.

thanks
mohan

Mahendra says July 6, 2011

Hi Mohan,

Please briefly explain what Replicon is. Why are you specific to SAML 1.1? The latest version is 2.0 and there are a lot of features available there. If you just want to establish a federation session, you can install federation instances at the Replicon end and have another federation as a source (IDP) at your org end. Implementation details depend purely on your requirements.

-Mahendra.

tammy says August 24, 2011

Hi,

I have WebCenter, and OAM is installed to provide SSO to WebCenter. Now I want to integrate BMC Remedy with OAM using OIF.

Briefly, what steps are required? Do I need to change anything on the Remedy side to achieve the SSO?

Mahendra says August 24, 2011

Hi Tammy,

You did not specify the necessity of having BMC Remedy in the picture. Anyhow, to my knowledge here are the high-level steps:

1. Integrate OAM with BMC Remedy first. You need to understand how the BMC Remedy system accepts tokens/headers from 3rd-party systems. Most legacy applications should be able to accept headers. If that is so in your case, then have a web server fronting the BMC system and configure a proxy. Install a WebGate over there and get the SSO done.
2. Integrate OAM with OIF; you don’t have to do anything between OIF and the BMC Remedy system.

Hope this helps.

-Mahendra.

Zach says January 5, 2012

Hello, thank you for the great articles.

I’ve successfully integrated our R12 EBS with OAM11g and AccessGate using Note 1309013.1

My question now is: Our company currently has a SSO and identity management solution. We’d like to use that as the Identity Provider, and use OIF to allow users to login to EBS (through OAM) using a federated SAML assertion. Is this easy to accomplish?

sree says January 9, 2013

Hi Mahendra,

My requirement is like this.

We have existing applications and LDAP. We are going to implement R12 and the client wants to access R12 without entering credentials by using SAML 2.0 (without OID).

Please let me know how we can implement this. What components are required?

Thanks
Sree

puneet khullar says May 6, 2014

How can we find out the version of OIF?
