This post talks about configuring Federation Data Store in Oracle Identity Federation 10g. Please read the previous post on installing OIF 10g in a development environment, where no Federation or User data store details are provided during installation.
Let me explain the significance of the Federation data store. Whenever a federation is established between providers, a record holding the account linking is created, and OIF instances use this record for subsequent federations. These records can be stored in any of the industry-standard LDAP directories supported by OIF. In the specific case where non-opaque name identifiers are used in a SAML 2.0 architecture, there is no need to store federation records in a repository.
NOTE: SAML 1.x and WS-FED protocol-specific federations do not require a federation data store.
There are two ways to provide the federation store details to OIF:
1. During installation, using the Advanced installation type.
2. Post installation.
The advantage of the first approach is that the installer automatically updates the LDAP repository with the OIF-specific schema that OIF needs in order to write records to the directory.
If we wish to do it manually after installing OIF, here are the steps to follow:
Upgrade the LDAP schema using the ldif file for your directory, located under $Oracle_Home/fed/setup/ldap/:
Oracle Internet Directory: $Oracle_Home/fed/setup/ldap/userFedSchemaOid.ldif
Sun One Directory Server: $Oracle_Home/fed/setup/ldap/userFedSchemaIPlanet.ldif
Microsoft Active Directory: $Oracle_Home/fed/setup/ldap/userFedSchemaAD.ldif
IBM Tivoli Directory Server (IBM TDS) 6.0: $Oracle_Home/fed/setup/ldap/userFedSchemaTivoli.ldif
I am using Sun Directory Server in my environment and hence used userFedSchemaIPlanet.ldif.
Execute the ldapmodify command as shown below.
ldapmodify -h hostname -p port -D userid -w password -f userFedSchemaIPlanet.ldif
Let us examine the Sun Directory Server schema for the OIF-specific object classes.
Observe the object class orclFedUserInfo that has been added for OIF's use.
Create an entry in Sun Directory Server, such as ou=Fed under dc=mydomain,dc=com, and assign it the OIF-specific object class. Federation records will be stored under this entry.
Now configure the federation store in the OIF admin console. To do that, log in to the OIF Admin console, go to the IdM Data Stores tab, then to the Federation Data Store tab, and provide the LDAP details.
A few parameters are worth explaining here:
Connection URL: ldap://hostname:port
Bind DN: Admin user of LDAP
Password: Admin user password of LDAP
User Federation Record Context: ou=Fed,dc=mydomain,dc=com
The above DN entry was created in LDAP in the previous steps.
LDAP Container Object Class is left empty.
Unique Federation ID Attribute: the LDAP attribute used to uniquely identify a federation record. It must be defined in the LDAP object class of the federation record type, or in its top parent. I have specified cn, as per my environment.
Save the configuration by clicking the Save button, then restart the OIF server using the opmnctl command.
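As an added example (my own code, not from the original post or from Oracle), the following Python script checks the settings above before they are saved in the console: it parses the objectClasses definitions of a schema LDIF, walks the SUP chain so that an attribute inherited from a parent class counts, confirms the Unique Federation ID Attribute is defined on the record object class, checks that the record context lies under the base DN, and flags an ldap:// Connection URL because a simple bind over it sends the Bind DN password in clear. The embedded schema LDIF is constructed for the example; the orclFedUserInfo OID and attribute names in it are placeholders, not Oracle's definition.

```python
import re
from urllib.parse import urlsplit
# Constructed Sun DS-style schema LDIF; the orclFedUserInfo OID and attribute
# names are placeholders for this example, not the real OIF schema definition.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 1.3.6.1.4.1.99999.1 NAME 'orclFedUserInfo' SUP top
  STRUCTURAL MUST cn MAY ( orclFedNameIDValue $ orclFedProviderID ) )
"""
OC_RE = re.compile(r"\(\s*(?P<oid>\S+)\s+NAME\s+'(?P<name>[^']+)'(?P<rest>.*)\)")

def _names(rest, keyword):
    # Value after KEYWORD in an objectClasses definition: one name or ( a $ b )
    m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|(\S+))", rest)
    body = "" if not m else (m.group(1) if m.group(1) is not None else m.group(2))
    return [x.strip().lower() for x in body.split("$") if x.strip()]

def parse_object_classes(ldif_text):
    """Map object class name -> {sup, must, may}; LDIF folded lines are joined."""
    classes = {}
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        m = OC_RE.search(line) if line.lower().startswith("objectclasses:") else None
        if m:
            classes[m.group("name").lower()] = {
                k: _names(m.group("rest"), k.upper()) for k in ("sup", "must", "may")}
    return classes

def allowed_attributes(classes, name):
    """MUST + MAY of `name` plus everything inherited through its SUP chain."""
    attrs, stack, seen = set(), [name.lower()], set()
    while stack:
        oc = stack.pop()
        if oc in classes and oc not in seen:
            seen.add(oc)
            attrs |= set(classes[oc]["must"]) | set(classes[oc]["may"])
            stack += classes[oc]["sup"]
    return attrs

def check_federation_store(classes, url, record_oc, id_attr, context_dn, base_dn):
    """Findings for the console settings; an empty list means they are consistent."""
    findings, u = [], urlsplit(url)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname or not u.port:
        findings.append(f"connection URL {url!r} is not ldap(s)://host:port")
    elif u.scheme == "ldap":
        findings.append("warning: ldap:// sends the Bind DN password in clear; prefer ldaps://")
    if id_attr.lower() not in allowed_attributes(classes, record_oc):
        findings.append(f"{id_attr} is not defined on {record_oc} or its parents (is the OIF ldif applied?)")
    if not context_dn.lower().endswith("," + base_dn.lower()):
        findings.append(f"record context {context_dn} is not under {base_dn}")
    return findings
```

Run it against the output of an ldapsearch on cn=schema (or the ldif file itself) with your own Connection URL, record context and base DN in place of the constructed values.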
The job is done now!!
I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com