OIF 10g: Configure Federation Data Store as OID 10g

In my earlier post, I explained the installation steps of Oracle Identity Federation 10g, where I did not select Configure Federation Data Store during installation. So I would like to explain the process of configuring the federation data store after installing OIF 10g, and how we can see the assertion records created in the federation store.

In my environment, I am using OID 10g as Federation Repository.

To start with, login to the OIF Admin Console and provide the OID-specific details as shown below.

If you notice, I provided the User Federation Record Context as ou=FedRecords,dc=nic,dc=co,dc=in, so the federation records will be created under this container. Save the configuration by clicking Save.

Start the OIF services as shown below for these configuration changes to take effect.

Technically speaking, after the OIF services are started the OIF server should create the above entry in the OID server, which did not happen in my case. I literally struggled for a day to get this working, but could not get the OIF server to create it automatically. So I worked around it by creating the above entry in OID manually, as shown below. Please note that this does not require any restart of the OID services.

Now it is time to test whether federation is working.

Access the IdP-initiated URL http://nic-tebmigr1a-ac.nic.co.in:7778/fed/idp/initiatesso?providerid=http://nic-tebmigr1a-ac.nic.co.in:7778/fed/sp&returnurl=http://nic-tebmigr1a-ac.nic.co.in:7779/FederationExample.html and it will display the page shown in the screenshot below. Login as a valid user (in my case, the userid is mahendra.k and the password is admin123).

After submitting the login details, the requested resource will be displayed as shown below.

I am not going to explain in this post how the federation itself happens here!

We shall look at the federation records created under that DN entry, as shown below.

Observe the screenshot below, which shows the description field holding the userid of the user who logged in to the application.

Underneath this entry, you can see two more entries.

The first entry is associated with OIF acting as IdP.

The second entry is associated with OIF acting as SP. The two can be told apart by the attribute orclfedfederationtype, whose value is either 1 or 3: the value is 1 when Oracle Identity Federation is an Identity Provider and the remote provider is a Service Provider, and 3 when Oracle Identity Federation is a Service Provider and the remote provider is an Identity Provider.
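To check what the federation store holds without clicking through the console, here is an added example (not from this post and not Oracle's code) that parses an ldapsearch-style LDIF dump of the ou=FedRecords container and maps each userid to the role OIF played in each child record, using the orclfedfederationtype meanings above. The SAMPLE_LDIF and its cn= RDNs are constructed placeholders, not the names OIF actually generates.

```python
import re
from collections import defaultdict
BASE_DN = "ou=FedRecords,dc=nic,dc=co,dc=in"  # User Federation Record Context from the post
FED_TYPE = {  # orclfedfederationtype values, as explained in the post
    "1": "OIF is IdP, remote provider is SP",
    "3": "OIF is SP, remote provider is IdP",
}
# Constructed LDIF in the shape of an ldapsearch dump; the cn=... RDNs are placeholders.
SAMPLE_LDIF = """\
dn: cn=fedrec-0001,ou=FedRecords,dc=nic,dc=co,dc=in
description: mahendra.k

dn: cn=idp-side,cn=fedrec-0001,ou=FedRecords,dc=nic,dc=co,dc=in
orclfedfederationtype: 1

dn: cn=sp-side,cn=fedrec-0001,ou=FedRecords,dc=nic,dc=co,dc=in
orclfedfederationtype: 3

dn: cn=stray,ou=FedRecords,dc=nic,dc=co,dc=in
orclfedfederationtype: 2
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry; folded lines are
    joined, comments skipped, base64 ('::') values are left undecoded."""
    entries, cur, last = [], None, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and cur is not None and last:
            cur[last][-1] += line[1:]          # continuation of the previous value
        elif line == "":
            if cur:
                entries.append(cur)
            cur, last = None, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur = cur if cur is not None else defaultdict(list)
            last = attr.strip().lower()
            cur[last].append(value.strip())
    return entries

def federation_roles(ldif_text, base_dn=BASE_DN):
    """Map each federated userid to the roles OIF played (one per child record)."""
    entries = [e for e in parse_ldif(ldif_text)
               if e.get("dn", [""])[0].lower().endswith(base_dn.lower())]
    owner = {e["dn"][0]: e["description"][0] for e in entries if "description" in e}
    roles = defaultdict(list)
    for e in entries:
        for t in e.get("orclfedfederationtype", []):
            parent = re.split(r"(?<!\\),", e["dn"][0], maxsplit=1)[-1]  # drop first RDN
            user = owner.get(parent, "<no parent record>")
            roles[user].append(FED_TYPE.get(t, f"unknown type {t}"))
    return {u: sorted(r) for u, r in roles.items()}
```

Records whose parent has no description, or whose type is not 1 or 3, are reported separately so that stray or unexpected entries in the container stand out.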

Let me show the federation records in the OIF admin console.

Login to the OIF Admin console, go to the Identity Federation tab, select the checkbox of the Provider ID and click the Show Federations button.

Notice the result in the screenshot below. (Similar results are seen when Show Federations is clicked under the Service Providers section.)

Explanation of the above screenshot:

User Name: mahendra.k is the user who performed this federation.

Protocol: SAML 2.0 is used.

IdP Identifier: we used the e-mail address as the Name ID Format.

Format: e-mail address is the name ID format specified.

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com
