I recently implemented Oracle Identity Federation (OIF) as a Service Provider (SP) integrated with Oracle Access Manager (OAM) through the SP Integration Module. For the basics of OIF SP/IdP, click here. OIF SP is integrated with the IdP using linked federation (the attribute employeeNumber on the IdP is linked to uid on the SP). To further complicate this integration, OIF as SP is integrated with two Identity Providers, so a resource protected in OAM (via the OIF SP module) should be able to use either IdP1 or IdP2.
I'll start with the installation and configuration of Oracle Identity Federation (OIF) in this post and cover the remaining tasks (configuring OIF SP/IdP, OIF with OAM, and protecting a resource using multiple IdPs) in future posts.
OIF Installation Key Points
1. OIF software is part of the Oracle Identity Management (IDM) software (this software also contains OID and OVD).
2. The latest version of OIF (as of April 2012) is 11.1.1.6. 11.1.1.2 and 11.1.1.6 are full software releases, whereas 11.1.1.3/4/5 are patch sets. For 11.1.1.3/4/5 you must first install 11.1.1.2 and then patch it to the specific required version, i.e. 11.1.1.3/4/5. For 11.1.1.6, install 11.1.1.6 directly. [Thanks Arshad for pointing this out]
3. OIF (IDM software) requires WebLogic, so install WebLogic first (for OIF 11.1.1.6 install WebLogic 10.3.6, and for OIF 11.1.1.5 install WebLogic 10.3.5).
4. During IDM 11.1.1.2 installation, select the option Install Software - Do Not Configure. You should then apply patch set 11.1.1.3/4/5 (depending on which version you need).
For 11.1.1.6, you can select either "Install and Configure" or "Install Software - Do Not Configure" (for high availability select Install Software - Do Not Configure).
5. The OIF User/Message store and Configuration can be stored in a Database. If you are planning to use a Database to store User/Message data and the configuration file, create the OIF schema in the database using the Repository Creation Utility (RCU).
6. After installing WebLogic and then the Identity Management software (OIF), start the OIF configuration from $ORACLE_HOME/bin/config.sh (here ORACLE_HOME is the directory in which you installed the IDM software).
7. Select Oracle Identity Federation from the list of components.
8. For OIF you get two configuration options, Basic or Advanced:
a) Basic - use this to configure:
User Data Store (NONE), Federation Data Store (NONE), Authentication Engine (JAAS), Session Store (MEMORY), Transient Message Data Store (MEMORY), Configuration Store (FILE)
b) Advanced - use this to configure:
User Data Store (NONE, LDAP, RDBMS)
Federation Data Store (NONE, LDAP, RDBMS, XML)
Authentication Type (JAAS or LDAP)
User Session Store (MEMORY, RDBMS)
Transient Message Data Store (MEMORY, RDBMS)
Configuration Store (FILE, RDBMS)
Note: If you select the Basic option you don't need a Database or LDAP Server, whereas for Advanced you need both an LDAP Server and a Database. I am using OID as the LDAP Server.
Note: These settings (Authentication Type, User Data Store, Federation/Message store, ...) can be changed later as well using Fusion Middleware Control (/em).
9. Select Advanced and then select the Authentication Type, User Store, Federation Store, User Session Store, Message Store, and Configuration Store in OIF as shown below.
10. In Specify Authentication LDAP Details, enter the LDAP Server details (I am using OID as the LDAP server, where innowave21 is the server on which OID is running, 3063 is the LDAP port, and cn=orcladmin is the OID superuser). When OIF is configured as an IdP with LDAP as the authentication engine, uid is used as the login attribute.
Change the Base DN from dc=com to your LDAP server domain (in OID this is the Realm defined during OID configuration).
11. Specify the LDAP Server details for Federation Data. During federation, federated data is stored under the OID container cn=Federation,dc=<your_domain> (OIF creates this cn=Federation container itself).
12. Specify the Database details for the Transient Data Store (the OIF schema created earlier using RCU should already exist).
13. After installation, from the WebLogic Admin Console (/console) you should see the managed server (wls_oif1) as shown below.
14. The key configuration files for OIF are:
a) the WebLogic Domain configuration file config.xml under $DOMAIN_HOME/config/
b) the OIF Circle of Trust and configuration files cot.xml and config.xml under $DOMAIN_HOME/config/fmwconfig/servers/<wls_oif1>/applications/OIF_11.1.1.2.0/configuration
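Several of the steps above are easy to get wrong silently (a WebLogic release that does not match the OIF release, a Base DN left at the installer's default dc=com, not knowing where cot.xml ended up). The following shell script is an added example of a pre-flight/post-install checker for exactly those points; it is not Oracle tooling and not part of the original post. The OIF/WebLogic version pairs, the full-install vs. patch-set rule, the cn=Federation container and the configuration directory are taken from the steps above; the check logic, the function names and the sample values (dc=example,dc=com, /u01/app/oracle/domains/oif_domain) are my own assumptions. The optional live check assumes an ldapsearch that accepts -h/-p/-D/-w/-b/-s (both OID's and OpenLDAP's do).

```shell
#!/bin/sh
# Pre-flight / post-install checks for an OIF 11.1.1.x install (added example,
# not Oracle tooling). Version pairs, the cn=Federation container and the
# config paths come from the post; the check logic is this script's own.

# WebLogic release the post pairs with each OIF (IDM) release.
oif_required_wls() {
    case "$1" in
        11.1.1.6) echo "10.3.6" ;;
        11.1.1.5) echo "10.3.5" ;;
        *)        echo "unknown" ;;
    esac
}

# Whether a release is a full install or a patch set applied on top of 11.1.1.2.
oif_install_path() {
    case "$1" in
        11.1.1.2|11.1.1.6)          echo "full" ;;
        11.1.1.3|11.1.1.4|11.1.1.5) echo "patchset-on-11.1.1.2" ;;
        *)                          echo "unknown" ;;
    esac
}

# Base DN must look like attr=value,attr=value,... and must not be the
# installer's default dc=com, which the post tells you to replace with your realm.
check_base_dn() {
    dn=$1
    [ "$dn" != "dc=com" ] || { echo "base DN is still the default dc=com" >&2; return 1; }
    printf '%s' "$dn" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$' \
        || { echo "base DN '$dn' is not a valid attr=value,... DN" >&2; return 1; }
    return 0
}

# Container under which OIF stores federation records (OIF creates it itself).
federation_dn() {
    echo "cn=Federation,$1"
}

# Directory holding cot.xml and config.xml for the given OIF managed server.
oif_config_dir() {
    echo "$1/config/fmwconfig/servers/$2/applications/OIF_11.1.1.2.0/configuration"
}

# Optional live check: does the federation container exist in the directory?
# Needs ldapsearch on PATH and the bind password in OIF_LDAP_BINDPW; skipped
# when ldapsearch is absent so the script also runs offline. (Assumed tool
# flags: -h/-p/-D/-w/-b/-s, supported by OID's and OpenLDAP's ldapsearch.)
check_federation_container() {
    host=$1; port=$2; binddn=$3; basedn=$4
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not found, skipping live check"; return 0; }
    ldapsearch -h "$host" -p "$port" -D "$binddn" -w "${OIF_LDAP_BINDPW:?set OIF_LDAP_BINDPW}" \
        -b "$(federation_dn "$basedn")" -s base '(objectclass=*)' dn >/dev/null 2>&1
}

# Run the offline checks for one planned install; returns 1 if anything failed.
preflight_report() {
    oif=$1; wls=$2; basedn=$3; domain=$4; server=$5
    status=0
    want=$(oif_required_wls "$oif")
    if [ "$want" = "$wls" ]; then
        echo "OK   WebLogic $wls matches OIF $oif"
    else
        echo "FAIL OIF $oif expects WebLogic $want, got $wls"; status=1
    fi
    echo "INFO install path for $oif: $(oif_install_path "$oif")"
    if check_base_dn "$basedn"; then
        echo "OK   base DN $basedn; federation container $(federation_dn "$basedn")"
    else
        status=1
    fi
    echo "INFO cot.xml/config.xml expected in $(oif_config_dir "$domain" "$server")"
    return $status
}

# Constructed sample values; override them from the command line:
#   sh oif_preflight.sh 11.1.1.5 10.3.5 dc=mycorp,dc=com "$DOMAIN_HOME" wls_oif1
preflight_report "${1:-11.1.1.6}" "${2:-10.3.6}" "${3:-dc=example,dc=com}" \
    "${4:-/u01/app/oracle/domains/oif_domain}" "${5:-wls_oif1}"
```

The offline checks cover what the installer will not tell you: a version mismatch is caught before you install, and a Base DN left at dc=com (which would make the later OID lookups and the cn=Federation container land in the wrong place) is rejected. The live check is deliberately separate so the script can be run on a workstation with no directory access.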
For configuring OIF as an Identity Provider (IdP) or Service Provider (SP), stay tuned.