
Setting Parameters in the config.xml File

In document Oracle Access Manager (Page 54-58)

■ Configuring Basic Authentication

■ Configuring SSL and Client Certificate Authentication

■ Configure the Session Token Cache for Federated Attribute Sharing


The config.xml file contains settings for associating local Oracle Identity Federation instances with users' Identity Providers based on information in the user's DN entry. It also contains settings that control what information related to attribute sharing is written to a log, and other settings that control interaction with the Access System. The config.xml file is located in the following directory:

Access_Server_install_dir/access/oblix/config/attributePlugin/config.xml

The following is a sample config.xml file:

    <Config LogLevel="audit" WaitTime="30" SizeLimit="0" MaxConnections="5"
            InitialConnections="2" Authn="cert" Username="MyAccessServer"
            Password="MyPassword" KeyPassword="MyKeyPassword" CacheTimeout="30"
            MaxCachedUsers="1000" HeaderKeyLength="128" HeaderKeyRegen="86400"
            RequestFormat="values">
      <Mapping Local="true">
        <DN>OU=Engg,O=MyCompany,L=MyCity,ST=California,C=US</DN>
      </Mapping>
      <Mapping URL="https://host1.us.company.com:8888/osfs/ar/soap">
        <DN>OU=Test,O=MyCompany,L=MyCity,ST=California,C=US</DN>
      </Mapping>
      <Mapping URL="https://host2.us.company.com:8777/osfs/ar/soap">
        <DN>C=US</DN>
        <DN>C=IN</DN>
      </Mapping>
      <Mapping URL="http://SP-HOST:SP-PORT/fed/ar/soap">
        <DN>O=Partner1,C=US</DN>
      </Mapping>
      <Mapping URL="http://SP-HOST:SP-PORT/fed/ar/soap" RequestFormat="all">
        <DN>O=Partner2,C=US</DN>
      </Mapping>
    </Config>

Setting up the Federated Attribute Sharing Environment

Table 5–1 Attributes in the config.xml File

Attribute: LogLevel
Description: Controls the amount of information that is logged to AS_install_dir/oblix/logs/authz_attribute_plugin_log.txt. The following are possible values for this parameter:
■ none—Nothing is logged except errors (the default).
■ audit—One line is logged for each authorization request, showing the access decision, the user's certificate subject DN or local directory DN, and the HTTP operation and the local part of the requested URL.
■ debug—Extensive information used in debugging problems.

Attribute: HTTP connection parameters
Description: The authorization plug-in uses these parameters. These parameters contain information that is sent from the Access System to the Oracle Identity Federation instance. You can configure the following HTTP connection parameters:
■ WaitTime—Time in seconds to wait for a response. Default: 30 seconds.
■ SizeLimit—Maximum size in bytes of HTTP messages sent and received. 0 means unlimited (the default).
■ MaxConnections—The maximum number of concurrent HTTP connections. Default: 5.
■ InitialConnections—Number of concurrent HTTP connections opened initially. Default: 2.

Attribute: Authentication parameters
Description: Authenticates the authorization plug-in to the Oracle Identity Federation instance. You can configure the following authentication parameters:
■ Authn—The authentication method. The following are possible values for this parameter:
  ■ none—No authentication is used.
  ■ basic—Use HTTP basic authentication with user name and password (the default).
  ■ cert—Use SSL client certificate authentication using key.pem, cert.pem, and KeyPassword.
■ Username—The username for basic authentication.
■ Password—The password for basic authentication.
■ KeyPassword—The password for key.pem for SSL client certificate authentication.

Attribute: Attribute value cache parameters
Description: This cache is located in the authorization plug-in memory in the Access Server. You can set values for the following caching parameters:
■ CacheTimeout—The time in seconds that cached attribute values are held before requiring updated values. A value of 0 disables caching. Default: 3600 seconds (1 hour).
■ MaxCachedUsers—The maximum number of users whose attribute values can be cached. If the cache is full, the oldest unexpired entries are reclaimed. Default: 1,000.

Attribute: Encryption parameters
Description: You can set values for the following encryption parameters:
■ HeaderKeyLength—The length (in bits) of a key that is generated for AES encryption of the SubjectDN header. This header is passed from the authentication plug-in to the authorization plug-in. Possible values for this parameter: 128, 192, or 256. Higher values provide stronger encryption but slower performance. A value of 0 disables encryption of the header. Oracle does not recommend setting a value of 0 due to potential impersonation attacks.
■ HeaderKeyRegen—The interval (in seconds) for regenerating the key that encrypts the SubjectDN header. The default is 86400 (one day).

Attribute: Attribute query properties
Description: The RequestFormat parameter determines what attributes and values are returned on an attribute response. This parameter overrides authorization rules. For example, if an authorization rule specifies attributes and values, the RequestFormat parameter can omit the values from a request.

You can specify the RequestFormat parameter in the global CONFIG element or in a local MAPPING element in the config.xml file. For example, in the sample config.xml file shown above this table, Partner2 uses a local RequestFormat setting. The RequestFormat parameter can be configured as follows:
■ RequestFormat="values"—This setting enables a query for information about a user to contain attribute names and values. The names and values are taken from the authorization rule expression that you configured for federated attribute sharing. With this setting, the response from the Identity Provider only returns user attributes and values that match those in the query. This is the default setting. This setting minimizes the memory used for cached attribute values because the request contains only the values needed for authorization. This setting results in more frequent attribute requests.
■ RequestFormat="names"—This setting permits a query to contain attribute names, but not the values that you configured in the authorization rule expression for federated attribute sharing. The response from the Identity Provider returns the user's values for the named attributes, as long as the Identity Provider's Responder policies permit access to the values. This setting uses more cache memory than the "values" setting, but less than the "all" setting. This setting does not disclose to the Identity Provider what attribute values are required for authorization. For security reasons, this setting may be preferable over the "values" setting.
■ RequestFormat="all"—This setting omits attribute names and values from a query. The Identity Provider returns all user attributes and values, as long as the Identity Provider's Responder policies permit access to the attributes and values. This setting minimizes the number of attribute requests to one per user, but it uses the most cache memory. Use this setting if the Attribute Responder policies are configured to only return attributes that the Service Provider may want. This setting does not disclose to the Identity Provider what attributes are required for authorization. For security reasons, this may be preferable to the "values" and "names" settings.

Attribute: Mappings of Subject DNs to Attribute Requester Service URLs
Description: The following parameters enable the Access System to determine if users are local—that is, if they have an identity in Oracle Access Manager—or remote and must be identified by an Attribute Requester Service. For remote users, these parameters map the subject DNs to a URL for your domain's (the Service Provider) instance of Oracle Identity Federation. For local users, authorization can be determined by the local Oracle Access Manager. You can configure the following parameters:
■ DN—One or more elements of a DN pattern to match against the user Subject DN in the request that the Access System receives. The pattern consists of the rightmost components of the DN, for example:
  O=MyCompany,L=MyCity,ST=California,C=US
■ Local—If this parameter is true, the matching users are assumed to be local and the URL parameters are ignored.
■ URL—The URL for the Oracle Identity Federation instance. The form is HTTP:// or HTTPS://OIF_host:OIF_port/fed/ar/soap, where OIF_host is the host name and OIF_port is the port of a local Oracle Identity Federation server. This is the server that receives requests from the Access System for verification of a user's attributes and forwards a SAML-formatted request to an Identity Provider's SAML services.

The following table provides examples of how subject DNs are evaluated according to the config.xml file. When Oracle Access Manager evaluates the Subject DN of a user, users who are deemed to be local are given local Oracle Access Manager credentials. All other users are referred to the attribute sharing authorization plug-in. Depending on the DNs of the remote users, a corresponding URL is used for sending a query to a local Oracle Identity Federation instance:

Table 5–2 Mappings of Subject DNs

User Subject DN: [email protected],CN=John Smith,OU=Engg,O=MyCompany,L=MyCity,ST=California,C=US
Mapping: local

User Subject DN: [email protected],CN=Margaret Abel,OU=Test,O=MyCompany,L=MyCity,ST=California,C=US
Mapping: https://host1.us.company.com:8888/fed/ar/soap

User Subject DN: [email protected],CN=Fred Jones,OU=Sales,O=OtherCompany,L=OtherCity,ST=Iowa,C=US
Mapping: https://host2.us.company.com:8777/fed/ar/soap

User Subject DN: [email protected],CN=Mahitha Chandra,OU=Sales,O=OtherCompany,L=OtherCity,ST=TamilNadu,C=IN
Mapping: https://host2.us.company.com:8777/fed/ar/soap

To configure the config.xml file:

1. Log in to the Access Server host as the user who installed the Access Server.

2. Create a file named config.xml in this directory.

3. Edit the attributes and elements of the config.xml file in the following directory: AS_install_dir/access/oblix/config/attributePlugin

4. Restart the Access Server.
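The following Python resolver is an added example, not part of the Oracle documentation or product: it applies the Mapping rules above (rightmost-component DN matching, Local versus URL, and a Mapping-level RequestFormat overriding the global one) to subject DNs like those in Table 5–2, and flags a config.xml whose HeaderKeyLength would leave the SubjectDN header unencrypted. It assumes that the most specific (longest) matching DN pattern wins when several match, a rule the text does not state, and uses a constructed, abridged copy of the sample config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample, abridged from the sample config.xml in the text (Partner1 dropped).
SAMPLE_CONFIG = """<Config LogLevel="audit" Authn="cert" HeaderKeyLength="128"
        HeaderKeyRegen="86400" RequestFormat="values">
  <Mapping Local="true"><DN>OU=Engg,O=MyCompany,L=MyCity,ST=California,C=US</DN></Mapping>
  <Mapping URL="https://host1.us.company.com:8888/osfs/ar/soap">
    <DN>OU=Test,O=MyCompany,L=MyCity,ST=California,C=US</DN></Mapping>
  <Mapping URL="https://host2.us.company.com:8777/osfs/ar/soap"><DN>C=US</DN><DN>C=IN</DN></Mapping>
  <Mapping URL="http://SP-HOST:SP-PORT/fed/ar/soap" RequestFormat="all"><DN>O=Partner2,C=US</DN></Mapping>
</Config>"""

def dn_components(dn):
    """Split a DN into its components, ignoring whitespace around the commas."""
    return [part.strip() for part in dn.split(",") if part.strip()]

def pattern_matches(pattern, subject_dn):
    """A DN pattern matches when it equals the rightmost components of the subject DN."""
    pat, subj = dn_components(pattern), dn_components(subject_dn)
    return len(pat) <= len(subj) and subj[len(subj) - len(pat):] == pat

def resolve(config_xml, subject_dn):
    """Return ("local", None, None), ("remote", url, request_format), or None if nothing
    matches. Longest matching pattern wins (an assumption; the text states no tie-break)."""
    root = ET.fromstring(config_xml)
    best = None  # (number of pattern components, Mapping element)
    for mapping in root.findall("Mapping"):
        for dn in mapping.findall("DN"):
            if pattern_matches(dn.text, subject_dn):
                n = len(dn_components(dn.text))
                if best is None or n > best[0]:
                    best = (n, mapping)
    if best is None:
        return None
    mapping = best[1]
    if mapping.get("Local", "false").lower() == "true":
        return ("local", None, None)
    # A Mapping-level RequestFormat overrides the global one on the Config element.
    fmt = mapping.get("RequestFormat", root.get("RequestFormat", "values"))
    return ("remote", mapping.get("URL"), fmt)

def header_encryption_findings(config_xml):
    """Flag a SubjectDN header that would pass unencrypted between the two plug-ins.
    The text gives no default for HeaderKeyLength, so a missing attribute is flagged too."""
    length = ET.fromstring(config_xml).get("HeaderKeyLength")
    if length in ("128", "192", "256"):
        return []
    return ["HeaderKeyLength=%r: SubjectDN header not AES-encrypted (impersonation risk)" % length]
```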
