Oracle® OpenSSO Fedlet Interoperability Guide for Oracle Identity Federation
11g Release 1 (11.1.1.3.0)

Part Number E17847-01

1 About the Oracle OpenSSO Fedlet

This chapter provides an introduction to the Oracle OpenSSO Fedlet, including:

For information about federated identity management, including a description of the key features and concepts of Oracle Identity Federation, see the “Introduction to Oracle Identity Federation” in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

1.1 What is the Oracle OpenSSO Fedlet?

The Oracle OpenSSO Fedlet (Fedlet) is a compact, easy-to-deploy SAML 2.0 service provider implementation. It consists of a small software package and a simple file-based configuration that can be embedded in a service provider's Java or .NET application. The Fedlet establishes single sign-on (SSO) between an identity provider instance and the service provider application without requiring a fully featured federation product on the service provider side.

The Oracle OpenSSO Fedlet can accept SAML 2.0 assertions from any SAML 2.0 identity provider and retrieve user attributes to accomplish SSO and content personalization. The Fedlet can be configured to communicate with any number of identity providers. It can also use an external identity provider discovery service to find the user's preferred identity provider.

1.2 Oracle OpenSSO Fedlet Supported Standards and Applications

For information about the platforms and product versions supported by the Oracle OpenSSO Fedlet, see the appropriate certification matrix:

http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html

1.3 Installing and Configuring the Oracle OpenSSO Fedlet

The Oracle OpenSSO Fedlet can be downloaded as a separate ZIP file. The ZIP file includes all the files and components required to deploy the Fedlet with a Java or .NET service provider application. To use the Fedlet, you are not required to install any other federation components on the service provider side.

To install and configure the Oracle OpenSSO Fedlet, follow these general steps:

  1. Download and unzip the Oracle-OpenSSO-Fedlet.zip file, as described in Chapter 2, "Installing the Oracle OpenSSO Fedlet."

    Note:

    For some deployments, rather than downloading the Oracle OpenSSO Fedlet ZIP file, a service provider administrator can simply get a previously configured Oracle OpenSSO Fedlet package from the identity provider administrator. The service provider administrator then adds any application-specific logic to the package and deploys the Fedlet service provider application.

    To determine the Oracle OpenSSO Fedlet version, check the FederationConfig.properties file for the Java Fedlet or the Fedlet.dll.config file for the .NET Fedlet after you extract the files in the Fedlet package.

  2. Get the metadata file from your identity provider, name this file idp.xml, and copy it to the Fedlet configuration directory.

  3. Configure the Oracle OpenSSO Fedlet as follows:

  4. A service provider administrator (or developer) can add any application-specific logic to the service provider application. For example, for the Java Fedlet, add the logic to the fedlet.war or embed the fedlet.war in the service provider application.

  5. Import the Fedlet service provider metadata file (sp.xml) into the identity provider. This file is created during the Fedlet configuration.

  6. If you configured the Fedlet for features such as the identity provider discovery service or attribute query, perform the additional configuration steps on the identity provider side required for these features.
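Step 2 hands the identity provider's metadata to the Fedlet as idp.xml. The script below is an added example, not part of the Fedlet or of this guide, that inspects such a file before deployment: it reads the entityID, the signing certificate and the SSO/SLO endpoints, and reports what a Fedlet service provider needs according to Table 1-1 (an endpoint to send the AuthnRequest to, a certificate for verifying assertion signatures, an ArtifactResolutionService if the HTTP-Artifact response binding is to be used, a single logout endpoint, and TLS on every endpoint). The embedded metadata is constructed for illustration; its entity ID, URLs and certificate value are placeholders.

```python
"""Inspect a SAML 2.0 IdP metadata file (idp.xml) before giving it to the Fedlet.

Added example; not Fedlet code. SAMPLE_IDP_XML is constructed, and its
entityID, endpoint URLs and certificate are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample idp.xml (placeholder entity ID, endpoints and certificate).
SAMPLE_IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/fed/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/fed/idp/soapv20"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/fed/idp/samlv20"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/fed/idp/samlv20"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/fed/idp/samlv20"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/fed/idp/samlv20"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entityID, signing certificates and SSO/SLO endpoints keyed by binding."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("idp.xml must have an md:EntityDescriptor root element")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this file does not describe an IdP")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                signing_certs.append("".join((cert.text or "").split()))

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    return {
        "entity_id": root.get("entityID"),
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certs": signing_certs,
        "artifact_resolution": idp.find("md:ArtifactResolutionService", NS) is not None,
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
    }


def check_for_fedlet(info):
    """Return (level, message) findings; 'error' means SSO cannot work at all.

    The bindings checked are those in the Fedlet feature table: SSO responses
    over HTTP-POST or HTTP-Artifact, single logout over HTTP-POST or HTTP-Redirect.
    """
    findings = []
    if not info["signing_certs"]:
        findings.append(("error", "no signing certificate: assertion signatures cannot be verified"))
    if not (BINDING_REDIRECT in info["sso"] or BINDING_POST in info["sso"]):
        findings.append(("error", "no SingleSignOnService over HTTP-Redirect or HTTP-POST for the AuthnRequest"))
    if not info["artifact_resolution"]:
        findings.append(("note", "no ArtifactResolutionService: use the HTTP-POST response binding only"))
    if not (BINDING_REDIRECT in info["slo"] or BINDING_POST in info["slo"]):
        findings.append(("note", "no SingleLogoutService over HTTP-Redirect or HTTP-POST: single logout unavailable"))
    for loc in list(info["sso"].values()) + list(info["slo"].values()):
        if not (loc or "").startswith("https://"):
            findings.append(("error", "endpoint not served over TLS: %s" % loc))
    return findings


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_XML)
    print("IdP entityID:", info["entity_id"])
    for level, message in check_for_fedlet(info) or [("ok", "metadata looks usable")]:
        print(" [%s] %s" % (level, message))
```

Run it against the real idp.xml by replacing SAMPLE_IDP_XML with the file contents; anything reported as an error should be resolved with the identity provider administrator before step 5.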

You can deploy multiple instances of the Oracle OpenSSO Fedlet on the same host as follows:

One consideration, however, is that the Oracle OpenSSO Fedlet does not perform session management on the service provider side. The service provider application or web container must perform the session management.

1.4 Oracle OpenSSO Fedlet Features

The Oracle OpenSSO Fedlet supports the following features:

1.4.1 Oracle OpenSSO Fedlet SAML 2.0 Single Sign-on (SSO) and Single Logout Features

Table 1-1 Oracle OpenSSO Fedlet SAML 2.0 Single Sign-on (SSO) and Single Logout Features

Feature                                   Java Fedlet   .NET Fedlet
SAML 2.0 SSO
    IdP and SP Initiated HTTP POST        Yes           Yes
    IdP and SP Initiated HTTP Artifact    Yes           Yes
SAML 2.0 Single Logout
    IdP and SP Initiated HTTP POST        Yes           Yes
    IdP and SP Initiated HTTP Redirect    Yes           Yes


1.4.2 Oracle OpenSSO Fedlet SAML 2.0 Discovery Service Features

Table 1-2 Oracle OpenSSO Fedlet SAML 2.0 Discovery Service Features

Feature                                               Java Fedlet   .NET Fedlet
Multiple IdP Support                                  Yes           Yes
External IdP Discovery Service                        Yes           Yes
Bundled IdP Discovery Service (Reader Service Only)   Yes           No


1.4.3 Oracle OpenSSO Fedlet Additional SAML 2.0 Features

Table 1-3 Oracle OpenSSO Fedlet Additional SAML 2.0 Features

Feature                                                   Java Fedlet   .NET Fedlet
Signing of Requests and Responses                         Yes           Yes
Encryption of Attribute, Assertion, and NameID Elements   Yes           Yes
Export of SP Metadata                                     Yes           Yes
Attribute Query                                           Yes           No


1.5 Oracle OpenSSO Fedlet Scenarios

This section describes the following scenarios for the Oracle OpenSSO Fedlet:

1.5.1 New Oracle OpenSSO Fedlet Deployment

You want to download, install, and configure the Oracle OpenSSO Fedlet as a new deployment on the service provider side in your environment. See these chapters:

1.5.2 Oracle OpenSSO Fedlet Configuration Only

You have installed the Oracle OpenSSO Fedlet, and you want to configure or reconfigure your installation. See these chapters:

1.5.3 Oracle OpenSSO Fedlet SP-Initiated and IdP-Initiated SAML 2.0 Single Sign-on

If you have installed the Oracle OpenSSO Fedlet, and you want to configure it for service provider initiated or identity provider initiated SAML 2.0 single sign-on (or both), see the following sections:

1.5.4 Oracle OpenSSO Fedlet Single Logout

You have installed the Oracle OpenSSO Fedlet, and you want to configure single logout. Single logout terminates the sessions of all participants in a federated session at once; any participant in the session can initiate the logout request. See the following sections:
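The Fedlet validates the SAML Response but performs no session management on the service provider side (Section 1.3), and single logout must reach whichever local session the identity provider's LogoutRequest names. The following added example, written in Python rather than as Java or .NET Fedlet code and not taken from this guide, shows the two things the application itself has to supply: a local session whose lifetime is capped by the SessionNotOnOrAfter the assertion's AuthnStatement carries, and a lookup by NameID and SessionIndex so that an IdP-initiated logout terminates the right local session (or every session of that principal when the LogoutRequest carries no SessionIndex). SESSION_TTL, the store layout, and the sample attribute values are this example's own assumptions.

```python
"""Application-side session handling for a Fedlet-protected service provider.

Added example, not Fedlet code. The Fedlet accepts the assertion; the
application must still create, expire and destroy its own session. SESSION_TTL,
the store layout and the sample values in __main__ are this example's assumptions.
"""
import secrets
import time

SESSION_TTL = 8 * 3600  # application's own cap on session lifetime, in seconds (assumption)


class SpSessionStore:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}       # local session id -> session record
        self._by_federation = {}  # (idp entityID, NameID, SessionIndex) -> local session id

    def create_from_assertion(self, idp_entity_id, name_id, session_index,
                              attributes, session_not_on_or_after=None):
        """Create a local session once the Fedlet has accepted the assertion.

        The session ends at the earlier of the application's own TTL and the
        IdP's SessionNotOnOrAfter (AuthnStatement attribute), when one is present.
        """
        now = self._now()
        expires = now + SESSION_TTL
        if session_not_on_or_after is not None:
            expires = min(expires, session_not_on_or_after)
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy; never derived from the NameID
        self._sessions[sid] = {
            "idp": idp_entity_id,
            "name_id": name_id,
            "session_index": session_index,
            "attributes": dict(attributes),  # attributes the Fedlet extracted, for personalization
            "expires": expires,
        }
        self._by_federation[(idp_entity_id, name_id, session_index)] = sid
        return sid

    def get(self, sid):
        """Return the live session record, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() >= rec["expires"]:
            self._drop(sid)
            return None
        return rec

    def logout_local(self, sid):
        """SP-initiated logout: drop the local session, then let the Fedlet send
        the LogoutRequest to the IdP. Returns True if a session was removed."""
        return self._drop(sid) is not None

    def logout_from_idp(self, idp_entity_id, name_id, session_index=None):
        """IdP-initiated logout: the LogoutRequest identifies the session by NameID
        and SessionIndex, not by our cookie. With no SessionIndex, SAML 2.0 requires
        every session of that principal to end. Returns the number removed."""
        keys = [k for k in self._by_federation
                if k[0] == idp_entity_id and k[1] == name_id
                and (session_index is None or k[2] == session_index)]
        for k in keys:
            self._drop(self._by_federation[k])
        return len(keys)

    def _drop(self, sid):
        rec = self._sessions.pop(sid, None)
        if rec is not None:
            self._by_federation.pop((rec["idp"], rec["name_id"], rec["session_index"]), None)
        return rec


if __name__ == "__main__":
    # Constructed values standing in for what the Fedlet returns after SSO.
    store = SpSessionStore()
    sid = store.create_from_assertion(
        "https://idp.example.com/fed/idp", "_transient-nameid-0001", "s2idx-0001",
        {"mail": ["alice@example.com"], "role": ["staff"]},
        session_not_on_or_after=time.time() + 3600)
    print("session created, attributes:", store.get(sid)["attributes"])
    print("IdP logout removed:", store.logout_from_idp(
        "https://idp.example.com/fed/idp", "_transient-nameid-0001", "s2idx-0001"))
    print("session still valid:", store.get(sid) is not None)
```

In a Java Fedlet deployment the equivalent record lives in the servlet container's HttpSession; the points that carry over are the unguessable identifier, the expiry bound taken from the assertion, and the NameID/SessionIndex index without which an IdP-initiated LogoutRequest has nothing to act on.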

1.5.5 Oracle OpenSSO Fedlet Identity Provider Discovery Service with Multiple Identity Providers

Your existing identity federation deployment has the Oracle OpenSSO Fedlet configured with multiple identity providers in a circle of trust, and you want to configure the Oracle OpenSSO Fedlet to use the identity provider discovery service to determine the preferred identity provider. See the following sections:

1.5.6 Oracle OpenSSO Fedlet Signing and Encryption

The Oracle OpenSSO Fedlet supports XML signature verification and decryption of encrypted Assertion, NameID, and Attribute elements. See the following sections:

1.5.7 Oracle OpenSSO Fedlet Attribute Query

You are a service provider that wants to use the Oracle OpenSSO Fedlet attribute query feature with an identity provider to retrieve user attributes to customize the service you provide for your users. See Section 3.10, "Configuring the Java Oracle OpenSSO Fedlet for SAML 2.0 Attribute Query." (The attribute query feature is not supported by the .NET Fedlet.)

1.5.8 Oracle Identity Federation as an Additional Identity Provider With OpenSSO 8.0 Update 1

Your existing identity federation deployment has the Oracle OpenSSO Fedlet installed with Oracle OpenSSO 8.0 Update 1 configured as an identity provider, and you want to add an Oracle Identity Federation identity provider to your deployment. See the following sections: