Configuration Parameters – Oracle Access Manager Plug-ins – Federation

  • LogLevel – Controls the amount of information logged to INSTALL_DIR/oblix/logs/authz_attribute_plug-in_log.txt.
    • off – Nothing is logged except errors (this is the default).
    • audit – One line is logged for each authentication request, showing the access decision, the user’s certificate subject DN or local directory DN, the HTTP operation, and the local part of the requested URL.
    • debug – Logs extensive information useful in debugging problems.
  • HTTP connection parameters (authz_attribute plug-in to the Oracle Identity Federation Attribute Requester Service), consisting of:
    • WaitTime – This is the time in seconds to wait for a response; default is 30 seconds.
    • SizeLimit – This is the maximum size in bytes of HTTP messages sent and received (default is 0, which means unlimited).
    • MaxConnections – This is the maximum number of concurrent HTTP connections (default is 5).
    • InitialConnections – This is the number of HTTP connections opened initially (default is 2).
  • Parameters for authentication of the authz_attribute plug-in to the Oracle Identity Federation Attribute Requester Service, including:
    • Authn – authentication method
      • none – no authentication
      • basic – use HTTP basic authentication with Username and Password (default)
      • cert – use SSL client certificate authentication using key.pem, cert.pem, and KeyPassword
    • Username – This is the username for basic authentication.
    • Password – This is the password for basic authentication.
    • KeyPassword – This is the password for key.pem for SSL client certificate authentication.
  • Attribute value cache parameters, including:
    • CacheTimeout – This is the time, in seconds, that cached attribute values will be held before requiring updated values (default 3600 seconds – 1 hour; 0 disables caching).
    • MaxCachedUsers – This is the maximum number of users with cached attribute values; if the cache is full, the least recently used unexpired entries will be reclaimed (default is 1000).
  • Mappings of subject DNs to Attribute Requester Service URLs. For each Attribute Requester Service, specify:
    • URL – the URL for the service, of the form %HTTP_PROTOCOL%://%OIF_HOST%:%OIF_PORT%/fed/ar/soap, where:
      • %HTTP_PROTOCOL% – http or https
      • %OIF_HOST%:%OIF_PORT% – This is the host and port of Oracle Identity Federation.

      For example: https://fed1.company.com:7499/fed/ar/soap

    • Local – if true, the matching users are local and no Attribute Requester Service is used; the URL parameter is then ignored.
    • DN – one or more elements specifying a DN pattern to match against the user Subject DN; the pattern is simply the rightmost components of the DN. For example: O=PeerA,C=US
  • Attribute query properties – The RequestFormat parameter determines the attributes and values returned in an attribute response. RequestFormat overrides authorization rules; for example, if an authorization rule specifies both attributes and values, but RequestFormat specifies names, the query omits values. RequestFormat can be specified with these options:
    • RequestFormat="values"

      The AttributeQuery contains attribute names and values taken from the authorization rule’s ruleExpression. The Attribute Responder will only return user attributes and values that are in the AttributeQuery. This is the default setting. This setting minimizes the amount of memory used for cached attribute values (values are only requested when needed for authorization), at the cost of more frequent attribute requests.

    • RequestFormat="names"

      The AttributeQuery contains the attribute names taken from the ruleExpression, but not their values. The Attribute Responder returns all of the user’s values for the named attributes, subject to any Responder policies controlling access to the attribute values. This setting is a trade-off between cache memory usage and attribute requests that lies between the "values" and "all" settings. Note: With this setting, the AttributeQuery does not disclose to the IdP which attribute values are required for authorization; for security reasons, this might be preferred over the "values" setting.

    • RequestFormat="all"

      The AttributeQuery does not contain any attribute names or values. The Attribute Responder returns all the attributes and values for the user, subject to any Responder policies controlling access to the attribute values. This setting minimizes the number of attribute requests (only one request per user), at the cost of more memory used for caching attribute values before they are used (and they may never be used) for authorization. This setting works best when the Attribute Responder policies have been configured to return only attributes that the SP might want. Note: With this setting, the AttributeQuery does not disclose to the IdP which attributes are required for authorization; for security reasons, you may prefer this over the "values" and "names" settings.

As illustrated in the sample config.xml file, the RequestFormat parameter can appear in the <Config> element, where it sets the default request format, and in the <Mapping> elements, where it sets the request format for subject DNs covered by the mappings.
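The following Python sketch is an added illustration of the mapping and RequestFormat behaviour described above; it is not Oracle's code and does not parse the real config.xml. It models the page's rule that a DN pattern matches the rightmost components of the Subject DN, assumes (the page does not say) that the longest matching pattern wins when several mappings match, and shows what each RequestFormat setting puts into the AttributeQuery.

```python
from dataclasses import dataclass
from typing import Optional

def dn_components(dn: str) -> list:
    # Normalize a DN into lower-cased, trimmed RDN components.
    # Simplification: escaped commas (RFC 4514 quoting) are not handled.
    return [c.strip().lower() for c in dn.split(",") if c.strip()]

def dn_matches(subject_dn: str, pattern: str) -> bool:
    # The page's rule: a pattern is the rightmost components of the DN.
    subj, pat = dn_components(subject_dn), dn_components(pattern)
    return 0 < len(pat) <= len(subj) and subj[-len(pat):] == pat

@dataclass
class Mapping:                      # hypothetical model of a <Mapping> element
    dn_patterns: list
    url: Optional[str] = None       # ignored when local is True
    local: bool = False
    request_format: Optional[str] = None  # None inherits the <Config> default

def select_mapping(mappings, subject_dn):
    # Assumption (not stated on the page): the longest matching pattern wins.
    best, best_len = None, 0
    for m in mappings:
        for p in m.dn_patterns:
            n = len(dn_components(p))
            if n > best_len and dn_matches(subject_dn, p):
                best, best_len = m, n
    return best

def build_attribute_query(mappings, default_format, subject_dn, rule_attrs):
    # rule_attrs: {name: [values]} taken from the authorization rule's
    # ruleExpression.  Returns (service_url, request_format, query), where
    # query models the content of the AttributeQuery for that format.
    m = select_mapping(mappings, subject_dn)
    if m is None:
        raise LookupError("no DN mapping for " + subject_dn)
    if m.local:
        return None, None, None   # local user: no Attribute Requester Service
    fmt = m.request_format or default_format
    if fmt == "values":   # names and values from the rule (the default)
        query = {a: list(v) for a, v in rule_attrs.items()}
    elif fmt == "names":  # names only: rule values are not disclosed to the IdP
        query = {a: None for a in rule_attrs}
    elif fmt == "all":    # no names or values: one request fetches everything
        query = {}
    else:
        raise ValueError("unknown RequestFormat " + repr(fmt))
    return m.url, fmt, query
```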
