Saturday, March 12, 2016

Overview of Oracle Identity Federation

What exactly is OIF?
Basically, it allows different organizations to share their services using a single identity that is maintained by one of them.

So what exactly does that mean?
Take an example to understand the usage of OIF:
Let's say a company, CCC, wants to use the services of an insurance company so that CCC employees can access the Insurance Portal. For this, the insurance company would need the CCC employee database, so that when CCC employees want to use the insurance services they can be authenticated and authorized to do so. But CCC can't share its database.

So in this scenario, how can the Insurance Portal become part of CCC Company?
The answer is Federation.

Thus CCC Company, which already uses OAM SSO for its employees, decides to enable the Federation feature, and a similar OAM setup is done on the insurance side.
In this case CCC Company acts as the Identity Provider (IdP) while the insurance company acts as the Service Provider (SP).

What are IdP & SP?
Oracle Identity Federation supports two integration modes with Oracle Access Manager: authentication mode and SP mode.

Authentication Mode (IdP)
In the authentication mode, Oracle Identity Federation delegates authentication of the user to Oracle Access Manager. The user is redirected to an Oracle Identity Federation resource protected by WebGate, which triggers the Oracle Access Manager authentication flow. Once the user is identified, they access the resource, and WebGate provides Oracle Identity Federation with an HTTP header containing the user's identity.

SP Mode
In the SP mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation creates a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.

Use Case:
  • The user accesses the CCC company portal and clicks the Insurance portal link. The user is redirected to the Insurance portal, where he is asked to enter his credentials.
  • The user submits his credentials, which are actually stored in the CCC company database. The Insurance site therefore sends the credentials submitted by the user to CCC company in SAMLv2.0 token form.
  • CCC company replies in SAMLv2.0 as well; the Insurance portal reads the token returned by CCC and, based on the reply (whether the user is valid and authorized or not), decides whether to let the user access the Insurance services.


So in this way they get federated seamlessly.
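As an added example (not code from the original post, and not Oracle's own implementation), here are the checks the SP side of the use case above, the Insurance portal, should apply to the SAMLv2.0 Response it gets back from the CCC IdP before trusting the identity in it: a success status, a match to the outstanding request, a trusted issuer, the validity window, and the audience. The IdP and SP URLs, request id and user are constructed sample values, and verification of the XML signature on the Response is assumed to have been done already.

```python
# Added example: SP-side validation of a SAML 2.0 Response from the IdP.
# Issuer, audience, request id and user are constructed sample values;
# XML signature verification is assumed to run before these checks.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample Response, as the CCC IdP would return it to the SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_resp1" InResponseTo="_req42" Destination="https://insurance.example/sp/acs">
  <saml:Issuer>https://idp.ccc.example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.ccc.example</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@ccc.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-03-12T10:00:00Z" NotOnOrAfter="2016-03-12T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://insurance.example/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(s):
    """Parse a SAML UTC timestamp such as 2016-03-12T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, idp, audience, request_id, now):
    """Return the federated NameID if the Response passes the SP checks, else raise."""
    root = ET.fromstring(xml_text)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("InResponseTo") != request_id:          # unsolicited or replayed
        raise ValueError("Response does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != idp:
        raise ValueError("Assertion issuer is not the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:                       # token meant for another SP
        raise ValueError("Assertion was issued for a different SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```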
