What is an Identity?
An identity is the virtual representation of an enterprise resource user, including employees, customers, partners and vendors. Identity Management governs the rights and relationships that identity has when interacting with the company's network and applications.
What is Federation?
Federation is the linking of a user's accounts across providers that belong to a circle of trust, so that an authentication performed by one provider can be accepted by another.
What is Federated Identity?
An identity that is usable across security domains is called a federated identity. It is formed by linking one or more of the user's accounts at one or more identity providers and service providers within a circle of trust, so that the partners can rely on each other's statements about the user.
What is the difference between Multi Domain SSO and Federation?
There are a couple of differences, listed below.
Identity Federation refers to the ability to accept users who were not authenticated in your own systems (e.g. they authenticated with Twitter, Facebook, someone else's Active Directory, etc.).
SSO is the ability to log in once and then access many applications without entering credentials again.
You often achieve SSO through federation, but you can have SSO without it (e.g. an Active Directory domain and multiple applications in that domain: you only sign in once).
What is an Identity Provider and Service Provider?
The IdP is the site that authenticates the user and sends an assertion to the destination site, the SP. The SP is the site that consumes the assertion, determines the user's entitlements, and grants or denies access to the requested resource.
Explain the flow when a user makes a federation request.
Step 1: The user logs in to the identity provider with an ID and password. Once the user is authenticated, the IdP places a session cookie in the browser.
Step 2: The user then clicks a link to an application residing on the service provider. The IdP recognises the session from the browser cookie, creates a SAML assertion for that user, digitally signs it, and sends the browser on to the SP carrying the assertion.
Step 3: The SP receives the SAML assertion, validates it (signature, issuer, audience and validity window), extracts the user's identity information, and maps the user to a local user account on the destination site.
Step 4: An authorization check is then performed and, if it succeeds, the SP redirects the user's browser to the protected resource. Having validated the assertion, the SP places its own session cookie in the browser, so the user can now navigate between applications in both domains without logging in again.
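The checks the SP has to perform in step 3 before it trusts anything in the assertion are the part of this flow that is most often done wrong. The following is an added example, not code from the original page and not Oracle Identity Federation's own implementation: a plain-Python validator for a SAML 2.0 bearer assertion that enforces issuer, replay, validity window, audience, recipient, and InResponseTo checks in that order. The entity IDs, the ACS URL and the assertion itself are constructed for the example. The standard library has no XML-DSig, so the signature check is represented by the `signature_verified` flag, which a real SP would set from an XML signature library (for example xmlsec or signxml) run against the IdP's metadata certificate before calling this function.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'
NS = {'saml': SAML}
BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'

# Assumed identifiers for this example's IdP and SP (not from the original page).
IDP_ENTITY_ID = 'https://idp.example.com/fed/idp'
SP_ENTITY_ID = 'https://sp.example.org/fed/sp'
ACS_URL = 'https://sp.example.org/fed/sp/sso'

# Constructed sample assertion in the shape an IdP emits after step 2 (unsigned for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/fed/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jones@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" InResponseTo="_req42"
          Recipient="https://sp.example.org/fed/sp/sso"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/fed/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_s1"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jones@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>developer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlValidationError(Exception):
    pass


def _utc(ts):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, sp_entity_id, acs_url, trusted_issuers, seen_ids, now,
                       signature_verified, expected_in_response_to=None, skew=timedelta(minutes=2)):
    """SP-side checks for step 3; returns the subject and attributes only if every check passes.

    signature_verified is the outcome of an XML-DSig check done earlier with a proper library
    (assumed here); nothing below is trustworthy unless that check succeeded.
    """
    if not signature_verified:
        raise SamlValidationError('assertion signature not verified')
    root = ET.fromstring(xml_text)
    if root.tag != '{%s}Assertion' % SAML or root.get('Version') != '2.0':
        raise SamlValidationError('not a SAML 2.0 Assertion')
    issuer = root.findtext('saml:Issuer', namespaces=NS)
    if issuer not in trusted_issuers:
        raise SamlValidationError('untrusted issuer %r' % issuer)
    assertion_id = root.get('ID')
    if not assertion_id or assertion_id in seen_ids:            # one-time use per assertion ID
        raise SamlValidationError('replayed or missing assertion ID')
    cond = root.find('saml:Conditions', NS)
    if cond is None:
        raise SamlValidationError('missing Conditions')
    if cond.get('NotBefore') and now + skew < _utc(cond.get('NotBefore')):
        raise SamlValidationError('assertion not yet valid')
    if cond.get('NotOnOrAfter') and now - skew >= _utc(cond.get('NotOnOrAfter')):
        raise SamlValidationError('assertion expired')
    audiences = [a.text for a in cond.findall('saml:AudienceRestriction/saml:Audience', NS)]
    if sp_entity_id not in audiences:                           # issued for some other SP
        raise SamlValidationError('audience mismatch: %r' % audiences)
    conf = root.find('saml:Subject/saml:SubjectConfirmation', NS)
    data = conf.find('saml:SubjectConfirmationData', NS) if conf is not None else None
    if conf is None or conf.get('Method') != BEARER or data is None:
        raise SamlValidationError('missing bearer SubjectConfirmation')
    if data.get('Recipient') != acs_url:                        # meant for a different endpoint
        raise SamlValidationError('Recipient %r is not this ACS' % data.get('Recipient'))
    if data.get('NotOnOrAfter') and now - skew >= _utc(data.get('NotOnOrAfter')):
        raise SamlValidationError('SubjectConfirmation expired')
    if expected_in_response_to is not None and data.get('InResponseTo') != expected_in_response_to:
        raise SamlValidationError('InResponseTo does not match our AuthnRequest')
    if root.find('saml:AuthnStatement', NS) is None:
        raise SamlValidationError('no AuthnStatement: not an authentication assertion')
    seen_ids.add(assertion_id)                                  # record only after all checks pass
    attrs = {a.get('Name'): [v.text for v in a.findall('saml:AttributeValue', NS)]
             for a in root.findall('saml:AttributeStatement/saml:Attribute', NS)}
    return {'issuer': issuer, 'attributes': attrs,
            'name_id': root.findtext('saml:Subject/saml:NameID', namespaces=NS)}


def demo():
    """Validate the sample once, then show replay, expiry and a wrong audience being rejected."""
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    base = dict(sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, trusted_issuers={IDP_ENTITY_ID},
                seen_ids=set(), now=now, signature_verified=True, expected_in_response_to='_req42')
    ok = validate_assertion(SAMPLE_ASSERTION, **base)
    results = {'first': ok['name_id'], 'attributes': ok['attributes']}
    cases = {'replay': {},                                      # same seen_ids, same assertion ID
             'expired': {'seen_ids': set(), 'now': now + timedelta(minutes=10)},
             'wrong_audience': {'seen_ids': set(), 'sp_entity_id': 'https://other.example.net/sp'}}
    for label, override in cases.items():
        try:
            validate_assertion(SAMPLE_ASSERTION, **dict(base, **override))
            results[label] = 'accepted'
        except SamlValidationError as exc:
            results[label] = str(exc)
    return results
```

Calling `demo()` accepts the sample on the first pass and returns the rejection reasons for the three negative cases. The replay cache (`seen_ids`) only needs to hold IDs for as long as the longest NotOnOrAfter plus skew, since anything older fails the time check anyway.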
What is the authentication mechanism used for federation?
Assertions. The IdP creates a signed assertion and sends it to the SP, which validates it (signature, issuer, audience and validity window) before trusting the identity it carries.
What is Mapped Federation?
Mapped Federation (Account Mapping): the user has an account at both federation partners, IdP and SP. The IdP account is mapped to the SP account by a common attribute, giving a 1-to-1 link based on shared information such as email, DN or uid.
What is Linked Federation?
Linked Federation (Account Linking): an extension of mapped federation in which the user has an account at both partners but there is no common attribute to map on. The link is still 1-to-1 between the IdP and SP accounts, but it has to be established explicitly. For example, the employeeNumber attribute (or some other attribute) on the IdP side is linked to a different attribute, such as uid or email, on the SP side.
What is Role-based Federation?
Role-based Federation (attribute-based): instead of an attribute that identifies one specific user, the IdP sends a non-unique attribute such as the identity's role (manager, developer), and the SP grants access on that basis without needing a per-user local account.
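To make the three federation styles above concrete, here is an added example (not code from the original page and not Oracle's) of how an SP might resolve the subject of a validated assertion under each style. The local user store, the link table and the role policy are constructed stand-ins. The point worth noticing is the mapped case: if the shared attribute matches more than one local account, the SP must refuse rather than pick one, otherwise a duplicate mail value becomes an account takeover.

```python
# Constructed local identity store at the SP (stand-in for a real directory).
LOCAL_USERS = {
    'jones':  {'mail': 'jones@example.com', 'employeeNumber': '1001'},
    'smith':  {'mail': 'smith@example.com', 'employeeNumber': '1002'},
    'smith2': {'mail': 'smith@example.com', 'employeeNumber': '1003'},  # duplicate mail on purpose
}

# Linked federation: (IdP entity ID, IdP-side attribute value) -> local account.
# Written once, when the user proved ownership of both accounts; nothing is inferred at login.
IDP = 'https://idp.example.com/fed/idp'          # assumed entity ID for the example
LINKS = {(IDP, '1001'): 'jones'}

# Role-based federation: no local account; entitlements follow from the asserted role.
ROLE_ENTITLEMENTS = {
    'manager':   {'reports:read', 'reports:approve'},
    'developer': {'reports:read'},
}


class MappingError(Exception):
    pass


def mapped_account(attr_name, attr_value):
    """Mapped federation: the asserted attribute must match exactly one local account."""
    matches = [uid for uid, attrs in LOCAL_USERS.items() if attrs.get(attr_name) == attr_value]
    if len(matches) != 1:
        # Zero matches is an unknown user; more than one is ambiguous. Fail closed in both cases.
        raise MappingError('%s=%r matched %d accounts' % (attr_name, attr_value, len(matches)))
    return matches[0]


def linked_account(idp_entity_id, idp_attr_value):
    """Linked federation: the IdP-side value means nothing locally until an explicit link exists."""
    try:
        return LINKS[(idp_entity_id, idp_attr_value)]
    except KeyError:
        raise MappingError('no account link for %r from %s' % (idp_attr_value, idp_entity_id))


def role_entitlements(roles):
    """Role-based federation: union of entitlements for known roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    return granted
```

With these, `mapped_account('mail', 'jones@example.com')` resolves to `jones`, while `mapped_account('mail', 'smith@example.com')` raises because two accounts share that mail value; `linked_account(IDP, '1001')` resolves through the link table regardless of what the local attributes are called.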
What is the latest version of OIF?
The latest available OIF version (as of April 2012) is 11.1.1.6 (11g R1 PS5). 11g R1 PS5 (11.1.1.6) is a patch set only, which means it must be installed on top of the 11.1.1.2 base release.
Where is the identity store located by default?
The default identity store for OIF is WebLogic's embedded LDAP server. It can be changed to an external LDAP server (OID, AD, ODSEE, etc.) either at the initial configuration stage or later using Enterprise Manager (EM).
What is the purpose of rule designer?
The Rule Designer form is used to create rules that can be applied to password policy selection, automatic group membership, provisioning process selection, task assignment, and prepopulating adapters.
What is DN and RDN?
A Distinguished Name (DN) is the name that uniquely identifies an entry in the LDAP server and gives its position in the directory tree; it is the sequence of Relative Distinguished Names (RDNs) from the entry up to the root. An RDN is the leftmost component of the DN and must be unique among the entry's siblings under the same parent.
For example, cn=Jones,dc=oracle,dc=com is the DN of user Jones, and cn=Jones is its RDN.
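Splitting a DN into its RDNs is not a plain split on commas: RFC 4514 lets a comma, plus sign, semicolon, quote, angle bracket or backslash appear inside a value if it is escaped, either as `\,` or as a hex pair such as `\2C`, and a `+` separates the values of a multi-valued RDN. The following added example (not code from the original page and not from any Oracle product) is a small RFC 4514 parser and escaper, plus a `user_dn` helper showing why a DN built from user input has to escape the value: an unescaped cn of `Jones,ou=admins` would otherwise add an extra RDN to the DN. The DN strings in the tests are constructed for the example.

```python
import re

# RFC 4514 section 2.4: characters that must be escaped wherever they occur in a value.
_SPECIAL = set('"+,;<>\\')
_HEXPAIR = re.compile(r'[0-9A-Fa-f]{2}')


def escape_dn_value(value):
    """Escape one attribute value so it can be embedded in a string DN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c in _SPECIAL:
            out.append('\\' + c)
        elif c in ' #' and i == 0:
            out.append('\\' + c)            # a leading space or '#' must be escaped
        elif c == ' ' and i == last:
            out.append('\\ ')               # a trailing space must be escaped
        elif ord(c) < 0x20:
            out.extend('\\%02X' % b for b in c.encode('utf-8'))  # control chars as hex pairs
        else:
            out.append(c)
    return ''.join(out)


def parse_dn(dn):
    """Parse a string DN into RDNs, leftmost first (RFC 4514 section 3).

    Each RDN is a list of (attributeType, attributeValue) pairs; a multi-valued RDN such as
    cn=Jones+uid=jones yields two pairs. Unescaped ',' ';' and '+' are structural, escaped
    ones ('\\,' or '\\2C') are part of the value. Whitespace inside values is kept as-is.
    """
    if dn == '':
        return []                            # the empty DN names the root DSE
    rdns, rdn, attr_type, value, hex_bytes = [], [], [], [], bytearray()
    in_value = False

    def flush_hex():                         # consecutive \XX pairs form one UTF-8 sequence
        if hex_bytes:
            value.append(hex_bytes.decode('utf-8'))
            hex_bytes.clear()

    def end_attr():
        nonlocal in_value
        flush_hex()
        name = ''.join(attr_type).strip()
        if not in_value or not name:
            raise ValueError('malformed RDN in %r' % dn)
        rdn.append((name, ''.join(value)))
        attr_type.clear()
        value.clear()
        in_value = False

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if not in_value:                     # reading the attribute type
            if c == '=':
                in_value = True
            elif c in ',;+':
                raise ValueError('attribute type without value in %r' % dn)
            else:
                attr_type.append(c)
            i += 1
        elif c == '\\':
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and _HEXPAIR.fullmatch(pair):
                hex_bytes.append(int(pair, 16))   # \XX: one raw byte of the value
                i += 3
            elif i + 1 < n:
                flush_hex()
                value.append(dn[i + 1])           # \c: the literal character c
                i += 2
            else:
                raise ValueError('dangling escape in %r' % dn)
        elif c in ',;':                      # end of this RDN
            end_attr()
            rdns.append(rdn)
            rdn = []
            i += 1
        elif c == '+':                       # another attribute in the same RDN
            end_attr()
            i += 1
        else:
            flush_hex()
            value.append(c)
            i += 1
    end_attr()
    rdns.append(rdn)
    return rdns


def rdn_to_string(rdn):
    """Render one parsed RDN back to string form with proper escaping."""
    return '+'.join('%s=%s' % (t, escape_dn_value(v)) for t, v in rdn)


def rdn_of(dn):
    """Return the leftmost RDN, e.g. 'cn=Jones' for 'cn=Jones,dc=oracle,dc=com'."""
    return rdn_to_string(parse_dn(dn)[0])


def user_dn(cn, base_dn):
    """Build a user's DN from an untrusted cn; escaping keeps it a single cn= value."""
    return 'cn=%s,%s' % (escape_dn_value(cn), base_dn)
```

`parse_dn('cn=Jones\\, Bob+uid=jbob,dc=oracle,dc=com')` yields three RDNs, the first of them two-valued with cn `Jones, Bob`; `user_dn('Jones,ou=admins', 'dc=oracle,dc=com')` produces `cn=Jones\,ou=admins,dc=oracle,dc=com`, which still parses to three RDNs rather than four.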
How do you define Identity Management & Access Management?
Identity Management enables customers to manage the end-to-end lifecycle of user identities across all enterprise resources securely. Access Management provides web access management, including authentication, fine-grained authorization, federation and proactive online fraud prevention.
What are various domains that fall under identity management?
Identity Management, Access Management and Directory Management. The Oracle products that fall under Identity Management are Oracle Identity Manager and Oracle Role Manager. The Oracle products that fall under Access Management are Oracle Access Manager, Oracle Entitlements Server, Oracle Adaptive Access Manager, Oracle Identity Federation and Enterprise Single Sign-On. The Oracle products that fall under Directory Management are OID and OVD.
What is an object class, and what are its types?
An object class defines the set of attributes an entry may (and must) have. There are three kinds:
Structural: defines the attributes the entry may have and where the entry may occur in the DIT; every entry belongs to exactly one structural object class (together with that class's superclasses).
Auxiliary: adds attributes the entry may have without affecting where it sits in the DIT.
Abstract: a "partial" specification used only as a parent in the object class hierarchy (top, for example); an entry cannot be an instance of an abstract class directly, only of its structural and auxiliary subclasses.