Oracle® Access Manager Integration Guide 10g (10.1.4.0.1)
Part Number B25347-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Access Manager?
Product and Component Name Changes
Supported Integrations
Updates to the OracleAS Single Sign-On Integration
Updates to the Oracle Identity Federation Integration
Updates to the Siebel 7 Integration
Updates to the SAP Integration
Updates to the RSA SecurID Integration
Updates to the WebLogic Integration
Updates to the WebSphere Integration
Updates to the Plumtree Integration
1
Introduction
1.1
About Oracle Access Manager Integrations
1.1.1
Integrations With Other Oracle Products
1.1.2
Integrations with Third-Party Products
Part I Integration with Oracle Fusion Applications and Middleware
2
Integrating the Apache v1.3 and Oracle HTTP Server
2.1
About the Integration of OHS and Oracle Access Manager
3
Integrating the Oracle Virtual Directory
3.1
About the Integration of Oracle Virtual Directory and Oracle Access Manager
4
Integrating with Oracle Application Servers
4.1
Integration Overview and Environment Preparation
4.1.1
Supported Authentication Schemes for the Oracle Application Servers
4.1.2
OracleAS 10g Infrastructure
4.1.3
Integration Architecture
4.1.4
Supported Versions and Platforms
4.1.5
Preparing Your Environment
4.2
Single Sign-On with OracleAS 10g
4.2.1
Enabling Single Sign-On
4.2.1.1
Creating the Java Class for Integration
4.2.2
Integrating the Delegated Administration Service
4.2.3
Integrating the Portal
4.2.4
Enabling Single Sign-On for Forms
4.2.5
Integrating Reports Services
4.2.6
Synchronizing the OID and Oracle Access Manager LDAP Directory
4.2.7
Implementing Global Logout from OracleAS Single Sign-On and Access Server
4.2.8
Configuring Oracle Access Manager for Integration with OracleAS 10g
4.2.9
Protecting the Single Sign-On Login URL
4.3
Authorization Support for Applications Protected by OracleAS Single Sign-On
4.3.1
About Authorization of OracleAS Single Sign-On-Protected Applications
4.3.2
Configuring Authorization Support for OracleAS Single Sign-On-Protected Resources
4.4
Testing the Integration with OracleAS
4.5
OracleAS 10g Files
4.5.1
SSOOblixAuth.java
4.5.2
Logout.jsp
4.6
Troubleshooting the OracleAS 10g Integration
5
Federated Single Sign-On Using Oracle Identity Federation
5.1
About Federated Single Sign-On
5.2
About Federated Authorization
5.3
Setting up the Federated Attribute Sharing Environment
5.3.1
Setting Parameters in the config.xml File
5.3.2
Configuring Basic Authentication
5.3.3
Configuring SSL and Client Certificate Authentication
5.3.4
Configure the Session Token Cache for Federated Attribute Sharing
5.4
Configuring the Authentication Scheme for Attribute Sharing
5.4.1
Configuring the Basic Components of the Authentication Scheme
5.4.2
Configuring Plug-ins and Steps for the Authentication Scheme
5.5
Configuring the Authorization Schemes and Policies for Attribute Sharing
5.5.1
Configuring Basic Characteristics of the Authorization Scheme
5.5.2
Configuring Rules and Policies for the Attribute Sharing Authorization Scheme
6
Integrating Siebel 7
6.1
About the Integration with Siebel 7
6.1.1
Siebel 7 Components
6.2
Integration Architecture
6.3
Supported Version and Platforms
6.4
Preparing Your Environment
6.5
Setting Up Oracle Access Manager Single Sign-on for Siebel Application Server
6.5.1
Setting Up Siebel 7 for integration with Oracle Access Manager
6.5.2
Setting up Oracle Access Manager for Integration with Siebel 7
6.5.3
Testing Integration Between Oracle Access Manager and Siebel
6.6
Configuring Session Logout
6.6.1
Configuring the Siebel Timeout
6.6.2
Configuring the Oracle Access Manager Session Timeout
6.6.3
Configuring the Siebel Logout Behavior
7
Integrating PeopleSoft
7.1
About the Integration with PeopleSoft
7.2
PeopleSoft Components
7.3
PeopleSoft Integration Architecture
7.3.1
Single Sign-On Process
7.4
Supported Version and Platforms
7.5
Preparing Your Environment
7.6
Setting Up Oracle Access Manager Single Sign-On for PeopleSoft
7.7
Setting up PeopleSoft for Single Sign-On with Oracle Access Manager
7.8
Configuring Single Signoff
8
Integrating Oracle eBusiness Suite
8.1
About the Integration with Oracle eBusiness Suite
Part II Integration with Third-Party Applications
9
Integrating the Security Provider for WebLogic SSPI
9.1
About the Security Provider
9.1.1
WebLogic and Oracle Access Manager Integration Points
9.2
Integration Architecture
9.2.1
Authentication for Mixed Web and Non-Web Resources
9.2.2
Authentication for Web-Only Resources
9.2.3
Authentication for the Portal
9.3
Supported Versions and Platforms
9.4
Online Assistance
9.5
Installing and Configuring the Security Provider
9.5.1
Preparing the Environment
9.5.2
Installing the Security Provider
9.5.3
Completing a Typical Installation
9.5.4
Completing Advanced Installation
9.5.5
Setting Up WebLogic Policies in Oracle Access Manager
9.5.6
Running the NetPoint Policy Deployer
9.5.7
Manually Configuring WebLogic Policies in Oracle Access Manager
9.5.8
Mapping WebLogic Resources to Oracle Access Manager Resources
9.5.8.1
NetPointResourceMap.conf File Format
9.5.9
Preparing the WebLogic Environment
9.5.10
Configuring the Identity Server
9.5.11
Configuring Multiple WebPass Instances
9.6
Configuring Single Sign-On for the Portal Server
9.6.1
Configuring web.xml to Add Filter-related Nodes
9.6.2
Adding Authentication Methods to web.xml
9.6.3
Configuring the login jsp used by the Login Portlet
9.6.4
Copying ObLoginFilter.class in the WEB_INF/classes
9.6.5
Completing Setup
9.6.6
Testing Single Sign-On for the Portal Server
9.7
Authorization Data from an External Source
9.8
Audit Files
9.9
Debug Log Files
9.10
User Creation/Deletion and Group Creation
9.11
Configuration Files
9.11.1
NetPointProvidersConfig.properties
9.11.2
NetPointWeblogicTools.properties
9.12
Implementation Notes for Active Directory
9.12.1
Configuring Security Provider for WebLogic
9.12.2
Setting a Domain in NetPointProvidersConfig.properties
9.12.2.1
About Parameter Names in the NetPointProvidersConfig.properties file
9.12.2.2
Setting up Cookies and Header Attributes in SSPI
9.13
Tips
9.13.1
WebLogic Portal Admin Console Changes
9.13.1.1
Configuring Multiple Policy Domains for Different WebLogic Servers
9.14
References
9.15
Troubleshooting the Security Provider for WebLogic
9.16
Additional Resources
10
Integrating with IBM WebSphere
10.1
About the Connector for WebSphere
10.1.1
WebSphere Components
10.1.2
Connector for WebSphere Components
10.2
Integration Architecture
10.2.1
Scenario 1: Use of NetPointWASRegistry
10.2.2
Scenario 2: Architecture for Single Sign-On
10.2.3
Mapping Users and Groups to Security Roles in WAS
10.3
Integration Scenario with the Oracle Access Manager CMR
10.4
Supported Versions and Platforms
10.5
Preparing to Install the Connector
10.5.1
Preparing Your Environment
10.5.2
Configuring the Identity System for WAS Integration
10.5.2.1
Configuring WebPass Failover
10.5.2.2
Configuring the Identity Server
10.5.3
Configuring the Access System for WAS Integration
10.5.3.1
Configuring the AccessGate for WAS Integration
10.5.4
Configuring Resource Protection in the Access System
10.5.4.1
Defining a Resource Type for WebSphere
10.5.4.2
Defining an Authentication Scheme for WebSphere
10.5.4.3
Defining a Policy Domain for WebSphere
10.5.5
Defining a Policy Domain for the WebSphere v6.0 Administration Console
10.6
Installing the Connector for WebSphere
10.6.1
Launching the Installation
10.6.2
Defining the Installation Directory
10.6.3
Specifying Connector Details
10.6.4
Completing Details for the WebGate
10.6.5
Specifying AccessGate Details
10.6.6
Installing a Certificate
10.6.7
Configuring Multiple WebPass Instances for the Connector
10.7
Completing Connector Setup
10.7.1
Setting Up the Connector for WebSphere
10.7.2
Testing Environment Setup
10.8
Configuring WebSphere Application Server v5
10.8.1
Enabling the NetPointWASRegistry in WAS v5
10.8.2
Testing the NetPointWASRegistry for WebSphere v5
10.8.3
Configuring the TAI for WebSphere v5
10.8.3.1
Testing the TAI for WAS v5
10.8.3.2
Enabling Logging for TAI for WAS v5
10.9
Integrating with WebSphere Portal v5
10.9.1
About Integration with the CMR
10.9.2
Setting up the WebSphere Portal v5.0.2 for Oracle Access Manager
10.9.3
Setting Up WebSphere Portal v5.1 With Oracle Access Manager
10.9.4
Managing Users and Groups with Portal v5
10.9.5
Modifying User Profiles and Attributes
10.9.6
Password Management with Portal v5
10.9.7
Access Control for the WebSphere Portal v5
10.9.8
Configuring Single Sign-on Functions for the Portal v5
10.10
Configuring the WebSphere Application Server v6
10.10.1
Enabling the NetPointWASRegistry for WAS v6
10.10.2
Testing the NetPointWASRegistry for WebSphere v6
10.10.3
Configuring the TAI for WebSphere v6
10.10.4
Testing the TAI for WAS v6
10.10.5
Enabling Logging for TAI for WAS v6
10.11
Configuration Files
10.11.1
NetPointWASRegistry.properties
10.11.2
WebGate.properties
10.11.3
TrustedServers.properties
10.12
Implementation Notes for the TAI
10.13
Implementation Notes for Active Directory
10.13.1
Configuring the Connector for WebSphere for an Active Directory Forest
10.13.2
Set Active Directory Domain in NetPointWASRegistry.properties
10.14
Troubleshooting the Connector for WebSphere
10.14.1
Troubleshooting the Connector for Portal Server v5
10.14.1.1
Portal Server v5 Installation-Related Issues
10.14.1.2
Custom Security Integration Related Issues
11
Integrating Plumtree Corporate Portal
11.1
About the Integration with Plumtree Corporate Portal
11.2
Supported Versions and Platforms
11.3
Enabling Single Sign-on in Plumtree 5.0.4
11.3.1
Creating a Single Sign-On Authentication Source
11.3.2
Creating an LDAP Authentication Source
11.3.3
Editing Configuration Files to Support Single Sign-On
11.3.4
Synchronizing LDAP Data with Plumtree Database
11.3.4.1
Viewing Synchronized Information
11.3.5
Enabling Single Sign-On Logout
11.4
Setting Up the Access System to Protect Plumtree 5.0.4
11.4.1
Installing Oracle Access Manager Components
11.4.2
Creating a Policy Domain
11.4.3
Configuring the WebGate
11.4.4
Configuring WebGate for IIS
11.5
Integrating Other Features
11.5.1
Enabling Anonymous Users to View Portal Guest Pages
11.5.2
Using the Knowledge Directory
11.5.2.1
Setting Preferences in the Knowledge Directory
11.5.2.2
Creating Folders
11.5.2.3
Uploading Documents
11.5.3
Password Management
11.5.4
Self-Registration
12
Integrating mySAP Applications
12.1
About Integrating Oracle Access Manager with mySAP
12.2
SAP Components
12.2.1
SAP Internet Transaction Server
12.2.2
Pluggable Authentication Service
12.2.3
Integration Architecture
12.3
Supported Versions and Platforms
12.4
Preparing to Integrate Oracle Access Manager with SAP
12.5
Setting up Oracle Access Manager Single Sign-on for mySAP
12.5.1
Setting Up SAP for Integration with Oracle Access Manager
12.5.2
Setting Up Oracle Access Manager for Integration with SAP
12.5.3
Testing Integration Between Oracle Access Manager and SAP
12.6
Integrating the SAP Enterprise Portal 6.0
12.6.1
Architecture for the Integration with SAP Enterprise Portal 6.0 SP2
12.6.2
Supported Platforms for Integrating with SAP Enterprise Portal 6.0 SP2
12.6.3
SAP Enterprise Portal 6.0 Prerequisites
12.6.4
Oracle Access Manager Prerequisites
12.6.5
Configuring a Proxy to Access SAP Enterprise Portal 6.0
12.6.6
Configure Oracle Access Manager for SAP Enterprise Portal 6.0
12.6.7
Configure WebGate on the Proxy Server
12.6.8
Configure SAP Enterprise Portal 6.0 for External Authentication
12.6.9
Testing the Integration with SAP Enterprise Portal 6.0
12.6.10
Troubleshooting the Integration with SAP Enterprise Portal 6.0
13
Integrating the RSA SecurID Authentication Plug-In
13.1
About Oracle Access Manager and SecurID Authentication
13.1.1
Supported Versions and Platforms
13.1.2
RSA Components
13.1.3
Oracle Access Manager Components
13.1.4
Integration Summary
13.2
Support and Requirements
13.2.1
Supported Versions and Platforms
13.2.2
RSA ACE/Server Requirements
13.2.2.1
Next Tokencode Mode Support
13.2.2.2
New PIN Mode Support
13.2.3
Oracle SecurID Access Server and ACE/Agent Requirements
13.2.4
Access Server and ACE/Agent Requirements
13.2.5
WebGate Requirements
13.2.5.1
SecurID CGI Script
13.3
SecurID Authentication Scenarios
13.3.1
SecurID Authentication Sequence
13.3.2
Next Tokencode Sequence
13.3.3
New PIN Sequence
13.4
Integrating SecurID Authentication
13.4.1
Preparing Your Environment
13.4.2
Setting up the Access Server as an ACE/Agent
13.4.2.1
Registering an ACE/Agent Host
13.4.2.2
Setting up the ACE/Agent Host
13.4.3
Setting Up a SecurID WebGate
13.4.3.1
Relocating Oracle SecurID Directories
13.4.3.2
Setting up the SecurID CGI Script
13.4.3.3
Configuring the CGI Directory
13.4.4
Creating a SecurID Authentication Scheme
13.4.4.1
Background
13.4.4.2
Defining an Authentication Scheme for SecurID
13.4.5
Protecting SecurID Resources
13.4.5.1
Creating a Policy Domain
13.4.5.2
Adding a Resource to Your Policy Domain
13.4.5.3
Defining Rules for this Domain
13.4.6
Testing the Policy Domain
13.4.7
Adding ACE/Server Users to Oracle Access Manager
13.5
Oracle Access Manager Authentication Plug-In Parameters
13.5.1
SecurID Plug-In Parameters
13.5.2
Credential Mapping Plug-In Parameters
13.6
Active Directory Forest Considerations
13.6.1
Prerequisites
13.6.2
Integrating SecurID with an Active Directory Forest
13.6.2.1
SecurID Forms for an Active Directory Forest
13.7
Troubleshooting
13.7.1
ACE/Agent Issues
13.7.2
ACE/Server Configuration File
13.7.3
CGI Directory on SecurID WebGates
13.7.4
Environment Variable on Unix Systems
13.7.5
Form-Based Authentication
13.7.6
Access Server Log
13.7.7
Web Server Logs
13.7.8
RSA ACE/Server Logs
13.7.9
Permissions
13.7.10
SecurID Plug-In Parameters with Modified HTML Fields
14
Integrating Smart Card Authentication
14.1
About Smart Card Authentication
14.2
About Oracle Access Manager Components
14.3
Integration Architecture
14.4
Supported Versions and Platforms
14.5
Setting Up Smart Card Authentication
14.5.1
Preparing Active Directory
14.5.2
Preparing the CA and Enrolling for a Certificate
14.5.3
Preparing IIS Web Servers
14.5.4
Preparing Oracle Access Manager for Smart Card Authentication
14.5.5
Protecting Resources with Oracle Access Manager
14.5.6
Setting Up the IIS Manager
14.6
About Policy Domains for Smart Card Authentication
14.7
Client Certificate Authentication Schemes
14.7.1
Smart Card Challenge Method, Parameter, SSL
14.7.2
Plug-Ins for Smart Card Authentication
14.7.2.1
cert_decode Plug-In
14.7.2.2
credential_mapping Plug-In
14.8
Troubleshooting
14.8.1
Problem Requesting X.509 Certificates
14.8.2
Additional Resources
14.8.2.1
Active Directory Resources
14.8.2.2
Smart Card Resources
14.8.2.3
Oracle Access Manager Policy Domain Details
15
Integrating SharePoint Portal Server
15.1
About Oracle Access Manager and the SharePoint Portal Server
15.1.1
About Windows Impersonation
15.2
Supported Platforms and Requirements
15.2.1
Supported Versions and Platforms
15.2.2
Required Microsoft Components
15.2.3
Required Oracle Access Manager Components
15.3
Request Processing by the SPPS Integration
15.4
Integrating with SPPS
15.4.1
Installing Microsoft Components
15.4.2
Installing Oracle Access Manager Components
15.4.2.1
Defining Managed Paths in SharePoint
15.5
Setting Up Impersonation
15.5.1
Creating a Trusted User Account
15.5.2
Assigning Rights to the Trusted User
15.5.3
Binding the Trusted User to Your WebGate
15.5.4
Adding an Impersonation Action to a Policy Domain
15.5.5
Adding an Impersonation dll to IIS
15.5.6
Testing Impersonation
15.5.6.1
Creating an IIS Virtual Site Not Protected by SPPS
15.5.6.2
Testing Impersonation Using the Event Viewer
15.5.6.3
Testing Impersonation using a Web Page
15.5.6.4
Negative Testing for Impersonation
15.6
Completing the SPPS Integration
15.6.1
Configuring IIS Security
15.6.2
Configuring the Wildcard Extension
15.6.3
Editing web.config
15.6.4
Synchronizing User Profiles Between Directories
15.6.5
Testing Your Integration
15.6.5.1
Testing the SPPS Integration
15.6.5.2
Testing Single Sign-On for the SPPS Integration
16
Integrating With ASP.NET
16.1
About ASP.NET
16.2
Security Principals and Security Identifiers (SIDs)
16.3
IPrincipal.IsInRole Method Syntax
16.3.1
Parameters
16.3.2
Return value
16.3.3
Supported Versions and Platforms
16.3.4
Requirements
16.4
About the Security Connector for ASP.NET
16.5
Oracle Access Manager Components and Requirements
16.6
The OblixHttpModule
16.6.1
The OblixPrincipal Object
16.7
Authorization with the Security Connector for ASP.NET
16.8
Using the Security Connector for ASP.NET
16.8.1
Setting Up Your Environment
16.9
Setting Up the ASP.NET Application for the Security Connector
16.9.1
Setting up the Oracle Access Manager Role Action
16.10
Oracle Access Manager Role-Based Authorization
17
Integrating Authorization Manager Services
17.1
About Oracle Access Manager and the AzMan Plug-In
17.1.1
Supported Versions and Platforms
17.2
Authorization with the AzMan Plug-In
17.3
Oracle Access Manager Components and Requirements
17.3.1
Oracle Access Manager Authorization Rules and Schemes
17.4
About the Windows Authorization Manager
17.4.1
Authorization Stores
17.4.2
Applications and Scopes
17.4.3
Operations and Tasks
17.4.4
Roles
17.4.5
Groups
17.4.6
Rules
17.4.7
Auditing
17.4.8
Authorization Manager (AzMan) API
17.5
Examples
17.5.1
Example 1: An Expense Application
17.5.2
Example 2: Oracle Access Manager Configuration
17.5.2.1
Authorization Scheme
17.5.2.2
Policy Domain
17.5.2.3
Resources
17.5.2.4
Authorization Rules
17.5.2.5
Default Rules
17.5.2.6
Access Policy
17.5.2.7
Delegated Access Administrators
17.5.3
Example 3: Authorization Process Flow
17.6
Configuring the AzMan Plug-In
17.6.1
Preparing Your Environment
17.6.2
Creating an Authorization Scheme for the AzMan Plug-In
17.6.3
Protecting Resources
17.6.4
Defining Authorization Rules and Policies
17.6.5
Using the AzMan Plug-In with the Access Manager API
17.7
Troubleshooting
Index