Oracle® Identity Manager Best Practices Guide
Release 9.1.0

Part Number E10361-02

8 Integrating with Oracle Application Server Single Sign-On

This chapter describes how to use Oracle Application Server (OracleAS) Single Sign-On, a component of Oracle Application Server, to manage user authentication and authorization when a user logs in to Oracle Identity Manager.

See Also:

Oracle Application Server Single Sign-On Administrator's Guide for more information about deploying OracleAS Single Sign-On

This chapter assumes you are familiar with OracleAS Single Sign-On and Oracle Identity Management infrastructure, and that you have already installed the required components, including your application server, Web server, Oracle Identity Manager, OracleAS Single Sign-On, and Oracle Internet Directory.

Important:

Several different configurations, including application and Web servers, are possible in an Oracle Identity Manager and OracleAS Single Sign-On environment.

To demonstrate one possible configuration, this chapter describes how to integrate with OracleAS Single Sign-On by using Oracle Application Server and the Oracle Application Server OC4J Plugin. The information in this chapter is based on IIS version 6.0.

See your application and Web server vendor's documentation for more information about configuring single sign-on.

This chapter contains the following topics:

  • Setting Up Oracle Application Server OC4J Plugin to Communicate with OracleAS Single Sign-On

  • Setting Up Oracle Identity Manager for Single Sign-On with OracleAS Single Sign-On

  • Creating Single Sign-On User Accounts for Oracle Identity Manager Users

Setting Up Oracle Application Server OC4J Plugin to Communicate with OracleAS Single Sign-On

You must install and configure the Oracle Application Server OC4J Plugin, which is an IIS plug-in for OC4J, so that Oracle Application Server can communicate with the OracleAS Single Sign-On server. The Oracle Application Server OC4J Plugin is a file named opii.dll.

To install and configure the Oracle Application Server OC4J Plugin

  1. Download the Oracle Application Server OC4J Plugin from Oracle Technology Network (OTN) by using the following steps:

    1. Go to the OTN Web site at the following URL:

      http://www.oracle.com/technology/index.html

    2. Click Downloads on the horizontal navigation menu at the top of the page.

    3. Scroll to the Middleware section of the page and click SOA Suite in the Developer Tools section.

    4. Click See All in the Oracle SOA Suite 10g Release 3 (10.1.3.x) section.

    5. In the page that is displayed, accept the License Terms and Export Restrictions and also the Oracle Technology Network Development License Agreement.

    6. Expand the Oracle SOA Suite 10g Companion (10.1.3.x) CD entry. In the list that is displayed, the Oracle Application Server OC4J Plugin is listed as a component.

    7. Click CD1 for the appropriate operating system to download CD1 for the Oracle SOA Suite 10g Companion (10.1.3.x) CD.

  2. Open the Registry Editor and perform the following steps:

    Note:

    The following steps use regedit as an example.

    1. Click HKEY_LOCAL_MACHINE, and then click SOFTWARE.

    2. Right-click Oracle and select New. Then select Key and name it opii.

    3. Right-click the opii entry, select New. Then select String Value and name the String Value log_file.

    4. Right-click the log_file entry and select Modify. The Edit String dialog box is displayed.

    5. In the Value data field, enter the path where you want to keep the opii log file and click OK.

    6. Right-click the opii entry, and then select New.

    7. Select String Value and name the String Value log_level. This log_level string value specifies the desired log level for opii, for which debug, inform, error, and emerg are valid values.

    8. Right-click the opii entry, and then select New. Then select String Value and name the String Value server_defs.

    9. Right-click the server_defs String Value and select Modify. The Edit String dialog box is displayed.

    10. Enter the path where the opii.conf file will reside. You will create the opii.conf file in Step 11.

  3. Start the IIS Management Console, then expand the entry for the node hosting the IIS server that will communicate with the OracleAS Single Sign-On server.

  4. Expand the Web Sites entry, then right-click the Default Web Sites entry and select New, then select Virtual Directory. The Virtual Directory Creation Wizard is displayed.

  5. Click Next and perform the following steps:

    1. Enter opii in the Alias Name field and click Next.

    2. Enter the location where the opii.dll file is located in the Path field and click Next.

    3. Select the Read, Run scripts, and Execute options on the Virtual Directory Access Permissions screen and click Next. Click Finish to close the Virtual Directory Creation Wizard.

  6. Add the opii.dll Oracle Application Server OC4J Plugin as a filter to your IIS Web sites by using the following steps:

    1. In the IIS Management Console, right-click the Default Web Sites entry and select Properties. The Default Web Site Properties dialog box is displayed.

    2. Click the ISAPI Filters tab and click Add.

    3. Enter opii in the Filter Name field.

    4. Enter the path to the location of the opii.dll Oracle Application Server OC4J Plugin in the Executable field.

    5. Click OK on the Add/Edit Filter Properties dialog box.

    6. Click OK on the Default Web Site Properties dialog box.

  7. Give permission to the IIS group on the OSSO_HOME/bin folder by using the following steps:

    1. Right-click the OSSO_HOME/bin folder and select Properties.

    2. Click the Security tab.

    3. Add the IIS_WPG group with Read and Execute permissions.

  8. Restart the IIS server by using the following steps from the IIS Management Console:

    1. Right-click the node hosting the IIS server that will communicate with the OracleAS Single Sign-On server, select All Tasks, and then select Restart IIS. The Stop/Start/Restart dialog box is displayed.

    2. Select Restart Name_of_IIS_server and click OK.

    3. After the IIS server restarts, verify that the opii.dll Oracle Application Server OC4J Plugin is running by right-clicking Default Web Sites, selecting Properties, selecting the ISAPI Filters tab, and confirming that there is a green arrow pointing up for the opii filter.

  9. On the IIS Management Console, click Web Services Extensions, select opii, and then click the Allow button.

  10. Identify the port for the ajp13 protocol by using the following steps:

    1. On the computer hosting Oracle Application Server, open the OAS_HOME/j2ee/OAS_INSTANCE/config/default-web-site.xml file in a text editor.

      Note:

      OAS_HOME represents the location where Oracle Application Server is installed. OAS_INSTANCE represents the name of the Oracle Application Server instance.

    2. Search for the string ajp13.

    3. Identify the port number for ajp13, for example 8889.

  11. Create a file named opii.conf in the opii directory that contains the following entries. The entries list the Oracle Identity Manager applications protected by OracleAS Single Sign-On. Replace host_name with the name of the computer hosting Oracle Identity Manager, and replace ajp13 port number with the ajp13 port number identified in Step 10 (for example, 8889):

    Oc4jMount /xlWebApp ajp13://host_name:ajp13 port number
    Oc4jMount /xlWebApp/* ajp13://host_name:ajp13 port number
    Oc4jMount /xlScheduler ajp13://host_name:ajp13 port number
    Oc4jMount /xlScheduler/* ajp13://host_name:ajp13 port number
    Oc4jMount /Nexaweb ajp13://host_name:ajp13 port number
    Oc4jMount /Nexaweb/* ajp13://host_name:ajp13 port number


Setting Up Oracle Identity Manager for Single Sign-On with OracleAS Single Sign-On

Perform the following steps to set up Oracle Identity Manager for integration with OracleAS Single Sign-On:

  1. Stop the application server.

  2. Start a plain-text editor and open the following file:

    OIM_HOME/xellerate/config/xlconfig.xml

  3. Locate the following single sign-on configuration (the following are the default settings without single sign-on):

    <web-client>
    <Authentication>Default</Authentication>
    <AuthHeader>REMOTE_USER</AuthHeader>
    </web-client>
    
  4. Edit the single sign-on configuration as follows:

    <web-client>
    <Authentication>SSO</Authentication>
    <AuthHeader>osso-username</AuthHeader>
    </web-client>
    

    To enable single sign-on with non-ASCII character logins, you must include a decoding class name to decode the non-ASCII header value. Add the decoding class name and edit the single sign-on configuration as follows:

    <web-client>
    <Authentication>SSO</Authentication>
    <AuthHeader>osso-username</AuthHeader>
    <AuthHeaderDecoder>com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder</AuthHeaderDecoder>
    </web-client>
    
  5. Restart the application server.
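As an added example that is not part of this guide or of the Oracle Identity Manager product, the following Python script checks the two hand-edited files from these procedures: the Oc4jMount entries in opii.conf from Step 11 of the previous section, and the web-client block in xlconfig.xml from Step 4 above. It assumes the root element of xlconfig.xml is named xl-configuration; the host name and both sample file contents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample opii.conf with the chapter's six entries; placeholder host, example port 8889.
OPII_CONF = """\
Oc4jMount /xlWebApp ajp13://oimhost.example.com:8889
Oc4jMount /xlWebApp/* ajp13://oimhost.example.com:8889
Oc4jMount /xlScheduler ajp13://oimhost.example.com:8889
Oc4jMount /xlScheduler/* ajp13://oimhost.example.com:8889
Oc4jMount /Nexaweb ajp13://oimhost.example.com:8889
Oc4jMount /Nexaweb/* ajp13://oimhost.example.com:8889
"""
# Constructed <web-client> block as it reads after Step 4 (the root element name is assumed).
XLCONFIG_SSO = """<xl-configuration><web-client><Authentication>SSO</Authentication>
<AuthHeader>osso-username</AuthHeader></web-client></xl-configuration>"""
# All six contexts the chapter mounts; a context left out is not routed through opii at all.
EXPECTED_CONTEXTS = {"/xlWebApp", "/xlWebApp/*", "/xlScheduler",
                     "/xlScheduler/*", "/Nexaweb", "/Nexaweb/*"}
MOUNT_RE = re.compile(r"^\s*Oc4jMount\s+(\S+)\s+ajp13://([^:\s]+):(\d+)\s*$")

def parse_opii_conf(text):
    """Return {context: (host, port)} for every Oc4jMount line; reject anything else."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MOUNT_RE.match(line)
        if not m:
            raise ValueError("unparseable opii.conf line: %r" % line)
        mounts[m.group(1)] = (m.group(2), int(m.group(3)))
    return mounts

def check_mounts(mounts, ajp13_port):
    """List contexts that are missing or not routed to the ajp13 port found in Step 10."""
    problems = ["missing Oc4jMount for %s" % c
                for c in sorted(EXPECTED_CONTEXTS - set(mounts))]
    problems += ["%s uses port %d, expected %d" % (c, p, ajp13_port)
                 for c, (_host, p) in sorted(mounts.items()) if p != ajp13_port]
    return problems

def check_web_client(xml_text, non_ascii_logins=False):
    """List <web-client> settings that differ from the SSO values the chapter specifies."""
    wc = next(ET.fromstring(xml_text).iter("web-client"), None)
    if wc is None:
        return ["no <web-client> element"]
    expected = {"Authentication": "SSO", "AuthHeader": "osso-username"}
    if non_ascii_logins:  # Step 4 adds the decoder class for non-ASCII logins
        expected["AuthHeaderDecoder"] = "com.thortech.xl.security.auth.CoreIDSSOAuthHeaderDecoder"
    return ["%s should be %s, found %r" % (k, v, wc.findtext(k))
            for k, v in expected.items() if wc.findtext(k) != v]
```

Run it against the real files after editing them: an empty list from both check functions means every protected context is mounted on the ajp13 port and Oracle Identity Manager will read the osso-username header.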

Creating Single Sign-On User Accounts for Oracle Identity Manager Users

You must create an entry in Oracle Internet Directory for each Oracle Identity Manager user that will use OracleAS Single Sign-On for authentication. Oracle Internet Directory is the repository for all OracleAS Single Sign-On user accounts and passwords. The OracleAS Single Sign-On server authenticates users against their entries in Oracle Internet Directory.

Perform the following steps to create an entry in Oracle Internet Directory for each Oracle Identity Manager user that will use OracleAS Single Sign-On for authentication:

  1. Log in to the Oracle Delegated Administration Services home page at the following URL:

    http://host:port/oiddas/
    

    In this example, host represents the name of the computer on which Oracle Delegated Administration Services is located, and port is the port number of this server. Oracle Delegated Administration Services and OracleAS Single Sign-On generally have the same host name.

  2. Click the Directory tab.

  3. Click Create on the Users tab.

  4. Create the information about the Oracle Identity Manager user by entering information in the following fields:

    • First Name

    • Last Name

    • User ID

      Note:

      The User ID must be the same as the user's User ID in Oracle Identity Manager.

    • e-mail

    • Password for OracleAS Single Sign-On (enter it twice to confirm)

  5. Create the user by clicking the Submit button.