This chapter describes how to integrate Oracle Access Manager with Oracle Identity Manager and Oracle Adaptive Access Manager for secure password collection:
Install Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager
Integrate Oracle Access Manager and Oracle Adaptive Access Manager
Integrate Oracle Identity Manager and Oracle Adaptive Access Manager
Configure Oracle Identity Manager Properties for the Integration
Configure Oracle Access Manager Policy Authentication Scheme
In 11g Release 1 (11.1.1), Oracle Access Manager does not provide its own identity service. Instead, Oracle Access Manager:
consumes identity services provided by Oracle Identity Manager, LDAP directories, and other sources
integrates with Oracle Identity Manager and Oracle Adaptive Access Manager to deliver a range of secure password collection and challenge-related functionality to Oracle Access Manager protected applications
Although other combinations are possible, integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager is the recommended option and provides these features:
Password entry protection through personalized virtual authenticators
KBA challenge questions for secondary login authentication based on risk
OTP challenge for secondary login authentication based on risk
Registration flows to support password protection and KBA and OTP challenge functionality
User preferences flows to support password protection and KBA and OTP challenge functionality
Password management flows
Oracle Adaptive Access Manager
Oracle Adaptive Access Manager is responsible for:
Running fraud rules before and after authentication
Navigating the user through Oracle Adaptive Access Manager flows based on the outcome of fraud rules
Oracle Identity Manager is responsible for:
Provisioning users (add/modify, delete users)
Managing passwords (reset/change password)
Oracle Access Manager is responsible for:
Authenticating and authorizing users
Providing statuses such as Reset Password, Password Expired, User Locked, and others
In this deployment, Oracle Access Manager redirects users to Oracle Adaptive Access Manager when a trigger condition for password management is in effect. The "trigger condition" is the authentication scheme used in Oracle Access Manager.
Oracle Adaptive Access Manager interacts with the user based on lifecycle policies retrieved from Oracle Access Manager, and when the condition is resolved, notifies Oracle Access Manager so that the user is redirected to the protected resource. In this integration, Oracle Identity Manager serves to provide password policy enforcement.
For a detailed description of the processing flow see Section 2.8, "Integrating Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager"
The following needs to be in place for the integration:
All necessary components have been properly installed and configured:
Oracle Internet Directory 11g installed
For information on installing OID, refer to Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Oracle Virtual Directory 11g installed
For information on installing OVD, refer to Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Repository Creation Utility 11g installed
For information on installing and using RCU, refer to Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Oracle WebLogic Servers installed
For information on installing the WebLogic Server, refer to Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.
SOA suite installed and patched to at least PS2
For information on installing the SOA suite, refer to Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.
Oracle HTTP Server installed
For information on installing Oracle HTTP Server, refer to Oracle Fusion Middleware Installation Guide for Oracle Web Tier.
Oracle Access Manager 11g agent (WebGate) for Oracle HTTP Server 11g has been installed on the Oracle HTTP Server 11g instance
For information on installing the Oracle HTTP Server WebGate, refer to Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
At installation, Oracle Access Manager is configured with the database policy store. The Oracle Access Manager-Oracle Adaptive Access Manager wiring requires the database policy store.
The steps below are based on the assumption that Oracle Access Manager and Oracle Identity Manager are integrated using the out-of-the box integration.
The following tasks are required to perform this integration:
Install Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager
Integrate Oracle Access Manager and Oracle Adaptive Access Manager
Integrate Oracle Identity Manager and Oracle Adaptive Access Manager
Configure Oracle Identity Manager Properties for the Integration
Configure Oracle Access Manager Policy Authentication Scheme
Install Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager on different servers with all three in the same domain.
Perform post-configuration for Oracle Access Manager and Oracle Adaptive Access Manager with the out-of-the-box configuration.
Ensure that the out-of-the-box policies and KBA questions are configured; this is important for Oracle Adaptive Access Manager authentication to work. For details on these default policies and questions, see:
Importing Challenge Questions in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Importing Base Policies in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
For information on installing the Identity Management Suite, refer to Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Integration between Oracle Identity Manager and Oracle Access Manager is required for integration between Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Identity Manager.
For information on integrating Oracle Access Manager and Oracle Identity Manager, refer to Integration Between OIM and OAM in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Enabling LDAP synchronization for Oracle Identity Manager is required for integration between Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Identity Manager.
Oracle Adaptive Access Manager will be working off the same directory with which Oracle Identity Manager is synchronizing.
For information about setting up Oracle Identity Manager for LDAP synchronization, refer to OIM with LDAP Sync in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
This task involves integrating the Oracle Access Manager and Oracle Adaptive Access Manager components as part of integrating Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager to deliver password management and challenge-related functionality to Oracle Access Manager-protected applications.
Note:
The integration of Oracle Access Manager and Oracle Adaptive Access Manager requires that the IdentityManagerAccessGate 10gWebGate profile exist. You can validate this through the Oracle Access Manager Console by navigating to System Configuration, then Agents, then 10gWebGates.In the integration of Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager, the IdentityManagerAccessGate profile should already exist since it is configured during the Oracle Access Manager - Oracle Identity Manager integration (see Section 6.6, "Integrate Oracle Access Manager and Oracle Identity Manager").
Configure the Oracle Adaptive Access Manager and Oracle Access Manager integration as follows:
Set Oracle Adaptive Access Manager Properties for Oracle Access Manager
Set Oracle Access Manager Credentials in Credential Store Framework
Note:
Before doing this procedure, you must take into account whether the OAAM console is being protected.If protecting the console, you must take care of user and group creation in the external LDAP store. For details, see Creating Oracle Adaptive Access Manager Administrative Groups and User in LDAP in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.
OR
If not protecting the OAAM console, then the user must be created in the WebLogic Administration Console.
(Note : You can disable OAAM administration console protection by setting the environment variable or Java property WLSAGENT_DISABLED=true.)
To set Oracle Adaptive Access Manager properties for Oracle Access Manager:
Start the managed server hosting the Oracle Adaptive Access Manager server.
Go to the Oracle Adaptive Access Manager Admin Console at http://OAAM Managed Server Host:OAAM Admin Managed Server Port/oaam_admin.
Log in as a user with access to the property editor.
Open the Oracle Adaptive Access Manager property editor to set the Oracle Access Manager properties.
If a property does not exist, you must add it.
For the following properties, set the values according to your deployment:
Table 6-1 Configuring Oracle Access Manager Property Values
| Property Name | Property Values |
|---|---|
|
bharosa.uio.default.password.auth.provider.classname |
com.bharosa.vcrypt.services.OAMOAAMAuthProvider |
|
bharosa.uio.default.is_oam_integrated |
true |
|
oaam.uio.oam.host |
Access Server host machine name For example, host.oracle.com |
|
oaam.uio.oam.port |
Access Server Port; for example, 3004 |
|
oaam.uio.oam.obsso_cookie_domain |
Cookie domain defined in Access Server WebGate Agent |
|
oaam.uio.oam.java_agent.enabledFoot 1 |
Default value is When setting this property, note the following points about the property
|
|
oaam.uio.oam.virtual_host_nameFootref 1 |
Default value is Change this value only if the virtual host name is different from |
|
oaam.uio.oam.webgate_id |
IdentityManagerAccessGate The name of the WebGate Agent for Oracle Identity Manager integration. The default is IdentityManagerAccessGate. |
|
oaam.uio.login.page |
/oamLoginPage.jsp |
|
oaam.uio.oam.secondary.host |
Name of the secondary Access Server host machine. The property must be added, as it is not set by default. This property is used for high availability. You can specify the fail-over hostname using this property. |
|
oaam.uio.oam.secondary.host.port |
Port number of the secondary Access Server The property must be added as it is not set by default. This property is used for high availability. You can specify the fail-over port using this property. |
|
oaam.oam.csf.credentials.enabled |
true This property enables configuring credentials in the Credential Store Framework instead of maintaining them using the properties editor. This step is performed so that credentials can be securely stored in CSF. |
Footnote 1 Required when using the OAM Java agent.
For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
For more information about the IDM Domain Agent, see Section 1.2, "A Note About IDMDomain Agents and Webgates".
So that Oracle Access Manager WebGate credentials can be securely stored in the Credential Store Framework, follow these steps to add a password credential to the Oracle Adaptive Access Manager domain:
Go to the Oracle Fusion Middleware Enterprise Manager Console at http://WebLogic Server Host:Administration Port/em.
Log in as a WebLogic Administrator.
Expand the Base_Domain icon in the navigation tree in the left pane.
Select your domain name, right-click, select the menu option Security, and then select the option Credentials in the sub-menu.
Click Create Map.
Click oaam to select the map, then click Create Key.
In the pop-up window make sure Select Map is oaam.
Provide the following properties and click OK.
| Name | Value |
|---|---|
| Map Name | oaam |
| Key Name | oam.credentials |
| Key Type | Password |
| UserName | Oracle Access Manager user with Administrator rights |
| Password | Password of Oracle Access Manager WebGate Agent |
This section describes how to integrate Oracle Identity Manager and Oracle Adaptive Access Manager for the three-way integration of Oracle Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager:
Set Oracle Adaptive Access Manager Properties for Oracle Identity Manager
Set Oracle Identity Manager Credentials in Credential Store Framework
To set Oracle Adaptive Access Manager properties for Oracle Identity Manager:
Go to the Oracle Adaptive Access Manager Admin Console at http://OAAM Managed Server Host:OAAM Admin Managed Server Port/oaam_admin.
Log in as a user with access to the Properties Editor.
Open the Oracle Adaptive Access Manager Property Editor to set the Oracle Identity Manager properties.
If a property does not exist, you need to add it.
For the following properties, set the values according to your deployment:
Table 6-2 Configuring Oracle Identity Manager Property Values
| Property Name | Property Values |
|---|---|
|
bharosa.uio.default.user.management.provider.classname |
com.bharosa.vcrypt.services.OAAMUserMgmtOIM |
|
oaam.oim.auth.login.config |
${oracle.oaam.home}/../designconsole/config/authwl.conf |
|
oaam.oim.url |
For example, |
|
oaam.oim.xl.homedir |
${oracle.oaam.home}/../designconsole |
|
bharosa.uio.default.signon.links.enum.selfregistration.url |
where OHS setup was performed during the integration between Oracle Access Manager and Oracle Identity Manager. |
|
bharosa.uio.default.signon.links.enum.trackregistration.url |
where OHS setup was performed during the integration between Oracle Access Manager and Oracle Identity Manager. |
|
bharosa.uio.default.signon.links.enum.trackregistration.enabled |
true |
|
bharosa.uio.default.signon.links.enum.selfregistration.enabled |
true |
|
oaam.oim.csf.credentials.enabled |
true This property enables the configuring of credentials in the Credential Store Framework as opposed to maintaining them using the Properties Editor. This step is performed so that credentials can be securely stored in CSF. |
For information on setting properties in Oracle Adaptive Access Manager, see "Using the Property Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
So that Oracle Identity Manager WebGate credentials can be securely stored in the Credential Store Framework, follow these steps to add a password credential to the Oracle Adaptive Access Manager domain:
Go to the Oracle Fusion Middleware Enterprise Manager Console at http://<<WebLogic Server host>:<Administration Port>/em.
Log in as a WebLogic Administrator.
Expand the <Base_Domain> icon in the navigation tree in the left pane.
Select your domain name, right click, and select the menu option Security and then the option Credentials in the sub menu.
Click Create Map.
Click oaam to select the map, then click Create Key.
In the pop-up window make sure Select Map is oaam.
Provide the following properties and click OK.
| Name | Value |
|---|---|
| Map Name | oaam |
| Key Name | oim.credentials |
| Key Type | Password |
| UserName | Username of Oracle Identity Manager Administrator |
| Password | Password of Oracle Identity Manager Administrator |
In Oracle Identity Manager, system properties are configured to enable Oracle Adaptive Access Manager to provide the challenge question-related functionality instead of Oracle Identity Manager:
To modify Oracle Identity Manager properties for Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration:
Log in to Oracle Identity Manager Administrative Console.
Click the Advanced link in the self-service console.
Click System Properties in System Management.
Click on Advanced Search.
Set the following properties and click Save.
Note:
For the URLs, use the hostnames as they were configured in Oracle Access Manager. For example, if a complete hostname (with domain name) was provided during Oracle Access Manager configuration, use the complete hostname for the URLs.Table 6-3 Oracle Identity Manager Redirection
| Keyword | Property Name and Value |
|---|---|
|
OIM.DisableChallengeQuestions |
TRUE |
|
OIM.ChangePasswordURL |
URL for change password page in Oracle Adaptive Access Manager ( In a high availability (HA) environment, set this property to point to the virtual IP URL for the OAAM server. |
|
OIM.ForgotPasswordURL |
URL for forgot password page in Oracle Adaptive Access Manager ( |
|
OIM.ChallengeQuestionModificationURL |
URL for challenge questions modification page in Oracle Adaptive Access Manager ( |
Change your protected web application's Oracle Access Manager policy to point to the OAAMAdvanced authentication scheme using the Oracle Access Manager administration console.
The steps are as follows:
Go to the Oracle Access Manager Administration Console using a URL of the form http://hostname:port/oamconsole.
For details, see Logging In to the Oracle Access Manager 11g Administration Console in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Log in as the Oracle Access Manager administrator.
From the Policy Configuration tab, navigate the tree as follows:
expand the Application Domains node
expand the IDMDomainAgent
expand Authentication Policies
Select for editing the authentication policy named Protected HigherLevel Policy, and assign to it the OAAMAdvanced authentication scheme.
Test the Oracle Adaptive Access Manager URL in a separate browser session by navigating to:
http://OAAM Server Managed Server Host:OAAM Server Managed Server Port/oaam_server/oamLoginPage.jsp
Verify that the Oracle Adaptive Access Manager server user login page appears with no errors.
Do not attempt to log in to the OAAM server yet.
Log in to the Oracle Access Manager administration console using the administrative credentials.
Set the Oracle Adaptive Access Manager URL by navigating to the OAAMAdvanced authentication scheme and making these changes:
Add the challenge_url.
Ensure that the Oracle Adaptive Access Manager URL is correct and is the same URL that you tested in Step 5.
http://OAAM Server Managed Server Host:OAAM Server Managed Server Port/oaam_server/oamLoginPage.jsp
(Note: Do not use the protocol string "http(s)", or URL redirection will not succeed. Use an explicit protocol, either http or https.)
Set contextType to external.
Restart the Oracle Access Manager managed server.
Once integration between Oracle Access Manager and Oracle Adaptive Access Manager is complete, restart the managed servers:
Start the managed server hosting the Oracle Access Manager server.
Restart the Oracle Adaptive Access Manager managed servers (OAAM Admin and OAAM server).
This section provides additional troubleshooting and configuration tips for the integration of Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.
You may encounter a non-working URL if policies and challenge questions are not available as expected in your Oracle Adaptive Access Manager environment. For example, the Forgot Password page will fail to come up and you are redirected back to the login page.
To ensure correct operation, make sure that the default base policies and challenge questions shipped with Oracle Adaptive Access Manager have been imported into your system. For details, see Setting Up the Oracle Adaptive Access Manager Environment in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
Incorrect value of the cookie domain in your configuration can result in login failure.
For correct Webgate operation, ensure that the property oaam.uio.oam.obsso_cookie_domain is set to match the corresponding value in Oracle Access Manager; for example, .us.oracle.com.