Skip Headers
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
11g Release 2 (11.1.2.0)

Part Number E28212-05
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

15 Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

This chapter describes how to configure single sign-on (SSO) for administration consoles in an Identity Management Enterprise deployment.

This chapter includes the following topics:

15.1 Overview of Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

If you have not integrated Oracle Access Management Access Manager with Oracle Identity Manager, you must first create WebLogic Security Providers. Then proceed as follows.

You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, the Oracle HTTP Server intercepts requests for the consoles and forwards them to Access Manager for validation

The administration consoles referred to in the chapter title are:

15.2 Prerequisites

Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain:

  1. Configuring Oracle HTTP Server, as described in Chapter 10, "Installing and Configuring Oracle Web Tier for an Enterprise Deployment."

  2. Configuring Access Manager, as described in Chapter 11, "Extending the Domain to Include Oracle Access Management."

  3. Provisioning Weblogic Administrators in LDAP as described in Section 9.4, "Preparing the Identity Store."

15.3 Configuring WebLogic Security Providers

When you run idmConfigTool with the configOAM or configOIM option, the tool creates security providers in the domains IDMDomain and OIMDomain. These security providers restrict access to the consoles in those domains based on the security policies of Access Manager. If you have other domains, you must create security providers in those domains manually and then update them as described in the following sections.

Note:

Once you have enabled single sign-on for the administration consoles, ensure that at least one OAM Server is running to enable console access.

If you have used the Oracle Weblogic console to shut down all of the Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.

To start WLS_OAM1 manually, use the command:

MSERVER_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001

This section describes how to update the security providers to enable single sign on access to the administration consoles. This section should be performed in all domains, which have security providers including ancillary domains which have had them created manually.

This section contains the following topics:

15.3.1 Updating Oracle Unified Directory Authenticator

When the OUD authenticator is created, it is created with some missing information, which must be added. If you are using OUD as your identity store, you must add this information by performing the following steps.

  1. Log in to the WebLogic Administration Console.

  2. Click Security Realms from the Domain structure menu.

  3. Click Lock and Edit in the Change Center.

  4. Click myrealm.

  5. Click on Providers.

  6. Click on OUDAuthenticator.

  7. Click on Provider Specific tab.

  8. On the Provider Specific screen update the following values:

    • All Users Filter: (&(uid=*)(objectclass=person))

    • User From Name Filter: (&(uid=%u)(objectclass=person))

    • User Name Attribute: uid

    • Static Group Object Class: groupofuniquenames

    • Static Member DN Attribute: uniquemember

    • Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))

    • Dynamic Group Name Attribute: cn

    • Dynamic Group Object Class: groupOfURLs

    • Dynamic Member URL Attribute: memberURL

  9. Click Save.

  10. Click Activate Changes.

15.3.2 Reordering the Security Providers

This section sets up an Access Manager asserter to enable you to delegate responsibility for credential collection to Access Manager.

  1. Log in to the WebLogic Administration Console at the URL listed in Section 17.2, "About Identity Management Console URLs."

  2. Click Security Realms from the Domain structure menu.

  3. Click Lock and Edit in the Change Center.

  4. Click myrealm.

  5. Select the Providers tab.

  6. Click Reorder.

  7. Using the arrows on the right hand side order the providers such that the order is:

    • OAMIDAsserter

    • OIM Signature Authenticator, if present

    • OIMAuthenticationProvider, if present

    • OUD Authenticator, OVDAuthenticator or OIDAuthenticator

    • Default Authenticator

    • Default Identity Asserter

    Note:

    Oracle Identity Manager providers only exist if Oracle Identity Manager has been configured.

  8. Click OK.

  9. Click Activate Changes.

  10. Restart WebLogic Administration Server and all the Managed Servers, as described in Section 17.1, "Starting and Stopping Oracle Identity Management Components."

15.4 Assigning WLSAdmins Group to WebLogic Administration Groups

In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.

In Section 9.4, "Preparing the Identity Store" you created a user called weblogic_idm and assigned it to the group WLSAdmins. To be able to manage WebLogic using this account you must add the WLSAdmins group to the list of Weblogic Administration groups. This section describes how to add the WLSAdmins Group to the list of WebLogic Administrators.

Perform this step for each domain in the topology.

  1. Log in to the WebLogic Administration Server Console at the URL listed in Section 17.2, "About Identity Management Console URLs.".

  2. In the left pane of the console, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, click the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.

  6. On the Global Roles page, click the Admin role to go to the Edit Global Role page:

    1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

    2. On the Choose a Predicate page, select Group from the list for predicates and click Next.

    3. On the Edit Arguments Page, Specify WLSAdmins in the Group Argument field and click Add.

  7. Click Finish to return to the Edit Global Rule page.

  8. The Role Conditions table now shows the WLSAdmins Group as an entry.

  9. Click Save to finish adding the Admin role to the WLSAdmins Group.

  10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

15.5 Authorize Access Manager Administrators to Access APM Console

By default, only users in the WebLogic administrators group can access the APM console. After SSO is enabled, you will login as an Access Manager Administrator.

To enable this functionality perform the following steps:

  1. Log in to the APM console at http://ADMIN.mycompany.com/apm as WebLogic administrator.

  2. Click the System Configuration tab.

  3. Click Add in the External Role Mapping box.

  4. Click Search.

  5. Select OAMAdministrators from the returned search results.

  6. Click Add Selected.

  7. Click Add Principals.

15.6 Updating the boot.properties File

Update the boot.properties file for the Administration Server with the WebLogic admin user created in LDAP.

You must update boot.properties on each administration server node. Follow the steps in the following sections to update the file.

This section contains the following topics:

15.6.1 Update the Administration Servers on All Domains

  1. On each of the servers in the topology, go the directory:

    ASERVER_HOME/servers/serverName/security
    

    For example:

    cd ASERVER_HOME/servers/AdminServer/security
    
  2. Rename the existing boot.properties file.

  3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

    username=adminUser
    password=adminUserPassword
    

    For example:

    username=weblogic_idm
    password=Password for weblogic_idm user
    

    Note:

    When you start the Administration Server, the username and password entries in the file get encrypted.

    For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.

15.6.2 Restarting the Servers

Restart the WebLogic Administration server and all managed servers, as described in Section 17.1, "Starting and Stopping Oracle Identity Management Components."

15.7 Installing and Configuring WebGate 11g

This section describes how to install and configure WebGate.

This section contains the following topics:

15.7.1 Prerequisites

Ensure that the following tasks have been performed before installing the Oracle Web Gate:

  1. Install and configure the Oracle Web Tier as described in Chapter 10.

  2. Ensure Oracle Access Management Access Manager has been configured as described in Chapter 11.

15.7.2 Installing Oracle WebGate on WEBHOST1 and WEBHOST2

Before starting the installer ensure that Java is installed on your machine.

  1. Start the WebGate installer by issuing the command:

    ./runInstaller
    

    You are asked to specify the location of the Java Development Kit for example:

    WEB_MW_HOME/jrockit_version

  2. On the Welcome screen, click Next.

  3. On the Prerequisites screen, after all the checks have successfully completed, click Next.

  4. On the Installation Location Screen, enter the following information:

    • Oracle Middleware Home: WEB_MW_HOME

    • Oracle Home Directory: webgate

    Click Next.

  5. On the installation summary screen, click Install.

  6. Click Next.

  7. Click Finish.

Deploy WebGate to Oracle HTTP, as follows:

  1. Execute the command deployWebGateInstance which is located in:

    WEBGATE_ORACLE_HOME/webgate/ohs/tools/deployWebGate

    The command takes the following arguments:

    Oracle HTTP Instance configuration Directory

    WebGate Home Directory

    For example:

    ./deployWebGateInstance.sh -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME
    
  2. Set the library path and change directory.

    On Linux systems, set the library path to include the WEB_ORACLE_HOME/lib directory, for example:

    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib
    

    Then change directory to: WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools

  3. Run the following command to copy the file apache_webgate.template from the WebGate home directory to the WebGate instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf.

    On Linux, type:

    ./EditHttpConf -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME 
    
  4. Copy the files ObAccessClient.xml, cwallet.sso, and password.xml, which were generated when you created the agent from the directory ASERVER_HOME/output/Webgate_IDM_11g on IDMHOST1, to the directory WEB_ORACLE_INSTANCE/config/OHS/component_name/webgate/config

  5. The files aaa_key.pem and aaa_cert.pem were generated when you created the agent from the directory ASERVER_HOME/output/Webgate_IDM_11g on IDMHOST1. Copy the files aaa_key.pem and aaa_cert.pem to the WebGate instance directory WEB_ORACLE_INSTANCE/config/OHS/component_name/webgate/config/simple.

  6. Restart the Oracle HTTP Server as described in Section 17.1, "Starting and Stopping Oracle Identity Management Components."

15.8 Validating WebGate and the Access Manager Single Sign-On Setup

To validate that WebGate is functioning correctly, open a web browser and go the OAM console URL listed in Section 17.2, "About Identity Management Console URLs."

You now see the Oracle Access Management Login page displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. Then you see theOracle Access Management console displayed.

To validate the single sign-on setup, open a web browser and go the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 17.2, "About Identity Management Console URLs."

The Oracle Access Management Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.

15.9 Backing Up Single Sign-on

Back up the Web Tier and WebLogic domain, as described in Section 17.6.3, "Performing Backups During Installation and Configuration."