Skip Headers
Oracle® Fusion Middleware Integration Guide for Oracle Identity Management Suite
11g Release 2 (11.1.2)

Part Number E27123-03
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

9 Integrating Access Manager, OAAM, and OIM

The Oracle Access Management Access Manager (Access Manager), Oracle Adaptive Access Manager (OAAM), and Oracle Identity Manager (OIM) integration provides control access to resources with Access Manager, strong multi-factor authentication and advanced real-time fraud prevention with OAAM, and self-service password management with OIM.

This chapter describes how to integrate Oracle Access Management Access Manager (Access Manager), Oracle Identity Manager (OIM), and Oracle Adaptive Access Manager.

This chapter contains these sections:

9.1 About Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager Integration

In the Oracle Access Management Access Manager (Access Manager), Oracle Adaptive Access Manager (OAAM), and Oracle Identity Manager (OIM) integration, the secure password collection features of the last two products are added to Access Manager-protected applications.

The range of secure password collection and challenge-related functionality include:

In 11g Release 2 (11.1.2), Access Manager does not provide its own identity service; instead, Access Manager:

Responsibilities are divided as follows:

Table 9-1 Responsibilities for Each Component in Integration

Component Responsibilities

Oracle Adaptive Access Manager

Responsible for:

  • Running real-time risk analysis rules before and after authentication

  • Navigating the user through login, challenge, registration, and self-service flows

Oracle Identity Manager

Responsible for:

  • Provisioning users to add, modify, or delete users

  • Managing passwords through Reset Password or Change Password flows

Access Manager

Responsible for:

  • Authenticating and authorizing users

  • Providing advanced status flags such as Reset Password, Password Expired, User Locked, and others


9.1.1 Deployment Options for Strong Authentication

In the integration scenario, Access Manager acts as the authenticating and authorizing module, while Oracle Adaptive Access Manager provides strong authenticators and performs the risk and fraud analysis.

There are two ways that Access Manager can leverage the strong authentication capabilities of Oracle Adaptive Access Manager:

  • OAAM Basic Integration with Access Manager

    Access Manager users wishing to add login security, including Knowledge Based Authentication (KBA), may use OAAM Basic integration with Access Manager. This option will still require an OAAM Admin Server, but it does not require the deployment of a separate OAAM Server. The functionality is accessed through native OAAM calls. The "OAAM Basic Integration" option has a smaller footprint than the "OAAM Advanced Integration" option.

    The "OAAM Basic Integration" differs from the "OAAM Advanced Integration" in that it does not provide access to more advanced features such as One-Time Password (OTP) through SMS, email, or IM. In addition, this native integration is not customizable beyond basic screen branding.

  • OAAM Advanced Integration with Access Manager

    This option provides advanced features and customizations beyond that available with native integration. Leveraging the Java Oracle Access Protocol (OAP) library, the integration of Access Manager and Oracle Adaptive Access Manager requires a full OAAM deployment.

For implementation details, see Chapter 8, "Integrating Access Manager and Oracle Adaptive Access Manager".

9.1.2 Deployment Options for Password Management

You can implement password management features for Access Manager-protected applications by integrating Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager.

This section explains the deployment options for password management. For more information about the scenarios that are supported by each deployment, and the flow that achieves each scenario see, Section 1.5, "Common Integration Scenarios".

In the context of password management, Access Manager works in different deployment modes:

  1. Access Manager and Oracle Identity Manager integrated for authentication and password management.

    For details, see Section 1.5.3.1, "Access Manager Integrated with Oracle Identity Manager."

  2. Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager integrated for authentication, password management, fraud detection, and additional capabilities.

    For details of the processing flow, see, Section 1.5, "Common Integration Scenarios".

    For implementation details, see Section 9.3, "Integration Roadmap."

  3. Access Manager also provides a password policy management feature through the Oracle Access Management Console. The password policy is applied to all resources protected by Access Manager. This feature is not used in the Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration documented in this chapter. For more information about this Oracle Access Management feature, see "Managing Common Services, Certificate Validation, and Password Policy" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

9.2 Definitions, Acronyms, and Abbreviations

This section provides key definitions, acronyms, and abbreviations that are related to this integration.

Table 9-2 Advanced Integration Terms

Term Definition

Action

Oracle Adaptive Access Manager provides functionality to calculate the risk of an access request, an event or a transaction, and determine proper outcomes to prevent fraud and misuse. The outcome can be an action, which is an event activated when a rule is triggered. For example: block access, challenge question, ask for PIN or password, and so on.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Advanced integration with Access Manager

The "Advanced" option is an integration of Access Manager and full deployment of Oracle Adaptive Access Manager.

  • An Access Manager and Oracle Adaptive Access Manager integration with a full OAAM deployment. This option provides authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms, and additional advanced security access features, such as step up authentication. It includes advanced features and extensibility such as OTP Anywhere, challenge processor framework, shared library framework, and secure self-service password management flows.

  • An Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration. This option provides advanced features and customizations beyond that available with native integration. Leveraging the Java OAP library, the integration of Access Manager and Oracle Adaptive Access Manager requires a full OAAM deployment.

Alert

Alerts are messages that indicate the occurrence of an event. An event can be that a rule was triggered, a trigger combination was met or an override was used.

Alert groups are used as results within rules so that when a rule is triggered all of the alerts within the groups are created.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Authentication

The process of verifying a person's, device's, application's identity. Authentication deals with the question "Who is trying to access my services?"

Authentication Level

Access Manager supports various authentication levels to which resources can be configured so as to provide discrete levels of security required to access various resources. Discrete authentication levels distinguish highly protected resources from other resources. The TAP token sent by Access Manager provides parameters related to the authentication level.

The trust level of the authentication scheme reflects the challenge method and degree of trust used to protect transport of credentials from the user.

The trust level is expressed as an integer value between 0 (no trust) and 99 (highest level of trust).

Note: After a user is authenticated for a resource at a specified level, the user is automatically authenticated for other resources in the same application domain or in different application domains, if the resources have the same or a lower trust level as the original resource.

Current Authentication level is the current authentication level of the user.

Target Authentication level is the authentication level required to access the protected resource.

Authorization

Authorization regards the question "Who can access what resources offered by which components?"

Authentication Scheme

Access to a resource or group of resources can be governed by a single authentication process known as an authentication scheme. An authentication scheme is a named component that defines the challenge mechanism required to authenticate a user. Each authentication scheme must also included a defined authentication module.

When you register a partner (either using the Oracle Access Management Console or the remote registration tool), the application domain that is created is seeded with a policy that uses the authentication scheme that is set as the default scheme. You can choose any of the existing authentication schemes as the default for use during policy creation.

Authentipad Checkpoint

The Authentipad checkpoint determines the type of device to use based on the purpose of the device.

Basic Integration of Access Manager and OAAM

Access Manager users wishing to add login security, including Knowledge Based Authentication (KBA), may use the Basic (native) integration option. This option will still require an OAAM Admin Server, but it does not require you to deploy a separate OAAM Server (the functionality is accessed through native OAAM calls), so the footprint is reduced.

The native integration does not provide access to more advanced features such as One-Time Password (OTP) through SMS, email, or IM. The native integration is not customizable beyond basic screen branding.

Blocked

If a user is "Blocked" when a policy has found certain conditions to be "true" and is set up to respond to these conditions with a "Block Action." If those conditions change, the user may no longer be "Blocked." The "Blocked" status is not necessarily permanent and therefore may or may not require an administrator action to resolve. For example, if the user was blocked because he was logging in from a blocked country, but he is no longer in that country, he may no longer be "Blocked."

Challenge Parameters

Challenge parameters are short text strings consumed and interpreted by WebGates and Credential Collector modules to operate in the manner indicated by those values. The syntax for specifying any challenge parameter is:

<parameter>=<value>

This syntax is not specific to any Webgate release (10g versus 11g). Authentication schemes are independent of Webgate release.

Challenge Questions

Challenge Questions are a finite list of questions used for secondary authentication.

During registration, users are presented with several question menus. For example, he may be presented with three question menus. A user must select one question from each menu and enter answers for them during registration. Only one question from each question menu can be registered. These questions become the user's "registered questions."

When rules in OAAM Admin trigger challenge questions, OAAM Server displays the challenge questions and accepts the answers in a secure way for users. The questions can be presented in the QuestionPad, TextPad, and other pads, where the challenge question is embedded into the image of the authenticator, or simple HTML.

Checkpoint

A checkpoint is a specified point in a session when Oracle Adaptive Access Manager collects and evaluates security data using the rules engine.

Examples of checkpoints are:

  • Pre-authentication - Rules are run before a user completes the authentication process.

  • Post-authentication - Rules are run after a user is successfully authenticated.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Management.

Delegated Authentication Protocol

The Delegated Authentication Protocol (DAP) challenge mechanism indicates that Access Manager does an assertion of the token that it receives, which differs from the standard challenge "FORM" mechanism with the external option.

Device

A computer, PDA, cell phone, kiosk, and other web-enabled device used by a user

Device fingerprinting

Device fingerprinting collects information about the device such as browser type, browser headers, operating system type, locale, and so on. Fingerprint data represents the data collected for a device during the login process that is required to identify the device whenever it is used to log in. The fingerprinting process produces a fingerprint that is unique to the user and designed to protect against the "replay attacks" and the "cookie based registration bypass" process. The fingerprint details help in identifying a device, check whether it is secure, and determine the risk level for the authentication or transaction.

A customer typically uses these devices to log in: PC, notebook, mobile phone, smart phone, or other web-enabled machines.

Knowledge Based Authentication (KBA)

Knowledge-based authentication (KBA) is a secondary authentication method that provides an infrastructure based on registered challenge questions.

It enables end-users to select questions and provide answers which are used to challenge them later on.

Security administration include:

  • Registration logic to manage the registration of challenge questions and answers

  • Answer Logic to intelligently detect the correct answers in the challenge response process

  • Validations for answers given by a user at the time of registration

For information, see "Managing Knowledge-Based Authentication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

KeyPad

Virtual keyboard for entry of passwords, credit card number, and so on. The KeyPad protects against Trojan or keylogging.

LDAPScheme

Authentication scheme used to protect Access Manager-related resources (URLs) for most directory types based on a form challenge method.

Multi-Level Authentication

Every authentication scheme requires an authentication level. The lower this number, the less stringent the scheme. A higher level number indicates a more secure authentication mechanism.

Single sign-on (SSO) capability enables users to access more than one protected resource or application with a single sign in. After a successful user authentication at a specific level, the user can access one or more resources protected by one or more application domains. However, the authentication schemes used by the application domains must be at the same level (or lower). When a user accesses a resource protected with an authentication level that is greater than the level of his current SSO token, he is re-authenticated. In the Step Up Authentication case, the user maintains his current level of access even if failing the challenge presented for the higher level. This is "additional authentication".

For information, see "Managing Authentication and Shared Policy Components" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Oracle Access Protocol (OAP)

Oracle Access Protocol (OAP) enables communication between Access System components (for example, OAM Server, WebGate) during user authentication and authorization. This protocol was formerly known as NetPoint Access Protocol (NAP) or COREid Access Protocol.

One-time Password (OTP)

One-time Password is a risk-based challenge solution consisting of a server generated one time password delivered to an end user via a configured out of band channel. Supported OTP delivery channels include short message service (SMS), eMail, and instant messaging. OTP can be used to compliment KBA challenge or instead of KBA. As well both OTP and KBA can be used alongside practically any other authentication type required in a deployment. Oracle Adaptive Access Manager also provides a challenge processor framework. This framework can be used to implement custom risk-based challenge solutions combining third party authentication products or services with OAAM real-time risk evaluations.

For information, see "Setting Up OTP Anywhere" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Access Manager and Oracle Adaptive Access Manager TAP Integration

In Access Manager and OAAM TAP Integration, OAAM Server acts as a trusted partner application. The OAAM Server uses the Trusted authentication protocol (TAP) to communicate the authenticated user name to the OAM Server after it performs strong authentication, risk and fraud analysis and OAM Server will own the responsibility of redirecting to the protected resource.

OAAM Admin

Administration Web application for all environment and Adaptive Risk Manager and Adaptive Strong Authenticator features.

OAMAdminConsoleScheme

Authentication scheme for Oracle Access Management Console.

OAAMAdvanced

Authentication scheme that protects resources with an external context type. This authentication scheme is used when complete integration with OAAM is required. A Webgate must front end the partner.

OAAMBasic

Authentication scheme that protects resources with a default context type. This scheme should be used when OAAM Basic integration with Access Manager is required. Here, advanced features like OTP are not supported.

OAAM Server

Adaptive Risk Manager and Adaptive Strong Authenticator features, Web services, LDAP integration and user Web application used in all deployment types except native integration

Policies

Policies contain security rules and configurations used to evaluate the level of risk at each checkpoint.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Post-authentication rules

Post-authentication - Rules are run after a user is successfully authenticated.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Pre-authentication rules

Pre-authentication - Rules are run before a user completes the authentication process.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Profile

The customer's registration information including security phrase, image, challenge questions, challenge (question and OTP) counters, and OTP.

Protection level

There are three protection levels in which to choose from:

  • Protected (the default). Protected resources are associated with a protected-level Authentication policy that uses a variety of authentication schemes (LDAP, or example). Authorization policies are allowed for protected resources. Responses, constraints, auditing, and session management are enabled for protected resources using a policy that protects the resource.

  • Unprotected. Unprotected resources are associated with an unprotected-level Authentication policy (level 0) that can use a variety of authentication schemes (LDAP, for example). Authorization policies are allowed for unprotected resources, and a basic one is needed to allow such access. However, an elaborate policy with constraints and responses is irrelevant. Responses, constraints, and auditing are enabled for Unprotected resources using a policy that protects the resource. Only Session Management is not enabled. Access to Unprotected resources incur an OAM Server check from WebGate, which can be audited.

  • Excluded (these are public). Only HTTP resource types can be excluded. Typically security insensitive files like Images (*.jpg, *.png), protection level Excluded resources do not require an OAM Server check for Authentication, Authorization, Response processing, Session management, and Auditing. Excluded resources cannot be added to any user-defined policy in the Oracle Access Management Console. The WebGate does not contact the OAM Server while allowing access to excluded resources; therefore, such access is not audited. Most regular resource validations apply to Excluded resources. However, excluded resources are not listed when you add resources to a policy. There is no Authentication or Authorization associated with the resource. Note: If a resource protection level is modified from "Protected" to "Excluded" and a policy exists for that resource, modification will fail until the resource is first disassociated with the policy.

Registration

Registration is the enrollment process, the opening of a new account, or other event where information is obtained from the user.

During the Registration process, the user is asked to register for questions, image, phrase and OTP (email, phone, and so on) if the deployment supports OTP. Once successfully registered, OTP can be used as a secondary authentication to challenge the user.

Risk score

OAAM risk scoring is a product of numerous fraud detection inputs such as a valid user, device, location, and so on. These inputs are weighted and analyzed within the OAAM fraud analytics engine. The policy generates a risk score based on dozens of attributes and factors. Depending on how the rules in a policy are configured, the system can yield an elevated risk score for more risky situations and lower scores for lower-risk situations. The degree of elevation can be adjusted with the weight assigned to the particular risk. The risk score is then used as an input in the rules engine. The rules engine evaluates the fraud risk and makes a decision on the action to take.

Rules

Fraud rules are used to evaluate the level of risk at each checkpoint. For information on policies and rules, see "OAAM Security and Autolearning Policies" in the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.

Single sign-on (SSO)

Single sign-on (SSO) is a process that gives users the ability to access multiple protected resources (Web pages and applications) with a single authentication.

Step Up Authentication

Step Up Authentication occurs when a user is attempting to access a resource more sensitive than ones he had already accessed in this session. To gain access to the more sensitive resource, a higher level of assurance is required. Oracle Access Management resources are graded by authentication level, which defines the relative sensitivity of a resource.

For example, if a user accesses a corporate portal home page that is defined as authentication level 3, a basic password authentication is required. The time card application that links off the portal home is more sensitive than the portal home page, so the application is defined as authentication level 4, which requires basic password and risk-based authentication provided by Oracle Adaptive Access Manager. So, if a user logs in to the portal with a valid user name and password, and then clicks the time card link, his device is fingerprinted and risk analysis determines if additional authentication, such as a challenge question, is required to allow him access.

Strong Authentication

An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance.

Using more than one factor is sometimes called strong authentication or multi-factor authentication.

TAP

TAP stands for Trusted authentication protocol. This is to be used, when authentication is performed by a third party and Access Manager asserts the token sent back. After asserting the token, Access Manager creates its cookie and continues the normal single-sign on flow. A trust mechanism exists between the OAM Server and the external third party which performs the authentication. In this scenario, Access Manager acts as an asserter and not authenticator.

TAPScheme

This is the authentication scheme that is used to protect resources in an Access Manager and OAAM integration that uses TAP. If you want two TAP partners with different tapRedirectUrls, create a new authentication scheme using the Oracle Access Management Console and use that scheme.

When configured, this authentication scheme can collect context-specific information before submitting the request to the Access Server. Context-specific information can be in the form of an external call for information.

TextPad

Personalized device for entering a password or PIN using a regular keyboard. This method of data entry helps to defend against phishing. TextPad is often deployed as the default for all users in a large deployment then each user individually can upgrade to another device if they wish. The personal image and phrase a user registers and sees every time they login to the valid site serves as a shared secret between user and server.

Virtual authentication device

A personalized device for entering a password or PIN or an authentication credential entry device. The virtual authentication devices harden the process of entering and transmitting authentication credentials and provide end users with verification they are authenticating on the valid application.

Web Agent

A single sign-on agent (also known as a policy-enforcement agent, or simply an agent) is any front-ending entity that acts as an access client to enable single sign-on across enterprise applications.

To secure access to protected resources, a Web server, Application Server, or third-party application must be associated with a registered policy enforcement agent. The agent acts as a filter for HTTP requests, and must be installed on the computer hosting the Web server where the application resides.

Individual agents must be registered with Access Manager 11g to set up the required trust mechanism between the agent and OAM Server. Registered agents delegate authentication tasks to the OAM Server.

WebGate

Web server plug-in that acts as an access client. WebGate intercepts HTTP requests for Web resources and forwards them to the OAM Server for authentication and authorization


9.3 Integration Roadmap

Table 9-3 lists the high-level tasks for integrating Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

Table 9-3 Integration Flow for Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

Number Task Information

1

Verify that all required components have been installed and configured prior to integration.

For information, see "Integration Prerequisites".

2

Install Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager on different WebLogic servers.

For information, see "Install Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager".

3

Integrate Access Manager and Oracle Identity Manager.

For information, see "Integrate Access Manager and Oracle Identity Manager".

4

Enable LDAP synchronization for Oracle Identity Manager. This is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

For information, see "Enable LDAP Synchronization for Oracle Identity Manager".

5

Integrate Access Manager and Oracle Adaptive Access Manager.

For information, see "Integrate Access Manager and Oracle Adaptive Access Manager".

6

Set up the integration between OAAM and OIM.

For information, see "Integrate Oracle Identity Manager and Oracle Adaptive Access Manager".

7

Perform additional configuration that you may need depending on your requirements.

For information, see "Other Configuration Tasks".


9.4 Integration Prerequisites

Prior to integrating Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager, you must have installed all the required components, including any dependencies, and configured the environment in preparation of the integration tasks that follow.

Note:

Key installation and configuration information is provided in this section. However, not all component prerequisite, dependency, and installation instruction is duplicated here. Adapt information as required for your environment.

For complete installation information, follow the instructions in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Table 9-4 lists the required components that must be installed and configured before the Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration tasks are performed.

Table 9-4 Access Manager, OAAM, and OIM Integration Required Components

Component Information

Oracle Database

Ensure that you have an Oracle Database installed on your system before installing Oracle Identity and Access Management. The database must be up and running to install the relevant Oracle Identity and Access Management components.

For more information, see "Database Requirements" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Repository Creation Utility (RCU)

Install and run the Repository Creation Utility to create the schemas for Access Manager, OAAM, and OIM in a database. You must use the Repository Creation Utility that is version compatible with the products you are installing.

Oracle Fusion Middleware Repository Creation Utility (RCU) is available on the Oracle Technology Network (OTN) Web site. For more information about using RCU, see "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and Oracle Fusion Middleware Repository Creation Utility User's Guide.

Oracle Virtual Directory

The instructions in this chapter assumes that the Oracle Internet Directory is configured as the Identity Store and is front-ended by Oracle Virtual Directory.

For more information on configuring the OVD, see Chapter 6, "Configuring Oracle Virtual Directory for Integration with Oracle Access Management Access Manager" and Chapter 4, "Configuring Oracle Virtual Directory for Integration with Oracle Identity Manager."

Oracle Internet Directory

The instructions in this chapter assumes the that Oracle Internet Directory is configured as the Identity Store and is front-ended by Oracle Virtual Directory.

For more information, see Chapter 5, "Integrating Oracle Internet Directory with Access Manager."

Oracle WebLogic Servers for Access Manager, Oracle Adaptive Access Manager, Oracle Identity Manager, and Oracle HTTP Server

Prior to installing the WebLogic Server, ensure that your machines meet the system, patch, kernel, and other requirements that the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server specifies.

Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager can be configured on the same WebLogic domain or separate WebLogic domains. By default, the Access Manager and OAAM applications are configured on separate WebLogic domains.

For more information on installing WebLogic Servers, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and Installing Oracle WebLogic Server.

Oracle SOA Suite and patches

For more information on installing and configuring the SOA Suite, see Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite

Oracle HTTP Server

For more information on installing the HTTP Server, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Oracle Access Manager 10g or Access Manager 11g agent (WebGate) for Oracle HTTP Server 11g on the Oracle HTTP Server 11g instance.

For information on installing the Oracle HTTP Server WebGate, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

IdentityManagerAccessGate 10gWebGate profile

The integration of Access Manager and Oracle Adaptive Access Manager requires that the IdentityManagerAccessGate 10gWebGate profile exist. You can validate this through the Oracle Access Management Console by navigating to System Configuration, then Agents, then 10gWebGates.


The steps below are based on the assumption that Access Manager and Oracle Identity Manager are integrated using the out-of-the box integration.

Note:

If so preferred, Oracle Access Manager and Oracle Adaptive Access Manager can be installed in separate domains or on the same WebLogic domain.

For multiple domain installation, the oaam.csf.useMBeans property must be set to true. Refer to "Oracle Adaptive Access Manager Command-Line Interface Scripts" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager for information on setting this parameter.

During the integration steps below, for reference we will refer to the WLS Domain which contains Oracle Access Manager as OAM_DOMAIN_HOME, and the WLS Domain which contains OAAM as OAAM_DOMAIN_HOME.

9.5 Install Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

Install Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager on different WebLogic servers with Oracle Access Manager and Oracle Adaptive Access Manager configured in the same or separate WebLogic domains.

Table 9-5 Required Components for Integration

Component Information

Access Manager

For information on installing and configuring Access Manager, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" and "Configuring Oracle Access Management" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

At installation, Access Manager is configured with the database policy store. The Access Manager and Oracle Adaptive Access Manager wiring requires the database policy store.

Oracle Adaptive Access Manager and Access Manager can be in a new WebLogic administration domain or in an existing one. They can be on the same domain or separate domains.

OAAM

For information on installing and configuring Oracle Adaptive Access Manager, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" and "Configuring Oracle Adaptive Access Manager" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

OIM

For more information, see "Installing and Configuring Oracle Identity and Access Management" and "Configuring Oracle Identity Manager" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note: When configuring Oracle Identity Manager, the LDAP directory must be preconfigured before you can use it as an Identity Store. Ensure that all installation instructions are followed, including any prerequisites for enabling LDAP synchronization. For more information, see:

in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note: You must create wlfullclient.jar when installing Oracle Identity Manager. This file must be present before performing the integration steps.


9.6 Integrate Access Manager and Oracle Identity Manager

Integration between Oracle Identity Manager and Access Manager is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

For more information, see Chapter 7, "Integrating Access Manager and Oracle Identity Manager."

9.7 Enable LDAP Synchronization for Oracle Identity Manager

Enabling LDAP synchronization for Oracle Identity Manager is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

Oracle Adaptive Access Manager will be working off the same directory with which Oracle Identity Manager is synchronizing.

Note:

The UID must match the CN of the newly created user in the LDAP store; otherwise, a login failure occurs.

For information about enabling LDAP synchronization for Oracle Identity Manager, see Chapter 3, "Enabling LDAP Synchronization in Oracle Identity Manager."

9.8 Integrate Access Manager and Oracle Adaptive Access Manager

This task involves integrating the Access Manager and Oracle Adaptive Access Manager components as part of integrating Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager to deliver password management and challenge-related functionality to Access Manager-protected applications.

Note:

In the integration of Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager, the IdentityManagerAccessGate profile should already exist since it is configured during the Access Manager and Oracle Identity Manager integration (see Section 9.6, "Integrate Access Manager and Oracle Identity Manager").

You configure the Access Manager and Oracle Adaptive Access Manager integration so that the OAAM server acts as a trusted partner application. The OAAM server uses the Trusted Authentication Protocol (TAP) to communicate the authenticated user name to the OAM Server after it performs strong authentication, and risk and fraud analysis. In this integration, the OAM Server is responsible for redirecting to the protected resource.

For information on integrating Oracle Adaptive Access Manager and Access Manager, refer to Chapter 8, "Integrating Access Manager and Oracle Adaptive Access Manager."

Table 9-6 lists the high-level tasks for integrating Access Manager and Oracle Adaptive Access Manager and provides references to where the instructions are located.

The configuration instructions assume Access Manager and Oracle Adaptive Access Manager are integrated using the out-of-the box integration.

Table 9-6 Integration Flow for Access Manager and Oracle Adaptive Access Manager

Number Task Information

1

Verify that all required components have been installed and configured prior to integration.

For information, see "Integration Prerequisites".

2

Ensure the Access Manager and OAAM Administration Consoles and managed servers are running.

For information, see "Restarting the Servers".

3

Create the OAAM Admin users and OAAM groups. Before you can access the OAAM Administration Console, you must create administration users.

For information, see "Creating the OAAM Admin Users and OAAM Groups".

4

Import the OAAM base snapshot. A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. For Oracle Adaptive Access Manager to be functional, you must import the snapshot into the system.

For information, see "Importing Oracle Adaptive Access Manager Snapshot".

5

Verify that Oracle Adaptive Access Manager is set up correctly by accessing the OAAM Server.

For information, see "Validating Initial Configuration of Oracle Adaptive Access Manager".

6

Register the WebGate agent. The WebGate is an out-of-the-box access client. This Web server access client intercepts HTTP requests for Web resources and forwards these to the OAM 11g Server.

For information, see "Registering WebGate Using the Oracle Access Management Console"

7

Register the OAAM server to act as a trusted partner application to Access Manager. A partner application is any application that delegates the authentication function to Access Manager 11g.

For information, see "Registering the OAAM Server as a Partner Application to Access Manager"

8

Set the agent password. When Access Manager is installed, a default agent profile called IAMSuiteAgent is created. This profile is used by Oracle Adaptive Access Manager when integrating with Access Manager. When the IAMSuiteAgent profile is first created, it has no password. You must set a password before the profile can be used by Oracle Adaptive Access Manager for integration.

For information, see "Setting the Agent Password"

9

Verify TAP partner registration using the Oracle Access Management tester.

For information, see "Verifying TAP Partner Registration".

10

Set up TAP integration properties in OAAM.

For information, see "Setting Up Access Manager TAP Integration Properties in OAAM".


9.9 Integrate Oracle Identity Manager and Oracle Adaptive Access Manager

This section describes how to integrate Oracle Identity Manager and Oracle Adaptive Access Manager for the three-way integration of Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager:

9.9.1 Set Oracle Identity Manager Properties for Oracle Adaptive Access Manager

In Oracle Identity Manager, the OIM.ChangePasswordURL and OIM.ChangePasswordURL properties must be set to valid OAAM URLs, and OIM.DisableChallengeQuestions must be set to true for Oracle Adaptive Access Manager to provide the challenge questions functionality instead of Oracle Identity Manager.

To modify Oracle Identity Manager properties, take these steps:

  1. Log in to the Oracle Identity Manager System Administrative Console.

  2. Click Configuration in System Management and under System Management, click the System Configuration link.

  3. In the pop-up window, click on Advanced Search.

  4. Set the following properties and click Save.

    Note:

    For the URLs, use the hostnames as they were configured in Access Manager. For example, if a complete hostname (with domain name) was provided during Access Manager configuration, use the complete hostname for the URLs.

    Table 9-7 Oracle Identity Manager Redirection

    Keyword Property Name and Value

    OIM.DisableChallengeQuestions

    TRUE

    OIM.ChangePasswordURL

    URL for change password page in Oracle Adaptive Access Manager

    (http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimChangePassword.jsp

    In a high availability (HA) environment, set this property to point to the virtual IP URL for the OAAM server.

    OIM.ChallengeQuestionModificationURL

    URL for challenge questions modification page in Oracle Adaptive Access Manager

    (http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimResetChallengeQuestions.jsp)


  5. Restart the Oracle Identity Manager managed server.

9.9.2 Update OAAM Properties to Enable Integration Between Oracle Identity Manager and OAAM

To set OAAM properties for Oracle Identity Manager:

  1. Log in to the OAAM Admin Console:

    http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin

    You must log in as a user with access to the Properties Editor.

  2. In the navigation tree, click Environment and double-click Properties. The Properties search page is displayed.

  3. To set a property value, enter its name in the Name field and click Search. The current value is shown in the search results window.

  4. Click Value. Enter the new value and click Save.

For the following properties, set the values according to your deployment:

Table 9-8 Configuring Oracle Identity Manager Property Values

Property Name Property Values

bharosa.uio.default.user.management.provider.classname

com.bharosa.vcrypt.services.OAAMUserMgmtOIM

oaam.oim.auth.login.config

${oracle.oaam.home}/../designconsole/config/authwl.conf

oaam.oim.url

t3://OIM-Managed-Server:OIM-Managed-Port

For example, t3://host.mycorp.com:14000

oaam.oim.xl.homedir

${oracle.oaam.home}/../designconsole

bharosa.uio.default.signon.links.enum.selfregistration.url

The URL for Self Registrations is as follows:

http://OIM-Managed-Server-Host:OIM-Managed-Server-Port/identity/faces/register?&backUrl=back-URL

bharosa.uio.default.signon.links.enum.trackregistration.url

The URL for Track Registrations is as follows:

http://OIM-Managed-Server-Host:OIM-Managed-Server-Port/identity/faces/trackregistration?&backUrl=back-URL

bharosa.uio.default.signon.links.enum.trackregistration.enabled

true

bharosa.uio.default.signon.links.enum.selfregistration.enabled

true

oaam.oim.csf.credentials.enabled

true

This property enables the configuring of credentials in the Credential Store Framework as opposed to maintaining them using the Properties Editor. This step is performed so that credentials can be securely stored in CSF.

oaam.oim.passwordflow.unlockuser

true

This property enables automatic unlocking of the user in the Forgot Password flow.


9.9.3 Configure Oracle Identity Manager Credentials in the Credential Store Framework

Oracle Adaptive Access Manager must have the credentials of an OIM Administrator in order to perform various activities. A key for Oracle Identity Manager WebGate credentials is created in MAP oaam. So that the OIM credentials can be securely stored in the Credential Store Framework, follow the steps below to add a password credential to the OAAM domain.

  1. Log in to the Oracle Fusion Middleware Enterprise Manager Console:

    http://weblogic_host:administration_port/em.

    You must log in as a WebLogic Administrator. For example, WebLogic.

  2. Expand the Base_Domain icon in the navigation tree in the left pane.

  3. Select your domain name, right click, and select the menu option Security and then the option Credentials in the sub menu.

  4. Click Create Map.

  5. Click oaam to select the map, then click Create Key.

  6. In the pop-up dialog, ensure that Select Map is oaam.

  7. Provide the following properties and click OK.

    Table 9-9 Oracle Identity Manager Credentials

    Name Value

    Map Name

    oaam

    Key Name

    oim.credentials

    Key Type

    Password

    UserName

    User name of Oracle Identity Manager Administrator

    Password

    Password of Oracle Identity Manager Administrator


9.9.4 Configure Cross Domain Trust Between Oracle Identity Manager and Oracle Adaptive Access Manager

If Oracle Identity Manager and Oracle Adaptive Access Manager are in separate domains, you must configure cross domain trust.

Configure Cross-Domain Trust in the Oracle Adaptive Access Manager Domain

  1. Log in to WebLogic Administration Console of Oracle Adaptive Access Manager.

  2. Click the domain and select the Security tab.

  3. Expand the Advanced section.

  4. Select Cross domain security enabled.

  5. Select a shared secret and type it in the Credential and Confirm Credential fields.

  6. Save the configuration changes.

Configure Cross-Domain Trust in the Oracle Identity Manager Domain

  1. Log in to WebLogic Administration Console of Oracle Identity Manager.

  2. Click the domain and select the Security tab.

  3. Expand the Advanced section.

  4. Select Cross domain security enabled.

  5. Select a shared secret and type it in the Credential and Confirm Credential fields.

    Use the same shared secret you used when you were configuring cross-domain trust in the OAAM domain.

  6. Save the configuration changes.

9.10 Other Configuration Tasks

This section contains additional topics pertaining to Access Manager, OAAM, and OIM integration configuration and management. Depending on your requirements, you may need to perform tasks in addition to those documented above.

For information related to Access Manager and OAAM integration, refer to Section 8.5, "Other Access Manager and OAAM Integration Configuration Tasks."

9.11 Troubleshooting Common Problems

This section describes common problems you might encounter in an Access Manager, OAAM, and OIM integrated environment, and explains how to solve them. It contains the following topics:

In addition to this section, review the Oracle Fusion Middleware Error Messages Reference for information about the error messages you may encounter.

For information about additional troubleshooting resources, see Section 1.7, "Using My Oracle Support for Additional Troubleshooting Information."

9.11.1 User Encounters a Non-Working URL

You encounter a non-working URL. For example, you click the Forgot Password link, but are redirected to the login page.

Cause

Policies and challenge questions are not available as expected in your Oracle Adaptive Access Manager environment.

Solution

Ensure that the default base policies and challenge questions shipped with Oracle Adaptive Access Manager have been imported into your system. For details, see "Setting Up the Oracle Adaptive Access Manager Environment" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

9.11.2 User is Redirected in a Loop After User Enters Wrong Password

A user is re-directed in a loop when he enters an incorrect password.

Cause

Value for the login page is incorrect.

Solution

If redirect loops occur when users enter incorrect passwords, then verify that the oaam.uio.login.page property is set properly in the OAAM Properties page. The value for the oaam.uio.login.page property should be set to /oaamLoginPage.jsp. For information on setting properties in Oracle Adaptive Access Manager, see "Using the Properties Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

9.11.3 Two User Sessions are Created upon Successful Authentication

Access Manager creates two concurrent sessions when the user logs in through OAAM and is successfully authenticated through Access Manager.

Cause

In an Access Manager, OAAM, and OIM integrated environment, any authentication results in two user sessions being created in Oracle Access Management Access Manager (visible in Oracle Access Management Console under Session Management, and in the OAM_SESSIONS table in MDS).

One session is created by the IAMSuiteAgent (which is configured in OAAM as the java agent as part of the OAAM-OAM configuration); and the other session is created by the actual WebGate (within the OHS web tier).

Solution

Check the value of the property oaam.uio.oam.authenticate.withoutsession.