This chapter explains how Oracle Access Management Access Manager (Access Manager) integrates with Oracle Identity Navigator. Using this integration scenario, you can protect Oracle Identity Navigator with Access Manager using a Webgate agent. The instructions in this chapter assume that Oracle Internet Directory is configured as the Identity Store. Other component configurations are possible. Refer to the system requirements and certification documentation on Oracle Technology Network for more information about supported configurations.
Note: This is a specific example of Access Manager used to protect URLs. Although it outlines the general approach for this type of configuration, you are not limited to using the exact steps and components used here. For example, Oracle Internet Directory is one of several identity stores certified with Access Manager 11g.
Note: Beginning with release 11.1.1.5.0, Oracle Identity Navigator is protected by the domain agent out-of-the-box. In earlier releases this was not the case, and manual configuration was required to protect the URLs.
This chapter contains this section:
You can use Access Manager to SSO-enable the Oracle Identity Navigator Administration Console using any Access Manager authentication scheme as the challenge method.
The prerequisites are as follows:
- Oracle HTTP Server has been installed. When installing Oracle HTTP Server, deselect Oracle WebCache and associate the selected components with the WebLogic domain.
- Access Manager 11g has been installed and configured properly.
- Oracle HTTP Server 11g has been installed and configured as a front-ending proxy web server for Oracle Identity Navigator.
- Access Manager 11g Webgate for Oracle HTTP Server 11g has been installed on the Oracle HTTP Server 11g.
See Also: Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for details about installing the listed components.
The high-level SSO-enablement steps are as follows:
1. Use the Oracle Access Management Administration Console to configure a new resource for the agent under which the Oracle Identity Navigator URL is to be protected. For information, see Configure a New Resource for the Agent.
2. Configure Oracle HTTP Server to point to the Access Manager domain which has the resources and policies configured. For information, see Configure Oracle HTTP Server for the Access Manager Domain.
3. Use the Oracle WebLogic Server Administration Console to add the two new identity providers, namely OAMIdentityAsserter and OIDAuthenticator. For information, see Add New Identity Providers.
4. Use Oracle Directory Services Manager (ODSM) to grant administrator privileges to the login user. For information, see Add New Identity Providers.
5. Use a WLST command to enable access to more than one application using multiple tabs in a browser session. For information, see Configure Access to Multiple Applications.
Perform these steps in the Oracle Access Management Administration Console:
1. Select the Policy Configuration tab.
2. Under Application Domains, select the agent under which the Oracle Identity Navigator URL is to be protected (for example, OIMDomain).
3. Choose Resources and click the create icon to add a new resource. Enter the type, the host identifier, and the resource URL value (/oinav/…/*), and click Apply.
4. Choose Protected Policy, or whichever policy uses the LDAP authentication scheme. In the resources table, click the add icon and choose the Oracle Identity Navigator URL (/oinav/…/*) from the drop-down list.
5. Repeat the previous step for the Authorization Policy.
Perform these steps to ensure that Oracle HTTP Server front-ends the Oracle WebLogic Server container where Oracle Identity Navigator is installed:
1. Navigate to the Oracle HTTP Server config directory (for example, /scratch/mydir1/oracle/product/11.1.1/as_1/instances/instance1/config/OHS/ohs1) and find the mod_wl_ohs.conf file.
2. In the <IfModule mod_weblogic.c> block, add the WebLogic host and port that serve the Oracle Identity Navigator URL to be protected. For example:
   MatchExpression /oinav* WebLogicHost=host WebLogicPort=port
3. Restart Oracle HTTP Server from the Oracle HTTP Server instance bin directory (for example, /scratch/mydir1/oracle/product/11.1.1/as_1/instances/instance1/bin) by executing the following command:
   ./opmnctl restartproc ias-component=ohs1
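The configuration edit and restart from the steps above, scripted so that it can be re-run safely, as an added shell example (not from the Oracle documentation). It assumes mod_wl_ohs.conf already contains a <IfModule mod_weblogic.c> ... </IfModule> block, that opmnctl lives in the instance bin directory passed to restart_ohs, and the host name and port in the usage comment are placeholders; any conf file contents used to try it are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation.
# Assumes: mod_wl_ohs.conf has a <IfModule mod_weblogic.c> ... </IfModule> block,
# and opmnctl is in the instance bin directory given to restart_ohs.

# Insert "MatchExpression /oinav* WebLogicHost=<host> WebLogicPort=<port>" at the
# end of the mod_weblogic block unless an /oinav* MatchExpression is already present
# (so running twice does not duplicate the line). Returns 2 and leaves the file
# untouched if no mod_weblogic block exists, so a wrong path is not silently ignored.
add_oinav_match() {
  conf="$1"; host="$2"; port="$3"
  ins="MatchExpression /oinav* WebLogicHost=$host WebLogicPort=$port"
  if grep -q '^[[:space:]]*MatchExpression[[:space:]]*/oinav\*' "$conf"; then
    return 0
  fi
  tmp="$conf.tmp.$$"
  awk -v ins="$ins" '
    /<IfModule[ \t]+mod_weblogic\.c>/ { inblk = 1 }
    inblk && /<\/IfModule>/ { print "  " ins; inblk = 0; done = 1 }
    { print }
    END { if (!done) exit 2 }
  ' "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
  mv "$tmp" "$conf"
}

# Restart the OHS component through OPMN (the chapter's opmnctl restartproc call).
# Fails clearly when the bin directory does not contain opmnctl.
restart_ohs() {
  bin_dir="$1"; component="${2:-ohs1}"
  if [ ! -x "$bin_dir/opmnctl" ]; then
    echo "opmnctl not found in $bin_dir" >&2
    return 1
  fi
  "$bin_dir/opmnctl" restartproc ias-component="$component"
}

# Typical use with the chapter's example instance paths (host/port are placeholders):
#   add_oinav_match /scratch/mydir1/oracle/product/11.1.1/as_1/instances/instance1/config/OHS/ohs1/mod_wl_ohs.conf wlshost 7001
#   restart_ohs /scratch/mydir1/oracle/product/11.1.1/as_1/instances/instance1/bin ohs1
```

The idempotency check matters because this file is often edited by several people: a second MatchExpression for the same path would be silently accepted by mod_wl_ohs and could route /oinav traffic to a different backend than the one the Access Manager policy was written for.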
Perform these steps to add two new identity providers and grant administrator privileges to the login user:
1. Using the Oracle WebLogic Server Administration Console, navigate to Security Realms, then myrealm, then Providers.
2. Add these two providers: OAMIdentityAsserter and OIDAuthenticator.
3. Set the Control Flag of the OAMIdentityAsserter to Required.
4. Update the following settings in the OIDAuthenticator:
   - Set the Control Flag to Sufficient.
   - Select the Provider Specific tab and supply the host, port, and credentials of the Oracle Internet Directory server, together with the other LDAP settings the OID Authenticator requires. The users and groups in the LDAP directory are then reflected in the console.
5. Use Oracle Directory Services Manager (ODSM) to give the administrator privilege to the login user:
   a. Create a user in the LDAP server that is associated with Access Manager, for example: uid=testuser,cn=users,dc=us,dc=oracle,dc=com
   b. Create an Administrators group in the LDAP directory, namely cn=Administrators,cn=groups,dc=us,dc=oracle,dc=com
   c. Assign the Administrators role to the user testuser by adding the user to the Administrators group.
   You can now test SSO to Oracle Identity Navigator as this user.
6. Re-order the providers as follows:
   OAMIdentityAsserter
   OIDAuthenticator
   Default Authenticator
   Default Identity Asserter
7. Restart Oracle WebLogic Server.
8. Enter the protected Oracle Identity Navigator URL, which uses the host and port of the Oracle HTTP Server install:
   http://OHSHost:OHSPort/oinav/faces/idmNag.jspx
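The ODSM step above (create the user, create the Administrators group, make the user a member) expressed as LDIF that an OpenLDAP-style ldapmodify can apply, as an added shell example that is not from the Oracle documentation. The DNs are the ones the chapter names; the object classes (inetOrgPerson for the user, groupOfUniqueNames for the group) and the ldapmodify flags are generic LDAP choices assumed here, not values taken from the chapter, and the password is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation.
# Assumes generic LDAP object classes (inetOrgPerson, groupOfUniqueNames) and an
# OpenLDAP-style ldapmodify client; adjust for the schema your directory enforces.

# "uid=testuser,cn=users,..." -> "testuser"; "cn=Administrators,cn=groups,..." -> "Administrators"
rdn_value() {
  _rdn="${1%%,*}"
  printf '%s\n' "${_rdn#*=}"
}

# LDIF to create the login user.  $1 = user DN, $2 = initial password (constructed).
make_user_ldif() {
  _uid=$(rdn_value "$1")
  cat <<EOF
dn: $1
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: $_uid
cn: $_uid
sn: $_uid
userPassword: $2

EOF
}

# LDIF to create the Administrators group.  $1 = group DN, $2 = DN of the first member.
# groupOfUniqueNames requires at least one uniqueMember, so the first member is set
# when the group is created; that single add is what grants testuser the role.
make_group_ldif() {
  _cn=$(rdn_value "$1")
  cat <<EOF
dn: $1
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: $_cn
uniqueMember: $2

EOF
}

# LDIF to add a further member to an existing group.  $1 = group DN, $2 = DN to add.
add_member_ldif() {
  cat <<EOF
dn: $1
changetype: modify
add: uniqueMember
uniqueMember: $2

EOF
}

# Apply an LDIF file.  $1 = LDAP URL, $2 = bind DN, $3 = LDIF file; the bind
# password is prompted for (-W) rather than placed on the command line.
# ldapmodify honours the changetype: lines, so one tool handles both adds and modifies.
apply_ldif() {
  ldapmodify -H "$1" -D "$2" -W -f "$3"
}

# Typical use:
#   { make_user_ldif 'uid=testuser,cn=users,dc=us,dc=oracle,dc=com' 'ChangeMe1' ;
#     make_group_ldif 'cn=Administrators,cn=groups,dc=us,dc=oracle,dc=com' \
#                     'uid=testuser,cn=users,dc=us,dc=oracle,dc=com' ; } > admin.ldif
#   apply_ldif ldap://oidhost:3060 'cn=orcladmin' admin.ldif
```

Keeping the change set in a file gives you a reviewable record of exactly who was put into the Administrators group, which is the entry that controls who can administer Oracle Identity Navigator once SSO is enabled.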
The following applies when SSO protection is provided by an 11g OAM Server. Perform these steps to configure access to applications using multiple tabs in a single browser session by changing the request cache type to FORM:
1. Stop the Access Manager Managed Servers.
2. Execute the following online Access Manager WLST command:
   configRequestCacheType(type='FORM')
3. Restart the Access Manager Managed Servers.