9 Integrating Access Manager, OAAM, and OIM

The Oracle Access Management Access Manager (Access Manager), Oracle Adaptive Access Manager (OAAM), and Oracle Identity Manager (OIM) integration provides controlled access to resources with Access Manager, strong multi-factor authentication and advanced real-time fraud prevention with OAAM, and self-service password management with OIM.

This chapter describes how to integrate Oracle Access Management Access Manager (Access Manager), Oracle Identity Manager (OIM), and Oracle Adaptive Access Manager.

9.1 About Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager Integration

In the Oracle Access Management Access Manager (Access Manager), Oracle Adaptive Access Manager (OAAM), and Oracle Identity Manager (OIM) integration, the secure password collection features of the last two products are added to Access Manager-protected applications.

The range of secure password collection and challenge-related functionality includes:

  • Fine control over the authentication process and full capabilities of pre-authentication and post-authentication checking against OAAM policies. Access Manager acts as the authenticating and authorizing service, while Oracle Adaptive Access Manager provides the rich, strong authenticators and performs risk and fraud analysis.

  • Robust challenge question feature set in Oracle Adaptive Access Manager that replaces the more limited set in Oracle Identity Manager

  • Control of password validation, storage, and propagation duties and workflow capabilities

  • Ability to create and reset the password without assistance for expired and forgotten passwords

  • Secure access to multiple applications with one authentication step

In 11g Release 2 (11.1.2.1.0), Access Manager does not provide its own identity service; instead, Access Manager:

  • Consumes identity services provided by Oracle Identity Manager, LDAP directories, and other sources; and

  • Integrates with Oracle Identity Manager and Oracle Adaptive Access Manager to deliver a range of secure password collection functionality to Access Manager-protected applications.

Responsibilities are divided as follows:

Table 9-1 Responsibilities for Each Component in Integration

Component Responsibilities

Oracle Adaptive Access Manager

Responsible for:

  • Running real-time risk analysis rules before and after authentication

  • Navigating the user through login, challenge, registration, and self-service flows

Oracle Identity Manager

Responsible for:

  • Provisioning users to add, modify, or delete users

  • Managing passwords through Reset Password or Change Password flows

Access Manager

Responsible for:

  • Authenticating and authorizing users

  • Providing advanced status flags such as Reset Password, Password Expired, User Locked, and others


9.1.1 Deployment Options for Strong Authentication

In the integration scenario, Access Manager acts as the authenticating and authorizing module, while Oracle Adaptive Access Manager provides strong authenticators and performs the risk and fraud analysis.

There are two ways that Access Manager can leverage the strong authentication capabilities of Oracle Adaptive Access Manager:

  • OAAM Basic Integration with Access Manager

    Access Manager users who want to add login security, including Knowledge Based Authentication (KBA), may use OAAM Basic integration with Access Manager (OAAM Basic Integration). This option still requires an OAAM Admin Server, but it does not require the deployment of a separate OAAM Server. The functionality is accessed through native OAAM calls. The OAAM Basic Integration option has a smaller footprint than the OAAM Advanced Integration with Access Manager (OAAM Advanced Integration) option.

    The OAAM Basic Integration differs from the OAAM Advanced Integration in that it does not provide access to more advanced features such as One-Time Password (OTP) through Short Message Service (SMS), email, or Instant Messaging (IM). In addition, this native integration is not customizable beyond basic screen branding.

  • OAAM Advanced Integration with Access Manager

    Access Manager users who want advanced features and customizations beyond that available with native integration may use OAAM Advanced Integration with Access Manager (OAAM Advanced Integration). Leveraging the Java Oracle Access Protocol (OAP) library, the integration of Access Manager and Oracle Adaptive Access Manager requires a full OAAM deployment.

For implementation details, see Chapter 8, "Integrating Oracle Adaptive Access Manager with Access Manager".

9.1.2 Deployment Options for Password Management

You can implement password management features for Access Manager-protected applications by integrating Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager.

This section explains the deployment options for password management. For more information about the scenarios that are supported by each deployment, and the flow that achieves each scenario, see Section 1.5, "Common Integration Scenarios".

In the context of password management, Access Manager works in different deployment modes:

  1. Access Manager and Oracle Identity Manager integrated for authentication and password management.

    For details, see Section 1.5.3.1, "Access Manager Integrated with Oracle Identity Manager."

  2. Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager integrated for authentication, password management, fraud detection, and additional capabilities.

    For details of the processing flow, see Section 1.5, "Common Integration Scenarios".

    For implementation details, see Section 9.3, "Integration Roadmap."

  3. Access Manager also provides a password policy management feature through the Oracle Access Management Console. The password policy is applied to all resources protected by Access Manager. This feature is not used in the Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration documented in this chapter. For more information about this Oracle Access Management feature, see "Managing Common Services, Certificate Validation, and Password Policy" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

9.2 Definitions, Acronyms, and Abbreviations

This section provides key definitions, acronyms, and abbreviations that are related to the Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager integration.

Table 9-2 Advanced Integration Terms

Term Definition

Action

Oracle Adaptive Access Manager provides functionality to calculate the risk of an access request, an event or a transaction, and determine proper outcomes to prevent fraud and misuse. The outcome can be an action, which is an event activated when a rule is triggered. For example: block access, challenge question, ask for PIN or password, and so on.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Advanced integration with Access Manager

The "Advanced" option is an integration of Access Manager and a full deployment of Oracle Adaptive Access Manager, with or without integrating Oracle Identity Manager.

  • An Access Manager and Oracle Adaptive Access Manager integration with a full OAAM deployment without Oracle Identity Manager. This option provides authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms, and additional advanced security access features, such as step up authentication. It includes advanced features and extensibility such as OTP Anywhere, challenge processor framework, shared library framework, and secure self-service password management flows.

  • An Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration. This option provides advanced features and customizations beyond that available with native integration. Leveraging the Java OAP library, the integration of Access Manager and Oracle Adaptive Access Manager requires a full OAAM deployment.

Alert

Alerts are messages that indicate the occurrence of an event. An event can be that a rule was triggered, a trigger combination was met or an override was used.

Alert groups are used as results within rules so that when a rule is triggered all of the alerts within the groups are created.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Authentication

Authentication is the process of verifying a person's, device's, or application's identity. Authentication deals with the question "Who is trying to access my services?"

Authentication Level

Access Manager supports various authentication levels; each resource is configured with one, so that resources can be given the discrete level of security their sensitivity requires. Discrete authentication levels distinguish highly protected resources from other resources. The TAP token sent by Access Manager provides parameters related to the authentication level.

The trust level of the authentication scheme reflects the challenge method and degree of trust used to protect transport of credentials from the user.

The trust level is expressed as an integer value between 0 (no trust) and 99 (highest level of trust).

Note: After a user is authenticated for a resource at a specified level, the user is automatically authenticated for other resources in the same application domain or in different application domains, if the resources have the same or a lower trust level as the original resource.

Current Authentication level is the current authentication level of the user.

Target Authentication level is the authentication level required to access the protected resource.

Authorization

Authorization regards the question "Who can access what resources offered by which components?"

Authentication Scheme

Access to a resource or group of resources can be governed by a single authentication process known as an authentication scheme. An authentication scheme is a named component that defines the challenge mechanism required to authenticate a user. Each authentication scheme must also include a defined authentication module.

When you register a partner (either using the Oracle Access Management Console or the remote registration tool), the application domain that is created is seeded with a policy that uses the authentication scheme that is set as the default scheme. You can choose any of the existing authentication schemes as the default for use during policy creation.

Authentipad Checkpoint

The Authentipad checkpoint determines the type of device to use based on the purpose of the device.

Basic Integration of Access Manager and OAAM

Access Manager users wishing to add login security, including Knowledge Based Authentication (KBA), may use the Basic (native) integration option. This option will still require an OAAM Admin Server, but it does not require a separate deployment of the OAAM Server (the functionality is accessed through native OAAM calls); therefore, the footprint is reduced.

The native integration does not provide access to more advanced features such as One-Time Password (OTP) through SMS, email, or IM. The native integration is not customizable beyond basic screen branding.

Blocked

A user is blocked when a policy has found certain conditions to be "true" and is set up to respond to these conditions with a "Block" action. If those conditions change, the user may no longer be "blocked." The "Blocked" status is not necessarily permanent and therefore may or may not require an administrator action to resolve.

Challenge Parameters

Challenge parameters are short text strings consumed and interpreted by WebGates and Credential Collector modules to operate in the manner indicated by those values. The syntax for specifying any challenge parameter is:

<parameter>=<value>

This syntax is not specific to any WebGate release (10g versus 11g). Authentication schemes are independent of WebGate release.

Challenge Questions

Challenge Questions are a finite list of questions used for secondary authentication.

During registration, users are presented with several question menus; for example, a user may be presented with three question menus. A user must select one question from each menu and enter answers for them during registration. Only one question from each question menu can be registered. These questions become the user's "registered questions."

When rules in OAAM Admin trigger challenge questions, OAAM Server displays the challenge questions and accepts the answers in a secure way for users. The questions can be presented in the QuestionPad, TextPad, and other virtual authentication devices, where the challenge question is embedded into the image of the authenticator, or simple HTML.

Checkpoint

A checkpoint is a specified point in a session when Oracle Adaptive Access Manager collects and evaluates security data using the rules engine.

Examples of checkpoints are:

  • Pre-authentication: Rules are run before a user completes the authentication process.

  • Post-authentication: Rules are run after a user is successfully authenticated.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Delegated Authentication Protocol

The Delegated Authentication Protocol (DAP) challenge mechanism indicates that Access Manager does an assertion of the token that it receives, which differs from the standard challenge "FORM" mechanism with the external option.

Device

A device is a computer, PDA, cell phone, kiosk, or other web-enabled device used by a user.

Device fingerprinting

Device fingerprinting collects information about the device such as browser type, browser headers, operating system type, locale, and so on. Fingerprint data represents the data collected for a device during the login process that is required to identify the device whenever it is used to log in. The fingerprinting process produces a fingerprint that is unique to the user and designed to protect against "replay attacks" and the "cookie-based registration bypass" process. The fingerprint details help to identify a device, check whether it is secure, and determine the risk level for the authentication or transaction.

A customer typically uses these devices to log in: PC, notebook, mobile phone, smart phone, or other web-enabled machines.

Knowledge Based Authentication (KBA)

Knowledge-based authentication (KBA) is a secondary authentication method that provides an infrastructure based on registered challenge questions.

It enables end-users to select questions and provide answers which are used to challenge them later on.

Security administration includes:

  • Registration logic to manage the registration of challenge questions and answers

  • Answer Logic to intelligently detect the correct answers in the challenge response process

  • Validations for answers given by a user at the time of registration

For information, see "Managing Knowledge-Based Authentication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

KeyPad

Virtual keyboard for entry of passwords, credit card numbers, and so on. The KeyPad protects against Trojans and keyloggers.

LDAPScheme

The Authentication scheme used to protect Access Manager-related resources (URLs) for most directory types based on a form challenge method.

Multi-Level Authentication

Every authentication scheme requires an authentication level. The lower this number, the less stringent the scheme. A higher level number indicates a more secure authentication mechanism.

Single sign-on (SSO) capability enables users to access more than one protected resource or application with a single sign in. After a successful user authentication at a specific level, the user can access one or more resources protected by one or more application domains. However, the authentication schemes used by the application domains must be at the same level (or lower). When a user accesses a resource protected with an authentication level that is greater than the level of his current SSO token, he is re-authenticated. In the Step Up Authentication case, the user maintains his current level of access even if failing the challenge presented for the higher level. This is "additional authentication".

For information, see "Managing Authentication and Shared Policy Components" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Oracle Access Protocol (OAP)

Oracle Access Protocol (OAP) enables communication between Access System components (for example, OAM Server, WebGate) during user authentication and authorization. This protocol was formerly known as NetPoint Access Protocol (NAP) or COREid Access Protocol.

One-time Password (OTP)

One-time Password is a risk-based challenge solution consisting of a server-generated one-time password delivered to an end user via a configured out-of-band channel. Supported OTP delivery channels include short message service (SMS), email, and instant messaging. OTP can be used to complement KBA challenge or instead of KBA. Both OTP and KBA can also be used alongside practically any other authentication type required in a deployment. Oracle Adaptive Access Manager also provides a challenge processor framework. This framework can be used to implement custom risk-based challenge solutions combining third-party authentication products or services with OAAM real-time risk evaluations.

For information, see "Setting Up OTP Anywhere" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Access Manager and Oracle Adaptive Access Manager TAP Integration

In Access Manager and OAAM TAP Integration, OAAM Server acts as a trusted partner application. After it performs strong authentication and risk and fraud analysis, the OAAM Server uses the Trusted Authentication Protocol (TAP) to communicate the authenticated user name to the OAM Server, and the OAM Server owns the responsibility of redirecting to the protected resource.

OAAM Admin

OAAM Administration Console. Web application used to administer the environment and all Adaptive Risk Manager and Adaptive Strong Authenticator features.

OAMAdminConsoleScheme

Authentication scheme for Oracle Access Management Console.

OAAMAdvanced

Authentication scheme that protects resources with an external context type. This authentication scheme is used when complete integration with OAAM is required. A WebGate must front end the partner.

OAAMBasic

Authentication scheme that protects resources with a default context type. This scheme should be used when OAAM Basic integration with Access Manager is required. Here, advanced features like OTP are not supported.

OAAM Server

Runtime component that includes the rules engine and end-user interface flows. It provides adaptive risk manager and adaptive strong authentication features, Web services, LDAP integration, and the user Web application, which is used in all deployment types except native integration.

Policies

Policies contain security rules and configurations used to evaluate the level of risk at each checkpoint.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Post-authentication rules

Rules are run after a user is successfully authenticated.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Pre-authentication rules

Rules are run before a user completes the authentication process.

For information, see "Managing Policies, Rules, and Conditions" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Profile

The customer's registration information including security phrase, image, challenge questions, challenge (question and OTP) counters, and OTP.

Protection level

There are three protection levels from which to choose:

  • Protected (the default). Protected resources are associated with a protected-level Authentication policy that uses a variety of authentication schemes (LDAP, for example). Authorization policies are allowed for protected resources. Responses, constraints, auditing, and session management are enabled for protected resources using a policy that protects the resource.

  • Unprotected. Unprotected resources are associated with an unprotected-level Authentication policy (level 0) that can use a variety of authentication schemes (LDAP, for example). Authorization policies are allowed for unprotected resources, and a basic one is needed to allow such access. However, an elaborate policy with constraints and responses is irrelevant. Responses, constraints, and auditing are enabled for Unprotected resources using a policy that protects the resource. Only Session Management is not enabled. Access to Unprotected resources incurs an OAM Server check from WebGate, which can be audited.

  • Excluded (these are public). Only HTTP resource types can be excluded; typically these are security-insensitive files such as images (*.jpg, *.png). Resources with protection level Excluded do not require an OAM Server check for Authentication, Authorization, Response processing, Session management, or Auditing. Excluded resources cannot be added to any user-defined policy in the Oracle Access Management Console. The WebGate does not contact the OAM Server while allowing access to excluded resources; therefore, such access is not audited. Most regular resource validations apply to Excluded resources. However, excluded resources are not listed when you add resources to a policy. There is no Authentication or Authorization associated with the resource. Note: If a resource protection level is modified from "Protected" to "Excluded" and a policy exists for that resource, the modification will fail until the resource is first disassociated from the policy.

Registration

Registration is the enrollment process, the opening of a new account, or other event where information is obtained from the user.

During the Registration process, the user is asked to register for questions, image, phrase and OTP (email, phone, and so on) if the deployment supports OTP. Once successfully registered, OTP can be used as a secondary authentication to challenge the user.

Risk score

OAAM risk scoring is a product of numerous fraud detection inputs such as a valid user, device, location, and so on. These inputs are weighted and analyzed within the OAAM fraud analytics engine. The policy generates a risk score based on dozens of attributes and factors. Depending on how the rules in a policy are configured, the system can yield an elevated risk score for more risky situations and lower scores for lower-risk situations. The degree of elevation can be adjusted with the weight assigned to the particular risk. The risk score is then used as an input in the rules engine. The rules engine evaluates the fraud risk and makes a decision on the action to take.

Rules

Fraud rules are used to evaluate the level of risk at each checkpoint. For information on policies and rules, see the "OAAM Policy Concepts and Reference" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

Single sign-on (SSO)

Single sign-on (SSO) is a process that gives users the ability to access multiple protected resources (Web pages and applications) with a single authentication.

Step Up Authentication

Step Up Authentication occurs when a user is attempting to access a resource more sensitive than ones he had already accessed in this session. To gain access to the more sensitive resource, a higher level of assurance is required. Oracle Access Management resources are graded by authentication level, which defines the relative sensitivity of a resource.

For example, if a user accesses a corporate portal home page that is defined as authentication level 3, a basic password authentication is required. The time card application that links off the portal home is more sensitive than the portal home page, so the application is defined as authentication level 4, which requires basic password and risk-based authentication provided by Oracle Adaptive Access Manager. So, if a user logs in to the portal with a valid user name and password, and then clicks the time card link, his device is fingerprinted and risk analysis determines if additional authentication, such as a challenge question, is required to allow him access.
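The level comparison described under Authentication Level, Multi-Level Authentication, and this Step Up Authentication entry, modelled as an added Python illustration (not Oracle code; class names, the audit trail, and the rule that a successful authentication never lowers the session level are assumptions):

```python
"""Authentication-level decisions for SSO and step-up, as this chapter states them.

Added illustration, not Oracle code. Rules encoded: a session at level N
satisfies any resource whose scheme level is N or lower; a higher target
level forces re-authentication (step-up); a failed step-up leaves the user
at the level already held. All names below are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

MIN_LEVEL, MAX_LEVEL = 0, 99  # trust-level range given in the chapter


def is_valid_level(level: int) -> bool:
    """True when `level` lies in the 0 (no trust) .. 99 (highest trust) range."""
    return isinstance(level, int) and MIN_LEVEL <= level <= MAX_LEVEL


class Decision(Enum):
    ALLOW = "allow"                          # current level >= target level
    STEP_UP = "step_up"                      # re-authenticate at the target level
    NOT_AUTHENTICATED = "not_authenticated"  # no SSO token in this session


@dataclass(frozen=True)
class Resource:
    name: str
    target_level: int  # level of the authentication scheme protecting it

    def __post_init__(self) -> None:
        if not is_valid_level(self.target_level):
            raise ValueError(f"level must be {MIN_LEVEL}..{MAX_LEVEL}: {self.target_level}")


@dataclass
class SsoSession:
    user: str
    current_level: Optional[int] = None  # None until the first authentication
    audit: List[str] = field(default_factory=list)  # assumed: simple audit trail

    def evaluate(self, resource: Resource) -> Decision:
        """Decide whether the existing SSO token satisfies the resource's level."""
        if self.current_level is None:
            decision = Decision.NOT_AUTHENTICATED
        elif resource.target_level <= self.current_level:
            decision = Decision.ALLOW      # same or lower level: no re-authentication
        else:
            decision = Decision.STEP_UP    # higher level: additional authentication
        self.audit.append(f"{self.user} -> {resource.name}: {decision.value}")
        return decision

    def authenticate(self, level: int, succeeded: bool) -> Optional[int]:
        """Record the outcome of an authentication (or step-up) at `level`.

        Success raises the session to `level` (assumption: never lowers it).
        Failure keeps whatever level the session already holds, so a failed
        step-up does not cost the user the resources reachable at that level.
        """
        if not is_valid_level(level):
            raise ValueError(f"level must be {MIN_LEVEL}..{MAX_LEVEL}: {level}")
        if succeeded:
            self.current_level = max(level, self.current_level or MIN_LEVEL)
            self.audit.append(f"{self.user}: authenticated at level {level}")
        else:
            self.audit.append(f"{self.user}: authentication at level {level} failed")
        return self.current_level


def chapter_scenario() -> List[Tuple[str, str]]:
    """Walk through the chapter's portal (level 3) / time card (level 4) example."""
    portal = Resource("portal-home", 3)
    timecard = Resource("time-card", 4)
    s = SsoSession("alice")  # constructed sample user
    steps: List[Tuple[str, str]] = []
    steps.append(("portal, no token", s.evaluate(portal).value))
    s.authenticate(3, succeeded=True)       # password login at level 3
    steps.append(("portal after login", s.evaluate(portal).value))
    steps.append(("time card at level 3", s.evaluate(timecard).value))
    s.authenticate(4, succeeded=False)      # risk-based challenge failed
    steps.append(("portal after failed step-up", s.evaluate(portal).value))
    steps.append(("time card after failed step-up", s.evaluate(timecard).value))
    s.authenticate(4, succeeded=True)       # challenge answered correctly
    steps.append(("time card after step-up", s.evaluate(timecard).value))
    return steps


if __name__ == "__main__":
    for label, outcome in chapter_scenario():
        print(f"{label:32s} {outcome}")
```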

Strong Authentication

An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance.

Using more than one factor is sometimes called strong authentication or multi-factor authentication.

TAP

TAP stands for Trusted Authentication Protocol. It is used when authentication is performed by a third party and Access Manager asserts the token sent back. After asserting the token, Access Manager creates its cookie and continues the normal single sign-on flow. A trust mechanism exists between the OAM Server and the external third party that performs the authentication. In this scenario, Access Manager acts as an asserter and not as an authenticator.

TAPScheme

This is the authentication scheme that is used to protect resources in an Access Manager and OAAM integration that uses TAP. If you want two TAP partners with different tapRedirectUrls, create a new authentication scheme using the Oracle Access Management Console and use that scheme.

When configured, this authentication scheme can collect context-specific information before submitting the request to the Access Server. Context-specific information can be in the form of an external call for information.

TextPad

Personalized device for entering a password or PIN using a regular keyboard. This method of data entry helps to defend against phishing. TextPad is often deployed as the default for all users in a large deployment; each user can then individually upgrade to another device if they wish. The personal image and phrase a user registers and sees every time they log in to the valid site serve as a shared secret between user and server.

Virtual authentication device

A personalized device for entering a password or PIN or an authentication credential entry device. The virtual authentication devices harden the process of entering and transmitting authentication credentials and provide end users with verification they are authenticating on the valid application.

Web Agent

A single sign-on agent (also known as a policy-enforcement agent, or simply an agent) is any front-ending entity that acts as an access client to enable single sign-on across enterprise applications.

To secure access to protected resources, a Web server, Application Server, or third-party application must be associated with a registered policy enforcement agent. The agent acts as a filter for HTTP requests, and must be installed on the computer hosting the Web server where the application resides.

Individual agents must be registered with Access Manager 11g to set up the required trust mechanism between the agent and OAM Server. Registered agents delegate authentication tasks to the OAM Server.

WebGate

Web server plug-in that acts as an access client. WebGate intercepts HTTP requests for Web resources and forwards them to the OAM Server for authentication and authorization.


9.3 Integration Roadmap

Table 9-3 lists the high-level tasks for integrating Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

Table 9-3 Integration Flow for Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager

  1. Verify that all required components have been installed and configured prior to integration.

    For information, see "Integration Prerequisites".

  2. Integrate Access Manager and Oracle Identity Manager.

    For information, see "Integrating Access Manager and Oracle Identity Manager".

  3. Enable LDAP synchronization for Oracle Identity Manager. This is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

    For information, see "Enabling LDAP Synchronization for Oracle Identity Manager".

  4. Integrate Access Manager and Oracle Adaptive Access Manager.

    For information, see "Integrating Access Manager and Oracle Adaptive Access Manager".

  5. Set up the integration between OAAM and OIM.

    For information, see "Integrating Oracle Identity Manager and Oracle Adaptive Access Manager".

  6. Perform additional configuration that you may need depending on your requirements.

    For information, see "Performing Other Configuration Tasks".


9.4 Integration Prerequisites

Prior to integrating Oracle Access Management Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager, you must have installed all the required components, including any dependencies, and configured the environment in preparation of the integration tasks that follow.

Note:

Key installation and configuration information is provided in this section. However, not all component prerequisites, dependencies, and installation instructions are duplicated here. Adapt the information as required for your environment.

For complete installation information, follow the instructions in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Table 9-4 lists the required components that must be installed and configured before the Oracle Access Management Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integration tasks are performed.

Table 9-4 Access Manager, OAAM, and OIM Integration Required Components

Component Information

Oracle Database

Ensure that you have an Oracle Database installed on your system before installing Oracle Identity and Access Management. The database must be up and running to install the relevant Oracle Identity and Access Management components.

For more information, see "Database Requirements" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

For information about certified databases, see the "Database Requirements" topic in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.

Repository Creation Utility (RCU)

Install and run the Repository Creation Utility to create the schemas for Access Manager, OAAM, and OIM in a database. You must use the Repository Creation Utility that is version compatible with the products you are installing.

Note: To create database schemas for Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) components, you must use the 11g Release 2 (11.1.2.1.0) version of the Oracle Fusion Middleware Repository Creation Utility.

Oracle Fusion Middleware Repository Creation Utility (RCU) is available on the Oracle Technology Network (OTN) Web site. For more information about using RCU, see "Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU)" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and Oracle Fusion Middleware Repository Creation Utility User's Guide.

For information about RCU requirements for Oracle Databases, see "RCU Requirements for Oracle Databases" in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.

Oracle Virtual Directory

The instructions in this chapter assume that Oracle Internet Directory is configured as the Identity Store and is front-ended by Oracle Virtual Directory.

For more information on configuring the OVD, see Chapter 6, "Configuring Oracle Virtual Directory for Integration with Oracle Access Management Access Manager" and Chapter 4, "Configuring Oracle Virtual Directory for Integration with Oracle Identity Manager."

Oracle Internet Directory

The instructions in this chapter assume that Oracle Internet Directory is configured as the Identity Store and is front-ended by Oracle Virtual Directory.

For more information, see Chapter 5, "Integrating Oracle Internet Directory with Access Manager."

Oracle WebLogic Servers for Access Manager, Oracle Adaptive Access Manager, Oracle Identity Manager, and Oracle HTTP Server

Prior to installing the WebLogic Server, ensure that your machines meet the system, patch, kernel, and other requirements.

Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager can be configured on the same WebLogic Domain or separate WebLogic Domains. By default, the Access Manager and OAAM applications are configured on separate WebLogic Domains.

For complete information about installing Oracle WebLogic Server, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

Access Manager

For information on installing and configuring Access Manager, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" and "Configuring Oracle Access Management" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Install Oracle Access Management Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager on different WebLogic servers.

Oracle Adaptive Access Manager and Access Manager can be in a new WebLogic Domain or in an existing one. They can be on the same domain or separate WebLogic Domains.

At installation, Access Manager is configured with the database policy store. The Access Manager and Oracle Adaptive Access Manager wiring requires the database policy store.

OAAM

For information on installing and configuring Oracle Adaptive Access Manager, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" and "Configuring Oracle Adaptive Access Manager" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

OIM

For more information, see "Installing and Configuring Oracle Identity and Access Management" and "Configuring Oracle Identity Manager" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note: When configuring Oracle Identity Manager, the LDAP directory must be preconfigured before you can use it as an Identity Store. Ensure that all installation instructions are followed, including any prerequisites for enabling LDAP synchronization. For more information, see:

in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note: You must create wlfullclient.jar when installing Oracle Identity Manager. This file must be present before performing the integration steps.

Oracle SOA Suite and patches

For more information on installing and configuring the SOA Suite, see Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.

Oracle HTTP Server

For more information on installing the HTTP Server, see Oracle Fusion Middleware Installation Guide for Oracle Web Tier.

Oracle Access Manager 10g or Access Manager 11g agent (WebGate) for Oracle HTTP Server 11g on the Oracle HTTP Server 11g instance.

Prior to installing the WebGate with Access Manager, review Oracle Fusion Middleware Supported System Configurations from the Oracle Technology Network to locate the certification information for the 10g or 11g WebGate you want to use for your deployment.

For information on installing and registering 10g WebGates to use with Access Manager 11g, see "Registering and Managing 10g WebGates with Access Manager 11g" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

For information on installing and registering 11g WebGate for use with Access Manager 11g, see "Installing and Configuring Oracle HTTP Server 11g WebGate for OAM" in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

Note: Oracle HTTP Server 11g Release 2 WebGate for Access Manager is not intended for use in Oracle Identity and Access Management environments where you want to set up integration among Oracle Identity and Access Management components.

IdentityManagerAccessGate 10gWebGate profile

The integration of Access Manager and Oracle Adaptive Access Manager requires that the IdentityManagerAccessGate 10gWebGate profile exist. You can validate this through the Oracle Access Management Console by navigating to System Configuration, then Agents, then 10gWebGates.


The steps below assume that Access Manager and Oracle Identity Manager are integrated using the out-of-the-box integration.

Note:

If so preferred, Oracle Access Management Access Manager and Oracle Adaptive Access Manager can be installed in separate domains or on the same WebLogic Domain.

For multiple domain installation, the oaam.csf.useMBeans property must be set to true. Refer to "Set Up the Credential Store Framework (CSF) Configuration" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager for information on setting this parameter.

In the integration steps below, the WebLogic Server Domain that contains Oracle Access Management Access Manager is referred to as OAM_DOMAIN_HOME, and the WebLogic Server Domain that contains OAAM is referred to as OAAM_DOMAIN_HOME.

9.5 Integrating Access Manager and Oracle Identity Manager

Integration between Oracle Identity Manager and Access Manager is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

For more information, see Chapter 7, "Integrating Access Manager and Oracle Identity Manager."

9.6 Enabling LDAP Synchronization for Oracle Identity Manager

Enabling LDAP synchronization for Oracle Identity Manager is required for integration between Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.

Oracle Adaptive Access Manager will be working off the same directory with which Oracle Identity Manager is synchronizing.

Note:

The UID must match the CN of the newly created user in the LDAP store; otherwise, a login failure occurs.

For information about enabling LDAP synchronization for Oracle Identity Manager, see Chapter 3, "Enabling LDAP Synchronization in Oracle Identity Manager."

9.7 Integrating Access Manager and Oracle Adaptive Access Manager

This task involves integrating the Access Manager and Oracle Adaptive Access Manager components as part of integrating Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager to deliver password management and challenge-related functionality to Access Manager-protected applications.

Note:

In the integration of Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager, the IdentityManagerAccessGate profile should already exist since it is configured during the Access Manager and Oracle Identity Manager integration (see Section 9.5, "Integrating Access Manager and Oracle Identity Manager").

You configure the Access Manager and Oracle Adaptive Access Manager integration so that the OAAM server acts as a trusted partner application. The OAAM server uses the Trusted Authentication Protocol (TAP) to communicate the authenticated user name to the OAM Server after it performs strong authentication, and risk and fraud analysis. In this integration, the OAM Server is responsible for redirecting to the protected resource.

For information on integrating Oracle Adaptive Access Manager and Access Manager, refer to Chapter 8, "Integrating Oracle Adaptive Access Manager with Access Manager."

Table 9-5 lists the high-level tasks for integrating Access Manager and Oracle Adaptive Access Manager and provides references to where the instructions are located.

The configuration instructions assume that Access Manager and Oracle Adaptive Access Manager are integrated using the out-of-the-box integration.

Table 9-5 Integration Flow for Access Manager and Oracle Adaptive Access Manager

Number Task Information

1

Verify that all required components have been installed and configured prior to integration.

For information, see "Integration Prerequisites".

2

Ensure the Access Manager and OAAM Administration Consoles and managed servers are running.

For information, see "Restarting the Servers".

3

Create the OAAM Admin users and OAAM groups. Before you can access the OAAM Administration Console, you must create administration users.

For information, see "Creating the OAAM Admin Users and OAAM Groups".

4

Import the OAAM base snapshot. A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. For Oracle Adaptive Access Manager to be functional, you must import the snapshot into the system.

For information, see "Importing the Oracle Adaptive Access Manager Snapshot".

5

Validate that Access Manager was set up correctly. You should be able to log in to the Oracle Access Management Console successfully.

For information, see "Validating Initial Configuration of Access Manager"

6

Verify that Oracle Adaptive Access Manager is set up correctly by accessing the OAAM Server.

For information, see "Validating Initial Configuration of Oracle Adaptive Access Manager".

7

Register the WebGate agent with Access Manager 11g to set up the required trust mechanism between the Agent and OAM Server. After registration, the Agent mediates communication between the OAM Server and its services and acts as a filter for HTTP/HTTPS requests. The Agent intercepts requests for resources protected by Access Manager and works with Access Manager to fulfill access requirements.

For information on installing and registering 10g WebGates to use with Access Manager 11g, see "Registering and Managing 10g WebGates with Access Manager 11g" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

For information on installing and registering 11g WebGate for use with Access Manager 11g, see "Installing and Configuring Oracle HTTP Server 11g WebGate for OAM" in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

8

Register the OAAM server to act as a trusted partner application to Access Manager. A partner application is any application that delegates the authentication function to Access Manager 11g.

For information, see "Registering the OAAM Server as a Partner Application to Access Manager"

9

Set the agent password. When Access Manager is installed, a default agent profile called IAMSuiteAgent is created. This profile is used by Oracle Adaptive Access Manager when integrating with Access Manager. When the IAMSuiteAgent profile is first created, it has no password. You must set a password before the profile can be used by Oracle Adaptive Access Manager for integration.

For information, see "Adding a Password to the IAMSuiteAgent Profile".

10

Update the IAMSuiteAgent.

For information, see "Updating the Domain Agent Definition If Using Domain Agent for Another Console".

11

Verify TAP partner registration using the Oracle Access Management tester.

For information, see "Verifying TAP Partner Registration".

12

Set up TAP integration properties in OAAM.

For information, see "Setting Up Access Manager TAP Integration Properties in OAAM".

13

Configure the integration to use OAAM TAPScheme to protect Identity Management product resources in the IAMSuiteAgent application domain.

For information, see "Configuring Integration to Use TAPScheme to Protect Identity Management Product Resources in the IAMSuiteAgent Application Domain".

14

Configure the authentication scheme in the policy-protected resource policy to protect a resource with the OAAM TAPScheme.

For information, see "Configuring a Resource to be Protected with TAPScheme".

15

Validate the Access Manager and Oracle Adaptive Access Manager Integration.

For information, see "Validating the Access Manager and Oracle Adaptive Access Manager Integration"


9.8 Integrating Oracle Identity Manager and Oracle Adaptive Access Manager

This section describes how to integrate Oracle Identity Manager and Oracle Adaptive Access Manager for the three-way integration of Access Manager, Oracle Identity Manager, and Oracle Adaptive Access Manager:

9.8.1 Set Oracle Identity Manager Properties for Oracle Adaptive Access Manager

In Oracle Identity Manager, the OIM.ChangePasswordURL and OIM.ChallengeQuestionModificationURL properties must be set to valid OAAM URLs, and OIM.DisableChallengeQuestions must be set to TRUE so that Oracle Adaptive Access Manager provides the challenge questions functionality instead of Oracle Identity Manager.

To modify Oracle Identity Manager properties, take these steps:

  1. Log in to the Oracle Identity Manager System Administrative Console.

  2. Click Configuration in System Management and under System Management, click the System Configuration link.

  3. In the pop-up window, click on Advanced Search.

  4. Set the following properties and click Save.

    Note:

    For the URLs, use the hostnames as they were configured in Access Manager. For example, if a complete hostname (with domain name) was provided during Access Manager configuration, use the complete hostname for the URLs.

    Table 9-6 Oracle Identity Manager Redirection

    Keyword Property Name and Value

    OIM.DisableChallengeQuestions

    TRUE

    OIM.ChangePasswordURL

URL for the change password page in Oracle Adaptive Access Manager:

    http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimChangePassword.jsp

    In a high availability (HA) environment, set this property to point to the virtual IP URL for the OAAM server.

    OIM.ChallengeQuestionModificationURL

URL for the challenge questions modification page in Oracle Adaptive Access Manager:

    http://oaam_server_managed_server_host:oaam_server_managed_server_port/oaam_server/oimResetChallengeQuestions.jsp

  5. Restart the Oracle Identity Manager managed server.

9.8.2 Update OAAM Properties to Enable Integration Between Oracle Identity Manager and OAAM

To set OAAM properties for Oracle Identity Manager:

  1. Log in to the OAAM Admin Console:

    http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin
    

    You must log in as a user with access to the Properties Editor.

  2. In the navigation tree, click Environment and double-click Properties. The Properties search page is displayed.

  3. To set a property value, enter its name in the Name field and click Search. The current value is shown in the search results window.

  4. Click Value. Enter the new value and click Save.

For the following properties, set the values according to your deployment:

Table 9-7 Configuring Oracle Identity Manager Property Values

Property Name Property Values

bharosa.uio.default.user.management.provider.classname

com.bharosa.vcrypt.services.OAAMUserMgmtOIM

oaam.oim.auth.login.config

${oracle.oaam.home}/../designconsole/config/authwl.conf

oaam.oim.url

t3://OIM-Managed-Server:OIM-Managed-Port

For example:

t3://host.mycorp.example.com:14000

oaam.oim.xl.homedir

${oracle.oaam.home}/../designconsole

bharosa.uio.default.signon.links.enum.selfregistration.url

The URL for Self Registrations is as follows:

http://OIM-Managed-Server-Host:OIM-Managed-Server-Port/identity/faces/register?&backUrl=http://OIM-Managed-Server-Host:OIM-Managed-Server-Port/identity

Note: If Oracle HTTP Server is configured in front of OIM, then the Oracle HTTP Server host and port should be used in the value instead of the OIM managed server host and port. For example:

http://OHS-HOST:OHS-PORT/identity/faces/register?&backUrl=http://OHS-HOST:OHS-PORT/identity

bharosa.uio.default.signon.links.enum.trackregistration.url

The URL for Track Registrations is as follows:

http://OIM-Managed-Server-Host:OIM-Managed-Server-Port/identity/faces/trackregistration?&backUrl=http://OIM-Managed-Server-Host:OIM-Managed-Server-Port/identity

Note: If Oracle HTTP Server is configured in front of OIM, then the Oracle HTTP Server host and port should be used in the value instead of the OIM managed server host and port. For example:

http://OHS-HOST:OHS-PORT/identity/faces/trackregistration?&backUrl=http://OHS-HOST:OHS-PORT/identity

bharosa.uio.default.signon.links.enum.trackregistration.enabled

true

bharosa.uio.default.signon.links.enum.selfregistration.enabled

true

oaam.oim.csf.credentials.enabled

true

This property enables credentials to be configured in the Credential Store Framework (CSF) instead of being maintained in the Properties Editor, so that the Oracle Identity Manager credentials are stored securely in CSF rather than as plain property values.

oaam.oim.passwordflow.unlockuser

true

This property enables automatic unlocking of the user in the Forgot Password flow.


9.8.3 Configure Oracle Identity Manager Credentials in the Credential Store Framework

Oracle Adaptive Access Manager must have the credentials of an OIM Administrator in order to perform various activities. A key holding the Oracle Identity Manager credentials is created in the map named oaam. So that the OIM credentials are stored securely in the Credential Store Framework rather than as property values, follow the steps below to add a password credential to the OAAM domain.

  1. Log in to the Oracle Fusion Middleware Enterprise Manager Console:

    http://weblogic_host:administration_port/em
    

    You must log in as a WebLogic Administrator. For example, WebLogic.

  2. Expand the Base Domain in the navigation tree in the left pane.

  3. Select your domain name, right-click, and select the menu option Security and then the option Credentials in the submenu.

  4. Click Create Map.

  5. Click oaam to select the map, and then click Create Key.

  6. In the pop-up dialog, ensure that Select Map is oaam.

  7. Provide the following properties and click OK.

    Table 9-8 Oracle Identity Manager Credentials

    Name Value

    Map Name

    oaam

    Key Name

    oim.credentials

    Key Type

    Password

    UserName

    User name of Oracle Identity Manager Administrator

    Password

    Password of Oracle Identity Manager Administrator


9.8.4 Configure Cross Domain Trust Between Oracle Identity Manager and Oracle Adaptive Access Manager

If Oracle Identity Manager and Oracle Adaptive Access Manager are in separate domains, you must configure cross domain trust.

Configure Cross-Domain Trust in the Oracle Adaptive Access Manager Domain

  1. Log in to WebLogic Administration Console of Oracle Adaptive Access Manager.

  2. Click the domain and select the Security tab.

  3. Expand the Advanced section.

  4. Select Cross domain security enabled.

  5. Select a shared secret and type it in the Credential and Confirm Credential fields.

  6. Save the configuration changes.

Configure Cross-Domain Trust in the Oracle Identity Manager Domain

  1. Log in to WebLogic Administration Console of Oracle Identity Manager.

  2. Click the domain and select the Security tab.

  3. Expand the Advanced section.

  4. Select Cross domain security enabled.

  5. Select a shared secret and type it in the Credential and Confirm Credential fields.

    Use the same shared secret you used when you were configuring cross-domain trust in the OAAM domain.

  6. Save the configuration changes.

9.9 Performing Other Configuration Tasks

This section contains additional topics pertaining to Access Manager, OAAM, and OIM integration configuration and management. Depending on your requirements, you may need to perform tasks in addition to those documented above.

For information related to Access Manager and OAAM integration, refer to Section 8.5, "Other Access Manager and OAAM Integration Configuration Tasks."

9.10 Troubleshooting Common Problems

This section describes common problems you might encounter in an Access Manager, OAAM, and OIM integrated environment, and explains how to solve them. It contains the following topics:

In addition to this section, review the Oracle Fusion Middleware Error Messages Reference for information about the error messages you may encounter.

For information about additional troubleshooting resources, see Section 1.7, "Using My Oracle Support for Additional Troubleshooting Information."

9.10.1 User Encounters a Non-Working URL

You encounter a non-working URL. For example, you click the Forgot Password link, but are redirected to the login page.

Cause

Policies and challenge questions are not available as expected in your Oracle Adaptive Access Manager environment.

Solution

Ensure that the default base policies and challenge questions shipped with Oracle Adaptive Access Manager have been imported into your system. For details, see "Setting Up the Oracle Adaptive Access Manager Environment" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

9.10.2 User is Redirected in a Loop After User Enters Wrong Password

A user is redirected in a loop after entering an incorrect password.

Cause

The value of the login page property is incorrect.

Solution

If redirect loops occur when users enter incorrect passwords, then verify that the oaam.uio.login.page property is set properly in the OAAM Properties page. The value for the oaam.uio.login.page property should be set to /oaamLoginPage.jsp. For information on setting properties in Oracle Adaptive Access Manager, see "Using the Properties Editor" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

9.10.3 Two User Sessions are Created upon Successful Authentication

Access Manager creates two concurrent sessions when the user logs in through OAAM and is successfully authenticated through Access Manager.

Cause

In an Access Manager, OAAM, and OIM integrated environment, any authentication results in two user sessions being created in Oracle Access Management Access Manager (visible in Oracle Access Management Console under Session Management, and in the OAM_SESSIONS table in MDS).

One session is created by the IAMSuiteAgent and the other session is created by WebGate.

Solution

Check the value of the property oaam.uio.oam.authenticate.withoutsession.

9.10.4 Forgot Password Flow Unavailable for Single Login Page Deployments

The Forgot Password flow is not available for single login page deployments.

9.10.5 OAAM Test Login URL Fails After Access Manager and OAAM Integration

The test login URL /oaam_server is used to verify that the OAAM configuration is working before proceeding with the integration of Access Manager. This URL is not intended for use after the integration of Access Manager and OAAM.