This appendix describes post-installation enablement of a centralized LDAP store for use with Oracle Access Manager. Oracle Internet Directory is featured in this discussion. However, tasks are the same regardless of your chosen LDAP provider.
Oracle Access Manager addresses each user population and LDAP directory store as an identity domain. Each identity domain maps to a configured LDAP User Identity Store that is registered with Oracle Access Manager. Multiple LDAP stores can be used with each one relying on a different supported LDAP provider.
During initial WebLogic Server domain configuration, the Embedded LDAP is configured as the one and only User Identity Store for Oracle Access Manager. Within the Embedded LDAP, the Administrators group is created, with
weblogic seeded as the default Administrator:
Only the User Identity Store designated as the System Store is used to authenticate Administrators signing in to use the Oracle Access Manager Console, remote registration, and custom administrative commands in WLST.
Users attempting to access an OAM-protected resource can be authenticated against any store, not necessarily the only one designated as the Default User Identity Store.
Oracle Security Token Service uses only the Default User Identity Store. When adding User constraints to a Token Issuance Policy, for instance, the identity store from which the users are to be chosen must be Default User Identity Store.
After registering a User Identity Store with Access Manager, administrators can reference the store in one or more authentication modules, which form the basis for Oracle Access Manager Authentication Schemes and Policies. When you register a partner (either using the Oracle Access Manager Console or the remote registration tool), an application domain can be created and seeded with a policy that uses the designated default Authentication Scheme. When a user attempts to access an Oracle Access Manager-protected resource, she is authenticated against the store designated by the authentication module.
The following topics are covered:
The following overview identifies various tasks required when integrating Oracle Internet Directory 22.214.171.124 with Oracle Access Manager 126.96.36.199.
Prepare your environment for this integration:
Install Oracle Internet Directory 188.8.131.52, as described in "Installing Oracle Identity and Access Management (184.108.40.206.0)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Install and set up Oracle Access Manager with the desired LDAP directory, as described in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management. (see also "Configuring Oracle Internet Directory").
Extend the LDAP directory schema for Access Manager, and create Users and Groups in the LDAP directory as described in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Create Authentication Providers for your LDAP provider and Configure WebLogic Server to use them to avoid multiple login pages when accessing the Oracle Access Manager Console:.
Whether you authenticate through Oracle Access Manager Console or directly through the WebLogic Server Administration Console, confirm that all authentication providers are set to SUFFICIENT for single sign-on:
Click Security Realms, myrealm, then click Providers.
Click New, enter a name, and select a type. For example:
In the Authentication Providers table, click the newly added authenticator.
On the Settings page, click the Common tab, set the Control Flag to SUFFICIENT, then click Save.
Click the Provider Specific tab, then specify the following values for your deployment:
Host: LDAP host. For example:
Port: LDAP host listening port.
Principal: LDAP administrative user. For example:
Credential: LDAP administrative user password.
User Base DN: Same search base as the LDAP user.
All Users Filter: For example:
User Name Attribute: Set as the default attribute for username in the LDAP directory. For example:
Group Base DN: The group searchbase (same as User Base DN)
Do not set the All Groups filter; the default works fine as is.
From Security Realms, myrealm, Providers, click Authentication, click DefaultIdentityAsserter to see the configuration page.
Click the Common tab and set the Control Flag to SUFFICIENT.
On the Summary page where providers are listed, click the Reorder button
On the Reorder Authentication Providers page, select a provider name and use the arrows beside the list to order the providers as follows:
Click OK to save your changes
Activate Changes: In the Change Center, click Activate Changes, then Restart Oracle WebLogic Server.
The following procedure guides as you set up an LDAP Authentication Method that points to your registered User Identity Store and an Authentication Scheme that uses this LDAP module for Form or Basic authentication.
OAMAdminConsoleScheme is used in this example on the presumption that you designated your new LDAP store as the System Store. Your environment might be different.
Ensure that the designated User Identity Store contains any user credentials required for authentication.
Register Oracle Internet Directory with Oracle Access Manager, as described in Managing User Identity Stores in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Define Authentication Modules and Plug-ins: From System Configuration tab, Access Manager Settings section, expand the Authentication Modules node.
LDAP Modules: Open LDAP Authentication module, select your User Identity Store, and click Apply.
Custom Authentication Modules: In
LDAPPlugin Steps (stepUI,
UserIdentificationPlugIn), specify your KEY_IDENTITY_STORE_REF, and click Apply. For example:
Repeat this step for the stepUA
UserAuthenticationPlugIn plug-in, and Apply your changes, as shown here:
Define Authentication Scheme Challenge Methods: Form and Basic Challenge Methods require a reference to the LDAP Authentication Module or Plug-in that points to your User Identity Store. For example:
OAMAdminConsoleSchemeor any Form or Basic scheme)
Confirm that the Authentication Module references the LDAP module or plug-in that points to your Identity Store.
Click Apply to submit the changes (or close the page without applying changes).
Dismiss the Confirmation window.
Oracle Access Manager policies protect specific resources. The policies and resources are organized in an Application Domain.
This section describes how to configure authentication policies to use the Authentication Scheme that points to your User Identity Store.
From the Oracle Access Manager Console, open:
Locate and open the desired Application Domain (or click the Create (+) button, enter a unique name, and save it).
Define Resources and Policies: Define (or edit) the following elements for your application domain and environment, as described in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management:
Resource Definitions: Before you can add a resource to a policy, you must define the resource within the Application Domain. See "Adding and Managing Resource Definitions for Use in Policies".
Authentication Policies: On the Policy page, select the scheme that references the LDAP module or plug-in that points to your registered Oracle Internet Directory User Identity Store. Add specific resources and complete the policy for your environment. See "Defining Authentication Policies for Specific Resources".
Authorization Policies: Create or modify an Authorization Policy for specific resources and include any Responses and Constraints you need. See "Defining Authorization Policies for Specific Resources" as described in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Token Issuance Policies: Choose the desired User Identity Store when setting Identity Conditions in Token Issuance Policies. See "Managing Token Issuance Policies and Constraints with Oracle Access Manager" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
The procedure here provides several methods for confirming that Agent registration and authentication and authorization policies are operational. The procedures are nearly identical for both OAM Agents and OSSO Agents (
mod_osso). However, OSSO Agents use only the authentication policy and not the authorization policy.
Using a Web browser, enter the URL for an application protected by the registered Agent to confirm that the login page appears (proving that the authentication redirect URL was specified appropriately). For example:
Confirm that you are redirected to the login page.
On the Sign In page, enter a valid username and password when asked, and click Sign In.
Confirm that you are redirected to the resource and proceed as follows:
Success: If you authenticated successfully and were granted access to the resource; the configuration is working properly.
Failure: If you received an error during login or were denied access to the resource, check the following:
Authentication Failed: Sign in again using valid credentials.
Access to URL ... denied: This userID is not authorized to access this resource.
Resource not Available: Confirm that the resource is available.
Wrong Redirect URL: Verify the redirect URL in the Oracle Access Manager Console.