This appendix describes how to integrate Oracle Identity Manager 11gR2PS2 (11.1.2.2.0) with Oracle Access Management (OAM) 10g on Oracle WebLogic Server. This integration enables only the basic Single Sign-On (SSO) login and logout use cases; it does not enable the full OIM-OAM integration use cases, such as password management.
Before integrating Oracle Identity Manager with OAM, ensure that the following prerequisites are met:
Oracle Identity Manager 11gR2PS2 is installed and configured. Oracle Identity Manager must be fronted by Oracle HTTP Server (OHS) or a reverse proxy that hosts the OAM 10g WebGate.
OAM 10g server and WebGate 10g are installed and configured. OAM SSO login and logout pages and configurations are in place.
Identity information in Oracle Identity Manager is synchronized with the LDAP server, for example by using LDAP synchronization.
To configure the Oracle Identity Manager domain for SSO:
Set the OIM ssoEnabled flag to true. To do so:
Log in to Oracle Enterprise Manager.
Navigate to the OIM domain.
Right-click OIMDomain, and select System MBean Browser.
Click the search icon, enter ssoconfig, and search.
In the details page, look for the SSOEnabled flag, and select true from the dropdown.
Click Apply to save the change.
Configure authentication providers.
This step configures the security providers in the OIM domain so that both SSO login and OIM client-based login work. For this, OAMIDAsserter and OIDAuthenticator must be set up. Note that OIDAuthenticator is configured to authenticate and assert users against Oracle Internet Directory (OID). To authenticate and assert users against any other directory server that OAM also uses for authentication, configure the corresponding authenticator instead of OIDAuthenticator.
To configure the authentication providers:
Log in to the WebLogic Administration Console, and navigate to Security Realms, myrealm, Providers, Authentication.
Click New to add OAMIDAsserter of type OAMIdentityAsserter. Click OK. Edit OAMIDAsserter, which has just been added, and set the Control flag to REQUIRED. Ensure that the Chosen Active Type is OAM_REMOTE_USER, and then save the configuration.
Click New to add OIMSignatureAuthenticator of type OIMSignatureAuthenticator. Click OK. Edit OIMSignatureAuthenticator and set the Control flag to SUFFICIENT. Save the configuration. Ensure that no properties are displayed in the provider-specific configuration tab.
Click New to add OIDAuthenticator of type OracleInternetDirectoryAuthenticator. Click OK. Edit OIDAuthenticator and set the Control flag to SUFFICIENT. Save the configuration. Then, open the provider-specific configuration tab, set the following attributes (only), and save the configuration.
Host: OID_HOST_NAME
Port: OID_PORT
Principal: cn=orcladmin
Credential/Confirm Credential: ORCLADMIN_PASSWORD
User Base DN: cn=Users,dc=us,dc=oracle,dc=com
All Users Filter: (&(uid=*)(objectclass=inetOrgPerson))
User From Name Filter: (&(uid=%u)(objectclass=inetOrgPerson))
User Name Attribute: uid
User Object Class: inetOrgPerson
Use Retrieved User Name as Principal: true
Group Base DN: cn=Groups,dc=us,dc=oracle,dc=com
All Groups Filter: (&(cn=*)(objectclass=groupOfUniqueNames))
Group From Name Filter: (&(cn=%g)(objectclass=groupOfUniqueNames))
Note:
OIDAuthenticator must be replaced by the appropriate LDAP provider-specific authenticator, based on the LDAP provider used by Oracle Identity Manager and OAM.
Remove OIMAuthenticationProvider, which is already configured.
Re-order the remaining authentication providers in the following sequence:
OAMIDAsserter
OIMSignatureAuthenticator
OIDAuthenticator
DefaultAuthenticator
DefaultIdentityAsserter
Activate all the changes done, and then restart all the servers configured in OIM domain.
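After the restart, the provider chain can be verified by reading the domain's config.xml instead of clicking back through the console. The following Python script is an added example, not part of this appendix or of Oracle's tooling. It parses the realm's sec:authentication-provider elements (WebLogic security namespace), checks that OIMAuthenticationProvider is gone, that the five providers appear in the order listed above, and that the control flags match the values this appendix specifies. The config.xml content it runs against is constructed inline for illustration, with type attributes omitted; the real file lives under <DOMAIN_HOME>/config/config.xml (placeholder path).

```python
"""Verify the OIM-domain authentication provider chain in config.xml.

Added example for this appendix, not Oracle code. The sample config.xml
below is constructed for illustration; the real file is
<DOMAIN_HOME>/config/config.xml (placeholder path).
"""
import xml.etree.ElementTree as ET

NS = {
    "dom": "http://xmlns.oracle.com/weblogic/domain",
    "sec": "http://xmlns.oracle.com/weblogic/security",
}

# Order required by the appendix after OIMAuthenticationProvider is removed.
EXPECTED_ORDER = [
    "OAMIDAsserter",
    "OIMSignatureAuthenticator",
    "OIDAuthenticator",
    "DefaultAuthenticator",
    "DefaultIdentityAsserter",
]
# Control flags the appendix specifies; other providers are not checked.
EXPECTED_FLAGS = {
    "OAMIDAsserter": "REQUIRED",
    "OIMSignatureAuthenticator": "SUFFICIENT",
    "OIDAuthenticator": "SUFFICIENT",
}
MUST_BE_REMOVED = {"OIMAuthenticationProvider"}


def read_providers(config_xml):
    """Return [(name, control_flag or None)] in the order the realm lists them."""
    root = ET.fromstring(config_xml)
    path = "dom:security-configuration/dom:realm/sec:authentication-provider"
    providers = []
    for prov in root.findall(path, NS):
        name = prov.findtext("sec:name", namespaces=NS)
        flag = prov.findtext("sec:control-flag", namespaces=NS)
        providers.append((name, flag))
    return providers


def check_realm(config_xml):
    """Return a list of findings; an empty list means the chain is as required."""
    providers = read_providers(config_xml)
    names = [name for name, _ in providers]
    findings = []
    for stale in sorted(MUST_BE_REMOVED & set(names)):
        findings.append("%s is still configured; remove it" % stale)
    for wanted in EXPECTED_ORDER:
        if wanted not in names:
            findings.append("%s is missing" % wanted)
    # Compare the relative order of the expected providers that are present.
    actual = [n for n in names if n in EXPECTED_ORDER]
    wanted = [n for n in EXPECTED_ORDER if n in names]
    if actual != wanted:
        findings.append("provider order is %s, expected %s" % (actual, wanted))
    for name, flag in providers:
        if name in EXPECTED_FLAGS and flag != EXPECTED_FLAGS[name]:
            findings.append("%s control flag is %s, expected %s"
                            % (name, flag, EXPECTED_FLAGS[name]))
    return findings


def build_config(providers):
    """Build a constructed config.xml realm (type attributes omitted)."""
    entries = []
    for name, flag in providers:
        flag_el = "<sec:control-flag>%s</sec:control-flag>" % flag if flag else ""
        entries.append("<sec:authentication-provider><sec:name>%s</sec:name>%s"
                       "</sec:authentication-provider>" % (name, flag_el))
    return ('<domain xmlns="%s" xmlns:sec="%s"><security-configuration><realm>%s'
            "</realm></security-configuration></domain>"
            % (NS["dom"], NS["sec"], "".join(entries)))


# Constructed samples: one domain configured as the appendix describes, one
# where the old provider was left in place, two providers were swapped and
# the asserter's control flag is wrong.
GOOD_CONFIG = build_config([
    ("OAMIDAsserter", "REQUIRED"),
    ("OIMSignatureAuthenticator", "SUFFICIENT"),
    ("OIDAuthenticator", "SUFFICIENT"),
    ("DefaultAuthenticator", "OPTIONAL"),
    ("DefaultIdentityAsserter", None),
])
BAD_CONFIG = build_config([
    ("OAMIDAsserter", "SUFFICIENT"),
    ("OIMAuthenticationProvider", "SUFFICIENT"),
    ("OIDAuthenticator", "SUFFICIENT"),
    ("OIMSignatureAuthenticator", "SUFFICIENT"),
    ("DefaultAuthenticator", "OPTIONAL"),
    ("DefaultIdentityAsserter", None),
])

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_realm(cfg) or "OK")
```

To run it against a real domain, pass the contents of config.xml to check_realm; DefaultAuthenticator's flag is deliberately not checked because this appendix does not prescribe one.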
Configure SSO logout for Oracle Identity Manager, as shown:
<IDM_ORACLE_HOME>/common/bin/wlst.sh
connect()
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
exit()
Note:
The connect() call prompts for the Admin Server URL and the WebLogic administrator username and password.
If a custom logout URL is configured, then logouturi must be changed appropriately before running the wlst command.
Configure OIM resource policies in the OAM 10g server. To do so:
Protect the following OIM resources:
/sysadmin/adfAuthentication
/identity/adfAuthentication
/Nexaweb
/xlWebApp
/oim
Unprotect the following OIM resources:
/identity/.../*
/sysadmin/.../*
/identity
/sysadmin
/SchedulerService-web
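The protect and unprotect lists overlap: /identity/.../* and /identity are unprotected while /identity/adfAuthentication is protected, so the outcome for a request depends on which entry OAM applies. The following Python script is an added example, not part of this appendix or of OAM. It assumes OAM 10g's pattern syntax (... for any run of directories, * for any characters within one segment) and its most-specific-match resolution (longest literal prefix wins, an exact entry beats a wildcard entry), and it treats a plain entry such as /oim as a prefix covering its subtree; all three are assumptions. It classifies constructed request paths against the two lists above and audits that every protected entry still wins against the broader unprotected patterns.

```python
"""Resolve which OIM resource-policy entry applies to a request path.

Added example for this appendix, not Oracle or OAM code. Assumptions:
OAM 10g pattern syntax ('...' = any run of directories, '*' = any
characters within one path segment), most-specific-match resolution
(longest literal prefix wins, an exact entry beats a wildcard entry of
the same length), and a plain entry such as /oim covering its subtree.
"""
import re

# Resource lists exactly as given in the appendix.
PROTECTED = [
    "/sysadmin/adfAuthentication",
    "/identity/adfAuthentication",
    "/Nexaweb",
    "/xlWebApp",
    "/oim",
]
UNPROTECTED = [
    "/identity/.../*",
    "/sysadmin/.../*",
    "/identity",
    "/sysadmin",
    "/SchedulerService-web",
]


def has_wildcard(pattern):
    return "..." in pattern or "*" in pattern


def pattern_to_regex(pattern):
    """Translate an OAM 10g resource pattern into a full-match regex."""
    parts = []
    for token in re.split(r"(/\.\.\./|\*)", pattern):
        if token == "/.../":
            parts.append(r"/(?:[^/]+/)*")   # zero or more directory levels
        elif token == "*":
            parts.append(r"[^/]*")          # anything within one segment
        else:
            parts.append(re.escape(token))
    regex = "".join(parts)
    if not has_wildcard(pattern):
        regex += r"(?:/.*)?"                # plain entry covers its subtree (assumption)
    return regex


def specificity(pattern):
    """Higher tuple = more specific: literal prefix length, then exactness."""
    match = re.search(r"\.\.\.|\*", pattern)
    literal = pattern if match is None else pattern[:match.start()]
    return (len(literal), match is None)


def classify(path):
    """Return (decision, winning_entry), or None if no listed entry matches."""
    best = None
    for decision, patterns in (("protected", PROTECTED), ("unprotected", UNPROTECTED)):
        for pattern in patterns:
            if re.fullmatch(pattern_to_regex(pattern), path):
                score = specificity(pattern)
                if best is None or score > best[0]:
                    best = (score, decision, pattern)
    return None if best is None else (best[1], best[2])


def audit():
    """Protected entries that a broader unprotected pattern would override."""
    return [p for p in PROTECTED if classify(p) != ("protected", p)]


if __name__ == "__main__":
    # Constructed request paths, not taken from any real deployment.
    for path in ("/identity/adfAuthentication", "/identity/faces/home",
                 "/sysadmin", "/oim/reports", "/unrelated"):
        print(path, "->", classify(path))
    print("protected entries overridden:", audit())
```

A path that matches no listed entry returns None because this appendix does not state what OAM does for resources outside the policy domain; the audit is the check worth keeping when the unprotect list is later widened, since a new wildcard entry that outranks /identity/adfAuthentication or /sysadmin/adfAuthentication would silently bypass the SSO login for that console.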
Table H-1 describes how to validate the integration.
Table H-1 Validating the Integration
Validation | Steps and Output |
---|---|
End-user login to Oracle Identity Manager through SSO | Expected output: Login is successful, and all the links work as expected. |
Client-based login to Oracle Identity Manager | Expected output: Login to the Design Console is successful. For this, LDAPAuthenticator must be configured properly for SSO login. |
Signature-based authentication | Expected output: Signature login is successful if you can see the following details on the screen: Scheduler Current Status: STARTED; Last Error: NONE. If login is successful, and the value of |