This chapter explains how Oracle Access Management Access Manager leverages identity federation to create an authenticated session with a federation partner.
This chapter contains these sections:
This section provides background about federation with Access Manager. Topics include:
Identity federation is available in two architectures:
As a federation engine, known as Oracle Access Management Identity Federation, built into Oracle Access Management (11g Release 2 (11.1.2).
As a standalone, self-contained federation server, known as Oracle Identity Federation, that enables single sign-on and authentication in a multiple-domain identity network (11g Release 1 (11.1.1).
The SP integration Engine included with Oracle Identity Federation consists of a servlet that processes requests from the server to create a user authenticated session at the Identity and Access Management (IAM) server. The engine includes several internal plug-ins that allow it to interact with different IAM servers, including Access Manager (formerly Oracle Access Manager).
See Also:
For details about naming conventions and name changes in Oracle Access Management, see Introduction to Oracle Access Management in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management .
Various deployment options are available for leveraging identity federation with Access Manager to create an authenticated user session.
The Oracle Fusion Middleware framework supports these integrated approaches to cross-domain single sign-on:
An Oracle Access Management Identity Federation engine built into the Access Manager server. All configuration is performed in Access Manager.
This approach is available in 11g Release 2 (11.1.2.2.0). The engine supports both Service Provider (SP) and Identity Provider (IdP) modes.
Separate Oracle Identity Federation and Oracle Access Manager servers that can be integrated to provide federation capabilities. Management and configuration of both servers is required for this integration.
This approach is available in 11g Release 1 (11.1.1).
Under this approach, Oracle Identity Federation provides two deployment scenarios for Oracle Access Manager:
Oracle Identity Federation 11g Release 1 (11.1.1) integrated with Oracle Access Manager 10g
Oracle Identity Federation 11g Release 1 (11.1.1) integrated with Access Manager 11g
Table 4-1 summarizes the options available to integrate the identity federation products with Oracle Access Management Access Manager and provides links to deployment procedures:
Table 4-1 Deployment Options involving Oracle Access Manager
Access Manager Version | Description | Additional Information |
---|---|---|
Oracle Access Management Access Manager 11gR2 |
Access Manager contains a built-in federation engine that supports both SP and IdP mode functionality configurable through the Access Manager administration console. |
Introduction to Federation within Oracle Access Suite Console in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management |
Oracle Access Manager 11gR1 |
The stand-alone Oracle Identity Federation 11g Release 1 server integrates with the Access Manager 11g server. |
Integrating Oracle Identity Federation in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager |
Oracle Access Manager 10g |
The stand-alone Oracle Identity Federation 11g Release 1 server integrates with the Oracle Access Manager 10g server. |
Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation |
Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
This section describes how to integrate Access Manager 11g Release 2 (11.1.2.2.0) with Oracle Identity Federation 11g Release 1 (11.1.1). This is also referred to as Access Manager 11gR2 with Oracle Identity Federation 11gR1.
Two integration modes are described in this chapter:
SP Mode
This mode enables Oracle Identity Federation to authenticate the user via Federation SSO and propagate the authentication state to Access Manager, which maintains the session information.
Authentication Mode
This mode enables Access Manager to authenticate the user on behalf of Oracle Identity Federation.
Figure 4-1 describes the processing flow in each mode:
In the SP mode, Oracle Identity Federation uses the federation protocols to identify a user, and requests Access Manager to create an authenticated session at Access Manager.
In the authentication mode, Oracle Identity Federation delegates authentication to Access Manager through the use of a WebGate agent protecting an Oracle Identity Federation resource. Once the user is authenticated, the WebGate will assert the user's identity by an HTTP Header that Oracle Identity Federation will read to identify the user.
The integration between Access Manager and Oracle Identity Federation requires the following tasks:
Ensure that the necessary components, including Oracle WebLogic Server and Identity Management (IdM) components, are installed and operational. For details, see Section 4.2.4.
Register Oracle HTTP Server as a partner with Access Manager to protect a resource. For details, see Section 4.2.5.
Configure the Oracle Identity Federation server to function as a service provider (SP) and/or as an identity provider (IdP) with Access Manager. For details, see Section 4.2.6.
Configure Access Manager to delegate authentication to Oracle Identity Federation and/or to authenticate a user on behalf of Oracle Identity Federation, For details, see Section 4.2.7.
You must install the following components prior to undertaking the integration tasks:
Oracle WebLogic Server
Oracle HTTP Server 11g
Access Manager 11g
Oracle Identity Federation 11g
WebGate (required in authentication mode)
Note:
Refer to the Certification Matrix for platform and version details.
Ensure that the administration and managed servers are up and running.
For testing purposes, identify or create a resource to be protected. For example, create an index.html
file to serve as a test resource.
Access the Fusion Middleware Control console for the Oracle Identity Federation server using a URL of the form:
http://oif_host:oif_em_port/em
Verify that all the servers are running.
This section shows how you can register Oracle HTTP Server and 11g WebGate with Access Manager, depending on the protection mechanism you have chosen.
Follow these steps to register Oracle HTTP Server and Access Manager 11g WebGate with Access Manager for authentication:
Note:
In this procedure, MW_HOME
represents the Oracle Fusion Middleware Home directory.
Locate the OAM11GRequest.xml
file or the OAM11GRequest_short.xml
file, which resides in the directory:
MW_HOME/Oracle_IDM1/oam/server/rreg/input
Make the necessary changes to the file.
Locate the oamreg.sh
script, which resides in the directory:
MW_HOME/Oracle_IDM1/oam/server/rreg/bin
Execute the script using the command string:
Note:
The user is weblogic
, and you must supply the password.
./oamreg.sh inband input/OAM11GRequest.xml
or
./oamreg.sh inband input/OAM11GRequest_short.xml
Using the Access Manager console, create a resource representing the Oracle Identity Federation URL to be protected by Access Manager for authentication. This URL contains the hostname and port of the Oracle Identity Federation server, and the path to the resource, which is mode-dependent:
http(s)://oif-host:oif-port/fed/user/authnoam11g
Protect this resource with an authentication policy and an authorization policy.
Restart Oracle HTTP Server:
Oracle_WT1/instances/instance1/bin/opmnctl restartproc process-type=OHS
This section describes how to configure Oracle Identity Federation to be integrated with Access Manager:
In SP mode, Access Manager will delegate authentication to Oracle Identity Federation for Federation SSO.
In Authentication mode, Oracle Identity Federation will delegate authentication to Access Manager.
This section contains these topics:
Oracle Identity Federation and Access Manager must use the same LDAP directory:
The LDAP directory to be used must be defined in Access Manager as the default Identity Store.
The Oracle Identity Federation User Data Store must reference the LDAP directory to be used.
Take these steps to verify the data store configuration:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Data Stores.
Ensure that the user data store points to the same directory as the default Access Manager identity store.
Note:
Section 4.3 describes scripts that you can execute to automatically perform the manual operations shown here.
Take these steps to configure the Oracle Identity Federation Authentication Engine to retrieve information provided by the WebGate 11g agent:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Authentication Engines.
Enable the Access Manager 11g authentication engine.
Select WebGate 11g as the Agent Type.
Enter OAM_REMOTE_USER
as the User Unique ID Header.
In the Default Authentication Engine drop-down list, select Oracle Access Manager 11g.
Configure logout:
If Oracle Identity Federation is also going to be integrated with Access Manager in SP mode, then disable logout as the logout integration with Access Manager 11g will be performed with the OAM11g SP engine.
If Oracle Identity Federation is not going to be integrated with Access Manager in SP mode:
Enable logout
Enter the following as the URL:
http(s)://oam_host:oam_port/oam/server/logout
Click Apply.
This section lists the steps that need to be performed to configure Oracle Identity Federation in SP mode for Access Manager, so that Oracle Identity Federation can send assertion tokens and direct session management to Access Manager.
Note:
Section 4.3 describes scripts that you can execute to automatically perform the manual operations shown here.
The steps to achieve this are as follows:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Service Provider Integration Modules.
Select the Oracle Access Manager 11g tab.
Configure the page as follows:
Check the Enable SP Module box.
In the Default SP Integration Module drop-down, select Oracle Access Manager 11g.
Check the Logout Enabled box.
Configure these URLs:
Login URL : http(s)://oam_host:oam_port/oam/server/dap/cred_submit Logout URL: http(s)://oam_host:oam_port/oam/server/logout
where oam_host and oam_port are the host and port number of the Access Manager server respectively.
Set Username Attribute value to "cn" to match the Access Manager username attribute.
Click Apply.
Click Regenerate.
This action generates a keystore file that contains the keys used to encrypt and decrypt the tokens that are exchanged between the Access Manager and Oracle Identity Federation servers. Be sure to save the keystore file using the Save As dialog.
Copy the keystore file to a location within the installation directory of Access Manager.
Note:
Make a note of the location, since you will need to refer to it later.
This section describes how to configure Access Manager to integrate with Oracle Identity Federation:
In SP mode, Access Manager will delegate authentication to Oracle Identity Federation for Federation SSO.
In Authentication mode, Oracle Identity Federation will delegate authentication to Access Manager.
This section contains these topics:
This task configures Access Manager to redirect the user to Oracle Identity Federation for authentication when OIFScheme
is used to protect a resource using Federation single sign-on. The steps needed to achieve this are as follows:
Log in to the Access Manager Administration Console.
Select the Policy Configuration tab.
Select and open the OIFScheme
.
In the Challenge URL field, modify the value of OIF-Host
and OIF-Port
:
http(s)://oif-host:oif-port/fed/user/spoam11
Confirm that the value of the Context Type drop-down is set to "external".
Click Apply to save the changes.
If Oracle Identity Federation is used in SP mode only, or authentication and SP mode, refer to Section 4.2.7.2.1.
If Oracle Identity Federation is used in authentication mode only, refer to Section 4.2.7.2.2.
Note:
Section 4.3 describes scripts that you can execute to automatically perform the manual operations shown here to register Oracle Identity Federation as a trusted partner.
Copy the keystore file to a directory under the middleware home in which the Access Manager server is installed.
Use a WLST command to update the OIFDAP
partner block in the oam-config.xml
configuration file. The steps and syntax are as follows:
Enter the shell environment by executing:
$DOMAIN_HOME/common/bin/wlst.sh
Connect to the Access Manager administration server with the following command syntax:
connect('weblogic','password','host:port')
Execute the command to update the partner block in the configuration file:
registerOIFDAPPartner(keystoreLocation=location of keystore file, logoutURL=logoutURL)
where logoutURL
is the Oracle Identity Federation logout URL that is invoked when the Access Manager server logs out the user.
For example:
registerOIFDAPPartner(keystoreLocation="/home/pjones/keystore", logoutURL="http://abcdef0123.in.mycorp.com:1200/fed/user/spslooam11g?doneURL=http://abc1234567.in.mycorp.com:6001/oam/pages/logout.jsp")
Use a WLST command to update the OIFDAP
partner block in the oam-config.xml
configuration file. The steps and syntax are as follows:
Enter the shell environment by executing:
$DOMAIN_HOME/common/bin/wlst.sh
Connect to the Access Manager administration server with the following command syntax:
connect('weblogic','password','host:port')
Execute the command to update the partner block in the configuration file:
registerOIFDAPPartnerIDPMode(logoutURL=logoutURL)
where logoutURL
is the Oracle Identity Federation logout URL that is invoked when the Access Manager server logs out the user.
For example:
registerOIFDAPPartnerIDPMode(logoutURL="http://abcdef0123.in.mycorp.com:1200/fed/user/authnslooam11g?doneURL=http://abc1234567.in.mycorp.com:6001/oam/pages/logout.jsp")
After the integration of Access Manager and Oracle Identity Federation in SP mode, a resource can now be protected with OIFScheme
, which will trigger a Federation single sign-on operation when an unauthenticated user requests access to a resource protected by that scheme.
In an Application Domain of the Policy Configuration tab, define an Authentication Policy using the OIFScheme
, and protect a resource with that authentication policy.
The final configuration task is to test whether the integration is correctly configured. The steps differ between authentication mode and SP mode.
Take these steps to test for correct configuration in SP mode:
Establish federated trust between Oracle Identity Federation and a remote Identity Provider (IdP).
Set that identity provider as the default SSO identity provider.
Try accessing the protected resource.
When set up correctly, you should be redirected to the IdP for authentication. Verify that user credentials are required on this page.
Enter valid credentials on the login page.
Note:
The user should exist in both the IdP security domain and the Oracle Identity Federation/Access Manager security domain.
Check that you are redirected to the protected page.
Verify that the following cookies are created:
OAM_ID
ORA_OSFS_SESSION
OHS Cookie
Take these steps to test for correct configuration in authentication mode:
Establish federated trust between Oracle Identity Federation and a remote service provider.
Initiate federation single sign-on from the service provider.
Verify that you are redirected to the Access Manager login page at the IdP. On this page user credentials are requested.
Enter the relevant credentials and process the page.
Verify that you are redirected to the service provider domain.
This section describes scripts that automate some of the Oracle Identity Federation configuration tasks described in Section 4.2 for Oracle Access Manager integration .
The automated steps make the integration smoother and faster than a purely manual procedure.
This section contains these topics:
The prerequisite procedure is performed before you do anything else for integration. Ensure that the following have been done:
The following components are installed:
Oracle WebLogic Server
Oracle HTTP Server
Oracle Access Manager 11g
Oracle Identity Federation 11g
Note:
Refer to the Certification Matrix for platform and version details.
For guidance on integration prerequisites, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Oracle Identity Federation 11g and Oracle HTTP Server are integrated; that is, Oracle HTTP Server is configured as the front end to the Oracle Identity Federation server.
For details, see "Deploying Oracle Identity Federation with Oracle HTTP Server" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
The SSO agent is already created and integrated with Access Manager 11g .
Ensure that the administration and managed servers are up and running.
Access the Fusion Middleware Control console for the Oracle Identity Federation server using a URL of the form:
http://oif_host:oif_em_port/em
Verify that all the servers are running.
This section describes the procedure that automates some tasks in the integration of Oracle Access Manager with Oracle Identity Federation. The procedure is performed by executing python scripts provided in the distribution.
Section 4.2.6, "Configure Oracle Identity Federation" describes the tasks that you can automate with scripts.
The scripts perform the following tasks/procedures:
Automation of all Oracle Identity Federation configuration
Registration of Oracle Identity Federation as DAP partner in Access Manager
Addition of Oracle Identity Federation URLs as protected resources in the policy domain.
You need to copy certain files to the Access Manager host. The files are as follows:
setupOIFOAMConfig.sh
,
setupOIFOAMIntegration.py
locale specific resource bundle oifWLSTResourceBundle
_locale.properties
Create a directory to save these files or copy into an existing directory, in the Access Manager host machine. For example, /scratch/scripts
(linux) or c:\temp\scripts
(Windows).
The script takes in named parameters as inputs (order of inputs does not matter). The inputs mostly have default values if not passed in.
Table 4-2 shows the inputs needed by the scripts:
Table 4-2 Inputs for the OAM-OIF 11gR1 Integration Scripts
Parameter | Description | Default | Required? |
---|---|---|---|
oifHost |
Hostname of Oracle Identity Federation managed server |
None |
Yes |
oifPort |
Port number of Oracle Identity Federation Managed server |
7499 |
No |
oifAdminHost |
Hostname of Oracle Identity Federation Admin server |
oifHost |
No |
oifAdminPort |
Port number of Oracle Identity Federation Admin server |
7001 |
No |
oamAdminHost |
Hostname of Access Manager Admin server |
localhost |
No |
oamAdminPort |
Port number of Access Manager Admin server |
7001 |
No |
agentType |
Agent type used, such as webgate10g, webgate11g, |
webgate11g |
No |
Note:
The agent type is the agent created in Access Manager using the rreg
tool or through the Access Manager console.
The automation is run by executing the script file setupOIFOAMConfig.sh
(Unix) or setupOIFOAMConfig.cmd
(Windows).
The steps are as follows:
The following steps show how to run the script. Substitute the sample parameter values with appropriate values.
In a command line prompt set the DOMAIN_HOME
:
export DOMAIN_HOME=path to domain home
If Oracle Identity Federation administration and managed server are on the same host and the agent type is non-default (for example, webgate10g), execute the command:
./setupOIFOAMConfig.sh oifHost=myhost oifPort=portnum oamAdminHost=myhost2 oamAdminPort=portnum2 agentType=webgate10g
If Oracle Identity Federation administration and managed server are on different hosts, with a default agent type (webgate11g), execute the command:
./setupOIFOAMConfig.sh oifHost=myhost oifPort=portnum oifAdminHost=myhost2 oifAdminPort=portnum2 oamAdminHost=myhost3 oamAdminPort=portnum3
If Oracle Identity Federation administration and managed server are on the same host, and all defaults apply from Table 4-2, execute the command:
./setupOIFOAMConfig.sh oifHost=myhost oamAdminHost=myhost2
The following steps show how to run the script. Substitute the sample parameter values with appropriate values.
In a command line prompt set the DOMAIN_HOME
:
set DOMAIN_HOME=path to oam domain home
If Oracle Identity Federation administration and managed server are on the same host and the agent type is non-default (for example, webgate10g), execute the command:
setupOIFOAMConfig.cmd "oifHost=myhost" "oifPort=portnum" "oamAdminHost=myhost2" "oamAdminPort=portnum2" "agentType=webgate10g"
If Oracle Identity Federation administration and managed server are on different hosts, with a default agent type (webgate11g), execute the command:
setupOIFOAMConfig.cmd "oifHost=myhost" "oifPort=portnum" "oifAdminHost=myhost2" "oifAdminPort=portnum2" "oamAdminHost=myhost3" "oamAdminPort=portnum3"
If Oracle Identity Federation administration and managed server are on the same host, and all defaults apply from Table 4-2, execute the command:
setupOIFOAMConfig.cmd "oifHost=myhost" " "oamAdminHost=myhost3"