Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New
Updates in August 2014 Documentation Refresh for 11g Release 2 (11.1.2.2.0)
Updates in February 2014 Documentation Refresh for 11g Release 2 (11.1.2.2.0)
Updates and New Features for 11g Release 2 (11.1.2.2.0)
Updates in September 2013 Documentation Refresh for 11g Release 2 (11.1.2.1.0)
Updates in July 2013 Documentation Refresh for 11g Release 2 (11.1.2.1.0)
Updates in May 2013 Documentation Refresh for 11g Release 2 (11.1.2.1.0)
New and Changed Features for 11g Release 2 (11.1.2.1.0)
Updates in November 2012 Documentation Refresh for 11g Release 2 (11.1.2)
Updates in August 2012 Documentation Refresh for 11g Release 2 (11.1.2)
New and Changed Features for 11g Release 2 (11.1.2)
Other Significant Changes in this Document for 11g Release 2 (11.1.2)
Part I IdM Integration Topology
1 Introduction
1.1 Prerequisites to Integration
1.2 Integration Topologies
1.2.1 Basic Integration Topologies
1.2.1.1 Single Domain Architecture
1.2.1.2 Double (Split) Domain Architecture
1.2.1.3 The Three Tier Architecture
1.2.1.4 Understanding the Web Tier
1.2.1.5 Understanding the Application Tier
1.2.1.6 Understanding the Data Tier
1.2.2 The Enterprise Integration Topology
1.2.3 Using Multiple Directories for an Identity Store
1.2.4 Integration Terminology
1.3 About Oracle Identity Management Components
1.3.1 Oracle Internet Directory
1.3.2 Oracle Virtual Directory
1.3.3 Oracle Access Management Access Manager
1.3.3.1 A Note About IDMDomain Agents and Webgates
1.3.4 Oracle Identity Manager
1.3.5 Oracle Adaptive Access Manager
1.3.6 Oracle Access Management Identity Federation
1.3.7 Oracle Identity Navigator
1.4 Integration Quick Links
1.5 Common Integration Scenarios
1.5.1 Resource Protection and Credential Collection Scenarios (Advanced Integration)
1.5.1.1 Case 1: The User is Authenticated by Access Manager with Oracle Adaptive Access Manager Performing Step Up Authentication
1.5.1.2 Case 2: User is Not Authenticated by Access Manager
1.5.1.3 Case 3: User is Authenticated by Access Manager and Oracle Adaptive Access Manager Does Not Perform Step Up Authentication
1.5.2 Resource Protection and Credential Collection Scenario (Basic Integration)
1.5.3 Password Management Scenarios
1.5.3.1 Access Manager Integrated with Oracle Identity Manager
1.5.3.2 Self-Registration
1.5.3.3 Password Change
1.5.3.4 Forgot Password
1.5.3.5 Account Lock and Unlock
1.5.3.6 Challenge Setup
1.5.3.7 Challenge Reset
1.6 System Requirements and Certification
1.7 Using My Oracle Support for Additional Troubleshooting Information
Part II Core Integrations
2 Integrating Access Manager and Oracle Identity Manager
2.1 About the Integration
2.2 Integration Roadmap
2.3 Integration Prerequisites
2.4 Configuring the Identity Store
2.4.1 Extending Directory Schema for Access Manager
2.4.2 Creating Users and Groups for Access Manager
2.4.3 Creating Users and Groups for Oracle Identity Manager
2.4.3.1 Updating the OVD Adapters With the Newly Created OIM Admin User
2.4.4 Creating Users and Groups for Oracle WebLogic Server
2.5 Configuring Access Manager for Integration
2.6 Integrating Access Manager with Oracle Identity Manager
2.7 Configuring Oracle HTTP Server to Front-End Resources on OIM
2.8 Add OIM Resource Policies to the OAM Configuration
2.9 Starting Servers with Domain Agent Removed
2.10 Additional Configuration Tasks
2.10.1 Migrating from the Domain Agent to 10g WebGate with OHS 11g
2.10.1.1 Creating a Single Keystore for Integrating Access Manager with Oracle Identity Manager
2.11 Validating the Integration
2.11.1 Validate OIM SSOConfig
2.11.2 Validate Security Provider Configuration
2.11.3 Validate OIM Domain Credential Store
2.11.4 Validate Event Handlers for SSO
2.11.5 Validate SSO Logout Configuration
2.12 Testing the Integration
2.13 Troubleshooting Common Problems
2.13.1 Single Sign-On Issues
2.13.1.1 Checking HTTP Headers
2.13.1.2 User is Re-Directed to Wrong Login Page
2.13.1.3 Login Fails
2.13.1.4 Oracle Access Management Console Login Page Does Not Display
2.13.1.5 Authenticated User is Re-Directed to Oracle Identity Manager Login Page
2.13.1.6 User is Re-Directed to Oracle Identity Manager Login Page
2.13.1.7 New User is Not Re-Directed to Change Password
2.13.1.8 User is Re-Directed in a Loop
2.13.2 Auto-Login Issues
2.13.2.1 TAP Protocol Issues
2.13.2.2 NAP Protocol Issues
2.13.3 Session Termination Issues
2.13.4 Account Self-Locking Issues
2.13.5 Miscellaneous Issues
2.13.5.1 Client Based Login to Oracle Identity Manager Fails
2.13.5.2 Logout Throws 404 Error
3 Integrating Access Manager, OAAM, and OIM
3.1 About Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager Integration
3.1.1 Deployment Options for Strong Authentication
3.1.2 Deployment Options for Password Management
3.2 Definitions, Acronyms, and Abbreviations
3.3 Integration Roadmap
3.4 Integration Prerequisites
3.5 Integrating Access Manager and Oracle Identity Manager
3.6 Enabling LDAP Synchronization for Oracle Identity Manager
3.7 Integrating Access Manager and Oracle Adaptive Access Manager
3.8 Integrating Oracle Identity Manager and Oracle Adaptive Access Manager
3.8.1 Set Oracle Identity Manager Properties for Oracle Adaptive Access Manager
3.8.2 Update OAAM Properties to Enable Integration Between Oracle Identity Manager and OAAM
3.8.3 Configure Oracle Identity Manager Credentials in the Credential Store Framework
3.8.4 Configure Cross Domain Trust Between Oracle Identity Manager and Oracle Adaptive Access Manager
3.9 Performing Other Configuration Tasks
3.10 Troubleshooting Common Problems
3.10.1 User Encounters a Non-Working URL
3.10.2 User is Redirected in a Loop After User Enters Wrong Password
3.10.3 Two User Sessions are Created upon Successful Authentication
3.10.4 OAAM Test Login URL Fails After Access Manager and OAAM Integration
Part III External SSO Solutions
4 Integrating with Identity Federation
4.1 Background and Integration Overview
4.1.1 About Oracle Access Management Identity Federation
4.1.2 Deployment Options for Identity Federation
4.1.3 References
4.2 Integration with Access Manager 11gR2
4.2.1 Architecture
4.2.2 Overview of Integration Tasks
4.2.3 Prerequisites
4.2.4 Additional Setup
4.2.5 Register Oracle HTTP Server with Access Manager
4.2.6 Configure Oracle Identity Federation
4.2.6.1 Verify the User Data Store
4.2.6.2 Configure Oracle Identity Federation Authentication Engine
4.2.6.3 Configure Oracle Identity Federation SP Integration Module
4.2.7 Configure Access Manager
4.2.7.1 Configure OIFScheme
4.2.7.2 Register Oracle Identity Federation as a Trusted Access Manager Partner
4.2.8 Protecting a Resource with OIFScheme
4.2.9 Test the Configuration
4.2.9.1 Test SP Mode Configuration
4.2.9.2 Test Authentication Mode Configuration
4.3 Scripts for Integration Tasks
4.3.1 Perform the Preliminary Procedure
4.3.2 Additional Setup
4.3.3 Execute the Automated Procedure
4.3.3.1 Scope of the Automated Process
4.3.3.2 Copy the Scripts to the Access Manager Machine
4.3.3.3 Understand the Inputs to the Scripts
4.3.3.4 Run the Scripts
Part IV Monitoring
5 Integrating with Oracle Identity Navigator
5.1 Enabling Single Sign-On
5.1.1 Configure a New Resource for the Agent
5.1.2 Configure Oracle HTTP Server for the Access Manager Domain
5.1.3 Add New Identity Providers
5.1.4 Configure Access to Multiple Applications
Part V Additional Identity Store Configuration
6 Configuring an Identity Store with Multiple Directories
6.1 Overview of Configuring Multiple Directories as an Identity Store
6.2 Configuring Multiple Directories as an Identity Store: Split Profile
6.2.1 Prerequisites
6.2.2 Repository Descriptions
6.2.3 Setting Up Oracle Internet Directory as a Shadow Directory
6.2.4 Directory Structure Overview - Shadow Join
6.2.5 Configuring Oracle Virtual Directory Adapters for Split Profile
6.2.6 Configuring a Global Consolidated Changelog Plug-in
6.2.7 Validating the Oracle Virtual Directory Changelog
6.3 Configuring Multiple Directories as an Identity Store: Distinct User and Group Populations in Multiple Directories
6.3.1 Directory Structure Overview for Distinct User and Group Populations in Multiple Directories
6.3.2 Configuring Oracle Virtual Directory Adapters for Distinct User and Group Populations in Multiple Directories
6.3.2.1 Create Enterprise Directory Adapters
6.3.2.2 Create Application Directory Adapters
6.3.3 Creating a Global Plug-in
6.4 Additional Configuration Tasks
Part VI Appendices
A Verifying Adapters for Multiple Directory Identity Stores by Using ODSM
A.1 Verifying Oracle Virtual Directory Adapters for Split Profile by Using ODSM
A.1.1 Verifying User Adapter for Active Directory Server
A.1.2 Verifying Shadowjoiner User Adapter
A.1.3 Verifying JoinView Adapter
A.1.4 Verifying User/Role Adapter for Oracle Internet Directory
A.1.5 Verifying Changelog Adapter for Active Directory Server
A.1.6 Verifying Changelog Adapter for Oracle Internet Directory
A.1.7 Configuring a Global Consolidated Changelog Plug-in
A.1.8 Validate Oracle Virtual Directory Changelog
A.2 Verifying Adapters for Distinct User and Group Populations in Multiple Directories by Using ODSM
A.2.1 User/Role Adapter A1
A.2.2 User/Role Adapter A2
A.2.3 Changelog Adapter C1
A.2.4 Changelog Adapter for Active Directory
A.2.5 Changelog Adapter C2
A.2.6 Verifying Oracle Virtual Directory Global Plug-in
A.2.7 Configuring a Global Consolidated Changelog Plug-in
B The idm.conf File
B.1 About the idm.conf File
B.1.1 The Default Access Zone
B.1.2 The External Access Zone
B.1.3 The Internal Services Zone
B.1.4 The Administrative Services Zone
B.2 Example idm.conf File
C Integrating Oracle Adaptive Access Manager with Access Manager
C.1 About Access Manager and Oracle Adaptive Access Manager Integration
C.2 Definitions, Acronyms, and Abbreviations
C.3 OAAM Basic Integration with Access Manager
C.3.1 Prerequisites for OAAM Basic Integration with Access Manager
C.3.2 Starting the WebLogic Server
C.3.3 Configuring OAAM Basic Integration with Access Manager
C.4 OAAM Advanced Integration with Access Manager
C.4.1 Roadmap for OAAM Advanced Integration with Access Manager
C.4.2 Prerequisites for OAAM Advanced Integration with Access Manager
C.4.3 Restarting the Servers
C.4.4 Creating the OAAM Admin Users and OAAM Groups
C.4.5 Importing the Oracle Adaptive Access Manager Snapshot
C.4.6 Validating Initial Configuration of Access Manager
C.4.7 Validating Initial Configuration of Oracle Adaptive Access Manager
C.4.8 Registering the WebGate with Access Manager 11g Using the Oracle Access Management Console
C.4.8.1 Prerequisites for WebGate Registration
C.4.8.2 Configure Oracle HTTP Server with WebGate
C.4.8.3 Register the WebGate as a Partner with Access Manager 11g Using the Oracle Access Management Console
C.4.8.4 Restarting the Oracle HTTP Server WebGate
C.4.8.5 Validating the WebGate Setup
C.4.9 Registering the OAAM Server as a Partner Application to Access Manager
C.4.10 Adding a Password to the IAMSuiteAgent Profile
C.4.11 Updating the Domain Agent Definition If Using Domain Agent for Another Console
C.4.12 Verifying TAP Partner Registration
C.4.12.1 Verifying the Challenge URL
C.4.12.2 Adding the MatchLDAPAttribute Challenge Parameter in the TAPScheme
C.4.12.3 Validating the IAMSuiteAgent Setup
C.4.13 Setting Up Access Manager TAP Integration Properties in OAAM
C.4.14 Configuring Integration to Use TAPScheme to Protect Identity Management Product Resources in the IAMSuiteAgent Application Domain
C.4.15 Configuring a Resource to be Protected with TAPScheme
C.4.15.1 Creating a New Resource under the Application Domain
C.4.15.2 Creating a New Authentication Policy that Uses TAPScheme to Protect the Resource
C.4.16 Validating the Access Manager and Oracle Adaptive Access Manager Integration
C.5 Other Access Manager and OAAM Integration Configuration Tasks
C.5.1 Changing the Authentication Level of the TAPScheme Authentication Scheme
C.5.2 Setting Up Oracle Adaptive Access Manager and Access Manager Integration When Access Manager is in Simple Mode
C.5.2.1 Configuring Simple Mode Communication with Access Manager
C.5.2.2 Setting OAAM Properties for Access Manager for Simple Mode
C.5.3 Configuring Identity Context Claims in the Access Manager and OAAM TAP Integration
C.5.4 Enabling Oracle Adaptive Access Manager to Transfer Data to Access Manager over HTTP Post-Based Front Channel
C.5.5 Disabling OAAM Administration Console Protection
C.5.6 Disabling Step Up Authentication
C.5.7 Changing the Oracle Adaptive Access Manager Password Length Limit
C.5.8 Adding Customizations Using the OAAM Extensions Shared Library
C.5.9 Enabling the Single Login Page Flow
C.6 Resource Protection Scenario
C.6.1 Resource Protection Scenario: Changing Authentication Level of TAPScheme
C.6.2 Resource Protection Scenario: Removing OAAM Administration Console from Protected Higher Level Policy
C.6.3 Resource Protection Scenario: Creating a New Policy that Uses TAPScheme to Protect the Resource
C.6.4 Resource Protection Scenario: Creating a New OAAM User
C.6.5 Resource Protection Scenario: Login Flow
C.6.6 Resource Protection Scenario: Step Up Authentication Flow
C.7 Troubleshooting Common Problems
C.7.1 OAAM Basic Integration with Access Manager
C.7.1.1 Internet Explorer 7 and OAAM Basic Integration with Access Manager
C.7.1.2 Access Manager and Oracle Adaptive Access Manager Integration and Changes in the Console
C.7.1.3 OTP Challenge Not Supported in OAAM Basic Integration with Access Manager
C.7.1.4 Using ConfigureOAAM WLST Command to Create the Datasource in OAAM Basic Integration with Access Manager
C.7.2 Login Failure
C.7.2.1 Non-ASCII Credentials
C.7.2.2 Mixed Case Logins
C.7.2.3 Cookie Domain Definition
C.7.2.4 OAAM Test Login URL /oaam_server Fails After Access Manager and Oracle Adaptive Access Manager Integration
C.7.3 Identity Store
C.7.3.1 Username Attribute Incorrect Setting
C.7.3.2 In the Access Manager and Oracle Adaptive Access Manager Integration TAP Could Not Modify User Attribute
C.7.3.3 No Synchronization Between Database and LDAP
C.7.4 Miscellaneous
C.7.4.1 Integration Failure Due to Network Delay
C.7.4.2 Changing the TAP Token Version to 2.1
C.7.4.3 Resource Protected by OAAMAdvanced Scheme Is Not Accessible in Access Manager 11.1.1.4.0 and OAAM 11.1.1.5.0 Integration
C.7.4.4 Additional Properties to Set If Using OAAMAdvanced Scheme
C.7.4.5 Accessing LDAP Protected Resource as a Test
D Using the idmConfigTool Command
D.1 About the Tool
D.1.1 When to Use the Tool
D.1.2 Tasks Performed by the Tool
D.1.3 Components Supported by the Tool
D.1.4 Location
D.1.5 Webgate Types Supported
D.1.6 Single- and Cross-Domain Scenarios
D.2 Set Up Environment Variables
D.3 Syntax and Usage
D.3.1 Command Syntax
D.3.2 Requirements
D.3.3 Generated Files
D.3.4 Using the Properties File
D.3.4.1 About the Properties File
D.3.4.2 List of Properties
D.3.5 Log File Cleanup
D.4 Command Options and Properties
D.4.1 preConfigIDStore Command
D.4.2 prepareIDStore Command
D.4.2.1 prepareIDStore mode=OAM
D.4.2.2 prepareIDStore mode=OIM
D.4.2.3 prepareIDStore mode=OAAM
D.4.2.4 prepareIDStore mode=WLS
D.4.2.5 prepareIDStore mode=WAS
D.4.2.6 prepareIDStore mode=APM
D.4.2.7 prepareIDStore mode=fusion
D.4.2.8 prepareIDStore mode=all
D.4.3 configPolicyStore Command
D.4.4 configOAM Command
D.4.5 configOIM Command
D.4.6 postProvConfig Command
D.4.7 upgradeLDAPUsersForSSO Command
D.4.8 validate IDStore Command
D.4.9 validate PolicyStore Command
D.4.10 validate OAM Command (11g)
D.4.11 validate OAM Command (10g)
D.4.12 validate OIM Command
D.4.13 configOVD Command
D.4.14 ovdConfigUpgrade Command
D.4.15 disableOVDAccessConfig Command
D.4.16 upgradeOIMTo11gWebgate
D.5 Additional Tasks for OUD Identity Store in an HA Environment
D.5.1 Creating the Global ACI for Oracle Unified Directory
D.5.2 Creating Indexes on Oracle Unified Directory Replicas
E Enabling LDAP Synchronization in Oracle Identity Manager
E.1 Enabling Postinstallation LDAP Synchronization
E.2 Customizing User Creation Through Oracle Identity Manager With Different Custom Object Classes
E.3 Filtering Data in Incremental Reconciliation
E.4 Creating Users in Oracle Identity Manager and Not in LDAP When LDAP Synchronization is Enabled
E.5 Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager
E.6 Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server
E.6.1 Enabling SSL Between Identity Virtualization Library (libOVD) and Microsoft Active Directory
E.6.2 Enabling SSL Between Identity Virtualization Library (libOVD) and iPlanet
E.6.3 Enabling SSL Between Identity Virtualization Library (libOVD) and OID
E.7 Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP
E.8 Disabling LDAP Synchronization
E.9 Creating OVD Adapters
E.9.1 Creating Oracle Virtual Directory Adapters for Oracle Internet Directory and Active Directory
E.9.2 Using the UserManagement Plug-In
E.9.2.1 Configuration Parameters
E.9.3 Using the Changelog Plug-In
E.9.3.1 Deploying the Release 11.1.1.4.0 Changelog Plug-In
E.9.3.2 Deploying Changelog Plug-Ins from Prior Releases
E.9.3.3 Configuration Parameters
E.9.4 Troubleshooting Tips
E.10 Managing Identity Virtualization Library (libOVD) Adapters
E.11 Enabling Access Logging for Identity Virtualization Library (libOVD)
E.12 Configuring LDAP Authentication When LDAP Synchronization is Enabled
F Configuring Oracle Virtual Directory for Integration with Oracle Access Management Access Manager
F.1 Creating and Configuring Oracle Virtual Directory Adapters
F.1.1 Creating and Configuring an LDAP Adapter
F.1.1.1 Creating an LDAP Adapter
F.1.1.2 Configuring an LDAP Adapter
F.1.2 Creating and Configuring a Database Adapter
F.1.2.1 Creating a Database Adapter
F.1.2.2 Configuring a Database Adapter
F.1.3 Creating and Configuring a Custom Adapter
F.1.3.1 Creating a Custom Adapter
F.1.3.2 Configuring Custom Adapters
F.2 Using the OAMPolicyControl Plug-In with Oracle Access Manager 10g
F.2.1 Configuration Parameters
Index