In this scenario, Access Manager gets integrated with SharePoint Server using SharePoint Security Token Service (STS). This includes the ISAPI WebGate installation on IIS, as well as Access Manager configuration and steps needed to achieve the HeaderVar integration.
Note:
Only 64-bit ISAPI WebGates are supported for this integration.
The following overview introduces the tasks that you must perform for this integration, including prerequisites, and where to find the information you need for each task.
Task overview: Integrating with Microsoft SharePoint Server Configured with LDAP Membership Provider
Preparing for this integration:
Install "Required Microsoft Components", as described.
Create a SharePoint Web site, as described in "Creating a New Web Application in Microsoft SharePoint Server".
Configure the SharePoint site collection, as described in "Creating a New Site Collection for Microsoft SharePoint Server".
Configure the created Web site with LDAP directory using Claim-Based Authentication type (which uses the LDAP Membership Provider), as described in your SharePoint documentation.
Test the configuration to ensure that users who are present in the LDAP directory can log in to the SharePoint Web site and get proper roles, as described in your SharePoint documentation.
Perform all tasks described in "Installing Access Manager for Microsoft SharePoint Server Configured With LDAP Membership Provider".
This task includes installing a 10g WebGate for IIS and configuring a WebGate.dll for the individual SharePoint Web site.
Add an authentication scheme for this integration, as described in "Configuring an Authentication Scheme for Use With LDAP Membership Provider".
Update the Application Domain that protects the SharePoint Web Site, as described in "Updating the Application Domain Protecting the SharePoint Web Site".
In the new Application Domain, create an authorization rule for this integration, as described in "Creating an Authorization Response for Header Variable SP_SSO_UID".
Perform all steps in "Creating an Authorization Response for the OAMAuthCookie".
Perform all steps in "Configuring and Deploying OAMCustomMembershipProvider".
Synchronize directory servers, if needed, as described in "Ensuring Directory Servers are Synchronized".
Configure single-sign-on for office documents as described in "Configuring Single Sign-On for Office Documents".
Configure single sign-off, as described in "Configuring Single Sign-off for Microsoft SharePoint Server".
Finish by testing your integration to ensure it operates without problem, as described in "Testing the Integration".
The previous scenario, "Integrating With Microsoft SharePoint Server", describes how to use Windows authentication. In that scenario, authentication and authorization are performed for users residing in Active Directory. Access Manager used Windows impersonation for integration.
For the integration described in this section, support for the LDAP Membership Provider is achieved by using a HeaderVar-based integration. The ISAPI WebGate filter intercepts HTTP requests for Web resources and works with the OAM Server to authenticate the user who made the request. When authentication is successful, WebGate creates an ObSSOCookie and sends it to the user's browser to facilitate single sign-on (SSO). The WebGate also sets SP_SSO_UID as a HeaderVar action for this user session. The Oracle Custom Membership Provider in SharePoint validates the ObSSOCookie using the HTTP validation method, whereby the Access Manager Custom Membership Provider makes an HTTP/HTTPS request to a protected resource. Access Manager then validates and compares the user login returned on Authorization success with SP_SSO_UID.
See Also:
"Introduction to Integrating With the SharePoint Server" for a look at processing differences between this integration and the other integrations described in this chapter.
Requirements: This integration requires that Microsoft SharePoint Server:
Must be integrated with the LDAP Membership Provider
Must not use Windows authentication
Must not have IISImpersonationModule.dll configured at the Web site using Claim Based Authentication
You can prepare your installation for integration with Microsoft SharePoint Server Configured with LDAP Membership Provider.
Prerequisites
Perform Step 1 of the previous "About Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider".
To prepare your deployment for integration that includes LDAP Membership Provider
Install Oracle Identity Management and Access Manager.
Provision and install an ISAPI WebGate.
Configure Webgate.dll at the SharePoint Web site that you want to protect. For example:
Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager
Under Web Sites, double click the name of the SharePoint Web site to protect.
In the Middle pane, double click ISAPI Filters and click Add in the right pane.
Enter the filter name as Oracle WebGate.
Enter the following path to the Webgate.dll file:
WebGate_install_dir/access/oblix/apps/Webgate/bin/Webgate.dll
Save and apply these changes.
Double click Authentication in the middle pane.
Verify that the following Internet Information Services settings are correct: Anonymous Authentication and Forms Authentication are enabled, and Windows Authentication is disabled.
Note:
For Claim-based Authentication to work with Access Manager, Windows Authentication for the SharePoint Site must be disabled.
Save and Apply these changes.
Go to the Web sites level to protect and create an /access application that points to the newly installed WebGate_install_dir. For instance:
Under Web Sites, right-click the name of the Web site to be protected.
Select Add Application and create an application with the alias "access" that points to the appropriate WebGate_install_dir\access.
Under Access Permissions, check Read, Run Scripts, and Execute.
Save and apply these changes.
Proceed to "Configuring an Authentication Scheme for Use With LDAP Membership Provider".
When your integration includes the LDAP Membership Provider, only three Access Manager authentication methods are supported.
To configure an authentication scheme for SharePoint with LDAP Membership Provider:
The Application Domain was created when you provisioned the IIS WebGate to protect the Microsoft SharePoint Server Web site for the integration scenario with LDAP Membership Provider.
Within an Application Domain, resource definitions exist as a flat collection of objects. Each resource is defined by a specific type and by the URL prefix that identifies a document or entity stored on a server and available for access by a large audience. The location is specified using an existing shared Host Identifier.
Note:
For this integration, leave empty the URL Prefix. Do not enter a region to be appended to the URL prefix.
You need to use the authentication scheme that you created earlier. To validate the ObSSOCookie, you must create another policy for a resource protected by a WebGate; for example: /ValidateCookie. This resource should be deployed on a Web server protected by a WebGate and you should be able to access it after providing correct Access Manager credentials: http(s)://host:port/ValidateCookie
This example uses SharePoint w/LDAP-MP as the Application Domain name. Your environment will be different.
Note:
Step 4 includes an alternative Authentication Scheme to protect the SharePoint Web site with a Form authentication scheme.
To update the Application Domain protecting the root SharePoint Web site
You can add an Authorization Response for the integration configured with LDAP Membership Provider.
For this integration, you add the following Header Variable to the Application Domain as Responses for Authorization success:
Type = Header
Name = SP_SSO_UID
Return Attribute = $user.userid
In this case:
The Return Attribute is the login attribute used in Login
This authorization rule protects the root SharePoint Web site "/".
To create an authorization response for SharePoint with LDAP Membership Provider
You can add the Header Variable named OAMAuthCookie to the Application Domain as Responses under Authorization success.
The Header Variable:
Type = Cookie
Name = OAMAuthCookie
Return Attribute = $user.userid
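The validation flow described in this section (the WebGate sets SP_SSO_UID as a HeaderVar, the Custom Membership Provider validates the ObSSOCookie against a WebGate-protected resource such as /ValidateCookie, and the login returned on Authorization success is compared with SP_SSO_UID) is illustrated below as an added example; it is not Oracle's OAMCustomMembershipProvider code. It assumes the validation resource answers 200 with the OAMAuthCookie response on success and redirects to the login page otherwise; the session table, host name and user ids are constructed.

```python
# Added illustration of the HeaderVar validation flow on this page. It is NOT
# Oracle's OAMCustomMembershipProvider code. Assumptions (labelled): the
# /ValidateCookie resource answers 200 with "Set-Cookie: OAMAuthCookie=<userid>"
# on Authorization success and a 302 redirect to the login page otherwise.
from http.cookies import SimpleCookie
from typing import Callable, Mapping, Optional, Tuple

VALIDATE_PATH = "/ValidateCookie"   # resource named on the page, protected by a WebGate

# Constructed stand-in for OAM session state: ObSSOCookie value -> authorized user id.
_SESSIONS = {"ob-sess-1": "jdoe", "ob-sess-2": "asmith"}

def fake_validate_endpoint(obsso_cookie: str) -> Tuple[int, Mapping[str, str]]:
    """Simulated HTTP response of /ValidateCookie: (status, response headers)."""
    user = _SESSIONS.get(obsso_cookie)
    if user is None:
        # Constructed login host; a WebGate redirects unauthenticated requests here.
        return 302, {"Location": "https://oam.example/login"}
    return 200, {"Set-Cookie": f"OAMAuthCookie={user}; Path=/; HttpOnly"}

def user_from_validation(status: int, headers: Mapping[str, str]) -> Optional[str]:
    """Extract the authorized login from the OAMAuthCookie response; None if absent."""
    if status != 200:
        return None                   # redirect to login: the cookie was not valid
    jar = SimpleCookie()
    jar.load(headers.get("Set-Cookie", ""))
    return jar["OAMAuthCookie"].value if "OAMAuthCookie" in jar else None

def resolve_user(request_headers: Mapping[str, str],
                 request_cookies: Mapping[str, str],
                 validate: Callable[[str], Tuple[int, Mapping[str, str]]] = fake_validate_endpoint,
                 ) -> Optional[str]:
    """Return the login SharePoint may trust for this request, or None to deny.

    SP_SSO_UID is only a claim until the ObSSOCookie that arrived with it is
    validated server-side and the login returned for it matches the header.
    """
    claimed = request_headers.get("SP_SSO_UID")
    sso = request_cookies.get("ObSSOCookie")
    if not claimed or not sso:
        return None                   # header without a session cookie is never enough
    status, resp_headers = validate(sso)
    verified = user_from_validation(status, resp_headers)
    if verified is None or verified != claimed:   # exact match assumed here
        return None                   # invalid session or mismatch: deny
    return verified
```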
To create an Application Domain to protect the validation URL
You can use the Access Manager Authentication Module to authenticate and authorize the user
You can specify a default login page bundled in this file:
WebGate_install_dir\access\oblix\apps\Webgate\OAMCustomMembershipProvider\samples\Sample.Default.aspx
To configure SharePoint to use the OAM Authentication Module
If you want to enable logs for the Oracle Custom Membership Provider, you must configure the DebugFile parameter in the configuration file for the Oracle Custom Membership Provider.
For example, a sample entry for DebugFile="Location_of_logs_file":
type="Oracle.CustomMembershipProvider, OAMCustomMembershipProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=52e6b93f6f0427a1" DebugFile="c:\Debug.txt"
Users in the directory server configured for Access Manager should be synchronized with the directory server used by SharePoint if these are different.
This is the same task that you perform for other integration scenarios in this chapter. When your SharePoint integration includes an LDAP Membership Provider, however, you can use a directory server that supports LDAP commands.