Unless explicitly stated, this section introduces components required for integrations described in this chapter. It includes the following topics:
References to specific versions and platforms are for demonstration purposes. For the latest Access Manager certification information, see the certification matrix on Oracle Technology Network at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
Access Manager provides access and security functions, including Web-based single sign-on, policy management, reporting, and auditing.
When integrated with Microsoft SharePoint Server, Access Manager handles user authentication through an ISAPI filter and an ISAPI module, which enables single sign-on between the two products. The components in Table 59-1 are required to integrate with Microsoft SharePoint Server (or with Microsoft SharePoint Server configured with LDAP Membership Provider).
Table 59-1 Component Requirements

Component | Description |
---|---|
10g WebGate | The ISAPI version 10g WebGate must reside on the same computer as the SharePoint Server. Within the context of this integration, this WebGate is an ISAPI filter that intercepts HTTP requests for Web resources and forwards them to the OAM Server to authenticate the user who made the request. If authentication is successful, the WebGate creates an ObSSOCookie and sends it to the user's browser, thus facilitating single sign-on. The WebGate also sets impersonate as a HeaderVar action for this user session. For LDAP Membership Provider Scenario: See "Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider". |
 | This IIS-native module is installed with the WebGate. The After a WebGate installation, you must configure For LDAP Membership Provider Scenario: Do not configure |
Directory Server | Access Manager can be connected to any supported directory server including, but not limited to, LDAP and Active Directory. Access Manager can even connect to the same instance of Active Directory used by SharePoint Server. In any case, the directory is not required on the same machine as SharePoint Server and the protecting WebGate. |
OAM Server | The integration also requires installation of the OAM Server with which the WebGate protecting your SharePoint Server installation is configured to inter-operate. Except for the WebGate protecting SharePoint Server, your components do not need to reside on the machine hosting SharePoint Server. See Also: "Preparing for Integration With SharePoint Server". |
Minimum requirements dictate a 64-bit, four-core processor.
However, references to specific versions and platforms are for demonstration purposes. For the latest Access Manager certification information, see the following Microsoft library location for Microsoft SharePoint Server:
https://technet.microsoft.com/en-us/library/cc262485.aspx
The SharePoint multi-purpose platform allows for managing and provisioning of intranet portals, extranets, and Web sites; document management and file management; collaboration spaces; social networking tools; enterprise search and intelligence tooling; process and information integration; and third-party developed solutions.
Note:
Minimum requirements dictate a 64-bit, four-core processor. However, references to specific versions and platforms are for demonstration purposes. For the latest Access Manager certification information, see Oracle Technology Network at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
Table 59-2 describes the other components required for this integration.
See Also:
The following library location for Microsoft SharePoint Server and access to applicable software:
http://technet.microsoft.com/en-us/library/cc262485.aspx
Table 59-2 Microsoft Requirements for this Integration

Component | Description |
---|---|
Custom Login Page for SharePoint site | When the user tries to access a SharePoint site configured to use Form Based Authentication, the user is redirected to a login page where the user enters his or her credentials (user name and password). The custom login page passes the credentials to the SharePoint site. |
SharePoint site | You create the SharePoint site using the SharePoint Central Administration application. The site is configured to use Form Based Authentication as the authentication method by following the steps mentioned in The SharePoint site passes the user credentials to the SharePoint STS, which generates a SAML token upon successful ObSSOCookie validation by the custom membership provider. The SharePoint site also generates a FedAuth cookie upon receiving the SAML token from the SharePoint STS. The SharePoint site passes the FedAuth cookie to the user so that he or she can access the SharePoint site. |
SharePoint Security Token Service (STS) | The SharePoint site passes the user credentials (user name and password) to the SharePoint STS, which invokes the custom membership provider and passes the credentials to it. Once the custom membership provider validates the ObSSOCookie passed to it, the SharePoint STS generates the SAML token for the user, which is passed to the SharePoint Relying Party (RP). |
Custom Membership Provider for SharePoint STS | The SharePoint STS invokes the membership provider (configured with Form Based Authentication). STS passes the user credentials and the URL for the IIS resource (configured in The membership provider is customized such that it returns success if the ObSSOCookie value passed to it is valid. The custom membership provider library ( The |
IIS resource for Cookie validation | Configure the URL for the IIS resource in the SharePoint site's For the HTTP validation method, the WebGate intercepts the request sent by the custom membership provider, extracts the ObSSOCookie from the request, and validates it. If the cookie is valid, then the request is redirected to the IIS resource, which returns the response with a 200 (OK) status code to the custom membership provider. Otherwise, a 403 (Forbidden) error code is returned to the custom membership provider. |
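The cookie-validation round trip in the last three rows of Table 59-2 (custom membership provider sends the ObSSOCookie to the IIS resource, the WebGate in front of it answers 200 or 403), as an added Python model that is not Oracle's, Microsoft's, or the real .NET membership provider's code. The validation URL, the session table standing in for the WebGate's real session state, and the function names are all assumed for the example.

```python
from typing import Callable, Dict, Optional

# Assumed URL of the IIS resource used for cookie validation (constructed).
VALIDATION_URL = "http://sharepoint.example.test/oamvalidate/ok.html"

# Constructed stand-in for the sessions the WebGate would accept.
VALID_SESSIONS: Dict[str, str] = {"sample-cookie-for-alice": "alice"}

def webgate_intercept(url: str, headers: Dict[str, str]) -> int:
    """Stand-in for the WebGate ISAPI filter in front of the IIS resource.

    Extracts ObSSOCookie from the Cookie header and returns 200 when the
    cookie maps to a live session, else 403 (request never reaches the page).
    """
    cookies = dict(
        part.strip().split("=", 1)
        for part in headers.get("Cookie", "").split(";")
        if "=" in part
    )
    cookie = cookies.get("ObSSOCookie")
    if cookie and cookie in VALID_SESSIONS:
        return 200
    return 403

def validate_obsso_cookie(
    cookie_value: Optional[str],
    send: Callable[[str, Dict[str, str]], int] = webgate_intercept,
    url: str = VALIDATION_URL,
) -> bool:
    """Stand-in for the custom membership provider's validation step.

    Only an explicit 200 from the validation resource counts as a valid
    session. A 403, any other status (for example a redirect to a login
    page) or a transport failure is treated as "not authenticated" so
    an outage can never turn into a successful login.
    """
    if not cookie_value:
        return False
    try:
        status = send(url, {"Cookie": f"ObSSOCookie={cookie_value}"})
    except OSError:
        return False
    return status == 200

if __name__ == "__main__":
    print(validate_obsso_cookie("sample-cookie-for-alice"))  # True
    print(validate_obsso_cookie("expired-or-forged"))          # False
```

The `send` parameter lets the same provider logic be exercised against the in-process WebGate stand-in or against a real HTTP client that returns the status code.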