In cases where an Oracle Virtual Directory deployment is not viable, and it is acceptable to perform search failover based on some order or hierarchy when finding the user, you can configure Access Manager.
Users with valid Oracle Access Management Administrator credentials can register each Active Directory Global Catalog (ADGC), with relevant search bases and naming attributes, as an individual User Identity Store for Oracle Access Management.
A fully configured Microsoft Active Directory authentication service should be set up with user accounts for mapping Kerberos services, Service Principal Names (SPNs) for those accounts, and keytab files. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3).
dc component. However, if the mapping is different, you can specify the correct mapping as a semicolon (;) separated list of name:value tokens. For example:
LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com
Users with valid Oracle Access Management Administrator credentials can perform the following task to replace or update KerberosPlugin steps with steps that point to the ADGCs you have created. These will operate in tandem with their counterparts (if the initial step and ADGC fail, the secondary ADGC is used). Before you begin, be sure to complete the sections About Preparing Your Active Directory and Kerberos Topology and Confirming Access Manager Operations.
In the Oracle Access Management Console, click Application Security at the top of the window.
Click Authentication Modules in the Plug-ins section.
Click Search, locate the KerberosPlugin plug-in and open it for editing.
On the KerberosPlugin page, click the Steps tab.
Steps Tab: Replace stepKTA, as described here, then click Save.
Click stepKTA then click the Delete (x) button to remove this step.
Click the Add (+) button and add the following step to the plug-in:
Element | Description |
---|---|
Name | stepKTA |
Class | KerberosTokenAuthenticator |
New stepKTA Details: Confirm that this new stepKTA includes the parameter KEY_DOMAIN_DNS2DN_MAP (created earlier) and enter values for your deployment:
Element | Description |
---|---|
KEY_DOMAIN_DNS2DN_MAP | LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com |
Service Principal | HTTP/oam11g.example.com@LM.EXAMPLE.COM |
keytab.conf | keytab.conf location for stepKTA. For example: /refresh/home/oam.keytab |
krb5.conf | krb5.conf location for stepKTA. For example: /etc/krb5.conf |
stepUIF: Step Details (configure as follows and save):
Element | Description |
---|---|
KEY_IDENTITY_STORE_REF | ADGC1-ORACLE |
KEY_SEARCHBASE_URL | {KEY_USERDOMAIN} |
KEY_LDAP_FILTER | (samAccountName={KEY_USERNAME}) NOTE: For untrusted, multi-domain Active Directory environments, use the |
stepUI and stepUA: Step Details (configure these steps and save):
Element | Description |
---|---|
KEY_IDENTITY_STORE_REF | ADGC1-ORACLE |
Save the changes.
Add stepUIF2: This will operate in tandem and execute if stepUIF fails:
Element | Description |
---|---|
KEY_IDENTITY_STORE_REF | ADGC2-SPRITE |
KEY_SEARCHBASE_URL | {KEY_USERDOMAIN} |
KEY_LDAP_FILTER | (samAccountName={KEY_USERNAME}) NOTE: For untrusted, multi-domain Active Directory environments, use the |
Add stepUI2: This will operate in tandem and execute if stepUI fails:
Element | Description |
---|---|
KEY_IDENTITY_STORE_REF | ADGC2-SPRITE |
Add stepUA2: This executes when stepUI2 succeeds:
Element | Description |
---|---|
KEY_IDENTITY_STORE_REF | ADGC1-EXAMPLE and ADGC2-SPRITE, respectively |
Add Step Details: Common Configuration, Plugins, KerberosTokenAuthenticator.
Enter values for your deployment:
Element | Description |
---|---|
keytab.conf | keytab.conf location for stepKTA. For example: |
krb5.conf | krb5.conf location for stepKTA. For example: |
Restart the OAM Cluster.
Proceed with "Configuring Access Manager for Windows Native Authentication".
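As an added example (not Oracle's code), the following Python models the two pieces of the procedure above that are easy to get wrong: parsing the KEY_DOMAIN_DNS2DN_MAP value into a per-realm search base, and walking the two ADGC stores in stepUIF then stepUIF2 order. The DNS2DN_MAP and STORES values are constructed, FAILOVER_ORDER and the fallback of an unmapped realm to dc= components are assumptions, and the username is escaped before it is substituted into the (samAccountName=...) filter.

```python
# Added example, not Oracle's code. Models KEY_DOMAIN_DNS2DN_MAP parsing and the
# stepUIF -> stepUIF2 search failover. Assumption: the realm of the Kerberos principal
# selects the search base; unmapped realms fall back to dc= components of the DNS name.

# Constructed value in the page's name:value;name:value format.
DNS2DN_MAP = ("LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;"
              "LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com")

# Constructed stand-in for two ADGC identity stores: store -> search base -> sAMAccountNames.
STORES = {
    "ADGC1-ORACLE": {"dc=lm,dc=example,dc=com": {"jdoe"}},
    "ADGC2-SPRITE": {"dc=lmsib,dc=sprite,dc=com": {"asmith"}},
}
FAILOVER_ORDER = ("ADGC1-ORACLE", "ADGC2-SPRITE")  # assumed: stepUIF first, then stepUIF2


def parse_dns2dn_map(value: str) -> dict:
    """Split 'REALM:dn;REALM:dn' into {REALM: dn}; reject tokens missing either half."""
    mapping = {}
    for token in (t.strip() for t in value.split(";") if t.strip()):
        realm, sep, dn = token.partition(":")
        if not sep or not realm or not dn:
            raise ValueError(f"malformed KEY_DOMAIN_DNS2DN_MAP token: {token!r}")
        mapping[realm.upper()] = dn
    return mapping


def default_dn(realm: str) -> str:
    """Assumed default mapping: each DNS label of the realm becomes one dc= component."""
    return ",".join(f"dc={label.lower()}" for label in realm.split("."))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the username cannot change the structure of the LDAP filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def find_user(principal: str, mapping: dict, stores=STORES, order=FAILOVER_ORDER):
    """Return (store, search base, filter) for the first store holding the user, else None."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user:
        raise ValueError(f"expected user@REALM, got {principal!r}")
    base = mapping.get(realm.upper()) or default_dn(realm)        # {KEY_USERDOMAIN}
    ldap_filter = f"(samAccountName={escape_filter_value(user)})"  # KEY_LDAP_FILTER
    for store in order:                                           # stepUIF, then stepUIF2
        if user in stores[store].get(base, set()):
            return store, base, ldap_filter
    return None
```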