A Integrating Oracle Internet Directory with Oracle Access Manager

This appendix describes post-installation enablement of a centralized LDAP store for use with Oracle Access Manager. Oracle Internet Directory is featured in this discussion. However, tasks are the same regardless of your chosen LDAP provider.

Oracle Access Manager addresses each user population and LDAP directory store as an identity domain. Each identity domain maps to a configured LDAP User Identity Store that is registered with Oracle Access Manager. Multiple LDAP stores can be used with each one relying on a different supported LDAP provider.

During initial WebLogic Server domain configuration, the Embedded LDAP is configured as the one and only User Identity Store for Oracle Access Manager. Within the Embedded LDAP, the Administrators group is created, with weblogic seeded as the default Administrator:

• Only the User Identity Store designated as the System Store is used to authenticate Administrators signing in to use the Oracle Access Manager, remote registration, and custom administrative commands in WLST.

• Users attempting to access an Oracle Access Manager-protected resource can be authenticated against any store, not necessarily the only one designated as the Default User Identity Store.

• Oracle Security Token Service uses only the Default User Identity Store. When adding User constraints to a Token Issuance Policy, for instance, the identity store from which the users are to be chosen must be Default User Identity Store.

After registering a User Identity Store with Access Manager, administrators can reference the store in one or more authentication modules, which form the basis for Oracle Access Manager Authentication Schemes and Policies. When you register a partner (either using the Oracle Access Manager Console or the remote registration tool), an application domain can be created and seeded with a policy that uses the designated default Authentication Scheme. When a user attempts to access an Oracle Access Manager-protected resource, she is authenticated against the store designated by the authentication module.

The following topics are covered:

• Installing and Setting Up Required Components

• Defining Authentication in Oracle Access Manager for Oracle Internet Directory

• Managing Oracle Access Manager Policies that rely on your LDAP Store

• Validating Authentication and Access

A.1 Installing and Setting Up Required Components

You have to complete series of tasks when integrating Oracle Internet Directory 11.1.1.7 or newer with Oracle Access Manager 11.1.2.3 or newer.

Before you follow the steps to prepare your environment for this integration, see

• Configuring Access Manager for Windows Native Authentication

• For Installing Oracle Internet Directory 11.1.1.9, see Installing and Configuring Oracle Identity Management.

• For Installing and setting up Oracle Access Manager with the desired LDAP directory, see Managing Data Sources and Configuring Oracle Internet Directory.

• For Extending the LDAP directory schema for Access Manager and create Users and Groups in the LDAP directory, see Configuring Oracle Identity Manager Server.

To integrate Integrating Oracle Internet Directory 11.1.1.9 with Oracle Access Manager 11.1.2.3:

1. Prepare your environment for this integration:
   1. Install Oracle Internet Directory 11.1.1.9.
   2. Install and set up Oracle Access Manager with the desired LDAP directory.
   3. Extend the LDAP directory schema for Access Manager and create Users and Groups in the LDAP directory.
2. Create Authentication Providers for your LDAP provider and Configure WebLogic Server to use them to avoid multiple login pages when accessing the Oracle Access Manager Console. Whether you authenticate through Oracle Access Manager Console or directly through the WebLogic Server Administration Console, confirm that all authentication providers are set to SUFFICIENT for single sign-on:
   1. Click Security Realms, myrealm, then click Providers.
   2. Click New, enter a name, and select a type.
      For example:

      Name: OID Authenticator

      Type: OracleInternetDirectoryAuthenticator

      OK

   3. In the Authentication Providers table, click the newly added authenticator.
   4. On the Settings page, click Common tab, set the Control Flag to SUFFICIENT, then click Save.
   5. Click Provider Specific tab, then specify the following values for your deployment:

      Host: LDAP host. For example: example

      Port: LDAP host listening port. 3060

      Principal: LDAP administrative user. For example: cn=*********

      Credential: LDAP administrative user password. ********

      User Base DN: Same search base as the LDAP user.

      All Users Filter: For example: (&(uid=*)(objectclass=person))

      User Name Attribute: Set as the default attribute for username in the LDAP directory. For example: uid

      Group Base DN: The group searchbase (same as User Base DN)

      Note:

      Do not set the All Groups filter; the default works fine as is.

      Click Save.

3. Set DefaultIdentityAsserter:
   1. From Security Realms, myrealm, Providers, click Authentication, click DefaultIdentityAsserter to see the configuration page.
   2. Click Common tab and set the Control Flag to SUFFICIENT.
   3. Click Save.
4. Reorder Providers:
   1. On Summary page, where providers are listed, click Reorder.
   2. On Reorder Authentication Providers page, select a provider name and use the arrows beside the list to order the providers as follows:

      WebLogic Provider

      IAMSuiteAgent

      OracleInternetDirectoryAuthenticator

      DefaultIdentityAsserter

   3. Click OK, to save your changes.
5. Activate Changes: In the Change Center, click Activate Changes, then Restart Oracle WebLogic Server.
6. Proceed to the next section.

A.2 Defining Authentication in Oracle Access Manager for Oracle Internet Directory

You have to set up an LDAP Authentication Method that points to your registered User Identity Store and an Authentication Scheme that uses this LDAP module for Form or Basic authentication.

OAMAdminConsoleScheme is used in this example on the presumption that you designated your new LDAP store as the System Store. Your environment might be different.

As a prerequisite, see Installing and Setting Up Required Components.

Ensure that the designated User Identity Store contains any user credentials required for authentication.

Note:

Before you perform the steps to use the identity store for authentication with Access Manager, for

• Registering Oracle Internet Director, see Registering and Managing User Identity Stores

• Defining Authentication Modules and Plug-ins, see Native LDAP Authentication Modules and Orchestrating Multi-Step Authentication with Plug-in Based Modules

• Defining Authentication Scheme Challenge Methods, see Creating an Authentication Scheme

To use your identity store for authentication with Access Manager perform the following steps.

1. Register Oracle Internet Directory with Oracle Access Manager.

2. Define Authentication Modules and Plug-ins: From System Configuration tab, Access Manager Settings section, expand the Authentication Modules node.

   1. LDAP Modules: Open LDAP Authentication module, select your User Identity Store, and click Apply.

   2. Custom Authentication Modules: In LDAPPlugin Steps (stepUI, UserIdentificationPlugIn), specify your KEY_IDENTITY_STORE_REF, and click Apply.

      For example,

      Authentication Modules

      Custom Authentication module

      LDAPPlugin

      Steps tab

      stepUI UserIdentificationPlugIn

      Repeat this step for the stepUA UserAuthenticationPlugIn plug-in, and Apply your changes, as shown here:

3. Define Authentication Scheme Challenge Methods: Form and Basic Challenge Methods require a reference to the LDAP Authentication Module or Plug-in that points to your User Identity Store.

   For example:

   Oracle Access Manager Console

   Policy Configuration tab

   Shared Components node

   Authentication Schemes node

   DesiredScheme (OAMAdminConsoleScheme or any Form or Basic scheme)

   1. Confirm that the Authentication Module references the LDAP module or plug-in that points to your Identity Store.

   2. Click Apply to submit the changes (or close the page without applying changes).

   3. Dismiss the Confirmation window.

4. Proceed to the next section.

A.3 Managing Oracle Access Manager Policies that rely on your LDAP Store

Oracle Access Manager policies protect specific resources. The policies and resources are organized in an Application Domain.

You have perform series of steps to configure authentication policies to use the Authentication Scheme that points to your User Identity Store.

As a prerequisite, see Defining Authentication in Oracle Access Manager for Oracle Internet Directory

Note:

Before you perform the steps to create an application domain and policies that use LDAP authentication, for

• Resource Definitions, see Adding and Managing Policy Resource Definitions.

• Authentication Policies, see Defining Authentication Policies for Specific Resources.

• Authorization Policies, see Defining Authorization Policies for Specific Resources.

• Token Issuance Policies. See Managing Token Issuance Policies, Conditions, and Rules.

To create an application domain and policies that use LDAP authentication:

1. From the Oracle Access Manager Console, open:

   Oracle Access Manager Console

   Policy Configuration tab

   Application Domains node

2. Locate and open the desired Application Domain (or click Create (+), enter a unique name, and save it).
3. Define Resources and Policies: Define (or edit) the following elements for your application domain and environment.
   1. Resource Definitions: Before you can add a resource to a policy, you must define the resource within the Application Domain.
   2. Authentication Policies: On the Policy page, select the scheme that references the LDAP module or plug-in that points to your registered Oracle Internet Directory User Identity Store. Add specific resources and complete the policy for your environment.
   3. Authorization Policies: Create or modify an Authorization Policy for specific resources and include any Responses and Constraints you need.
   4. Token Issuance Policies: Choose the desired User Identity Store when setting Identity Conditions in Token Issuance Policies.
4. Proceed to the next section.

A.4 Validating Authentication and Access

The procedure here provides several methods for confirming that Agent registration and authentication and authorization policies are operational. The procedures are nearly identical for both OAM Agents and OSSO Agents (mod_osso). However, OSSO Agents use only the authentication policy and not the authorization policy.

To verify authentication and access:

1. Using a Web browser, enter the URL for an application protected by the registered Agent to confirm that the login page appears (proving that the authentication redirect URL was specified appropriately). For example:

   http://myWebserverHost.example.com:8100/resource1.html
   

2. Confirm that you are redirected to the login page.
3. On the Sign In page, enter a valid username and password when asked, and click Sign In.
4. Confirm that you are redirected to the resource and proceed as follows:

   • Success: If you authenticated successfully and were granted access to the resource; the configuration is working properly.

   • Failure: If you received an error during login or were denied access to the resource, check the following:

     • Authentication Failed: Sign in again using valid credentials.

     • Access to URL... denied: This userID is not authorized to access this resource.

     • Resource not Available: Confirm that the resource is available.

     • Wrong Redirect URL: Verify the redirect URL in the Oracle Access Manager Console.