| Oracle® Access Manager Integration Guide 10g (10.1.4.2) Part Number E10356-01 |
|
|
View PDF |
| Oracle® Access Manager Integration Guide 10g (10.1.4.2) Part Number E10356-01 |
|
|
View PDF |
The Microsoft Content Management Server (MCMS) is an enterprise Web content management system for authoring and delivery. This chapter explains how to integrate with the Microsoft Content Management Server (MCMS) 2002.
This chapter discusses the following topics:
About Oracle Access Manager and the MCMS
Support and Requirements
Request Processing by the Integration
Integrating with the MCMS
Oracle Access Manager provides a full range of identity management and security functions, including: Web-based single sign-on (SSO), user self-service and self-registration, user provisioning, reporting and auditing, policy management, dynamic groups, and delegated administration. Oracle Access Manager integrates with all leading directory servers, application servers, Web servers, and enterprise applications.
The Microsoft Content Management Server (MCMS) is an enterprise Web content management system for authoring and delivery. The MCMS streamlines the Web publishing process, enables you to build, deploy, and maintain content-rich Web sites, and enables users to manage their own content. The role-based distributed publishing model of the MCMS includes a multi-level approval workflow, automatic content scheduling and archiving, and content indexing. Developers can create Content Management Server–based applications using ASP.NET and the Microsoft .NET Framework.
The MCMS provides its own authentication mechanisms that leverage IIS and may require an additional login. After integrating Oracle Access Manager with MCMS, the Access System handles authentication and single-sign on with the site created using MCMS. Access System-authenticated users enjoy single sign-on access to MCMS resources and to Access System-protected resources.
The integration with MCMS requires authentication schemes based on Windows Impersonation. In addition, Oracle Access Manager supports URL-level authorization. MCMS performs application-level authorization based on the roles you set up in the MCMS.
The MCMS is often used with the Microsoft SharePoint Portal Server (SPPS) for developing and managing Web content. The Microsoft Content Management Server 2002 Connector for SharePoint Technologies enables you integrate the Content Management Server with the Microsoft Office® SharePoint Portal Server. The connector enables sharing of key publishing and search technologies. For details about integrating with the SharePoint Portal Server, see "Integrating with SharePoint Portal Server 2003".
The MCMS integration relies on the Windows impersonation feature, which enables a trusted user in the Windows server domain to assume the identity of any user requesting an MCMS target resource. This trusted impersonator maintains the identity context of the user while accessing the resource on behalf of the user.
Impersonation is transparent to the user; access appears to take place directly, as if the MCMS resource were a resource within the Access System domain. For more information, see "Setting Up Impersonation".
Any references to specific versions and platforms in this chapter are made for demonstration purposes.
Successful integration with MCMS requires both Oracle Access Manager and Microsoft components, which must be installed and configured to support impersonation as well as integration. The following topics provide requirements:
Any references to specific versions and platforms in this chapter are for demonstration purposes.
To see the supported versions and platforms for this integration, refer to Metalink as follows.
To view information on Metalink
Go to the following URL:
Click the Certify tab.
Click View Certifications by Product.
Select the Application Server option and click Submit.
Choose Oracle Application Server and click Submit.
The following components are required to integrate with MCMS. With the exception of a WebGate, all components may reside on different machines or the same machine as the MCMS.
Identity Server
WebPass
Policy Manager
Access Server
WebGate installed with the MCMS on a Windows Server 2003
The ISAPI WebGate includes the IISImpersonationExtension.dll, which you need to configure manually to enable impersonation for the MCMS integration.
The Oracle Access Manager IISImpersonationExtension.dll is an IIS wildcard extension that checks whether the Authorization Success Action headerVar has been set to impersonate. If it has been, the dll creates a Kerberos U4S2Self ticket so that the special trusted user in the MCMS Active Directory can impersonate the user who originally made the request.
Any references to specific versions and platforms in this chapter are made for demonstration purposes. For the latest support information, see the Certify tab at https://metalink.oracle.com.
Oracle Access Manager supports the Microsoft Content Management Server with:
Windows Server
Microsoft IIS Web Server
Active Directory (the domain controller must be on a Windows 2003 Server)
MSSQL supported by the MCMS
Optional: Microsoft SharePoint Portal Services
Oracle Access Manager uses the Windows impersonation feature to facilitate user access to MCMS resources.
Process overview: Request processing with MCMS integration
The user requests access to an MCMS resource.
The WebGate protecting MCMS intercepts the request, determines whether the target resource is protected, and if it is, challenges the user for authentication credentials.
The user supplies credentials and the Access Server validates them.
Upon validation, the WebGate sets an ObSSOCookie in the user's browser, thus enabling single sign-on.
The WebGate also sets an HTTP header variable called impersonate, whose value is set to the authenticated user's LDAP uid (samaccountname, if the user account exists in Active Directory, or userPrincipalName, if the user account exists in a multi-domain Active Directory forest).
Note:
At this point, IIS considers the user to be anonymous, since the impersonation has not yet been set.The Oracle Access Manager ISAPI wildcard extension IISImpersonationExtension.dll checks for the Authorization Success Action header variable named impersonate.
When such a header variable exists, the wildcard extension obtains a Kerberos ticket for the user.
This Service for User to Self (S4U2Self) impersonation token enables the designated trusted user to assume the identity of the requesting user and obtain access to the target resource through IIS and MCMS.
Authorization is performed by the MCMS based on the roles setup in the MCMS.
When authorization is successful, the user is granted access to the resource.
You need to complete several procedures to integrate with the Content Management Server.
Note:
The procedures in this chapter illustrate how to integrate with the MCMS using a sample Web site (the Microsoft WoodgroveNet Web site). References to specific versions and platforms are for demonstration purposes. See "Support and Requirements".Task overview: Integrating with MCMS
Install Oracle Access Manager, as described in "Installing Oracle Access Manager" .
Install the Microsoft components, as described in "Installing Microsoft Components".
Integrate with the MCMS, as described in "Integrating with the MCMS".
Configure Impersonation, as described in "Setting Up Impersonation".
Finish the MCMS integration, as described in "Completing the MCMS Integration" .
Test the integration, as described in "Testing the MCMS Integration".
The ISAPI Webgate for MCMS must be installed on the machine that hosts the MCMS. All other Oracle Access Manager components can reside together on the machine hosting the MCMS or on any other machine.
If both Oracle Access Manager and MCMS are set up for different instances of Active Directory, both instances must belong to the same Active Directory domain.
To install Oracle Access Manager for the integration
Install an Identity Server and a WebPass, then set up the Identity System, as described in the Oracle Access Manager Installation Guide.
Install and set up the Policy Manager and one or more instances of the Access Server, as described in the Oracle Access Manager Installation Guide.
Install WebGates, as described in the Oracle Access Manager Installation Guide.
Note:
One WebGate must be installed on the machine hosting the MCMS, as described in "Integrating with the MCMS".Except where noted, all MCMS components from Microsoft must be installed on the same host machine.
To install Microsoft components
On a machine Windows Server 2003 with IIS v6.0, complete the following activities to install the MCMS using instructions in your Microsoft documentation:
Create Windows user accounts.
Create a database in MSSQL and grant rights to the system administrator account.
Create two Web sites.
Install the MCMS 2002 SP1a.
Configure the database with the MCMS 2002 Database Configuration Application (DCA).
Configure the MCMS server using the Server Configuration Application (SCA).
Update the maximum upload size settings in the web.config file.
Install Site Manager.
On a Windows 2003 Server host, install Active Directory for the MCMS using instructions in your Active Directory documentation.
Ensure your MCMS installation is working properly using instructions in your Microsoft documentation as you:
Download a sample WoodGroveNet Web site and install it on the MCMS site to use as a test vehicle for the procedures in this chapter.
Ensure you can log in to the Site Manager, Server Configuration Application, and the sample WoodGroveNet Web site.
Optional: Install the Microsoft Content Management Server 2002 Connector for SharePoint Technologies, as described in your Microsoft documentation
For details about integrating with the SPPS, see "About Oracle Access Manager and the SharePoint Server".
After installing Oracle Access Manager and the MCMS, as described earlier, you need to complete the following steps to integrate the two environments.
On the Windows 2003 Server machine hosting the MCMS, install an ISAPI WebGate using instructions in the Oracle Access Manager Installation Guide.
The IISImpersonationExtension.dll is installed automatically in:
WebGate_install_dir\access\Oblix\apps\webgate\bin\
Where WebGate_install_dir is the directory where you installed the WebGate.
Install a WebGate on the MCMS site, and impersonation.dll in the WoodGroveNet site.
See "Setting Up Impersonation" for details.
If MCMS is not installed on default site, do the following:
On the MCMS site, right-click, select New, then select Virtual Directory.
Set the virtual directory alias to "access" and click Next.
Enter the following path:
WebGate_install_dir\access
Click Next.
Set the permissions, then click Next.
Click Finish.
The integration with the MCMS requires Windows impersonation.
Note:
Use the procedures in "Enabling Impersonation with the Access System" on page 20-1 and in "Setting Up Impersonation" to implement impersonation in your environment. Details are not repeated in this chapter.Task overview: Setting up impersonation for the MCMS
Create a trusted user account for only impersonation in the Active Directory connected to MCMS, as described in "Creating a Trusted User Accounts"
Give the trusted user the special right to act as part of the operating system, as described in "Assigning Rights to the Trusted User".
Bind the trusted user to the WebGate by supplying the authentication credentials for the trusted user, as described in "Binding the Trusted User to Your WebGate" .
Add a header variable named impersonate to Authorization Success Action in the policy domain for impersonation, as described in "Adding an Impersonation Action to a Policy Domain".
Configure IIS by adding IISImpersonationExtension.dll to your IIS configuration, as described in "Adding an Impersonation dll to IIS".
Test impersonation, as described in "Testing Impersonation".
Proceed as described in "Completing the MCMS Integration".
After confirming that impersonation is set up properly, you need to perform the following steps to complete the integration, ensure that everything is working properly, and confirm that you have single-sign on access.
To complete the MCMS integration
Move the two ISAPI filters installed at the IIS Top Level Web site by MCMS to the two virtual Web sites created for MCMS, as follows:
MCMS HTML Packager Filter
C:\Program Files\Microsoft Content Management Server\Server\bin\ REHTMLPackager.dll
MCMS ISAPI Filter
C:\Program Files\Microsoft Content Management Server\ Server\bin\REAuthFilt.dll
Complete following steps to finish the impersonation implementation for the MCMS integration:
Perform the steps in "Configuring IIS Security" to set up the environment for the impersonation implementation.
Perform the steps in "Configuring the Wildcard Extension" for each MCMS virtual server for which you wish to enable integration.
Give appropriate rights to users for viewing different sections of the Web site using the Site Manager.
Using the Policy Manager, create Policies to protect the WoodGroveNet top-level resource.
After you complete the tasks to enable integration, it is a good idea to test the integration to verify things are working as expected.
This section contains the following topics:
It is important to verify that a user can access MCMS resources through Access System authentication and MCMS authorization.
To test your MCMS integration using the WoodGroveNet application
Open the file Web.config in an editor.
The path to this file is as follows:
MCMS_InstallDir\Sample Data\WoodgroveNet\
In this file, change the authentication mode from forms to Windows.
Save the file Web.config and restart IIS.
Navigate to a WoodGroveNet Web site using your browser.
The Access System challenges you for credentials.
Log in by supplying the necessary credentials.
Confirm that you have access.
Optional: Check the Event Viewer to confirm that the access request was successful.
You test single sign-on by demonstrating that a user who has just supplied credentials and accessed an MCMS resource can (before the ObSSOCookie expires) access a non-MCMS resource without having to supply credentials a second time. For this test you can use an Access System-defined resource.
When single sign-on is working, you should be granted access to the page without having to supply credentials a second time.
To test single sign-on for your MCMS integration
Create a new resource and protect it with a policy domain (or use one you have already created.
Using a browser, navigate to the resource.
If you have already passed authentication, you should be granted access to the page without having to supply credentials a second time.
