This chapter describes how to configure single sign-on for administration consoles. The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Manager Console
Oracle Identity Manager Console
Oracle APM Console
Oracle Adaptive Access Manager Admin Console
Before configuring single sign-on, ensure that the following tasks have been performed:
Create a WebLogic administrative user in an LDAP directory, as described in Section 19.1.1.
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter domain). The application domains are configured to authenticate using the central Identity Management domain.
By default, when the Oracle WebLogic Server is installed and configured, the WebLogic admin user is created in its local LDAP store with the username weblogic. For an enterprise deployment, all users and groups must be provisioned in an LDAP user directory, such as Oracle Internet Directory, that is part of the centralized Identity Management Domain. This section provides details for provisioning a new administrator user and group for managing the Identity Management WebLogic Domain. This section describes the following:
Section 19.1.1.1, "Provisioning Admin Users and Groups in an LDAP Directory"
Section 19.1.1.2, "Assigning the Admin Role to the Admin Group"
Section 19.1.1.3, "Updating the boot.properties File on IDMHOST1 and IDMHOST2"
As mentioned in the introduction to this section, users and groups from multiple WebLogic domains may be provisioned in a central LDAP user store. In such a case, there is a possibility that one WebLogic admin user may have access to all the domains within an enterprise. This is not a desirable situation. To avoid this, the users and groups provisioned must have a unique distinguished name within the directory tree. In this guide, the admin user and group for the IDM WebLogic Domain will be provisioned with the DNs below:
Admin User DN:
cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
Admin Group DN:
cn=IDM Administrators, cn=Groups,dc=mycompany,dc=com
Follow the steps below to provision the admin user and admin group in Oracle Internet Directory:
Create an ldif file named admin_user.ldif with the contents shown below and then save the file:
dn: cn=weblogic_idm, cn=Users, dc=us, dc=mycompany, dc=com
orclsamaccountname: weblogic_idm
givenname: weblogic_idm
sn: weblogic_idm
userpassword: Welcome1
obver: 10.1.4.0
mail: weblogic_idm
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
uid: weblogic_idm
cn: weblogic_idm
description: Admin User for the IDM Domain
Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the user in Oracle Internet Directory. For example:
ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f admin_user.ldif
Create an ldif file named admin_group.ldif with the contents shown below and then save the file:
dn: cn=IDM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
displayname: IDM Administrators
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_idm,cn=users,dc=mycompany,dc=com
cn: IDM Administrators
description: Administrators Group for the IDM Domain in OID
Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the group in Oracle Internet Directory. For example:
ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f admin_group.ldif
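Before running ldapadd, it is worth checking that the two LDIF files agree with each other: the group's uniquemember value must resolve to the DN of the user being created, every DN must be unique (the requirement stated above), and the cleartext userpassword line must not outlive the import. The script below is an added example, not part of the Oracle guide; it uses only the Python standard library and embeds the two LDIF bodies shown above as constructed sample input. Run against those files exactly as shown, it reports that the group's uniquemember DN does not match the user entry's DN (the two files differ in the dc=us component), which is the kind of mismatch that silently produces an administrators group with no members.

```python
"""Sanity-check admin user/group LDIF files before running ldapadd.

Added example, not Oracle code. The LDIF text below is a constructed
copy of admin_user.ldif and admin_group.ldif as shown in the guide.
"""
import re
from typing import Dict, List

ADMIN_USER_LDIF = """\
dn: cn=weblogic_idm, cn=Users, dc=us, dc=mycompany, dc=com
orclsamaccountname: weblogic_idm
givenname: weblogic_idm
sn: weblogic_idm
userpassword: Welcome1
obver: 10.1.4.0
mail: weblogic_idm
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
uid: weblogic_idm
cn: weblogic_idm
description: Admin User for the IDM Domain
"""

ADMIN_GROUP_LDIF = """\
dn: cn=IDM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
displayname: IDM Administrators
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_idm,cn=users,dc=mycompany,dc=com
cn: IDM Administrators
description: Administrators Group for the IDM Domain in OID
"""


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: strip whitespace around unescaped
    RDN separators and lowercase (attribute types, and cn/dc values under
    OID's default matching rules, are case-insensitive)."""
    rdns = [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]
    return ",".join(rdns).lower()


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, one
    'attr: value' per line, repeated attributes collected into a list.
    Base64 (::) values and line folding are not needed for these files."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_admin_ldif(user_ldif: str, group_ldif: str) -> List[str]:
    """Return a list of findings; an empty list means the files are consistent."""
    findings: List[str] = []
    entries = parse_ldif(user_ldif) + parse_ldif(group_ldif)

    # Every DN must be unique within what we are about to add.
    seen: Dict[str, int] = {}
    for e in entries:
        dn = normalize_dn(e["dn"][0])
        seen[dn] = seen.get(dn, 0) + 1
    findings += [f"duplicate DN: {dn}" for dn, n in seen.items() if n > 1]

    # A group member DN that matches nothing gives an empty group, and the
    # Admin role mapped to it later grants access to nobody.
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "groupofuniquenames" in classes:
            for member in e.get("uniquemember", []):
                if normalize_dn(member) not in seen:
                    findings.append(f"uniquemember not found: {member}")

    # A cleartext password in the LDIF file must not outlive the import.
    for e in entries:
        if any(not v.startswith("{") for v in e.get("userpassword", [])):
            findings.append(f"cleartext userpassword in {e['dn'][0]}; "
                            "delete the file after ldapadd")
    return findings


if __name__ == "__main__":
    for finding in check_admin_ldif(ADMIN_USER_LDIF, ADMIN_GROUP_LDIF):
        print("FINDING:", finding)
```

The parser deliberately resolves group members only against the entries in the files being added; in a live directory you would also accept members that already exist, which an ldapsearch for the member DN can confirm before the import.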
After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for that domain. Follow the steps below to assign the Admin role to the Admin group:
Log into the WebLogic Administration Server Console.
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to bring up the Global Roles page.
On the Global Roles page, click the Admin Role to bring up the Edit Global Role page.
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop-down list for predicates and click Next.
On the Edit Arguments page, specify IDM Administrators in the Group Argument field and click Add.
Click Finish to return to the Edit Global Role page.
The Role Conditions table now shows the IDM Administrators Group as an entry.
Click Save to finish adding the Admin Role to the IDM Administrators Group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.
The boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow the steps below to update the boot.properties file.
For the Administration Server on IDMHOST1
On IDMHOST1, go to the following directory:
ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
For example:
cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
Rename the existing boot.properties file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser
password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted. For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
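Two things reduce the exposure the note describes: create boot.properties with owner-only permissions from the moment it exists, and confirm after the start that WebLogic has actually rewritten the values. The script below is an added example, not part of the Oracle guide. It assumes only that WebLogic replaces the cleartext values with values carrying an {AES} (older releases: {3DES}) prefix once the Administration Server has started; the {AES} strings it writes in the demo are constructed placeholders, not real ciphertext.

```python
"""Write boot.properties with owner-only permissions and verify that
WebLogic has encrypted it after the server start.

Added example, not Oracle code. Assumption: WebLogic rewrites the
username and password values with an {AES} or {3DES} prefix.
"""
import os
import stat
import tempfile
from typing import Dict

ENCRYPTED_PREFIXES = ("{AES}", "{3DES}")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the key=value lines of a Java properties file (comments and
    blank lines skipped; enough for boot.properties)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def write_boot_properties(path: str, username: str, password: str) -> None:
    """Create the file with mode 0600 atomically at creation time, so the
    cleartext credentials are never readable by other local users."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username={username}\npassword={password}\n")


def boot_properties_status(path: str) -> Dict[str, bool]:
    """Report whether the file is owner-only and whether each credential
    has been replaced by an encrypted value."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        props = parse_properties(fh.read())
    return {
        "owner_only": mode & 0o077 == 0,
        "username_encrypted": props.get("username", "").startswith(ENCRYPTED_PREFIXES),
        "password_encrypted": props.get("password", "").startswith(ENCRYPTED_PREFIXES),
    }


def demo() -> Dict[str, Dict[str, bool]]:
    """Round trip in a temporary directory: the file as the administrator
    writes it, then as WebLogic leaves it after a start (constructed
    {AES} placeholder values, not real ciphertext)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "boot.properties")
        write_boot_properties(path, "weblogic_idm", "placeholder-password")
        before = boot_properties_status(path)
        with open(path, "w") as fh:  # simulate WebLogic's rewrite
            fh.write("username={AES}c29tZXRoaW5n\npassword={AES}c2VjcmV0\n")
        after = boot_properties_status(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, status in demo().items():
        print(stage, status)
```

In a post-start check on IDMHOST1, point boot_properties_status at the real file under the security directory named above; a result with password_encrypted still False means the server did not pick the file up (wrong directory or file name) and the cleartext password is still on disk.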
Stopping and Starting the Servers
Stop the Administration Server and the wls_ods1 and wls_ods2 Managed Servers as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
Verify that the server processes have been successfully stopped.
On IDMHOST1, start the WebLogic Administration Server using the startWebLogic.sh script located under the ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security/bin directory using the syntax below. This enables the standard output log messages shown on the screen to be written to the file specified in the logfile parameter:
./startWebLogic.sh >logfile 2>&1 &
For example:
./startWebLogic.sh > \
ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/logs/aserver.out \
2>&1 &
Verify that the Administration Server has started up and then bring up the Administration Console using a web browser.
Log in using the credentials of the weblogic_idm user.
Start the wls_ods1 and wls_ods2 Managed Servers using the WebLogic Administration Console.
This section explains how to configure single sign-on for administration consoles using Oracle Access Manager 10g.
Make sure that the following tasks have been performed before moving on to the next section:
Install and configure Oracle Access Manager as described in Chapter 10.
Ensure that the policy protecting the Policy Manager ("/access") has been created and enabled. If this is not enabled, use the Policy Manager console to enable it, as described in Section 19.2.1.1.
Determine the host identifier value. It is required for enabling single sign-on.
Follow these steps to enable the policy protecting the Policy Manager:
Open a web browser and bring up the Policy Manager Console using the following URL:
http://oamadminhost.mycompany.com:7777/access/oblix
Click the Policy Manager link.
On the Policy Manager landing page, click the My Policy Domains link.
On the My Policy Domains page, click the Policy Manager link.
On the General tab on the Policy Manager page, click Modify.
Click Yes to enable the "/access" policy.
Click the Save button to save the changes.
The WebGates in the IDM Domain also need to act as delegated authentication WebGates, that is, they receive authentication requests from external applications or domains in the enterprise. To enable delegated authentication, the form authentication scheme created by the OAM Configuration Tool must be modified to add the Challenge Redirect parameter.
Follow the steps below to add the challenge redirect parameter to the Form authentication scheme:
Use a web browser to display the Access Console using the URL below:
http://oamadminhost.mycompany.com:7777/access/oblix
Click the Access System Console link and log in using the credentials for the orcladmin user.
On the main page, click the Access System Configuration tab.
On the Access System Configuration page, click the Authentication Management link on the left hand side.
On the Authentication Management page, under the List all Authentication Schemes table, click the link for the form authentication scheme created by the tool. The form authentication scheme created by the tool is called OraDefaultFormAuthNScheme.
On the Details for Authentication Scheme page, click Modify to modify the configuration of the authentication scheme.
On the Modifying Authentication Scheme page, update the Challenge Redirect parameter with the Single Sign-On virtual host configured in the load balancer. Use https://sso.mycompany.com to update the Challenge Redirect parameter.
Click Save to save the updated configuration.
To validate that the configuration was successful, follow the steps below:
Using a web browser, bring up either the Oracle WebLogic Administration Console or Oracle Enterprise Manager Fusion Middleware Control:
URL for the WebLogic Administration Server Console:
http://admin.mycompany.com:7777/console
URL for the Enterprise Manager Oracle Fusion Middleware Control:
http://admin.mycompany.com:7777/em
This will redirect your web browser to https://sso.mycompany.com for authentication.
Log into the console using the administrator user's credentials. For example: orcladmin, password.
Then you will be redirected back to the WebLogic Administration Console login page. Log in using weblogic, password.
The next part of the process is to validate the policy domain configuration and the AccessGate configuration.
Follow these steps to verify that the policy domain was created properly:
In a web browser, enter this URL to access the Oracle Access Manager console:
http://oamadminhost.mycompany.com:port/access/oblix
Click Policy Manager.
Click the My Policy Domains link on the left panel. You will see a list of all the policy domains, which includes the domain you just created. For example: IDMEDG. In the third column, URL prefixes, you will see the URIs you specified when creating the policy domain.
Click the link to the policy domain you just created. This displays the General area of this domain.
Click the Resources tab. On this tab you can see the URIs you specified. Click other tabs to view other settings.
Follow these steps to verify that the AccessGate was configured properly:
In the Oracle Access Manager console, click the Access System Console link. This link is a toggle. When it is the Access System Console link and you click it, it becomes the Policy Manager link. When it is the Policy Manager link and you click it, it becomes the Access System Console link.
Click the Access System Configuration tab.
Click the AccessGate Configuration link on the left panel.
Enter some search criteria and click Go.
When the name of the AccessGate for the domain you created appears (it may have the suffix _AG when created by the OAM Configuration Tool, for example, IDMEDG_AG), click it to view the details of the AccessGate you created.
This section describes the steps for setting up Oracle WebLogic Server authenticators.
Follow these steps to set up the Oracle Internet Directory authenticator:
Begin by backing up these relevant configuration files:
ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/config/config.xml
ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/config/fmwconfig/jps-config.xml
ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/config/fmwconfig/system-jazn-data.xml
Back up the ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/adminServer/boot.properties file for the Administration Server.
Follow these steps to configure the Identity Store to use LDAP, setting the proper authenticator using the WebLogic Administration Server Console:
Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.
Click the Security Realms link on the left navigational bar.
Click the myrealm default realm entry to configure it.
Click the Providers tab within the realm.
Note that there is a DefaultAuthenticator provider configured for the realm.
Click the New button to add a new provider.
Enter a name for the provider, such as "OIDAuthenticator" for a provider that will authenticate the user to the Oracle Internet Directory.
Select the "OracleInternetDirectoryAuthenticator" type from the list of authenticators.
Click OK.
On the Providers screen, click the newly created OIDAuthenticator.
Set the Control Flag to SUFFICIENT. This indicates that if a user can be authenticated successfully by this authenticator, WebLogic accepts that authentication and does not invoke any further authenticators. If the authentication fails, it falls through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT. In particular, check the DefaultAuthenticator and set it to SUFFICIENT.
Click Save to save this setting.
Click the Provider Specific tab to enter the details for the LDAP server.
Enter the details specific to your LDAP server, as shown in the following table:
Parameter | Value | Description |
---|---|---|
Host | oid.mycompany.com (example) | The LDAP server's host name. |
Port | 636 (example) | The LDAP server's port number. |
Principal | cn=orcladmin (example) | The LDAP user DN used to connect to the LDAP server. |
Credential | | The password used to connect to the LDAP server. |
SSL Enabled | Checked | Specifies whether the SSL protocol is used when connecting to the LDAP server. |
User Base DN | cn=users,dc=mycompany,dc=com (example) | The DN under which your users start. |
Group Base DN | cn=groups,dc=mycompany,dc=com (example) | The DN that points to your groups node. |
Use Retrieved User Name as Principal | Checked | Must be turned on. |
Click Save when done.
Click Activate Changes to propagate the changes.
The console displays a message that a restart is required for the changes to take effect. Do not restart the servers as indicated; this will be done after setting up all the WebLogic Authenticators, as described in Section 19.2.4.4, "Stopping and Starting the WebLogic Administration Servers and Managed Servers."
Follow these steps to set up the OAM ID Asserter:
Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.
Navigate to SecurityRealms > Default Realm Name > Providers.
Click New and select OAMIdentityAsserter from the drop down menu.
Name the asserter, for example: OAMIDAsserter. Then click OK.
Click the newly-added asserter to see the configuration screen for OAM Identity Asserter.
Set the Control Flag to REQUIRED, and then click Save.
Configure the additional attributes below for the OAM Identity Asserter on the Provider Specific tab:
Application Domain: Provide the Oracle Access Manager policy domain name. Use the app_domain parameter passed to the OAM Configuration Tool. For example: IDMEDG.
Primary Access Server: Provide Oracle Access Manager server endpoint information in the host:port format. For example: oamhost1.mycompany.com:6023
AccessGate Name: Name of the AccessGate (for example, IDMEDG_WD). Provide the AccessGate name created by the OAM Configuration Tool.
AccessGate Password: Password for the AccessGate, if one was provided.
Accept the default values for all the other attributes, unless required for your environment.
Save the settings.
Click Activate Changes to propagate the changes.
Follow the steps below to reorder the providers in the order shown below:
Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.
Navigate to SecurityRealms > Default Realm Name > Providers.
Ensure that the Control Flag for each authenticator is set correctly.
Click Reorder under the Authentication Providers table.
On the Reorder Authentication Providers page, reorder the providers as shown below:
OAM Identity Asserter (REQUIRED) > OID Authenticator (SUFFICIENT) > Default Authenticator (SUFFICIENT) > DefaultIdentityAsserter
Save the settings.
Click Activate Changes to propagate the changes.
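The control flags and the provider order interact, which is why the SUFFICIENT setting above and the reorder step here go together. The script below is an added example, not Oracle code: it models the JAAS control-flag rules that the WebLogic security realm applies to its authentication providers (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) against two constructed directories, an OIDAuthenticator that knows weblogic_idm and a DefaultAuthenticator (embedded LDAP) that knows only weblogic. It shows that with the recommended chain both users log in and the OID user never touches the embedded LDAP, while a DefaultAuthenticator left at its out-of-the-box REQUIRED flag ahead of the OID authenticator rejects weblogic_idm even though the OID authenticator would have accepted it. The identity asserter, which validates the OAM token rather than a password, is outside this model.

```python
"""Simulate WebLogic's evaluation of an authentication-provider chain.

Added example, not Oracle code. Provider outcomes are constructed:
which users each directory can authenticate is hard-coded below.
"""
from typing import Dict, List, Set, Tuple

# Constructed: users each directory can authenticate.
DIRECTORIES: Dict[str, Set[str]] = {
    "OIDAuthenticator": {"weblogic_idm"},
    "DefaultAuthenticator": {"weblogic"},
}

FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


def evaluate_chain(chain: List[Tuple[str, str]], user: str) -> Tuple[bool, List[str]]:
    """Return (login succeeded, providers consulted in order).

    JAAS rules: REQUIRED must succeed, but the chain continues either way;
    REQUISITE must succeed, and a failure stops the chain at once;
    a SUFFICIENT success stops the chain unless an earlier REQUIRED or
    REQUISITE provider already failed; OPTIONAL alone never decides.
    """
    consulted: List[str] = []
    required_failed = False
    any_required = False
    sufficient_passed = False
    optional_passed = False
    for name, flag in chain:
        if flag not in FLAGS:
            raise ValueError(f"unknown control flag {flag!r} on {name}")
        consulted.append(name)
        ok = user in DIRECTORIES.get(name, set())
        if flag in ("REQUIRED", "REQUISITE"):
            any_required = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break
        elif flag == "SUFFICIENT":
            if ok and not required_failed:
                sufficient_passed = True
                break
        else:  # OPTIONAL
            optional_passed = optional_passed or ok
    if required_failed:
        return False, consulted
    if any_required:
        return True, consulted  # every REQUIRED/REQUISITE provider passed
    return sufficient_passed or optional_passed, consulted


# The chain the guide asks for, and the out-of-the-box pitfall it warns about.
RECOMMENDED = [("OIDAuthenticator", "SUFFICIENT"), ("DefaultAuthenticator", "SUFFICIENT")]
DEFAULT_FIRST_REQUIRED = [("DefaultAuthenticator", "REQUIRED"), ("OIDAuthenticator", "SUFFICIENT")]


if __name__ == "__main__":
    for label, chain in (("recommended", RECOMMENDED), ("default first, REQUIRED", DEFAULT_FIRST_REQUIRED)):
        for user in ("weblogic_idm", "weblogic", "nobody"):
            print(label, user, evaluate_chain(chain, user))
```

The "consulted" list is the part worth watching in a real realm: with both authenticators SUFFICIENT, an OID user's password is checked only against OID, so the embedded LDAP never sees credentials it does not own, and an unknown user is refused by every provider rather than by the first REQUIRED one alone.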
The WebLogic Administration Server and the associated Managed Servers must be restarted for the configuration changes to take effect. Follow the steps below to stop and then start the WebLogic Administration Server and the Managed Servers (wls_ods1 and wls_ods2):
Stop the Administration Server and the wls_ods1 and wls_ods2 Managed Servers as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
Verify that the server processes have been successfully stopped.
On IDMHOST1, start the WebLogic Administration Server using the startWebLogic.sh script located under the ORACLE_BASE/admin/IDMDomain/aserver/IDMDomainStatus/bin directory using the syntax below. This enables the standard output log messages shown on the screen to be written to the file specified in the logfile parameter.
./startWebLogic.sh >logfile 2>&1 &
For example:
./startWebLogic.sh > \
/admin/IDMDomain/aserver/IDMDomainStatus/servers/AdminServer/logs/aserver.out \
2>&1 &
Verify that the Administration Server has started up and then bring up the Administration Console using a web browser.
Log into the console using the administrator user's credentials.
Start the wls_ods1 and wls_ods2 Managed Servers using the WebLogic Administration Console, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
To validate the setup, open a web browser and go to the following URLs:
http://admin.mycompany.com:7777/console
http://admin.mycompany.com:7777/em
The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.