This chapter contains the following topics:
Section 15.2, "Configuring Oracle Identity Federation on OIFHOST1"
Section 15.3, "Configuring Oracle Identity Federation on OIFHOST2"
Section 15.4, "Post-Installation Steps for Oracle Identity Federation"
Section 15.5, "Provisioning the Managed Servers on the Local Disk"
Section 15.6, "Enabling Oracle Identity Federation Integration with LDAP Servers"
Section 15.7, "Configuring Oracle Identity Federation to work with the Oracle Web Tier"
Oracle Identity Federation is a self-contained, standalone federation server that enables single sign-on and authentication in a multiple-domain identity network and supports the broadest set of federation standards. This allows users to federate in heterogeneous environments and business associations, whether they have implemented other Oracle Identity Management products in their solution set or not.
It can be deployed as a multi-protocol hub acting as both an Identity Provider (IdP) and Service Provider (SP).
Acting as an SP, Oracle Identity Federation enables you to manage your resources while off loading actual authentication of users to an IdP, without having to synchronize users across security domains out of band. Once authenticated at the IdP, the SP can allow or deny access to users for the SP's applications depending upon the local access policies.
Before proceeding with Oracle Identity Federation configuration, ensure that the following tasks have been performed.
Installing and upgrading the software on OIFHOST1 and OIFHOST2 as described in Section 4.5.3, Section 4.5.4, and Section 4.6.1 .
Running the Repository Creation Utility (RCU) to create and configure the collection of schemas used by OIF as described in Chapter 3.
Creating the Identity Management Domain as described in Chapter 6.
Installing and configuring Oracle Internet Directory as described in Chapter 7. Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory is used as the User Store and the Federation Store
Installing and configuring Oracle HTTP Server on WEBHOST1 and WEBHOST2 as described in Chapter 5
Associating the Identity Management Domain created with an External LDAP Store as describd in Section 17.1. This is required because Oracle Identity Federation is being extended on a node where the Administration Server is not running.
1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management manual in the Oracle Fusion Middleware documentation library for the platform and version you are using.
2. If you plan on provisioning the Instance Home or the Managed Server domain directory on shared storage, ensure that the appropriate shared storage volumes are mounted on IDMHOST1 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."
On UNIX:
Ensure that port 7499 is not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.
On UNIX:
netstat -an | grep "7499"
If the port is in use (if the command returns output identifying the port), you must free it.
On UNIX:
Remove the entries for port 7499 in the /etc/services file and restart the services, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.
If you plan to provision the Instance Home or the Managed Server domain directory on shared storage, ensure that the appropriate shared storage volumes are mounted on IDMHOST1 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."
Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.
Edit the staticports.ini file that you copied to the temporary directory to assign the following custom port:
#The port for OIF Server port OIF Server Port No = 7499
Start the Oracle Identity Management 11g Configuration Assistant located under the ORACLE_HOME/bin directory as follows:
On UNIX, issue this command:
./config.sh
On Windows, double-click config.exe
On the Welcome screen, click Next.
On the Select Domain screen, select Extend Existing Domain and specify these values:
HostName: adminvhn.mycompany.com
Port: 7001
UserName: weblogic
User Password: weblogic_user_password
Click Next.
A dialog box with the following message appears:
The selected domain is not a valid Identity Management domain or the installer cannot determine if it is a valid domain. If you created the domain using the Identity Management installer, you can ignore this message and continue. If you did not create the domain using the Identity Management installer, refer to the Identity Management documentation for information on how to verify the domain is valid.
This is a benign warning that you can ignore.
Click Yes to continue.
On the Specify Installation Location screen, specify the following values:
Oracle Middleware Home Location: /u01/app/oracle/product/fmw
This value is prefilled and cannot be updated.
Oracle Home Directory: idm
This value is prefilled and cannot be updated
WebLogic Server Directory: /u01/app/oracle/product/fmw/wlserver_10.3
Oracle Instance Location: /u01/app/oracle/admin/oif_inst1
Instance Name: oif_inst1
Note:
Ensure that the Oracle Home Location directory path for OIFHOST1 is the same as the Oracle Home Location path forOIFHOST2. For example, if the Oracle Home Location directory path for OIFHOST1 is: /u01/app/oracle/product/fmw/oif, then the Oracle Home Location directory path for OIFHOST2 must also be /u01/app/oracle/product/fmw/oif.Click Next.
On the Specify Oracle Configuration Manager Details screen, specify the values shown in the example below:
Email Address: Provide the email address for your My Oracle Support account.
Oracle Support Password: Provide the password for your My Oracle Support account.
Select I wish to receive security updates via My Oracle Support.
Click Next.
On the Configure Components screen, de-select all the components except Oracle Identity Federation components. Select only Oracle Identity Federation from the Oracle Identity Federation components. Do not select Oracle HTTP Server. Select Clustered.
Click Next.
On the Configure Ports screen, select Specify Ports using Configuration File. Provide the path to the staticports.ini file that you copied to the temporary directory.
Click Next.
On the Specify OIF Details screen, specify these values:
PKCS12 Password: password
Confirm Password: Confirm the password
Server Id: oif_server1
Click Next.
On the Select OIF Advanced Flow Attributes screen, specify these values:
Authentication Type: LDAP
User Store: LDAP
Federation Store: LDAP
User Session Store: RDBMS (default selection, which cannot be changed for a cluster)
Message Store: RDBMS (default selection, which cannot be changed for a cluster.
Configuration Store: RDBMS (default selection, which cannot be changed for a cluster.
Note:
When you chooseRDBMS for the session, message, and configuration data stores during an Advanced installation, the installer creates one data source for all three data stores. If you want to have separate databases for each of these stores, you must configure this after the installation.Click Next.
On the Authentication LDAP Details screen, specify the following values:
LDAP Type: Select Oracle Internet Directory from the drop down.
LDAP URL: The LDAP URL to connect to your LDAP store in the format: ldap://host:port or ldaps://host:port. For example: ldaps://oid.mycompany.com:636
LDAP Bind DN: cn=orcladmin
LDAP Password: orcladmin_password
User Credential ID Attribute: uid
User Unique ID Attribute: orclguid
Person Object Class: inetOrgPerson
Base DN: dc=us,dc=oracle,dc=com
Click Next.
On the LDAP Attributes for User Data Store screen, specify the following values:
LDAP Type: Select Oracle Internet Directory from the drop down.
LDAP URL: The LDAP URL to connect to your LDAP store in the following format: ldap://host:port or ldaps://host:port. For example: ldaps://oid.mycompany.com:636
LDAP Bind DN: cn=orcladmin
LDAP Password: orcladmin_password
User Description Attribute: uid
User ID Attribute: orclguid
Person Object Class: inetOrgPerson
Base DN: dc=mycompany,dc=com
Click Next.
On the LDAP Attributes for Federation Data Store screen, specify the following values:
LDAP Type: Select Oracle Internet Directory from the drop down.
LDAP URL: Provide the LDAP URL to connect to your LDAP store in the following format: ldap://host:port or ldaps://host:port. For example: ldaps://oid.mycompany.com:636
LDAP Bind DN: cn=orcladmin
LDAP Password: orcladmin_password
User Federation Record Context: cn=myfed,dc=mycompany,dc=com
Container Object Class: The type of User Federation Record Context that Oracle Identity Federation should use when creating the LDAP container, if it does not exist already. If that field is empty, its value will be set to applicationprocess. For Microsoft Active Directory this field must be set to container.
Click Next.
On the Transient Store Database Details screen, specify the values shown in the example below:
Host Name: The connect string to your database. For example:
infradbhost1-vip.mycompany.com:1521:idmdb1^infradbhost2-vip.mycompany.com:1521:idmdb2@idmedg.mycompany.com
Note:
The Oracle RAC database connect string information needs to be provided in the formathost1:port1:instance1^host2:port2:instance2@servicename. During this installation, it is not required for all the Oracle RAC instances to be up. If one Oracle RAC instance is up, the installation can proceed.It is required that the information provided above is complete and accurate. Specifically, the correct host, port, and instance name must be provided for each Oracle RAC instance, and the service name provided must be configured for all the specified Oracle RAC instances.Any incorrect information entered in the Oracle RAC database connect string has to be corrected manually after the installation.UserName: The username for the OIF Schema. For example: edg_oif
Password: oif_user_password
Click Next.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not correct, click Back to modify selections on previous screens. Then click Configure.
On the Configuration Progress screen, view the progress of the configuration.
On the Configuration Complete screen, click Finish to confirm your choice to exit.
Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management in the Oracle Fusion Middleware documentation library for the platform and version you are using.
If you plan to provision the Instance Home or the Managed Server domain directory on shared storage, ensure that the appropriate shared storage volumes are mounted on IDMHOST1 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."
Ensure that port 7499 is not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.
On UNIX:
netstat -an | grep "7499"
If the port is in use (if the command returns output identifying the port), you must free it.
On UNIX:
Remove the entries for port 7499 in the /etc/services file and restart the services, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.
Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.
Edit the staticports.ini file that you copied to the temporary directory to assign the following custom port:
#The port for OIF Server portOIF Server Port No = 7499
Start the Oracle Identity Management 11g Configuration Assistant located under the ORACLE_HOME/bin directory as follows:
On UNIX, issue this command:
./config.sh
On Windows, double-click config.exe
On the Welcome screen, click Next.
On the Select Domain screen, select the Expand Cluster option and specify these values:
HostName: ADMINVHN.mycompany.com
Port: 7001
UserName: weblogic
User Password: weblogic_user_password
Click Next.
A dialog box with the following message appears:
The selected domain is not a valid Identity Management domain or the installer cannot determine if it is a valid domain. If you created the domain using the Identity Management installer, you can ignore this message and continue. If you did not create the domain using the Identity Management installer, refer to the Identity Management documentation for information on how to verify the domain is valid.
This is a benign warning that you can ignore.
Click Yes to continue.
On the Specify Installation Location screen, specify the following values:
Oracle Middleware Home Location: /u01/app/oracle/product/fmw (This value is prefilled and cannot be updated.)
Oracle Home Directory: oif (This value is prefilled and cannot be updated.)
WebLogic Server Directory: /u01/app/oracle/product/fmw/wlserver_10.3
Oracle Instance Location: /u01/app/oracle/admin/oif_inst2
Instance Name: oif_inst2
Note:
Ensure that the Oracle Home Location directory path forOIFHOST1 is the same as the Oracle Home Location path for OIFHOST2. For example, if the Oracle Home Location directory path for OIFHOST1 is: /u01/app/oracle/product/fmw/oif, then the Oracle Home Location directory path for OIFHOST2 must also be /u01/app/oracle/product/fmw/oif.Click Next.
On the Specify Oracle Configuration Manager Details screen, specify the following values:
Email Address: The email address for your My Oracle Support account
Oracle Support Password: The password for your My Oracle Support account
Select: I wish to receive security updates via My Oracle Support
Click Next.
On the Configure Components screen, de-select all the components except for Oracle Identity Federation components. Select only Oracle Identity Federation from the Oracle Identity Federation components. Do not select Oracle HTTP Server.
Click Next.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not correct, click Back to modify selections on previous screens. Then click Configure.
On the Configuration Progress screen, view the progress of the configuration.
On the Installation Complete screen, click Finish to confirm your choice to exit.
Follow the post-installation steps in this section to complete the installation and configuration of the Oracle Identity Federation application
Copy the Oracle Identity Federation configuration directory from OIFHOST1 to OIFHOST2. That is, copy the directory:
MW_HOME /user_projects/domains/IDMDomain/config/fmwconfig/servers/wls_oif1/applications
on:
OIFHOST1
to:
MW_HOME/user_projects/domains/IDMDomain/config/fmwconfig/servers/wls_oif2/applications
on:
OIFHOST2.
For example, from OIFHOST1, execute the following is command:
scp -rp MW_HOME/user_projects/domains/IDMDomain/config/fmwconfig/servers/wls_oif1/applicationsuser@OIFHOST2:/MW_HOME/user_projects/domains/IDMDomain/config/fmwconfig/servers/wls_oif2/applications
Set the listen address for the WLS_OIF1 and WLS_OIF2 Managed Servers to the host name of their respective nodes using the Oracle WebLogic Administration Server:
Using a web browser, bring up the Oracle WebLogic Administration Server console and log in using the weblogic user credentials.
In the left pane of the WebLogic Administration Server Console, click Lock & Edit to edit the server configuration.
In the left pane of the WebLogic Server Administration Console, expand Environment and select Servers.
On the Summary of Servers page, click the link for the wls_oif1 Managed Server.
On the Settings page for the wls_oif1 Managed Server, update the Listen Address to oifhost1.mycompany.com. This is the host name of the server where wls_ods1 is running.
Click Save to save the configuration.
Repeat Steps 2 to 6 to update the Listen Address for the wls_oif2 Managed Server to oifhost2.mycompany.com. This is host name of the server where wls_oif2 is running.
Click Activate Changes to update the server configuration.
Follow these steps to start the newly created wls_oif2 Managed Server in a cluster on OIFHOST2:
In the left pane of the Oracle WebLogic Server Administration Console, expand Environment and select Clusters.
Click the cluster (cluster_oif) containing the Managed Server (wls_oif2) you want to stop.
Select Control.
Under Managed Server Instances in this Cluster, select the Managed Server (wls_oif2) you want to start and click Start.
On the Cluster Life Cycle Assistant page, click Yes to confirm.
WebLogic Node Manager starts the server on the target machine. When the Node Manager finishes its start sequence the server's state is indicated in the State column in the Server Status table.
Due to certain limitations, the Oracle Configuration Wizard creates the domain configuration under the ORACLE_HOME. In this EDG, the Oracle Home is on shared disk and it is a best practice recommendation to separate the domain configuration from the Oracle Home. This section provides the steps to seperate the domain. Proceed as follows:
Stop the Administration Server and the Managed Servers (wls_ods1 and wls_ods2) as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
On IDMHOST1, pack the Managed Server domain using the pack command located under the ORACLE_HOME/common/bin directory. Make sure to pass the managed=-true flag to pack the managed server. Type:
ORACLE_HOME/common/bin/pack.sh -managed=true \ -domain=path_to_adminServer_domain -template=templateName.jar \ -template_name=templateName
For example
ORACLE_HOME/common/bin/pack.sh -managed=true \ -domain=/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain \ -template=/u01/app/oracle/product/fmw/templates/managedServer.jar \ -template_name=ManagedServer_Template
Copy the Managed Server template directory from IDMHOST1 to both OIFHOST1 and OIFHOST2. For Example:
Copy to OIFHOST1:
scp -rp /u01/app/oracle/products/fmw/templates user@OIFHOST1://u01/app/oracle/products/fmw/templates
Copy to OIFHOST2:
scp -rp /u01/app/oracle/products/fmw/templates user@OIFHOST2://u01/app/oracle/products/fmw/templates
Unpack the Managed Server to the local disk on OIFMHOST1 using the unpack command located under the ORACLE_COMMON_HOME/common/bin directory.
ORACLE_HOME/common/bin/unpack.sh -domain=path_to_domain_on_localdisk \ -template=templateName.jar -app_dir=path_to_appdir_on_localdisk
For example:
ORACLE_HOME/common/bin/unpack.sh \-domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain \-template=/u01/app/oracle/product/fmw/templates/managedServer.jar \-app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications
Unpack the Managed Server to the local disk on IDMHOST2 using the unpack command located under the ORACLE_HOME/common/bin directory.
ORACLE_HOME/common/bin/unpack.sh -domain=path_to_domain_on_localdisk \ -template=templateName.jar -app_dir=path_to_appdir_on_localdisk
For example:
ORACLE_HOME/common/bin/unpack.sh \-domain=/u01/app/oracle/admin/IDMDomain/mserver/IDMDomain \-template=/u01/app/oracle/product/fmw/templates/managedServer.jar \-app_dir=/u01/app/oracle/admin/IDMDomain/mserver/applications
Start the Node Manager on OIFHOST1 and OIFHOST2 using the startNodeManager.sh script located under the WL_HOME/server/bin directory. For Example:
/u01/app/oracle/product/fmw/wlserver_10.3/server/bin/startNodeManager.sh > /tmp/nm.log &
Start the Administration server by following the steps in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
Validate that the Administration Server started up successfully by opening a browser accessing the Administration Console at http://ADMINVHN.us.oracle.com:7001/console.
Also validate Enterprise Manager by opening a browser and accessing Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.us.oracle.com:7001/em.
Start the Managed Servers on IDMHOST1 and IDMHOST2 by using the Administration Console. Follow the steps in the Starting Managed Servers section
Delete the MW_HOME/user_projects directory on OIFHOST1 and OIFHOST2. This directory is created by the Oracle Universal Installer when the domain is originally configured and is no longer required after the provisioning the Managed Server to the local disk.
By default, Oracle Identity Federation is not configured to be integrated with LDAP Servers deployed in a high availability configuration. To integrate Oracle Identity Federation with highly available LDAP Servers to serve as user data store, federation data store, or authentication engine, you must configure Oracle Identity Federation based on the LDAP server's function.
Enter the WLST script environment for Oracle Identity Federation, then set the following properties as needed:
To integrate the user data store with a highly available LDAP Server, set the userldaphaenabled boolean property from the datastore group to true; otherwise set it to false:
setConfigProperty('datastore','userldaphaenabled', 'true', 'boolean')
To integrate the federation data store with a highly available LDAP Server, set the fedldaphaenabled boolean property from the datastore group to true; otherwise set it to false:
setConfigProperty('datastore', 'fedldaphaenabled','true', 'boolean')
To integrate the LDAP authentication engine with a highly available LDAP Server, set the ldaphaenabled boolean property from the authnengines group to true; otherwise set it to false:
setConfigProperty('authnengines','ldaphaenabled', 'true', 'boolean')
This section describes how to configure Oracle Access Manager to work with the Oracle Web Tier
Before proceeding, ensure that the following tasks have been performed:
Oracle Web Tier has been installed on WEBHOST1 and WEBHOST2.
Oracle Access Manager has been installed and configured on IDMHOST1 and IDMHOST2.
Loadbalancer has been configured with a virtual hostname (sso.myconpany.com) pointing to the webservers on WEBHOST1 and WEBHOST2.
Loadbalancer has been configured with a virtual hostname (admin.mycompany.com) pointing to webservers WEBHOST1 and WEBHOST2.
To configure the Oracle Identity Federation application to use the load balancer VIP, follow these steps:
From the OIF menu in Oracle Enterprise Manager Fusion Middleware Control, select Administration, and then Server Properties.
Change the host name and port to reflect the load balancer host and port.
From the OIF menu in Oracle Enterprise Manager Fusion Middleware Control, select Administration, and then Identity Provider.
Change the URL to http://LoadBalancerHost:LoadBalancerPort.
From the OIF menu in Oracle Enterprise Manager Fusion Middleware Control, select Administration, and then Service Provider.
Change the URL to http://LoadBalancerHost:LoadBalancerPort.
Repeat these steps for each Managed Server where Oracle Identity Federation is deployed.
On each of the web servers on WEBHOST1 and WEBHOST2, create a file called oif.conf in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. Edit this file and add the following lines:
<Location /fed> SetHandler weblogic-handler WebLogicCluster oifhost1.mycompany.com:7499,oifhost2.mycompany.com:7499 </Location>
Restart the Oracle HTTP Server, as described inSection 18.1, "Starting and Stopping Oracle Identity Management Components."
If the configuration is correct, you can access the following URLs from a web browser:
https://sso.mycompany.com/fed/sp/metadata
https://sso.mycompany.com/fed/idp/metadata
Follow the instructions in the "Obtain Server Metadata" and "Add Trusted Providers" sections of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation to import metadata from the Service Provider into the Identity Provider and the Identity Provider metadata into the Service Provider
Go to the following URL and do a Single Sign-On operation:
http://SP_Host:SP_port/fed/user/testspsso