3 Integrating with Oracle Identity Navigator

This chapter describes how Oracle Access Manager integrates with Oracle Identity Navigator. It contains this topic:

3.1 Enabling Single Sign-On

You can use Oracle Access Manager to SSO-enable the Oracle Identity Navigator Administration Console using the Kerberos authentication scheme with Windows Native Authentication (WNA) as the challenge method.

The prerequisites are as follows:

  • Oracle HTTP Server has been installed.

    When installing Oracle HTTP Server, uncheck Oracle WebCache and Associate Selected Components with WebLogic Domain.

  • Oracle Access Manager 11g has been installed and configured properly.

  • Oracle HTTP Server 11g has been installed and configured as a front-ending proxy web server for Oracle Identity Navigator.

  • Oracle Access Manager 11g webgate for Oracle HTTP Server 11g has been installed on the Oracle HTTP Server 11g.

The high-level SSO-enablement steps are as follows:

  • Use the Oracle Access Manager Administration Console to configure a new resource for the agent under which the Oracle Identity Navigator URL is to be protected.

  • Configure Oracle HTTP Server to point to the Oracle Access Manager domain which has the resources and policies configured.

  • Use the Administration Console to add the two new identity providers, namely the Oracle Access Manager Identity Asserter and the Oracle Internet Directory Authenticator.

  • Use Oracle Directory Services Manager (ODSM) to grant administrator privileges to the login user.

These steps are detailed in subsequent sub-sections.

3.1.1 Configure a New Resource for the Agent

At the Oracle Access Manager console:

  1. Select the Policy Configuration tab.

  2. Under Application Domains, select the agent under which the Oracle Identity Navigator URL is to be protected (for example, OIMDomain).

  3. Choose Resources and click the create icon to add a new resource. Enter the type, host identifier, and value (/oinav/…/*), and click the Apply button.

  4. Choose Protected Policy (or the policy whose authentication schema is the LDAP schema). In the resources table, click the add icon and choose the Oracle Identity Navigator URL (/oinav/…/*) from the drop-down list.

  5. Repeat the step for Authorization Policy.

3.1.2 Configure Oracle HTTP Server for the Oracle Access Manager Domain

Take these steps to ensure that Oracle HTTP Server points to the Oracle Access Manager domain where the resources and policies are configured:

  1. Navigate to the Oracle HTTP Server server config directory (for example, /scratch/mydir1/oracle/product/11.1.1/as_1/instances/instance1/config/OHS/ohs1), and find the mod_wl_ohs.conf file.

  2. In the <IfModule mod_weblogic.c> block, add the host and the port number of the Oracle Identity Navigator URL that is to be protected. For example:

    MatchExpression /oinav* WebLogicHost=host WebLogicPort=port

  3. Restart Oracle HTTP Server from the OHS instance bin directory (for example, /scratch/mydir1/oracle/product/11.1.1/as_1/instances/instance1/bin) by executing the following command:

    ./opmnctl restartproc ias-component=ohs1

3.1.3 Add New Identity Providers

Take these steps to add two new identity providers and grant administrator privileges to the login user:

  1. Using the Administration Console, navigate to Security Realms, then myrealm, then Providers.

  2. Add these two providers: OAM Identity Asserter and OID Authenticator.

  3. Set the Control Flag of the OAM Identity Asserter to Required.

  4. Update the following settings in the OID Authenticator:

    • Set the Control Flag to Sufficient.

    • Select the Provider specific tab and make the necessary changes, supplying the host, port, and other credentials of the Oracle Internet Directory server. Configure the correct LDAP setting in OID Authenticator.

    The users and groups in the LDAP directory will be reflected in the console.

  5. Use Oracle Directory Services Manager (ODSM) to give the administrator privilege to the login user:

    1. Create a user in the LDAP server that is associated with Oracle Access Manager (NGAM), for example: uid=testuser,cn=users,dc=us,dc=oracle,dc=com

    2. Create an Administrators group in the LDAP directory, namely cn=Administrators,cn=groups,dc=us,dc=oracle,dc=com

    3. Assign the Administrators role to the user, testuser, by adding the user to the Administrators group.

    4. You can now test an SSO by this user to Oracle Identity Navigator.

  6. Re-order the providers as follows:

    1. OAMIdentityAsserter

    2. OID Authenticator

    3. Default Authenticator

    4. Default Identity Asserter

  7. Restart Oracle WebLogic Server.

  8. Enter the protected Oracle Identity Navigator URL, which will have the host and port from the Oracle HTTP Server install:
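The shell functions below are an added example for step 5 of section 3.1.3, not part of the Oracle documentation: they generate the LDIF for the login user and the Administrators group using the DNs from the text, load it into Oracle Internet Directory, and confirm that the user is a member of the group before the SSO test. The variables OID_HOST, OID_PORT, BIND_DN and BIND_PW_FILE are placeholders, the default port 3060 and the ldapadd/ldapsearch flags assume the OpenLDAP command-line clients, and the object classes are standard ones rather than any Oracle-specific auxiliary class.

```shell
#!/bin/sh
# Added example (not Oracle's own tooling): create the test user and the
# Administrators group from section 3.1.3 step 5 and verify the membership.

# oinav_user_dn UID BASE_DN: DN of the login user, in the form used by the text.
oinav_user_dn() {
  printf 'uid=%s,cn=users,%s\n' "$1" "$2"
}

# oinav_admin_ldif UID BASE_DN: LDIF creating the user and an Administrators
# group (groupOfUniqueNames) whose uniquemember is that user. No password is
# set here; provision it through your normal path rather than in a script.
oinav_admin_ldif() {
  user_dn=$(oinav_user_dn "$1" "$2")
  cat <<EOF
dn: ${user_dn}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: $1
cn: $1
sn: $1

dn: cn=Administrators,cn=groups,$2
objectClass: top
objectClass: groupOfUniqueNames
cn: Administrators
uniquemember: ${user_dn}
EOF
}

# oinav_is_admin LDAP_TEXT USER_DN: succeeds if the text (LDIF or ldapsearch
# output) lists USER_DN as a uniquemember; attribute name matched case-insensitively.
oinav_is_admin() {
  printf '%s\n' "$1" | grep -iqxF "uniquemember: $2"
}

# load_oinav_admin UID BASE_DN: add both entries to OID, then read the group
# back and check the membership. The bind password is read from a file (-y)
# so it does not appear in the process list.
load_oinav_admin() {
  port="${OID_PORT:-3060}"   # assumed OID default non-SSL port
  tmp=$(mktemp)
  oinav_admin_ldif "$1" "$2" > "$tmp"
  ldapadd -x -h "${OID_HOST:?}" -p "$port" -D "${BIND_DN:?}" -y "${BIND_PW_FILE:?}" -f "$tmp"
  rm -f "$tmp"
  result=$(ldapsearch -x -LLL -h "$OID_HOST" -p "$port" -D "$BIND_DN" -y "$BIND_PW_FILE" \
             -b "cn=Administrators,cn=groups,$2" -s base '(objectClass=*)' uniquemember)
  oinav_is_admin "$result" "$(oinav_user_dn "$1" "$2")"
}

# Typical use (placeholders):
#   OID_HOST=oid-host BIND_DN=cn=orcladmin BIND_PW_FILE=/secure/pw \
#     load_oinav_admin testuser dc=us,dc=oracle,dc=com
```

Run the membership check again after the WebLogic restart in step 7: the OID Authenticator only reflects the Administrators group into the console when the group entry and the uniquemember value match the DNs you configured on the Provider Specific tab.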