Oracle® OpenSSO STS Administrator's Guide
Release 11gR1. Version 11.1.1.3.0

Part Number E17844-01

8 Deploying OpenSSO STS with Other Oracle Products

The following topics are contained in this chapter:

  Section 8.1, "Configuring Administrator Single Sign-On with Oracle Access Manager"

  Section 8.2, "Configuring OpenSSO STS to Work with Oracle Internet Directory and Oracle Virtual Directory"

8.1 Configuring Administrator Single Sign-On with Oracle Access Manager

You can deploy OpenSSO STS in an environment where Oracle Access Manager already exists. When OpenSSO STS and Oracle Access Manager are configured for single sign-on, an administrator who has authenticated to Oracle Access Manager can access OpenSSO STS without having to present credentials a second time. The administrator single sign-on use case requires that Oracle HTTP Server is deployed in the environment to act as a proxy for OpenSSO STS, and OpenSSO STS must be configured with the Oracle Access Manager authentication module. The following diagram illustrates a typical single sign-on topology.

Figure 8-1 Single Sign-On Using Oracle Access Manager and OpenSSO STS


In this topology, Oracle WebGate is installed on the Oracle HTTP Server. The HTTP Server must be configured in proxy mode for OpenSSO STS, and OpenSSO STS must be deployed on a supported web container.

When an administrator attempts to access OpenSSO STS, Oracle WebGate intercepts the request and Oracle Access Manager presents a login page. The administrator presents credentials, which Oracle Access Manager authenticates. Once the administrator has been authenticated, the browser is redirected to OpenSSO STS. OpenSSO STS is configured with the Oracle Access Manager authentication module, which validates the administrator against a list of allowed users. If the administrator is on that list, the administrator can access the OpenSSO STS console without presenting credentials a second time.

8.1.1 To Configure Administrator Single Sign-On with Oracle Access Manager

The following list summarizes high-level steps you must take to configure administrator single sign-on with Oracle Access Manager. Follow the detailed installation and configuration instructions in the documentation for each Oracle product in your environment. See http://www.oracle.com/technology/documentation/index.html.

  1. Install OpenSSO STS on Oracle WebLogic Server.

  2. Install Oracle Access Manager.

  3. Install Oracle HTTP Server and configure it to proxy for OpenSSO STS.

  4. Install Oracle WebGate on Oracle HTTP Server.

  5. Configure single sign-on between Oracle HTTP Server and Oracle Access Manager to protect the OpenSSO STS login URL:

    http://HostName.Domain.com:port/openssosts/UI/Login?module=OAMAuthModule

  6. Configure Oracle HTTP Server for proxying.

    Edit $OH_INSTANCE_DIR/config/OHS/ohs1/mod_wl_ohs.conf to include the following (the host and port are examples; substitute the values of the WebLogic Server instance that hosts OpenSSO STS):

    <IfModule weblogic_module>
      WebLogicHost HostName.Domain.com
      WebLogicPort 7001
      MatchExpression /openssosts
    </IfModule>
    
  7. Access the WebGate URL using the OpenSSO STS URI (the proxy URL). Example:

    http://HostName.Domain.com:port/openssosts/UI/Login?module=OAMAuthModule

    The browser redirects the user request to the Oracle Access Manager console.

  8. Log in to Oracle Access Manager using OpenSSO STS administrator credentials.

    By default, Oracle Access Manager passes the authenticated user name in the OAM_REMOTE_USER header. OpenSSO STS validates the OAM_REMOTE_USER value against its list of allowed users and provides access to the OpenSSO STS administration console.

8.2 Configuring OpenSSO STS to Work with Oracle Internet Directory and Oracle Virtual Directory

Both Oracle Internet Directory and Oracle Virtual Directory are LDAP-compliant directory services. You can add an LDAP authentication module to OpenSSO STS, and then configure the LDAP authentication module to use either Oracle Internet Directory or Oracle Virtual Directory as a user data store.

The following figure illustrates a topology in which Oracle Internet Directory is the sole user directory used for authentication and attribute retrieval.

Figure 8-2 OpenSSO STS Integrated with Oracle Internet Directory


Oracle Virtual Directory provides an abstraction layer that enables external directories to connect to OpenSSO STS. When OpenSSO STS receives a WS-Trust request with a UserName token (or UserName On-Behalf-Of token) as either an inbound or outbound token, OpenSSO STS validates the user, through Oracle Virtual Directory, against one of the connected directories. The following figure illustrates a typical topology using Oracle Virtual Directory and two LDAP directories.

Figure 8-3 OpenSSO STS Integrated with Oracle Virtual Directory


An inbound request is sent through the Oracle Web Services Manager client in the form of a SOAP request. OpenSSO STS receives the request and authenticates it, through Oracle Virtual Directory, against Oracle Internet Directory. OpenSSO STS reads the attributes associated with the UserName token, and generates a SAML assertion response.

8.2.1 To Configure Oracle Internet Directory or Oracle Virtual Directory for User Authentication

The following summarizes high-level steps you must take to configure Oracle Internet Directory or Oracle Virtual Directory for user authentication.

  1. In the OpenSSO STS console, add an LDAP authentication module instance and configure it to use Oracle Internet Directory or Oracle Virtual Directory.

    See Section 6.3.10, "To Add a New LDAP Authentication Module Instance" and Section 6.3.11, "To Configure an LDAP Authentication Module Instance."

  2. Create and configure an authentication chain for inbound security tokens.

    See Section 6.4.1, "To Create a New Authentication Chain."

  3. Create and configure an authentication chain for outbound security tokens.

    See Section 6.4.1, "To Create a New Authentication Chain."

  4. Configure the Security Token Service.

    See Section 4.2, "To Configure the Security Token Service."

    The OpenSSO STS authentication service determines the security mechanism registered by the web service provider, and retrieves the appropriate security tokens.

  5. Enable both inbound and outbound authentication chains based on the authentication chain security mechanism specified when the web service provider agent profile was created.

    See Section 4.4, "To Register a Web Service Provider to OpenSSO STS."

8.2.2 To Configure SAML Attribute Generation and Retrieval

Each time you add a web service provider to OpenSSO STS, you must be sure that the web service provider is configured for SAML attribute retrieval, and that SAML attribute mapping is defined in OpenSSO STS. The following summarizes high-level steps you must take to use Oracle Internet Directory or Oracle Virtual Directory for SAML attribute generation and retrieval in a web service provider.

  1. Add a new LDAP data store and configure it to communicate with Oracle Internet Directory or Oracle Virtual Directory.

    See Section 5.3.1, "To Add a New User Data Store."

  2. In the web service provider profile, configure the SAML attribute mapping.

    See Section 5.2, "Managing OpenSSO STS Sites."
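The inbound flow of Section 8.2 and the attribute mapping of Section 8.2.2, as an added illustration that is not part of the Oracle documentation or the OpenSSO STS code: a WS-Trust request carrying a WS-Security UsernameToken is parsed, the token is validated against a constructed stand-in for the directory entries reached through the LDAP data store, and a SAML 2.0 assertion is built using a constructed attribute mapping. The sample request, directory entry and mapping are all constructed for this example.

```python
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("saml", NS["saml"])
SAML = "{%s}%%s" % NS["saml"]  # Clark-notation template for SAML 2.0 element names

# Constructed sample WS-Trust Issue request whose Security header carries a UsernameToken.
SAMPLE_RST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
 <soap:Header><wsse:Security><wsse:UsernameToken><wsse:Username>jdoe</wsse:Username>
  <wsse:Password>s3cret</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header>
 <soap:Body><wst:RequestSecurityToken>
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
 </wst:RequestSecurityToken></soap:Body></soap:Envelope>"""

# Constructed stand-in for the directory entry OpenSSO STS would read via the LDAP data store.
DIRECTORY = {"jdoe": {"userPassword": "s3cret", "mail": "jdoe@example.com", "cn": "John Doe"}}
# Constructed SAML attribute mapping (SAML attribute name -> directory attribute name).
ATTR_MAP = {"EmailAddress": "mail", "CommonName": "cn"}

def extract_username_token(rst_xml):
    """Return (username, password) from the UsernameToken in the request's Security header."""
    tok = ET.fromstring(rst_xml).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        raise ValueError("request carries no UsernameToken")
    return (tok.findtext("wsse:Username", namespaces=NS), tok.findtext("wsse:Password", namespaces=NS))

def authenticate(user, password):
    """Validate the token against the directory stand-in using a constant-time comparison."""
    entry = DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password or "")

def issue_assertion(rst_xml):
    """Authenticate the inbound UsernameToken; return a SAML 2.0 assertion with mapped attributes, or None."""
    user, password = extract_username_token(rst_xml)
    if not authenticate(user, password):
        return None  # failed authentication issues no token
    entry = DIRECTORY[user]
    assertion = ET.Element(SAML % "Assertion")
    ET.SubElement(ET.SubElement(assertion, SAML % "Subject"), SAML % "NameID").text = user
    stmt = ET.SubElement(assertion, SAML % "AttributeStatement")
    for saml_name, dir_attr in ATTR_MAP.items():  # apply the profile's attribute mapping
        attr = ET.SubElement(stmt, SAML % "Attribute", Name=saml_name)
        ET.SubElement(attr, SAML % "AttributeValue").text = entry[dir_attr]
    return ET.tostring(assertion, encoding="unicode")
```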