15 Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

This chapter describes how to configure single sign-on (SSO) for administration consoles in an Identity Management Enterprise deployment.

This chapter includes the following topics:

15.1 Overview of Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

If you have not integrated Oracle Access Management Access Manager with Oracle Identity Manager, you must first create WebLogic Security Providers. Then proceed as follows.

You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, the Oracle Traffic Director intercepts requests for the consoles and forwards them to Access Manager for validation

The administration consoles referred to in the chapter title are:

  • Oracle Enterprise Manager Fusion Middleware Control

  • Oracle WebLogic Server Administration Console

  • Oracle Access Management Console

  • Oracle Identity Manager Console

15.2 Prerequisites

Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain:

  1. Configuring Oracle Traffic Director, as described in Chapter 7, "Installing and Configuring Oracle Traffic Director for an Enterprise Deployment."

  2. Configuring Access Manager, as described in Chapter 11, "Extending the Domain to Include Oracle Access Management."

  3. Provisioning Weblogic Administrators in LDAP as described in Section 10.4, "Preparing the Identity Store."

15.3 Configuring WebLogic Security Providers

When you run idmConfigTool with the configOAM or configOIM option, the tool creates security providers in the domain IDMDomain. These security providers restrict access to the consoles in those domains based on the security policies of Access Manager. If you have other domains, you must create security providers in those domains manually and then update them as described in the following sections.


Once you have enabled single sign-on for the administration consoles, ensure that at least one OAM Server is running to enable console access.

If you have used the Oracle Weblogic console to shut down all of the Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.

To start WLS_OAM1 manually, use the command:

MSERVER_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001

This section contains the following topics:

15.3.1 Updating Oracle Unified Directory Authenticator

When the OUD authenticator is created, it is created with some missing information, which must be added. If you are using OUD as your identity store, you must add this information by performing the following steps.

  1. Log in to the WebLogic Administration Console.

  2. Click Security Realms from the Domain structure menu.

  3. Click Lock and Edit in the Change Center.

  4. Click myrealm.

  5. Click on Providers.

  6. Click on OUDAuthenticator.

  7. Click on Provider Specific tab.

  8. On the Provider Specific screen update the following values:

    • All Users Filter: (&(uid=*)(objectclass=person))

    • User From Name Filter: (&(uid=%u)(objectclass=person))

    • User Name Attribute: uid

    • Static Group Object Class: groupofuniquenames

    • Static Member DN Attribute: uniquemember

    • Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))

    • Dynamic Group Name Attribute: cn

    • Dynamic Group Object Class: groupOfURLs

    • Dynamic Member URL Attribute: memberURL

  9. Click Save.

  10. Click Activate Changes.

15.3.2 Reordering the Security Providers

This section sets up an Access Manager asserter to enable you to delegate responsibility for credential collection to Access Manager.

  1. Log in to the WebLogic Administration Console at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. Click Security Realms from the Domain structure menu.

  3. Click Lock and Edit in the Change Center.

  4. Click myrealm.

  5. Select the Providers tab.

  6. Click Reorder.

  7. Using the arrows on the right hand side order the providers such that the order is:

    • OAMIDAsserter

    • OIM Signature Authenticator, if present

    • OIMAuthenticationProvider, if present

    • OUD Authenticator

    • Default Authenticator

    • Default Identity Asserter


    Oracle Identity Manager providers only exist if Oracle Identity Manager has been configured.

  8. Click OK.

  9. Click Activate Changes.

  10. Restart WebLogic Administration Server and all the Managed Servers, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

15.4 Assigning WLSAdmins Group to WebLogic Administration Groups

In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.

In Section 10.4, "Preparing the Identity Store" you created a user called weblogic_idm and assigned it to the group WLSAdmins. To be able to manage WebLogic using this account you must add the WLSAdmins group to the list of Weblogic Administration groups. This section describes how to add the WLSAdmins Group to the list of WebLogic Administrators.

Perform this step for each domain in the topology.

  1. Log in to the WebLogic Administration Server Console at the URL listed in Section 16.2, "About Identity Management Console URLs."

  2. In the left pane of the console, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, click the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.

  6. On the Global Roles page, click the Admin role to go to the Edit Global Role page:

    1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

    2. On the Choose a Predicate page, select Group from the list for predicates and click Next.

    3. On the Edit Arguments Page, Specify WLSAdmins in the Group Argument field and click Add.

  7. Click Finish to return to the Edit Global Rule page.

  8. The Role Conditions table now shows the WLSAdmins Group as an entry.

  9. Click Save to finish adding the Admin role to the WLSAdmins Group.

  10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

15.5 Authorize Access Manager Administrators to Access APM Console

By default, only users in the WebLogic administrators group can access the APM console. After SSO is enabled, you will login as an Access Manager Administrator.

To enable this functionality perform the following steps:

  1. Log in to the APM console at http://ADMIN.mycompany.com/apm as WebLogic administrator.

  2. Click the System Configuration tab.

  3. Click Add in the External Role Mapping box.

  4. Click Search.

  5. Select OAMAdministrators from the returned search results.

  6. Click Add Selected.

  7. Click Add Principals.

15.6 Updating the boot.properties File

Update the boot.properties file for the Administration Server with the WebLogic admin user created in LDAP.

You must update boot.properties on each Administration Server node. Follow the steps in the following sections to update the file.

This section contains the following topics:

15.6.1 Update the Administration Servers on All Domains

  1. On each of the servers in the topology, go the directory:


    For example:

    cd ASERVER_HOME/servers/AdminServer/security
  2. Rename the existing boot.properties file.

  3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:


    For example:

    password=Password for weblogic_idm user


    When you start the Administration Server, the username and password entries in the file get encrypted.

    For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.

15.6.2 Restarting the Servers

Restart the WebLogic Administration Server and all managed servers, as described in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

15.7 Installing and Configuring WebGate 11g

This section describes how to install and configure WebGate.

This section contains the following topics:

15.7.1 Prerequisites

Ensure that the following tasks have been performed before installing the Oracle Web Gate:

  1. Install and configure the Oracle Traffic Director as described in Chapter 7.

  2. Ensure Oracle Access Management Access Manager has been configured as described in Chapter 11.

15.7.2 Installing Oracle WebGate on WEBHOST1 and WEBHOST2

Before starting the installer ensure that Java is installed on your machine. To install Oracle WebGate, run complete the following steps on WEBHOST1 and WEBHOST2.

  1. Start the WebGate installer by issuing the command:


    You are asked to specify the location of the Java Development Kit for example:


  2. On the Welcome screen, click Next.

  3. On the Install Software Updates screen, choose whether to skip updates, check with Oracle Support for updates, or search for updates locally.

    Click Next.

  4. If the prerequisites fail because of missing 32-bit libraries, you can safely ignore this failure.

  5. Click Next.

  6. On the Installation Location Screen, enter the following information:

    Oracle Home Directory: WEBGATE_ORACLE_HOME

    Click Next.

  7. On the installation summary screen, click Install.

  8. Click Next.

  9. Click Finish.

  10. Execute the deployWebGateInstance.sh command from the following directory:


    Make sure this tool has executable permission.

    For example:

    ./deployWebGateInstance.sh -w WEB_ORACLE_INSTANCE/webgate/ -oh WEBGATE_ORACLE_HOME -ws otd  

    Expected output:

    Copying files from WebGate Oracle Home to WebGate Instancedir
  11. Set the environment variable LD_LIBRARY_PATH to:


    For example:

    export LD_LIBRARY_PATH=/u02/private/oracle/config/webgate/lib 


    The deployed location of webgate must be the same on every host.

  12. Edit the properties in the sso.mycompany.com-obj.conf and admin.mycompany.com-obj.conf files using the EditObjConf tool located in the following directory:


    For example, on WEBHOST1, run the following:

    ./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/sso.mycompany.com-obj.conf -oh WEBGATE_ORACLE_HOME -w /u02/private/oracle/config/webgate -ws otd
    ./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/admin.mycompany.com-obj.conf -oh WEBGATE_ORACLE_HOME -w /u02/private/oracle/config/webgate/webgate -ws otd
    ./EditObjConf -f WEB_ORACLE_INSTANCE/net-IDM/config/idminternal.mycompany.com-obj.conf -oh WEBGATE_ORACLE_HOME -w /u02/private/oracle/config/webgate/webgate -ws otd

    Expected output:

    WEB_ORACLE_INSTANCE/config/magnus.conf has been backed up as WEB_ORACLE_INSTANCE/config/magnus.conf.ORIG 
    WEB_ORACLE_INSTANCE/config/instance_config_name-obj.conf has been backed up as WEB_ORACLE_INSTANCE/instance_config_name-obj.conf.ORIG
  13. Register WebGate to the OAM 11g Server by copying the WebGate artifacts Located in the following directory:


    to the following directories:

    Copy aaa_cert.pem and aaa_key.pem to:



    Copy cwallet.sso, ObAccessClient.xml and password.xml to:


    To copy the artifacts run the following commands:

    cp ASERVER_HOME/output/Webgate_IDM_11g/aaa* to  /u02/private/oracle/config/webgate/webgate/config/simple
    cp ASERVER_HOME/output/Webgate_IDM_11g/password.xml to  /u02/private/oracle/config/webgate/webgate/config/
    cp ASERVER_HOME/output/Webgate_IDM_11g/ObAccessClient.xml to  /u02/private/oracle/config/webgate/webgate/webgate/config/
    cp ASERVER_HOME/output/Webgate_IDM_11g/cwallet.sso to  /u02/private/oracle/config/webgate/webgate/config/
  14. Add LD_LIBRARY_PATH to Oracle Traffic Director Start Scripts.

    To prevent you having to enter the LD_LIBRARY_PATH each time you start Oracle traffic Director, add it to the OTD start script:

    1. Edit the startserv file located in the following directory

    2. Locate the following line:

      # Set LD_LIBRARY_PATH for Solaris and Linux 
    3. Add the following line immediately after:


      After editing, the file appears as follows:

      # Set LD_LIBRARY_PATH for Solaris and Linux
    4. Save this file.


Configuring webgate in this way directly modifies the Oracle Traffic Director (OTD) configuration files. These changes are not reflected in the OTD configuration store. When you go back into and modify the OTD configuration, you are notified that there is a discrepancy between that config store and the values on disk. It will ask you what you want to do. YOU MUST inform OTD that you wish to pull the configuration from the files, and NOT push the configuration back to the files. Selecting the wrong option removes the webgate configuration you just performed.

15.8 Restarting the Oracle Traffic Director Instance

Use the startserv command to start, or the stopserv command to stop your Oracle Traffic Director instance.

To stop the server, run the following command:


To start the server, run the following command:



To restart the Oracle Traffic Director instance, stop all running instances, and then run the start command.

15.9 Validating WebGate and the Access Manager Single Sign-On Setup

To validate that WebGate is functioning correctly, open a web browser and go the OAM console URL listed in Section 16.1, "Starting and Stopping Oracle Identity Management Components."

You now see the Oracle Access Management Login page displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. Then you see the Oracle Access Management console displayed.


After logging into the Oracle Access Management Console, and before trying to log in to the WebLogic Console, ensure that you log out of the OAM Console, as the user oamadmin does not have the access rights to access the WebLogic Console.

To validate the single sign-on setup, open a web browser and go the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 16.2, "About Identity Management Console URLs."

The Oracle Access Management Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in. Once logged in, you can move back and forth between the WebLogic Console and Fusion Middleware Control without being prompted for a password.

15.10 Backing Up Single Sign-on

Back up the Web Tier and WebLogic domain, as described in Section 16.6, "Backing Up the Oracle IDM Enterprise Deployment."