This chapter describes options for co-locating Oracle Access Manager with Sun OpenSSO Enterprise in the same environment. For more detailed information about configuring end-to-end Oracle Access Manager single sign-on using OpenSSO, see the Sun OpenSSO Enterprise 8.0 Integration Guide.
The following topics are contained in this chapter:
Oracle Access Manager (previously known as Oblix NetPoint and Oracle COREid) is an enterprise single sign-on product with many of the same features as Sun OpenSSO Enterprise and CA SiteMinder (previously known as Netegrity SiteMinder). Many companies have Oracle Access Manager already deployed and want to keep existing functionality even after installing OpenSSO Enterprise.
Oracle has two solutions for web-based single sign-on. One solution is to use the legacy Oracle Access Manager single sign-on product, previously known as Oblix Access, which is integrated in the Oracle Application Server. This chapter focuses on this first solution.
Another solution is to use the Oracle Access Manager product with OpenSSO Enterprise. Oracle Access Manager is usually used for both single sign-on and delegated administration. This second solution is out of the scope of this document.
Oracle Access Manager and OpenSSO Enterprise typically co-exist in the following use cases:
Simple Single Sign-On
Major components are OpenSSO Enterprise, an OpenSSO Enterprise Policy Agent, a custom OpenSSO Enterprise authentication module, Oracle Access Manager, and Oracle WebGate.
Federated Single Sign-On in an Identity Provider Environment
Major components are OpenSSO Enterprise, an OpenSSO Enterprise Policy Agent, a custom OpenSSO Enterprise authentication module, Oracle Access Manager, and Oracle WebGate.
Federated Single Sign-On in a Service Provider Environment
Major components are OpenSSO Enterprise, a custom OpenSSO Enterprise authentication module, Oracle Access Manager, a custom Oblix plug-in, and Oracle WebGate.
Single logout for any of these use cases can be implemented in many ways.
Logical architecture diagrams and process flow diagrams for these deployment options are described in the following section “Understanding the Business Use Cases.”
This chapter describes the conceptual integration between the two products, OpenSSO Enterprise and Oracle Access Manager. In real deployments the use cases vary widely. In the deployment architecture diagrams below (see Understanding Typical Business Use Cases), a common data store is shared between the two products when they are co-located. The examples in this chapter focus primarily on mutual validation of user sessions. However, the same model can be extended to attribute exchange and other state information. For example, sessions can be managed independently; managing session timeouts, however, is outside the scope of this document.
In the deployment examples in this chapter, the logout is assumed to be relatively simple and involves validating both the OpenSSO Enterprise and the Oracle Access Manager sessions as post-logout processes.
For federated single sign-on, the examples in this chapter use SAMLv2 protocols. Similar functionality can be achieved using other federation protocols such as ID-FF, WS-Federation, SAML1 and so forth.
The following use cases focus on single sign-on enablement and do not describe authorization options:
Simple single sign-on integration is useful when an Oracle Access Manager instance is already deployed and configured to protect intranet enterprise applications. Additionally, OpenSSO Enterprise is deployed to protect the same intranet applications by honoring the user session obtained by Oracle Access Manager. In the following illustration, both OpenSSO Enterprise and Oracle Access Manager share the same user repository for user profile verification. OpenSSO Enterprise can also be configured to use the Ignore Profile option if it relies on the Oracle Access Manager session for attributes.
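As an added illustration, not code from the OpenSSO Enterprise bundle or from the README it references, the following Java sketch shows the shape of the custom OpenSSO authentication module used in this simple single sign-on case: it extends OpenSSO's AMLoginModule and, instead of prompting for credentials, validates the WebGate ObSSOCookie through the Oracle Access SDK and resolves the user in the repository both products share. The Access SDK class names (ObConfig, ObUserSession) and the SDK install path are assumptions.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.util.ISAuthConstants;
import com.oblix.access.ObConfig;      // assumed Access SDK class
import com.oblix.access.ObUserSession; // assumed Access SDK class

// Simple SSO use case: OpenSSO honors an existing Oracle Access Manager session.
// The ObSSOCookie is trusted only after the Access SDK has validated it with the
// Access Server; the mere presence of the cookie proves nothing.
public class OamSessionLoginModule extends AMLoginModule {
    private static final String OAM_COOKIE = "ObSSOCookie";       // default WebGate cookie name
    private static final String SDK_INSTALL_DIR = "/opt/oam-sdk"; // assumed SDK location
    private static boolean sdkReady;
    private String userDn;

    public void init(Subject subject, Map sharedState, Map options) {
        // No per-instance state; the SDK is initialized once, lazily, in process().
    }

    private static synchronized void initSdk() throws AuthLoginException {
        if (sdkReady) return;
        try { ObConfig.initialize(SDK_INSTALL_DIR); sdkReady = true; }
        catch (Exception e) { throw new AuthLoginException("Access SDK initialization failed"); }
    }

    public int process(Callback[] callbacks, int state) throws LoginException {
        initSdk();
        HttpServletRequest req = getHttpServletRequest();
        Cookie[] cookies = (req == null) ? null : req.getCookies();
        String token = null;
        if (cookies != null)
            for (Cookie c : cookies) if (OAM_COOKIE.equals(c.getName())) token = c.getValue();
        if (token == null) throw new AuthLoginException("No Oracle Access Manager session cookie");
        try {
            ObUserSession session = new ObUserSession(token);  // checked against the Access Server
            if (session.getStatus() != ObUserSession.LOGGEDIN)
                throw new AuthLoginException("Oracle Access Manager session is not active");
            userDn = session.getUserIdentity();                // DN in the shared user repository
        } catch (AuthLoginException e) { throw e;
        } catch (Exception e) { throw new AuthLoginException("Session validation failed"); }
        return ISAuthConstants.LOGIN_SUCCEED;
    }

    public Principal getPrincipal() {
        final String name = userDn;
        return new Principal() { public String getName() { return name; } };
    }
}
```

With the Ignore Profile option mentioned above, OpenSSO skips its own profile lookup and relies on the DN returned here and the attributes carried by the Oracle Access Manager session.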
The following figure illustrates architecture in the simple single sign-on use case.
The following figure illustrates the process flow among components in the Identity Provider environment and Service Provider environment.
The SAML, ID-FF, and WS-Federation protocols provide cross-domain single sign-on among multiple trusted business entities. These protocols are also used in Identity Federation. Identity Federation involves an Identity Provider, also known as an authentication provider, and a Service Provider where the user authentication session at the Identity Provider is consumed. The following are common use cases in which Oracle Access Manager is enabled for federation protocols:
Enabling Oracle Access Manager for federation protocols in a Service Provider environment
Enabling Oracle Access Manager for federation protocols in an Identity Provider environment
In this example, Oracle Access Manager is the authentication provider in an Identity Provider environment and protects some of the intranet applications. OpenSSO Enterprise in this deployment resolves the single sign-on issues among enterprise applications in partner environments while Oracle Access Manager provides authentication.
The following two figures illustrate the process flow among components in the Identity Provider environment and Service Provider environment.
In this deployment, Oracle Access Manager is installed and configured in the Service Provider environment to protect legacy applications.
The following two figures illustrate the process flow among components in the Identity Provider environment and Service Provider environment.
The setup requires OpenSSO Enterprise 8.0 and the corresponding Policy Agents. OpenSSO Enterprise is supported on various containers, but you have to choose a container that supports both OpenSSO Enterprise and the Oracle Access Manager WebGate. The Oracle Access Manager software is available online for temporary evaluation. For validation, this document used the following software:
Sun OpenSSO Enterprise 8.0
Sun Web Server 6.1 SP5
Sun Directory Server 5.2 SP2
Oracle Access Manager 10g (10.1.4.0.1)
Oracle Access Manager Agents (Web Gate) 10g (10.1.4.0.1)
Oracle Access Manager SDK 10g (10.1.4.0.1)
Custom code (bundled in the OpenSSO Enterprise zip)
The OpenSSO Enterprise bundle ships the integration bits along with the OpenSSO Enterprise WAR file. The instructions for configuring the authentication modules are contained in the corresponding README files.
As you design your deployment architecture, be sure to consider the benefits and tradeoffs. The following lists may help you determine whether enabling federation using Oracle Access Manager and OpenSSO Enterprise is appropriate to meet your business needs.
OpenSSO Enterprise allows you to continue using an existing Oracle Access Manager deployment for authentication while leveraging the more advanced features of OpenSSO Enterprise.
OpenSSO Enterprise quickly enables federation protocols for Oracle Access Manager with few changes to the existing infrastructure.
OpenSSO Enterprise supports a variety of industry standard protocols such as SAMLv2, ID-FF, ID-WSF, WS-Federation, XACML, WS-*, and others.
OpenSSO Enterprise supports any generic LDAP repository for users, and can work with the existing Oracle Access Manager database.
OpenSSO Enterprise leverages its own configuration data store, which minimizes the need to migrate data from a different data store.
In general, when integrating any two access management products, you must consider the increased costs in resources and maintenance.
When co-locating Oracle Access Manager and OpenSSO Enterprise, session management for both products must be synchronized.
Full integration requires you to set up session synchronization, possibly by using notification mechanisms effectively.
Administrators must be trained and proficient in the use of both products.