Oracle® OpenSSO 8.0 Update 2 Release Notes
Release 8.0

Part Number E28339-03

6 Integrating OpenSSO 8.0 Update 2 with Oracle Access Manager

This chapter provides instructions for implementing single sign-on using OpenSSO 8.0 Update 2 and Oracle Access Manager 10g or 11g.

This information supplements conceptual information contained in Chapter 3, Integrating Oracle Access Manager, in the Sun OpenSSO Enterprise 8.0 Integration Guide. This use case provides a single sign-on experience to OpenSSO-protected applications by honoring an Oracle Access Manager session. The configured OpenSSO authentication module generates an OpenSSO session based on the Oracle Access Manager session.

6.1 Overview of Integration Steps

  1. Before You Begin

  2. Unpacking the Integration Bits

  3. Building Source Files for Oracle Access Manager in OpenSSO

  4. (Optional) Build an Authentication Scheme for OpenSSO in Oracle Access Manager

  5. Configuring Single Sign-On Using Oracle Access Manager and Oracle OpenSSO STS

  6. To Test Single Sign-On

  7. (Optional) Installing the Oblix AuthScheme into Oracle Access Manager

6.2 Before You Begin

Be sure you have access to the following components before you attempt to install OpenSSO 8.0 Update 2 for integration with Oracle Access Manager:

opensso.zip

This zip file contains the opensso.war file, integration source code, configuration files and other tools that are required for OpenSSO 8.0 Update 2 installation and configuration.

OpenSSO Agent

The OpenSSO Agent is used so that an application protected by OpenSSO can use the authentication session established by Oracle Access Manager.

Oracle Access Manager 10g or 11g

Download Oracle Access Manager from the Oracle web site. See the http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html page.

Oracle Web Gate 10g or 11g

Download Oracle Webgate for a container that is supported by both OpenSSO and Oracle Webgate. At this time, Web Server 7.x is the only container that is supported by both the products.

See the http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html page.

Oracle Access Manager SDK 10g or 11g

Download the Oracle Access Manager SDK. The SDK is required to compile and build the OpenSSO authentication modules for Oracle Access Manager integration.

See the http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html page.

OpenSSO C-SDK 2.2

(Optional) The OpenSSO C-SDK is required for creating an authentication module in Oracle Access Manager itself to generate an OAM session. This may not be a common use case from an OpenSSO perspective. See Where is the C SDK? in Sun OpenSSO Enterprise 8.0 C API Reference for Application and Web Policy Agent Developers.

6.3 Unpacking the Integration Bits

The opensso/integrations/oracle directory contains the source and configuration files needed to compile and build custom authentication modules and other plugins. See Chapter 3, Integrating Oracle Access Manager, in Sun OpenSSO Enterprise 8.0 Integration Guide for use case options and related information. The following table summarizes the files under the opensso/integrations/oracle directory and describes each file.

README.html

This is the file you're reading now.

build.xml

An ant build file for building a custom authentication module for Oracle Access Manager in OpenSSO.

config

Configuration files required for creating an authentication module for Oracle Access Manager in OpenSSO.

  • OblixAuthService.xml

    Authentication service file for Oracle Access Manager authentication module

  • OblixAuthModule.xml

    Authentication module callbacks for Oracle Access Manager.

    This is an empty file by default, but it must be present for configuration purposes.

  • OblixAuth.properties

    Properties file that stores internationalization keys for the authentication

lib

This directory is empty by default. It must contain the following libraries before the source files can be compiled.

  • jobaccess.jar

    Copy this file from the Oracle Access Manager SDK.

  • openfedlib.jar, amserver.jar, and opensso-sharedlib.jar

    Copy these files from opensso.war

  • servlet.jar or javaee.jar

Copy this file from the GlassFish lib directory. Any JAR file that contains the standard Java EE classes, such as javax.servlet.http.Cookie, will work.

source

Directory containing the following source files:

  • com/sun/identity/authentication/oblix/OblixAuthModule.java

  • com/sun/identity/authentication/oblix/OblixPrincipal.java

  • com/sun/identity/saml2/plugins/OAMAdapter.java

    This class is a SAML2 Plugin Adapter for SAML Service Providers. This class does the remote authentication to Oracle Access Manager using the OpenSSO Session service.

oamauth (optional)

This directory contains the source files for the Oblix Authentication Scheme for OpenSSO. This is a C-based authentication module that uses the OpenSSO C-SDK to validate the OpenSSO session.

  • oam/solaris/authn_api.c

This file implements the Oblix custom authentication scheme for OpenSSO.

  • oam/solaris/include/*.h

All the header files that are required to compile the authentication scheme.

  • oam/solaris/AMAgent.properties

    Sample OpenSSO Agent configuration file. This is required for the authentication scheme to validate the OpenSSO session.

6.4 Building Source Files for Oracle Access Manager in OpenSSO

Use the ant script to build the source files. A compatible version of ant must be installed and available in the PATH.

6.4.1 To Build the Source Files for Oracle Access Manager

  1. Run the following command:

    cd $openssozipdir/integrations/oracle; ant -f build.xml

    This command builds source files and generates fam_oam_integration.jar into the $openssozipdir/integrations/oracle/dist directory.

  2. Bundle the authentication module into the OpenSSO WAR file.

    1. Create a temporary directory and unwar the opensso.war. Example:

      # mkdir /export/tmp
      # cd /export/tmp
      # jar -xvf opensso.war
      

      From now on, /export/tmp is used as the WAR staging area and is represented by the macro $WAR_DIR.

    2. Copy $openssozipdir/integrations/oracle/dist/fam_oam_integration.jar to $WAR_DIR/WEB-INF/lib.

    3. Copy $openssozipdir/integrations/oracle/config/OblixAuth.properties to $WAR_DIR/WEB-INF/classes.

    4. Copy $openssozipdir/integrations/oracle/config/OblixAuthModule.xml to $WAR_DIR/config/auth/default, and also to the directory $WAR_DIR/config/auth/default_en.

    5. Re-war opensso.war using jar cvf opensso.war from $WAR_DIR.
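The lib pre-check from section 6.3 and the build-and-stage steps above, as an added POSIX shell script that is not part of the OpenSSO distribution. It assumes the unpacked opensso.zip directory ($openssozipdir) is passed as the first argument, the staging directory ($WAR_DIR) as the second, and the path of opensso.war as the third; the file names and target paths are the ones the procedure lists.

```shell
#!/bin/sh
# Added example (not from the OpenSSO distribution): the section 6.4.1
# procedure as checkable shell functions.
set -e

# Section 6.3: these JARs must be in integrations/oracle/lib before ant runs.
REQUIRED_LIBS="jobaccess.jar openfedlib.jar amserver.jar opensso-sharedlib.jar"

# Return 0 if every required JAR plus a servlet API JAR (servlet.jar or
# javaee.jar) is present under $1/integrations/oracle/lib; otherwise list
# what is missing on stderr and return 1.
check_integration_libs() {
    lib="$1/integrations/oracle/lib"
    missing=""
    for jar in $REQUIRED_LIBS; do
        [ -f "$lib/$jar" ] || missing="$missing $jar"
    done
    [ -f "$lib/servlet.jar" ] || [ -f "$lib/javaee.jar" ] || missing="$missing servlet.jar|javaee.jar"
    if [ -n "$missing" ]; then
        echo "missing in $lib:$missing" >&2
        return 1
    fi
    return 0
}

# Steps 2.2 to 2.4: copy the built JAR, the properties file and the module
# XML into the exploded WAR at the paths the procedure names. Fails if the
# ant output (dist/fam_oam_integration.jar) is absent, i.e. step 1 was skipped.
stage_integration_files() {
    src="$1/integrations/oracle"
    war="$2"
    [ -f "$src/dist/fam_oam_integration.jar" ] || { echo "run ant first" >&2; return 1; }
    mkdir -p "$war/WEB-INF/lib" "$war/WEB-INF/classes" \
             "$war/config/auth/default" "$war/config/auth/default_en"
    cp "$src/dist/fam_oam_integration.jar" "$war/WEB-INF/lib/"
    cp "$src/config/OblixAuth.properties" "$war/WEB-INF/classes/"
    cp "$src/config/OblixAuthModule.xml" "$war/config/auth/default/"
    cp "$src/config/OblixAuthModule.xml" "$war/config/auth/default_en/"
}

# Whole procedure: check libs, build with ant, explode opensso.war into the
# staging area, stage the files, then re-create the WAR from the staging area.
build_and_repackage() {
    check_integration_libs "$1"
    (cd "$1/integrations/oracle" && ant -f build.xml)
    mkdir -p "$2" && (cd "$2" && jar -xf "$3")
    stage_integration_files "$1" "$2"
    (cd "$2" && jar -cf "$3" .)
}
```

Run build_and_repackage "$openssozipdir" "$WAR_DIR" /path/to/opensso.war once ant and the JDK jar tool are in the PATH; the two helper functions can be run on their own to confirm the lib directory and staging layout.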

6.5 (Optional) Build an Authentication Scheme for OpenSSO in Oracle Access Manager

Note: This is not a common use case. You do not have to build this unless it is required, such as in a SAML2 service provider use case.

To build the Oblix authentication scheme, you must customize the makefile. Also, since this is a C-based authentication module, it is operating system-dependent.

6.5.1 To Build an Authentication Scheme for OpenSSO in Oracle Access Manager

Before You Begin

The authentication scheme files are located under the $openssozipdir/integrations/oracle/oamauth/solaris directory.

  1. Download and configure the OpenSSO C-SDK 2.2 version.

    The authn_api.c file contains a reference to the AMAgent.properties file. Modify the file accordingly.

  2. Customize makefile for your environment.

    For example, specify the gcc compile location. Also edit the LDFLAGS to point to your OpenSSO C-SDK lib directory.

  3. Run the make command.

    The make command should result in an authn_api.so file.

6.6 Configuring Single Sign-On Using Oracle Access Manager and Oracle OpenSSO STS

6.6.1 To Configure Single Sign-On Using Oracle Access Manager and Oracle OpenSSO 8.0 Update 2

Before you begin: Web Server 7.x must already be installed and configured. For the Web Server installation instructions, see the following documentation library: http://docs.oracle.com/cd/E18958_01/index.htm.

  1. Install OpenSSO on Web Server 7.x.

  2. Install an OpenSSO Policy Agent on a supported container and configure the agent to work with OpenSSO.

    For installation instructions, see the Policy Agent 3.0 guide for the agent you are using. These guides are available in the following documentation collection:

    http://docs.oracle.com/cd/E19681-01/index.html

  3. Install and configure Oracle Access Manager.

    See the Oracle Access Manager Installation Guide 10g (10.1.4.3):

    http://docs.oracle.com/cd/E15217_01/doc.1014/e12493/toc.htm

  4. Install and configure Oracle Access Manager SDK with Oracle Access Manager.

    See the Oracle Access Manager Installation Guide 10g (10.1.4.3):

    http://docs.oracle.com/cd/E15217_01/doc.1014/e12493/toc.htm

  5. Install Oracle Webgate on the same web container where OpenSSO server is installed. (Web Server 7.x)

    Configure OpenSSO so that it protects only deployURI/UI/* of the OpenSSO web application. Example: /opensso/UI/.../*

    For Oracle Access Manager policies, resources and other configuration details, check the Oracle Access Manager administration guide. Unprotect every other URL in OpenSSO Enterprise. This is sufficient for a simple single sign-on integration scenario; evaluate the policies based on the full integration and other deployment dependencies.

  6. Configure the Authentication Module in OpenSSO.

    1. Access the OpenSSO console.

      The browser redirects to Oracle Access Manager for authentication. After successful authentication, OpenSSO presents a login page. Log in using the OpenSSO admin user name and password.

    2. Import the Oracle Authentication Module service XML file into the OpenSSO configuration.

      The authentication module service can be loaded using the command-line ssoadm utility or the browser-based ssoadm.jsp.

    3. Access http://host:port/opensso/ssoadm.jsp.

    4. Choose the create-service option.

    5. Copy and paste the XML file from $openssozipdir/integrations/oracle/config/OblixAuthService.xml and click Submit.

      This loads the authentication module service into the OpenSSO configuration.

    6. Register the authentication module into the authentication Core service.

      The Core service contains a list of authenticators. Choose the register-auth-module option in http://host:port/opensso/ssoadm.jsp. Enter com.sun.identity.authentication.oblix.OblixAuthModule as the authentication module class name.

    7. Verify that the authentication module is registered to the default realm.

      Access OpenSSO using the URL http://host:port/opensso. In the OpenSSO console, click the default realm, and then click the Authentication tab. Click New to create a new authentication module named OblixAuth.

    8. On the Authentication tab, select the OblixAuth authentication module.

      Configure the Oblix SDK directory. Enable Check Remote User Header Only, and specify the remote header name as OAM_REMOTE_USER. This parameter is configurable based on the deployment. Because the module trusts this header, it must be set by the Oracle Webgate that protects deployURI/UI/* on the same web container (see step 5).

  7. (Optional) Enable the Ignore Profile option in the OpenSSO core authentication service.

    In the OpenSSO console, go to Configuration > Core > Realm Attributes > User Profile. Choose Ignored, and then click Save.

    This configuration prevents OpenSSO from searching for an existing user profile after successful authentication. However, if the user repository used by OpenSSO and Oracle Access Manager is exactly the same, this step is not necessary.

  8. Edit the web server start script to include Oracle Access Manager SDK shared libraries.

    Update LD_LIBRARY_PATH in the startserv script to include the shared libraries from $ACCESSDKDIR/oblix/lib.

  9. Restart the Web Server that contains both OpenSSO and Oracle Webgate.

  10. Update the Login URL for Web Agent value as http://openssohost:openssoport/deployURI/UI/Login?module=OblixAuth.

6.7 To Test Single Sign-On

Access the protected resource from the OpenSSO-protected application. The browser should redirect you to the Oracle Access Manager login page if you are not already authenticated. After successful login, an OpenSSO session is created, and the browser is finally redirected back to the Policy Agent-protected application URL. Based on the policy, you are allowed or denied access to the protected application.

6.8 (Optional) Installing the Oblix AuthScheme into Oracle Access Manager

This is useful when the Oracle Access Manager session must be generated upon validating the OpenSSO session. See Chapter 3, Integrating Oracle Access Manager, in the Sun OpenSSO Enterprise 8.0 Integration Guide for information about relevant use cases.

The Oblix Authentication Schemes are exposed as C authentication modules, and this authentication scheme uses the OpenSSO C-SDK 2.2 version to validate the OpenSSO session. The OpenSSO Authentication Scheme in Oblix reads the OpenSSO client-side configuration from AMAgent.properties. This file must be customized before configuring the authentication module; the build instructions specify the location of this file. The compiled authn_api.so and the other C-SDK libraries must be copied to the $OAM_INSTALL_DIR/access/oblix/lib directory before configuring the Authentication Scheme. The Sun OpenSSO 8.0 Integration Guide shows a sample screen shot illustrating how to configure the Oracle Authentication Scheme; use it as a reference only. For more details, see the latest Oracle Access Manager documentation.

6.9 Integrating the OpenSSO 8.0 Update 2 with Oracle Access Manager

This section provides instructions for implementing single sign-on using OpenSSO 8.0 Update 2 and Oracle Access Manager versions 10.1.4.0.1 and 11g. This information supplements conceptual information contained in Chapter 3, Integrating Oracle Access Manager, in the Sun OpenSSO Enterprise 8.0 Integration Guide. This use case provides a single sign-on experience to OpenSSO-protected applications by honoring an Oracle Access Manager session. The configured OpenSSO authentication module generates an OpenSSO session based on the Oracle Access Manager session.