You can implement an SSO authentication mechanism for Oracle SES by using Oracle Access Manager.
Ensure that the following components are installed:
OAM 10.1.4.3.0 or higher. See Oracle Access Manager Installation Guide.
Oracle HTTP Server (OHS) 11g.
Oracle Internet Directory (OID) or any LDAP server supported by OAM for which there is a corresponding Oracle SES Identity plugin.
See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. Also see "Configuring OID" for information on configuring OID.
Oracle HTTP Server WebGate.
You must install OAM and add an entry for WebGate in OAM before installing WebGate. Oracle Access Manager Installation Guide provides detailed information about installing WebGate. Follow the steps as provided in this guide. However, for some steps, such as creating a WebGate instance and installing WebGate, you must provide certain OAM SSO-specific parameters, as listed in "Installing and Configuring WebGate".
To implement the OAM-SSO authentication on Oracle SES, you must configure OHS, Oracle SES, OAM, and OID (for version 10g only).
This section is applicable only if OID 10g (version 10.1.4.3.0 or higher) is used in the SES-OAM integration. This configuration is required because the Oracle SES parameter sso_user_guid_header must be used to send the ORCLGUID attribute from OAM to SES, and this can be done only with OID version 10.1.4.3.0 or higher.
Note:
Configuring OID is not required for OID versions 11g and higher.To configure OID:
Add the following to the LDIF file:
dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory changetype: modify add: orclallattrstodn orclallattrstodn: cn=orcladmin
Import the LDIF file into OID by using the following command:
$LDAP_HOME/bin/ldapmodify -D cn=orcladmin -w password -h host -p port -c -v -f ldifFile
To verify that the changes you made to the LDIF file are reflected, use the following command:
$LDAP_HOME/bin/ldapsearch -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base -h host -p port -w password -D "cn=orcladmin" "objectclass=*"
You should see orclallattrstodn as an attribute of the dsaconfig entry.
Restart the OAM Access Server and the OAM Identity Server:
$OAM_HOME/as/access/oblix/apps/common/bin/restart_access_server $OAM_HOME/is/identity/oblix/apps/common/bin/restart_ois_server
To configure OHS, perform the following tasks:
Edit mod_wl_ohs.conf to include the following. The file is available at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/, where instance1 refers to the instance name of OHS.
<IfModule weblogic_module>
WebLogicHost [SES host name]
WebLogicPort [SES HTTP port]
WLLogFile Convenient Location of the log
</IfModule>
<Location /search/query>
SetHandler weblogic-handler
</Location>
<Location /search/admin>
SetHandler weblogic-handler
</Location>
# For monitor SES URL
<Location /monitor>
SetHandler weblogic-handler
</Location>
# For Help links in Admin side
<Location /search/ohw>
SetHandler weblogic-handler
</Location>
For example, if your SES host is sesHost and the port is 8001:
<IfModule weblogic_module>
WebLogicHost sesHost
WebLogicPort 8001
WLLogFile /scratch/exampleuser/weblogic.log
</IfModule>
<Location /search/query>
SetHandler weblogic-handler
</Location>
<Location /search/admin>
SetHandler weblogic-handler
</Location>
<Location /monitor>
SetHandler weblogic-handler
</Location>
<Location /search/ohw>
SetHandler weblogic-handler
</Location>
Edit httpd.conf located at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/ to include the following at the end of the file:
# Include configuration for mod_weblogic
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mod_wl_ohs.conf"
Ensure that this line of code is on a single line.
Restart the HTTP server.
$ORACLEOHS_HOME/instances/instance1/bin/opmnctl restartproc process-type=OHS
A WebGate is a Web server plug-in that is shipped out-of-the-box with Oracle Access Manager. The WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. See Oracle Access Manager Installation Guide for more information on installing a WebGate.
While installing WebGate, you must configure some parameters for the OAM SSO authentication.
Provide the following values while defining a WebGate instance in the Access System Console:
AccessGateName: Set as SESAccessGate
Description: Set as Secure Enterprise Search Access Gate
HostName: This is the host name on which OHS is installed.
AccessGate Password: Set a password.
Port: This is the port number set during OHS installation.
Transport Security: Set to Open.
Preferred HTTP Host: The domain for OHS. For example, if the OHS hostname is myhost.oracle.com, then the domain is oracle.com.
Ensure that Access Management Service is on.
Provide the following parameters while specifying the WebGate configuration details:
WebGate ID: Enter SESAccessGate.
WebGate Password: The same as AccessGate password.
Access Server ID: Obtain this from Access System Console.
DNS hostname: Obtain this from Access System Console.
Port number: Obtain this from Access System Console.
Perform the following tasks:
Create a login page for Oracle HTTP Server. For example, ORACLEOHS_HOME/ohs/htdocs/login/login.html:
<html>
<head>
<title>SES-OAM Test Login Page</title>
<body bgcolor="white">
<h1 align="center">SES-OAM SSO Login Page: Sign-In</h1>
<form method="POST" action="/myaction/test.html">
<table border="0" cellspacing="5">
<tr>
<th align="right">Username:</th>
<td align="left"><input type="text" name="usernamevar"></td>
</tr>
<tr>
<th align="right">Password:</th>
<td align="left"><input type="password" name="passwordvar"></td>
</tr>
<tr>
<td align="right"><input type="submit" value="Log In"></td>
<td align="left"><input type="reset"></td>
</tr>
</table>
</form>
</html>
Define a form-based authentication in OAM Policy Manager:
From http://OAMHost:OAMPort/access/oblix, select Access System Console, then Access System Configuration, and then Authentication Management.
Create Form Login method with the following options:
Name: OAMFormLogin
Description: OAM Form-based login
Level: 1
Challenge Method: Form
Challenge Parameter
form: /login/login.html
creds: usernamevar passwordvar
action: /myaction/test.html
passthrough: no
SSL Required: No
Enabled: Yes
Set up the following plugins under the Plugins tab:
credential_mapping:
obMappingBase="o=company,c=us",obMappingFilter="(&(&(objectclass=gensiteorgperson)(genuserid=%usernamevar%))(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=ACTIVATED)))"
validate_password:
obCredentialPassword="passwordvar"
where obMappingBase is the base DN in the user search in the LDAP directory server, and obMappingFilter is the LDAP filter used to search for a user with a given user ID. The directory login attribute is an attribute defined in the Identity System using a Semantic login type.
Ensure that a default step exists in the Steps tab to use the credential_mapping and validate_password plugins.
Create a policy in the Policy Manager to protect the query application login link using the form authentication created in the previous step:
From http://OAMHost:OAMPort/access/oblix, select Policy Manager, and then Create Policy Domain.
Protect an HTTP resource with /search/query/formlogin.uix as the URL prefix.
In the Authorization Rules tab, add the role myrole. Also set the following:
Enabled: Yes
Allow takes precedence: Yes
Under Actions tab for myrole, first add the following return action:
Type: HeaderVar
Name: HTTP_USER_GUID
Return Attribute: orclguid
Then add the following return action:
Type: HeaderVar
Name: HTTP_USER_NAME
Return Attribute: uid
Under Allow Access tab, ensure that anyone is allowed access.
Enable the new policy under My Policy Domains.
Click Default Rules, and under Authentication Rule, add a rule to use the form login scheme as the Authentication Scheme.
Under Authorization Expression, ensure that myrole is selected for Default Rules.
Create a policy in Policy Manager to protect the HTTP resource "/search/query/" for OAM 10g and the HTTP resource "/search/.../*" for OAM 11g, with the Anonymous Authentication option. The steps are identical to the previous step. However, for step 3g, the form login scheme must be Anonymous Authentication under Authentication Rule.
Configure Oracle SES to use the SSO parameter settings in Table 11-7. To modify the settings, edit ORACLE_HOME/search/tools/weblogic/deploy/plans/QueryPlan.xml.
See Example 11-2, "SSO Parameters in QueryPlan.xml".
See Also:
"Configuring Centralized Logout for 11g [or 10g] WebGate with OAM 11g Servers" in the "Oracle Access Manager Access Administration GuideTable 11-7 Oracle SES Parameter Settings in QueryPlan.xml
| Parameter | Value |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
User name that is sent in Example: |
|
|
Optional when OAM 10g is used. Depends upon the version of WebGate when OAM 11g is used: WebGate 10g
WebGate 11g
Where:
|
Example 11-2 SSO Parameters in QueryPlan.xml
<variable> <name>sso_enabled</name> <value>true</value> <description>Whether SSO is enabled: true or false. The default is false. </description> </variable> <variable> <name>sso_vendor_name</name> <value>oam</value> <description>The SSO vendor name. Supported values are osso or oam.</description> </variable> <variable> <name>sso_user_guid_header</name> <value>HTTP_USER_GUID</value> <description>The HTTP header name that the SSO server uses to pass the user GUID to SES. The value in the header should match the value of the users canonical attribute for the active identity plugin.</description> </variable> <variable> <name>sso_username_header</name> <value>HTTP_USER_NAME</value> <description>The HTTP header name that the SSO server uses to pass the search username to SES. The value in the header should match the value of the users authentication attribute for the active identity plugin. Specify REMOTE_USER to use getRemoteUser in the HTTP request to retrieve the username.</description> </variable> <variable> <name>sso_public_username</name> <value>OblixAnonymous</value> <description>Specify the username of the public user if the SSO server is configured to send a public user name in the sso_username_header for unprotected or anonymously protected resources.</description> </variable> <variable> <name>sso_logout_return_url</name> <value>/oamsso/logout.html?end_url=/search/query/search</value> <description>Specify a URL to redirect to after a user logs out.</description> </variable>
Redeploy the query application with the modified deployment plan. To redeploy, run the following command from ORACLE_HOME/search/tools/weblogic/deploy/
>./deployer.sh -serverURL t3://<URL of the weblogic server>:<port> -user Weblogic Username -password SES Admin Password -name Name of the app -plan Location of the deployment plan -process <redeploy or deploy>
For example, if you install Oracle SES on the host myWlsServer and port 6666, and the Oracle SES admin password is welcome1, then you need to issue the following command:
> ./deployer.sh -serverURL t3://myWlsServer:6666/ -user weblogic -password welcome1 -name search_query -plan $ORACLE_HOME/search/tools/weblogic/deploy/plans/QueryPlan.xml -process redeploy