Configuring Secure Search with OAM Single Sign-On

You can implement an SSO authentication mechanism for Oracle SES by using Oracle Access Manager.

Ensure that the following components are installed:

To implement the OAM-SSO authentication on Oracle SES, you must configure OHS, Oracle SES, OAM, and OID (for version 10g only).

Configuring OID

This section is applicable only if OID 10g (version or higher) is used in the SES-OAM integration. This configuration is required because the Oracle SES parameter sso_user_guid_header must be used to send the ORCLGUID attribute from OAM to SES, and this can be done only with OID version or higher.


Configuring OID is not required for OID versions 11g and higher.

To configure OID:

  1. Add the following to the LDIF file:

    dn: cn=dsaconfig, cn=configsets,cn=oracle internet directory
    changetype: modify
    add: orclallattrstodn
    orclallattrstodn: cn=orcladmin
  2. Import the LDIF file into OID by using the following command:

    $LDAP_HOME/bin/ldapmodify -D cn=orcladmin -w password -h host -p port -c -v -f ldifFile
  3. To verify that the changes you made to the LDIF file are reflected, use the following command:

    $LDAP_HOME/bin/ldapsearch -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base -h host -p port -w password -D "cn=orcladmin" "objectclass=*"

    You should see orclallattrstodn as an attribute of the dsaconfig entry.

  4. Restart the OAM Access Server and the OAM Identity Server:


Configuring Oracle HTTP Server

To configure OHS, perform the following tasks:

  1. Edit mod_wl_ohs.conf to include the following. The file is available at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/, where instance1 refers to the instance name of OHS.

    <IfModule weblogic_module>
         WebLogicHost [SES host name]
         WebLogicPort [SES HTTP port]
         WLLogFile Convenient Location of the log
    <Location /search/query>
         SetHandler weblogic-handler
    <Location /search/admin>
         SetHandler weblogic-handler
    # For monitor SES URL
    <Location /monitor>
         SetHandler weblogic-handler
    # For Help links in Admin side
    <Location /search/ohw>
         SetHandler weblogic-handler

    For example, if your SES host is sesHost and the port is 8001:

    <IfModule weblogic_module>
         WebLogicHost sesHost
         WebLogicPort 8001
         WLLogFile /scratch/exampleuser/weblogic.log
    <Location /search/query>
         SetHandler weblogic-handler
    <Location /search/admin>
         SetHandler weblogic-handler
    <Location /monitor>
         SetHandler weblogic-handler
    <Location /search/ohw>
         SetHandler weblogic-handler
  2. Edit httpd.conf located at ORACLEOHS_HOME/instances/instance1/config/OHS/ohs1/ to include the following at the end of the file:

    # Include configuration for mod_weblogic
    include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mod_wl_ohs.conf"

    Ensure that this line of code is on a single line.

  3. Restart the HTTP server.

    $ORACLEOHS_HOME/instances/instance1/bin/opmnctl restartproc process-type=OHS

Installing and Configuring WebGate

A WebGate is a Web server plug-in that is shipped out-of-the-box with Oracle Access Manager. The WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization. See Oracle Access Manager Installation Guide for more information on installing a WebGate.

While installing WebGate, you must configure some parameters for the OAM SSO authentication.

Creating a WebGate Instance

Provide the following values while defining a WebGate instance in the Access System Console:

  • AccessGateName: Set as SESAccessGate

  • Description: Set as Secure Enterprise Search Access Gate

  • HostName: This is the host name on which OHS is installed.

  • AccessGate Password: Set a password.

  • Port: This is the port number set during OHS installation.

  • Transport Security: Set to Open.

  • Preferred HTTP Host: The domain for OHS. For example, if the OHS hostname is, then the domain is

  • Ensure that Access Management Service is on.

Installing WebGate

Provide the following parameters while specifying the WebGate configuration details:

  • WebGate ID: Enter SESAccessGate.

  • WebGate Password: The same as AccessGate password.

  • Access Server ID: Obtain this from Access System Console.

  • DNS hostname: Obtain this from Access System Console.

  • Port number: Obtain this from Access System Console.

Updating the WebGate Web Server Configuration

Use the option to automatically update the Web Server configuration.

Integrating OAM with Oracle SES

Perform the following tasks:

  1. Create a login page for Oracle HTTP Server. For example, ORACLEOHS_HOME/ohs/htdocs/login/login.html:

    <title>SES-OAM Test Login Page</title>
    <body bgcolor="white">
    <h1 align="center">SES-OAM SSO Login Page: Sign-In</h1>
    <form method="POST" action="/myaction/test.html">
      <table border="0" cellspacing="5">
          <th align="right">Username:</th>
          <td align="left"><input type="text" name="usernamevar"></td>
          <th align="right">Password:</th>
          <td align="left"><input type="password" name="passwordvar"></td>
          <td align="right"><input type="submit" value="Log In"></td>
          <td align="left"><input type="reset"></td>
  2. Define a form-based authentication in OAM Policy Manager:

    1. From http://OAMHost:OAMPort/access/oblix, select Access System Console, then Access System Configuration, and then Authentication Management.

    2. Create Form Login method with the following options:

      Name: OAMFormLogin

      Description: OAM Form-based login

      Level: 1

      Challenge Method: Form

      Challenge Parameter

      form: /login/login.html

      creds: usernamevar passwordvar

      action: /myaction/test.html

      passthrough: no

      SSL Required: No

      Enabled: Yes

    3. Set up the following plugins under the Plugins tab:





      where obMappingBase is the base DN in the user search in the LDAP directory server, and obMappingFilter is the LDAP filter used to search for a user with a given user ID. The directory login attribute is an attribute defined in the Identity System using a Semantic login type.

    4. Ensure that a default step exists in the Steps tab to use the credential_mapping and validate_password plugins.

  3. Create a policy in the Policy Manager to protect the query application login link using the form authentication created in the previous step:

    1. From http://OAMHost:OAMPort/access/oblix, select Policy Manager, and then Create Policy Domain.

    2. Protect an HTTP resource with /search/query/formlogin.uix as the URL prefix.

    3. In the Authorization Rules tab, add the role myrole. Also set the following:

      Enabled: Yes

      Allow takes precedence: Yes

    4. Under Actions tab for myrole, first add the following return action:

      Type: HeaderVar

      Name: HTTP_USER_GUID

      Return Attribute: orclguid

      Then add the following return action:

      Type: HeaderVar

      Name: HTTP_USER_NAME

      Return Attribute: uid

    5. Under Allow Access tab, ensure that anyone is allowed access.

    6. Enable the new policy under My Policy Domains.

    7. Click Default Rules, and under Authentication Rule, add a rule to use the form login scheme as the Authentication Scheme.

    8. Under Authorization Expression, ensure that myrole is selected for Default Rules.

  4. Create a policy in Policy Manager to protect the HTTP resource "/search/query/" for OAM 10g and the HTTP resource "/search/.../*" for OAM 11g, with the Anonymous Authentication option. The steps are identical to the previous step. However, for step 3g, the form login scheme must be Anonymous Authentication under Authentication Rule.

  5. Configure Oracle SES to use the SSO parameter settings in Table 11-7. To modify the settings, edit ORACLE_HOME/search/tools/weblogic/deploy/plans/QueryPlan.xml.

    See Example 11-2, "SSO Parameters in QueryPlan.xml".

    See Also:

    "Configuring Centralized Logout for 11g [or 10g] WebGate with OAM 11g Servers" in the "Oracle Access Manager Access Administration Guide

    Table 11-7 Oracle SES Parameter Settings in QueryPlan.xml

    Parameter Value










    User name that is sent in sso_username_header when anonymous authentication is used.

    Example: OblixAnonymous


    Optional when OAM 10g is used.

    Depends upon the version of WebGate when OAM 11g is used:

    WebGate 10g


    WebGate 11g



    oam_logout_url is the OAM Logout URL.

    oam_logout_target_url is the OAM Logout Target URL.

    return_url is a page of your choosing that is displayed after users log out. For example, to return to the main search page, set return_url to /search/query/search.

    Example 11-2 SSO Parameters in QueryPlan.xml

     <description>Whether SSO is enabled: true or false. The default is false. </description>
     <description>The SSO vendor name. Supported values are osso or oam.</description>
     <description>The HTTP header name that the SSO server uses to pass the user GUID to SES. The value in the header should match the value of the users canonical attribute for the active identity plugin.</description>
     <description>The HTTP header name that the SSO server uses to pass the search username to SES. The value in the header should match the value of the users authentication attribute for the active identity plugin. Specify REMOTE_USER to use getRemoteUser in the HTTP request to retrieve the username.</description>
     <description>Specify the username of the public user if the SSO server is configured to send a public user name in the sso_username_header for unprotected or anonymously protected resources.</description>
      <description>Specify a URL to redirect to after a user logs out.</description>
  6. Redeploy the query application with the modified deployment plan. To redeploy, run the following command from ORACLE_HOME/search/tools/weblogic/deploy/

    >./ -serverURL t3://<URL of the weblogic server>:<port>  -user Weblogic Username -password SES Admin Password -name Name of the app -plan Location of the deployment plan -process <redeploy or deploy>

    For example, if you install Oracle SES on the host myWlsServer and port 6666, and the Oracle SES admin password is welcome1, then you need to issue the following command:

    > ./ -serverURL t3://myWlsServer:6666/ -user weblogic -password welcome1 -name search_query -plan $ORACLE_HOME/search/tools/weblogic/deploy/plans/QueryPlan.xml -process redeploy