This chapter describes how to integrate Oracle Access Manager with Oracle Identity Federation to create an authenticated session.
This section provides background about the integration procedure. Topics include:
About Oracle Identity Federation
Oracle Identity Federation is a standalone, self-contained federation server that enables single sign-on and authentication in a multiple-domain identity network.
The SP integration Engine included with Oracle Identity Federation consists of a servlet that processes requests from the server to create a user authenticated session at the Identity and Access Management (IAM) server. The engine includes several internal plug-ins that allow it to interact with different IAM servers, including Oracle Access Manager.
Two integration modes are described in this chapter:
SP Mode
This mode enables Oracle Identity Federation to authenticate the user and propagate the authentication state to Oracle Access Manager, which maintains the session information.
Authentication Mode
This mode enables Oracle Access Manager to authenticate the user.
Figure 4-1 describes the processing flow in each mode.
In the SP mode, Oracle Identity Federation uses the federation protocols to identify a user, and requests the authentication module to create an authenticated session at Oracle Access Manager. To integrate in SP mode, see "SP Mode Integration Procedure".
In the authentication mode, Oracle Access Manager looks up the user identity in the LDAP store and obtains a session cookie so that the user can access the requested resource, which is protected by either mod_osso or Oracle Access Manager 11g WebGate. To integrate in authentication mode, see "Authentication Mode Integration Procedure".
The tasks required to integrate Oracle Access Manager with Oracle Identity Federation are similar for both modes, with some variation.
Configuring the SP mode requires the following tasks:
Ensure that the necessary components, including Oracle WebLogic Server and Identity Management (IdM) components, are installed and operational.
For details, see Section 4.1.3 and Section 4.1.4.
Register Oracle HTTP Server as a partner with Oracle Access Manager to protect a resource.
For details, see Section 4.2.
Configure the Oracle Identity Federation server to function as a service provider (SP) with Oracle Access Manager.
For details, see Section 4.3.1.
Configure the Oracle Access Manager server to delegate the authentication to Oracle Identity Federation.
For details, see Section 4.3.2.
Test the integration.
For details, see Section 4.5.1.
Authentication Mode Integration Procedure
Configuring the authentication mode requires the following tasks:
Ensure that the necessary components, including Oracle WebLogic Server and Identity Management (IdM) components, are installed and operational.
For details, see Section 4.1.3 and Section 4.1.4.
Register Oracle HTTP Server as a partner with the Oracle Access Manager server to protect a resource.
For details, see Section 4.2.
Configure the Oracle Identity Federation server to function as an identity provider (IdP) with Oracle Access Manager.
For details, see Section 4.4.
Test the integration.
For details, see Section 4.5.2.
You must install the following components prior to undertaking the integration tasks:
Oracle WebLogic Server
Oracle HTTP Server 11g
Oracle Access Manager 11g
Oracle Identity Federation 11g
mod_osso (required in authentication mode)
Note: Refer to the Certification Matrix for platform and version details.
Ensure that the administration and managed servers are up and running.
For testing purposes, identify or create a resource to be protected; for example, create an index.html file to serve as a test resource.
Access the Fusion Middleware Control console for the Oracle Identity Federation server using a URL of the form:
http://oif_host:oif_em_port/em
Verify that all the servers are running.
This section shows how you can register Oracle HTTP Server and either 11g WebGate or mod_osso with Oracle Access Manager, depending on the protection mechanism you have chosen.
This section contains these topics:
Register Oracle HTTP Server and mod_osso with Oracle Access Manager
Register Oracle HTTP Server and WebGate with Oracle Access Manager
Follow these steps to register Oracle HTTP Server and mod_osso with Oracle Access Manager:
Note: MW_HOME represents the Oracle Fusion Middleware Home directory.
Locate the OSSORequest.xml file in the directory:
MW_HOME/Oracle_IDM1/oam/server/rreg/input
Make the necessary changes to the file by setting the host, port, and agent name to appropriate values. The server address is the Oracle Access Manager admin server address and AgentBaseURL must have the Oracle HTTP Server host and port.
Locate the oamreg.sh script, which resides in:
MW_HOME/Oracle_IDM1/oam/server/rreg/bin
Execute the script using this command string (the user is weblogic, and you must supply the password):
./oamreg.sh inband input/OSSORequest.xml
Configure mod_osso with static directives. For instructions see "Configuring mod_osso with Static Directives" in the Oracle Fusion Middleware Application Security Guide.
The script executed in Step 3 generates an osso.conf file in the directory:
MW_HOME/Oracle_IDM1/oam/server/rreg/output/AgentName
Copy the file to the following location:
Oracle_WT1/instances/instance1/config/OHS/ohs1/moduleconf/osso/
Locate the mod_osso.conf file in the directory:
Oracle_WT1/instances/instance1/config/OHS/ohs1/moduleconf
Add these directives to the file:
OssoSecureCookies off
OssoConfigFile path_to_osso.conf_file
Uncomment the Location tag and fill in the protected resource path.
In authentication mode:
<Location /fed/user/authnosso>
require valid-user
AuthType Osso
</Location>
In SP mode:
<Location /protected-url-context/protected-url-path>
require valid-user
AuthType Osso
</Location>
Restart Oracle HTTP Server.
Oracle_WT1/instances/instance1/bin/opmnctl restartproc process-type=OHS
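As an added example (not part of the Oracle documentation or of any Oracle tool), the following Python check parses a mod_osso.conf fragment and confirms that it carries the directives and the mode-specific Location block the steps above add; the sample fragment and its paths are constructed placeholders.

```python
import re
# Protected paths named in the procedure, keyed by integration mode.
EXPECTED_LOCATION = {
    "authentication": "/fed/user/authnosso",
    "sp": "/protected-url-context/protected-url-path",  # placeholder as in the doc
}
# Constructed sample of a mod_osso.conf fragment after the edits above.
SAMPLE_MOD_OSSO_CONF = """
OssoSecureCookies off
OssoConfigFile /Oracle_WT1/instances/instance1/config/OHS/ohs1/moduleconf/osso/osso.conf
<Location /fed/user/authnosso>
    require valid-user
    AuthType Osso
</Location>
"""

def parse_mod_osso_conf(text):
    """Return (top-level directives, {location path: [lines inside the block]})."""
    directives, locations, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>$", line)
        if m:
            current = m.group(1)
            locations[current] = []
        elif line == "</Location>":
            current = None
        elif current is not None:
            locations[current].append(line)
        else:
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    return directives, locations

def check_mod_osso_conf(text, mode):
    """List what is missing for the given mode; an empty list means it matches."""
    problems = []
    directives, locations = parse_mod_osso_conf(text)
    if "OssoConfigFile" not in directives:
        problems.append("OssoConfigFile directive missing")
    elif not directives["OssoConfigFile"].endswith("/moduleconf/osso/osso.conf"):
        problems.append("OssoConfigFile does not point at moduleconf/osso/osso.conf")
    if "OssoSecureCookies" not in directives:
        problems.append("OssoSecureCookies directive missing")
    path = EXPECTED_LOCATION[mode]
    body = locations.get(path)
    if body is None:
        problems.append("no <Location %s> block" % path)
    else:
        for needed in ("require valid-user", "AuthType Osso"):
            if needed not in body:
                problems.append("<Location %s> lacks '%s'" % (path, needed))
    return problems
```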
Integrating Oracle Access Manager 11g WebGate with Oracle Identity Federation requires:
Integrating Oracle Identity Federation with Oracle Access Manager 11g in SP mode (as described in Section 4.3), using the Oracle Single Sign-On (OSSO) SP engine
Enabling logout in the OSSO SP engine: the logout integration with Oracle Access Manager 11g will be performed using the OSSO SP engine, instead of the authentication engine.
Follow these steps to register Oracle HTTP Server and Oracle Access Manager 11g WebGate with Oracle Access Manager for authentication:
Note: In this procedure, MW_HOME represents the Oracle Fusion Middleware Home directory.
Locate the OAM11GRequest.xml file or the OAM11GRequest_short.xml file, which resides in the directory:
MW_HOME/Oracle_IDM1/oam/server/rreg/input
Make the necessary changes to the file.
Locate the oamreg.sh script, which resides in the directory:
MW_HOME/Oracle_IDM1/oam/server/rreg/bin
Execute the script using the command string:
Note: The user is weblogic, and you must supply the password.
./oamreg.sh inband input/OAM11GRequest.xml
or
./oamreg.sh inband input/OAM11GRequest_short.xml
Using the Oracle Access Manager console, create a resource representing the Oracle Identity Federation URL to be protected by Oracle Access Manager for authentication. This URL contains the hostname and port of the Oracle Identity Federation server, and the path to the resource, which is mode-dependent.
For example, in authentication mode:
https://oif-host:oif-port/fed/user/authnoam
And in SP mode:
https://oif-host:oif-port/protected-url-path
Protect this resource with an authentication policy and an authorization policy.
Restart Oracle HTTP Server:
Oracle_WT1/instances/instance1/bin/opmnctl restartproc process-type=OHS
This section describes the remaining steps to integrate Oracle Identity Federation and Oracle Access Manager so that Oracle Identity Federation acts as the SP.
Take these steps to configure Oracle Identity Federation when acting as SP:
Take these steps to generate metadata at the IdP and SP respectively:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Security and Trust.
Click the Provider Metadata tab.
In the Generate Metadata section of the page, using the Provider Type drop-down, select Service Provider.
Click Generate. This creates metadata for the service provider.
Repeat Steps 4 and 5 to generate metadata for the identity provider.
Take these steps to register providers:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Federations.
Click Add. The Add Trusted Provider dialog appears.
Check the Load Metadata box.
Click Choose File, and select the metadata file you generated for the IdP in Section 4.3.1.1, "Generate Provider Metadata".
Repeat the procedure to load metadata for the SP.
Verify that both providers appear in the list of trusted providers.
Take these steps to configure the data store:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Data Stores.
Specify the details of the user data store, as in this example:
In this task, the authentication engine is configured to point to a user data store, enabling Oracle Identity Federation to validate users against that store.
For details, see Section 4.4.4.
This task sets the Identity Provider (IdP) that was created in an earlier task as the default IdP. Take these steps to achieve this task:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Service Provider.
Check the Enable Service Provider box.
For Default SSO Identity Provider, specify the IdP set up in Section 4.3.1.2, "Register the Providers".
Click Apply.
Having generated the IdP/SP metadata and registered those modules, the final task of configuring Oracle Identity Federation for the integration is to provide the Oracle Access Manager server details, so that Oracle Identity Federation can send assertion tokens and direct session management to Oracle Access Manager.
The steps to achieve this are as follows:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Service Provider Integration Modules.
Select the Oracle Single Sign-On tab.
Configure the page as follows:
In the Default SP Integration Module drop-down, select Oracle Single Sign On.
Check the Enable SP Module box.
Check the Logout Enabled box.
Configure these URLs:
Login URL: http://oam_host:oam_port/oam/server/dap/cred_submit
Logout URL: http://oam_host:oam_port/oam/server/logout
where oam_host and oam_port are the host and port number of the Oracle Access Manager server respectively.
Set Username Attribute value to "cn" to match the Oracle Access Manager username attribute.
Click Regenerate.
This action generates a keystore file that contains the keys used to encrypt and decrypt the tokens that are exchanged between the Oracle Access Manager and Oracle Identity Federation servers.
Be sure to save the keystore file using the Save As dialog.
Copy the keystore file to a location within the installation directory of Oracle Access Manager.
Note: Make a note of the location, since you will need to refer to it later.
As a result of performing the task in Section 4.2, "Register Oracle HTTP Server with Oracle Access Manager", clients seeking access to a protected resource are directed to Oracle Access Manager for authentication.
The final task in the integration procedure is to configure Oracle Access Manager to redirect the user to Oracle Identity Federation for authentication. The steps needed to achieve this are as follows:
Log in to the Oracle Access Manager Admin Console.
Select the Policy Configuration tab.
Protect the resource by selecting 'OIFScheme' in the Authentication Scheme drop-down.
Click Apply.
Update the authentication scheme.
In the Policy Configuration tab, in the Shared Components tree, select Authentication Schemes, then OIFScheme.
Take these actions:
In the Challenge URL field, modify the value of OIFHost and port.
Confirm that the value of the Context Type drop-down is set to "external".
Click Apply to save the changes.
Copy the keystore file to a directory under the middleware home in which the Oracle Access Manager server is installed.
Use a WLST command to update the OIFDAP partner block in the oam-config.xml configuration file. The syntax is as follows:
Enter the shell environment by executing:
$DOMAIN_HOME/common/bin/wlst.sh
Connect to the Oracle Access Manager administration server with the following command syntax:
connect('weblogic','password','host:port')
Execute the command to update the partner block in the configuration file:
registerOIFDAPPartner(keystoreLocation=location of keystore file, logoutURL=logoutURL)
where logoutURL is the Oracle Identity Federation logout URL to invoke when the Oracle Access Manager server logs out the user.
For example:
registerOIFDAPPartner(keystoreLocation="/home/pjones/keystore", logoutURL="http://abcdef0123.in.mycorp.com:1200/fed/user/spsloosso?doneURL=http://abc1234567.in.mycorp.com:6001/ngam/pages/logout.jsp")
Add the federated user to the LDAP directory.
Access the Oracle Access Manager administration console with the following syntax:
http://weblogic_host:weblogic_admin_port/console
Navigate to Security Realms, then Users and Groups, then New to create a new user.
Note: Both Oracle Identity Federation and Oracle Access Manager must be able to identify this user; that is, the data store configured against the authentication engine in Section 4.3.1.4 must contain this user.
Restart the administration server and managed servers.
To verify the action you took in Step 7 above, examine the $OAM_HOME/oam/server/config/oam-config.xml file to confirm that the properties in the OIFDAPPartner block were updated as mandated in that step. The logout URL should be of the form:
http://oifhost:oifport/fed/user/spsloosso?doneURL=URLEncoded(host:port/ngam/pages/logout.jsp)
If the configuration is correct, a logout initiated from Oracle Access Manager will cause logout in Oracle Identity Federation.
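As an added example (not Oracle's code and not a WLST script), the following Python builds the logoutURL argument for registerOIFDAPPartner with a URL-encoded doneURL, emits the WLST call for pasting into the wlst.sh shell, and checks a logoutURL read back from the OIFDAPPartner block against the expected form; the host names and ports are constructed placeholders.

```python
from urllib.parse import quote, urlsplit, parse_qs

OIF_LOGOUT_PATH = "/fed/user/spsloosso"      # OIF single logout endpoint from the doc
OAM_LOGOUT_PATH = "/ngam/pages/logout.jsp"   # OAM logout page from the doc

def build_logout_url(oif_host, oif_port, oam_host, oam_port, scheme="http"):
    """OIF logout URL whose doneURL query value is the OAM logout page, URL-encoded."""
    done_url = "%s://%s:%d%s" % (scheme, oam_host, oam_port, OAM_LOGOUT_PATH)
    # safe="" also encodes ':' and '/', so the inner URL survives as one query value.
    return "%s://%s:%d%s?doneURL=%s" % (
        scheme, oif_host, oif_port, OIF_LOGOUT_PATH, quote(done_url, safe=""))

def wlst_register_command(keystore_location, logout_url):
    """The registerOIFDAPPartner call string, quoted for the WLST shell."""
    return 'registerOIFDAPPartner(keystoreLocation="%s", logoutURL="%s")' % (
        keystore_location, logout_url)

def check_logout_url(logout_url, oif_host, oam_host):
    """Problems found in a logoutURL taken from oam-config.xml; empty means it is well-formed."""
    problems = []
    parts = urlsplit(logout_url)
    if parts.hostname != oif_host:
        problems.append("logoutURL host %r is not the OIF host" % parts.hostname)
    if parts.path != OIF_LOGOUT_PATH:
        problems.append("logoutURL path %r is not %s" % (parts.path, OIF_LOGOUT_PATH))
    done = parse_qs(parts.query).get("doneURL", [])
    if len(done) != 1:
        problems.append("doneURL parameter missing or repeated")
        return problems
    # parse_qs has decoded the value once; it must now be a full URL to the OAM page.
    done_parts = urlsplit(done[0])
    if done_parts.hostname != oam_host or done_parts.path != OAM_LOGOUT_PATH:
        problems.append("doneURL %r does not point at the OAM logout page" % done[0])
    # An unencoded doneURL leaves its own '://' visible in the raw query string.
    if "://" in parts.query:
        problems.append("doneURL value is not URL-encoded")
    return problems

if __name__ == "__main__":
    url = build_logout_url("oif.example.com", 1200, "oam.example.com", 6001)
    print(wlst_register_command("/path/to/keystore", url))
    print(check_logout_url(url, "oif.example.com", "oam.example.com"))  # []
```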
The following tasks are required to configure Oracle Identity Federation when acting as IdP:
Take these steps to generate provider metadata:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Server Properties.
Change the host name and port number to the Oracle HTTP Server host and port respectively.
Save the changes.
Navigate to Administration, then Security and Trust.
Click the Provider Metadata tab.
In the Generate Metadata section of the page, using the Provider Type drop-down, select Identity Provider.
Click Generate. This creates metadata for the identity provider.
Take these steps to register the providers:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Federations.
Click Add. The Add Trusted Provider dialog appears.
Check the Load Metadata box.
Click Choose File, and select the metadata file you generated for the IdP in Section 4.4.1.
Repeat the procedure to load metadata for the SP.
Verify that both providers appear in the list of trusted providers.
For details about this step, see Section 4.3.1.3.
This task depends on whether you are configuring an OSSO agent or an Oracle Access Manager 11g Webgate agent.
The steps to configure an OSSO agent are as follows:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Authentication Engines.
In the Default Authentication Engine drop-down, select Oracle Single Sign-On.
Click Apply.
You can also protect Oracle Identity Federation with an Oracle Access Manager 11g WebGate and thus challenge the user through WebGate instead of using mod_osso: in this case, Oracle Identity Federation's Oracle Access Manager authentication engine is used for the integration.
Integrating WebGate with Oracle Identity Federation requires:
Integrating Oracle Identity Federation with Oracle Access Manager 11g in SP mode (as described in Section 4.3), using the OSSO SP Engine
Enabling logout in the OSSO SP engine: the logout integration with Oracle Access Manager 11g will be performed using the OSSO SP engine, instead of the authentication engine.
The steps to configure a WebGate 11g agent are as follows:
Locate the Oracle Identity Federation instance in Fusion Middleware Control.
Navigate to Administration, then Authentication Engines.
Enable the Oracle Access Manager authentication engine.
Enter OAM_REMOTE_USER as the User Unique ID Header.
In the Default Authentication Engine drop-down list, select Oracle Access Manager.
Disable logout, since the logout integration with Oracle Access Manager 11g will be performed with the OSSO SP Engine.
Click Apply.
The final configuration task is to test whether the integration is correctly configured. The steps differ between authentication mode and SP mode.
Take these steps to test for correct configuration in SP mode:
Try accessing the protected resource.
When set up correctly, you should be redirected to an Oracle Identity Federation login page. Verify that user credentials are required on this page.
Enter valid credentials on the login page.
Note: The user should exist in both the Oracle Identity Federation Data Store and in the Oracle Access Manager store.
Check that you are redirected to the protected page.
Verify that the following cookies are created:
OAM_ID
ORA_OSFS_SESSION
OHS Cookie
Take these steps to test for correct configuration in authentication mode:
Start single sign-on (SSO) from the SP test page.
Verify that you are redirected to the Oracle Access Manager login page at the IdP. On this page user credentials are requested.
Enter the relevant credentials and process the page.
Verify that you are redirected to the SP test result page.