This chapter provides information to help you integrate with Oracle Access Manager 11g any Oracle ADF applications within the same Identity Management domain.
This chapter provides the following topics:
Introduction to Oracle Platform Security Services and Oracle Application Developer Framework
Integrating OAM 11g With Web Applications Using Oracle ADF Security and the OPSS SSO Framework
A single sign-on (SSO) solution must provide a standard way for applications to login and logout users. After successful authentication, the SSO service is responsible to redirect the user to the appropriate URL.
The Oracle Platform Security Services (OPSS) SSO Framework provides a way to integrate applications in a domain with an SSO solution. Specifically, it provides applications with a common set of APIs across SSO products to handle login, auto login, and logout.
The Oracle Application Developer Framework (ADF) and applications that are coded to Oracle ADF standards interface with the OPSS SSO Framework. For more information about Oracle ADF, see "Oracle Application Developer Framework".
The Oracle Access Manager SSO solution is available out-of-the-box and provides the following to applications that are coded to Oracle ADF standards and the OPSS SSO Framework:
Login (application-driven): Upon accessing a part of a secured artifact that requires authentication, the application triggers authentication and redirects the user to be authenticated by the appropriate solution.
Auto login: A user who has initially accessed an application anonymously registers an account with the application (Oracle Identity Manager, for instance); upon a successful registration, the user is redirected to the authentication URL; the user can also be automatically logged in without being prompted.
Global logout: When a user logs out of one application, the logout propagates across to any other application that is enabled by the solution.
Note:
The OPSS SSO framework does not support multi-level authentication. For more information about choosing an SSO solution, and the Oracle Access Manager 10g solution, see Oracle Fusion Middleware Application Security Guide, chapter 11, "Configuring Single Sign-On in Oracle Fusion Middleware."
The Oracle Application Development Framework is an end-to-end application framework that builds on Java EE standards and open-source technologies to simplify and accelerate implementing service-oriented applications.
The development and run-time environment required to deploy and manage ADF applications is similar in many ways to the environment required for other Java EE applications.
The difference between a typical Java EE environment and an environment that supports Oracle ADF applications is the availability of the Oracle ADF run-time libraries:
In Oracle Fusion Middleware 11g, an Oracle WebLogic Server domain, by default, does not contain the Oracle ADF run-time libraries. However, you can optionally configure or extend your domain to include the Java Run-time Files (JRF). The Oracle ADF run-time libraries are included as part of the JRF component.
The Oracle WebLogic Server domain can be extended with the Java Run-time Files (JRF) domain template, which includes the required Oracle ADF libraries, and other important Oracle-specific technologies.
In Oracle Application Server 10g, each instance of OC4J automatically provided the Oracle ADF run-time libraries required to support Oracle ADF applications.
For information about the types of Java EE environments available in 10g and instructions for upgrading those environments to Oracle Fusion Middleware 11g, refer to the Oracle Fusion Middleware Upgrade Guide for Java EE.
This section describes how to integrate a Web application that uses Oracle ADF security and the OPSS SSO Framework with an Oracle Access Manager 11g SSO security provider for user authentication.
Before the Web application can be run, you must configure the domain-level jps-config.xml file on the application's target Oracle WebLogic Server for the Oracle Access Manager security provider.
The domain-level jps-config.xml file is in the following path and should not be confused with the deployed application's jps-config.xml file:
domain_home/config/fmwconfig/jps-config.xml
Note:
Do not confuse the domain-level jps-config.xml file with the deployed application's jps-config.xml file.
You can use an Oracle JRF WLST script to configure the domain-level jps-config.xml file, either before or after the Web application is deployed. This Oracle JRF WLST script is named as follows:
Linux: wlst.sh
Windows: wlst.cmd
The Oracle JRF WLST script is available in the following path if you are running through JDev:
$JDEV_HOME/oracle_common/common/bin/
In a standalone JRF WebLogic installation, the path is:
$Middleware_home/oracle_common/wlst
Note:
The Oracle JRF WLST script is required. When running WLST for Oracle Java Required Files (JRF), do not use the WLST script under $JDEV_HOME/wlserver_10.3/common/bin.
addOAMSSOProvider(loginuri, logouturi, autologinuri)
Table C-1 defines the expected value for each argument in the addOAMSSOProvider command line.
Table C-1 addOAMSSOProvider Command-line Arguments
Argument | Definition
---|---
loginuri | Specifies the URI of the login page. Note: For ADF security enabled applications, "/<context-root>/adfAuthentication" should be provided for the 'loginuri' parameter. Here is the flow:
logouturi | Specifies the URI of the logout page. Note: For ADF security enabled applications, logouturi should be configured based on logout guidelines in Chapter 15. The
autologinuri | Specifies the URI of the autologin page.
The procedure to configure domain-level jps-config.xml for a Fusion Web application with Oracle ADF Security enabled is part of a larger task. With the exception of the command syntax, all tasks are the same for Oracle Access Manager 10g and 11g.
See Also:
Oracle Fusion Middleware Application Security Guide chapter "Configuring Single Sign-On in Oracle Fusion Middleware" for all tasks involving Oracle Access Manager 10g SSO providers
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference "Infrastructure Security Commands" chapter
All tasks involving Oracle Access Manager 10g SSO are described in the Oracle Fusion Middleware Application Security Guide chapter "Configuring Single Sign-On in Oracle Fusion Middleware."
The SSO service configuration entered with the procedure described in Appendix C, "Integrating Oracle ADF Applications with Oracle Access Manager 11g SSO" is written to the file jps-config.xml. The data specified includes:
A particular SSO service
The auto-login and auto-logout URIs
The authentication level
The query parameters contained in the URLs returned by the selected SSO service
The appropriate settings for token generation
The following fragment of a jps-config.xml file illustrates the configuration of an OAM 11g SSO provider. Some values are merely placeholders for actual content. Your configuration should contain values for your implementation.
See Also:
"SSO Provider Configuration Details"
Example C-1 Sample SSO Configuration for OAM 11g
```xml
<propertySets>
  <!-- Absolute login/logout/auto-login URLs of the OAM server; host:port are placeholders -->
  <propertySet name="props.auth.url">
    <property name="login.url.BASIC" value="http://host:port/oam_login.cgi?level=BASIC"/>
    <property name="login.url.FORM" value="http://host:port/oam_login.cgi?level=FORM"/>
    <property name="login.url.DIGEST" value="http://host:port/oam_login.cgi?level=DIGEST"/>
    <property name="autologin.url" value="http://host:port/obrar.cgi"/>
    <property name="logout.url" value="http://host:port/logout.cgi"/>
    <!-- Names of the query parameters the SSO service expects in its URLs -->
    <property name="param.login.successurl" value="successurl"/>
    <property name="param.login.cancelurl" value="cancelurl"/>
    <property name="param.autologin.targeturl" value="redirectto"/>
    <property name="param.autologin.token" value="cookie"/>
    <property name="param.logout.targeturl" value="targeturl"/>
  </propertySet>
  <!-- Relative URIs; ${app.context} is resolved only for ADF applications -->
  <propertySet name="props.auth.uri">
    <property name="login.url.BASIC" value="/${app.context}/adfauthentication?level=BASIC"/>
    <property name="login.url.FORM" value="/${app.context}/adfauthentication?level=FORM"/>
    <property name="login.url.DIGEST" value="/${app.context}/adfauthentication?level=DIGEST"/>
    <property name="autologin.url" value="/obrar.cgi"/>
    <property name="logout.url" value="/oamsso/logout.html"/>
  </propertySet>
  <!-- Numeric authentication levels for each login scheme -->
  <propertySet name="props.auth.level">
    <property name="level.anonymous" value="0"/>
    <property name="level.BASIC" value="1"/>
    <property name="level.FORM" value="2"/>
    <property name="level.DIGEST" value="3"/>
  </propertySet>
</propertySets>
<serviceProviders>
  <serviceProvider name="sso.provider" class="oracle.security.jps.internal.sso.SsoServiceProvider" type="SSO">
    <description>SSO service provider</description>
  </serviceProvider>
</serviceProviders>
<serviceInstances>
  <serviceInstance name="sso" provider="sso.provider">
    <propertySetRef ref="props.auth.url"/>
    <propertySetRef ref="props.auth.level"/>
    <!-- default.auth.level must be 2 (FORM); token.type must be OAMSSOToken for OAM -->
    <property name="default.auth.level" value="2"/>
    <property name="token.type" value="OAMSSOToken"/>
    <property name="token.provider.class" value="oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl"/>
  </serviceInstance>
</serviceInstances>
<jpsContexts default="default">
  <jpsContext name="default">
    <serviceInstanceRef ref="sso"/>
  </jpsContext>
</jpsContexts>
```
Note the following important points:
Any SSO provider must define the URI for at least the FORM login with the property login.url.FORM. The value need not be a URL.
If the application supports a self-registration page URI or URL, it must be specified with the property autologin.url.
If the SSO solution supports a global logout URI or URL, it must be specified with the property logout.url. The OAM solution supports global logout.
The following properties, illustrated in Example C-1, are optional:
param.login.successurl
param.login.cancelurl
param.autologin.targeturl
param.login.token
param.logout.targeturl
The use of the variable app.context in URI specifications, in values within the property set props.auth.uri for instance, is allowed for only ADF applications when integrating with the Oracle Access Manager solution.
The property sso.provider.class within a service instance of the SSO provider is the fully qualified name of the class implementing a specific SSO solution. In the case of the OAM solution, the provided class name is oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl.
The property name default.auth.level within a service instance of the SSO provider must be set to "2", as illustrated in Example C-1.
The property token.type within a service instance of the SSO provider is required. This token type identifies the token set on the HTTP request by the SSO provider upon a successful authentication; the SSO provider uses this token, after the first time, to ensure that the user does not need to be reauthenticated and that his sign-on is still valid. In the case of the OAM solution, the token type must be OAMSSOToken, as illustrated in Example C-1.
The property token.provider.class within a service instance of the SSO provider is the fully qualified name of the token class, and it is provider-specific.
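The following script is an added example, not part of this appendix or of OPSS, that checks a jps-config.xml fragment against the rules listed above (FORM login URI present, default.auth.level of "2", token.type OAMSSOToken, token.provider.class set, app.context only in ADF applications). It resolves propertySetRef the way the text describes and runs on a constructed fragment wrapped in an assumed jpsConfig root element.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on Example C-1; the <jpsConfig> wrapper is an assumption.
SAMPLE = """<jpsConfig>
 <propertySets>
  <propertySet name="props.auth.uri">
   <property name="login.url.FORM" value="/${app.context}/adfAuthentication?level=FORM"/>
   <property name="autologin.url" value="/obrar.cgi"/>
   <property name="logout.url" value="/oamsso/logout.html"/>
  </propertySet>
 </propertySets>
 <serviceInstances>
  <serviceInstance name="sso" provider="sso.provider">
   <propertySetRef ref="props.auth.uri"/>
   <property name="default.auth.level" value="2"/>
   <property name="token.type" value="OAMSSOToken"/>
   <property name="token.provider.class" value="oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl"/>
  </serviceInstance>
 </serviceInstances>
</jpsConfig>"""

def sso_properties(xml_text, instance="sso"):
    """Effective properties of one serviceInstance: referenced sets first, own properties override."""
    root = ET.fromstring(xml_text)
    sets = {ps.get("name"): {p.get("name"): p.get("value", "") for p in ps.findall("property")}
            for ps in root.iter("propertySet")}
    props = {}
    for si in root.iter("serviceInstance"):
        if si.get("name") == instance:
            for ref in si.findall("propertySetRef"):
                props.update(sets.get(ref.get("ref"), {}))
            props.update({p.get("name"): p.get("value", "") for p in si.findall("property")})
    return props

def check_oam_sso(xml_text, adf_app=True):
    """Return findings against the rules stated for the OAM 11g SSO provider (empty list = ok)."""
    p = sso_properties(xml_text)
    findings = []
    if not p.get("login.url.FORM"):
        findings.append("login.url.FORM is required")
    if p.get("default.auth.level") != "2":
        findings.append("default.auth.level must be 2")
    if p.get("token.type") != "OAMSSOToken":
        findings.append("token.type must be OAMSSOToken")
    if not p.get("token.provider.class"):
        findings.append("token.provider.class is required")
    if not adf_app and any("${app.context}" in v for v in p.values()):
        findings.append("app.context is allowed only for ADF applications")
    return findings
```

Run it against domain_home/config/fmwconfig/jps-config.xml after addOAMSSOProvider to confirm the service instance was written as expected.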
An application that implements self-registration logic and wants to auto-login a user after successful self-registration must call the OPSS autoLogin API; in turn, to allow this call, the application must be granted a code source permission named CredentialMapping with class JpsPermission.
The following fragment of the file system-jazn-data.xml illustrates the specification of this permission to the application MyApp:
```xml
<grant>
  <grantee>
    <codesource>
      <!-- Code source of the deployed application: every file under its server directory -->
      <url>file:${domain.home}/servers/MyApp/-</url>
    </codesource>
  </grantee>
  <permissions>
    <permission>
      <class>oracle.security.jps.JpsPermission</class>
      <name>CredentialMapping</name>
    </permission>
  </permissions>
</grant>
```
As mentioned earlier in this chapter, it is the application that triggers authentication and redirects the user to be authenticated by the appropriate solution. For instance, when the application determines that a user is accessing a part of a secured artifact that requires authentication, application-driven authentication is triggered, in this case using Oracle Access Manager 11g SSO.
To confirm application-driven authentication during run time
Create the application based on the Oracle ADF framework.
Configure the Oracle Access Manager SSO Security provider, as described in "Integrating OAM 11g With Web Applications Using Oracle ADF Security and the OPSS SSO Framework".
Access the protected field and confirm that the application triggers authentication.