4 Configuring Oracle Identity Analytics for Web Access Control

This chapter describes how to authenticate with Oracle Identity Analytics using Web Access Control components. It contains the following sections:

  Section 4.1, "Overview"

  Section 4.2, "Configuring Oracle Identity Analytics For Web Access Control"

  Section 4.3, "To Access Oracle Identity Analytics When Using Web Access Control"

4.1 Overview

Oracle Identity Analytics can be integrated with Web Access Control solutions such as Sun Access Manager, CA's eTrust SiteMinder, Novell's iChain, and others. This allows Oracle Identity Analytics to follow enterprise standards for web application security.

4.2 Configuring Oracle Identity Analytics For Web Access Control

The following two configuration changes need to be made in Oracle Identity Analytics:

  1. Setting up the correct HTTP header variable name in security-context.xml

  2. Setting up the logout URL

4.2.1 To Set Up the HTTP Header

Web Access Control solutions send user information in an HTTP header variable. The value of this header is the user name, which uniquely identifies the user being authenticated. This user name must be the same as the Oracle Identity Analytics user name.

As shown in the following snippet from the security-context.xml configuration file (under the WEB-INF folder in Oracle Identity Analytics), Oracle Identity Analytics is configured to use the value of the sm-user HTTP header variable to authorize a user.

Set the "preAuthEnabled" property to "true", and replace the "sm-user" value of both "preAuthUsernameHeaderKey" and "preAuthPasswordHeaderKey" with the name of the header variable sent by the Web Access Control solution.

<bean id="preAuthAwareAuthenticationProcessingFilter"
      class="com.vaau.commons.springframework.security.filter.PreAuthAwareAuthenticationProcessingFilter">
    <property name="authenticationManager">
        <ref bean="authenticationManager"/>
    </property>
    <property name="authenticationFailureUrl" value="/welcome.action?login_error=true"/>
    <property name="defaultTargetUrl" value="/secure/checkExpiredCredentials.action"/>
    <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
    <property name="formUsernameParameterKey" value="j_username"/>
    <property name="formPasswordParameterKey" value="j_password"/>
    <property name="preAuthEnabled" value="true"/>
    <property name="preAuthUsernameHeaderKey" value="sm-user"/>
    <property name="preAuthPasswordHeaderKey" value="sm-user"/>
    <!-- SM_USER -->
    <property name="exceptionMappings">
        <props>
            <prop key="org.springframework.security.BadCredentialsException">/welcome.action?login_error=true</prop>
            <prop key="org.springframework.security.CredentialsExpiredException">/passwordExpired.action</prop>
        </props>
    </property>
</bean>
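The following Python script is added here as an illustration and is not part of Oracle Identity Analytics. It reads the pre-authentication properties from a security-context.xml bean and applies them to a request's headers the way the filter does: the user name is taken from the configured header only when preAuthEnabled is true, and a small review check flags a configuration that was not completed. The XML sample is constructed, and the function names are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the shipped file): the pre-auth filter bean from
# security-context.xml, trimmed to the properties this check inspects.
SECURITY_CONTEXT_XML = """<beans>
  <bean id="preAuthAwareAuthenticationProcessingFilter"
        class="com.vaau.commons.springframework.security.filter.PreAuthAwareAuthenticationProcessingFilter">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
    <property name="preAuthEnabled" value="true"/>
    <property name="preAuthUsernameHeaderKey" value="sm-user"/>
    <property name="preAuthPasswordHeaderKey" value="sm-user"/>
  </bean>
</beans>"""

def load_preauth_settings(xml_text, bean_id="preAuthAwareAuthenticationProcessingFilter"):
    """Return the value= properties of the pre-auth filter bean as a dict;
    properties set via <ref> (authenticationManager) are skipped."""
    root = ET.fromstring(xml_text)
    for bean in root.iter("bean"):
        if bean.get("id") == bean_id:
            return {p.get("name"): p.get("value")
                    for p in bean.findall("property") if p.get("value") is not None}
    raise ValueError("bean %s not found" % bean_id)

def preauth_username(settings, headers):
    """Mimic the filter's handling of one request: when preAuthEnabled is true,
    the user name is the value of the configured header (HTTP header names are
    case-insensitive). Returns None if pre-auth is off or the header is absent."""
    if settings.get("preAuthEnabled", "false").lower() != "true":
        return None
    key = settings["preAuthUsernameHeaderKey"].lower()
    for name, value in headers.items():
        if name.lower() == key and value.strip():
            return value.strip()
    return None

def check_settings(settings):
    """Findings a reviewer would raise before going live with this configuration."""
    findings = []
    if settings.get("preAuthEnabled", "false").lower() != "true":
        findings.append("preAuthEnabled is not true; header-based login is off")
    if settings.get("preAuthUsernameHeaderKey") == "sm-user":
        findings.append("preAuthUsernameHeaderKey is still the sample value sm-user; "
                        "set it to the header name your Web Access Control solution sends")
    return findings
```

Because the application accepts this header as proof of identity, Oracle Identity Analytics must be reachable only through the Web Access Control solution that sets it.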

4.2.2 To Set Up the Logout URL

For a user to log out of the session completely, the Oracle Identity Analytics default logout URL must be replaced with the logout URL of the Web Access Control solution.

To configure the logout URL in Oracle Identity Analytics, change the following entry in the header.jspf file under the WEB-INF/jspf folder.

Lines 111-122 of the header.jspf file before the modification:

<tr>
    <td height="22">
        <div align="center" style="font-size:10px;">
            <a href="<%=ctx%>/secure/home/home.action" class="hoverUnderline"
               style="color:#000000">Home</a>
            <a href="<%=ctx%>/logout.action" class="hoverUnderline"
               style="color:#000000">Logout</a>
            <a href="<%=ctx%>/docs/userguide/index.html" target="_blank"
               class="hoverUnderline" style="color:#000000">Help</a>
        </div>
    </td>
</tr>

Lines 111-122 of the header.jspf file after the modification:

<tr>
    <td height="22">
        <div align="center" style="font-size:10px;">
            <a href="<%=ctx%>/secure/home/home.action" class="hoverUnderline"
               style="color:#000000">Home</a> |
            <a href="www.vaau.com/logout.jsp" class="hoverUnderline"
               style="color:#000000">Logout</a> |
            <a href="<%=ctx%>/docs/userguide/index.html" target="_blank"
               class="hoverUnderline" style="color:#000000">Help</a>
        </div>
    </td>
</tr>

4.3 To Access Oracle Identity Analytics When Using Web Access Control

End users should use the following URL to access Oracle Identity Analytics:

http://OiaHost:Port/rbacx/j_acegi_security_check

Note:

If the SSO solution allows a specific redirect URL to be set for each application, configure the SSO solution to redirect to the URL provided above.

Because this URL is protected by the SSO solution, the end user is redirected to the SSO login screen and, once successfully authenticated, redirected back to the URL provided. At this point, Oracle Identity Analytics can verify the HTTP header and grant the end user access to the application.