This chapter describes how to configure single sign-on (SSO) for administration consoles in an Identity Management Enterprise deployment.
This chapter includes the following topics:
Section 15.4, "Assigning WLSAdmins Group to WebLogic Administration Groups"
Section 15.5, "Authorize Access Manager Administrators to Access APM Console"
Section 15.8, "Validating WebGate and the Access Manager Single Sign-On Setup."
If you have not integrated Oracle Access Management Access Manager with Oracle Identity Manager, you must first create WebLogic Security Providers. Then proceed as follows.
You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, the Oracle HTTP Server intercepts requests for the consoles and forwards them to Access Manager for validation
The administration consoles referred to in the chapter title are:
Oracle Enterprise Manager Fusion Middleware Control
Oracle WebLogic Server Administration Console
Oracle Access Management Console
Oracle Identity Manager Console
Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain:
Configuring Oracle HTTP Server, as described in Chapter 10, "Installing and Configuring Oracle Web Tier for an Enterprise Deployment."
Configuring Access Manager, as described in Chapter 11, "Extending the Domain to Include Oracle Access Management."
Provisioning Weblogic Administrators in LDAP as described in Section 9.4, "Preparing the Identity Store."
When you run idmConfigTool with the configOAM or configOIM option, the tool creates security providers in the domains IDMDomain and OIMDomain. These security providers restrict access to the consoles in those domains based on the security policies of Access Manager. If you have other domains, you must create security providers in those domains manually and then update them as described in the following sections.
Note:
Once you have enabled single sign-on for the administration consoles, ensure that at least one OAM Server is running to enable console access.
If you have used the Oracle Weblogic console to shut down all of the Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again.
To start WLS_OAM1 manually, use the command:
MSERVER_HOME/bin/startManagedWeblogic.sh WLS_OAM1 t3://ADMINVHN:7001
This section describes how to update the security providers to enable single sign on access to the administration consoles. This section should be performed in all domains, which have security providers including ancillary domains which have had them created manually.
This section contains the following topics:
When the OUD authenticator is created, it is created with some missing information, which must be added. If you are using OUD as your identity store, you must add this information by performing the following steps.
Log in to the WebLogic Administration Console.
Click Security Realms from the Domain structure menu.
Click Lock and Edit in the Change Center.
Click myrealm.
Click on Providers.
Click on OUDAuthenticator.
Click on Provider Specific tab.
On the Provider Specific screen update the following values:
All Users Filter: (&(uid=*)(objectclass=person))
User From Name Filter: (&(uid=%u)(objectclass=person))
User Name Attribute: uid
Static Group Object Class: groupofuniquenames
Static Member DN Attribute: uniquemember
Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))
Dynamic Group Name Attribute: cn
Dynamic Group Object Class: groupOfURLs
Dynamic Member URL Attribute: memberURL
Click Save.
Click Activate Changes.
This section sets up an Access Manager asserter to enable you to delegate responsibility for credential collection to Access Manager.
Log in to the WebLogic Administration Console at the URL listed in Section 17.2, "About Identity Management Console URLs."
Click Security Realms from the Domain structure menu.
Click Lock and Edit in the Change Center.
Click myrealm.
Select the Providers tab.
Click Reorder.
Using the arrows on the right hand side order the providers such that the order is:
OAMIDAsserter
OIM Signature Authenticator, if present
OIMAuthenticationProvider, if present
OUD Authenticator, OVDAuthenticator or OIDAuthenticator
Default Authenticator
Default Identity Asserter
Note:
Oracle Identity Manager providers only exist if Oracle Identity Manager has been configured.
Click OK.
Click Activate Changes.
Restart WebLogic Administration Server and all the Managed Servers, as described in Section 17.1, "Starting and Stopping Oracle Identity Management Components."
In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.
In Section 9.4, "Preparing the Identity Store" you created a user called weblogic_idm and assigned it to the group WLSAdmins. To be able to manage WebLogic using this account you must add the WLSAdmins group to the list of Weblogic Administration groups. This section describes how to add the WLSAdmins Group to the list of WebLogic Administrators.
Perform this step for each domain in the topology.
Log in to the WebLogic Administration Server Console at the URL listed in Section 17.2, "About Identity Management Console URLs.".
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the list for predicates and click Next.
On the Edit Arguments Page, Specify WLSAdmins in the Group Argument field and click Add.
Click Finish to return to the Edit Global Rule page.
The Role Conditions table now shows the WLSAdmins Group as an entry.
Click Save to finish adding the Admin role to the WLSAdmins Group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.
By default, only users in the WebLogic administrators group can access the APM console. After SSO is enabled, you will login as an Access Manager Administrator.
To enable this functionality perform the following steps:
Log in to the APM console at http://ADMIN.mycompany.com/apm as WebLogic administrator.
Click the System Configuration tab.
Click Add in the External Role Mapping box.
Click Search.
Select OAMAdministrators from the returned search results.
Click Add Selected.
Click Add Principals.
Update the boot.properties file for the Administration Server with the WebLogic admin user created in LDAP.
You must update boot.properties on each administration server node. Follow the steps in the following sections to update the file.
This section contains the following topics:
On each of the servers in the topology, go the directory:
ASERVER_HOME/servers/serverName/security
For example:
cd ASERVER_HOME/servers/AdminServer/security
Rename the existing boot.properties file.
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=adminUser password=adminUserPassword
For example:
username=weblogic_idm
password=Password for weblogic_idm user
Note:
When you start the Administration Server, the username and password entries in the file get encrypted.
For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
Restart the WebLogic Administration server and all managed servers, as described in Section 17.1, "Starting and Stopping Oracle Identity Management Components."
This section describes how to install and configure WebGate.
This section contains the following topics:
Ensure that the following tasks have been performed before installing the Oracle Web Gate:
Install and configure the Oracle Web Tier as described in Chapter 10.
Ensure Oracle Access Management Access Manager has been configured as described in Chapter 11.
Before starting the installer ensure that Java is installed on your machine.
Start the WebGate installer by issuing the command:
./runInstaller
You are asked to specify the location of the Java Development Kit for example:
WEB_MW_HOME/jrockit_version
On the Welcome screen, click Next.
On the Prerequisites screen, after all the checks have successfully completed, click Next.
On the Installation Location Screen, enter the following information:
Oracle Middleware Home: WEB_MW_HOME
Oracle Home Directory: webgate
Click Next.
On the installation summary screen, click Install.
Click Next.
Click Finish.
Deploy WebGate to Oracle HTTP, as follows:
Execute the command deployWebGateInstance which is located in:
WEBGATE_ORACLE_HOME/webgate/ohs/tools/deployWebGate
The command takes the following arguments:
Oracle HTTP Instance configuration Directory
WebGate Home Directory
For example:
./deployWebGateInstance.sh -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME
Set the library path and change directory.
On Linux systems, set the library path to include the WEB_ORACLE_HOME/lib directory, for example:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib
Then change directory to: WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools
Run the following command to copy the file apache_webgate.template from the WebGate home directory to the WebGate instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf.
On Linux, type:
./EditHttpConf -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME
Copy the files ObAccessClient.xml, cwallet.sso, and password.xml, which were generated when you created the agent from the directory ASERVER_HOME/output/Webgate_IDM_11g on IDMHOST1, to the directory WEB_ORACLE_INSTANCE/config/OHS/component_name/webgate/config
The files aaa_key.pem and aaa_cert.pem were generated when you created the agent from the directory ASERVER_HOME/output/Webgate_IDM_11g on IDMHOST1. Copy the files aaa_key.pem and aaa_cert.pem to the WebGate instance directory WEB_ORACLE_INSTANCE/config/OHS/component_name/webgate/config/simple.
Restart the Oracle HTTP Server as described in Section 17.1, "Starting and Stopping Oracle Identity Management Components."
To validate that WebGate is functioning correctly, open a web browser and go the OAM console URL listed in Section 17.2, "About Identity Management Console URLs."
You now see the Oracle Access Management Login page displayed. Enter your OAM administrator user name (for example, oamadmin) and password and click Login. Then you see theOracle Access Management console displayed.
To validate the single sign-on setup, open a web browser and go the WebLogic Administration Console and to Oracle Enterprise Manager Fusion Middleware Control at the URLs listed in Section 17.2, "About Identity Management Console URLs."
The Oracle Access Management Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.
Back up the Web Tier and WebLogic domain, as described in Section 17.6.3, "Performing Backups During Installation and Configuration."