Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
  Audience
  Documentation Accessibility
  Related Documents
  Conventions
What's New
  Updates in November 2012 Documentation Refresh for 11g Release 2 (11.1.2)
  Updates in August 2012 Documentation Refresh for 11g Release 2 (11.1.2)
  New and Changed Features for 11g Release 2 (11.1.2)
  Other Significant Changes in this Document for 11g Release 2 (11.1.2)
Part I IdM Integration Topology and Tools
1 Introduction
  1.1 Prerequisites to Integration
  1.2 Integration Topologies
    1.2.1 Basic Integration Topologies
      1.2.1.1 Single Domain Architecture
      1.2.1.2 Double (Split) Domain Architecture
      1.2.1.3 The Three Tier Architecture
      1.2.1.4 Understanding the Web Tier
      1.2.1.5 Understanding the Application Tier
      1.2.1.6 Understanding the Data Tier
    1.2.2 The Enterprise Integration Topology
    1.2.3 Using Multiple Directories for an Identity Store
    1.2.4 Integration Terminology
  1.3 About Oracle Identity Management Components
    1.3.1 Oracle Internet Directory
    1.3.2 Oracle Virtual Directory
    1.3.3 Oracle Access Management Access Manager
      1.3.3.1 A Note About IDMDomain Agents and Webgates
    1.3.4 Oracle Identity Manager
    1.3.5 Oracle Adaptive Access Manager
    1.3.6 Oracle Access Management Identity Federation
    1.3.7 Oracle Identity Navigator
  1.4 Integration Quick Links
  1.5 Common Integration Scenarios
    1.5.1 Resource Protection and Credential Collection Scenarios (Advanced Integration)
      1.5.1.1 Case 1: The User is Authenticated by Access Manager with Oracle Adaptive Access Manager Performing Step Up Authentication
      1.5.1.2 Case 2: User is Not Authenticated by Access Manager
      1.5.1.3 Case 3: User is Authenticated by Access Manager and Oracle Adaptive Access Manager Does Not Perform Step Up Authentication
    1.5.2 Resource Protection and Credential Collection Scenario (Basic Integration)
    1.5.3 Password Management Scenarios
      1.5.3.1 Access Manager Integrated with Oracle Identity Manager
      1.5.3.2 Self-Registration
      1.5.3.3 Password Change
      1.5.3.4 Forgot Password
      1.5.3.5 Account Lock and Unlock
      1.5.3.6 Challenge Setup
      1.5.3.7 Challenge Reset
  1.6 System Requirements and Certification
  1.7 Using My Oracle Support for Additional Troubleshooting Information
2 Using the idmConfigTool Command
  2.1 About the Tool
    2.1.1 When to Use the Tool
    2.1.2 Tasks Performed by the Tool
    2.1.3 Components Supported by the Tool
    2.1.4 Location
    2.1.5 Webgate Types Supported
    2.1.6 Single- and Cross-Domain Scenarios
  2.2 Set Up Environment Variables
  2.3 Syntax and Usage
    2.3.1 Command Syntax
    2.3.2 Requirements
    2.3.3 Generated Files
    2.3.4 Using the Properties File
      2.3.4.1 About the properties File
      2.3.4.2 List of Properties
    2.3.5 Using the Tool for OUD Identity Stores
      2.3.5.1 Creating the Global ACI for OUD
      2.3.5.2 Creating Indexes on OUD Replicas
  2.4 Command Options and Properties
    2.4.1 preConfigIDStore Command
    2.4.2 prepareIDStore Command
      2.4.2.1 prepareIDStore mode=OAM
      2.4.2.2 prepareIDStore mode=OIM
      2.4.2.3 prepareIDStore mode=OAAM
      2.4.2.4 prepareIDStore mode=WLS
      2.4.2.5 prepareIDStore mode=fusion
      2.4.2.6 prepareIDStore mode=all
    2.4.3 configPolicyStore Command
    2.4.4 configOAM Command
    2.4.5 configOIM Command
    2.4.6 postProvConfig Command
    2.4.7 upgradeLDAPUsersForSSO Command
    2.4.8 validate IDStore Command
    2.4.9 validate PolicyStore Command
    2.4.10 validate OAM Command (11g)
    2.4.11 validate OAM Command (10g)
    2.4.12 validate OIM Command
    2.4.13 configOVD Command
    2.4.14 ovdConfigUpgrade Command
    2.4.15 disableOVDAccessConfig Command
    2.4.16 upgradeOIMTo11gWebgate
  2.5 Examples
Part II Core Integrations
3 Enabling LDAP Synchronization in Oracle Identity Manager
  3.1 Enabling Postinstallation LDAP Synchronization
  3.2 Customizing User Creation Through Oracle Identity Manager With Different Custom Object Classes
  3.3 Creating Identity Virtualization Library (libOVD) Adapters and Integrating With Oracle Identity Manager
  3.4 Enabling SSL Between Identity Virtualization Library (libOVD) and the Directory Server
    3.4.1 Enabling SSL Between Identity Virtualization Library (libOVD) and Microsoft Active Directory
    3.4.2 Enabling SSL Between Identity Virtualization Library (libOVD) and iPlanet
    3.4.3 Enabling SSL Between Identity Virtualization Library (libOVD) and OID
  3.5 Provisioning Users and Roles Created Before Enabling LDAP Synchronization to LDAP
  3.6 Disabling LDAP Synchronization
  3.7 Creating OVD Adapters
  3.8 Managing Identity Virtualization Library (libOVD) Adapters
  3.9 Enabling Access Logging for Identity Virtualization Library (libOVD)
  3.10 Configuring LDAP Authentication When LDAP Synchronization is Enabled
4 Configuring Oracle Virtual Directory for Integration with Oracle Identity Manager
  4.1 Creating Oracle Virtual Directory Adapters for Oracle Internet Directory and Active Directory
  4.2 Using the UserManagement Plug-In
    4.2.1 Configuration Parameters
  4.3 Using the Changelog Plug-In
    4.3.1 Deploying the Release 11.1.1.4.0 Changelog Plug-In
    4.3.2 Deploying Changelog Plug-Ins from Prior Releases
    4.3.3 Configuration Parameters
  4.4 Troubleshooting Tips
5 Integrating Oracle Internet Directory with Access Manager
  5.1 Introduction
  5.2 Prerequisites
  5.3 Registering Oracle Internet Directory With Access Manager
    5.3.1 About the LDAP Store Registration Page
    5.3.2 Registering a User Identity Store with Access Manager
    5.3.3 Designating the System Store, Administrators, or the Default Store
  5.4 Setting Up Authentication Providers with WebLogic Server
  5.5 Configuring Authentication Between Access Manager and Your User Identity Store
    5.5.1 About Access Manager Authentication Modules, Plug-ins, and Schemes
    5.5.2 Defining Authentication in Access Manager for Your User Identity Store
    5.5.3 Managing Access Manager Policies that Rely on Your LDAP Store
  5.6 Validating Authentication and Access
6 Configuring Oracle Virtual Directory for Integration with Oracle Access Management Access Manager
  6.1 Creating and Configuring Oracle Virtual Directory Adapters
    6.1.1 Creating and Configuring an LDAP Adapter
      6.1.1.1 Creating an LDAP Adapter
      6.1.1.2 Configuring an LDAP Adapter
    6.1.2 Creating and Configuring a Database Adapter
      6.1.2.1 Creating a Database Adapter
      6.1.2.2 Configuring a Database Adapter
    6.1.3 Creating and Configuring a Custom Adapter
      6.1.3.1 Creating a Custom Adapter
      6.1.3.2 Configuring Custom Adapters
  6.2 Using the OAMPolicyControl Plug-In
    6.2.1 Configuration Parameters
7 Integrating Access Manager and Oracle Identity Manager
  7.1 About the Integration
  7.2 Integration Roadmap
  7.3 Integration Prerequisites
  7.4 Configuring the Identity Store
    7.4.1 Extending Directory Schema for Access Manager
    7.4.2 Creating Users and Groups for Access Manager
    7.4.3 Creating Users and Groups for Oracle Identity Manager
    7.4.4 Creating Users and Groups for Oracle WebLogic Server
  7.5 Configuring Access Manager for Integration
  7.6 Integrating Access Manager with Oracle Identity Manager
  7.7 Configuring Oracle HTTP Server
  7.8 Configuring Centralized Logout
  7.9 Starting Servers with Domain Agent Removed
  7.10 Additional Configuration Tasks
    7.10.1 Migrating from the Domain Agent to 10g Webgate with OHS 11g
      7.10.1.1 Update Webgate Type and ID
      7.10.1.2 Set the Webgate Preferred Host
      7.10.1.3 Create the Oracle Identity Manager SSO Keystore
    7.10.2 Updating SOA Server Default Composite
  7.11 Validating the Integration
    7.11.1 Validate OIM SSOConfig
    7.11.2 Validate Security Provider Configuration
    7.11.3 Validate OIM Domain Credential Store
    7.11.4 Validate Event Handlers for SSO
    7.11.5 Validate SSO Logout Configuration
  7.12 Testing the Integration
  7.13 Troubleshooting Common Problems
    7.13.1 Single Sign-On Issues
      7.13.1.1 Checking HTTP Headers
      7.13.1.2 User is Re-Directed to Wrong Login Page
      7.13.1.3 Login Fails
      7.13.1.4 Oracle Access Management Console Login Page Does Not Display
      7.13.1.5 Authenticated User is Re-Directed to Oracle Identity Manager Login Page
      7.13.1.6 User is Re-Directed to Oracle Identity Manager Login Page
      7.13.1.7 New User is Not Re-Directed to Change Password
      7.13.1.8 User is Re-Directed in a Loop
    7.13.2 Auto-Login Issues
      7.13.2.1 TAP Protocol Issues
      7.13.2.2 NAP Protocol Issues
    7.13.3 Session Termination Issues
    7.13.4 Account Self-Locking Issues
    7.13.5 Miscellaneous Issues
      7.13.5.1 Client Based Login to Oracle Identity Manager Fails
      7.13.5.2 Logout Throws 404 Error
8 Integrating Access Manager and Oracle Adaptive Access Manager
  8.1 About Access Manager and Oracle Adaptive Access Manager Integration
  8.2 Definitions, Acronyms, and Abbreviations
  8.3 OAAM Basic Integration with Access Manager
    8.3.1 Prerequisites
    8.3.2 Start WebLogic Server
    8.3.3 Configuring OAAM Basic Integration with Access Manager
  8.4 OAAM Advanced Integration with Access Manager
    8.4.1 Integration Roadmap
    8.4.2 Integration Prerequisites
    8.4.3 Restarting the Servers
    8.4.4 Creating the OAAM Admin Users and OAAM Groups
    8.4.5 Importing Oracle Adaptive Access Manager Snapshot
    8.4.6 Validating Initial Configuration of Access Manager
    8.4.7 Validating Initial Configuration of Oracle Adaptive Access Manager
    8.4.8 Registering WebGate Using the Oracle Access Management Console
      8.4.8.1 Pre-requisites for WebGate Registration
      8.4.8.2 Configure the 11g WebGate
      8.4.8.3 Register the 11g WebGate as a Partner Using the Oracle Access Management Console
      8.4.8.4 Restarting the OHS WebGate
      8.4.8.5 Validating the WebGate Setup
    8.4.9 Registering the OAAM Server as a Partner Application to Access Manager
    8.4.10 Setting the Agent Password
      8.4.10.1 Adding a Password to the IAMSuiteAgent Profile in the Oracle Access Management Console
      8.4.10.2 Updating the IAMSuiteAgent in the WebLogic Administration Console
    8.4.11 Verifying TAP Partner Registration
      8.4.11.1 Verifying the Challenge URL
      8.4.11.2 Adding the MatchLDAPAttribute Challenge Parameter in the TAPScheme
      8.4.11.3 Validating the IAMSuiteAgent Setup
    8.4.12 Setting Up Access Manager TAP Integration Properties in OAAM
    8.4.13 Configuring a Resource to be Protected with TAPScheme
      8.4.13.1 Creating a New Resource under the Application Domain
      8.4.13.2 Create a New Authentication Policy that Uses TAPScheme to Protect the Resource
    8.4.14 Validating the Access Manager and Oracle Adaptive Access Manager Integration
  8.5 Other Access Manager and OAAM Integration Configuration Tasks
    8.5.1 Configuring Integration to Use TAPScheme to Protect IDM Product Resources in the IAM Suite Application Domain
    8.5.2 Changing the Authentication Level of the TAPScheme Authentication Scheme
    8.5.3 Setting Up Oracle Adaptive Access Manager and Access Manager Integration When Access Manager is in Simple Mode
      8.5.3.1 Configuring Simple Mode Communication with Access Manager
      8.5.3.2 Setting OAAM Properties for Access Manager for Simple Mode
    8.5.4 Configuring Identity Context Claims in the Access Manager and OAAM TAP Integration
    8.5.5 Disabling OAAM Administration Console Protection
    8.5.6 Disabling Step Up Authentication
  8.6 Resource Protection Use Case
    8.6.1 Changing Authentication Level of TAPScheme
    8.6.2 Removing OAAM Administration Console from Protected Higher Level Policy
    8.6.3 Creating a New Policy that Uses TAPScheme to Protect the Resource
    8.6.4 Creating a New OAAM User
    8.6.5 Login Flow Example
    8.6.6 Step Up Authentication Flow
  8.7 Troubleshooting Common Problems
    8.7.1 OAAM Basic Integration with Access Manager
      8.7.1.1 Internet Explorer 7 and OAAM Basic Integration with Access Manager
      8.7.1.2 Access Manager and OAAM Integration and Changes in the Console
      8.7.1.3 OTP Challenge Not Supported in OAAM Basic Integration with Access Manager
      8.7.1.4 Using ConfigureOAAM WLST to Create the Datasource in OAAM Basic Integration with Access Manager
    8.7.2 Login Failure
      8.7.2.1 Non-ASCII Credentials
      8.7.2.2 Mixed Case Logins
      8.7.2.3 Cookie Domain Definition
    8.7.3 Identity Store
      8.7.3.1 Username Attribute Incorrect Setting
      8.7.3.2 In the Access Manager and OAAM Integration TAP Could Not Modify User Attribute
      8.7.3.3 No Synchronization Between Database and LDAP
    8.7.4 Miscellaneous
      8.7.4.1 Integration Failure Due to Network Delay
      8.7.4.2 Changing the TAP Token Version to 2.1
      8.7.4.3 Resource Protected by OAAMAdvanced Scheme Is Not Accessible in Access Manager 11.1.1.4.0 and OAAM 11.1.1.5.0 Integration
      8.7.4.4 Additional Properties to Set If Using OAAMAdvanced Scheme
      8.7.4.5 Accessing LDAP Protected Resource as a Test
9 Integrating Access Manager, OAAM, and OIM
  9.1 About Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager Integration
    9.1.1 Deployment Options for Strong Authentication
    9.1.2 Deployment Options for Password Management
  9.2 Definitions, Acronyms, and Abbreviations
  9.3 Integration Roadmap
  9.4 Integration Prerequisites
  9.5 Install Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager
  9.6 Integrate Access Manager and Oracle Identity Manager
  9.7 Enable LDAP Synchronization for Oracle Identity Manager
  9.8 Integrate Access Manager and Oracle Adaptive Access Manager
  9.9 Integrate Oracle Identity Manager and Oracle Adaptive Access Manager
    9.9.1 Set Oracle Identity Manager Properties for Oracle Adaptive Access Manager
    9.9.2 Update OAAM Properties to Enable Integration Between Oracle Identity Manager and OAAM
    9.9.3 Configure Oracle Identity Manager Credentials in the Credential Store Framework
    9.9.4 Configure Cross Domain Trust Between Oracle Identity Manager and Oracle Adaptive Access Manager
  9.10 Other Configuration Tasks
  9.11 Troubleshooting Common Problems
    9.11.1 User Encounters a Non-Working URL
    9.11.2 User is Redirected in a Loop After User Enters Wrong Password
    9.11.3 Two User Sessions are Created upon Successful Authentication
Part III External SSO Solutions
10 Integrating with Identity Federation
  10.1 Background and Integration Overview
    10.1.1 About Oracle Access Management Identity Federation
    10.1.2 Deployment Options for Identity Federation
    10.1.3 References
  10.2 Integration with Access Manager 11gR2
    10.2.1 Architecture
    10.2.2 Overview of Integration Tasks
    10.2.3 Prerequisites
    10.2.4 Additional Setup
    10.2.5 Register Oracle HTTP Server with Access Manager
    10.2.6 Configure Oracle Identity Federation
      10.2.6.1 Verify the User Data Store
      10.2.6.2 Configure Oracle Identity Federation Authentication Engine
      10.2.6.3 Configure Oracle Identity Federation SP Integration Module
    10.2.7 Configure Access Manager
      10.2.7.1 Configure OIFScheme
      10.2.7.2 Register Oracle Identity Federation as a Trusted Access Manager Partner
    10.2.8 Protecting a Resource with OIFScheme
    10.2.9 Test the Configuration
      10.2.9.1 Test SP Mode Configuration
      10.2.9.2 Test Authentication Mode Configuration
Part IV Monitoring
11 Integrating with Oracle Identity Navigator
  11.1 Enabling Single Sign-On
    11.1.1 Configure a New Resource for the Agent
    11.1.2 Configure Oracle HTTP Server for the Access Manager Domain
    11.1.3 Add New Identity Providers
    11.1.4 Configure Access to Multiple Applications
Part V Additional Identity Store Configuration
12 Configuring an Identity Store with Multiple Directories
  12.1 Overview of Configuring Multiple Directories as an Identity Store
  12.2 Configuring Multiple Directories as an Identity Store: Split Profile
    12.2.1 Prerequisites
    12.2.2 Repository Descriptions
    12.2.3 Setting Up Oracle Internet Directory as a Shadow Directory
    12.2.4 Directory Structure Overview - Shadow Join
    12.2.5 Configuring Oracle Virtual Directory Adapters for Split Profile
    12.2.6 Configuring a Global Consolidated Changelog Plug-in
    12.2.7 Validating the Oracle Virtual Directory Changelog
  12.3 Configuring Multiple Directories as an Identity Store: Distinct User and Group Populations in Multiple Directories
    12.3.1 Directory Structure Overview for Distinct User and Group Populations in Multiple Directories
    12.3.2 Configuring Oracle Virtual Directory Adapters for Distinct User and Group Populations in Multiple Directories
      12.3.2.1 Create Enterprise Directory Adapters
      12.3.2.2 Create Application Directory Adapters
    12.3.3 Creating a Global Plug-in
  12.4 Additional Configuration Tasks
Part VI Appendices
A Verifying Adapters for Multiple Directory Identity Stores by Using ODSM
  A.1 Verifying Oracle Virtual Directory Adapters for Split Profile by Using ODSM
    A.1.1 Verifying User Adapter for Active Directory Server
    A.1.2 Verifying Shadowjoiner User Adapter
    A.1.3 Verifying JoinView Adapter
    A.1.4 Verifying User/Role Adapter for Oracle Internet Directory
    A.1.5 Verifying Changelog Adapter for Active Directory Server
    A.1.6 Verifying Changelog Adapter for Oracle Internet Directory
    A.1.7 Configuring a Global Consolidated Changelog Plug-in
    A.1.8 Validate Oracle Virtual Directory Changelog
  A.2 Verifying Adapters for Distinct User and Group Populations in Multiple Directories by Using ODSM
    A.2.1 User/Role Adapter A1
    A.2.2 User/Role Adapter A2
    A.2.3 Changelog Adapter C1
    A.2.4 Changelog Adapter for Active Directory
    A.2.5 Changelog Adapter C2
    A.2.6 Verifying Oracle Virtual Directory Global Plug-in
    A.2.7 Configuring a Global Consolidated Changelog Plug-in
B The idm.conf File
  B.1 About the idm.conf File
    B.1.1 The Default Access Zone
    B.1.2 The External Access Zone
    B.1.3 The Internal Services Zone
    B.1.4 The Administrative Services Zone
  B.2 Example idm.conf File
Index