Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 6 (11.1.6) Part Number E21032-18 |
|
|
PDF · Mobi · ePub |
This chapter describes how to extend the Identity Management domain to include Oracle Identity Federation in an enterprise deployment.
Installing Oracle Identity Federation is optional. You should only perform the steps in this chapter if you intend to use Oracle Identity Federation. This chapter sets up Oracle Identity Federation in Service Provider (SP) mode. Note that the steps in this chapter are complete only with respect to configuring Oracle Identity and Access Management.
You must fully configure your Identity Provider before you switch on Federation in Section 16.12.3, "Switching from Local Authentication to Federation SSO." The steps to configure your Identity Provider are outside the scope of this document.
This chapter contains the following topics:
Section 16.1, "Overview of Extending the Domain to Include Oracle Identity Federation"
Section 16.3, "Configuring Oracle Identity Federation on IDMHOST1"
Section 16.5, "Configuring Oracle Identity Federation on IDMHOST2"
Section 16.6, "Provisioning the Managed Servers on the Local Disk"
Section 16.9, "Enabling Oracle Identity Federation Integration with LDAP Servers"
Section 16.10, "Configuring Oracle Identity Federation to work with the Oracle Web Tier"
Section 16.12, "Integrating Oracle Identity Federation with Oracle Access Manager 11g"
Section 16.13, "Backing Up the Application Tier Configuration"
Oracle Identity Federation is a self-contained, standalone federation server that enables single sign-on and authentication in a multiple-domain identity network and supports the broadest set of federation standards. This enables users to federate in heterogeneous environments and business associations, whether they have implemented other Oracle Identity Management products in their solution set or not.
Before proceeding with Oracle Identity Federation configuration, ensure that you have done the following.
Install and upgrade the software on IDMHOST1 and IDMHOST2 as described in Section 6.3.3, "Installing Oracle WebLogic Server and Creating the Fusion Middleware Home" and Section 6.3.4, "Installing Oracle Identity Management."
Run the Repository Creation Utility (RCU) to create and configure the collection of schemas used by Oracle Identity Federation as described in Chapter 7, "Preparing the Database for an Enterprise Deployment."
Create the Identity Management domain as described in Chapter 9, "Creating the Domain for an Enterprise Deployment."
Install and configure Oracle Internet Directory as described in Chapter 10, "Extending the Domain to Include Oracle Internet Directory.".Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory is used as the User Store and the Federation Store
Install and configure Oracle HTTP Server on WEBHOST1 and WEBHOST2 as described in Chapter 8, "Configuring the Web Tier for an Enterprise Deployment."
Associate the Identity Management domain created with an External LDAP Store as described in Section 11.4.2, "Reassociating the Policy and Credential Store." This is required because Oracle Identity Federation is being extended on a node where the Administration Server is not running.
Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management manual in the Oracle Fusion Middleware documentation library for the platform and version you are using.
If you plan on provisioning the Instance Home or the Managed Server domain directory on shared storage, ensure that the appropriate shared storage volumes are mounted on IDMHOST1 as described in Section 4.3, "About Recommended Locations for the Different Directories."
On UNIX:
Ensure that port 7499
(OIF_PORT
in Section A.3) is not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.
On UNIX:
netstat -an | grep "7499"
If the port is in use (if the command returns output identifying the port), you must free it.
On UNIX:
Remove the entries for port 7499
in the /etc/services
file and restart the services, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.
Create a file containing the ports used by Oracle Internet Directory. On Disk1 of the installation media, locate the file stage/Response/staticports.ini
. Copy it to a file called oif_ports.ini
. Delete all entries in oif_ports.ini
except for Oracle Identity Federation Server Port
. Change the value of that port to 7499
.
Note:
If the port name in the file is slightly different from those listed in this step, use the name in the file.
Start the Oracle Identity Management 11g Configuration Wizard located under the IDM_ORACLE_HOME
/bin directory
as follows:
On UNIX, issue this command:
./config.sh
On Windows, double-click config.exe
On the Welcome screen, click Next.
On the Select Domain screen, select Extend Existing Domain and specify these values:
HostName: ADMINVHN.mycompany.com
Port: 7001
(WLS_ADMIN_PORT
)
UserName: weblogic
User Password: weblogic_user_password
Click Next.
A dialog box with the following message appears:
The selected domain is not a valid Identity Management domain or the installer cannot determine if it is a valid domain. If you created the domain using the Identity Management installer, you can ignore this message and continue. If you did not create the domain using the Identity Management installer, refer to the Identity Management documentation for information on how to verify the domain is valid.
This is a benign warning that you can ignore.
Click Yes to continue.
On the Specify Installation Location screen, specify the following values:
Oracle Middleware Home Location: OIF_MW_HOME
This value is prefilled and cannot be updated.
Oracle Home Directory: idm
This value is prefilled and cannot be updated
WebLogic Server Directory: OIF_MW_HOME
/wlserver_10.3
Oracle Instance Location: OIF_ORACLE_INSTANCE
n
Instance Name: oif1
Click Next.
On the Specify Security Updates screen (if shown), specify the values shown in this example:
Email Address: Provide the email address for your My Oracle Support account.
Oracle Support Password: Provide the password for your My Oracle Support account.
Select I wish to receive security updates via My Oracle Support.
Click Next.
On the Configure Components screen, de-select all the components except Oracle Identity Federation components. Select only Oracle Identity Federation from the Oracle Identity Federation components. Do not select Oracle HTTP Server. Select Clustered.
Click Next.
On the Configure Ports screen, you use the oif_ports.ini
file you created in Step 2 to specify the ports to be used. This enables you to bypass automatic port configuration.
Select Specify Ports using a Configuration File.
In the file name field specify oif_ports.ini
.
Click Save, then click Next.
On the Specify OIF Details screen, specify these values:
PKCS12 Password: password
Confirm Password: Confirm the password
Server Id: WLS_OIF1
Click Next.
On the Select OIF Advanced Flow Attributes screen, specify these values:
Authentication Type: LDAP
User Store: LDAP
Federation Store: RDBMS
User Session Store: RDBMS
(default selection, which cannot be changed for a cluster)
Message Store: RDBMS
(default selection, which cannot be changed for a cluster)
Configuration Store: RDBMS
(default selection, which cannot be changed for a cluster)
Note:
When you choose RDBMS
for the session, message, and configuration data stores during an Advanced installation, the installer creates one data source for all three data stores. If you want to have separate databases for each of these stores, you must configure this after the installation by using the OUI Config Wizard.
Click Next.
On the Authentication LDAP Details screen, specify the following values:
LDAP Type: Select Oracle Internet Directory if you have an Oracle Internet Directory only topology without Oracle Virtual Directory. Otherwise select Oracle Virtual Directory.
LDAP URL: The LDAP URL to connect to your LDAP store in the format: ldaps://LDAP_LBR_HOST:
LDAP_LBR_SSL_PORT
. For example: ldaps://IDSTORE.mycompany.com:636
LDAP Bind DN: cn=orcladmin
LDAP Password: orcladmin_password
User Credential ID Attribute: uid
User Unique ID Attribute: uid
Person Object Class: inetOrgPerson
Base DN: dc=mycompany,dc=com
Click Next.
On the LDAP Attributes for User Data Store screen, specify the following values:
LDAP Type: Select Oracle Internet Directory if you have an Oracle Internet Directory only topology without Oracle Virtual Directory. Otherwise select Oracle Virtual Directory.
LDAP URL: The LDAP URL to connect to your LDAP store in the format: ldaps://LDAP_LBR_HOST:
LDAP_LBR_SSL_PORT
. For example: ldaps://IDSTORE.mycompany.com:636
LDAP Bind DN: cn=orcladmin
LDAP Password: orcladmin_password
User Description Attribute: uid
User ID Attribute: uid
Person Object Class: inetOrgPerson
Base DN: dc=mycompany,dc=com
Click Next.
On the Specify Federation Store Database Details screen, specify the following values.
Host Name: The connect string to your database. For example:
IDMDBHOST1-VIP.mycompany.com:1521:idmdb1^IDMDBHOST2-VIP.mycompany.com:1521:idmdb2@OIFEDG.mycompany.com
Notes:
The Oracle RAC database connect string information must be provided in the format:
host1
:
port1
:
instance1
^
host2
:
port2
:
instance2
@
servicename
During this installation, it is not required for all the Oracle RAC instances to be up. If one Oracle RAC instance is up, the installation can proceed.
It is required that the information provided is complete and accurate. Specifically, the correct host, port, and instance name must be provided for each Oracle RAC instance, and the service name provided must be configured for all the specified Oracle RAC instances.
Any incorrect information entered in the Oracle RAC database connect string has to be corrected manually after the installation.
If you are using Oracle Database 11.2, replace the vip
address and port with the 11.2 SCAN address and port.
UserName: The username for the OIF Schema. For example: edg_oif
Password: oif_user_password
Click Next.
On the Transient Store Database Details screen, specify the values shown in this example:
Host Name: The connect string to your database. For example:
IDMDBHOST1-VIP.mycompany.com:1521:idmdb1^IDMDBHOST2-VIP.mycompany.com:1521:idmdb2@OIFEDG.mycompany.com
UserName: The username for the OIF Schema. For example: edg_oif
Password: oif_user_password
Click Next.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not correct, click Back to modify selections on previous screens. Then click Configure.
On the Configuration Progress screen, view the progress of the configuration.
On the Configuration Complete screen, click Finish to confirm your choice to exit.
Run the oif-upgrade-11.1.1.2.0-11.1.1.6.0.py
script as described in "Updating Configuration Properties in Oracle Identity Federation" in Oracle Fusion Middleware Patching Guide.
Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management in the Oracle Fusion Middleware documentation library for the platform and version you are using.
If you plan to provision the Instance Home or the Managed Server domain directory on shared storage, ensure that the appropriate shared storage volumes are mounted on IDMHOST1 as described in Section 4.3, "About Recommended Locations for the Different Directories."
Ensure that port 7499
(OIF_PORT
in Section A.3) is not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.
On UNIX:
netstat -an | grep "7499"
If the port is in use (if the command returns output identifying the port), you must free it.
On UNIX:
Remove the entries for port 7499
in the /etc/services
file and restart the services, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.
Start the Oracle Identity Management 11g Configuration Wizard located under the IDM_ORACLE_HOME
/bin
directory as follows:
On UNIX, issue this command:
./config.sh
On Windows, double-click config.exe
On the Welcome screen, click Next.
On the Select Domain screen, select the Expand Cluster option and specify these values:
HostName: ADMINVHN.mycompany.com
Port: 7001
UserName: weblogic
User Password: weblogic_user_password
Click Next.
A dialog box with the following message appears:
The selected domain is not a valid Identity Management domain or the installer cannot determine if it is a valid domain. If you created the domain using the Identity Management installer, you can ignore this message and continue. If you did not create the domain using the Identity Management installer, refer to the Identity Management documentation for information on how to verify the domain is valid.
This is a benign warning that you can ignore.
Click Yes to continue.
On the Specify Installation Location screen, specify the following values:
Oracle Middleware Home Location: OIF_MW_HOME
(This value is prefilled and cannot be updated.)
Oracle Home Directory: idm
(This value is prefilled and cannot be updated.)
WebLogic Server Directory: OIF_MW_HOME
/wlserver_10.3
Oracle Instance Location: OIF_ORACLE_INSTANCE
Instance Name: oif2
Click Next.
On the Specify Security Updates screen (if shown), specify the values shown in this example:
Email Address: Provide the email address for your My Oracle Support account.
Oracle Support Password: Provide the password for your My Oracle Support account.
Select I wish to receive security updates via My Oracle Support.
Click Next.
On the Configure Components screen, de-select all the components except Oracle Identity Federation components. Select only Oracle Identity Federation from the Oracle Identity Federation components. Do not select Oracle HTTP Server.
Click Next.
On the Configure Ports screen, you use the oif_ports.ini
file you created in Section 16.3, "Configuring Oracle Identity Federation on IDMHOST1" to specify the ports to be used. This enables you to bypass automatic port configuration.
Select Specify Ports using a Configuration File.
In the file name field specify oif_ports.ini
.
Click Save, then click Next.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not correct, click Back to modify selections on previous screens. Then click Configure.
On the Configuration Progress screen, view the progress of the configuration.
On the Installation Complete screen, click Finish to confirm your choice to exit.
Due to certain limitations, the Oracle Configuration Wizard creates the domain configuration under the Identity Management Oracle home. In this deployment guide, the Oracle home is on shared disk and it is a best practice recommendation to separate the domain configuration from the Oracle home. This section provides the steps to separate the domain. Proceed as follows:
From IDMHOST1, copy the applications directory under the ASERVER_HOME
/config/fmwconfig/servers/wls_oif1
directory to the ASERVER_HOME
/config/fmwconfig/servers/wls_oif2
directory.
cp -rp ASERVER_HOME/config/fmwconfig/servers/wls_oif1/applications user@IDMHOST1:ASERVER_HOME/config/fmwconfig/servers/wls_oif2
On IDMHOST1, pack the Managed Server domain using the pack command located under the ORACLE_COMMON_HOME
/common/bin
directory. Make sure to pass the -managed=true
flag to pack the Managed Server. Type:
ORACLE_COMMON_HOME/common/bin/pack.sh -managed=true \
-domain=path_to_adminServer_domain -template=templateName.jar \
-template_name=templateName
For example
ORACLE_COMMON_HOME/common/bin/pack.sh -managed=true \ -domain=ASERVER_HOME\ -template=managedServer.jar \ -template_name=ManagedServer_Template
Copy the Managed Server template directory from IDMHOST1 to IDMHOST2. For Example:
scp -rp /templates user@IDMHOST2:/templates
Unpack the Managed Server to the local disk on IDMHOST1 using the unpack
command located under the ORACLE_COMMON_HOME
/common/bin
directory.
ORACLE_COMMON_HOME/common/bin/unpack.sh -domain=path_to_domain_on_localdisk \
-template=templateName.jar -app_dir=path_to_appdir_on_localdisk \
-overwrite_domain=true
For example:
ORACLE_COMMON_HOME/common/bin/unpack.sh \ -domain=MSERVER_HOME \ -template=managedServer.jar \ -app_dir=MSERVER_HOME/applications \ -overwrite_domain=true
Unpack the Managed Server to the local disk on IDMHOST2 using the unpack
command located under the ORACLE_COMMON_HOME
/bin
directory.
ORACLE_COMMON_HOME/common/bin/unpack.sh -domain=path_to_domain_on_localdisk \
-template=templateName.jar -app_dir=path_to_appdir_on_localdisk \
-overwrite_domain=true
For example:
ORACLE_COMMON_HOME/common/bin/unpack.sh \ -domain=MSERVER_HOME \ -template=managedServer.jar \ -app_dir=MSERVER_HOME/applications \ -overwrite_domain=true
Restart the Administration server by following the steps in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Validate that the Administration Server started up successfully by opening a browser accessing the Administration Console at http://ADMINVHN.mycompany.com:7001/console
.
Also validate Enterprise Manager by opening a browser and accessing Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em
.
Restart the Managed Servers WLS_OIF1 and WLS_OIF2 as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Validate the configuration of Oracle Identity Federation on IDMHOST1 and IDMHOST2 by accessing the SP metatadata on each host.
On IDMHOST1, access the SP metadata by going to:
http://IDMHOST1.mycompany.com:7499/fed/sp/metadata
On IDMHOST2, access the SP metadata by going to:
http://IDMHOST2.mycompany.com:7499/fed/sp/metadata
All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage Oracle Identity Federation with this tool, you must configure the EM agents with the correct monitoring credentials. Update the credentials for the EM agents associated with IDMHOST1 and IDMHOST2. Follow these steps to complete this task:
Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://
ADMINVHN
.mycompany.com:7001/em
. Log in as the WebLogic user.
From the Domain Home Page, navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.
Click the Configure link for the Target Type Identity Federation Server to go to the Configure Target Page.
On the Configure Target Page, click Change Agent and choose the correct agent for the host.
Update the WebLogic monitoring user name and the WebLogic monitoring password. Enter weblogic
as the WebLogic monitoring user name and the password for the weblogic user as the WebLogic monitoring password.
Click OK to save your changes.
By default, Oracle Identity Federation is not configured to be integrated with LDAP Servers deployed in a high availability configuration. To integrate Oracle Identity Federation with highly available LDAP Servers to serve as user data store, federation data store, or authentication engine, you must configure Oracle Identity Federation based on the LDAP server's function.
Proceed as follows to integrate Oracle Identity Federation with an LDAP Server deployed in a high availability configuration
On IDMHOST1, set environment variables as follows:
Set DOMAIN_HOME
to MSERVER_HOME
.
Set IDM_ORACLE_HOME
to DIR_ORACLE_HOME
.
Set Oracle Identity Federation-specific environment variables by executing the setOIFEnv.sh
script. This script is located under the IDM_ORACLE_HOME
/fed/scripts
directory.
For example:
cd $IDM_ORACLE_HOME/fed/scripts . setOIFEnv.sh
On IDMHOST1, run the WLST
script located under the ORACLE_COMMON_HOME
/bin directory.
cd ORACLE_COMMON_HOME/common/bin
./wlst.sh
Connect to one of the Oracle Identity Federation Managed Servers:
connect()
Enter the username and password to connect to the Oracle Identity Federation Managed Servers. This is the same as the WebLogic Administration user name and password.
Enter the URL to connect to the Oracle Identity Federation Managed Server:
t3://IDMHOST1.mycompany.com:7499
Then enter the following properties, as needed:
To integrate the user data store with a highly available LDAP Server, set the userldaphaenabled
boolean property from the datastore
group to true
:
setConfigProperty('datastore','userldaphaenabled', 'true', 'boolean') Update was successful for: userldaphaenabled
Validate the user data store is integrated with a highly available LDAP store by running:
getConfigProperty('datastore', 'userldaphaenabled') Value(s) for property: true
The userldaphaenabled property must return true
.
To integrate the LDAP authentication engine with a highly available LDAP Server, set the ldaphaenabled
boolean property from the authnengines
group to true
:
setConfigProperty('authnengines','ldaphaenabled', 'true', 'boolean') Update was successful for: ldaphaenabled
Validate the LDAP authentication engine is integrated with a highly available LDAP store by running:
getConfigProperty('authnengines','ldaphaenabled') Value(s) for property: true
The ldaphaenabled
property for the authnengines
group must return true
.
Note:
On IDMHOST1, delete the following directories:
ASERVER_HOME/config/fmwconfig/servers/wls_oif1/applications
ASERVER_HOME/config/fmwconfig/servers/wls_oif2/applications
This section describes how to configure Oracle Access Manager to work with the Oracle Web Tier.
This section contains the following topics:
Before proceeding, ensure that the following tasks have been performed:
Oracle Web Tier has been installed on WEBHOST1 and WEBHOST2.
Oracle Access Manager has been installed and configured on IDMHOST1 and IDMHOST2.
The load balancer has been configured with a virtual host name (sso.myconpany.com
) pointing to the web servers on WEBHOST1 and WEBHOST2.
The load balancer has been configured with a virtual host name (ADMIN.mycompany.com
) pointing to web servers WEBHOST1 and WEBHOST2.
To configure the Oracle Identity Federation application to use the load balancer VIP, follow these steps:
Log in to the Oracle Enterprise Manager Fusion Middleware Control console using the credentials of the Administrative user (for example: weblogic)
.
Navigate to an OIF node in Oracle Enterprise Manager Fusion Middleware Control. the OIF nodes are under Identity and Access in the navigation tree.
From the OIF menu, select Administration, and then Server Properties.
Change the host name to SSO.mycompany.com
and the port to 443
(HTTP_SSL_PORT
).
Select SSL Enabled.
Click Apply.
From the OIF menu in Oracle Enterprise Manager Fusion Middleware Control, select Administration, and then Service Provider.
Change the URL to:
https://SSO.mycompany.com:443/fed/sp
Click Apply.
If you are adding OIF to an existing domain, include OIF in the Web Tier configuration as described inSection 8.3.3, "Create Virtual Hosts to Support Identity Management."
If the configuration is correct, you can access the following URL from a web browser:
https://SSO.mycompany.com/fed/sp/metadata
You should see metadata.
In Service Provider (SP) mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation will create a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.
This section provides the steps to integrate OIF with OAM11g in authentication mode and SP mode.
This section contains the following topics:
Section 16.12.2, "Integrating Oracle Identity Federation with Oracle Access Manager in SP Mode."
Section 16.12.3, "Switching from Local Authentication to Federation SSO."
Before starting this integration, ensure that the following tasks have been performed:
Install and configure Oracle Access Manager as described in Chapter 13, "Configuring Oracle Access Manager 11g."
Install and configure Oracle HTTP Server as described in Section 6.2, "Installing Oracle HTTP Server."
Install and configure WebGate as described in Section 20.5, "Installing and Configuring WebGate 11g."
This section covers the following topics:
In SP mode, Oracle Identity Federation uses federation protocols to authenticate a user, and then requests the authentication module to create an authenticated session at Oracle Access Manager. Oracle Access Manager 11g SP engine is used for this purpose. The engine also provides logout integration. To configure the SP engine, run the setupOIFOAMConfig
script from IDMHOST1.
To perform the integration proceed as follows:
On IDMHOST1:
Set DOMAIN_HOME
to ASERVER_HOME
.
Set IDM_ORACLE_HOME
to IDM_ORACLE_HOME
.
Set the environment by running the setOIFEnv.sh
script in the current shell. The script resides at IDM_ORACLE_HOME
/fed/scripts
.
For example:
cd $IDM_ORACLE_HOME/fed/scripts . setOIFEnv.sh
Edit the file setupOIFOAMIntegration.py
, which is located in: IDM_ORACLE_HOME
/fed/scripts/oam
Locate the line:
setConfigProperty("spengines","oam11guniqueuserid","cn","string")
Change the line to read:
setConfigProperty("spengines","oam11guniqueuserid","uid","string")
Save the file.
Change Directory to IDM_ORACLE_HOME
/fed/scripts/oam
.
Execute the setupOIFOAMConfig
script providing the following input parameters:
oifHost
: Hostname of one off the OIF managed servers
oifPort
: Port number of OIF Managed server
oifAdminHost
: Hostname of WebLogic Admin server
oifAdminPort
: Port number of WebLogic Admin server
oamAdminHost
: Hostname of WebLogic Admin Server
oamAdminPort
: Port number of WebLogic Admin server
agentType
: The agent type used, for example, webgate11g
For Linux, the syntax is:
oifHost=myhost oifPort=portnum oamAdminHost=myhost2 oamAdminPort=portnum2 agentType=webgate11g ./setupOIFOAMConfig.sh
For Windows, the syntax is:
setupOIFOAMConfig.cmd "oifHost=myhost" "oifPort=portnum" "oamAdminHost=myhost2" "oamAdminPort=portnum2" "agentType=webgate11g"
For example:
oifHost=IDMHOST1 oifAdminHost=ADMINVHN oamAdminHost=ADMINVHN oifPort=7499 oifAdminPort=7001 oamAdminPort=7001 agentType=webgate11g ./setupOIFOAMConfig.sh
The script prompts you for the username and password you use to connect to the WebLogic Administration Server, for example, weblogic_idm
.
Sample Output:
Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands OIF admin user : weblogic_idm *OIF admin password:********* OAM admin user : oamadmin *OAM admin password:********* Connecting to t3://ADMINVHN:7001 with userid weblogic ... Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead. Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime) Already in Domain Runtime Tree Already in Domain Runtime Tree Disconnected from weblogic server: AdminServer Connecting to t3://ADMINVHN:7001 with userid weblogic ... Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead. Disconnected from weblogic server: AdminServer Connecting to t3://IDMHOST1:7499 with userid weblogic ... Successfully connected to managed Server 'wls_oif1' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead. Disconnected from weblogic server: wls_oif1 Connecting to t3://ADMINVHN:7001 with userid weblogic ... Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead. Disconnected from weblogic server: AdminServer Connecting to t3://ADMINVHN:7001 with userid weblogic ... Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead. Registration Successful Disconnected from weblogic server: AdminServer
Restart Managed servers WLS_OIF1 and WLS_OIF2 as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Oracle Access Manager ships with an Oracle Identity Federation Authentication Scheme. This scheme needs to be updated before it can be used. To update the scheme, log in to the OAM console as the OAM administration user at: http://ADMIN.mycompany.com/oamconsole
Then perform the following steps:
Click the Policy Configuration tab.
Expand Authentication Schemes under the Shared Components tree.
Select OIFScheme from under the Authentication Schemes and then select Open from the menu.
On the Authentication Schemes page, provide the following information
Challenge URL: https://SSO.mycompany.com:443/fed/user/spoam11g
Context Type: Select external from the list.
Accept the defaults for all other values
Click Apply to update the OIFScheme
.
Note:
Before you perform this operation, Oracle Identity Federation must already be configured for Federation SSO with a Federation IdP, and that IdP must be set as the Default SSO IdP in the OIF Administration Console Service Provider section.
To switch the authentication of the Oracle Access Manager security domain from local authentication to Federation SSO, proceed as follows:
Log in to the OAM console as the OAM administration user.
Navigate to Policy Configuration -> Authentication Schemes -> FAAuthScheme.
Change Challenge Method from FORM
to DAP
.
Set the Authentication Module to DAP
.
Change Challenge URL from /pages/login.jsp
to:
https://SSO.mycompany.com:443/fed/user/spoam11g
Change Context Type from customWar
to external
.
Set the Challenge Parameters field to TAPPartnerId=OIFDAPPartner
.
Click Apply.
After you perform these steps, accessing a Fusion Applications resource protected by the FAAuthScheme triggers the Federation SSO flow and redirects the user to the IdP for authentication. An example of such a Fusion Applications resource might be: https://FS.mycompany.com:443/homePage/faces/AtkHomePageWelcome
Back up the WebLogic Domain, Database, Web Tier, and LDAP directories, as described in Section 21.6.3, "Performing Backups During Installation and Configuration."