Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 6 (11.1.6)

Part Number E21032-18

16 Extending the Domain to Include Oracle Identity Federation

This chapter describes how to extend the Identity Management domain to include Oracle Identity Federation in an enterprise deployment.

Installing Oracle Identity Federation is optional. You should only perform the steps in this chapter if you intend to use Oracle Identity Federation. This chapter sets up Oracle Identity Federation in Service Provider (SP) mode. Note that the steps in this chapter are complete only with respect to configuring Oracle Identity and Access Management.

You must fully configure your Identity Provider before you switch on Federation in Section 16.12.3, "Switching from Local Authentication to Federation SSO." The steps to configure your Identity Provider are outside the scope of this document.

This chapter contains the following topics:

16.1 Overview of Extending the Domain to Include Oracle Identity Federation

Oracle Identity Federation is a self-contained, standalone federation server that enables single sign-on and authentication in a multiple-domain identity network and supports the broadest set of federation standards. This enables users to federate in heterogeneous environments and business associations, whether they have implemented other Oracle Identity Management products in their solution set or not.

16.2 Prerequisites

Before proceeding with Oracle Identity Federation configuration, ensure that you have done the following.

  1. Install and upgrade the software on IDMHOST1 and IDMHOST2 as described in Section 6.3.3, "Installing Oracle WebLogic Server and Creating the Fusion Middleware Home" and Section 6.3.4, "Installing Oracle Identity Management."

  2. Run the Repository Creation Utility (RCU) to create and configure the collection of schemas used by Oracle Identity Federation as described in Chapter 7, "Preparing the Database for an Enterprise Deployment."

  3. Create the Identity Management domain as described in Chapter 9, "Creating the Domain for an Enterprise Deployment."

  4. Install and configure Oracle Internet Directory as described in Chapter 10, "Extending the Domain to Include Oracle Internet Directory." Oracle Internet Directory is used as the User Store and the Federation Store.

  5. Install and configure Oracle HTTP Server on WEBHOST1 and WEBHOST2 as described in Chapter 8, "Configuring the Web Tier for an Enterprise Deployment."

  6. Associate the Identity Management domain created with an External LDAP Store as described in Section 11.4.2, "Reassociating the Policy and Credential Store." This is required because Oracle Identity Federation is being extended on a node where the Administration Server is not running.

16.3 Configuring Oracle Identity Federation on IDMHOST1

Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management manual in the Oracle Fusion Middleware documentation library for the platform and version you are using.

If you plan on provisioning the Instance Home or the Managed Server domain directory on shared storage, ensure that the appropriate shared storage volumes are mounted on IDMHOST1 as described in Section 4.3, "About Recommended Locations for the Different Directories."

  1. Ensure that port 7499 (OIF_PORT in Section A.3) is not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "7499"
    

    If the port is in use (if the command returns output identifying the port), you must free it.

    On UNIX:

    Remove the entries for port 7499 in the /etc/services file and restart the services, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  2. Create a file containing the port used by Oracle Identity Federation. On Disk1 of the installation media, locate the file stage/Response/staticports.ini. Copy it to a file called oif_ports.ini. Delete all entries in oif_ports.ini except for Oracle Identity Federation Server Port. Change the value of that port to 7499.

    Note:

    If the port name in the file is slightly different from those listed in this step, use the name in the file.

  3. Start the Oracle Identity Management 11g Configuration Wizard located under the IDM_ORACLE_HOME/bin directory as follows:

    On UNIX, issue this command:

    ./config.sh
    

    On Windows, double-click config.exe

  4. On the Welcome screen, click Next.

  5. On the Select Domain screen, select Extend Existing Domain and specify these values:

    • HostName: ADMINVHN.mycompany.com

    • Port: 7001 (WLS_ADMIN_PORT)

    • UserName: weblogic

    • User Password: weblogic_user_password

    Click Next.

  6. A dialog box with the following message appears:

    The selected domain is not a valid Identity Management domain or the installer cannot determine if it is a valid domain. If you created the domain using the Identity Management installer, you can ignore this message and continue. If you did not create the domain using the Identity Management installer, refer to the Identity Management documentation for information on how to verify the domain is valid.
    

    This is a benign warning that you can ignore.

    Click Yes to continue.

  7. On the Specify Installation Location screen, specify the following values:

    • Oracle Middleware Home Location: OIF_MW_HOME

      This value is prefilled and cannot be updated.

    • Oracle Home Directory: idm

      This value is prefilled and cannot be updated

    • WebLogic Server Directory: OIF_MW_HOME/wlserver_10.3

    • Oracle Instance Location: OIF_ORACLE_INSTANCE

    • Instance Name: oif1

    Click Next.

  8. On the Specify Security Updates screen (if shown), specify the values shown in this example:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Select I wish to receive security updates via My Oracle Support.

    Click Next.

  9. On the Configure Components screen, de-select all the components except Oracle Identity Federation components. Select only Oracle Identity Federation from the Oracle Identity Federation components. Do not select Oracle HTTP Server. Select Clustered.

    Click Next.

  10. On the Configure Ports screen, you use the oif_ports.ini file you created in Step 2 to specify the ports to be used. This enables you to bypass automatic port configuration.

    1. Select Specify Ports using a Configuration File.

    2. In the file name field specify oif_ports.ini.

    3. Click Save, then click Next.

  11. On the Specify OIF Details screen, specify these values:

    • PKCS12 Password: password

    • Confirm Password: Confirm the password

    • Server Id: WLS_OIF1

    Click Next.

  12. On the Select OIF Advanced Flow Attributes screen, specify these values:

    • Authentication Type: LDAP

    • User Store: LDAP

    • Federation Store: RDBMS

    • User Session Store: RDBMS (default selection, which cannot be changed for a cluster)

    • Message Store: RDBMS (default selection, which cannot be changed for a cluster)

    • Configuration Store: RDBMS (default selection, which cannot be changed for a cluster)

    Note:

    When you choose RDBMS for the session, message, and configuration data stores during an Advanced installation, the installer creates one data source for all three data stores. If you want to have separate databases for each of these stores, you must configure this after the installation by using the OUI Config Wizard.

    Click Next.

  13. On the Authentication LDAP Details screen, specify the following values:

    • LDAP Type: Select Oracle Internet Directory if you have an Oracle Internet Directory only topology without Oracle Virtual Directory. Otherwise select Oracle Virtual Directory.

    • LDAP URL: The LDAP URL to connect to your LDAP store in the format: ldaps://LDAP_LBR_HOST:LDAP_LBR_SSL_PORT. For example: ldaps://IDSTORE.mycompany.com:636

    • LDAP Bind DN: cn=orcladmin

    • LDAP Password: orcladmin_password

    • User Credential ID Attribute: uid

    • User Unique ID Attribute: uid

    • Person Object Class: inetOrgPerson

    • Base DN: dc=mycompany,dc=com

    Click Next.

  14. On the LDAP Attributes for User Data Store screen, specify the following values:

    • LDAP Type: Select Oracle Internet Directory if you have an Oracle Internet Directory only topology without Oracle Virtual Directory. Otherwise select Oracle Virtual Directory.

    • LDAP URL: The LDAP URL to connect to your LDAP store in the format: ldaps://LDAP_LBR_HOST:LDAP_LBR_SSL_PORT. For example: ldaps://IDSTORE.mycompany.com:636

    • LDAP Bind DN: cn=orcladmin

    • LDAP Password: orcladmin_password

    • User Description Attribute: uid

    • User ID Attribute: uid

    • Person Object Class: inetOrgPerson

    • Base DN: dc=mycompany,dc=com

    Click Next.

  15. On the Specify Federation Store Database Details screen, specify the following values.

    • Host Name: The connect string to your database. For example:

      IDMDBHOST1-VIP.mycompany.com:1521:idmdb1^IDMDBHOST2-VIP.mycompany.com:1521:idmdb2@OIFEDG.mycompany.com

      Notes:

      • The Oracle RAC database connect string information must be provided in the format:

        host1:port1:instance1^host2:port2:instance2@servicename

      • During this installation, it is not required for all the Oracle RAC instances to be up. If one Oracle RAC instance is up, the installation can proceed.

      • It is required that the information provided is complete and accurate. Specifically, the correct host, port, and instance name must be provided for each Oracle RAC instance, and the service name provided must be configured for all the specified Oracle RAC instances.

        Any incorrect information entered in the Oracle RAC database connect string has to be corrected manually after the installation.

      • If you are using Oracle Database 11.2, replace the VIP address and port with the 11.2 SCAN address and port.

    • UserName: The username for the OIF Schema. For example: edg_oif

    • Password: oif_user_password

    Click Next.

  16. On the Transient Store Database Details screen, specify the values shown in this example:

    • Host Name: The connect string to your database. For example:

      IDMDBHOST1-VIP.mycompany.com:1521:idmdb1^IDMDBHOST2-VIP.mycompany.com:1521:idmdb2@OIFEDG.mycompany.com

    • UserName: The username for the OIF Schema. For example: edg_oif

    • Password: oif_user_password

    Click Next.

  17. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not correct, click Back to modify selections on previous screens. Then click Configure.

  18. On the Configuration Progress screen, view the progress of the configuration.

  19. On the Configuration Complete screen, click Finish to confirm your choice to exit.
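The Oracle RAC connect string entered in Step 15 and Step 16 (host1:port1:instance1^host2:port2:instance2@servicename) is not validated by the installer, and the notes above say that a mistake has to be corrected manually afterwards. The following pre-flight check is an added example, not part of this guide or of the Oracle installer: it parses the string into its RAC node entries and service name and rejects malformed entries, duplicated instance names and out-of-range ports before you type the value into the wizard. It only inspects the string; it does not connect to the database.

```python
"""Pre-flight validation of an Oracle RAC connect string in the form the
OIF configuration wizard expects:
    host1:port1:instance1^host2:port2:instance2@servicename
A single entry (for example an 11.2 SCAN address) is also accepted.
Added example; not part of the Oracle guide or installer."""
import re
from typing import Dict, List

# Assumption: VIP and SCAN names are plain DNS host names (RFC 1123 labels).
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Instance and service names: letter first, then letters, digits, _ $ # . -
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#.-]*$")


def parse_rac_connect_string(conn: str) -> Dict[str, object]:
    """Split the connect string into RAC nodes and the service name.

    Raises ValueError naming the offending part so the error is caught
    before the wizard writes the value into the domain configuration."""
    if conn.count("@") != 1:
        raise ValueError("expected exactly one '@' between the node list and the service name")
    nodes_part, service = conn.split("@")
    if not _NAME_RE.match(service):
        raise ValueError(f"invalid service name: {service!r}")

    nodes: List[Dict[str, object]] = []
    seen_instances = set()
    for idx, entry in enumerate(nodes_part.split("^"), start=1):
        fields = entry.split(":")
        if len(fields) != 3:
            raise ValueError(f"node {idx} must be host:port:instance, got {entry!r}")
        host, port, instance = fields
        if not _HOST_RE.match(host):
            raise ValueError(f"node {idx}: invalid host {host!r}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"node {idx}: invalid port {port!r}")
        if not _NAME_RE.match(instance):
            raise ValueError(f"node {idx}: invalid instance name {instance!r}")
        # Each RAC instance must be listed once; a repeated name is almost
        # always a copy-and-paste slip in the second entry.
        if instance in seen_instances:
            raise ValueError(f"node {idx}: instance {instance!r} listed more than once")
        seen_instances.add(instance)
        nodes.append({"host": host, "port": int(port), "instance": instance})
    return {"nodes": nodes, "service": service}


def is_valid_rac_connect_string(conn: str) -> bool:
    """Boolean wrapper for use in scripts that only need a yes/no answer."""
    try:
        parse_rac_connect_string(conn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The value used as the example in Step 15 of this chapter.
    example = ("IDMDBHOST1-VIP.mycompany.com:1521:idmdb1^"
               "IDMDBHOST2-VIP.mycompany.com:1521:idmdb2@OIFEDG.mycompany.com")
    print(parse_rac_connect_string(example))
```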

16.4 Run Upgrade Script

Run the oif-upgrade-11.1.1.2.0-11.1.1.6.0.py script as described in "Updating Configuration Properties in Oracle Identity Federation" in Oracle Fusion Middleware Patching Guide.

16.5 Configuring Oracle Identity Federation on IDMHOST2

  1. Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management in the Oracle Fusion Middleware documentation library for the platform and version you are using.

  2. If you plan to provision the Instance Home or the Managed Server domain directory on shared storage, ensure that the appropriate shared storage volumes are mounted on IDMHOST2 as described in Section 4.3, "About Recommended Locations for the Different Directories."

  3. Ensure that port 7499 (OIF_PORT in Section A.3) is not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "7499"
    

    If the port is in use (if the command returns output identifying the port), you must free it.

    On UNIX:

    Remove the entries for port 7499 in the /etc/services file and restart the services, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  4. Start the Oracle Identity Management 11g Configuration Wizard located under the IDM_ORACLE_HOME/bin directory as follows:

    On UNIX, issue this command:

    ./config.sh
    

    On Windows, double-click config.exe

  5. On the Welcome screen, click Next.

  6. On the Select Domain screen, select the Expand Cluster option and specify these values:

    • HostName: ADMINVHN.mycompany.com

    • Port: 7001

    • UserName: weblogic

    • User Password: weblogic_user_password

    Click Next.

  7. A dialog box with the following message appears:

    The selected domain is not a valid Identity Management domain or the installer cannot determine if it is a valid domain. If you created the domain using the Identity Management installer, you can ignore this message and continue. If you did not create the domain using the Identity Management installer, refer to the Identity Management documentation for information on how to verify the domain is valid.
    

    This is a benign warning that you can ignore.

    Click Yes to continue.

  8. On the Specify Installation Location screen, specify the following values:

    • Oracle Middleware Home Location: OIF_MW_HOME (This value is prefilled and cannot be updated.)

    • Oracle Home Directory: idm (This value is prefilled and cannot be updated.)

    • WebLogic Server Directory: OIF_MW_HOME/wlserver_10.3

    • Oracle Instance Location: OIF_ORACLE_INSTANCE

    • Instance Name: oif2

    Click Next.

  9. On the Specify Security Updates screen (if shown), specify the values shown in this example:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Select I wish to receive security updates via My Oracle Support.

    Click Next.

  10. On the Configure Components screen, de-select all the components except Oracle Identity Federation components. Select only Oracle Identity Federation from the Oracle Identity Federation components. Do not select Oracle HTTP Server.

    Click Next.

  11. On the Configure Ports screen, you use the oif_ports.ini file you created in Section 16.3, "Configuring Oracle Identity Federation on IDMHOST1" to specify the ports to be used. This enables you to bypass automatic port configuration.

    1. Select Specify Ports using a Configuration File.

    2. In the file name field specify oif_ports.ini.

    3. Click Save, then click Next.

  12. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not correct, click Back to modify selections on previous screens. Then click Configure.

  13. On the Configuration Progress screen, view the progress of the configuration.

  14. On the Installation Complete screen, click Finish to confirm your choice to exit.

16.6 Provisioning the Managed Servers on the Local Disk

Due to certain limitations, the Oracle Configuration Wizard creates the domain configuration under the Identity Management Oracle home. In this deployment guide, the Oracle home is on shared disk and it is a best practice recommendation to separate the domain configuration from the Oracle home. This section provides the steps to separate the domain. Proceed as follows:

  1. From IDMHOST1, copy the applications directory under the ASERVER_HOME/config/fmwconfig/servers/wls_oif1 directory to the ASERVER_HOME/config/fmwconfig/servers/wls_oif2 directory.

    cp -rp ASERVER_HOME/config/fmwconfig/servers/wls_oif1/applications ASERVER_HOME/config/fmwconfig/servers/wls_oif2
    
  2. On IDMHOST1, pack the Managed Server domain using the pack command located under the ORACLE_COMMON_HOME/common/bin directory. Make sure to pass the -managed=true flag to pack the Managed Server. Type:

    ORACLE_COMMON_HOME/common/bin/pack.sh -managed=true \
       -domain=path_to_adminServer_domain -template=templateName.jar \
       -template_name=templateName
    

    For example

    ORACLE_COMMON_HOME/common/bin/pack.sh -managed=true \
      -domain=ASERVER_HOME \
      -template=managedServer.jar \
      -template_name=ManagedServer_Template
    
  3. Copy the Managed Server template directory from IDMHOST1 to IDMHOST2. For Example:

    scp -rp /templates user@IDMHOST2:/templates
    
  4. Unpack the Managed Server to the local disk on IDMHOST1 using the unpack command located under the ORACLE_COMMON_HOME/common/bin directory.

    ORACLE_COMMON_HOME/common/bin/unpack.sh -domain=path_to_domain_on_localdisk \
    -template=templateName.jar -app_dir=path_to_appdir_on_localdisk \
    -overwrite_domain=true
    

    For example:

    ORACLE_COMMON_HOME/common/bin/unpack.sh \
    -domain=MSERVER_HOME \
    -template=managedServer.jar \
    -app_dir=MSERVER_HOME/applications \
    -overwrite_domain=true
    
  5. Unpack the Managed Server to the local disk on IDMHOST2 using the unpack command located under the ORACLE_COMMON_HOME/common/bin directory.

    ORACLE_COMMON_HOME/common/bin/unpack.sh -domain=path_to_domain_on_localdisk \
    -template=templateName.jar -app_dir=path_to_appdir_on_localdisk \
    -overwrite_domain=true
    

    For example:

    ORACLE_COMMON_HOME/common/bin/unpack.sh \
    -domain=MSERVER_HOME \
    -template=managedServer.jar \
    -app_dir=MSERVER_HOME/applications \
    -overwrite_domain=true
    
  6. Restart the Administration server by following the steps in Section 21.1, "Starting and Stopping Oracle Identity Management Components."

  7. Validate that the Administration Server started up successfully by opening a browser accessing the Administration Console at http://ADMINVHN.mycompany.com:7001/console.

    Also validate Enterprise Manager by opening a browser and accessing Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em.

  8. Restart the Managed Servers WLS_OIF1 and WLS_OIF2 as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."

16.7 Validating Oracle Identity Federation

Validate the configuration of Oracle Identity Federation on IDMHOST1 and IDMHOST2 by accessing the SP metadata on each host.

On IDMHOST1, access the SP metadata by going to:

http://IDMHOST1.mycompany.com:7499/fed/sp/metadata

On IDMHOST2, access the SP metadata by going to:

http://IDMHOST2.mycompany.com:7499/fed/sp/metadata

16.8 Configure the Enterprise Manager Agents

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage Oracle Identity Federation with this tool, you must configure the EM agents with the correct monitoring credentials. Update the credentials for the EM agents associated with IDMHOST1 and IDMHOST2. Follow these steps to complete this task:

  1. Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em. Log in as the WebLogic user.

  2. From the Domain Home Page, navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.

    • Click the Configure link for the Target Type Identity Federation Server to go to the Configure Target Page.

    • On the Configure Target Page, click Change Agent and choose the correct agent for the host.

    • Update the WebLogic monitoring user name and the WebLogic monitoring password. Enter weblogic as the WebLogic monitoring user name and the password for the weblogic user as the WebLogic monitoring password.

    • Click OK to save your changes.

16.9 Enabling Oracle Identity Federation Integration with LDAP Servers

By default, Oracle Identity Federation is not configured to be integrated with LDAP Servers deployed in a high availability configuration. To integrate Oracle Identity Federation with highly available LDAP Servers to serve as user data store, federation data store, or authentication engine, you must configure Oracle Identity Federation based on the LDAP server's function.

Proceed as follows to integrate Oracle Identity Federation with an LDAP Server deployed in a high availability configuration

  1. On IDMHOST1, set environment variables as follows:

    Set DOMAIN_HOME to MSERVER_HOME.

    Set IDM_ORACLE_HOME to DIR_ORACLE_HOME.

  2. Set Oracle Identity Federation-specific environment variables by executing the setOIFEnv.sh script. This script is located under the IDM_ORACLE_HOME/fed/scripts directory.

    For example:

    cd $IDM_ORACLE_HOME/fed/scripts
    . setOIFEnv.sh
    
  3. On IDMHOST1, run the WLST script located under the ORACLE_COMMON_HOME/common/bin directory.

    cd ORACLE_COMMON_HOME/common/bin
    ./wlst.sh
    
  4. Connect to one of the Oracle Identity Federation Managed Servers:

    connect()
    

    Enter the username and password to connect to the Oracle Identity Federation Managed Servers. This is the same as the WebLogic Administration user name and password.

    Enter the URL to connect to the Oracle Identity Federation Managed Server:

    t3://IDMHOST1.mycompany.com:7499

  5. Then enter the following properties, as needed:

    • To integrate the user data store with a highly available LDAP Server, set the userldaphaenabled boolean property from the datastore group to true:

      setConfigProperty('datastore','userldaphaenabled', 'true', 'boolean')
      Update was successful for: userldaphaenabled
      
    • Validate the user data store is integrated with a highly available LDAP store by running:

      getConfigProperty('datastore', 'userldaphaenabled')
      Value(s) for property: true
      

      The userldaphaenabled property must return true.

    • To integrate the LDAP authentication engine with a highly available LDAP Server, set the ldaphaenabled boolean property from the authnengines group to true:

      setConfigProperty('authnengines','ldaphaenabled', 'true', 'boolean')
      Update was successful for: ldaphaenabled
      
    • Validate the LDAP authentication engine is integrated with a highly available LDAP store by running:

      getConfigProperty('authnengines','ldaphaenabled')
      Value(s) for property: true
      

      The ldaphaenabled property for the authnengines group must return true.

Note:

On IDMHOST1, delete the following directories:

  • ASERVER_HOME/config/fmwconfig/servers/wls_oif1/applications

  • ASERVER_HOME/config/fmwconfig/servers/wls_oif2/applications

16.10 Configuring Oracle Identity Federation to work with the Oracle Web Tier

This section describes how to configure Oracle Identity Federation to work with the Oracle Web Tier.

This section contains the following topics:

16.10.1 Prerequisites

Before proceeding, ensure that the following tasks have been performed:

  1. Oracle Web Tier has been installed on WEBHOST1 and WEBHOST2.

  2. Oracle Access Manager has been installed and configured on IDMHOST1 and IDMHOST2.

  3. The load balancer has been configured with a virtual host name (sso.mycompany.com) pointing to the web servers on WEBHOST1 and WEBHOST2.

  4. The load balancer has been configured with a virtual host name (ADMIN.mycompany.com) pointing to web servers WEBHOST1 and WEBHOST2.

16.10.2 Making Oracle Identity Federation aware of the Load Balancer

To configure the Oracle Identity Federation application to use the load balancer VIP, follow these steps:

  1. Log in to the Oracle Enterprise Manager Fusion Middleware Control console using the credentials of the Administrative user (for example: weblogic).

  2. Navigate to an OIF node in Oracle Enterprise Manager Fusion Middleware Control. The OIF nodes are under Identity and Access in the navigation tree.

  3. From the OIF menu, select Administration, and then Server Properties.

    Change the host name to SSO.mycompany.com and the port to 443 (HTTP_SSL_PORT).

    Select SSL Enabled.

    Click Apply.

  4. From the OIF menu in Oracle Enterprise Manager Fusion Middleware Control, select Administration, and then Service Provider.

    Change the URL to:

    https://SSO.mycompany.com:443/fed/sp

    Click Apply.

16.10.3 Configuring Oracle HTTP Servers To Front End the Oracle Identity Federation Managed Servers

If you are adding OIF to an existing domain, include OIF in the Web Tier configuration as described in Section 8.3.3, "Create Virtual Hosts to Support Identity Management."

16.11 Validating Oracle Identity Federation

If the configuration is correct, you can access the following URL from a web browser:

https://SSO.mycompany.com/fed/sp/metadata

You should see metadata.
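Seeing metadata is only part of the check. After Section 16.10.2 has pointed the OIF server properties and Service Provider URL at the load balancer, the endpoints advertised in the SP metadata should name SSO.mycompany.com over HTTPS, not an individual managed server such as IDMHOST1.mycompany.com:7499; an Identity Provider given metadata with the wrong endpoints would send assertions past the web tier. The following checker is an added example, not part of this guide or of Oracle Identity Federation: it parses standard SAML 2.0 metadata and reports every entityID or endpoint Location that is not HTTPS on the expected host. The sample document is constructed for the example and is not real OIF output.

```python
"""Check that SP metadata (Sections 16.7 and 16.11) advertises the
load-balancer front end configured in Section 16.10.2.
Added example; parses generic SAML 2.0 metadata, not OIF-specific output."""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
EXPECTED_HOST = "sso.mycompany.com"  # virtual host name from Section 16.10.1
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService")

# Constructed sample of what correct metadata looks like once the server
# properties point at the load balancer. Endpoint paths are placeholders,
# not actual OIF paths.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://SSO.mycompany.com:443/fed/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://SSO.mycompany.com:443/fed/sp/slo-placeholder"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://SSO.mycompany.com:443/fed/sp/acs-placeholder"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text: str, expected_host: str = EXPECTED_HOST) -> List[str]:
    """Return a list of problems found in the metadata.

    An empty list means the entityID and every SP endpoint Location use
    HTTPS on expected_host. Anything else is reported, one entry per
    finding, so the caller can print or log them."""
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected a SAML EntityDescriptor"]

    # entityID first, then every endpoint inside the SP role descriptor.
    urls = [("entityID", root.get("entityID", ""))]
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        problems.append("no SPSSODescriptor: this is not Service Provider metadata")
    else:
        for tag in ENDPOINT_TAGS:
            for el in sp.findall(f"{{{MD_NS}}}{tag}"):
                urls.append((tag, el.get("Location", "")))

    for label, url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{label} {url!r} is not https")
        if (parts.hostname or "") != expected_host.lower():
            problems.append(f"{label} {url!r} does not point at {expected_host}")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_METADATA with the body fetched from
    # https://SSO.mycompany.com/fed/sp/metadata to check a live deployment.
    for line in check_sp_metadata(SAMPLE_METADATA) or ["metadata OK"]:
        print(line)
```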

16.12 Integrating Oracle Identity Federation with Oracle Access Manager 11g

In Service Provider (SP) mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow is performed, Oracle Identity Federation creates a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.

This section provides the steps to integrate OIF with OAM11g in authentication mode and SP mode.

This section contains the following topics:

16.12.1 Prerequisites

Before starting this integration, ensure that the following tasks have been performed:

16.12.2 Integrating Oracle Identity Federation with Oracle Access Manager in SP Mode

This section covers the following topics:

16.12.2.1 Configuring the Oracle Access Manager 11g SP Engine

In SP mode, Oracle Identity Federation uses federation protocols to authenticate a user, and then requests the authentication module to create an authenticated session at Oracle Access Manager. Oracle Access Manager 11g SP engine is used for this purpose. The engine also provides logout integration. To configure the SP engine, run the setupOIFOAMConfig script from IDMHOST1.

To perform the integration proceed as follows:

  1. On IDMHOST1:

    Set DOMAIN_HOME to ASERVER_HOME.

    Set IDM_ORACLE_HOME to IDM_ORACLE_HOME.

    Set the environment by running the setOIFEnv.sh script in the current shell. The script resides at IDM_ORACLE_HOME/fed/scripts.

    For example:

    cd $IDM_ORACLE_HOME/fed/scripts
    . setOIFEnv.sh
    
  2. Edit the file setupOIFOAMIntegration.py, which is located in: IDM_ORACLE_HOME/fed/scripts/oam

    Locate the line:

    setConfigProperty("spengines","oam11guniqueuserid","cn","string")
    

    Change the line to read:

    setConfigProperty("spengines","oam11guniqueuserid","uid","string")
    

    Save the file.

  3. Change Directory to IDM_ORACLE_HOME/fed/scripts/oam.

  4. Execute the setupOIFOAMConfig script providing the following input parameters:

    • oifHost: Hostname of one of the OIF managed servers

    • oifPort: Port number of OIF Managed server

    • oifAdminHost: Hostname of WebLogic Admin server

    • oifAdminPort: Port number of WebLogic Admin server

    • oamAdminHost: Hostname of WebLogic Admin Server

    • oamAdminPort: Port number of WebLogic Admin server

    • agentType: The agent type used, for example, webgate11g

    For Linux, the syntax is:

    oifHost=myhost oifPort=portnum oamAdminHost=myhost2 oamAdminPort=portnum2 agentType=webgate11g ./setupOIFOAMConfig.sh
    

    For Windows, the syntax is:

    setupOIFOAMConfig.cmd "oifHost=myhost" "oifPort=portnum" "oamAdminHost=myhost2" "oamAdminPort=portnum2" "agentType=webgate11g"
    

    For example:

    oifHost=IDMHOST1 oifAdminHost=ADMINVHN oamAdminHost=ADMINVHN oifPort=7499 oifAdminPort=7001 oamAdminPort=7001 agentType=webgate11g ./setupOIFOAMConfig.sh
    

    The script prompts you for the username and password you use to connect to the WebLogic Administration Server, for example, weblogic_idm.

    Sample Output:

    Initializing WebLogic Scripting Tool (WLST) ... 
    Welcome to WebLogic Server Administration Scripting Shell
     
    Type help() for help on available commands
    
    OIF admin user : weblogic_idm
    *OIF admin password:*********
    OAM admin user : oamadmin
    *OAM admin password:*********
    Connecting to t3://ADMINVHN:7001 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
     
    Warning: An insecure protocol was used to connect to the 
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.
     
    Location changed to domainRuntime tree. This is a read-only tree with
     DomainMBean as the root.
    For more help, use help(domainRuntime)
     
    Already in Domain Runtime Tree
     
    Already in Domain Runtime Tree
     
    Disconnected from weblogic server: AdminServer
    Connecting to t3://ADMINVHN:7001 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
     
    Warning: An insecure protocol was used to connect to the
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.
     
    Disconnected from weblogic server: AdminServer
    Connecting to t3://IDMHOST1:7499 with userid weblogic ...
    Successfully connected to managed Server 'wls_oif1' that belongs to domain 'IDMDomain'.
     
    Warning: An insecure protocol was used to connect to the 
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.
     
    Disconnected from weblogic server: wls_oif1
    Connecting to t3://ADMINVHN:7001 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
    
    Warning: An insecure protocol was used to connect to the 
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.
      
    Disconnected from weblogic server: AdminServer
    Connecting to t3://ADMINVHN:7001 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'IDMDomain'.
     
    Warning: An insecure protocol was used to connect to the 
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.
     
    Registration Successful
    Disconnected from weblogic server: AdminServer
    
  5. Restart Managed servers WLS_OIF1 and WLS_OIF2 as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."

16.12.2.2 Updating the Oracle Identity Federation Authentication Scheme in Oracle Access Manager

Oracle Access Manager ships with an Oracle Identity Federation Authentication Scheme. This scheme needs to be updated before it can be used. To update the scheme, log in to the OAM console as the OAM administration user at: http://ADMIN.mycompany.com/oamconsole

Then perform the following steps:

  1. Click the Policy Configuration tab.

  2. Expand Authentication Schemes under the Shared Components tree.

  3. Select OIFScheme from under the Authentication Schemes and then select Open from the menu.

  4. On the Authentication Schemes page, provide the following information:

    • Challenge URL: https://SSO.mycompany.com:443/fed/user/spoam11g

    • Context Type: Select external from the list.

    Accept the defaults for all other values.

  5. Click Apply to update the OIFScheme.

16.12.3 Switching from Local Authentication to Federation SSO

Note:

Before you perform this operation, Oracle Identity Federation must already be configured for Federation SSO with a Federation IdP, and that IdP must be set as the Default SSO IdP in the OIF Administration Console Service Provider section.

To switch the authentication of the Oracle Access Manager security domain from local authentication to Federation SSO, proceed as follows:

  1. Log in to the OAM console as the OAM administration user.

  2. Navigate to Policy Configuration -> Authentication Schemes -> FAAuthScheme.

  3. Change Challenge Method from FORM to DAP.

  4. Set the Authentication Module to DAP.

  5. Change Challenge URL from /pages/login.jsp to:

    https://SSO.mycompany.com:443/fed/user/spoam11g

  6. Change Context Type from customWar to external.

  7. Set the Challenge Parameters field to TAPPartnerId=OIFDAPPartner.

  8. Click Apply.

After you perform these steps, accessing a Fusion Applications resource protected by the FAAuthScheme triggers the Federation SSO flow and redirects the user to the IdP for authentication. An example of such a Fusion Applications resource might be: https://FS.mycompany.com:443/homePage/faces/AtkHomePageWelcome

16.13 Backing Up the Application Tier Configuration

Back up the WebLogic Domain, Database, Web Tier, and LDAP directories, as described in Section 21.6.3, "Performing Backups During Installation and Configuration."