Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 7 (11.1.7)

Part Number E21032-21

11 Enabling Oracle Identity Federation

The Identity Management provisioning tools create, but do not start, Oracle Identity Federation. This chapter explains how to enable Oracle Identity Federation after provisioning has completed. Oracle Identity Federation is an optional component; if you are not planning to use Oracle Identity Federation, skip this chapter. This chapter describes how to extend the Identity Management domain to include Oracle Identity Federation in an enterprise deployment.

This chapter contains the following topics:

  • Section 11.1, "Starting OIF Managed Servers"

  • Section 11.2, "Updating OIF Web Configuration"

  • Section 11.3, "Validating Oracle Identity Federation"

  • Section 11.4, "Configuring the Enterprise Manager Agents"

  • Section 11.5, "Enabling Oracle Identity Federation Integration with LDAP Servers"

  • Section 11.6, "Updating the Oracle Identity Federation Authentication Scheme in Oracle Access Manager"

  • Section 11.7, "Setting Oracle Identity Federation Authentication Mode and Enabling Password Policy Profile"

  • Section 11.8, "Enabling and Disabling Oracle Identity Federation"

11.1 Starting OIF Managed Servers

Start the managed servers wls_oif1 and wls_oif2 as follows:

  1. Run stopall.sh as described in Section 16.1, "Starting and Stopping Components."

  2. Update the Oracle Identity Federation property file oif_startup.conf so that Oracle Identity Federation is started automatically. To do this, edit the file oif_startup.conf, which is located in the directory SHARED_CONFIG_DIR/scripts.

    Edit the file so that it looks like this:

    #
    # OIF is enabled OOTB for Shared IDM
    #
    # OIF_ENABLED indicates whether or not OIF should be started/stopped
    # as part of the startoif.sh/stopoif.sh scripts. Valid values are true or false
    # If false, the OIF will not be started or stopped
    OIF_ENABLED=true
    # OPMN_EMAGENT_MANAGED_BY_OIF_SCRIPT indicates whether or not OPMN and
    # the EMAgent components for the OIM domain should be started, when OIF is enabled.
    # Valid values are true or false. If false, OPMN and the EMAgent components will not
    # be started or stopped when OIF is enabled.
    # If OIF is disabled, OPMN and the EMAgent components will not be started or stopped
    OPMN_EMAGENT_MANAGED_BY_OIF_SCRIPT=true
    

    Save the file.

  3. Run startall.sh as described in Section 16.1, "Starting and Stopping Components."

11.2 Updating OIF Web Configuration

Edit the file idminternal_vh.conf, which is located in WEB_ORACLE_INSTANCE/config/OHS/component/moduleconf.

Add the following lines inside the VirtualHost block:

##################################################
## Entries Required by Oracle Identity Federation
##################################################
 
   #OIF
   <Location /fed>
      SetHandler weblogic-handler
      WLProxySSL ON
      WLProxySSLPassThrough ON
      WebLogicCluster IDMHOST1.mycompany.com:7499,IDMHOST2.mycompany.com:7499
   </Location>

Save the file and restart the Oracle HTTP Server as described in Section 16.1, "Starting and Stopping Components."

Repeat this for each Oracle HTTP Server instance.
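Because the /fed block has to be repeated on every Oracle HTTP Server instance, a quick consistency check across instances is worth having. The following is an added example, not part of this guide or of any Oracle tool: it parses the <Location /fed> block out of an idminternal_vh.conf file and reports any directive that differs from what this section prescribes. The sample configuration text and the check_fed_location function are constructed for the example.

```python
import re

# Constructed sample of the /fed block as this section specifies it (not a real instance's file).
SAMPLE_VHOST_CONF = """
<VirtualHost *:7777>
   ServerName idminternal.mycompany.com:80
   #OIF
   <Location /fed>
      SetHandler weblogic-handler
      WLProxySSL ON
      WLProxySSLPassThrough ON
      WebLogicCluster IDMHOST1.mycompany.com:7499,IDMHOST2.mycompany.com:7499
   </Location>
</VirtualHost>
"""

# The two OIF managed servers the cluster directive must list (values from this guide).
EXPECTED_CLUSTER = {"IDMHOST1.mycompany.com:7499", "IDMHOST2.mycompany.com:7499"}


def location_directives(conf, path):
    """Return {directive: value} for the first <Location path> block, or None if absent."""
    m = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(path), conf, re.S | re.I)
    if not m:
        return None
    directives = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments such as "#OIF"
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def check_fed_location(conf, expected_cluster=EXPECTED_CLUSTER):
    """Return a list of problems with the /fed proxy block; an empty list means it matches the guide."""
    d = location_directives(conf, "/fed")
    if d is None:
        return ["missing <Location /fed> block"]
    problems = []
    if d.get("SetHandler", "").lower() != "weblogic-handler":
        problems.append("SetHandler must be weblogic-handler")
    for key in ("WLProxySSL", "WLProxySSLPassThrough"):
        if d.get(key, "").upper() != "ON":
            problems.append("%s must be ON so WebLogic treats requests as arriving over SSL" % key)
    members = {m for m in d.get("WebLogicCluster", "").split(",") if m}
    if members != set(expected_cluster):
        problems.append("WebLogicCluster must list exactly %s, found %s"
                        % (sorted(expected_cluster), sorted(members)))
    return problems
```

Run it against each instance's file in turn (for example after copying them to one host); any non-empty list identifies the instance that was not updated correctly.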

11.3 Validating Oracle Identity Federation

Validate the configuration of Oracle Identity Federation on IDMHOST1 and IDMHOST2 by accessing the SP metadata on each host.

On IDMHOST1, access the SP metadata by going to:

http://IDMHOST1.mycompany.com:7499/fed/sp/metadata

On IDMHOST2, access the SP metadata by going to:

http://IDMHOST2.mycompany.com:7499/fed/sp/metadata

If the configuration is correct, you can access the following URL from a web browser:

https://SSO.mycompany.com/fed/sp/metadata

You should see metadata.
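Seeing a metadata document is the minimum check; what matters for federation is that the document is well-formed SAML 2.0 SP metadata, has not expired, carries a signing certificate, and advertises endpoints on the public SSO host rather than on an individual IDMHOST. The following is an added example, not part of this guide: it applies those checks to a metadata document fetched from any of the three URLs above. It assumes OIF was configured with SSO.mycompany.com as its public server URL; the sample metadata document and the check_sp_metadata function are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, minimal SP metadata in the shape /fed/sp/metadata returns; not captured from a real host.
SAMPLE_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://SSO.mycompany.com/fed/sp" validUntil="2099-01-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://SSO.mycompany.com/fed/sp/sso" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_bytes, public_host="SSO.mycompany.com", now=None):
    """Return a list of findings; an empty list means the metadata is usable behind the SSO front end."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor: %s" % root.tag]
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        findings.append("metadata expired at %s" % valid_until)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no md:SPSSODescriptor: this is not SP metadata"]
    if sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        findings.append("no X509Certificate in SPSSODescriptor; the IdP cannot verify signed requests")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        findings.append("no AssertionConsumerService endpoint")
    for acs in acs_list:
        url = urlparse(acs.get("Location", ""))
        # Endpoints must use https on the public host, or the IdP would post assertions to an internal name.
        if url.scheme != "https" or url.hostname != public_host.lower():
            findings.append("AssertionConsumerService %s is not https on %s" % (acs.get("Location"), public_host))
    return findings
```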

11.4 Configuring the Enterprise Manager Agents

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage Oracle Identity Federation with this tool, you must configure the EM agents with the correct monitoring credentials. Update the credentials for the EM agents associated with IDMHOST1 and IDMHOST2. Follow these steps to complete this task:

  1. Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em. Log in as the WebLogic user.

  2. From the Domain Home Page, navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.

    • Click the Configure link for the Target Type Identity Federation Server to go to the Configure Target Page.

    • On the Configure Target Page, click Change Agent and choose the correct agent for the host.

      Note:

      If you are unsure about which agent to update, execute the command:

      OIF_ORACLE_INSTANCE/EMAGENT/EMAGENT/bin/emctl status agent
      
    • Update the WebLogic monitoring user name and the WebLogic monitoring password. Enter weblogic_idm as the WebLogic monitoring user name and the password for the weblogic user as the WebLogic monitoring password.

    • Click OK to save your changes.

11.5 Enabling Oracle Identity Federation Integration with LDAP Servers

By default, Oracle Identity Federation is not configured to be integrated with LDAP Servers deployed in a high availability configuration. To integrate Oracle Identity Federation with highly available LDAP Servers to serve as user data store, federation data store, or authentication engine, you must configure Oracle Identity Federation based on the LDAP server's function.

Proceed as follows to integrate Oracle Identity Federation with an LDAP Server deployed in a high availability configuration.

  1. On IDMHOST1, set environment variables as follows:

    Set DOMAIN_HOME to MSERVER_HOME.

    Set IDM_ORACLE_HOME to IDM_ORACLE_HOME.

  2. Set Oracle Identity Federation-specific environment variables by executing the setOIFEnv.sh script. This script is located under the IDM_ORACLE_HOME/fed/scripts directory.

    For example:

    cd IDM_ORACLE_HOME/fed/scripts
    . setOIFEnv.sh
    
  3. On IDMHOST1, run the WLST script located under the ORACLE_COMMON_HOME/common/bin directory.

    cd ORACLE_COMMON_HOME/common/bin
    ./wlst.sh
    
  4. Connect to one of the Oracle Identity Federation Managed Servers:

    connect()
    

    Enter the username and password to connect to the Oracle Identity Federation Managed Servers. This is the same as the WebLogic Administration user name and password.

    Enter the URL to connect to the Oracle Identity Federation Managed Server:

    t3://IDMHOST1.mycompany.com:7499

  5. Then enter the following properties, as needed:

    • To integrate the user data store with a highly available LDAP Server, set the userldaphaenabled boolean property from the datastore group to true:

      setConfigProperty('datastore','userldaphaenabled', 'true', 'boolean')
      Update was successful for: userldaphaenabled
      
    • Validate the user data store is integrated with a highly available LDAP store by running:

      getConfigProperty('datastore', 'userldaphaenabled')
      Value(s) for property: true
      

      The userldaphaenabled property must return true.

    • To integrate the LDAP authentication engine with a highly available LDAP Server, set the ldaphaenabled boolean property from the authnengines group to true:

      setConfigProperty('authnengines','ldaphaenabled', 'true', 'boolean')
      Update was successful for: ldaphaenabled
      
    • Validate the LDAP authentication engine is integrated with a highly available LDAP store by running:

      getConfigProperty('authnengines','ldaphaenabled')
      Value(s) for property: true
      

      The ldaphaenabled property for the authnengines group must return true.

Note:

On IDMHOST1, delete the following directories:

  • ASERVER_HOME/config/fmwconfig/servers/wls_oif1/applications

  • ASERVER_HOME/config/fmwconfig/servers/wls_oif2/applications

11.6 Updating the Oracle Identity Federation Authentication Scheme in Oracle Access Manager

Oracle Access Manager ships with an Oracle Identity Federation Authentication Scheme. This scheme needs to be updated before it can be used. To update the scheme, log in to the OAM console as the OAM administration user identified by the entry in Section 8.2, "Update User Names in Provisioning Response File." The URL is: http://ADMIN.mycompany.com/oamconsole

Then perform the following steps:

  1. Click the Policy Configuration tab.

  2. Expand Authentication Schemes under the Shared Components tree.

  3. Select OIFScheme from under the Authentication Schemes and then select Open from the menu.

  4. On the Authentication Schemes page, provide the following information:

    • Challenge URL: https://SSO.mycompany.com:443/fed/user/spoam11g

    • Context Type: Select external from the list.

    Accept the defaults for all other values.

  5. Click Apply to update the OIFScheme.

11.7 Setting Oracle Identity Federation Authentication Mode and Enabling Password Policy Profile

Proceed as follows:

  1. On IDMHOST1, run the WLST script located under the ORACLE_COMMON_HOME/common/bin directory.

    cd ORACLE_COMMON_HOME/common/bin
    ./wlst.sh
    
  2. Connect to the WebLogic Administration Server:

    connect()
    

    Enter the username and password to connect to the WebLogic Administration Server. This is the WebLogic Administration user name and password.

    Enter the URL to connect to the WebLogic Administration Server:

    t3://IDMHOST1.mycompany.com:7001

  3. Execute the following WLST command:

    domainRuntime()
    
  4. To configure the Oracle Access Manager for Oracle Identity Federation SSO flows, execute the following WLST commands:

    configOAMOIFSaaS(fedMode="Dedicated")
    
    enablePasswordPolicyProfile()
    

11.8 Enabling and Disabling Oracle Identity Federation

In Service Provider (SP) mode, Oracle Access Manager delegates user authentication to Oracle Identity Federation, which uses the Federation Oracle Single Sign-On protocol with a remote Identity Provider. Once the Federation Oracle Single Sign-On flow has been performed, Oracle Identity Federation creates a local session and then propagates the authentication state to Oracle Access Manager, which maintains the session information.

This section provides the steps to integrate Oracle Identity Federation with Oracle Identity Manager in authentication mode and SP mode.

Note:

Federation Trust must be established prior to enabling Oracle Identity Federation.

This section contains the following topics:

  • Section 11.8.1, "Enabling Oracle Identity Federation"

  • Section 11.8.2, "Disabling Oracle Identity Federation"

11.8.1 Enabling Oracle Identity Federation

This section describes how to switch the authentication of the Oracle Access Manager security domain from local authentication to Federation SSO.

Perform the following operations to switch from local authentication to Federation SSO for Browser Based Schemes:

  1. In a browser, go to the OAM Console, at:

    http://ADMINVHN.mycompany.com:7001/oamconsole

    Log in as the Oracle Access Manager user identified by the entry in Section 8.2, "Update User Names in Provisioning Response File."

  2. Navigate to Policy Configuration -> Shared Components -> Authentication Schemes -> FAAuthScheme.

  3. Set the Challenge Method to FORM.

  4. Set the Authentication Module to SaaSModule.

  5. Set the Challenge URL to /pages/oamLogin.jsp.

  6. Set the Context Type to customWar.

  7. Set the Context Value to /fusion_apps.

  8. Set the Challenge Parameters field with the following entries:

    • federationEnabled=true

    • ssoChooserEnabled=false (see Footnote 1)

    • fedSSOEnabled=true

    • initial_command=NONE

    • TAPPartnerId=OIFDAPPartner

    • TAPChallengeURL=https://SSO.mycompany.com:443/fed/user/spoam11g

  9. Click Apply.

11.8.2 Disabling Oracle Identity Federation

This section describes how to switch the authentication of the OAM security domain from Federation SSO to local authentication.

Perform the following operations to switch from Federation SSO to local authentication for Browser Based Schemes:

  1. In a browser, go to the OAM Console, at:

    http://ADMINVHN.mycompany.com:7001/oamconsole

    Log in as the Oracle Access Manager user identified by the entry in Section 8.2, "Update User Names in Provisioning Response File."

  2. Navigate to Policy Configuration -> Shared Components -> Authentication Schemes -> FAAuthScheme.

  3. Set the Challenge Method to FORM.

  4. Set the Authentication Module to SaaSModule.

  5. Set the Challenge URL to /pages/oamLogin.jsp.

  6. Set the Context Type to customWar.

  7. Set the Context Value to /fusion_apps.

  8. Set the Challenge Parameters field with the following entries:

    • federationEnabled=false

    • ssoChooserEnabled=false

    • fedSSOEnabled=false

    • initial_command=NONE

    • TAPPartnerId=OIFDAPPartner

    • TAPChallengeURL=https://SSO.mycompany.com:443/fed/user/spoam11g

  9. Click Apply.



Footnote Legend

Footnote 1: If dual authentication mode is required, set ssoChooserEnabled=true instead of ssoChooserEnabled=false. Dual authentication mode is required when some users in the Oracle Fusion Applications LDAP directory do not exist in the Identity Provider's directory. Those users cannot be authenticated with Federation SSO and must be challenged locally.