H Integrating with Access Management

This appendix describes how to integrate Oracle Identity Manager 11gR2PS2(11.1.2.2.0) with Oracle Access Management (OAM) 10g on Oracle WebLogic Application Server. This integration only enables basic Single Sign On (SSO) login/logout use cases, and does not enable full OIM-OAM integration use cases, for example password management.

This appendix contains the following sections:

  • Section H.1, "Performing the Prerequisites"

  • Section H.2, "Configuring OIM Domain for SSO"

  • Section H.3, "Validating the Integration"

H.1 Performing the Prerequisites

Before integrating Oracle Identity Manager with OAM, ensure that the following prerequisites are met:

  • Oracle Identity Manager 11gR2PS2 is installed and configured. Oracle Identity Manager must be fronted by OHS or a reverse proxy that hosts the OAM 10g WebGate.

  • OAM 10g server and WebGate 10g are installed and configured, and the OAM SSO login and logout pages and configurations are in place.

  • Identity information in Oracle Identity Manager is synchronized with the LDAP server, for example by using LDAP synchronization.

H.2 Configuring OIM Domain for SSO

To configure Oracle Identity Manager domain for SSO:

  1. Set the OIM ssoEnabled flag to true. To do so:

    1. Login to Oracle Enterprise Manager.

    2. Navigate to OIM Domain.

    3. Right-click OIMDomain, and select System MBean Browser.

    4. Click the search icon, enter ssoconfig, and search.

    5. In the details page, look for the SSOEnabled flag, and select true from the drop-down list.

    6. Click Apply to save the change.

  2. Configure authentication providers.

    This step configures the security providers in the OIM domain so that both SSO login and OIM client-based login work. For this, OAMIDAsserter and OIDAuthenticator must be set up. Note that OIDAuthenticator authenticates and asserts users against Oracle Internet Directory (OID). To authenticate or assert users against any other directory server that OAM also uses for authentication, configure the corresponding authenticator instead of OIDAuthenticator.

    To configure the authentication providers:

    1. Login to WebLogic Administrative Console, and navigate to Security realms, myrealm, Providers, Authentication.

    2. Click New to add OAMIDAsserter of type OAMIdentityAsserter. Click OK. Edit OAMIDAsserter, which has just been added, and set the Control flag to REQUIRED. Ensure the Chosen Active Type is OAM_REMOTE_USER, and then save the configuration.

    3. Click New to add OIMSignatureAuthenticator of type OIMSignatureAuthenticator. Click OK. Edit OIMSignatureAuthenticator and set the Control flag to SUFFICIENT. Save the configuration. Ensure that no properties are displayed in the provider-specific configuration tab.

    4. Click New to add OIDAuthenticator of type OracleInternetDirectoryAuthenticator. Click OK. Edit OIDAuthenticator and set the Control flag to SUFFICIENT. Save the configuration. Then, open the provider-specific configuration tab, set only the following attributes, and save the configuration.

      Host: OID_HOST_NAME
      Port: OID_PORT
      Principal: cn=orcladmin
      Credential/Confirm Credential: ORCLADMIN_PASSWORD
      User Base DN: cn=Users,dc=us,dc=oracle,dc=com
      All Users Filter: (&(uid=*)(objectclass=inetOrgPerson))
      User From Name Filter: (&(uid=%u)(objectclass=inetOrgPerson))
      User Name Attribute: uid
      User Object Class: inetOrgPerson
      Use Retrieved User Name as Principal: true
      Group Base DN: cn=Groups,dc=us,dc=oracle,dc=com
      All Groups Filter: (&(cn=*)(objectclass=groupOfUniqueNames))
      Group From Name Filter: (&(cn=%g)(objectclass=groupOfUniqueNames))

      Note:

      OIDAuthenticator must be replaced by the LDAP provider-specific authenticator that corresponds to the LDAP provider used by Oracle Identity Manager and OAM.

    5. Remove OIMAuthenticationProvider, which is already configured.

    6. Re-order the remaining authentication providers in the following sequence:

      • OAMIDAsserter

      • OIMSignatureAuthenticator

      • OIDAuthenticator

      • DefaultAuthenticator

      • DefaultIdentityAsserter

    7. Activate all the changes, and then restart all the servers configured in the OIM domain.

  3. Configure SSO logout for Oracle Identity Manager, as shown:

    <IDM_ORACLE_HOME>/common/bin/wlst.sh
      connect()
      addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
      exit()

    Note:

    • The connect() call prompts for the Admin Server URL and the WebLogic administrator user name and password.

    • If a custom logout URL is configured, then change logouturi accordingly before running the WLST command.

  4. Configure OIM resource policies in OAM 10g server. To do so:

    1. Protect the following OIM resources:

      • /sysadmin/adfAuthentication

      • /identity/adfAuthentication

      • /Nexaweb

      • /xlWebApp

      • /oim

    2. Unprotect the following OIM resources:

      • /identity/.../*

      • /sysadmin/.../*

      • /identity

      • /sysadmin

      • /SchedulerService-web
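The protect and unprotect lists in step 4 overlap: /identity/adfAuthentication must remain protected even though /identity/.../* is unprotected, so the policy evaluation order matters. The following Python script is an added example, not Oracle's code. It models OAM 10g resource patterns under the assumed semantics that "..." matches any number of path segments, "*" matches within one segment, a resource also covers its sub-paths, and the most specific matching policy wins, so that an administrator can check a list of request paths against the two lists before testing in the browser. The sample request paths are constructed.

```python
import re

# Resource policies exactly as listed in step 4 above (constructed lists).
PROTECTED = ["/sysadmin/adfAuthentication", "/identity/adfAuthentication",
             "/Nexaweb", "/xlWebApp", "/oim"]
UNPROTECTED = ["/identity/.../*", "/sysadmin/.../*", "/identity",
               "/sysadmin", "/SchedulerService-web"]


def pattern_to_regex(pattern):
    """Translate an OAM 10g-style resource pattern into an anchored regex.
    Assumed semantics: '...' matches zero or more path segments, '*' matches
    within one segment, everything else is literal, and a policy also covers
    sub-paths of its resource ('/oim' covers '/oim/faces/home')."""
    parts = []
    for token in re.split(r"(\.\.\./|\.\.\.|\*)", pattern):
        if token == ".../":
            parts.append(r"(?:[^/]+/)*")
        elif token == "...":
            parts.append(r"(?:[^/]+/?)*")
        elif token == "*":
            parts.append(r"[^/]*")
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + r"(?:/.*)?$")


def policy_for(path):
    """Return 'protected', 'unprotected', or None when no policy matches.
    Among several matches the policy with the most literal (non-wildcard)
    characters wins; the overlapping lists in step 4 rely on exactly that
    (assumption: '/identity/adfAuthentication' beats '/identity/.../*')."""
    best = None
    for verdict, patterns in (("protected", PROTECTED),
                              ("unprotected", UNPROTECTED)):
        for pat in patterns:
            if pattern_to_regex(pat).match(path):
                score = len(re.sub(r"\.\.\.|\*", "", pat))
                if best is None or score > best[0]:
                    best = (score, verdict)
    return None if best is None else best[1]


if __name__ == "__main__":
    # Constructed sample requests: SSO entry points must be protected, the
    # post-login UI and the signature-authenticated scheduler must not be.
    for path in ["/identity/adfAuthentication", "/identity/faces/home",
                 "/oim/faces/home", "/SchedulerService-web", "/unlisted"]:
        print(f"{path:30} {policy_for(path) or 'no policy (review!)'}")
```

A path that matches no policy at all is reported separately so that it can be reviewed rather than silently assumed to be covered.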

H.3 Validating the Integration

Table H-1 describes how to validate the integration.

Table H-1 Validating the Integration

Validation Steps and Output

End-user login to Oracle Identity Manager through SSO

  1. As a prerequisite, create an end-user, for example ENDUSER001, in Oracle Identity Manager and LDAP.

  2. Login to Oracle Identity Self Service through the SSO URL as the end user that you created in step 1, and check whether the login is successful.

  3. Login to Identity System Administration as the system administrator user, and try accessing various sections of the UI, such as approval policies.

  4. Logout from either of the consoles, and login again with the same or different credentials.

Expected output: Login is successful, and all the links work as expected.

Client-based login to Oracle Identity Manager

  1. As a prerequisite, make sure that the Design Console is installed and configured.

  2. Login to the Design console as the system administrator user with SSO password.

Expected output: Login to the Design Console is successful. For this, LDAPAuthenticator must be configured properly for SSO login.

Signature-based authentication

  1. Try accessing the Scheduler service URL:

    http://OIM_HOST:PORT/SchedulerService-web

    The Scheduler is running on Oracle Identity Manager Managed Server port.

  2. Login as the system administrator with SSO password.

Expected output: Signature login is successful if you can see the following details on the screen:

Scheduler Current Status: STARTED
Last Error: NONE

If login is successful, and the value of Scheduler Current Status is STOPPED, then click Start on the page. Signature login is successful if there are no errors on the page.