Skip Headers
Oracle® Fusion Middleware Integration Guide for Oracle Access Manager
11g Release 1 (11.1.1)

Part Number E15740-05
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

5 Integrating Oracle Access Manager and Oracle Identity Manager

This chapter explains how to integrate Oracle Access Manager with Oracle Identity Manager.

The instructions in this chapter use Oracle Internet Directory as an example directory server only. Refer to the system requirements and certification documentation on Oracle Technology Network for more information about supported configurations. For more information, see Section 1.4, "System Requirements and Certification."

If using a different directory server in your environment, you will need to modify the steps accordingly. You can refer to the configuration scenarios described in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for more information.

This chapter contains these sections:

5.1 About the Integration

This integration enables you to manage identities with Oracle Identity Manager and control access to resources with Oracle Access Manager.

For more information, see Section 2.3, "Enabling Identity Administration with Oracle Identity Manager".

The high-level integration tasks consist of:

Perform the tasks in order, from Section 5.2 through Section 5.5.

5.2 Prerequisites

Take the following steps to prepare for the integration procedure:

  1. Install and configure required components, which include:

    • Oracle Database

    • Directory server (Oracle Internet Directory used as an example)

    • Oracle WebLogic Server

    • WebLogic domain with 11g components:

      • Oracle Access Manager

      • Oracle Identity Manager

      • Oracle SOA Suite

    See Also:

    Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management

  2. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME, where Oracle Internet Directory is installed.

    Set ORACLE_HOME to IAM_ORACLE_HOME, where Oracle Access Manager and Oracle Identity Manager are installed.

  3. Locate the idmConfigTool utility in the directory:

    IAM_ORACLE_HOME/idmtools/bin
    

    You will use this utility in the next few steps to get the identity store ready for the integration.

  4. Create a properties file with contents similar to the following:

    IDSTORE_HOST : idstore.mycompany.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    

    where:

    • IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your identity store directory. If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com.)

    • IDSTORE_BINDDN Is an administrative user in the identity store directory.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

    Name this file preconfigPropertyFile or similar as you will use it to preconfigure the identity store in the next step.

  5. Use this properties file to perform general configuration of the identity store with the following command:

    idmConfigTool –preConfigIDStore input_file=propertiesFile
    
  6. Create a second properties file with contents as shown here:

    IDSTORE_HOST : idstore.mycompany.com
    IDSTORE_PORT : 389
    IDSTORE_BINDDN : cn=orcladmin
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    IDSTORE_READONLYUSER: IDROUser
    IDSTORE_READWRITEUSER: IDRWUser
    IDSTORE_SUPERUSER: weblogic_admin
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamadmin
    IDSTORE_OIMADMINUSER: oimadmin
    IDSTORE_OIMADMINGROUP: OIMAdmins
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdmins
    

    where:

    • IDSTORE_HOST and IDSTORE_PORT are the host and port, respectively, of your identity store directory. If you are using a directory other than Oracle Internet Directory, specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com.)

    • IDSTORE_BINDDN is an administrative user in the identity store directory.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. This happens rarely but one example is the Oracle Identity Manager reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters.

    • IDSTORE_SYSTEMIDBASE is the location in your directory where the Oracle Identity Manager reconciliation user are placed.

    • IDSTORE_READONLYUSER is the name of a user you want to create which has Read Only permissions on your Identity Store.

    • IDSTORE_READWRITEUSER is the name of a user you want to create which has Read/Write permissions on your identity store.

    • IDSTORE_SUPERUSER is the name of the administration user you want to use to log in to the WebLogic Administration Console in the Oracle Fusion Applications domain.

    • IDSTORE_OAMSOFTWAREUSER is a user that gets created in LDAP that is used when Oracle Access Manager is running to connect to the LDAP server.

    • IDSTORE_OAMADMINUSER is the name of the user you want to create as your Oracle Access Manager Administrator.

    • IDSTORE_OIMADMINUSER is the name of the administration user you would like to use to log in to the Oracle Identity Manager console.

    • IDSTORE_OIMADMINGROUP is the name of the group you want to create to hold your Oracle Identity Manager administrative users.

    • OAM11G_IDSTORE_ROLE_SECURITY_ADMIN is the name of the group to hold users who have access to the Oracle Access Manager administration console.

    Name this file preparePropertyFile or similar as you will use it to prepare the identity store in the next step.

  7. Use this properties file to perform component-specific configuration of the identity store for integration using the following command:

    idmConfigTool -prepareIDStore mode=all input_file=propertiesFile
    
  8. Perform the following tasks for Oracle Identity Manager:

    1. Configure LDAP synchronization (LDAP sync) in the domain where Oracle Identity Manager runs. Confirm that LDAP sync is operational before continuing.

      Note:

      When loading schemas as part of this step, first load the Oracle Access Manager schema and then load the Oracle Identity Manager schema.

      For information about configuring LDAP synchronization, see the following sections in Chapter 15, "Configuring Oracle Identity Manager" of the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management: "Completing the Prerequitistes for Enabling LDAP Synchronization", "Running the LDAP Post-Configuration Utility", and "Verifying the LDAP Synchronization".

    2. Using Oracle Directory Services Manager, configure the Oracle Virtual Directory adapters created in Step 8a to set the oamEnabled parameter to true.

    3. In the domain running Oracle Identity Manager, execute the Oracle Identity Manager configuration wizard with the LDAP sync option enabled.

    Notes:

  9. Verify that the WebLogic managed servers for Oracle Access Manager and Oracle Identity Manager are shut down.

  10. Restart the Oracle WebLogic Server Administration Server.

    See Also:

    See Stopping or Starting the Oracle Stack in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  11. Configure logout for the IDM domain agent. For details, see Configuring Centralized Logout for the IDM Domain Agent in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

5.3 Perform Integration Tasks in Oracle Access Manager

Take these steps to integrate Oracle Access Manager with Oracle Identity Manager and the directory server:

  1. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME, where Oracle Internet Directory is installed.

    Set ORACLE_HOME to IAM_ORACLE_HOME, where Oracle Access Manager and Oracle Identity Manager are installed.

  2. Update the domain agent password as follows:

    1. Log in to the Oracle Access Manager console:

      http:oam_admiserver_host:port/oamconsole
      
    2. Navigate to the system configuration tab, then Access Manager Settings, then SSO Agents.

      Double-click "OAM Agents", which opens a Webgate page on the right.

      Click Search to list all webgate agents including "IAMSuiteAgent".

      Double-click it to edit the IAMSuiteAgent agent. Update the field "Access Client Password" with the desired password.

    3. Log in to the Oracle WebLogic Server console:

      http:oam_adminserver_host:port/console
      
    4. Navigate to Security Realms, then myrealm. Open the providers tab and edit IAMSuiteAgent.

      Open the Provider Specific tab and update the agent password. Save the changes.

    5. Restart the Oracle Access Manager managed server.

    You will use the updated password in Step 4 below.

  3. Create a properties file with the following contents:

    WLSHOST: adminvhn.mycompany.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin 
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_USERSEARCHBASE: cn=Users,mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_OAMSOFTWAREUSER: oamLDAP
    IDSTORE_OAMADMINUSER: oamadmin
    PRIMARY_OAM_SERVERS: oamhost1.mycompany.com:5575,oamhost2.mycompany.com:5575
    WEBGATE_TYPE: ohsWebgate10g
    ACCESS_GATE_ID: IAMSuiteAgent
    COOKIE_DOMAIN: .us.example.com
    OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
    OAM_TRANSFER_MODE: OPEN
    OAM11G_SSO_ONLY_FLAG: true
    OAM11G_OIM_INTEGRATION_REQ: true
    OAM11G_OIM_OHS_URL:https://sso.mycompany.com:443/
    COOKIE_EXPIRY_INTERVAL: 120
    

    Where:

    • WLSHOST and WLSPORT are, respectively, the host and port of your administration server, this will be the virtual name.

    • WLSADMIN is the WebLogic administrative user you use to log in to the WebLogic console.

    • IDSTORE_HOST and IDSTORE _PORT are, respectively, the host and port of your Identity Store directory.

      Note:

      If using a directory server other than Oracle Internet Directory, specify the Oracle Virtual Directory host and port.

    • IDSTORE_BINDDN is an administrative user in Oracle Internet Directory.

      Note:

      If using a directory server other than Oracle Internet Directory, specify an Oracle Virtual Directory administrative user.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • IDSTORE_OAMSOFTWAREUSER is the name of the user you use to interact with LDAP.

    • IDSTORE_OAMADMINUSER is the name of the user you use to access your Oracle Access Manager console.

    • PRIMARY_OAM_SERVERS is a comma-separated list of your Oracle Access Manager servers and the proxy ports they use.

      Note:

      To determine the proxy ports your Oracle Access Manager servers use:

      1. Log into the Oracle Access Manager console at http://admin.mycompany.com:7001/oamconsole

      2. Click the System Configuration tab.

      3. Expand Server Instances under the Common Configuration section

      4. Click on an Oracle Access Manager server, such as WLS_OAM1, and click Open.

      5. Proxy port is shown as Port.

    • WEBGATE_TYPE is the type of WebGate agent you want to create.

    • ACCESS_GATE_ID is the name you want to assign to the WebGate. Do not change the property value shown above.

    • COOKIE_DOMAIN is the domain in which the WebGate functions.

    • OAM_TRANSFER_MODE is the security model in which the access servers function.

    • OAM11G_SSO_ONLY_FLAG determines whether Oracle Access Manager is used in authentication-only mode.

    • OAM11G_OIM_OHS_URL is the URL of the load balancer fronting the Oracle HTTP servers.

    Name this file OAMconfigPropertyFile or similar as you will use it to configure Oracle Access Manager in the next step.

  4. Configure Oracle Access Manager using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    The command syntax is as follows:

    idmConfigTool –configOAM input_file=propertiesFile
    

5.4 Perform Integration Tasks in Oracle Identity Manager

Integrate Oracle Identity Manager with Oracle Access Manager by performing the following steps:

  1. On the machine where Oracle WebLogic Server and Oracle Identity Manager Server are installed, create the wlfullclient.jar file as follows:

    1. Navigate to the MW_HOME/wlserver_10.3/server/lib directory.

    2. Set your JAVA_HOME to MW_HOME/jdk160_18 and ensure that your JAVA_HOME/bin directory is in your path.

    3. Create the wlfullclient.jar file by running:

      java -jar wljarbuilder.jar
      

    Verify that the jar file was created.

  2. Set the environment variables: MW_HOME, JAVA_HOME, IDM_HOME and ORACLE_HOME.

    Set IDM_HOME to IDM_ORACLE_HOME, where Oracle Internet Directory is installed.

    Set ORACLE_HOME to IAM_ORACLE_HOME, where Oracle Access Manager and Oracle Identity Manager are installed.

  3. Create a properties file with contents as in the following:

    LOGINURI: /${app.context}/adfAuthentication
    LOGOUTURI: /oamsso/logout.html
    AUTOLOGINURI: /obrar.cgi
    ACCESS_SERVER_HOST: OAMHOST1.mycompany.com
    ACCESS_SERVER_PORT: 5575
    ACCESS_GATE_ID: IAMSuiteAgent
    COOKIE_DOMAIN: .mycompany.com
    COOKIE_EXPIRY_INTERVAL: 120
    OAM_TRANSFER_MODE: SIMPLE
    WEBGATE_TYPE: javaWebgate
    SSO_ENABLED_FLAG: true
    IDSTORE_PORT: 389
    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_DIRECTORYTYPE: OID  
    IDSTORE_ADMIN_USER: oamdmin. Note that the entry contain the complete LDAP DN of the user (the username alone in insufficient).
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    MDS_DB_URL: jdbc:oracle:thin:@DBHOST:PORT:SID
    MDS_DB_SCHEMA_USERNAME: edg_mds
    WLSHOST: adminvhn.mycompany.com
    WLSPORT: 7001
    WLSADMIN: weblogic
    DOMAIN_NAME: IDM_Domain
    OIM_MANAGED_SERVER_NAME: WLS_OIM1
    DOMAIN_LOCATION: ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain
    

    Notes:

    • The ACCESS_SERVER_PORT must be the Oracle Access Manager NAP port.

    • If your access manager servers are configured to accept requests using the simple mode, set OAM_TRANSFER_MODE to SIMPLE. Otherwise set OAM_TRANSFER_MODE to OPEN.

    • Set WEBGATE_TYPE to javaWebgate if using a domain agent; set it to ohsWebgate10g if using a 10g WebGate.

    • Set IDSTORE_PORT to your Oracle Internet Directory port.

    • Set IDSTORE_HOST to your Oracle Internet Directory host or load balancer name.

    • MDS_DB_URL in this case represents a single instance database. The string following the '@' symbol must have the correct values for your environment. SID must be the actual SID, not a service name.

    • The value of IDSTORE_ADMIN_USER must contain the complete LDAP DN of the user. The entry should be similar to "cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com" instead of just "oamadmin".

    Name this file OIMconfigPropertyFile or similar as you will use it to configure Oracle Identity Manager in Step 4.

  4. Change location to: IAM_ORACLE_HOME/server

    cd IAM_ORACLE_HOME/server
    
  5. Integrate Oracle Access Manager with Oracle Identity Manager using the command idmConfigTool, which is located at:

    IAM_ORACLE_HOME/idmtools/bin

    The syntax of the command is

    idmConfigTool -configOIM input_file=propertiesFile 
    

    where propertiesFile is the file you set up in Step 2.

    When the command executes you will be prompted for:

    • Access Gate Password

    • Single Sign-On (SSO) Keystore Password

    • Global Passphrase

    • Idstore Admin Password

    • MDS Database schema password

    • Admin Server User Password

    • Password to be used for Oracle Access Manager administrative user

  6. Check the log file for errors and correct them if necessary.

  7. Restart the Oracle Identity Manager managed server and the WebLogic Administration Server.

5.5 Test the Integration

The final task is to verify the integration by performing, in order, the steps shown in Table 5-1:

Table 5-1 Verifying Oracle Access Manager-Oracle Identity Manager Integration

Step Description Expected Result

1

Access the Oracle Access Manager Administration Console using the URL:

http://admin_server_host:admin_server_port/oamconsole

Provides access to the console. The credential collector URL should be the Oracle Access Manager Managed Server URL.

2

Access the Oracle Identity Manager administration page with the URL:

http://oimhost:oimport/admin/faces/pages/Admin.jspx

The Oracle Access Manager login page from the Oracle Access Manager managed server should appear.

Check that the links for "Forgot Password", "Self Register" and "Track Registration" appear on the login page.

3

Log in as an Oracle Identity Manager administrator (the user referred to in Step 6 of Section 5.2).

The Oracle Identity Manager Admin Page should be accessible.

4

Create a new user on the Oracle Identity Manager Admin Page.

Close the browser and try accessing the Oracle Identity Manager Admin Pages. When prompted for login, provide valid credentials for the newly-created user.

You should be redirected to Oracle Identity Manager and required to reset the password.

5

Close the browser and access the Oracle Identity Manager Admin Page.

The Oracle Access Manager login page from the Oracle Access Manager managed server should come up. Verify that the links for "Forgot Password", "Self Register" and "Track Registration" are available in the login page. Check that each link works.

6

To check that lock/disable works, open a browser and log in as a test user. In another browser session, log in as xelsysadm and lock the test user account. Click the Logout link on the OIM console.

The user must be logged out and redirected back to the login page.

 

To test SSO logout, log in to the Oracle Identity Manager console as test user/xelsysadm.

Upon logout from the page, it must redirect to the SSO logout page.


5.6 Additional Configuration

This section describes additional configuration that you may need to perform depending on your requirements.

5.6.1 Migrating from the Domain Agent to 10gWebGate with OHS 11g

Perform this task by following the instructions in Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for OAM in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Next, complete the configuration by performing these actions:

5.6.1.1 Update WebGate Type and ID

Take these steps to update the Webgate Type and WebGate ID using Oracle Enterprise Manager Fusion Middleware Control:

  1. Navigate to Identity and Access, then OIM, then oim(11.1.1.3.0).

  2. Right-click on oim (11.1.1.3.0) and select System Mbean Browser.

  3. Navigate to Application Defined Mbeans, then oracle.iam, then Server: oim_server1, then Application:oim, then XMLConfig, then Config, then XMLConfig.SSOConfig, then SSOConfig.

5.6.1.2 Set the WebGate Preferred Host

This step is required to redirect users to the Oracle Access Manager login page for Oracle Identity Manager if they type in a URL of the form:

http://OHS_HOST:OHS_PORT/admin/faces/pages/Admin.jspx

Take these steps to set the preferred Webgate host:

  1. Log in to the Oracle Access Manager console, Click on System Configuration, and navigate to Access Manager Settings, then SSO Agents, then OAM Agent.

  2. Click the Search button. A list of WebGate IDs appears. Open the one registered in WebGate.

  3. Update the Preferred Host field and set it to IAMSuiteAgent.

  4. Click Apply.

  5. Restart Oracle HTTP Server.

5.6.1.3 Create the Oracle Identity Manager SSO Keystore

Note:

This step is needed if WebGate is configured in simple mode.

Follow the instructions in Creating Oracle Identity Manager SSO Keystore in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

5.6.2 Loading the Nexaweb Applet in an Integrated Environment

In an Oracle Identity Manager and Oracle Access Manager (OAM) integrated environment, when you login to the Oracle Identity Manager Administrative and User Console and click a link that opens the Nexaweb applet, configuration is required to enable loading of the NexaWeb Applet. The steps are as follows:

  1. Log in to the Oracle Access Manager Console.

  2. Create a new Webgate ID. To do so:

    1. Click the System Configuration tab.

    2. Click 10Webgates, and then click the Create icon.

    3. Specify values for the following attributes:

      Name: NAME_OF_NEW_WEBGATE_ID

      Access Client Password: PASSWORD_FOR_ACCESSING_CLIENT

      Host Identifier: IAMSuiteAgent

    4. Click Apply.

    5. Edit the Webgate ID, as shown:

      set 'Logout URL' = /oamsso/logout.html

    6. Deselect the Deny On Not Protected checkbox.

  3. Install a second Oracle HTTP Server (OHS) and Webgate. During Webgate configurations, when prompted for Webgate ID and password, use the Webgate ID name and password for the second Webgate that you provided in step 2c.

  4. Login to the Oracle Access Manager Console. In the Policy Configuration tab, expand Application Domains, and open IdMDomainAgent.

  5. Expand Authentication Policies, and open Public Policy. Remove the following URLs in the Resources tab:

    /xlWebApp/.../*

    /xlWebApp

    /Nexaweb/.../*

    /Nexaweb

  6. Expand Authorization Policies, and open Protected Resource Policy. Remove the following URLs in the Resources tab:

    /xlWebApp/.../*

    /xlWebApp

    /Nexaweb/.../*

    /Nexaweb

  7. Restart all the servers.

  8. Update the obAccessClient.xml file in the second Webgate. To do so:

    1. Create a backup of the SECOND_WEBGATE_HOME/access/oblix/lib/ObAccessClient.xml file.

    2. Open the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file.

      Note:

      Ensure that the DenyOnNotProtected parameter is set to 0.

    3. Copy the DOMAIN_HOME/output/WEBGATE_ID_FOR_SECOND_WEBGATE/ObAccessClient.xml file to the SECOND_WEBGATE_HOME/access/oblix/lib/ directory.

  9. Copy the mod_wls_ohs.conf from the FIRST_OHS_INSTANCE_HOME/config/OHS_NAME/directory to the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/ directory. Then, open the mod_wls_host.conf of the second OHS to ensure the WebLogicHost and WeblogicPort are still pointing to Oracle Identity Manager managed server host and port.

  10. Remove or comment out the following lines in the SECOND_OHS_INSTANCE_HOME/config/OHS_NAME/httpd.conf file:

    <LocationMatch "/oamsso/*">
       Satisfy any
    </LocationMatch>
    
  11. Copy the logout.html file from the FIRST_WEBGATE_HOME/access/oamsso/ directory to the SECOND_WEBGATE_HOME/access/oamsso/ directory. Then, open the logout.html file of the second Webgate to ensure that the host and port setting of the SERVER_LOGOUTURL variable are pointing to the correct OAM host and port.

  12. Login to Oracle Access Manager Console. In the Policy Configuration tab, expand Host Identifiers, and open the host identifier that has the same name as the second Webgate ID name. In the Operations section, verify that the host and port for the second OHS are listed. If not, then click the add icon (+ sign) to add them. Then, click Apply.

  13. Use the second OHS host and port in the URL for the OAM login page for Oracle Identity Manager. The URL must be in the following format:

    http://SECOND_OHS_HOST:SECOND_OHS_PORT/admin/faces/pages/Admin.jspx