54.2 Overview of the Access Portal Service Deployment Process

The Access Portal Service provides form-fill single sign-on functionality to intranet and extranet Web applications by acting as a proxy between the target application and the user's browser.

Through the Oracle Traffic Director proxy, the Access Portal Service intercepts user connections to the target application, fetches the application's logon or password change page, and injects JavaScript code necessary to perform form-fill single sign-on tasks (such as credential capture or injection), then delivers the modified page to the user's browser.

The Access Portal Service utilizes the following components:

  • Oracle Traffic Director - intercepts user connections to the target application and provides path-proxy and DNS-proxy functionality, allowing for path and DNS rewriting. Also hosts the WebGate plugin.

  • WebGate plugin - a plugin that monitors whether the intercepted user connections require authentication via Oracle Access Manager (based on the assigned authentication policy) and redirects the user to the authentication page as necessary. It enables single sign-on functionality (logon, password change, and credential capture) in internal and external Web applications.

  • Oracle Access Manager - provides the authentication service to users as defined in the authentication policy.

  • An LDAP Directory - serves as a data repository for the Access Portal Service and as the authentication back-end mechanism for Oracle Access Manager. For a list of supported directories, see the Certification Matrix accessible via the Oracle Support site.

  • (Optional) Web Logon Manager - a reference client application that acts as a launchpad for applications enabled with Oracle's single sign-on technologies. Web Logon Manager supports Web applications enabled with the Access Portal Service's form-fill single sign-on technology and is available for download on the Oracle Technology Network web site. For more information, please contact Oracle Support.

  • Oracle Enterprise Single Sign-On Administrative Console - provides the means to create and edit form-fill application policies (templates), password generation policies, delegate credentials, and configure other Access Portal Service features not accessible via the Oracle Access Manager Console.

  • (Optional) Oracle HTTP Server - hosts the Detached Credential Collector Web pages.

The following is a high-level overview of the deployment process:

  1. Deploy the Java Cryptography Extension files on your Oracle Access Manager server. These files enable unlimited strength jurisdiction policy encryption on Oracle Access Manager.

  2. Create the identity store configuration file. This file contains the connection specifics for the directory that will host the Access Portal Service data repository.

  3. Prepare and enable the Access Portal Service. You must use the IDM Configuration Tool to extend the directory schema, create the necessary users and groups, create the Webgate profile, create and assign an authentication scheme, and create a data repository; then, you must enable the Access Portal Service.

  4. Set the Oracle Access Manager policy cache refresh interval. If you plan to use the Enterprise Single Sign-On Administrative Console to create and modify Access Portal Service application policies (templates), you must configure the Oracle Access Manager policy cache refresh interval to ensure that Oracle Access Manager periodically checks for updated policies in the Access Portal Service repository.

  5. (Optional) Install the Oracle Privileged Account Manager certificates. If you plan to enable Oracle Privileged Account Manager-protected applications with the Access Portal Service, you must install the Oracle Privileged Account Manager certificates into the instance of Oracle Access Manager running the Access Portal Service. (Only supported on WebLogic.)

  6. Deploy the Oracle Traffic Director Administration Server instance. This instance will provide the means to administrate Oracle Traffic Director proxy instance(s) (such as configuring listeners, origin servers, and server pools).

  7. Deploy the Webgate binaries and Oracle Access Manager secure trust artifacts. You will run the Webgate installer to deploy the required plugin binaries into Oracle Traffic Director and copy the Oracle Access Manager secure trust artifacts into the deployed Webgate instance.

  8. (Optional) Deploy the ESSOProvisioning plugin. This plugin enables provisioning of LDAP credentials as application credentials for single sign-on and the automatic updating of stored application credentials when the directory-provided credentials change. This plugin is optional and is not required by the Access Portal Service.

  9. Create an Oracle Traffic Director configuration. An Oracle Traffic Director configuration is a collection of elements that define the run-time behavior of an Oracle Traffic Director instance. A configuration contains information about various elements of an Oracle Traffic Director instance such as listeners, origin servers, failover groups, and logs.

  10. Protect the Oracle Traffic Director instance with the Webgate plugin. To allow the Webgate plugin to process user traffic and provide authentication and single sign-on services, you must place it "in front of" your Oracle Traffic Director instance. This is called "protecting" the instance with the selected plugins.

  11. (Optional) Enable the Detached Credential Collector for the Webgate. The Detached Credential Collector adds a layer of security by intercepting user authentication requests normally sent directly to Oracle Access Manager, collecting the user's credentials, and passing them to Oracle Access Manager. This avoids the need for users to connect directly to your Oracle Access Manager instance. The Detached Credential Collector pages run on an instance of Oracle HTTP Server.

  12. Enable target applications for form-fill single sign-on. Once the Access Portal Service has been successfully deployed, you can begin enabling your target applications with form-fill single sign-on functionality. This includes configuring the necessary proxy rules in Oracle Traffic Director, and creating and publishing a form-fill application policy in Oracle Access Manager.