57.5 Integrating KerberosPlugin with Oracle Virtual Directory

Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimizing or eliminating the need to change either the infrastructure or the applications.

This section provides the tasks you must perform to configure Access Manager KerberosPlugin authentication for WNA with Oracle Virtual Directory.

  1. Perform the tasks in this section:
     • Preparing Oracle Virtual Directory for Integration
     • Registering Oracle Virtual Directory as the Default Store for WNA
     • Setting Up Authentication with Access Manager KerberosPlugin and OVD
  2. Configuring Access Manager for Windows Native Authentication
  3. Enabling the Browser to Return Kerberos Tokens
  4. Validating WNA with Access Manager Protected Resources

57.5.1 Preparing Oracle Virtual Directory for Integration

Oracle Virtual Directory communicates with other directories through adapters. Before you can start using Oracle Virtual Directory as an identity store, you must create adapters to each of the directories you want to use.

The procedure differs slightly, depending on the directory to which you are connecting. If you choose to use Oracle Internet Directory, Active Directory, Oracle Directory Server Enterprise Edition (ODSEE), or Oracle Unified Directory, the required adapters are created and configured while installing and configuring the Oracle Identity Management Server. For more information on managing the adapters, see "Managing Identity Virtualization Library (libOVD) Adapters" in the .

In the following procedure you create an account for the OAM Server in the trusted domain and two Active Directory Adapters (one for each forest), using the fully qualified domain names as namespaces. By default, Active Directory builds the root context distinguished name from dc components (domain a.b.c becomes dc=a,dc=b,dc=c). If your deployment differs, adjust the adapter namespaces accordingly.

  1. Perform tasks described in "Confirming Access Manager Operations".

  2. Install Oracle Virtual Directory, as described in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. In Oracle Virtual Directory Console, create two Active Directory Adapters (one for each forest) using the fully-qualified domain names as namespaces as follows:

    1. Adapter 1, EXAMPLE Adapter namespace (domain DNS lm.example.com):

      dc=lm,dc=example,dc=com
      
    2. Adapter 2, SPRITE Adapter namespace (domain DNS lmsib.sprite.com):

      dc=lmsib,dc=sprite,dc=com
      
  4. Shut down the OAM Cluster.

  5. Restart the AdminServer and all OAM Servers.

  6. Proceed with "Registering Oracle Virtual Directory as the Default Store for WNA".

57.5.2 Registering Oracle Virtual Directory as the Default Store for WNA

Users with valid Oracle Access Management Administrator credentials can register Oracle Virtual Directory as the user store for Access Manager interoperating with Windows Native Authentication.

For Windows Native Authentication, the user credentials must reside in Microsoft Active Directory. Active Directory can be fronted by an Oracle Virtual Directory instance. For single sign-on with Access Manager, each User Identity Store must be registered to operate with Access Manager.

Typically, userprincipalname reflects the Windows login name. For WNA with Access Manager, either leave the User Search Base and Group Search Base blank or provide the distinguished name suffix that is common to both adapters configured in the prerequisite tasks (dc=com in this example). Before you begin, be sure to complete the sections About Preparing Your Active Directory and Kerberos Topology and Confirming Access Manager Operations.

  1. In the Oracle Access Management Console, click Configuration at the top of the window.
  2. Click User Identity Stores.
  3. In the OAM ID Stores section, click Create.
  4. Enter required values for your Oracle Virtual Directory instance. For example:
    • Name: OVD
    • LDAP Url: ldap://ovd_host.domain.com:389
    • Principal: cn=Administrator,cn=users,dc=lm,dc=example,dc=com
    • Credential: ********
    • User Search Base: dc=com
    • User Name Attribute: userprincipalname
    • Group Name: cn
    • Group Search Base: dc=com
    • LDAP Provider: Oracle Virtual Directory
  5. Default Store: Click the Default Store button to make this the user Identity Store for Access Manager.
  6. Click Apply to submit the registration, then dismiss the Confirmation window.
  7. Restart the AdminServer and OAM Servers.
  8. Proceed to "Setting Up Authentication with Access Manager KerberosPlugin and OVD".

57.5.3 Setting Up Authentication with Access Manager KerberosPlugin and OVD

When a native authentication module does not offer enough flexibility for your needs, you can create a custom authentication module using plug-ins designed to meet specific needs.

The KerberosPlugin is a credential mapping module: it takes the user name carried in the Kerberos ticket (the SPNEGO token presented by the browser) and maps it to the LDAP search base and user entry for the user who requests the resource. By default, KerberosPlugin maps the user's DNS domain name to the corresponding distinguished name using dc components (a.b.c becomes dc=a,dc=b,dc=c). If the mapping in your deployment is different, specify the correct mapping as a semicolon (;) separated list of name:value tokens. For example:

LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com

Users with valid Oracle Access Management Administrator credentials can perform the following task to replace default KerberosPlugin steps with steps that enable integration for Windows Native Authentication using the Oracle Access Management Console.

  1. In the Oracle Access Management Console, click Application Security at the top of the window.

  2. Click Authentication Modules in the Plug-ins section.

  3. Click Search, locate the KerberosPlugin plug-in and open it for editing.

  4. On the KerberosPlugin page, click the Steps tab.

    Steps Tab: Replace stepKTA, as described here, then click Save.

    1. Click stepKTA then click the Delete (x) button to remove this step.

    2. Click the Add (+) button and add the following step to the plug-in:

      Name: stepKTA

      Class: KerberosTokenAuthenticator

    Step Details:

    Edit this new stepKTA to change the Step Orchestration values from NULL (set when the step was deleted) back to their defaults:

      On Success: stepUIF
      On Failure: failure
      On Error: failure
    

    Also confirm that this new stepKTA includes the parameter KEY_DOMAIN_DNS2DN_MAP (created earlier), enter the values appropriate for your deployment and click Save.

    KEY_DOMAIN_DNS2DN_MAP: The Active Directory forests in your deployment, as a semicolon-separated list of DNS-domain:DN tokens. For example:

      LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com

      Note: By default, a DNS domain name a.b.c is mapped to dc=a,dc=b,dc=c. Specify this parameter only if your mapping differs from that default; otherwise leave it unset and let the default behavior apply.

    Service Principal: The Kerberos service principal of the OAM Server, for example HTTP/oam11g.example.com@LM.EXAMPLE.COM

    keytab.conf: Location of the keytab file for stepKTA

    krb5.conf: Location of the krb5.conf file for stepKTA

  5. stepUIF Details: Configure as follows and click Save:

    KEY_LDAP_FILTER: (samAccountName={KEY_USERNAME})

    KEY_IDENTITY_STORE_REF: OVD

    KEY_SEARCHBASE_URL: Leave this empty

  6. stepUI and stepUA: Configure as follows and Save:

    KEY_IDENTITY_STORE_REF: OVD

  7. Save the changes.

  8. Restart the OAM Cluster.

  9. Proceed with "Configuring Access Manager for Windows Native Authentication".
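The mapping that stepKTA performs from the DNS domain in the ticket to an adapter namespace, and the user lookup that stepUIF then runs against the OVD identity store, are easy to misconfigure when two forests are involved. The following is an added example, written for this page and not Oracle's KerberosPlugin implementation, that reproduces the documented behaviour so you can check a deployment's values offline: it parses a KEY_DOMAIN_DNS2DN_MAP string, falls back to the default a.b.c to dc=a,dc=b,dc=c mapping for realms not listed, verifies that the resolved base DN lies under the identity store's User Search Base (blank means unrestricted, as the registration section allows), and builds the stepUIF filter with RFC 4515 escaping of the user name taken from the ticket. The map, filter template, search base and principals below are constructed from the page's own sample values; the function names are this example's, not the plug-in's.

```python
"""Resolve the search base and LDAP filter that a KerberosPlugin-style
credential mapping derives from a SPNEGO principal.

Example code for this page, not Oracle's KerberosPlugin implementation.
"""

# Constructed from the page's sample deployment (two forests behind OVD).
DNS2DN_MAP = ("LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;"
              "LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com")
LDAP_FILTER_TEMPLATE = "(samAccountName={KEY_USERNAME})"   # stepUIF KEY_LDAP_FILTER
USER_SEARCH_BASE = "dc=com"                                  # identity store User Search Base


def default_dns_to_dn(domain: str) -> str:
    """Default behaviour documented on the page: a.b.c -> dc=a,dc=b,dc=c."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def parse_dns2dn_map(value: str) -> dict:
    """Parse the semicolon-separated DOMAIN:dn list; keys normalised to upper case."""
    mapping = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        if ":" not in token:
            raise ValueError(f"malformed KEY_DOMAIN_DNS2DN_MAP token (want DOMAIN:dn): {token!r}")
        domain, dn = token.split(":", 1)
        mapping[domain.strip().upper()] = dn.strip()
    return mapping


def split_principal(principal: str) -> tuple:
    """'user@REALM' -> ('user', 'REALM'); realm compared case-insensitively."""
    if "@" not in principal:
        raise ValueError(f"not a user principal (no realm): {principal!r}")
    user, realm = principal.rsplit("@", 1)
    if not user or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return user, realm.upper()


def dn_is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or an entry below it.

    Component-wise comparison on dc= style DNs (no escaped commas handled);
    an empty base means 'unrestricted', matching the 'leave blank' guidance.
    """
    def components(value: str) -> list:
        return [part.strip().lower() for part in value.split(",") if part.strip()]
    d, b = components(dn), components(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the ticket's user name must not be able to alter the filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def resolve_user_search(principal: str,
                        dns2dn_map: str = DNS2DN_MAP,
                        user_search_base: str = USER_SEARCH_BASE) -> dict:
    """Return the base DN and filter stepUIF would use for this principal."""
    user, realm = split_principal(principal)
    explicit = parse_dns2dn_map(dns2dn_map)
    base_dn = explicit.get(realm) or default_dns_to_dn(realm)   # default mapping as fallback
    if not dn_is_under(base_dn, user_search_base):
        # The adapter namespace for this forest is outside the registered store's scope,
        # so the user could never be found even though the ticket is valid.
        raise ValueError(f"base {base_dn!r} is not under User Search Base {user_search_base!r}")
    ldap_filter = LDAP_FILTER_TEMPLATE.replace("{KEY_USERNAME}", escape_filter_value(user))
    return {"user": user, "realm": realm, "base_dn": base_dn, "filter": ldap_filter}


if __name__ == "__main__":
    for p in ("jdoe@LM.EXAMPLE.COM", "asmith@lmsib.sprite.com"):
        print(p, "->", resolve_user_search(p))
```

Running the module prints the base DN and filter for one user from each forest; the check against the User Search Base is what tells you whether a value such as dc=example,dc=com (common to only one adapter) would silently exclude the second forest.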