Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimizing or eliminating the need to change either the infrastructure or the applications.
This section provides the tasks you must perform to configure Access Manager KerberosPlugin authentication for WNA with Oracle Virtual Directory.
Oracle Virtual Directory communicates with other directories through adapters. Before you can start using Oracle Virtual Directory as an identity store, you must create adapters to each of the directories you want to use.
The procedure differs slightly, depending on the directory to which you are connecting. If you choose to use Oracle Internet Directory, Active Directory, Oracle Directory Server Enterprise Edition (ODSEE), or Oracle Unified Directory, the required adapters are created and configured while installing and configuring the Oracle Identity Management Server. For more information on managing the adapters, see "Managing Identity Virtualization Library (libOVD) Adapters" in the .
In the following procedure you create an account for the OAM Server in the trusted domain. Additionally, you create two Active Directory Adapters (one for each forest) using the fully-qualified domain names as namespaces. By default Active Directory uses dc to construct the root context distinguished name. If this is different in your deployment, adjust your adapter namespaces accordingly.
Perform tasks described in "Confirming Access Manager Operations".
Install Oracle Virtual Directory, as described in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
In Oracle Virtual Directory Console, create two Active Directory Adapters (one for each forest) using the fully-qualified domain names as namespaces as follows:
- Adapter 1, EXAMPLE Adapter namespace (domain DNS lm.example.com): dc=lm,dc=example,dc=com
- Adapter 2, SPRITE Adapter namespace (domain DNS lmsib.sprite.com): dc=lmsib,dc=sprite,dc=com
Shut down the OAM Cluster.
Restart the AdminServer and all OAM Servers.
Proceed with "Registering Oracle Virtual Directory as the Default Store for WNA".
Users with valid Oracle Access Management Administrator credentials can register Oracle Virtual Directory as the user store for Access Manager interoperating with Windows Native Authentication.
For Windows Native Authentication, the user credentials must reside in Microsoft Active Directory. Active Directory can be managed by an Oracle Virtual Directory instance. For single sign-on with Access Manager, each User Identity Store must be registered to operate with Access Manager.
Typically, userprincipalname reflects the Windows login name. For WNA with Access Manager, either leave the User Search Base and Group Search Base blank or provide the distinguished name path that is common to both the adapters configured while performing prerequisite tasks. Before you begin, be sure to complete the sections About Preparing Your Active Directory and Kerberos Topology and Confirming Access Manager Operations.
When a native authentication module does not offer enough flexibility for your needs, you can create a custom authentication module using plug-ins designed to meet specific needs.
The KerberosPlugin is a credential mapping module that matches the credentials (encrypted username in the Kerberos ticket (SPNEGO token)) of the user who requests the resource. By default, KerberosPlugin maps the domain DNS name to the corresponding distinguished name using the dc component. However, if the mapping is different, you can specify the correct mapping as a semicolon (;) separated list of name:value tokens. For example:
LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com
Users with valid Oracle Access Management Administrator credentials can perform the following task to replace default KerberosPlugin steps with steps that enable integration for Windows Native Authentication using the Oracle Access Management Console.
In the Oracle Access Management Console, click Application Security at the top of the window.
Click Authentication Modules in the Plug-ins section.
Click Search, locate the KerberosPlugin plug-in and open it for editing.
On the KerberosPlugin page, click the Steps tab.
Steps Tab: Replace stepKTA, as described here, then click Save.
Click stepKTA then click the Delete (x) button to remove this step.
Click the Add (+) button and add the following step to the plug-in:
Element | Description
---|---
Name | stepKTA
Class | KerberosTokenAuthenticator
Step Details:
Edit this new stepKTA to change the Step Orchestration value from NULL (defined during the step deletion) to its default value of:
- On Success: stepUIF
- On Failure: Failure
Also, confirm that this new stepKTA includes the parameter KEY_DOMAIN_DNS2DN_MAP (created earlier), enter the appropriate values for your deployment, and click Save.
Element | Description
---|---
KEY_DOMAIN_DNS2DN_MAP | Active Directory forests in your deployment. For example: LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com. Note: by default, a DNS domain name a.b.c is mapped to dc=a,dc=b,dc=c. Specify this parameter only if your mapping differs; otherwise leave it unset and let the default behavior apply.
Service Principal | HTTP/oam11g.example.com@LM.EXAMPLE.COM
keytab.conf | keytab.conf location for stepKTA
krb5.conf | krb5.conf location for stepKTA
stepUIF Details: Configure as follows and click Save:
Element | Description
---|---
KEY_LDAP_FILTER | (samAccountName={KEY_USERNAME})
KEY_IDENTITY_STORE_REF | OVD
KEY_SEARCHBASE_URL | Leave this empty
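The following added example (not Oracle's code, and not how the plug-in is implemented internally) illustrates the two mappings the KerberosPlugin configuration above relies on: resolving a Kerberos realm from the KEY_DOMAIN_DNS2DN_MAP parameter (falling back to the default dc= construction when the realm is not listed), and filling the stepUIF KEY_LDAP_FILTER template from the user principal. It assumes the principal from the ticket has the form user@REALM and that the prefix is used as samAccountName; the filter value is escaped per RFC 4515 so ticket-supplied characters cannot change the query.

```python
def parse_dns2dn_map(value):
    """Parse a KEY_DOMAIN_DNS2DN_MAP string into {REALM: base DN}.

    Format from the page: semicolon-separated name:value tokens, e.g.
    LM.EXAMPLE.COM:dc=lm,dc=example,dc=com;LMSIB.SPRITE.COM:dc=lmsib,dc=sprite,dc=com
    """
    mapping = {}
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue  # tolerate a trailing semicolon
        realm, sep, dn = token.partition(":")
        if not sep or not realm.strip() or not dn.strip():
            raise ValueError(f"malformed KEY_DOMAIN_DNS2DN_MAP token: {token!r}")
        mapping[realm.strip().upper()] = dn.strip()
    return mapping


def default_dns2dn(domain):
    """Default behaviour described on the page: a.b.c -> dc=a,dc=b,dc=c."""
    labels = [lbl for lbl in domain.lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def resolve_search_base(realm, dns2dn_map=""):
    """An explicit map entry wins; otherwise fall back to the dc= construction."""
    overrides = parse_dns2dn_map(dns2dn_map) if dns2dn_map else {}
    return overrides.get(realm.upper()) or default_dns2dn(realm)


# RFC 4515 filter-value escapes; keeps a principal like "a*)(b" from altering the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup(upn, ldap_filter_template="(samAccountName={KEY_USERNAME})", dns2dn_map=""):
    """Split user@REALM (assumed principal form), pick the base DN, fill the filter."""
    username, sep, realm = upn.rpartition("@")
    if not sep or not username or not realm:
        raise ValueError(f"expected user@REALM, got {upn!r}")
    base_dn = resolve_search_base(realm, dns2dn_map)
    ldap_filter = ldap_filter_template.replace("{KEY_USERNAME}", escape_filter_value(username))
    return base_dn, ldap_filter
```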
stepUI and stepUA: Configure as follows and Save:
Element | Description
---|---
KEY_IDENTITY_STORE_REF | OVD
Save the changes.
Restart the OAM Cluster.
Proceed with "Configuring Access Manager for Windows Native Authentication".