B Configuring SSO Providers for Oracle Identity Manager

This appendix describes the configuration steps for enabling Oracle Identity Manager for single sign-on (SSO). To do so, Oracle Identity Manager is enabled to use third-party SSO providers, such as OpenSSO, IBM Tivoli Access Manager, and CA SiteMinder.

This appendix contains the following sections:

  • Common Prerequisites for Integration With Third-Party SSO Solutions

  • Enabling Oracle Identity Manager to Work With OpenSSO

  • Enabling Oracle Identity Manager to Work With IBM Tivoli Access Manager

  • Enabling Oracle Identity Manager to Work With CA SiteMinder

  • Configuring Basic SSO Using OAM

  • Simplifying Third-Party SSO Integration

B.1 Common Prerequisites for Integration With Third-Party SSO Solutions

This section lists the common prerequisites for integrating Oracle Identity Manager with third-party SSO providers, such as Siteminder, OpenSSO, and Tivoli Access Manager. SSO provider-specific prerequisites are listed separately in corresponding sections. The common prerequisites are as follows:

  • The identity population in Oracle Identity Manager is synchronized with the identity information in the LDAP registry used by the SSO provider. Oracle Identity Manager's LDAP synchronization feature can be used for this purpose.

  • The Oracle Identity Manager system administrator (xelsysadm) account should be created in the LDAP repository so that you can perform SSO login to OIM using this administrator account. This account should be created in the same user container that holds the other OIM users in the LDAP repository. Also ensure that the LDAP user attribute that is mapped to the Oracle Identity Manager user login (uid or sAMAccountName) has the value set to XELSYSADM.

  • The SSO header returned by the SSO provider must contain the username value that maps to the OIM User Login field.

B.2 Enabling Oracle Identity Manager to Work With OpenSSO

This section contains the following topics:

  • Prerequisites

  • Integrating Oracle Identity Manager with OpenSSO

  • Running Validation Tests to Verify the Configuration

B.2.1 Prerequisites

The prerequisites for integrating Oracle Identity Manager with OpenSSO are:

  • Oracle Identity Manager 11g Release 2 (11.1.2.3.0) is installed and configured.

  • OpenSSO 8.0 is installed and configured.

  • OpenSSO Enterprise Policy Agent 3.0 for Oracle WebLogic Server/Portal 10 (weblogic_v10_agent_3) is installed and configured.

  • The common prerequisite for integrating Oracle Identity Manager with third-party SSO solutions has been met, as described in "Common Prerequisites for Integration With Third-Party SSO Solutions".

B.2.2 Integrating Oracle Identity Manager with OpenSSO

To integrate Oracle Identity Manager 11g Release 2 (11.1.2.3.0) with OpenSSO 8.0 on Oracle WebLogic Server:

  1. Start OpenSSO.

  2. Start Oracle Identity Manager.

  3. Install the OpenSSO policy agent on the Admin Server of the Oracle Identity Manager domain. To do so:

    1. Create a J2EE agent profile on OpenSSO. Refer to the policy agent section in OpenSSO documentation for creating the profile.

    2. Install agent on WebLogic Admin Server. Install the agent by using the agentadmin utility. Refer to the policy agent section in OpenSSO documentation.

  4. Install OpenSSO policy agent on Oracle Identity Manager Managed Server of Oracle Identity Manager domain. To do so, install agent on Oracle Identity Manager Managed Server. Refer to the policy agent section of OpenSSO documentation for installing the agent on a managed server. Use the same agent profile that you created in step 3.a.

    Note:

    For a clustered deployment of Oracle Identity Manager, install the policy agent on each Oracle Identity Manager Managed Server.

  5. To configure OpenSSO policy agent after installation:

    Note:

    For a clustered deployment of Oracle Identity Manager, the OpenSSO policy agent must be configured on each Oracle Identity Manager Managed Server.

    1. Configure the WebLogic Server instances by setting the agent classpath and Java options.

    2. Deploy agent application on Admin and Managed Servers.

    3. Deploy and configure agent authentication provider.

    4. Add WebLogic admin to bypasslist.

    5. Install the agent filter in the OIM web-apps. In this step, add the OpenSSO agent filter to all the Oracle Identity Manager web-apps that support OIM user login. To do so:

      Note:

      The corresponding deployment-descriptors are located at:
      • IDM_ORACLE_HOME/server/apps/oim.ear/iam-consoles-faces.war/WEB-INF/web.xml

      • IDM_ORACLE_HOME/server/apps/oracle.iam.console.identity.self-service.ear/oracle.iam.console.identity.self-service.war/WEB-INF/web.xml

      • IDM_ORACLE_HOME/server/apps/oracle.iam.console.identity.sysadmin.ear/oracle.iam.console.identity.sysadmin.war/WEB-INF/web.xml

      i) Go to the IDM_ORACLE_HOME/server/apps/ directory.

      ii) Create a backup of the oim.ear/iam-consoles-faces.war/WEB-INF/web.xml file, and then edit it to add the filter element as mentioned in OpenSSO documentation. Save the changes.

      iii) Create a backup of the oracle.iam.console.identity.self-service.ear file, and then extract it in a temporary location. Then extract the oracle.iam.console.identity.self-service.war file. Edit WEB-INF/web.xml to add the filter element as mentioned in OpenSSO documentation. Repackage oracle.iam.console.identity.self-service.war with the modified web.xml, and then repackage oracle.iam.console.identity.self-service.ear with modified oracle.iam.console.identity.self-service.war.

      iv) Create a backup of oracle.iam.console.identity.sysadmin.ear, and then extract it in a temporary location. Then extract the oracle.iam.console.identity.sysadmin.war file. Edit WEB-INF/web.xml to add the filter element as mentioned in OpenSSO documentation. Repackage oracle.iam.console.identity.sysadmin.war with the modified web.xml, and then repackage oracle.iam.console.identity.sysadmin.ear with modified oracle.iam.console.identity.sysadmin.war.

      Note:

      Ensure that after performing steps iii and iv, the only difference between the modified EAR files and the original EAR files is in the web.xml files.

      v) Shut down the Oracle Identity Manager instance.

      vi) Go to OIM_DOMAIN_HOME/servers/OIM_SERVER_INSTANCE/tmp/_WL_user/ directory. Go to OIM_DOMAIN_HOME\servers\OIM_SERVER_INSTANCE\tmp\_WL_user\ directory if the setup is on Microsoft Windows.

      vii) Delete the directories specific to oracle.iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear UI applications. In a typical Oracle Identity Manager setup, the directories to be deleted are oracle.iam.console.identity.self-service.ear_V2.0 and oracle.iam.console.identity.sysadmin.ear_V2.0.

      viii) Restart Oracle Identity Manager Managed Server instance, and then check that the directories are re-created in the directory path mentioned in step vi.

  6. Update the agent profile for Oracle Identity Manager Managed Server with Oracle Identity Manager URL information. To do so:

    1. Login to OpenSSO application, and select the Oracle Identity Manager Managed Server agent profile.

    2. Click the general tab. Change the Agent filter mode. Remove all existing values. Add new value with empty key and corresponding map value as J2EE_POLICY.

    3. Click the applications tab. Update the various sections as follows:

      • Login Form URI. Add the following:

        /oim/faces/pages/Login.jspx
        /identity/faces/signin
        /sysadmin/faces/signin
        
      • Login Error URI. Add the following:

        /identity/faces/signin
        /sysadmin/faces/signin
        /oim/faces/pages/LoginError.jspx
        
      • Not Enforced URI Processing. Add the following:

        /identity/faces/register
        /identity/faces/forgotpassword
        /identity/faces/trackregistration
        /identity/faces/forgotuserlogin
        /identity/faces/accountlocked
        /identity/adfAuthentication
        /identity/afr/blank.html
        /sysadmin/adfAuthentication
        /sysadmin/afr/blank.html
        /sysadmin/faces/noaccess
        /oim/afr/blank.html
        /workflowservice/*
        /callbackResponseService/*
        /spml-xsd/*
        
  7. Configure SSO in Oracle Identity Manager. To do so:

    1. Set up WebLogic authenticators. To do so:

      i) Add and configure WebLogic authentication provider for LDAP server corresponding to the user data store used by OpenSSO. For example, if OpenSSO uses Sun DSEE, then configure iPlanet authentication provider. Set the control flag as SUFFICIENT.

      Note:

      Ensure that all the Oracle Identity Manager users are synchronized with the LDAP server to which the authenticator points.

      ii) Add and configure Oracle Identity Manager signature authentication provider (OIMSignatureAuthenticator). Set the control flag as SUFFICIENT.

      iii) Arrange the authenticator chain in the following order:

      • DefaultAuthenticator - SUFFICIENT

      • OIMSignatureAuthenticator - SUFFICIENT

      • AgentAuthenticator - OPTIONAL

      • LDAPAuthenticator - SUFFICIENT

      • DefaultIdentityAsserter

    2. Change the Oracle Identity Manager logout to execute OpenSSO logout URL by running the following command:

      cd <IDM_ORACLE_HOME>/common/bin
      ./wlst.sh
      connect()
      addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="http(s)://openssohost:openssoport/opensso/UI/Logout", autologinuri="/obrar.cgi")
      exit()
      
    3. Set Oracle Identity Manager ssoenabled flag to true. To do so:

      i) Login to Enterprise Manager. Open System MBean Browser.

      ii) Open the oracle.iam:Location=<OIM_SERVER_NAME>,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 mbean.

      iii) Set the value of ssoEnabled to true.

  8. Restart Oracle Identity Manager domain.

  9. Test the configuration by navigating to the following URL:

    http://OIM_HOST:OIM_PORT/identity/

    The page is redirected to the OpenSSO login page. Log in as a valid Oracle Identity Manager user.
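The note after steps iii and iv of step 5 requires that the repackaged EAR files differ from the originals only in their web.xml files. The following script is an added example, not part of the Oracle documentation: it unpacks an original and a repackaged EAR, descends into the nested WAR, and reports every entry that was added, removed or altered. The archive names are the ones from the procedure; the sample archives and the filter content are constructed in memory for illustration.

```python
"""Check that a repackaged EAR differs from the original only in WEB-INF/web.xml.

Added example (not from the Oracle documentation). Archive names follow the
procedure above; the sample archives below are constructed in memory.
"""
import io
import zipfile


def _entries(data: bytes, prefix: str = "") -> dict:
    """Flatten an archive to {entry_path: content_bytes}, recursing into nested
    .war/.jar/.ear entries. Nested entries are keyed as "outer!inner"."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info.filename)
            path = prefix + info.filename
            if info.filename.lower().endswith((".war", ".jar", ".ear")):
                out.update(_entries(content, path + "!"))
            else:
                out[path] = content
    return out


def changed_entries(original: bytes, modified: bytes) -> set:
    """Entry paths that were added, removed, or whose content changed."""
    a, b = _entries(original), _entries(modified)
    return {p for p in set(a) | set(b) if a.get(p) != b.get(p)}


def only_web_xml_changed(original: bytes, modified: bytes) -> bool:
    """The check the note asks for: at least one change, and every change is a
    WEB-INF/web.xml (timestamps and compression levels are ignored because the
    comparison is on entry content, not on raw archive bytes)."""
    diff = changed_entries(original, modified)
    return bool(diff) and all(p.endswith("WEB-INF/web.xml") for p in diff)


def _zip(entries: dict) -> bytes:
    """Build an archive from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


WAR = "oracle.iam.console.identity.self-service.war"
ORIG_WEB_XML = b"<web-app></web-app>"  # constructed placeholder content
# Constructed stand-in for the edited descriptor; the real filter element comes
# from the OpenSSO agent documentation and is not reproduced here.
NEW_WEB_XML = b"<web-app><filter><filter-name>Agent</filter-name></filter></web-app>"


def build_sample_pair() -> tuple:
    """Constructed original and correctly repackaged EARs."""
    original = _zip({
        "META-INF/application.xml": b"<application/>",
        WAR: _zip({"WEB-INF/web.xml": ORIG_WEB_XML, "index.html": b"hi"}),
    })
    modified = _zip({
        "META-INF/application.xml": b"<application/>",
        WAR: _zip({"WEB-INF/web.xml": NEW_WEB_XML, "index.html": b"hi"}),
    })
    return original, modified


def build_bad_pair() -> tuple:
    """Constructed repackaging that also lost a file; the check must reject it."""
    original, _ = build_sample_pair()
    bad = _zip({
        "META-INF/application.xml": b"<application/>",
        WAR: _zip({"WEB-INF/web.xml": NEW_WEB_XML}),  # index.html dropped
    })
    return original, bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py original.ear repackaged.ear
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            o, m = f1.read(), f2.read()
    else:
        o, m = build_sample_pair()
    print(sorted(changed_entries(o, m)), only_web_xml_changed(o, m))
```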

B.2.3 Running Validation Tests to Verify the Configuration

Run the following validation steps to verify if the integration between Oracle Identity Manager and OpenSSO is successful:

User Login to Oracle Identity Manager Through SSO

Prerequisite: Create a user, for example ENDUSER001 in Oracle Identity Manager and LDAP.

Step: Try logging in to Oracle Identity Manager through SSO as the user you created, for example ENDUSER001, and check if the login is successful.

Expected output: Login is successful.

Client-Based Login to Oracle Identity Manager

Prerequisite: Make sure that Oracle Identity Manager Design Console is installed and configured.

Step: Try logging in to the Design Console as system administrator with SSO password.

Expected output: Login to the Design Console is successful, assuming that LDAPAuthenticator is configured properly for SSO login.

Signature-Based Authentication

To test signature-based authentication:

  1. Try accessing the scheduler service URL. It should be running on Oracle Identity Manager Managed Server port, as shown:

    http://OIM_HOST:OIM_PORT/SchedulerService-web

  2. Login as system administrator with SSO password.

  3. If the login is successful and you can see the following details on the screen, then signature login is successful:

    Scheduler Current Status: STARTED

    Last Error: NONE

  4. Click Start on the page if the following is displayed:

    Scheduler Current Status: STOPPED

    If no errors are displayed on the page, then signature login is successful.

B.3 Enabling Oracle Identity Manager to Work With IBM Tivoli Access Manager

This section contains the following topics:

  • Prerequisites

  • Integrating Oracle Identity Manager with IBM Tivoli Access Manager

  • Running Validation Tests to Validate the Configuration

B.3.1 Prerequisites

The prerequisites for integrating Oracle Identity Manager with IBM Tivoli Access Manager are:

  • Oracle Identity Manager 11g Release 2 (11.1.2.3.0) is installed and configured.

  • IBM Tivoli Access Manager (TAM) for e-business 6.1 is installed and configured.

  • IBM Tivoli Access Manager Adapter for Oracle WebLogic Server for TAM 6.1 and Oracle WebLogic Server 10g or 11g are installed and configured.

  • The common prerequisite for integrating Oracle Identity Manager with third-party SSO solutions has been met, as described in "Common Prerequisites for Integration With Third-Party SSO Solutions".

  • Form-based login is enabled in TAM.

B.3.2 Integrating Oracle Identity Manager with IBM Tivoli Access Manager

To integrate Oracle Identity Manager 11g Release 2 (11.1.2.3.0) with IBM Tivoli Access Manager for e-business 6.1:

  1. Start IBM Tivoli Access Manager.

  2. Start Oracle Identity Manager.

  3. Set up the connection between WebSEAL and WebLogic. To do so:

    1. Create junctions to connect WebSEAL to the Oracle Identity Manager WebLogic Server.

    2. Configure the WebSEAL logout and login pages.

    3. Deploy the WebLogic security providers.

      Refer to the TAM-WebLogic integration documentation provided as part of the IBM Tivoli Access Manager Adapter for Oracle WebLogic Server. The additional details are as follows:

      • Take both the non-SSL and SSL ports of Oracle Identity Manager into consideration while creating junctions.

      • While creating WebSEAL junctions for protected resources, make sure to use the "-c iv-user" (insert iv-user HTTP header) option.

      • The resources that need to be protected or unprotected are as follows:

        Protect the following resources:

        /oim

        /xlWebApp

        /Nexaweb

        /identity

        /sysadmin

        Unprotect the following URIs:

        /identity/faces/register

        /identity/faces/forgotpassword

        /identity/faces/trackregistration

        /identity/faces/forgotuserlogin

        /identity/faces/accountlocked

        /identity/adfAuthentication

        /identity/afr/blank.html

        /sysadmin/adfAuthentication

        /sysadmin/afr/blank.html

        /sysadmin/faces/noaccess

        /oim/afr/blank.html

        Unprotect the following resources:

        /workflowservice

        /callbackResponseService

        /spml-xsd

      • Configure only the Tivoli Access Manager identity assertion provider (AMIdentityAsserterLite). Select the iv-user option while configuring it.

      • Do not configure the Tivoli Access Manager identity authentication provider.

      • Configure a WebLogic authentication provider for the LDAP server corresponding to the LDAP registry used by TAM. For example, if TAM uses Sun DSEE, then configure the iPlanet authentication provider. Set its control flag as SUFFICIENT. Ensure that all users in Oracle Identity Manager are synchronized to this LDAP server. Any Oracle Identity Manager user who is not present in the LDAP server will not be able to log in to Oracle Identity Manager.

      • Configure Oracle Identity Manager signature authentication provider (OIMSignatureAuthenticationProvider). Provide the Oracle Identity Manager database details while configuring it. You can use the same details as specified in OIMAuthenticationProvider. Set its control flag as SUFFICIENT.

      • Arrange the authenticator chain in the following order:

        TAMIdentityAsserter

        OIMSignatureAuthenticator - SUFFICIENT

        LDAPAuthenticator - SUFFICIENT

        DefaultAuthenticator - SUFFICIENT

        DefaultIdentityAsserter

        Note:

        If you cannot use TAMIdentityAsserter, then you can use the OAMIdentityAsserter, as described in "Simplifying Third-Party SSO Integration".

  4. Change the Oracle Identity Manager logout to execute TAM logout URL by using the following commands:

    cd <IDM_ORACLE_HOME>/common/bin
    ./wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="http(s)://<webseal-host:port>/pkmslogout", autologinuri="/obrar.cgi")
    exit()
    
  5. Set OIM ssoenabled flag to true. To do so:

    1. Login to Enterprise Manager. Open System MBean Browser.

    2. Open the oracle.iam:Location=<OIM_SERVER_NAME>,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 mbean.

    3. Set the value of ssoEnabled to true.

  6. Restart Oracle Identity Manager.

  7. Test the configuration by navigating to the following URL:

    http(s)://WEBSEAL_HOST:WEBSEAL_PORT/identity/faces/home

    The TAM login page is displayed. Log in as a valid Oracle Identity Manager user; the login should be successful.

B.3.3 Running Validation Tests to Validate the Configuration

Run the following validation steps to verify if the integration between Oracle Identity Manager and TAM is successful:

User Login to Oracle Identity Manager Through SSO

Prerequisite: Create a user, for example ENDUSER001, in Oracle Identity Manager and LDAP.

Step: Try logging in to Oracle Identity Manager through SSO as the user that you created, for example ENDUSER001, and check if the login is successful.

Expected output: Login should be successful.

Client-Based Single Login to Oracle Identity Manager

Prerequisite: Make sure that Oracle Identity Manager Design Console is installed and configured.

Step: Try logging in to the Design Console as system administrator with SSO password.

Expected output: Login to the Design console must be successful, assuming that LDAPAuthenticator is configured properly for SSO login.

Signature-Based Authentication

To test signature-based authentication:

  1. Try accessing the scheduler service URL. It should be running on Oracle Identity Manager Managed Server port, as shown:

    http://OIM_HOST:OIM_PORT/SchedulerService-web

  2. Login as system administrator by providing SSO password.

  3. If the login is successful and you can see the following details on the screen, then signature login is successful:

    Scheduler Current Status: STARTED

    Last Error: NONE

  4. Click Start on the page if the following is displayed:

    Scheduler Current Status: STOPPED

    If there are no errors on the page, then the signature login is successful.

B.4 Enabling Oracle Identity Manager to Work With CA SiteMinder

This section contains the following topics:

  • Prerequisites

  • Integrating Oracle Identity Manager with CA SiteMinder

  • Running Validation Tests to Validate the Configuration

B.4.1 Prerequisites

The prerequisites for integrating Oracle Identity Manager with CA SiteMinder are:

B.4.2 Integrating Oracle Identity Manager with CA SiteMinder

To integrate Oracle Identity Manager with CA SiteMinder:

  1. Install the Siteminder WebLogic Agent by referring to the Siteminder installation documentation. Follow the installation GUI instructions.

  2. Edit the setDomainEnv.sh file to set the variables, as shown:

    ASA_HOME='PATH_TO_SITEMINDER_AGENT_HOME'
    export ASA_HOME
    
    SMASA_CLASSPATH="$ASA_HOME/conf:$ASA_HOME/lib/smagentapi.jar:$ASA_HOME/lib/smjavasdk2.jar:$ASA_HOME/lib/sm_jsafe.jar:$ASA_HOME/lib/smclientclasses.jar:$ASA_HOME/lib/sm_jsafeJCE.jar"
    export SMASA_CLASSPATH
    
    SM_JAVA_OPTIONS=" -Dsmasa.home=$ASA_HOME"
    export SM_JAVA_OPTIONS
    
    CLASSPATH=${SMASA_CLASSPATH}:${CLASSPATH}
    export CLASSPATH
    
  3. Edit the startWebLogic.sh file to add SM_JAVA_OPTIONS to the JAVA command, as shown:

    $JAVA_HOME/bin/java ${JAVA_VM} ${MEM_ARGS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${SM_JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}
    
  4. Edit the ASA_HOME/conf/WebAgent.conf file to change the value of the EnableWebAgent parameter to YES.

  5. Restart all Managed and Admin servers.

  6. Add and configure SiteminderIdentityAsserter and SiteminderAuthenticationProvider in the WebLogic authentication chain. In the Identity Asserter common configuration, select SMSESSION.

  7. In the Provider Specific subtab, set the "SMIdentity Asserter Config File:" field to ASA_HOME/conf/WebAgent.conf.

  8. In SiteminderAuthenticationProvider 'ProviderSpecific', update "SMAuth Provider Config File:" to ASA_HOME/conf/WebAgent.conf.

  9. Remove existing OIMAuthenticationProvider from the authentication chain.

  10. Add OIMSignatureAuthenticator to the authentication chain. Set the control flag to SUFFICIENT. This authenticator is added only to handle signature based login to Oracle Identity Manager.

  11. Add an LDAP Authenticator (OID, iPlanet, and so on) to the authentication chain, and set its control flag as SUFFICIENT. Ensure that this authenticator is configured to point to the same LDAP provider, that is, the one that is:

    1. Synchronized with Oracle Identity Manager, that is, have all the OIM Identity population

    2. Used by the Siteminder server for authentication purposes

      LDAPAuthenticator needs to be added in order to handle non-http based login requests (For example, login to OIM design console, or any other OIM client login) and OPSS based Assertion requests.

  12. Rearrange the authentication chain, as listed in Table B-1:

    Table B-1 Authentication Chain

    Authentication Provider              Control Flag
    -----------------------------------  ------------
    SiteminderIdentityAsserter
    OIMSignatureAuthenticator            SUFFICIENT
    SiteminderAuthenticationProvider     SUFFICIENT
    LDAPAuthenticator                    SUFFICIENT
    DefaultAuthenticator                 SUFFICIENT
    DefaultIdentityAsserter

  13. Restart Admin server and all the Managed Servers in the domain.

  14. Configure SSO logout for oim by using the following command:

    cd <IDM_ORACLE_HOME>/common/bin
    ./wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="SITEMINDER_LOGOUT_URL", autologinuri="/obrar.cgi")
    exit()

    Note:

    The connect() call prompts for the Admin Server URL and the WebLogic administrator username and password.

  15. Set the ssoenabled flag for Oracle Identity Manager to true. To do so:

    1. Login to Enterprise Manager, and open System MBean Browser.

    2. Open the oracle.iam:Location=<OIM_SERVER_NAME>,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 mbean.

    3. Set the value of ssoEnabled to true.

  16. Restart Admin Server and all Managed Servers in the domain.

  17. Protect or unprotect the following Oracle Identity Manager resources on the Siteminder side:

    • Protect the following resources:

      /identity

      /sysadmin

      /oim

      /xlWebApp

      /Nexaweb

    • Unprotect the following URIs:

      /identity/faces/register

      /identity/faces/forgotpassword

      /identity/faces/trackregistration

      /identity/faces/forgotuserlogin

      /identity/faces/accountlocked

      /identity/adfAuthentication

      /identity/afr/blank.html

      /sysadmin/adfAuthentication

      /sysadmin/afr/blank.html

      /sysadmin/faces/noaccess

      /oim/afr/blank.html

    • Unprotect the following resources:

      /workflowservice

      /callbackResponseService

      /spml-xsd

      /reqsvc

      /sysadmin/logout

      /identity/logout

      /identity/notification/secure

      /SchedulerService-web

      /wsm-pm

      /workflow

      /soa-infra

      /integration

      /b2b

      /sdpmessaging/userprefs-ui

  18. To support client-based login to Oracle Identity Manager, the smclientclasses.jar must be added to the client classpath. To set the client classpath:

    1. Go to the OIM_ORACLE_HOME/server/bin/ directory using the cd command.

    2. Open the setEnv.sh file in a text editor such as vi.

    3. Add smclientclasses.jar to the CLASSPATH variable at the end. This setting ensures successful client login to Oracle Identity Manager while executing most of the client utilities present in OIM_ORACLE_HOME/server/bin.

      However, client classpath must be separately set for the Design Console login to work. To do so:

    1. Go to the OIM_ORACLE_HOME/designconsole directory.

    2. Open the classpath.sh file in a text editor such as vi.

    3. Add smclientclasses.jar to the CLASSPATH variable at the end.

B.4.3 Running Validation Tests to Validate the Configuration

Run the following validation steps to verify if the integration between Oracle Identity Manager and CA SiteMinder is successful:

User Login to Oracle Identity Manager Through SSO

Prerequisite: Create a user, for example ENDUSER001, in Oracle Identity Manager and LDAP.

Step: Try logging in to Oracle Identity Manager through SSO as the user that you created, for example ENDUSER001, and check if the login is successful.

Expected output: Login should be successful.

Step: Try logging in to Oracle Identity Manager System Administration console (/sysadmin) as OIM Administrator (typically XELSYSADM), and check if login is successful.

Expected output: Login should be successful.

Client-Based Login to Oracle Identity Manager

Prerequisite: Make sure that Oracle Identity Manager Design Console is installed and configured.

Step: Try logging in to the Design Console as the system administrator with SSO password.

Expected output: Login to the Design console should be successful, assuming that SiteminderAuthenticationProvider is configured properly for SSO login.

Signature-Based Authentication

To test signature-based authentication:

  1. Try accessing the scheduler service URL. It should be running on Oracle Identity Manager Managed Server port, as shown:

    http://OIM_HOST:OIM_PORT/SchedulerService-web

  2. Login as system administrator by providing SSO password.

  3. If the login is successful and you can see the following details on the screen, then signature login is successful:

    Scheduler Current Status: STARTED

    Last Error: NONE

  4. Click Start on the page if the following is displayed:

    Scheduler Current Status: STOPPED

    If there are no errors on the page, then the signature login is successful.

B.5 Configuring Basic SSO Using OAM

This section describes how to configure basic integration between Oracle Identity Manager and OAM, and protect the integration with SSO authentication. It includes the following sections:

  • Prerequisites

  • Configuring SSO Logout and the Authenticator

  • Running Validation Tests to Validate the Configuration

Note:

Performing the procedure provided in this section only enables basic SSO. Use an LDAP connector to provision passwords, and perform additional configuration so that the lock status can be propagated to the directory.

B.5.1 Prerequisites

Perform the following prerequisites:

  • Ensure that Oracle Identity Manager 11g Release 2 (11.1.2.3.0) is installed and configured.

  • Oracle Identity Manager must be fronted by OHS or a reverse proxy that hosts the OAM 11g WebGate.

  • Ensure that Oracle Identity Manager user population is maintained in sync with LDAP repositories by using a connector. Also ensure that the Oracle Identity Manager system administrator account is created in the LDAP repository.

  • Ensure that OAM 11.1.2.3.0 is installed and configured to authenticate Oracle Identity Manager users against the same LDAP repository that is synchronized with Oracle Identity Manager.

Note:

OIDAuthenticator is used as a reference in this procedure. If you have any other LDAP Server, such as AD, ODSEE, or OUD, then create appropriate WebLogic LDAP Authentication providers.

B.5.2 Configuring SSO Logout and the Authenticator

To configure SSO logout and the authenticator:

  1. Set OIM ssoenabled flag to true. To do so:

    1. Login to Oracle Enterprise Manager, and navigate to OIM_DOMAIN.

    2. Right click OIMDomain, and select System MBean Browser.

    3. Click the search icon, enter ssoconfig, and search.

    4. In the details page, look for SSOEnabled flag, and select true from the drop down. Click Apply to save the configuration change.

  2. Configure SSO logout for oim, as shown:

    <IDM_ORACLE_HOME>/common/bin/wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
    exit()

    Note:

    The connect() call prompts for the Admin Server URL and the WebLogic administrator username and password.

  3. Configure authentication providers. To do so:

    Note:

    This step configures the security providers in the OIM domain so that both SSO login and OIM client-based login work. For this, OAMIDAsserter and OIDAuthenticator must be set up. OIDAuthenticator is configured to authenticate or assert users against OID. To authenticate or assert users against any other directory server that OAM also uses for authentication, configure the corresponding authenticator instead of OIDAuthenticator.

    1. Login to Oracle WebLogic Administrative Console, and navigate to Security realms, myrealm, Providers, Authentication.

    2. Click New to add OAMIDAsserter of type OAMIdentityAsserter. Click OK.

      Edit OAMIDAsserter that you added, and set the control flag to REQUIRED.

      Ensure that Chosen Active Type is set to OAM_REMOTE_USER, and then save the configuration.

    3. Click New to add OIMSignatureAuthenticator of type OIMSignatureAuthenticator. Click OK. Edit OIMSignatureAuthenticator and set the Control flag to SUFFICIENT. Save the configuration.

    4. Click New to add OIDAuthenticator of type OracleInternetDirectoryAuthenticator. Click OK. Edit OIDAuthenticator and set the Control flag to SUFFICIENT. Save the configuration. Open the Provider specific tab, and set the following attributes (only), and then save the configuration.

      • Host: OID_HOST_NAME

      • Port: OID_PORT

      • Principal: cn=orcladmin

      • Credential/Confirm Credential: orcladmin_password

      • User Base DN: cn=Users,dc=us,dc=oracle,dc=com

      • All Users Filter: (&(uid=*)(objectclass=inetOrgPerson))

      • User From Name Filter: (&(uid=%u)(objectclass=inetOrgPerson))

      • UserNameAttribute: uid

      • User Object class: inetOrgPerson

      • Use retrieved user name as principal: true

      • Group Base DN: cn=Groups,dc=us,dc=oracle,dc=com

      • All groups filter: (&(cn=*)(objectclass=groupOfUniqueNames))

      • Group from name filter: (&(cn=%g)(objectclass=groupOfUniqueNames))

    5. Remove OIMAuthenticationProvider that is already configured.

    6. Re-order the remaining authentication providers in the following order:

      i) OAMIDAsserter

      ii) OIMSignatureAuthenticator

      iii) OIDAuthenticator

      iv) DefaultAuthenticator

      v) DefaultIdentityAsserter

    7. Activate all the changes done, and then restart all the servers configured in OIM domain.
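The provider orders in this appendix (step 7 of the OpenSSO procedure, Table B-1 for SiteMinder, and step 6 above) rely on the JAAS control-flag rules that WebLogic applies when it walks the chain: a SUFFICIENT provider that succeeds ends evaluation, an OPTIONAL provider never decides the outcome, and a REQUIRED or REQUISITE failure makes the whole login fail. The following simulation is an added example, not part of the Oracle documentation; provider outcomes are supplied by the caller, nothing here contacts WebLogic or a directory, and the identity asserters in those lists are left out so that only the authenticators and their flags are modelled. The last scenario goes beyond the page by showing what a REQUIRED flag placed first would do to signature-based login.

```python
"""Simulate JAAS control-flag evaluation for the authentication-provider orders
listed in this appendix.

Added example, not from the Oracle documentation. Outcomes per provider are
given by the caller; identity asserters are omitted and only authenticators
with their control flags are modelled.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def evaluate_chain(chain, outcomes):
    """Walk the chain in configured order and apply the JAAS LoginContext rules.

    chain: list of (provider_name, control_flag).
    outcomes: {provider_name: True/False}; a provider not listed counts as failed.
    Returns (login_succeeded, providers_consulted)."""
    required_failed = False
    any_success = False
    has_mandatory = any(flag in (REQUIRED, REQUISITE) for _, flag in chain)
    consulted = []
    for name, flag in chain:
        ok = outcomes.get(name, False)
        consulted.append(name)
        if flag in (REQUIRED, REQUISITE):
            if not ok:
                required_failed = True
                if flag == REQUISITE:  # a REQUISITE failure stops the chain at once
                    break
        elif flag == SUFFICIENT:
            if ok and not required_failed:  # success here skips every later provider
                return True, consulted
            any_success = any_success or ok
        elif flag == OPTIONAL:
            any_success = any_success or ok  # never decides the outcome by itself
        else:
            raise ValueError(f"unknown control flag {flag!r} for {name}")
    if required_failed:
        return False, consulted
    # Every mandatory provider passed; if there were none, someone must have succeeded.
    return (True if has_mandatory else any_success), consulted


# Authenticator orders as listed in this appendix (asserters omitted).
OPENSSO_CHAIN = [
    ("DefaultAuthenticator", SUFFICIENT),
    ("OIMSignatureAuthenticator", SUFFICIENT),
    ("AgentAuthenticator", OPTIONAL),
    ("LDAPAuthenticator", SUFFICIENT),
]
SITEMINDER_CHAIN = [  # Table B-1
    ("OIMSignatureAuthenticator", SUFFICIENT),
    ("SiteminderAuthenticationProvider", SUFFICIENT),
    ("LDAPAuthenticator", SUFFICIENT),
    ("DefaultAuthenticator", SUFFICIENT),
]


def design_console_login_via_ldap():
    """Client-based login with a directory password: only LDAPAuthenticator can
    validate it, and the OPTIONAL agent authenticator failing does not block it."""
    outcomes = {"LDAPAuthenticator": True}
    return evaluate_chain(OPENSSO_CHAIN, outcomes)


def signature_login():
    """Signature-based login: the first SUFFICIENT success ends the walk, so the
    LDAP and default authenticators are never consulted."""
    return evaluate_chain(SITEMINDER_CHAIN, {"OIMSignatureAuthenticator": True})


def user_unknown_everywhere():
    """A user present in no store: every provider is tried and login fails."""
    return evaluate_chain(SITEMINDER_CHAIN, {})


def signature_login_with_required_ldap_first():
    """Illustrative misconfiguration (not from the page): LDAPAuthenticator moved
    to the front and flagged REQUIRED. A signature login, which carries no
    directory password, now fails even though OIMSignatureAuthenticator succeeds."""
    chain = [("LDAPAuthenticator", REQUIRED)] + [
        (n, f) for n, f in SITEMINDER_CHAIN if n != "LDAPAuthenticator"]
    return evaluate_chain(chain, {"OIMSignatureAuthenticator": True})


if __name__ == "__main__":
    for scenario in (design_console_login_via_ldap, signature_login,
                     user_unknown_everywhere, signature_login_with_required_ldap_first):
        print(scenario.__name__, scenario())
```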

B.5.3 Running Validation Tests to Validate the Configuration

Validate the SSO logout and authenticator configuration by running the following validation tests:

User Login to Oracle Identity Manager Through SSO

Prerequisites: Create a user, for example, ENDUSER001, in Oracle Identity Manager and LDAP.

Step: Try logging in to Oracle Identity Self Service through the SSO URL as the user you created, for example ENDUSER001, and check if the login is successful. Also try to log in to Oracle Identity System Administration as the system administrator, and try accessing various links, such as Access Policies. Try logging out from either of the consoles, and log in again with the same or different users.

Expected output: Login is successful, and all the links work as expected.

Client-Based Login to Oracle Identity Manager

Prerequisites: The Design Console is installed and configured.

Step: Try logging in to the Design Console as the system administrator with SSO password.

Expected output: Login to the Design console as the system administrator is successful, assuming that LDAPAuthenticator is configured properly for SSO login.

Signature-Based Authentication

To test signature-based authentication:

  1. Try accessing the Scheduler service URL running on Oracle Identity Manager Managed server port, as shown:

    http://OIM_HOST:PORT/SchedulerService-web

  2. Login as system administrator with SSO password.

  3. If the login is successful and you can see the following details on the screen, then signature login is successful:

    Scheduler Current Status: STARTED

    Last Error: NONE

  4. Click Start on the page if the following is displayed:

    Scheduler Current Status: STOPPED

    If there are no errors on the page, then signature login is successful.

B.6 Simplifying Third-Party SSO Integration

To integrate Oracle Identity Manager with third-party SSO providers, such as Tivoli Access Manager and CA Siteminder, it is recommended to follow instructions provided in "Enabling Oracle Identity Manager to Work With IBM Tivoli Access Manager" and "Enabling Oracle Identity Manager to Work With CA SiteMinder".

WebLogic plug-ins (identity asserters or authenticators) provided by third-party SSO solutions are the recommended approach for providing SSO for Oracle Identity Manager. However, if it is not feasible to configure the integration using the SSO provider-specific WebLogic plug-ins described in "Enabling Oracle Identity Manager to Work With IBM Tivoli Access Manager" and "Enabling Oracle Identity Manager to Work With CA SiteMinder", then follow the instructions in this section to achieve the integration.

Note:

The OAMIdentityAsserter described in this section currently supports third-party SSO providers such as IBM Tivoli Access Manager and CA Siteminder.

To configure Oracle's Identity Asserter:

  1. Log in to the Oracle WebLogic Administrative Console.

  2. Navigate to Security Realms, myrealm, Providers, Authentication.

  3. Click New to add OAMIdentityAsserter.

  4. Open the asserter that you just added, and set the control flag to REQUIRED. In the Active Types shuttle, select the SSO-specific HTTP header as the Chosen Active Type. For example, if the Siteminder SSO provider is being used, select the SM_USER header. Similarly, if the Tivoli Access Manager SSO provider is being used, select the iv-user header.

  5. Similarly, change the value of the SSOHeader Name field in the provider-specific properties to iv-user or SM_USER, as appropriate.

    Note:

    • SM_USER and iv-user are mentioned because these appear to be the default SSO headers set by CA Siteminder and IBM Tivoli Access Manager respectively.

    • If, for any reason, the SSO header does not contain the username value that maps to the OIM User Login field, then it is recommended to configure the SSO provider to return the username in a header named OAM_REMOTE_USER. In this case, select OAM_REMOTE_USER as the Chosen Active Type in step 4, and skip step 5.

  6. Save the configuration.

  7. Configure the authentication chain as follows:

    OAMIDAsserter - REQUIRED

    OIMSignatureAuthenticator - SUFFICIENT

    LDAPAuthenticator - SUFFICIENT

    DefaultAuthenticator - SUFFICIENT

    DefaultIdentityAsserter

    Note:

    LDAPAuthenticator must be replaced by the appropriate authenticator that can authenticate against the LDAP provider used by the SSO provider, for example OIDAuthenticator.

  8. Configure SSO logout for Oracle Identity Manager as described in "Enabling Oracle Identity Manager to Work With IBM Tivoli Access Manager" or "Enabling Oracle Identity Manager to Work With CA SiteMinder", depending on the SSO provider.

  9. Set the ssoenabled flag for Oracle Identity Manager to true. To do so:

    1. Log in to Oracle Enterprise Manager, and open the System MBean Browser.

    2. Open the oracle.iam:Location=<OIM_SERVER_NAME>,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 mbean.

    3. Set the value of ssoEnabled to true.

  10. Ensure that the Oracle Identity Manager resources are protected or unprotected on the SSO provider side as described in "Enabling Oracle Identity Manager to Work With IBM Tivoli Access Manager" or "Enabling Oracle Identity Manager to Work With CA SiteMinder", depending on the SSO provider.

  11. Restart all servers in the Oracle Identity Manager domain.

While using this approach of configuring Oracle's Identity Asserter, take note of the following security considerations:

  • Follow standard security practices for securing OHS and WebLogic.

  • Ensure that the HTTP web server front-ending Oracle Identity Manager is appropriately secured by following the SSO solution's standard security practices.

B.7 Using Configurable Login ID Support for SSO Integration

Oracle Identity Manager can be integrated with third-party SSO providers, such as Siteminder and Tivoli Access Manager, in order to achieve single sign-on. These third-party SSO providers allow configuration of the login ID attribute that users must use to perform SSO login. For example, if you want to allow users to log in by using the email attribute (instead of User ID), the SSO providers allow that configuration. However, this configuration does not work well when Oracle Identity Manager is integrated with the SSO provider, because the Login ID attribute in Oracle Identity Manager is User Login, and it is not possible to configure some other user attribute (say Email) as the Login ID attribute. This feature makes the Login ID attribute configurable in Oracle Identity Manager. After the login ID attribute is configured to some other user entity attribute of Oracle Identity Manager, say Email, users can perform SSO login to Oracle Identity Manager using their email values.

Note:

  • It is not recommended to use this configuration in an Oracle Identity Manager deployment that is not integrated with SSO providers.

  • This solution is recommended if your Oracle Identity Manager deployment is integrated with third-party SSO providers, and you want to allow users to log in with an attribute other than User Login.

  • It is not recommended to use this solution when Oracle Identity Manager is integrated with OAM. It is possible to configure OAM to allow users to log in with multiple attributes, yet assert the User Login equivalent attribute. With that configuration, although the user performs SSO login using email, the JAAS subject is populated with the User Login attribute.

To configure Login ID attribute in Oracle Identity Manager:

  1. Log in to Oracle Enterprise Manager.

  2. Expand WebLogic Domain. Right-click DOMAIN_NAME, and select System MBean Browser.

  3. Configure the loginMapper property in the oim configuration to use SSOLoginIDMapper. To do so:

    1. Go to Application Defined MBeans, oracle.iam, Server:OIM_SERVER_NAME, Application:oim, XML Config, Config.

    2. Change the value of the LoginMapper attribute to oracle.iam.platform.auth.impl.SSOLoginIDMapper.

  4. Configure Oracle Identity Manager for SSO by setting the ssoEnabled attribute of ssoConfig to true. To do so:

    1. Go to Application Defined MBeans, oracle.iam, Server:oim_server1, Application:oim, XML Config, XMLConfig:SSOConfig, SSOConfig.

    2. Select true as the value of the SSOEnabled attribute.

  5. In the same page, set the value of loginIdAttribute to a valid Oracle Identity Manager user entity attribute.

    Note:

    If loginIdAttribute is configured to Email, then all users must have a valid email ID, and the values must be unique across all Oracle Identity Manager users.

  6. For all Oracle Identity Manager users seeded by default, ensure that the value of loginIdAttribute is the same as that of USR_LOGIN. For example, if loginIdAttribute is configured to Email, then make sure that the email IDs of the default users are the same as their USR_LOGIN values. The following SQL statements can be run against the Oracle Identity Manager database schema:

    UPDATE usr SET usr_email='OIMINTERNAL' WHERE usr_login='OIMINTERNAL';
    UPDATE usr SET usr_email='XELSYSADM' WHERE usr_login='XELSYSADM';
    UPDATE usr SET usr_email='WEBLOGIC' WHERE usr_login='WEBLOGIC';
    UPDATE usr SET usr_email='XELOPERATOR' WHERE usr_login='XELOPERATOR';

  7. Modify the LDAP-specific authenticator configuration to use the appropriate attribute for User Name Attribute, User From Name Filter, and All Users Filter. For example, if loginIdAttribute is configured to Email, then make sure that the authenticator is configured as follows:

    User Name Attribute: mail
    User From Name Filter: (&(|(mail=%u)(uid=%u))(objectclass=inetOrgPerson))
    All Users Filter: (&(mail=*)(objectclass=inetOrgPerson))


    Note:

    The User From Name Filter contains an OR condition so that users can be looked up either by the uid attribute (the default) or by mail (when loginIdAttribute is configured as Email).

    However, it is recommended that you perform API client-based login only by using loginIdAttribute (mail for example), if configured.

  8. Create the System Administrator user entry in the LDAP provider. Ensure that the uid and mail (assuming loginIdAttribute is configured as Email) attributes are set as SYSTEM_ADMINISTRATOR.

    Note:

    If the loginIdAttribute is set to some other unique attribute in Oracle Identity Manager, then the corresponding mapping attribute in LDAP must be set as SYSTEM_ADMINISTRATOR.

  9. Perform the following changes at the OPSS layer:

    Because Oracle Identity Manager connects to SOA over both the HTTP (UI) and t3 (server) channels, you must configure OIMDBProvider to handle user lookups based on the SSO Login ID instead of the default User Login. This is done by modifying the idstore.oim service instance in the jps-config.xml file as follows:

    <serviceInstance name="idstore.oim" provider="idstore.oim.provider" location=" ">
        <description>OIM Identity Store Service Instance</description>
        <property name="idstore.type" value="CUSTOM"/>
        <property name="ADF_IM_FACTORY_CLASS" value="oracle.iam.userrole.providers.oimdb.OIMDBIdentityStoreFactory"/>
        <property name="DATASOURCE_NAME" value="jdbc/soaOIMLookupDB"/>
        <property name="PROPERTY_ATTRIBUTE_MAPPING" value="USER_NAME=USR_EMAIL:USER_ID=USR_EMAIL"/>
    </serviceInstance>


    Note:

    The values for the USER_NAME and USER_ID properties must be the field mapping corresponding to loginIdAttribute. So if loginIdAttribute is configured as Email, then USER_NAME and USER_ID must be set to USR_EMAIL, because the Email attribute maps to the USR_EMAIL column.

  10. Ensure that the authentication provider configuration in the Oracle Identity Manager domain security realm is as documented for that specific SSO provider, for example in "Enabling Oracle Identity Manager to Work With IBM Tivoli Access Manager" or "Enabling Oracle Identity Manager to Work With CA SiteMinder".
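As an added example (not part of the Oracle documentation or the product), the following Python script performs the data checks that steps 5 through 7 above require before ssoEnabled is set: every user carries a login ID value, the values are unique, the seeded users carry their USR_LOGIN as the Email value, and a login resolves to exactly one user under the OR condition of the step 7 filter. The USR rows are constructed sample data, and the function and column names are assumptions.

```python
from collections import Counter

# Seeded Oracle Identity Manager accounts named in step 6.
SEEDED_LOGINS = ("OIMINTERNAL", "XELSYSADM", "WEBLOGIC", "XELOPERATOR")

# Constructed sample rows from the USR table; not real data.
SAMPLE_USERS = [
    {"usr_login": "OIMINTERNAL", "usr_email": "OIMINTERNAL"},
    {"usr_login": "XELSYSADM",   "usr_email": "XELSYSADM"},
    {"usr_login": "WEBLOGIC",    "usr_email": "WEBLOGIC"},
    {"usr_login": "XELOPERATOR", "usr_email": "xelop@example.com"},   # violates step 6
    {"usr_login": "ENDUSER001",  "usr_email": "user001@example.com"},
    {"usr_login": "ENDUSER002",  "usr_email": "user001@example.com"}, # duplicate value
    {"usr_login": "ENDUSER003",  "usr_email": None},                  # missing value
]


def check_login_id_prerequisites(users, login_id_column="usr_email"):
    """Return findings that must be empty before ssoEnabled is set to true.

    Implements the conditions the page states for loginIdAttribute=Email:
    every user has a value, values are unique (compared case-insensitively,
    as LDAP mail matching is), and seeded users carry USR_LOGIN as the value.
    """
    findings = []
    for u in users:
        if not u[login_id_column]:
            findings.append(f"missing {login_id_column}: {u['usr_login']}")
    counts = Counter(u[login_id_column].lower() for u in users if u[login_id_column])
    for value, n in sorted(counts.items()):
        if n > 1:
            findings.append(f"duplicate {login_id_column}: {value} ({n} users)")
    for u in users:
        if u["usr_login"] in SEEDED_LOGINS and u[login_id_column] != u["usr_login"]:
            findings.append(f"seeded user {u['usr_login']} has {login_id_column}="
                            f"{u[login_id_column]!r}, expected {u['usr_login']!r}")
    return findings


def resolve_login(users, login, login_id_column="usr_email"):
    """Emulate the step 7 filter (|(mail=%u)(uid=%u)) over the sample rows.

    Returns the USR_LOGIN values matching either attribute. More than one
    hit means the login is ambiguous and must be corrected before SSO login.
    """
    wanted = login.lower()
    return sorted(u["usr_login"] for u in users
                  if (u[login_id_column] or "").lower() == wanted
                  or u["usr_login"].lower() == wanted)
```

Run `check_login_id_prerequisites` against an export of the USR table and fix every finding before flipping ssoEnabled; an empty list is the go-ahead condition.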

Note:

Ensure the following while developing custom SOA composites, when a custom loginIdAttribute (say Email) is configured:

  • When Oracle Identity Manager initiates SOA composites for approval, it passes RequesterDetails and BeneficiaryDetails as part of the payload.

    The Login and ManagerLogin fields within these would be set to Email instead of User Login.

  • Ensure that you use the loginIdAttribute value as the task assignee.

To fetch the loginIdAttribute value for a user (given the user key), you can use the getUserDetails operation of RequestDataService in the BPEL process.

The same applies to already existing custom SOA composites.