Integrating Workbench with Oracle Access Management Single Sign-On

You can configure Workbench to authenticate users using Oracle Access Management (OAM).

Before configuring Workbench integration with OAM, you must have an OAM server configured. For details, see the Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management .

To integrate Workbench with OAM SSO:

  1. Configure proxy settings for the OAM Oracle HTTP Server:

    1. Log on to the OAM host machine.

    2. Stop the Oracle HTTP Server.

    3. Navigate to the <IAM Home>\config\OHS\ohs1 directory.

    4. Open the mod_wl_ohs.conf file.

    5. For each instance of Workbench, add the following within the <IfModule weblogic_module> element: 

      Listen [VirtualHost-Port]
<VirtualHost *:[VirtualHost-Port]>
    <Location>
        SetHandler weblogic-handler
        WebLogicHost [Workbench-Host]
        WebLogicPort [Workbench-Port]
    </Location>
</VirtualHost>

      Where [VirtualHost-Port] is the port for the virtual host on the Oracle HTTP Server, and [Workbench-Host] and [Workbench-Port] are the Workbench host and port, respectively.

      For example, for two Workbench instances: 

      Listen 9999
<VirtualHost *:9999>
    <Location>
        SetHandler weblogic-handler
        WebLogicHost 10.154.137.102
        WebLogicPort 8006
    </Location>
</VirtualHost>
Listen 9998
<VirtualHost *:9998>
    <Location>
        SetHandler weblogic-handler
        WebLogicHost 10.154.137.103
        WebLogicPort 8006
    </Location>
</VirtualHost>

    6. Save and close the file.

  2. Configure a dynamic Preferred Host for Webgate:

    1. On the OAM host machine, navigate to the <IAM Home>\config\OHS\ohs1\webgate\config directory.

    2. Open the Webgate configuration file, ObAcessClient.xml.

    3. Set the preferredHost value to SERVER_NAME.

    4. Save and close the file.

    5. Start the Oracle HTTP Server.

    6. Access the OAM Console from the URL.

      For example, http://<OAM Host>:7001/oamconsole/.

    7. Select the System Configuration tab.

    8. Expand Access Manager in the left pane.

    9. In the tree view, expand SSO Agents and double click OAM Agents.

      The OAM Agents tab opens in the right pane.

    10. Click the Search button in the Search panel.

      A list of OAM agents appears.

    11. Select the webgate agent in the Search Results list.

    12. Verify that the Preferred Host column has a value of SERVER_NAME.

      If not, click the Edit button, set the value, and click the Apply button in the upper-right to save changes.

  3. Add the Oracle HTTP Server to the IAMSuiteAgent host identifier:

    1. Within the OAM Console, select the Policy Configuration tab.

    2. Double click Host Identifiers in the left pane.

      The Host Identifiers tab opens in the right pane.

    3. Click the Search button in the Search panel.

      A list of host identifiers appears.

    4. Click the link to select the IAMSuiteAgent.

    5. Click the Add button in the Host Name Variations panel.

    6. Set the Host Name field to the Oracle HTTP Server address and leave the Port field blank.

    7. Click the Apply button in the upper-right.

  4. Create a host identifier for each Workbench instance:

    1. Within the OAM Console, return to the Host Identifiers tab in the right pane.

    2. Click the Create button.

      The Create Host Identifier tab opens.

    3. Set a unique Name, such as WB1.

    4. Click Apply.

    5. Click the Add button in the Host Name Variations panel.

    6. Set the Host Name and Port fields to the Workbench host and port.

    7. Click Apply.

    8. Repeat the steps above for each Workbench instance.

  5. Create the application domain:

    1. Within the OAM Console, select the Policy Configuration tab.

    2. Double click Application Domains in the left pane.

      The Application Domains tab opens in the right pane.

    3. Click the Create button.

      The Create Application Domain tab opens.

    4. Set the Name to ATG/Endeca.

    5. Click Apply.

  6. Create an authentication policy for protected resources on the new domain:

    1. Within the Application Domains tab in the right pane, select the ATG/Endeca domain you created in Step 5.

      An ATG/Endeca tab opens in the right pane.

    2. Select the Authentication Policies tab.

    3. Click the Create button.

      The Create Authentication Policy tab opens.

    4. Set the Name to Endeca.

    5. In the Authentication Scheme dropdown, select LDAPScheme.

    6. Click Apply.

  7. Create an open authorization policy on the new domain.

    This allows global access to protected resources once the user is authenticated.

    1. Within the OAM Console, return to the ATG/Endeca tab in the right pane.

    2. Select the Authorization Policies tab.

    3. Click the Create button.

      The Create Authorization Policy tab opens.

    4. Set the Name to open.

    5. Click Apply.

    6. Select the Conditions tab.

    7. Click the Add button.

      The Add Condiition dialog appears.

    8. Set the Name to TRUE.

    9. In the Type dropdown, select True.

    10. Click Add Selected.

    11. Click Apply.

    12. Select the Rules tab.

    13. In the Allow Rule section, move the TRUE(true) condition to the Selected Conditions list.

    14. Click Apply.

  8. Define a protected resource for each instance of Workbench.

    These are the URLs within the application that trigger an authentication challenge if the request is not accompanied by a valid OAM SSO authentication cookie. For Workbench, this includes all URLs.

    1. Within the OAM Console, return to the ATG/Endeca tab in the right pane.

    2. Within the Application Domains panel, select the Resources tab.

    3. Click the Create button.

      The Create Resource tab opens.

    4. In the Type dropdown, select HTTP.

    5. In the Host Identifier dropdown, select the host identifier you created in Step 4.

    6. In the Resource URL field, enter /**.

    7. In the Protection Level dropdown, select Protected.

    8. In the Authentication Policy dropdown, select Endeca policy you created in Step 6.

    9. In the Authorization Policy dropdown, select the open policy you created in Step 7.

    10. Click Apply.

    11. Repeat the steps above for each Workbench instance.

  9. Configure Workbench to authenticate against the OAM LDAP server.

    Modify the %ENDECA_TOOLS_CONF%\conf\Login.conf file to set the serverInfo property and query templates according to OAM LDAP settings. For detailed information on LDAP configuration, see Syntax of LDAP login profile configuration parameters.

    For example, the following file comments out parameters relating to storage of credentials and plain-text (not recommended) and the use of parameters that support storage of credentials in OCS: 

    Webstudio {

    com.endeca.workbench.authentication.ldap.WorkbenchLdapLoginModule required
    serverInfo="ldap://myOAMHost.mydomain.com:1234"

    // Plain-text storage of credentials is not recommended, so
    // comment ut the following parameters:
    //serviceUsername="cn=myAdminUser"
    //servicePassword="myAdminPassword"

    serviceAuthentication="simple"
    authentication="simple"
    useSSL="false"
    keyStoreLocation="C:/Endeca/MDEXEngine/workspace/conf/webstudio.jks"
    // keyStorePassphrase="keypass"

    credentialsKey="serviceCredentialKey"
    keyStorePassKey="OAMkeyStorePassKey"


    // The query used to look up a user in the LDAP directory and
    // templates that extract information from the user object
    userPath="/cn=users,dc=myOAMHost,dc=mydomain,dc=com??sub?(&(objectClass=per¬
    son)(uid=%{#username}))"
    userTemplate="%{#uid}"
    firstNameTemplate="%{#givenName}"
    lastNameTemplate="%{#sn}"
    emailTemplate="%{#mail}"

    // The query used to look up a group in the LDAP directory and
    // templates that extract information from the group object
    findGroupPath="/cn=groups,dc=myOAMHost,dc=mydomain,dc=com??sub?(&(object¬
    Class=groupofUniqueNames)(cn=%{#groupname}))"
    findGroupTemplate="%{#dn:0}"
    groupEmailTemplate="%{#mail}"

    // The query and template used to fetch the groups associated
    // with a user when the user logs in to Web Studio
    groupPath="/cn=groups,dc=myOAMHost,dc=mydomain,dc=com??sub?(uniquemember=%{#dn})"
    groupTemplate="%{#dn:0}"
;
};

    Note

    To support OCS storage of credentials as illustrated in the preceding sample Loging.conf, add credentials key and key store pass key using the following commands: 

         manage_credentials.bat add --user "cn=myAdminUser"	--key serviceCredentialKey 
     manage_credentials.bat add --key OAMkeyStorePassKey	--type generic

  10. Configure Workbench to use OAM:

    1. On your Workbench host, navigate to the ToolsAndFrameworks\<version>\server\workspace\conf directory.

    2. Open webstudio.properties in a text edtior.

    3. Locate the configuration titled # OAM Authentication.

    4. Set com.endeca.webstudio.useOAM to true: 

      # OAM Authentication
com.endeca.webstudio.useOAM=true

    5. Uncomment com.endeca.webstudio.oam.logoutURL and set the callback URL to the OAM logout page:

      For example, if the OAM logout URL is /mydomain/logout.jsp: 

      #com.endeca.webstudio.oam.keyStore=oamkeystore.ks
#com.endeca.webstudio.oam.keyStoreType=JKS
#com.endeca.webstudio.oam.keyStorePassword=<password>
com.endeca.webstudio.oam.logoutURL=/ifcr/system/sling/logout.html?oam.logout.url=/mydomain/logout.jsp%3Fend_url=/ifcr

    6. Save and close the file.

  11. in Workbench, create a set of LDAP user profiles that correspond to your OAM users.

    For information, see the section on Integrating LDAP with Oracle Commerce Workbench.

Optionally, you can configure Identity Assertion validation in OAM if your environment requires it.

You can enable Identity Assertion validation to confirm that users passed to Workbench through OAM originate from a trusted instance. This comes with a performance cost, since Workbench must verify each incoming authentication or authorization request.

The steps below assume you have already integrated Workbench with Single Sign-On through OAM.

When OAM passes a request to Workbench, it includes oam_remote_user information on the request header. Optionally, you can configure Workbench to verify that the header originates from a trusted OAM instance by checking that the certificate in the header matches a certificate in the OAM keystore.

Note

If both Workbench and the OAM server are running inside the same secure firewall, Identity Assertion validation may not be necessary.

To enable Identity Assertion validation with OAM:

  1. Export the OAM Identity Assertion X509 certificate:

    1. Log in to the OAM host machine.

    2. Navigate to $MW_HOME/Oracle_IDM1/common/bin.

    3. Run wslt.sh.

    4. Run the connect() command to connect to the Weblogic server.

    5. Run the listCred(map="OAM_STORE", key="jks") command to display the OAM keystore.

    6. Navigate to $base_domain/config/fmwconfig.

    7. Run the keytool -exportcert command with the following flags to export the keystore information to an assertion.cer file: 

      keytool -exportcert -v -alias assertion-key -storetype JCEKS 
-keystore .oamkeystore -file assertion.cer

    8. Copy the assertion.cer output file to the Workbench host machine.

      For example, C:\Endeca\ToolsAndFrameworks\<version>\server\workspace\conf\assertion.cer.

  2. Import the OAM Identity Assertion X509 certificate to the oamkeystore.ks file on the Workbench host:

    1. Run the keytool -importcert command with the following flags to import the keystore information to the oamkeystore file: 

      keytool -importcert -v -alias assertion-key -keypass <password>
-keystore c:\Endeca\ToolsAndFrameworks\<version>\server\workspace\conf\oamkeystore.ks 
-file  c:\Endeca\ToolsAndFrameworks\<version>\server\workspace\conf\assertion.cer

      Where <password> is the desired keystore password.

  3. Configure Workbench to use Identity Assertion Validation:

    1. On your Workbench host, navigate to the ToolsAndFrameworks\<version>\server\workspace\conf directory.

    2. Open webstudio.properties in a text edtior.

    3. Locate the configuration titled # OAM Authentication.

    4. Set com.endeca.webstudio.oam.identityAssertionValidation to true: 

      # OAM Authentication
com.endeca.webstudio.useOAM=true
com.endeca.webstudio.oam.identityAssertionValidation=true

    5. Uncomment the following properties:

    6. Set the uncommented properties to their respective values:

      Property

      Value

      com.endeca.webstudio.oam.identityAssertionValidation

      true enables Identity Assertion validation.

      com.endeca.webstudio.oam.keyStore

      The absolute path to the oamkeystore.ks file.

      com.endeca.webstudio.oam.keyStoreType

      The OAM keystore type (JKS).

      com.endeca.webstudio.oam.keyStorePassword

      The OAM keystore password.

      For example: 

      com.endeca.webstudio.oam.keyStore=C:/Endeca/ToolsAndFrameworks/<version>/
server/workspace/conf/oamkeystore.ks
com.endeca.webstudio.oam.keyStoreType=JKS
com.endeca.webstudio.oam.keyStorePassword=<password>
com.endeca.webstudio.oam.logoutURL=/ifcr/system/sling/logout.html?
oam.logout.url=/oamsso/logout.html%3Fend_url=/ifcr

      Where <password> is the keystore password set in Step 2.

    7. Save and close the file.

    8. Restart the Endeca Tools Service.

  4. Modify the authentication policy in OAM to enable Identity Assertion:

    1. Access the OAM Console from the URL.

      For example, http://<OAM Host>:7001/oamconsole/.

    2. Select the Policy Configuration tab.

    3. Double click Application Domains in the left pane.

      The Application Domains tab opens in the right pane.

    4. Click the Search button in the Search panel.

      A list of application domains appears.

    5. Select the ATG/Endeca domain.

      An ATG/Endeca tab opens in the right pane.

    6. Select the Authentication Policies tab.

    7. Click the Search button in the Search panel.

      A list of authentication policies appears.

    8. Select the Endeca authentication policy.

      An authentication policy tab opens.

    9. Select the Responses tab.

    10. Enable the Identity Assertion checkbox.

    11. Click Apply.

  5. Modify the authorization policy in OAM to enable Identity Assertion:

    1. Select the previously opened ATG/Endeca tab.

    2. Select the Authorization Policies tab.

    3. Click the Search button in the Search panel.

      A list of authorization policies appears.

    4. Select the open authorization policy.

      An authorization policy tab opens.

    5. Select the Responses tab.

    6. Enable the Identity Assertion checkbox.

    7. Click Apply.

Copyright © Legal Notices