You can configure Workbench to authenticate users using Oracle Access Management (OAM).
Before configuring Workbench integration with OAM, you must have an OAM server configured. For details, see the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
To integrate Workbench with OAM SSO:
Configure proxy settings for the OAM Oracle HTTP Server:
For each instance of Workbench, add the following within the <IfModule weblogic_module> element:

    Listen [VirtualHost-Port]
    <VirtualHost *:[VirtualHost-Port]>
      <Location />
        SetHandler weblogic-handler
        WebLogicHost [Workbench-Host]
        WebLogicPort [Workbench-Port]
      </Location>
    </VirtualHost>

Where [VirtualHost-Port] is the port for the virtual host on the Oracle HTTP Server, and [Workbench-Host] and [Workbench-Port] are the Workbench host and port, respectively. For example, for two Workbench instances:

    Listen 9999
    <VirtualHost *:9999>
      <Location />
        SetHandler weblogic-handler
        WebLogicHost 10.154.137.102
        WebLogicPort 8006
      </Location>
    </VirtualHost>

    Listen 9998
    <VirtualHost *:9998>
      <Location />
        SetHandler weblogic-handler
        WebLogicHost 10.154.137.103
        WebLogicPort 8006
      </Location>
    </VirtualHost>
Configure a dynamic Preferred Host for Webgate:
On the OAM host machine, navigate to the <IAM Home>\config\OHS\ohs1\webgate\config directory.
Access the OAM Console from the URL. For example, http://<OAM Host>:7001/oamconsole/.
In the tree view, expand SSO Agents and double-click OAM Agents. The OAM Agents tab opens in the right pane.
Click the Search button in the Search panel. A list of OAM agents appears.
Verify that the Preferred Host column has a value of SERVER_NAME. If not, click the Edit button, set the value, and click the Apply button in the upper-right to save changes.
Add the Oracle HTTP Server to the IAMSuiteAgent host identifier:
Within the OAM Console, select the Policy Configuration tab.
Double-click Host Identifiers in the left pane. The Host Identifiers tab opens in the right pane.
Click the Search button in the Search panel. A list of host identifiers appears.
Set the Host Name field to the Oracle HTTP Server address and leave the Port field blank.
Create an authentication policy for protected resources on the new domain:
Create an open authorization policy on the new domain. This allows global access to protected resources once the user is authenticated.
Define a protected resource for each instance of Workbench. These are the URLs within the application that trigger an authentication challenge if the request is not accompanied by a valid OAM SSO authentication cookie. For Workbench, this includes all URLs.
Within the OAM Console, return to the ATG/Endeca tab in the right pane.
Within the Application Domains panel, select the Resources tab. The Create Resource tab opens.
In the Host Identifier dropdown, select the host identifier you created in Step 4.
In the Authentication Policy dropdown, select the Endeca policy you created in Step 6.
In the Authorization Policy dropdown, select the open policy you created in Step 7.
Configure Workbench to authenticate against the OAM LDAP server.
Modify the %ENDECA_TOOLS_CONF%\conf\Login.conf file to set the serverInfo property and the query templates according to the OAM LDAP settings. For detailed information on LDAP configuration, see Syntax of LDAP login profile configuration parameters. For example, the following file comments out the parameters that store credentials in plain text (not recommended) and instead uses the parameters that support storing credentials in OCS:

    Webstudio {
      com.endeca.workbench.authentication.ldap.WorkbenchLdapLoginModule required
        serverInfo="ldap://myOAMHost.mydomain.com:1234"
        // Plain-text storage of credentials is not recommended, so
        // comment out the following parameters:
        //serviceUsername="cn=myAdminUser"
        //servicePassword="myAdminPassword"
        serviceAuthentication="simple"
        authentication="simple"
        useSSL="false"
        keyStoreLocation="C:/Endeca/MDEXEngine/workspace/conf/webstudio.jks"
        // keyStorePassphrase="keypass"
        credentialsKey="serviceCredentialKey"
        keyStorePassKey="OAMkeyStorePassKey"
        // The query used to look up a user in the LDAP directory and
        // templates that extract information from the user object
        userPath="/cn=users,dc=myOAMHost,dc=mydomain,dc=com??sub?(&(objectClass=person)(uid=%{#username}))"
        userTemplate="%{#uid}"
        firstNameTemplate="%{#givenName}"
        lastNameTemplate="%{#sn}"
        emailTemplate="%{#mail}"
        // The query used to look up a group in the LDAP directory and
        // templates that extract information from the group object
        findGroupPath="/cn=groups,dc=myOAMHost,dc=mydomain,dc=com??sub?(&(objectClass=groupofUniqueNames)(cn=%{#groupname}))"
        findGroupTemplate="%{#dn:0}"
        groupEmailTemplate="%{#mail}"
        // The query and template used to fetch the groups associated
        // with a user when the user logs in to Web Studio
        groupPath="/cn=groups,dc=myOAMHost,dc=mydomain,dc=com??sub?(uniquemember=%{#dn})"
        groupTemplate="%{#dn:0}"
      ;
    };

Note
To support OCS storage of credentials as illustrated in the preceding sample Login.conf, add the credentials key and the keystore pass key using the following commands:

    manage_credentials.bat add --user "cn=myAdminUser" --key serviceCredentialKey
    manage_credentials.bat add --key OAMkeyStorePassKey --type generic
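The userPath, findGroupPath and groupPath values above are LDAP URL-style queries (base, attributes, scope and filter, with the host taken from serverInfo) into which the login module substitutes values such as %{#username}. The following added example is not Workbench or Endeca code: it parses that form and fills the placeholder with an RFC 4515-escaped value, so a login name containing filter metacharacters is matched literally instead of changing the filter; the function names are illustrative and the sample path is the one from the Login.conf above.

```python
import re

# Constructed sample: the userPath template from the Login.conf example above.
USER_PATH = ("/cn=users,dc=myOAMHost,dc=mydomain,dc=com"
             "??sub?(&(objectClass=person)(uid=%{#username}))")

PLACEHOLDER = re.compile(r"%\{#(\w+)\}")   # matches %{#username}, %{#dn}, ...


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Backslash, asterisk, parentheses and NUL become \\XX hex escapes, so the
    value can only match as a literal and cannot alter the filter structure.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def parse_path(path: str) -> dict:
    """Split '/base?attrs?scope?filter' (an LDAP URL without scheme/host)."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    base, attrs, scope, filt = (path[1:].split("?", 3) + ["", "", ""])[:4]
    return {"base": base, "attrs": attrs, "scope": scope or "base",
            "filter": filt}


def render_filter(template: str, values: dict) -> str:
    """Fill %{#name} placeholders in a filter, escaping every value."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no value for placeholder %s" % name)
        return escape_filter_value(values[name])
    return PLACEHOLDER.sub(substitute, template)


def user_search(user_path: str, username: str) -> dict:
    """Return the base, scope and filter a user lookup would send for a login."""
    query = parse_path(user_path)
    query["filter"] = render_filter(query["filter"], {"username": username})
    return query


if __name__ == "__main__":
    for name in ("jdoe", "a*b(c)\\d"):   # constructed login names
        q = user_search(USER_PATH, name)
        print(q["scope"], q["base"], q["filter"])
```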
Configure Workbench to use OAM:
On your Workbench host, navigate to the ToolsAndFrameworks\<version>\server\workspace\conf directory.
Set com.endeca.webstudio.useOAM to true:

    # OAM Authentication
    com.endeca.webstudio.useOAM=true

Uncomment com.endeca.webstudio.oam.logoutURL and set the callback URL to the OAM logout page. For example, if the OAM logout URL is /mydomain/logout.jsp:

    #com.endeca.webstudio.oam.keyStore=oamkeystore.ks
    #com.endeca.webstudio.oam.keyStoreType=JKS
    #com.endeca.webstudio.oam.keyStorePassword=<password>
    com.endeca.webstudio.oam.logoutURL=/ifcr/system/sling/logout.html?oam.logout.url=/mydomain/logout.jsp%3Fend_url=/ifcr

In Workbench, create a set of LDAP user profiles that correspond to your OAM users. For information, see the section on Integrating LDAP with Oracle Commerce Workbench.
Optionally, you can configure Identity Assertion validation in OAM if your environment requires it.
You can enable Identity Assertion validation to confirm that users passed to Workbench through OAM originate from a trusted instance. This comes with a performance cost, since Workbench must verify each incoming authentication or authorization request.
The steps below assume you have already integrated Workbench with Single Sign-On through OAM.
When OAM passes a request to Workbench, it includes oam_remote_user information on the request header.
Optionally, you can configure Workbench to verify that the header originates from a trusted OAM instance by checking that the certificate in the header matches a certificate in the OAM keystore.
Note
If both Workbench and the OAM server are running inside the same secure firewall, Identity Assertion validation may not be necessary.
To enable Identity Assertion validation with OAM:
Export the OAM Identity Assertion X509 certificate:
Run the connect() command to connect to the WebLogic server.
Run the listCred(map="OAM_STORE", key="jks") command to display the OAM keystore.
Run the keytool -exportcert command with the following flags to export the keystore information to an assertion.cer file:

    keytool -exportcert -v -alias assertion-key -storetype JCEKS -keystore .oamkeystore -file assertion.cer

Copy the assertion.cer output file to the Workbench host machine. For example, C:\Endeca\ToolsAndFrameworks\<version>\server\workspace\conf\assertion.cer.
Import the OAM Identity Assertion X509 certificate to the oamkeystore.ks file on the Workbench host:
Run the keytool -importcert command with the following flags to import the keystore information to the oamkeystore file:

    keytool -importcert -v -alias assertion-key -keypass <password> -keystore c:\Endeca\ToolsAndFrameworks\<version>\server\workspace\conf\oamkeystore.ks -file c:\Endeca\ToolsAndFrameworks\<version>\server\workspace\conf\assertion.cer

Where <password> is the desired keystore password.
Configure Workbench to use Identity Assertion Validation:
On your Workbench host, navigate to the ToolsAndFrameworks\<version>\server\workspace\conf directory.
Set com.endeca.webstudio.oam.identityAssertionValidation to true:

    # OAM Authentication
    com.endeca.webstudio.useOAM=true
    com.endeca.webstudio.oam.identityAssertionValidation=true

Set the uncommented properties to their respective values:

    Property                                               Value
    com.endeca.webstudio.oam.identityAssertionValidation   true enables Identity Assertion validation.
    com.endeca.webstudio.oam.keyStore                      The absolute path to the oamkeystore.ks file.
    com.endeca.webstudio.oam.keyStoreType                  The OAM keystore type (JKS).
    com.endeca.webstudio.oam.keyStorePassword              The OAM keystore password.

For example:

    com.endeca.webstudio.oam.keyStore=C:/Endeca/ToolsAndFrameworks/<version>/server/workspace/conf/oamkeystore.ks
    com.endeca.webstudio.oam.keyStoreType=JKS
    com.endeca.webstudio.oam.keyStorePassword=<password>
    com.endeca.webstudio.oam.logoutURL=/ifcr/system/sling/logout.html?oam.logout.url=/oamsso/logout.html%3Fend_url=/ifcr

Where <password> is the keystore password set in Step 2.
Modify the authentication policy in OAM to enable Identity Assertion:
Access the OAM Console from the URL. For example, http://<OAM Host>:7001/oamconsole/.
Double-click Application Domains in the left pane. The Application Domains tab opens in the right pane.
Click the Search button in the Search panel. A list of application domains appears.
An ATG/Endeca tab opens in the right pane.
Click the Search button in the Search panel. A list of authentication policies appears.
Select the Endeca authentication policy. An authentication policy tab opens.
Modify the authorization policy in OAM to enable Identity Assertion: