4 Authenticating Using Oracle Access Manager

This chapter describes how to configure an Oracle WebLogic Server 12c server to authenticate users using Oracle Access Manager (OAM).

This chapter includes the following sections:

  Section 4.1, "Overview of Configuring WebLogic to use OAM Authentication"
  Section 4.2, "Configuring an LDAP Provider"
  Section 4.3, "Configuring an Oracle Access Manager Provider"
  Section 4.4, "Setting Provider Priorities"
  Section 4.5, "OAM Configuration"

4.1 Overview of Configuring WebLogic to use OAM Authentication

The following configuration is performed within the Security Realms/Providers section of the WebLogic Server dashboard. For a newly created WebLogic domain, the Providers tab has the following contents:

Figure 4-1 Providers Tab in Oracle WebLogic Server


To configure Oracle Access Manager (OAM), you must set up two additional providers: LDAP and OAM.

4.2 Configuring an LDAP Provider

To configure an LDAP provider:

  1. Click New to create a new authentication provider.

  2. Enter a Name for the authentication provider.

  3. Select OracleInternetDirectoryAuthenticator as the Type:

    Figure 4-2 Creating a New Authentication Provider for LDAP

  4. Click OK.

  5. Select the name of the newly created provider from the list and set the Control Flag to SUFFICIENT.

  6. Click Save.

  7. Select the Provider Specific tab.

  8. Set the following fields, leaving the remaining fields with default values:

    Field          Value
    -------------  ---------------------------------------------------------------------
    Host           Host name of the OID server
    Port           Port number of the OID server
    Principal      DN of an LDAP user with sufficient rights to search for users and groups
    Credential     Credential (that is, password) for the principal specified above
    User Base DN   Base distinguished name for users
    Group Base DN  Base distinguished name for groups

  9. Set provider properties. For information, see "Setting Provider Priorities".

  10. Ensure that the Control Flags are set to SUFFICIENT on the default and LDAP providers.

  11. After configuring providers, adjust the order in which the providers are consulted when a user authenticates. This can be done after adding each provider or as the final step.

  12. Restart the WebLogic admin server. Note that this must be done after all configuration changes.

  13. In the WebLogic admin console, verify that you can see LDAP users and groups.

  14. Ensure that there is a mapping to the EDQ Administrators group, either because your LDAP contains an Administrators group to which an EDQ user belongs, or by adding a new mapping to login.properties. See Section 2.2.1, "Configuring LDAP Group Mappings" for details.

  15. Start the EDQ server.

  16. Verify that you can log in to EDQ using an LDAP user.

  17. Configure any required additional external group mappings on the EDQ admin console.

4.3 Configuring an Oracle Access Manager Provider

To configure an Oracle Access Manager (OAM) provider:

  1. On the providers list, click New and enter OAM as the name and OAMIdentityAsserter as the type:

    Figure 4-3 Creating a New Authentication Provider for OAM

  2. Click OK.

  3. Select OAM from the list and select the Common tab.

  4. Set the control flag to REQUIRED:

    Figure 4-4 Configuring the Provider

  5. Click Save.

  6. Select the Provider Specific tab.

  7. Set the following fields, leaving the remaining fields with default values:

    Field                  Value
    ---------------------  ---------------------------------------------------------------------
    Access Gate Name       The host name that you configured when you created the authentication provider. Use the plain host name without domain.
    Primary Access Server  The primary Access Server, configured as host:port.

  8. Move OAM to the top of the list of providers, just above the LDAP provider.

  9. Click Save to complete the provider definition.

4.4 Setting Provider Priorities

To set the provider priorities:

  1. On the Providers list, select DefaultAuthenticator and change the Control Flag to SUFFICIENT:

    Figure 4-5 Setting Provider Priorities

  2. On the Providers list, click Reorder and move OAM to the top with the <provider_name> second:

    Figure 4-6 Reordering Authentication Providers

  3. Restart the WebLogic server. Once the server is restarted, WebLogic is ready for OAM use. EDQ now gets all information from the LDAP provider, and the original user weblogic no longer works in EDQ. Instead, log in as user edqadmin with password welcome1.

4.5 OAM Configuration

Install Oracle HTTP Server (OHS) 11 or 12 and the WebGate extension. WebGate software is shipped with OHS 12. WebGate intercepts HTTP requests from users for web resources and forwards them to the Access Server for authentication and authorization.

If you use OHS 12, the WebGate software is bundled and you do not need a separate download. For more information, see Installing WebGate in Oracle Access Manager Installation Guide.

Configure the WebLogic plugin to forward /edq to WebLogic:

<Location /edq>
  SetHandler weblogic-handler
  WebLogicHost managedserverhost
  WebLogicPort managedserverport
</Location>

Finally, install the WebGate artifacts and restart OHS to complete the installation.

In OAM, define the following resource policies for the EDQ URLs:

Resource                Policy
----------------------  ------------------------------------
/edq/faces/**           Protected Resource Policy
/edq/blueprints/*/jnlp  Protected Resource Policy
/edq/**                 Public Resource Policy (or excluded)
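As an added example (not part of the Oracle documentation or the EDQ product), the following Python resolves request paths against the three EDQ resource policies listed above, so an administrator can see which paths WebGate would pass through under the public policy before relying on OAM to protect the application. It assumes the usual OAM wildcard convention (`*` matches within a single path segment, `**` spans segments) and approximates best-match selection by listing the patterns most specific first; the sample paths are constructed.

```python
import re

# Resource policies for EDQ as listed in the chapter, most specific first.
# First match wins, which approximates OAM best-match selection (assumption).
EDQ_POLICIES = [
    ("/edq/faces/**", "Protected Resource Policy"),
    ("/edq/blueprints/*/jnlp", "Protected Resource Policy"),
    ("/edq/**", "Public Resource Policy"),
]

def pattern_to_regex(pattern):
    """Translate an OAM-style URL pattern into an anchored regex.
    Assumed semantics: '*' matches one or more characters inside a single
    path segment; '**' matches anything, across segments."""
    parts = []
    for token in re.split(r"(\*\*|\*)", pattern):
        if token == "**":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]+")
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$")

COMPILED = [(pattern_to_regex(p), name) for p, name in EDQ_POLICIES]

def policy_for(path):
    """Return the policy governing `path`, or None if no pattern applies."""
    for regex, name in COMPILED:
        if regex.match(path):
            return name
    return None

def unprotected(paths):
    """Paths that reach WebLogic without OAM asserting an identity: matched
    only by the public policy, or by no EDQ pattern at all."""
    return [p for p in paths if policy_for(p) != "Protected Resource Policy"]

if __name__ == "__main__":
    # Constructed sample paths for illustration, not URLs taken from EDQ.
    sample = [
        "/edq/faces/home.jsf",         # protected by /edq/faces/**
        "/edq/blueprints/demo/jnlp",   # protected by /edq/blueprints/*/jnlp
        "/edq/blueprints/a/b/jnlp",    # '*' covers one segment only -> public
        "/edq/images/logo.png",        # public
    ]
    for p in sample:
        print(f"{p:30} {policy_for(p)}")
    print("Not protected:", unprotected(sample))
```

Note that a blueprint path with an extra segment falls through to the public policy because `*` does not cross `/`; the script makes such gaps visible before they are relied upon in production.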