Configuring Oracle Access Manager and the Oracle HTTP Server WebGate for Single Sign-On

There are several supported authentication schemes that you can use to enable SSO for your Primavera applications, such as: Form (LDAP), X509 (Certificate), WNA (Windows Native Authentication); however, this document covers the necessary procedures for form-based authentication. If you prefer to use one of the other authentication schemes, you should review Managing Access Manager SSO, Policies, and Testing in the Fusion Middleware Administrator's Guide for Oracle Access Management.

The following list represents the tasks that you need to complete configure SSO for your P6 EPPM applications:

  1. Registering an Identity Store
  2. Creating an Authentication Module
  3. Configuring a Host Identifier
  4. Configuring an Authentication Scheme
  5. Protecting Your Resources
  6. Configuring Protected Resources Under an Application Domain
  7. Mapping Your Authentication Scheme to Your Authentication Policy
  8. Testing Your Single Sign-On Implementation

Registering an Identity Store

Oracle Access Manager needs to be configured with a data source that will hold a connection to your LDAP directory server.

For more information about managing data sources for Oracle Access Manager, see Section 4 and 4.2 in the Fusion Middleware Administrator's Guide for Oracle Access Management.

To configure a data source in Oracle Access Manager to connect to an LDAP server, follow the instructions in Section 4.3, Managing User Identity Stores, in the Fusion Middleware Administrator's Guide for Oracle Access Management.

Note:

You only need to complete steps 1-5 for Section 4.3.2, Registering a New User Identity Store.

Creating an Authentication Module

After you have your directory store registered in Oracle Access Manager, you need to create an Authentication Module that links to it. The authentication module needs to be linked to an authentication scheme.

To create an authentication module:

  1. Log in to the Oracle Access Manager Administration Console.
  2. Navigate to the System Configuration tab.
  3. Expand Access Manager and then expand Authentication Modules.
  4. Click LDAP Authentication Module.
  5. Click Create.
  6. In the Create LDAP Authentication Module dialog box, do the following:
    1. In the Name field, enter a name for the authentication module that you want to create.
    2. From the User Identity Store list, select the link that matches the LDAP data source that you created.
    3. Click Apply to save the changes.

Configuring a Host Identifier

Oracle Access Manager needs to be configured with a host identifier that matches the host identifier variable that you created when you registered Oracle HTTP Server WebGate with Oracle Access Manager. When you registered your WebGate with Oracle Access Manager, this step was completed automatically for you.

Note:

You need to create a host identifier for each application server in your environment.

If a host identifier was not created or was deleted after you created your WebGate, you will need to create a new host identifier.

To create a new host identifier, follow the instructions in the Managing Host Identifiers section of the Fusion Middleware Administrator's Guide for Oracle Access Management.

To confirm that you have a configured Host Identifier:

  1. Log in to the Oracle Access Manager Administration Console.
  2. Navigate to the Policy Configuration tab.
  3. Click Host Identifier and then click Open.
  4. Click Search.
  5. Select the link for your Host Identifier.
  6. In the Host Identifier dialog box, complete the following:

    In the Host Name Validation list, ensure that the name of your host identifier under Host Name matches the host identifier that you setup when you registered your WebGate with Oracle Access Manager.

    Note:

    The host identifier field is a value that replaces hostname:port in requests from the web server to Oracle Access Manager. For example, your WebGate has a host identifier set to P6EPPM and you make a request in the browser for a resource, such as http://ohs_<server_name>:<port>/p6. WebGate makes an IsProtected call to the Oracle Access Manager managed server to determine whether the resource is protected; in this instance, the resource is /p6. WebGate will pass the resource from itself to Oracle Access Manager as http://P6EPPM/p6 — this can be seen in trace mode logs of Oracle Access Manager — and then it will attempt to match a policy created in Oracle Access Manager. As a result of this substitution, redirection to Oracle Access Manager for authentication will occur if the actual <host_name>:<port> of the web server is not set as the host identifier value.

Configuring an Authentication Scheme

Once you have a data source that stores a connection to your LDAP server, you have to create an authentication scheme for your Primavera applications. An authentication scheme is a named component that defines the challenge mechanism that is required to authenticate a user. For example, the authentication scheme determines if you will use form based authentication, basic authentication, Windows Native Authentication, and so on.

To create a new authentication scheme, follow the instructions in the Managing Authentication Schemes section of the Fusion Middleware Administrator's Guide for Oracle Access Management.

If you already have an authentication scheme, you can use it as a template to provide form based authentication for your P6 EPPM applications.

To duplicate an authentication scheme:

  1. Log in to the Oracle Access Manager Administration Console.
  2. Navigate to the Policy Configuration tab.
  3. Expand Authentication Schemes.
  4. Click LDAP Scheme.
  5. Click Duplicate icon Duplicate.
  6. In the Authentication Schemes dialog box, complete the following:
    • Description
    • Authentication Level
    • Default
    • Challenge Method
    • Challenge Redirect URL
    • Challenge URL
    • Context Type
    • Context Value
    • Challenge Parameters
    1. In the Name field, enter a name for your Authentication Scheme.
    2. In the Authentication Module field, select the authentication module that you created for your LDAP data source.
    3. Click Apply to create the new authentication scheme.

Note:

By default, the ssoCookie:httponly challenge parameter is enabled in an authentication scheme. This parameter helps to prevent JavaScript running in the browser from accessing the ObSSOCookie; however, it is necessary to read ObSSOCookie in order to give applets and iFrames the ability to read from an existing authenticated session.

If this challenge parameter is turned on it will result in the following two issues when using P6 EPPM over SSO:

  • Error: "java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file Applet" or "Prompt For Re-authentication When Loading Any Applet When Configured For Oracle Access Manager (OAM)". For more information about these prompts, see Doc ID = 1242418.1 at My Oracle Support.

  • Applets In P6 Are Generating A "Java Authentication Required" Prompt After Reaching The Oracle Access Manager Session Lifetime Threshold. For more information about this prompt, see Doc ID = 1596987.1 at My Oracle Support.

To prevent these prompts from occurring, the following challenge parameters should be added to the authentication scheme created:
  • ssoCookie=disablehttponly
  • miscCookies=disablehttponly

For more information about the cookies used during SSO, see Understanding SSO Cookies in the Fusion Middleware Administrator's Guide for Oracle Access Management.

Protecting Your Resources

After you have Oracle Access Manager configured with a connection to your LDAP server, a host identifier that links to your Oracle HTTP Server WebGate for Oracle Access Manager, and an authentication scheme, you need to create an application domain so that you can setup policies to protect your resources and to configure a policy that points to the authentication scheme that you want to use.

For more information about resource policies, refer to the Managing Policies to Protect Resources and Enable SSO section of the Fusion Middleware Administrator's Guide for Oracle Access Management.

For the steps to protect your resources, see Configuring Protected Resources Under an Application Domain.

Oracle recommends that you protect your context roots with the following conventions:

  • /context

    For example, the connection http://<host_name>:<port>/<context> will be recognized as a protected resource.

  • /context/

    For example, the connection http://<host_name>:<port>/<context>/ will be recognized as a protected resource.

  • /context/** or /context/.../**

    For example, the connection http://<host_name>:<port>/<context>/<additional_context_roots> will be recognized as a protected resource.

The following list provides the context roots that need to be protected for each Primavera application:

Note:

  • If you require additional context roots, you must use two asterisks at the end of your connection string (for example, ... /<context>/**).
  • Protect the P6 Professional Cloud Connect resource if you intend to configure SAML authentication for P6 Professional instances that connect to a P6 EPPM database.

  • P6

    /p6

    /p6/

    /p6/**

  • P6 mobile

    /p6tmws

    /p6tmws/

    /p6tmws/**

  • P6 Team Member Web

    /p6tmweb

    /p6tmweb/

    /p6tmweb/**

  • P6 Integration API

    /PrimaveraAPI/APIAPPS

    /PrimaveraAPI/APIAPPS/**

  • P6 Professional Cloud Connect

    /p6procloudconnect

    /p6procloudconnect/**

  • P6 EPPM Web Services

    /p6ws/services

    /p6ws/services/**

    /p6ws/token

    /p6ws/downloadtoken

  • Primavera Gateway

    /gatewayapi

    /gatewayapi/

    /gatewayapi/**

  • Primavera Unifier

    /bluedoor

    /bluedoor/

    /bluedoor/**

    /bp/**

    /m/**

  • Primavera Data Warehouse

    /p6rdb

In some instances, you must create a resource definition for context roots with an excluded protection level. For example, Primavera Gateway deployments including P6 integrations and direct AutoVue integrations without VueLink require you to configure context roots with excluded protection levels. When you attempt to connect to an application using a URL that contains an excluded context root, an SSO authentication request will not be generated.

You must configure the context roots below with an excluded protection level because they can cause SSO authentication requests to fail during connection attempts:

  • Primavera Gateway

    /gatewayapi/restapi/**

    /gatewayapi/restapisession/usersession

  • P6 AutoVue integration without VueLink

    /p6/VueServlet/**

    /p6/jvueDMS/**

    /p6/P6AutovueJNLPLauncher

    /p6/P6AutovueJNLPLauncher/**

    /p6/applets/jogl.jar

    /p6/applets/jsonrpc4j.jar

    /p6/applets/gluegen-rt.jar

    /p6/applets/jvue.jar

    Note:

    If you have setup AutoVue integration using VueLink, you do not need to configure the preceding excluded protection context roots for AutoVue.

For the steps to exclude resources, see Configuring Excluded Resources Under an Application Domain.

Configuring Protected Resources Under an Application Domain

When you registered your Oracle HTTP Server WebGate with the Oracle Access Manager, an application domain was automatically created for you.

To protect the context roots of your Primavera applications:

  1. Log in to the Oracle Access Manager Administration Console.
  2. Navigate to the Policy Configuration tab.
  3. Click Application Domains and then click Open icon Open.
  4. Click Search and then search for the name of the application domain that matches your registered WebGate name.
  5. Navigate to the Resource tab.
  6. Click New Resource and then do the following:
    1. In the Type field, select HTTP.
    2. In the Host Identifier field, select the name of the host identifier that you created.
    3. In the Resource URL field, enter a protected context root (for example, /p6)
    4. In the Protection Level field, select Protected.
    5. In the Authentication Policy field, select Protected Resource Policy.
    6. Click Apply.
  7. In the Resources tab, highlight the entire field to the right of the Resource Type column and then close it.
  8. Click Close icon Close.
  9. Repeat this procedure for each protected resource.

Configuring Excluded Resources Under an Application Domain

When you registered your Oracle HTTP Server WebGate with the Oracle Access Manager, an application domain was automatically created for you.

To exclude the context roots of your Primavera applications:

  1. Log in to the Oracle Access Manager Administration Console.
  2. Navigate to the Policy Configuration tab.
  3. Click Application Domains and then click Open icon Open.
  4. Click Search and then search for the name of the application domain that matches your registered WebGate name.
  5. Navigate to the Resource tab.
  6. Click New Resource and then do the following:
    1. In the Type field, select HTTP.
    2. In the Host Identifier field, select the name of the host identifier that you created.
    3. In the Resource URL field, enter an excluded context root (for example, /p6ws).
    4. In the Protection Level field, select Excluded.
    5. Click Apply.
  7. In the Resources tab, highlight the entire field to the right of the Resource Type column and then close it.
  8. Click Close icon Close.
  9. Repeat this procedure for each protected resource.

Mapping Your Authentication Scheme to Your Authentication Policy

After you create your resources and tie them to the Authentication Policy that was created for you when the application domain was created (for example, Protected Resource Policy), you need to map your authentication scheme to your authentication policy so that your resources will present the login form to users for authentication:

  1. Log in to the Oracle Access Manager Administration Console.
  2. Navigate to the Authentication Policies tab.
  3. Select Protected Resource Policy.
  4. In the Authentication Scheme menu, select the authentication scheme that you created.
  5. Click Apply.

Testing Your Single Sign-On Implementation

After your Oracle HTTP Server is configured with Oracle HTTP Server WebGate for Oracle Access Manager is restarted, you can test the SSO integration before you configure SSO with your P6 EPPM applications.

To test your SSO implementation:

  1. Close all of your open browsers.
  2. Open a new browser.
  3. Enter the URL of a Primavera application with the following Oracle HTTP Server convention <server_name> /<port>. For example: http://<OHS_Server_Name>:<ohs_port> /p6

    You are redirected to a SSO form for authentication.

  4. Enter the required information.

    After you have been successfully authenticated, you will be redirected to the P6 EPPM application login page. The redirection from the SSO login page to the P6 EPPM application landing page confirms the successful setup of the Access Manager.

  5. Access a Primavera application that has been enabled for SSO. If you are able to log in to the application without having to enter your user credentials, then you have been successful in implementing SSO.