Configuring WebLogic for Single Sign-On

WebLogic supports a variety of LDAP providers (for example, Oracle Internet Directory). See the Tested Configurations documents for the products with which you intend to enable with SSO to determine the supported LDAP providers, and see your LDAP provider documentation for details on adding users and groups to the store. One of the requirements for the web-based applications is that you create groups in the LDAP store and assign each user that requires access to your applications to these groups in WebLogic.

The following groups are created during the initial deployment of Primavera Gateway:

  • PrimaveraGatewayProductionAdministrator
  • PrimaveraGatewayAdminNoData
  • PrimaveraGatewayProductionDeveloper
  • PrimaveraGatewayProductionUser
  • PrimaveraGatewayUserNoData

The following group was created during the deployment of the Primavera Data Warehouse web-based Configuration Utility:

  • PrimaveraAnalyticsProduction

Note:

If you have modified the name of a group in WebLogic, you must also modify the name of the group in your LDAP provider.

Also, you must configure SSO providers in the WebLogic security realm. See Creating Single Sign-On Authentication Providers for information on creating authentication providers.

Creating Single Sign-On Authentication Providers

To create SSO authentication providers:

  1. Log in to the WebLogic Administration Console as an administrative user for either Primavera Gateway or Primavera Analytics.
  2. In the Change Center pane select Lock & Edit.
  3. In the Domain Structure pane, select Security Realms.
  4. Select myrealm in the security realm list.
  5. In the Settings for myrealm page, select the Providers tab.
  6. Select New and enter information for a new authenticator provider.
    1. In the Name field, enter a name for the authenticator provider. For example, OAMIdentityAsserter.
    2. In the Type field, select OAMIdentityAsserter.
    3. Edit the newly created authenticator and set the Control Flag to Required.
    4. Move the following Active Types to the Chosen column:
      • OAM_REMOTE_USER
      • OAM_IDENTITY_ASSERTION
      • ObSSOCookie
    5. Click Save.
  7. Select New to enter information for a new authenticator provider.
    1. In the Name field, enter a name for the provider. For example, PrimaveraAuthenticator.
    2. In the Type field, select OracleInternetDirectoryAuthenticator.
    3. In the Common tab, select the newly created provider and set the Control Flag to SUFFICIENT, and click Save.
    4. In the Provider Specific tab, enter the LDAP information from Oracle Access Manager LDAP store. Ensure you enter information in the following sections: Connection, Users, Groups, Static Groups, Dynamic Groups (optional), and General.
    5. Click Save.
  8. In the Domain Structure pane, select Security Realms, myrealm, and Providers.
  9. Edit all other authenticators and change the Control Flag to SUFFICIENT.
  10. In the Providers screen, click the Reorder Authentication Providers button and reorder the providers in the following sequence:
    1. OAMIdentityAsserter
    2. PrimaveraAuthenticator
    3. DefaultAuthenticator
    4. DefaultIdentityAsserter
  11. Click OK to save your changes
  12. In the Change Center pane, click Activate Changes.
  13. Log out of the WebLogic Administration Console.