Configuring SSO in OAM Console
After installing OAM, Webtier Utilities and Webgate, extend the WebLogic domain to create the OAM server.
Follow the post-installation scripts deployWebGate and EditHttpConf as provided in Post Installation Steps.
- Identity Store Creation
- To create a new User Identity Store, log in to the OAM Console.
- Navigate to System Configuration > Common Configuration > Data Sources > User Identity Store.
- Enter the following information in the User Identity Store.
Store Type: Oracle Internet Directory
Location: LDAP server host name and port number in <HOSTNAME>:PORT format
Bind DN: User name used to connect to the LDAP server
Password: Password used to connect to the LDAP server
User Name Attribute: The LDAP attribute that serves as the user name for the application (here it is treated as the OBTR user name)
User Search Base: The container of the user names in the LDAP server
Group Search Base: The container of the group names in the LDAP server
Figure 2-2 Oracle Access Manager - System Configuration
- Click the Apply button after entering the above information.
- On successful creation, click the Test Connection button to verify that the LDAP connection works.
- To create an Authentication Module, navigate to System Configuration > Access Manager Settings > Authentication Modules > LDAP Authentication Module. The LDAP Authentication Module screen is displayed.
- Click the New button to create a new Authentication Module. Enter the name of the authentication module and choose the User Identity Store created in step 1.
- To create an OAM 12c Webgate, navigate to System Configuration > Access Manager Settings > SSO Agents > OAM Agents. The OAM Agents page is displayed.
- Click the Create 12c Webgate button, or click the New OAM 12c Webgate link available on the welcome page.
- Enter any name for the Webgate and the Base URL (the host and port of the computer on which the Web server for the Webgate is installed), and click Apply.
Once the OAM 12c Webgate is created, add the filterOAMAuthnCookie=false parameter along with the default parameters in User Defined Parameters. Click the Apply button to save the changes.
- Post OAM Webgate 12c Creation Steps
Perform the following steps to copy the artifacts to the Webgate installation directory:
- On the Oracle Access Manager Console host, locate the updated OAM Agent ObAccessClient.xml configuration file (and any certificate artifacts). For example:
$DOMAIN_HOME/output/$Agent_Name/ObAccessClient.xml
- On the OAM Agent host, copy the artifacts to the following Webgate directory path. For example:
12cWebgate_instance_dir/webgate/config/ObAccessClient.xml (for instance WebTier_Middleware_Home/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config/ObAccessClient.xml)
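The artifact copy in the steps above can be scripted. The following Python script is an added example, not part of this guide or of the Oracle product; it assumes the $DOMAIN_HOME/output/<agent>/ and <webgate_instance_dir>/webgate/config layout shown above, keeps any file it overwrites as a .bak copy, restricts the copies to owner read/write (ObAccessClient.xml and the wallet hold the agent's secrets) and verifies each copy by hash. make_sample_layout builds a constructed temporary directory pair so the script can be tried without a real installation.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def copy_agent_artifacts(agent_output_dir: Path, webgate_config_dir: Path) -> dict[str, str]:
    """Copy the artifacts into <webgate_instance_dir>/webgate/config, backing up any
    existing file as <name>.bak, restricting copies to 0600 (they hold agent secrets)
    and verifying each by SHA-256. Returns {file name: sha256 of the copy}."""
    if not (agent_output_dir / "ObAccessClient.xml").is_file():
        raise FileNotFoundError(f"ObAccessClient.xml missing in {agent_output_dir}")
    webgate_config_dir.mkdir(parents=True, exist_ok=True)
    digests: dict[str, str] = {}
    for src in sorted(p for p in agent_output_dir.iterdir() if p.is_file()):
        dst = webgate_config_dir / src.name
        if dst.exists():
            shutil.copy2(dst, dst.with_name(dst.name + ".bak"))
        shutil.copy2(src, dst)
        os.chmod(dst, 0o600)
        if sha256_of(src) != sha256_of(dst):
            raise RuntimeError(f"verification failed for {src.name}")
        digests[src.name] = sha256_of(dst)
    return digests


def make_sample_layout() -> tuple[Path, Path]:
    """Constructed stand-in for $DOMAIN_HOME/output/<agent> and the Webgate config dir."""
    base = Path(tempfile.mkdtemp(prefix="oam-demo-"))
    src = base / "output" / "OBTRWebgate"
    dst = base / "instance1" / "config" / "OHS" / "ohs1" / "webgate" / "config"
    src.mkdir(parents=True)
    dst.mkdir(parents=True)
    # Placeholder contents only; the real files come from the OAM Console registration.
    (src / "ObAccessClient.xml").write_text("<!-- constructed placeholder agent config -->\n")
    (src / "cwallet.sso").write_bytes(b"placeholder-wallet")
    (dst / "ObAccessClient.xml").write_text("<!-- stale copy, will be backed up -->\n")
    return src, dst


if __name__ == "__main__":
    src_dir, dst_dir = make_sample_layout()
    for name, digest in copy_agent_artifacts(src_dir, dst_dir).items():
        print(f"{digest}  {name}")
```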
- To create an Authentication Scheme, navigate to Policy Configuration > Authentication Schemes and click the Create button to create a new Authentication Scheme.
Name: Any name to identify the Authentication Scheme
Challenge Method: BASIC
Challenge Redirect URL: /oam/server
Authentication Module: Choose the authentication module created in step 2.
If it is a basic authentication scheme, the enforce-valid-basic-auth-credentials tag must be added to the config.xml file located under /user_projects/domains/<MyDomain>/config/. The tag must be inserted within the <security-configuration> tag, just before its closing tag, as follows:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
</security-configuration>
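One way to make that config.xml edit repeatably (an added example, not from this guide or from Oracle): the script inserts the element as the last child of <security-configuration>, updates it if it is already there, and never adds it twice. SAMPLE_CONFIG is a constructed minimal config.xml used for demonstration only.

```python
import re
from pathlib import Path

TAG = "enforce-valid-basic-auth-credentials"
OPEN, CLOSE = "<security-configuration", "</security-configuration>"

# Constructed minimal config.xml for demonstration; a real domain file is much larger.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <security-configuration>
    <name>base_domain</name>
    <node-manager-username>weblogic</node-manager-username>
  </security-configuration>
  <admin-server-name>AdminServer</admin-server-name>
</domain>
"""


def set_basic_auth_enforcement(config_xml: str, enabled: bool = False) -> tuple[str, bool]:
    """Return (updated_xml, changed); re-running on an already edited file changes nothing."""
    want = "true" if enabled else "false"
    if config_xml.count(OPEN) != 1 or config_xml.count(CLOSE) != 1:
        raise ValueError("expected exactly one <security-configuration> block")
    open_at, close_at = config_xml.index(OPEN), config_xml.index(CLOSE)
    found = re.search(rf"<{TAG}>\s*(\w+)\s*</{TAG}>", config_xml)
    if found:
        if not open_at < found.start() < close_at:
            raise ValueError(f"<{TAG}> is outside <security-configuration>")
        if found.group(1).lower() == want:
            return config_xml, False          # already set: nothing to do
        return (config_xml[:found.start()] + f"<{TAG}>{want}</{TAG}>"
                + config_xml[found.end():], True)
    # Not present: add it as the last child, on its own line if the closing tag has one.
    line_start = config_xml.rfind("\n", 0, close_at) + 1
    indent = config_xml[line_start:close_at]
    if indent.strip() == "":
        new_line = f"{indent}  <{TAG}>{want}</{TAG}>\n"
        return config_xml[:line_start] + new_line + config_xml[line_start:], True
    return config_xml[:close_at] + f"<{TAG}>{want}</{TAG}>" + config_xml[close_at:], True


def update_config_file(path: Path, enabled: bool = False) -> bool:
    """Apply the change to a config.xml on disk, keeping a .bak copy; True if modified."""
    original = path.read_text(encoding="utf-8")
    updated, changed = set_basic_auth_enforcement(original, enabled)
    if changed:
        path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
        path.write_text(updated, encoding="utf-8")
    return changed
```

Run update_config_file only while the Admin Server is stopped, since a running server rewrites config.xml and would overwrite the manual edit.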
- To create an authentication policy, navigate to Policy Configuration > Application Domains > [Webgate agent name] > Authentication Policies.
- Click the New button and enter the following information:
Name: Enter any name to identify the Authentication Policy (e.g. OBTRWebPolicy)
Authentication Scheme: Choose the authentication scheme created in step 5.
Resources: Add all the resources that need to be protected. If <WebgateName>:/…/ and <WebgateName>:/ are added in the resources, then all the resources are protected.
- Add DN in the Responses section and enter the value $user.attr.dn. The responses maintained in this tab are added to the response header during authentication.
- To add Resources, navigate to Policy Configuration > Application Domains > OBTRWebgate > Resources.
- Click the Create New Resource button.
- Select the type as HTTP.
- Select the Host Identifier as OBTRWebgate.
- Enter the resource URL as /FCJNeoWeb.
- Select the protection level as Protected.
- Click the Apply button to update the added resource.
- Select the Authentication Policy and Authorization Policy as Protected Resource Policy.
- Check that the resources listed in the authentication policy are also present in the Authorization Policy; these values are populated by default during Webgate creation.
- Add DN in the Responses section and enter the value $user.attr.dn. The responses maintained in this tab are added to the response header during authorization.
- To enable the Oracle HTTP Server instances to route to applications deployed on the Oracle WebLogic Server clusters, add the directive shown below to the mod_wl_ohs.sh file available in <Weblogic Home>/Oracle_WT1/instances/instance1/config/OHS/ohs1.
<Location /console>
SetHandler weblogic-handler
WebLogicHost idmhost1.mycompany.com
WebLogicPort 7001
</Location>
- After configuring the Webgate 12c agent, launch the URL http://<hostname>:<ohs_Port>/ohs/modules/webgate.cgi?progid=1 to verify that the Webgate configuration is correct. If the URL displays a screen as shown below, the Webgate configuration is working.
- Using OAM Test Tool (this step is not mandatory)
The OAM software provides a test tool that helps to check the response parameter values. The test tool is available in <OAM Install Dir>\oam\server\tester, for example D:\weblogic\Middleware\Oracle_IDM1\oam\server\tester. Use java -jar oamtest.jar to launch the OAM test tool.