Oracle by Example: Integrating with Google through OpenIDConnect (OIDC) Plugin

Before You Begin

This 15-minute tutorial shows you how to integrate Google, a sample social identity site, with Oracle Access Management by configuring the OpenIDConnectPlugin (OIDC).

Background

From the 12c (12.1.3.0) Bundle Patch onwards, Oracle Access Management provides an out-of-the-box authentication plugin called “OpenIDConnectPlugin” (OIDC). This is a generic plugin that allows you to integrate with any OpenID 2.0 social identity provider, such as Google, Facebook, Oracle Identity Cloud Service, or even Oracle Access Management itself. The plugin redirects the user to the Identity Provider (IDP) it is integrated with, using the OpenIDConnect protocol. After the IDP authenticates the user, control is submitted back to the Oracle Access Management server, where Oracle Access Management asserts the user and creates an Oracle Access Management session.

In this tutorial, you will learn how to configure the OpenIDConnectPlugin in the Oracle Access Management console in order to integrate it with Google.

What Do You Need?


Register a Client in Google

In this section, you will set up credentials in Google and obtain the client_id and client_secret values.

Note: The steps and the User Interface (UI) described below may change at any time when Google API Console is updated.

  1. Go to console.developers.google.com.
  2. Click Create Project, enter a name for the project, and click Create.
  3. If the APIs & Services page is not already open, open the left side menu of the console and select APIs & Services.
  4. On the left, click Credentials.
  5. On the Credentials page, select Create Credentials, then select OAuth client ID.
    (Illustration: Setting-up-Google-Creds)
  6. Configure consent screen by clicking Configure consent screen.
  7. In the Application Name field, enter Oracle Access Management.
  8. In the Authorized Domains field, enter oracle.com and click Save.
  9. Select Web application for the Application Type.
  10. In the Authorized URIs field, enter the endpoint on the Oracle Access Management server as the redirect URI for the client. For example, http(s)://OAM HOST:port/oam/server/auth_cred_submit. This is the URI to which the authorization code is sent after the user completes the authentication and authorization with the Oracle Access Management server.
  11. Click Create.
  12. Copy the client_id and client_secret to your clipboard; you will need them when you configure the Authentication Module in Oracle Access Management.
  13. Click OK.

Create a New Authentication Module

In this section, you will create a new authentication module in the Oracle Access Management console.

  1. Start a web browser and log in to the Oracle Access Management console at http://hostname:port/oamconsole using your admin credentials.
  2. From the Application Security tab, click Authentication Modules link in the Plug-ins tile.
  3. From the Create Authentication Module drop-down list, select Create Custom Authentication Module.
  4. Enter Google-AuthModule in the Name field and click the Steps tab.
  5. Click Add and enter OIDC in the Step Name field in the Add new step screen.
  6. Select OpenIDConnectPlugin from the Plug-in Name drop-down list and click OK.
  7. Click Add again and enter UI in the Step Name field.
  8. Select UserIdentificationPlugIn from the Plug-in Name drop-down list and click OK.
  9. Click the Steps Orchestration tab.
  10. From the Initial Step drop-down list, select OIDC.
  11. Set the values as shown in the figure below:
    (Illustration: Setting-up-Steps-Orchestration-tab)
  12. Click Apply.
  13. Click the Steps tab and select the OpenIDConnectPlugin (OIDC).
  14. Use the following table as a guide to the fields, sample values, and descriptions in the Step Details section. Each entry gives the field, its sample value where one applies, whether it is mandatory or optional, and a description:
    id_domain (Text; Optional): Enter the identity domain. It is required for integration with Oracle Access Management as the IDP, since all the artifacts (the client) are created under an Identity Domain in Oracle Access Management.
    oauth_client_secret (Mandatory): Enter the OAuth client secret.
    token_end_point (Text; Optional): Enter the access token endpoint. It is required ONLY if the IDP does not support a Discovery URL.
    authz_end_point (Optional): Enter the authorization endpoint. It is required ONLY if the IDP does not support a Discovery URL.
    require_proxy (Optional): Set it to false if the plugin does not use the proxy configuration and redirects directly to the IDP.
      Note: If a proxy is required to connect to the IDP, add this setting before starting the server: -Dhttp.proxy.Host=www-proxy.example.com -Dhttp.proxy.Port=80
    provider (google; Mandatory): Enter google.
    scope (Optional): The default “scope” sent to the IDP is openid email. If it has to be overridden, set a new scope with this plugin parameter.
    userinfo_end_point (Optional): Enter the user information endpoint. It is required ONLY if the IDP does not support a Discovery URL.
    additional_parameters: This is not used as of now and can be left blank.
    discovery_url (https://accounts.google.com; Mandatory): Enter the discovery URL at the IDP end in the format http(s)://URL host. It provides the authorization, token, and userinfo endpoint information. The well-known path /.well-known/openid-configuration is appended to the discovery URL, giving the expected format http(s)://URL host/.well-known/openid-configuration. The plugin fetches the authorization, token, and user information endpoints from this discovery URL and redirects to them.
    username_attr (email; Mandatory): This parameter indicates which attribute should be read from the Identity Token. With email, the plugin takes the user's email address from the “email” attribute, for example {“email” : “John.Doe@gmail.com”}.
    oauth_client_id (Mandatory): Enter the OAuth client id.
  15. Click Save.
  16. Select UserIdentificationPlugIn.
    (Illustration: Setting-up-UI-Plugin)
  17. In the KEY_IDENTITY_STORE_REF field, enter UserIdentityStore1.
  18. In the KEY_LDAP_FILTER field, enter &(objectclass=inetorgperson)(MAIL={KEY_USERNAME}).
  19. In the KEY_SEARCH_BASE_URL field, enter ou=people,ou=myrealm,dc=<domain name>.
  20. Click Save, then click Apply.
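The Step Details table and the KEY_LDAP_FILTER step above describe rules the plugin applies: the well-known path appended to discovery_url, the endpoints that become required when no discovery URL is configured, the username attribute read from the Identity Token, and the substitution of that username into the LDAP filter. The following POSIX shell script is an added example, not Oracle's code and not part of the plugin, that checks a set of step values against those rules before you save them. The function names, the sample discovery document and claims, the RFC 4515 escaping of the filter value, and the https-only rule for discovery_url are this example's own assumptions, not behaviour the page attributes to the plugin.

```shell
#!/bin/sh
# Added example, not Oracle's code: sanity-check OpenIDConnectPlugin step values before
# saving them, using the rules from the Step Details table. Field names mirror the plugin
# parameters; the https-only rule for discovery_url is this script's own stricter check.

# Build the URL the plugin fetches: discovery_url + /.well-known/openid-configuration.
oidc_wellknown_url() {
  base=${1%/}                                  # tolerate a trailing slash on the entered value
  printf '%s/.well-known/openid-configuration' "$base"
}

# Return 0 when the step values are consistent:
#  - provider, oauth_client_id, oauth_client_secret and username_attr are mandatory
#  - with a discovery_url it must be https (stricter than the page's http(s) wording)
#  - without a discovery_url, authz_end_point, token_end_point and userinfo_end_point
#    are all required, because the plugin cannot discover them
# args: provider oauth_client_id oauth_client_secret username_attr discovery_url
#       authz_end_point token_end_point userinfo_end_point
oidc_check_step() {
  provider=$1 client_id=$2 client_secret=$3 username_attr=$4
  discovery_url=$5 authz=$6 token=$7 userinfo=$8
  [ -n "$provider" ] && [ -n "$client_id" ] && [ -n "$client_secret" ] && [ -n "$username_attr" ] || return 1
  if [ -n "$discovery_url" ]; then
    case $discovery_url in https://*) ;; *) return 1 ;; esac
  else
    [ -n "$authz" ] && [ -n "$token" ] && [ -n "$userinfo" ] || return 1
  fi
  return 0
}

# Read one string-valued field from a JSON document such as the discovery document or the
# ID-token claims (one field per line is enough here; a real client uses a JSON parser).
oidc_json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Escape LDAP filter metacharacters (RFC 4515) before substituting a value taken from the
# token into KEY_LDAP_FILTER, so an attribute value cannot change the filter's structure.
ldap_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Substitute the username read from the ID token into the KEY_LDAP_FILTER template.
oidc_ldap_filter() {
  template=$1
  esc=$(ldap_escape "$2")
  prefix=${template%%\{KEY_USERNAME\}*}
  suffix=${template#*\{KEY_USERNAME\}}
  printf '%s' "$prefix$esc$suffix"
}

# Constructed sample inputs (not real Google values).
SAMPLE_DISCOVERY='{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "token_endpoint": "https://idp.example.com/token",
  "userinfo_endpoint": "https://idp.example.com/userinfo"
}'
SAMPLE_CLAIMS='{"email" : "John.Doe@gmail.com"}'

# Walk through the flow with the Google settings from the table.
oidc_demo() {
  oidc_check_step google my-client-id my-client-secret email https://accounts.google.com "" "" "" || return 1
  echo "discovery: $(oidc_wellknown_url https://accounts.google.com)"
  echo "token endpoint: $(oidc_json_field "$SAMPLE_DISCOVERY" token_endpoint)"
  user=$(oidc_json_field "$SAMPLE_CLAIMS" email)
  echo "filter: $(oidc_ldap_filter '&(objectclass=inetorgperson)(MAIL={KEY_USERNAME})' "$user")"
}
```

Call oidc_demo to see the derived discovery URL, the token endpoint pulled from the sample document, and the filter built for John.Doe@gmail.com; oidc_check_step returns 1 for a plain-http discovery URL or for a configuration that has neither a discovery URL nor all three explicit endpoints, which is the combination the table marks as required.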

Create a New Authentication Scheme

In this section, you will create and configure an authentication scheme that uses the authentication module you created and configured in the previous sections. In addition, you will set the Challenge Parameters to initial_command=NONE so that control is passed on to the plugin.

  1. From the Application Security tab, click the Authentication Schemes link in the Access Manager tile.
  2. Click Create Authentication Scheme.
  3. Set the values as shown in the figure below:
    (Illustration: Creating-Auth-Scheme)
  4. Click Apply.

Modify Authentication Policy in Application Domain

In this section, you will modify the authentication policy in the application domain of the protected resource to use the authentication scheme created in the previous section.

  1. From the Application Security -> Launch Pad tab, click Application Domains in the Access Manager tile.
  2. Click Search.
  3. From Search Result, click the application domain for the protected resource.
  4. Click the Authentication Policies tab.
  5. Click Protected Resource Policy.
  6. From the Authentication Scheme drop-down, select Google-Scheme.
  7. In the Resources tab, click ADD.
  8. In the Add Resources screen, enter IAMSuiteAgent in the Host Identifier field.
  9. Enter /index.html in the Resource URL field.
  10. Click Add Selected.
  11. Click Apply.

Verify that User Exists in Identity Store

In this section, you will verify that the user exists in the back-end Identity Store, such as Oracle Internet Directory, Oracle Unified Directory, or the Embedded LDAP server. In this example, the back-end identity store is Oracle WebLogic's Embedded LDAP server.

  1. Launch Oracle WebLogic Server Administration Console.
  2. In the Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you have configured. For example, “myrealm”.
  3. Select the Users and Groups tab.
  4. From Users, click the user that has set up credentials in Google.
  5. In the Attributes table, verify the value of the mail attribute. The value must exactly match with the Google email id. For example, John.Doe@gmail.com.

Configure Social Login in Oracle Access Management

In this section, you will configure social login in Oracle Access Management. The relevant settings are in the setDomainEnv.sh file.

  1. Launch the terminal window as oracle.
  2. Enter the following command:
    $ cd /u01/app/oracle/admin/domains/<domainname>
    <domainname> is the directory where you installed the Oracle Access Management Access Server.
  3. Open the setDomainEnv.sh file using any text editor.
    Note: Before making any changes, create a backup of this file.
  4. Add the JAVA_OPTIONS -Dhttp.proxy.Host=<proxy host> and -Dhttp.proxy.Port=<proxy port> for the Oracle Access Management Managed Server.
    If you are trying to reach the provider endpoint from within the internal network, the proxy configuration may be required. You can also achieve this by setting the environment variables HTTP_PROXY, HTTPS_PROXY, http_proxy and https_proxy with the appropriate proxy configuration.
  5. Add -DUseSunHttpHandler=true.
    Note: You must add this Java option so that the plug-in can connect to the external IDP through the back channel to fetch the token and user-info details.
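As an added example (not Oracle's script and not part of the product), the following POSIX shell function applies the setDomainEnv.sh change described in this section the way an administrator would script it: it takes the backup first, appends the proxy options and -DUseSunHttpHandler=true to JAVA_OPTIONS, and refuses to append them a second time. The function names, the marker comment and the backup file naming are this example's own choices; the path to setDomainEnv.sh, the proxy host and the proxy port are arguments you supply.

```shell
#!/bin/sh
# Added example, not Oracle's script: apply the setDomainEnv.sh change from this section
# safely, taking the backup first and refusing to append the options twice.
# Assumed inputs: path to setDomainEnv.sh, proxy host, proxy port.

MARKER='# OIDC plugin back-channel settings (added by patch_set_domain_env)'

# Append the JAVA_OPTIONS the OpenIDConnectPlugin needs for its back channel.
# Returns 0 on success or when the file was already patched, 1 on error.
patch_set_domain_env() {
  envfile=$1 proxy_host=$2 proxy_port=$3
  [ -f "$envfile" ] || { echo "no such file: $envfile" >&2; return 1; }
  [ -n "$proxy_host" ] && [ -n "$proxy_port" ] || { echo "proxy host and port are required" >&2; return 1; }
  if grep -qF "$MARKER" "$envfile"; then
    return 0                                   # already applied; keep the script idempotent
  fi
  # The backup this section asks for, taken before the file is touched.
  cp -p "$envfile" "$envfile.bak.$(date +%Y%m%d%H%M%S)" || return 1
  # Proxy host/port plus -DUseSunHttpHandler=true. ${JAVA_OPTIONS} is written unexpanded so
  # the options already set earlier in the file are kept when the start scripts source it.
  cat >>"$envfile" <<EOF

$MARKER
JAVA_OPTIONS="\${JAVA_OPTIONS} -Dhttp.proxy.Host=$proxy_host -Dhttp.proxy.Port=$proxy_port -DUseSunHttpHandler=true"
export JAVA_OPTIONS
EOF
}

# Count how many times the handler option appears; 1 means it was applied exactly once.
count_handler_option() {
  grep -c -- '-DUseSunHttpHandler=true' "$1"
}

# Return 0 when at least one backup copy of the given file exists.
backup_exists() {
  for f in "$1".bak.*; do
    [ -f "$f" ] && return 0
  done
  return 1
}
```

Run it as patch_set_domain_env <path to setDomainEnv.sh> <proxy host> <proxy port>. Because setDomainEnv.sh is sourced by the domain's start scripts, the appended options apply to every server started through them; if only the Oracle Access Management Managed Server should use the proxy, guard the assignment on the server name before sourcing completes.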

Access Protected Resource

In this section, you will access the protected resource. In this example, http://<oam.example.com>:7777/index.html is the protected resource.

  1. Close any open existing browsers and open a new browser.
  2. Access http://<oam.example.com>:7777/index.html. You will be redirected to the Google login page.
  3. Log into Google with your user credentials.