Oracle Access Manager addresses each user population and LDAP directory store as an identity domain. Each identity domain maps to a configured LDAP User Identity Store that is registered with Oracle Access Manager. Multiple LDAP stores can be used with each one relying on a different supported LDAP provider.
During initial WebLogic Server domain configuration, the Embedded LDAP is configured as the one and only User Identity Store for Oracle Access Manager. Within the Embedded LDAP, the Administrators group is created, with weblogic
seeded as the default Administrator:
Only the User Identity Store designated as the System Store is used to authenticate Administrators signing in to use the Oracle Access Manager Console, remote registration, and custom administrative commands in WLST.
Users attempting to access an OAM-protected resource can be authenticated against any store, not necessarily the only one designated as the Default User Identity Store.
Oracle Security Token Service uses only the Default User Identity Store. When adding User constraints to a Token Issuance Policy, for instance, the identity store from which the users are to be chosen must be Default User Identity Store.
After registering a User Identity Store with Access Manager, administrators can reference the store in one or more authentication modules, which form the basis for Oracle Access Manager Authentication Schemes and Policies. When you register a partner (either using the Oracle Access Manager Console or the remote registration tool), an application domain can be created and seeded with a policy that uses the designated default Authentication Scheme. When a user attempts to access an Oracle Access Manager-protected resource, she is authenticated against the store designated by the authentication module.
The following topics are covered:
The following overview identifies various tasks required when integrating Oracle Internet Directory 11.1.1.7 or newer with Oracle Access Manager 11.1.2.3 or newer.
See Also:
Integrating Access Manager with Other Products chapter in Administrator's Guide for Oracle Access Management.
Task overview: Integrating Oracle Internet Directory 11.1.1.9 with Oracle Access Manager 11.1.2.3.
Prepare your environment for this integration:
Install Oracle Internet Directory 11.1.1.9, as described in the Installing and Configuring Oracle Identity Management (11.1.1.9.0) chapter in Installation Guide for Oracle Identity Management.
Install and set up Oracle Access Manager with the desired LDAP directory, as described in the Managing Data Sources and other related chapters in Administrator's Guide for Oracle Access Management (see also Configuring Oracle Internet Directory).
Extend the LDAP directory schema for Access Manager and create Users and Groups in the LDAP directory as described in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Create Authentication Providers for your LDAP provider and Configure WebLogic Server to use them to avoid multiple login pages when accessing the Oracle Access Manager Console.
Whether you authenticate through Oracle Access Manager Console or directly through the WebLogic Server Administration Console, confirm that all authentication providers are set to SUFFICIENT for single sign-on:
Click Security Realms, myrealm, then click Providers.
Click New, enter a name, and select a type. For example:
Name: OID Authenticator
Type: OracleInternetDirectoryAuthenticator
OK
In the Authentication Providers table, click the newly added authenticator.
On the Settings page, click the Common tab, set the Control Flag to SUFFICIENT, then click Save.
Click the Provider Specific tab, then specify the following values for your deployment:
Host: LDAP host. For example: example
Port: LDAP host listening port. 3060
Principal: LDAP administrative user. For example: cn=*********
Credential: LDAP administrative user password. ********
User Base DN: Same search base as the LDAP user.
All Users Filter: For example: (&(uid=*)(objectclass=person))
User Name Attribute: Set as the default attribute for username in the LDAP directory. For example: uid
.
Group Base DN: The group searchbase (same as User Base DN)
Note:
Do not set the All Groups filter; the default works fine as is.
Save.
Set DefaultIdentityAsserter:
From Security Realms, myrealm, Providers, click Authentication, click DefaultIdentityAsserter to see the configuration page.
Click the Common tab and set the Control Flag to SUFFICIENT.
Save.
Reorder Providers:
On the Summary page where providers are listed, click the Reorder button
On the Reorder Authentication Providers page, select a provider name and use the arrows beside the list to order the providers as follows:
Click OK to save your changes
Activate Changes: In the Change Center, click Activate Changes, then Restart Oracle WebLogic Server.
Proceed with Defining Authentication in Oracle Access Manager for Oracle Internet Directory.
The following procedure guides as you set up an LDAP Authentication Method that points to your registered User Identity Store and an Authentication Scheme that uses this LDAP module for Form or Basic authentication. OAMAdminConsoleScheme
is used in this example on the presumption that you designated your new LDAP store as the System Store. Your environment might be different.
Prerequisites
Installing and Setting Up Required Components
Ensure that the designated User Identity Store contains any user credentials required for authentication.
To use your identity store for authentication with Access Manager.
Register Oracle Internet Directory with Oracle Access Manager, as described in the "Managing User Identity Stores" section in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Define Authentication Modules and Plug-ins: From System Configuration tab, Access Manager Settings section, expand the Authentication Modules node.
LDAP Modules: Open LDAP Authentication module, select your User Identity Store, and click Apply.
Custom Authentication Modules: In LDAPPlugin
Steps (stepUI, UserIdentificationPlugIn
), specify your KEY_IDENTITY_STORE_REF, and click Apply. For example:
UserIdentificationPlugIn
Repeat this step for the stepUA UserAuthenticationPlugIn
plug-in, and Apply your changes, as shown here:
Define Authentication Scheme Challenge Methods: Form and Basic Challenge Methods require a reference to the LDAP Authentication Module or Plug-in that points to your User Identity Store. For example:
OAMAdminConsoleScheme
or any Form or Basic scheme)Confirm that the Authentication Module references the LDAP module or plug-in that points to your Identity Store.
Click Apply to submit the changes (or close the page without applying changes).
Dismiss the Confirmation window.
Proceed to Managing Oracle Access Manager Policies that Rely on Your LDAP Store.
Oracle Access Manager policies protect specific resources. The policies and resources are organized in an Application Domain.
This section describes how to configure authentication policies to use the Authentication Scheme that points to your User Identity Store.
Prerequisites
Defining Authentication in Oracle Access Manager for Oracle Internet Directory
To create an application domain and policies that use LDAP authentication.
The procedure here provides several methods for confirming that Agent registration and authentication and authorization policies are operational. The procedures are nearly identical for both OAM Agents and OSSO Agents (mod_osso
). However, OSSO Agents use only the authentication policy and not the authorization policy.
To verify authentication and access: