15 Configuring Single Sign-On for an Enterprise Deployment

You will need to configure the Oracle HTTP Server WebGate in order to enable single sign-on with Oracle Access Manager.

About Oracle HTTP Server Webgate
Oracle HTTP Server WebGate is a Web server plug-in that intercepts HTTP requests and forwards them to an existing Oracle Access Manager instance for authentication and authorization.
General Prerequisites for Configuring Oracle HTTP Server Webgate
Before you can configure Oracle HTTP Server WebGate, you must have installed and configured a certified version of Oracle Access Manager.
Enterprise Deployment Prerequisites for Configuring OHS 12c Webgate
When you are configuring Oracle HTTP Server Webgate to enable Single Sign-On for an enterprise deployment, consider the prerequisites mentioned in this section.
Configuring Oracle HTTP Server 12c WebGate for an Enterprise Deployment
You will need to perform the following steps in order to configure Oracle HTTP Server 12c WebGate for Oracle Access Manager on both WEBHOST1 and WEBHOST2.
Registering the Oracle HTTP Server WebGate with Oracle Access Manager
You can register the WebGate agent with Oracle Access Manager using the Oracle Access Manager Administration console.
Setting Up the WebLogic Server Authentication Providers
To set up the WebLogic Server authentication providers, back up the configuration files, set up the Oracle Access Manager Identity Assertion Provider and set the order of providers.
Configuring Oracle ADF and OPSS Security with Oracle Access Manager
Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign On (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml file to enable these capabilities.
Configuring Single Sign-On for Applications
This section describes how to enable single sign-on (SSO) for BI applications.

Parent topic: Common Configuration and Management Procedures for an Enterprise Deployment

15.1 About Oracle HTTP Server Webgate

Oracle HTTP Server WebGate is a Web server plug-in that intercepts HTTP requests and forwards them to an existing Oracle Access Manager instance for authentication and authorization.

For Oracle Fusion Middleware 12c, the WebGate software is installed as part of the Oracle HTTP Server 12c software installation.

For more extensive information about WebGate, see Registering and Managing OAM 11g Agents in Adminstrator’s Guide for Oracle Access Management.

15.2 General Prerequisites for Configuring Oracle HTTP Server Webgate

Before you can configure Oracle HTTP Server WebGate, you must have installed and configured a certified version of Oracle Access Manager.

At the time this document was published, the supported versions of Oracle Access Manager were 11g Release 2 (11.1.2.2) and 11g Release 2 (11.1.2.3). For the most up-to-date information, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

Note:

For production environments, it is highly recommended that you install Oracle Access Manager in its own environment and not on the machines that are hosting the enterprise deployment.

For more information about Oracle Access Manager, see the latest Oracle Identity and Access Management documentation, which you can find in the Middleware documentation on the Oracle Help Center.

15.3 Enterprise Deployment Prerequisites for Configuring OHS 12c Webgate

When you are configuring Oracle HTTP Server Webgate to enable Single Sign-On for an enterprise deployment, consider the prerequisites mentioned in this section.

Oracle recommends that you deploy Oracle Access Manager as part of a highly available, secure, production environment. For more information about deploying Oracle Access Manager in an enterprise environment, see the Enterprise Deployment Guide for your version of Oracle Identity and Access Mangement.
To enable single sign-on for the WebLogic Server Administration Console and the Oracle Enterprise Manager Fusion Middleware Control, you must add a central LDAP-provisioned administration user to the directory service that Oracle Access Manager is using (for example, Oracle Internet Directory or Oracle Unified Directory). For more information about the required user and groups to add to the LDAP directory, follow the instructions in Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group.

15.4 Configuring Oracle HTTP Server 12c WebGate for an Enterprise Deployment

You will need to perform the following steps in order to configure Oracle HTTP Server 12c WebGate for Oracle Access Manager on both WEBHOST1 and WEBHOST2.

In the following procedure, replace the directory variables, such as OHS_ORACLE_HOME and OHS_CONFIG_DIR, with the values, as defined in File System and Directory Variables Used in This Guide.

Perform a complete backup of the Web Tier domain.
Change directory to the following location in the Oracle HTTP Server Oracle home:

cd OHS_ORACLE_HOME/webgate/ohs/tools/deployWebGate/
Run the following command to create the WebGate Instance directory and enable WebGate logging on OHS Instance:
```
./deployWebGateInstance.sh -w OHS_CONFIG_DIR -oh OHS_ORACLE_HOME
```

Verify that a webgate directory and subdirectories was created by the deployWebGateInstance command:

ls -lat OHS_CONFIG_DIR/webgate/
total 16
drwxr-x---+ 8 orcl oinstall 20 Oct  2 07:14 ..
drwxr-xr-x+ 4 orcl oinstall  4 Oct  2 07:14 .
drwxr-xr-x+ 3 orcl oinstall  3 Oct  2 07:14 tools
drwxr-xr-x+ 3 orcl oinstall  4 Oct  2 07:14 config

Run the following command to ensure that the LD_LIBRARY_PATH environment variable contains OHS_ORACLE_HOME/lib directory path:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:OHS_ORACLE_HOME/lib
Change directory to the following directory

OHS_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools
Run the following command from the InstallTools directory.

./EditHttpConf -w OHS_CONFIG_DIR -oh OHS_ORACLE_HOME -o output_file_name

Note:

The -oh OHS_ORACLE_HOME and -o output_file_name parameters are optional.

This command:
- Copies the apache_webgate.template file from the Oracle HTTP Server Oracle home to a new webgate.conf file in the Oracle HTTP Server configuration directory.
- Updates the httpd.conf file to add one line, so it includes the webgate.conf.
- Generates a WebGate configuration file. The default name of the file is webgate.conf, but you can use a custom name by using the -o output_file_name argument to the command.

15.5 Registering the Oracle HTTP Server WebGate with Oracle Access Manager

You can register the WebGate agent with Oracle Access Manager using the Oracle Access Manager Administration console.

For more information, see Registering an OAM Agent Using the Console in Administrator's Guide for Oracle Access Management.

15.5.1 About RREG In-Band and Out-of-Band Mode

You can run the RREG Tool in one of two modes: in-band and out-of-band.

Use in-band mode when you have the privileges to access the Oracle Access Manager server and run the RREG tool yourself from the Oracle Access Manager Oracle home. You can then copy the generated artifacts and files to the Web server configuration directory after you run the RREG Tool.

Use out-of-band mode if you do not have privileges or access to the Oracle Access Manager server. For example, in some organizations, only the Oracle Access Manager server administrators have privileges access the server directories and perform administration tasks on the server. In out-of-band mode, the process can work as follows:

The Oracle Access Manager server administrator provides you with a copy of the RREG archive file (RREG.tar.gz).
Untar the RREG.tar.gz file that was provided to you by the server administrator.

For example:

gunzip RREG.tar.gz

tar -xvf RREG.tar

After you unpack the RREG archive, you can find the tool for registering the agent in the following location:

RREG_HOME/bin/oamreg.sh

In this example, RREG_Home is the directory in which you extracted the contents of RREG archive.
Use the instructions in Updating the Standard Properties in the OAM11gRequest.xml File to update the OAM11GRequest.xml file, and send the completed OAM11GRequest.xml file to the Oracle Access Manager server administrator.
The Oracle Access Manager server administrator then uses the instructions in Running the RREG Tool in Out-Of-Band Mode to run the RREG Tool and generate the AgentID_response.xml file.
The Oracle Access Manager server administrator sends the AgentID_response.xml file to you.
Use the instructions in Running the RREG Tool in Out-Of-Band Mode to run the RREG Tool with the AgentID_response.xml file and generate the required artifacts and files on the client system.

15.5.2 Updating the Standard Properties in the OAM11gRequest.xml File

Before you can register the Webgate agent with Oracle Access Manager, you must update some required properties in the OAM11gRequest.xml file.

Note:

If you plan to use the default values for most of the parameters in the provided XML file, then you can use the shorter version (OAM11gRequest_short.xml, in which all non-listed fields will take a default value.

Note:

In the primary server list, the default names are mentioned as OAM_SERVER1 and OAM_SERVER2 for OAM servers. Rename these names in the list if the server names are changed in your environment.

To perform this task:

If you are using in-band mode, then change directory to the following location on one of the OAM Servers:
```
OAM_ORACLE_HOME/oam/server/rreg/input
```
If you are using out-of-band mode, then change directory to the location where you unpacked the RREG archive on the WEBHOST1 server.
Make a copy of the OAM11GRequest.xml file template with an environment-specific name.

cp OAM11GRequest.xml OAM11GRequest_edg.xml
Review the properties listed in the file, and then update your copy of the OAM11GRequest.xml file to make sure the properties reference the host names and other values specific to your environment.

OAM11gRequest.xml Property	Set to...
`serverAddress`	The host and the port of the Administration Server for the Oracle Access Manager domain.
`agentName`	Any custom name for the agent. Typically, you use a name that identifies the Fusion Middleware product you are configuring for single sign-on.
`applicationDomain`	A value that identifies the Web tier host and the FMW component you are configuring for single sign-on.
`security`	Must be set to the security mode configured on the Oracle Access Management server. This will be one of three modes: open, simple, or certificate. Note: For an enterprise deployment, Oracle recommends simple mode, unless additional requirements exist to implement custom security certificates for the encryption of authentication and authorization traffic. In most cases, avoid using open mode, because in open mode, traffic to and from the Oracle Access Manager server is not encrypted. For more information using certificate mode or about Oracle Access Manager supported security modes in general, see Securing Communication Between OAM Servers and WebGates in the Administrator's Guide for Oracle Access Management.
`cachePragmaHeader`	private
`cacheControlHeader`	private
`ipValidation`	0 <ipValidation>0<ipValidation>
`ipValidationExceptions`	The IP address of the front-end load balancer. For example: <ipValidationExceptions> <ipAddress>130.35.165.42</ipAddress> </ipValidation>
`agentBaseUrl`	Fully-qualified URL with the host and the port of the front-end Load Balancer VIP in front of the WEBHOSTn machines on which Oracle HTTP 12c WebGates are installed. For example: <agentBaseUrl> https://wcp.example.com:443 </agentBaseUrl>
`virtualHost`	Set to true when protecting more than the `agentBaseUrl`, such as SSO protection for the administrative VIP.
`hostPortVariationsList`	Add `hostPortVariation` host and port elements for each of the load-balancer URLs that will be protected by the WebGates. For example: <hostPortVariationsList> <hostPortVariations> <host>wcpinternal.example.com</host> <port>80</port> </hostPortVariations> <hostPortVariations> <host>admin.example.com</host> <port>80</port> </hostPortVariations>

15.5.3 Updating the Protected, Public, and Excluded Resources for an Enterprise Deployment

When you set up an Oracle Fusion Middleware environment for single sign-on, you identify a set of URLs that you want Oracle Access Manager to protect with single sign-on. You identify these using specific sections of the OAM11gRequest.xml file. To identify the URLs:

If you haven’t already opened OAM11GRequest.xml file for editing, locate and open the file in a text editor.
For more information, see the following:
- Updating the Standard Properties in the OAM11gRequest.xml File

Remove the sample entries from the file, and then enter the list of protected, public, and excluded resources in the appropriate sections of the file, as shown in the following example.

Note:

If you are using Oracle Access Manager 11g Release 2 (11.1.2.2) or later, then note that the entries with the wildcard syntax (“.../*”) are included in this example for backward compatibility with previous versions of Oracle Access Manager.

<protectedResourcesList>
        <resource>/analytics</resource>
        <resource>/analytics/saw.dll</resource>
        <resource>/bicontent</resource>
        <resource>/xmlpserver</resource>
        <resource>/mapviewer</resource>
        <resource>/mapviewer/console</resource>
        <resource>/mapviewer/mapadmin</resource>
        <resource>/mapviewer/mcsadmin</resource>
        <resource>/bicomposer</resource>
        <resource>/bisearch</resource>
        <resource>/em</resource>
        <resource>/em/…/*</resource>
        <resource>/console</resource>
        <resource>/console/…/*</resource>
        <resource>/mobile</resource>
        <resource>/mobile/.../*</resource>
        <resource>/va</resource>
        <resource>/analytics/jbips</resources>
</protectedResourcesList>
<publicResourcesList>
        <resource>/aps</resource>
        <resource>/aps/JAPI</resource>
        <resource>/mapviewer/dataserver</resource>
        <resource>/mapviewer/foi</resource>        
        <resource>/mapviewer/mcserver</resource>
        <resource>/mapviewer/wms</resource>  
        <resource>/mapviewer/wmts</resource>  
        <resource>/aps/Essbase</resource>
</publicResourcesList>
<excludedResourcesList>
        <resource>/biservices</resource>
        <resource>/analytics-bi-adf</resource>
        <resource>/xmlpserver/Guest</resource>
        <resource>/xmlpserver/ReportTemplateService.xls</resource>
        <resource>/xmlpserver/report_service</resource>
        <resource>/xmlpserver/services</resource>
        <resource>/analytics/saw.dll/wsdl</resource>
        <resource>/analytics-ws</resource>        
        <resource>/ws/.../*</resource>
        <resource>/wsm-pm</resource>
        <resource>/wsm-pm/.../*</resource>
</excludedResourcesList>

Save and close the OAM11GRequest.xml file.

15.5.4 Running the RREG Tool

The following topics provide information about running the RREG tool to register your Oracle HTTP Server Webgate with Oracle Access Manager.

15.5.4.1 Running the RREG Tool in In-Band Mode

To run the RREG Tool in in-band mode:

Navigate to the RREG home directory.

If you are using in-band mode, the RREG directory is inside the Oracle Access Manager Oracle home:
```
OAM_ORACLE_HOME/oam/server/rreg
```
If you are using out-of-band mode, then the RREG home directory is the location where you unpacked the RREG archive.
In the RREG home directory, navigate to the bin directory:
```
cd RREG_HOME/bin/
```
Set the permissions of the oamreg.sh command so you can execute the file:
```
chmod +x oamreg.sh
```

Run the following command:

./oamreg.sh inband RREG_HOME/input/OAM11GRequest_edg.xml

In this example:

It is assumed the edited OAM11GRequest.xml file is located in the RREG_HOME/input directory.
The output from this command will be saved to the following directory:
```
RREG_HOME/output/
```

The following example shows a sample RREG session:

Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are: 
Mode: inband
Filename: /u01/oracle/products/fmw/iam_home/oam/server/rreg/client/rreg/input/OAM11GRequest_edg.xml
Enter admin username:weblogic_idm
Username: weblogic_idm
Enter admin password: 
Do you want to enter a Webgate password?(y/n):
n
Do you want to import an URIs file?(y/n):
n

----------------------------------------
Request summary:
OAM11G Agent Name:WCC1221_EDG_AGENT
URL String:null
Registering in Mode:inband
Your registration request is being sent to the Admin server at: http://host1.example.com:7001
----------------------------------------

Jul 08, 2015 7:18:13 PM oracle.security.jps.util.JpsUtil disableAudit
INFO: JpsUtil: isAuditDisabled set to true
Jul 08, 2015 7:18:14 PM oracle.security.jps.util.JpsUtil disableAudit
INFO: JpsUtil: isAuditDisabled set to true
Inband registration process completed successfully! Output artifacts are created in the output folder.

15.5.4.2 Running the RREG Tool in Out-Of-Band Mode

To run the RREG Tool in out-of-band mode on the WEBHOST server, the administrator uses the following command:

RREG_HOME/bin/oamreg.sh outofband input/OAM11GRequest.xml

In this example:

Replace RREG_HOME with the location where the RREG archive file was unpacked on the server.
The edited OAM11GRequest.xml file is located in the RREG_HOME/input directory.
The RREG Tool saves the output from this command (the AgentID_response.xml file) to the following directory:
```
RREG_HOME/output/
```
The Oracle Access Manager server administrator can then send the AgentID_response.xml to the user who provided the OAM11GRequest.xml file.

To run the RREG Tool in out-of-band mode on the Web server client machine, use the following command:

RREG_HOME/bin/oamreg.sh outofband input/AgentID_response.xml

In this example:

Replace RREG_HOME with the location where you unpacked the RREG archive file on the client system.
The AgentID_response.xml file, which was provided by the Oracle Access Manager server administrator, is located in the RREG_HOME/input directory.
The RREG Tool saves the output from this command (the artifacts and files required to register the Webgate software) to the following directory on the client machine:
```
RREG_HOME/output/
```

15.5.5 Files and Artifacts Generated by RREG

The files that get generated by the RREG Tool vary, depending on the security level you are using for communications between the WebGate and the Oracle Access Manager server. For more information about the supported security levels, see Securing Communication Between OAM Servers and WebGates in Administrator's Guide for Oracle Access Management.

Note that in this topic any references to RREG_HOME should be replaced with the path to the directory where you ran the RREG tool. This is typically the following directory on the Oracle Access Manager server, or (if you are using out-of-band mode) the directory where you unpacked the RREG archive:

OAM_ORACLE_HOME/oam/server/rreg/client

The following table lists the artifacts that are always generated by the RREG Tool, regardless of the Oracle Access Manager security level.

File	Location
`cwallet.sso`	`RREG_HOME/output/Agent_ID/`
`ObAccessClient.xml`	`RREG_HOME/output/Agent_ID/`

The following table lists the additional files that are created if you are using the SIMPLE or CERT security level for Oracle Access Manager:

File	Location
`aaa_key.pem`	`RREG_HOME/output/Agent_ID/`
`aaa_cert.pem`	`RREG_HOME/output/Agent_ID/`
`password.xml`	`RREG_HOME/output/Agent_ID/`

Note that the password.xml file contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be different than the passphrase used on the server.

You can use the files generated by RREG to generate a certificate request and get it signed by a third-party Certification Authority. To install an existing certificate, you must use the existing aaa_cert.pem and aaa_chain.pem files along with password.xml and aaa_key.pem.

15.5.6 Copying Generated Artifacts to the Oracle HTTP Server WebGate Instance Location

After the RREG Tool generates the required artifacts, manually copy the artifacts from the RREG_Home/output/agent_ID directory to the Oracle HTTP Server configuration directory on the Web tier host.

The location of the files in the Oracle HTTP Server configuration directory depends upon the Oracle Access Manager security mode setting (OPEN, SIMPLE, or CERT).

The following table lists the required location of each generated artifact in the Oracle HTTP Server configuration directory, based on the security mode setting for Oracle Access Manager. In some cases, you might have to create the directories if they do not exist already. For example, the wallet directory might not exist in the configuration directory.

Note:

For an enterprise deployment, Oracle recommends simple mode, unless additional requirements exist to implement custom security certificates for the encryption of authentication and authorization traffic. The information about using open or certification mode is provided here as a convenience.

Avoid using open mode, because in open mode, traffic to and from the Oracle Access Manager server is not encrypted.

For more information using certificate mode or about Oracle Access Manager supported security modes in general, see Securing Communication Between OAM Servers and WebGates in Administrator's Guide for Oracle Access Management.

File	Location When Using OPEN Mode	Location When Using SIMPLE Mode	Location When Using CERT Mode
`wallet/cwallet.sso`	`OHS_CONFIG_DIR/webgate/config/wallet`	`OHS_CONFIG_DIR/webgate/config/wallet/` Note: By default the wallet folder is not available. Create the wallet folder under `OHS_CONFIG_DIR/webgate/config/`.	`OHS_CONFIG_DIR/webgate/config/wallet/`
`ObAccessClient.xml`	`OHS_CONFIG_DIR/webgate/config`	`OHS_CONFIG_DIR/webgate/config/`	`OHS_CONFIG_DIR/webgate/config/`
`password.xml`	N/A	`OHS_CONFIG_DIR/webgate/config/`	`OHS_CONFIG_DIR/webgate/config/`
`aaa_key.pem`	N/A	`OHS_CONFIG_DIR/webgate/config/simple/`	`OHS_CONFIG_DIR/webgate/config/`
`aaa_cert.pem`	N/A	`OHS_CONFIG_DIR/webgate/config/simple/`	`OHS_CONFIG_DIR/webgate/config/`

Note:

If you need to redeploy the ObAccessClient.xml to WEBHOST1 and WEBHOST2, delete the cached copy of ObAccessClient.xml from the servers. The cache location on WEBHOST1 is:

OHS_DOMAIN_HOME/servers/ohs1/cache/

And you must perform the similar step for the second Oracle HTTP Server instance on WEBHOST2:

OHS_DOMAIN_HOME/servers/ohs2/cache/

15.5.7 Restarting the Oracle HTTP Server Instance

For information about restarting the Oracle HTTP Server instance, see Restarting Oracle HTTP Server Instances by Using WLST in Oracle Fusion Middleware Administering Oracle HTTP Server.

If you have configured Oracle HTTP Server in a WebLogic Server domain, you can also use Oracle Fusion Middleware Control to restart the Oracle HTTP Server instances. For more information, see Restarting Oracle HTTP Server Instances by Using Fusion Middleware Control in Oracle Fusion Middleware Administering Oracle HTTP Server.

15.6 Setting Up the WebLogic Server Authentication Providers

To set up the WebLogic Server authentication providers, back up the configuration files, set up the Oracle Access Manager Identity Assertion Provider and set the order of providers.

The following topics assumes that you have already configured the LDAP authenticator by following the steps in Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group. If you have not already created the LDAP authenticator, then do so before continuing with this section.

15.6.1 Backing Up Configuration Files

To be safe, you should first back up the relevant configuration files:

ASERVER_HOME/config/config.xml
ASERVER_HOME/config/fmwconfig/jps-config.xml
ASERVER_HOME/config/fmwconfig/system-jazn-data.xml

Also back up the boot.properties file for the Administration Server:

ASERVER_HOME/servers/AdminServer/security/boot.properties

15.6.2 Setting Up the Oracle Access Manager Identity Assertion Provider

Set up an Oracle Access Manager identity assertion provider in the Oracle WebLogic Server Administration Console.

To set up the Oracle Access Manager identity assertion provider:

Log in to the WebLogic Server Administration Console, if not already logged in.
Click Lock & Edit.
Click Security Realms in the left navigation bar.
Click the myrealm default realm entry.
Click the Providers tab.
Click New, and select the asserter type OAMIdentityAsserter from the drop-down menu.
Name the asserter (for example, OAM ID Asserter) and click OK.
Click the newly added asserter to see the configuration screen for the Oracle Access Manager identity assertion provider.
Set the control flag to REQUIRED.
Under Chosen types, select both the ObSSOCookie and OAM_REMOTE_USER options, if they are not selected by default.
Click Save to save the settings.
Click Activate Changes to propagate the changes.

15.6.3 Updating the Default Authenticator and Setting the Order of Providers

Set the order of identity assertion and authentication providers in the WebLogic Server Administration Console.

To update the default authenticator and set the order of the providers:

Log in to the WebLogic Server Administration Console, if not already logged in.
Click Lock & Edit.
From the left navigation, select Security Realms.
Click the myrealm default realm entry.
Click the Providers tab.
From the table of providers, click the DefaultAuthenticator.
Set the Control Flag to SUFFICIENT.
Click Save to save the settings.
From the navigation breadcrumbs, click Providers to return to the list of providers.
Click Reorder.

Sort the providers to ensure that the OAM Identity Assertion provider is first and the DefaultAuthenticator provider is last.

Table 15-1 Sort order

Sort Order	Provider	Control Flag
1	OAMIdentityAsserter	`REQUIRED`
2	LDAP Authentication Provider	`SUFFICIENT`
3	DefaultAuthenticator	`SUFFICIENT`
4	Trust Service Identity Asserter	`N/A`
5	DefaultIdentityAsserter	`N/A`

Click OK.
Click Activate Changes to propagate the changes.
Restart the Administration Server, Managed Servers, and any system components, as applicable.

15.7 Configuring Oracle ADF and OPSS Security with Oracle Access Manager

Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign On (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml file to enable these capabilities.

The domain-level jps-config.xml file is located in the following location after you create an Oracle Fusion Middleware domain:

DOMAIN_HOME/config/fmwconfig/jps-config.xml

Note:

The domain-level jps-config.xml should not be confused with the jps-config.xml that is deployed with custom applications.

To update the OPSS configuration to delegate SSO actions in Oracle Access Manager, complete the following steps:

Change to the following directory:
```
cd ORACLE_COMMON_HOME/common/bin
```
Start the WebLogic Server Scripting Tool (WLST):
```
./wlst.sh
```
Connect to the Administration Server, using the following WLST command:
```
connect(‘admin_user’,’admin_password’,’admin_url’)
```

Execute the addOAMSSOProvider command, as follows:

addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html")

The following table defines the expected value for each argument in the addOAMSSOProvider command.

Argument Definition

Argument	Definition
loginuri	Specifies the URI of the login page Note: For ADF security enabled applications, "/context-root/adfAuthentication" should be provided for the 'loginuri' parameter. For example: /${app.context}/adfAuthentication Note: `${app.context}` must be entered as shown. At runtime, the application replaces the variable appropriately. Here is the flow: User accesses a resource that has been protected by authorization policies in OPSS, fox example. If the user is not yet authenticated, ADF redirects the user to the URI configured in 'loginuri'. Access Manager, should have a policy to protect the value in 'loginuri': for example, "/context-root/adfAuthentication". When ADF redirects to this URI, Access Manager displays a Login Page (depending on the authentication scheme configured in Access Manager for this URI).
logouturi	Specifies the URI of the logout page Notes: For ADF security enabled applications, `logouturi` should be configured based on logout guidelines in Configuring Centralized Logout for Sessions Involving 11g WebGates in Administrator's Guide for Oracle Access Management. When using WebGate 11g, the value of the `logouturi` should be sought from the 11g WebGate Administrator. When using WebGate 10g, the value of `logouturi` should be `/oamsso/logout.html`.
autologinuri	Specifies the URI of the autologin page. This is an optional parameter.

loginuri

Specifies the URI of the login page

Note:

For ADF security enabled applications, "/context-root/adfAuthentication" should be provided for the 'loginuri' parameter.

For example:

/${app.context}/adfAuthentication

Note:

${app.context} must be entered as shown. At runtime, the application replaces the variable appropriately.

Here is the flow:

User accesses a resource that has been protected by authorization policies in OPSS, fox example.
If the user is not yet authenticated, ADF redirects the user to the URI configured in 'loginuri'.
Access Manager, should have a policy to protect the value in 'loginuri': for example, "/context-root/adfAuthentication".
When ADF redirects to this URI, Access Manager displays a Login Page (depending on the authentication scheme configured in Access Manager for this URI).

logouturi

Specifies the URI of the logout page

Notes:

For ADF security enabled applications, logouturi should be configured based on logout guidelines in Configuring Centralized Logout for Sessions Involving 11g WebGates in Administrator's Guide for Oracle Access Management.
When using WebGate 11g, the value of the logouturi should be sought from the 11g WebGate Administrator.
When using WebGate 10g, the value of logouturi should be /oamsso/logout.html.

autologinuri

Specifies the URI of the autologin page. This is an optional parameter.

Disconnect from the Administration Server:
```
disconnect()
```
Restart the Administration Server and all the Managed Servers.

15.8 Configuring Single Sign-On for Applications

This section describes how to enable single sign-on (SSO) for BI applications.

It includes the following topics.

15.8.1 Enabling Single Sign-On and Oracle Access Manager for Oracle BI EE

Perform the following steps to enable single sign-on (SSO) and Oracle Access Manager for Oracle Business Intelligence Enterprise Edition (BI EE):

Start WLST:

cd ORACLE_HOME/oracle_common/common/bin
./wlst.sh

Open the BI Administration Server domain for updating:
```
wls:/offline> readDomain(‘ASERVER_HOME’)
```
In this example, replace ASERVER_HOME with the actual path to the domain directory you created on the shared storage device.
Run the following command to enable SSO in Oracle BI EE and configure the logout information for the Oracle BI Presentation Services processes:
```
wls:/offline/bi_domain> enableBISingleSignOn('ASERVER_HOME','http://oam_host:oam_port/oamsso/logout.html')
```
In this example:
- Replace ASERVER_HOME with the actual path to the domain directory you created on the shared storage device.
- http://oam_host:oam_port/oamsso/logout.html is the SSO provider (Oracle Access Manager) logoff URL.
Update and save the domain:
```
wls:/offline/bi_domain> updateDomain()
```
Close the domain:
```
wls:/offline/bi_domain> closeDomain()
```
Exit WLST:
```
wls:/offline> exit()
```
Restart the Administration Server, Managed Servers, and system components.

15.8.2 Enabling Single Sign-On and Oracle Access Manager for Oracle BI Publisher

Perform the following steps to enable single sign-on (SSO) and Oracle Access Manager for Oracle BI Publisher:

Log in to BI Publisher using one of the following URLs:
- http://BIHOST1:7003/xmlpserver
- http://BIHOST2:7003/xmlpserver
You will be redirected to:
```
http://bi.example.com/xmlpserver
```
In BI Publisher, click Administration, then Security Configuration.
On the Security Configuration page, provide the following information in the Single Sign-On section:
1. Select Use Single Sign-On.
2. For Single Sign-On Type, select Oracle Access Manager.
3. For Single Sign-Off URL, enter a URL of the following format:
```
http://oam_host:oam_port/oamsso/logout.html
```
4. For User Name Parameter, enter OAM_REMOTE_USER.
Click Apply.
Restart the bipublisher application from the WebLogic Administration Console.
For information on how to restart the bipublisher application, see Using Oracle WebLogic Server Administration Console to Start and Stop Java Components in the Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.