Oracle Access Manager addresses each user population and LDAP directory store as an identity domain. Each identity domain maps to a configured LDAP User Identity Store that is registered with Oracle Access Manager. Multiple LDAP stores can be used with each one relying on a different supported LDAP provider.
During initial WebLogic Server domain configuration, the Embedded LDAP is configured as the one and only User Identity Store for Oracle Access Manager. Within the Embedded LDAP, the Administrators group is created, with the weblogic user seeded as the default Administrator.
Only the User Identity Store designated as the System Store is used to authenticate Administrators signing in to use the Oracle Access Manager, remote registration, and custom administrative commands in WLST.
Users attempting to access an Oracle Access Manager-protected resource can be authenticated against any registered store, not necessarily the one designated as the Default User Identity Store.
Oracle Security Token Service uses only the Default User Identity Store. When adding User constraints to a Token Issuance Policy, for instance, the identity store from which the users are to be chosen must be Default User Identity Store.
After registering a User Identity Store with Access Manager, administrators can reference the store in one or more authentication modules, which form the basis for Oracle Access Manager Authentication Schemes and Policies. When you register a partner (either using the Oracle Access Manager Console or the remote registration tool), an application domain can be created and seeded with a policy that uses the designated default Authentication Scheme. When a user attempts to access an Oracle Access Manager-protected resource, she is authenticated against the store designated by the authentication module.
You have to complete a series of tasks when integrating Oracle Internet Directory 11.1.1.7 or newer with Oracle Access Manager 11.1.2.3 or newer.
Before you follow the steps to prepare your environment for this integration, see Configuring Access Manager for Windows Native Authentication.
For installing Oracle Internet Directory 11.1.1.9, see Installing and Configuring Oracle Identity Management.
For installing and setting up Oracle Access Manager with the desired LDAP directory, see Managing Data Sources and Configuring Oracle Internet Directory.
For extending the LDAP directory schema for Access Manager and creating Users and Groups in the LDAP directory, see Configuring Oracle Identity Manager Server.
You have to set up an LDAP Authentication Module that points to your registered User Identity Store and an Authentication Scheme that uses this LDAP module for Form or Basic authentication. OAMAdminConsoleScheme is used in this example on the presumption that you designated your new LDAP store as the System Store. Your environment might be different.
As a prerequisite, see Installing and Setting Up Required Components.
Ensure that the designated User Identity Store contains any user credentials required for authentication.
Note:
Before you perform the steps to use the identity store for authentication with Access Manager, see the following:
For registering Oracle Internet Directory, see Registering and Managing User Identity Stores.
For defining Authentication Modules and Plug-ins, see Native LDAP Authentication Modules and Orchestrating Multi-Step Authentication with Plug-in Based Modules.
For defining Authentication Scheme Challenge Methods, see Creating an Authentication Scheme.
To use your identity store for authentication with Access Manager, perform the following steps:
Register Oracle Internet Directory with Oracle Access Manager.
Define Authentication Modules and Plug-ins: From the System Configuration tab, Access Manager Settings section, expand the Authentication Modules node.
LDAP Modules: Open the LDAP Authentication module, select your User Identity Store, and click Apply.
Custom Authentication Modules: In the LDAPPlugin Steps (stepUI, UserIdentificationPlugIn), set KEY_IDENTITY_STORE_REF to your User Identity Store, and click Apply.
For example:
Authentication Modules
Custom Authentication module
LDAPPlugin
Steps tab
stepUI UserIdentificationPlugIn
Repeat this step for the stepUA UserAuthenticationPlugIn plug-in, so that both identification and authentication run against the same store, and Apply your changes.
Define Authentication Scheme Challenge Methods: Form and Basic Challenge Methods require a reference to the LDAP Authentication Module or Plug-in that points to your User Identity Store.
For example:
Oracle Access Manager Console
Policy Configuration tab
Shared Components node
Authentication Schemes node
DesiredScheme (OAMAdminConsoleScheme or any Form or Basic scheme)
Confirm that the Authentication Module references the LDAP module or plug-in that points to your Identity Store.
Click Apply to submit the changes (or close the page without applying changes).
Dismiss the Confirmation window.
Proceed to the next section.
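The script below is an added example, not part of this Oracle document or of the OAM product, that dry-runs the two steps the procedure above wires up and the earlier prerequisite that the designated User Identity Store actually contains the credentials to be authenticated: stepUI (UserIdentificationPlugIn) must resolve the login id to exactly one entry under the user search base, and stepUA (UserAuthenticationPlugIn) then binds as that DN. It parses constructed ldapsearch output, applies the uniqueness rule, escapes the login id before it is placed in the search filter, and emits the OpenLDAP ldapsearch/ldapwhoami commands you would run against your own store. The host, port, search base, bind DN and directory entries are assumptions.

```python
"""Added example: an offline dry run of the two steps an OAM LDAP authentication
module performs against a User Identity Store. stepUI (UserIdentificationPlugIn)
must find exactly one entry whose login attribute matches the login id under the
user search base; stepUA (UserAuthenticationPlugIn) then binds as that DN.
All directory data below is constructed for the example; host, base and bind
DN are assumptions, not values from any real deployment."""
import re
import shlex

# Constructed: what `ldapsearch -x -LLL` over the user search base might return.
# The third entry deliberately reuses uid=jdoe in another subtree so that the
# uniqueness rule of user identification can be exercised.
SAMPLE_LDIF = """\
dn: cn=weblogic,cn=Users,dc=example,dc=com
uid: weblogic
cn: weblogic
objectClass: inetOrgPerson

dn: cn=jdoe,cn=Users,dc=example,dc=com
uid: jdoe
cn: John Doe
mail: jdoe@example.com
objectClass: inetOrgPerson

dn: cn=jdoe,cn=Contractors,dc=example,dc=com
uid: jdoe
cn: Other John Doe
objectClass: inetOrgPerson
"""

ASSUMED_HOST = "ldap://oidhost.example.com:3060"   # assumption: OID non-SSL port
ASSUMED_BASE = "cn=Users,dc=example,dc=com"        # assumption: user search base
ASSUMED_BIND_DN = "cn=orcladmin"                    # assumption: store's bind DN


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no continuation lines) into a list
    of {attribute: [values]} dicts; the entry DN is stored under key 'dn'."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed in a search filter, so a login id such
    as '*)(uid=*' cannot widen the filter and identify a different user."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def identify_user(entries, login_attr, login_id):
    """stepUI: return the DN of the single entry whose login attribute equals
    login_id (compared case-insensitively, as directory-string matching rules
    usually are). Zero or several matches is an identification failure."""
    wanted = login_id.lower()
    matches = [e for e in entries
               if wanted in (v.lower() for v in e.get(login_attr.lower(), []))]
    if len(matches) != 1:
        raise LookupError("%d entries match %s=%s; exactly one is required"
                          % (len(matches), login_attr, login_id))
    return matches[0]["dn"][0]


def search_command(login_attr, login_id, host=ASSUMED_HOST, base=ASSUMED_BASE,
                   bind_dn=ASSUMED_BIND_DN):
    """ldapsearch equivalent of stepUI: subtree search under the user search
    base with the escaped login id; -W prompts for the store's bind password."""
    flt = "(%s=%s)" % (login_attr, escape_filter_value(login_id))
    return ["ldapsearch", "-x", "-LLL", "-H", host, "-D", bind_dn, "-W",
            "-b", base, "-s", "sub", flt, "dn"]


def bind_command(user_dn, host=ASSUMED_HOST):
    """ldapwhoami equivalent of stepUA: a simple bind as the identified DN
    succeeds only if the password entered is the one held in the store."""
    return ["ldapwhoami", "-x", "-H", host, "-D", user_dn, "-W"]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for login in ("weblogic", "jdoe", "*)(uid=*"):
        print("stepUI search:", shlex.join(search_command("uid", login)))
        try:
            dn = identify_user(entries, "uid", login)
            print("stepUA bind:  ", shlex.join(bind_command(dn)))
        except LookupError as err:
            print("identification failed:", err)
```

Run it once to see the commands, then run the printed ldapsearch against your store for every administrator and test user you expect to sign in; a login id that returns zero or more than one DN will fail in OAM exactly as it fails here, and a DN that cannot bind means the store holds no usable password for that user.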
Oracle Access Manager policies protect specific resources. The policies and resources are organized in an Application Domain.
You have to perform a series of steps to configure authentication policies to use the Authentication Scheme that points to your User Identity Store.
As a prerequisite, see Defining Authentication in Oracle Access Manager for Oracle Internet Directory.
Note:
Before you perform the steps to create an application domain and policies that use LDAP authentication, see the following:
For Resource Definitions, see Adding and Managing Policy Resource Definitions.
For Authentication Policies, see Defining Authentication Policies for Specific Resources.
For Authorization Policies, see Defining Authorization Policies for Specific Resources.
For Token Issuance Policies, see Managing Token Issuance Policies, Conditions, and Rules.
To create an application domain and policies that use LDAP authentication:
The procedure here provides several methods for confirming that Agent registration and the authentication and authorization policies are operational. The procedures are nearly identical for both OAM Agents and OSSO Agents (mod_osso). However, OSSO Agents use only the authentication policy and not the authorization policy.
To verify authentication and access: