Oracle Access Manager addresses each user population and LDAP directory store as an identity domain. Each identity domain maps to a configured LDAP User Identity Store that is registered with Oracle Access Manager. Multiple LDAP stores can be used with each one relying on a different supported LDAP provider.
During initial WebLogic Server domain configuration, the Embedded LDAP is configured as the one and only User Identity Store for Oracle Access Manager. Within the Embedded LDAP, the Administrators group is created, with
weblogic seeded as the default Administrator:
Only the User Identity Store designated as the System Store is used to authenticate Administrators signing in to use the Oracle Access Manager, remote registration, and custom administrative commands in WLST.
Users attempting to access an Oracle Access Manager-protected resource can be authenticated against any store, not necessarily the only one designated as the Default User Identity Store.
Oracle Security Token Service uses only the Default User Identity Store. When adding User constraints to a Token Issuance Policy, for instance, the identity store from which the users are to be chosen must be Default User Identity Store.
After registering a User Identity Store with Access Manager, administrators can reference the store in one or more authentication modules, which form the basis for Oracle Access Manager Authentication Schemes and Policies. When you register a partner (either using the Oracle Access Manager Console or the remote registration tool), an application domain can be created and seeded with a policy that uses the designated default Authentication Scheme. When a user attempts to access an Oracle Access Manager-protected resource, she is authenticated against the store designated by the authentication module.
The following topics are covered:
You have to complete series of tasks when integrating Oracle Internet Directory 184.108.40.206 or newer with Oracle Access Manager 220.127.116.11 or newer.
Before you follow the steps to prepare your environment for this integration, see
For Installing Oracle Internet Directory 18.104.22.168, see Installing and Configuring Oracle Identity Management.
For Extending the LDAP directory schema for Access Manager and create Users and Groups in the LDAP directory, see Configuring Oracle Identity Manager Server.
Host: LDAP host. For example:
Port: LDAP host listening port.
Principal: LDAP administrative user. For example:
Credential: LDAP administrative user password.
User Base DN: Same search base as the LDAP user.
All Users Filter: For example:
User Name Attribute: Set as the default attribute for username in the LDAP directory. For example:
Group Base DN: The group searchbase (same as User Base DN)
Note:Do not set the All Groups filter; the default works fine as is.
You have to set up an LDAP Authentication Method that points to your registered User Identity Store and an Authentication Scheme that uses this LDAP module for Form or Basic authentication.
OAMAdminConsoleScheme is used in this example on the presumption that you designated your new LDAP store as the System Store. Your environment might be different.
As a prerequisite, see Installing and Setting Up Required Components.
Ensure that the designated User Identity Store contains any user credentials required for authentication.
Before you perform the steps to use the identity store for authentication with Access Manager, for
Registering Oracle Internet Director, see Registering and Managing User Identity Stores
Defining Authentication Modules and Plug-ins, see Native LDAP Authentication Modules and Orchestrating Multi-Step Authentication with Plug-in Based Modules
Defining Authentication Scheme Challenge Methods, see Creating an Authentication Scheme
To use your identity store for authentication with Access Manager perform the following steps.
Register Oracle Internet Directory with Oracle Access Manager.
Define Authentication Modules and Plug-ins: From System Configuration tab, Access Manager Settings section, expand the Authentication Modules node.
LDAP Modules: Open LDAP Authentication module, select your User Identity Store, and click Apply.
Custom Authentication Modules: In
LDAPPlugin Steps (stepUI,
UserIdentificationPlugIn), specify your KEY_IDENTITY_STORE_REF, and click Apply.
Custom Authentication module
Repeat this step for the stepUA
UserAuthenticationPlugIn plug-in, and Apply your changes, as shown here:
Define Authentication Scheme Challenge Methods: Form and Basic Challenge Methods require a reference to the LDAP Authentication Module or Plug-in that points to your User Identity Store.
Oracle Access Manager Console
Policy Configuration tab
Shared Components node
Authentication Schemes node
OAMAdminConsoleScheme or any Form or Basic scheme)
Confirm that the Authentication Module references the LDAP module or plug-in that points to your Identity Store.
Click Apply to submit the changes (or close the page without applying changes).
Dismiss the Confirmation window.
Proceed to the next section.
Oracle Access Manager policies protect specific resources. The policies and resources are organized in an Application Domain.
You have perform series of steps to configure authentication policies to use the Authentication Scheme that points to your User Identity Store.
As a prerequisite, see Defining Authentication in Oracle Access Manager for Oracle Internet Directory
Before you perform the steps to create an application domain and policies that use LDAP authentication, for
Resource Definitions, see Adding and Managing Policy Resource Definitions.
Authentication Policies, see Defining Authentication Policies for Specific Resources.
Authorization Policies, see Defining Authorization Policies for Specific Resources.
Token Issuance Policies. See Managing Token Issuance Policies, Conditions, and Rules.
To create an application domain and policies that use LDAP authentication:
Oracle Access Manager Console
Policy Configuration tab
Application Domains node
The procedure here provides several methods for confirming that Agent registration and authentication and authorization policies are operational. The procedures are nearly identical for both OAM Agents and OSSO Agents (
mod_osso). However, OSSO Agents use only the authentication policy and not the authorization policy.
To verify authentication and access:
Success: If you authenticated successfully and were granted access to the resource; the configuration is working properly.
Failure: If you received an error during login or were denied access to the resource, check the following:
Authentication Failed: Sign in again using valid credentials.
Access to URL... denied: This userID is not authorized to access this resource.
Resource not Available: Confirm that the resource is available.
Wrong Redirect URL: Verify the redirect URL in the Oracle Access Manager Console.