B Configuring SSO Providers for Oracle Identity Governance

To implement the SSO functionality, Oracle Identity Manager uses third-party SSO providers such as OpenSSO, IBM Tivoli Access Manager, and CA SiteMinder.

This appendix contains the configuration steps for enabling Oracle Identity Manager for Single Sign On (SSO). To do so, Oracle Identity Manager is enabled to use third-party SSO providers, such as OpenSSO, IBM Tivoli Access Manager, and CA SiteMinder.

This appendix contains the following sections:

B.1 Common Prerequisites for Integration With Third-Party SSO Solutions

In addition to SSO provider-specific prerequisites, there are some common prerequisites for integration with third-party SSO providers, such as Siteminder, OpenSSO, and Tivoli Access Manager.

This section lists the common prerequisites for integrating Oracle Identity Manager with third-party SSO providers, such as Siteminder, OpenSSO, and Tivoli Access Manager. SSO provider-specific prerequisites are listed separately in corresponding sections. The common prerequisites are as follows:
  • Identity population in Oracle Identity Manager is synchronized with identity information in the LDAP registry used by the SSO provider. Oracle Identity Manager's LDAP synchronization feature can be used for this purpose.

  • Oracle Identity Manager system administrator (xelsysadm) account should be created in the LDAP repository so that you can perform SSO login to OIM using this administrator account. This account should be created in the same user container that holds the other OIM users in the LDAP repository. Also ensure that the LDAP user attribute that is mapped to the Oracle Identity Manager user login (uid or sAMAccountName) has the value set to XELSYSADM.

  • The SSO header returned by the SSO provider must contain the user name value that maps to the OIM User Login field.

B.2 Enabling Oracle Identity Governance to Work With OpenSSO

To integrate a third-party SSO provider, you need to enable Oracle Identity Manager to communicate with the OpenSSO application. Enabling it involves meeting the prerequisites, performing the actual integration procedure, and validating the integration.

This section describes how to enable Oracle Identity Manager with OpenSSO. It contains the following topics:

B.2.1 Prerequisites for Integrating Oracle Identity Governance with OpenSSO

The prerequisites for OpenSSO integration are installing and configuring Oracle Identity Governance, OpenSSO, and OpenSSO Enterprise Policy Agent, and meeting the common prerequisites for third-party SSO solutions.

The prerequisites for integrating Oracle Identity Governance with OpenSSO are:

  • Oracle Identity Governance 12c (12.2.1.3.0) is installed and configured.

  • OpenSSO 8.0 is installed and configured

  • OpenSSO Enterprise Policy Agent 3.0 for Oracle WebLogic Server/Portal 10 (weblogic_v10_agent_3) is installed and configured.

  • The common prerequisite for integrating Oracle Identity Manager with third-party SSO solutions has been met, as described in Common Prerequisites for Integration With Third-Party SSO Solutions.

B.2.2 Integrating Oracle Identity Governance with OpenSSO

Integrating Oracle Identity Manager with OpenSSO involves performing the integration procedure, adding OpenSSO agent filter to Oracle Identity Manager web-apps, and configuring SSO in Oracle Identity Manager.

This section describes integrating Oracle Identity Manager with OpenSSO in the following topics:

B.2.2.1 Integrating Oracle Identity Governance with OpenSSO Procedure

To integrate Oracle Identity Governance 12c (12.2.1.3.0) with OpenSSO 8.0 on Oracle WebLogic Server:

  1. Start OpenSSO.

  2. Start Oracle Identity Governance.

  3. Install OpenSSO policy agent on Admin Server of Oracle Identity Governance domain. To do so:

    1. Create a J2EE agent profile on OpenSSO. Refer to the policy agent section in OpenSSO documentation for creating the profile.

    2. Install agent on WebLogic Admin Server. Install the agent by using the agentadmin utility. Refer to the policy agent section in OpenSSO documentation.

  4. Install OpenSSO policy agent on Oracle Identity Manager Managed Server of Oracle Identity Governance domain. To do so, install agent on Oracle Identity Governance Managed Server. Refer to the policy agent section of OpenSSO documentation for installing the agent on a managed server. Use the same agent profile that you created in step 3, sub-step 1.

    Note:

    For a clustered deployment of Oracle Identity Governance, install the policy agent on each Oracle Identity Governance Managed Server.

  5. To configure OpenSSO policy agent after installation:

    Note:

    For a clustered deployment of Oracle Identity Governance, OpenSSO policy agent must be configured on each Oracle Identity Governance Managed Server.

    1. Configure the WebLogic Server instances with the agent classpath and Java options.

    2. Deploy agent application on Admin and Managed Servers.

    3. Deploy and configure agent authentication provider.

    4. Add the WebLogic administrator to the bypass list.

    5. Install the agent filter in the OIM web-apps. In this step, add the OpenSSO Agent filter to all the Oracle Identity Governance web-apps that support OIM user login. To do so, see Adding OpenSSO Agent Filter to Oracle Identity Governance Web-apps.

  6. Update the agent profile for Oracle Identity Governance Managed Server with Oracle Identity Governance URL information. To do so:

    1. Log in to the OpenSSO application, and select the Oracle Identity Governance Managed Server agent profile.

    2. Click the General tab. Change the Agent Filter Mode: remove all existing values, and add a new value with an empty key and J2EE_POLICY as the corresponding map value.

    3. Click the Applications tab. Update the various sections as follows:

      • Login Form URI. Add the following:

        /oim/faces/pages/Login.jspx
        /identity/faces/signin
        /sysadmin/faces/signin
        
      • Login Error URI. Add the following:

        /identity/faces/signin
        /sysadmin/faces/signin
        /oim/faces/pages/LoginError.jspx
        
      • Not Enforced URI Processing. Add the following:

        /identity/faces/register
        /identity/faces/forgotpassword
        /identity/faces/trackregistration
        /identity/faces/forgotuserlogin
        /identity/faces/accountlocked
        /identity/adfAuthentication
        /identity/afr/blank.html
        /sysadmin/adfAuthentication
        /sysadmin/afr/blank.html
        /sysadmin/faces/noaccess
        /oim/afr/blank.html
        /workflowservice/*
        /callbackResponseService/*
        /spml-xsd/*
        
  7. Configure SSO in Oracle Identity Governance. To do so, see Configuring SSO in Oracle Identity Governance.

  8. Restart Oracle Identity Governance domain.

  9. Test the configuration by navigating to the following URL:

    http://OIM_HOST:OIM_PORT/identity/

    The page is redirected to the OpenSSO login page. Log in as a valid Oracle Identity Governance user.
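The Not Enforced URI list in step 6 is the part of this procedure that decides which console paths are reachable without an SSO session, so it is worth checking mechanically. The following Python script is an added example, not Oracle's code or the agent's own implementation: it models the agent's matching rule as exact match or "*" wildcard (an assumption to verify against the OpenSSO agent documentation), uses constructed sample paths for the pages that must stay protected, and flags any entry that would exempt them:

```python
"""Check an OpenSSO-style Not Enforced URI list against console paths.

Added example, not part of the Oracle documentation. The matching rule is an
assumption about the policy agent: an entry matches a request path exactly,
or, when it contains "*", the "*" stands for any run of characters (including
"/"). Verify the wildcard semantics against the OpenSSO agent documentation.
"""
import re

# Not Enforced URI list from step 6 of the OpenSSO procedure.
NOT_ENFORCED = [
    "/identity/faces/register",
    "/identity/faces/forgotpassword",
    "/identity/faces/trackregistration",
    "/identity/faces/forgotuserlogin",
    "/identity/faces/accountlocked",
    "/identity/adfAuthentication",
    "/identity/afr/blank.html",
    "/sysadmin/adfAuthentication",
    "/sysadmin/afr/blank.html",
    "/sysadmin/faces/noaccess",
    "/oim/afr/blank.html",
    "/workflowservice/*",
    "/callbackResponseService/*",
    "/spml-xsd/*",
]

# Constructed sample paths that must always stay behind SSO (assumption: any
# console page other than the listed self-service pages requires a session).
MUST_BE_ENFORCED = [
    "/identity/faces/home",
    "/sysadmin/faces/home",
    "/oim/faces/pages/Self.jspx",
]


def uri_matches(entry, path):
    """True if a Not Enforced entry covers the request path."""
    if "*" not in entry:
        return entry == path
    # Each "*" becomes ".*"; everything else is matched literally.
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.fullmatch(pattern, path) is not None


def is_enforced(path, not_enforced=NOT_ENFORCED):
    """True if the agent would require an SSO session for this path."""
    return not any(uri_matches(entry, path) for entry in not_enforced)


def audit(not_enforced, must_be_enforced):
    """Return (entry, path) pairs where an entry exempts a path that must stay protected."""
    return [(entry, path)
            for path in must_be_enforced
            for entry in not_enforced
            if uri_matches(entry, path)]


if __name__ == "__main__":
    for path in ["/identity/faces/register", "/identity/faces/home",
                 "/workflowservice/ops/x", "/workflowservice"]:
        print(f"{path:35} enforced={is_enforced(path)}")
    # A too-broad wildcard entry would expose the whole Identity Self Service console.
    print(audit(NOT_ENFORCED + ["/identity/*"], MUST_BE_ENFORCED))
```

Note that "/workflowservice/*" does not cover the bare "/workflowservice" path under this rule, which is the kind of detail the audit makes visible before the agent does.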

B.2.2.2 Adding OpenSSO Agent Filter to Oracle Identity Governance Web-apps

To add OpenSSO Agent filter to all the Oracle Identity Manager web-apps that support OIM user login:

Note:

The corresponding deployment-descriptors are located at:

  • IDM_ORACLE_HOME/server/apps/oim.ear/iam-consoles-faces.war/WEB-INF/web.xml

  • IDM_ORACLE_HOME/server/apps/oracle.iam.console.identity.self-service.ear/oracle.iam.console.identity.self-service.war/WEB-INF/web.xml

  • IDM_ORACLE_HOME/server/apps/oracle.iam.console.identity.sysadmin.ear/oracle.iam.console.identity.sysadmin.war/WEB-INF/web.xml

  1. Go to the IDM_ORACLE_HOME/server/apps/ directory.
  2. Create a backup of the oim.ear/iam-consoles-faces.war/WEB-INF/web.xml file, and then edit it to add the filter element as mentioned in OpenSSO documentation. Save the changes.
  3. Create a backup of the oracle.iam.console.identity.self-service.ear file, and then extract it in a temporary location. Then extract the oracle.iam.console.identity.self-service.war file. Edit WEB-INF/web.xml to add the filter element as mentioned in OpenSSO documentation. Repackage oracle.iam.console.identity.self-service.war with the modified web.xml, and then repackage oracle.iam.console.identity.self-service.ear with modified oracle.iam.console.identity.self-service.war.
  4. Create a backup of oracle.iam.console.identity.sysadmin.ear, and then extract it in a temporary location. Then extract the oracle.iam.console.identity.sysadmin.war file. Edit WEB-INF/web.xml to add the filter element as mentioned in OpenSSO documentation. Repackage oracle.iam.console.identity.sysadmin.war with the modified web.xml, and then repackage oracle.iam.console.identity.sysadmin.ear with modified oracle.iam.console.identity.sysadmin.war.

    Note:

    Ensure that after performing steps 3 and 4, the only difference between the modified EAR files and the original EAR files is in the web.xml files.

  5. Shut down the Oracle Identity Manager instance.
  6. Go to OIM_DOMAIN_HOME/servers/OIM_SERVER_INSTANCE/tmp/_WL_user/ directory. Go to OIM_DOMAIN_HOME\servers\OIM_SERVER_INSTANCE\tmp\_WL_user\ directory if the setup is on Microsoft Windows.
  7. Delete the directories specific to oracle.iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear UI applications. In a typical Oracle Identity Manager setup, the directories to be deleted are oracle.iam.console.identity.self-service.ear_V2.0 and oracle.iam.console.identity.sysadmin.ear_V2.0.
  8. Restart Oracle Identity Manager Managed Server instance, and then check that the directories are re-created in the directory path mentioned in Step 4.

B.2.2.3 Configuring SSO in Oracle Identity Governance

Configure SSO in Oracle Identity Manager. To do so:

  1. Set up WebLogic authenticators. To do so:

    1. Add and configure the WebLogic authentication provider for the LDAP server corresponding to the user data store used by OpenSSO. For example, if OpenSSO uses Sun DSEE, then configure the iPlanet authentication provider. Set the control flag to SUFFICIENT.

      Note:

      Ensure that all the Oracle Identity Manager users are synchronized with the LDAP server to which the authenticator points.

    2. Add and configure the Oracle Identity Manager signature authentication provider (OIMSignatureAuthenticator). Set the control flag to SUFFICIENT.

    3. Arrange the authenticator chain in the following order:

      • DefaultAuthenticator - SUFFICIENT

      • OIMSignatureAuthenticator - SUFFICIENT

      • AgentAuthenticator - OPTIONAL

      • LDAPAuthenticator - SUFFICIENT

      • DefaultIdentityAsserter

  2. Change the Oracle Identity Manager logout to execute the OpenSSO logout URL by running the following commands:

    cd <IDM_ORACLE_HOME>/common/bin
    ./wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="http(s)://openssohost:openssoport/opensso/UI/Logout", autologinuri="/obrar.cgi")
    exit()
    
  3. Set Oracle Identity Manager ssoenabled flag to true. To do so:

    1. Log in to Enterprise Manager. Open the System MBean Browser.

    2. Open the oracle.iam:Location=OIM_SERVER_NAME,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 mbean.

    3. Set the value of ssoEnabled to True.

B.2.3 Running Validation Tests to Verify the Configuration

Validation tests to verify the OpenSSO integration are: logging in to Oracle Identity Manager through SSO, client-based login with the SSO password, and signature-based authentication.

Run the following validation steps to verify if the integration between Oracle Identity Manager and OpenSSO is successful:

  1. User Login to Oracle Identity Governance Through SSO:

    Prerequisite: Create a user, for example ENDUSER001 in Oracle Identity Manager and LDAP.

    Step: Try logging in to Oracle Identity Manager through SSO as the user you created, for example ENDUSER001, and check if the login is successful.

    Expected output: Login is successful.

  2. Client-Based Login to Oracle Identity Governance:

    Prerequisite: Make sure that the Design Console is installed and configured.

    Step: Try logging in to the Design Console as the system administrator with the SSO password.

    Expected output: Login to the Design Console is successful, assuming that LDAPAuthenticator is configured properly for SSO login.

  3. Signature-Based Authentication:

    To test signature-based authentication:

    1. Try accessing the scheduler service URL. It should be running on Oracle Identity Manager Managed Server port, as shown:

      http://OIM_HOST:OIM_PORT/SchedulerService-web

    2. Log in as the system administrator with the SSO password.

    3. If the login is successful and you can see the following details on the screen, then signature login is successful:

      Scheduler Current Status: STARTED

      Last Error: NONE

    4. Click Start on the page if the following is displayed:

      Scheduler Current Status: STOPPED

      If no errors are displayed on the page, then signature login is successful.

B.3 Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager

Enabling Oracle Identity Manager to integrate with IBM Tivoli Access Manager involves meeting the prerequisites, performing the integration procedure, and running validation tests.

This section describes how to enable Oracle Identity Manager to work with IBM Tivoli Access Manager in the following topics:

B.3.1 Prerequisites for Integrating Oracle Identity Governance with IBM Tivoli Access Manager

Prerequisites for Tivoli Access Manager integration include installing and configuring Oracle Identity Governance, Tivoli Access Manager for e-business and WebLogic Server, and meeting the common prerequisites for third-party SSO solutions.

The prerequisites for integrating Oracle Identity Governance with IBM Tivoli Access Manager are:

  • Oracle Identity Governance 12c (12.2.1.3.0) is installed and configured.

  • IBM Tivoli Access Manager (TAM) for e-business 6.1 is installed and configured.

  • IBM Tivoli Access Manager Adapter for Oracle WebLogic Server for TAM 6.1 and Oracle WebLogic Server 10g or 11g are installed and configured.

  • The common prerequisite for integrating Oracle Identity Governance with third-party SSO solutions has been met, as described in Common Prerequisites for Integration With Third-Party SSO Solutions.

  • Form based login is enabled in TAM.

B.3.2 Integrating Oracle Identity Governance with IBM Tivoli Access Manager

Tivoli Access Manager integration steps include setting up the connection between WebSEAL and WebLogic, changing the Oracle Identity Manager logout to execute the TAM logout URL, setting the OIM ssoenabled flag to true, and restarting Oracle Identity Manager.

To integrate Oracle Identity Governance 12c (12.2.1.3.0) with IBM Tivoli Access Manager for e-business 6.1:

  1. Start IBM Tivoli Access Manager.

  2. Start Oracle Identity Governance.

  3. Set up the connection between WebSEAL and WebLogic. To do so:

    1. Create junctions to connect WebSEAL to the Oracle Identity Governance WebLogic Server.

    2. Configure the WebSEAL logout and login pages.

    3. Deploy weblogic security providers.

      Refer to TAM-weblogic integration documentation provided as part of IBM Tivoli Access Manager Adapter for Oracle WebLogic Server. The additional details are as follows:

      • Take both the non-SSL and SSL ports of Oracle Identity Governance into consideration when creating junctions.

      • When creating WebSEAL junctions for protected resources, make sure to use the "-c iv-user" (insert iv-user HTTP header) option.

      • Resources that need to be protected or unprotected:

        Protect the following resources:

        /oim
        /xlWebApp
        /Nexaweb
        /identity
        /sysadmin

        Unprotect the following URIs:

        /identity/faces/register
        /identity/faces/forgotpassword
        /identity/faces/trackregistration
        /identity/faces/forgotuserlogin
        /identity/faces/accountlocked
        /identity/adfAuthentication
        /identity/afr/blank.html
        /sysadmin/adfAuthentication
        /sysadmin/afr/blank.html
        /sysadmin/faces/noaccess
        /oim/afr/blank.html

        Unprotect the following resources:

        /workflowservice
        /callbackResponseService
        /spml-xsd

      • Configure only the Tivoli Access Manager identity assertion provider (AMIdentityAsserterLite). Select the iv-user option while configuring it.

      • Do not configure the Tivoli Access Manager authentication provider.

      • Configure the WebLogic authentication provider for the LDAP server corresponding to the LDAP registry used by TAM. For example, if TAM uses Sun DSEE, then configure the iPlanet authentication provider. Set its control flag to SUFFICIENT. Ensure that all users in Oracle Identity Manager are synchronized to this LDAP server. If any Oracle Identity Manager user is not present in the LDAP server, then that user will not be able to log in to Oracle Identity Manager.

      • Configure the Oracle Identity Governance signature authentication provider (OIMSignatureAuthenticationProvider). Provide the Oracle Identity Governance database details while configuring it. You can use the same details as specified in OIMAuthenticationProvider. Set its control flag to SUFFICIENT.

      • Arrange the authenticator chain in the following order:

        TAMIdentityAsserter

        OIMSignatureAuthenticator - SUFFICIENT

        LDAPAuthenticator - SUFFICIENT

        DefaultAuthenticator - SUFFICIENT

        DefaultIdentityAsserter

        Note:

        If you cannot use TAMIdentityAsserter, then you can use the OAMIdentityAsserter, as described in Simplifying Third-Party SSO Integration.

  4. Change the Oracle Identity Governance logout to execute TAM logout URL by using the following commands:

    cd <IDM_ORACLE_HOME>/common/bin
    ./wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="http(s)://<webseal-host:port>/pkmslogout", autologinuri="/obrar.cgi")
    exit()
    
  5. Set the OIM ssoenabled flag to true. To do so:

    1. Log in to Enterprise Manager. Open the System MBean Browser.

    2. Open the oracle.iam:Location=OIM_SERVER_NAME,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 mbean.

    3. Set the value of ssoEnabled to true.

  6. Restart Oracle Identity Governance.

  7. Test the configuration by navigating to the following URL:

    http(s)://WEBSEAL_HOST:WEBSEAL_PORT/identity/faces/home

    The TAM login page is displayed. Log in as a valid Oracle Identity Governance user, and the login should be successful.

B.3.3 Running Validation Tests to Validate the Configuration

Validation tests to verify the Tivoli Access Manager integration are: logging in to Oracle Identity Manager through SSO, client-based login with the SSO password, and signature-based authentication.

Run the following validation steps to verify if the integration between Oracle Identity Manager and TAM is successful:

  1. User Login to Oracle Identity Governance Through SSO:

    Prerequisite: Create a user, for example ENDUSER001, in Oracle Identity Manager and LDAP.

    Step: Try logging in to Oracle Identity Manager through SSO as the user that you created, for example ENDUSER001, and check if the login is successful.

    Expected output: Login should be successful.

  2. Client-Based Single Login to Oracle Identity Governance:

    Prerequisite: Make sure that the Design Console is installed and configured.

    Step: Try logging in to the Design Console as the system administrator with the SSO password.

    Expected output: Login to the Design Console must be successful, assuming that LDAPAuthenticator is configured properly for SSO login.

  3. Signature-Based Authentication:

    To test signature-based authentication:

    1. Try accessing the scheduler service URL. It should be running on Oracle Identity Manager Managed Server port, as shown:

      http://OIM_HOST:OIM_PORT/SchedulerService-web

    2. Log in as the system administrator by providing the SSO password.

    3. If the login is successful and you can see the following details on the screen, then signature login is successful:

      Scheduler Current Status: STARTED

      Last Error: NONE

    4. Click Start on the page if the following is displayed:

      Scheduler Current Status: STOPPED

      If there are no errors on the page, then the signature login is successful.

B.4 Enabling Oracle Identity Governance to Work With CA SiteMinder

Enabling Oracle Identity Manager to integrate with CA SiteMinder involves meeting the prerequisites, performing the actual integration procedure, and running validation tests.

This section describes how to enable Oracle Identity Manager to work with CA SiteMinder in the following topics:

B.4.1 Prerequisites for Integrating Oracle Identity Governance with CA SiteMinder

Prerequisites for SiteMinder integration include installing and configuring Oracle Identity Manager and CA SiteMinder, and meeting the common prerequisites for third-party SSO solutions.

The prerequisites for integrating Oracle Identity Manager with CA SiteMinder are:

B.4.2 Integrating Oracle Identity Governance with CA SiteMinder

SiteMinder integration steps include installing the SiteMinder WebLogic Agent, updating the setDomainEnv.sh, startWebLogic.sh, and WebAgent.conf files to specify the required variables and parameters, adding or configuring SiteminderIdentityAsserter and SiteminderAuthenticationProvider in the WebLogic authentication chain, and enabling SSO.

To integrate Oracle Identity Manager with CA SiteMinder:

  1. Install the SiteMinder WebLogic Agent as described in the SiteMinder installation documentation, following the installation GUI instructions.

  2. Edit the setDomainEnv.sh file to set the variables, as shown:

    ASA_HOME='PATH_TO_SITEMINDER_AGENT_HOME'
    export ASA_HOME
    
    SMASA_CLASSPATH="$ASA_HOME/conf:$ASA_HOME/lib/smagentapi.jar:$ASA_HOME/lib/smjavasdk2.jar:$ASA_HOME/lib/sm_jsafe.jar:$ASA_HOME/lib/smclientclasses.jar:$ASA_HOME/lib/sm_jsafeJCE.jar"
    export SMASA_CLASSPATH
    
    SM_JAVA_OPTIONS=" -Dsmasa.home=$ASA_HOME"
    export SM_JAVA_OPTIONS
    
    CLASSPATH=${SMASA_CLASSPATH}:${CLASSPATH}
    export CLASSPATH
    
  3. Edit the startWebLogic.sh file to add SM_JAVA_OPTIONS to the JAVA command, as shown:

    $JAVA_HOME/bin/java ${JAVA_VM} ${MEM_ARGS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS}
    ${SM_JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}
    
  4. Edit the ASA_HOME/conf/WebAgent.conf file to change the value of the EnableWebAgent parameter to YES.

  5. Restart all Managed and Admin servers.

  6. Add/Configure SiteminderIdentityAsserter and SiteminderAuthenticationProvider in the WebLogic authentication chain. In the Identity Asserter common configuration, select SMSESSION.

  7. In the Provider Specific subtab, set the "SMIdentity Asserter Config File:" field to ASA_HOME/conf/WebAgent.conf.

  8. In SiteminderAuthenticationProvider 'ProviderSpecific', update "SMAuth Provider Config File:" to ASA_HOME/conf/WebAgent.conf.

  9. Remove existing OIMAuthenticationProvider from the authentication chain.

  10. Add OIMSignatureAuthenticator to the authentication chain. Set the control flag to SUFFICIENT. This authenticator is added only to handle signature based login to Oracle Identity Manager.

  11. Add an LDAP Authenticator (OID, iPlanet, and so on) to the authentication chain, and set its control flag to SUFFICIENT. Ensure that this authenticator is configured to point to the same LDAP server, that is, the one that is:

    1. Synchronized with Oracle Identity Manager, that is, holds the entire OIM identity population

    2. Used by the SiteMinder server for authentication purposes

      LDAPAuthenticator needs to be added in order to handle non-HTTP based login requests (for example, login to the OIM Design Console, or any other OIM client login) and OPSS based assertion requests.

  12. Rearrange the authentication chain, as listed in Table B-1:

    Table B-1 Authentication Chain

    Authentication Provider            Control Flag
    ---------------------------------  ------------
    SiteminderIdentityAsserter
    OIMSignatureAuthenticator          SUFFICIENT
    SiteminderAuthenticationProvider   SUFFICIENT
    LDAPAuthenticator                  SUFFICIENT
    DefaultAuthenticator               SUFFICIENT
    DefaultIdentityAsserter

  13. Restart Admin server and all the Managed Servers in the domain.

  14. Configure SSO logout for oim by using the following commands:

    cd <IDM_ORACLE_HOME>/common/bin
    ./wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="SITEMINDER_LOGOUT_URL", autologinuri="/obrar.cgi")
    exit()

    Note:

    The connect() call will ask for Admin server URL and WebLogic Admin username and password.

  15. Set the ssoenabled flag for Oracle Identity Manager to true. To do so:

    1. Log in to Enterprise Manager, and open the System MBean Browser.

    2. Open the oracle.iam:Location=OIM_SERVER_NAME,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 mbean.

    3. Set the value of ssoEnabled to true.

  16. Restart Admin Server and all Managed Servers in the domain.

  17. Protect/unprotect the following Oracle Identity Manager resources:

    • Protect the following resources:

      /identity
      /sysadmin
      /oim
      /xlWebApp
      /Nexaweb

    • Unprotect the following URIs:

      /identity/faces/register
      /identity/faces/forgotpassword
      /identity/faces/trackregistration
      /identity/faces/forgotuserlogin
      /identity/faces/accountlocked
      /identity/adfAuthentication
      /identity/afr/blank.html
      /sysadmin/adfAuthentication
      /sysadmin/afr/blank.html
      /sysadmin/faces/noaccess
      /oim/afr/blank.html

    • Unprotect the following resources:

      /workflowservice
      /callbackResponseService
      /spml-xsd
      /reqsvc
      /sysadmin/logout
      /identity/logout
      /identity/notification/secure
      /SchedulerService-web
      /wsm-pm
      /workflow
      /soa-infra
      /integration
      /b2b
      /sdpmessaging/userprefs-ui

  18. To support client-based login to Oracle Identity Manager, the smclientclasses.jar must be added to the client classpath. To set the client classpath:

    1. Go to the OIM_ORACLE_HOME/server/bin/ directory using the cd command.

    2. Open the setEnv.sh file in the vi editor.

    3. Add smclientclasses.jar to the end of the CLASSPATH variable. This setting ensures successful client login to Oracle Identity Manager when running most of the client utilities present in OIM_ORACLE_HOME/server/bin.

      However, the client classpath must be set separately for the Design Console login to work. To do so:

    1. Go to the OIM_ORACLE_HOME/designconsole directory.

    2. Open the classpath.sh file in the vi editor.

    3. Add smclientclasses.jar to the end of the CLASSPATH variable.
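The provider orders prescribed in B.2.2.3 (OpenSSO), B.3.2 (TAM) and Table B-1 (SiteMinder) all depend on how WebLogic evaluates control flags. The following Python model is an added example, not Oracle code; its user stores, passwords and provider behaviours are constructed stand-ins. It walks those chains with the three kinds of login this appendix validates (password login from the Design Console, signature-based login, and an SSO-asserted user), including a user that exists in OIM but was never synchronized to LDAP:

```python
"""Model WebLogic's evaluation of an authentication provider chain.

Added example, not part of the Oracle documentation. The evaluation follows
the JAAS control-flag rules WebLogic applies (REQUIRED, REQUISITE, SUFFICIENT,
OPTIONAL). The directories, passwords and provider behaviours below are
constructed stand-ins, not real deployment data.
"""

# Constructed stand-in user stores (assumptions).
EMBEDDED_LDAP = {"weblogic": "welcome1"}                        # DefaultAuthenticator
CORP_LDAP = {"XELSYSADM": "Xel$ys1", "ENDUSER001": "Pass#001"}  # store used by the SSO provider
# ORPHAN01 is assumed to exist in OIM but never to have been synchronized to LDAP.


def directory_check(store):
    """Authenticator backed by a user store: password login or identity assertion."""
    def check(creds):
        user = creds.get("user")
        if creds.get("asserted"):      # asserted by an identity asserter: existence only
            return user in store
        return store.get(user) == creds.get("password")
    return check


def signature_check(creds):
    """Stand-in for OIMSignatureAuthenticator: accepts only a valid OIM signature."""
    return creds.get("signature") == "valid"


def agent_check(creds):
    """Stand-in for the OpenSSO AgentAuthenticator: needs an OpenSSO token."""
    return bool(creds.get("sso_token"))


# Provider orders given in this appendix (identity asserters run before these).
SITEMINDER_CHAIN = [                                   # Table B-1
    ("OIMSignatureAuthenticator", "SUFFICIENT", signature_check),
    ("SiteminderAuthenticationProvider", "SUFFICIENT", directory_check(CORP_LDAP)),
    ("LDAPAuthenticator", "SUFFICIENT", directory_check(CORP_LDAP)),
    ("DefaultAuthenticator", "SUFFICIENT", directory_check(EMBEDDED_LDAP)),
]
TAM_CHAIN = [                                          # B.3.2, step 3
    ("OIMSignatureAuthenticator", "SUFFICIENT", signature_check),
    ("LDAPAuthenticator", "SUFFICIENT", directory_check(CORP_LDAP)),
    ("DefaultAuthenticator", "SUFFICIENT", directory_check(EMBEDDED_LDAP)),
]
OPENSSO_CHAIN = [                                      # B.2.2.3, step 1
    ("DefaultAuthenticator", "SUFFICIENT", directory_check(EMBEDDED_LDAP)),
    ("OIMSignatureAuthenticator", "SUFFICIENT", signature_check),
    ("AgentAuthenticator", "OPTIONAL", agent_check),
    ("LDAPAuthenticator", "SUFFICIENT", directory_check(CORP_LDAP)),
]


def run_chain(chain, creds):
    """Return (authenticated, consulted): the outcome and the providers invoked, in order."""
    consulted = []
    required_seen = required_failed = optional_succeeded = False
    for name, flag, check in chain:
        ok = check(creds)
        consulted.append(name)
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break                # a REQUISITE failure stops the chain
        elif ok:
            optional_succeeded = True
            if flag == "SUFFICIENT" and not required_failed:
                break                    # a SUFFICIENT success short-circuits the chain
    if required_seen:
        return (not required_failed, consulted)
    return (optional_succeeded, consulted)


if __name__ == "__main__":
    cases = {
        "Design Console password login": (SITEMINDER_CHAIN, {"user": "ENDUSER001", "password": "Pass#001"}),
        "signature-based login": (SITEMINDER_CHAIN, {"user": "XELSYSADM", "signature": "valid"}),
        "SSO-asserted user missing from LDAP": (TAM_CHAIN, {"user": "ORPHAN01", "asserted": True}),
        "embedded WebLogic admin via OpenSSO chain": (OPENSSO_CHAIN, {"user": "weblogic", "password": "welcome1"}),
    }
    for label, (chain, creds) in cases.items():
        ok, consulted = run_chain(chain, creds)
        print(f"{label}: authenticated={ok}, consulted={consulted}")
```

The trace shows why the order matters: a SUFFICIENT provider that succeeds stops the chain, so the signature authenticator placed first never causes an LDAP lookup, while a user absent from LDAP falls through every SUFFICIENT provider and is rejected, exactly as the TAM note warns.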

B.4.3 Running Validation Tests to Validate the Configuration

Validation tests to verify the SiteMinder integration are: logging in to Oracle Identity Manager through SSO, client-based login with the SSO password, and signature-based authentication.

Run the following validation steps to verify if the integration between Oracle Identity Manager and CA SiteMinder is successful:

  1. User Login to Oracle Identity Governance Through SSO:

    Prerequisite: Create a user, for example ENDUSER001, in Oracle Identity Manager and LDAP.

    Step: Try logging in to Oracle Identity Manager through SSO as the user that you created, for example ENDUSER001, and check if the login is successful.

    Expected output: Login should be successful.

    Step: Try logging in to Oracle Identity Manager System Administration console (/sysadmin) as OIM Administrator (typically XELSYSADM), and check if login is successful.

    Expected output: Login should be successful.

  2. Client-Based Login to Oracle Identity Governance:

    Prerequisite: Make sure that the Design Console is installed and configured.

    Step: Try logging in to the Design Console as the system administrator with the SSO password.

    Expected output: Login to the Design Console should be successful, assuming that SiteminderAuthenticationProvider is configured properly for SSO login.

  3. Signature-Based Authentication:

    To test signature-based authentication:

    1. Try accessing the scheduler service URL. It should be running on Oracle Identity Manager Managed Server port, as shown:

      http://OIM_HOST:OIM_PORT/SchedulerService-web

    2. Log in as the system administrator by providing the SSO password.

    3. If the login is successful and you can see the following details on the screen, then signature login is successful:

      Scheduler Current Status: STARTED

      Last Error: NONE

    4. Click Start on the page if the following is displayed:

      Scheduler Current Status: STOPPED

      If there are no errors on the page, then the signature login is successful.

B.5 Configuring Basic SSO Using OAM

Configuring Basic SSO using OAM involves meeting the prerequisites, configuring SSO logout and authenticator, and running validation tests.

This section describes how to configure basic integration between Oracle Identity Manager and OAM, and protect the integration with SSO authentication. It includes the following sections:

Note:

Performing the procedure provided in this section only enables basic SSO. Use an LDAP connector to provision passwords, and perform additional configuration so that the lock status can be propagated to the directory.

B.5.1 Prerequisites for Configuring SSO Logout and the Authenticator

Prerequisites for Configuring Basic SSO using OAM include installing and configuring Oracle Identity Governance and OAM, frontending Oracle Identity Governance with OHS/reverse-proxy that hosts OAM 11g webgate, and enabling LDAP synchronization.

Perform the following prerequisites:

  • Ensure that Oracle Identity Governance 12c (12.2.1.3.0) is installed and configured.

  • Oracle Identity Governance must be frontended with OHS/reverse-proxy, which hosts OAM 11g webgate.

  • Ensure that Oracle Identity Governance user population is maintained in sync with LDAP repositories by using a connector. Also ensure that the Oracle Identity Governance system administrator account is created in the LDAP repository.

  • Ensure that OAM 12.2.1.3.0 is installed and configured to authenticate Oracle Identity Governance users against the same LDAP repository that is synchronized with Oracle Identity Governance.

Note:

OIDAuthenticator is used as a reference in this procedure. If you have any other LDAP Server, such as AD, ODSEE, or OUD, then create appropriate WebLogic LDAP Authentication providers.

B.5.2 Configuring SSO Logout and the Authenticator

Steps to configure basic SSO using OAM include setting the OIM ssoenabled flag to true, and configuring SSO logout and the authentication providers.

To configure SSO logout and the authenticator:

  1. Set OIM ssoenabled flag to true. To do so:

    1. Log in to Oracle Enterprise Manager, and navigate to OIM_DOMAIN.

    2. Right-click OIMDomain, and select System MBean Browser.

    3. Click the search icon, enter ssoconfig, and search.

    4. In the details page, look for the SSOEnabled flag, and select true from the drop-down list. Click Apply to save the configuration change.

  2. Configure SSO logout for oim, as shown:

    <IDM_ORACLE_HOME>/common/bin/wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")
    exit()

    Note:

    The connect() call prompts for Admin server URL and WebLogic administrator username and password.

  3. Configure authentication providers. To do so:

    Note:

    This step configures the security providers in the OIM domain so that both SSO login and OIM client-based login work. For this, OAMIDAsserter and OIDAuthenticator must be set up. OIDAuthenticator authenticates and asserts users against OID. To authenticate and assert users against any other directory server that OAM also uses for authentication, configure the corresponding authenticator instead of OIDAuthenticator.

    1. Login to Oracle WebLogic Administrative Console, and navigate to Security realms, myrealm, Providers, Authentication.

    2. Click New to add OAMIDAsserter of type OAMIdentityAsserter. Click OK.

      Edit OAMIDAsserter that you added, and set the control flag to REQUIRED.

      Ensure that Chosen Active Type is set to OAM_REMOTE_USER, and then save the configuration.

    3. Click New to add OIMSignatureAuthenticator of type OIMSignatureAuthenticator. Click OK. Edit OIMSignatureAuthenticator and set the Control flag to SUFFICIENT. Save the configuration.

    4. Click New to add OIDAuthenticator of type OracleInternetDirectoryAuthenticator. Click OK. Edit OIDAuthenticator and set the Control flag to SUFFICIENT. Save the configuration. Open the Provider specific tab, and set the following attributes (only), and then save the configuration.

      • Host: OID_HOST_NAME

      • Port: OID_PORT

      • Principal: cn=orcladmin

      • Credential/Confirm Credential: orcladmin_password

      • User Base DN: cn=Users,dc=us,dc=oracle,dc=com

      • All Users Filter: (&(uid=*)(objectclass=inetOrgPerson))

      • User From Name Filter: (&(uid=%u)(objectclass=inetOrgPerson))

      • UserNameAttribute: uid

      • User Object class: inetOrgPerson

      • Use retrieved user name as principal: true

      • Group Base DN: cn=Groups,dc=us,dc=oracle,dc=com

      • All groups filter: (&(cn=*)(objectclass=groupOfUniqueNames))

      • Group from name filter: (&(cn=%g)(objectclass=groupOfUniqueNames))

    5. Remove OIMAuthenticationProvider that is already configured.

    6. Re-order the remaining authentication providers in the following order:

      OAMIDAsserter

      OIMSignatureAuthenticator

      OIDAuthenticator

      DefaultAuthenticator

      DefaultIdentityAsserter

    7. Activate all the changes done, and then restart all the servers configured in OIM domain.

B.5.3 Running Validation Tests to Validate the Configuration

Validation tests to verify the basic SSO configuration are: logging in to Oracle Identity Manager through SSO, client-based login with the SSO password, and signature-based authentication.

Validate the SSO logout and authenticator configuration by running the following validation tests:

  1. User Login to Oracle Identity Governance Through SSO

    Prerequisites: Create a user, for example, ENDUSER001, in Oracle Identity Manager and LDAP.

    Step: Try logging in to Oracle Identity Self Service through the SSO URL as the user you created, for example ENDUSER001, and check if the login is successful. Also try to log in to Oracle Identity System Administration as the system administrator, and try accessing various links, such as Access Policies. Try logging out from either of the consoles, and log in again with the same or different users.

    Expected output: Login is successful, and all the links work as expected.

  2. Client-Based Login to Oracle Identity Governance:

    Prerequisites: The Design Console is installed and configured.

    Step: Try logging in to the Design Console as the system administrator with SSO password.

    Expected output: Login to the Design console as the system administrator is successful, assuming that LDAPAuthenticator is configured properly for SSO login.

  3. Signature-Based Authentication:

    To test signature-based authentication:

    1. Try accessing the Scheduler service URL running on Oracle Identity Manager Managed server port, as shown:

      http://OIM_HOST:PORT/SchedulerService-web

    2. Login as system administrator with SSO password.

    3. If the login is successful and you can see the following details on the screen, then signature login is successful:

      Scheduler Current Status: STARTED

      Last Error: NONE

    4. Click Start on the page if the following is displayed:

      Scheduler Current Status: STOPPED

      If there are no errors on the page, then signature login is successful.

B.6 Simplifying Third-Party SSO Integration

This section describes how to configure Oracle's Identity Asserter to consume the SSO header set by a third-party SSO solution. The WebLogic plug-ins provided by the third-party SSO solutions remain the recommended approach for providing SSO for Oracle Identity Manager; use this section when those plug-ins cannot be used.

To integrate Oracle Identity Manager with third-party SSO providers, such as Tivoli Access Manager and CA Siteminder, it is recommended to follow instructions provided in Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager and Enabling Oracle Identity Governance to Work With CA SiteMinder.

WebLogic plug-ins (identity asserters or authenticators) provided by third-party SSO solutions are the recommended approach for providing SSO for Oracle Identity Manager. However, if it is not feasible to configure integration using SSO provider-specific WebLogic plug-ins, as described in Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager and Enabling Oracle Identity Governance to Work With CA SiteMinder, then the instructions in this section can be followed to achieve the integration.

Note:

This asserter currently supports third-party SSO providers, such as IBM Tivoli Access Manager and CA Siteminder.

To configure Oracle's Identity Asserter:

  1. Login to Oracle WebLogic Administrative Console.
  2. Navigate to Security Realms, myrealm, Providers, Authentication.
  3. Click New to add OAMIdentityAsserter.
  4. Open the asserter that you just added, and set the control flag to REQUIRED. In the Active Types shuttle, select the SSO specific HTTP header as the Chosen Active type. For example, if Siteminder SSO provider is being used, then select SM_USER header. Similarly, if Tivoli Access Manager SSO provider is being used, then select iv-user header.
  5. Similarly, change the value of the SSOHeader Name field in provider-specific properties to iv-user or SM_USER appropriately.

    Note:

    • SM_USER and iv-user are mentioned as these seem to be the default SSO headers set by CA Siteminder and IBM Tivoli Access Manager respectively.

    • If, for some reason, the SSO header does not contain the username value that maps to the OIM User Login field, then it is recommended to configure the SSO provider to return the username in a header named OAM_REMOTE_USER. In this case, select OAM_REMOTE_USER as the Chosen Active type in step 4, and skip step 5.

  6. Save the configuration.
  7. Configure the authentication chain as follows:

    OAMIDAsserter - REQUIRED

    OIMSignatureAuthenticator - SUFFICIENT

    LDAPAuthenticator - SUFFICIENT

    DefaultAuthenticator - SUFFICIENT

    DefaultIdentityAsserter

    Note:

    LDAPAuthenticator must be replaced by the appropriate authenticator that can authenticate against the LDAP provider being used by the SSO provider, for example OIDAuthenticator.

  8. Configure SSO logout for Oracle Identity Manager as described in Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager or Enabling Oracle Identity Governance to Work With CA SiteMinder, based on the SSO provider.
  9. Set the ssoenabled flag for Oracle Identity Manager to true. To do so:
    1. Login to Oracle Enterprise Manager, and open System MBean Browser.

    2. Open the oracle.iam:Location=OIM_SERVER_NAME,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 mbean.

    3. Set the value of ssoEnabled to true.

  10. Protect or unprotect the Oracle Identity Manager resources on the SSO provider side as described in Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager or Enabling Oracle Identity Governance to Work With CA SiteMinder, based on the SSO provider.
  11. Restart all servers in the Oracle Identity Manager domain.
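The authentication chains in step 6 of Configuring SSO Logout and the Authenticator and in step 7 above rely on the JAAS control flags (REQUIRED, SUFFICIENT) and on provider order. The following simulation is an added illustration, not WebLogic's or Oracle's code: it applies the control-flag rules from the JAAS specification to a chain ordered as in the procedure. Whether each provider succeeds for a given login is a constructed input (the `oim_chain` helper and the scenario functions are this example's own), so it shows only how the flags and the ordering combine, not what a real provider would decide.

```python
"""JAAS control-flag simulation for a WebLogic-style authentication chain.

Added illustration, not WebLogic's or Oracle's code: it applies the control-flag
rules from the JAAS specification (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL)
to a chain ordered as in the procedure. Whether each provider succeeds for a
given login is a constructed input.
"""
from dataclasses import dataclass


@dataclass
class Provider:
    name: str
    flag: str        # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    succeeds: bool   # constructed outcome of this provider for the login


def evaluate_chain(chain):
    """Return (overall_success, names_of_providers_consulted) under JAAS rules."""
    consulted = []
    required_failed = False
    any_success = False
    has_required = any(p.flag in ("REQUIRED", "REQUISITE") for p in chain)
    for p in chain:
        consulted.append(p.name)
        if p.succeeds:
            any_success = True
            # A SUFFICIENT success ends the chain unless an earlier REQUIRED failed.
            if p.flag == "SUFFICIENT" and not required_failed:
                return True, consulted
        elif p.flag == "REQUIRED":
            required_failed = True          # keep going, but the login cannot succeed
        elif p.flag == "REQUISITE":
            return False, consulted         # stop immediately
    if required_failed:
        return False, consulted
    # With no REQUIRED/REQUISITE providers, at least one module must have succeeded.
    return (True if has_required else any_success), consulted


def oim_chain(header_ok, signature_ok, ldap_ok, embedded_ok, ldap_flag="SUFFICIENT"):
    """Chain from the procedure, with constructed per-provider outcomes."""
    return [
        Provider("OAMIDAsserter", "REQUIRED", header_ok),
        Provider("OIMSignatureAuthenticator", "SUFFICIENT", signature_ok),
        Provider("LDAPAuthenticator", ldap_flag, ldap_ok),
        Provider("DefaultAuthenticator", "SUFFICIENT", embedded_ok),
    ]


def sso_login():
    """Browser SSO: asserted header accepted, user found in the corporate LDAP."""
    return evaluate_chain(oim_chain(True, False, True, False))


def signature_login():
    """Signature-based login stops at the signature authenticator."""
    return evaluate_chain(oim_chain(True, True, False, False))


def embedded_ldap_login(ldap_flag):
    """A user that exists only in the embedded LDAP (DefaultAuthenticator)."""
    return evaluate_chain(oim_chain(True, False, False, True, ldap_flag))


def missing_header_login():
    """The REQUIRED asserter reports failure: nothing later can rescue the login."""
    return evaluate_chain(oim_chain(False, False, True, False))


if __name__ == "__main__":
    print("SSO login:", sso_login())
    print("signature login:", signature_login())
    print("embedded-LDAP user, LDAPAuthenticator SUFFICIENT:", embedded_ldap_login("SUFFICIENT"))
    print("embedded-LDAP user, LDAPAuthenticator REQUIRED:", embedded_ldap_login("REQUIRED"))
    print("asserter fails:", missing_header_login())
```

The last two scenarios are the ones worth keeping in mind: with the LDAP authenticator at SUFFICIENT, a user known only to the embedded LDAP (DefaultAuthenticator) still logs in, whereas setting it to REQUIRED makes every login depend on that directory; and because the asserter is REQUIRED, a login in which the asserter reports failure cannot be rescued by a later authenticator.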

While using this approach of configuring Oracle's Identity Asserter, take note of the following security considerations:

  • Follow standard security practices for securing OHS and WebLogic.

  • Ensure that the HTTP web server front ending Oracle Identity Manager is appropriately secured by using the SSO solution's standard security practices.

B.7 Using Configurable Login ID Support for SSO Integration

Generally, SSO providers use a configurable Login ID attribute for performing an SSO login. However, Oracle Identity Manager uses the User ID attribute for an SSO login.

Oracle Identity Manager can be integrated with third-party SSO providers, such as Siteminder and Tivoli Access Manager, in order to achieve single sign-on. These third-party SSO providers allow configuration of the login ID attribute, which the users need to use to perform SSO login. For example, if you want to allow users to login by using the email attribute (instead of User ID), then that configuration is allowed by SSO providers. However, this configuration will not work well when Oracle Identity Manager is integrated with the SSO provider. This is because the Login ID attribute in Oracle Identity Manager is User Login, and it is not possible to configure some other user attribute (say email) as the Login ID attribute. So, this feature is about making the Login ID attribute configurable in Oracle Identity Manager. After the login ID attribute is configured to some other user entity attribute of Oracle Identity Manager, say Email, then the users can perform SSO login to Oracle Identity Manager using the email values.

Note:

  • It is not recommended to use this configuration in an Oracle Identity Manager deployment that is not integrated with SSO providers.

  • This solution is recommended if your Oracle Identity Manager deployment is integrated with third-party SSO providers, and you want to allow users to login with an attribute other than User Login.

  • It is not recommended to use this solution when Oracle Identity Manager is integrated with OAM. It is possible to configure OAM to allow users to login with multiple attributes, yet assert the User Login equivalent attribute. With that configuration, although the user performs SSO login using email, the JAAS subject is populated with User Login attribute.

B.8 Configuring Login ID Support for SSO Integration

Configuring the login ID attribute in Oracle Identity Manager involves configuring the loginMapper property in oim configuration to use the SSOLoginIdMapper, configuring SSO, specifying the same value for loginIdAttribute and USR_LOGIN for each user, and modifying LDAP-specific authenticator configuration.

To configure Login ID attribute in Oracle Identity Manager:

  1. Login to Oracle Enterprise Manager.

  2. Expand WebLogic Domain. Right-click DOMAIN_NAME, and select System MBean Browser.

  3. Configure the loginMapper property in oim configuration to use the SSOLoginIdMapper. To do so:

    1. Go to Application Defined MBeans, oracle.iam, Server:OIM_SERVER_NAME, Application:oim, XML Config, Config.

    2. Change the value of the LoginMapper attribute to oracle.iam.platform.auth.impl.SSOLoginIDMapper.

  4. Configure Oracle Identity Manager for SSO by setting the ssoEnabled attribute of ssoConfig to true. To do so:

    1. Go to Application Defined MBeans, oracle.iam, Server:oim_server1, Application:oim, XML Config, XMLConfig:SSOConfig, SSOConfig.

    2. Select true as the value of the SSOEnabled attribute.

  5. In the same page, set the value of loginIdAttribute to a valid Oracle Identity Manager user entity attribute.

    Note:

    If loginIdAttribute is configured to Email, then all users must have a valid email ID, and the values must be unique across all the Oracle Identity Manager users.

  6. For all Oracle Identity Manager users seeded by default, ensure that the value of loginIdAttribute is the same as that of USR_LOGIN. For example, if loginIdAttribute is configured to Email, then make sure that the email IDs of default users are the same as the USR_LOGIN values. The following SQL statements can be run against Oracle Identity Manager database schema:

    update usr SET usr_email='OIMINTERNAL' where usr_login='OIMINTERNAL';
    update usr SET usr_email='XELSYSADM' where usr_login='XELSYSADM';
    update usr SET usr_email='WEBLOGIC' where usr_login='WEBLOGIC';
    update usr SET usr_email='XELOPERATOR' where usr_login='XELOPERATOR';
    
  7. Modify the LDAP-specific authenticator configuration to use the appropriate attribute for User Name Attribute, User From Name Filter, and All Users Filter. For example, if loginIdAttribute is configured to Email, then make sure that the authenticator is configured as follows:

    User Name Attribute: mail
    User From Name Filter: (&(|(mail=%u)(uid=%u))(objectclass=inetOrgPerson))
    All Users Filter: (&(mail=*)(objectclass=inetOrgPerson))

    Note:

    User From Name Filter contains an OR condition so that users can be looked up either by the uid attribute (which is the default) or by mail (if loginIdAttribute is configured as Email).

    However, it is recommended that you perform API client-based login only by using loginIdAttribute (mail for example), if configured.

  8. Create the System Administrator user entry in the LDAP provider. Ensure that the uid and mail (assuming loginIdAttribute is configured as Email) attributes are set as SYSTEM_ADMINISTRATOR.

    Note:

    If the loginIdAttribute is set to some other unique attribute in Oracle Identity Manager, then the corresponding mapping attribute in LDAP must be set as SYSTEM_ADMINISTRATOR.

  9. Perform the following changes at the OPSS layer:

    Because Oracle Identity Manager connects to SOA through both HTTP (UI) and t3 (server) channels, you need to configure OIMDBProvider to handle user lookups based on the SSO Login ID instead of the default User Login. This is done by modifying the idstore.oim service instance in the jps-config.xml file as follows:

    <serviceInstance name="idstore.oim" provider="idstore.oim.provider" location=" ">
            <description>OIM Identity Store Service Instance</description>
            <property name="idstore.type" value="CUSTOM"/>
            <property name="ADF_IM_FACTORY_CLASS" value="oracle.iam.userrole.providers.oimdb.OIMDBIdentityStoreFactory"/>
            <property name="DATASOURCE_NAME" value="jdbc/soaOIMLookupDB"/>
            <property value="USER_NAME=USR_EMAIL:USER_ID=USR_EMAIL" name="PROPERTY_ATTRIBUTE_MAPPING"/>
    </serviceInstance>
    

    Note:

    The values for USER_NAME and USER_ID properties must be the field-mapping corresponding to loginIdAttribute. So if loginIdAttribute is configured as Email, then USER_NAME and USER_ID properties should be set to USR_EMAIL, since Email attribute maps to USR_EMAIL column.

  10. Ensure that the authentication provider configuration in the Oracle Identity Manager domain security realm is as documented for that specific SSO provider, for example Enabling Oracle Identity Governance to Work With IBM Tivoli Access Manager or Enabling Oracle Identity Governance to Work With CA SiteMinder.
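The filters in step 7 are easy to get subtly wrong (an unbalanced parenthesis, or a login attribute that is not unique as the note under step 5 requires), and a broken filter only shows up as failed logins. The following is an added example, not Oracle or WebLogic code: a minimal RFC 4515 filter parser and evaluator that checks the filter syntax, substitutes %u, and resolves a login against constructed directory entries, rejecting ambiguous matches. Escaping the substituted login value is this example's own precaution and says nothing about how the product handles %u; the entries, `search` and `find_user` helpers are likewise this example's own.

```python
"""Minimal RFC 4515 search-filter parser and evaluator.

Added example, not Oracle or WebLogic code. It parses the User From Name
Filter and All Users Filter strings, substitutes %u with an escaped login
value, and evaluates the result against constructed directory entries.
"""
import re


class FilterError(ValueError):
    """Raised when a filter string is not well formed."""


def parse_filter(text):
    """Parse a filter into a nested AST: ('&'|'|', [..]), ('!', [..]) or ('=', attr, pattern)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise FilterError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise FilterError("unexpected end of filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", [parse()])
        else:
            end = text.find(")", pos)
            if end == -1:
                raise FilterError("unterminated filter item")
            attr, sep, pattern = text[pos:end].partition("=")
            if not sep or not attr.strip():
                raise FilterError(f"malformed item '{text[pos:end]}'")
            node = ("=", attr.strip().lower(), pattern)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise FilterError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise FilterError(f"trailing characters at offset {pos}")
    return node


def _unescape(s):
    """Decode RFC 4515 \\xx escapes inside a literal part of a value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def escape_value(value):
    """Escape a value before substituting it into a filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _glob_match(pattern, value):
    """Only an unescaped '*' is a wildcard; comparison is case-insensitive."""
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    """Evaluate an AST against an entry given as {lower-case attribute: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_glob_match(pattern, v) for v in entry.get(attr, []))


def search(entries, filter_text):
    """Return all entries matching a filter (the All Users Filter use case)."""
    ast = parse_filter(filter_text)
    return [e for e in entries if matches(ast, e)]


def find_user(entries, user_from_name_filter, login):
    """Resolve a login to exactly one entry; an ambiguous login attribute is an error."""
    hits = search(entries, user_from_name_filter.replace("%u", escape_value(login)))
    if not hits:
        raise LookupError(f"no entry for login '{login}'")
    if len(hits) > 1:
        raise LookupError(f"{len(hits)} entries match '{login}'; the login attribute must be unique")
    return hits[0]


# Constructed directory entries (attribute names lower-case); two service
# accounts deliberately share a mail value to exercise the uniqueness check.
ENTRIES = [
    {"uid": ["enduser001"], "mail": ["enduser001@example.com"], "objectclass": ["inetOrgPerson", "person"]},
    {"uid": ["xelsysadm"], "mail": ["xelsysadm"], "objectclass": ["inetOrgPerson"]},
    {"uid": ["svc-build"], "mail": ["shared@example.com"], "objectclass": ["inetOrgPerson"]},
    {"uid": ["svc-deploy"], "mail": ["shared@example.com"], "objectclass": ["inetOrgPerson"]},
    {"cn": ["Admins"], "objectclass": ["groupOfUniqueNames"]},
]
USER_FROM_NAME_FILTER = "(&(|(mail=%u)(uid=%u))(objectclass=inetOrgPerson))"
ALL_USERS_FILTER = "(&(mail=*)(objectclass=inetOrgPerson))"
```

Running `find_user(ENTRIES, USER_FROM_NAME_FILTER, "enduser001@example.com")` and `find_user(ENTRIES, USER_FROM_NAME_FILTER, "enduser001")` both return the same entry, which is the point of the OR condition; `"shared@example.com"` raises because two entries share that mail value, and `parse_filter` rejects a filter with a missing closing parenthesis before it can ever reach the provider configuration.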

Note:

Ensure the following while developing custom SOA composites, when a custom loginIdAttribute (say Email) is configured:

  • When Oracle Identity Manager initiates SOA composites for approval, it passes RequesterDetails, BeneficiaryDetails as part of the payload.

    The Login and ManagerLogin fields within these would be set to Email instead of User Login.

  • Ensure that you use the loginIdAttribute value as the task assignee.

In order to fetch the loginIdAttribute value for a user (given user key), you can use the getUserDetails operation of RequestDataService in the BPEL process.

The same applies to already existing custom SOA composites.

B.9 Integrating Oracle Identity Governance with Identity Providers using SAML2 Asserter

This section describes the configuration steps for enabling Oracle Identity Governance for Single Sign On (SSO) by using SAML2 single sign on flow. The identity provider (IDP) or SAML2 assertion provider used in this document is Oracle Access Manager (OAM). You can also use any other IDP that supports SAML2.

This section contains the following topics:

B.9.1 Prerequisites for Integrating Oracle Identity Governance with Identity Providers

Before integrating Oracle Identity Governance with Identity Providers (IDPs), perform the following prerequisites:
  1. Install Oracle Access Manager 12c (12.2.1.3.0) on a host computer, say host1.
  2. Install Oracle Identity Governance 12c (12.2.1.3.0) on another host computer, say host2.
  3. On host2, configure Oracle HTTP Server (OHS) 12c (12.2.1.3.0) on top of OIG. To do so:
    1. Update the $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/mod_wl_ohs.conf file as shown in this step. The following entries are standard for OHS and OIG integration. Change the value of all instances of WLCookieName from oimjessionid to JSESSIONID, as shown:
      <Location /reqsvc>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /identity>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /sysadmin>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /admin>
       SetHandler weblogic-handler
       WebLogicHost example.com
       WebLogicPort PORT
       WLCookieName JSESSIONID
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
        
      # oim self and advanced admin webapp consoles(canonic webapp)
      <Location /oim>
       SetHandler weblogic-handler
       WebLogicHost example.com
       WebLogicPort PORT
       WLCookieName JSESSIONID
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      # SOA Callback webservice for SOD
      <Location /sodcheck>
       SetHandler weblogic-handler
       WebLogicHost example.com
       WebLogicPort PORT
       WLCookieName JSESSIONID
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
        
      # Callback webservice for SOA. SOA calls this when a request is approved/rejected
      # Provide the SOA Managed Server Port
      <Location /workflowservice>
       SetHandler weblogic-handler
       WebLogicHost example.com
       WebLogicPort PORT
       WLCookieName JSESSIONID
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
        
      # Nexaweb WebApp - used for workflow designer and DM
      <Location /Nexaweb>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
        
      # used for FA Callback service.
      <Location /callbackResponseService>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
        
      # spml xsd profile
      <Location /spml-xsd>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
        
      <Location /HTTPClnt>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /provisioning-callback>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /CertificationCallbackService>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /FacadeWebApp>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /iam/governance/configmgmt>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /iam/governance/scim/v1>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /iam/governance/token/api/v1>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /OIGUI>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
       
      <Location /iam/governance/applicationmanagement>
       SetHandler weblogic-handler
       WLCookieName JSESSIONID
       WebLogicHost example.com
       WebLogicPort PORT
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
      </Location>
    2. Add the following snippet to redirect the SAML2 response received from the IDP:
      <Location /saml2>
         SetHandler weblogic-handler
         WLCookieName JSESSIONID
         WebLogicHost example.com
         WebLogicPort PORT
      </Location>
  4. Save the mod_wl_ohs.conf file.
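Because the procedure above requires every Location block in mod_wl_ohs.conf to carry WLCookieName JSESSIONID and a /saml2 Location to exist, a quick check of the edited file is worthwhile before restarting OHS. The following is an added example, not part of the Oracle documentation or product: it parses the Location blocks of a mod_wl_ohs.conf fragment (a constructed sample is embedded; `check_conf` and `parse_locations` are this example's own) and reports blocks with the wrong cookie name or a missing handler, and the absence of the /saml2 block.

```python
"""Check the Location blocks in a mod_wl_ohs.conf fragment.

Added example, not Oracle code: parses <Location> blocks and reports any block
whose WLCookieName is not JSESSIONID, any block without the weblogic-handler,
and a missing /saml2 Location.
"""
import re

LOCATION_RE = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.DOTALL | re.IGNORECASE)


def parse_locations(conf_text):
    """Return {path: {directive: value}} for every <Location> block; comments are ignored."""
    locations = {}
    for m in LOCATION_RE.finditer(conf_text):
        path, body = m.group(1), m.group(2)
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and blank lines
            if not line:
                continue
            parts = line.split(None, 1)
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            directives[parts[0]] = value
        locations[path] = directives
    return locations


def check_conf(conf_text, expected_cookie="JSESSIONID", required_paths=("/saml2",)):
    """Return a list of findings; an empty list means the fragment passes the checks."""
    findings = []
    locations = parse_locations(conf_text)
    for path, d in locations.items():
        cookie = d.get("WLCookieName")
        if cookie is None:
            findings.append(f"{path}: WLCookieName missing")
        elif cookie != expected_cookie:
            findings.append(f"{path}: WLCookieName is {cookie}, expected {expected_cookie}")
        if d.get("SetHandler", "").lower() != "weblogic-handler":
            findings.append(f"{path}: SetHandler weblogic-handler missing")
    for req in required_paths:
        if req not in locations:
            findings.append(f"{req}: Location block missing")
    return findings


# Constructed fragment: /identity and /oim are correct, /sysadmin still has the
# old cookie name, and the /saml2 block has not been added yet.
SAMPLE_CONF = """\
<Location /identity>
 SetHandler weblogic-handler
 WLCookieName JSESSIONID
 WebLogicHost oim.example.com
 WebLogicPort 14000
</Location>

<Location /sysadmin>
 SetHandler weblogic-handler
 WLCookieName oimjessionid
 WebLogicHost oim.example.com
 WebLogicPort 14000
</Location>

# oim self and advanced admin webapp consoles
<Location /oim>
 SetHandler weblogic-handler
 WebLogicHost oim.example.com
 WebLogicPort 14000
 WLCookieName JSESSIONID
 WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
"""

SAML2_BLOCK = """
<Location /saml2>
   SetHandler weblogic-handler
   WLCookieName JSESSIONID
   WebLogicHost oim.example.com
   WebLogicPort 14000
</Location>
"""

# The same fragment after the two fixes the procedure calls for.
FIXED_CONF = SAMPLE_CONF.replace("oimjessionid", "JSESSIONID") + SAML2_BLOCK


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print("before:", finding)
    print("after:", check_conf(FIXED_CONF) or "no findings")
```

On the real file, read `$DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/mod_wl_ohs.conf` into `conf_text` and print `check_conf(conf_text)`; an empty result means every proxied Location forwards the JSESSIONID cookie and the /saml2 Location is present.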

B.9.2 Configuring the SAML2 Asserter in the Oracle Identity Governance Domain

To configure the SAML2 identity asserter in the Oracle Identity Governance domain:
  1. Login to Oracle WebLogic Server Administration Console 12c.
  2. Navigate to the Security Realm, and click the Providers tab. All the configured providers are displayed.
  3. In the Authentication tab, under Authentication Providers, click New. The Create a New Identity Provider page is displayed.
  4. In the Name field, enter a name for the identity asserter.
  5. Make sure that SAML2IdentityAsserter is selected in the Type list, and click OK.
  6. Reorder the identity providers so that SAML2IdentityAsserter is the first in the list. To do so:
    1. In the Authentication tab, under Authentication Providers, click Reorder. The Reorder Authentication Providers page is displayed.
    2. Under Authentication Providers, in the Available list, reorder the SAML2 identity asserter that you created to be the first in the list by using the navigation arrows adjacent to the list.
    3. Click OK.
  7. Restart the servers for the changes to take effect.

B.9.3 Configuring Identity Federation Settings on Oracle Identity Governance

To configure Identity Federation settings on Oracle Identity Governance:
  1. Login to Oracle WebLogic Administration Console 12c.
  2. Navigate to Environments, Servers, OIM_SERVER_NAME.
  3. Click the Federation Services tab.
  4. Click the SAML2.0 Service Provider tab.
  5. Enter the following details, and click Save.
    • Authentication Request Cache Size: 10000
    • Authentication Request Cache Timeout: 300
    • Preferred Binding: None
    • Default URL: https://host1.example.com:PORT/identity/faces/home
  6. Click the SAML2.0 General tab, and enter the following details:
    • Entity ID: OIM_SAML2

      This can be any name. It is the name through which the identity provider identifies the service provider.

    • Published Site URL: http://host1.example.com:PORT/saml2 or http://host1.example.com:OHS_PORT/saml2

      This is the URL to which the SAML2 response is sent after the authentication on the identity provider. If OHS is installed on top of Oracle Identity Governance, then use OHS host and port.

    • Single Sign-on Signing Key Alias: DemoIdentity/DemoIdentityPassPhrase

      This is the keystore alias for the key to be used for signing documents.

  7. Click Save.

B.9.4 Exporting the Identity Federation Document

To export the Identity Federation document :
  1. In the SAML2.0 General tab, click Publish Metadata. The Publish SAML2.0 Meta Data page is displayed.
  2. In the Path field, enter the directory path and name of the file that you want to export, for example, DIRECTORY_PATH/OIM_SAML2.xml.
  3. Optionally select the Overwrite option if you want the metadata to be written to the file if the file already exists. Otherwise, leave this option unchecked.
  4. Click OK.

B.9.5 Configuring the Identity Provider for Federation With Oracle Identity Governance

To configure the Identity Provider, which is Oracle Access Manager in this example, for federation with the Service Provider, which is Oracle Identity Governance:
  1. Log in to Oracle Access Management console.
  2. Click the Federation tab, and then click the Identity Provider Administration tab.
  3. Click Create Service Provider Partner.
  4. In the General section, enter a name for the service provider in the Name field.
  5. In the Service Information section, import the federation metadata object that you earlier exported in Exporting the Identity Federation Document. To do so, ensure that the Load from provider metadata option is selected, and then click Load Metadata.
  6. In the NameID Format section, select User ID Store Attribute in the NameID Value list, and enter uid.
  7. Click Save.

B.9.6 Exporting the Identity Provider Metadata

To export Oracle Access Management (identity provider) document:
  1. Download the metadata document from the following URL:
    http://host2.example.com:PORT/oamfed/idp/metadata
  2. Save the metadata content in a file, say OAMMetadata.xml.

B.9.7 Configuring the Identity Provider Metadata on Oracle Identity Governance

To configure the Oracle Access Manager (identity provider) metadata on Oracle Identity Governance (service provider):
  1. Login to Oracle WebLogic Server Administration Console 12c.
  2. Go to Security Realm, and then click the Providers tab.
  3. Click the SAML2 asserter created in Configuring the SAML2 Asserter in the Oracle Identity Governance Domain.
  4. Click the Management tab.
  5. Click New, and select New Web Single Sign-On Identity Provider Partner. The Create a SAML2.0 Web Single Sign-On Identity Provider Partner page is displayed.

    If you see the following error on the page:

    Cannot resolve 'query:AttributeQueryDescriptorType' to a type definition for element 'md:RoleDescriptor'.
    Create Operation failed - no partner created.

    Then modify the metadata file, and remove the AttributeQueryDescriptorType element from the OAMMetadata file.

    On successful import, the message Partner created successfully. is displayed, and OAMIDP is displayed in the Identity Provider Partners list. By default, the configured partner is disabled.

  6. Under Identity Provider Partners, click the created partner, and set the values of the following parameters:
    1. In the Overview section, select Enabled to enable the partner.
    2. In the Redirect URIs box, enter the following to add redirect URIs:
      /identity/adfAuthentication
      /sysadmin/adfAuthentication
  7. Restart the Oracle Identity Governance domain servers for the changes to take effect and the federation between Oracle Access Management and Oracle Identity Governance to be successful.

B.9.8 Updating Identity Self Service, System Administration, and FacadeWebApp to Change the Session Cookie

Use a deployment plan to change the session cookie name from oimjessionid to JSESSIONID, as shown:

Note:

This step is required to support the SAML2 flow if the application uses a custom cookie name. See Use of Non-default Cookie Name in Fusion Middleware Securing Oracle WebLogic Server.

  1. Create Plan.xml files for oracle.iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear. Make sure to provide a unique name for Plan.xml for these applications to avoid collision. For example, store the files as MW_HOME/idm/server/apps/identityPlan.xml, MW_HOME/idm/server/apps/sysadminPlan.xml, and MW_HOME/idm/server/apps/oimPlan.xml.

    The sample Plan.xml files are as follows:

    Sample deployment plan XML for oracle.iam.console.identity.self-service.ear

    <?xml version='1.0' encoding='UTF-8'?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
      <application-name>oracle.iam.console.identity.self-service.ear#V2.0</application-name>
      <variable-definition>
        <variable>
          <name>NewCookieName</name>
          <value>JSESSIONID</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>oracle.iam.console.identity.self-service.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>NewCookieName</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-name</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
    </deployment-plan>

    Sample deployment plan XML for oracle.iam.console.identity.sysadmin.ear

    <?xml version='1.0' encoding='UTF-8'?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
      <application-name>oracle.iam.console.identity.sysadmin.ear#V2.0</application-name>
      <variable-definition>
        <variable>
          <name>NewCookieName</name>
          <value>JSESSIONID</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>oracle.iam.console.identity.sysadmin.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>NewCookieName</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-name</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
    </deployment-plan>

    Sample deployment plan XML for oim.ear

    <?xml version='1.0' encoding='UTF-8'?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
      <application-name>oim</application-name>
      <variable-definition>
        <variable>
          <name>NewCookieName</name>
          <value>JSESSIONID</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>iam-consoles-faces.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>NewCookieName</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-name</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
      <module-override>
        <module-name>FacadeWebApp.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>NewCookieName</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-name</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
      <module-override>
        <module-name>xlWebApp.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>NewCookieName</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-name</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
    </deployment-plan>
  2. Log in to the Oracle WebLogic Server Administration Console.
  3. Navigate to Deployments, and then select the application.
  4. Click Update. The Update Application Assistant page is displayed.
  5. Click Change Path next to the deployment plan path configuration.
  6. Specify the path to the deployment plan XML file specific to the application, and click Next.
  7. Select the Update this application in place with new deployment plan changes option, and click Finish to complete the deployment plan configuration. Activate changes if required.

    Note:

    You can ignore the following errors while updating the plan:

    oracle.iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear error:

    weblogic.management.DeploymentException: The application oracle.iam.console.identity.self-service.ear#V2.0 cannot have the resource WEB-INF/weblogic.xml updated dynamically. Either:
    1.) The resource does not exist.
     or
    2) The resource cannot be changed dynamically.

    oim error:

    weblogic.descriptor.DescriptorUpdateRejectedException: Non-dynamic properties were found to be updated Bean: weblogic.j2ee.descriptor.WebAppBeanImpl FilterMappings (REMOVE weblogic.j2ee.descriptor.FilterMappingBeanImpl@be33a8a0(/FilterMappings[[CompoundKey: SSOSessionSynchronizationFilter[CompoundKey: ][CompoundKey: /*]]]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@148fdb1f, Proposed Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@7075de61] FilterMappings (REMOVE weblogic.j2ee.descriptor.FilterMappingBeanImpl@5a3116b4(/FilterMappings[[CompoundKey: JpsFilter[CompoundKey: ][CompoundKey: /*]]]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@148fdb1f, Proposed Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@7075de61] FilterMappings (REMOVE weblogic.j2ee.descriptor.FilterMappingBeanImpl@3f7e90c7(/FilterMappings[[CompoundKey: ExtensibleGlobalFilter[CompoundKey: ][CompoundKey: /*]]]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@148fdb1f, Proposed Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@7075de61] FilterMappings (REMOVE weblogic.j2ee.descriptor.FilterMappingBeanImpl@a18ad6a0(/FilterMappings[[CompoundKey: DMSSystemFilter[CompoundKey: ][CompoundKey: /*]]]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@148fdb1f, Proposed Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@7075de61] FilterMappings (REMOVE weblogic.j2ee.descriptor.FilterMappingBeanImpl@c63fc573(/FilterMappings[[CompoundKey: OAMAgentFilter[CompoundKey: ][CompoundKey: /*]]]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@148fdb1f, Proposed Value: [Lweblogic.j2ee.descriptor.FilterMappingBeanImpl;@7075de61] Filters (REMOVE weblogic.j2ee.descriptor.FilterBeanImpl@88cea9cf(/Filters[JpsFilter]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@32be66e8, Proposed Value: 
[Lweblogic.j2ee.descriptor.FilterBeanImpl;@39c7fa98] Filters (REMOVE weblogic.j2ee.descriptor.FilterBeanImpl@eb9d7cfb(/Filters[DMSSystemFilter]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@32be66e8, Proposed Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@39c7fa98] Filters (REMOVE weblogic.j2ee.descriptor.FilterBeanImpl@45ac8348(/Filters[OAMAgentFilter]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@32be66e8, Proposed Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@39c7fa98] Filters (REMOVE weblogic.j2ee.descriptor.FilterBeanImpl@17e26bdc(/Filters[ExtensibleGlobalFilter]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@32be66e8, Proposed Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@39c7fa98] Filters (REMOVE weblogic.j2ee.descriptor.FilterBeanImpl@dea456fb(/Filters[SSOSessionSynchronizationFilter]))(Dynamic=false)[Original Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@32be66e8, Proposed Value: [Lweblogic.j2ee.descriptor.FilterBeanImpl;@39c7fa98] Id (CHANGE)(Dynamic=false)[Original Value: WebApp_ID, Proposed Value: null]
    
  8. Restart the servers.
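    The three plans above all bind one NewCookieName variable to the session-descriptor cookie-name of every OIG web module. The following Python script is an added example, not part of this documentation or of Oracle's tooling: it parses such a plan, rejects assignments to variables that were never defined, and confirms that every module of every plan receives the same session cookie name. The sample_plan helper and the plans it builds are constructed test input, not Oracle's shipped plans.

```python
# Added example (not Oracle's code): checks WebLogic deployment plans like the
# samples above so that every OIG web module ends up with the same session
# cookie name, which the SSO session synchronisation between consoles relies on.
import xml.etree.ElementTree as ET

NS = {"dp": "http://xmlns.oracle.com/weblogic/deployment-plan"}
COOKIE_XPATH = "/weblogic-web-app/session-descriptor/cookie-name"


def cookie_overrides(plan_xml: str) -> dict:
    """Map module-name -> cookie-name value assigned by one deployment plan."""
    root = ET.fromstring(plan_xml)
    defined = {v.findtext("dp:name", namespaces=NS): v.findtext("dp:value", namespaces=NS)
               for v in root.findall("dp:variable-definition/dp:variable", NS)}
    overrides = {}
    for mod in root.findall("dp:module-override", NS):
        mod_name = mod.findtext("dp:module-name", namespaces=NS)
        for asg in mod.findall("dp:module-descriptor/dp:variable-assignment", NS):
            if asg.findtext("dp:xpath", namespaces=NS) != COOKIE_XPATH:
                continue  # only the session-cookie override is of interest here
            var = asg.findtext("dp:name", namespaces=NS)
            if var not in defined:  # assignment to a variable nobody defined
                raise ValueError(f"{mod_name}: undefined variable {var!r}")
            overrides[mod_name] = defined[var]
    return overrides


def shared_cookie_name(*plans: str) -> str:
    """Return the single cookie name used by all modules of all plans, else raise."""
    merged = {}
    for plan in plans:
        merged.update(cookie_overrides(plan))
    names = set(merged.values())
    if len(names) != 1:
        raise ValueError(f"inconsistent session cookie names: {merged}")
    return names.pop()


def sample_plan(app: str, module: str, value: str = "JSESSIONID", var: str = "NewCookieName") -> str:
    """Constructed one-module plan in the shape of the samples above (test input only)."""
    return f"""<deployment-plan xmlns="{NS['dp']}">
  <application-name>{app}</application-name>
  <variable-definition><variable><name>NewCookieName</name><value>{value}</value></variable></variable-definition>
  <module-override><module-name>{module}</module-name><module-type>war</module-type>
    <module-descriptor external="false"><root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment><name>{var}</name><xpath>{COOKIE_XPATH}</xpath></variable-assignment>
    </module-descriptor></module-override>
</deployment-plan>"""
```

Run shared_cookie_name over the plan files of all three applications before updating them in the console; a mismatch or an undefined variable is reported before any deployment is touched.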

B.9.9 Testing the SAML 2.0 Flow with Identity Self Service and System Administration Pages

To test the SAML 2.0 flow with the Oracle Identity Governance Self Service and System Administration pages:
  1. Log in to Oracle Identity Self Service by navigating to http://host1.example.com:PORT/identity/faces/home or http://host1.example.com:OHS_PORT/identity/faces/home (if OHS is installed in front of Oracle Identity Governance).
    This redirects to the Oracle Access Management home page.
  2. Enter the credentials of a user that is present in both the OAM and OIG user stores. For example, enter the credentials of the weblogic user that is present in OAM.
    The user is logged in to Identity Governance Self Service.
  3. Log in to Oracle Identity System Administration by navigating to http://host1.example.com:PORT/sysadmin/faces/home or http://host1.example.com:OHS_PORT/sysadmin/faces/home (if OHS is installed in front of Oracle Identity Governance).
    This redirects to the Oracle Access Manager home page.
  4. Enter the credentials of the system administrator user that exists in the OAM user store.
    The user is logged in to Identity Governance System Administration.