OAS – OAM (Access Manager / Oblix COREid) Integration Architecture

Integrating Oracle 10g Application Server with Oracle Access Manager - Overview
=========================

i) Oracle Application Server (OAS) can be integrated with Oracle Access
Manager (OAM, earlier called Oblix COREid) for authentication and
authorization. Although Oracle Application Server has its own
authentication and Single Sign-On feature, integrating OAS with OAM
provides more flexibility and security and gives fine-grained access control for protecting web and other resources.

ii) You also need OAM-OAS integration if you wish to integrate E-Business
Suite with Oracle Access Manager (Oblix COREid) for authentication and
authorization.

iii) If you wish to integrate (protect/authenticate/authorize) any Oracle
product (such as Portal, Forms, BI, E-Business Suite) with Oracle Access
Manager (Oblix COREid), it should be done via Oracle Application Server.

iv) Integrating OAM with OAS lets you provide identity management functionality to web-based applications that run on Oracle Application Server or on any other Oracle product, such as Oracle E-Business Suite Self Service applications (iProc, iRec).

v) When integrating Oracle Access Manager's authorization functionality, either Oracle Application Server or Oracle Access Manager Single Sign-On can act as the authentication mechanism.

OAS (10g AS) – OAM (Oblix COREid) Integration Architecture
=========================
As shown in the diagram at the top, Oracle Access Manager is installed and configured with any LDAP server (AD, OID, iPlanet), and Oracle HTTP Server is protected by WebGate (the OAM web component).
Here is the request flow when Oracle Application Server is protected by Oracle Access Manager (Oblix COREid):

i) A user tries to access a web resource (http/https) on Oracle Application Server that is protected by Oracle Access Manager (Oblix COREid); the request is received by WebGate (the Access Manager component on the web server).

ii) WebGate requests the policy from the Access Server (another component of Oracle Access Manager) to check whether the resource (URL) is protected.

iii) If the resource/URL is not protected, the page is returned to the user. If the resource/URL is protected, WebGate asks the user to authenticate.

iv) The credentials entered by the user are validated against the LDAP directory via the access system.

v) After successful authentication, the Oracle Access Manager Single Sign-On cookie (obSSOCookie) is sent to the user's browser.

vi) After successful authorization (pre-defined in the Access Server policy domains), the Access Server executes the actions specified in the security policy and sets an HTTP header variable that maps to the Oracle Application Server 10g user ID.

vii) Oracle AS Single Sign-On recognizes the HTTP headers set by Oracle Access Manager (HeaderVar), authenticates the user and sets the Oracle Single Sign-On cookie.

If the LDAP store used by Access Manager is not the same OID in which Oracle Application Server users are stored, ensure that the user data in the two LDAP servers is in sync (up to date).
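
The request flow above, together with the directory-sync requirement, modelled as an added example (not code from the original post or from Oracle). The header name, users, passwords and policy data are constructed, and dropping a browser-supplied copy of the identity header is an assumption of this sketch.

```python
# Simplified model of the WebGate -> Access Server -> OracleAS SSO flow.
# Every name, user, password and policy below is constructed for illustration.
import secrets

IDENTITY_HEADER = "X-Example-OAM-User"  # hypothetical name for the mapped HeaderVar
PROTECTED = {"/portal/": {"jdoe", "asmith"}, "/forms/": {"jdoe"}}  # URL prefix -> allowed users
OAM_LDAP = {"jdoe": "s3cret", "asmith": "pa55"}  # toy directory used by OAM
OID_USERS = {"jdoe"}  # OracleAS SSO user store; asmith was never synced
sessions = {}  # obSSOCookie value -> user id


def webgate(path, headers, cookies, credentials=None):
    """Steps i-vi. Returns (status, headers forwarded to OAS, cookies to set)."""
    # Assumption of this sketch: a browser-supplied identity header is dropped.
    fwd = {k: v for k, v in headers.items() if k.lower() != IDENTITY_HEADER.lower()}
    prefix = next((p for p in PROTECTED if path.startswith(p)), None)
    if prefix is None:  # step iii: resource is not protected
        return "PASS", fwd, {}
    user, set_cookies = sessions.get(cookies.get("obSSOCookie")), {}
    if user is None:
        if credentials is None:
            return "CHALLENGE", fwd, {}  # step iii: ask the user to authenticate
        name, password = credentials
        stored = OAM_LDAP.get(name)
        if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
            return "AUTHN_FAILED", fwd, {}  # step iv: directory rejected the login
        user, token = name, secrets.token_urlsafe(16)
        sessions[token] = user
        set_cookies["obSSOCookie"] = token  # step v: SSO cookie for the browser
    if user not in PROTECTED[prefix]:  # step vi: authorization against the policy
        return "AUTHZ_DENIED", fwd, set_cookies
    fwd[IDENTITY_HEADER] = user  # step vi: header action maps to the OAS user ID
    return "PASS", fwd, set_cookies


def oracleas_sso(headers):
    """Step vii: accept the asserted user only if it exists in OID."""
    user = headers.get(IDENTITY_HEADER)
    return user if user in OID_USERS else None


def request(path, headers=None, cookies=None, credentials=None):
    """Run one request through WebGate, then OracleAS SSO if WebGate passed it."""
    status, fwd, set_cookies = webgate(path, headers or {}, cookies or {}, credentials)
    sso_user = oracleas_sso(fwd) if status == "PASS" else None
    return status, sso_user, set_cookies
```

In this model `asmith` authenticates and is authorized at WebGate but gets no OracleAS SSO session, because the account is missing from OID: the out-of-sync case the paragraph above warns about.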

Implementation of 10g AS integration with Oracle Access Manager(Oblix COREid) coming soon …

Integration of Oracle Access Manager(COREid) with Siebel coming soon…


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.


31 comments
pandeypunit says October 16, 2007

Hi Atul,

I am trying to protect MS Exchange Server with Oracle Access Manager (Oblix Netpoint). Do you have any idea how to do it?

I would appreciate an email on pandeypunit@yahoo.com.

Thanks & Regards,

Punit Pandey

Reply
Atul says October 16, 2007

Punit, depending on the way you are accessing MS Exchange data, you can protect it using an access policy on the NetPoint Access Server (Oracle Access Manager now) and an authentication plug-in on the Exchange server.

Reply
IDM says April 3, 2008

Here is a scenario. We would like to use external apps e.g. .net asp as landing site for external users. After they are logged in, they can click on istore (EBS) and access it without having to provide the credentials again. I know OAM can handle heterogeneous environments. But the question is how will the credentials be handed over to EBS HTTP server once users have logged into .net app? I know OAM creates the SSO cookies, but will it work ? How can we “hand-over” the credentials to EBS HTTP….

Reply
Atul says April 4, 2008

Integrate EBS with 10g SSO/OID and further SSO/OID with OAM, so OAM passes the cookie to OAS and OAS in turn to EBS HTTP.

Reply
ppatil says July 31, 2008

When are you going to post Integration of Oracle Access Manager (COREid) with Siebel? Really looking forward to reading it.

Reply
Atul says July 31, 2008

Hi PPatil,
Thanks for your interest. Are you looking for Oracle Access Manager integration with Siebel Applications or Siebel Business Intelligence?

Reply
ppatil says August 6, 2008

Yes, I am looking for integration with OBIEE 10.1.3.3.3 or 10.1.3.3.2.

Reply
Atul says August 8, 2008

ppatil,
As you know, OBIEE consists of many components and you can deploy it on different application servers, so integration with OAM depends on all such factors. Moreover, integration will depend on what you wish to protect in OBIEE (URL, services, users, SSO) using OAM …

A good starting point is the integration guide for Oracle Access Manager: http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b25347/toc.htm

Reply
Julie says August 26, 2008

Your blog is excellent. Thanks. How would you best integrate Oblix/OAM with Sharepoint 2007 server? Do you have any diagrams/tips of how it would work in an HA environment?

Reply
Atul says August 26, 2008

To integrate Oracle Access Manager (earlier Oblix) with SharePoint Portal Server, check here.

Reply
Julie says October 2, 2008

Atul, thanks very much!

Reply
vasavi says December 16, 2008

Hi Atul and All,

Can you guide me on how to do a custom authentication plug-in by writing C language code in OAM? I created a form-based authentication; after that I want to do a custom authentication plug-in which accepts the username only and has to log in by getting the password from OID or hardcoded values. Actually I thought of writing it in Java, but we can write in C and C# only.
Can you help me regarding this one?

Thanks in Advance,

Vasavi

Reply
M Mehta says December 19, 2008

Could you give me a link on how to integrate Oracle Access Manager with Cognos 8 BI suite? I looked in the integration guide you posted but it does not mention Cognos BI.

Reply
Damian says January 14, 2009

Hi,

Thanks, great guide. I would be interested in some more information on OAM integration with Cognos 8 BI suite too if anybody has some.

Cheers,
Damian

Reply
dsharma says February 3, 2009

Is there an integration between OAM and EBS, except SSO? Please tell me in what other way can OAM interact with SSO?

Reply
dsharma says February 3, 2009

Mistake in previous question. In what other way can OAM interact with EBS?

Reply
Atul Kumar says February 3, 2009

The only supported and certified way of integrating EBS with OAM (Access Manager) is via Oracle AS SSO server, which is now part of Oracle Identity Management (under the AS infrastructure component).

Reply
Miit says February 9, 2009

Hi,

I want to know about the API that OAM uses internally when we click Lost Password or Forget Password.
How does OAM work internally for these two applications:
a) Lost Password.
b) Forget Password.

Thanks
Miit

Reply
Miit says February 10, 2009

Hi,

Can someone help in finding out about Access SDK and IDXML in OAM?
I want to know how OAM sets the UserID and Password in OID.

Thanks
Miit

Reply
Miit says February 11, 2009

Hi,

I want to use the existing password setting functionality of OAM in my application.

I want to achieve it in either of two ways:
1. Using Access Manager API
2. Access Manager SDK.

Can you please guide me on the following:
1. Which is the better of the above-mentioned ways in my case?
2. Which method is responsible for password setting in ObAuthenticationScheme of Access Manager API?
3. Also please provide me the details of how I can use that method in my customized Authentication Scheme.

Your assistance will be highly appreciated.
Thanks in advance.

Reply
Asohan says March 4, 2009

I would be interested in some more information on OAM integration with Oracle Universal Content Management (UCM).

Reply
Vani says March 25, 2009

Hi

We have the below scenario to implement. Can you please suggest some ideas to implement this? I searched in the Development and Customization Guide of OAM but could not get much help…. Your early response will be helpful.

Problem: There is a requirement to change the password for a user by his supervisor/admin in the OAM / COREid Identity XML server programmatically (like any administrator can reset the password for any OAM user in the OAM Administrative Screen).

I would like to achieve the Change Password functionality by invoking the OAM API to RESET USER PASSWORD from an external JSP application.

If you have implemented this functionality from a third-party call, please send responses. Or please let us know which OAM API is called during the default password reset functionality.

Timely input will be greatly appreciated.

Reply
vasavi says April 15, 2009

Hi Vani/ALL,

Let me know the solution for that issue too, please.

We have the same requirement and we are at the initial stage. If you got any info, please share it with us.

Thanks & Regards,

Vasavi

Reply
regulla says May 6, 2009

Hi,

I need to configure a reverse proxy for Apache web server and WebLogic app server. Could you please provide an httpd.conf file for the same?

Thanks
Regulla

Reply
Mahendra says May 13, 2009

Hi Atul,

We are looking to integrate WebLogic Portal 10.3 with OAM 10.1.4.2 BP 06+. Unfortunately, we did not find any document.
Do you have any pointers for this?

Please help me in this.

Reply
gokul says June 15, 2009

Hi,
How do I handle Forgotten Password in the COREid Oblix screen programmatically? I need to fetch a value from the database and email that to him once Forgotten Password is clicked.
I would also like to redirect the user, bypassing the login screen, on clicking the Forgotten Password link.
Please help me.

Reply
rajesh says December 10, 2009

Hi Atul,

I want to authenticate the user based on the obssocookie in IDXML. Can you send me the sample code for that?

Thanks In Advance,

Rajesh

Reply
kunal.dhar2001@gmail.com says March 8, 2010

Hi Atul,

Not sure if this is the correct place to post this query. But is there any documentation for integrating Sun Java Application Server with OAM for Authentication Services?

Regards
Kunal

Reply
sinraj72 says April 18, 2012

Hi Atul,

I would like to know whether there is any mechanism available whereby I can integrate the “Forgotten Password” feature with Oracle Access Manager 11g without using Oracle Identity Manager 11g?

A prompt reply will support me a lot

Reply
Narendra says July 31, 2013

Hi Atul,

I created an authorization policy in which a condition of type Identity is created. I chose OVD as the store name, “test” is the entityname and entitytype is group, and configured an authentication policy to a resource in a policy, but while accessing the resource I am getting authorization failed for the user who is present in the test group (verified in OID that he is assigned to this group).

Please help me to solve the issue.

Thanks in advance.

Regards,
Narendra

Reply
Kumar says November 19, 2014

Hi

1. How to protect an application running in a WebLogic application server with OAM 11g which is in a different domain?
2. How to protect a custom application running in a managed server with OAM 11g which is in the same domain?

My understanding is that the WebGate agent is for web servers; what type of agent should I use for application servers?
Thanks

Reply