This post is from our Oracle WebLogic training for Administrators/DBAs and covers step-by-step instructions on how to integrate Oracle WebLogic Server with OID (Oracle Internet Directory) for user login/authentication.
By default, Oracle WebLogic Server uses a security realm named “myrealm” backed by an embedded LDAP server (with two default users, WebLogic & OracleSystemUser) that acts as the data store for the Authentication, Authorization, Credential Mapping and Role Mapping providers.
You can view the Embedded LDAP Server configuration from the WebLogic Console page (/console): Domain -> Security -> Embedded LDAP Server.
If you wish to log in to WebLogic Server using users in Oracle Internet Directory (more on OID here), or to allow users in OID to access your Web Services (OWSM Policy), then you have to define a new Authentication Provider in your WebLogic realm (myrealm). Authentication Providers supported by WebLogic include LDAP, RDBMS, Windows NT, SAML, Password Validator, Identity Assertion, etc.
Before I jump to the step-by-step OID (LDAP) authentication provider configuration for WebLogic, let's first check a few important things:
1. You can configure one or more (minimum one) Authentication Providers in a security realm in WebLogic.
2. Multiple Authentication Providers are called in the order in which they were configured in the security realm.
3. Control Flag (as shown in 4th image from top): used to control how authentication providers are used in the login sequence. These are also called JAAS control flags, and the values are: REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL
REQUIRED - The Authentication provider is always called, and the user must always pass its authentication test. Regardless of whether authentication succeeds or fails, authentication still continues down the list of providers
REQUISITE - The user is required to pass the authentication test of this Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
SUFFICIENT - The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
OPTIONAL - The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
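The following added example (not from the original post) models how an ordered provider list is evaluated, to show why steps 3 and 6 below set both providers to SUFFICIENT. It assumes the standard JAAS combination rules (including that a failed REQUISITE provider ends the sequence); the provider name OIDAuthenticator and the user stores are constructed for illustration.

```python
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

def evaluate_login(providers, username):
    """Walk an ordered provider list the way JAAS combines control flags.

    providers: list of (name, control_flag, set_of_users_the_store_accepts).
    Returns (login_allowed, names_of_providers_actually_called).
    """
    called = []
    has_mandatory = False      # any REQUIRED/REQUISITE provider configured
    mandatory_failed = False   # one of them rejected the user
    any_passed = False
    for name, flag, users in providers:
        called.append(name)
        passed = username in users
        any_passed = any_passed or passed
        if flag in (REQUIRED, REQUISITE):
            has_mandatory = True
            if not passed:
                mandatory_failed = True
                if flag == REQUISITE:
                    break      # standard JAAS: a REQUISITE failure ends the sequence
        elif flag == SUFFICIENT and passed and not mandatory_failed:
            return True, called  # success here skips all later providers
    if has_mandatory:
        return (not mandatory_failed), called
    return any_passed, called   # only SUFFICIENT/OPTIONAL: one pass is needed

# Constructed user stores: the embedded LDAP's two default users and one
# hypothetical OID account.
EMBEDDED = {"weblogic", "OracleSystemUser"}
OID = {"oid_admin1"}

# Realm after adding the OID provider but skipping step 3.
STEP3_SKIPPED = [("DefaultAuthenticator", REQUIRED, EMBEDDED),
                 ("OIDAuthenticator", SUFFICIENT, OID)]
# Realm as configured by steps 3 and 6.
AS_IN_POST = [("DefaultAuthenticator", SUFFICIENT, EMBEDDED),
              ("OIDAuthenticator", SUFFICIENT, OID)]

if __name__ == "__main__":
    for label, realm in (("step 3 skipped", STEP3_SKIPPED), ("as in post", AS_IN_POST)):
        for user in ("weblogic", "oid_admin1", "nobody"):
            print(label, user, evaluate_login(realm, user))
```

With the default provider left at REQUIRED, an OID-only user is rejected even though OID accepts the password; with both set to SUFFICIENT, an embedded-LDAP user logs in without OID being contacted at all.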
Things required to configure OID as authentication Provider in WebLogic
1. OID Server Name
2. OID Port
3. Password for cn=orcladmin account -> WebLogic Server uses this account to connect to LDAP Server
4. BASE DN of your user base in OID -> cn=users, [default OID realm] (usually of format cn=users, dc=uk, dc=co, dc=focusthread)
5. BASE DN of your group base in OID -> cn=groups, [default OID realm] (usually of format cn=groups, dc=uk, dc=co, dc=focusthread)
For steps on how to find OID Port or OID realm click here
How to configure OID as Authentication Provider in WebLogic
1. Log in to WebLogic Console -> Security Realm -> myrealm
2. Select tab Providers -> Authentication -> Default Provider
3. Change Control Flag (JAAS Flag) from REQUIRED to SUFFICIENT
4. Click New to add a new Authentication Provider
5. Select OracleInternetDirectoryAuthenticator
6. Change the control flag to SUFFICIENT for the OID Authentication Provider added above
7. Select the Provider Specific tab and enter your OID server details
Do not forget to change “User Base DN” and “Group Base DN” as per your OID
8. Bounce WebLogic Server
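The console steps above can also be scripted with WLST. This is an added example, not part of the original post: the provider name OIDAuthenticator and the environment variable names are assumptions, and the script must be followed by the server restart in step 8.

```python
import os

OID_TYPE = "weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator"

def configure_oid_provider(realm, host, port, bind_dn, bind_password,
                           user_base_dn, group_base_dn, name="OIDAuthenticator"):
    """Apply steps 2-7 to a RealmMBean inside an open WLST edit session."""
    # Step 3: the embedded-LDAP provider must no longer be mandatory.
    realm.lookupAuthenticationProvider("DefaultAuthenticator").setControlFlag("SUFFICIENT")
    # Steps 4-5: add the OID provider unless a previous run already created it.
    oid = realm.lookupAuthenticationProvider(name)
    if oid is None:
        oid = realm.createAuthenticationProvider(name, OID_TYPE)
    # Step 6: OID is also SUFFICIENT, so either store can authenticate a user.
    oid.setControlFlag("SUFFICIENT")
    # Step 7: provider-specific settings.
    oid.setHost(host)
    oid.setPort(int(port))
    oid.setPrincipal(bind_dn)           # account WebLogic binds to OID with
    oid.setCredential(bind_password)
    oid.setUserBaseDN(user_base_dn)
    oid.setGroupBaseDN(group_base_dn)
    return oid

if __name__ == "main":  # WLST (Jython) runs scripts with __name__ == "main"
    env = os.environ    # hypothetical variable names; keeps secrets out of the file
    connect(env["WLS_USER"], env["WLS_PASSWORD"], env["WLS_ADMIN_URL"])
    edit()
    startEdit()
    configure_oid_provider(
        cmo.getSecurityConfiguration().getDefaultRealm(),
        env["OID_HOST"], env["OID_PORT"],
        "cn=orcladmin", env["OID_BIND_PASSWORD"],
        env["OID_USER_BASE_DN"], env["OID_GROUP_BASE_DN"])
    save()
    activate()
    disconnect()
```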
To test whether the integration is working: create a group (Administrators, Deployers, Operators or Monitors) in OID, add a dummy user as a member of that group, and try to log in to WebLogic Server as that OID user.
How to debug if login to WebLogic via an OID user fails?
You can enable debug on login (Security) to get debug messages in the log file for the actions WebLogic Server performs behind the scenes:
Servers -> AdminServer -> Debug, select WebLogic -> Security and click the Enable button.
You can see the debug messages in $DOMAIN_HOME/servers/AdminServer/logs
9 users commented in " How to integrate WebLogic with Oracle Internet Directory for Login : Authentication "
Nice details.
I have an R12.1 e-business integrated to OID/SSO 10.1.4.3 and the SSO has an external authentication (custom IPASAuthInterface for a smartcard system). Works great for E-business logins. Can I use the same OID/SSO/Smartcard environment for WebLogic 10.3.1 logins as recommended here? It would really help my authentication issues.
@ dbabeege,
Yes, you can use the same OID environment for WebLogic 10.3.1
If you also want SSO (single sign-on) with WebLogic (authentication using OID is different from SSO) then check
documentation here
Hi Atul,
First of all, you’ve done a very nice compilation of all steps needed for LDAP authentication.
After doing all steps, I could see all LDAP users loaded through the ‘Users and Groups’ tab in WLS console. However, I’m unable to log into OBIEE Answers with any LDAP user; it every time says -
Unable to Sign In
An invalid User Name or Password was entered.
I also enabled debugging and checked AdminServer\logs but to no avail. Can you suggest, what could be wrong?
@ Harsh,
Did you deploy OBIEE on WebLogic?
If yes, which version of OBIEE and WebLogic are you running?
Which documentation did you use to deploy OBIEE on WebLogic?
Atul,
I can now access Answers with LDAP users. thanks..
@ Harsh,
Good to hear that. So what was the issue? Was it a simple WebLogic restart or something else?
Thanks Atul. Restarting WebLogic and OPMN services fixed this issue.
Atul - thanks for the SSO document reference. I realize SSO is a little off topic, however I’m trying to follow the document and in section 10.3.2, step 1.e. it has this:
An Oracle Fusion Middleware product such as Oracle Identity Management, Oracle SOA Suite, or Oracle WebCenter is required; it includes the provider required for OSSO by Oracle WebLogic Server in the following path:
ORACLE_INSTANCE/modules/oracle.ossoiap_11.1.1/ossoiap.jar
Any thoughts regarding which environment actually needs this jar file? It doesn’t exist in the existing 10.1.4.3 Identity Management environment. Also, we’ve installed an OHS 10g from the companion CD and we still can’t find the file.
In order to use SSO we need a newer (11g? “Oracle Fusion Middleware”??) identity management environment instead of the 10.1.4.3 IM we use with our e-business suite?
@ Harsh,
This jar file is part of Fusion Middleware 11g of installation type SOA, WebCenter or Identity Management
In my case Fusion MW 11g home is /oracle/apps/fusion/mid with installation type of SOA
/oracle/apps/fusion/mid/Oracle_SOA1/modules/oracle.ossoiap_11.1.1
-bash-3.00# ls
ossoiap.jar