Oracle Access Manager 10.1.4.3 integration with WebLogic Server

Until many people asked me about the integration of Oracle Access Manager 10.1.4.3 (latest version) with WebLogic Server, it did not occur to me to do a write-up on this. Anyway, better late than never.
Before we go into the integration process, check this.

Now you should be having a fair idea on the difference between integration aspects relative to various OAM versions.

Let me give you some background on this integration.

How Single Sign-On works:

Oracle Platform Security Services (OPSS) comprise Oracle WebLogic Server’s internal security framework. A WebLogic domain uses a separate software component called an Authentication provider to store, transport and provide access to security data.

Oracle Fusion Middleware 11g supports two new single sign-on solutions that applications can use to establish and enforce perimeter authentication:

•    Oracle Access Manager Solution
•    Oracle Single Sign-On solution

Oracle Access Manager is part of Oracle’s enterprise class suite of products for identity management and security. The Oracle Authentication provider is a new component that works with Oracle WebLogic Server. An application can use either or both of the Oracle Access Manager Authentication provider features, each of which enables a specific Oracle Access Manager function for WebLogic users:

•    Identity Asserter for Single Sign-On
o    This function uses Oracle Access Manager authentication services and also validates already-authenticated Oracle Access Manager users through the ObSSOCookie and creates a WebLogic-authenticated session. It also provides single sign-on between WebGates and portals.

•    Authenticator
o    This function uses Oracle Access Manager authentication services to authenticate users (based on username and password) who access applications deployed in WebLogic server.

This document describes the setup and configuration of Identity Asserter for Single Sign-On for the applications deployed in WebLogic server.

Identity Asserter:

The Authentication provider for Oracle Access Manager can be configured as the Identity Asserter for single sign-on. In this case, the provider protects Web resources only.

This Identity Asserter for single sign-on uses perimeter authentication performed by WebGate on the Web Tier and the ObSSOCookie to assert the identity of users who try to access protected WebLogic resources.

All requests are routed to a reverse proxy Web Server; requests are intercepted by WebGate. The user is challenged for credentials based on the authentication scheme that is configured within Oracle Access Manager. The recommended scheme is Form (form-based login).

If authentication succeeds, WebGate generates an ObSSOCookie and the Web server's mod_weblogic module forwards the request to Oracle WebLogic Server, which, in turn, invokes the Oracle Access Manager Identity Asserter for single sign-on (with the request and the cookie) for validation.

WebLogic Security Service invokes the Oracle Access Manager Identity Asserter for single sign-on, which gets the ObSSOCookie from the incoming request and populates the subject with a WLSUserImpl principal. The Identity Asserter for single sign-on also adds the WLSGroupImpl principals that correspond to the user’s groups, if any. Oracle Access Manager validates the cookie.

The architecture diagram is almost the same as the one here, except that the SSPI Connector is not explicitly installed in the WebLogic Server (instead, an implementation jar file is copied to the WebLogic Server location). Here is the architecture diagram.


Oracle Access Manager Identity Asserter with Web-only Applications

  1. A user attempts to access an Oracle Access Manager protected Web application that is deployed on the Oracle WebLogic Server.
  2. WebGate on a reverse proxy Web server intercepts the request and queries the Oracle Access Manager Access Server to check whether the requested resource is protected.
  3. If the requested resource is protected, WebGate challenges the user for credentials based on the type of Oracle Access Manager authentication scheme configured for the resource (Oracle recommends Form Login). The user presents credentials such as user name and password.
  4. WebGate forwards the authentication request to the Access Server.
  5. Access Server validates the user credentials against those stored in the user directory and returns the response to WebGate. Processing continues based on the result:

     Successful Authentication: Processing continues with Step 6.

     Authentication Not Successful: The login form appears asking the user for credentials again; no error is reported.

  6. Access Server generates the session token and sends it to WebGate. WebGate sets the ObSSOCookie to the value returned from Access Server. The Web server forwards this request to the proxy, which in turn forwards the request to the Oracle WebLogic Server using the mod_weblogic plug-in.
  7. mod_weblogic forwards requests as directed by its configuration.
  8. WebLogic Server security service invokes the Oracle Access Manager Identity Asserter for single sign-on, which is configured to accept tokens of type “ObSSOCookie”. The Identity Asserter initializes a CallbackHandler with the ObSSOCookie. In addition, the Identity Asserter sets up a NameCallback with the username for downstream LoginModules.
  9. Oracle WebLogic Security service authorizes the user and allows access to the requested resource.
  10. A response is sent back to the reverse proxy Web server.
  11. A response is sent back to the browser.

As part of this integration process, I assume that OAM is already installed, up and running.

Now, we dive into the actual integration process.

  1. When you use the Oracle Access Manager Identity Asserter, all web.xml files in the application EAR/WAR file must specify CLIENT-CERT in the auth-method element for the appropriate realm, as shown below.

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>myRealm</realm-name>
    </login-config>

  2. Confirming mod_weblogic for Oracle Access Manager Identity Asserter: open the httpd.conf file of the OHS 11g server and add/uncomment the text shown below.

    <IfModule mod_weblogic.c>
      WebLogicHost oam.oracle.com
      WebLogicPort 7002
    </IfModule>

    <Location /CustomWebApplication>
      SetHandler weblogic-handler
    </Location>

  3. Create OAM objects such as host identifiers, authentication scheme, WebGate profile and policy domain using the OAM Configuration tool, as shown below.

    export JAVA_HOME=/identity_mgmt/Oracle/Middleware/jdk160_11

    $JAVA_HOME/bin/java -jar /installs/11g/11g/oam/oamcfgtool/oamcfgtool.jar mode=CREATE app_domain=IASSO_App1 web_domain=IASSO_App1 protected_uris="/Marketing/index.jsp,/Finance/home.jsp" app_agent_password=welcome1 ldap_host=itechdemo.us.oracle.com ldap_port=3060 ldap_userdn=orcladmin ldap_userpassword=welcome1 oam_aaa_host=itechdemo.us.oracle.com oam_aaa_port=6021

app_domain – policy domain name to be created
web_domain – host identifier will be created with this name
webgate profile – will be created with the name <web_domain>_AG
protected_uris – resources to be protected
app_agent_password – WebGate password
ldap_host – OID hostname
ldap_port – OID port
ldap_userdn – OID administrator username
ldap_userpassword – OID admin password
oam_aaa_host – hostname where the Access Server is installed
oam_aaa_port – Access Server port (in this case, 6021)

4. Modify the host identifier to include your hostname:WebLogic-port and hostname:proxy-server-port details.

5. Add the resource type wl_authen with following details.

Resource Name: wl_authen

Resource Matching: Case Insensitive

Resource Operation: Login

6. Install the WebGate on the OHS web server.

7. Check the login.html presence in the WebGate installed directory under WebGate_dir/access/oamsso/login.html.

8. Copy the oamAuthenProvider.jar to the location WebLogic_dir/wlsserver_10.3/server/lib/mbeantypes.

9. Check the end of the WebGate configuration parameters in the OHS httpd.conf file for the presence of the oamsso Alias entry, to ensure that WebGate can find the login form.

10. Go to the WebLogic console, myrealm, and click on the Providers tab.

11. Create two providers: an LDAPAuthenticator and an OAMIdentityAsserter.

12. In the OAMIdentityAsserter provider-specific tab, specify the Access Server details such as port, host name, etc.

13.  Similarly in the LDAPAuthenticator, provide the LDAP details.

14. Mark the flags for LDAPAuthenticator as SUFFICIENT and for OAMIDAsserter as REQUIRED. Change the flag values for DefaultAuthenticator to SUFFICIENT.

15. Reorder the providers as OAMIDAsserter, LDAPAuthenticator, DefaultAuthenticator, Default Asserter.

16.  Now test the WebApplication as you should be able to see the login form to enter your credentials. Upon entering the valid login details, you should be able to see the requested resource.
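As a pre-flight check for the web.xml and httpd.conf edits in steps 1, 2 and 9, here is an added example (not code from the original post or from Oracle) that parses both files and reports what is missing; the sample file contents and the /placeholder path are constructed.

```python
import re
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip a namespace prefix ({uri}name -> name); web.xml usually carries a default namespace."""
    return tag.rsplit('}', 1)[-1]

def check_web_xml(web_xml_text):
    """Step 1: every <login-config> must use CLIENT-CERT, otherwise WebLogic never calls the asserter."""
    problems = []
    configs = [e for e in ET.fromstring(web_xml_text).iter() if _local(e.tag) == 'login-config']
    if not configs:
        problems.append('no <login-config> element')
    for cfg in configs:
        method = next((c.text or '' for c in cfg if _local(c.tag) == 'auth-method'), '').strip()
        if method != 'CLIENT-CERT':
            problems.append('auth-method is %r, expected CLIENT-CERT' % method)
    return problems

def check_httpd_conf(conf_text, app_context):
    """Steps 2 and 9: mod_weblogic block, the application's Location handler and the oamsso Alias."""
    problems = []
    block = re.search(r'<IfModule\s+mod_weblogic\.c>(.*?)</IfModule>', conf_text, re.S | re.I)
    if block is None:
        problems.append('missing <IfModule mod_weblogic.c> block')
    else:
        for directive in ('WebLogicHost', 'WebLogicPort'):
            if not re.search(r'^\s*%s\s+\S+' % directive, block.group(1), re.M):
                problems.append('missing %s directive' % directive)
    loc = re.search(r'<Location\s+%s>(.*?)</Location>' % re.escape(app_context), conf_text, re.S)
    if loc is None or 'SetHandler weblogic-handler' not in loc.group(1):
        problems.append('%s is not routed to WebLogic via SetHandler weblogic-handler' % app_context)
    # Without the oamsso alias WebGate cannot find login.html (step 9) and the form never appears.
    if not re.search(r'^\s*Alias\s+/oamsso\s+\S+', conf_text, re.M | re.I):
        problems.append('no "Alias /oamsso" line; WebGate cannot serve the login form')
    return problems

# Constructed samples mirroring the snippets in steps 1 and 2 (not real files; the path is a placeholder).
GOOD_WEB_XML = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><login-config><auth-method>'
                'CLIENT-CERT</auth-method><realm-name>myRealm</realm-name></login-config></web-app>')
GOOD_HTTPD_CONF = """<IfModule mod_weblogic.c>
  WebLogicHost oam.oracle.com
  WebLogicPort 7002
</IfModule>
<Location /CustomWebApplication>
  SetHandler weblogic-handler
</Location>
Alias /oamsso "/placeholder/webgate/access/oamsso"
"""
```

Run check_web_xml on each web.xml in the EAR/WAR and check_httpd_conf on the OHS httpd.conf; an empty list means that part of the setup matches the steps above.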

References:

OAM Documentation

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look at my blog: http://talkidentity.blogspot.com

9 comments
MPunch says May 14, 2010

Hi,

Nice article. I was wondering if you could explain to me what the OAMAuthenticator & OracleIdentityDirectoryAuthenticator provider are used for? What are the scenarios that would dictate which one to use? Could you direct me to any documentation you know of?

Thanks.

Atul Kumar says May 15, 2010

@MPunch,
If you want your application to authenticate via OID then you use OracleIdentityDirectoryAuthenticator, whereas if you want your application to authenticate via OAM (Access Manager) then use OAMAuthenticator.

OAM provides better access control and it uses a Directory Server like OID or AD to store users and policies.

There is plenty of documentation on both OID & OAM, but if you are looking for which one to pick, then it is a question like: should I authenticate via my LDAP server or via my Access Management software? Then my choice would be against access management software (provided I have one).

Oracle Access Manager is Oracle’s recommended Single Sign-On solution for Fusion Middleware products.

For basics of OAM check this

http://onlineappsdba.com/index.php/2010/04/25/introduction-to-oracle-access-manager-identity-and-access-system-webpass-webgate-policy-manager/

Mahendra says May 17, 2010

Hi MPunch,

Yes, Atul is correct. In general the customer requirement will be to achieve SSO between WebLogic and non-WebLogic apps protected by OAM. In this case, we need the OID Authenticator in addition to OAMIDAsserter. But if you just want to authenticate your WLS application against OAM, then you need OAMAuthenticator.
Hope this helps.

Mahendra.

Harvey says June 9, 2010

The OAMIdentityAsserter tab has entries for “Trust Store” and “Key Store”. I cannot find any documentation on these. Can you tell me what keys are in these stores?

Harvey

Mahendra says June 10, 2010

Harvey,

Keystore entries are for SSL purposes. When you have a certificate, you will create a keystore and put those entries there.

Mahendra.

MPunch says June 15, 2010

Hi,

I have another question in regards to WLS to OAM integration. I’m currently writing a “custom” access gate that is creating a single sign-on session with OAM through the Access Server SDK. After establishing this session I set the obSSOCookie with the session token and perform a redirect to a protected resource configured in WebGate.

Right now it seems WebGate is not recognizing the obSSOCookie and forcing me to do a re-authentication. If I go through WebGate to perform the initial login everything seems to be working correctly even though the obSSOCookie seems to be resetting with every request.

I thought WebGate will only force an authentication if the obSSOCookie is not present or the value is not valid?

Could you please shed some light on this issue I’m having?

Thanks,
MPunch

Mahendra says June 16, 2010

Hi MPunch,

I don't think the regular access gate with the SDK works with WLS because of its own proprietary security framework. This may work out with other web servers like Tomcat and JBoss. Hence I would suggest integrating OAM with WLS as suggested in the Integration guides. Place a web server with a WebGate in front of WLS. This will be used for SSO purposes. The other application with a WebGate that you are accessing will accept that cookie very well.

HTH.
Mahendra.

MPunch says June 16, 2010

Hi,

Thanks for the quick response. Unfortunately this will not satisfy the requirements I have. I was under the assumption that the only thing WebGate needed to track an SSO session was the obssocookie and that it itself was using the Access Server SDK to perform its operations.

I was able to see one application assert a user after a redirect from the app I had written which went through a WebGate. This application relied on the remote_user header variable that WebGate sets so I know it is indeed doing something with the obssocookie I set.

If you think of anything please do let me know. I appreciate all the help.

Thanks,
MPunch

Mahendra says June 16, 2010

Hi MPunch,

Here are my thoughts.

In that case, you would need to write your own custom identity asserter and custom authentication provider. You have to use Access SDK in this case. But again, I would not suggest this approach because Oracle already provides OOTB integration with WLS and OAM.

So, once the WebGate authenticates the user and creates the cookie, it passes the cookie to the Identity Asserter sitting in the WLS framework. This asserter will extract the cookie information and will authenticate against OAM using the SDK.

Again, I have not tried this solution yet.

Hope this helps.
