Authentication Providers in #WebLogic – Oracle Access Manager Identity Assertion for Single Sign-On and OAM Authenticator

OAM (Oracle Access Manager) is the recommended Single Sign-On solution for Fusion Middleware products (SOA, WebCenter, OSB, UCM, ...).

ObSSOCookie is the cookie generated by OAM for users authenticated via OAM.

What is an Authentication Provider in WebLogic Server?
WebLogic Server includes numerous Authentication security providers. Given a username and password credential pair, such a provider attempts to find a corresponding user in the provider’s data store (LDAP, database or other data store). In addition to these username/password-based security providers, WebLogic Server includes Identity Assertion Authentication providers, which use certificates or security tokens, rather than username/password pairs, as credentials.

For more on authentication providers in WebLogic Server, and for the steps to configure them, see "Configure Authentication and Identity Assertion providers" in the Administration Console Online Help for WebLogic.

  • To configure OID (Oracle Internet Directory) as Authentication Provider in WebLogic click here


OAM Authentication Provider for WebLogic

Oracle Access Manager Authentication Provider (oamAuthnProvider.jar, part of OAM 10.1.4.3) provides two functions, “Identity Assertion for Single Sign-On” and “Authenticator”, which can be integrated with WebLogic Server.

a) OAM Identity Assertion for Single Sign-On – This authentication provider in WebLogic Server uses the OAM authentication service, validates already-authenticated users (users with an ObSSOCookie) and creates a WebLogic-authenticated session. This function (OAM Identity Assertion) also provides single sign-on between WebGates and portals (WebCenter, SOA, ...).

b) OAM Authenticator – This authentication provider in WebLogic Server uses the OAM authentication service to authenticate users who access applications deployed in WebLogic Server.

  • If you have Oracle Fusion Middleware 11g of type WebCenter, SOA or Identity Management, then “OAM Identity Assertion for Single Sign-On” and “OAM Authenticator” should already be available in your WebLogic authentication providers.
  • If you have a standalone WebLogic Server (no SOA, WebCenter or Identity Management), then you can get these two providers (“OAM Identity Assertion for Single Sign-On” and “OAM Authenticator”) by downloading oamAuthnProvider.jar from OTN (Oracle Technology Network).


a) oamAuthnProvider.jar: Includes files for both the Oracle Access Manager Identity Asserter for single sign-on and the Authenticator for Oracle WebLogic Server 10.3.1.
b) oamauthenticationprovider.war: (optional component) Restricts the list of providers that you see in the Oracle WebLogic Server Console to only those needed for use with Oracle Access Manager. (This application is required only if you wish to restrict the WebLogic console to showing only the two authentication providers.)
c) oamcfgtool.jar: (optional component) A script that automates creation of the Oracle Access Manager form-based authentication scheme, policy domain, access policies, and WebGate profile for the Identity Asserter for single sign-on. You can also configure all of these steps (as done by oamcfgtool.jar) manually.


More on OAM Identity Assertion for Single Sign-On and OAM Authenticator coming soon.

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.


49 comments
KINGSTAR says April 28, 2011

I am working on Windows 2003 and 2008.
- I need a very detailed doc with snapshots on how to build OAM 11g as SSO for the UCM server and others like IIS... and what software I have to install for that.
- Please make this doc explain it at a low level.

Reply
Atul Kumar says April 28, 2011

@ KINGSTAR,
I am currently working on integrating UCM/OBIEE/DISCO with OAM 11g SSO. I don’t have all the steps yet, but for a start you can do

1. Install OID 11g (11.1.1.4) using http://onlineappsdba.com/index.php/2011/03/23/install-oracle-identity-management-oimidm-11114-oid-ovd-oif-high-level-steps/

2. Install OAM 11g (11.1.1.3) using http://onlineappsdba.com/index.php/2010/08/05/oracleidm-11g-step-by-installation-of-oam-oim-oaam-oapm-oin-111130-part-i-load-schema/

3. Install UCM 11g (11.1.1.4)

4. Change OAM’s Identity Store to OID 11g using http://onlineappsdba.com/index.php/2011/04/27/how-to-integrate-oam-11g-with-oid-11g-for-useridentity-store/

5. Install OHS in front of UCM and configure access of UCM via OHS

6. Integrate UCM with OID 11g – steps coming soon – for time being read http://onlineappsdba.com/index.php/2011/04/16/integrate-oracle-ecmucm-content-management-11g-with-oracle-internet-directory-ldap-server-things-you-must-know/

7. Create webgate instance in OAM 11g for OHS 11g (configured with UCM) using http://onlineappsdba.com/index.php/2011/01/10/part-ix-install-oam-agent-11g-webgate-with-oam-11g/ (You need to configure UCM URL access via OAM. I’ll discuss this step in detail later)

Step 7 with some additional steps will configure SSO.

Hope this helps.

Reply
KINGSTAR says April 30, 2011

Dear Atul,
A lot of thanks for your response.
Sorry for being late. I have already finished steps 1, 2, 3,
but please send me the version for OHS, and the documents on how to configure access of UCM via OHS.
I will read the Integrate Oracle ECM/UCM post, but when will the steps come?
Also, there are some additional details in step 7; when will you post them?

Reply
Atul Kumar says April 30, 2011

@ Kingstar,
Are you using IIS with UCM or would like to use OHS ?

If OHS then check this link http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/ (replace console with UCM server uri and port 7001 with UCM server port )

check link http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15483/extend_ucm.htm#CHDJFGJH

For chapter 7, steps for creating webgate instance and installing webgate are mentioned in my book at https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

I’ll post UCM specific tasks in chapter 12 of this book.

Reply
KINGSTAR says May 1, 2011

I will buy the book tomorrow, then I will send you the feedback

Reply
KINGSTAR says May 2, 2011

Dear Atul,
after changing OAM’s Identity Store to OID 11g, and it gives me a successful connection, I can’t log on to http://localhost:7001/oamconsole/faces/pages/AuthZError.jspx?_afrWindowMode=0&_afrLoop=527309410672221&_adf.ctrl-state=74e2vs79f_19

Access Denied
Access to administration console is restricted.
I tried multiple users and can’t log on

Reply
KINGSTAR says May 2, 2011

Sorry Atul,
I solved it, so ignore my last comment

Reply
Atul Kumar says May 2, 2011

@ KINGSTAR,
Good to hear that your issue is fixed. Could you please share what the issue was and what you did to fix it?

(Was this related to the administrator group for OAM?)

Reply
KINGSTAR says May 2, 2011

Dear,
mainly it was a misconfiguration in the steps you sent to me.
I reconfigured it step by step and it works well.
Thanks

Reply
KINGSTAR says May 3, 2011

Dear Atul,
I bought your book this evening. I have been trying to configure the SSO based on the scenario you have described to me. Yet, I am not able to configure OHS as a web tier for WebLogic Server. I used OHS 11.1.1.2 but I was never able to be redirected to the WebLogic URL through OHS.
We edited the file (mod_wl_ohs.conf) manually as described in: http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/

Are there any other configurations other than the ones I did, or is it the problem of a non-compliant OHS version?

Many thanks, Atul

Reply
Atul Kumar says May 3, 2011

@ KINGSTAR,
Thanks for purchasing the book.

Regarding your OHS config issue, could you please share what URL you want to configure via OHS?

Update the entry for mod_wl_ohs.conf

Post your UCM WebLogic managed server port too

Reply
KINGSTAR says May 3, 2011

These are the modifications I made on the mod_wl_ohs file (does the hash preceding a line comment it out in the cfg file?)

I tried the URL: http://vmucm:7777/console

to access the WebLogic console on the same machine where OHS is installed; it shows a "page cannot be displayed" message.

Yet when I access the WebLogic console directly: http://vmucm:7001/console
or access the OHS console: http://vmucm:7777
both URLs work properly and show both consoles.

Another question is that you referred me to another document that has configurations for OHS, Link: (http://download.oracle.com/docs/cd/E12839_01/web.1111/e10144/getstart.htm#BEHGIDCB)
Section: (4.4.4 Configuring the mod_wl_ohs Module)

It shows a snapshot of an administration screen that I cannot find. Is this a WebLogic administration screen?

Is this additional configuration required, or is modifying the mod_wl_ohs file enough?

# WebLogicHost
# WebLogicPort
# Debug ON
# WLLogFile /tmp/weblogic.log
# MatchExpression *.jsp

#
# SetHandler weblogic-handler
# PathTrim /weblogic
# ErrorPage http:/vmucm:7001/
#

Reply
KINGSTAR says May 3, 2011

Dear Atul,

This is the body of the modified file: mod_wl_ohs.config (PS: does the hash key in front of a line in the config file comment it out?)

This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level

WebLogicHost
WebLogicPort
Debug ON
WLLogFile /tmp/weblogic.log
MatchExpression *.jsp

SetHandler weblogic-handler
PathTrim /weblogic
ErrorPage http:/vmucm:7001/

The link I am trying to access is: (http:/vmucm:7777/console). It should redirect me to the WebLogic console page; it shows a "page cannot be found" message.

Yet, when I try to access both the WebLogic or the OHS console directly they work fine.

One other question is that you’ve referred me to a page that had more configurations for OHS, Page: (http://download.oracle.com/docs/cd/E12839_01/web.1111/e10144/getstart.htm#BEHGIDCB)
Section: (4.4.4 Configuring the mod_wl_ohs Module)

I can’t seem to locate where this admin screen is. And is this additional configuration required, or is the mod_wl_ohs modification enough?

Reply
Atul Kumar says May 3, 2011

@ Kingstar,
Please post mod_wl_ohs related issues in the respective post so others can get help from it. Your hostname and port values are missing in the entry.

Post query in http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/

Reply
KINGSTAR says May 3, 2011

Dear Atul,
I am still stuck on installing OHS, and I didn’t get any response from onlineappsdba.
I started installing OAM 10.1.4 but I need your guidance and advice:
keep working on 11g or turn to 10.1.4?
Best regards

Reply
Atul Kumar says May 3, 2011

@ Kingstar,
As mentioned in my comment on http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/

do not use /em but update the config file directly as per my comment.

Don’t go for 10g, stick to OAM 11g (these issues are common in all new implementations)

Reply
KINGSTAR says May 8, 2011

Dear Atul,
As I mentioned before, I installed WebLogic 10.3.4.0 and OHS 11.1.1.4.
I modified the mod_wl_ohs file as in the page

(http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/)

but it still didn’t work. Pal, I spent 3 days on these steps, please advise

Reply
Atul Kumar says May 8, 2011

@KINGSTAR,
This is a very simple configuration; as mentioned, do not use /em (just edit manually)

I would like to see the entry you made in httpd.conf (the section under which you added the module related to WebLogic)

1. From httpd.conf, paste the section where you added the WebLogic related configuration.
2. Listen, Port and ServerName variable values from httpd.conf
3. What is the WebLogic admin server port?
4. On what server is WebLogic running?

Reply
KINGSTAR says May 8, 2011

I made the edits in the mod_wl_ohs file.
I added:

SetHandler weblogic-handler
WebLogicHost ucmhost
WeblogicPort 7001

*where ucmhost is localhost

I didn’t edit anything in httpd
7001
Both OHS and WLS are on the same server

Reply
Atul Kumar says May 8, 2011

@ Kingstar,

1. Remove the entry you made in mod_wl_ohs.conf and add a new entry like

[Location /console]
SetHandler weblogic-handler
WebLogicHost ucmhost
WeblogicPort 7001
[/Location]

Replace [ by less than sign

2. Restart http server

3. Access /console via OHS url

If this still doesn’t work, install TeamViewer (http://teamviewer.com) and send me the TeamViewer ID and password (I can do this just today in the next 1-2 hours)

Reply
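The mod_wl_ohs.conf entries posted in the comments above fail in three ways: every directive commented out with #, WebLogicHost/WebLogicPort given no value, and SetHandler placed outside a Location block. The check below is an added example, not part of the original thread and not Oracle tooling; the function name, finding codes and sample files (including the angle-bracket tags restored in them) are constructed for illustration.

```python
import re

BACKEND = ("weblogichost", "weblogicport", "weblogiccluster")

def lint_mod_wl_ohs(text):
    """Return sorted (code, detail) findings for a mod_wl_ohs.conf body."""
    findings = set()
    scopes = {None: {}}  # None = server level; other keys are <Location> paths
    handlers = []        # scopes with an active "SetHandler weblogic-handler"
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # a leading '#' disables the line
            continue
        opened = re.match(r"<Location\s+([^>]+)>$", line, re.I)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, {})
            continue
        if re.match(r"</Location>$", line, re.I):
            current = None
            continue
        if line.startswith("<"):  # other containers keep the current scope
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()  # Apache directive names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if name in BACKEND:
            if value:
                scopes[current][name] = value
            else:
                findings.add(("no-value", name))
        elif name == "sethandler" and value.lower() == "weblogic-handler":
            handlers.append(current)
    if not handlers:
        findings.add(("no-active-handler", "-"))
    for scope in handlers:
        if scope is None:
            findings.add(("handler-not-in-location", "-"))
        # A Location inherits host/port set at server level.
        merged = {**scopes[None], **scopes[scope]}
        if "weblogiccluster" not in merged and not (
                "weblogichost" in merged and "weblogicport" in merged):
            findings.add(("no-backend", scope or "server"))
    return sorted(findings)

# Constructed samples modelled on the entries posted in the thread.
COMMENTED = "# WebLogicHost\n# WebLogicPort\n# SetHandler weblogic-handler\n"
EMPTY = """WebLogicHost
WebLogicPort
<Location /weblogic>
SetHandler weblogic-handler
PathTrim /weblogic
</Location>
"""
UNSCOPED = "SetHandler weblogic-handler\nWebLogicHost ucmhost\nWeblogicPort 7001\n"
FIXED = """<Location /console>
SetHandler weblogic-handler
WebLogicHost ucmhost
WeblogicPort 7001
</Location>
"""

if __name__ == "__main__":
    for label, conf in [("commented", COMMENTED), ("empty", EMPTY),
                        ("unscoped", UNSCOPED), ("fixed", FIXED)]:
        print(label, lint_mod_wl_ohs(conf))
```
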
KINGSTAR says May 8, 2011

646 584 067
9744
Please open a txt file and chat what you want to ask

Reply
Atul Kumar says May 8, 2011

@ KINGSTAR, not able to connect to this TeamViewer ID, check if this is accessible

Reply
KINGSTAR says May 8, 2011

646 584 067

8804

Reply
KINGSTAR says May 8, 2011

Dear Atul,
Many thanks for your support and for solving the OHS problem, also for the telephone call.
Now I will start step 6 - Integrate UCM with OID 11g – steps coming soon – for time being read http://onlineappsdba.com/index.php/2011/04/16/integrate-oracle-ecmucm-content-management-11g-with-oracle-internet-directory-ldap-server-things-you-must-know/
Any advice?

Reply
KINGSTAR says May 9, 2011

Dear Atul,
Now I have reached step
6. Integrate UCM with OID 11g – steps coming soon – for time being read http://onlineappsdba.com/index.php/2011/04/16/integrate-oracle-ecmucm-content-management-11g-with-oracle-internet-directory-ldap-server-things-you-must-know/
Also, step 7 will be in the book,
so what can I do now?

Reply
Atul Kumar says May 9, 2011

@ KINGSTAR,
Migrate users, policy and credential store to OID.

Reply
KINGSTAR says May 10, 2011

Dear Atul
I have changed OAM’s Identity Store to OID.

How do I migrate users, policy and credential store to OID? Any links, docs...

Reply
elkouz says May 11, 2011

Hi Atul,

I am working on a test scenario for an SSO on UCM. I have read this thread and it was very helpful, till I got to this step where I can’t progress any further.
I was working in accordance with your post step by step till step 7, which I am still working on.

I have four separate machines in this test case:
1. OID
2. OAM that is configured to use OID as an identity store.
3. UCM which is using the same OID as an LDAP
4. OHS which is configured to forward URLs to the UCM.

What else am I missing to achieve a running SSO?

Reply
Atul Kumar says May 11, 2011

@ Kingstar, I am going to cover this on this blog in a week’s time. Stay tuned

Reply
Atul Kumar says May 11, 2011

@ elkouz

Things missing in your case are

1. WebGate instance in OAM
2. Webgate installation with OHS
3. Policy to protect/unprotect UCM

Reply
elkouz says May 15, 2011

Dear Atul,

Correct me if I am wrong:
1- OHS redirects the traffic to the UCM server (login page)
2- I configured a WebGate instance in OAM for OHS
3- I installed the Oracle Access Manager – OHS 11g WebGates on the OHS server

Is it right?

BR

Reply
elkouz says May 15, 2011

Dear Atul,

I have continued working on the implementation of SSO on OAM and UCM.

This is the second time I have implemented this step, which is listed as step 6.1 of your blog, linked: http://onlineappsdba.com/index.php/2011/01/10/part-ix-install-oam-agent-11g-webgate-with-oam-11g/#comment-138836

Whenever I reach this point everything stops working, while everything before this point works just fine. For example: when I enter the URL of the UCM preceded by the OHS URL, the OHS redirects me back to the UCM page, and so does every other URL defined in the mod_wl_ohs file,
while after finishing step 6.1 OHS stops redirecting URLs.
Kindly advise on what configurations I am missing.
Regards,
Khaled elkouz

Reply
Atul Kumar says May 15, 2011

@ elkouz,
After installing/configuring WebGate with OHS 11g, can you start OHS 11g without issues?

Please note that We also provide remote consulting where we can fix your issues remotely on a reasonable fee. Please share your contact details or contact us at admin @ onlineAppsDBA.com or atul @ onlineAppsDBA.com

Reply
elkouz says May 16, 2011

Yes, the OHS is started but it didn’t seem to work (it didn’t redirect the URL traffic) to UCM,
so when I test the URL no page is displayed.

It happened, as I told you in the previous comment, after step 6.1,
but before that the OHS was working fine

Reply
elkouz says May 16, 2011

Dear Atul,
when I turned the OAM server off and tried to access the UCM link from the OHS server I got this output on the webpage:

Oracle Access Manager Operation Error
The WebGate plug-in is unable to contact any Access Servers. Contact your website administrator to remedy this problem.

I thought it might be useful for you to figure out the problem I have.
Thank you

Reply
Atul Kumar says May 16, 2011

@ elkouz,
This means that UCM related configuration is missing in the OAM Console (for the application domain which you created during WebGate registration)

Reply
Vit says August 23, 2012

Dear Atul,
Is it possible to enable WebLogic Single Sign-On without having OIM/OAM?
I’m new to WebLogic and have a WebSphere background. WebSphere has a feature called LTPA that can do single sign-on. I wonder whether WebLogic has something similar to this.
Thanks in advance,

Reply
joe says August 31, 2012

Hey,

I have WebLogic/OHS and Webcache all on the same server.
On my other server, when I go to server:7001/em
and click on webcache, on the right panel I see the host listed as origin server. But for one server it does not. Any idea what could be the issue?

DBA is out for now..

Thanks
Joe

Reply
    Atul Kumar says August 31, 2012

    @joe,
    What do you mean by “on my other server” & “But for one server it does not”, I don’t think I understand your issue – please explain ?

    Reply
joe says August 31, 2012

Atul – I have other WebLogic servers with OHS and Webcache components installed.
And on these servers the Webcache panel shows the “origin server” listed under it

But one server where WebLogic with OHS and Webcache is installed does not show the host listed under the “origin server” for webcache
I go to this server: server:7001/em
click on web tier / click on webcache / on the right panel there is a heading for “origin server” and under it there are no servers listed

Reply
fox says November 17, 2012

I keep getting this when I try to log in to my site: Oracle Access Manager Operation Error
Access to the URL has been denied for user .

Contact your website administrator to remedy this problem.

Reply
    Atul Kumar says November 17, 2012

    @ Fox,

    What is URL ?
    Is this for all the URLs ?
    Is this for all the Users ?
    What version of WebGate do you have ?

    Reply
    Atul Kumar says April 18, 2013

    @ Fox,
    This could be for multiple reasons –
    What is WebGate version (10g or 11g) ?
    What is flag ‘Deny on not protected’ for webgate that is protecting the URL ?
    Is this URL allowed in OAM server ?

    Reply
jbright says November 19, 2012

I want to use OAM to secure the SOAP & REST based webservices created using Apache CXF.

Could somebody guide me thru…

or pls provide me some links..

I’ve downloaded the ofm_oam_sdk_generic_11.1.1.5.0 which is having only one .jar file
oamasdk-api.jar

Reply
rmallamp@yahoo.com says April 3, 2013

Hi Atul and other experienced techies.

I am trying to implement SSO between a custom application that is deployed on WebLogic 10.3 and OAM (10.1.4.3). Here is the configuration:

I have an apache 2.2.23 configured as a reverse proxy in front of WebLogic 10.3. I have installed webgate on apache and it is communicating with OAM.

I have deployed the oamAuthnProvider.jar file to mbeantypes folder under weblogic server/lib.
Configured an identityasserter based on the oamauthnprovider and populated the provider specific items such access gate name, password, etc.

Everything is fine so far. I have created a virtual host entry in apache that points to the application that is deployed on WebLogic.

Here is the problem:
======================
When I access the secured URL through apache the webgate is intercepting the http request and requesting user credentials. After providing the credentials, the webgate is authenticating the user against OAM and getting obSSOCookie and forwarding the request to WebLogic (so far so good).

WebLogic in-turn sending the obSSOCookie to OAM for validation. That’s when I am getting the following error.

I have confirmed with my OAM Identity team all the passwords and other configuration parameters are exactly what they have in OAM. It is very puzzling why I am getting this error. One more piece of information, both webgate and the weblogic identity asserter are using the same access gate.

Any help to unravel this error is highly appreciated.

Thanks
Raj

Reply
    Atul Kumar says April 18, 2013

    @rmallamp@yahoo.com
    What all Authentication providers did you configure in Weblogic security realm ? What is JAAS flag for these newly added authentication providers ?

    Reply
N.Srikanth says April 17, 2013

Hi Atul,

What is the difference between OID and OAM…

Reply
    Atul Kumar says April 18, 2013

    OID is the user/group repository (LDAP server) where users that try to log in to the OAM server are stored.

    OAM server is a single sign-on application that takes the user’s credentials, validates them against OID (or an LDAP server) and creates a user session to pass on to the business application.

    Reply
Narendra says January 28, 2014

Hi Atul,

My application is running on JBoss (http://xxx.sample.com:8080/sample) and I have an Apache proxy server which forwards all the requests to JBoss. I protected the Apache URL (http://yyy.sample.com/sample) with OAM 11g by using WebGate 10g.
My resource protection is like /sample/…/*

But if I access http://yyy.sample.com/sample/headers.jsp it redirects to the OAM SSO login page, and after successful authentication it redirects to http://yyy.sample.com/sample/dashboard.jsp, which is configured as the success URL in the authentication policy.

How can I manage to redirect back to /sample/headers.jsp without affecting the actual authentication policy?

Reply