Integration of Oracle Access Manager with Oracle Identity Manager

This post covers the steps for Integration of Oracle Access Manager with Oracle Identity Manager.

The objective of this integration is to protect the Oracle Identity Manager User Administration Console using Oracle Access Manager.

The authentication scheme used in this Post is Form Based authentication. The other schemes such as Basic Over LDAP, Certificate and Custom are also possible but are not covered in this post.

In this case, OIM is deployed in Oracle Application Server and hence this post will cover only configurations required for OAS as part of this integration.

During the time of installation of Oracle Identity Manager, we would select Default Mode generally, wherein the OIM will handle the authentication by itself. The other option available is Single sign-on mode, wherein the OIM looks for a header variable passed by external authentication system (it is OAM in our case).

The architecture is as given below.

OAM-OIM

The integration flow is explained below:

  1. User access the OIM user administration console.
  2. The WebGate installed on WebServer (acting as proxy server for Application Server where OIM is deployed) will intercept that request and check if the OIM is protected or not and accordingly challenges the user as per the authentication scheme configured.
  3. Form page gets displayed and user enters credentials.
  4. WebGate passes login details to Access Server for authentication.
  5. Upon successful authentication, Access Server generates ObSSOCookie and sends it to  WebGate which in turn sends it to browser. WebGate checks with Access Server if the user is authorized to access the resource or not.
  6. Upon successful authorization,WebGate will execute the authorization actions which sets userid header variable.
  7. The WebServer will forward the request to the Oracle Identity Manager and it is configured to read the header variable and treats that userid as logged in user.

Configuration changes:

  • We assume that OIM is already deployed in Oracle Application Server. A WebServer acting as proxy server is also installed and configured accordingly.
  • We need to install a WebGate on the WebServer.
  • Create Policy Domain in OAM with resource to be protected as host:port/xlWebApp
  • Create Authorization rule accordingly and set the action tab to set the HeaderVar as userid as shown below.
  • HeaderVar                 HTTP_REMOTE_USERID             uid
  • Configure Authentication Rule and Authorization expression in Default Rules.
  • Enable the policy domain.
  • Stop the Application Server gracefully where OIM is deployed.
  • Open the file OIM_HOME/xellerate/config/xlconfig.xml and change the Authentication and AuthHeader elements to SSO and  HTTP_REMOTE_USERID  respectively as shown below.
  • From
    <web-client>
    <Authentication>Default</Authentication>
    <AuthHeader>REMOTE_USER</AuthHeader>
    </web-client>
  • To
    <web-client>
    <Authentication>SSO</Authentication>
    <AuthHeader>SSO_HEADER_NAME</AuthHeader>
    </web-client>
  • Start the Application server.

Test the integration:
Access the OIM console i.e., http://host:port/xlWebApp and you will notice the Form page is displayed for entering the credentials. Enter the login details and see if the logged in user shown on Right side is the actual user logged in.

Observations:

You can observe that the Logout link vanishes after OAM-OIM integration. This is because OIM will be expecting the Logout page specification from OAM as it is already integrated for SSO configuration. I will cover this part in the next post.

References:

Oracle Docs

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

8 comments
dearsud1981 says September 13, 2010

Hi Mahendra,

Its nice post however i would like to understand step 6 here :-

Upon successful authorization,WebGate will execute the authorization actions which sets userid header variable. Access Server generates ObSSOCookie and sends it to WebGate which in turn sends it to browser.

As per my understanding usually Oracle Access Server generate ObSSOCookie after successful authentication itself not during authorization. Please correct me if i am missing here anything.

Reply
gemini says May 30, 2011

Hi,
Do you know how to do OIM-OAM integration for 11g?
Please upload the same if you have done it.

Reply
Odesa says June 7, 2012

Hola mahendras, How are you?
Do you know how to do OIM-OAM integration for 11g? I need an example if you have done it.

Thanks you

Reply
Mahendra says June 7, 2012

Odesa,

Please post your queries on OAM-OIM integration in 11g. Please read the Oracle documentation and let me know if you run into any issues.

-Mahendra.

Reply
Sankar says August 7, 2012

Mahendra,
How to get the HTTP header variables in oracle forms11g application?

Reply
German Pabon says April 12, 2013

Hi Mahendra.

I followed up all the docs to integrate OAM vs OIM but with different hosts not in just one machine.

http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/oim.htm

After finish the step 5.2, I cannot login on Identity Manager and I get the following error:

<An error occurred while initializing the event handler that adds missing LDAP object classes, and the corresponding error is – com.thortech.xl.dataaccess.tcDataSetException: Dataset is not open

I did every steps no skip of anyone.

Hope you can help.

Thanks

Reply
Mahendra says April 13, 2013

This OIM error could be due to DB connectivity problems. Did you restart OIM and OAM services? Does it prompt for authentication at all?

Reply
Add Your Reply