How to integrate WebCenter 11g with Oracle Access Manager 11g for Single Sign-On

Oracle WebCenter 11g is a user interaction product that helps to create social applications, enterprise portals, collaborative communities and internet/intranet websites.

Oracle Access Manager 11g is Oracle’s recommended Single Sign-On solution for Fusion Middleware (SOA, WebCenter, OBIEE, UCM, etc.) and Fusion Applications.

This post covers a high-level overview of, and documents related to, WebCenter 11g integration with OAM 11g for Single Sign-On.

By default, when you install WebCenter you get a WebLogic domain with one Admin Server and a few Managed Servers (Spaces, Portlet, Services). If you are new to WebLogic, check my post on Domain, Admin & Managed Server here

For Single Sign-On integration, you deploy OHS (Oracle HTTP Server) in front of WebLogic Server (check steps to configure OHS in front of WebLogic here), configure the WebGate plug-in with OHS (check here), and migrate from WebLogic’s embedded LDAP store to Oracle Internet Directory (check here). You must also use OID as the primary identity store of OAM 11g (steps here) and unprotect some of the WebCenter URLs in the OAM Console (details to follow in my coming posts).

If you are new to Oracle Access Manager, you can install OAM 11g using my step-by-step series here (if you just need OAM, then OIM, SOA, OAAM, OAPM and OIN are not required).


Key Points for OAM 11g integration with WebCenter 11g

1. WebCenter 11g R1 PS3 and higher (11.1.1.4+) are certified with OAM 11g R1 (11.1.1.3)

2. When you configure OHS in front of WebLogic, configure the following URIs:
a) /webcenter, /rss, /workflow, /integration, /soa-infra and /rest pointing to the WebLogic Managed Server – Spaces (port 8888)
b) /owc_wiki, /owc_discussions pointing to the WebLogic Managed Server – Discussions (port 8890)

3. Set the system properties oracle.webcenter.spaces.osso and owc_discussions.sso.mode to true

4. Unprotect the following URIs from the OAM Console (or during WebGate registration):
/webcenter/…/*, /webcenterhelp, /webcenterhelp/…/*, /owc_discussions, /owc_discussions/…/*,
/rss, /rss/…/*, /workflow, /workflow/…/*, /integration/services,
/integration/services/…/*, /soa-infra, /soa-infra/…/*,
/rest/api/cmis/…/*, /cs, /cs/…/*

5. Grant the WebCenter Spaces Administrator role to an OID user using grantAppRole or Fusion Middleware Control (/em)
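
Key point 2 written out as an OHS routing fragment for mod_wl_ohs.conf. This is an added example, not configuration from the original post; the host names are placeholder assumptions, and the URIs and ports are the ones listed above.

```apache
# mod_wl_ohs.conf fragment (added example). Host names are placeholders (assumed);
# ports 8888 and 8890 are the Spaces and Discussions ports named in this post.
<IfModule weblogic_module>
  # 2a) URIs served by the WebCenter Spaces managed server
  <Location /webcenter>
    SetHandler weblogic-handler
    WebLogicHost wc-spaces.example.com
    WebLogicPort 8888
  </Location>
  <Location /rss>
    SetHandler weblogic-handler
    WebLogicHost wc-spaces.example.com
    WebLogicPort 8888
  </Location>
  <Location /workflow>
    SetHandler weblogic-handler
    WebLogicHost wc-spaces.example.com
    WebLogicPort 8888
  </Location>
  <Location /integration>
    SetHandler weblogic-handler
    WebLogicHost wc-spaces.example.com
    WebLogicPort 8888
  </Location>
  <Location /soa-infra>
    SetHandler weblogic-handler
    WebLogicHost wc-spaces.example.com
    WebLogicPort 8888
  </Location>
  <Location /rest>
    SetHandler weblogic-handler
    WebLogicHost wc-spaces.example.com
    WebLogicPort 8888
  </Location>
  # 2b) URIs served by the Discussions managed server
  <Location /owc_wiki>
    SetHandler weblogic-handler
    WebLogicHost wc-discussions.example.com
    WebLogicPort 8890
  </Location>
  <Location /owc_discussions>
    SetHandler weblogic-handler
    WebLogicHost wc-discussions.example.com
    WebLogicPort 8890
  </Location>
</IfModule>
```

Because WebGate enforces SSO at OHS, allow connections to ports 8888 and 8890 only from the OHS host so that requests reach the managed servers through OHS.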


High Level Steps to configure OAM 11g with WebCenter 11g for Single Sign-On

1. Install OAM 11g (11.1.1.3)

2. Install OID 11g (11.1.1.4 or 11.1.1.5)

3. Change OAM’s primary identity store to OID

4. Install OHS 11g (11.1.1.4 or 11.1.1.5)

5. Configure OID as Authentication Provider in WebLogic (where WebCenter is running)

6. Configure OHS in front of WebLogic (where WebCenter is running)

7. Configure an Instance of Webgate in OAM using RREG or OAM Console

8. Install Webgate with OHS

9. Run configuration steps on WebCenter (changing system properties and other things as mentioned above)


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


21 comments
Paul says May 19, 2011

Atul,
Excellent article. Very helpful. Appreciate your time and efforts.
Are you planning to have some training on OID & OAM technology in near future?

Thanks.

Atul Kumar says May 20, 2011

@ Paul, Yes We are planning but this is still at planning stage. We will announce it here http://focusthread.com/training

Rehan Shah says May 24, 2011

Hello Atul,

I have read most of your articles and found them very useful.

I need a little help in integrating WebCenter Spaces SSO with External Application (MS Exchange Server 2007).

I am using OAM 11g for SSO. How can I forward Spaces User Credentials to External Application(Exchange Server). I don’t want that Mail Login Box, not even once.

Components versions are:
MS Exchange 2007
Webcenter 11g R1 PS3
OAM 11g 11.2
Active Directory 2008 as Identity Store

Regards,
Rehan Shah

Atul Kumar says May 25, 2011

@Rehan Shah,
Check with OAM team if 11g R1 (11.1.1.3) is certified with MS Exchange 2007.

Check OAM 11.1.1.5 (released yesterday) for certification with MS Exchange (I’ll cover on 11.1.1.5 OAM here shortly)

To pass on identity (or any other user attribute) from OAM to a downward application like MS Exchange (or SharePoint or WebCenter), in authentication/authorization policies define responses as mentioned in the guide http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15478/app_domn.htm#BABEGCDC

Shovon says August 5, 2011

Hi Atul, Thanks for the useful article. Much of the Oracle documentation I see mentions OID as LDAP. Can OAM be integrated with Microsoft Active Directory alone? My company is deploying Webcenter PS4 (11.1.1.5.0) and has MS AD as LDAP. We are looking for an SSO solution for the Webcenter. Thanks in advance for your help.

Shovon says August 5, 2011

Also, when is your book on OAM getting published? Does the RAW book have enough material now to get started with installing OAM? Thanks again.

Atul Kumar says August 5, 2011

@ Shovon,
Yes, webcenter and OAM both can be integrated directly with AD. For SSO with WebCenter using OAM where user repository is in AD, integrate weblogic (on which webcenter is running) with AD and also integrate OAM with AD for userstore. Then integrate webcenter with OAM for SSO.

OAM installation (including High Availability) is covered in chapter 2 of my book.
OAM integration with LDAP server is covered in chapter 5 and OAM integration with Webcenter is covered in chapter 12. (Just replace OID with AD)

Book is available now to download (softcopy) from https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

Hard copy will be available in september but then price will increase. Currently it is discounted.

Shovon says August 7, 2011

This is a very helpful and timely article for me. I just bought your RAW book and found it very valuable. Thanks for your wonderful work. I still have few questions.

I am trying to add SSO to existing Webcenter (PS4) so users won’t be challenged with uid/password when they browse to Webcenter with Internet Explorer. My need stops here for now and I don’t have any additional requirements (groups, policy, etc.)

Questions:
1. Can SSO be achieved by only installing OAM and skipping Oracle Identity Manager (OIM)?
2. If yes, can SOA suite also be ignored if I am doing only Oracle Access Manager (OAM). You mentioned this on page 26.
3. Is there any setup/configuration needed on the client’s browser side?
4. Do I need to make any changes as described in chapter 6 (OAM Policy component) and Chapter 7 (Session) for a straightforward SSO integration?
5. You mentioned integration with Webcenter is in Chapter 12. This chapter was not included in the download as of August 5th, 2011. How soon can I expect it to download?

Components Version:
Webcenter 11g R1 PS4
Microsoft Active Directory
Internet Explorer 7

Thank you so much.

With kindest regard,
Shovon

Atul Kumar says December 10, 2011

@ Shovon,

Questions:
1. Can SSO be achieved by only installing OAM and skipping Oracle Identity Manager (OIM)?

Yes

2. If yes, can SOA suite also be ignored if I am doing only Oracle Access Manager (OAM). You mentioned this on page 26.

Yes

3. Is there any setup/configuration needed on the client’s browser side?

You need to further integrate OAM with AD (kerberos for 0 sign on). This is not covered in my book but steps are covered in OAM integration guide at

http://docs.oracle.com/cd/E21764_01/doc.1111/e15740/wna.htm#sthref248

4. Do I need to make any changes as described in chapter 6 (OAM Policy component) and Chapter 7 (Session) for a straightforward SSO integration?

5. You mentioned integration with Webcenter is in Chapter 12. This chapter was not included in the download as of August 5th, 2011. How soon can I expect it to download?

This chapter must now be available

Vineet says April 25, 2012

Excellent Post

samer sweiss says June 17, 2012

hi
is there any information about upgrading oracle webcenter spaces from 11.1.5 to11.1.6 ?

vankasrikar says July 15, 2013

Hi Atul,
I integrated webcenter with OAM11g and I’m able to login into webcenter through OAM with OID user credentials. But logout is not working.
When I click on logout, it’s going to the logout page but when I try to access webcenter again, it’s directly going to the webcenter homepage instead of the OAM login page. Can someone give me a clue why it’s happening?

Thanks
Srikar

    Atul Kumar says July 15, 2013

    @ Srikar,
    Which logout page are you calling when the user clicks on Logout?
    You must have done something like
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html")

    Can you access this page?
    Where did you get this page from?

vankasrikar says July 15, 2013

Hi Atul,
Thanks for the response. I already figured this out and it’s working now.

Thanks
Srikar

purva says August 22, 2013

Hello,

I need to configure the logout for OAM – WebCenter integration.
Can anybody help me?

Thanks,
Purva

purva says August 26, 2013

Thanks Atul!

also, I was curious to know whether the following will work :

addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="http://::oam/server/logout?end_url=")

Regards,
Purva

Atul Kumar says August 26, 2013

@ Purva,
It looks like you want to redirect the user to a different URL after logout. This command should work. If this doesn’t, then check HTTP headers as to where requests are going after logout.

purva says August 26, 2013

@Atul,

Yes I need to redirect the user to a static page after successful logout (from both WebCenter and OAM). Hence wanted to confirm whether below url will work:

http://oamhost:oamport/oam/server/logout?end_url=some custom page on portal

Thanks for the reply!

Regards,
Purva

poornima says July 19, 2014

Hi Atul,

We are using WCC (PS6) with Imaging and BPEL for document processing and workflow. When documents were uploaded from IPM, they were getting uploaded to WCC and pushed to the BPEL workflow without any issues. BPEL runs on a different machine.

Recently DM (OID with OAM) has been integrated with WCC (PS6) and from that time onwards we get the following error when the document is being uploaded from Imaging.

javax.xml.ws.WebServiceException: oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-02557 oracle.wsm.policymanager.accessor.BeanAccessor The documents required to configure the Oracle Web Services Manager runtime have not been retrieved from the Policy Manager application (wsm-pm), possibly because the application is not running or has not been deployed in the environment. The query “&(policysets:global/%)(@appliesTo~=”WS-Client()”)” is queued for later retrieval

Without IDM it works without any issues, i.e. wsm-pm is not required for the IPM, BPEL and WCC except Credential mapping.

Since we have found that some of the steps of IDM integration with WCC have been missed out, we tried to revert all the changes we did at WCC and WLS of the same.
We have removed the authenticators from WLS console, reset the security provider configuration in Enterprise Manager and reverted back the jps-config.xml. since the WCC is integrated with Imaging and Imaging with BPEL, after the IDM has been integrated, whenever we push the documents from IPM to WCC and BPEL. However it still throws the same exception.

So I was just wondering whether you have any idea what else we could have missed while reverting the issue.

IDM Newbie says September 25, 2014

Hi Atul,

Can you reply to the above issue? Are you aware of the solution? How much time does it take?
