Integration between Oracle Access Manager and Oracle Entitlement Server

This post describes the integration between Oracle Entitlement Server (OES) and Oracle Access Manager (OAM). From 11g onwards, Oracle recommends OAM for authentication and single sign-on and OES for authorization, so it is worth understanding how this integration works.

Frankly, there is no direct integration between OAM and OES as such. Rather, OES is flexible enough to be integrated with various applications, and that is how we use it for authorization (ATZ).

In my case, I have implemented the scenario explained below.

WebLogic Portal 10.2 is authenticated using OAM, and the authentication scheme can be either Basic over LDAP or Form (I have used Basic over LDAP for the time being).

Upon successful authentication by OAM, the access server generates the ObSSOCookie and sends it to the browser. Note that the front end here is the OHS proxy server sitting in front of the WebLogic Portal resources.

The proxy plug-in (mod_weblogic) therefore forwards the request to the WebLogic Security Framework, which in turn invokes the SSPI providers configured in the WebLogic Server SSM realm.

The providers that are configured are:

1. OAM Identity Asserter

2. LDAP Authenticator

The OAM 10.1.4.3 package provides oamAuthnProvider.jar, which must be copied into the WebLogic Server directory (wls_server103\mbeantypes\lib).

Once the request reaches the OES SSPI interface, the OAM Identity Asserter (flagged as REQUIRED) kicks in and checks for the ObSSOCookie in the request. If the cookie is present, WebLogic validates the asserted user against LDAP using the LDAP Authenticator; because the asserter is REQUIRED, a request without the cookie fails authentication at this step.

At this point, the resource is authorised at page level by OAM.

Now it is time for OES to perform page-level and content-level authorization.

Based on the resources and policies (role and ATZ) configured in OES, it identifies the user accessing the resource and evaluates the role policies and then the ATZ policies. If the outcome is GRANT, the user is shown the requested page.

If the application contains any ALES tags for content-level ATZ, those are evaluated as well.
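To make the chain above concrete, here is an added Python model of the request flow: a REQUIRED identity asserter that looks for the ObSSOCookie, an LDAP authenticator that confirms the asserted user, and OES-style role and ATZ policies evaluated at page level and then at content level. This is an illustration written for this post, not Oracle, WebLogic or OES code; the session table, directory entries, users, roles, policies and the "deny overrides grant, default deny" semantics are all constructed assumptions.

```python
"""Model of the OAM -> WebLogic SSPI -> OES chain described above.

Added illustration, not Oracle, WebLogic or OES code: the session table,
directory, users, roles and policies are constructed sample data, and the
policy semantics (DENY overrides GRANT, unmatched resources denied) are assumed.
"""

# Valid OAM sessions: ObSSOCookie value -> authenticated user. Stands in for the
# access server validating the cookie; any value not in this table is rejected.
SESSIONS = {"sess-alice-01": "alice", "sess-bob-02": "bob",
            "sess-carol-03": "carol", "sess-old-09": "dave"}

# Directory consulted by the LDAP Authenticator: user -> group memberships.
# "dave" has a session but no directory entry, so his assertion must fail.
DIRECTORY = {
    "alice": {"portal-users", "finance"},
    "bob": {"portal-users"},
    "carol": {"portal-users", "suspended"},
}

# OES-style role policies: role -> group that confers it.
ROLE_POLICIES = {
    "PortalUser": "portal-users",
    "FinanceAnalyst": "finance",
    "Suspended": "suspended",
}

# OES-style authorization (ATZ) policies: (resource pattern, role, effect).
# "/x/*" matches one path segment under /x/, "/x/**" matches everything below.
ATZ_POLICIES = [
    ("/portal/*", "PortalUser", "GRANT"),
    ("/portal/finance/**", "FinanceAnalyst", "GRANT"),
    ("/portal/**", "Suspended", "DENY"),
]

# Content-level tags (the ALES tags of the post): page -> {fragment: role}.
CONTENT_TAGS = {
    "/portal/home": {"news": "PortalUser", "finance-widget": "FinanceAnalyst"},
}


def oam_identity_asserter(cookies):
    """OAM Identity Asserter, flagged REQUIRED: returns the asserted user, or
    None when the ObSSOCookie is absent or is not a known session."""
    return SESSIONS.get(cookies.get("ObSSOCookie", ""))


def ldap_authenticator(user):
    """LDAP Authenticator: confirms the asserted user exists and returns groups."""
    return DIRECTORY.get(user)


def evaluate_roles(groups):
    """Role policies: every role whose qualifying group the user holds."""
    return {role for role, group in ROLE_POLICIES.items() if group in groups}


def resource_matches(pattern, resource):
    """Constructed matcher for the two wildcard forms used in ATZ_POLICIES."""
    if pattern.endswith("/**"):
        return resource.startswith(pattern[:-2])
    if pattern.endswith("/*"):
        prefix = pattern[:-1]
        rest = resource[len(prefix):]
        return resource.startswith(prefix) and rest != "" and "/" not in rest
    return resource == pattern


def evaluate_atz(roles, resource):
    """ATZ policies: DENY overrides GRANT; an unmatched resource is denied."""
    effects = {effect for pattern, role, effect in ATZ_POLICIES
               if role in roles and resource_matches(pattern, resource)}
    if "DENY" in effects:
        return "DENY"
    return "GRANT" if "GRANT" in effects else "DENY"


def visible_content(roles, resource):
    """Content-level ATZ: the page fragments whose tag the user's roles satisfy."""
    tags = CONTENT_TAGS.get(resource, {})
    return sorted(tag for tag, role in tags.items() if role in roles)


def handle_request(resource, cookies):
    """Run the whole chain for one request and return the outcome."""
    user = oam_identity_asserter(cookies)
    if user is None:                      # REQUIRED asserter failed: stop here
        return {"status": 401, "user": None, "decision": "DENY", "content": []}
    groups = ldap_authenticator(user)
    if groups is None:                    # asserted user unknown to LDAP
        return {"status": 401, "user": user, "decision": "DENY", "content": []}
    roles = evaluate_roles(groups)
    decision = evaluate_atz(roles, resource)
    content = visible_content(roles, resource) if decision == "GRANT" else []
    return {"status": 200 if decision == "GRANT" else 403, "user": user,
            "roles": sorted(roles), "decision": decision, "content": content}


if __name__ == "__main__":
    for cookie, res in [("sess-alice-01", "/portal/home"),
                        ("sess-bob-02", "/portal/finance/report"),
                        ("sess-carol-03", "/portal/home"),
                        ("not-a-session", "/portal/home")]:
        print(res, handle_request(res, {"ObSSOCookie": cookie}))
```

The point worth checking in a real deployment is the same as in the model: with the asserter flagged REQUIRED, a request with no cookie or an unrecognised cookie never reaches the LDAP Authenticator or OES, and a user who is asserted but absent from the directory is rejected rather than granted a role-less session. Page-level and content-level decisions are separate: bob reaches /portal/home but only sees the fragments his roles allow.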

I will attach the architecture diagram soon.

Various products used in this integration are:

1. Oracle Access Manager 10.1.4.3

2. Oracle Entitlement Server 10.1.4.3 (Admin CP3, SSM CP3)

3. WebLogic Portal 10.2.0

About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look at my blog: http://talkidentity.blogspot.com
