Oracle Access Manager 10.1.4.3 integration with WebLogic Server

Many people have asked me about the integration of Oracle Access Manager 10.1.4.3 (the latest version) with WebLogic Server, yet it did not strike me to do a write-up on it until now. Anyway, better late than never.
Before we go into the integration process, check this.

You should now have a fair idea of how the integration differs between the various OAM versions.

Let me give you some background on this integration.

How Single Sign-On works:

Oracle Platform Security Services (OPSS) form Oracle WebLogic Server's internal security framework. A WebLogic domain uses a separate software component, called an Authentication provider, to store, transport and provide access to security data.

Oracle Fusion Middleware 11g supports two new single sign-on solutions that applications can use to establish and enforce perimeter authentication:

•    Oracle Access Manager Solution
•    Oracle Single Sign-On solution

Oracle Access Manager is part of Oracle's enterprise-class suite of products for identity management and security. The Oracle Access Manager Authentication provider is a new component that works with Oracle WebLogic Server. An application can use either or both of the Oracle Access Manager Authentication provider features, each of which enables a specific Oracle Access Manager function for WebLogic users:

•    Identity Asserter for Single Sign-On
o    This function uses Oracle Access Manager authentication services and also validates already-authenticated Oracle Access Manager users through ObSSOCookie and creates a WebLogic – authenticated session. It also provides single sign-on between webgates and portals.

•    Authenticator
o    This function uses Oracle Access Manager authentication services to authenticate users (based on username and password) who access applications deployed in WebLogic server.

This document describes the setup and configuration of Identity Asserter for Single Sign-On for the applications deployed in WebLogic server.

Identity Asserter:

The Authentication provider for Oracle Access Manager can be configured as the Identity Asserter for single sign-on. In this case, the provider protects Web resources only.

This Identity Asserter for single sign-on relies on perimeter authentication performed by WebGate on the Web tier and on the ObSSOCookie to assert the identity of users who try to access protected WebLogic resources. Perimeter authentication only holds if every request really passes through WebGate, so the WebLogic listen ports should not be reachable by end users directly; only the reverse proxy tier should be able to talk to them.

All requests are routed to a reverse proxy Web server, where they are intercepted by WebGate. The user is challenged for credentials based on the authentication scheme that is configured within Oracle Access Manager. The recommended scheme is Form (form-based login).

If authentication succeeds, WebGate sets the ObSSOCookie and the Web server's mod_weblogic module forwards the request to Oracle WebLogic Server, which in turn invokes the Oracle Access Manager Identity Asserter for single sign-on (with the request and the cookie) for validation.

The WebLogic Security Service invokes the Oracle Access Manager Identity Asserter for single sign-on, which gets the ObSSOCookie from the incoming request and populates the subject with a WLSUserImpl principal. The Identity Asserter for single sign-on also adds the WLSGroupImpl principals that correspond to the user's groups, if any. Oracle Access Manager validates the cookie.

The architecture is almost the same as in the earlier post referenced above, except that the SSPI Connector is not installed separately in WebLogic Server; instead an implementation jar file is copied into the WebLogic server's lib directory.


Oracle Access Manager Identity Asserter with Web-only Applications

  1. A user attempts to access an Oracle Access Manager protected Web application that is deployed on Oracle WebLogic Server.
  2. WebGate on a reverse proxy Web server intercepts the request and queries the Oracle Access Manager Access Server to check whether the requested resource is protected.
  3. If the requested resource is protected, WebGate challenges the user for credentials based on the type of Oracle Access Manager authentication scheme configured for the resource (Oracle recommends Form Login). The user presents credentials such as user name and password.
  4. WebGate forwards the authentication request to the Access Server.
  5. The Access Server validates the user credentials against those stored in the user directory and returns the response to WebGate. Processing continues based on the result:
     o    Successful authentication: processing continues with step 6.
     o    Authentication not successful: the login form appears, asking the user for credentials again; no error is reported.
  6. The Access Server generates the session token and sends it to WebGate. WebGate sets the ObSSOCookie to the value returned by the Access Server. The Web server forwards the request to the proxy, which in turn forwards it to Oracle WebLogic Server using the mod_weblogic plug-in.
  7. mod_weblogic forwards requests as directed by its configuration.
  8. The WebLogic Server security service invokes the Oracle Access Manager Identity Asserter for single sign-on, which is configured to accept tokens of type "ObSSOCookie". The Identity Asserter initializes a CallbackHandler with the ObSSOCookie and also sets up a NameCallback with the username for downstream LoginModules.
  9. The Oracle WebLogic security service authorizes the user and allows access to the requested resource.
  10. A response is sent back to the reverse proxy Web server.
  11. A response is sent back to the browser.

As part of this integration process, I assume that OAM is already installed, up and running.

Now, we dive into the actual integration process.

1. When you use the Oracle Access Manager Identity Asserter, every web.xml in the application EAR/WAR must specify CLIENT-CERT in the auth-method element for the appropriate realm, as shown below. CLIENT-CERT is what tells WebLogic to use perimeter authentication (identity assertion) for the Web application; with any other auth-method the ObSSOCookie is never handed to the Identity Asserter.

    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myRealm</realm-name>
    </login-config>
2. Confirm mod_weblogic for the Oracle Access Manager Identity Asserter: open the httpd.conf file of the OHS 11g server and add or uncomment the text shown below.

    <IfModule mod_weblogic.c>
    WebLogicHost oam.oracle.com
    WebLogicPort 7002
    </IfModule>

    <Location /CustomWebApplication>
    SetHandler weblogic-handler
    </Location>

3. Create the OAM objects (host identifier, authentication scheme, WebGate profile and policy domain) with the OAM Configuration tool (oamcfgtool), as shown below.

    export JAVA_HOME=/identity_mgmt/Oracle/Middleware/jdk160_11

    $JAVA_HOME/bin/java -jar /installs/11g/11g/oam/oamcfgtool/oamcfgtool.jar mode=CREATE app_domain=IASSO_App1 web_domain=IASSO_App1 protected_uris="/Marketing/index.jsp,/Finance/home.jsp" app_agent_password=welcome1 ldap_host=itechdemo.us.oracle.com ldap_port=3060 ldap_userdn=orcladmin ldap_userpassword=welcome1 oam_aaa_host=itechdemo.us.oracle.com oam_aaa_port=6021

app_domain – name of the policy domain to be created
web_domain – name of the host identifier to be created; the WebGate profile is created as <web_domain>_AG (here IASSO_App1_AG)
protected_uris – resources to be protected
app_agent_password – WebGate password
ldap_host – OID hostname
ldap_port – OID port
ldap_userdn – OID administrator user
ldap_userpassword – OID administrator password
oam_aaa_host – hostname where the Access Server is installed
oam_aaa_port – Access Server port (6021 in this case)

Note that app_agent_password and ldap_userpassword are passed on the command line, so they end up in the shell history and are visible in the process list while the tool runs. Run it from a host where that is acceptable and clear the history afterwards.

4. Modify the host identifier so that it includes both the hostname:WebLogic-port and the hostname:proxy-server-port variations, otherwise requests arriving under the other name will not match the policy domain.

5. Add the resource type wl_authen with following details.

Resource Name: wl_authen

Resource Matching: Case Insensitive

Resource Operation: Login

6. Install the WebGate on the OHS web server.

7. Check that login.html is present under the WebGate install directory, at WebGate_dir/access/oamsso/login.html.

8. Copy oamAuthnProvider.jar to WebLogic_dir/wlserver_10.3/server/lib/mbeantypes.

9. Check the end of the WebGate configuration section in the OHS httpd.conf file for the oamsso alias, which is what lets WebGate find the login form.

10. Go to the WebLogic console, open myrealm, and click the Providers tab.

11. Create two providers: an LDAPAuthenticator and an OAMIdentityAsserter.

12. In the Provider Specific tab of the OAMIdentityAsserter, specify the Access Server details (host name, port, and so on).

13. Similarly, in the LDAPAuthenticator, provide the LDAP (OID) connection details.

14. Set the control flag of the LDAPAuthenticator to SUFFICIENT and that of the OAMIdentityAsserter to REQUIRED. Change the control flag of the DefaultAuthenticator to SUFFICIENT as well; if it stays REQUIRED, users that exist only in OID fail the overall login.

15. Reorder the providers as OAMIdentityAsserter, LDAPAuthenticator, DefaultAuthenticator, DefaultIdentityAsserter.

16. Now test the Web application: you should see the login form asking for your credentials, and after entering valid credentials you should see the requested resource.
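The shell script below is an added example and not part of the original post. It checks the file-level prerequisites from steps 1, 2, 7, 8 and 9 of the procedure above and generates a WLST (Jython) script that performs steps 11 to 15 without clicking through the console. The hostnames, ports, base DNs, admin URL, directory layout and the set*() attribute names of the OAM Identity Asserter and LDAPAuthenticator MBeans are assumptions taken from the values used in this post; verify them against the oamAuthnProvider.jar and WebLogic version you actually have before running the generated script.

```shell
#!/bin/sh
# Added example, not part of the original post: preflight checks for steps 1, 2, 7, 8
# and 9, plus a generator for a WLST (Jython) script that performs steps 11 to 15.
# Hostnames, ports, DNs, the admin URL and the OAM provider setter names are assumptions.
set -u

# Step 1: CLIENT-CERT is what makes WebLogic use perimeter authentication
# (identity assertion) for the web application, so every web.xml must carry it.
check_web_xml() {      # $1 = path to web.xml
    grep -q '<auth-method>[[:space:]]*CLIENT-CERT[[:space:]]*</auth-method>' "$1"
}

# Steps 2 and 9: the context root must be handed to mod_weblogic, and the
# oamsso alias must exist so WebGate can serve its login form.
check_httpd_conf() {   # $1 = httpd.conf, $2 = context root, e.g. /CustomWebApplication
    grep -q "<Location[[:space:]]*$2[[:space:]]*>" "$1" &&
    grep -q 'SetHandler[[:space:]]*weblogic-handler' "$1" &&
    grep -q 'oamsso' "$1"
}

# Steps 7 and 8: login.html under the WebGate install and the provider jar in
# WebLogic's mbeantypes directory (layout WL_HOME/server/lib/mbeantypes assumed).
check_files() {        # $1 = WebGate install dir, $2 = WL_HOME (.../wlserver_10.3)
    [ -f "$1/access/oamsso/login.html" ] &&
    [ -f "$2/server/lib/mbeantypes/oamAuthnProvider.jar" ]
}

# Steps 11 to 15 as WLST. Run the generated file with
#   $WL_HOME/common/bin/wlst.sh configure_oam_providers.py
# The provider class names and set*() attribute names mirror the fields shown on
# the console's Provider Specific tab and are assumptions to verify against the
# oamAuthnProvider.jar shipped with your WebLogic version.
write_wlst_script() {  # $1 = output file
    cat > "$1" <<'EOF'
import jarray
from java.lang import String
from weblogic.management.security.authentication import AuthenticationProviderMBean

# Admin credentials and URL are placeholders; load them from a protected file.
connect('weblogic', 'admin_password', 't3://oam.oracle.com:7001')
edit()
startEdit()
realm = cmo.getSecurityConfiguration().getDefaultRealm()

# Steps 11, 12 and 14: OAM Identity Asserter accepting the ObSSOCookie token type.
oamIA = realm.createAuthenticationProvider('OAMIdentityAsserter',
    'oracle.security.wls.oam.providers.asserter.OAMIdentityAsserter')
oamIA.setActiveTypes(jarray.array(['ObSSOCookie'], String))
oamIA.setControlFlag('REQUIRED')
oamIA.setPrimaryAccessServer('itechdemo.us.oracle.com:6021')   # oam_aaa_host:oam_aaa_port
oamIA.setAccessGateName('IASSO_App1_AG')                       # <web_domain>_AG from oamcfgtool
oamIA.setAccessGatePassword('welcome1')                        # app_agent_password

# Steps 11, 13 and 14: LDAP authenticator against the same OID (base DNs assumed).
ldap = realm.createAuthenticationProvider('LDAPAuthenticator',
    'weblogic.security.providers.authentication.LDAPAuthenticator')
ldap.setHost('itechdemo.us.oracle.com')
ldap.setPort(3060)
ldap.setPrincipal('cn=orcladmin')
ldap.setCredential('welcome1')
ldap.setUserBaseDN('cn=Users,dc=us,dc=oracle,dc=com')
ldap.setGroupBaseDN('cn=Groups,dc=us,dc=oracle,dc=com')
ldap.setControlFlag('SUFFICIENT')

# Step 14: DefaultAuthenticator becomes SUFFICIENT so OID-only users are not rejected.
defAuth = realm.lookupAuthenticationProvider('DefaultAuthenticator')
defAuth.setControlFlag('SUFFICIENT')
defIA = realm.lookupAuthenticationProvider('DefaultIdentityAsserter')

# Step 15: OAMIdentityAsserter, LDAPAuthenticator, DefaultAuthenticator, DefaultIdentityAsserter.
realm.setAuthenticationProviders(jarray.array([oamIA, ldap, defAuth, defIA],
                                              AuthenticationProviderMBean))
save()
activate(block='true')
disconnect()
EOF
}
```

Source the file and call the check functions with your own paths; each returns non-zero at the first failed check, so they can gate a deployment script. The generated WLST file contains the WebGate, OID and admin passwords in clear text, exactly like the oamcfgtool command line above, so protect it like a credential file or replace the literals with values read from a restricted file before running it.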


About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com
