Oracle Access Manager integration with BPEL

The objective of integrating Oracle Access Manager with the BPEL worklist is to provide Single Sign-On for the BPEL worklist application, so that authentication and authorization are handled by Oracle Access Manager.

My environment has: OAM 10.1.4.3, BPEL 10.1.3.4, OSSO 10.14.1, OID 10.1.4.1

It is possible to integrate OAM with the BPEL worklist in two ways:

1. Direct integration of OAM with BPEL: Check this link.

2. Using the OSSO component: First, BPEL is integrated with OSSO using Metalink note 753087.1. This is followed by the OAM and OSSO integration.

In my environment, the OAM, OSSO and OID components are installed on one machine and BPEL resides on a different machine.

Integration Process:

This post does not cover the BPEL-OSSO integration, as it is straightforward if you follow the Metalink note.

As part of the integration process, a WebGate is installed on the web server (Oracle HTTP Server) where OSSO is running. Once OAM, OSSO and BPEL are integrated, a request flows as explained below.

  1. The user accesses the BPEL worklist application.
  2. Because of the BPEL-OSSO integration, BPEL delegates authentication to OSSO.
  3. The OSSO server in turn redirects the request to OAM for authentication.
  4. The WebGate on the OSSO server intercepts the request and checks with the Access Server whether the resource is protected.
  5. If the resource is protected, the user is prompted for login details. In my case, I used form-based authentication.
  6. The user enters login details and the WebGate forwards them to the Access Server for authentication and authorization.
  7. Upon successful authn and authz, the Access Server creates the OAM cookie and sends it to the WebGate.
  8. The OAM WebGate redirects control to mod_osso to validate the user. This is done by the SSOOblixAuth plugin configured in policy.properties as part of the OAM-OSSO integration.
  9. OSSO validates the user, creates a valid OSSO session, authorizes the user and redirects to the BPEL server.
  10. The user then sees the requested BPEL worklist application.

Notes:
I used the OSSO approach because the BPEL worklist resides on an AIX server, and direct integration requires the Access Server SDK component, which is not available for AIX.

Observations:

The worklist application URL should ***NOT BE*** protected in OAM policy domain.
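As an added example (not code from the original post or from Oracle), the checker below models how the WebGate's "is this resource protected?" decision in step 4 is made against OAM 10g policy domains (host identifier plus URL prefix, simplified here to plain prefix matching) and flags the two configuration mistakes implied by the flow above: an unprotected OSSO login resource and a worklist URL that is protected in OAM. The host names, the `/sso/auth` login path and the `/integration/worklistapp` worklist path are assumed sample values.

```python
# Added example: model OAM 10g policy-domain resource matching and check
# the OAM-OSSO-BPEL layout described in the post. Host names and paths
# below are constructed sample values, not taken from a real deployment.
from dataclasses import dataclass
from typing import List


@dataclass
class PolicyDomain:
    name: str
    host_id: str               # OAM host identifier the domain is bound to
    url_prefixes: List[str]    # resource URL prefixes covered by the domain
    protected: bool = True     # False models an anonymous/unprotected policy


def is_protected(host: str, path: str, domains: List[PolicyDomain]) -> bool:
    """Return True when a policy domain on this host covers the path.

    Matching is by URL prefix on a path-segment boundary, a simplification
    of OAM 10g resource matching (assumption: no regex patterns, no query
    string rules)."""
    for d in domains:
        if d.host_id != host:
            continue
        for prefix in d.url_prefixes:
            base = prefix.rstrip("/")
            if path == base or path.startswith(base + "/"):
                return d.protected
    return False


def check_integration(domains: List[PolicyDomain], osso_host: str, osso_login: str,
                      bpel_host: str, worklist: str) -> List[str]:
    """Return findings for the OAM-OSSO-BPEL layout; empty means it matches the post."""
    findings = []
    if not is_protected(osso_host, osso_login, domains):
        findings.append("OSSO login resource is not protected: the WebGate "
                        "will never challenge the user (step 4/5 cannot happen)")
    if is_protected(bpel_host, worklist, domains):
        findings.append("worklist URL is protected in an OAM policy domain; "
                        "the post says it must NOT be, leave it to OSSO")
    return findings


# Constructed sample: correct layout plus one wrong domain added for contrast.
GOOD = [PolicyDomain("OSSO", "osso.example.com", ["/sso/auth"])]
BAD = GOOD + [PolicyDomain("BPEL", "bpel.example.com", ["/integration/worklistapp"])]

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_integration(cfg, "osso.example.com", "/sso/auth",
                                       "bpel.example.com", "/integration/worklistapp"))
```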

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com
