In this post we will cover OAM 11.1.1.5 integration with OID as the identity store. If you are on OAM 11.1.1.3, please refer HERE for integration with OID.
An identity store is the store containing enterprise users & groups. WebLogic comes with an embedded LDAP which is used as the identity store by Fusion Middleware components by default. You can configure external LDAP servers like OID, AD, Novell etc. to be used as identity stores.
Things Good to know:-
1) Till 11.1.1.3, OAM used to support only 1 identity store at a time, i.e. though you can register multiple external LDAPs as identity stores, only one will be used as the primary identity store & OAM will refer to that identity store only.
2) OAM 11.1.1.5 can support multiple identity stores at the same time. Out of these multiple identity stores, one store is marked and used as the “System Store” and either the same or any other identity store will be marked as the “Default Store”.
System Store – Represents the identity store which holds the groups or users that act as “Administrators” of OAM, i.e. only users/group members from this identity store can perform admin functions via oamconsole.
Default Store – This is the identity store that will be used at the time of patching for migration purposes, or by the Oracle Security Token Service. More on OAM Security Token Service coming soon….
3) You can mark any single identity store as both system & default store, OR you can choose 2 different identity stores for this purpose. But there can be ONLY 1 system store & 1 default store.
For instance, let's say we have 5 identity stores registered with OAM (11.1.1.5), namely OID1, OID2, AD1, AD2 and Novell1. Now we can pick any of them, like OID2 to be our system store & AD1 to be the default store, OR we can choose AD2 to be both. It is not possible to have AD1 & OID1 both as system stores.
By default, the embedded LDAP is used as the system as well as the default store.
4) In OAM 11.1.1.5, the original IDMDomainAgent is not available & remains only as an artifact. In place of it, IAMSuiteAgent is installed & pre-configured to provide single sign-on to the IDM administration console.
Steps to Integrate OID 11g with OAM 11.1.1.5
1. Create a group “Administrators” in OID under dc=[your_domain], cn=groups using ODSM.
2. Create a user oamadmin in OID under dc=[your_domain], cn=users (this user will then be used to log in to the WebLogic console). Ensure that the attribute userPassword is set for this user.
3. Add user oamadmin in OID to the group “Administrators”. Use ODSM to create the user/group in OID 11g. More on ODSM here
4. Login to OAMconsole (http://hostname:adminport/oamconsole). Navigate to System Configuration tab –> Data Sources –> select User Identity Stores –> Click Create from the Actions drop-down at the top.
2) The Create: User Identity Store applet opens. Enter values as:-
Store Name – Name of the identity store (Tip:- keep it something that makes it easy to recall the LDAP type/hostname)
Store Type – select which type of LDAP it is. Options are: Embedded LDAP, OID, AD, Novell, iPlanet & OVD.
Location – hostname and port of the external LDAP in the format hostname:port
Bind DN – OID's administrator account DN, like cn=orcladmin
UserName Attribute – attribute which will be used for login
User & Group Search Base – complete DN of the OID domain under which the users/groups will be searched
GroupName Attribute – default is cn
Test Connection, save & then close it.
3) This new identity store will now be available under Data Sources. Open it again from Data Sources. You will see 2 options for setting this store as either “System Store” or “Default Store”.
Check the System Store box; it will prompt you to add the group/user of this identity store which you want to act as administrator of OAM.
Add the “Administrators” group that we created in OID.
Click the Apply button; it will pop up the message “Manually Change Identity Store Settings at OPSS Level and configure the IDMDomainAgent”. Click OK.
It will then prompt to “Validate this Identity store against a user of that group in order to set this as “System Store””. Enter the name & password of a user from that group, e.g. oamadmin that we created under OID.
Once validated it will show “Successfully Set as System Store”.
4) OAM uses the OAMAdminConsole Authentication Scheme for the “System Store”, which in turn calls the “LDAP Module”. This LDAP module has an “identity store” value which is used as the “system store”. Change this value to the newly configured system store.
Under System Configuration tab –> Authentication Modules –> LDAP Authentication Module –> LDAP –> change Identity Store to the new system store value –> Save
5) Logout from OAMConsole & now login as any user who is a member of the System Store. If you are able to login successfully, the configuration with OID is done.
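The following is an added example, not code from the original post or from Oracle: an offline model of the checks behind the “validate this store against a user of that group” prompt, driven by the same fields the oamconsole form asks for (Location, Bind DN, UserName Attribute, search bases, GroupName Attribute). The in-memory DIRECTORY, the example DNs and the passwords are constructed sample data, not a real OID export.

```python
# Added example, not from the original post: offline model of the checks OAM makes
# when a store is set as System Store, using the oamconsole form's own fields.
from dataclasses import dataclass

@dataclass
class IdentityStore:
    location: str            # Location, "hostname:port"
    bind_dn: str             # Bind DN
    username_attr: str       # UserName Attribute, e.g. "uid"
    user_search_base: str    # User Search Base
    group_search_base: str   # Group Search Base
    group_name_attr: str = "cn"  # GroupName Attribute (default cn)

# Constructed sample directory (not a real OID export): DN -> attributes
DIRECTORY = {
    "cn=orcladmin": {"userpassword": ["welcome1"]},
    "cn=oamadmin,cn=users,dc=example,dc=com": {"uid": ["oamadmin"], "userpassword": ["s3cret"]},
    "cn=nopw,cn=users,dc=example,dc=com": {"uid": ["nopw"]},  # userPassword never set
    "cn=Administrators,cn=groups,dc=example,dc=com": {
        "cn": ["Administrators"], "uniquemember": ["cn=oamadmin,cn=users,dc=example,dc=com"]},
}

def parse_location(location):
    host, _, port = location.rpartition(":")  # reject a bare hostname or non-numeric port
    if not host or not port.isdigit():
        raise ValueError("Location must be hostname:port")
    return host, int(port)

def find_entry(directory, base, attr, value):
    """First entry below `base` whose attribute `attr` contains `value` (LDAP-style search)."""
    for dn, attrs in directory.items():
        if dn.lower().endswith("," + base.lower()) and value in attrs.get(attr.lower(), []):
            return dn
    return None

def validate_system_store(store, admin_group, login, directory=DIRECTORY):
    parse_location(store.location)
    if store.bind_dn not in directory:
        return False, "bind DN not found"
    group_dn = find_entry(directory, store.group_search_base, store.group_name_attr, admin_group)
    if group_dn is None:
        return False, f"group {admin_group} not found under {store.group_search_base}"
    user_dn = find_entry(directory, store.user_search_base, store.username_attr, login)
    if user_dn is None:
        return False, f"{login} not found via {store.username_attr} under {store.user_search_base}"
    if not directory[user_dn].get("userpassword"):
        return False, "userPassword not set on user"   # the step 2 caveat
    if user_dn not in directory[group_dn].get("uniquemember", []):
        return False, f"{login} is not a member of {admin_group}"
    return True, "Successfully Set as System Store"
```

Running validate_system_store against a store whose search bases or UserName Attribute are wrong fails at the same point OAM's own validation would, which makes the reason quicker to find than the console's generic error.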
Reference Documentation:-