Integration between Oracle Access Manager and Oracle Entitlement Server

This post describes the integration between Oracle Entitlement Server (OES) and Oracle Access Manager (OAM). From 11g onwards, Oracle recommends OAM for authentication and SSO, and OES for authorization, so it is good to know how this integration works.

Frankly, there is no integration between OAM and OES. OES is easy to integrate with various applications, which lets us use it for authorization (ATZ).

In my case, I have implemented the scenario as explained below.

WebLogic Portal 10.2 is authenticated by OAM, and the authentication scheme can be Basic over LDAP or Form (I have used Basic over LDAP for the time being).

Upon successful authentication, the OAM access server generates the ObSSOCookie and sends it to the browser. The front end here, however, is the OHS proxy server for the WebLogic Portal resource.

Hence the plugin in the proxy server (mod_weblogic) forwards the request to the WebLogic Security Framework. The WLS framework in turn triggers the SSPI interface, where the WebLogic Server SSM is configured (as the SSM realm).

The providers that are configured are:

1. OAM Identity Asserter

2. LDAP Authenticator

The OAM 10.1.4.3 package provides oamAuthnProvider.jar, which should be copied to the WebLogic Server directory (wls_server103\mbeantypes\lib).

Once the request is passed to the SSPI interface of OES, the OAM Identity Asserter (flagged as REQUIRED) kicks in and checks for the ObSSOCookie in the request. If it exists, WebLogic validates the user against LDAP using the LDAP Authenticator.

At this point, the resource is authorised at page level by OAM.

Now it’s time for OES to do the page-level and content-level authorization.

Based on the resources and policies (ATZ and Role) configured in OES, it fetches the user accessing the resource and executes the Role and ATZ policies. If the result for the user is GRANT, the user is shown the requested page.

If there are any ALES tags specified in the application for content-level ATZ, they are executed.
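
The chain of checks described above, from ObSSOCookie to content-level decision, can be followed in a small Python model. This is an added example, not code from OAM, OES or WebLogic: the session table, directory, policies and function names are constructed for illustration, and the deny-overrides rule is an assumption of the model.

```python
# Model of the request path described above; not the OAM/OES/WebLogic API.
# Every name and value below is constructed for illustration.
from dataclasses import dataclass

# Stand-in for the access server: ObSSOCookie value -> user it was issued to.
OAM_SESSIONS = {"cookie-a": "alice", "cookie-b": "bob", "cookie-c": "carol"}
# Stand-in for the LDAP directory: user -> groups (carol is not in it).
LDAP_GROUPS = {"alice": {"Managers"}, "bob": {"Staff"}}
# OES Role policies: directory group -> role.
ROLE_POLICIES = {"Managers": "Approver", "Staff": "Viewer"}
# OES ATZ policies: (role, resource, action) -> effect; unlisted means no grant.
ATZ_POLICIES = {
    ("Approver", "/portal/reports", "view"): "GRANT",
    ("Viewer", "/portal/reports", "view"): "GRANT",
    ("Approver", "/portal/reports#salary", "view"): "GRANT",  # content level
    ("Viewer", "/portal/reports#salary", "view"): "DENY",
}

@dataclass
class Decision:
    stage: str        # stage that produced the final answer
    allowed: bool
    user: str = ""

def assert_identity(cookies):
    """Identity asserter step: no usable ObSSOCookie means no identity."""
    return OAM_SESSIONS.get(cookies.get("ObSSOCookie", ""))

def authorize(cookies, resource, action="view"):
    user = assert_identity(cookies)
    if user is None:
        return Decision("identity-asserter", False)
    groups = LDAP_GROUPS.get(user)
    if groups is None:  # asserted user is unknown to the directory
        return Decision("ldap-authenticator", False, user)
    roles = {ROLE_POLICIES[g] for g in groups if g in ROLE_POLICIES}
    effects = {ATZ_POLICIES.get((role, resource, action)) for role in roles}
    # Assumption of this model: DENY overrides GRANT, and no GRANT means deny.
    allowed = "GRANT" in effects and "DENY" not in effects
    return Decision("oes-atz", allowed, user)

if __name__ == "__main__":
    for cookies, resource in [
        ({}, "/portal/reports"),
        ({"ObSSOCookie": "cookie-c"}, "/portal/reports"),
        ({"ObSSOCookie": "cookie-b"}, "/portal/reports"),
        ({"ObSSOCookie": "cookie-b"}, "/portal/reports#salary"),
        ({"ObSSOCookie": "cookie-a"}, "/portal/reports#salary"),
    ]:
        print(resource, authorize(cookies, resource))
```

A request that fails at the identity asserter or the LDAP authenticator never reaches the OES policies, and a resource with no matching GRANT is refused even for an authenticated user.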

I will attach the architecture diagram soon.

Various products used in this integration are:

1. Oracle Access Manager 10.1.4.3

2. Oracle Entitlement Server 10.1.4.3 (Admin CP3, SSM CP3)

3. Weblogic Portal 10.2.0

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look at my blog: http://talkidentity.blogspot.com

25 comments
bharathi says June 1, 2010

Hi Mahendra,

I have a query in OAM. Will it be possible to populate the fields in the self registration page before the self registration page gets loaded?

Atul Kumar says June 1, 2010

@ Bharathi,
You mean some default values for a few fields? Yes, this is possible. Could you please elaborate which attribute (field) you wish to populate in the self registration screen?

Are you using the default self registration page, or creating your own page and using IdentityAPI for self registration?

bharathi says June 1, 2010

Thanks for the reply. I am using the default self reg page.

I need to populate dynamic values in the fields for role. Actually the requirement is like this: the end user will receive the self registration link in his mail. When the user clicks on the link, the user should be redirected to the self reg page and the role related fields should be populated.

Mahendra says June 1, 2010

Hi Bharathi,

If I understood your scenario correctly, you want to pre-populate some fields based on their Role? If so, the user doing the self registration is a new user and has no Roles defined in the system already. If you are talking about some fields pre-populated by default, YES, you can do this. As Atul said, you will be achieving the Self Registration using Identity XML API. So, when you use the API to construct the Self Registration page with various fields, you can play with the code as per your wish to pre-populate the fields.

Does this answer your question?

bharathi says June 2, 2010

Will it not be possible to invoke the code using the ppp type = “pre” in the oblixpppcatalog.lst file? I am trying to do it this way, actually.

Mahendra says June 2, 2010

Hi Bharathi,

Can you please elaborate what exact code you are invoking and which attributes you want to pre-populate?

Thanks,
Mahendra.

bharathi says June 2, 2010

For example, I want to populate a default role “employee” for all the users who are getting registered using the self registration procedure. How can I populate that value when the self reg page gets loaded, and the user should not be able to change that field?

Edward says July 8, 2010

Hi Mahendra

Can you attach the architecture diagram, please? I have many questions about your scheme of integration.

Maybe if I see the diagram I could resolve my questions.

What type of SSM was used to integrate? Is it a WLS_SSM, or did you use another type of SSM?

What information

Mahendra says July 8, 2010

Hi Edward,

I don’t have an architecture diagram as of now. I have used WLS_SSM. Please shoot with your questions.

-Mahendra.

Edward says July 10, 2010

Hi Mahendra

If there is no architecture diagram, let me explain my case.

I’m trying to do an integration between OAM and OES to secure a Java application. I have installed:
Weblogic 10.3 (server1)
OAM 10.1.4.3 (server2)
OES 10.1.4.3 (server3)
OID (LDAP) (server4)

Now, what configuration do I need to do in the access manager?
What information is necessary to populate in the provider specific of the OAM identity asserter?
Does the LDAP Authenticator work with the OID, or is it necessary to configure an OID authenticator?
What information is necessary in the provider specific of LDAP?
Is it necessary to install another type of SSM, or is the WLS SSM alone sufficient?

Thanks

Mahendra says July 11, 2010

Hi Edward,

Sorry for late response.
You can either protect your java app using Java SSM or WLS SSM. I don’t have much exposure to Java SSM, so I would deploy the java app in WLS.
You can follow the below approach.

1. Install WLS SSM and configure it.
2. Ensure that application is being protected by OES.
3. Create OID Authenticator in WLS realm and make java app authenticate against OID users.
4. Do the OAM WebLogic server integration. Since this is OAM 10.1.4.3, you may copy the oamAuthnProvider.jar available with OAM downloads into the WLS server directory. A separate post is written for this integration and you can follow that.
5. Ensure to have OAM Identity Asserter created in WLS realm.
6. Use a proxy server in front of WLS, required for SSO.
7. Test the application and it should authenticate & page level atz against OAM and fine grained atz against OES.

Let me know if you have any questions.

Edward says July 12, 2010

Hi Mahendra

Thanks for your answer.

I installed and configured the WLS SSM, I ensure the java app.

But the OID Authenticator does not appear in the list box when I try to create a new provider.

Is there any jar file to enable the OID Authenticator?

Maybe I am missing some type of configuration? Do I need to do a previous configuration with the OID or the OAM?

Thanks

Mahendra says July 13, 2010

Hi Edward,

The OIDAuthenticator is present from WLS 10.3.1 onwards. So you may use LDAPAuthenticator and provide OID configurations.

M

Edward says July 15, 2010

Hi Mahendra

I have a question about the OES configuration.

I need to use the OID users to secure the java app, but I don’t know how I can integrate the OID and OES to create new policies based on OID users.

Is it necessary to create a new authorization provider in the OES asi console?

Mahendra says July 15, 2010

Hi Edward,

All you need to do is to create LDAP Authentication in the Authenticator section of asi console. You should provide OID details there.

Go to the eui console, and create Groups or users for your specific java app. Ideally we would create groups instead of users as the user count will be huge.

Please note that the group name should be same as it is in OID. It automatically maps the OID groups to the OES groups you created and will authorize the users.

Now, you can play with the java app by specifying authorization/Role policies assigned to specific Group created in OES.

Hope this helps.

Mahendra.

Edward says July 27, 2010

Hi Mahendra

What type of LDAP do I need to create? I reviewed my asi console and only the following options appear:
Configure a new WebLogic Authenticator
Configure a new Open LDAPAuthenticator
Configure a new Database Authenticator
Configure a new iPlanet Authenticator
Configure a new Novell Authenticator
Configure a new ASIDirectory Resolver
Configure a new Active Directory Authenticator
Configure a new ALESIdentity Asserter
Configure a new Single Pass Negotiate Identity Asserter
Configure a new FGACIdentity Asserter
Configure a new SAML Identity Asserter
Configure a new X509 Identity Asserter

I’m not sure if OPEN LDAP is the correct option because I don’t know if OPEN LDAP is the Sun LDAP or is for any LDAP.

Regards

Mahendra says July 28, 2010

Hi Edward,

I think there must be LDAP Authenticator available.
Open LDAP may not be the right one for your SUN LDAP.

morion says August 19, 2010

Hi Mahendra,

We need to set up the integration between Oracle Access Manager and Oracle Entitlements Server but we are not using Weblogic.

The applications we are securing are deployed in WebSphere Application Server.

We need to know how OES can authenticate a user already authenticated in OAM. Is there any way OES can use the ObSSOCookie to assert the identity of the user who is trying to access a resource in an application protected by OES (Authorization) and OAM (Authentication)?

Thanks in advance.

Edward says August 19, 2010

Hi Mahendra

I’m not using SUN LDAP, I’m using OID.

When I access ASI Console -> Administration console-> Security configuration-> Service Control Manager-> “appSCM” -> Authentication

Only the following options appear:

Configure a new WebLogic Authenticator
Configure a new Open LDAPAuthenticator
Configure a new Database Authenticator
Configure a new iPlanet Authenticator
Configure a new Novell Authenticator
Configure a new ASIDirectory Resolver
Configure a new Active Directory Authenticator
Configure a new ALESIdentity Asserter
Configure a new Single Pass Negotiate Identity Asserter
Configure a new FGACIdentity Asserter
Configure a new SAML Identity Asserter
Configure a new X509 Identity Asserter

Which authenticator is the right option to connect OES with OID LDAP, to map the groups or users created in OID to configure policy rules?

Once the LDAP authenticator is created, is it possible to see groups and users in the OES eui console automatically?

Thanks in advance.

Mahendra says August 20, 2010

@Edward,

I think there must be an LDAP Authenticator available. However, you can try with the Open LDAP Authenticator, though it is not the right option to select.
Please get back to me in case of any issues.

Mahendra says August 20, 2010

@Morion,

First of all, you would need to install SSM on WebSphere (not sure if it’s certified).
Later, get the authentication and authorization working with OES alone for the applications deployed on WebSphere.

If you are using OAM 10.1.4.3, the oamidentityasserter jar file is provided OOTB (not sure if it’s applicable for WebSphere). So, you can copy that jar file to the WebSphere directory. Put a proxy server in front and protect the WebSphere application in OAM.

When you access the application, OAM authenticates the user and OES authorizes the user. Though I have not tested the WebSphere stuff yet, this is my understanding of how the integration works.

jibitesh says October 22, 2010

@Edward
Use iPlanet if you are using Sun or Oracle Identity Directories. Sun had acquired it a long time ago from Netscape and they haven’t bothered to change it.

hema says November 16, 2010

Hi Mahendra,
I would like to integrate OES, OAM to protect JBoss applications. Could you please let me know the procedure and configurations?

thanks,
Hema

janu says November 16, 2010

hi

Edward says November 23, 2010

Hi Mahendra

I have a problem with my WebLogic protected by OES.
I have installed WebLogic 10.3.2 and a WLS-SSM 10.3.4.1 + CP4.
When I try to create a new attribute of an attribute retriever in the WebLogic console, the console screen shows an error message:

2010-11-23 11:05:57,497 [[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] ERROR com.bea.retrievers.action.utils.BaseActionUtils –
java.lang.NullPointerException
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205)
at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222)
at javax.management.remote.rmi.RMIConnectionImpl_1032_WLStub.getAttribute(Unknown Source)
at

To reproduce the error in the weblogic console navigate to:
home>Summary of Security Realms >”oes_realm” >ASIAuthorizationProvider > Attributes (TAB)

Previously I created an attribute and it works fine, but when I try to modify or create a new attribute the screen shows an error.

Have you had a similar problem? Do you have any recommendations, or any idea about this?

Regards
