Single Sign-on between Weblogic Server and Weblogic Portal using Oracle Access Manager

This post talks about the architecture, integration aspects and troubleshooting tips for the SSO implementation between WLS and WLP applications.

Architecture:

Architecture

Description:
The components present in this architecture are Oracle Access Manager 10.1.4.3, Weblogic Server 10.3.0 and Weblogic Portal 10.3.0, SSPI Connector 10.1.4.2.2 and OHS webserver 11g .
The objective is to get Single Sign-On between Weblogic server and weblogic portal resources using SSPI connector.
Two SSPI connectors are used for Weblogic Server and Portal acting in Identity Assertion Provider mode which is available by default configuration. The OHS webserver acting as reverse proxy for both Weblogic Server and portal applications.
Here, the authentication & authz for Weblogic server resource happens through Oracle Access Manager using SSPI connector. However for the Weblogic Portal, only the authentication happens through OAM and Authz happens via Weblogic Portal.
The flow is described as shown below for Single Sign-On when user traverse from WLS to WLP applications:
1. User access Weblogic Server application through Proxy server and it is intercepted by OHS Webgate and checks with Policy Manager if the resource is protected or not.
2. If resource is protected, Webgate challenges user with form login. Form scheme is recommended for SSO solutions.
3. Login details are validated by Access Server and upon successful authentication, it checks if user is authorized to access the resource.
4. If user is authorized to access then Access server creates cookie and passes it to the browser.
5. The mod_proxy plugin present in the OHS server forwards the request to the Weblogic Server.
5. The Weblogic Security Framework invokes the SSPI connector and Identity Assertion provider listens for ObSSOCookie.
6. IAP will then check the user identity taken from the ObSSOCookie with the weblogic.
7. Upon successful verification, requested resource is shown.
8. User will then access the WLP portal application through the reverse proxy server.
Note: The WLP application is not protected by the OAM where as WLS application is protected by OAM.
9. The OHS webgate checks for the presence of cookie in the user session.
10. The ObLoginFilter configured in the web.xml gets invoked and checks for the ObSSOCookie. If its not present then it will present ObLogin.jsp. Since cookie is present in this scenario, it will check with the weblogic if the user is authorized to access the portal.
11. Upon successful authz, portal will be shown.

The flow is described as shown below for Single Sign-On when user traverse from WLP to WLS applications:
1. User access Weblogic portal application through Proxy server and it is intercepted by OHS Webgate and checks with Policy Manager if the resource is protected or not.
2. Since the user session does not have ObSSOCookie present, then ObLogin.jsp will be shown to enter login details.
3. Login details are validated by ASDK against Access Server and generates ObSSOCookie programatically.
4. It also checks against Weblogic if user is authorised to access the portal.
5. If user is authorized then portal page will be shown.
6.The user will then access the WLS application through the reverse proxy.
7. The OHS webgate intercepts request and check for cookie.
8. Since cookie is present, the mod_proxy plugin in OHS will forward request to Weblogic Server.
9. The Weblogic Security Framework invokes the SSPI connector and Identity Assertion provider listens for ObSSOCookie.
10. IAP will then check the user identity taken from the ObSSOCookie with the weblogic.
11. Upon successful verification, requested resource is shown.

Troubleshooting Tips:
1. Ensure that IPValidation for OHS webgate and both Access gates (portal and server) are OFF. Otherwise when user access WLS resource it will prompt for authentication.
2. Ensure that Login filter mappings are added in the portal application web.xml as shown below.

OblixLoginFilter
com.oracle.login.ObLoginFilter

OblixLoginFilter
/portlets/login_validate/*

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

9 comments

Kishore Rout says January 11, 2011

Hi Atul,
I have weblogic server(10.3.3),Oracle access manager(11.1.1.3.0),soa(11.1.1.3.0) and UCM(11.1.1.3.0) and weblogic portal(10.3.2). Do you have any idea how I can configure SSO in my environment.

Atul Kumar says January 11, 2011

@ Kishore Rout,

Check this

http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/osso.htm#BABJJFAI

Kishore Rout says February 9, 2011

Hi Atul,
I have done SSO configuration using weblogic portal 10.3.2, OAM 11g via webgate. Now SSO is working for me. But after sso login I can see my potal pages, but .jpeg,.css,.gif files which are there in my project ear files are showing in the portal pages only letters are coming. http server is not fetching styles from my project ear files. Could you please help me in this regard.

Kishore Rout says February 9, 2011

Hi Atul,
Sorry.. Mistakes in my above writings. Correct statement is “.jpeg,.css,.gif files which are there in my project ear files are not showing in the portal pages only letters are coming.”

Mahendra says February 9, 2011

Hello Kishore,

Please check whether the jpef, css and gif files are unprotected in OAM Policy domain using anonymous auth scheme.

-Mahendra.

Kishore Rout says February 9, 2011

Hi Atul,
I have done configuration by adding(jpef, css and gif files) in public authentication policy in OAM policy domain. Our configuration is like below.. weblogic server 10.3.3 and OAM 11g is running from one location where as weblogic portal 10.3.2 is running from other location.project ear file was deployed in portal location. SSO is done using webgate with OAM 11g and OHS 11g with project portal. Is there any changes we have to do in http serevr conf file. I think http server is not getting the .gif,.jpeg,.css files?

Mahendra says February 9, 2011

Hello Kishore,

Have you done any proxy at HTTP Server to WebLogic Portal application? If so, is that inclusive of gif,css etc., files?

Please let me know.

-Mahendra.

Kishore Rout says February 9, 2011

Hi Mahendra,
I have added location part to mod_wl_ohs.conf file. The entry is like below:

SetHandler weblogic-handler
WebLogicHost 172.18.226.190
WeblogicPort 7002

and the URL to access portal is: http://172.18.226.190:6666/LoginPortal1/KACSTLogin.portal
OHS server is listening on port:6666. Except this I didn’t do any configuratiion changes.

Varun says June 20, 2013

Hi Atul,
I’m trying to integrate Ping Federate in our WLP 10.3.
Portal has existing Authentication.Login mechanism taking username/password from form coming from JPF controller and then userProfile is created using username.
But now there would Ping Federate server talking to OAM and do authentication and just pass openToken to our application URL and we will read parameters from openToken like username but password will not be available and now how will we move ahead with current Authentication.login as it ask for password of user and only then creates user profile, but we dont have password and if we authentication then this is two way authentication once OAM and then portal authentication and profile creation.

Add Your Reply