This post talks about the architecture, integration aspects and troubleshooting tips for the SSO implementation between WLS and WLP applications.
The components present in this architecture are Oracle Access Manager 10.1.4.3, Weblogic Server 10.3.0 and Weblogic Portal 10.3.0, SSPI Connector 10.1.4.2.2 and OHS webserver 11g .
The objective is to get Single Sign-On between Weblogic server and weblogic portal resources using SSPI connector.
Two SSPI connectors are used for Weblogic Server and Portal acting in Identity Assertion Provider mode which is available by default configuration. The OHS webserver acting as reverse proxy for both Weblogic Server and portal applications.
Here, the authentication & authz for Weblogic server resource happens through Oracle Access Manager using SSPI connector. However for the Weblogic Portal, only the authentication happens through OAM and Authz happens via Weblogic Portal.
The flow is described as shown below for Single Sign-On when user traverse from WLS to WLP applications:
1. User access Weblogic Server application through Proxy server and it is intercepted by OHS Webgate and checks with Policy Manager if the resource is protected or not.
2. If resource is protected, Webgate challenges user with form login. Form scheme is recommended for SSO solutions.
3. Login details are validated by Access Server and upon successful authentication, it checks if user is authorized to access the resource.
4. If user is authorized to access then Access server creates cookie and passes it to the browser.
5. The mod_proxy plugin present in the OHS server forwards the request to the Weblogic Server.
5. The Weblogic Security Framework invokes the SSPI connector and Identity Assertion provider listens for ObSSOCookie.
6. IAP will then check the user identity taken from the ObSSOCookie with the weblogic.
7. Upon successful verification, requested resource is shown.
8. User will then access the WLP portal application through the reverse proxy server.
Note: The WLP application is not protected by the OAM where as WLS application is protected by OAM.
9. The OHS webgate checks for the presence of cookie in the user session.
10. The ObLoginFilter configured in the web.xml gets invoked and checks for the ObSSOCookie. If its not present then it will present ObLogin.jsp. Since cookie is present in this scenario, it will check with the weblogic if the user is authorized to access the portal.
11. Upon successful authz, portal will be shown.
The flow is described as shown below for Single Sign-On when user traverse from WLP to WLS applications:
1. User access Weblogic portal application through Proxy server and it is intercepted by OHS Webgate and checks with Policy Manager if the resource is protected or not.
2. Since the user session does not have ObSSOCookie present, then ObLogin.jsp will be shown to enter login details.
3. Login details are validated by ASDK against Access Server and generates ObSSOCookie programatically.
4. It also checks against Weblogic if user is authorised to access the portal.
5. If user is authorized then portal page will be shown.
6.The user will then access the WLS application through the reverse proxy.
7. The OHS webgate intercepts request and check for cookie.
8. Since cookie is present, the mod_proxy plugin in OHS will forward request to Weblogic Server.
9. The Weblogic Security Framework invokes the SSPI connector and Identity Assertion provider listens for ObSSOCookie.
10. IAP will then check the user identity taken from the ObSSOCookie with the weblogic.
11. Upon successful verification, requested resource is shown.
1. Ensure that IPValidation for OHS webgate and both Access gates (portal and server) are OFF. Otherwise when user access WLS resource it will prompt for authentication.
2. Ensure that Login filter mappings are added in the portal application web.xml as shown below.
I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com