Form based authentication using Oracle Access Manager when login page resides in Central location

Hi all,

In my previous you would have seen the configuration for Form based authentication using Oracle Access Manager when application and login page resides in same server.

What if the login page resides in Central location ? This is generally the recommended approach in real time scenarios because there might be several applications where you will use OAM for achieving SSO for all those applications using Form login. In this case, login page will be residing in Central location.

Lets assume that web application resides in OHS server running on port 7777. Login page resides on Apache server running on port 80.

The key params of Authentication Scheme in this usecase are:

Challenge Redirect: http://apachesvr_hostname:80

Rest of the params in Challenge Parameter remains same as explained in the previous article.

You should test the login page accessibility in Apache server using the URL http://apachesvr_hostname:80/login.html

The essential point in this scenario is that there should be a WebGate on the server where login page resides. Also, the login page should be protected using Anonymous Auth scheme as seen in the previous case.

Lets test the application as shown below.

Observe that the login page is present in Apache Server and hence it is redirected as shown below.

After entering the correct credentials, user will be taken to the requested resource on OHS Server.

This finishes the configuration.

Please write your comments in case of any questions.

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

30 comments
» Form based authentication using Oracle Access Manager Online Apps DBA: One Stop Shop for Apps DBA’s says June 16, 2010

[…] this article, I will explain the case 1 and the other article explains case […]

Reply
wilparra says July 28, 2010

Hello.

I have any question: how to configure an external site login, such as the login page of a portal?

Tanks

Reply
Mahendra says July 28, 2010

Hi ,

Can you please elaborate your qn?

Reply
Mahendra says July 29, 2010

Wilparra,

If I understood correctly, you want to have the login page at remote location for your portal ?

If so, this post would answer that question.

mahendra.

Reply
Joe says September 27, 2010

Hi Mahendra,

Do we need to provide the complete url like
http://apachesvr_hostname:80/login.html
in the Challenge Redirect parameter?

Thanks
Joe

Reply
wilparra says September 27, 2010

Thanks, for his responses.

I configured my external login page, and i configured form settings to point to OAM, but the OAM do not authenticate.

I configure with the normal mechanism.

Reply
Mahendra says September 27, 2010

Joe,

Challenge redirect parameter has to be created to specify where the form login is residing. Hence, it is required to specify the value like this http://form_page_hostname:port

Mahendra

Reply
Mahendra says September 27, 2010

wilparra,

Please elaborate what is the normal mechanism you meant by?
When you have protected an application using Form login scheme, is it showing the login page when you access the URL ?
If not, please configure it properly.
What is the exact behavior you are seeing?

Mahendra

Reply
wilparra says September 27, 2010

Hello:

I configure the Form Login Schema. And i place the login page into the web server (the same with Webgate). I do not speak english, so i will explain in spanish.

Excuse me (…)
________
Existía un requerimiento, en el que solicitaba que la página de login estuviera controlada por un WebCenter sobre WebLogic. Intenté la configuración de envío de credenciales a través del método post de la forma sugerida en los webgates, hacia la URL correcta la cual configuré dentro del action de la forma, pero al intentar hacer login sobre esta página, no era posible obtener una autenticación efectiva. La configuración de autenticación basada en formas y la página de redirección sobre Oracle Access Manager funciona correctamente, no funciona es el paso de credenciales desde la página personalizada. La configuración que finalmente dejé, fué Basada en formas, perso con una página alojada en el mismo servidor web sobre el que configuré el WebGate y los proxy inversos.

Reply
Joe says September 28, 2010

Mahendra,

When I provide Challenge Redirect parameter in the format http://form_page_hostname:port, the login page is not rendered. I can confirm that the request is being redirected to the webserver hosting the login page as I can see the entries in the access logs in the web server. But it goes into a loop causing the log file to grow indefinitely. Not sure what’s happening. Please advise.

Thanks
Bino

Reply
Joe says September 28, 2010

Without challenge redirect parameter, Login Page on separate servers work just fine.

Reply
Mahendra says September 28, 2010

Joe,

If you are using OAM above 10.1.4.0.1, then you will need to protect form action. The behavior of form page looping seems to be a known issue. Please let me know the OAM version you are using. Please be cautious with the order of plugins configured in Form authentication scheme. Credential_mapping should be first and validate_password should be next.

Reply
Joe says October 4, 2010

Hi Mahendra,

OAM version is 10.1.4.3

I tried changing the order of plugins but the looping issue remains. Could you tell more on protecting form action? What authentication scheme do we need to use for the same?

Regards
Joe

Reply
Joe says October 4, 2010

Mahendra, to add – the form action “/dummy” has already been protected using anonymous authentication rules. Any other configuration that I have left out?

Regards
Joe

Reply
Mahendra says October 4, 2010

Joe,

Do you have Form page residing in different machine from OAM Access Server? Form action URL should be protected using Anonymous scheme. Please check if this policy domain is enabled or not.

The WebServer on which the form login page is residing should have webgate installed.

-Mahendra.

Reply
Joe says October 5, 2010

Hi Mahendra,

Yes, the form page is residing in a different machine from OAM Access Server (is this a problem ?) and web gate has been installed in that machine.

Form action URL has been protected using Anonymous scheme and the policy is enabled.

Regards
Joe

Reply
Mahendra says October 5, 2010

Joe,

Please check if there is a time difference between those two machines. This could be the cause for the the behavior you are seeing. what does Access Server & WebGate logs say? You can also use the ie http headers tool to verify whether the obssocookie is getting created and again set to loggedoutcontinue. If you see this behavior in ie http headers, then it could be due to time difference.

Mahendra.

Reply
Joe says October 7, 2010

Mahendra,

I have checked – there is no time difference between the two machines.

Yes, the ObSSOCookie is created and set to loggedoutcontinue.

As before, Mozilla says the request cannot be completed due to Redirect Loop.

regards
Joe

Reply
Mahendra says October 7, 2010

Joe,

Please check the access server and webgate logs. If you see timeout exceeded error then this could be due to time difference.
Else, you may need to patch the OAM.

Mahendra.

Reply
dinesh says December 6, 2010

Hi,

We are having a separate web application that should be integrated with IDM for SSO. The IDM team has a OID where the users and roles for our web application URL are configured in policy admin.Our webapplication has a tomcat webserver that is integrated with tomcat. A user already logs-in portal.When he hits our webapp url the username is passed in URL and obssocookie is set. we have to validate this obssocookie to authenticate the user. How we can route the user to our webapp defined in our web.xml. Please explain the flow.

Reply
madhu says September 8, 2011

Hi Mahendra,

When we access the protected url (http://localhost:port/testapplication in the browser is it redirecting to http://localhost:port/login.html .Can we hide the url with redirecting to login.html in browser as people adding http://localhost:port/login.html in favourites and next time they are accessing saved url instead of protected url resulting in its stopping in dummy.

Reply
Mahendra says September 8, 2011

Madhu,

I feel this is something at browser level. Even if we proxy the Login.html to a protected resource in HTTP Server, it is not right approach. I understand your scenario, but cannot find a way to hide it. The only solution is to knowledge the people not to add Login page as favorites.

Hope this helps.

Thanks,
Mahendra

Reply
arock says November 19, 2011

I found that you can test the login (i.e., verify the credentials) and bypass the login form by entering the the protected url with the login and password in the query string in the browser address bar.
http://server/protected/page.html?login=jsmith&password=MyPwd

How can i bypass that. I don’t want it be accessed using the credentials as it will breach the secure identity of the user. Is there a way i can avoid this. I remember a setting you could do in authentication scheme challenge parameter to use domain:MyDomain instead of creds:username password, but will it effect the login. Please help !

Thanks,

Reply
arock says November 19, 2011

To be precise, i want to preserve protected URL from being accessed using query string parameters. Can i mention the query string parameters directly in the policy console and will it stop using those parameters in the URL ? Why do we mention query string parameter in that policy configuration form anyway.

Thanks for the inputs.

Reply
Sunil says July 12, 2012

Hi Mahendra,

I have configured OAM, OIM set up as part for SSO configuration. I am struggling with form base authentication.
As part of Form base authentication .. performed following activities
1. I have build small struts application with login.jsp, success.jsp and error.jsp

2. configured login.jsp at authentication scheme with challenge URL and
3. Expecting to authenticate the username & passowrd with OID.
4. Once its successful then it should redirect to successful.jsp else redirect to error.jsp and all these are configured at Authentication scheme.
5. Registered this Authentication module with Application domains -> Authorization policies.

ISSUE : Currently its not authenticating with the username and password. In case of valid credential or invalid credential its redirecting to success.jsp
As part of response I am not getting SSO cookies.
Only “OAMAuthnCookie” and I am expecting ‘OAM_ID’.

Please REPLY

============================================
Please below HTTP headers for more details
Header = Accept & Value =image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Header = Referer & Value =http://172.00.000.000:7021/testApp/index.jsp?authn_try_count=0&request_id=8776486164890632572&OAM_REQ=VERSION_4%7E9HP%252fwYIKtqB1Amjym4PTdbef91wqN1bKs6fnbv3lHelEB5bQLNmhtsxHOTn0YsrdTzqCmenoahihwMEp5u4GaCnF7fxqlapbkdxAWU1f5GjO3GY%252bF%252bkWT56s0AHjCgchtG4ivLNbVjuoq%252fm%252fQtR9uOe7uLwmpWpLZVNoUU9LjLq7EDDW2SEhQZWi2oMkhHSrwVj89TZ7g9R1GOq0RDtRlNpkw%252bCEI2cvcqNmF7bqfZBYADAqqNsICBiSOvJjD1UwGryFMymGfhLieij2XXslNUOWFWOkb1DcuxMTKdf8fOpOFzcUz4HYXn5sh5DtXEkG7YiqF2zHOjp4UdF2KIuA55FgyD7R7YFBNQEupjR0AY48GQqIpGWphegwYrXAnSpsz%252fTsO1OuHLQ9oVg%252fFG0EyV2wo%252fl7hLb94t8YxPexh8XSD%252bc3fSPVJussHlyGpwshZiN6MOfb8FDVcIdEci8Lx1tGB3J5Cv1C0OtUN3WXvVZ9VK2Go9yUXulkoFENdRftBaCBcKJupkoSE14vlJE1dt6cK5REOoz7lauklXa3Ew2gfriEIzK4EpIbE%252fRF9ejpNNpaXq9DFr2tRMycaBjoxeuq223j14O%252b%252blmobCR%252fbz81sW7ANr3ZdmpAnpWNQZdN8Lo%252fGSiQJJcGK3foLVGqmrcq33%252fhLuBfvNOvfPT5ndv4bZgdpuv5thLHluCYcKstB1uTQqhGRzSVec%252bf94lUp71fmSABu2tS5wIM2HcZNfFPtkMUpLLNO2O%252fbuTtEzFtJ8MvcF%252bs3xqvAERFB3jRIy1MysQd6EUD263pOM0ePd3bbgcej0SY8gE3ryFYwAYd3yprLejRvPgQWqJMD9lvwF%252bv5HfTLm%252bJXsPMxCmMbYvHpGNH27B0nXT1asNCO%252bP2bS9jDKgmGSNFxk4NAZ5tPcACneYZQ5KfKE8rmppAF9gIYWleOVSNYlPRtDlPI0VLNa9MOMXjhtGswen%252btESsZfZia%252b4LmETLK8A81lxjBukNGl9JzCy16bpLhZOVYHq84PbWkv85CEXm83b9JPHvwDX0Fyx2cpVXca2Kh8PIGemVQEzGcTWSSGJSriE1wi%252bUKy7E4ZiB2yQIV4A1dWusCp95Hhwzs9N9MTAniCmQB75wj9LL80tfDEBnxVpaIJAXdwMq2iHEf0O2hUDs9lKXHlcHMCAo5h8uc8Uk97Z0y%252fq5hqQTXF5mjVvJz52XFKtVFdbKPbLKY9joCccTCpNCnyDhh10Bf5fu%252fRRhYYwTViNsZ2TV3ws%252bGGq4IVMr%252b0CMoPcIWRwfd%252bBrOPviiIuGK7yPsQ57r5ZbOrIKm6DDhSVXjlXLHiKZIUg8Z47bvJGU8UpW5N4KC2KlSPXhgWzerBmHaCHNa6qN6tJ40ZbXMYNgoHmzuA6RKbgtXDBZOkH7xEs3NzbzmMYoaEO%252fTYQM9raBxwBB21P8dGmcTPJiPEpPzInVijQZW9nhhVk6bNNhZn3BIMLwQLk5Haf8DyW9UyrJW3AXP3fhpXxrPMwMUnmcw5lfO0Kmups%252fAi2Iw3fSqA4ZoyNJSrnfjY2yuHjZEVQMuWrFb8d6ll3lh4MJ57Qm0iah7tYziCPHxIgMRR6fqNDMVw43Vz6GvgOAeFVyMMOR7JMbv4CZn16fmHg7XO2iqQpNSXr7xzaGy%252fwrdpuM&locale=en_US
Header = Accept-Language & Value =en-us
Header = User-Agent & Value =Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Header = Content-Type & Value =application/x-www-form-urlencoded
Header = Accept-Encoding & Value =gzip, deflate
Header = Host & Value =172.00.000.000:7021
Header = Content-Length & Value =49
Header = Connection & Value =Keep-Alive
Header = Cache-Control & Value =no-cache
Header = Cookie & Value =http%3A%2F%2F172.00.000.000%3A7001%2Fsuite%2Fmasterapp%2Ftheme=%7B%22state%22%3A%7B%22id%22%3A%22s%3Aappian%22%2C%20%22file%22%3A%22s%3Ahttp%3A%2F%2F172.00.000.000%3A7001%2Fsuite%2Fmasterapp%2F..%2FappBuilder%2Fcss%2Fgxt-appian.css%22%7D%7D; OAMAuthnCookie_172.00.000.000:7777=loggedoutcontinue; OAMRequestContext_172.00.000.000:7777_337754=3wTHDPLdoDlp9+xCt+guSw==; JSESSIONID=GtXTP2CLh18s7f2LXPQpTlJ7Xx6kTNhpDWGJvppkMQyHTjYJDPhC!1941440109

Reply
venkat28 says February 13, 2013

Hello Mahendra,
I have DCC configured in http://localhost:7777 (OHS Server running there). I created a sample html and placed in the htdocs of the OHS server. Could you please explain the how to configure the authentication scheme?

Reply
Mahendra says February 13, 2013

Venkat,

You would need to define host identifier in OAM console. I presume webgate is already installed and working.

Create a policy domain with resource as / and assign form based auth scheme to test it.

Reply
jayaraj313 says September 16, 2014

Hi,

How to bypass sso in apache level while using the oam webgate plugin.

Reply
jayaraj313 says September 16, 2014

Hi,

How to bypass sso in apache level while using the oam webgate plugin. Please help.

Reply
GPR says February 19, 2015

Hi,

We have configured SSO for one of the nagios Apache application.This application provide the runtime monitoring information of the servers. Below is the steps that we followed

1) Install the apache webgate on apache server
2) There is an existing OAM setup integrating with OID for user storage.
3) created the SSO webgate on OAM server to connect the apache
4) Access the apache application with apachehost and portnumber with context root as below.

http://apachehost:80/apace
This is is redirecting to OAM login pages
entered the user id and password which are stored in OID and successfully login the apache application.

Issue: After getting the login page user not able to see the monitoring information on the page.

Can any one suggest is there anything need to modify the apache configuration to user get the runtime information.

Reply
Add Your Reply

Not found