Integration of Oracle Access Manager with Oracle Identity Manager
This post covers the steps for Integration of Oracle Access Manager with Oracle Identity Manager.
The objective of this integration is to protect the Oracle Identity Manager User Administration Console using Oracle Access Manager.
The authentication scheme used in this Post is Form Based authentication. The other schemes such as Basic Over LDAP, Certificate and Custom are also possible but are not covered in this post.
In this case, OIM is deployed in Oracle Application Server and hence this post will cover only configurations required for OAS as part of this integration.
During the time of installation of Oracle Identity Manager, we would select Default Mode generally, wherein the OIM will handle the authentication by itself. The other option available is Single sign-on mode, wherein the OIM looks for a header variable passed by external authentication system (it is OAM in our case).
The architecture is as given below.
The integration flow is explained below:
- User access the OIM user administration console.
- The WebGate installed on WebServer (acting as proxy server for Application Server where OIM is deployed) will intercept that request and check if the OIM is protected or not and accordingly challenges the user as per the authentication scheme configured.
- Form page gets displayed and user enters credentials.
- WebGate passes login details to Access Server for authentication.
- Upon successful authentication, Access Server generates ObSSOCookie and sends it to WebGate which in turn sends it to browser. WebGate checks with Access Server if the user is authorized to access the resource or not.
- Upon successful authorization,WebGate will execute the authorization actions which sets userid header variable.
- The WebServer will forward the request to the Oracle Identity Manager and it is configured to read the header variable and treats that userid as logged in user.
Configuration changes:
- We assume that OIM is already deployed in Oracle Application Server. A WebServer acting as proxy server is also installed and configured accordingly.
- We need to install a WebGate on the WebServer.
- Create Policy Domain in OAM with resource to be protected as host:port/xlWebApp
- Create Authorization rule accordingly and set the action tab to set the HeaderVar as userid as shown below.
- HeaderVar HTTP_REMOTE_USERID uid
- Configure Authentication Rule and Authorization expression in Default Rules.
- Enable the policy domain.
- Stop the Application Server gracefully where OIM is deployed.
- Open the file OIM_HOME/xellerate/config/xlconfig.xml and change the Authentication and AuthHeader elements to SSO and HTTP_REMOTE_USERID respectively as shown below.
- From
<web-client> <Authentication>Default</Authentication> <AuthHeader>REMOTE_USER</AuthHeader> </web-client>
- To
<web-client> <Authentication>SSO</Authentication> <AuthHeader>SSO_HEADER_NAME</AuthHeader> </web-client>
- Start the Application server.
Test the integration:
Access the OIM console i.e., http://host:port/xlWebApp and you will notice the Form page is displayed for entering the credentials. Enter the login details and see if the logged in user shown on Right side is the actual user logged in.
Observations:
You can observe that the Logout link vanishes after OAM-OIM integration. This is because OIM will be expecting the Logout page specification from OAM as it is already integrated for SSO configuration. I will cover this part in the next post.
References:
About the Author Mahendra
I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com