10 Setting Up Network Integrity for Single Sign-On Authentication

This chapter provides instructions for setting up Oracle Communications Network Integrity for single sign-on (SSO) authentication.

Network Integrity implements the single sign-on (SSO) authentication solution using Oracle Access Manager, which enables you to seamlessly access multiple applications without being prompted to authenticate for each application separately. You can also use SAML 2.0 to enable Single Sign-On (SSO) and Single Log-Out (SLO) in Network Integrity which allows you to access applications with a single username and password combination. For more information on security concepts and definitions, see “Security Assertion Markup Language (SAML)” section of the Understanding Security for Oracle WebLogic Server Guide. The main advantage of SSO is that you are authenticated only once, when you log in to the first application; you are not required to authenticate again when you subsequently access different applications with the same (or lower) authentication level (as the first application) within the same web browser session.

Network Integrity also supports the single logout (SLO) feature. If you access multiple applications using SSO within the same web browser session, and then if you log out of any one of the applications, you are logged out of all the applications.

This solution supports SSO authentication between Network Integrity and Oracle Communications Unified Inventory Management (UIM) applications.

For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Setting up Network Integrity for SSO authentication includes the following tasks:

Using Oracle Access Manager:

  • Installing Required Software

  • Configuring Network Integrity to Enable SSO Authentication

Using SAML 2.0 and IDP:

  • Installing Required Software

  • Configuring Network Integrity to Enable Authentication using SSO/SLO and IDP using SAML

Installing Required Software

Install and configure the following software that Network Integrity requires for implementing SSO authentication:

  • External Lightweight Directory Access Protocol (LDAP) Server. Oracle recommends Oracle Internet Directory (OID) as the LDAP store external to the WebLogic server.

  • Oracle Access Manager (OAM), included with Oracle Identity and Access Management

  • Oracle WebLogic Server

  • Oracle HTTP Server (OHS)

  • Oracle HTTP Server WebGate for OAM

See "Software Requirements" for information on required software versions.

To install the required software, do the following:

  1. Install WebLogic Server and create the Oracle Middleware Home directory (MW_Home). This is the directory in which the Oracle Fusion Middleware products are installed.

    For more information, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

  2. Install Oracle Access Manager (OAM) in the same Oracle Middleware Home directory that you created when you installed Oracle WebLogic Server.

    For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Install and configure Oracle HTTP Server, which is a Web server that acts as the front end to the Oracle WebLogic Server.

    For more information, see Oracle Fusion Middleware Installing and Configuring Oracle HTTP Server.

  4. Install and configure Oracle HTTP Server WebGate for OAM.

    A WebGate is a web-server plug-in for Oracle Access Manager (OAM) that intercepts HTTP requests and forwards them to the Access Server for authentication and authorization. For more information, see Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

  5. Install an external LDAP server, for example, Oracle Internet Directory (OID). Oracle recommends Oracle Internet Directory as the LDAP store external to the WebLogic Server.

    For information on installing and configuring Oracle Internet Directory, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  6. Configure the external LDAP as the user identity store in OAM.

    For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  7. Register the Oracle HTTP Server WebGate instance with OAM by using the Oracle Access Manager Administration Console.

    For more information, see the chapter on “Registering Partners (Agents and Applications) by Using the Console" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  8. Install Oracle WebLogic Server 12c. See "Installing and Configuring Oracle WebLogic Server" for more information.

  9. Continue with the steps in "Configuring Network Integrity to Enable SSO Authentication".

Configuring Network Integrity to Enable SSO Authentication

Configuring Network Integrity to enable SSO authentication involves the following tasks:

  • Installing and Deploying Network Integrity Specifying the External LDAP Provider

  • Configuring the Frontend URL in Administration Console

  • Creating and Configuring Authentication Providers for OAM SSO

  • Configuring web.xml for the OAM Identity Asserter

  • Configuring the mod_wl_ohs Plug-In for Oracle HTTP Server

  • Protecting Resources For SSO Authentication

  • Excluding Resources From SSO Authentication

Installing and Deploying Network Integrity Specifying the External LDAP Provider

To install and deploy Network Integrity specifying the external LDAP security provider:

  1. Configure authentication providers for your external security provider. See "Configuring Custom Authentication Providers" for more information.

    Oracle recommends Oracle Internet Directory as the LDAP store external to the WebLogic server. See "Installing and Configuring Oracle Internet Directory" for more information.

  2. Install and deploy Network Integrity specifying the external LDAP provider.

    When installing Network Integrity, in the Security Provider Selection screen, select the External Security Provider option, and then enter the required information in the External Security Provider Connection Information screen. Follow the instructions provided in "Installing Network Integrity by Using Interactive Install".

Configuring the Frontend URL in Administration Console

Set the front-end host and port so that all requests to access the applications (Network Integrity) deployed in the WebLogic administration server go through the Oracle HTTP Server.

To configure the Frontend URL:

  1. Log in to the Oracle WebLogic Server administration console.

  2. In the Domain Structure tree, expand Environment, and do one of the following:

    • Select Clusters (if the server instances to which you want to proxy requests from Oracle HTTP Server are in a cluster)

    • Select Servers.

      The Summary of Servers page appears.

  3. Select the server or cluster to which you want to proxy requests from Oracle HTTP Server.

  4. Click the Configuration tab.

  5. On the General tab, in the Advanced section, select the WebLogic Plug-In Enabled check box.

  6. If you selected Servers in step 2, repeat steps 3 through 5 for the other servers to which you want to proxy requests from Oracle HTTP Servers.

  7. Click Save.

  8. Restart the WebLogic server.

  9. Log in to the Oracle WebLogic Server administration console.

  10. In the Domain Structure tree, expand Environment, and click Servers.

    The Summary of Servers screen appears.

  11. Click the server where Network Integrity is deployed.

    The settings screen for the server appears.

  12. Click the Protocols tab.

  13. On the HTTP tab, do the following:

  14. In the Frontend Host field, enter the name of the Oracle HTTP Server host machine.

    WebLogic Server uses this value instead of the one in the host header. All HTTP URLs are redirected to this HTTP host.

  15. In the Frontend HTTP Port field, enter the Oracle HTTP Server port number.

    All HTTP URLs are redirected to this HTTP port.

  16. In the Frontend HTTPS Port field, enter the Oracle HTTP Server SSL port number.

    All HTTPS URLs are redirected to this HTTPS port.

  17. Click Save.

  18. In the Change Center of the Administration Console, click Activate Changes.

Creating and Configuring Authentication Providers for OAM SSO

You must create a new OAMIdentityAsserter provider for OAM SSO in the WebLogic Server Administration Console.

To create the OAMIdentityAsserter provider:

  1. Log in to the WebLogic Server Administration Console.

  2. Under Your Application's Security Settings, click Security Realms.

    The Summary of Security Realms screen appears.

  3. Select the realm YourRealmName, for which you need to configure the OAM identity asserter.

    The Settings For YourRealmName screen appears.

  4. Click the Providers tab, and then click the Authentication tab.

  5. Click New.

    The Create a New Authentication Provider screen appears.

  6. In the Name field, enter a name for the new provider; for example, OAM ID Asserter.

  7. From the Type list, select OAMIdentityAsserter.

  8. Click OK.

    The Settings For YourRealmName screen appears, showing the newly created authentication name in the Authentication tab.

  9. Click the link for AuthenticatorName (for example, OAM ID Asserter).

    The Settings for AuthenticatorName screen appears.

  10. On the Common tab, from the Control Flag list, select REQUIRED.

  11. Under Active Types, use the directional arrow buttons to move OAM_REMOTE_USER from the Available column to the Chosen column.

    Ensure that OAMAuthnCookie and OAM_IDENTITY_ASSERTION are present in the Chosen column.

  12. Click Save.

  13. Click the Providers tab, and then click the Authentication tab.

  14. Click the link for DefaultAuthenticator and ensure that the default authenticator's control flag is set to SUFFICIENT.

  15. Click the link for OID/OUD Authenticator (for example, OracleInternetDirectoryAuthenticator) and ensure that the OID/OUD authenticator's control flag is set to SUFFICIENT.

    See "Configuring the Authentication Provider" for more information.

  16. On the Authentication tab, click Reorder.

    The Reorder Authentication Providers screen appears.

  17. Use the up and down arrows to reorder the listed authentication providers as follows:

    • OAMIdentityAsserter (REQUIRED)

    • OracleInternetDirectoryAuthenticator (SUFFICIENT)

    • DefaultAuthenticator (SUFFICIENT)

  18. Click OK.

Configuring web.xml for the OAM Identity Asserter

You configure the web.xml file for the OAM Identity Asserter by updating the deployment plan. You use deployment plans to change an application's WebLogic Server configuration for a specific environment without modifying existing deployment descriptors.

To update the web.xml file:

  1. For using Oracle Access Manager Identity Asserter, you must specify the authentication method as CLIENT-CERT in the web.xml file for the appropriate realm by editing the deployment plan. The web.xml file is located at NI_Home/app/NetworkIntegrity.ear/NetworkIntegrityApp_NetworkIntegrityUI_webapp1.war/WEB-INF/, where NI_Home is the directory in which the Network Integrity software is installed.

    • Depending on your deployment configuration, do one of the following:

      • If Network Integrity is installed in a single server environment, navigate to and open the NI_Home/app/plan/Plan.xml file.

      • If Network Integrity is installed in a clustered server environment, navigate to and open the NI_Home/app/plan/ClusterPlan.xml file.

    • Update the variable-definition and variable-assignment elements; specifically, add CLIENT-CERT as follows:

      <variable-definition>
        <variable>
          <name>ClientCertAuthMethod</name>
          <value>CLIENT-CERT</value>
        </variable>
        <variable>
          <name>RealmName</name>
          <value>myrealm</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>NetworkIntegrityApp_NetworkIntegrityUI_webapp1.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>web-app</root-element>
          <uri>WEB-INF/web.xml</uri>
          <variable-assignment>
            <name>ClientCertAuthMethod</name>
            <xpath>/web-app/login-config/auth-method</xpath>
            <operation>replace</operation>
          </variable-assignment>
          <variable-assignment>
            <name>RealmName</name>
            <xpath>/web-app/login-config/realm-name</xpath>
            <operation>add</operation>
          </variable-assignment>
        </module-descriptor>
      </module-override>

    • Save and close the Plan.xml/ClusterPlan.xml file.

  2. Update the deployment plan for the currently-deployed Network Integrity application:

    1. Log in to the WebLogic Server Administration Console.

    2. In the Domain Structure tree, expand Environment, and click Deployments.

      The Summary of Deployments screen appears.

    3. Select the check box beside NetworkIntegrity.

    4. Click Update.

      The Update Application Assistant page appears.

    5. Select Update this application in place with new deployment plan changes and click Next.

    6. (Optional) Click Change Path beside the Deployment Plan Path field and browse to the location of the Plan.xml/ClusterPlan.xml file.

      The Summary page appears.

    7. Click Finish.

    8. In the Change Center of the Administration Console, click Activate Changes.
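To see exactly what the two variable assignments in the plan do to the WAR's web.xml, here is an added Python example (not Oracle's code and not part of the shipped plan). It applies the replace and add operations from a constructed plan fragment, which uses the same variables and XPaths as the Plan.xml fragment above but omits the real plan's XML namespace, to a constructed web.xml, and then checks that the login-config ends up as the OAM Identity Asserter requires.

```python
"""Apply the chapter's Plan.xml variable assignments to a web.xml and verify the result.

Added example, not Oracle's code. Both documents are constructed fragments: the
plan mirrors the chapter's variable-definition / module-override elements (the
real plan also carries a deployment-plan XML namespace, omitted here), and the
web.xml starts out with FORM authentication, which is what a plan that was not
applied would leave in place.
"""
import xml.etree.ElementTree as ET

# Constructed starting descriptor: FORM login, no realm-name element yet.
WEB_XML = """<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
</web-app>"""

# Constructed plan fragment with the chapter's two variables and two assignments.
PLAN_XML = """<deployment-plan>
  <variable-definition>
    <variable><name>ClientCertAuthMethod</name><value>CLIENT-CERT</value></variable>
    <variable><name>RealmName</name><value>myrealm</value></variable>
  </variable-definition>
  <module-override>
    <module-name>NetworkIntegrityApp_NetworkIntegrityUI_webapp1.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>web-app</root-element>
      <uri>WEB-INF/web.xml</uri>
      <variable-assignment>
        <name>ClientCertAuthMethod</name>
        <xpath>/web-app/login-config/auth-method</xpath>
        <operation>replace</operation>
      </variable-assignment>
      <variable-assignment>
        <name>RealmName</name>
        <xpath>/web-app/login-config/realm-name</xpath>
        <operation>add</operation>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>"""


def plan_variables(plan: ET.Element) -> dict:
    """Map each variable name in <variable-definition> to its value."""
    return {v.findtext("name"): v.findtext("value")
            for v in plan.findall("variable-definition/variable")}


def apply_plan(web_xml: str, plan_xml: str, uri: str = "WEB-INF/web.xml") -> ET.Element:
    """Apply every variable-assignment whose module-descriptor targets `uri`.

    Only the simple absolute XPaths used by the chapter (/root/child/leaf) are
    supported; `replace` requires the target to exist, `add` creates it if absent.
    """
    root = ET.fromstring(web_xml)
    plan = ET.fromstring(plan_xml)
    values = plan_variables(plan)
    for desc in plan.iter("module-descriptor"):
        if desc.findtext("uri") != uri:
            continue
        for va in desc.findall("variable-assignment"):
            name, xpath, op = (va.findtext(t) for t in ("name", "xpath", "operation"))
            if name not in values:
                raise ValueError(f"assignment references undefined variable {name!r}")
            steps = xpath.strip("/").split("/")
            if steps[0] != root.tag:
                raise ValueError(f"xpath {xpath!r} does not start at <{root.tag}>")
            parent_path, leaf = "/".join(steps[1:-1]), steps[-1]
            parent = root if not parent_path else root.find(parent_path)
            if parent is None:
                raise ValueError(f"xpath {xpath!r}: parent element missing from web.xml")
            target = parent.find(leaf)
            if op == "replace":
                if target is None:
                    raise ValueError(f"replace: {xpath!r} not present in web.xml")
            elif op == "add":
                if target is None:
                    target = ET.SubElement(parent, leaf)
            else:
                raise ValueError(f"unsupported operation {op!r}")
            target.text = values[name]
    return root


def login_config(root: ET.Element) -> dict:
    """The auth-method and realm-name a deployed descriptor ends up with."""
    lc = root.find("login-config")
    return {child.tag: (child.text or "").strip() for child in lc} if lc is not None else {}


def uses_oam_identity_asserter(root: ET.Element) -> bool:
    """True when the descriptor asks for CLIENT-CERT, the auth method the OAM
    Identity Asserter requires; FORM means the plan was not applied."""
    return login_config(root).get("auth-method") == "CLIENT-CERT"
```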

Configuring the mod_wl_ohs Plug-In for Oracle HTTP Server

You can configure mod_wl_ohs plug-in by specifying directives in the mod_wl_ohs.conf file to enable the Oracle HTTP Server instances to forward requests to the applications deployed on the Oracle WebLogic server or clusters.

For more information, see Oracle Fusion Middleware Using Web Server Plug-Ins with Oracle WebLogic Server.

To configure the mod_wl_ohs plug-in:

  1. Open the mod_wl_ohs.conf file from the following location:

    Domain_Home/config/fmwconfig/components/OHS/ohs1/

    where:

    Domain_Home is the directory containing the configuration for the domain into which Oracle HTTP Server is installed.

  2. Add directives within the <IfModule weblogic_module> element in the configuration file as follows:

    • To forward requests to the Network Integrity application running on a single Oracle WebLogic Server instance, specify /NetworkIntegrity within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /NetworkIntegrity>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which Network Integrity is installed

    • To forward requests to the Network Integrity application running on a cluster of Oracle WebLogic Server instances, specify /NetworkIntegrity within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /NetworkIntegrity>
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>
      </IfModule>
      

      where:

      • host1 and host2 are host names of the managed servers

      • port1 and port2 are ports of the managed servers

    • To forward requests to the Network Integrity Web services running on a single Oracle WebLogic Server instance, specify /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which Network Integrity is installed

    • To forward requests to the Network Integrity Web services running on a cluster of Oracle WebLogic Server instances, specify /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root>
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>
      </IfModule>
      

      where:

      • host1 and host2 are host names of the managed servers

      • port1 and port2 are ports of the managed servers

    • To forward requests to the Network Integrity application running on a single Oracle WebLogic Server instance to support integration with UIM, specify /NI_Uim within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /NI_Uim>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which Network Integrity is installed

    • To forward requests to the Network Integrity application running on a cluster of Oracle WebLogic Server instances to support integration with UIM, specify /NI_Uim within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /NI_Uim>
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>
      </IfModule>
      

      where:

      • host1 and host2 are host names of the managed servers

      • port1 and port2 are ports of the managed servers

    • To forward requests to the Network Integrity application running on a single Oracle WebLogic Server instance into which you want to deploy cartridges, specify /cartridge within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which Network Integrity is installed

    • To forward requests to the Network Integrity application running on a cluster of Oracle WebLogic Server instances into which you want to deploy cartridges, specify /cartridge within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort ms_port
      </Location>
      </IfModule>
      

      where:

      • host is the machine where the managed server is running

      • ms_port is the port of the managed server running on the host specified in the host variable above

      For example, if a managed server networkintegrity01 with listen port 8065 is running on the machine NETINT1, you must specify the following:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost NETINT1
      WebLogicPort 8065
      </Location>
      </IfModule>

Protecting Resources For SSO Authentication

You must protect resources (for example, the Network Integrity application) in Oracle Access Manager for SSO authentication. For more information, see Fusion Middleware Administrator's Guide for Oracle Access Management.

To protect resources for SSO authentication:

  1. Open the Oracle Access Management Console.

  2. On the Policy Configuration tab, expand the Application Domains node.

  3. Expand the node for the application domain.

  4. Within the application domain, expand the Resources node.

  5. Click the Resources tab, and then click the New Resource button in the upper-right corner of the Search page.

    The Resource Definition page appears.

  6. Do the following to configure the Network Integrity application as a protected resource for SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /NetworkIntegrity/.../*.

    • From the Protection Level list, select Protected.

  7. Click Apply.

Excluding Resources From SSO Authentication

You can exclude HTTP resources that do not require SSO authentication, for example, the Web Services Description Language (WSDL) document for the Web services. The excluded resources are public and do not require an OAM Server check for authentication.

When allowing access to excluded resources, WebGate does not contact the OAM Server. Excluded resources cannot be added to any user-defined policy in the console. For more information, see Fusion Middleware Administrator's Guide for Oracle Access Management.

To exclude resources from SSO authentication:

  1. Open the Oracle Access Management Console.

  2. On the Policy Configuration tab, expand the Application Domains node.

  3. Expand the node for the application domain.

  4. Within the application domain, expand the Resources node.

  5. Click the Resources tab, and then click the New Resource button in the upper-right corner of the Search page.

    The Resource Definition page appears.

  6. Do the following to exclude Network Integrity Web services from SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter the following to exclude Network Integrity Web services from SSO authentication:

      /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root/.../*

    • From the Protection Level list, select Excluded.

  7. Click Apply.

  8. Click the New Resource button.

    The Resource Definition page appears.

  9. Do the following to exclude the Network Integrity cartridge deployment process from SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /cartridge/.../*.

    • From the Protection Level list, select Excluded.

  10. Click Apply.

  11. Click the New Resource button.

    The Resource Definition page appears.

  12. Do the following to exclude the Network Integrity and UIM integration process from SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /NI_Uim/.../*.

    • From the Protection Level list, select Excluded.

  13. Click Apply.
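The mod_wl_ohs Location blocks decide which paths OHS forwards to WebLogic, while the OAM resource definitions above decide which of those paths the WebGate protects, excludes, or has no policy for at all. The following added Python example (not Oracle's or OAM's code) parses a constructed mod_wl_ohs.conf assembled from the blocks in this chapter, matches sample request paths against the chapter's four OAM resource URLs, and flags any forwarded Location that ends up with no policy; the matcher's reading of the "..." and "*" wildcards is a simplifying assumption, not OAM's own engine, and NETINT2 is a constructed second host.

```python
"""Cross-check mod_wl_ohs Location blocks against the OAM resource policy.

Added example, not Oracle's or OAM's code. The configuration text and the
resource list are constructed from this chapter; the wildcard matcher is a
simplified reading of OAM's '...' and '*' (an assumption), and query strings
are ignored so only the path is matched (also a simplification).
"""
import re

# Constructed mod_wl_ohs.conf combining the chapter's Location blocks.
# NETINT1:8065 is the chapter's example; NETINT2 is a constructed second host.
MOD_WL_OHS_CONF = """<IfModule weblogic_module>
<Location /NetworkIntegrity>
SetHandler weblogic-handler
WebLogicHost NETINT1
WebLogicPort 8065
</Location>
<Location /NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root>
SetHandler weblogic-handler
WebLogicCluster NETINT1:8065,NETINT2:8065
</Location>
<Location /NI_Uim>
SetHandler weblogic-handler
WebLogicHost NETINT1
WebLogicPort 8065
</Location>
<Location /cartridge>
SetHandler weblogic-handler
WebLogicHost NETINT1
WebLogicPort 8065
</Location>
</IfModule>"""

# The four resources this chapter defines in the OAM Resource Definition page.
OAM_RESOURCES = [
    ("/NetworkIntegrity/.../*", "Protected"),
    ("/NetworkIntegrityApp-NetworkIntegrityControlWebService-context-root/.../*", "Excluded"),
    ("/cartridge/.../*", "Excluded"),
    ("/NI_Uim/.../*", "Excluded"),
]


def parse_locations(conf: str) -> list:
    """URL prefixes that mod_wl_ohs forwards to WebLogic, in file order."""
    return re.findall(r"^\s*<Location\s+([^\s>]+)\s*>", conf, flags=re.MULTILINE)


def oam_pattern_to_regex(pattern: str):
    """Translate an OAM resource URL into a regex (assumed semantics):
    '/.../' spans zero or more directory levels, '*' any run of characters
    inside a single path segment."""
    pieces = []
    for part in re.split(r"(/\.\.\./|\*)", pattern):
        if part == "/.../":
            pieces.append("/(?:[^/]+/)*")
        elif part == "*":
            pieces.append("[^/]*")
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + "".join(pieces) + "$")


def classify(path: str, resources=OAM_RESOURCES) -> str:
    """Protection level the first matching resource gives a request path,
    or 'Undefined' when no resource in the application domain matches."""
    path = path.split("?", 1)[0]  # simplification: match the path only
    for pattern, level in resources:
        if oam_pattern_to_regex(pattern).match(path):
            return level
    return "Undefined"


def coverage_report(conf: str, resources=OAM_RESOURCES) -> dict:
    """For each forwarded Location, the level OAM assigns to a request beneath it."""
    return {loc: classify(loc.rstrip("/") + "/index.html", resources)
            for loc in parse_locations(conf)}


def undefined_locations(conf: str, resources=OAM_RESOURCES) -> list:
    """Locations OHS proxies to WebLogic that no OAM resource covers. Each one
    needs a deliberate Protected or Excluded definition rather than relying
    on the WebGate's behaviour for resources it has no policy for."""
    return [loc for loc, level in coverage_report(conf, resources).items()
            if level == "Undefined"]
```

Rerun `undefined_locations` whenever a new Location block is added to mod_wl_ohs.conf; a non-empty result means OHS exposes a WebLogic path that the OAM policy has not yet classified.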

Installing Required Software

Install and configure the following software that Network Integrity requires for implementing SSO authentication using SAML 2.0:

  • Oracle WebLogic Server

    There is no need to install a separate instance of WebLogic server since the instance being used for running Network Integrity will be sufficient.

  • Identity Provider (IDP)

    Note:

    In the procedure to configure SAML 2.0 for NI, Oracle IDCS is used as the IDP. To use Oracle IDCS as your IDP, you require a license. You can choose any IDP that supports SAML 2.0; refer to the documentation of the corresponding IDP to configure it with the application.

Configuring Network Integrity to Enable Authentication using SSO/SLO and IDP using SAML

Configuring Network Integrity to enable SSO authentication and IDP using SAML involves the following tasks:

  1. Creating SAML Assertion Provider and SAML Authenticator
  2. Specifying General Information
  3. Configuring the SAML Service Provider
  4. Updating the Deployment Plan of Network Integrity
  5. Registering the NI Application in Identity Cloud Service or any other IDP
  6. Registering IDP in WebLogic
  7. Verifying SAML Configuration

Creating SAML Assertion Provider and SAML Authenticator

To create SAML Assertion Provider and SAML Authenticator, do the following:

  1. Access the WebLogic Server Console as administrator (for example, weblogic).

  2. Click Lock & Edit.

  3. Click Security Realm.

  4. Click myrealm.

  5. Click Providers, and then click New.

  6. Enter SAML2IdentityAsserter as Name, select SAML2IdentityAsserter as Type, and then click OK.

    The SAML2IdentityAsserter is displayed under the Authentication Providers table.

  7. On the Providers page, click New.

  8. Enter SAMLAuthenticator as Name, select SAMLAuthenticator as Type, and then click OK.

    The SAMLAuthenticator is displayed under the Authentication Providers table.

  9. Click Reorder.

  10. Select and reorder the providers in the following order:

    1. SAML2IdentityAsserter
    2. SAMLAuthenticator
    3. DefaultAuthenticator
    4. DefaultIdentityAsserter

  11. Click OK.

  12. Click SAMLAuthenticator.

  13. Select SUFFICIENT as Control Flag and then click Save.

  14. Return to the Providers page.

  15. Click DefaultAuthenticator.

  16. Select SUFFICIENT as Control Flag and then click Save.

  17. Click Activate Changes.

  18. Restart the server.

Specifying General Information

  1. Access the WebLogic Server Console as administrator.

  2. Click Lock & Edit.

  3. Click Environment > Servers.

  4. Click the managed server (in this case, AdminServer) that is hosting the Inventory application (for example, ms1).

    Note:

    In a clustered environment, the following steps need to be performed on each managed server that is hosting the Inventory application (not 'proxy' and 'admin server').

  5. Click Federation Services > SAML 2.0 General.

    Tip:

    You can use this page to define the Site Information and additional settings for the SAML assertion, plus generate the service provider metadata file.

  6. Modify the General settings as follows:

    Attribute                  Sample Value
    Published Site URL         https://<HostName>:<NIPort>/saml2
    Entity ID                  samlNI
    Recipient Check Enabled    Deselected

    Tip:

    For Entity ID, you can enter any identification value, as long as it is unique in Identity Cloud Service and in your WebLogic Domain.

  7. Click Save.

Configuring the SAML Service Provider

  1. Access the WebLogic Server Console as administrator.

  2. Click Lock & Edit.

  3. Click Environment and Servers.

  4. Select the managed server (in our case AdminServer) that is hosting the Inventory application (for example, ms1).

    Note:

    In a clustered environment, the following steps need to be performed on each managed server that is hosting the Inventory application (not 'proxy' and 'admin server').

  5. Select Configuration, then Federation Services and then select SAML 2.0 Service Provider.

  6. Select Enabled.

  7. Select Single Logout Enabled (*).

  8. Select Assertion Subject Timeout Check (*).

  9. Optionally, provide the list of Allowed redirect URIs to be used by the Service Provider for redirection after logout (*).

  10. Select POST as Preferred Binding.

  11. Enter https://<HostName>:<NIPort>/NetworkIntegrity/faces/login.jspx as the Default URL, and then click Save.

  12. Click Activate Changes.

Updating the Deployment Plan of Network Integrity

Changes have to be made to your Plan.xml (Standalone) or ClusterPlan.xml (Cluster), depending on your environment, for the authentication to happen. The file is located in the domain_home/ni/plan folder.

Modify the logout URL to https://<MachineIP>:<Port>/saml2/sp/slo/init. Replace the port and machine IP as per your NI machine.

Registering the NI Application in Identity Cloud Service or any other IDP

In this section, you register Network Integrity as a SAML application in Oracle Identity Cloud Service.

  1. Access the Identity Cloud Service console and log in as administrator.

  2. Navigate to the Domains and select the domain (in our case Default domain) to add NI as SAML application.

  3. Click Add application button to register Inventory as SAML application.

    1. Choose SAML Application and click the Launch app catalog button.

    2. Enter NI Application as Name and NI Application as SAML application as Description.

    3. Click Next button at the bottom of the page.

    4. Enter samlNI as Entity ID. (This must be the same as the value provided in the Entity ID field under Federation Services > SAML 2.0 General in the section above.)

    5. Enter https://<Hostname>:<NIPORT>/saml2/sp/acs/post as Assertion consumer URL.

    6. Choose Unspecified as Name ID format.

    7. Choose Username as Name ID value.

    8. Upload the Signing certificate of your application. This is needed for SLO to work.

  4. You can download the certificate from the browser, from the NI login page.

    1. Check the Enable single logout check box.

    2. Enter https://Hostname:NIPORT/saml2/sp/slo as Single Logout URL and Logout Response URL.

    3. Set Require Encrypted Assertion to NO.

    4. Click + Additional attribute at the right bottom corner of the page.

      1. Enter Groups as Name.

      2. Choose User attribute as Type.

      3. Choose Group membership as Type value.

      4. Choose All groups as Condition.

    5. Click Finish.

  5. Click the Activate button for the created NI application.

    1. Click Activate application button in the pop-up window.

  6. Click the Download identity provider metadata button for downloading the IDP's metadata xml (for example, IDCSMetadata.xml).

  7. Click the Users on the left side pane to assign users.

    1. Click the Assign users for adding the domain users to the registered application.

    2. Choose the desired users from the pop-up window and click Assign.

    3. Click Groups on the left side pane to assign groups (ensure that the NetworkIntegrityGroup, NetworkIntegrityRole and JDGroup groups are created/added to your domain prior to this step).

    4. Click Assign groups for adding the domain groups to the registered application.

    5. Choose the 3 groups mentioned in Step 7c from the pop-up window and click Assign.

Registering IDP in WebLogic

In this section, you register Oracle Identity Cloud Service as a SAML Identity Provider in WebLogic.

  1. Upload the IDCSMetadata.xml obtained from the IDP to the server hosting WebLogic (for example, under <Domain_Home>/NI/IDCSMetadata.xml).

  2. Access the WebLogic Administration Server Console as administrator.

  3. Click Security Realm.

  4. Click myrealm.

  5. Click Providers, and then click SAML2IdentityAsserter.

  6. Click Management, and then click on New and then New Web Single Sign-On Identity Provider Partner.

    The Create a Web Single Sign-On Identity Provider Partner page appears.

  7. In the Name field, enter WebSSO-IdP-Partner-1.

  8. In the Path field, enter the path to the XML file that contains the identity provider's metadata.

  9. Click OK.

  10. Click WebSSO-IdP-Partner-1 link.

  11. Ensure that the identity provider details are displayed in the Site Info and Single Sign-On Signing Certificate tabs.

  12. In the General tab, select the Enabled, Virtual User, and Process Attributes check boxes. This is required for allowing IDP users with the UIM group to access the NI UI. See “Configuring the SAML Authentication Provider” in Fusion Middleware Administering Security for Oracle WebLogic Server 12.1.3 for more information.

  13. In the Redirect URIs field, enter /NetworkIntegrity/*.

  14. Click on Save.

    The WebLogic server displays a confirmation message.

  15. Sign out of the WebLogic Server and close your browser.

Verifying SAML Configuration

  1. Go to the URL http://<Hostname>:<NIPort>/NetworkIntegrity

    The login page of the identity provider is displayed.

  2. Enter the login credentials.

    The NI home page appears.

  3. Once logged in, you can log out by clicking the Logout option in the top right corner of the page.

    Based on the configuration of the Identity Provider, either the login page is displayed or a message confirming successful logout is shown. Close the browser or tab.

  4. To verify SLO, register multiple applications in the same domain in IDCS. When you click the logout button in one application, it should log you out of the other applications as well.