10 Setting Up Unified Inventory Management for Single Sign-On Authentication

This chapter provides instructions for setting up Oracle Communications Unified Inventory Management (UIM) for single sign-on (SSO) authentication.

UIM implements single sign-on (SSO) authentication using Oracle Access Manager, which lets you access multiple applications without being prompted to authenticate for each application separately. You are authenticated once, when you log in to the first application; you are not required to authenticate again when you subsequently access other applications at the same (or a lower) authentication level within the same web browser session.

UIM also supports the single logout (SLO) feature. If you access multiple applications using SSO within the same web browser session, and then if you log out of any one of the applications, you are logged out of all the applications.

This solution supports SSO authentication between UIM and Network Integrity applications.

For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Installing Required Software

Install and configure the following software that UIM requires for implementing SSO authentication:

  • External Lightweight Directory Access Protocol (LDAP) Server. Oracle recommends Oracle Internet Directory (OID) or Oracle Unified Directory (OUD) as the LDAP store external to the WebLogic Server.

  • The following software is optional if you use an identity provider other than OAM:

    • Oracle Access Manager (OAM), included with Oracle Identity and Access Management 12c (12.2.1.4.0)

    • Oracle WebLogic Server 12c (12.2.1.4.0)

    • Oracle HTTP Server (OHS) 12c (12.2.1.4.0)

    • Oracle HTTP Server 12c WebGate for OAM

Note:

Install the following software only if you use OAM or OHS with a traditional UIM installation. If you want to use OAM as a service, see the Common Authentication chapter in Unified Inventory and Topology Deployment Guide.

Note:

You can skip installing the following software if your identity provider supports SAML 2.0; see "Configuring SSO using SAML 2.0 Protocol from IDCS Identity Provider".

To install the required software, do the following:

  1. Install Oracle WebLogic Server 12c and create the Oracle Middleware Home directory (MW_Home). This is the directory in which the Oracle Fusion Middleware products are installed.

    For more information, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server 12c.

  2. Install Oracle Access Manager (OAM) in the same Oracle Middleware Home directory that you created when you installed Oracle WebLogic Server 12c.

    For more information, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Install and configure Oracle HTTP Server, which is a Web server that acts as the front end to the Oracle WebLogic Server.

    For more information, see Oracle Fusion Middleware Installing and Configuring Oracle HTTP Server.

  4. Install and configure Oracle HTTP Server WebGate for OAM.

    A WebGate is a web-server plug-in for Oracle Access Manager (OAM) that intercepts HTTP requests and forwards them to the Access Server for authentication and authorization. For more information, see Oracle Fusion Middleware Installing WebGates for Oracle Access Manager.

  5. Install an external LDAP server, for example Oracle Internet Directory (OID). Oracle recommends Oracle Internet Directory (or Oracle Unified Directory) as the external LDAP store.

    For information on installing and configuring Oracle Internet Directory, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  6. Configure the external LDAP as the user identity store in OAM.

    For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  7. Register the Oracle HTTP Server WebGate instance with OAM by using the Oracle Access Manager Administration Console.

    For more information, see the chapter on “Registering Partners (Agents and Applications) by Using the Console" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  8. Continue with the steps in "Configuring UIM to Enable SSO Authentication".

Note:

OAM, OHS, and WebGate are optional when you use UIM with UTIA, or when you use any other identity provider.

Configuring UIM to Enable SSO Authentication

Configuring UIM to enable SSO authentication involves the tasks described in the following sections.

Prerequisites

Before configuring UIM for SSO, ensure that the server on which UIM is installed can connect to the server on which OID is installed.

To enable the UIM server to connect to the OID server, edit the UIM server's hosts file and add the host name and IP address of the OID server. On Windows, the hosts file is typically located at C:\Windows\System32\drivers\etc\. On Unix and Solaris, the hosts file is located at /etc/hosts.

Installing and Deploying UIM Specifying the External LDAP Provider

Install and deploy UIM specifying the external LDAP provider. When installing UIM, in the Security Provider Selection screen, select the External_LDAP option, and then enter the required information in the External Security Provider Connection Information screen. Follow the instructions provided in "Installing UIM by Using Interactive Install".

Configuring the Frontend URL in Administration Console

Set the front-end host and port so that all requests to access the applications (UIM/Network Integrity) deployed in the WebLogic administration server go through the Oracle HTTP server:

To configure the Frontend URL:

  1. Log in to the WebLogic Server Administration Console.

  2. In the Domain Structure tree, expand Environment, and click Servers.

    The Summary of Servers screen appears.

  3. Click AdminServer.

    The Settings for AdminServer screen appears.

  4. Click the Protocols tab.

  5. Open the HTTP tab.

  6. In the Frontend Host field, enter the name of the Oracle HTTP Server host machine.

    WebLogic Server uses this value instead of the one in the host header. All HTTP URLs are redirected to this HTTP host.

  7. In the Frontend HTTP Port field, enter the Oracle HTTP Server port number.

    All HTTP URLs are redirected to this HTTP port.

  8. Click Save.

  9. In the Change Center of the Administration Console, click Activate Changes, which activates these changes.

To configure the Frontend URL in a cluster environment:

  1. In the Domain Structure tree, expand Environment, and click Clusters.
  2. Click the cluster name, and then click the HTTP tab.
  3. Update the host name and the HTTP and HTTPS ports as follows:
    • Frontend Host: the Oracle HTTP Server host name. If you use OAM as a service, the format is <INSTANCE_NAME>.<PROJECT_NAME>.ohs.<hostSuffix>
    • Frontend HTTP Port: the Traefik non-SSL port.
    • Frontend HTTPS Port: the Traefik SSL port.
  4. Click Save, and then click Activate Changes in the Change Center.

Creating and Configuring Providers for OAM SSO

You must create a new OAMIdentityAsserter provider for OAM SSO in WebLogic Server Administration Console.

To create the OAMIdentityAsserter provider:

  1. Log in to the WebLogic Server Administration Console.

  2. Under Your Application's Security Settings, click Security Realms.

    The Summary of Security Realms screen appears.

  3. Select the realm YourRealmName, for which you need to configure the OAM identity asserter.

    The Settings For YourRealmName screen appears.

  4. Click the Providers tab, and then click the Authentication tab.

  5. Click New.

    The Create a New Authentication Provider screen appears.

  6. In the Name field, enter a name for the new provider; for example, OAM ID Asserter.

  7. From the Type list, select OAMIdentityAsserter.

  8. Click OK.

    The Settings For YourRealmName screen appears, showing the newly created authentication name in the Authentication tab.

  9. Click the link for AuthenticatorName (For example, OAM ID Asserter).

    The Settings for AuthenticatorName screen appears.

  10. On the Common tab, from the Control Flag list, select REQUIRED.

  11. Under Active Types, use the directional arrow buttons to move OAM_REMOTE_USER from the Available column to the Chosen column.

  12. (Optional) If you use Oracle Internet Directory as the external LDAP store, ensure that you move OAM_IDENTITY_ASSERTION to the Chosen column.

  13. Click Save.

  14. Click the Provider Specific tab, beside the Common tab.

  15. Update the following details:

    • Identity Domain: UnifiedIdDomain
    • Access Gate Name: <INSTANCE_NAME>.<PROJECT_NAME>.ohs.<OHS-hostSuffix> if OAM is used as a service.
    • Primary Access Server: <INSTANCE_NAME>.<PROJECT_NAME>.ohs.<OHS-hostSuffix>:<TRAEFIKPORT> if OAM is used as a service.
  16. Click Save.

  17. Click the Providers tab, and then click the Authentication tab.

  18. Click the link for DefaultAuthenticator and ensure that the default authenticator's control flag is set to SUFFICIENT.

  19. Click the link for OID/OUD Authenticator (for example, OracleInternetDirectoryAuthenticator) and ensure that the OID/OUD authenticator's control flag is set to SUFFICIENT.

    See "Installing and Configuring an Authentication Provider" for more information.

  20. On the Authentication tab, click Reorder.

    The Reorder Authentication Providers screen appears

  21. Use the Up and Down arrows to reorder the listed Authentication Providers as follows:

    • OAMIdentityAsserter (REQUIRED)

    • OracleInternetDirectoryAuthenticator (SUFFICIENT)

    • DefaultAuthenticator (SUFFICIENT)

  22. Click OK.

Note:

With OAM_REMOTE_USER as an active type, the identity asserter takes the user name from the OAM_REMOTE_USER HTTP header that WebGate sets and does not authenticate it further. Ensure that the WebLogic Server listen ports are reachable only from the Oracle HTTP Server hosts (for example, through firewall rules or a WebLogic connection filter). A client that can reach a managed server directly, bypassing WebGate, could otherwise supply the header itself.

Configuring web.xml for the OAM Identity Asserter

You configure the web.xml file for the OAM Identity Asserter by updating the deployment plan. You use deployment plans to change an application's WebLogic Server configuration for a specific environment without modifying existing deployment descriptors.

To configure the web.xml file:

  1. For using Oracle Access Manager Identity Asserter, you must specify the authentication method as CLIENT-CERT in the web.xml file for the appropriate realm by editing the deployment plan. The web.xml file is located at UIM_Home/app/inventory.ear/inv.war/WEB-INF/, where UIM_Home is the directory in which the UIM software is installed.

    • Depending on your deployment configuration, do one of the following:

      • If UIM is installed in a single server environment, navigate to and open the UIM_Home/app/plan/Plan.xml file.

      • If UIM is installed in a clustered server environment, navigate to and open the UIM_Home/app/plan/ClusterPlan.xml file.

    • Update the variable-definition and variable-assignment elements; specifically, add CLIENT-CERT as follows:

      <variable-definition>
        <variable>
          <name>ClientCertAuthMethod</name>
          <value>CLIENT-CERT</value>
        </variable>
        <variable>
          <name>RealmName</name>
          <value>myrealm</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>inv.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>web-app</root-element>
          <uri>WEB-INF/web.xml</uri>
          <variable-assignment>
            <name>ClientCertAuthMethod</name>
            <xpath>/web-app/login-config/auth-method</xpath>
            <operation>replace</operation>
          </variable-assignment>
          <variable-assignment>
            <name>RealmName</name>
            <xpath>/web-app/login-config/realm-name</xpath>
            <operation>add</operation>
          </variable-assignment>
        </module-descriptor>
      </module-override>
    • Save and close the Plan.xml/ClusterPlan.xml file.

  2. Update the deployment plan for the currently-deployed UIM application:

    1. Log in to the WebLogic Server Administration Console.

    2. In the Domain Structure tree, expand Environment, and click Deployments.

      The Summary of Deployments screen appears.

    3. Select the check box for oracle.communications.inventory.

    4. Click Update.

      The Update Application Assistant page appears.

    5. Select Update this application in place with new deployment plan changes and click Next.

    6. (Optional) Click Change Path beside the Deployment Plan Path field, browse to the location of the Plan.xml or ClusterPlan.xml file, and then click Next.

      The Summary page appears.

    7. Click Finish.

    8. In the Change Center of the Administration Console, click Activate Changes, which activates these changes.

Configuring the mod_wl_ohs Plug-In for Oracle HTTP Server

You must configure the mod_wl_ohs plug-in and edit the mod_wl_ohs.conf file to enable the Oracle HTTP Server instances to forward requests to the applications deployed on the Oracle WebLogic Server or clusters.

For more information, see Oracle Fusion Middleware Using Web Server Plug-Ins with Oracle WebLogic Server.

Configuring the mod_wl_ohs plug-in involves the tasks described in the following sections.

Configuring the WebLogic Proxy Plug-In

To configure the WebLogic Proxy Plug-in:

  1. Log in to the Oracle WebLogic Server administration console.

  2. In the Domain Structure tree, expand Environment, and do one of the following:

    • Select Clusters (if the server instances to which you want to proxy requests from Oracle HTTP Server are in a cluster)

    • Select Servers.

      The Summary of Servers page appears.

  3. Select the server or cluster to which you want to proxy requests from Oracle HTTP Server.

  4. Click the Configuration tab.

  5. On the General tab, in the Advanced section, select the WebLogic Plug-In Enabled checkbox.

    This setting makes the server trust the WL-Proxy-Client-IP header (and the related proxy headers) that the plug-in adds to forwarded requests. Enable it only on servers that receive their requests through the plug-in and are not reachable directly by clients; otherwise a client that bypasses Oracle HTTP Server could set those headers itself.

  6. If you selected Servers in step 2, repeat steps 3 through 5 for the other servers to which you want to proxy requests from Oracle HTTP Server.

  7. Click Save.

  8. Restart the WebLogic Server.

Editing the mod_wl_ohs.conf File

Note:

You can skip this procedure if you use OAM as a service. See Common Authentication in Unified Inventory and Topology Deployment Guide for more information.

To edit the mod_wl_ohs.conf file:

  1. Open the mod_wl_ohs.conf file from the following location:

    Domain_Home/config/fmwconfig/components/OHS/ohs1/

    where:

    Domain_Home is the directory containing the configuration for the domain into which UIM is installed.

  2. Add directives within the <IfModule weblogic_module> element in the configuration file as follows:

    • To forward requests to the UIM application running on a single Oracle WebLogic Server instance, specify /Inventory within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /Inventory>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which UIM is installed

    • To forward requests to the UIM application running on a cluster of Oracle WebLogic Server instances, specify /Inventory within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /Inventory>
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>
      </IfModule>
      

      where:

      • host1 and host2 are the host names of the managed servers

      • port1 and port2 are ports of the managed servers

    • To forward requests to the UIM Web services running on a single Oracle WebLogic Server instance, specify /InventoryWS within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /InventoryWS>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which UIM is installed

    • To forward requests to the UIM Web services running on a cluster of Oracle WebLogic Server instances, specify /InventoryWS within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /InventoryWS>
      SetHandler weblogic-handler
      WebLogicCluster host1:port1,host2:port2
      </Location>
      </IfModule>
      

      where:

      • host1 and host2 are the host names of the managed servers

      • port1 and port2 are ports of the managed servers

    • To forward requests to the UIM application running on a single Oracle WebLogic Server instance into which you want to deploy cartridges, specify /cartridge within the <location> element as follows:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort port
      </Location>
      </IfModule>
      

      where:

      • host is the name of the WebLogic Administration server machine

      • port is the port of the server on which UIM is installed

    • To forward requests to the UIM application running on a cluster of Oracle WebLogic Server instances into which you want to deploy cartridges, specify /cartridge within a new <location> element as follows:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost host
      WebLogicPort ms_port
      </Location>
      </IfModule>
      

      where:

      • host is the machine where the managed server is running

      • ms_port is the port of the managed server running on the host specified in the host variable above

      For example, if a managed server uim_ms1 with listen port 8065 is running on the machine UIM1, you must specify the following:

      <IfModule weblogic_module>
      <Location /cartridge>
      SetHandler weblogic-handler
      WebLogicHost UIM1
      WebLogicPort 8065
      </Location>
      </IfModule>

Protecting Resources For SSO Authentication

You must protect resources (for example, the UIM application) in Oracle Access Manager for SSO authentication. For more information, see Fusion Middleware Administrator's Guide for Oracle Access Management.

To protect resources for SSO authentication:

  1. Open the Oracle Access Management Console.

  2. On the Policy Configuration tab, expand the Application Domains node.

  3. Expand the node for the application domain.

  4. Within the application domain, expand the Resources node.

  5. Click the Resources tab, and then click the New Resource button in the upper-right corner of the Search page.

    The Resource Definition page appears.

  6. Do the following to configure the UIM application as a protected resource for SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /Inventory/*.

    • From the Protection Level list, select Protected.

  7. Click Apply.

Excluding Resources From SSO Authentication

You can exclude HTTP resources that do not require SSO authentication, for example the Web Services Description Language (WSDL) documents of the UIM Web services. Excluded resources are public as far as OAM is concerned and do not require an OAM Server check for authentication.

When allowing access to excluded resources, WebGate does not contact the OAM Server. Excluded resources cannot be added to any user-defined policy in the console, so any authentication that an excluded resource still requires must be enforced by WebLogic Server or the application itself. For more information, see Fusion Middleware Administrator's Guide for Oracle Access Management.

To exclude resources from SSO authentication:

  1. Open the Oracle Access Management Console.

  2. On the Policy Configuration tab, expand the Application Domains node.

  3. Expand the node for the application domain.

  4. Within the application domain, expand the Resources node.

  5. Click the Resources tab, and then click the New Resource button in the upper-right corner of the Search page.

    The Resource Definition page appears.

  6. Do the following to exclude UIM Web services from SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /InventoryWS/.../*.

    • From the Protection Level list, select Excluded.

  7. Click Apply.

  8. Click the New Resource button in the upper-right corner of the Search page.

    The Resource Definition page appears.

  9. Do the following to exclude the UIM cartridge deployment process from SSO authentication:

    • From the Type list, select HTTP.

    • In the Resource URL field, enter /cartridge/.../*.

    • From the Protection Level list, select Excluded.

  10. Click Apply.
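The two procedures above and "Editing the mod_wl_ohs.conf File" must agree: every path that Oracle HTTP Server forwards to WebLogic Server should have an explicit Protected or Excluded decision in the OAM application domain, and an Excluded path is one that OAM will never authenticate. The following Python script is an added example written for this page, not UIM or OAM code. It parses a constructed mod_wl_ohs.conf (the hosts uim1 and uim2 and port 8065 are assumptions), checks each <Location> block for a well-formed WebLogic target, and reports which OAM resource definition covers each proxied path. It matches on the path prefix in front of /* or /.../* only and does not interpret OAM wildcard semantics.

```python
"""Cross-check the <Location> blocks that Oracle HTTP Server forwards to WebLogic
against the OAM resource definitions of the application domain."""
import re
from typing import Dict, List, Tuple

# Constructed sample mod_wl_ohs.conf for a two-node cluster (hosts/ports assumed).
SAMPLE_CONF = """
<IfModule weblogic_module>
<Location /Inventory>
SetHandler weblogic-handler
WebLogicCluster uim1:8065,uim2:8065
</Location>
<Location /InventoryWS>
SetHandler weblogic-handler
WebLogicCluster uim1:8065,uim2:8065
</Location>
<Location /cartridge>
SetHandler weblogic-handler
WebLogicHost uim1
WebLogicPort 8065
</Location>
</IfModule>
"""

# Constructed list of (Resource URL, Protection Level) as entered in the OAM console.
SAMPLE_RESOURCES = [
    ("/Inventory/*", "Protected"),
    ("/InventoryWS/.../*", "Excluded"),
    ("/cartridge/.../*", "Excluded"),
]

HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_locations(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {location path: {directive: value}} for every <Location> block."""
    locations: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)\s*>$", line, re.IGNORECASE)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return locations


def location_problems(directives: Dict[str, str]) -> List[str]:
    """Syntax problems that would make the block misroute or fail to load."""
    problems = []
    if directives.get("SetHandler") != "weblogic-handler":
        problems.append("missing 'SetHandler weblogic-handler'")
    if "WebLogicCluster" in directives:
        members = [m.strip() for m in directives["WebLogicCluster"].split(",")]
        bad = [m for m in members if not HOSTPORT.match(m)]
        if bad:
            problems.append(f"malformed cluster members (need host:port): {bad}")
    elif "WebLogicHost" in directives and "WebLogicPort" in directives:
        if not directives["WebLogicPort"].isdigit():
            problems.append("WebLogicPort is not numeric")
    else:
        problems.append("neither WebLogicCluster nor WebLogicHost/WebLogicPort is set")
    return problems


def resource_prefix(resource_url: str) -> str:
    """'/InventoryWS/.../*' -> '/InventoryWS'; '/Inventory/*' -> '/Inventory'."""
    return re.sub(r"(/\.\.\.)?/\*$", "", resource_url) or "/"


def oam_coverage(conf: str, resources: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each proxied path to the protection level of the OAM resource that
    covers it, or 'MISSING' when no resource definition matches the path."""
    coverage = {}
    for path in parse_locations(conf):
        coverage[path] = "MISSING"
        for url, level in resources:
            prefix = resource_prefix(url)
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                coverage[path] = level
                break
    return coverage


def report(conf: str, resources: List[Tuple[str, str]]) -> List[str]:
    """Human-readable findings; an empty list means every proxied path is
    syntactically sound, has an explicit OAM decision, and is Protected."""
    findings = []
    for path, directives in parse_locations(conf).items():
        for problem in location_problems(directives):
            findings.append(f"{path}: {problem}")
    for path, level in oam_coverage(conf, resources).items():
        if level == "MISSING":
            findings.append(f"{path}: forwarded to WebLogic but has no OAM resource definition")
        elif level == "Excluded":
            findings.append(f"{path}: Excluded, so WebGate never consults OAM; the application must authenticate it")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_CONF, SAMPLE_RESOURCES):
        print(line)
```

Run it against your real mod_wl_ohs.conf and the resource list exported from the OAM console whenever either changes; a path that shows up as MISSING is one that was added to the proxy without anyone deciding how OAM should treat it.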

Configuring SSO using SAML 2.0 Protocol from IDCS Identity Provider

You can use SAML 2.0 for enabling SSO in UIM. SSO allows you to log into applications using a single username and password combination.

For security concepts and definitions, see the Security Assertion Markup Language (SAML) section in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server.

Configuring SAML for SSO

To configure SAML for SSO:

  1. Create SAML Assertion Provider and SAML Authenticator.
  2. Enter General Information.
  3. Configure SAML Service Provider.
  4. Publish the Service Provider metadata.
  5. Register IdP in WebLogic.
  6. Update the Deployment Plan of UIM.
  7. Verify the SAML configuration.
Creating SAML Assertion Provider and SAML Authenticator
  1. Access the WebLogic Server Console as administrator.
  2. Click Lock & Edit.
  3. Select Security Realm.
  4. Select myrealm.
  5. Select Providers, and then click New.
  6. Enter SAML2IdentityAsserter as Name, select SAML2IdentityAsserter as Type, and then click OK.

    The SAML2IdentityAsserter is displayed under the Authentication Providers table.

  7. On the Providers page, click New.
  8. Enter SAMLAuthenticator as Name, select SAMLAuthenticator as Type, and then click OK.

    The SAMLAuthenticator is displayed under the Authentication Providers table.

  9. Click Reorder.
  10. Select and reorder the providers in the following order:
    1. SAML2IdentityAsserter
    2. SAMLAuthenticator
    3. DefaultAuthenticator
    4. DefaultIdentityAsserter
  11. Click OK.
  12. Click SAMLAuthenticator.
  13. Select SUFFICIENT as Control Flag and then click Save.
  14. Return to the Providers page.
  15. Click DefaultAuthenticator.
  16. Select SUFFICIENT as Control Flag and then click Save.
  17. Click Activate Changes.
  18. Restart the server.
Specifying General Information

To specify General Information:

  1. Access the WebLogic Server Console as administrator.
  2. Click Lock & Edit.
  3. Click Environment and then select Servers.
  4. Click the server that hosts the Inventory application: AdminServer in a standalone installation, or the managed server (for example, ms1) in a cluster.
    • In a clustered environment, perform the following steps on each managed server that hosts the Inventory application (not on the proxy server or the administration server).
  5. Click Federation Services and then select SAML 2.0 General.
  6. Define the site information and the additional settings for the SAML assertion using the values in Table 10-1, replacing the sample values with those of your server. (The service provider metadata file is generated later; see "Publishing the Service Provider Metadata".)
  7. Click Save.

Table 10-1 Attribute and Values

Attribute                  Sample Value
Published Site URL         http://<InventoryHostName>:<InventoryPort>/saml2
Entity ID                  samlUIM
Recipient Check Enabled    Deselected
Replicated Cache Enabled   Deselected (single instance or non-clustered); Selected (clustered environment)

Note: You can enter any identification value for Entity ID, as long as it is unique in Identity Cloud Service and in your WebLogic domain. The Published Site URL must use the scheme, host, and port through which browsers reach UIM, because it is the base of the assertion consumer and single logout URLs that you register with the identity provider. Recipient Check Enabled makes the server verify that the recipient of an assertion matches the URL on which the request arrived; deselect it only if that check cannot succeed in your topology (for example, when a proxy rewrites the URL).

Configuring the SAML Service Provider

To configure the SAML service provider:

  1. Access the WebLogic Server Console as administrator.
  2. Click Lock & Edit.
  3. Click Environment and then select Servers.
  4. Click the server that hosts the Inventory application: AdminServer in a standalone installation, or the managed server (for example, ms1) in a cluster.
    • In a clustered environment, perform the following steps on each managed server that hosts the Inventory application (not on the proxy server or the administration server).
  5. Select Configuration, then Federation Services and then SAML 2.0 Service Provider.
  6. Select Enabled.
  7. Select Single Logout Enabled.
  8. Select Assertion Subject Timeout Check.
  9. Select POST as Preferred Binding.
  10. (Optional) Provide the list of Allowed redirect URIs that the service provider may redirect to after logout. This list is an allowlist; keep it to UIM's own URLs so that a crafted logout request cannot send the browser to an arbitrary site.
  11. Enter https://<InventoryHost>:<InventoryPort>/Inventory/ as Default URL, and then click Save.
  12. Click Activate Changes.
Publishing the Service Provider Metadata

To publish the service provider metadata:

  1. Access the WebLogic Server Console as administrator.
  2. Click Lock & Edit.
  3. Click Environment and then select Servers.
  4. Click the server that hosts the Inventory application: AdminServer in a standalone installation, or the managed server (for example, ms1) in a cluster.
    • In a clustered environment, perform the following steps on each managed server that hosts the Inventory application (not on the proxy server or the administration server).
  5. Select Configuration, Federation Services, and then SAML 2.0 General.
  6. Click Publish Meta Data.

    The Publish SAML 2.0 Meta Data page appears.

  7. In the Path field, enter the full path and filename of the metadata file. For example, C:\mydomain\myserver\sppmeta.xml.
  8. Click OK.
Registering Identity Provider in WebLogic

To register a SAML Identity Provider in WebLogic:

  1. Upload the IdPMetadata.xml file from the Identity Provider to the server hosting WebLogic (for example, /path/to/metadata/file/IDCSMetadata.xml).
  2. Open the WebLogic Administration Server Console as administrator.
  3. Click Security Realm and then select myrealm.
  4. Click Providers, and then select SAML2IdentityAsserter.
  5. Click Management, click New, and then select New Web Single Sign-On Identity Provider Partner.

    The Create a Web Single Sign-On Identity Provider Partner page appears.

    Note:

    This is required for enabling Identity Provider users with UIM group to access the UIM UI. See Configuring the SAML Authentication Provider for more information.

  6. In the Name field, enter WebSSO-IdP-Partner-1.
  7. In the Path field, enter the path to the XML file that contains the Identity Provider metadata.
  8. Click OK.
  9. Click the WebSSO-IdP-Partner-1 link.
  10. Ensure that the Identity Provider details appear in the Site Info and Single Sign-On Signing Certificate tabs.
  11. In the General tab, select Enabled, Virtual User, and Process Attributes check boxes.
  12. In the Redirect URIs field, enter /Inventory/*.
  13. Click Save.

    The WebLogic server displays a confirmation message.

  14. Sign out of the WebLogic server and close your browser.
Updating the Deployment Plan of Unified Inventory Management

Update the Plan.xml file (standalone) or the ClusterPlan.xml file (cluster), depending on your environment, so that the SAML providers handle authentication and logout. These changes apply to a traditional UIM installation.

To update the deployment plan of UIM:

  1. Within <variable-definition>, override the value of the existing logoutURL variable with the Identity Provider logout URL.

    Replace /oracle/communications/platform/logout.jspx with the Identity Provider logout URL. For example, https://<WL_SP_hostname>:<WL_SP_port>/saml2/sp/slo/init.

    <variable>
        <name>logoutURL</name>
        <value>IDP_LOGOUT_URL</value>
    </variable>
    
  2. Update the <module-override> section of inv.war module name as follows:
    <module-override>
        <module-name>inv.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
            <root-element>weblogic-web-app</root-element>
            <uri>WEB-INF/weblogic.xml</uri>
            <variable-assignment>
                <name>cookie-path</name>
                <xpath>/weblogic-web-app/session-descriptor/cookie-path</xpath>
                <operation>remove</operation>
            </variable-assignment>
        </module-descriptor>
        <module-descriptor external="false">
            <root-element>web-app</root-element>
            <uri>WEB-INF/web.xml</uri>
            <variable-assignment>
                <name>logoutURL</name>
                <xpath>/web-app/context-param[param-name="loginURL"]/param-value</xpath>
                <operation>replace</operation>
            </variable-assignment>
            <variable-assignment>
                <name>endURL</name>
                <xpath>/web-app/context-param[param-name="endUrl"]/param-value</xpath>
                <operation>replace</operation>
            </variable-assignment>
        </module-descriptor>
    </module-override>
    
Verifying SAML Configuration

To verify the SAML configuration:

  1. Enter the URL http://<InventoryHostname>:<InventoryPort>/Inventory to open the Inventory login page.

    The login page of the Identity Provider appears.

  2. Enter the login credentials.

    The UIM home page appears.

  3. After you log in, you can log out using the Logout option in the top right corner of the page.

    The login page of Identity Provider appears or a successful logout message appears, based on the configurations entered in Identity Provider.

  4. Close the browser or tab.

To register UIM in Identity Provider:

  1. Use Entity ID (for example, samlUIM).

    Note:

    This value must be the same as the Entity ID that you entered on the SAML 2.0 General tab under Federation Services (see "Specifying General Information").
  2. Enter Assertion consumer URL as http://<InventoryHostname>:<InventoryPort>/saml2/sp/acs/post
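
Before registering UIM at the identity provider, compare the values you type into the IdP form with what WebLogic actually published in the metadata file from "Publishing the Service Provider Metadata"; a scheme or port that differs (the table above uses http while the service provider default URL uses https) is the usual reason an assertion is rejected. The following Python script is an added example written for this page, not UIM code. It parses a constructed SP metadata file (host uim.example.com and port 7002 are assumptions, and the certificate body is a placeholder), reports every field that disagrees with a constructed IdP registration, and adds two sanity checks on the metadata itself.

```python
"""Read the service provider metadata that WebLogic publishes for UIM and compare
it with the values registered at the identity provider (Entity ID, assertion
consumer URL, single logout URL)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the file written by 'Publish Meta Data' (for example
# sppmeta.xml). Host uim.example.com and port 7002 are assumptions; the
# certificate body is a placeholder, not a real key.
SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD}" entityID="samlUIM">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}"
        Location="https://uim.example.com:7002/saml2/sp/slo"/>
    <md:AssertionConsumerService Binding="{POST}" index="0" isDefault="true"
        Location="https://uim.example.com:7002/saml2/sp/acs/post"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" index="1"
        Location="https://uim.example.com:7002/saml2/sp/acs/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed copy of what was typed into the IdP (IDCS) registration form. The
# ACS URL deliberately uses http and port 7001 to show how a mismatch is caught.
SAMPLE_IDP_REGISTRATION = {
    "entity_id": "samlUIM",
    "acs_url": "http://uim.example.com:7001/saml2/sp/acs/post",
    "slo_url": "https://uim.example.com:7002/saml2/sp/slo",
}


def summarize_sp_metadata(xml_text: str) -> Dict[str, Optional[str]]:
    """Pull the fields that must agree with the IdP registration out of the metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    acs_post = None
    for acs in sp.findall(f"{{{MD}}}AssertionConsumerService"):
        if acs.get("Binding") == POST:
            acs_post = acs.get("Location")
            break
    slo = sp.find(f"{{{MD}}}SingleLogoutService")
    # A KeyDescriptor without 'use' applies to both signing and encryption.
    signing = [k for k in sp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use") in (None, "signing")]
    return {
        "entity_id": root.get("entityID"),
        "acs_post_url": acs_post,
        "slo_url": slo.get("Location") if slo is not None else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned"),
        "has_signing_cert": "yes" if signing else "no",
    }


def compare_with_idp(summary: Dict[str, Optional[str]], registration: Dict[str, str]) -> List[str]:
    """Mismatches between the published metadata and the IdP registration."""
    problems = []
    if summary["entity_id"] != registration["entity_id"]:
        problems.append(f"Entity ID: metadata says {summary['entity_id']!r}, IdP has {registration['entity_id']!r}")
    if summary["acs_post_url"] != registration["acs_url"]:
        problems.append(f"Assertion consumer URL: metadata says {summary['acs_post_url']!r}, IdP has {registration['acs_url']!r}")
    if summary["slo_url"] != registration["slo_url"]:
        problems.append(f"Single logout URL: metadata says {summary['slo_url']!r}, IdP has {registration['slo_url']!r}")
    if summary["has_signing_cert"] != "yes":
        problems.append("metadata carries no signing certificate; the IdP cannot validate signed logout requests")
    if summary["want_assertions_signed"] != "true":
        problems.append("WantAssertionsSigned is not true; insist on signed assertions from the IdP")
    return problems


if __name__ == "__main__":
    for p in compare_with_idp(summarize_sp_metadata(SAMPLE_SP_METADATA), SAMPLE_IDP_REGISTRATION):
        print(p)
```

Feed it the sppmeta.xml you published and the values from the IdP application page; an empty result means the Entity ID, assertion consumer URL and single logout URL agree and the metadata carries the signing certificate that single logout needs.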

Registering UIM in IDCS Identity Provider

You can register UIM in Oracle Identity Cloud Service (IDCS) Identity Provider as a SAML application.

Note:

To register a service provider (SP) with an identity provider, you can either configure it manually or import the SP metadata (XML) file into the identity provider.

IDCS is configured manually, as described in "Manually Configuring UIM Details in IDCS Identity Provider". If you use another identity provider that supports configuration from a service provider metadata file (for example, Keycloak), you can publish the UIM metadata file and use it to create the SAML client.

Manually Configuring UIM Details in IDCS Identity Provider

To manually configure UIM in IDCS Identity Provider:

  1. Access the IDCS console and log in as administrator.
  2. Navigate to the Domains and select the domain (Default domain) to add UIM as a SAML application.
  3. Click Add Application button to register UIM as a SAML application.
    1. Select SAML Application and click Launch app catalog.
    2. Enter UIM Inventory Application as the Name and a description such as UIM Inventory Application as SAML application.
    3. Click Next.
    4. Enter the Entity ID, for example samlUIM. This must be the same value that you entered on the SAML 2.0 General tab under Federation Services (see "Specifying General Information").
    5. Enter http://InventoryHostname:InventoryPort/saml2/sp/acs/post as Assertion consumer URL.
    6. Select Unspecified as Name ID format.
    7. Select Username as Name ID value.
    8. Upload the SSL Certificate of UIM. This is required for SLO to work.
    9. Enter https://<WL_SP_hostname>:<WL_SP_port>/saml2/sp/slo as Single logout URL.
    10. Enter https://<WL_SP_hostname>:<WL_SP_port>/saml2/sp/slo as Logout response URL.
    11. Click + Additional attribute at the bottom-right corner of the page.
      1. Enter Groups as Name.
      2. Select User attribute as Type.
      3. Select Group membership as Type value.
      4. Select All groups as Condition.
    12. Click Finish.
  4. Click the Activate button for the created application (UIM Inventory Application).
  5. Click Activate application button in the pop-up window.
  6. Click Download identity provider metadata button for downloading the IdP's metadata xml. (for example, IDCSMetadata.xml)
  7. Click Users in the left pane to assign users. (Ensure that the desired users are added to your domain before performing this step.)
    1. Click Assign groups to add domain groups to the registered application.
    2. Choose the desired users from the pop-up window and click Assign.
  8. Click Groups in the left pane to assign groups.

    Note:

    Ensure that the uim-users group is created or added to your domain before performing this step.
    1. Click Assign users to add domain users to the registered application.
    2. Choose uim-users from the pop-up window and click Assign.

Creating a SAML 2.0 Client in the Identity Provider by Importing UIM Metadata (XML)

If your Identity Provider offers the option to create a SAML 2.0 client by importing a metadata file, you can use the published UIM metadata file to create the SAML 2.0 client.

Note:

You can create a SAML 2.0 client this way in an identity provider other than IDCS.

For traditional UIM, to publish the metadata file, see "Publishing the Service Provider Metadata".

For UIM cloud native, to publish the metadata file, see the "Publishing UIM CN (service provider) Metadata file" section in UIM Cloud Native Deployment Guide.
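Whether UIM is registered by typing the values in manually (as in the IDCS procedure above) or by importing its published metadata, the entity ID, assertion consumer URL, single logout URL and Name ID format on the IdP side have to agree with what UIM's service provider metadata publishes, and the IdP metadata downloaded afterwards has to carry a signing certificate or the SP cannot validate assertions. The following Python script is an added example, not code from this guide, from UIM or from IDCS: it reads both metadata documents and the values entered in the console and reports every disagreement. The two metadata documents, the host name uim.example.com, the IdP entity ID and the certificate placeholder are constructed for the example.

```python
"""Consistency check of the SAML 2.0 setup between UIM (SP) and the IdP.
Added example, not UIM or IDCS code. The two metadata documents, the host
name uim.example.com and the IdP entity ID are constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata in the shape WebLogic publishes for its SAML 2.0 SP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="samlUIM">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://uim.example.com:7002/saml2/sp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://uim.example.com:7002/saml2/sp/acs/post" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata of the kind downloaded from the IdP (for example, IDCSMetadata.xml).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idcs-abcde.identity.example.com/fed">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q29uc3RydWN0ZWQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-abcde.identity.example.com/fed/v1/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-abcde.identity.example.com/fed/v1/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# What was typed into the IdP console in the procedure above (hypothetical values).
CONSOLE_VALUES = {
    "entity_id": "samlUIM",
    "acs_url": "https://uim.example.com:7002/saml2/sp/acs/post",
    "slo_url": "https://uim.example.com:7002/saml2/sp/slo",
    "name_id_format": "unspecified",
}


def check_saml_setup(sp_xml, idp_xml, console):
    """Return a list of findings; an empty list means the three sources agree."""
    findings = []
    sp_root, idp_root = ET.fromstring(sp_xml), ET.fromstring(idp_xml)

    if sp_root.get("entityID") != console["entity_id"]:
        findings.append(f"Entity ID mismatch: SP publishes {sp_root.get('entityID')!r}, "
                        f"console has {console['entity_id']!r}")
    sp = sp_root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["SP metadata has no SPSSODescriptor"]
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    if console["acs_url"] not in acs:
        findings.append(f"Assertion consumer URL {console['acs_url']!r} is not a POST ACS published by the SP: {acs}")
    if not console["acs_url"].startswith("https://"):
        findings.append("Assertion consumer URL is not HTTPS; assertions would be posted in clear text")
    slo = [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)]
    if console["slo_url"] not in slo:
        findings.append(f"Single logout URL {console['slo_url']!r} is not published by the SP: {slo}")
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    if not any(f.endswith(":" + console["name_id_format"]) for f in formats):
        findings.append(f"Name ID format {console['name_id_format']!r} is not offered by the SP: {formats}")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("SP does not require signed assertions (WantAssertionsSigned is not true)")

    idp = idp_root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["IdP metadata has no IDPSSODescriptor"]
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use", "signing") == "signing"
               and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not signing:
        findings.append("IdP metadata carries no signing certificate; the SP cannot verify assertion signatures")
    if not any(e.get("Binding") == POST_BINDING for e in idp.findall("md:SingleSignOnService", NS)):
        findings.append("IdP metadata has no HTTP-POST SingleSignOnService endpoint")
    return findings


if __name__ == "__main__":
    for line in check_saml_setup(SP_METADATA, IDP_METADATA, CONSOLE_VALUES) or ["OK: SP, IdP and console values agree"]:
        print(line)
```

Run it against the real files by replacing the two constructed strings with the contents of the published UIM metadata and the downloaded IdP metadata; any finding it prints is a value that should be corrected on the IdP side before testing the login.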

Configuring WebLogic for Using Identity Provider for Authorization

You configure WebLogic to access the Identity Provider users so that they can be authorized in UIM through the Oracle Enterprise Manager (EM) console.

For WebLogic Server to authenticate users with the Identity Provider, the WebLogic authentication provider must be associated with an OAuth client that is registered with the Identity Provider. This OAuth client is what gives the WebLogic provider access to the Identity Provider.

For authorization, the roles or groups information must be shared as basic format attributes in the SAML assertion response. For more information, see SAML 2.0 Basic Attribute Profile Required.

Updating the SSL.hostnameVerifier Property

The IDCS provider can access IDCS only if you update the SSL.hostnameVerifier property.

To update the SSL.hostnameVerifier property:

  1. Go to the WebLogic administrator console and open Environment, Servers, your server (AdminServer), Configuration and then SSL.
  2. Click Lock & Edit.
  3. Open Advanced.
  4. Change Hostname Verification from BEA Hostname Verifier to Custom Hostname Verifier.
  5. Set Custom Hostname Verifier to weblogic.security.utils.SSLWLSWildcardHostnameVerifier.
  6. Click Save and then Activate Changes.
  7. Start the Administration server and all Managed WebLogic servers.
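The custom verifier selected in step 5 accepts certificates whose subject names contain a wildcard label, which an exact-match verifier rejects; the security-relevant question is how loosely the wildcard is interpreted. The Python below is an added example, not WebLogic's own implementation, showing the rules a wildcard-aware verifier should apply (the wildcard only as the entire leftmost label, matching exactly one label, never standing in for a bare registrable domain) next to the exact-match rule. The host name follows the pattern from the note on IDCS host names later in this chapter; that the IdP's certificate carries the wildcard name *.identity.example.com is an assumption made for the example.

```python
"""Host name verification rules: wildcard-aware verifier versus exact match.
Added example; not the source of WebLogic's SSLWLSWildcardHostnameVerifier."""


def _normalize(name):
    # Comparison is case-insensitive; a trailing dot denotes the same absolute name.
    return name.strip().lower().rstrip(".")


def strict_match(cert_name, hostname):
    """Exact-match rule: the certificate name must equal the host name; '*' is never special."""
    return _normalize(cert_name) == _normalize(hostname)


def wildcard_match(cert_name, hostname):
    """Wildcard rule:
    - '*' is only accepted as the entire leftmost label (no 'idcs-*.example.com'),
    - it matches exactly one label, so '*.identity.example.com' covers neither
      'a.b.identity.example.com' nor the bare 'identity.example.com',
    - at least two literal labels must follow it, so '*.com' never matches.
    Public-suffix checks (for example '*.co.uk') are out of scope here.
    """
    pattern, host = _normalize(cert_name), _normalize(hostname)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def presented_name_accepted(hostname, dns_names, allow_wildcards):
    """True if any subjectAltName dNSName on the certificate matches the host
    name the client connected to, under the chosen rule."""
    rule = wildcard_match if allow_wildcards else strict_match
    return any(rule(name, hostname) for name in dns_names)


# Constructed names; the wildcard name on the IdP's certificate is an assumption.
IDP_HOST = "idcs-abcde.identity.example.com"
IDP_CERT_DNS_NAMES = ["*.identity.example.com", "identity.example.com"]

if __name__ == "__main__":
    print("exact-match verifier accepts:", presented_name_accepted(IDP_HOST, IDP_CERT_DNS_NAMES, False))
    print("wildcard verifier accepts:", presented_name_accepted(IDP_HOST, IDP_CERT_DNS_NAMES, True))
```

The point of keeping the rules this tight is that switching to a wildcard verifier should only widen acceptance to the IdP's own tenant host names under the wildcard, not to arbitrary deeper or unrelated names.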

Configuring Oracle Identity Cloud Integrator Provider

The Oracle Identity Cloud Integrator provider is an authentication and identity assertion provider that accesses users, groups, Identity Provider scopes, and application roles stored in the IDCS Identity Provider.

Before you can configure the provider, you must obtain the required OAuth client information from the IDCS Identity Provider. To do so, you create a trusted application in the Identity Provider. A trusted application is a type of custom application that is accessed by multiple users, is hosted on a secure, protected server, and uses OAuth 2.0. Because you know where the application is hosted, you can treat it as trusted. Creating the application in the Identity Provider provisions an OAuth client.

Creating the OAuth Client

To create the OAuth client in the Identity Cloud Service console:

Note:

Perform similar steps for any other Identity Provider.

  1. Log into the Identity Cloud Service console as an administrator.
  2. Create a trusted application. See Adding a Trusted Application in Administering Oracle Identity Cloud Service.

Note:

The OAuth client can be used only within the specific tenant in which it was provisioned.

In the Add Trusted Application window:

  1. Enter a client name and a description (optional).
  2. Select Configure this application as a client now to configure the authorization settings:
    1. Select only Client Credentials as the allowed grant type.

      This setting is used when the authorization scope is limited to the protected resources under the control of the client or to the protected resources registered with the authorization server. The client presents the corresponding credentials to obtain an access token.

    2. Assign the client to the Identity Domain Administrator application role. To do so, select Grant the client access to Identity Cloud Service Admin APIs and then, in the pop-up window that appears, select Identity Domain Administrator.

    Note:

    Using the Identity Domain Administrator application role provides write access to the Oracle Identity Cloud Service user store. The WebLogic Server Oracle Identity Cloud Integrator provider does not support any update operations. Therefore, you must use the Identity Cloud Service Administration Console to modify the content of the user store.

  3. Go through the remaining pages in the wizard and click Finish.
  4. Note down the Client ID and Client Secret that appear when you create the application.

    You need these values when you configure the Oracle Identity Cloud Integrator provider. The attributes that you must provide while configuring the provider are:

    • Tenant: Name of the primary tenant in the Identity Provider where you provisioned the OAuth client.
    • ClientId: The OAuth client ID used to access the Identity Provider identity store.
    • ClientSecret: The OAuth Client Secret (password) used to generate access tokens.
    • Client tenant (Optional): Name of the OAuth client tenant in which the Client ID is available. This attribute is not required if the Client tenant is the same as the primary tenant.
  5. Activate the application.

Configuring Identity Cloud Integrator Provider

To configure Identity Cloud Integrator Provider:

  1. Log into the WebLogic Server Administration console.
  2. Select Security Realm in the Domain Structure pane.
  3. On the Summary of Security Realms page, click the name of the realm (for example, myrealm).

    The Settings for myrealm page appears.

  4. On the Settings for Realm Name page, select Providers and then Authentication.
  5. To create a new Authentication Provider in the Authentication Providers table, click New.
  6. In the Create a New Authentication Provider page, enter the name of the authentication provider. For example, IDCSIntegrator.
  7. Select the OracleIdentityCloudIntegrator type of the authentication provider from the drop-down list and click OK.
  8. In the Authentication Providers table, click the newly created Oracle Identity Cloud Integrator IDCSIntegrator link.
  9. In the Settings for IDCSIntegrator page, select Sufficient from the drop-down list for Control Flag and click Save.
  10. Go to the Provider Specific page to configure the additional attributes for the security provider.
  11. Enter the values for the following fields and click Save:
    • Host
    • Port (default: 443)
    • SSLEnabled (select)
    • Tenant
    • Client Id
    • Client Secret

    Note:

    If the IDCS URL is idcs-abcde.identity.example.com, then IDCS host is identity.example.com and tenant name is idcs-abcde. Keep the default settings for the other sections of the page.

  12. Select Security Realm, myrealm, and then Providers.
  13. In the Authentication Providers table, click Reorder.
  14. In the Reorder Authentication Providers page, move IDCSIntegrator to the top and click OK.
  15. In the Authentication Providers table, click the DefaultAuthenticator link.
  16. In the Settings for DefaultAuthenticator page, select Sufficient from the drop-down list for Control Flag and click Save.

    All changes are activated.

  17. Restart the Administration server.

Setting Up Trust between IDCS and WebLogic

To set up trust between IDCS and WebLogic:

  1. Import the certificate in KSS store.
    1. Open the Administration Server node.
    2. Get the IDCS certificate as follows:
      echo -n | openssl s_client -showcerts -servername <IDCS_URL> -connect <IDCS_URL>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/idcs_cert_chain.crt

      # Sample: the same tenant host name is used for SNI (-servername) and for the connection
      echo -n | openssl s_client -showcerts -servername idcs-xyz.identity.oraclecloud.com -connect idcs-xyz.identity.oraclecloud.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/idcs_cert_chain.crt
      
    3. To import the certificate, start WLST by running the <ORACLE_HOME>/oracle_common/common/bin/wlst.sh script.
    4. Run the following commands:
      connect('weblogic','<admin_pwd>','t3://<WEBLOGIC_HOST>:7001')
      svc=getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='',alias='idcs_cert_chain',type='TrustedCertificate',filepath='/tmp/idcs_cert_chain.crt',keypassword='')
      syncKeyStores(appStripe='system',keystoreFormat='KSS')
      
    5. Run exit().
  2. Restart the Administration server and Managed servers.
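The openssl pipeline in step 1 writes whatever chain the server presented at that moment, and step 4 then imports it as a trusted certificate for the whole domain, so a check between the two steps is worthwhile: compare the SHA-256 fingerprint of the leaf certificate in /tmp/idcs_cert_chain.crt with the value recorded out of band (for example, from the IdP console, or from a second connection over an independent network path) and only run importKeyStoreCertificate when they agree. The Python below is an added example, not part of this guide or of any Oracle tool; the chain it parses is constructed and its certificate bodies are placeholders rather than real DER structures.

```python
"""Split a PEM chain file into certificates and pin the leaf's SHA-256
fingerprint before it is imported into the KSS trust store.
Added example; the chain below is constructed and its bodies are not real
certificates, only placeholder bytes between the PEM markers."""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def split_pem_chain(pem_text):
    """Return the DER bytes of every certificate in the file, in server order (leaf first)."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]


def sha256_fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of each certificate, in chain order."""
    return [hashlib.sha256(der).hexdigest() for der in split_pem_chain(pem_text)]


def leaf_matches_expected(pem_text, expected_hex):
    """True only if the file holds at least one certificate and the first one
    (the IdP's own) has the fingerprint recorded out of band. Colons and case
    in the expected value are ignored; the comparison is constant-time."""
    fps = sha256_fingerprints(pem_text)
    if not fps:
        return False
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(fps[0], expected)


def _pem(der):
    # Wrap DER bytes in PEM armour at 64 characters per line, as openssl writes it.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for the DER bodies of a leaf certificate and its issuer.
SAMPLE_LEAF_DER = b"constructed leaf certificate bytes, not a real DER structure"
SAMPLE_ISSUER_DER = b"constructed issuer certificate bytes, not a real DER structure"
# The sed filter in the procedure keeps only the PEM blocks, but the splitter also
# tolerates s_client chatter (such as the depth line below) in front of them.
SAMPLE_CHAIN = " 0 s:CN = constructed\n" + _pem(SAMPLE_LEAF_DER) + _pem(SAMPLE_ISSUER_DER)

if __name__ == "__main__":
    for i, fp in enumerate(sha256_fingerprints(SAMPLE_CHAIN)):
        print(f"cert[{i}] sha256={fp}")
```

For the real file, the value to pin can be read with openssl x509 -in /tmp/idcs_cert_chain.crt -noout -fingerprint -sha256 on a machine you trust, and leaf_matches_expected(open('/tmp/idcs_cert_chain.crt').read(), that_value) should be True before the WLST import in step 4 is run.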

Creating an Administrator User in IDCS Administration Console for WebLogic

You must create an Administrator user in IDCS because once the Managed servers are configured for SAML, the domain administrator user (usually, the weblogic user) cannot log into the Managed servers.

Note:

You must perform this procedure only if you use IDCS as Identity Provider.

To create a WebLogic Administrator user in IDCS for the WebLogic JAX-WS connection:

  1. In IDCS, go to the Groups tab and create the Administrators and sysmanager groups.
  2. Go to the Users tab, create a WebLogic admin user (for example, weblogic), and assign it to the Administrators and sysmanager groups.
  3. Restart all Managed servers.

Managing Group Memberships, Roles, and Accounts

To manage group memberships, roles, and accounts, you must update OPSS and libOVD to access IDCS.

The following procedure is required only if you use IDCS for user authorization.

Ensure that all servers are stopped (including Administration) before proceeding further.

To manage group memberships, roles, and accounts:

  1. Shut down all servers by using the WebLogic Server Administration Console.

    Note:

    You must use the kubectl patch domain command to start or stop pods, not the WebLogic Server Administration Console.
  2. Run the following:
    #Run the wlst.sh
    cd /u01/oracle/oracle_common/common/bin/
    ./wlst.sh
    

    Note:

    This does not require a connection to the WebLogic Administration Server.
  3. Read the domain as follows:
    readDomain('<DOMAIN_HOME>')
  4. Add the template as follows:
    addTemplate('<MIDDLEWARE_HOME>/oracle_common/common/templates/wls/oracle.opss_scim_template.jar')

    Note:

    This step may display a warning, which you can ignore: addTemplate is deprecated, and selectTemplate followed by loadTemplates should be used instead of addTemplate.
  5. Update the domain as follows:
    updateDomain()
  6. Close the domain as follows:
    closeDomain()
  7. Exit from the Administration server container using exit().
  8. Start the Administration and Managed servers.