2.3 Configure SSO in OAM Console

This topic provides step-by-step instructions to configure SSO in the OAM console.

After installing OAM, Webtier Utilities and Webgate, extend the WebLogic domain to create the OAM server.

Run the post-installation scripts deployWebGate and EditHttpConf as described in the Post Installation Steps topic of the Fusion Middleware Installation Guide for Oracle Identity Management.
  1. Identity Store Creation.
  2. To create a new User Identity Store, log in to the OAM Console.
  3. Navigate to System Configuration, click Common Configuration, click Data Sources, and then select User Identity Store.
  4. Specify the following information for the User Identity Store:

    Table 2-1 User Identity Store

    Store Type: Select the Store Type as Oracle Internet Directory.
    Location: Specify the LDAP server host name and port number, for example <HOSTNAME>:<PORT number>.
    Bind DN: Specify the user name used to connect to the LDAP server.
    Password: Specify the password used to connect to the LDAP server.
    User Name Attribute: The attribute created in LDAP that is used as the user name by the other application (here it is treated as the Oracle Banking Corporate Lending username).
    User Search Base: The container of the user names in the LDAP server.
    Group Search Base: The container of the group names in the LDAP server.

    Figure 2-2 Oracle Access Manager - System Configuration

  5. Click the Apply button after entering the information.
  6. On successful creation, click the Test Connection button to verify that the LDAP connection works.

    Figure 2-3 Oracle Access Manager- System Configuration - Test Connection



  7. To create an Authentication Module, navigate to System Configuration, click Access Manager Settings, click Authentication Modules, and then click LDAP Authentication Module.
    The LDAP Authentication Module screen displays.

    Figure 2-4 LDAP Authentication Module

  8. Click the New button to create a new Authentication Module.
  9. Specify the Name of the authentication module and choose the User Identity Store created above.
  10. To create an OAM 12c Webgate, navigate to System Configuration, click Access Manager Settings, click SSO Agents, and then click OAM Agents.
    The OAM Agents screen displays.

    Figure 2-5 Welcome to Oracle Access Manager

  11. Click the Create 12c Webgate button, or click the New OAM 12c Webgate link on the welcome page.
    The Create OAM 12c Webgate screen displays.

    Figure 2-6 Create OAM 12c Webgate

  12. Specify the Name for the Webgate and the Base URL (the host and port of the computer on which the web server for the Webgate is installed).
    Once the OAM 12c Webgate is created, add the filterOAMAuthnCookie=false parameter alongside the default parameters in User Defined Parameters.
  13. Click the Apply button to save the changes.
    A confirmation message displays on the FCUBSWebgate screen.
  14. After the OAM Webgate 12c is created, copy the artifacts to the Webgate installation directory as follows:
    • On the Oracle Access Manager Console host, locate the updated OAM Agent ObAccessClient.xml configuration file (and any certificate artifacts). For example: $DOMAIN_HOME/output/$Agent_Name/ObAccessClient.xml
    • On the OAM Agent host, copy the artifacts to the Webgate directory path. For example: 12cWebgate_instance_dir/webgate/config/ObAccessClient.xml (for instance WebTier_Middleware_Home/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config/ObAccessClient.xml)
  15. To create an Authentication Scheme, navigate to Policy Configuration and click Authentication Schemes.
    The Authentication Schemes screen displays.
  16. Click the Create button to create a new Authentication Scheme and specify the following details:

    Table 2-2 Authentication Schemes

    Name: Specify a name to identify the Authentication Scheme.
    Authentication Level: Set the authentication level to 1.
    Challenge Method: Select the challenge method BASIC from the drop-down.
    Challenge Redirect URL: Specify the URL as /oam/server.
    Authentication Module: Select the authentication module OBCL_Authentication_Module from the drop-down.

    If the scheme uses the BASIC challenge method, you must also add the enforce-valid-basic-auth-credentials element to the config.xml file located under /user_projects/domains/<MyDomain>/config/. Insert it inside the <security-configuration> element, just before its closing tag:

        <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
      </security-configuration>

    The new authentication scheme is created.

    Figure 2-7 Authentication Schemes

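The config.xml change required in step 16 can be applied and checked without hand-editing the file. The script below is an added example, not code from the Oracle documentation or product: it parses a WebLogic domain config.xml, sets enforce-valid-basic-auth-credentials inside security-configuration (inserting the element just before the closing tag when it is absent, and leaving exactly one element when run again), and reports the effective setting. The sample config.xml, the domain name MyDomain and the .bak backup name are constructed for the example, and the namespace URI http://xmlns.oracle.com/weblogic/domain is assumed to be the default namespace the domain file declares.

```python
"""Added example (not Oracle's code): set enforce-valid-basic-auth-credentials
inside <security-configuration> of a WebLogic domain config.xml, as step 16
requires when the authentication scheme uses the BASIC challenge method."""
import shutil
import sys
import xml.etree.ElementTree as ET
from typing import Optional

# Default namespace declared by a WebLogic domain config.xml (assumption).
NS = "http://xmlns.oracle.com/weblogic/domain"
TAG = "enforce-valid-basic-auth-credentials"
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed sample of a domain config.xml; a real file has many more elements.
SAMPLE_CONFIG_XML = f"""{XML_DECL}<domain xmlns="{NS}">
  <name>MyDomain</name>
  <security-configuration>
    <name>MyDomain</name>
    <node-manager-username>weblogic</node-manager-username>
  </security-configuration>
  <server>
    <name>AdminServer</name>
  </server>
</domain>
"""


def basic_auth_enforcement(xml_text: str) -> Optional[bool]:
    """Return the configured value, or None when the element is absent
    (WebLogic then applies its default, which is to enforce)."""
    root = ET.fromstring(xml_text)
    el = root.find(f"{{{NS}}}security-configuration/{{{NS}}}{TAG}")
    if el is None or el.text is None:
        return None
    return el.text.strip().lower() == "true"


def set_basic_auth_enforcement(xml_text: str, enforce: bool = False) -> str:
    """Return config.xml text with the element set to the requested value.
    Inserts the element as the last child of <security-configuration> when it
    is missing, otherwise updates it in place, so repeated runs keep one element."""
    ET.register_namespace("", NS)  # keep the file's unprefixed default namespace
    root = ET.fromstring(xml_text)
    sec = root.find(f"{{{NS}}}security-configuration")
    if sec is None:
        raise ValueError("config.xml has no <security-configuration> element")
    el = sec.find(f"{{{NS}}}{TAG}")
    if el is None:
        el = ET.SubElement(sec, f"{{{NS}}}{TAG}")  # lands just before the closing tag
        el.tail = "\n  "
    el.text = "true" if enforce else "false"
    return XML_DECL + ET.tostring(root, encoding="unicode")


def update_config_file(path: str, enforce: bool = False) -> Optional[bool]:
    """Rewrite config.xml in place after saving a .bak copy; returns the new setting."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        updated = set_basic_auth_enforcement(fh.read(), enforce)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return basic_auth_enforcement(updated)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("enforce-valid-basic-auth-credentials now:", update_config_file(sys.argv[1]))
    else:
        before = basic_auth_enforcement(SAMPLE_CONFIG_XML)
        after = basic_auth_enforcement(set_basic_auth_enforcement(SAMPLE_CONFIG_XML))
        print("sample before:", before, "after:", after)
```

When the element is absent WebLogic applies its default and validates the Basic credentials against its own realm, which is why the checker returns None rather than False; with the value false the Basic header is passed through to the OAM-protected application unvalidated, which is what the BASIC challenge method needs. Edit config.xml only while the Admin Server is stopped, or restart it afterwards, for the change to take effect.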
  17. To create an authentication policy, navigate to Policy Configuration, click Application Domains, click [Webgate agent name], and then click Authentication Policies.
    The Authentication Policies screen displays.

    Figure 2-8 Authentication Policies

  18. Click New and specify the following information:

    Table 2-3 Authentication Policies

    Name: Specify any name to identify the Authentication Policy (for example, OBCLWebPolicy).
    Authentication Scheme: Select the authentication scheme from the drop-down.
  19. In the Resources section, add all the resources that need to be protected. If <WebgateName>:/…/ and <WebgateName>:/ are added as resources, then all resources are protected.
  20. Click the Responses tab and specify the Name as DN and the Value as $user.attr.dn.
    The responses maintained in this tab are added to the response header during authentication.

    Figure 2-9 Authentication Policy - Response tab

  21. To add new resources, navigate to Policy Configuration, click Application Domains, click OBCLWebgate, and then click Resources.
    The Resources screen displays.
  22. Click the Create New Resource button and specify the following details:

    Table 2-4 Resources

    Type: Select the type as HTTP.
    Host Identifier: Select the Host Identifier as OBCLWebgate.
    Resource URL: Specify the resource URL as /FCJNeoWeb.
    Protection Level: Select the protection level Protected from the drop-down.
    Authentication Policy: Select Protected Resource Policy from the drop-down.
    Authorization Policy: Select Protected Resource Policy from the drop-down.
  23. Click the Apply button to save the added resource.
  24. Check that the resources listed in the authentication policy are also present in the Authorization Policy. These values are defaulted during Webgate creation.

    Figure 2-11 Application Policy - Resources

  25. Click the Responses tab and specify the Name as DN and the Value as $user.attr.dn.
    The responses maintained in this tab are added to the response header during authorization.
  26. To enable the Oracle HTTP Server instances to route to applications deployed on the Oracle WebLogic Server clusters, add the directive shown below to the mod_wl_ohs.sh file available in <Weblogic Home>/Oracle_WT1/instances/instance1/config/OHS/ohs1.
    <Location /console>
    SetHandler weblogic-handler
    WebLogicHost idmhost1.mycompany.com
    WebLogicPort 7001
    </Location>

  27. After configuring the Webgate 12c agent, launch the URL http://<hostname>:<ohs_Port>/ohs/modules/webgate.cgi?progid=1 to verify that the Webgate configuration is correct. If the URL displays a screen like the one below, the Webgate configuration is working.

    Figure 2-12 Diagnostic View of Oracle Access Manager

  28. Use the OAM Test Tool (this step is not mandatory).
    OAM software provides a test tool that helps check the response parameter values. The test tool is available in <OAM Install Dir>\oam\server\tester.

    For example: D:\weblogic\Middleware\Oracle_IDM1\oam\server\tester

    Use java -jar oamtest.jar to launch the OAM test tool.

    Figure 2-13 Oracle Access Manager Test Tool
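Steps 20 and 25 make the authenticated user's DN available to the application in a header named DN, and the application derives the Oracle Banking Corporate Lending username from it, so the value should be checked before it is trusted. The following is an added example, not code from the Oracle documentation or product: it parses the DN header, verifies that the DN lies under the User Search Base configured in the User Identity Store (Table 2-1), and returns the value of the User Name Attribute. The search base cn=Users,dc=example,dc=com, the attribute uid and the sample headers are constructed for the example, and the example assumes the User Name Attribute is the leading RDN of the user's DN.

```python
"""Added example (not Oracle's code): validate the DN header that the
Responses of steps 20 and 25 pass to the application and derive the
username from it."""
from typing import Dict, List, Optional, Tuple

# Constructed values; a real deployment takes them from the User Identity
# Store definition (User Search Base and User Name Attribute in Table 2-1).
USER_SEARCH_BASE = "cn=Users,dc=example,dc=com"
USER_NAME_ATTRIBUTE = "uid"
DN_HEADER = "DN"  # the Name given in the Responses tab


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, left to right, honouring
    backslash escapes and quoted values. Multi-valued RDNs (a+b=...) are
    not split; the '+' part stays inside the value."""
    rdns: List[Tuple[str, str]] = []
    attr: Optional[str] = None
    buf: List[str] = []
    in_quote = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):  # escaped character, keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "=" and attr is None and not in_quote:
            attr = "".join(buf).strip().lower()  # attribute types are case-insensitive
            buf = []
        elif c == "," and not in_quote:
            if attr is None:
                raise ValueError(f"RDN without attribute type in {dn!r}")
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None or in_quote:
        raise ValueError(f"malformed DN {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def _normalised(rdns: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    # directory names such as cn/dc compare case-insensitively
    return [(a, v.lower()) for a, v in rdns]


def is_under_search_base(dn: str, base: str = USER_SEARCH_BASE) -> bool:
    """True when dn is strictly below base: same suffix plus at least one more RDN."""
    rdns, base_rdns = parse_dn(dn), parse_dn(base)
    return (len(rdns) > len(base_rdns)
            and _normalised(rdns[-len(base_rdns):]) == _normalised(base_rdns))


def username_from_dn_header(headers: Dict[str, str]) -> str:
    """Return the username carried by the DN header, or raise PermissionError."""
    # header names are case-insensitive, so match them that way
    dn = next((v for k, v in headers.items() if k.lower() == DN_HEADER.lower()), None)
    if not dn:
        raise PermissionError("missing DN header: request did not come through WebGate")
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        raise PermissionError(f"unparseable DN header: {exc}") from exc
    if not is_under_search_base(dn):
        raise PermissionError(f"DN {dn!r} is outside the user search base {USER_SEARCH_BASE!r}")
    attr, value = rdns[0]
    if attr != USER_NAME_ATTRIBUTE or not value:
        raise PermissionError(f"leading RDN of {dn!r} is not the {USER_NAME_ATTRIBUTE} attribute")
    return value


if __name__ == "__main__":
    # constructed headers as WebGate would forward them (not a real capture)
    for hdrs in ({"DN": "uid=jdoe,cn=Users,dc=example,dc=com"},
                 {"DN": "uid=svc1,cn=Services,dc=example,dc=com"},
                 {}):
        try:
            print("username:", username_from_dn_header(hdrs))
        except PermissionError as exc:
            print("rejected:", exc)
```

The DN header is set by WebGate after it has authenticated the user, so it is only meaningful for requests that reached the application through the OHS/WebGate instance; a request that bypasses OHS and reaches the WebLogic listen port directly could carry any DN header. That is why the application tier should accept connections only from the web tier routed by the mod_wl_ohs directive in step 26, and why the example treats a missing or out-of-scope header as a failure rather than falling back to anonymous access.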