20 Configuring Single Sign-on for Administration Consoles

20.1.1 Prerequisites for Configuring Single Sign-On

Make sure that the following tasks have been performed before moving on to the next section:

1. Install and configure Oracle Access Manager as described in Chapter 10.

2. Ensure that the policy protecting the Policy Manager ("/access") has been created and enabled. If this is not enabled, use the Policy Manager console to enable it, as described in Section 20.1.1.1.

3. Determine the host identifier value. It is required for enabling single sign-on.

4. Ensure that the administrator users are created as detailed in Section 20.3, "Administrator Provisioning"

20.1.2 Updating the Form Authentication for Delegated Administration

The WebGates in the IDM Domain also need to act as delegated authentication WebGates, that is, they receive authentication requests from external applications or domains in the enterprise. To enable delegated authentication, the form authentication scheme created by the OAM Configuration Tool must be modified to add the Challenge Redirect parameter.

Follow the steps below to add the challenge redirect parameter to the Form authentication scheme:

1. Use a web browser to display the Access Console using the URL below:

   http://oamadminhost.mycompany.com:7777/access/oblix
   

2. Click the Access System Console link and log in using the credentials for the orcladmin user.

3. On the main page, click the Access System Configuration tab.

4. On the Access System Configuration page, click the Authentication Management link on the left hand side.

5. On the Authentication Management page, under the List all Authentication Schemes table, click OraDefaultFormAuthNScheme.

6. On the Details for Authentication Scheme page, click Modify to modify the configuration of the authentication scheme.

7. On the Modifying Authentication Scheme page, update the Challenge Redirect parameter with the Single Sign-On virtual host configured in the load balancer. Use https://sso.mycompany.com to update the Challenge Redirect parameter.

8. Click Save to save the updated configuration.

9. To validate that the configuration was successful, follow the steps below:

   1. Using a web browser, bring up either the Oracle WebLogic Administration Console or Oracle Enterprise Manager Fusion Middleware Control:

      URL for the WebLogic Administration Server Console:

      http://admin.mycompany.com/console
      

      URL for the Enterprise Manager Oracle Fusion Middleware Control:

      http://admin.mycompany.com/em
      

   2. This will redirect your web browser to https://sso.mycompany.com for authentication.

      Log into the console using the administrator user's credentials. For example: orcladmin, password.

   3. Then you will be redirected back to the WebLogic Administration Console login page. Log in using weblogic, password.

20.1.3 Enable SSO protection for the Oracle Identity Navigator and APM Consoles

Follow the steps described in Section 10.4.3.3, "Running the OAM Configuration Tool" to protect the Oracle Identity Navigator and APM consoles using Oracle Access Manager 10g. Run the oamcfgtool using the same values passed in Section 10.4.3, but with /oinav, /apm as the protected_uris.

For example:

$JAVA_HOME/bin/java -jar oamcfgtool.jar mode=CREATE app_domain="IDMEDG"web_domain="idmEDG_WD" cookie_domain="mycompany.com"protected_uris="/oinav,/apm" app_agent_password="welcome1"ldap_host=oid.us.oracle.com ldap_port=389 ldap_userdn="cn=orcladmin"ldap_userpassword=password oam_aaa_host=oamhost1.mycompany.comoam_aaa_port=6023

20.1.4 Validating the Policy Domain and AccessGate Configurations

The next part of the process is to validate the policy domain configuration and the AccessGate configuration.

20.1.5 Setting Up the WebLogic Authenticators

This section describes the steps for setting up Oracle WebLogic Server authenticators.

ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/config/config.xml

20.1.6 Validating the Oracle Access Manager Single Sign-On Setup

To validate the setup, open a web browser and go the following URLs:

http://admin.mycompany.com/console

http://admin.mycompany.com/em

The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.

20.2.1 Prerequisites

Before you attempt to integrate administration consoles with single sign-on, ensure Ensure that the following tasks have been performed:

1. Configure Oracle HTTP Server, as described in Chapter 5.

2. Configure Oracle Identity Manager, as described in Chapter 13.

3. Install and Configure WebGate, as described in Section 18.2.

20.2.2 Creating Oracle Virtual Directory Authenticator

1. Log in to the WebLogic Administration Console at http://admin.mycompany.com/console.

2. Click Security Realms from the Domain structure menu.

3. Click Lock and Edit in the Change Center.

4. Click myrealm.

5. Select the Providers tab.

6. Click DefaultAuthenticator.

7. Set Control Flag to SUFFICIENT.

8. Click Save.

9. Click Security Realms from the Domain structure menu.

10. Click myrealm.

11. Select the Providers tab.

12. Click New.

13. Supply the following information:

    • Name: OVDAuthenticator

    • Type: OracleVirtualDirectoryAuthenticator

14. Click OK.

15. Click Reorder.

16. Click OVDAuthenticator.

17. Click OK.

18. Click OVDAuthenticator.

19. Set Control Flag to SUFFICIENT.

20. Click Save.

21. Select the Provider Specific tab.

22. Enter the following details:

    • Host: ovd.mycompany.com

    • Port: 389

    • Principal: cn=orcladmin

    • Credential: orcladmin password

    • Confirm Credential: orcladmin password

    • User Base DN: cn=Users,dc=mycompany,dc=com

    • Group Base DN: cn=Groups,dc=mycompany,dc=com

    • GUID Attribute: orclguid

23. Click Save.

24. Click Activate Changes from the Change Center.

25. Restart the Administration Server and all the managed servers, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

Validating the Configuration

Validate the configuration by logging in to the oamconsole as the user oamadmin.

You can perform a further validation test by using the Oracle WebLogic Administration Console, as follows.

1. Log in to the console, which is at http://admin.mycompany.com/console.

2. Select Security Realms from the Domain structure menu.

3. Click myrealm.

4. Click the Users and Groups tab.

5. Click Users.

   LDAP users will be displayed.

20.2.3 Creating Oracle Access Manager Identity Asserter

1. Log in to the WebLogic Administration Console at: http://admin.mycompany.com/console.

2. Click Security Realms from the Domain structure menu.

3. Click Lock and Edit in the Change Center.

4. Click myrealm.

5. Select the Providers tab.

6. Click New.

7. Supply the following information:

   • Name: OAMIdentityAsserter

   • Type: OAMIdentityAsserter

8. Click OK.

9. Click Reorder.

10. Click OAMIdentityAsserter.

11. Using the arrows on the right hand side order the providers such that the order is:

    • OAMIdentity Asserter

    • Default Authenticator

    • OIM Signature Authenticator

    • OIMAuthenticationProvider

    • OVDAuthenticator

    • Default Identity Asserter

    Note:

    OIM providers only exist if OIM has been configured.

12. Click OK.

13. Click OAMIdentityAsserter.

14. Set Control Flag to REQUIRED.

15. Click Save.

16. Click Activate Changes.

17. Restart the Administration Server and all the managed servers, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

20.3.1 Provisioning Admin Users and Groups in an LDAP Directory

As mentioned in the introduction to this section, users and groups from multiple WebLogic domains may be provisioned in a central LDAP user store. In such a case, there is a possibility that one WebLogic admin user may have access to all the domains within an enterprise. This is not a desirable situation. To avoid this, the users and groups provisioned must have a unique distinguished name within the directory tree. In this guide, the admin user and group for the IDM WebLogic Domain will be provisioned with the DNs below:

• Admin User DN:

  cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
  

• Admin Group DN:

  cn=IDM Administrators, cn=Groups,dc=mycompany,dc=com
  

Follow the steps below to provision the admin user and admin group in Oracle Internet Directory:

1. Create an ldif file named admin_user.ldif with the contents shown below and then save the file:

   dn: cn=weblogic_idm, cn=Users, dc=mycompany,dc=com
   obpasswordchangeflag: false
   obpasswordexpirydate: 2035-01-01T00:00:00Z
   sn: weblogic_idm
   uid: weblogic_idm
   givenname: weblogic_idm
   displayname: weblogic_idm
   cn: weblogic_idm
   objectclass: orclIDXPerson
   objectclass: inetOrgPerson
   objectclass: organizationalPerson
   objectclass: person
   objectclass: top
   objectclass: oblixPersonPwdPolicy
   objectclass: OIMPersonPwdPolicy
   objectclass: oblixorgperson
   userpassword: Account password
   obuseraccountcontrol: activated
   orclisenabled: ENABLED
   

   Ensure that the user has the mail attribute. This attribute is required by Oracle Identity Management for user reconcilation.

2. Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the user in Oracle Internet Directory. For example:

   ORACLE_HOME/bin/ldapadd -h ovd.mycompany.com -p 389 -D cn="orcladmin" -w
   welcome1 -c -v -f admin_user.ldif
   

3. Create an ldif file named admin_group.ldif with the contents shown below and then save the file:

   dn: cn=IDM Administrators, cn=Groups, dc=mycompany, dc=com
   displayname: IDM Administrators
   objectclass: top
   objectclass: groupOfUniqueNames
   objectclass: orclGroup
   uniquemember: cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
   cn: IDM Administrators
   description: Administrators Group for the IDM Domain in OID
   

4. Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the group in Oracle Internet Directory. For example:

   ORACLE_HOME/bin/ldapadd -h ovd.mycompany.com -p 389 -D cn="orcladmin" -w
   welcome1 -c -v -f admin_group.ldif
   

5. Update the provisioned user as described in Section 18.3.4 "Update Existing LDAP Users with Required Objectclasses."

20.3.2 Assigning the Admin Role to the Admin Group

After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for that domain. Follow the steps below to assign the Admin role to the Admin group:

1. Log into the WebLogic Administration Server Console.

2. In the left pane of the console, click Security Realms.

3. On the Summary of Security Realms page, click myrealm under the Realms table.

4. On the Settings page for myrealm, click the Roles & Policies tab.

5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click on the Roles link to bring up the Global Roles page.

6. On the Global Roles page, click the Admin role to bring up the Edit Global Role page:

   1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

   2. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.

   3. On the Edit Arguments Page, Specify IDM Administrators in the Group Argument field and click Add.

7. Click Finish to return to the Edit Global Rule page.

8. The Role Conditions table now shows the IDM Administrators Group as an entry.

9. Click Save to finish adding the Admin Role to the IDM Administrators Group.

10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

20.3.3 Enabling OIM to Connect to SOA Using the Admin Users Provisioned in LDAP

Oracle Identity Manager connects to SOA as SOA administrator, with the username weblogic by default. As mentioned in the previous sections, a new administrator user is provisioned in the central LDAP store to manage Identity Management Weblogic Domain.

Perform the following postinstallation steps to enable Oracle Identity Manager to work with the Oracle WebLogic Server administrator user provisioned in the central LDAP store. This enables Oracle Identity Manager to connect to SOA without any problem:

1. Log in to Enterprise Manager at: http://admin.mycompany.com/em

2. Right click Identity and Access/oim(11.1.1.3.0) and select System Mbean Browser.

3. Expand oracle.iam under application-defined Mbeans, and select Server: OIM_SERVER_NAME, Application: oim, XML config, config, XMLConfig.SOAConfig, and then select the SOAConfig Mbean.

4. View the username attribute. By default, the value of this attribute is weblogic. Change this to the Oracle WebLogic Server administrator username provisioned in Section 20.3.1 . For example: weblogic_idm

5. Click Apply.

6. Navigate to the IAM_ORACLE_HOME/common/bin/ directory in the Oracle Identity Manager deployment.

7. Start the WebLogic Scripting Tool (WLST) by running the following command:

   ./wlst.sh
   

8. At the prompt, enter connect(). When prompted, enter the Oracle WebLogic Server administrator username, password, and administrative server connection string.

9. Delete the default SOA administrator username and password credential from CSF by running the following command:

   deleteCred(map="oim", key="SOAAdminPassword");
   

10. Create the new credential that Oracle Identity Manager uses to connect to SOA as SOA administrator by running the following command:

    createCred(map="oim", key="SOAAdminPassword", user="weblogic_idm",password="ADMINISTRATOR_PASSWORD");
    

    Replace ADMINISTRATOR_PASSWORD with the actual password.

11. Confirm that the correct value has been seeded by running the following command:

    listCred(map="oim", key="SOAAdminPassword");
    

12. Exit WLST shell by running the following command:

    exit()
    

13. Log in to Oracle Identity Manager Administrative and User Console using the administrator login credentials.

14. Run the reconciliation process to enable the Oracle WebLogic Server administrator, weblogic_idm, to be visible in the OIM Console. Follow these steps:

    1. Log in to Oracle Identity Manager at: https://sso.mycompany.com:443/oim as the user xelsysadm.

    2. Click Advanced.

    3. Click the System Management tab

    4. Click the arrow for the Search Scheduler to list all the schedulers.

    5. Select LDAP User Create and Update Full Reconciliation.

    6. Click Run Now to run the job.

    7. Go to the Administration page and perform a search to verify that the user is visible in the Oracle Identity Manager console.

15. Search for the Administrators role. Open the role details and click the Members tab.

16. Add the newly created user as member of this role.

17. Restart Oracle Identity Manager managed server.

20.3.4 Updating the boot.properties File on IDMHOST1 and IDMHOST2

The boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow the steps below to update the boot.properties file.

For the Administration Server on IDMHOST1

1. On IDMHOST1, go the following directory:

   ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
   

   For example:

   cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
   

2. Rename the existing boot.properties file.

3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

   username=adminUser
   password=adminUserPassword
   

   For example:

   username=weblogic_idm
   password=Password for weblogic_idm user
   

   Note:

   When you start the Administration Server, the username and password entries in the file get encrypted.

   For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.

Stopping and Starting the Servers

Restart the Administration server and all managed servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."