Integration of Oracle Access Manager with Oracle Identity Manager

Mahendra | Jul 22, 2010 06:26 +0000

This post covers the steps for integrating Oracle Access Manager (OAM) with Oracle Identity Manager (OIM).

The objective of this integration is to protect the Oracle Identity Manager User Administration Console using Oracle Access Manager.

The authentication scheme used in this post is Form Based authentication. The other schemes (Basic Over LDAP, Certificate and Custom) are also possible but are not covered here.

In this case OIM is deployed in Oracle Application Server (OAS), so this post covers only the configuration required for OAS as part of this integration.

When installing Oracle Identity Manager we would normally select Default mode, in which OIM handles authentication itself. The other option is Single Sign-On mode, in which OIM does not authenticate the user at all but reads the user id from an HTTP header passed by an external authentication system (OAM in our case). In SSO mode OIM trusts that header as-is, so the application server must be reachable only through the web server that runs the WebGate.

The architecture is as given below.

[Figure: OAM-OIM integration architecture]

The integration flow is as follows:

  1. The user requests the OIM User Administration Console.
  2. The WebGate installed on the web server (which acts as reverse proxy for the application server where OIM is deployed) intercepts the request, checks with the Access Server whether the requested OIM resource is protected and, if so, challenges the user according to the configured authentication scheme.
  3. The form login page is displayed and the user enters credentials.
  4. WebGate passes the credentials to the Access Server for authentication.
  5. Upon successful authentication the Access Server generates the ObSSOCookie and returns it to WebGate, which sends it to the browser; WebGate then checks with the Access Server whether the user is authorized to access the resource.
  6. Upon successful authorization, WebGate executes the authorization actions, which set the userid header variable on the request.
  7. The web server forwards the request, with that header, to Oracle Identity Manager, which is configured to read the header variable and treat the userid it carries as the logged-in user.

Configuration changes:

  • We assume that OIM is already deployed in Oracle Application Server and that a web server acting as reverse proxy in front of it is installed and configured.
  • Install a WebGate on the web server.
  • Create a Policy Domain in OAM with the resource to be protected defined as host:port/xlWebApp.
  • Create an Authorization Rule and, on its Actions tab, add a HeaderVar action that returns the user's uid in the header HTTP_REMOTE_USERID:
    HeaderVar (type)    HTTP_REMOTE_USERID (header name)    uid (attribute returned)
  • Configure the Authentication Rule and the Authorization Expression under Default Rules.
  • Enable the policy domain.
  • Gracefully stop the application server where OIM is deployed.
  • Open the file OIM_HOME/xellerate/config/xlconfig.xml and change the Authentication and AuthHeader elements to SSO and HTTP_REMOTE_USERID respectively, as shown below. The AuthHeader value must match the header name used in the OAM HeaderVar action exactly.
  • From
    <web-client>
    <Authentication>Default</Authentication>
    <AuthHeader>REMOTE_USER</AuthHeader>
    </web-client>
  • To
    <web-client>
    <Authentication>SSO</Authentication>
    <AuthHeader>HTTP_REMOTE_USERID</AuthHeader>
    </web-client>
  • Start the application server.
  • Make sure the application server's own HTTP port is not reachable by users directly, only through the web server running the WebGate: in SSO mode OIM accepts whatever HTTP_REMOTE_USERID header it receives.
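The xlconfig.xml change is the one place where OIM and the OAM policy have to agree on a name. The script below is an added example written for this page, not OIM's or Oracle's code: it switches the <web-client> element from Default to SSO mode and checks that AuthHeader matches the HeaderVar name configured in OAM. The sample XML is constructed from the fragment quoted above; its <xl-configuration> root is a placeholder for whatever encloses <web-client> in a real xlconfig.xml.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the <web-client> element quoted above.
# The <xl-configuration> root is a placeholder for whatever encloses
# <web-client> in a real xlconfig.xml.
DEFAULT_MODE_XML = """<xl-configuration>
  <web-client>
    <Authentication>Default</Authentication>
    <AuthHeader>REMOTE_USER</AuthHeader>
  </web-client>
</xl-configuration>"""

OAM_HEADER_VAR = "HTTP_REMOTE_USERID"   # the Name of the HeaderVar action in the OAM policy


def _web_client(xml_text):
    """Parse the file and locate its <web-client> element."""
    root = ET.fromstring(xml_text)
    wc = root.find(".//web-client")
    if wc is None:
        raise ValueError("no <web-client> element in xlconfig.xml")
    return root, wc


def switch_to_sso(xml_text, header_name):
    """Return the xlconfig.xml text with <web-client> switched to SSO mode,
    trusting header_name as the source of the authenticated user id."""
    root, wc = _web_client(xml_text)
    for tag, value in (("Authentication", "SSO"), ("AuthHeader", header_name)):
        elem = wc.find(tag)
        if elem is None:                 # element missing: create it
            elem = ET.SubElement(wc, tag)
        elem.text = value
    return ET.tostring(root, encoding="unicode")


def check_sso(xml_text, expected_header):
    """Return the list of problems found; an empty list means <web-client> is
    consistent with an OAM HeaderVar action named expected_header."""
    problems = []
    _, wc = _web_client(xml_text)
    auth = (wc.findtext("Authentication") or "").strip()
    hdr = (wc.findtext("AuthHeader") or "").strip()
    if auth != "SSO":
        problems.append(f"Authentication is {auth!r}, not SSO: "
                        "OIM will keep showing its own login page")
    if hdr != expected_header:
        problems.append(f"AuthHeader {hdr!r} does not match the OAM HeaderVar name "
                        f"{expected_header!r}: OIM will not find the user id in the forwarded request")
    return problems


if __name__ == "__main__":
    updated = switch_to_sso(DEFAULT_MODE_XML, OAM_HEADER_VAR)
    print(updated)
    print("problems before:", check_sso(DEFAULT_MODE_XML, OAM_HEADER_VAR))
    print("problems after:", check_sso(updated, OAM_HEADER_VAR))
```

To use it on a real system, read a copy of xlconfig.xml into switch_to_sso, write the result back while the application server is stopped, and run check_sso with the header name taken from the OAM action; a typo in either place is caught before the first test login fails.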

Test the integration:
Access the OIM console at http://host:port/xlWebApp. The OAM form login page should now be displayed instead of the OIM login page. Enter the credentials and confirm that the logged-in user shown at the top right of the console is the user you authenticated as.

Observations:

You can observe that the Logout link vanishes after the OAM-OIM integration. This is because, once configured for SSO, OIM expects the logout page to be specified by OAM rather than handling logout itself. I will cover this part in the next post.


Reading HTTP Headers set by Oracle Access Manager.

Mahendra | Jul 15, 2010 00:06 +0000

Since the headers that Oracle Access Manager sets after authentication and authorization are what the target application relies on, we should also know which tools can actually show those header variables when testing.

So far I was under the impression that we could read the header variables set by OAM with the IE HTTP Headers tool, but that proved to be wrong.

All you can see with IE HTTP Headers are cookies, redirection URLs and so on. The tool shows only the traffic between the browser and the web server, whereas the WebGate header variables are added to the request that the web server forwards to the back-end application; they never travel to the browser.

To try this, download the IE HTTP Headers tool (ieHTTPHeadersSetup.exe).

With it you can inspect what happens when you access a protected resource, for example which URL is constructed and where the redirections go.

This is very useful for testing purposes. You may also look at the IE Watch tool. I have tested this personally in Mozilla, where Live HTTP Headers is available as an add-on, and it also does not show the headers.

In the case of IE, although you cannot view the headers with the IE headers tool, you can still fetch them in the target application with the following code:

    // request is the javax.servlet.http.HttpServletRequest for the current request
    String userid = request.getHeader("HTTP_REMOTE_USERID");

HTTP_REMOTE_USERID is the name of the header variable defined in the authorization action. Here I am returning the user's uid from OAM; you can return any other attribute in the same way.

I would summarize like this:

Though you cannot view the headers with the IE HTTP Headers tool, the target application can fetch them with the code above. This applies irrespective of the authentication scheme used, Basic Over LDAP or Form Based.
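To make the hops of the integration flow concrete, and to show why a browser-side header tool never sees HTTP_REMOTE_USERID, here is an added example written for this page (not code from OAM or OIM) that models the exchange in Python: the form login, the WebGate forwarding a request with the HeaderVar added, and the back end treating that header as the logged-in user. The user table, session table, proxy address 10.0.0.5 and login page path are constructed assumptions. The remote-address check in backend_handle stands in for the network restriction a real deployment needs, since OIM in SSO mode trusts the header it receives.

```python
import secrets

HEADER_VAR = "HTTP_REMOTE_USERID"   # name given to the HeaderVar in the OAM authorization action
SSO_COOKIE = "ObSSOCookie"
LOGIN_PAGE = "/oamsso/login.html"   # assumed path of the form login page
TRUSTED_PROXIES = {"10.0.0.5"}      # assumed address of the web server running the WebGate

# Constructed stand-ins for the Access Server's user store and session table.
USERS = {"jdoe": "Welcome1"}        # uid -> password; plaintext only because this is a model
SESSIONS = {}                       # ObSSOCookie value -> authenticated uid


def parse_cookies(cookie_header):
    """Parse the value of a Cookie: header into a dict."""
    jar = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def form_login(username, password):
    """The credential POST from the form page (steps 3-5 of the flow).

    The Access Server checks the password and, on success, mints the
    ObSSOCookie that WebGate returns to the browser in the response.
    """
    if USERS.get(username) != password:
        return {"status": 401, "headers": {}}
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return {"status": 302,
            "headers": {"Set-Cookie": f"{SSO_COOKIE}={token}",
                        "Location": "/xlWebApp"}}


def webgate_forward(browser_request):
    """WebGate's handling of a browser request for a protected resource.

    Returns (backend_request, response_to_browser).  Without a valid
    ObSSOCookie the user is redirected to the login form and nothing is
    forwarded (backend_request is None).
    """
    headers = {k.lower(): v for k, v in browser_request["headers"].items()}
    # Drop any client-supplied copy of the header variable before it can
    # reach OIM, which trusts that header unconditionally in SSO mode.
    headers.pop(HEADER_VAR.lower(), None)

    jar = parse_cookies(headers.get("cookie", ""))
    uid = SESSIONS.get(jar.get(SSO_COOKIE, ""))
    if uid is None:
        return None, {"status": 302, "headers": {"Location": LOGIN_PAGE}}

    # Authorization action: set the HeaderVar on the request forwarded to OIM.
    # This hop runs between the web server and OIM; the browser never sees it.
    headers[HEADER_VAR.lower()] = uid
    backend_request = {"path": browser_request["path"],
                       "headers": headers,
                       "remote_addr": next(iter(TRUSTED_PROXIES))}
    return backend_request, backend_handle(backend_request)


def backend_handle(request):
    """OIM's side in SSO mode: the HeaderVar names the logged-in user.

    The remote_addr check is the added safeguard: if the OIM port were
    reachable directly, a client could send HTTP_REMOTE_USERID itself.
    """
    if request["remote_addr"] not in TRUSTED_PROXIES:
        return {"status": 403, "user": None, "headers": {}}
    user = request["headers"].get(HEADER_VAR.lower())
    if not user:
        return {"status": 401, "user": None, "headers": {}}
    return {"status": 200, "user": user, "headers": {"Content-Type": "text/html"}}


if __name__ == "__main__":
    login = form_login("jdoe", "Welcome1")
    cookie = login["headers"]["Set-Cookie"]
    fwd, resp = webgate_forward({"path": "/xlWebApp", "headers": {"Cookie": cookie}})
    print("forwarded to OIM:", fwd["headers"])      # contains http_remote_userid
    print("returned to browser:", resp["headers"])  # does not
```

The response that reaches the browser carries only the ObSSOCookie; HTTP_REMOTE_USERID exists only on the request between the web server and OIM, which is why the IE and Firefox header tools show cookies and redirects but never this header, while request.getHeader in the application does see it.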

    These are my personal opinions and do not reflect the views of Oracle.
