19 Configuring Single Sign-on for Administration Consoles

This chapter describes how to configure single sign-on for administration consoles. The administration consoles referred to in the chapter title are:

This chapter includes the following topics:

19.1 Prerequisites

Before configuring single sign-on, ensure that the following tasks have been performed.

  1. Create a WebLogic administrative user in an LDAP directory, as described in Section 19.1.1.

19.1.1 Creating WebLogic Administrative Users in an LDAP Directory

In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter domain). The application domains are configured to authenticate using the central Identity Management domain.

By default, when the Oracle WebLogic Server is installed and configured, the WebLogic admin user is created in its local LDAP store with the username weblogic. For an enterprise deployment, all users and groups must be provisioned in an LDAP user directory, such as Oracle Internet Directory, that is part of the centralized Identity Management domain. This section provides details for provisioning a new administrator user and group for managing the Identity Management WebLogic Domain. This section describes the following:

19.1.1.1 Provisioning Admin Users and Groups in an LDAP Directory

As mentioned in the introduction to this section, users and groups from multiple WebLogic domains may be provisioned in a central LDAP user store. In such a case, there is a possibility that one WebLogic admin user may have access to all the domains within an enterprise. This is not a desirable situation. To avoid this, the users and groups provisioned must have a unique distinguished name within the directory tree. In this guide, the admin user and group for the IDM WebLogic Domain will be provisioned with the DNs below:

  • Admin User DN:

    cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
    
  • Admin Group DN:

    cn=IDM Administrators, cn=Groups,dc=mycompany,dc=com
    

Follow the steps below to provision the admin user and admin group in Oracle Internet Directory:

  1. Create an ldif file named admin_user.ldif with the contents shown below and then save the file:

    # Admin user for the IDM domain; the DN must match the Admin User DN given above
    dn: cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
    orclsamaccountname: weblogic_idm
    givenname: weblogic_idm
    sn: weblogic_idm
    userpassword: Welcome1
    obver: 10.1.4.0
    mail: weblogic_idm
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    uid: weblogic_idm
    cn: weblogic_idm
    description: Admin User for the IDM Domain
    
  2. Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the user in Oracle Internet Directory. For example:

    ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f admin_user.ldif
    
  3. Create an ldif file named admin_group.ldif with the contents shown below and then save the file:

    # Admin group for the IDM domain; the DN must match the Admin Group DN given above,
    # and uniquemember must name exactly the user DN created by admin_user.ldif
    dn: cn=IDM Administrators,cn=Groups,dc=mycompany,dc=com
    displayname: IDM Administrators
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: orclGroup
    uniquemember: cn=weblogic_idm,cn=Users,dc=mycompany,dc=com
    cn: IDM Administrators
    description: Administrators Group for the IDM Domain in OID
    
  4. Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the group in Oracle Internet Directory. For example:

    ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn="orcladmin" -w welcome1 -c -v -f admin_group.ldif
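The two LDIF files only work as a pair if the group's uniquemember value names exactly the user DN that admin_user.ldif creates; a suffix that differs between the files (an extra dc=us component, for instance) leaves the group with a dangling member and an administrator who cannot log in. The following script is an added example, not part of the Oracle guide: it parses both files, normalises the DNs the way a directory compares them (case and whitespace around the separators), and reports any mismatch before ldapadd is run. The sample entries, the wrong-suffix variant and the helper names are constructed for the example.

```python
"""Pre-flight consistency check for admin_user.ldif and admin_group.ldif.

Added example, not part of the Oracle guide. It reads both LDIF files,
normalises the DNs and confirms that the group really lists the user that
is about to be created, so a suffix or spelling mismatch is caught before
ldapadd is run.
"""
import re
import sys

# Constructed sample entries, modelled on the ones in the guide.
USER_LDIF = """\
dn: cn=weblogic_idm, cn=Users, dc=mycompany, dc=com
uid: weblogic_idm
cn: weblogic_idm
sn: weblogic_idm
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
"""

GROUP_LDIF = """\
dn: cn=IDM Administrators,cn=Groups,dc=mycompany,dc=com
displayname: IDM Administrators
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_idm,cn=users,dc=mycompany,dc=com
cn: IDM Administrators
"""

# Constructed variant with an extra dc=us component (the classic mismatch).
USER_LDIF_WRONG_SUFFIX = USER_LDIF.replace(
    "dc=mycompany, dc=com", "dc=us, dc=mycompany, dc=com")


def parse_ldif(text):
    """Parse a single-entry LDIF into (dn, {attribute: [values]}).

    Handles '#' comments, blank lines and LDIF continuation lines
    (a line starting with a single space continues the previous one).
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    dn, attrs = None, {}
    for line in logical:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def normalize_dn(dn):
    """Canonical DN form for comparison: lower-case, no whitespace
    around the ',' and '=' separators (escaped commas are left alone)."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    return ",".join(re.sub(r"\s*=\s*", "=", r).lower() for r in rdns)


def check_membership(user_ldif, group_ldif):
    """Return a list of problems; an empty list means the pair is consistent."""
    user_dn, user_attrs = parse_ldif(user_ldif)
    group_dn, group_attrs = parse_ldif(group_ldif)
    problems = []
    members = [normalize_dn(m) for m in group_attrs.get("uniquemember", [])]
    if normalize_dn(user_dn) not in members:
        problems.append(f"{group_dn} does not list {user_dn} as uniquemember")
    user_ocs = {v.lower() for v in user_attrs.get("objectclass", [])}
    if not {"person", "inetorgperson"} <= user_ocs:
        problems.append("user entry lacks the person/inetorgperson object classes")
    group_ocs = {v.lower() for v in group_attrs.get("objectclass", [])}
    if "groupofuniquenames" not in group_ocs:
        problems.append("group entry is not a groupOfUniqueNames")
    return problems


if __name__ == "__main__":
    # Usage: python check_ldif.py admin_user.ldif admin_group.ldif
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as u, open(sys.argv[2]) as g:
            user_text, group_text = u.read(), g.read()
    else:
        user_text, group_text = USER_LDIF_WRONG_SUFFIX, GROUP_LDIF
    for problem in check_membership(user_text, group_text) or ["OK"]:
        print(problem)
```

Run without arguments it checks the built-in mismatched pair and prints the dangling-member problem; run with the two file names it checks the files you are about to load. The DN normalisation is deliberately the weakest comparison that still matches what the directory does, so anything it flags would also be a real mismatch in Oracle Internet Directory.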
    

19.1.1.2 Assigning the Admin Role to the Admin Group

After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for that domain. Follow the steps below to assign the Admin role to the Admin group:

  1. Log into the WebLogic Administration Server Console.

  2. In the left pane of the console, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, click the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click on the Roles link to bring up the Global Roles page.

  6. On the Global Roles page, click the Admin Role to bring up the Edit Global Role page:

    1. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

    2. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.

    3. On the Edit Arguments page, specify IDM Administrators in the Group Argument field and click Add.

  7. Click Finish to return to the Edit Global Role page.

  8. The Role Conditions table now shows the IDM Administrators Group as an entry.

  9. Click Save to finish adding the Admin Role to the IDM Administrators Group.

  10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

19.1.1.3 Updating the boot.properties File on IDMHOST1 and IDMHOST2

The boot.properties file for the Administration Server and the Managed Servers should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow the steps below to update the boot.properties file.

For the Administration Server on IDMHOST1

  1. On IDMHOST1, go to the following directory:

    ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security
    

    For example:

    cd ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
    
  2. Rename the existing boot.properties file.

  3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

    username=adminUser
    password=adminUserPassword
    

    For example:

    username=weblogic_idm
    password=Password for weblogic_idm user
    

    Note:

    When you start the Administration Server, the username and password entries in the file get encrypted.

    For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, you should start the server as soon as possible so that the entries get encrypted.
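The note above leaves two things for the operator to confirm after the restart: that the server has actually rewritten the two values, and that nobody but the owner could read the file while they were still plaintext. The script below is an added example, not part of the Oracle guide. It reads a boot.properties file, reports each of the two entries as plaintext, encrypted or missing (WebLogic prefixes the rewritten values with {AES}, older releases with {3DES}), and checks that the file mode grants no access to group or other. The sample files, the placeholder {AES} values and the helper names are constructed for the example.

```python
"""Audit a boot.properties file after the server has started.

Added example, not part of the Oracle guide. WebLogic rewrites the
username and password values with an {AES} (older releases: {3DES})
prefix the first time the server starts; this script reports whether
that has happened yet and whether the file is readable only by its
owner, which is the state the note in the guide asks you to reach quickly.
"""
import os
import stat
import tempfile

ENCRYPTED_PREFIXES = ("{AES}", "{3DES}")


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_boot_properties(path):
    """Return {'username': state, 'password': state, 'mode_ok': bool},
    where state is 'encrypted', 'plaintext' or 'missing'."""
    with open(path) as fh:
        props = parse_properties(fh.read())
    report = {}
    for key in ("username", "password"):
        value = props.get(key)
        if value is None:
            report[key] = "missing"
        elif value.startswith(ENCRYPTED_PREFIXES):
            report[key] = "encrypted"
        else:
            report[key] = "plaintext"
    # group and other must have no permission bits at all
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report["mode_ok"] = (mode & 0o077) == 0
    return report


def write_sample(content, mode):
    """Write a constructed boot.properties into a fresh temp dir (demo only)."""
    path = os.path.join(tempfile.mkdtemp(), "boot.properties")
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


# Constructed samples: the freshly edited file, and one the server rewrote.
# The {AES} values are placeholders, not real ciphertext.
FRESH = "username=weblogic_idm\npassword=Welcome1\n"
REWRITTEN = "username={AES}c2FtcGxl\npassword={AES}c2FtcGxlMg==\n"


def demo():
    """Audit both samples with the modes an operator typically leaves behind."""
    before = audit_boot_properties(write_sample(FRESH, 0o644))
    after = audit_boot_properties(write_sample(REWRITTEN, 0o600))
    return before, after


if __name__ == "__main__":
    for label, report in zip(("freshly edited", "after first start"), demo()):
        print(label, report)
```

Point audit_boot_properties at the real file under the server's security directory once the Administration Server is up; a plaintext result means the server has not rewritten the file yet, and mode_ok being false means the window the note warns about was wider than just time.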

Stopping and Starting the Servers

  1. Stop the Administration Server and the wls_ods1 and wls_ods2 managed Servers as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."

  2. Verify that the server processes have been successfully stopped.

  3. On IDMHOST1, start the WebLogic Administration Server using the startWebLogic.sh script located under the ORACLE_BASE/admin/domainName/aserver/domainName/servers/serverName/security/bin directory using the syntax below. This enables the standard output log messages shown on the screen to be written to the file specified in the logfile parameter:

    ./startWebLogic.sh >logfile 2>&1 &
    

    For example:

    ./startWebLogic.sh > \
    ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/logs/aserver.out\
       2>&1 &
    
  4. Verify that the Administration Server has started up and then bring up the Administration Console using a web browser.

  5. Log in using the credentials of the weblogic_idm user.

  6. Start the wls_ods1 and wls_ods2 Managed Servers using the WebLogic Administration Console.

19.2 Configuring Single Sign-on for Administration Consoles with Oracle Access Manager 10g

This section explains how to configure single sign-on for administration consoles using Oracle Access Manager 10g.

19.2.1 Prerequisites for Configuring Single Sign-On

Make sure that the following tasks have been performed before moving on to the next section:

  1. Install and configure Oracle Access Manager as described in Chapter 10.

  2. Ensure that the policy protecting the Policy Manager ("/access") has been created and enabled. If this is not enabled, use the Policy Manager console to enable it, as described in Section 19.2.1.1.

  3. Determine the host identifier value. It is required for enabling single sign-on.

19.2.1.1 Enable the Policy Protecting the Policy Manager

Follow these steps to enable the policy protecting the Policy Manager:

  1. Open a web browser and bring up the Policy Manager Console using the following URL:

    http://oamadminhost.mycompany.com:7777/access/oblix
    
  2. Click the Policy Manager link.

  3. On the Policy Manager landing page, click the My Policy Domains link.

  4. On the My Policy Domains page, click the Policy Manager link.

  5. On the General tab on the Policy Manager page, click Modify.

  6. Click Yes to enable the "/access" policy.

  7. Click the Save button to save the changes.

19.2.2 Updating the Form Authentication for Delegated Administration

The WebGates in the IDM Domain also need to act as delegated authentication WebGates, that is, they receive authentication requests from external applications or domains in the enterprise. To enable delegated authentication, the form authentication scheme created by the OAM Configuration Tool must be modified to add the Challenge Redirect parameter.

Follow the steps below to add the challenge redirect parameter to the Form authentication scheme:

  1. Use a web browser to display the Access Console using the URL below:

    http://oamadminhost.mycompany.com:7777/access/oblix
    
  2. Click the Access System Console link and log in using the credentials for the orcladmin user.

  3. On the main page, click the Access System Configuration tab.

  4. On the Access System Configuration page, click the Authentication Management link on the left hand side.

  5. On the Authentication Management page, under the List all Authentication Schemes table, click the link for the form authentication scheme created by the tool. The form authentication scheme created by the tool is called OraDefaultFormAuthNScheme.

  6. On the Details for Authentication Scheme page, click Modify to modify the configuration of the authentication scheme.

  7. On the Modifying Authentication Scheme page, update the Challenge Redirect parameter with the Single Sign-On virtual host configured in the load balancer. Use https://sso.mycompany.com to update the Challenge Redirect parameter.

  8. Click Save to save the updated configuration.

  9. To validate that the configuration was successful, follow the steps below:

    1. Using a web browser, bring up either the Oracle WebLogic Administration Console or Oracle Enterprise Manager Fusion Middleware Control:

      URL for the WebLogic Administration Server Console:

      http://admin.mycompany.com:7777/console
      

      URL for the Enterprise Manager Oracle Fusion Middleware Control:

      http://admin.mycompany.com:7777/em
      
    2. This will redirect your web browser to https://sso.mycompany.com for authentication.

      Log into the console using the administrator user's credentials. For example: orcladmin, password.

    3. Then you will be redirected back to the WebLogic Administration Console login page. Log in using weblogic, password.

19.2.3 Validating the Policy Domain and AccessGate Configurations

The next part of the process is to validate the policy domain configuration and the AccessGate configuration.

19.2.3.1 Validating the Policy Domain Configuration

Follow these steps to verify that the policy domain was created properly:

  1. In a web browser, enter this URL to access the Oracle Access Manager console:

    http://oamadminhost.mycompany.com:port/access/oblix
    
  2. Click Policy Manager.

  3. Click the My Policy Domains link on the left panel. You will see a list of all the policy domains, which includes the domain you just created. For example: IDMEDG. In the third column, URL prefixes, you will see the URIs you specified when creating the policy domain.

  4. Click the link to the policy domain you just created. This displays the General area of this domain.

  5. Click the Resources tab. On this tab you can see the URIs you specified. Click other tabs to view other settings.

19.2.3.2 Validating the AccessGate Configuration

Follow these steps to verify that the AccessGate was configured properly:

  1. In the Oracle Access Manager console, click the Access System Console link. This link is a toggle. When it is the Access System Console link and you click it, it becomes the Policy Manager link. When it is the Policy Manager link and you click it, it becomes the Access System Console link.

  2. Click the Access System Configuration tab.

  3. Click the AccessGate Configuration link on the left panel.

  4. Enter some search criteria and click Go.

  5. When the name of the AccessGate for the domain you created appears (it may have the suffix _AG when created by the OAM Configuration Tool, for example, IDMEDG_AG), click it to view the details of the AccessGate you created.

19.2.4 Setting Up the WebLogic Authenticators

This section describes the steps for setting up Oracle WebLogic Server authenticators.

19.2.4.1 Setting Up the Oracle Internet Directory Authenticator

Follow these steps to set up the Oracle Internet Directory authenticator:

  1. Begin by backing up these relevant configuration files:

    ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/config/config.xml
    
    ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/config/fmwconfig/jps-config.xml
    
    ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/config/fmwconfig/system-jazn-data.xml
    
  2. Back up the ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/adminServer/boot.properties file for the Administrator Server.

  3. Follow these steps to configure the Identity Store to use LDAP, setting the proper authenticator using the WebLogic Administration Server Console:

    1. Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.

    2. Click the Security Realms link on the left navigational bar.

    3. Click the myrealm default realm entry to configure it.

    4. Click the Providers tab within the realm.

    5. Note that there is a DefaultAuthenticator provider configured for the realm.

    6. Click the New button to add a new provider.

    7. Enter a name for the provider, such as "OIDAuthenticator" for a provider that will authenticate the user to the Oracle Internet Directory.

    8. Select the "OracleInternetDirectoryAuthenticator" type from the list of authenticators.

    9. Click OK.

    10. On the Providers screen, click the newly created OIDAuthenticator.

    11. Set the Control Flag to SUFFICIENT. This indicates that if this authenticator can authenticate the user successfully, WebLogic accepts that authentication and does not invoke any further authenticators. If the authentication fails, it falls through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT. In particular, check the DefaultAuthenticator and set it to SUFFICIENT.

    12. Click Save to save this setting.

    13. Click the Provider Specific tab to enter the details for the LDAP server.

    14. Enter the details specific to your LDAP server, as shown in the following table:

      Parameter                             Value     Description
      Host                                  -         The LDAP server's host name. For example: oid.mycompany.com
      Port                                  -         The LDAP server's port number. For example: 636
      Principal                             -         The LDAP user DN used to connect to the LDAP server. For example: cn=orcladmin
      Credential                            -         The password used to connect to the LDAP server.
      SSL Enabled                           Checked   Specifies whether the SSL protocol is used when connecting to the LDAP server.
      User Base DN                          -         The DN under which your users start. For example: cn=users,dc=mycompany,dc=com
      Group Base DN                         -         The DN that points to your groups node. For example: cn=groups,dc=mycompany,dc=com
      Use Retrieved User Name as Principal  Checked   Must be turned on.

      Click Save when done.

    15. Click Activate Changes to propagate the changes.

    16. The console displays a message that a restart is required for the changes to take effect. Do not restart the servers as indicated; this will be done after setting up all the WebLogic Authenticators, as described in Section 19.2.4.4, "Stopping and Starting the WebLogic Administration Servers and Managed Servers."

19.2.4.2 Setting Up the Oracle Access Manager Identity Asserter

Follow these steps to set up the OAM ID Asserter:

  1. Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.

  2. Navigate to SecurityRealms > Default Realm Name > Providers.

  3. Click New and select OAMIdentityAsserter from the drop down menu.

  4. Name the asserter, for example: OAMIDAsserter

    Then click OK.

  5. Click the newly-added asserter to see the configuration screen for OAM Identity Asserter.

  6. Set the Control Flag to REQUIRED, and then click Save.

  7. Configure the additional attributes below for the OAM Identity Asserter on the Provider Specific tab:

    • Application Domain: Provide the Oracle Access Manager policy domain name. Use the app_domain parameter passed to the OAM Configuration Tool. For example: IDMEDG.

    • Primary Access Server: Provide Oracle Access Manager server endpoint information in the host:port format. For example: oamhost1.mycompany.com:6023

    • AccessGate Name: Name of the AccessGate (for example, IDMEDG_WD). Provide the AccessGate name created by the OAM Configuration Tool.

    • AccessGate Password: Password for the AccessGate, if one was provided.

    Accept the default values for all the other attributes, unless required for your environment.

  8. Save the settings.

  9. Click Activate Changes to propagate the changes.

19.2.4.3 Reordering Oracle Access Manager Identity Asserter, Oracle Internet Directory Authenticator, and Default Authenticator

Follow the steps below to reorder the providers in the order shown below:

  1. Log into the WebLogic Administration Server Console and click Lock and Edit to enable editing.

  2. Navigate to SecurityRealms > Default Realm Name > Providers.

  3. Ensure that the Control Flag for each authenticator is set correctly.

  4. Click Reorder under the Authentication Providers table.

  5. On the Reorder Authentication Providers page, reorder the providers as shown below:

    OAM Identity Asserter (REQUIRED) > OID Authenticator (SUFFICIENT) >
    Default Authenticator (SUFFICIENT) > DefaultIdentityAsserter
    
  6. Save the settings.

  7. Click Activate Changes to propagate the changes.
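Step 11 of Section 19.2.4.1 (all authenticators SUFFICIENT, DefaultAuthenticator included) and the ordering in this section are two halves of one rule: WebLogic evaluates its authentication providers with JAAS control-flag semantics, and an LDAP-only user such as weblogic_idm is locked out if a provider that cannot see that user is marked REQUIRED ahead of the one that can. The simulator below is an added example, not part of the Oracle guide or of WebLogic itself. It implements all four JAAS flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), which goes beyond the two the guide uses, and runs three constructed provider chains: the out-of-the-box one, a half-done one with DefaultAuthenticator still REQUIRED and first, and the one the guide prescribes. The OAM Identity Asserter is left out because it asserts an identity from the OAM token rather than checking a password. Provider names, user sets and helper names are constructed for the example.

```python
"""Control-flag simulator for the WebLogic authentication provider chain.

Added example, not part of the Oracle guide or of WebLogic itself.
WebLogic evaluates its authentication providers with JAAS control-flag
semantics; this model implements all four flags and applies them to the
guide's situation: weblogic_idm exists only in Oracle Internet Directory,
while weblogic exists only in the embedded LDAP behind DefaultAuthenticator.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def login_chain(providers, user):
    """Run `user` through an ordered list of (name, flag, known_users).

    Returns (success, trace). JAAS rules:
      REQUIRED   must succeed; the chain continues either way
      REQUISITE  must succeed; a failure stops the chain immediately
      SUFFICIENT a success ends the chain with success, unless an earlier
                 REQUIRED/REQUISITE already failed; a failure is ignored
      OPTIONAL   the result only counts if no REQUIRED/REQUISITE exists
    """
    trace = []
    has_required = required_failed = optional_success = False
    for name, flag, known_users in providers:
        ok = user in known_users
        trace.append(f"{name}[{flag}]={'ok' if ok else 'fail'}")
        if flag == REQUIRED:
            has_required = True
            required_failed |= not ok
        elif flag == REQUISITE:
            has_required = True
            if not ok:
                required_failed = True
                break
        elif flag == SUFFICIENT:
            if ok:
                optional_success = True
                if not required_failed:
                    break
        elif flag == OPTIONAL:
            optional_success |= ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    success = (not required_failed) if has_required else optional_success
    return success, trace


# Constructed directories: who each provider can authenticate.
OID_USERS = {"weblogic_idm", "orcladmin"}
EMBEDDED_USERS = {"weblogic"}

# Out of the box: only the embedded LDAP, flagged REQUIRED.
CHAIN_INITIAL = [("DefaultAuthenticator", REQUIRED, EMBEDDED_USERS)]

# OID added, but DefaultAuthenticator left REQUIRED and still first.
CHAIN_PARTIAL = [("DefaultAuthenticator", REQUIRED, EMBEDDED_USERS),
                 ("OIDAuthenticator", SUFFICIENT, OID_USERS)]

# The flags and order the guide prescribes (Sections 19.2.4.1 and 19.2.4.3).
CHAIN_GUIDE = [("OIDAuthenticator", SUFFICIENT, OID_USERS),
               ("DefaultAuthenticator", SUFFICIENT, EMBEDDED_USERS)]


def outcomes(chain, users=("weblogic_idm", "weblogic", "unknown_user")):
    """Map each user to whether the chain lets them in."""
    return {u: login_chain(chain, u)[0] for u in users}


if __name__ == "__main__":
    for label, chain in (("initial", CHAIN_INITIAL), ("partial", CHAIN_PARTIAL),
                         ("guide", CHAIN_GUIDE)):
        print(label, outcomes(chain))
        print("  trace for weblogic_idm:", login_chain(chain, "weblogic_idm")[1])
```

The partial chain is the state you would be in if you restarted after Section 19.2.4.1 without completing the reorder and without changing the DefaultAuthenticator flag: the OID authenticator succeeds for weblogic_idm, but the earlier REQUIRED failure already decided the outcome, so the new administrator cannot log in. With the guide's chain, both the OID administrator and the embedded weblogic user get in and an unknown user is still rejected.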

19.2.4.4 Stopping and Starting the WebLogic Administration Servers and Managed Servers

The WebLogic Administration Server and the associated Managed Servers must be restarted for the configuration changes to take effect. Follow the steps below to stop and then start the WebLogic Administration Server and the Managed Servers (wls_ods1 and wls_ods2):

  1. Stop the Administration Server and the wls_ods1 and wls_ods2 managed servers as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."

  2. Verify that the server processes have been successfully stopped.

  3. On IDMHOST1, start the WebLogic Administration Server using the startWebLogic.sh script located under the ORACLE_BASE/admin/IDMDomain/aserver/IDMDomainStatus/bin directory using the syntax below. This enables the standard output log messages shown on the screen to be written to the file specified in the logfile parameter.

    ./startWebLogic.sh >logfile 2>&1 &
    

    For example:

    ./startWebLogic.sh > \
    ORACLE_BASE/admin/IDMDomain/aserver/IDMDomainStatus/servers/AdminServer/logs/aserver.out \
       2>&1 &
    
  4. Verify that the Administration Server has started up and then bring up the Administration Console using a web browser.

  5. Log into the console using the administrator user's credentials.

  6. Start the wls_ods1 and wls_ods2 Managed Servers using the WebLogic Administration Console, as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."

19.2.5 Validating the Oracle Access Manager Single Sign-On Setup

To validate the setup, open a web browser and go to the following URLs:

http://admin.mycompany.com:7777/console

http://admin.mycompany.com:7777/em

The Oracle Access Manager Single Sign-On page displays. Provide the credentials for the weblogic_idm user to log in.

19.3 Configuring Single Sign-on for Administration Consoles with Oracle Access Manager 11g