Thursday, January 7, 2010

Integration between Oracle Access Manager and Oracle Entitlement Server

This post describes how Oracle Entitlement Server (OES) and Oracle Access Manager (OAM) work together. From 11g onwards, Oracle recommends OAM for authentication and SSO, and OES for authorization, so it is worth knowing how this integration works.

Frankly, there is no direct product-level integration between OAM and OES. Rather, OES is flexible enough to be integrated with various applications, and that flexibility is what lets us use OES for authorization (ATZ) alongside OAM.

In my case, I have implemented the scenario as explained below.

The WebLogic Portal 10.2 will be authenticated using OAM; the authentication scheme can be either Basic over LDAP or Form (I have used Basic over LDAP for the time being).

Upon successful authentication using OAM, the Access Server generates an ObSSOCookie and sends it to the browser. The front end here, however, is the OHS proxy server in front of the WebLogic Portal resource.
Hence the plugin in the proxy server (mod_weblogic) forwards the request to the WebLogic Security Framework. The WLS framework in turn triggers the SSPI interface, where the WebLogic Server SSM is configured (as the SSM realm).

The providers that are configured are:
1. OAM Identity Asserter
2. LDAP Authenticator

The OAM 10.1.4.3 package provides oamAuthnProvider.jar, which should be copied to the WebLogic server directory (wls_server103\mbeantypes\lib).
Once the request is passed to the SSPI interface of OES, the OAM Identity Asserter (flagged as REQUIRED) kicks in and checks for an ObSSOCookie in the request. If it exists, WebLogic then validates the user against LDAP using the LDAP Authenticator.

At this point, the resource has been authorized at page level by OAM.
Now it's time for OES to do the page-level and content-level authorization.
Based on the resources and policies (ATZ and Role) configured in OES, it identifies the user accessing the resource and evaluates the Role and ATZ policies. If the result for the user is GRANT, the user is shown the requested page.
If any ALES tags are specified in the application for content-level ATZ, those are evaluated as well.
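As an added illustration (not code from this post, nor from Oracle), here is a small Python model of the provider chain and OES policy evaluation just described: the OAM Identity Asserter (REQUIRED) must find a valid ObSSOCookie, the LDAP Authenticator must find the user, and only then do the OES Role and ATZ policies decide GRANT or DENY. The users, cookie tokens, pages and policies are constructed, and Access Server cookie validation is reduced to a lookup table.

```python
# Added example, not code from the post or from Oracle: a small model of the
# request flow described above. Users, tokens, resources and policies are all
# constructed for illustration; real ObSSOCookie validation is done by the
# OAM Access Server, modelled here as a lookup table.

# Constructed stand-in for the Access Server's session store (cookie -> user).
ACCESS_SERVER_SESSIONS = {"tok-mahendra": "mahendra", "tok-earl": "earl",
                          "tok-ghost": "ghost"}   # ghost: valid SSO, not in LDAP
# Constructed stand-in for the LDAP directory (uid -> groups).
LDAP_USERS = {"mahendra": ["portaladmins"], "earl": ["employees"]}
# Constructed OES policies: Role policy (group -> role), ATZ policy (page, role).
ROLE_POLICY = {"portaladmins": "Admin", "employees": "Viewer"}
ATZ_POLICY = {("/portal/admin.jsp", "Admin"), ("/portal/home.jsp", "Admin"),
              ("/portal/home.jsp", "Viewer")}      # anything else is DENY


def oam_identity_asserter(request):
    """REQUIRED provider: asserts an identity only from a valid ObSSOCookie."""
    cookie = request.get("cookies", {}).get("ObSSOCookie")
    return ACCESS_SERVER_SESSIONS.get(cookie) if cookie else None


def ldap_authenticator(uid):
    """REQUIRED provider: the asserted user must exist in LDAP."""
    return uid in LDAP_USERS


def oes_is_access_allowed(uid, resource):
    """Role policy maps the user's groups to roles; ATZ policy decides GRANT."""
    roles = {ROLE_POLICY[g] for g in LDAP_USERS.get(uid, []) if g in ROLE_POLICY}
    return any((resource, role) in ATZ_POLICY for role in roles)


def handle_request(request):
    """Run the chain in order; the first REQUIRED provider that fails ends it."""
    uid = oam_identity_asserter(request)
    if uid is None:
        return "401 OAM Identity Asserter failed: no valid ObSSOCookie"
    if not ldap_authenticator(uid):
        return "401 LDAP Authenticator failed: %s not in LDAP" % uid
    if not oes_is_access_allowed(uid, request["resource"]):
        return "403 OES ATZ policy DENY: %s on %s" % (uid, request["resource"])
    return "200 GRANT: %s on %s" % (uid, request["resource"])


if __name__ == "__main__":
    for cookies, page in [({}, "/portal/home.jsp"),
                          ({"ObSSOCookie": "tok-earl"}, "/portal/admin.jsp"),
                          ({"ObSSOCookie": "tok-earl"}, "/portal/home.jsp")]:
        print(handle_request({"cookies": cookies, "resource": page}))
```

Note that a request is rejected with 401 before any OES policy is consulted when either REQUIRED provider fails, which is the fail-closed ordering the SSM realm gives you.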

I will attach the architecture diagram soon.
Various products used in this integration are:
1. Oracle Access Manager 10.1.4.3
2. Oracle Entitlement Server 10.1.4.3 (Admin CP3, SSM CP3)
3. Weblogic Portal 10.2.0

8 comments:

  1. Could you attach the architecture diagram?

    please

  2. Mahendra,

    Curious if you have the suggested architecture diagram and also, have you implemented this on the same weblogic server hosting OES?


    Regards,
    Earl

  3. Earl,

    Yes, I have implemented on the same WebLogic Server hosting OES.

    Mahendra.

  4. Vic,

    The architecture diagram is specific to a client right now; I will make it generic and will share it soon.

    -Mahendra.

  5. Hi Mahandra,

    We have a requirement to integrate OES & the EBS application. I am new to OES. Kindly suggest how to achieve this.

    Thanks,
    rathinavel

  6. Rathinavel,

    OES has several SSMs that help to protect target applications, chosen by the way OES can communicate with the target system. If the target system is a Java application, then the Java SSM is used, and so on. In your case, you have to find out how EBS can talk to other systems and approach it accordingly.

    If you can elaborate your requirement whether it is fine grained authorization or coarse grained authorization, then I can provide more inputs.

    Hope this helps.

    Thanks,
    Mahendra.

  7. Hi Mahendra,

    Thanks for your update.

    We already have an environment with R12 EBS integrated with SSO 10g & Oracle Access Manager 10g, working fine. Now we are planning to extend this to fine grained authorization using OES.

    Regards,
    Rathinavel

  8. Hi

    How can we set a custom cookie upon successful authorization in OAM. I am trying to set a value of cookie from LDAP. It works fine with headervar but for cookie it sets the variable name vs actual value from LDAP.

    Your help is much appreciated.

    Thanks,
