Thursday, January 7, 2010

Oracle Access Manager and Weblogic Portal integration

This post brings out the key points involved in integrating Weblogic Portal with Oracle Access Manager using the SSPI Connector.
Major Products involved:
1. Weblogic Portal 10.3.0
2. OAM 10.1.4.3
3. SSPI Connector 10.1.4.2.2
Key Points:
1. Create the portaladmin user in OAM (in the OAM user store) and assign it Admin rights.
2. Create the group BEA_Administrators and make the portaladmin user a member of that group.
3. Create NetPointRealm using the command as shown below.
./setupNetPointRealm_wl92.sh portal
4. The "portal" argument in the above command is essential: it creates the realm required by Weblogic Portal with the portal-specific providers.
5. Be sure to enter p13DataSource in the SQLAuthenticator DataSource field. This makes the users weblogic and portaladmin, which are part of myrealm, available in NetPointRealm. Mark SQLAuthenticator as REQUIRED and OblixAuthenticator as OPTIONAL, then restart the Weblogic server.
6. You should now see the group BEA_Administrators in the NetpointRealm Users and Groups column. Copy the group name (e.g., cn:EBEA_Administrators:Cdc:Eus:Cdc:Eoracle::Cdc:Ecom).
7. Go to NetpointRealm -> Roles and Policies -> Global Roles -> Roles.
8. Go to the Admin Role and add the conditions to include BEA_Administrators.
9. Go to the PortalSystemAdministrator Role and add the conditions to include BEA_Administrators.
10. Delete the SQLAuthenticator and mark OblixAuthenticator as REQUIRED. SQLAuthenticator is no longer needed, as the weblogic and portaladmin users are now part of OblixAuthenticator.
11. Now log in to the Weblogic Portal server as an OAM user.
Note: Follow key steps 12 and 13 of section 10.5.9, Preparing the WebLogic Environment, in the SSPI integration guide.
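The provider changes of steps 5 and 10 can also be scripted with WLST instead of the console. This is an added example, not code from the post or the SSPI guide; the admin URL, credentials and domain name are assumptions, while the realm, provider and datasource names are the ones used in the steps above.

```wlst
# Added WLST example (Jython 2.2 syntax, as shipped with WLS 10.3):
#   java weblogic.WLST netpoint_flags.py 1    -> step 5 (SQL REQUIRED, Oblix OPTIONAL)
#   java weblogic.WLST netpoint_flags.py 2    -> step 10 (drop SQL, Oblix REQUIRED)
import sys

ADMIN_URL  = 't3://localhost:7001'   # assumption
ADMIN_USER = 'weblogic'              # assumption
ADMIN_PASS = 'CHANGE_ME'             # placeholder, never hard-code a real one
DOMAIN     = 'portal_domain'         # assumption: your WLP domain name
REALM      = 'NetPointRealm'         # realm created by setupNetPointRealm_wl92.sh
REALM_PATH = '/SecurityConfiguration/%s/Realms/%s' % (DOMAIN, REALM)
PROVIDERS  = REALM_PATH + '/AuthenticationProviders'

def set_flag(name, flag):
    # JAAS control flag (REQUIRED/OPTIONAL/SUFFICIENT/REQUISITE) on one provider
    cd(PROVIDERS + '/' + name)
    cmo.setControlFlag(flag)

def phase_one():
    # Step 5: the SQL provider reads the portal datasource so weblogic and
    # portaladmin from myrealm keep working; Oblix is OPTIONAL for now.
    edit(); startEdit()
    cd(PROVIDERS + '/SQLAuthenticator')
    cmo.setDataSourceName('p13DataSource')   # datasource name as given in the post
    set_flag('SQLAuthenticator', 'REQUIRED')
    set_flag('OblixAuthenticator', 'OPTIONAL')
    save(); activate(block='true')
    print 'Phase 1 done: restart the server, then check BEA_Administrators (steps 6-9).'

def phase_two():
    # Step 10: only after the OAM-backed users/groups resolve correctly,
    # remove the SQL provider and make Oblix the REQUIRED authenticator.
    edit(); startEdit()
    cd(REALM_PATH)
    realm = cmo
    cd(PROVIDERS + '/SQLAuthenticator')
    realm.destroyAuthenticationProvider(cmo)
    set_flag('OblixAuthenticator', 'REQUIRED')
    save(); activate(block='true')
    print 'Phase 2 done: restart the server and log in as an OAM user (step 11).'

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
if len(sys.argv) > 1 and sys.argv[1] == '2':
    phase_two()
else:
    phase_one()
disconnect()
```

Run phase 2 only after a restart and after the BEA_Administrators group is visible in the realm, since once SQLAuthenticator is gone the weblogic account must exist in the OAM user store to log in at all.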
End-to-End Viewlet:
Please contact me to see the end-to-end viewlet of the usecase scenario.

8 comments:

  1. Hi,

    I would like to change the host identifiers configuration using a command-line utility, not the OAM console.

    Is there any way we can do this?

    Regards,
    Sati

  2. Yes, in OAM 10.1.4.3 and above there is a command line tool to specify host identifiers.
    In OAM 11g, you can very well define these host identifier details in a file and provide it while creating the webgate/policy domain etc.

  3. Thanks Mahendra for your reply. I want to edit the existing host identifier values through the command line.

    Regards,
    Sati

  4. Hi Atul,
    I'm trying to integrate Ping Federate in our WLP 10.3.
    The portal has an existing Authentication.Login mechanism taking username/password from a form coming from the JPF controller, and then the userProfile is created using the username.
    But now there would be a Ping Federate server talking to OAM and doing the authentication, and it would just pass an openToken to our application URL; we will read parameters from the openToken like the username, but the password will not be available. So how will we move ahead with the current Authentication.login, as it asks for the user's password and only then creates the user profile, but we don't have the password? And if we authenticate again, this is two-way authentication: once by OAM and then the portal authentication and profile creation.

  5. Varun,

    Can you tell me where OAM comes from? Is OAM integrated with WLP or Ping Federate? Are you acting as Service Provider?

    Thanks
    mahendra.

  6. Yes, OAM is integrated with the Ping Federate server as the IDP provider and our application is the Service Provider. We hit Ping Federate via the application URL, which in turn lands us on the OAM page for the user to enter username/password; if the credentials are correct then it hits the URL or action of our application with the openToken, which contains the username and attributes but not the password.
    From the existing page flow JPF controller we hit LoginController, which hits Login and goes for the existing Authentication and profile creation.
    Now we cannot create the profile without portal authentication.
    For the authentication method Authentication.Login we need a password and another authentication; we don't have control to get the password for the Login mechanism.

  7. Varun,

    I would have given some help if it had been with OAM or federation. Since it is purely to do with how WLP handles the token to extract the username and set the user profile, I could not help here.

    Are you not getting a SAML assertion from the IDP? Are you just getting the token? If you are getting a SAML assertion, then you would need to configure WLP as Service Provider using a federation product and extract the user details from the SAML assertion. However, you won't be getting the password through the assertion. Hence it is up to you to change the auth mechanism in the portal to just accept the username.

    Hope this helps.

  8. Thanks Mahendra,
    Yes, we are able to receive the openToken posted on the URL and retrieve the userName and other attributes of the user other than the password.
    Login of WLP uses username/password/request/response to create the Login and internally sets some Profile. We tried to create the profile of the user by passing just the username and doing a proxy login in the Login mechanism, but that didn't work; it seems Login is tightly coupled with Profile creation.
    We need to find a way to Login without a password.
    Anyway, thanks a lot Mahendra. varunvikramsingh@gmail.com
