Tuesday, August 31, 2010

Oracle Access Manager integration with BPEL worklist

This is a new task that I accomplished recently with lots of ups and downs. The objective is to achieve Single Sign-on or authentication of BPEL worklist using Oracle Access Manager.

The various component versions are:
1. OAM
2. BPEL Process Manager
3. Oracle Single Sign-on

There are 2 ways to integrate OAM with BPEL.
1. Direct integration using Access SDK
2. Using Oracle Single Sign-on

I followed the second approach as our environment is AIX and Access SDK is not availble for AIX servers. However, I would suggest first approach as OSSO is not a strategic product for single sign-on from 11g onwards and no further development will be carried upon OSSO.

Integration Process:
I am writing the procedue for integration using second approach.
The integration is divided into 2 bits. OSSO integration with BPEL and OSSO integration with OAM.
I have posted here in detail about the BPEL-OSSO integration. OSSO integration with OAM is avaiable in oracle by example here.

The hiccups and troubleshooting tips I used in this integration process are written here 1, 2.

Tuesday, August 3, 2010

OAM 11g is out

Much awaiting product Oracle Access Manager 11g is released along with few more products Oracle Adaptive Access Manager 11g, Oracle Identity Manager 11g on 20th July.

Software downloads of Oracle Identity and Access Management ( , Oracle Access Manager WebGates ( are available here.
Documentation for the same is available here.

Soon I will come up with more posts working on Oracle Access Manager 11g.

Monday, August 2, 2010

Is WebLogic Server needs to be integrated with Oracle Access Manager always?

I have had this question in my mind for a while that whether WebLogic Server needs to be integrated with Oracle Access Manager always?
Well, No! It depends on what task needs to be achieved. It is apparent that in order to protect a sample application deployed in WebLogic Server using Oracle Access Manager, we need to integrate using Identity Asserter (a common method). If the weblogic application is just reading some header variables passed by front end system (which can be Reverse Proxy) and if the WebLogic server can be configured with Provider that communicates to backend of Oracle Access Manager to fetch the user/group for role membership to set the user subject then Integration is not required.

My research results are:
You have very simple application (that just reads http header variables) deployed on WebLogic Server. A security provider (Authenticator) needs to be created in WebLogic realm to talk to OAM user directory (an LDAP). Employ a Reverse proxy in-line with WebLogic server with a WebGate on it. Assume you have protected the application using an authentication scheme in OAM.
When you access the application, Oracle Access Manager prompts for login details. After OAM authenticates and authorizes the user, the control reaches the WebLogic server where the principal will be set and the Authenticator fetches for group membership details to set the WebLogic user subject. This means that user authenticated by the OAM will be present (part of) in WebLogic Server.

Next research would be to test the sample application, but this time I am going to take the userid from container rather than taking it from header variable.

So keep tuned to this blog for more interesting topics!