Wednesday, January 27, 2010

Oracle Identity & Access Management Questions & Answers

Identity and Access Management:
Q: What is an identity?
A: An identity is a piece of information used to identify an entity whether it is a user or group etc.,.

LDAP:

Q: What is an object class and their different types?
A: An object class specifies set of attributes that are used to define an object.
  • Structural. Indicates the attributes that the entry may have and where each entry may occur in the DIT. A Structural object class defines the backbone of an LDAP entry.  An entry references a Structural object class as the basis for its required and optional attributes. Eg; inetorgperson, organizationalunit etc., Structural class defines the idenity of an object and Auxiliary object class is used to add attributes. An entry must contain one structual and many auxiliary object classes.
  • Auxiliary. Indicates the attributes that the entry may have. Auxiliary object classes allow additional attributes to be "mixed" with a Structural object class.  For example, you can add inetOrgPerson as your structural object class and associate it with the tab in the User Manager application.  You could then add Auxiliary object classes with special attributes for various types of people, such customers, partners, and so on.
  • Abstract. Indicates a "partial" specification in the object class hierarchy; only structural and auxiliary subclasses may appear as entries in the directory.
Q: Give sample ldif structure for scenarios of creating new object class, new attribute, add attr to user entry, add obj class to user entry?
A: 

dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.2.3.4.5 NAME 'myOC'
 DESC 'my Objectclass definition' MAY myAttr )

dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.2.3.4.5.6.7 NAME "myAttr" DESC "New attribute definition" EQUALITY caseIgnoreMatch
 SYNTAX "1.3.6.1.4.1.1466.115.121.1.15" )

dn: cn=person one,dc=example,dc=com
changetype: modify
add: myAttr
myAttr: myattrValue1

dn: cn=person one,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: myOC

Adding an Auxiliary object class to a schema:

objectclass ( 1.3.6.1.4.1.6863.2.4.57 NAME 'ourObject'
  DESC 'A very useful object'
  SUP top AUXILIARY 
  MUST ( dohicky $ gobbledegook )
  MAY ageAtBirth )
Adding auxiliary object class to an existing entry:
dn: cn=user1,dc=example,dc=com
changetype: modify
add: objectclasses
objectclasses:inetorgperson
objectclasses: myAuxOC



Q: What is DN and RDN?
A: A DN is the LDAP entry that uniquely identifies and describes the entry in LDAP server.
cn=Jones,dc=oracle,dc=com is the DN of user Jones and RDN is cn=Jones. 


Q: How do you define Identity Management & Access Management?
A: Identity Management enables customers to manage end-to-end lifecycle of user identities across all enterprise resources securely. Access Management provides web access management including authentication, fine grained authorization, federation and proactive online fraud prevention.

Q:What are various domains that fall under identity management?
A: Identity Management, Access Management, Directory Management. Oracle Products that fall under Identity Management are Oracle Identity Manager and Oracle Role Manager. Oracle products that fall under Access Management are Oracle Access Manager, Oracle Entitlement Server, Oracle Adaptive Access Manager, Oracle Identity federation and Enterprise Single Sign-On. Oracle products that fall under Directory Management are OID and OVD.

Oracle Access Manager:

Oracle Access Manager is a state-of-the-art solution for both centralized identity management and access control, providing an integrated standards-based solution that delivers authentication, web single sign-on, access policy creation and enforcement, user self-registration and self-service, delegated administration, reporting, and auditing.    

Q: What is Single Sign On?
A: Single Sign-On allows users to sign on once to a protected application and gain access to the other protected resources within the same domain defined with same authentication level.

Q: What is multi domain Single Sign-On?
A:  Multi Domain SSO gives users the ability to access more than one protected resource (URL and Applications), which are scattered across multiple domains with one time authentication.

Q: What is the authentication mechanism used by Oracle Access Manager?
A: ObSSOCookie and it is stateless.

Q: Explain various security modes present in Oracle Access Manager?
A:
Open: Allows unencrypted communication. In Open mode, there is no authentication or encryption between the AccessGate and Access Server. The AccessGate does not ask for proof of the Access Server's identity and the Access Server accepts connections from all AccessGates. Similarly, Identity Server does not require proof of identity from WebPass.
Simple: Supports encryption by Oracle. In Simple mode communications between Web clients (WebPass and Identity Server, Policy Manager and WebPass, and Access Server and WebGate are encrypted using TLS v1. In both Simple and Cert mode, Oracle Access Manager components use X.509 digital certificates only. This includes Cert Authentication between WebGates and the Access Server where the standard cert-decode plug-in  decodes the certificate and passes certificate information to the standard credential_mapping authentication plug-in. For each public key there exists a corresponding private key that Oracle Access Manager stores in the aaa_key.pem file for the Access Server (or ois_key.pem for Identity Server).
Cert: Requires a third-party certificate. Use Cert (SSL) mode if you have an internal Certificate Authority (CA) for processing server certificates. In Cert mode, communication between WebGate and Access Server, and Identity Server and WebPass are encrypted using Transport Layer Security, RFC 2246 (TLS v1).


Q: Explain the architecture of Oracle Access Manager?
A: Oracle Access Manager architecture mainly consists for components such as Identity Server, WebPass, Policy Manager, Access Server and a WebGate. Identity Server is a standalone C++ server which communicates directly with LDAP.
It also receives requests and sends response to Webpass. WebPass is a web server plugin that passes info between identity server and webserver. It redirects HTTP requests from browser to Access Server, and sends Identity XML SOAP requests to Identity Server.
Policy Manager (PMP or PAP) is a web server plugin that communicates directly with user, configuration and policy repositories. Access Server is a stand alone C++ server and is also called PDP. It receives requests from & sends responses to WebGates/AccessGates.
It also communicates with LDAP. It answers Access Server SDK requests. WebGate (PEP) is a web server plugin that passes info between webserver and access server. It passes user authentication data to access server for processing. 
 
Q: What are the ObSSOCookie Contents?
A: Cookie contains encrypted session token and non-encrypted data.
This Encrypted Session Token consists of : DN of the authenticated user, level of auth scheme, ip address of client to which cookie was issued, time the cookie is issued, time the cookie was last updated. If the user is not idle, then cookie will get automatically updated at a fixed interval to prevent session timeout. The updated interval is the 1/4 th of idle session timeout of accessgate.
The Unencrypted ObSSOCookie data contains cookie expiry time, domain in which cookie is valid, additional flag that determines if cookie can only be sent using SSL.

Q: What is the key used for encrypting the ObSSOCookie?
A: Shared Secret key. It is configured in the Identity Admin console and can be generated by the OAM administrator.

Q: What happens if the ObSSOCookie is tampered?
A:  When access system generates ObSSOCookie, MD-5 hash is taken from session token. So when the user is authenticated again using the cookie, the MD5 hash is compared with original cookie contents. MD-5 hash is a one-way hash, hence it cant be unencrypted. Access server compares the cookie contents with hash. If both are not same, then cookie is tampered in the interim. This cookie does not contain username and password.


Q: What is the difference between WebGate and AccessGate?
A: WebGate is an out-of-the-box plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization. An AccessGate is a custom webgate that can intercept requests of HTTP and non-HTTP resources. 
 
Q: What are the major parameters defined in an authentication scheme?
A: The authentication scheme level which defines the level of the security defined for an application.

Q: Explain the flow when a user requests for an application protected by Oracle Access Manager?
A: The following steps describes the flow when a user makes a request to access a resource protected by the Oracle Access Manager.
  • User requests for a resource through a web browser.
  • The Webgate intercepts the requests and checks with the Access Server whether the resource is protected or not.
  • If the resource is not protected, then the user will be shown the requested resource.
  • If the resource is protected, then Access Server will check with policy manager the authentication scheme configured for that resource.
  • User will be prompted to enter their credentials as per the auth scheme defined for the resource.
  • Webgate will send the credentials to the Access Server to check it against the backend (LDAP server).
  • Upon successful authentication, Access server checks whether the user is authorized to access the resource or not.
  • If the user is authorized, then the Access Server will create the session id and passes it to the webgate. An ObSSOCookie is created and will be sent to the user browser and the user will be shown the requested resource.
  • If the user is not authorized, then an error page (if its defined in policy domain) will be shown to the user.
Q: Explain the flow of a Multi domain Single Sign-On?
A: Multi Domain SSO gives users the ability to access more than one protected resource (URL and Applications), which are scattered across multiple domains with one time authentication.
  • For multi domain SSO to work, Access Servers in all domains must use same policy directory.
  • Multi domain works only with web gates, not Access Gates.
  • Within each individual domain, each web gate must have same “primary HTTP cookie domain”.
In Multi Domain SSO environment, we should designate one web server (where web gate is installed) as "Primary Authentication Server". Primary Authentication Server acts as a central server for all authentications in multi domain environment. In general the webgate installed in the domain where Access server resides will be designated as the primary authentication server.

Lets assume that OAM components are installed in host1.domain1.com and we will designate host1.domain1.com as the primary authentication server.
* Host2.domain2.com with web gate (ex: webgate2) installed.
* A resource, abc.html, is protected with Form base authentication on host1.mydomain1.com
* A resource, xyz.html, is protected with Basic over LDAP authentication on host2.mydomain2.com.

Following are the steps that explain how multi domain SSO works
1. User initiates a request for a Web page from a browser.
    For instance, the request could be for host2.mydomain2/xyz.html.
2. Webgate2 (on host2.domain2.com) sends the authentication request back through the user's browser in  search of primary authentication server.  In this example you have designated host1.domain1.com to be the primary authentication server.
3. The request for authentication is sent from the user's browser to the primary authentication server, host1.domain1.com.
This request flows to the Access Server. The user logs in with the corresponding authentication scheme and the obSSO cookie is set for host1.domain1.com. The Access Server also generates a session token with a URL that contains the obSSO Cookie.
4. The session token and obSSOCookie are returned to the user’s browser.
5. The session token and obSSOCookie are sent to host2.domain2.com
6. The Web gate (webgate2) on host2.domain2.com sets the obSSOCookie for its own domain (.domain2.com) and satisfies the user’s original request for the resource host2.domain2.com/xyz.html. User gets the resource.
7. On the same browser if user accesses the host1.domain1.com page then resource will be presented without asking credentials as obSSOCookie is already available with .domain1.com (see step 3).

Q: Explain the authentication plugins credential_mapping and validate_password?
A: credential_mapping plugin performs the task of mapping the user credentials to a unique DN in the directory server. WebGate searches the directory server for user profiles matching these attributes. validate_password plugin gets called only after username is validated.
Q: What is an Access Server SDK?
A: The Access Manager Software Developer's Kit (SDK) enables you to enhance the access management capabilities of the Access System. This SDK enables you to create a specialized AccessGate. The Access Manager SDK creates an environment for you to build a dynamic link library or a shared object to perform as an AccessGate. You also need the configureAccessGate.exe tool to verify that your client works correctly.

Q: What is an Identity XML?
A: IdentityXML provides a programmatic interface for carrying out the actions that a user can perform when accessing a COREid application from a browser. For instance, a program can send an IdentityXML request to find members of a group defined in the Group Manager application, or to add a user to the User Manager.

IdentityXML enables you to process simple actions and multi-step workflows to change user, group, and organization object profiles.
                 After creating the IdentityXML request, you construct a SOAP wrapper to send the IdentityXML request to WebPass using HTTP. The IdentityXML API uses XML over SOAP. We pass IdentityXML parameters to the COREid Server using an HTTP request.This HTTP request contains a SOAP envelope.When WebPass receives the HTTP request, the SOAP envelope indicates that it is an IdentityXML request rather than the usual browser request.
                  The request is forwarded to the COREid Server, where the request is carried out and a response is returned. Alternatively, you can use WSDL to construct the SOAP request. The SOAP content looks like this, SOAP envelope (with oblix namespace defined), SOAP body (with authentication details), actual request (with application name and params). The application name can be userservcenter, groupservcenter or objservcenter (for organizations).

Q: What is an SSPI connector and its role in Oracle Access Manager integrations?
A:  The Security Provider for WebLogic SSPI (Security Provider) ensures that only appropriate users and groups can access Oracle Access Manager-protected WebLogic resources to perform specific operations. The Security Provider also enables you to configure single sign-on between Oracle Access Manager and WebLogic resources.
The WebLogic security framework provides Security Service Provider Interfaces (SSPIs) to protect J2EE applications. The Security Provider takes advantage of these SSPIs, enabling you to use Oracle Access Manager to protect WebLogic resources via:
  • User authentication
  • User authorization
  • Role mapping
The Security Provider consists of several individual providers, each of which enables a specific Oracle Access Manager function for WebLogic users:
Authenticator: This security provider uses Oracle Access Manager authentication services to authenticate users who access WebLogic applications. Users are authenticated based on their credentials, such as user name and password.
The security provider also offers user and group management functions. It enables the creation and deletion of users and groups from the BEA WebLogic Server. It also provides single sign-on between WebGates and portals.
Identity Asserter: Like the Authenticator, this security provider uses Oracle Access Manager authentication services to validate already-authenticated Oracle Access Manager users using the ObSSOCookie and to create a WebLogic-authenticated session.
Authorizer: This security provider uses Oracle Access Manager authorization services to authorize users who are accessing a protected resource. The authorization is based on Oracle Access Manager policies.
Role Mapper: This security provider returns security roles for a user. These roles are defined in Oracle Access Manager, and they are provided by Oracle Access Manager using return actions on a special authentication policy. This authentication policy contains a resource with a URL prefix of /Authen/Roles. Role Mapper maps these roles to predefined security roles in WebLogic.

Q: Explain the integration and architecture of OAM-OAAM integration?
A: Using these products in combination will allow you fine control over the authentication process and full capabilities of pre-/post- authentication checking against Adaptive Risk Manager models.
The OAAM’s ASA-OAM integration involves two Oracle Access Manager AccessGates: one for fronting the Web server (a traditional WebGate) to Adaptive Strong Authenticator and one for the embedded AccessGate. The access server SDK to be installed and configureAccessGate tool to be run. The ASA bharosa files to updated with ASDK location. An application to be protected using ASA authentication scheme and to be tested for ASA landing page for login.

Here is how the flow goes:
1. User requests for a resource.
2. Webgate acting in the front end for ASA application will intercept the request and will redirect to the ASA application.
3. The user enter credentials and the Access SDK setup in the ASA application will contact the Access gate which inturn contacts the access server for validating the credentials.
4. Upon successful authentication, access server will generate obSSOCookie and will forwards it to the browser.
5. Then the user will be shown the requested resource.

Q: Explain IWA mechanism in Oracle Access manager?
A: The OAM has a feature which enables Microsoft Internet Explorer users to automatically authenticate to their Web applications using their desktop credentials. This is known as Windows Native Authentication.

  1. user logs in to the desktop machine, and local authentication is completed using the Windows Domain Administrator authentication scheme.
  2. The user opens an Internet Explorer (IE) browser and requests an Access System-protected Web resource.
  3. The browser notes the local authentication and sends a token to the IIS Web server.
  4. The IIS Web server uses the token to authenticate the user and set up the REMOTE_USER HTTP header variable that specifies the user name supplied by the client and authenticated by the server.
  5. The WebGate installed on the IIS Web server uses the hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization.
  6. The WebGate creates an ObSSOCookie and sends it back to the browser.
  7. The Access System authorization and other processes proceed as usual.
    The maximum session timeout period configured for the WebGate is applicable to the generated ObSSOCookie.

Q: Explain various major params defined in webgate instance profile?
A:
  • Hostname: name of the machine hosting the access gate.
  • Maximum User Session Time: Maximum amount of time in seconds that a user's authentication session is valid, regardless of their activity. At the expiration of this session time, the user is re-challenged for authentication. This is a forced logout. Default = 3600. A value of 0 disables this timeout setting.
  • Idle Session Time (seconds): Amount of time in seconds that a user's authentication session remains valid without accessing any AccessGate protected resources.
  • Maximum Connections: Maximum number of connections this AccessGate can establish. This parameter is based on how many Access Server connections are defined to each individual Access Server. This number may be greater than the number allocated at any given time.
  • IPValidationException: IPValidationException is specific to WebGates. This is a list of IP addresses that are excluded from IP address validation. It is often used for excluding IP addresses that are set by proxies.
  • Maximum Client Session Time  :Connection maintained to the Access Server by the AccessGate. If you are deploying a firewall (or another device) between the AccessGate and the Access Server, this value should be smaller than the timeout setting for the firewall.
  • Failover Threshold: Number representing the point when this AccessGate opens connections to Secondary Access Servers. If you type 30 in this field, and the number of connections to primary Access Servers falls to 29, this AccessGate opens connections to secondary Access Servers.
  •  Preferred HTTP Host : Defines how the host name appears in all HTTP requests as they attempt to access the protected Web server. The host name in the HTTP request is translated into the value entered into this field regardless of the way it was defined in a user's HTTP request.
  • Primary HTTP Cookie Domain: This parameter describes the Web server domain on which the AccessGate is deployed, for instance, .mycompany.com. 
  • IPValidation: IP address validation is specific to WebGates and is used to determine whether a client's IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on.
      
Q: What is Policy Manager API?
A:  The Policy Manager API provides an interface which enables custom applications to access the authentication, authorization, and auditing services of the Access Server to create and modify Access System policy domains and their contents.

Q: When do you need an access gate?
A: An access gate is required instead of a standard webgate when you need to control access to a resource where OAM doesnot provide OOTB solution. These might include:

  1. protection for non-http resources (EJB, JNDI etc.,)
  2. Implementation of SSO to protect a combination of http and non-http resources.
A file called obAccessClient.xml is stored in the server where access gate is installed. this file contains config params entered through the configureAccessGate tool.

Q: Explain the flow when a user makes a request protected by an access gate (not webgate)?
A: The flow is shown below.
  • The application or servlet containing the access gate code receives resource request from the user.
  • The access gate code constructs ObResourceRequest structure and access gate contacts Access server to find whether resource is protected or not.
  • The access server responds. 
  • If the resource is not protected, access gate allows user to access the resource. Otherwise..,
  • Access Gate constructs ObAuthenticationScheme structure to ask Access Server what credentials the user needs to supply.
  • The access server responds. 
  • The application uses a form or some other means to fetch the credentials.
  • The AccessGate constructs ObUserSession structure which presents user details to Acc Server.
  • If credentials are proven valid, access gate creates a session token for the user and then sends an authorization request to the access server.
  • Access server validates if the user is authz to access that resource. 
  • Access gate allows user to access the requested resource.


Oracle Identity Federation: 
Q: What is Federation?
A: Federation is the user account linking between providers in a circle of trust.


Q: What is Federated Identity?
A: Identity across domains is called Federation. The identity that is federated encircled with trust by linking of one more more accounts with one or more identity and service providers is called Federated Identity.

Q: What is the difference between Multi Domain SSO and Federation?
A: There are couple of differences and are listed below.

  • Multi domain SSO can happen if the applications are residing in different domains within same organization or a company. Federation happens if the applications are residing within same organization as well as between organizations. 
  • In Federation, there is a trust established between both the providers residing in different domains, whereas in Multi Domain SSO, trust is not established.
  • The mechanism used in MD - SSO is cookie and is SAML Assertion in case of Federation.
  • The attributes passed in the header cannot be encrypted OOTB in MD-SSO where as it can be digitally signed.
  • There is more of security involved along with interoperability in case of federation.

Q: What is an Identity Provider and Service Provider?
A: IDP is the site that authenticates the user and sends an assertion to the destination site or SP. SP is the site that consumes the assertion and determines the entitlements of the user and grants or deny access to the requested resource.

Q: Explain the flow when an user makes a federation request?
A:
Step 1: The user logs in to the identity provider using an ID and password for authentication. Once the user is authenticated, a session cookie is placed in the browser.
Step 2: The user then clicks on the link to view an application residing on the service provider. The IdP creates a SAML assertion based on the user’s browser cookie, digitally signs the assertion, and then redirects to the SP.
Step 3: The SP receives the SAML assertion, extracts the user’s identity information, and maps the user to a local user account on the destination site.
Step 4: An authorization check is then performed and if successfully authorized, redirects the user’s browser to the protected resource. If the SP successfully received and validated the user, it will place its own cookie in the user’s browser so the user can now navigate between applications in both domains without additional logins.

Q: What is the authentication mechanism used for federation?
A: Assertions. The assertion created by the IDP will be sent to SP where it will be validated.

Q: Explain how Form login works if the form login page is present in different domain from OAM?
A: The mechanism here is same as how the multi domain SSO works. Importantly, all of the activities for form authentication are carried out between the browser and one web server.
Now, suppose you want to access a resource http://www.B.com/pageB.html but still be authenticated by the login form on www.A.com.

  • The authentication scheme required by pageB needs to have a redirect URL set to http://www.A.com. 
  • The WebGate at www.B.com redirects you to the NetPoint URL obrareq.cgi on www.A.com, with a query string that contains the original request (wu and wh).
  • The WebGate on www.A.com will determine that you need to do a form login for that resource, so it will set the ObFormLoginCookie with the wu and wh values from the query string, but will set the ru field to /obrareq.cgi. WebGate on A then redirects your browser to the login form on A. 
  • When you post your credentials back to A, the ObFormLoginCookie is set back. WebGate on A authenticates your userid and password, sets the ObSSOCookie for the .A.com domain and redirects you back to the ru value from the ObFormLoginCookie, which is /obrareq.cgi.
  • This time when your browser requests http://www.A.com/obrareq.cgi, it will pass the ObSSOCookie. 
  • WebGate will then redirect your browser back to the B webserver, http://www.B.com/obrar.cgi, with the cookie value and the original URL in the query string.
  • The WebGate on www.B.com will extract the cookie value and set the ObSSOCookie for domain .B.com, and finally redirect you to http://www.B.com/pageB.html that you originally requested.
Oracle Adaptive Access Manager:

Q: What is auto-learning?
A: Auto-learning is a set of functions in OAAM that profiles behavior. The behavior of users, devices and locations themselves are recorded and used to evaluate current behavior. For example, OAAM can profile a user based on login time. If John logs in between 8am - 10am 87% of the time then the risk level is elevated if he is attempting to login at 2am. In other words he is outside of his normal login time profile.

Q: How does OAAM prevent session-hijacking?
A: To protect against fraudulent transactions occurring over hijacked sessions, Adaptive Strong Authenticator can be easily deployed in session during a sensitive transaction. This requires a human interaction (entering a PIN/OTP/Password on a PinPad/KeyPad) in a process which an automated attack cannot easily navigate using software. For example, the destination account number in a wire transfer transaction could be entered using a PinPad to prevent an automated attack from alerting the account number.
Adaptive Risk Manager offers extensive protections against fraudulent transactions in session. Once a login has cleared our pre-authentication security gateway (computer and location fraud patterns) and has authenticated successfully with the proper credentials, there are still multiple strong security gateways remaining, within the Adaptive Risk Manager model.

Q: How can OAAM prevent phishing?
A: There are a number of anti-phishing features of OAAM. Phishing attacks are often aimed at credential theft. A Phishing site will usually send the users to the real site once they steal their credentials so the user does not suspect anything has gone wrong. When this happens OAAM can recognize that the user is coming from a referral URL not sanctioned by the bank. When OAAM sees this it can add the user to a "phishing victims" group. Membership in this group will increase their risk when attempting transactions such as a wire transfer. As well an investigation case will be created so the referral URL and the user can be evaluated. If all is OK the URL can be white listed and the user removed from the group.
There are also a number of other symptoms of credential theft that OAAM can detect. Factors such as max velocity, device and location usage can be very valuable in determining risk that an access attempt is not from the valid user.

Q: What are different keystores used in OAAM?
A: There are 3 keystores, System, Database and SOAP/WebServices. Encryption of SOAP keystore is optional.
  1. System Keystore: Used for encrypting properties and other non-db related data
  2. Database: VCryptPassword and Transaction tables. Containing data such as password, PIN, Transaction data (like credit card #, etc)...
  3. SOAP/WebServices: On the client side to authenticate Web Services request
Q: Can OAM provide SSO access to the OAAM admin console application? 
A: Yes, OAAM Admin is a standard web application and uses container provided Authentication out of the box. Since OAAM Admin works with predefined Roles (CSR, CSR Manager so on), the identity store used by OAM should have user & role mappings. The OAAM Admin guide contains these details. Simply assume that OAAM admin console is a generic web application deployed on an application server. And then a customer wants OAM SSO on the admin console. Hence, a web server proxy is needed and then a webgate on the proxy web server and then connector on the app server to perform identity assertion.

This is pretty much standard integration for OAM that we support for any custom application. This case is simply more special because the custom application turns out to be OAAM.


Oracle Identity Manager:

Q: What is user provisioning?
Q: What is reconciliation?




Note: I will be updating this post every now and then. So keep tuned to this.

Friday, January 8, 2010

Integration between OAM 10.1.4.3 and E-Business suite

I have been watching lot of posts about the integration of Oracle Access Manager 10.1.4.3 with E-Business suite. It is an essential integration as it provides Single Sign-On for E-Business applications using Oracle Access Manager. However, the integration was straight forward with Oracle Access Manager 10.1.4.2. The integration included 2 individual sub-integrations which are OAM-OSSO and OSSO-Ebz. Since Oracle Fusion Middleware 11g is introduced, Oracle Access Manager has been the recommended solution for authentication mechanism. Who will forget the implementation time of almost 1.5 yrs that Oracle took to get the integration working between EBusinessSuite and OSSO. Though the OSSO is not released in Fusion Middleware 11g, the backward compatibility of OAM with older webgates helps here. So the solution is simple and it is to integration OAM 10.1.4.3 with older OSSO and integrate OSSO-Ebz.

Though I have not done this practically, but I know this can be done.

Here is some more documentation on it.
http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12492/osso.htm#BJFJBCHB.

Oracle Access Manager and Weblogic Portal integration

This post will bring out the key points involved in the integration between Weblogic Portal and Oracle Access Manager using SSPI Connector.
Major Products involved:
1. Weblogic Portal 10.3.0
2. OAM 10.1.4.3
3. SSPI Connector 10.1.4.2.2
Key Points:
1. Create portaldmin user in OAM (as in user store) and assign Admin rights.
2. Create group BEA_Administrators and assign portaladmin user a member of that group.
3. Create NetPointRealm using the command as shown below.
      ./setupNetPointRealm_wl92.sh portal
4. The param "portal" provided in the above command is essential to create realm necessary for Weblogic portal with specific providers.
5. Ensure to add the p13DataSource in the SQLAuthenticator DataSource field. This makes the users weblogic and portaladmin which are part of myrealm to be available in NetPointRealm. Mark SQLAuthenticator as REQUIRED and OblixAuthenticator as OPTIONAL followed by a weblogic server restart.
6. You should be able to see the group BEA_Administrators in the NetpointRealm Users and Groups column. Copy the group name (eg., cn:EBEA_Administrators:Cdc:Eus:Cdc:Eoracle::Cdc:Ecom).
7. Goto the location, NetpointRealm -> Roles and Policies -> Global Roles -> Roles.
8. Goto the Admin Role and add the conditions to include BEA_Administrators.
9. Goto the PortalSystemAdministrator Role and add the conditions to include BEA_Administrators.
10. Delete the SQLAuthenticator and mark OblixAuthenticator as REQUIRED. SQLAuthenticator is no longer needed as weblogic and portaladmin users are part of OblixAuthenticator.
11. Now login as OAM user to the weblogic portal server.

Note: Follow the key steps 12 & 13 of section 10.5.9 Preparing the WebLogic Environment in the SSPI integration guide .

For Viewlet, please contact me @mahi.babu@gmail.com

Thursday, January 7, 2010

Integration between Oracle Access Manager and Oracle Entitlement Server

This post describes the aspects of the integration between Oracle Entitlement Server and Oracle Access Manager. As we know that from 11g onwards, Oracle recommends OAM for authentication, SSO and OES for Authorization. Hence it's always good to know how this integration works.

Frankly, there is no integration between OAM and OES. The ease of the product OES allows us to integrate with various applications and utilise OES for ATZ. 

In my case, I have implemented the scenario as explained below.

The Weblogic Portal 10.2 will be authenticated using OAM and the authentication scheme can be used as Basic over Ldap or Form (I have done Basic Over LDAP for timebeing). 

Upon successful authentication using OAM, access server generates obssocookie and sends it to browser. However the front end here is the OHS proxy server for weblogic portal resource.
Hence the plugin in proxy server (mod_weblogic) will forward this request to the Weblogic Security Framework. WLS framework will inturn trigger the SSPI interface where the weblogic server SSM is being configured (as SSM realm). 

The providers that are configured are:
1. OAM Identity Asserter
2. LDAP Authenticator

The OAM 10.1.4.3 package provides the oamAuthnProvider.jar which should be copied to the weblogic server directory (wls_server103\mbeantypes\lib).
Once the request is passed to the SSPI interface of OES, the OAM identity Asserter (flagged as REQUIRED) kicks in and checks for ObSSOCookie in the request. If it exists then weblogic will validate the user against the LDAP using LDAP Authenticator. 

At this point, the resource is authorised at page level by OAM.
Now, its time for OES to do the page level and content level authorization.
Based on the resources and policies (ATZ and Role) configured in OES, it fetches the user accessing the resource and executes Role and ATZ policies. If the user is allowed GRANT, then the user will be shown the requested page.
If there are any ALES tags specified in the application for content level atz, it gets executed.

I will attach the architecture diagram soon.
Various products used in this integration are:
1. Oracle Access Manager 10.1.4.3
2. Oracle Entitlement Server 10.1.4.3 (Admin CP3, SSM CP3)
3. Weblogic Portal 10.2.0

Uninstall ALES Schema or Re-running DB Config tool



          As we know that it is pretty straight forward to create the ALES schema using DB Config tool. I am writing here something which is not documented anywhere as to how to re-run the DB config tool if wrong values are specified for oes username or password etc.,
               Here are the steps to be followed to revert and re-run the DB config tool. This assumes that the user created is oesdbuser while running the dbconfig tool.

  1. Connet to sqlplus as sys user.
  2. Execute the command "revoke asi_role from oesdbuser; "
  3. Execute the command Execute the command "drop user oesdbuser cascade; "
  4. Execute the command "revoke create trigger from asi_role;"
  5. Execute the command "revoke create sequence from asi_role;"
  6. Execute the command "revoke create table from asi_role;"
  7. Execute the command "revoke create session from asi_role;"
  8. Execute the command "drop tablespace ales_oracle including contents and datafiles;" 
Now, you can re-run the DB config tool safely.

Fine grained authorization of Weblogic Portal using Oracle Entitlement Server

Hi all,
This time I have come up with a viewlet which shows the fine grained atz of weblogic portal using OES. Fine grained atz includes page (portlet) level access and content level access based on roles specified in the OES.

I would also like to share some of the gotchas that I came up with during this OES-WLP integration. I followed the OOTB SimplePortalExample that is provided in examples folder of WL-SSM. I have found few differences with my application and SimplePortalExample. The resource PortalDefinitionManager should be created in netuix.jar which is under ejb resource.
So the final resource structure should look like ejb -> netuix.jar -> PortalDefinitionManager -> create. The authorization policy should be defined to provide execute permission to Administrator users which are weblogic and portaladmin.

Products used:
Oracle Entitlement Server 10.1.4.3 (CP3 for Admin WL-SSM)
Weblogic Portal 10.2.0

Note: Only weblogic Portal 10.2.0 is certifed with OES at the moment. I tried with Weblogic Portal 10.3.0 to test it and it failed to start the portal server after SSM instance creation.

For Viewlet and sample portal application with OES tags, please contact me.
 

Installing OES on 11g R1 Weblogic 10.3.1

Now its time to share the information that OES Admin server works with Weblogic server 10.3.1.
The steps followed are as shown in blog.
I have also tried with WLS 10.3.2 and it worked fine with Admin server and patching to CP3 had no problems. We are also able to access the OES consoles. However the problems arised after running configtool for WLS SSM. Hence its good not to try with WLS 10.3.2.
Watch this blog for more info on integrations with Weblogic Portal and Sharepoint coming soon.

Cookie less SSO with OAM











The cookieless single sign-on session support with OAM can be provided by placing the Oracle WebCache between user's browser and web server as depicted in above figure.
End-user can either use separate WebCache instances for each backend web server, or use the common WebCache instance which will be shared by multiple backend web servers. 
The Web Cache component provides cookie management, using the SSL session Id as key. The SSL sessions are mandatory for this solution, and they are established between the user’s browser and the OHS servers.    
The Single Domain single sign-on flow will be very similar to the cookie-based solution.  The main difference will be when the Oracle Access Manager WebGate sets a cookie, the cookie will be cached in the Web Cache instance, keyed using the SSL session ID.  When the user accesses the servers again later on, Web Cache retrieves the relevant cookies tied to this SSL session ID, and makes them available to the downstream servers and applications. 
Note that in this solution, the cookies are never made available to the end-user’s browser.  Assuming the Web Cache instances are protected by a firewall, then the cookies never need to go outside the protection of the firewall.
During logout, Oracle Access Manager WebGate will clean up their respective cookies by setting the obssocookie to “loggedoutcontinue”The Web Cache, when received such requests, removes the cookies from its cookie cache.

Oracle SSO provisioning for APEX

This section deals with provisioning Oracle SSO for APEX application.
1. Register APEX as partner application in Oracle Application server.
Note some of the details as shown below.
ID: 80F63272
Token: 51J0903680F63272
Encryption Key: EBBD933BC541FAFF
Login URL: http://directory_server_hostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
Single Sign-Off URL: http://directory_server_hostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout
Name : APEX
Home URL : http://apex_hostname:8080/apex
Success URL : http://apex_hostname:8080/apex/wwv_flow_custom_auth_sso.process_success
Logout URL :http://apex_hostname:8080/apex
This Application Name APEX will be used in 5th step while associating SSO application name in the Authentication scheme.
2. Next step is to install SDK package and configuration.
Extract the sdk902.zip file present in middle tier to the local machine.
Login as FLOWS_xxxx user and execute @loadsdk.sql.
Then logout and login again, and execute @regapp.sql by inputting some parameters of Partner application.
Enter value for listener_token: HTML_DB:sbpdb.idc.oracle.com:8080
Enter value for site_id: 80F63272
Enter value for site_token: 51J0903680F63272
Enter value for login_url: http://directory_server_hostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
Enter value for encryption_key: EBBD933BC541FAFF
Enter value for ip_check: N
It is important that listener_token should be in the format HTML_DB:hostname_where_apex_installed:port_no_apex_listens.
When the registration is successful, then the result will be as shown below:
Registration successful.
Listener token: HTML_DB:sbpdb.idc.oracle.com:8080
Site id : 80F63272
Site token : 51J0903680F63272
Encryption key: EBBD933BC541FAFF
Login URL : http://directory_server_hostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
Logout URL : http://directory_server_hostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout
IP check : N
3. Third step is to execute custom_auth_sso_902.sql and custom_auth_sso_902.plb as FLOWS_xxxx user.
4. Grant execute permissions as shown below:
grant execute on wwv_flow_custom_auth_sso to APEX_PUBLIC_USER;
5. Login to APEX console, and create Authentication scheme with name CUSTOM SSO and map the SSO Partner application as APEX (as in the first step).

Congrats, you have finished SSO configurations for APEX.
Now login to apex application (for eg, http://apex_hostname:8080/apex/f?p=104:2) and check SSO login page will be displayed.

Caveats & Bugs identified while installing OAM on Linux

Ensure that following conditions are met while installing OAM on linux. Typically you will face issue after webpass installation while starting HTTP Server.
OAM 10.1.4.3:
1. While starting OIS Server
Error:
/disk1/oracle/Middleware/OAM/identity/oblix/apps/common/bin/ois_server: error while loading shared

libraries: libdl.so.2: cannot open shared object file: No such file or directory
rm: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or

directory
OIS Server started with pid: 21290
[oracle@ATL2-LNX01 bin]$ /bin/sh: error while loading shared libraries: libdl.so.2: cannot open shared

object file: No such file or directory

Solution: comment out all the lines where it is setting LD_ASSUME_KERNEL to 2.4.19 in start_ois_server

script OR run the script start_ois_server_nptl.

2. gcc libraries incompatibilty
Error:
/disk1/oracle/Middleware/WebTier/ohs/bin/apachectl startssl: execing httpd
httpd.worker: Syntax error on line 1047 of

/disk1/oracle/Middleware/WebTier/instances/instance1/config/OHS/ohs1/httpd.conf: Cannot load

/disk1/oracle/Middleware/OAM/ohswebpass/identity/oblix/lib/libgcc_s.so.1 into server:

/disk1/oracle/Middleware/OAM/ohswebpass/identity/oblix/lib/libgcc_s.so.1: wrong ELF class: ELFCLASSS32

Solution: libgcc_s.so.1 will be present in /usr/lib64 or /lib64 directories. So should copy those gcc lib

into the oblix lib location.
Similarly copy libstdc++.so.5 from OS binaries.


OAM 10.1.4.2:
1. Open the httpd.conf file and comment the perl module as shown below.

 #LoadModule perl_module        libexec/libperl.so

2. Add Kernel param value in OHS/opmn/conf/opmn.xml file as shown below.
                        
               

               
           
               
               

           
                      .......
                          
3. Disable ssl in OHS/opmn/conf/opmn.xml as shown below for HTTP_Server component tab.

             
                 
                 
             

             
              


Bugs identified while upgrading to OAM 10.1.4.0.2 BP02:

When installing the 10.1.4.2.0 BP02 patch (Patch 6748699 or 5957301), against a 10.1.4.2.0 installation, you will receive the following error:

For Webpass:

    --- Oracle Access Manager install ---
    Error: You are trying to apply patch of Oracle WebPass for different server
    while the component Oracle WebPass is installed for different server.
    This is not supported

For Policy Manager:

    --- Oracle Access Manager install ---
    Error: You are trying to apply patch of Oracle Policy Manager for different
    server while the component Oracle Access Manager is installed for different
    server.
    This is not supported.

For WebGate :
    --- Oracle Access Manager install ---
    Error: You are trying to apply patch of Oracle Webgate for different
    server while the component Oracle Access Manager is installed for different
    server.
    This is not supported.


You are sure that you are using the correct patch installer for the component you are trying to patch
It is caused by a long path to the installation binary identified as Bug 6996850.

As a workaround, move the binary for the patch to a location with a shorter path. For example:
This fails:
    /scratch/download/OAM10_Release2_BP02_Patch/Oracle_Access_Manager10_1_4_2_0_BP02_Patch_linux_APACHE2_WebPass_binary_parameter
This works:
    /u01/orasoft/wgpatch/Oracle_Access_Manager10_1_4_2_0_Patch_linux_OHS_WebGate_binary_parameter

Integrating Access Manager with Oracle SSO

The following steps discuss the integration of Oracle Access Manager with Oracle Application Server.
(This is not applicable to a standalone oc4j.).

1. User accesses OAM protected application deployed on Oracle Application Server and webgate intercepts that request.
2. Webgate checks with the Access Server if the resource is protected.
3. When the resource is protected, Webgate prompts for the username and password (depends on authentication scheme selected for the resource in Policy Manager).
4. The credentials are validated by the Access Server against the LDAP server.
5. When authentication is successful, OAM cookie ObSSOCookie is set in the browser.
6. Upon successful authentication, Access System determines if the user is authorized to access the resource.
6. Upon successful authorization, Access system executes actions and sets HTTP Header variables that maps to the Oracle AS userid.
7. mod_osso (part of OSSO) intercepts the request and redirects to the Oracle SSO for authentication.
8. SSOOblixAuth.class is registered with OSSO and retrieives userid set in the HeaderVar by the OAM as part of Authz actions execution.
9. OSSO Cookie is set and user is redirected back to the requested URL.
10. Hence for any sub-sequent requests it uses ObSSOCookie as reference.

Note: The Header Variable name should be set as HTTP_REMOTE_USER.

Trouble Shooting OAM-Sharepoint Integration

This post will describe some of the trouble shooting tips of OAM and Sharepoint Integration.
Error: Images not appearing:-
Simulation:
1. Access the sharepoint portal page.
2. Enter the OAM credentials to login to portal.
3. Sharepoint portal page will be shown but images are not displayed.
Probable Solution: Check the Anonymous Access checkbox is enabled in Sharepoint Administration website. If not enable it and restart IIS web server.
Create a new web site and create 2 sites, first for default as / and second for testing purpose as sample.
Add the same hostname:port in the host identifiers section.
Restart Access Server.
Goto IIS console and to the new website created, enable the anonymous authentication in the Directory Security. Add the IIS impersonation dll in the Home Directory --> Configurations. Move the IIS dll upwards.
Restart IIS server and test the new sharepoint portal for OAM integration.

Error: Authentication prompting twice:-
Simulation:
1. Access the sharepoint portal page.
2. A windows pops up, user enters OAM credentials and submits.
3. Again a window appears (for Windows Native Authentication) for credentials.
4. Enter the credentials again with DOMAIN (eg., domain_name\orcladmin) and submit.
5. Sharepoint portal page will be shown.
Probable Solution : Check the Integrated Windows Authentication checkbox is enabled in the Sharepoint website. If so, uncheck it and restart IIS webserver.
Error : Access is Denied:
Description:
1. Access the sharepoint portal page.
2. A windows pops up, user enters OAM credentials and submits.
Probable Solutions:
1.Check if there is time difference between OAM machine and webgate Sharepoint machine.
2. Check the web based policies in Sharepoint Portal Administration Page to see if the authorized to see the resource.

Error : 401 UnAuthorized
Solution: Check if the anonymous access is diasabled in the sharepoint website. If so, enable the checkbox and restart IIS server.
Error:The following file(s) have been blocked by the administrator: /access/oblix/apps/webgate/bin/webgate.dll
Probable Solution: Goto Policy Manager console, access the sharepoint policy domain. Goto Authorization rules and check the access is allowed to all users. If not select Any One and try accessing the SPPS resource.

Keypoints to remember for this integration:
1. SPPSImpersonator should be added in DomainController Security Policy and Domain Security Policy. Goto LocalPolicies --> User Rights Assignments and double click act as part of operating system and add the SPPSImpersonator user.
2. Sharepoint machine and OAM installed machine should not have time difference.
3. Sharepoint Administrator website should not have IISImpersonation dll.
4. Sharepoint Administrator website should have both anonymous access and Integrated Windows Authentication checkboxes enabled.
5. The Sharepoint portal website should have anonymous access checkbox enabled, but IWA checkbox disabled.
6. Make the IISImpersonationExtension.dll as the first option in the Wildcard application maps in the sharepoint portal website properties.
7. Ensure that Allow option for Oracle Webgate in Web Service Extensions is greyed.
8. While installing .Net Framework 3.0 (before installing sharepoint) ensure that you are online (internet connection).
9. The Sharepoint policy domain should have Headervar as IMPERSONATE with attribute as uid in the Authentication Actions.
10. Ensure that port is specfied in IIS access gate in the Access System Console before IIS webgate installation.

KeyPoints for Multi Domain SSO:
The above integration has E-business Suite, OAM and Sharepoint were existing on different machines in different domains. OAM will provide multi domain SSO for E-biz and Sharepoint applications.
The OHS webgate installed on OAM machine should act as primary authentication server and IIS webgate installed on Sharepoint machine will act as secondary server.
However, both the webgates will have primary HTTP cookie domain and preferred hostnames specified with their respective domain and machine names.
The Authentication scheme for IIS webgate should have challenge redirect field specified as OHS server (eg., http://ohs_installed_hostname:port).
The Authentication scheme for E-business suite application should have authentication level (say 0) less than that of Auth level for IIS webgate(say 1).

OAM Password Policies

This post outlines the password policies, user challenges in Oracle Access Manager that are possible OOTB.
Lost Password Policy: Lost Password Policy creation is used to challenge the user with registered questions at first login and followed by reset password.
Password Policy: Password Policy is used for specifying the Password Specifications (if any), Password validity period, Password History etc.,
The Change on Reset option enables user to change their password at their first login.
The following steps describe the usage of password reset, lost password management.
1. New User gets created in OAM without registering challenge questions.
2. New user attempts to login to OAM console.
3. OAM forces the user to change their password. Upon changing, user will have to register their challenge questions (either user defined or system defined).
4. Upon successful password reset and questions registration, user will be shown the OAM console.
5. User forgets their password and clicks Loss Password button.
6. User will be challenged with registered questions. After answering the questions correctly, user will be prompted to change their password.
7. User logs in to OAM console successfully and attempts to reset password.
8. User navigates to My Profile, clicks on Modify and enters the existing and new passwords.

Viewlet:
To see the viewlet of configuring the OAM password policies, drop me a mail.

Troubleshooting OAM-OAAM integration

1. Error:
Oracle Access Manager Operation Error
The login form /oasa/loginPage.jsp defined for form authentication itself requires form authentication. It should be unprotected.
Contact your website administrator to remedy this problem.
Probable Solution:
Disable the policy protecting the /oasa/loginPage.jsp (if exists). Restart both webserver and access server.
2. Error:

UnsatisfiedLinkError: no obaccess in java.library.path (in webserver logs)
Probable Solution:
Add this E:\product\oracle\NetPoint\AccessSDK\AccessServerSDK\oblix\lib to the tomcat (where OASA is hosted) path variable. If the server hosting OASA application is weblogic, add this to startWeblogic.cmd to the LD_LIBRARY_PATH variable.

Troubleshooting tips on Oracle IDM 11g installations

1. Error:
Message from syslogd@itechdemo at Tue Aug  4 21:18:34 2009 ...
itechdemo Oblix: 2009/08/04@15:48:34.019699     17769   17783   ACCESS_GATE    FATAL    0x0000182C      /usr/abuild/Oblix/coreid1014/palantir/webgate2/src/apache2entry_web_gate.cpp:434        "The AccessGate is unable to contact any Access Servers."       raw_code^301
Solution: 1. Check the preferred hostname given in webgate (in Access console) in the Host Identifiers section.
              2. Rearrange the modules in httpd.conf by moving load modules to the end of file.
2. Error:
[oracle@atl2-lnx01 bin]$ ./start_ois_server
Using Linux Threading Library.
/disk1/identity_mgmt/Oracle/Middleware/OAM/identitySvr/identity/oblix/apps/common/bin/ois_server: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory
rm: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
OIS Server started with pid: 23568
[oracle@atl2-lnx01 bin]$ /bin/sh: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory.
Solution: Comment out all the lines where it is setting LD_ASSUME_KERNEL to 2.4.19 in start_ois_server and start identity server.
Note: Follow the same solution for starting access server too.

Single Sign-on between Weblogic Server and Weblogic Portal using Oracle Access Manager

This post talks about the architecture, integration aspects and troubleshooting tips for the SSO implementation between WLS and WLP applications.
Architecture:

Description:
The components present in this architecture are Oracle Access Manager 10.1.4.3, Weblogic Server 10.3.0 and Weblogic Portal 10.3.0, SSPI Connector 10.1.4.2.2 and OHS webserver 11g .
The objective is to get Single Sign-On between Weblogic server and weblogic portal resources using SSPI connector.
Two SSPI connectors are used for Weblogic Server and Portal acting in Identity Assertion Provider mode which is available by default configuration. The OHS webserver acting as reverse proxy for both Weblogic Server and portal applications.
Here, the authentication & authz for Weblogic server resource happens through Oracle Access Manager using SSPI connector. However for the Weblogic Portal, only the authentication happens through OAM and Authz happens via Weblogic Portal.
The flow is described as shown below for Single Sign-On when user traverse from WLS to WLP applications:
1. User access Weblogic Server application through Proxy server and it is intercepted by OHS Webgate and checks with Policy Manager if the resource is protected or not.
2. If resource is protected, Webgate challenges user with form login. Form scheme is recommended for SSO solutions.
3. Login details are validated by Access Server and upon successful authentication, it checks if user is authorized to access the resource.
4. If user is authorized to access then Access server creates cookie and passes it to the browser.
5. The mod_proxy plugin present in the OHS server forwards the request to the Weblogic Server.
5. The Weblogic Security Framework invokes the SSPI connector and Identity Assertion provider listens for ObSSOCookie.
6. IAP will then check the user identity taken from the ObSSOCookie with the weblogic.
7. Upon successful verification, requested resource is shown.
8. User will then access the WLP portal application through the reverse proxy server.
Note: The WLP application is not protected by the OAM where as WLS application is protected by OAM.
9. The OHS webgate checks for the presence of cookie in the user session.
10. The ObLoginFilter configured in the web.xml gets invoked and checks for the ObSSOCookie. If its not present then it will present ObLogin.jsp. Since cookie is present in this scenario, it will check with the weblogic if the user is authorized to access the portal.
11. Upon successful authz, portal will be shown.

The flow is described as shown below for Single Sign-On when user traverse from WLP to WLS applications:
1. User access Weblogic portal application through Proxy server and it is intercepted by OHS Webgate and checks with Policy Manager if the resource is protected or not.
2. Since the user session does not have ObSSOCookie present, then ObLogin.jsp will be shown to enter login details.
3. Login details are validated by ASDK against Access Server and generates ObSSOCookie programatically.
4. It also checks against Weblogic if user is authorised to access the portal.
5. If user is authorized then portal page will be shown.
6.The user will then access the WLS application through the reverse proxy.
7. The OHS webgate intercepts request and check for cookie.
8. Since cookie is present, the mod_proxy plugin in OHS will forward request to Weblogic Server.
9. The Weblogic Security Framework invokes the SSPI connector and Identity Assertion provider listens for ObSSOCookie.
10. IAP will then check the user identity taken from the ObSSOCookie with the weblogic.
11. Upon successful verification, requested resource is shown.

Troubleshooting Tips:
1. Ensure that IPValidation for OHS webgate and both Access gates (portal and server) are OFF. Otherwise when user access WLS resource it will prompt for authentication.
2. Ensure that Login filter mappings are added in the portal application web.xml as shown below.

          OblixLoginFilter
          com.oracle.login.ObLoginFilter
     


         
          OblixLoginFilter
          /portlets/login_validate/*
     

web.xml

Oracle Access Manager and Weblogic Portal integration

This post will bring out the key points involved in the integration between Weblogic Portal and Oracle Access Manager using SSPI Connector.
Major Products involved:
1. Weblogic Portal 10.3.0
2. OAM 10.1.4.3
3. SSPI Connector 10.1.4.2.2
Key Points:
1. Create portaldmin user in OAM (as in user store) and assign Admin rights.
2. Create group BEA_Administrators and assign portaladmin user a member of that group.
3. Create NetPointRealm using the command as shown below.
./setupNetPointRealm_wl92.sh portal
4. The param "portal" provided in the above command is essential to create realm necessary for Weblogic portal with specific providers.
5. Ensure to add the p13DataSource in the SQLAuthenticator DataSource field. This makes the users weblogic and portaladmin which are part of myrealm to be available in NetPointRealm. Mark SQLAuthenticator as REQUIRED and OblixAuthenticator as OPTIONAL followed by a weblogic server restart.
6. You should be able to see the group BEA_Administrators in the NetpointRealm Users and Groups column. Copy the group name (eg., cn:EBEA_Administrators:Cdc:Eus:Cdc:Eoracle::Cdc:Ecom).
7. Goto the location, NetpointRealm -> Roles and Policies -> Global Roles -> Roles.
8. Goto the Admin Role and add the conditions to include BEA_Administrators.
9. Goto the PortalSystemAdministrator Role and add the conditions to include BEA_Administrators.
10. Delete the SQLAuthenticator and mark OblixAuthenticator as REQUIRED. SQLAuthenticator is no longer needed as weblogic and portaladmin users are part of OblixAuthenticator.
11. Now login as OAM user to the weblogic portal server.
Note: Follow the key steps 12 & 13 of section 10.5.9 Preparing the WebLogic Environment in the SSPI integration guide .
End-to-End Viewlet:
Please contact me to see the end-to-end viewlet of the usecase scenario.