    Integration of Oracle Access Manager with Oracle Identity Manager

    Posted in "idm, integration, oam, OIM" on 2010-07-22


    This post covers the steps for Integration of Oracle Access Manager with Oracle Identity Manager.

    The objective of this integration is to protect the Oracle Identity Manager User Administration Console using Oracle Access Manager.

    The authentication scheme used in this post is Form-based authentication. Other schemes such as Basic over LDAP, Certificate and Custom are also possible but are not covered here.

    In this case, OIM is deployed in Oracle Application Server (OAS), so this post covers only the OAS-side configuration required for the integration.

    When installing Oracle Identity Manager, one generally selects Default mode, in which OIM handles authentication by itself. The other option is Single Sign-On mode, in which OIM reads a header variable passed by an external authentication system (OAM in our case).

    The architecture is shown in the diagram below.

    Figure: OAM-OIM integration architecture

    The integration flow is explained below:

    1. The user accesses the OIM user administration console.
    2. The WebGate installed on the WebServer (acting as proxy server for the Application Server where OIM is deployed) intercepts the request, checks whether the OIM resource is protected and, if so, challenges the user according to the configured authentication scheme.
    3. The form page is displayed and the user enters credentials.
    4. The WebGate passes the login details to the Access Server for authentication.
    5. Upon successful authentication, the Access Server generates the ObSSOCookie and sends it to the WebGate, which in turn sends it to the browser. The WebGate then checks with the Access Server whether the user is authorized to access the resource.
    6. Upon successful authorization, the WebGate executes the authorization actions, which set the userid header variable.
    7. The WebServer forwards the request to Oracle Identity Manager, which is configured to read the header variable and treats that userid as the logged-in user.

    Configuration changes:

    • We assume that OIM is already deployed in Oracle Application Server, and that a WebServer acting as a proxy in front of it is installed and configured.
    • Install a WebGate on that WebServer.
    • Create a Policy Domain in OAM with host:port/xlWebApp as the resource to be protected.
    • Create an Authorization Rule and, on its Actions tab, configure a HeaderVar action that sets the userid header as shown below.
    • HeaderVar   HTTP_REMOTE_USERID   uid   (action type, header name, attribute whose value is returned)
    • Configure the Authentication Rule and the Authorization Expression in Default Rules.
    • Enable the policy domain.
    • Gracefully stop the Application Server where OIM is deployed.
    • Open the file OIM_HOME/xellerate/config/xlconfig.xml and change the Authentication and AuthHeader elements to SSO and HTTP_REMOTE_USERID respectively, as shown below.
    • From
      <web-client>
        <Authentication>Default</Authentication>
        <AuthHeader>REMOTE_USER</AuthHeader>
      </web-client>
    • To
      <web-client>
        <Authentication>SSO</Authentication>
        <AuthHeader>HTTP_REMOTE_USERID</AuthHeader>
      </web-client>
    • Start the Application Server.
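    The flow and the xlconfig.xml change above can be modelled end to end. The following is an added example written for this post, not OIM or OAM code: it reads the web-client element, models the WebGate on the proxy (protected-resource check, form challenge, HeaderVar action) and shows that OIM only takes the userid from the header when Authentication is SSO. The XML fragments and hostnames are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed xlconfig.xml fragments mirroring the post's "From" and "To" states.
XLCONFIG_DEFAULT = """<xl-configuration><web-client>
<Authentication>Default</Authentication>
<AuthHeader>REMOTE_USER</AuthHeader>
</web-client></xl-configuration>"""
XLCONFIG_SSO = """<xl-configuration><web-client>
<Authentication>SSO</Authentication>
<AuthHeader>HTTP_REMOTE_USERID</AuthHeader>
</web-client></xl-configuration>"""

PROTECTED_RESOURCE = "/xlWebApp"      # resource in the OAM policy domain
SSO_HEADER = "HTTP_REMOTE_USERID"     # HeaderVar set by the authorization action


def load_web_client(xml_text):
    """Return (Authentication, AuthHeader) from the web-client element."""
    wc = ET.fromstring(xml_text).find("web-client")
    return wc.findtext("Authentication"), wc.findtext("AuthHeader")


def webgate_forward(path, session_uid, client_headers):
    """Model of the WebGate on the proxy WebServer (flow steps 2, 5 and 6).

    session_uid is the uid of the authenticated ObSSOCookie session, or None
    when the user has not logged in yet.  Returns the headers forwarded to
    OIM, or None when the WebGate challenges the user with the login form.
    """
    # The SSO header is owned by the WebGate, so a copy arriving from the
    # client is dropped before the authorization action (re)sets it.
    headers = {k: v for k, v in client_headers.items() if k != SSO_HEADER}
    if not path.startswith(PROTECTED_RESOURCE):
        return headers                    # unprotected resource, pass through
    if session_uid is None:
        return None                       # challenge: form-based login
    headers[SSO_HEADER] = session_uid     # action: HeaderVar <- uid attribute
    return headers


def oim_resolve_user(config_xml, forwarded_headers):
    """Model of how OIM picks the logged-in user (flow step 7)."""
    mode, header_name = load_web_client(config_xml)
    if mode == "SSO":
        return forwarded_headers.get(header_name)
    return None   # Default mode: OIM shows its own login page, header ignored


if __name__ == "__main__":
    fwd = webgate_forward("/xlWebApp/", "jdoe", {"Host": "oim.example:7777"})
    print(oim_resolve_user(XLCONFIG_SSO, fwd))      # jdoe
```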

    Test the integration:
    Access the OIM console, i.e. http://host:port/xlWebApp, and you will notice that the OAM form page is displayed for entering the credentials. Enter the login details and check that the logged-in user shown on the right side is the user who actually logged in.

    Observations:

    You can observe that the Logout link vanishes after the OAM-OIM integration. This is because, once configured for SSO, OIM expects the logout page to be specified by OAM. I will cover this part in the next post.


    8 Responses to “Integration of Oracle Access Manager with Oracle Identity Manager”

    1. dearsud1981 says:

      Hi Mahendra,

      It's a nice post; however, I would like to understand step 6 here:

      Upon successful authorization, WebGate will execute the authorization actions which sets userid header variable. Access Server generates ObSSOCookie and sends it to WebGate which in turn sends it to browser.

      As per my understanding, usually the Oracle Access Server generates the ObSSOCookie after successful authentication itself, not during authorization. Please correct me if I am missing anything here.

    2. gemini says:

      Hi,
      Do you know how to do OIM-OAM integration for 11g?
      Please upload the same if you have done it.

    3. Odesa says:

      Hello mahendras, how are you?
      Do you know how to do OIM-OAM integration for 11g? I need an example if you have done it.

      Thank you

    4. Mahendra says:

      Odesa,

      Please post your queries on OAM-OIM integration in 11g. Please read the Oracle documentation and let me know if you run into any issues.

      -Mahendra.

    5. Sankar says:

      Mahendra,
      How do you get the HTTP header variables in an Oracle Forms 11g application?

    6. German Pabon says:

      Hi Mahendra.

      I followed all the docs to integrate OAM with OIM, but with different hosts, not just one machine.

      http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/oim.htm

      After finishing step 5.2, I cannot log in to Identity Manager and I get the following error:

      <An error occurred while initializing the event handler that adds missing LDAP object classes, and the corresponding error is – com.thortech.xl.dataaccess.tcDataSetException: Dataset is not open

      I did every step, not skipping any.

      Hope you can help.

      Thanks

    7. Mahendra says:

      This OIM error could be due to DB connectivity problems. Did you restart OIM and OAM services? Does it prompt for authentication at all?
