Tuesday, December 20, 2011

OAM 11g - UCM Integration

I have been involved with many customer's who are integrating OAM 11g with Universal Content Manager 11g (UCM) and I know that trying to follow the OAM documentation can be daunting. So I put together my own integration document/Blog. Not to re-invent the wheel, this post utilizes what we already have in terms of documentation. Think of this as a checklist and the steps that I implemented to get my own internal environment working.


Prerequisites

  1. Install and configure UCM
  2. Install a weblogic plug-in on OHS that fixes a bug for UCM. http://www.oracle.com/technetwork/middleware/ias/downloads/wls-plugins-096117.html

High Level Steps/Checklist

  1. Configure an OHS server to proxy all request to UCM (/cs, /adfAuthentication and /_ocsh).
  2. Register a webgate with the URL’s you want to protect.
  3. Configure an OAM Identity Asserter and LDAP/OVD provider in Weblogic.
  4. Validate users can access UCM with WLS Security.
  5. Install a webgate on OHS server and validate.

Detail Steps

  1. Follow the documentation to configure OAM Access Manager 11g with Oracle UCM, Section 5.2.3.1: http://download.oracle.com/docs/cd/E21764_01/doc.1111/e10792/c03_security.htm#CDDHGCCC

Note: The documentation is not clear whether to install the Webgate on the OHS server first. Recommend to install the webgate at the end.


5.2.3.1 - Configuring Oracle Access Manager 11g with Oracle UCM
1.
a. In our use case, we only need to protect the UCM URI’s below.

# UCM Content Server

<Location /cs>

SetHandler weblogic-handler

WebLogicHost <hostname>

WebLogicPort <portnumber>

</Location>

# UCM Content Server authentication

<Location /adfAuthentication>

SetHandler weblogic-handler

WebLogicHost<hostname>

WebLogicPort <portnumber>

</Location>

#UCM online help

<Location /_ocsh>

SetHandler weblogic-handler

WebLogicHost <hostname>

WebLogicPort <portnumber>

</Location>


b. Use the remote registration tool oamreg as follows in section 15.2.2.2:

http://download.oracle.com/docs/cd/E21764_01/core.1111/e100/osso_b_oam11g.htm#JISEC9104


15.2.2.2 - Provision with 11g Webgate
1. Acquire the tool
a. The rreg tool can be found and executed on the same box where OAM is installed. No need to un-tar.
2. Created a new UCM-Request.xml:

<OAM11GRegRequest>

<serverAddress>http://ateam-hq66.us.oracle.com:7003</serverAddress>

<hostIdentifier>UCM-INT</hostIdentifier>

<agentName>UCM-INT</agentName>

<protectedResourcesList>

<resource>/adfAuthentication</resource>

</protectedResourcesList>

<publicResourcesList>

<resource>/cs</resource>

<resource>/_ocsh</resource>

</publicResourcesList>

</OAM11GRegRequest>

3. On the command line, execute the following:

./bin/oamreg.sh inband input/UCM-Request.xml

When asked to enter the admin and password, make sure the user is part of the system store you configured for OAM (e.g testuser1/welcome1)

2. Continuing Section 5.2.3.1
Notes:

You can configure the OAM Asserter and LDAP/OVD Authenticator before installing a webgate. Once the LDAP/OVD authenticator is configured, recommend to test UCM and make sure that you can bind to a user that is created within the provider you configured.

The order of the provider’s should be as follows:


OAM Identity Asserter
The following ‘Common’ parameters should be set as:


Leave the default values for the ‘Provider Specific’ tab.

OVD Provider
‘Common’ tab:


‘Provider Specific’ tab:

Based on the backend LDAP repository, make sure that you specify the correct object class and user name attribute within the LDAP filters. In our case, we used ‘inetorgperson’ and ‘uid’ for a user object and ‘groupofuniquenames’ and ‘uniqumembers’ for groups.


3. After Installing and configuring OAM 11g……

a. Recommend installing the webgate now. No good links in the documentation to install webgate 11g. Use the following: http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/webgate.htm#CACCBCFF

Notes:
Section 20.2.4
You will need the gcc libraries. Can get them here:
http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html

Look for ‘GCC Libraries for Oracle Identity Federation’

Use the following cpio file to extract the gcc libraries:
cpio -idvm <cpio-file>

Section 20.4
Step 2 - Ran the command:
./deployWebgateInstance.sh –w /u0/Oracle/Middleware11.1.1.5/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /u0/Oracle/Middleware11.1.1.5/Oracle_OAMWebgate1

Step 3 –
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u01/Oracle/Middleware11.1.1.5/Oracle_WT1/lib

Step 5 – Ran the command:
./EditHttpConf –w /u01/Oracle/Middleware11.1.1.5/Oracle_WT1/instances/instance1/config/OHS/.ohs1

b. Next you will need to copy the artifacts that were generated in step 3 from section 15.2.2.2. Copy the ‘ObAccessClient.xml’ and ‘cwallet.sso’ located in the ‘output/UCM-INT’ directory under ‘rreg’ to the /config directory.

Webgate installation completed. Make sure that the oam managed server is running and restart the OHS server.


Trouble shooting tips:

  • Cannot login via OAM – A few things to verify:
  • Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.
  • Make sure that the OVD provider in WLS matches the same OAM data store configuration.
  • Login looping issue
  • In some cases we see a looping issue when using IE when the time sync of off between the webgate machine and the OAM server machine.
  • Logout not working
    • Please follow the instructions to configure UCM logout with OAM. http://download.oracle.com/docs/cd/E17904_01/doc.1111/e14770/ucm.htm#ASRLA3579

In my next post, I will continue to integrate my OAM environment to include the Image Processing Management (IPM) tool, which requires UCM.

Tuesday, December 13, 2011

Multiple Identity Providers with Oracle Identity Federation and Access Manager as Service Provider

Whew, that’s a mouthful for a title, but IdP N..1 SP [OIF+OAM] was probably too cryptic. Let me describe the use-case in a little more detail. Imagine if you will an education application that the state wants to surface to the various school districts. The districts want to manage user accounts and federate into the state’s application. In order to consolidate policy enforcement for both internal and external users, the state needs a single point of entry controlled by an access control system.

The documentation for Oracle Access Manager (OAM) and Oracle Identity Federation (OIF) integration on the service provider (SP) (http://docs.oracle.com/cd/E21764_01/doc.1111/e15740/oif.htm#CACJDDGE) implies that this can only be done with a single identity provider (IdP). By setting OIFScheme as the authentication scheme for the application, OAM can redirect to the service provider on OIF, which will trigger an SP-initiated Single Sign-On (SSO). There is no way to declare which IdP to use in this scenario, however. Thus, a different trigger mechanism is required for the multiple IdP scenario, plus we need to account for internal state users as well. One approach is to leverage OAM form authentication with hyperlinks to an IdP discovery page, or static links to each campus trigger for SP-initiated SSO. The format in OIF for this is http(s)://<oif>: <oif_port>/fed/sp/initiatesso?providerid=CAMPUS1&returnurl=<URL of destination app>. Once the IdP sends its SAML Response to the OIF service provider, OIF will make authentication & authorization request to OAM Policy Decision Point (PDP) based on the returnurl parameter. If successful, OIF will redirect client to the destination application with a token that the OAM Policy Enforcement Point (PEP) will honor.

One gotcha here is that the returnurl must be protected by the OIFScheme, not the form-based scheme used for internal users. That creates a challenge in that you essentially need two protected URLs for entry into the app, one to trigger the initial form authentication and one to map the external/federated users. If having all external users end up at the same portal site after authentication is acceptable, one can map the OIFScheme to a pseudoURL. You can then configure an OnAuthenticationSuccess redirect to the landing page. This pattern is only suitable if all external users come to the same page upon successful federation. I tried basing the federation policy on a query parameter, i.e. returnurl=/mysite?external=true, but OAM did not seem evaluate the query parameter, only the application context.

Another hitch is that I don’t think a 10g WebGate can consume the identity token set by the service provider. I haven’t tested to validate, but I suspect that only the 11g WebGate can consume the OAM_ID cookie. Thus, if you have a mixed environment, you will need an OHS 11g instance to handle external user traffic, while redirecting to other web servers only after an authentication cookie has been set.