Managing Security and User Access 5-13
Version: 1 Trust this certificate? [no]: yes
Certificate was added to keystore
5.2.3 Configuring Oracle UCM for Single Sign-On
Oracle provides several single sign-on solutions. Oracle Access Manager (OAM) is the recommended single sign-on (SSO) solution for Oracle Fusion Middleware enterprise-class installations, including Oracle Universal Content Management (Oracle UCM). OAM is part of Oracle's suite of enterprise-class products for identity management and security. For more information, see "Choosing the Right SSO Solution for Your Deployment" in Oracle Fusion Middleware Application Security Guide.
If your enterprise-class installation uses Microsoft desktop logins that authenticate with a Microsoft domain controller with user accounts in Active Directory, then configuring single sign-on may be an option. See Section 5.2.3.6, "Configuring Oracle UCM and Single Sign-On for WNA."
Configuration information is provided in the following sections:
■ Section 5.2.3.1, "Configuring Oracle Access Manager 11g with Oracle UCM"
■ Section 5.2.3.2, "Configuring Oracle Access Manager 10g with Oracle UCM"
■ Section 5.2.3.3, "Configuring Oracle Single Sign-On for Oracle UCM"
■ Section 5.2.3.4, "Configuring the First Authentication Provider"
■ Section 5.2.3.5, "Configuring the Oracle UCM URL for Single Sign-On"
■ Section 5.2.3.6, "Configuring Oracle UCM and Single Sign-On for WNA"
5.2.3.1 Configuring Oracle Access Manager 11g with Oracle UCM
This section describes how to integrate Oracle UCM with Oracle Access Manager (OAM) 11g. Configuration information is provided for Universal Content Management (UCM), Universal Records Management (URM), Inbound Refinery (IBR), and Site Studio (SS).
Before you can configure Oracle Access Manager (OAM) 11g, install the software using the instructions provided in "Installing the Oracle Identity Management 11g Software" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
1. Configure Oracle Access Manager (OAM), Oracle HTTP Server (OHS), and WebGate as described in "Setting Up OAM Agents" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
a. Append entries to the mod_wl_ohs.conf file for Oracle UCM to add Enterprise Content Management (ECM) Uniform Resource Identifiers (URIs) to forward. Use the appropriate location entries from the following example. Each entry in the example maps the incoming path to the appropriate Oracle WebLogic Server on which the corresponding application resides.
In the following list of entries, hostname represents the name of the computer hosting the Oracle UCM server, and portnumber represents the port number of the Oracle WebLogic Server on which the corresponding application resides. Replace hostname and portnumber with your system's host name and port number.
5-14 Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server
# UCM Content Server
<Location /cs>
    SetHandler weblogic-handler
    WebLogicHost hostname
    WebLogicPort portnumber
</Location>
# UCM Content Server authentication
<Location /adfAuthentication>
    SetHandler weblogic-handler
    WebLogicHost hostname
    WebLogicPort portnumber
</Location>
# UCM online help
<Location /_ocsh>
    SetHandler weblogic-handler
    WebLogicHost hostname
    WebLogicPort portnumber
</Location>
# IBR
<Location /ibr>
    SetHandler weblogic-handler
    WebLogicHost hostname
    WebLogicPort portnumber
</Location>
# URM
<Location /urm>
    SetHandler weblogic-handler
    WebLogicHost hostname
    WebLogicPort portnumber
</Location>
# SS
<Location /customer-configured-site-studio>
    SetHandler weblogic-handler
    WebLogicHost hostname
    WebLogicPort portnumber
</Location>
Note: The URIs you forward depend on the Oracle UCM functionality that you have installed. Use the appropriate location entry for your functionality. For example: /cs, /adfAuthentication, /_ocsh, /ibr, /urm.
For Site Studio, the URI to forward is configured by the customer. For example, if the site is accessed as /mysite, then you need to append a location entry for /mysite.
Caution: The Oracle UCM Content Server location (/cs) can be customized, so the /cs designation cannot guarantee that HTTP requests will include the correct location. If /cs has been changed, then forward the location the administrator has configured.
b. Use the OAM remote registration tool (oamreg) to register an OAM Agent, specifying Oracle UCM URIs to protect and to make public. See "Provisioning an OAM Agent with Oracle Access Manager 11g" in Oracle Fusion Middleware Application Security Guide.
For more information, see "Setting Up OAM Agents" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Functionality  Type     URI
UCM            Protect  /adfAuthentication
UCM            Public   /cs
UCM            Public   /_ocsh
IBR            Protect  /ibr/adfAuthentication
IBR            Public   /ibr
URM            Protect  /urm/adfAuthentication
URM            Public   /urm
SS             Protect  customer-configured-for-site-studio
Note: The URIs you protect and make public depend on the Oracle UCM functionality that you have installed: Universal Content Management (UCM), Inbound Refinery (IBR), Universal Records Management (URM), Site Studio (SS).
For Site Studio, the URI to protect is configured by the customer. For example, if the site is accessed as /mysite, then you need to specify the URI /mysite.
Note: If the URL for Oracle UCM does not link correctly after completing the OAM configuration, you might need to change the server host and server port values. For details, see Section 5.2.3.5, "Configuring the Oracle UCM URL for Single Sign-On."
2. Configure the Oracle UCM domain by ensuring you perform these tasks. See "Deploying the Oracle Access Manager 11g SSO Solution" in Oracle Fusion Middleware Application Security Guide.
a. Configure the OAM Identity Asserter. The control flag for the OAM Identity Asserter must be set to REQUIRED, and both OAM_REMOTE_USER and ObSSOCookie must be selected as Active Types.
See "Identity Asserter for Single Sign-on Function," "About Using the Identity Asserter for SSO with OAM 11g and 11g WebGates," and "Configuring Identity Assertion for SSO with Oracle Access Manager 11g" in Oracle Fusion Middleware Application Security Guide.
b. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OAM is using OID, then an OID Authentication provider must be added to the Oracle UCM domain.
See "Installing the Authentication Provider with Oracle Access Manager 11g" and "Setting Up Providers for Oracle Access Manager Identity Assertion" in Oracle Fusion Middleware Application Security Guide.
See Table 12-1 in Oracle Fusion Middleware Application Security Guide for information on the differences when deploying the Authentication Provider with OAM 10g versus OAM 11g.
c. Configure the OPSS OAM Single Sign-On provider. See "Configuring Oracle WebLogic Server for a Web Application Using ADF Security, OAM SSO, and OPSS SSO" in Oracle Fusion Middleware Application Security Guide.
3. After installing and configuring OAM 11g, check that you can access all of the configured applications, and that the login gives you access to all of your configured applications without prompting you to sign in again. Also test global logout where available and make sure you are logged out of all other related applications.
For more information, see "Configuring Centralized Log Out for Oracle Access Manager 11g" in Oracle Fusion Middleware Application Security Guide and Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
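As an added consistency check for steps 1a and 1b (example code written for this section, not part of the Oracle guide or the product), the script below parses the Location entries out of a mod_wl_ohs.conf fragment, builds the protect/public URI list from the OAM agent table for the installed functionality, and reports any URI that no entry forwards to WebLogic. The host names, ports and the /content root are constructed values; the cs_root parameter models the Caution about a customized Content Server location.

```python
import re
# Constructed mod_wl_ohs.conf fragment in the step 1a layout, with the
# hostname/portnumber placeholders replaced by made-up example values.
SAMPLE_CONF = """
<Location /cs>
  SetHandler weblogic-handler
  WebLogicHost ucm.example.com
  WebLogicPort 16200
</Location>
<Location /ibr>
  SetHandler weblogic-handler
  WebLogicHost ibr.example.com
  WebLogicPort 16250
</Location>
"""
LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)

def parse_locations(conf):
    """Map each forwarded path to its (WebLogicHost, WebLogicPort)."""
    out = {}
    for path, body in LOCATION_RE.findall(conf):
        host = re.search(r"WebLogicHost\s+(\S+)", body)
        port = re.search(r"WebLogicPort\s+(\d+)", body)
        if host and port and re.search(r"SetHandler\s+weblogic-handler", body):
            out[path] = (host.group(1), int(port.group(1)))
    return out

def expected_uris(installed, cs_root="/cs", site_studio_roots=()):
    """(uri, 'Protect'|'Public') rows of the OAM agent table for the installed
    functionality; cs_root models the Caution about a customized Content
    Server location, site_studio_roots the customer-configured SS URIs."""
    table = {
        "UCM": [("/adfAuthentication", "Protect"), (cs_root, "Public"),
                ("/_ocsh", "Public")],
        "IBR": [("/ibr/adfAuthentication", "Protect"), ("/ibr", "Public")],
        "URM": [("/urm/adfAuthentication", "Protect"), ("/urm", "Public")],
    }
    rows = [row for name in installed for row in table[name]]
    return rows + [(root, "Protect") for root in site_studio_roots]

def missing_forwards(conf, installed, cs_root="/cs", site_studio_roots=()):
    """Expected URIs that no <Location> entry in conf forwards. A nested path
    such as /ibr/adfAuthentication is covered by its parent entry /ibr."""
    forwarded = parse_locations(conf)
    return [uri for uri, _ in expected_uris(installed, cs_root, site_studio_roots)
            if not any(uri == p or uri.startswith(p.rstrip("/") + "/")
                       for p in forwarded)]
```

Run it against the real mod_wl_ohs.conf with the functionality actually installed; an empty result from missing_forwards means every URI the OAM agent protects or publishes also reaches a WebLogic Server.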
5.2.3.2 Configuring Oracle Access Manager 10g with Oracle UCM