Locate the remote registration script.

Configuring Single Sign-On with Oracle Access Manager 11g 15-17

Each WebLogic security realm must have at least one Authentication Provider configured. The WebLogic Security Framework is designed to support multiple Authentication Providers (and thus multiple LoginModules) for multipart authentication. As a result, you can use multiple Authentication Providers, as well as multiple types of Authentication Providers, in a security realm. The Control Flag attribute determines how the LoginModule for each Authentication Provider is used in the authentication process.

Oracle WebLogic Server offers several types of Authentication and Identity Assertion providers, including, among others:

■ The default WebLogic Authentication Provider (Default Authenticator) allows you to manage users and groups in one place, the embedded WebLogic Server LDAP server. This Authenticator is used by the Oracle WebLogic Server to log in administrative users.

■ Identity Assertion uses token-based authentication; the Oracle Access Manager Identity Asserter is one example. This must be configured to use the appropriate action for the installed WebGate (either 10g or 11g).

■ LDAP Authentication Providers store user and group information in an external LDAP server. They differ primarily in how they are configured by default to match typical directory schemas for their corresponding LDAP server. Oracle WebLogic Server 10.3.1+ provides OracleInternetDirectoryAuthenticator.

When you configure multiple Authentication Providers, use the JAAS Control Flag for each provider to control how the Authentication Providers are used in the login sequence. You can choose the following JAAS Control Flag settings, among others:

■ REQUIRED—The Authentication Provider is always called, and the user must always pass its authentication test. Regardless of whether authentication succeeds or fails, authentication still continues down the list of providers.

■ SUFFICIENT—The user is not required to pass the authentication test of the Authentication Provider. If authentication succeeds, no subsequent Authentication Providers are executed. If authentication fails, authentication continues down the list of providers.

■ OPTIONAL—The user is allowed to pass or fail the authentication test of this Authentication Provider. However, if all Authentication Providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.

When additional Authentication Providers are added to an existing security realm, the Control Flag is set to OPTIONAL by default. You might need to change the setting of the Control Flag and the order of providers so that each Authentication Provider works properly in the authentication sequence.
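The Control Flag rules above are the standard JAAS LoginModule rules. To make their interaction concrete, here is an added Python model (not code from the Oracle guide, and not WebLogic's own implementation) that evaluates a constructed provider chain under each flag. The provider names, the two credential tables, the passwords, and the helpers authenticate, chain and demo are all illustrative assumptions, and the model covers only the three flags listed on this page. It also shows why the order of providers matters: a SUFFICIENT provider placed ahead of a REQUIRED one returns on success before the REQUIRED provider is ever consulted, so that check is skipped for the user in question, whereas with the REQUIRED provider first its failure cannot be rescued by a later SUFFICIENT pass.

```python
# Added example (not from the Oracle guide and not WebLogic's own code): a small
# model of how a JAAS-style login chain combines the result of each
# Authentication Provider according to its Control Flag.  Provider names,
# credential stores and passwords below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

REQUIRED, SUFFICIENT, OPTIONAL = "REQUIRED", "SUFFICIENT", "OPTIONAL"


@dataclass
class Provider:
    name: str
    flag: str
    # Stands in for the provider's LoginModule: True means it accepted the user.
    login: Callable[[str, str], bool]


def authenticate(chain: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the chain in order; return (overall result, list of providers consulted)."""
    consulted: List[str] = []
    saw_required = False
    required_failed = False
    non_required_passed = False
    for p in chain:
        ok = p.login(user, password)
        consulted.append(f"{p.name}[{p.flag}]={'ok' if ok else 'fail'}")
        if p.flag == REQUIRED:
            saw_required = True
            if not ok:
                required_failed = True      # keep going: later providers are still called
        elif p.flag == SUFFICIENT:
            if ok and not required_failed:
                return True, consulted      # success stops the chain right here
            non_required_passed |= ok
        elif p.flag == OPTIONAL:
            non_required_passed |= ok       # pass or fail, the chain continues
        else:
            raise ValueError(f"unknown Control Flag {p.flag!r} on {p.name}")
    if saw_required:
        return not required_failed, consulted
    # No REQUIRED provider in the chain: at least one provider must have passed.
    return non_required_passed, consulted


def directory_login(users: Dict[str, str]) -> Callable[[str, str], bool]:
    """Build a LoginModule stand-in backed by a constructed user/password table."""
    return lambda user, password: users.get(user) == password


def chain(*specs: Tuple[str, str, Dict[str, str]]) -> List[Provider]:
    return [Provider(name, flag, directory_login(users)) for name, flag, users in specs]


# Constructed stores: an external LDAP directory and the embedded WebLogic LDAP.
EXTERNAL_LDAP = {"jdoe": "ldap-pass"}
EMBEDDED_LDAP = {"weblogic": "embedded-pass"}


def demo() -> Dict[str, bool]:
    """Outcomes for the same credentials under different flags and orderings."""
    # Default after adding a provider: every Control Flag is OPTIONAL, so any one pass suffices.
    all_optional = chain(("OIDAuthenticator", OPTIONAL, EXTERNAL_LDAP),
                         ("DefaultAuthenticator", OPTIONAL, EMBEDDED_LDAP))
    # Two-directory chain: a SUFFICIENT pass stops the chain early.
    both_sufficient = chain(("OIDAuthenticator", SUFFICIENT, EXTERNAL_LDAP),
                            ("DefaultAuthenticator", SUFFICIENT, EMBEDDED_LDAP))
    # Same two providers, one REQUIRED, in two orders.
    required_first = chain(("OIDAuthenticator", REQUIRED, EXTERNAL_LDAP),
                           ("DefaultAuthenticator", SUFFICIENT, EMBEDDED_LDAP))
    sufficient_first = chain(("DefaultAuthenticator", SUFFICIENT, EMBEDDED_LDAP),
                             ("OIDAuthenticator", REQUIRED, EXTERNAL_LDAP))
    return {
        "optional_ldap_user": authenticate(all_optional, "jdoe", "ldap-pass")[0],
        "optional_bad_password": authenticate(all_optional, "jdoe", "wrong")[0],
        "sufficient_ldap_user": authenticate(both_sufficient, "jdoe", "ldap-pass")[0],
        "sufficient_embedded_user": authenticate(both_sufficient, "weblogic", "embedded-pass")[0],
        # The REQUIRED directory rejects the embedded user; the later SUFFICIENT pass cannot rescue it.
        "required_first_embedded_user": authenticate(required_first, "weblogic", "embedded-pass")[0],
        # With SUFFICIENT ahead of REQUIRED, the early pass returns before the REQUIRED provider runs.
        "sufficient_first_embedded_user": authenticate(sufficient_first, "weblogic", "embedded-pass")[0],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'authenticated' if result else 'rejected'}")
```

Running the block prints one line per case; the two "embedded_user" cases differ only in provider order, which is the point to check whenever a realm's provider list is rearranged or a new provider is left at its OPTIONAL default.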

15.2.3.2.2 About the Oracle WebLogic Scripting Tool (WLST)

This topic introduces WLST, if you are new to it. You can add providers to a WebLogic domain using either the Oracle WebLogic Administration Console or the Oracle WebLogic Scripting Tool (WLST) command-line tool.

See Also: "Configuring Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server for a complete list of Authentication Providers and details about configuring the Oracle Internet Directory provider to match the LDAP schema for user and group attributes

15-18 Oracle Fusion Middleware Application Security Guide

WLST is a Jython-based command-line scripting environment that you can use to manage and monitor WebLogic Server domains. Generally, you can use this tool online or offline. You can use this tool interactively on the command line, in batches supplied in a file (Script Mode, where scripts invoke a sequence of WLST commands without requiring your input), or embedded in Java code.

When adding Authentication Providers to a WebLogic domain, you can use WLST online to interact with an Authentication Provider and add, remove, or modify users, groups, and roles. When you use WLST offline to create a domain template, WLST packages the Authentication Provider's data store along with the rest of the domain documents. If you create a domain from the domain template, the new domain has an exact copy of the Authentication Provider's data store from the domain template. However, you cannot use WLST offline to modify the data in an Authentication Provider's data store.

15.2.3.2.3 Configuring Oracle WebLogic Server for a Web Application Using ADF Security, OAM SSO, and OPSS SSO

On the Oracle WebLogic Server, you can run a Web application that uses Oracle's Application Development Framework (Oracle ADF) security, integrates with Oracle Access Manager Single Sign On (SSO), and uses Oracle Platform Security Services (OPSS) SSO for user authentication. However, before the Web application can be run, you must configure the domain-level jps-config.xml file on the application's target Oracle WebLogic Server for the Oracle Access Manager security provider.

The domain-level jps-config.xml file is in the following path and should not be confused with the deployed application's jps-config.xml file:

domain_home/config/fmwconfig/jps-config.xml

You can use an Oracle Access Manager-specific WLST script to configure the domain-level jps-config.xml file, either before or after the Web application is deployed. This Oracle JRF WLST script is named as follows:

Linux: wlst.sh
Windows: wlst.cmd

The Oracle JRF WLST script is available in the following path if you are running through JDev:

JDEV_HOME/oracle_common/common/bin

In a standalone JRF WebLogic installation, the path is:

Middleware_home/oracle_common/wlst

Note: You cannot use WLST offline to modify the data in an Authentication Provider's data store.

See Also:
■ "Configuring Oracle WebLogic Server for a Web Application Using ADF Security, OAM SSO, and OPSS SSO"
■ Oracle Fusion Middleware Oracle WebLogic Scripting Tool
■ Oracle Fusion Middleware WebLogic Scripting Tool Command Reference, "Infrastructure Security Commands" chapter