a. Set the value for the IdP Provider ID from the list, for example: Default

b. Set the value for Authn Request Binding to HTTP POST from the list.

c. Select Use Default Configuration.

18-36 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management

18.4.4.7 Updating the Default Authentication Engine to Oracle Access Manager

In Section 18.4.4.4, "Updating the Default Authentication Engine to LDAP Engine," you set the Default Authentication Engine to LDAP Engine for validating the SP Mode configuration. You must set it back to Oracle Access Manager. This step is not required when the Oracle Identity Federation instances are configured to protect a resource only in the SP mode or only in the IdP mode.

To set the Default Authentication Engine, log in to the Oracle Enterprise Manager Fusion Middleware Control at http://admin.mycompany.com/em as the WebLogic administration user. Then perform the following steps:

1. Locate and select the Oracle Identity Federation instance under Identity and Access.

2. Navigate to Administration, then Authentication Engines.

3. Select Oracle Access Manager as the Default Authentication Engine from the list.

4. Click Apply to save the changes.

18.4.4.8 Validating Authentication Mode Configuration

Follow these steps to validate the Authentication mode configuration:

1. Access the Test SP SSO page at: https://sso.mycompany.com/fed/user/testspsso

2. Make the following selections on the Initiate Federation SSO page:

a. Set the value for the IdP Provider ID from the list, for example: Default

b. Set the value for Authn Request Binding to HTTP POST from the list.

c. Select Use Default Configuration.

3. Click Start SSO.

4. Enter the credentials of the weblogic_idm user on the Oracle Access Manager login page.

5. The Federation SSO Operation Result page is displayed. Validate that the SSO Authentication Result is successful for the user.

18.5 Auditing Identity Management

Oracle Fusion Middleware Audit Framework is a new service in Oracle Fusion Middleware 11g, designed to provide a centralized audit framework for the middleware family of products. The framework provides audit service for platform components such as Oracle Platform Security Services (OPSS) and Oracle Web Services. It also provides a framework for JavaEE applications, starting with Oracle's own JavaEE components. JavaEE applications are able to create application-specific audit events. For non-JavaEE Oracle components in the middleware, such as C or JavaSE components, the audit framework also provides an end-to-end structure similar to that for JavaEE applications.

Figure 18–1 is a high-level architectural diagram of the Oracle Fusion Middleware Audit Framework.

Figure 18–1 Audit Event Flow

The Oracle Fusion Middleware Audit Framework consists of the following key components:

■ Audit APIs

These are APIs provided by the audit framework for any audit-aware components integrating with the Oracle Fusion Middleware Audit Framework. During run-time, applications may call these APIs where appropriate to audit the necessary information about a particular event happening in the application code. The interface enables applications to specify event details such as username and other attributes needed to provide the context of the event being audited.

■ Audit Events and Configuration

The Oracle Fusion Middleware Audit Framework provides a set of generic events for convenient mapping to application audit events. Some of these include common events such as authentication. The framework also enables applications to define application-specific events.

These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services. Configurations can be updated through the Enterprise Manager UI and the WLST command-line tool.

■ The Audit Bus-stop

Bus-stops are local files containing audit data before they are pushed to the audit repository. In the event where no database repository is configured, these bus-stop files can be used as a file-based audit repository. The bus-stop files are simple text files that can be queried easily to look up specific audit events. When a DB-based repository is in place, the bus-stop acts as an intermediary between the component and the audit repository. The local files are periodically uploaded to the audit repository based on a configurable time interval.

■ Audit Loader

As the name implies, the audit loader loads the files from the audit bus-stop into the audit repository. In the case of platform and JavaEE application audit, the audit loader is started as part of the JavaEE container start-up. In the case of system components, the audit loader is a periodically spawned process.

■ Audit Repository

The Audit Repository contains a pre-defined Oracle Fusion Middleware Audit Framework schema, created by the Repository Creation Utility (RCU). Once configured, all the audit loaders are aware of the repository and upload data to it periodically. The audit data in the audit repository is expected to be cumulative and grow over time. Ideally, this should not be an operational database used by any other applications; rather, it should be a standalone RDBMS used for audit purposes only. In a highly available configuration, Oracle recommends that you use an Oracle Real Application Clusters (Oracle RAC) database as the audit data store.

■ Oracle Business Intelligence Publisher

The data in the audit repository is exposed through pre-defined reports in Oracle Business Intelligence Publisher. The reports enable users to drill down into the audit data based on various criteria. For example:

– Username

– Time Range

– Application Type

– Execution Context Identifier (ECID)

For more introductory information on the Oracle Fusion Middleware Audit Framework, see the "Introduction to Oracle Fusion Middleware Audit Framework" chapter in the Oracle Fusion Middleware Application Security Guide.

For information on how to configure the repository for Oracle Fusion Middleware Audit Framework, see the "Configuring and Managing Auditing" chapter in the Oracle Fusion Middleware Application Security Guide.

The EDG topology does not include Oracle Fusion Middleware Audit Framework configuration. The ability to generate audit data to the bus-stop files and the configuration of the audit loader are available once the products are installed. The main consideration is the audit database repository where the audit data is stored. Because of the volume and the historical nature of the audit data, it is strongly recommended that customers use a separate database from the operational store or stores being used for other middleware components.

19 Configuring Single Sign-on for Administration Consoles

This chapter describes how to configure single sign-on (SSO) for administration consoles. The administration consoles referred to in the chapter title are:

■ Oracle Enterprise Manager Fusion Middleware Control

■ Oracle WebLogic Server Administration Console

■ Oracle Access Manager Console

■ Oracle Identity Manager Console

■ Oracle APM Console

■ Oracle Adaptive Access Manager Administration Console

This chapter includes the following topics:

■ Section 19.1, "Configuring Single Sign-On for Administration Consoles with Oracle Access Manager 11g"