About Using the Identity Asserter Function with Oracle Access Manager

Introduction to Single Sign-On in Oracle Fusion Middleware

WebLogic administrators to use Oracle Access Manager to control user access to business applications. The Oracle Access Manager Security Provider for WebLogic SSPI provides authentication to Oracle WebLogic Portal resources and supports single sign-on between Oracle Access Manager and Oracle WebLogic Portal Web applications. In addition, the Security Provider for WebLogic SSPI offers user and group management functions. The Oracle Access Manager Authentication Provider is more easily installed and configured than the Security Provider for WebLogic SSPI. The Authentication Provider offers authentication and single sign-on (SSO) services, and works with all platforms supported by Oracle WebLogic Server. If your application has been using the Oracle Access Manager Security Provider for WebLogic SSPI for authentication and SSO only, the deployment is a good candidate for the latest Authentication Provider. However, if your application relies on features other than those offered by the latest Oracle Access Manager Authentication Provider (for example, the user and group management functions), you can continue to use the Oracle Access Manager 10g Security Provider for WebLogic SSPI.

14.2.4 Implementation: Using the Provider with OAM 11g versus OAM 10g

With very few differences, implementing SSO solutions is similar whether you are using OAM 11g or OAM 10g to protect applications in a WebLogic container. Table 14–1 outlines the differences when deploying the Authentication Provider with OAM 11g versus OAM 10g.

Note: Security Provider for WebLogic SSPI is also known as Security Provider in the 10g (10.1.4.3) Oracle Access Manager Integration Guide.

Note: The WebLogic SSPI connector can be used with Oracle Access Manager 10g but is not supported with Oracle Access Manager 11g.

See Also: Applications Using OAM Security Provider for WebLogic SSPI on page 14-10

Oracle Fusion Middleware Application Security Guide

14.2.5 Requirements for the Provider with Oracle Access Manager

The required components and files for implementing the Authentication Provider are nearly identical whether you have OAM 11g or OAM 10g as the SSO solution. The few exceptions are noted in the following list:

■ An enterprise directory server (Oracle Internet Directory or Oracle Sun One Directory Server) for Oracle Access Manager and Oracle WebLogic Server.

■ Oracle WebLogic Server 10.3.1+, configured to use the Oracle Access Manager Authentication Provider as described later in this chapter.

■ Optional: A Fusion Middleware product (Oracle Identity Manager, Oracle SOA Suite, or Oracle WebCenter, for example).

■ Authentication Provider: For applications deployed in a WebLogic container, the Oracle Access Manager JAR and WAR files are available when you install an Oracle Fusion Middleware product (Oracle Identity Management, Oracle SOA Suite, or Oracle WebCenter).

Note: With a stand-alone Oracle WebLogic Server (no Fusion Middleware), you must obtain the Authentication Provider JAR and WAR files from Oracle Technology Network, as described in Step 1 of the procedures later in this chapter.

– oamAuthnProvider.jar: Includes files for both the Oracle Access Manager Identity Asserter for single sign-on and the Authenticator for Oracle WebLogic Server 10.3.1+. A custom Oracle Access Manager AccessGate is also provided to process requests for Web and non-Web (non-HTTP) resources from users or applications.

– oamauthenticationprovider.war: Restricts the list of providers that you see in the Oracle WebLogic Server Console to only those needed for use with Oracle Access Manager. When you deploy the extension, the WebLogic Administration Console creates an in-memory union of the files and directories in its WAR file with the files and directories in the extension WAR file. Once the extension is deployed, it is a full member of the WebLogic Administration Console: it is secured by the WebLogic Server security realm, it can navigate to other sections of the Administration Console, and when the extension modifies WebLogic Server resources, it participates in the change control process. For more information, see Oracle Fusion Middleware Extending the Administration Console for Oracle WebLogic Server.

– Oracle Access Manager 11g: A remote registration command-line utility streamlines WebGate provisioning and creates a fresh application domain with security policies. Administrators can specify WebGate parameters and values using a template.

– Oracle Access Manager 10g: The platform-agnostic OAMCfgTool and scripts (oamcfgtool.jar) automate creation of the Oracle Access Manager form-based authentication scheme, policy domain, access policies, and WebGate profile for the Identity Asserter for single sign-on. OAMCfgTool requires JRE 1.5 or 1.6. Internationalized login forms for Fusion Middleware applications are supported with the policies protecting those applications.

■ OHS 11g must be configured as a reverse proxy for the WebGate required by the Oracle Access Manager Identity Asserter. Because the Identity Asserter accepts the identity that the WebGate forwards through the proxy, the WebLogic Server listen ports must be reachable only through the WebGate-protected OHS; a client that can reach WebLogic Server directly would bypass the perimeter check.

■ Oracle Access Manager:
  OAM 11g: Deployed with initial configuration using the Oracle Fusion Middleware Configuration Wizard, as described in Oracle Fusion Middleware Installation Guide for Oracle Identity Management. See Deploying the Oracle Access Manager 11g SSO Solution on page 15-7.
  OAM 10g: Installed with initial setup as described in Oracle Access Manager Installation Guide. See Deploying SSO Solutions with Oracle Access Manager 10g on page 16-1.

■ WebGate/AccessGate: Whether you need to provision a WebGate or an AccessGate with Oracle Access Manager depends on your use of the OAM Authentication Provider:
  Identity Asserter for Single Sign-On: Requires a separate WebGate for each application to define perimeter authentication.
  Authenticator or Oracle Web Services Manager: Requires the custom 10g AccessGate that is available with the Authentication Provider.

Table 14–1 Differences in Authentication Provider Implementation Tasks for OAM 11g versus OAM 10g

OAM 11g Implementation Details

Included in the OAM 11g implementation are the following tasks, which are described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service:
■ Installing the Authentication Provider with Oracle Access Manager 11g
■ Previewing Pre-Seeded OAM 11g Policies for Use by the OAM 10g AccessGate
■ Provisioning an OAM Agent with Oracle Access Manager 11g
  Note: The OAM 11g remote registration tool automates provisioning of WebGates and policies. For WebLogic Server resources, a wl_authen resource type is created by default. The remote registration tool is used for all OAM 11g scenarios.
■ Configuring Identity Assertion for SSO with Oracle Access Manager 11g
■ Configuring the Authenticator Function for Oracle Access Manager 11g
■ Configuring Identity Assertion for Oracle Web Services Manager and OAM 11g
■ Configuring Centralized Log Out for Oracle Access Manager 11g

OAM 10g Implementation Details

Tasks for implementing SSO solutions with OAM 10g are described in this chapter:
■ Installing and Setting Up Authentication Providers for OAM 10g
■ Configuring OAM Identity Assertion for SSO with Oracle Access Manager 10g
  Note: The OAM 10g OAMCfgTool automates provisioning of WebGates and policies. To install a 10g WebGate, see the Oracle Access Manager Installation Guide.
■ Configuring the Authenticator for Oracle Access Manager 10g (requires manual policy domain creation)
■ Configuring Identity Assertion for Oracle Web Services Manager and OAM 10g
■ Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates

14.3 Setting Up Debugging in the WebLogic Administration Console

The Authentication Providers emit messages with verbose descriptions of low-level activity within the application when Debug mode is enabled. Ordinarily, you do not need this much information. However, if you must call Oracle Support, you might be advised to set up debugging. When set, Authentication Provider messages appear in the Oracle WebLogic Server default log location.

To set up debugging

1. Log in to the WebLogic Administration Console.

2. Go to Domain, Environment, Servers, yourserver.

3. Click the Debug tab.

4. Under Debug Settings for this Server, click to expand the following: weblogic, security, atn.

5. Click the option beside DebugSecurityAtn to enable it.

6. Save Changes.

7. Restart the Oracle WebLogic Server.

8. In the Oracle WebLogic Server default log location, search for SSOAssertionProvider. For example:

####<Apr 10, 2009 2:32:16 AM PDT> <Debug> <SecurityAtn> <sta00483> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1239355936490> <BEA-000000> <SSOAssertionProvider:Type = Proxy-Remote-User>
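Step 8 is a manual search of the server log. The script below is an added example (not part of Oracle's documentation or of the Authentication Provider itself) that does the same thing programmatically: it parses the angle-bracket record format of the WebLogic server log, keeps only SecurityAtn records from the SSOAssertionProvider, and tallies the token types seen. Only the first record in the embedded sample is the one quoted above; the other records, including the OAM_REMOTE_USER type, the Deployer record and the bare continuation line, are constructed for illustration.

```python
"""Pull SSOAssertionProvider debug records out of a WebLogic server log.

Added example: the record layout is the standard WebLogic server-log format
(a "####" prefix, then angle-bracketed fields). The sample log is constructed;
only its first record is taken from the documentation above.
"""
import re
from collections import Counter

# Field order of a WebLogic server-log record.
FIELDS = ("timestamp", "severity", "subsystem", "machine", "server", "thread",
          "user", "transaction", "diagnostic_context", "raw_millis",
          "message_id", "message")

# Constructed sample log: the record quoted above, an unrelated Deployer
# record, a second SSOAssertionProvider record with a different token type,
# a stack-trace continuation line, and one more Proxy-Remote-User record.
SAMPLE_LOG = """\
####<Apr 10, 2009 2:32:16 AM PDT> <Debug> <SecurityAtn> <sta00483> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1239355936490> <BEA-000000> <SSOAssertionProvider:Type = Proxy-Remote-User>
####<Apr 10, 2009 2:32:16 AM PDT> <Info> <Deployer> <sta00483> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1239355936491> <BEA-149059> <Module myapp of application myapp is transitioning from STATE_ADMIN to STATE_ACTIVE on server AdminServer.>
####<Apr 10, 2009 2:32:17 AM PDT> <Debug> <SecurityAtn> <sta00483> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1239355937010> <BEA-000000> <SSOAssertionProvider:Type = OAM_REMOTE_USER>
java.lang.IllegalArgumentException: constructed continuation line
####<Apr 10, 2009 2:32:18 AM PDT> <Debug> <SecurityAtn> <sta00483> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1239355938200> <BEA-000000> <SSOAssertionProvider:Type = Proxy-Remote-User>
"""

TYPE_RE = re.compile(r"SSOAssertionProvider:Type\s*=\s*(\S+)")


def parse_record(line):
    """Parse one server-log record into a dict keyed by FIELDS.

    Returns None for lines that are not records (stack traces and other
    continuation lines lack the "####<" prefix). Fields are separated by
    "> <"; the user field "<<WLS Kernel>>" keeps its inner brackets, which
    is why the split is done on the separator rather than on "<" / ">".
    """
    line = line.rstrip("\n")
    if not (line.startswith("####<") and line.endswith(">")):
        return None
    parts = line[len("####<"):-1].split("> <")
    if len(parts) < len(FIELDS):
        return None
    # The message itself may contain "> <"; glue any surplus pieces back on.
    head, tail = parts[:len(FIELDS) - 1], parts[len(FIELDS) - 1:]
    return dict(zip(FIELDS, head + ["> <".join(tail)]))


def sso_assertion_events(log_text):
    """Return SecurityAtn records emitted by the SSOAssertionProvider,
    each with an added 'token_type' key (the value after 'Type =')."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["subsystem"] != "SecurityAtn":
            continue
        match = TYPE_RE.search(rec["message"])
        if match is None:
            continue
        rec["token_type"] = match.group(1)
        events.append(rec)
    return events


def token_type_counts(log_text):
    """Count how often each identity-assertion token type was processed."""
    return Counter(e["token_type"] for e in sso_assertion_events(log_text))


if __name__ == "__main__":
    for event in sso_assertion_events(SAMPLE_LOG):
        print(event["timestamp"], event["server"], event["token_type"])
    print(dict(token_type_counts(SAMPLE_LOG)))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the server log file; records whose subsystem is not SecurityAtn, and continuation lines, are skipped rather than mis-parsed.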