Configuring Single Sign-On Using Oracle Access Manager 10g 16-41 ■ About the Oracle WebLogic Scripting Tool WLST ■ Configuring Oracle WebLogic Server for a Web Application Using ADF Security, OAM SSO, and OPSS SSO ■ Setting Up Providers for Oracle Access Manager Identity Assertion

16.4.3.1 About Oracle WebLogic Server Authentication and Identity Assertion Providers

This topic introduces only a few types of Authentication Providers for a WebLogic security realm, if you are new to them. Each WebLogic security realm must have one at least one Authentication Provider configured. The WebLogic Security Framework is designed to support multiple Authentication Providers and thus multiple LoginModules for multipart authentication. As a result, you can use multiple Authentication Providers as well as multiple types of Authentication Providers in a security realm. The Control Flag attribute determines how the LoginModule for each Authentication Provider is used in the authentication process. Oracle WebLogic Server offers several types of Authentication and Identity Assertion providers including, among others: ■ The default WebLogic Authentication Provider Default Authenticator allows you to manage users and groups in one place, the embedded WebLogic Server LDAP server. This Authenticator is used by the Oracle WebLogic Server to login administrative users. ■ Identity Assertion providers use token-based authentication; the Oracle Access Manager Identity Asserter is one example. ■ LDAP Authentication Providers store user and group information in an external LDAP server. They differ primarily in how they are configured by default to match typical directory schemas for their corresponding LDAP server. Oracle WebLogic Server 10.3.1+ provides the OracleInternetDirectoryAuthenticator. When you configure multiple Authentication Providers, use the JAAS Control Flag for each provider to control how the Authentication Providers are used in the login sequence. You can choose the following the JAAS Control Flag settings, among others: ■ REQUIRED—The Authentication Provider is always called, and the user must always pass its authentication test. Regardless of whether authentication succeeds or fails, authentication still continues down the list of providers. ■ SUFFICIENT—The user is not required to pass the authentication test of the Authentication Provider. If authentication succeeds, no subsequent Authentication Providers are executed. If authentication fails, authentication continues down the list of providers. ■ OPTIONAL—The user is allowed to pass or fail the authentication test of this Authentication Provider. However, if all Authentication Providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers. When additional Authentication Providers are added to an existing security realm, the Control Flag is set to OPTIONAL by default. You might need to change the setting of the Control Flag and the order of providers so that each Authentication Provider works properly in the authentication sequence. 16-42 Oracle Fusion Middleware Application Security Guide

16.4.3.2 About the Oracle WebLogic Scripting Tool WLST

This topic introduces WLST, if you are new to it. You can add providers to a WebLogic domain using either the Oracle WebLogic Administration Console or Oracle WebLogic Scripting Tool WLST command-line tool. WLST is a Jython-based command-line scripting environment that you can use to manage and monitor WebLogic Server domains. Generally, you can use this tool online or offline. You can use this tool interactively on the command line in batches supplied in a file Script Mode, where scripts invoke a sequence of WLST commands without requiring your input, or embedded in Java code. When adding Authentication Providers to a WebLogic domain, you can use WLST online to interact with an Authentication Provider and add, remove, or modify users, groups, and roles. When you use WLST offline to create a domain template, WLST packages the Authentication Providers data store along with the rest of the domain documents. If you create a domain from the domain template, the new domain has an exact copy of the Authentication Providers data store from the domain template. However, you cannot use WLST offline to modify the data in an Authentication Providers data store.

16.4.3.2.1 Configuring Oracle WebLogic Server for a Web Application Using ADF Security, OAM

SSO, and OPSS SSO On the Oracle WebLogic Server, you can run a Web application that uses Oracles Application Development Framework Oracle ADF security, integrates with Oracle Access Manager Single Sign On SSO, and uses Oracle Platform Security Services OPSS SSO for user authentication. However before the Web application can be run, you must configure the domain-level jps-config.xml file on the applications target Oracle WebLogic Server for the Oracle Access Manager security provider. The domain-level jps-config.xml file is in the following path and should not be confused with the deployed applications jps-config.xml file: domain_homeconfigfmwconfigjps-config.xml See Also: Configuring Authentication Providers in Oracle Fusion Middleware Securing Oracle WebLogic Server for a complete list of Authentication Providers and details about configuring the Oracle Internet Directory provider to match the LDAP schema for user and group attributes Note: You cannot use WLST offline to modify the data in an Authentication Providers data store. See Also: ■ Configuring Oracle WebLogic Server for a Web Application Using ADF Security, OAM SSO, and OPSS SSO ■ Oracle Fusion Middleware Oracle WebLogic Scripting Tool ■ Oracle Fusion Middleware WebLogic Scripting Tool Command Reference Infrastructure Security Commands chapter Configuring Single Sign-On Using Oracle Access Manager 10g 16-43 You can use an Oracle Access Manager-specific WLST script to configure the domain-level jps-config.xml file, either before or after the Web application is deployed. This Oracle JRF WLST script is named as follows: Linux : wlst.sh Windows : wlst.cmd The Oracle JRF WLST script is available in the following path if you are running through JDev: JDEV_HOMEoracle_commoncommonbin In a standalone JRF WebLogic installation, the path is: Middleware_homeoracle_commonwlst Command Syntax addOAMSSOProviderloginuri, logouturi, autologinuri Table 16–11 defines the expected value for each argument in the addOAMSSOProvider command line. Prerequisites Before starting this task, ensure that all previous tasks have been performed as described in: ■ Establishing Trust with Oracle WebLogic Server ■ Configuring the Authentication Scheme for the Identity Asserter To modify domain-level jps-config.xml for a Fusion Web application with Oracle ADF Security enabled 1. On the computer hosting the Oracle WebLogic Server and the Web application using Oracle ADF security, locate the Oracle JRF WLST script. For example: cd ORACLE_HOMEoracle_commoncommonbin 2. Connect to the computer hosting the Oracle WebLogic Server: Note: The Oracle JRF WLST script is required. When running WLST for Oracle Java Required Files JRF, do not use the WLST script under JDEV_HOMEwlserver_10.3commonbin. Table 16–11 addOAMSSOProvider Command-line Arguments Argument Definition loginuri Specifies the URI of the login page logouturi Specifies the URI of the logout page autologinuri Specifies the URI of the autologin page See Also: ■ Oracle Fusion Middleware Oracle WebLogic Scripting Tool ■ Oracle Fusion Middleware WebLogic Scripting Tool Command Reference Infrastructure Security Commands chapter 16-44 Oracle Fusion Middleware Application Security Guide connect login_id password hostname:port For example, the Oracle WebLogic Administration Server host could be localhost using port 7001. However, your environment might be different. 3. Enter the following command-line arguments with values for the application with ADF security enabled: addOAMSSOProviderloginuri={app.context}adfAuthentication, logouturi=oamssologout.html, autologinuri=obrar.cgi 4. Stop and start the Oracle WebLogic Server. 5. Perform the following tasks as described in this chapter: ■ Setting Up the Login Form for the Identity Asserter and OAM 10g ■ Testing Identity Assertion for SSO with OAM 10g ■ Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates 6. Run the application.

16.4.3.3 Setting Up Providers for Oracle Access Manager Identity Assertion

This topic describes how to configure providers in the WebLogic security domain to perform single sign-on with the Oracle Access Manager Identity Asserter. Several Authentication Provider types must be configured and ordered: ■ OAM Identity Asserter: REQUIRED ■ OID Authenticator: SUFFICIENT ■ DefaultAuthenticator: SUFFICIENT The following procedure uses the WebLogic Administration Console. To set up Providers for Oracle Access Manager single sign-on in a WebLogic domain

1. No Oracle Fusion Middleware Application

: Obtain the Oracle Access Manager provider: a. Log in to Oracle Technology Network at: http:www.oracle.comtechnologysoftwareproductsmiddlewareht docs111110_fmw.html b. Locate the oamAuthnProvider ZIP file with Access Manager WebGates 10.1.4.3.0: oamAuthnProviderversion number.zip c. Extract and copy oamAuthnProvider.jar to the following path on the computer hosting Oracle WebLogic Server: BEA_HOMEwlserver_10.xserverlibmbeantypesoamAuthnProvider.jar See Also: About Oracle WebLogic Server Authentication and Identity Assertion Providers on page 16-41 Note: With an Oracle Fusion Middleware application installed, you have the required provider JAR file. Skip Step 1.