Managing Security 2-27
b. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OSSO is using OID, then an OID Authentication provider must be added to the Oracle UCM domain.
2.3.8 Configuring Oracle IPM and Single Sign-On for Windows Native Authentication
Setting up Oracle IPM and single sign-on (SSO) with Microsoft clients requires configuring the Microsoft Active Directory, the client, and the Oracle WebLogic Server domain. Details, including system requirements for SSO with Microsoft clients, are provided in Configuring Single Sign-On with Microsoft Clients in Oracle Fusion Middleware Securing Oracle WebLogic Server.
As part of configuring SSO with Microsoft clients, you must specify an LDAP authentication provider to access the external Microsoft Active Directory. Oracle WebLogic Server offers an LDAP provider already configured for Microsoft Active Directory: the Active Directory Authentication provider. See Configuring LDAP Authentication Providers in Oracle WebLogic Server Securing Oracle WebLogic Server.
As part of configuring SSO with Microsoft clients, you must configure the Negotiate Identity Assertion provider in the Oracle WebLogic Server security realm. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps them to WebLogic users. Use the Oracle WebLogic Server Administration Console to add a new provider in the appropriate security realm in the domain structure, assign it a name, then select NegotiateIdentityAsserter for its Type. Activate the changes and restart the Oracle WebLogic Server. Your server can now use the Kerberos ticket it receives from the browser.
Note: When the Oracle WebLogic Server domain for Oracle IPM is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or Oracle IPM will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see the section Configuring the First Authentication Provider in the Oracle Fusion Middleware System Administrators Guide for Oracle Content Server.
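The provider order and control flag described in the note above are easy to get wrong in the Administration Console, and the symptom (no user privileges loaded) only shows up after a restart. The following script is an added example, not part of the Oracle guide, that checks a security-realm fragment in the shape WebLogic writes to config.xml: an external authenticator must precede DefaultAuthenticator, DefaultAuthenticator must be SUFFICIENT, and a Negotiate Identity Asserter must exist. The realm fragments, the provider name ADAuthenticator, and the xsi:type strings are constructed for the example; point the script at your own config.xml realm element to check a real domain.

```python
"""Check a WebLogic security-realm fragment for the provider layout that
Oracle IPM with Windows Native Authentication needs: an external authenticator
listed before DefaultAuthenticator, DefaultAuthenticator set to SUFFICIENT,
and a Negotiate Identity Asserter present."""
import xml.etree.ElementTree as ET

# Namespace URIs used by WebLogic config.xml for security-realm elements.
NS = {
    "sec": "http://xmlns.oracle.com/weblogic/security",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed realm fragment (not copied from any real domain): the order the
# note above asks for. "ADAuthenticator" is an assumed provider name.
SAMPLE_REALM = """<realm xmlns:sec="http://xmlns.oracle.com/weblogic/security"
       xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>ADAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:name>DefaultAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:name>DefaultIdentityAsserter</sec:name>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:negotiate-identity-asserterType">
    <sec:name>NegotiateIdentityAsserter</sec:name>
  </sec:authentication-provider>
</realm>
"""

# Constructed fragment with the three mistakes the checker reports.
BAD_REALM = """<realm xmlns:sec="http://xmlns.oracle.com/weblogic/security"
       xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:name>DefaultAuthenticator</sec:name>
    <sec:control-flag>REQUIRED</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>ADAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:name>DefaultIdentityAsserter</sec:name>
  </sec:authentication-provider>
</realm>
"""


def parse_providers(realm_xml):
    """Return the authentication providers in the order the realm lists them."""
    root = ET.fromstring(realm_xml)
    providers = []
    for prov in root.findall("sec:authentication-provider", NS):
        xsi_type = prov.get(XSI_TYPE, "")
        providers.append({
            "name": prov.findtext("sec:name", default="", namespaces=NS),
            "type": xsi_type,
            "control_flag": prov.findtext("sec:control-flag", default=None, namespaces=NS),
            # Identity asserters share the element but are not authenticators.
            "is_asserter": "identity-asserter" in xsi_type,
        })
    return providers


def check_realm(realm_xml):
    """Return a list of findings; an empty list means the realm is laid out correctly."""
    findings = []
    providers = parse_providers(realm_xml)
    authenticators = [p for p in providers if not p["is_asserter"]]
    if not authenticators:
        return ["no authentication providers found in realm"]
    if authenticators[0]["name"] == "DefaultAuthenticator":
        findings.append("DefaultAuthenticator is listed first; move the external "
                        "authentication provider ahead of it")
    default = next((p for p in authenticators if p["name"] == "DefaultAuthenticator"), None)
    if default is None:
        findings.append("DefaultAuthenticator is missing from the realm")
    elif default["control_flag"] != "SUFFICIENT":
        findings.append("DefaultAuthenticator control flag is %s, expected SUFFICIENT"
                        % default["control_flag"])
    if not any("negotiate-identity-asserter" in p["type"] for p in providers):
        findings.append("no Negotiate Identity Asserter configured; SPNEGO tokens "
                        "from the browser will not be decoded")
    return findings


if __name__ == "__main__":
    for label, realm in (("sample", SAMPLE_REALM), ("misordered", BAD_REALM)):
        print(label, check_realm(realm) or ["OK"])
```

Run it against the realm element of a domain's config.xml after reordering the providers in the Administration Console and before restarting; a non-empty list is the configuration that makes Oracle IPM fail to load user privileges.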
2-28 Administrators Guide for Oracle Imaging and Process Management
You must redeploy Oracle IPM using the Oracle IPM deployment plan. A deployment plan is an XML document. Oracle provides a plan for Oracle IPM, or you can also create a deployment plan using the Oracle WebLogic Scripting Tool. To deploy using the provided plan, do the following:
1. Log in to the Oracle WebLogic Server Administration Console.
2. Click Deployments in the Domain Structure navigation tree.
3. On the Control tab, click Next until you see the Oracle IPM deployment.
4. Select the checkbox to the left of the deployment.
5. Click Update.
6. Under the Deployment plan path, select Change Path.
7. Navigate to and select the ipm-deployment-plan.xml plan file.
8. Verify that Redeploy this application using the following deployment files is selected.
9. Click Next.
10. Click Finish.
11. To verify that SSO with Microsoft clients is configured properly, access the Microsoft Web application or Web service you want to use using a browser. If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web service without providing a username or password.
ipm-deployment-plan.xml
Use the provided ipm-deployment-plan.xml file, or create an .xml file and name it ipm-deployment-plan.xml.
<?xml version="1.0" encoding="UTF-8"?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
    global-variables="false">
  <application-name>ipm.ear</application-name>
  <variable-definition>
    <variable>
      <name>http-only</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>ipm.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <!-- Assigns the http-only variable (false) to cookie-http-only in
           WEB-INF/weblogic.xml, so the session cookie is no longer marked HttpOnly. -->
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
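A deployment plan changes settings that never appear in the application's own descriptors, so a reviewer reading weblogic.xml alone will not see that the session cookie loses its HttpOnly flag. The script below is an added example, not part of the Oracle guide or the product, that resolves every variable-assignment in a plan to the value it injects and lists the ones that set cookie-http-only to false. The embedded plan is a constructed copy with the same shape as ipm-deployment-plan.xml above; the schemaLocation attribute is omitted because it does not affect resolution.

```python
"""Resolve the variable assignments in a WebLogic deployment plan and report
the ones that switch off HttpOnly on the session cookie."""
import xml.etree.ElementTree as ET

NS = {"dp": "http://xmlns.oracle.com/weblogic/deployment-plan"}

# Constructed copy of the ipm-deployment-plan.xml layout (not the shipped file).
SAMPLE_PLAN = """<?xml version="1.0" encoding="UTF-8"?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
    global-variables="false">
  <application-name>ipm.ear</application-name>
  <variable-definition>
    <variable><name>http-only</name><value>false</value></variable>
  </variable-definition>
  <module-override>
    <module-name>ipm.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
"""


def resolve_assignments(plan_xml):
    """Return one record per variable-assignment: module, descriptor, xpath and
    the value the plan injects there (None if the variable is undefined)."""
    root = ET.fromstring(plan_xml.encode("utf-8"))
    variables = {}
    for var in root.findall("dp:variable-definition/dp:variable", NS):
        variables[var.findtext("dp:name", namespaces=NS)] = var.findtext("dp:value", namespaces=NS)
    records = []
    for mod in root.findall("dp:module-override", NS):
        module = mod.findtext("dp:module-name", namespaces=NS)
        for desc in mod.findall("dp:module-descriptor", NS):
            uri = desc.findtext("dp:uri", namespaces=NS)
            for asg in desc.findall("dp:variable-assignment", NS):
                name = asg.findtext("dp:name", namespaces=NS)
                records.append({
                    "module": module,
                    "uri": uri,
                    "xpath": asg.findtext("dp:xpath", default="", namespaces=NS),
                    "variable": name,
                    "value": variables.get(name),
                })
    return records


def weakened_settings(plan_xml):
    """Assignments that set cookie-http-only to false, i.e. remove HttpOnly
    from the session cookie of the affected module."""
    return [r for r in resolve_assignments(plan_xml)
            if r["xpath"].endswith("/cookie-http-only")
            and str(r["value"]).lower() == "false"]


if __name__ == "__main__":
    for rec in resolve_assignments(SAMPLE_PLAN):
        print("%(module)s %(uri)s %(xpath)s = %(value)s" % rec)
    for rec in weakened_settings(SAMPLE_PLAN):
        print("HttpOnly disabled for session cookie of", rec["module"])
```

Feed it the plan actually selected in step 7 of the procedure above so that the change to the session cookie is recorded alongside the SSO configuration rather than discovered later from a browser.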
3
Changing Configuration Settings
This section describes the configuration options available to an Oracle IPM administrator and how they are accessed. It contains the following topics:
■ Section 3.1, Configuration Overview