Configuring Oracle IPM and Single Sign-On for Windows Native Authentication

Managing Security 2-27

b. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OSSO is using OID, then an OID Authentication provider must be added to the Oracle UCM domain.

2.3.8 Configuring Oracle IPM and Single Sign-On for Windows Native Authentication

Setting up Oracle IPM and single sign-on (SSO) with Microsoft clients requires configuring Microsoft Active Directory, the client, and the Oracle WebLogic Server domain. Details, including system requirements for SSO with Microsoft clients, are provided in "Configuring Single Sign-On with Microsoft Clients" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

As part of configuring SSO with Microsoft clients, you must specify an LDAP authentication provider to access the external Microsoft Active Directory. Oracle WebLogic Server offers an LDAP provider already configured for Microsoft Active Directory: the Active Directory Authentication provider. See "Configuring LDAP Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

You must also configure the Negotiate Identity Assertion provider in the Oracle WebLogic Server security realm. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps them to WebLogic users. Use the Oracle WebLogic Server Administration Console to add a new provider in the appropriate security realm in the domain structure, assign it a name, then select NegotiateIdentityAsserter as its Type. Activate the changes and restart Oracle WebLogic Server. The server can now use the Kerberos ticket it receives from the browser.

Note: When the Oracle WebLogic Server domain for Oracle IPM is configured to use an authentication provider other than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or Oracle IPM will fail to load any user privileges. Re-order the authentication providers so that the new authentication provider is listed before the DefaultAuthenticator provider, and ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see the section "Configuring the First Authentication Provider" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server.
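The ordering rule in the note above (new provider first, DefaultAuthenticator set to SUFFICIENT) is easy to get wrong in the console and only shows up as missing user privileges after a restart. The following script is an added example, not part of the Oracle documentation or product: it checks a realm against that rule and applies the fix. It is written against the WebLogic MBean method names getAuthenticationProviders(), setAuthenticationProviders(), getName(), getControlFlag() and setControlFlag(); the FakeProvider and FakeRealm classes are constructed stand-ins so the logic can run outside WLST, and the provider names in demo_realm() are assumed.

```python
# Added example (not from the Oracle documentation): check and apply the documented
# authentication-provider ordering rule for a WebLogic security realm.
# Real MBean methods used: getAuthenticationProviders, setAuthenticationProviders,
# getName, getControlFlag, setControlFlag. FakeProvider/FakeRealm are constructed stand-ins.

DEFAULT_AUTHENTICATOR = "DefaultAuthenticator"


def realm_problems(realm, new_provider, default_name=DEFAULT_AUTHENTICATOR):
    """Return the problems found against the rule that new_provider must be listed first
    and DefaultAuthenticator must have control flag SUFFICIENT. An empty list means OK."""
    providers = list(realm.getAuthenticationProviders())
    names = [p.getName() for p in providers]
    problems = []
    if new_provider not in names:
        problems.append("provider %s is not configured in the realm" % new_provider)
    elif names[0] != new_provider:
        problems.append("provider %s is at position %d, not first (order: %s)"
                        % (new_provider, names.index(new_provider) + 1, ", ".join(names)))
    for p in providers:
        # Only the authenticator carries a control flag; identity asserters do not.
        if p.getName() == default_name and p.getControlFlag() != "SUFFICIENT":
            problems.append("%s control flag is %s, expected SUFFICIENT"
                            % (default_name, p.getControlFlag()))
    return problems


def put_provider_first(realm, new_provider, default_name=DEFAULT_AUTHENTICATOR):
    """Move new_provider to the front of the realm's provider list and set
    DefaultAuthenticator to SUFFICIENT. Returns the resulting order of names.
    Under WLST (assumption): cd to the realm, pass cmo inside an edit session, then
    activate(); setAuthenticationProviders may need a jarray.array of the MBeans."""
    providers = list(realm.getAuthenticationProviders())
    names = [p.getName() for p in providers]
    if new_provider not in names:
        raise LookupError("provider %s not found; create it before reordering" % new_provider)
    first = providers[names.index(new_provider)]
    ordered = [first] + [p for p in providers if p is not first]
    realm.setAuthenticationProviders(ordered)
    for p in ordered:
        if p.getName() == default_name:
            p.setControlFlag("SUFFICIENT")
    return [p.getName() for p in ordered]


class FakeProvider(object):
    """Constructed stand-in for an AuthenticationProviderMBean."""
    def __init__(self, name, control_flag="REQUIRED"):
        self._name = name
        self._flag = control_flag

    def getName(self):
        return self._name

    def getControlFlag(self):
        return self._flag

    def setControlFlag(self, flag):
        self._flag = flag


class FakeRealm(object):
    """Constructed stand-in for a RealmMBean."""
    def __init__(self, providers):
        self._providers = list(providers)

    def getAuthenticationProviders(self):
        return list(self._providers)

    def setAuthenticationProviders(self, providers):
        self._providers = list(providers)


def demo_realm():
    # Constructed starting state: DefaultAuthenticator still first, an Active Directory
    # provider (assumed name "ADAuthenticator") added after it.
    return FakeRealm([FakeProvider("DefaultAuthenticator", "REQUIRED"),
                      FakeProvider("DefaultIdentityAsserter", "REQUIRED"),
                      FakeProvider("ADAuthenticator", "SUFFICIENT")])


if __name__ == "__main__":
    realm = demo_realm()
    print(realm_problems(realm, "ADAuthenticator"))
    print(put_provider_first(realm, "ADAuthenticator"))
    print(realm_problems(realm, "ADAuthenticator"))
```

Run realm_problems() before the restart: if it returns anything, the realm does not yet meet the note's requirement and Oracle IPM will not load user privileges.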
2-28 Administrator's Guide for Oracle Imaging and Process Management

You must redeploy Oracle IPM using the Oracle IPM deployment plan. A deployment plan is an XML document. Oracle provides a plan for Oracle IPM, or you can create a deployment plan using the Oracle WebLogic Scripting Tool. To deploy using the provided plan, do the following:

1. Log in to the Oracle WebLogic Server Administration Console.

2. Click Deployments in the Domain Structure navigation tree.

3. On the Control tab, click Next until you see the Oracle IPM deployment.

4. Select the checkbox to the left of the deployment.

5. Click Update.

6. Under the Deployment plan path, select Change Path.

7. Navigate to and select the ipm-deployment-plan.xml plan file.

8. Verify that Redeploy this application using the following deployment files is selected.

9. Click Next.

10. Click Finish.

11. To verify that SSO with Microsoft clients is configured properly, access the Microsoft Web application or Web service you want to use with a browser. If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web service without providing a username or password.

ipm-deployment-plan.xml

Use the provided ipm-deployment-plan.xml file, or create an .xml file and name it ipm-deployment-plan.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
                     global-variables="false">
      <application-name>ipm.ear</application-name>
      <variable-definition>
        <variable>
          <name>http-only</name>
          <value>false</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>ipm.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>http-only</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
    </deployment-plan>

Changing Configuration Settings 3-1

3 Changing Configuration Settings

This section describes the configuration options available to an Oracle IPM administrator and how they are accessed. It contains the following topics:

■ Section 3.1, "Configuration Overview"
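The ipm-deployment-plan.xml listed in Section 2.3.8 works by defining a variable (http-only = false) and binding it by xpath to the cookie-http-only element of the ipm.war session descriptor in WEB-INF/weblogic.xml, so the redeploy turns the HttpOnly flag off for the Oracle IPM session cookie. The following script is an added example, not part of the Oracle documentation or product: it resolves every variable-assignment in a plan to its effective value and reports overrides that relax a session-cookie protection, so an administrator can see exactly what a redeploy will change. SAMPLE_PLAN is a constructed copy of the structure of the plan above; audit_plan_file() is an assumed helper for reading a plan from disk.

```python
# Added example (not from the Oracle documentation): resolve a WebLogic deployment plan's
# variable definitions to the descriptor elements they override and flag overrides that
# set a session-cookie protection flag to false. SAMPLE_PLAN is constructed.
import xml.etree.ElementTree as ET

NS = {"dp": "http://xmlns.oracle.com/weblogic/deployment-plan"}

SAMPLE_PLAN = """\
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" global-variables="false">
  <application-name>ipm.ear</application-name>
  <variable-definition>
    <variable><name>http-only</name><value>false</value></variable>
  </variable-definition>
  <module-override>
    <module-name>ipm.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
"""


def resolve_overrides(plan_xml):
    """Return one dict per variable-assignment: module, descriptor uri, xpath, effective value.
    Raises ValueError when an assignment references a variable that is never defined."""
    root = ET.fromstring(plan_xml)
    variables = {}
    for var in root.findall("dp:variable-definition/dp:variable", NS):
        variables[var.findtext("dp:name", namespaces=NS)] = var.findtext("dp:value", namespaces=NS)
    overrides = []
    for mod in root.findall("dp:module-override", NS):
        module = mod.findtext("dp:module-name", namespaces=NS)
        for desc in mod.findall("dp:module-descriptor", NS):
            uri = desc.findtext("dp:uri", namespaces=NS)
            for assign in desc.findall("dp:variable-assignment", NS):
                name = assign.findtext("dp:name", namespaces=NS)
                if name not in variables:
                    raise ValueError("variable-assignment %r has no variable-definition" % name)
                overrides.append({"module": module, "uri": uri,
                                  "xpath": assign.findtext("dp:xpath", namespaces=NS),
                                  "value": variables[name]})
    return overrides


# weblogic.xml session-descriptor elements whose override to "false" weakens the session cookie.
COOKIE_FLAGS = {
    "cookie-http-only": "session cookie becomes readable by client-side script",
    "cookie-secure": "session cookie may be sent over plain HTTP",
}


def audit_cookie_flags(overrides):
    """Return one finding per override that sets a known cookie protection flag to false."""
    findings = []
    for o in overrides:
        leaf = (o["xpath"] or "").rstrip("/").rsplit("/", 1)[-1]
        if leaf in COOKIE_FLAGS and (o["value"] or "").strip().lower() == "false":
            findings.append("%s %s: %s=false (%s)"
                            % (o["module"], o["uri"], leaf, COOKIE_FLAGS[leaf]))
    return findings


def audit_plan_file(path):
    """Assumed helper: audit a plan on disk (read as bytes so the XML declaration is honoured)."""
    with open(path, "rb") as fh:
        return audit_cookie_flags(resolve_overrides(fh.read()))


if __name__ == "__main__":
    for line in audit_cookie_flags(resolve_overrides(SAMPLE_PLAN)):
        print(line)
```

Running it against the constructed plan reports the single override the Oracle plan makes, which is the HttpOnly change on ipm.war; any further variable-assignments in a customised plan would be listed alongside it.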