Choosing the Right SSO Solution for Your Deployment

Introduction to Single Sign-On in Oracle Fusion Middleware
Oracle Fusion Middleware Application Security Guide

Figure 14–1 and the overview that follows it describe processing between components when the Identity Asserter function is used with Web-only applications. This implementation handles nearly all SSO use cases. Exception: Oracle Web Services Manager protected Web services. In this case, there is no trusted WebGate. Instead, the AccessGate provided with the Identity Asserter (dotted line in Figure 14–1) is contacted and interacts with the 11g OAM Server or 10g OAM Access Server; all other processing is essentially the same. For more information, see Oracle Access Manager Authentication Provider Parameter List on page 16-14.

Figure 14–1 Identity Asserter Configuration with Oracle Access Manager and WebGates

Process overview: Identity Assertion with OAM 11g, 11g WebGate, and Web-only applications

1. A user attempts to access an Oracle Access Manager protected Web application that is deployed on Oracle WebLogic Server.
2. WebGate on a reverse proxy Web server intercepts the request and queries the OAM Server to determine whether the requested resource is protected.
3. If the requested resource is protected, WebGate challenges the user for credentials based on the type of Oracle Access Manager authentication scheme configured for the resource (Oracle recommends Form Login). The user presents credentials such as user name and password.
4. WebGate forwards the authentication request to the OAM Server.
5. The OAM 11g Server validates user credentials against the primary user identity store and returns the response to WebGate (the OAM 10g Access Server validates user credentials against configured user directories). Upon:
   ■ Successful Authentication: Processing continues with Step 6.
   ■ Authentication Not Successful: The login form appears asking the user for credentials again; no error is reported.
6. The OAM Server generates the session token and sends it to the WebGate:
   ■ 11g WebGate: Sets and returns the OAMAuthn cookie and triggers the OAM_REMOTE_USER token.
   ■ 10g WebGate: Sets and returns the ObSSOCookie.
   The Web server forwards this request to the proxy, which in turn forwards the request to Oracle WebLogic Server using the mod_weblogic plug-in. mod_weblogic forwards requests as directed by its configuration.
7. The WebLogic Server security service invokes the Oracle Access Manager Identity Asserter, which is configured to accept tokens of type OAM_REMOTE_USER. The Identity Asserter initializes a CallbackHandler with the header. In addition, the Identity Asserter sets up a NameCallback with the user name for downstream LoginModules. Because the Identity Asserter trusts the OAM_REMOTE_USER value it receives, WebLogic Server must accept requests only from the WebGate-fronted reverse proxy; a client that can reach WebLogic Server directly could otherwise supply the header itself.
8. The Oracle WebLogic Security service authorizes the user and allows access to the requested resource.
9. A response is sent back to the reverse proxy Web server.
10. A response is sent back to the browser.

14.2.2 About Using the Authenticator Function with Oracle Access Manager

This topic describes and illustrates use of the Authenticator configured to protect access to Web and non-Web resources with Oracle Access Manager. The Authenticator function relies on Oracle Access Manager services to authenticate users who access applications deployed in WebLogic Server. Users are authenticated based on their credentials, such as a user name and password. When a user attempts to access a protected resource, Oracle WebLogic Server challenges the user for credentials according to the authentication method specified in the application's web.xml file. Oracle WebLogic Server then invokes the Authentication Provider, which passes the credentials to the Oracle Access Manager Access Server for validation through the enterprise directory server.

Figure 14–2 illustrates the distribution of components and flow of information for Oracle Access Manager authentication for Web and non-Web resources. Details follow the figure. In this case, the Authenticator communicates with the 11g OAM Server or the OAM 10g Access Server through a custom AccessGate.

Note: mod_weblogic is the generic name of the WebLogic Server plug-in for Apache. For Oracle HTTP Server 11g, the name of this plug-in is mod_wl_ohs.

Note: Unless explicitly stated, information applies equally to Oracle Access Manager 11g and Oracle Access Manager 10g.

Figure 14–2 Authenticator for Web and non-Web Resources

Process overview: Authenticator Function for Web and non-Web Resources

1. A user attempts to access a Java EE application, deployed on Oracle WebLogic Server, that is secured with the authentication mechanism in the application's web.xml file.
2. Oracle WebLogic Server intercepts the request.
3. The Oracle Access Manager Authentication Provider LoginModule is invoked by the Oracle WebLogic security service. The LoginModule uses the OAP library to communicate with the 11g OAM Server or 10g Access Server and validate the user credentials.
   ■ If the user identity is authenticated successfully, WLSUserImpl and WLSGroupImpl principals are populated in the Subject.
   ■ If the Oracle Access Manager LoginModule fails to authenticate the identity of the user, it returns a LoginException (authentication failure) and the user is not allowed to access the Oracle WebLogic resource.
4. The Oracle Access Manager Authenticator supports Oracle WebLogic Server UserNameAssertion.
5. The Oracle Access Manager Authenticator can be used with any Identity Asserter. In this case, the Oracle Access Manager Authenticator performs user name resolution and gets the roles and groups associated with the user name.
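The hand-off that steps 6 and 7 of the Identity Asserter overview and step 3 of the Authenticator overview describe (an asserted header value wrapped in a CallbackHandler, a NameCallback answered for the downstream LoginModule, principals added to the Subject on success and a LoginException on failure), shown as an added Java example written for this page. It is not Oracle's provider implementation: SimplePrincipal stands in for WLSUserImpl and WLSGroupImpl, an in-memory map stands in for the identity store, and the peer-address check that decides whether the OAM_REMOTE_USER header is honoured at all is an assumption of this example, used to make the trust boundary from step 7 explicit. It uses only the standard JAAS API (javax.security.auth) and needs Java 9 or later for Map.of and Set.of.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Illustrative sketch (not Oracle's provider code) of the identity-assertion
// hand-off: header -> CallbackHandler -> NameCallback -> LoginModule -> Subject.
public final class AssertionHandoffDemo {

    // Stand-in for WebLogic's WLSUserImpl / WLSGroupImpl principals.
    static final class SimplePrincipal implements Principal {
        private final String kind, name;
        SimplePrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
    }

    // Step 7: the asserter wraps the header value in a CallbackHandler that
    // answers NameCallback only; any other callback is refused.
    static final class AssertedNameHandler implements CallbackHandler {
        private final String assertedUser;
        AssertedNameHandler(String assertedUser) { this.assertedUser = assertedUser; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof NameCallback)) {
                    throw new UnsupportedCallbackException(cb, "assertion supplies only a user name");
                }
                ((NameCallback) cb).setName(assertedUser);
            }
        }
    }

    // Downstream LoginModule: resolves the asserted name against an in-memory
    // directory (assumed stand-in for the identity store) and fills the Subject.
    static final class AssertedUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, Set<String>> directory;
        private String user;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.directory = (Map<String, Set<String>>) options.get("directory");
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("asserted user: ");
            try {
                handler.handle(new Callback[] { nc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain asserted user: " + e.getMessage());
            }
            String name = nc.getName();
            if (name == null || !directory.containsKey(name)) {
                // Unknown identity: LoginException, no principals added (Authenticator step 3).
                throw new LoginException("authentication failed for asserted user");
            }
            user = name;
            return true;
        }

        @Override public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new SimplePrincipal("user", user));
            for (String g : directory.get(user)) subject.getPrincipals().add(new SimplePrincipal("group", g));
            return true;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Steps 6-7 in miniature. The peer-address check is this example's assumption:
    // OAM_REMOTE_USER is honoured only when the request arrived from the
    // WebGate-fronted reverse proxy, never from an arbitrary client.
    static Subject assertIdentity(String peerAddress, Map<String, String> headers,
                                  Set<String> trustedProxies, Map<String, Set<String>> directory)
            throws LoginException {
        if (!trustedProxies.contains(peerAddress)) {
            throw new LoginException("OAM_REMOTE_USER ignored: request did not come via the WebGate proxy");
        }
        String asserted = headers.get("OAM_REMOTE_USER");
        if (asserted == null) throw new LoginException("no OAM_REMOTE_USER token present");
        Subject subject = new Subject();
        LoginModule lm = new AssertedUserLoginModule();
        lm.initialize(subject, new AssertedNameHandler(asserted), new HashMap<>(), Map.of("directory", directory));
        if (lm.login()) lm.commit(); else lm.abort();
        return subject;
    }

    public static void main(String[] args) {
        // Constructed sample data: one known user, one trusted proxy address.
        Map<String, Set<String>> directory = Map.of("alice", Set.of("employees", "app-users"));
        Set<String> proxies = Set.of("10.0.0.5");
        String[][] cases = { {"10.0.0.5", "alice"}, {"192.0.2.10", "alice"}, {"10.0.0.5", "mallory"} };
        for (String[] c : cases) {
            try {
                Subject s = assertIdentity(c[0], Map.of("OAM_REMOTE_USER", c[1]), proxies, directory);
                System.out.println("accepted " + c[1] + " from " + c[0] + ": " + s.getPrincipals());
            } catch (LoginException e) {
                System.out.println("rejected " + c[1] + " from " + c[0] + ": " + e.getMessage());
            }
        }
    }
}
```

Compile and run with javac and java; the first case yields a Subject holding a user principal and two group principals, the second is rejected before the header is read because the peer is not the trusted proxy, and the third is rejected by the LoginModule because the asserted name is not in the directory. In a real deployment the "trusted proxy" property comes from network placement (WebLogic Server reachable only through the WebGate proxy), not from application code; the check is in the example only to show where that trust sits.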

14.2.3 Choosing Applications for Oracle Access Manager SSO Scenarios and Solutions

This section introduces choosing applications to use Oracle Access Manager and the Authentication Provider according to the current application setup. Details are similar whether you plan to use Oracle Access Manager 11g or 10g with the Authentication Provider:

■ Applications Using Oracle Access Manager for the First Time
■ Applications Migrating from Oracle Application Server to Oracle WebLogic Server
■ Applications Using OAM Security Provider for WebLogic SSPI

See Also:
■ Configuring the Authenticator Function for Oracle Access Manager 11g on page 15-22
■ Configuring the Authenticator for Oracle Access Manager 10g on page 16-48

14.2.3.1 Applications Using Oracle Access Manager for the First Time

If your application is to use the Oracle Access Manager Authentication Provider for the first time, proceed based on the functionality that you want to use:

■ Identity Asserter for Single Sign-On: The Web-only applications implementation handles nearly all SSO use cases. See Installing the Authentication Provider with Oracle Access Manager 11g on page 15-8.
■ Oracle Web Services Manager-Protected Web Services: This requires the AccessGate that is provided with the Identity Asserter to interact with the OAM Server. See Configuring Identity Assertion for Oracle Web Services Manager and OAM 11g on page 15-28.
■ Authenticator: No single sign-on is provided. The Authenticator requests credentials from the user based on the authentication method specified in the application configuration file, web.xml. See Configuring the Authenticator Function for Oracle Access Manager 11g on page 15-22.

14.2.3.2 Applications Migrating from Oracle Application Server to Oracle WebLogic Server

If your application has been deployed on the older Oracle Application Server (OC4J), a few steps make the application use the Authentication Provider with Oracle WebLogic Server. Proceed as follows:

■ Remove all OC4J-specific settings from the application configuration.
■ Identity Asserter for Single Sign-On: The Web-only applications implementation handles nearly all SSO use cases. See the appropriate topic for your environment:
   — OAM 11g: Configuring Identity Assertion for SSO with Oracle Access Manager 11g on page 15-13
   — OAM 10g: Configuring OAM Identity Assertion for SSO with Oracle Access Manager 10g on page 15-13
■ Oracle Web Services Manager-Protected Web Services: Require the AccessGate provided with the Identity Asserter. See the appropriate topic for your environment:
   — OAM 11g: Configuring Identity Assertion for Oracle Web Services Manager and OAM 11g on page 15-28
   — OAM 10g: Configuring Identity Assertion for Oracle Web Services Manager and OAM 10g on page 16-59
■ Authenticator: No single sign-on is provided. The Authenticator requests credentials from the user based on the authentication method specified in the application configuration file, web.xml. See the appropriate topic for your environment:
   — OAM 11g: Configuring the Authenticator Function for Oracle Access Manager 11g on page 15-22
   — OAM 10g: Configuring the Authenticator for Oracle Access Manager 10g on page 16-48

14.2.3.3 Applications Using OAM Security Provider for WebLogic SSPI

The Oracle Access Manager Security Provider for WebLogic SSPI provides authentication, authorization, and single sign-on across Java EE applications that are deployed in the WebLogic platform. The Security Provider for WebLogic SSPI enables