Scenario 2: OAM 11g with the IAP and IBM WebSphere

Managing OAM Identity Assertion on IBM WebSphere 7-3

Figure 7–1 Components and Process Flow with OAM 10g 10.1.4.3 and the IAP

Process overview: Identity Assertion on IBM WebSphere

1. Browser to IHS Proxy Web Server: The user accesses the IBM WebSphere resource using the proxy IHS host and port, which triggers the 10g 10.1.4.3 WebGate installed on the IHS Web server to authenticate and authorize the user.

2. WebGate to Access Server: WebGate communicates with the OAM 10g 10.1.4.3 Access Server using the Oracle Access Protocol (OAP). The Access Server checks the Policy Store to locate any policies protecting the requested resource. WebGate, through the Access Server, collects credential information from the user based on the Authentication Scheme specified and then validates whether the user can be authenticated. On successful authentication, WebGate, through the Access Server, authorizes the user to access the requested resource on the IHS Web server. Additionally, WebGate sets authorization headers in the request as specified in the OAM Policy.

3. Web Server to IBM WebSphere: The IHS Web Server acts as a proxy for IBM WebSphere and forwards the request to IBM WebSphere after successful authorization by the OAM 10g 10.1.4.3 WebGate. The IHS Web Server also forwards to IBM WebSphere the HTTP Cookies and Request Headers set in the request. Requests are intercepted at IBM WebSphere by the OAM IAP. The TAI of OAM then validates the Cookie and HTTP Header. For Cookie-based assertions, the OAM IAP communicates with the 10g 10.1.4.3 Access Server to validate the session token and retrieve user information for the session. The TAI asserts this user identity to IBM WebSphere. IBM WebSphere checks that the user supplied by the OAM IAP exists in its configured user registry (an LDAP instance). If the user is found, the assertion is successful. IBM WebSphere does not check for or request the user's password in this scenario.

4. SSO Logout: See Configuring SSO Logout for OAM IAP for IBM WebSphere on page 7-20.

7.1.2 Scenario 2: OAM 11g with the IAP and IBM WebSphere

This scenario describes a Java EE application that relies on Oracle Access Manager 11g for authentication and authorization of its users. The Java EE application is deployed on IBM WebSphere and uses the OAM IAP for IBM WebSphere to integrate SSO with Oracle Access Manager 11g.

7-4 Oracle Fusion Middleware Third-Party Application Server Guide

Figure 7–2 Components and Process Flow with OAM 11g and the IAP

Process overview: Identity Assertion with Oracle Access Manager 11g

1. Browser to IHS Proxy Web Server: The user accesses the resource (the Sample Application) on IBM WebSphere using the proxy IHS host and port, which triggers the OAM 10g 10.1.4.3 WebGate installed on IHS to authenticate and authorize the user.

2. WebGate to OAM 11g Server: The OAM 10g 10.1.4.3 IHS WebGate communicates with the OAM 11g Server across the Oracle Access Protocol (OAP). The OAM 11g Server checks its policy store to locate policies protecting the resource. WebGate and the OAM 11g Server collect credentials from the user based on the authentication scheme specified in the policy, and the OAM 11g Server validates whether the user can be authenticated. On successful authentication, WebGate and the OAM Server authorize the user before access to the requested resource on the IHS Web server is granted. WebGate sets authorization headers in the request as specified in the OAM policy.

3. Web Server to IBM WebSphere: The IHS Web Server acts as a proxy for IBM WebSphere and forwards the request to IBM WebSphere after successful authorization by the OAM 10g 10.1.4.3 WebGate. The IHS Web Server also forwards to IBM WebSphere the HTTP Cookies and Request Headers set in the request. Requests are intercepted at IBM WebSphere by the OAM IAP. The TAI for OAM then validates the Cookie or HTTP Header. For Cookie-based assertions, the OAM IAP communicates with the OAM 11g Server to validate the session token and retrieve user information for the session. The TAI is responsible for asserting this user identity to IBM WebSphere. IBM WebSphere checks that the user supplied by the OAM IAP exists in its configured user registry (an LDAP instance). If the user is found in the user registry, the assertion is successful. IBM WebSphere neither requests nor checks the user's password in this scenario.

4. SSO Logout: See Configuring SSO Logout for OAM IAP for IBM WebSphere on page 7-20.
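The Cookie-based assertion path of step 3, as an added model of the trust decision (not Oracle's or IBM's code): the cookie and header names, the OAM session table and the LDAP registry are constructed stand-ins for the WebGate cookie, the OAM Server session check and the WebSphere user registry. It goes one step beyond the text by also rejecting a request whose asserted-user header disagrees with the OAM-validated session.

```python
"""Model of the OAM IAP (TAI) decision on IBM WebSphere for a Cookie-based assertion.

Constructed example. Names, tokens and users below are assumptions, not values
from the product; the dictionaries stand in for the OAM Server session check
and the WebSphere user registry (LDAP) lookup.
"""
from dataclasses import dataclass, field

OAM_COOKIE = "ObSSOCookie"        # assumed: SSO cookie set by the IHS WebGate
USER_HEADER = "OAM_REMOTE_USER"   # assumed: authorization header set by WebGate

# Constructed OAM Server state: live session token -> user the session belongs to.
OAM_SESSIONS = {"tok-valid-1": "alice", "tok-valid-2": "mallory"}
# Constructed WebSphere user registry (the configured LDAP instance).
LDAP_USERS = {"alice", "bob"}


@dataclass
class Request:
    """The request as it arrives from the IHS proxy: cookies and headers forwarded."""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def assert_identity(req, sessions=OAM_SESSIONS, registry=LDAP_USERS):
    """Return (accepted, user, reason).

    The identity is taken from the OAM-validated session, never from the header
    alone; it is then checked for existence in the registry. No password is
    requested or checked at any point, exactly as the scenario describes.
    """
    token = req.cookies.get(OAM_COOKIE)
    if token is None:
        return False, None, "no OAM session cookie"
    user = sessions.get(token)                      # IAP -> OAM Server: validate token
    if user is None:
        return False, None, "OAM Server rejected session token"
    asserted = req.headers.get(USER_HEADER)         # header must agree with the session
    if asserted is not None and asserted != user:
        return False, None, "header user does not match OAM session"
    if user not in registry:                        # WebSphere: user must exist in LDAP
        return False, user, "user not found in WebSphere user registry"
    return True, user, "asserted"
```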

7.2 Installing Components for the Oracle Access Manager IAP for IBM WebSphere