Select Providers, Authentication, and click New to display the Create a New

15-30 Oracle Fusion Middleware Application Security Guide

The Oracle Access Manager Identity Asserter uses the ObSSOCookie token to assert the identity of users who try to access a Web service protected by the oracle/wss_oam_token_service_policy policy. A Web service that is protected by this policy must be presented with an ObSSOCookie token in a SOAP header. That is, the Web service consumes the ObSSOCookie token; it is not involved in how the token is generated. Specifically, the WebLogic Server security service detects the token type and invokes the Oracle Access Manager Identity Asserter. The Oracle Access Manager Identity Asserter then validates the ObSSOCookie token against the Oracle Access Manager Access Server and obtains the username. The username is populated as the principal in the authenticated subject.

The Web service client, for example the Web application, must obtain the ObSSOCookie token to send it to the Web service. This is typically done using an AccessGate. The AccessGate challenges the Web service client user for credentials depending on the authentication scheme configured in Oracle Access Manager and authenticates the user. The WebGate sends the ObSSOCookie to the user's browser upon successful authentication. The Web service client then sends the ObSSOCookie token in the SOAP request to the Web service.

About oracle/wss_oam_token_client_policy

This Oracle Web Services Manager policy contains the following policy assertion: oracle/wss_oam_token_client_template. This template inserts Oracle Access Manager credentials into the WS-Security header as part of the binary security token. oracle/wss_oam_token_client_policy is the analogous client policy to the oracle/wss_oam_token_service_policy service endpoint policy. This policy can be enforced on any SOAP-based endpoint.

The following task overview outlines the procedures you must perform.

Task overview: Setting policies in Oracle Web Services Manager

1. Using Oracle Web Services Manager, set up a Web service with the oracle/wss_oam_token_service_policy policy.

2. Using Oracle Web Services Manager, set up a corresponding client for the Web service with the oracle/wss_oam_token_client_policy policy.

3. Configure the providers in the WebLogic domain, as described in Section 15.2.5.2, "Configuring Providers in a WebLogic Domain for Oracle Web Services Manager".

Note: Settings for the wss_oam_token_service_template are identical to the client version of the assertion: wss_oam_token_client_template. Identity store configuration for the service template is identical to the client version of the assertion.

See Also:
■ Oracle Fusion Middleware Security and Administrator's Guide for Web Services, "Configuring Policies" and "Predefined Assertion Templates"

Configuring Single Sign-On with Oracle Access Manager 11g 15-31

15.2.5.2 Configuring Providers in a WebLogic Domain for Oracle Web Services Manager

To use Oracle Access Manager Identity Asserter with Oracle Web Services Manager protected Web services, several Authentication providers must be configured and ordered in a WebLogic domain:

■ OAM Identity Asserter: REQUIRED
■ OID Authenticator: SUFFICIENT
■ DefaultAuthenticator: SUFFICIENT

This procedure is nearly identical to the one for the Oracle Access Manager Identity Asserter with OAM 11g. The difference in this case is that Oracle Web Services Manager requires the custom 10g AccessGate and additional provider-specific values:

■ Primary Access Server: Specify the host and port. For example: mnop:8888
■ Access Gate Name: The name of the AccessGate registration protecting the application. For example: AG1
■ Access Gate Password: The AccessGate password as specified in the Oracle Access Manager Console.

You can add these using either the Oracle WebLogic Administration Console or the Oracle WebLogic Scripting Tool (WLST) command-line tool.

See Also:
■ About Oracle WebLogic Server Authentication and Identity Assertion Providers on page 15-16
■ Oracle Fusion Middleware Oracle WebLogic Scripting Tool
■ Oracle Fusion Middleware WebLogic Scripting Tool Command Reference

To set up providers in a WebLogic domain

1. No Oracle Fusion Middleware Application: Obtain the Oracle Access Manager provider if you have no Oracle Fusion Middleware application.

a. Log in to Oracle Technology Network at: http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html

b. Locate the oamAuthnProvider ZIP file with Access Manager WebGates 10.1.4.3.0. For example: oamAuthnProvider<version>.zip

c. Extract and copy the oamAuthnProvider.jar to the following path on the computer hosting Oracle WebLogic Server: BEA_HOME/wlserver_10.x/server/lib/mbeantypes/oamAuthnProvider.jar

Note: With an Oracle Fusion Middleware application installed, you already have the required provider file. Skip Step 1.

2. Log in to the Oracle WebLogic Administration Console.

3. OAM Identity Asserter: Perform the following steps to add this provider:

a. Click Security Realms, Default Realm Name, and click Providers.

b. Click Authentication, click New, and then enter a name and select a type:
   Name: OAM Identity Asserter
   Type: OAMIdentityAsserter
   Click OK.

c. In the Authentication Providers table, click the newly added authenticator.

d. On the Common tab, set the Control Flag to REQUIRED, and click Save.

e. Click the Common tab, specify ObSSOCookie as the chosen Active Type for the 10g custom AccessGate, and click Save.

f. Click the Provider Specific tab and configure these parameters:
   Primary Access Server: Specify the host and port. For example: abcd:7777
   Access Gate Name: The name of the OAM Agent registration protecting the application. For example: AG1
   Access Gate Password: The AccessGate password, if any, that was specified during provisioning.
   Click Save.

4. OID Authenticator: Perform the following steps to add this provider.

a. Click Security Realms, Default Realm Name, and click Providers.

b. Click New, enter a name, and select a type:
   Name: OID Authenticator
   Type: OracleInternetDirectoryAuthenticator
   Click OK.

c. In the Authentication Providers table, click the newly added authenticator.

d. On the Settings page, click the Common tab, set the Control Flag to SUFFICIENT, and then click Save.

e. Click the Provider Specific tab and specify the following required settings using values for your own environment:
   Host: Your LDAP host. For example: localhost
   Port: Your LDAP host listening port. For example: 6050
   Principal: LDAP administrative user. For example: cn=orcladmin
   Credential: LDAP administrative user password.
   User Base DN: Same searchbase as in Oracle Access Manager.
   All Users Filter: For example: (&(uid=*)(objectclass=person))
   User Name Attribute: Set as the default attribute for username in the LDAP directory. For example: uid
   Group Base DN: The group searchbase (same as User Base DN).

Note: Do not set the All Groups Filter; the default works as is.
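The order and control flags configured in this procedure (OAM Identity Asserter REQUIRED, OID Authenticator SUFFICIENT, DefaultAuthenticator SUFFICIENT) are evaluated by WebLogic with the standard JAAS control-flag rules. The Python model below is an added illustration, not Oracle or WebLogic code: it walks an ordered provider chain applying those rules so you can see why a SUFFICIENT success from the OID Authenticator ends evaluation, why a failed REQUIRED provider can never be rescued by a later one, and what happens if the providers are left in the wrong order. The misordered chain (DefaultAuthenticator still REQUIRED and ahead of the asserter) and the per-provider outcomes are constructed for the example; in a real domain the outcomes come from each provider's LoginModule.

```python
"""Model of JAAS control-flag evaluation over an ordered WebLogic provider chain.

Added illustration, not WebLogic or Oracle code. The flag rules are the
standard JAAS ones that WebLogic applies to its Authentication providers;
the chains and outcomes below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


@dataclass(frozen=True)
class Provider:
    name: str
    control_flag: str


# The chain this section configures (names and flags from the procedure).
OWSM_CHAIN: List[Provider] = [
    Provider("OAM Identity Asserter", REQUIRED),
    Provider("OID Authenticator", SUFFICIENT),
    Provider("DefaultAuthenticator", SUFFICIENT),
]

# Hypothetical misordering (constructed, not from the page): the new providers
# sit after DefaultAuthenticator, whose flag was never changed from REQUIRED.
MISORDERED_CHAIN: List[Provider] = [
    Provider("DefaultAuthenticator", REQUIRED),
    Provider("OAM Identity Asserter", REQUIRED),
    Provider("OID Authenticator", SUFFICIENT),
]


def evaluate_chain(chain: Sequence[Provider], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Apply JAAS control-flag rules to `chain` in order.

    `outcomes` maps a provider name to whether its login succeeds (constructed
    test input; in WebLogic this is the provider's LoginModule result). A
    provider missing from `outcomes` is treated as failing. Returns the overall
    result and the list of providers that were actually invoked.
    """
    invoked: List[str] = []
    required_present = False  # any REQUIRED/REQUISITE provider in the chain
    required_failed = False   # a REQUIRED/REQUISITE provider failed
    any_success = False

    for p in chain:
        invoked.append(p.name)
        ok = outcomes.get(p.name, False)
        if p.control_flag in (REQUIRED, REQUISITE):
            required_present = True
            if ok:
                any_success = True
            else:
                required_failed = True
                if p.control_flag == REQUISITE:
                    break  # REQUISITE failure returns immediately
        elif p.control_flag == SUFFICIENT:
            if ok:
                any_success = True
                if not required_failed:
                    break  # SUFFICIENT success short-circuits the rest of the chain
        elif p.control_flag == OPTIONAL:
            any_success = any_success or ok
        else:
            raise ValueError(f"unknown control flag {p.control_flag!r}")

    # Overall result: every REQUIRED/REQUISITE provider must have succeeded;
    # if there were none, at least one SUFFICIENT/OPTIONAL provider must have.
    success = (not required_failed) if required_present else any_success
    return success, invoked


if __name__ == "__main__":
    # Constructed scenario: OAM validates the ObSSOCookie and OID knows the
    # user, but the embedded LDAP behind DefaultAuthenticator does not.
    outcomes = {"OAM Identity Asserter": True, "OID Authenticator": True, "DefaultAuthenticator": False}
    for label, chain in (("documented order", OWSM_CHAIN), ("misordered", MISORDERED_CHAIN)):
        ok, invoked = evaluate_chain(chain, outcomes)
        print(f"{label}: success={ok}, invoked={invoked}")
```

With the documented order, a user asserted by OAM and found in OID is authenticated after two providers and DefaultAuthenticator is never consulted; with the misordered chain the same user is rejected, because the REQUIRED DefaultAuthenticator fails first and the later OID success cannot override that. Providers are evaluated in the order shown on the Providers page in the Administration Console, so after adding them check that the OAM Identity Asserter is listed first.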