On the Settings page, click the Common tab, set the Control Flag to Click the Provider Specific tab and specify the following required settings

Configuring Single Sign-On Using Oracle Access Manager 10g 16-51

Examples in the following procedure are for illustration only. Be sure to enter appropriate values for your environment.

To create a policy domain for the Oracle Access Manager Authenticator

1. Go to the Policy Manager and log in. For example:

   http://Webserver:port/access/oblix

   where Webserver refers to the computer that hosts the Policy Manager Web server; port refers to the HTTP port number of the Web server instance; /access/oblix connects to the Access System.

2. Click Policy Manager.

3. Click Create Policy Domain in the left navigation pane to display the Create Policy Domain page.

4. General Tab: Fill in the name and optional description that appear in pages showing lists of policy domains, and then click Save. For example:

   Name: Default OAM Authenticator
   Description: For Username Resolution

5. Resources Tab: Click the Resources tab, click the Add button, select resource types, enter URL prefixes, and save as follows:

   Resource Type: wl_authen
   Host Identifier (optional): Select the Preferred HTTP host for the AccessGate.
   URL prefix: /Authen/Basic
   Description: OAM Authenticator validates user name, password
   Click Add.

   Resource Type: wl_authen
   URL prefix: /Authen/UsernameAssertion
   Description: Authenticator Resource to validate user name
   Click Save.

6. Default Rules Tab: From this tab you add the authentication rule, authorization expression, and audit rule for this policy domain. The policy domain's default rules apply to the resources it contains, unless a resource is protected by a specific policy.

   a. Click Default Rules, and then click Add to create the rule for the Basic Authentication scheme.

      Note: The Authenticator does not perform authorization. However, you must create an authorization rule that allows access by anyone; no authorization expression is required.

      Note: Do not enable this policy domain until you finish all specifications.

16-52 Oracle Fusion Middleware Application Security Guide

   b. Authentication Rule: A policy domain must have at least one authentication rule, which specifies one authentication scheme and authentication actions. Enter a Name, an optional description, and choose an Authentication Scheme. Click Authentication Rule and fill in the General tab as follows:

      Name: Basic Authentication Scheme
      Description: User name and password based authentication
      Authentication Scheme: Basic over LDAP
      Click Save.

   c. Authentication Rule, Actions: These actions are needed for the Authenticator, to boot Oracle WebLogic with Administrator users who exist in Oracle Access Manager, or if you are using Oracle Web Services Manager. Click the Actions tab, then click Add. Enter the following for Authentication Success:

      Redirection URL: Leave blank
      Return Type: WL_REALM
      Name: obmygroups
      Return Attribute: obmygroups

      This return attribute directs the Access Server to return all groups to which the user belongs.

      Next, enter the name of the login parameter for the user name, which helps identify the user uniquely in the LDAP directory server:

      Type: WL_REALM
      Name: uid
      Return Attribute: uid

      This return attribute should be the name of the login parameter for the user name. It helps identify the user uniquely in the LDAP directory server used by Oracle Access Manager.

7. Authorization Rule: Click the Authorization Rules tab, click Add, and then:

   a. Specify a rule name and, optionally, a brief description. For example:

      Name: Default rule for Authenticator
      Description: Default rule enables Authenticator function for anyone

   b. Select Yes from the Enabled list and then click Save.

   Note: For the Authenticator you need only an Authentication Success Return Action in the rule for the ObMyGroups attribute. This Access Server-specific attribute returns all the groups to which the user belongs. Two other implementations require this action, as described in Step c.