Basic Tasks for Configuring and Managing Oracle Virtual Directory

8-4 Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

Oracle Directory Services Manager maintains a list of Oracle Virtual Directory servers that SSO-authenticated users can manage. To determine whether an SSO-authenticated user has the privileges required to manage Oracle Virtual Directory, Oracle Directory Services Manager maps the SSO-authenticated user to a DN in the Oracle Virtual Directory server.

Oracle Directory Services Manager uses proxy authentication to connect to the directory. The proxy user's DN and password are stored in a secure storage framework called the Credential Store Framework (CSF). To map an SSO-authenticated user, Oracle Directory Services Manager first authenticates to the Oracle Virtual Directory server with the credentials of a user that has proxy privileges. It then tries to match the SSO-authenticated user's unique identifier to the unique identifier of a user in Oracle Virtual Directory. The WLS administrator configures the proxy user's credentials, the unique identifier attribute, and the base DN under which Oracle Directory Services Manager searches for the user; these settings are stored in the CSF. If the search yields a valid DN, Oracle Directory Services Manager maps the SSO-authenticated user to that DN. Once the SSO-authenticated user is mapped to a valid DN, Oracle Directory Services Manager uses proxy authentication to connect to the Oracle Virtual Directory server as the mapped DN.

You configure the proxy identity, look-up attribute, user container, and other information on the Oracle Directory Services Manager Proxy Bind Configuration Screen, as described in Section 8.3.2, "Configuring SSO Integration".

8.3.2 Configuring SSO Integration

To configure Oracle Directory Services Manager-SSO integration, use the Oracle Directory Services Manager Proxy Bind Configuration Screen at http://host:port/odsm-config. Log in as the WebLogic administrator. On this screen, you provide Oracle Directory Services Manager with the set of directory servers that SSO users can manage.

The screen lists the Single Sign-On accessible directories. Use the View list to change the number and order of the columns. To remove an existing directory, click Remove. To modify an existing directory, click Modify. To add a new Single Sign-On accessible directory, click Add. When you click Modify or Add, the Directory Details screen appears. Proceed as follows:

1. Select Non-SSL or SSL from the Port Type list.

2. Select OID or OVD from the Directory Type list.

Note: SSO-authenticated users must be members of the Oracle Virtual Directory admin group to manage Oracle Virtual Directory. Even with a valid mapped DN, users cannot manage Oracle Virtual Directory unless they are in the admin group. The container DN under which Oracle Directory Services Manager searches for a user's DN can be from any adapter configured in Oracle Virtual Directory.

3. Provide the following information:

■ Host and Port: The host and port of the directory.

■ Proxy User's DN and Password: The DN and password that Oracle Directory Services Manager uses for proxy authentication.

■ User Container DN: The DN under which user entries are located in the directory.

■ User Lookup Attribute: A unique attribute for looking up a user's DN in the directory. For example, if the SSO server sends the user's mail ID to Oracle Directory Services Manager as the user's unique identifier, configure mail as the user look-up attribute.

4. Click Validate to verify your directory connection details.

Oracle Directory Services Manager authenticates to the directory server with the credentials provided.

5. Click Apply to apply your selections.

Click Revert to abandon your selections.

6. Specify the SSO server's Logout URL in the SSO Logout URL text box. For example, http://myoamhost.mycompany.com:14100/oam/server/logout is the default Logout URL for the Oracle Access Manager 11g server. Once this field is configured, Oracle Directory Services Manager displays the Login link at the top right corner of the Oracle Directory Services Manager page.

8.3.3 Configuring the SSO Server for Oracle Directory Services Manager Integration

To make SSO-Oracle Directory Services Manager integration work correctly, you must configure specific Oracle Directory Services Manager URLs as protected or unprotected.

Oracle Directory Services Manager's home page must be an unprotected URL. That is, all users must be able to access the Oracle Directory Services Manager home page, including those who have not gone through the SSO authentication process. The URL /odsm/odsm-sso.jsp must be protected by the SSO server. When a user clicks the Login link at the top right corner of the home page, Oracle Directory Services Manager redirects the user to /odsm/odsm-sso.jsp. The SSO server challenges the user for a username and password if the user is not already authenticated. Upon successful authentication, the user is directed back to the Oracle Directory Services Manager home page.

You must configure /odsm/odsm-sso.jsp as a protected URL. In addition, you must configure the following URLs as unprotected URLs:

■ /odsm/faces/odsm.jspx

■ /odsm/...

You can use either Oracle Access Manager 11g or Oracle Access Manager 10g as your SSO provider. You must configure the Oracle Access Manager server to send the SSO-authenticated user's unique identifier to Oracle Directory Services Manager in an HTTP header. Oracle Directory Services Manager looks for the OAM_REMOTE_USER HTTP header, which the Oracle Access Manager server sets by default. If this header is not available, Oracle Directory Services Manager looks for the odsm-sso-user-unique-id HTTP header. If Oracle Directory Services Manager
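The following is an added example, not Oracle's code and not part of this manual: it simulates, against a small in-memory stand-in for the Oracle Virtual Directory tree, the mapping described in Section 8.3.1 and the header lookup described in Section 8.3.3. The request identifier is taken from OAM_REMOTE_USER (falling back to odsm-sso-user-unique-id), the proxy user binds, the user container is searched for the lookup attribute, the result must be exactly one entry, and that entry must be in the admin group before the user is allowed to manage the server. The directory contents, the proxy password, the group DN cn=odsm admins and all function names are assumptions constructed for illustration.

```python
# Added example (not Oracle's code): simulates the SSO-user-to-DN mapping
# that Oracle Directory Services Manager performs (sections 8.3.1 and 8.3.3).
# Directory contents, proxy password, group DN and function names are
# constructed for illustration and do not come from the manual.

# Constructed stand-in for the Oracle Virtual Directory tree: DN -> attributes.
# Attribute values are lists because LDAP attributes are multi-valued.
DIRECTORY = {
    "cn=odsmproxy,cn=system,dc=example,dc=com": {
        "userpassword": ["proxy-secret"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "mail": ["alice@example.com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "mail": ["bob@example.com"],
    },
    # An entry under another subtree (e.g. surfaced by a second adapter) that
    # reuses Bob's mail: searching by mail from the root is then ambiguous.
    "uid=bob.contractor,ou=contractors,dc=example,dc=com": {
        "uid": ["bob.contractor"], "mail": ["bob@example.com"],
    },
    "cn=odsm admins,ou=groups,dc=example,dc=com": {
        "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}

# Assumed values of what the WLS administrator enters on the Proxy Bind
# Configuration screen (in a real deployment these live in the CSF).
CONFIG = {
    "proxy_dn": "cn=odsmproxy,cn=system,dc=example,dc=com",
    "proxy_password": "proxy-secret",
    "user_container_dn": "ou=people,dc=example,dc=com",
    "user_lookup_attribute": "mail",
    "admin_group_dn": "cn=odsm admins,ou=groups,dc=example,dc=com",
}


def sso_user_id(headers):
    """Identifier the SSO server supplied, in the order ODSM checks:
    OAM_REMOTE_USER first, then odsm-sso-user-unique-id.
    HTTP header names are case-insensitive, so compare lower-cased."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("oam_remote_user", "odsm-sso-user-unique-id"):
        if lowered.get(name):
            return lowered[name]
    return None


def proxy_bind(dn, password):
    """Simple bind as the proxy user: the entry must exist and the password match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userpassword", [])


def subtree_search(base_dn, attr, value):
    """Subtree search: DNs under base_dn whose attr contains value (case-insensitive)."""
    suffix = "," + base_dn.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if dn.lower().endswith(suffix):
            if value.lower() in (v.lower() for v in entry.get(attr, [])):
                hits.append(dn)
    return sorted(hits)


def is_admin(dn, group_dn):
    """True if dn is listed as a uniquemember of the admin group."""
    members = DIRECTORY.get(group_dn, {}).get("uniquemember", [])
    return dn.lower() in (m.lower() for m in members)


def map_sso_user(headers, config=CONFIG):
    """Map an SSO-authenticated request to an OVD DN.

    Returns a dict with the mapped dn (or None), whether the user may manage
    the server, and a reason describing which check stopped the mapping."""
    uid = sso_user_id(headers)
    if uid is None:
        return {"dn": None, "can_manage": False, "reason": "no SSO identifier header"}
    if not proxy_bind(config["proxy_dn"], config["proxy_password"]):
        return {"dn": None, "can_manage": False, "reason": "proxy bind failed"}
    hits = subtree_search(config["user_container_dn"],
                          config["user_lookup_attribute"], uid)
    if len(hits) != 1:
        # A lookup attribute that is not unique under the container is a
        # configuration error; never pick one of several candidates.
        return {"dn": None, "can_manage": False,
                "reason": "expected exactly one match, got %d" % len(hits)}
    dn = hits[0]
    if not is_admin(dn, config["admin_group_dn"]):
        return {"dn": dn, "can_manage": False, "reason": "not in admin group"}
    return {"dn": dn, "can_manage": True, "reason": "ok"}


if __name__ == "__main__":
    print(map_sso_user({"OAM_REMOTE_USER": "alice@example.com"}))
    print(map_sso_user({"oam_remote_user": "bob@example.com"}))
    print(map_sso_user({"OAM_REMOTE_USER": "bob@example.com"},
                       dict(CONFIG, user_container_dn="dc=example,dc=com")))
```

The ambiguous-match case is the one to keep in mind when choosing the User Container DN: because the container may span entries from several adapters, a lookup attribute that is unique within one adapter (mail, in the example) may not be unique across the whole subtree, and the mapping should fail rather than guess.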