14-2 Oracle Fusion Middleware Application Security Guide
■ Development or Small Stand-Alone Environment: Oracle recommends a light-weight SSO solution when deployed applications are not integrated into an enterprise-level single sign-on framework. In such cases, a SAML-based solution that uses the Oracle WebLogic Server SAML Credential Mapping Provider is best. The embedded LDAP server is used as the default user repository. Alternatively, an LDAP Authenticator can be configured to leverage an external LDAP server as a user repository.
■ Enterprise-Level SSO with Oracle Fusion Middleware 11g: Oracle Access Manager supports:
– A wide variety of LDAP vendors as the user and group repository, and also works with Oracle Virtual Directory
– Integration with non-Oracle application server vendors and Web Tier components on a large variety of OS platforms to provide a flexible solution
– Out-of-the-box integration with Oracle Fusion Middleware applications (Oracle Access Manager 11g)
Oracle Access Manager 11g Release 1: Oracle recommends Oracle Access Manager 11g when:
– You are new to Oracle Fusion Middleware
– You are considering a migration from OSSO
– You are considering an enterprise-level SSO solution
– You want to implement Identity Propagation with the OAM Token, as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service
Oracle Access Manager 10g (10.1.4.3): You can continue using this when you have:
– Existing Oracle Access Manager 10g implementations
– An enterprise-level SSO solution
Selecting the right Oracle Access Manager release (11g versus 10g 10.1.4.3) as your enterprise-level single sign-on solution depends upon your requirements. Refer to the product documentation in this chapter and in the respective administration guides to evaluate the release that best meets your overall requirements.
■ Existing OSSO 10g Customers: Oracle Single Sign-On (OSSO) is part of the 10g Oracle Application Server suite. OSSO is an enterprise-level single sign-on solution that works with the OC4J application server in conjunction with Oracle Internet Directory and Oracle HTTP Server 11g.
If OSSO is already in place as the enterprise solution for your existing Oracle deployment, Oracle Fusion Middleware continues to support the existing OSSO as a solution. However, Oracle recommends that you consider upgrading to the Oracle Access Manager 11g single sign-on solution, which is a strategic Oracle SSO solution. For more information when planning your upgrade, check the Lifetime Support Middleware Policy for the OSSO end of support dates at:
http://www.oracle.com/support/lifetime-support-policy.html
See Also: "Configuring Single Sign-On with Web Browsers and HTTP Clients" in Oracle Fusion Middleware Securing Oracle WebLogic Server
See Also: "Introduction: OAM Authentication Provider for WebLogic Server" on page 14-4
■ Portal, Forms, Reports, and Discoverer 11g: Oracle Access Manager 11g is certified with Oracle Portal, Forms, Reports, and Discoverer 11g. With Oracle classic components, Oracle Delegated Administration Services 10g is a required and important feature of the Oracle Identity Management infrastructure.
See the Oracle Identity Management Guide to Delegated Administration in the Oracle Identity Management 10g (10.1.4.0.1) Online Documentation Library at:
http://www.oracle.com/technology/documentation/oim1014.html
See the Oracle Fusion Middleware Supported System Configurations page for more details:
http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html
■ Oracle Access Manager Integration with OSSO: Oracle recommends Oracle Access Manager 11g as the enterprise-wide solution. If applications that previously required OracleAS Single Sign-On (Oracle Portal, for example) are deployed, you can delegate the authentication from OSSO 10g to Oracle Access Manager 11g. Oracle Internet Directory is needed for applications that require integrating Oracle Access Manager and OSSO.
See Also:
■ "Introduction: OAM Authentication Provider for WebLogic Server" on page 14-4
■ Oracle Fusion Middleware Upgrade Planning Guide
■ Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management: for information about the types of Java EE environments available in 10g and instructions for upgrading those environments to Oracle Fusion Middleware 11g
See Also: The following topics and other 11g manuals:
■ "Introduction: OAM Authentication Provider for WebLogic Server" on page 14-4
■ Chapter 17, "Configuring Single Sign-On using OracleAS SSO 10g"
■ Oracle Fusion Middleware Administrator's Guide for Oracle Portal
■ Oracle Fusion Middleware Forms Services Deployment Guide
■ Oracle Fusion Middleware Publishing Reports to the Web with Oracle Reports Services
■ Oracle Fusion Middleware Administrator's Guide for Oracle Business Intelligence Discoverer
See Also:
■ "Introduction: OAM Authentication Provider for WebLogic Server" on page 14-4
■ Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager, for details about registering OSSO (mod_osso) Agents with Oracle Access Manager 11g to delegate authentication, and for details about co-existence with Oracle Access Manager 11g during the OSSO 10g upgrade
■ Oracle Fusion Middleware Upgrade Guide for Java EE: for information about the types of Java EE environments available in 10g and instructions for upgrading those environments to Oracle Fusion Middleware 11g
■ "Integrating with Oracle Application Servers" in the 10g (10.1.4.3) Oracle Access Manager Integration Guide
■ Windows Native Authentication for Microsoft Clients: OSSO and Oracle Access Manager 11g both support this integration. Oracle WebLogic Server can be configured to use the Simple and Protected Negotiate (SPNEGO) mechanism for authentication to provide Windows Native Authentication support.
See Also:
■ The chapter on configuring Oracle Access Manager 11g to use Windows Native Authentication for Microsoft Clients in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager
■ "Configuring Single Sign-On with Microsoft Clients" in Oracle Fusion Middleware Securing Oracle WebLogic Server
14.2 Introduction: OAM Authentication Provider for WebLogic Server
Unless explicitly stated, information here applies equally to both Oracle Access Manager 11g and 10g deployments.
The Oracle Access Manager Authentication Provider is one of several Providers that operate with Oracle WebLogic Server. The Oracle Access Manager Authentication Provider does not require the entire Oracle WebLogic Suite nor Oracle Java Required Files (JRF) to operate with Oracle Access Manager 11g or 10g.
In a WebLogic Server domain where JRF is installed, the JRF template is present as part of the domain in an Oracle Fusion Middleware product. In this case, the OAM Identity Asserter and OAM Authentication Provider are automatically available for configuration. If JRF is not installed in your WebLogic domain, you must add the OAMAuthnProvider.jar to a specific location in your domain as described later.
Note: The JRF template is present as part of the domain in an Oracle Fusion Middleware product.
You can use the OAM Authentication Provider for WebLogic Server when you have:
■ Applications that are or will be deployed in a WebLogic container outside the Identity Management domain
■ WebGate is or will be deployed in front of the Authentication Provider
The Authentication Provider can be configured to provide either or both of the following functions for WebLogic users:
■ Identity Asserter for Single Sign-on function
■ Authenticator function
Identity Asserter for Single Sign-on Function
A Web-only applications implementation handles nearly all SSO use cases. The exception is when you have Oracle Web Services Manager protected Web services. In this case, there is no trusted WebGate. Instead, the AccessGate provided with the Identity Asserter is contacted and interacts with the OAM 10g Access Server or 11g OAM Server; all other processing is essentially the same.
The Identity Asserter only asserts the incoming identity (OAM_REMOTE_USER) and passes control to the configured Authentication Providers to continue with the rest of the authentication process, populating the subject with the right principals.
The Identity Asserter must be configured differently depending on which WebGate release (10g versus 11g) serves the request. For instance, when the application is protected by:
■ 10g WebGate: The Identity Asserter is triggered for the token ObSSOCookie. The Identity Asserter can also be triggered for the token OAM_REMOTE_USER, which is present for applications protected by OAM 10g WebGate. See "About Using the Identity Asserter Function with Oracle Access Manager" on page 14-5 for details.
■ 11g WebGate: The Identity Asserter is triggered for the token OAM_REMOTE_USER, and there is no ObSSOCookie.
Authenticator Function
The Authenticator function does not provide single sign-on. The Authenticator requests credentials from the user based on the authentication method specified in the application configuration file, web.xml, not according to the Oracle Access Manager authentication scheme. However, an Oracle Access Manager authentication scheme is required for the application domain.
For more information, see the following topics:
■ About Using the Identity Asserter Function with Oracle Access Manager
■ About Using the Authenticator Function with Oracle Access Manager
■ Choosing Applications for Oracle Access Manager SSO Scenarios and Solutions
14.2.1 About Using the Identity Asserter Function with Oracle Access Manager
This topic describes and illustrates the use of the Identity Asserter function with Oracle Access Manager 11g and 10g WebGates. Processing is similar, with few exceptions, whether you have OAM 11g with 11g or 10g WebGates, or OAM 10g with 10g WebGates. For instance, with Oracle Access Manager 11g, the Access Server is known as the OAM Server.
All requests are first routed to a reverse proxy Web server, where they are intercepted by WebGate. The user is challenged for credentials based on the authentication scheme that is configured within Oracle Access Manager. Oracle recommends Form (form-based login) as the authentication scheme.
The Identity Asserter function relies on perimeter authentication performed by WebGate on the Web Tier. Triggering the Identity Asserter function requires the appropriate Chosen Active Type for your WebGate release.
After the Identity Asserter function is triggered, the configured Authentication Providers (Login Modules) are invoked to construct the Subject and populate it with the appropriate Principals.
Chosen Active Types
The Identity Asserter function's Active Type configuration parameter lists two values under Available in the UI. One of the two must be selected as the Chosen type so that the Identity Asserter function is triggered by the presence of the token set by your WebGate release:
■ 10g WebGate: ObSSOCookie should be the Chosen type to trigger on the OAM_REMOTE_USER token
■ 11g WebGate: Uses the OAMAuthnCookie, and requires OAM_REMOTE_USER as the Chosen type for the provider
The OAM_REMOTE_USER header includes the uid of the logged-in user. Configuring OAM_REMOTE_USER as the Chosen Active Type for the Identity Asserter requires Oracle Access Manager policies that set OAM_REMOTE_USER as part of the authorization success response headers.
Authentication Processing and the Identity Assertion Function
Unless explicitly stated, information here applies equally to Oracle Access Manager 11g and Oracle Access Manager 10g.
WebGate, using the configured authentication scheme, authenticates the user, and then:
■ WebGate: 11g WebGate sets the OAMAuthnCookie and triggers the OAM_REMOTE_USER token. 10g WebGate sets the ObSSOCookie and triggers the OAM_REMOTE_USER token.
■ The OHS Web server mod_weblogic module forwards the request to Oracle WebLogic Server.
■ OAM_REMOTE_USER: The configured Identity Asserter is invoked by the presence of the OAMAuthnCookie or ObSSOCookie and subsequently asserts the OAM_REMOTE_USER header.
■ After the Assertion Process: Authentication Providers configured in the security realm are invoked to populate the Subject with Principals (Users and Groups).
Note: The only difference between using the Identity Asserter function with 11g WebGates versus 10g WebGates is the provider's Chosen Active Type.
Note: mod_weblogic is the generic name of the WebLogic Server plug-in for Apache. For Oracle HTTP Server 11g, the name of this plug-in is mod_wl_ohs; the actual binary name is mod_wl_ohs.so.
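The Chosen Active Type rules and the authentication processing steps above can be modelled in a few lines. The following is an added illustration, not Oracle's provider code: it decides whether a request forwarded by the Web Tier triggers the asserter (ObSSOCookie for 10g WebGate, OAM_REMOTE_USER with OAMAuthnCookie for 11g WebGate), extracts the uid from OAM_REMOTE_USER, and then has a stand-in Authentication Provider build the Subject's principals from a constructed user store. The `Request` class, the `via_web_tier` flag and `USER_STORE` are assumptions made for the example.

```python
from dataclasses import dataclass

# Token names used on this page
OBSSO_COOKIE = "ObSSOCookie"          # session cookie set by a 10g WebGate
OAM_AUTHN_COOKIE = "OAMAuthnCookie"   # session cookie set by an 11g WebGate
OAM_REMOTE_USER = "OAM_REMOTE_USER"   # header carrying the uid of the logged-in user

class NotTriggered(Exception):
    """The asserter does not act on this request; other providers handle it."""

@dataclass
class Request:
    headers: dict
    cookies: dict
    via_web_tier: bool = True   # assumption: request arrived through the OHS/WebGate tier

def assert_identity(active_type: str, req: Request) -> str:
    """Return the uid to assert, following the Chosen Active Type rules above."""
    if not req.via_web_tier:
        # Perimeter authentication happens on the Web Tier; a request that bypassed WebGate is not asserted.
        raise NotTriggered("request did not pass through WebGate")
    if active_type == OBSSO_COOKIE:            # 10g WebGate
        triggered = OBSSO_COOKIE in req.cookies
    elif active_type == OAM_REMOTE_USER:       # 11g WebGate
        triggered = OAM_AUTHN_COOKIE in req.cookies and OAM_REMOTE_USER in req.headers
    else:
        raise ValueError(f"unsupported Active Type: {active_type}")
    if not triggered:
        raise NotTriggered(f"token {active_type} not present")
    uid = req.headers.get(OAM_REMOTE_USER, "").strip()
    if not uid:
        # Cookie present but no uid: the OAM policy is not returning OAM_REMOTE_USER in its success response headers.
        raise NotTriggered("OAM_REMOTE_USER header missing; check the OAM policy response headers")
    return uid

def triggers(active_type: str, req: Request) -> bool:
    try:
        assert_identity(active_type, req)
        return True
    except NotTriggered:
        return False

# Constructed stand-in for the user store behind the realm's Authentication Provider
USER_STORE = {"jdoe": ["Administrators"], "asmith": []}

def populate_subject(uid: str, store: dict = USER_STORE) -> list:
    """Step after assertion: the Authentication Provider builds the Subject's principals."""
    if uid not in store:
        raise LookupError(f"asserted user {uid!r} is unknown to the configured user store")
    return [f"user:{uid}"] + [f"group:{g}" for g in store[uid]]
```

A request carrying an 11g OAMAuthnCookie does not trigger a provider whose Chosen type is ObSSOCookie, and vice versa, which is the misconfiguration to check first when assertion silently falls through to the next provider.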
Figure 14–1 and the overview that follows it describe processing between components when the Identity Asserter function is used with Web-only applications. This implementation handles nearly all SSO use cases. Exception: Oracle Web Services Manager protected Web services. In this case, there is no trusted WebGate. Instead, the AccessGate provided with the Identity Asserter (dotted line in Figure 14–1) is contacted and interacts with the 11g OAM Server or 10g OAM Access Server; all other processing is essentially the same.
For more information, see "Oracle Access Manager Authentication Provider Parameter List" on page 16-14.
Figure 14–1 Identity Asserter Configuration with Oracle Access Manager and WebGates
Process overview: Identity Assertion with OAM 11g, 11g WebGate, and Web-only applications
1. A user attempts to access an Oracle Access Manager protected Web application that is deployed on the Oracle WebLogic Server.
2. WebGate on a reverse proxy Web server intercepts the request and queries the OAM Server to determine whether the requested resource is protected.
3. If the requested resource is protected, WebGate challenges the user for credentials based on the type of Oracle Access Manager authentication scheme configured for the resource (Oracle recommends Form Login). The user presents credentials such as user name and password.
4. WebGate forwards the authentication request to the OAM Server.
5. OAM 11g Server validates user credentials against the primary user identity store and returns the response to WebGate (OAM 10g Access Server validates user credentials against configured user directories). Upon:
■ Successful Authentication: Processing continues with Step 6.
■ Authentication Not Successful: The login form appears asking the user for credentials again; no error is reported.
6. OAM Server generates the session token and sends it to the WebGate:
11g WebGate: Sets and returns the OAMAuthnCookie and triggers the OAM_REMOTE_USER token.
10g WebGate: Sets and returns the ObSSOCookie.