
19-2 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management

19.1.1 Prerequisites

Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed:

1. Configure Oracle HTTP Server, as described in

Chapter 5, Configuring the Web Tier.

2. Configure Oracle Access Manager, as described in

Chapter 11, Extending the Domain with Oracle Access Manager 11g.

3. Provision WebLogic administrators in LDAP, as described in

Chapter 10.4.5, Creating Users and Groups for Oracle WebLogic Server.

19.1.2 Creating Oracle Directory Authenticator

This section sets up a directory authenticator to enable you to use the users in your LDAP directory to access administration consoles. You do not need to perform these steps if you have integrated Oracle Access Manager and Oracle Identity Manager as described in Section 18.1, Integrating Oracle Identity Manager and Oracle Access Manager 11g.

1. Log in to the WebLogic Administration Console at http://admin.mycompany.com/console.

2. Click Security Realms from the Domain structure menu.

3. Click Lock and Edit in the Change Center.

4. Click myrealm.

5. Select the Providers tab.

6. Click DefaultAuthenticator.

7. Set Control Flag to SUFFICIENT.

8. Click Save.

9. Click Security Realms from the Domain structure menu.

10. Click myrealm.

11. Select the Providers tab.

12. Click New.

13. Supply the following information, depending on the directory you are using:

For Oracle Virtual Directory:
■ Name: OVDAuthenticator
■ Type: OracleVirtualDirectoryAuthenticator

For Oracle Internet Directory:
■ Name: OIDAuthenticator
■ Type: OracleInternetDirectoryAuthenticator

Note: Once you have enabled single sign-on for the administration consoles, ensure that at least one Oracle Access Manager server is running to enable console access. If you subsequently enable OAAM to protect your entire domain or integrate OAAM with Oracle Identity Manager, you must also have an OAAM server running to enable console access. If you have used the Oracle WebLogic console to shut down all of the Oracle Access Manager Managed Servers, then restart one of those Managed Servers manually before using the console again. To start WLS_OAM1 manually, use the command:

    DOMAIN_HOME/bin/startManagedWebLogic.sh WLS_OAM1 t3://ADMINVHN:7001

14. Click OK.

15. Click OVDAuthenticator or OIDAuthenticator.

16. Set Control Flag to SUFFICIENT.

17. Click Save.

18. Select the Provider Specific tab.

19. Enter the following details:
■ Host: idstore.mycompany.com
■ Port: 389
■ Principal: cn=oamLDAP,cn=Users,dc=us,dc=oracle,dc=com
■ Credential: oamLDAP password
■ Confirm Credential: oamLDAP password
■ User Base DN: cn=Users,dc=mycompany,dc=com
■ All Users Filter: (&(uid=*)(objectclass=person))
■ User From Name Filter: (&(uid=%u)(objectclass=person))
■ User Name Attribute: uid
■ Group Base DN: cn=Groups,dc=mycompany,dc=com
■ GUID Attribute: orclguid

20. Click Save.

21. Click Activate Changes from the Change Center.

22. Restart the WebLogic Administration Server and all the Managed Servers, as described in Section 20.1, Starting and Stopping Oracle Identity Management Components.

Validating the Configuration

Validate the configuration by logging in to the OAM console as the user oamadmin. You can perform a further validation test by using the Oracle WebLogic Administration Console, as follows.

1. Log in to the console, which is at http://admin.mycompany.com/console.

2. Select Security Realms from the Domain structure menu.

3. Click myrealm.

4. Click the Users and Groups tab.

5. Click Users.

LDAP users are displayed.
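The click-through procedure above (steps 1 to 22) can also be scripted so that it is repeatable across domains. The WLST online script below is an added example and is not part of the Oracle guide. It assumes placeholder administrator credentials, that lookupAuthenticationProvider returns None when a provider does not exist, and that the provider classes oracle.security.providers.authentication.OracleVirtualDirectoryAuthenticator and oracle.security.providers.authentication.OracleInternetDirectoryAuthenticator are the ones registered in your installation; the realm name, provider names and Provider Specific values are those given in steps 4, 13 and 19. Setting the DefaultAuthenticator to SUFFICIENT before adding the directory authenticator is the step that matters for safety: with the default REQUIRED flag, a user who exists only in the directory would still be rejected because the embedded LDAP authenticator fails, and you could lock yourself out of the console.

```wlst
# Added example, not from the Oracle guide: WLST equivalent of steps 1-22.
# Placeholders: ADMIN_USER, ADMIN_PASS, LDAP_PASS and the DIRECTORY choice.
ADMIN_URL  = 't3://ADMINVHN:7001'   # Administration Server URL from the note above
ADMIN_USER = 'weblogic'             # placeholder
ADMIN_PASS = 'CHANGE_ME'            # placeholder
LDAP_PASS  = 'CHANGE_ME'            # the oamLDAP password from step 19

# Pick 'OVD' or 'OID', as in step 13. Class names are assumed (see lead-in).
DIRECTORY = 'OVD'
PROVIDERS = {
    'OVD': ('OVDAuthenticator',
            'oracle.security.providers.authentication.OracleVirtualDirectoryAuthenticator'),
    'OID': ('OIDAuthenticator',
            'oracle.security.providers.authentication.OracleInternetDirectoryAuthenticator'),
}
providerName, providerClass = PROVIDERS[DIRECTORY]

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)   # step 1
edit()
startEdit()                                  # step 3: Lock & Edit

realm = cmo.getSecurityConfiguration().lookupRealm('myrealm')   # step 4

# Steps 6-8: DefaultAuthenticator must be SUFFICIENT, otherwise users that exist
# only in the directory are rejected and console access can be lost.
defaultAuth = realm.lookupAuthenticationProvider('DefaultAuthenticator')
defaultAuth.setControlFlag('SUFFICIENT')

# Steps 12-17: create the directory authenticator (idempotent on re-run) and
# make it SUFFICIENT as well.
ldapAuth = realm.lookupAuthenticationProvider(providerName)   # assumed to return None if absent
if ldapAuth is None:
    ldapAuth = realm.createAuthenticationProvider(providerName, providerClass)
ldapAuth.setControlFlag('SUFFICIENT')

# Steps 18-19: Provider Specific values, exactly as listed in the procedure.
ldapAuth.setHost('idstore.mycompany.com')
ldapAuth.setPort(389)
ldapAuth.setPrincipal('cn=oamLDAP,cn=Users,dc=us,dc=oracle,dc=com')
ldapAuth.setCredential(LDAP_PASS)
ldapAuth.setUserBaseDN('cn=Users,dc=mycompany,dc=com')
ldapAuth.setAllUsersFilter('(&(uid=*)(objectclass=person))')
ldapAuth.setUserFromNameFilter('(&(uid=%u)(objectclass=person))')
ldapAuth.setUserNameAttribute('uid')
ldapAuth.setGroupBaseDN('cn=Groups,dc=mycompany,dc=com')
ldapAuth.setGuidAttribute('orclguid')

save()                   # step 20
activate(block='true')   # step 21: Activate Changes
disconnect()
```

Run the script with the wlst.sh shipped under oracle_common/common/bin in your Middleware home, then restart the Administration Server and Managed Servers as in step 22 and validate as described above (log in to the OAM console as oamadmin, then confirm that LDAP users appear under Users and Groups in the WebLogic console). Keep the administrator and oamLDAP passwords out of the script file itself in a real deployment, for example by reading them from a protected properties file or a WLST user configuration file.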

19.1.3 Creating Oracle Access Manager Identity Asserter