Thursday, October 8, 2015

OAM - OID Integration Steps

Please follow the steps below to integrate OAM with OID.


Step 1) Run RCU to create schema. 

Step 2) Install Oracle Internet Directory (OID) 

Step 3) Configuration of Oracle Internet Directory. 

Step 4) Install Oracle Access Manager 11gR2

Step 5) Configuration of Oracle Access Manager 11gR2

Part 1:

Step 1) Invoke Oracle Directory Services Manager (ODSM console)
Username: orcladmin (usually)
Password: ******
Click Connect. 

Step 2) Create a new group in your OID for OAM administration (ex: oamadmin_group ).
Ensure this new group is available in the group search base (cn=Groups, dc=us,dc=oracle,dc=com). 

Step 3) Create a new user in your OID for OAM administration (ex: oamadmin ).
Ensure this new user is available in the user search base (cn=Users, dc=us,dc=oracle,dc=com). 

Step 4) Add this new user (oamadmin) as a unique member of the OAM administration group (oamadmin_group).

Note: Add every user that should be able to log in to /oamconsole to this group (oamadmin_group).

Part 2:

Step 1) Log in to the WebLogic Server Administration Console
Username: weblogic (usually)
Password: ******
Click Login 

Step 2) Create an Authentication Provider for your LDAP directory and configure WebLogic Server to use it, so that you are not presented with multiple login pages when accessing the Oracle Access Manager Console.

Step 3) Go to Security Realms --> myrealm --> Providers tab, and click New. Enter a name, and select OracleInternetDirectoryAuthenticator type. For example:

Name: OIDAuthenticator
Type: OracleInternetDirectoryAuthenticator
Click OK 

Step 4) In the Authentication Providers sub tab, click the newly added authentication provider (OIDAuthenticator in this example).
4.1) Click the Common tab, set the Control Flag to SUFFICIENT, and click Save.
4.2) Click the Provider Specific tab and specify the following values for your environment:
Host: OID host
Port: OID port 3060 (default Port is 3060)
Principal: OID administrative user. For example: cn=orcladmin
Credential: LDAP administrative user password. ********
User Base DN: Same search base as the OID user. For example: cn=Users, dc=es, dc=oracle, dc=com
All Users Filter: For example: (&(cn=*)(objectclass=person))
User Name Attribute: Set as the default attribute for username in the LDAP directory. For example: cn
Group Base DN: The group searchbase. For example: cn=Groups, dc=es, dc=oracle, dc=com
4.3) Click Save.
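Before switching the OAM System Store (Part 3) it is worth confirming that the administration user and group created in Part 1 are actually reachable through the provider settings above, because a user that does not resolve under the User Base DN and All Users Filter, or is not a uniqueMember of oamadmin_group, is locked out of /oamconsole afterwards. The following added example (not from the original post, and not Oracle code) runs that pre-flight check offline against a constructed snapshot of the directory; it evaluates the page's `(&(cn=*)(objectclass=person))` filter with a small RFC 4515-style matcher and uses the `dc=us` search bases from Part 1.

```python
import re
# Values from the steps above: Part 1's search bases, Part 2's provider-specific settings.
USER_BASE = "cn=Users,dc=us,dc=oracle,dc=com"
GROUP_BASE = "cn=Groups,dc=us,dc=oracle,dc=com"
ALL_USERS_FILTER = "(&(cn=*)(objectclass=person))"
USER_NAME_ATTR = "cn"
DIRECTORY = {  # constructed OID snapshot: DN -> {attribute (lower-case): [values]}
    "cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com": {
        "cn": ["oamadmin"], "objectclass": ["top", "person", "inetOrgPerson"]},
    "cn=oamadmin_group,cn=Groups,dc=us,dc=oracle,dc=com": {
        "cn": ["oamadmin_group"], "uniquemember": ["cn=oamadmin,cn=Users,dc=us,dc=oracle,dc=com"]},
}

def under_base(dn, base):
    d, b = ([r.strip().lower() for r in x.split(",")] for x in (dn, base))  # normalised RDNs
    return len(d) > len(b) and d[-len(b):] == b  # strict descendant of the search base

def matches(entry, flt):
    """Evaluate the filter subset used here: (&...), (|...) and attr=value with '*' wildcards."""
    body = flt.strip()[1:-1]
    if body[0] in "&|":  # split into top-level sub-filters by tracking parenthesis depth
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            depth += (ch == "(") - (ch == ")")
            start = i if ch == "(" and depth == 1 else start
            if ch == ")" and depth == 0:
                subs.append(body[start:i + 1])
        return (all if body[0] == "&" else any)(matches(entry, s) for s in subs)
    attr, _, pattern = body.partition("=")
    regex = "^" + ".*".join(map(re.escape, pattern.lower().split("*"))) + "$"
    return any(re.match(regex, v.lower()) for v in entry.get(attr.lower(), []))

def has(entry, attr, value):
    return value.lower() in [v.lower() for v in entry.get(attr, [])]

def find(directory, base, pred):
    return next((dn for dn, e in directory.items() if under_base(dn, base) and pred(e)), None)

def preflight(directory, user, group):
    """Problems that would keep `user` out of /oamconsole once OID is the System Store; [] = none."""
    user_dn = find(directory, USER_BASE, lambda e: matches(e, ALL_USERS_FILTER) and has(e, USER_NAME_ATTR, user))
    group_dn = find(directory, GROUP_BASE, lambda e: has(e, "cn", group))
    problems = []
    if user_dn is None:
        problems.append("user not found under User Base DN with All Users Filter")
    if group_dn is None:
        problems.append("group not found under Group Base DN")
    elif user_dn and not has(directory[group_dn], "uniquemember", user_dn):
        problems.append("user is not a uniqueMember of the group")
    return problems
```

Against a live directory, `DIRECTORY` would be replaced by the entries returned from a subtree search of the two bases, with the same checks applied.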

Step 5) Go to Security Realms --> myrealm --> Providers tab and click the Reorder button.
Select a provider name and use the arrows beside the list to order the providers as follows:

WebLogic Provider (DefaultAuthenticator by default)
OracleInternetDirectoryAuthenticator (OIDAuthenticator in our example)

Note: Please take a backup of the config folder before making this change.

Step 6) Click OK to save your changes. 

Step 7) Activate Changes and restart Oracle WebLogic Server.

Part 3

Step 1) Log in to the OAM Admin console
Http://Hostname:7001/oamconsole (enter the user (weblogic) and password; by default they are the same as for the Oracle WebLogic Server Administration Console).

Step 2) Register the Oracle Internet Directory Server as a new User Identity Store
System Configuration --> Data Sources  --> Create new as below


Step 3) Set the new User Identity Store (OIDIdentityStore1) as the System Store.

Step 4) As soon as you apply the System Store designation, add the OAM administration group (oamadmin_group) and the OAM administration user (oamadmin) that were created in OID in Part 1.

Step 5) Change the User Identity Store of the LDAP Authentication module so that it uses the user identity store created in Part 3, step 2.

Step 6) In the Oracle Access Manager Console, go to Policy Configuration tab > Shared Components node > Authentication Schemes node and click the desired scheme (OAMAdminConsoleScheme in this case).

Make sure Authentication Module = LDAP 

Step 7) Restart your Oracle Access Manager environment and make sure you can log in to your Oracle Access Manager Administration Console (http://<oamhostname>:<AdminServer Port>/oamconsole) as the oamadmin user (not weblogic).
