There are three types of OAM and OAAM integration:
Basic Integration:
Advanced Integration:
Features: authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms.
Advanced features and extensibility such as OTP Anywhere, the challenge processor framework, the shared library framework, and secure self-service password management flows. OAAM can also be integrated with third-party single sign-on products via systems integrators if required.
Advanced Integration using TAP:
Features: authentication schemes, device fingerprinting, risk analysis, KBA challenge mechanisms, and additional advanced access-security features such as step-up authentication.
The same advanced features and extensibility as Advanced Integration (OTP Anywhere, the challenge processor framework, the shared library framework, and secure self-service password management flows).
OAAM can also be integrated with third-party single sign-on products via systems integrators if required.
Prerequisites:
- For Advanced Integration, OAAM must run on its own OAAM managed server (not on the OAM managed server).
- An OAAM Admin server is required.
- An OAAM database is required.
- Supported agents:
- 10g WebGate and Single Sign-On (OSSO) Agent (Basic Integration)
- 10g WebGate (Advanced Integration)
- 10g and 11g WebGates (Advanced Integration using TAP)
Steps:
To perform the Advanced integration using TAP, first integrate in Advanced mode and then do the additional configuration for the TAP scheme.
- Install OAM, OAAM, OHS Server, and the WebGate on OHS.
- OAM and OAAM can be in the same domain or in separate domains; if they are in separate domains, the oaam.csf.useMBeans property must be set to true (refer to http://docs.oracle.com/cd/E37115_01/admin.1112/e27207/post.htm#AAMAD8640).
- For an external LDAP, configure the identity store using idmConfigTool (http://docs.oracle.com/cd/E37115_01/integration.1112/e27123/idmcfgtool.htm#autoId7).
----------------------------------------------------------------------------------------------------------
Prerequisite for OUD (run the batch file below to extend the OUD schema to support OAAM):
idmConfigTool.bat -preConfigIDStore input_file=OUD.properties
----------------------------------------
Load the Basic Snapshot into OAAM
For the OAAM admin user and groups, see:
http://www.iamidm.com/2013/04/oaam-11g-r2-ps1-and-11g-r2-default.html
Log in to the OAAM Admin Console (http://localhost:14200/oaam_admin/), click System Snapshots, then Load from File.
If you get the following error:
Failed to load snapshot file The snapshot file should be a ZIP file
then uninstall WinRAR or any other software registered to open ZIP files, and retry.
Select oaam_base_snapshot.zip from %Middleware_Home%/Oracle_IDM1/oaam/init, click Load, then click Restore.
------------------------------------------------------------------
Validating the Initial Setup:
- Verify that you can log in to the OAM console (http://localhost:7001/oamconsole). If the login succeeds, OAM validation is done.
- Log in to the OAAM Server (http://host:port/oaam_server).
- Enter any user name and click Continue.
- Enter the password test. This default password is accepted by OAAM's out-of-the-box test login and is only for verifying the installation; it must not remain usable once the OAM integration is in place.
- The user should be shown the security questions followed by the success screen.
--------------------------------------------------------------------------------
Validating the OHS and WebGate Setup:
- Make sure that OHS is installed.
- Register the WebGate with the OHS server.
- Make sure that http://OHSURL:PORT/ is protected by OAM: an unauthenticated request must be redirected to the OAM login rather than served.
----------------------------------------------------------------------------------
Register the OAAM Server as a Trusted Partner:
After registration, the OAAM server can communicate with the OAM server using TAP (Trusted Authentication Protocol) and report user authentications to OAM, so that OAM creates the required session cookies.
Steps to register the OAAM server as a trusted partner of OAM:
- Make sure that the Access Manager server is up and running.
- Open a command prompt and navigate to C:\Oracle\Middleware\Oracle_IDM1\common\bin.
- Start WLST from that directory and connect to the WebLogic Admin Server of the OAM domain.
- In a second command prompt, create the folder for the TAP keystore (C:\Oracle\Middleware\Oracle_IDM1\TAP\TapKeyStore in the command below); the registration writes the keystore into it.
- In WLST, run:
registerThirdPartyTAPPartner(partnerName = "OAAMTAPPartner", keystoreLocation= "C:/Oracle/Middleware/Oracle_IDM1/TAP/TapKeyStore/mykeystore.jks", password="Password123", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://chinni-pc:14300/oaam_server/oamLoginPage.jsp")
You should receive a "Registration successful" message. Replace chinni-pc:14300 with the host and port of your OAAM managed server. The password protects the keystore that holds the shared TAP key: use a strong value of your own (Password123 is only a placeholder) and keep it, because the OAAM-side setup (setupOAMTapIntegration, below) asks for the keystore and its password.
- exit() from the WLST console.
-----------------------------------------------------------------
Setting the Agent Password:
The agent password needs to be set because the integration uses it in several places.
- Log in to the OAM Console --> System Configuration --> Access Manager --> SSO Agents --> OAM Agents --> Search --> open IAMSuiteAgent --> specify the Access Client Password and click Apply.
- Log in to the WebLogic Console --> Security Realms --> myrealm --> Providers --> IAMSuiteAgent --> Provider Specific --> enter the Agent Password and Confirm Password and click Save. Use the same value in both places: the WebLogic IAMSuiteAgent provider authenticates to OAM with this password.
Restart all four servers (Admin Server, OAM managed server, OAAM Admin server and OAAM server).
---------------------------------------------------------------------------
Verify the TAP Partner Registration:
Log in to the OAM Console --> Policy Configuration --> Authentication Schemes --> TAPScheme
Check the following parameters (the Challenge URL and TAPPartnerId must match the tapRedirectUrl path and partnerName passed to registerThirdPartyTAPPartner):
Challenge Mode: DAP
Authentication Module: DAP
Challenge URL: /oaam_server/oamLoginPage.jsp
Challenge Parameters:
TAPPartnerId=OAAMTAPPartner
SERVER_HOST_ALIAS=HOST_ALIAS_1
---------------------------------------------------------------------------
Add the following challenge parameter to the TAP authentication scheme (on a new line); uid must be the LDAP attribute that holds the login ID in the OAM identity store, so that the user name returned by OAAM is matched to the right user:
MatchLDAPAttribute=uid
---------------------------------------------------------------------------
Validate the IAMSuiteAgent Setup:
- Launch OAMTest.jar (the OAM Access Tester) and connect to the OAM server with the IAMSuiteAgent ID and the agent password set above.
- Test the following:
-------------------------------------------------------------------------------
Setting the TAP Integration Parameters in OAAM:
- Make sure that the OAAM managed server is up and running.
- Create a new folder temp under the oaam folder.
- Create oaam_cli under temp and extract the OAAM command-line tools into it.
- Navigate to C:\Oracle\Middleware\Oracle_IDM1\oaam\temp\oaam_cli\conf\bharosa_properties and open oaam_cli.properties in an editor (Notepad).
- Edit the file for your environment.
- From the oaam_cli folder, run setupOAMTapIntegration conf/bharosa_properties/oaam_cli.properties
- Provide the requested details.
--------------------------------------------------------------------
Create a New Resource under the Application Domain:
Log in to the OAM Console --> Policy Configuration --> Application Domains --> Search --> IAM Suite --> Resources tab --> New Resource --> create one resource.
Create an authentication policy that uses TAPScheme and assign the new resource to it.
-----------------------------------------------------------------------------
Testing Scenario (protecting a normal resource with the TAP scheme):
Try to access the normal protected resource.
It should display the OAAM login page instead of the OAM login page.
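The test above, and the earlier check that http://OHSURL:PORT/ is protected at all, can be done without a browser by looking at the redirect chain. The following probe is an added example for this post, not Oracle's code and not the original author's: it requests a URL without auto-following redirects, so every hop is visible, classifies the chain as unprotected, OAM login or OAAM TAP challenge, and decodes the obrareq.cgi query that the WebGate or IAMSuiteAgent builds (the same form as the redirect quoted in the comments below, which tells you which agent and which resource triggered it). The host names, ports, agent name OHS_Agent and redirect chains are constructed for illustration, and the file name tap_probe.py is an assumption.

```python
"""Check how a URL behind OHS/WebGate is protected by walking its redirects.

Added example for this post (not Oracle's code, not the original author's).
Standard library only.  Hostnames, ports and sample chains are constructed.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import unquote_plus, urljoin, urlsplit

OAM_LOGIN = "/obrareq.cgi"                    # OAM front-channel redirect target
OAAM_LOGIN = "/oaam_server/oamLoginPage.jsp"  # TAP scheme challenge URL


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError for 3xx instead of following."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def follow(url, max_hops=5, timeout=10):
    """GET url and return the list of URLs visited, the requested one first."""
    chain = [url]
    for _ in range(max_hops):
        try:
            resp = _opener.open(chain[-1], timeout=timeout)
            status, location = resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:
            status, location = err.code, err.headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


def parse_obrareq(url):
    """Decode an obrareq.cgi redirect into its wh/wu/wo/rh/ru fields.

    The agent URL-encodes 'wh=AGENT wu=/path wo=GET ...' once, so the query
    arrives as 'wh%3DAGENT+wu%3D%2Fpath+wo%3DGET'.  An 11g WebGate sends an
    encrypted 'encquery=...' instead, which comes back as that single key.
    Returns {} for URLs that are not obrareq.cgi redirects.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(OAM_LOGIN):
        return {}
    fields = {}
    for token in unquote_plus(parts.query).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(chain):
    """Classify a redirect chain (first element = requested URL).

    unprotected: served directly, no redirect -> WebGate/policy not in place
    oam:         OAM's own login (obrareq.cgi with no OAAM challenge)
    oaam-tap:    challenge handed to /oaam_server/oamLoginPage.jsp
    other:       redirected somewhere unrelated
    """
    if len(chain) < 2:
        return "unprotected"
    paths = [urlsplit(u).path for u in chain[1:]]
    if any(p.endswith(OAAM_LOGIN) for p in paths):
        return "oaam-tap"
    if any(p.endswith(OAM_LOGIN) for p in paths):
        return "oam"
    return "other"


def report(chain):
    """Summarise a chain: verdict, hop count and the decoded obrareq fields."""
    obrareq = {}
    for hop in chain:
        obrareq = parse_obrareq(hop)
        if obrareq:
            break
    return {"verdict": classify(chain), "hops": len(chain) - 1, "obrareq": obrareq}


if __name__ == "__main__":
    # Usage: python tap_probe.py http://OHSURL:PORT/app/
    for target in sys.argv[1:]:
        print(target, "->", report(follow(target)))
```

A verdict of "oam" after the TAP policy has been applied means the resource is still covered by a policy using the default scheme, or the new resource definition does not match the requested path; "unprotected" means the request never reached a WebGate rule at all. The decoded wu field shows exactly which path the agent thought was requested, which is the first thing to compare against the resource definition in the application domain.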
Document Reference: (for both 11g R2 PS1 and 11g R2)
Hi Ravi,
Hope you are doing good.
Could you please suggest on the following?
I am running into lots of issues while doing a simple Basic Integration of OAM with OAAM 11g. Any suggestion would be highly appreciated.
I am trying to do Basic OAM integration with OAAM 11g; for that I've followed this doc, http://docs.oracle.com/cd/E28280_01/doc.1111/e15740/aam.htm, as I don't find any other docs on Metalink or on the net different from this.
There are certain configuration parameters which are not mentioned in the Oracle docs that I've referenced so far for Basic OAM integration with OAAM (IAM software version: Oracle Identity and Access Management 11g (11.1.2.0.0); OS: RHEL 6).
I got stuck while configuring, or rather finding, IDMDomainAgent as mentioned in the Oracle doc link; instead I find IAMSuiteAgent.
So when I tried to create the resources under IAMSuiteAgent I provided the following information, i.e.
Host Identifier: IAMDomain
Resource URL: /approver/.../* OR Resource URL: /hostname:80/.../*, as I am not sure which URL to mention here. As this is a test server, there is no application there.
I wonder what the value of Resource URL should be in this case?
After that I created a new Authentication Policy under IAM Suite Agent and set the Authentication Scheme to OAAMBasic. But when I tried to create an Authorization Policy under IAMSuiteAgent I get this error:
At least one of the policy rules must hold conditions selected for evaluation.
The following are the steps I've performed so far. This is a single-node installation.
1. Created the required schemas using RCU in Oracle Database 11g.
2. Installed WebLogic Server 10.3.6.
3. Installed Oracle Identity and Access Management 11g (11.1.2.0.0).
4. Configured the OAM and OAAM domains, that is oaam_admin_server1, oaam_offline_server1, oaam_server_server1, oam_server1.
5. Set the OAAMEnabled value in oam-config.xml to true.
6. Configured the DB policy store using /Middleware/Oracle_IAM/common/tools/configureSecurityStore.py ...... successfully.
7. Created the oaamadmin user and assigned the OAAM*in group to it using the WebLogic Admin Console.
After starting all the managed servers with the Admin Server successfully, these are the issues I've encountered:
1. The URL http://hostname:14200/oaam_admin/ is not accessible, as it is getting redirected to the OAM URL http://hostname:14100/oam/server/obrareq.cgi?wh%3DIAMSuiteAgent+wu%3D%2Foaam_admin%2FadfAuthentication+wo%3DGET+rh… even though there is NO OHS and WebGate installed and configured. Could you tell what could be the reason why this oaam_admin URL is not accessible, even though all the managed servers are running fine and there is no error in the managed and Admin Server log files?
2. The URL http://hostname:14300/oaam_server/loginPage.jsp is accessible and I can log in with the oaamadmin user that I've created using the default password test only, not with the password that I've set during the creation of the user oaamadmin. Also, when I tried to set the challenge questions it logged the user out with this error: There was some technical error processing your request. Please try again.
This might well be because I've yet to import or load the necessary policies into the oaam_admin server, whose URL is not accessible....... not sure why.
Also I am supposing that there is NO need to install OHS and configure a WebGate for Basic OAM integration with OAAM on a test server. Please correct.
Thanks
Priya
Great article. How can I provide a forgot password reset capability using that integration?
Hey Jin,
If you are looking for Forgot Password and other advanced password services, you need to integrate OAM with OIM.
OAAM has the capability of validating secret questions but doesn't have any functionality to change passwords, so you need to have OIM in place, or you can have a custom application for changing passwords.
Thanks.