Thursday, May 26, 2016

OIM R2 PS3 Integration with Siteminder

Requirement


  • Oracle Identity Manager is installed and configured.
  • CA Siteminder is installed and configured.
  • The identity population in Oracle Identity Manager is synchronized with the identity information in the LDAP registry used by the SSO provider. Oracle Identity Manager's LDAP synchronization feature can be used for this purpose.
  • The Oracle Identity Manager system administrator (xelsysadm) account must be created in the LDAP repository so that you can perform SSO login to OIM using this administrator account. This account should be created in the same user container that holds the other OIM users in the LDAP repository. Also ensure that the LDAP user attribute that is mapped to the Oracle Identity Manager user login (uid or sAMAccountName) has the value XELSYSADM.
  • The SSO header returned by the SSO provider must contain the username value that maps to the OIM User Login field.

Configuration Steps


 1. Install the Siteminder WebLogic Agent by referring to the Siteminder installation documentation, following the install GUI instructions.

 2. Edit the setDomainEnv.sh file to set the variables, as shown:

    ASA_HOME='PATH_TO_SITEMINDER_AGENT_HOME'
    export ASA_HOME
    SMASA_CLASSPATH="$ASA_HOME/conf:$ASA_HOME/lib/smagentapi.jar:$ASA_HOME/lib/smjavasdk2.jar:$ASA_HOME/lib/sm_jsafe.jar:$ASA_HOME/lib/smclientclasses.jar:$ASA_HOME/lib/sm_jsafeJCE.jar"
    export SMASA_CLASSPATH
    SM_JAVA_OPTIONS=" -Dsmasa.home=$ASA_HOME"
    export SM_JAVA_OPTIONS
    CLASSPATH=${SMASA_CLASSPATH}:${CLASSPATH}
    export CLASSPATH

 3. Edit the startWebLogic.sh file to add SM_JAVA_OPTIONS to the JAVA command, as shown:

    $JAVA_HOME/bin/java ${JAVA_VM} ${MEM_ARGS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${SM_JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}
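
As an added example (not part of the original post), the following POSIX shell script assembles the same SMASA_CLASSPATH that the setDomainEnv.sh step above exports, but first checks that ASA_HOME/conf and every listed jar actually exist, so a wrong ASA_HOME fails with a clear message at startup instead of later as a ClassNotFoundException in the Siteminder providers. The function names sm_build_classpath and sm_export_env are my own, not part of the agent or of WebLogic.

```shell
#!/bin/sh
# Added example, not from the original post: build the SiteMinder ASA
# classpath the way the setDomainEnv.sh step does, but verify every file
# exists first so a typo in ASA_HOME fails fast with a readable message.

# Jars the post's SMASA_CLASSPATH references, relative to ASA_HOME.
SM_REQUIRED_JARS="lib/smagentapi.jar lib/smjavasdk2.jar lib/sm_jsafe.jar lib/smclientclasses.jar lib/sm_jsafeJCE.jar"

# sm_build_classpath ASA_HOME
# Prints the SMASA_CLASSPATH value on success. On failure, lists every
# missing path on stderr and returns 1 (nothing is printed on stdout).
sm_build_classpath() {
    asa_home=$1
    missing=""
    classpath="$asa_home/conf"
    [ -d "$asa_home/conf" ] || missing="$missing $asa_home/conf"
    for jar in $SM_REQUIRED_JARS; do
        if [ -f "$asa_home/$jar" ]; then
            classpath="$classpath:$asa_home/$jar"
        else
            missing="$missing $asa_home/$jar"
        fi
    done
    if [ -n "$missing" ]; then
        echo "sm_build_classpath: missing:$missing" >&2
        return 1
    fi
    printf '%s\n' "$classpath"
}

# sm_export_env ASA_HOME
# Mirrors the exports from the setDomainEnv.sh step, guarded by the check
# above. CLASSPATH gets no trailing ':' when it was previously empty.
sm_export_env() {
    ASA_HOME=$1
    SMASA_CLASSPATH=$(sm_build_classpath "$ASA_HOME") || return 1
    SM_JAVA_OPTIONS=" -Dsmasa.home=$ASA_HOME"
    CLASSPATH="${SMASA_CLASSPATH}${CLASSPATH:+:$CLASSPATH}"
    export ASA_HOME SMASA_CLASSPATH SM_JAVA_OPTIONS CLASSPATH
}

# Stand-alone usage: sh check_asa_env.sh /path/to/asa_home
if [ -n "${1:-}" ]; then
    sm_export_env "$1" && echo "CLASSPATH=$CLASSPATH"
fi
```

The functions can also be sourced into setDomainEnv.sh in place of the bare assignments. One deliberate difference from the post's `CLASSPATH=${SMASA_CLASSPATH}:${CLASSPATH}`: when CLASSPATH was unset that form leaves an empty trailing element, which the Java launcher treats as the current working directory, and a server should not be picking up classes from wherever it happened to be started.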

    4. Edit the ASA_HOME/conf/WebAgent.conf file to change the value of the EnableWebAgent parameter to YES.

    5. Restart all Managed and Admin servers.
    6. Add and configure SiteminderIdentityAsserter and SiteminderAuthenticationProvider in the WebLogic authentication chain. In the Identity Asserter's common configuration, select SMSESSION.

    In the Provider Specific subtab, set the "SMIdentity Asserter Config File:" field to ASA_HOME/conf/WebAgent.conf.

    In SiteminderAuthenticationProvider 'ProviderSpecific', update "SMAuth Provider Config File:" to ASA_HOME/conf/WebAgent.conf.

    7. Remove existing OIMAuthenticationProvider from the authentication chain.

    8. Add OIMSignatureAuthenticator to the authentication chain. Set the control flag to SUFFICIENT. This authenticator is added only to handle signature based login to Oracle Identity Manager.

    9. Add an LDAP Authenticator (OID, iPlanet, and so on) to the authentication chain, and set its control flag to SUFFICIENT. Ensure that this authenticator points to the same LDAP provider that is:

      • synchronized with Oracle Identity Manager, that is, holds the whole OIM identity population
      • used by the Siteminder server for authentication

    The LDAPAuthenticator is needed to handle non-HTTP login requests (for example, login to the OIM Design Console or any other OIM client) and OPSS-based assertion requests.

    10. Rearrange the authentication chain, as listed below.

    Authentication Provider            Control Flag
    --------------------------------   ------------
    SiteminderIdentityAsserter         -
    OIMSignatureAuthenticator          SUFFICIENT
    SiteminderAuthenticationProvider   SUFFICIENT
    LDAPAuthenticator                  SUFFICIENT
    DefaultAuthenticator               SUFFICIENT
    DefaultIdentityAsserter            -

    11. Restart Admin server and all the Managed Servers in the domain.
    12. Configure SSO logout for OIM by using the following commands:

    cd <IDM_ORACLE_HOME>/common/bin
    ./wlst.sh
    connect()
    addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="SITEMINDER_LOGOUT_URL", autologinuri="/obrar.cgi")
    exit()

    Note: The connect() call prompts for the Admin server URL and the WebLogic Admin username and password.

    13. Set the ssoenabled flag for Oracle Identity Manager to true. To do so:

        Log in to Enterprise Manager and open the System MBean Browser.
        Open the oracle.iam:Location=<OIM_SERVER_NAME>,name=SSOConfig,type=XMLConfig.SSOConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.2.0.0 MBean.
        Set the value of ssoEnabled to true.

    Restart the Admin Server and all Managed Servers in the domain.

Protect or unprotect the following Oracle Identity Manager resources on the Siteminder side:

        Protect following resources:

        /identity
        /sysadmin
        /oim
        /xlWebApp
        /Nexaweb

        Unprotect the following URIs:

        /identity/faces/register
        /identity/faces/forgotpassword
        /identity/faces/trackregistration
        /identity/faces/forgotuserlogin
        /identity/faces/accountlocked
        /identity/adfAuthentication
        /identity/afr/blank.html
        /sysadmin/adfAuthentication
        /sysadmin/afr/blank.html
        /sysadmin/faces/noaccess
        /oim/afr/blank.html

        Unprotect the following resources:
        /workflowservice
        /callbackResponseService
        /spml-xsd
        /reqsvc
        /sysadmin/logout
        /identity/logout
        /identity/notification/secure
        /SchedulerService-web
        /wsm-pm
        /workflow
        /soa-infra
        /integration
        /b2b
        /sdpmessaging/userprefs-ui

    To support client-based login to Oracle Identity Manager, smclientclasses.jar must be added to the client classpath. To set the client classpath:

        Go to the OIM_ORACLE_HOME/server/bin/ directory using the cd command.
        Open the setEnv.sh file in the vi editor.
        Add smclientclasses.jar to the end of the CLASSPATH variable. This setting ensures successful client login to Oracle Identity Manager when running most of the client utilities in OIM_ORACLE_HOME/server/bin.

        However, the client classpath must be set separately for the Design Console login to work. To do so:

        Go to the OIM_ORACLE_HOME/designconsole directory.
        Open the classpath.sh file in the vi editor.
        Add smclientclasses.jar to the end of the CLASSPATH variable.

Validation steps post OIM-Siteminder integration:

Validation step 1: End-user login to OIM through SSO

1) Prerequisite: Create an end user (say ENDUSER001) in OIM and LDAP.

2) Try logging in to OIM (through SSO) as the end user just created (ENDUSER001) and check whether the login is successful.

Expected output: Login should be successful.

Validation step 2: Verify that client-based login to OIM works

1) To perform this step, make sure the OIM Design Console is installed and configured. Try logging in to the OIM Design Console as xelsysadm with the SSO password.

Expected output: Login to the Design Console as xelsysadm should be successful (assuming SiteminderAuthenticationProvider is configured properly for SSO login).

Validation step 3: Verify that signature-based authentication works

1. Try accessing the Scheduler service URL. It should be running on the OIM Managed Server port:
   http://OIM_HOST:PORT/SchedulerService-web
2. Log in as xelsysadm (providing xelsysadm's SSO password).
3. If the login is successful and you see the following details on the screen, signature login was successful:
   Scheduler Current Status: STARTED
   Last Error: NONE
4. If the login is successful and the screen shows:
   Scheduler Current Status: STOPPED
   click the START button on the page. If there are no errors on the page, signature login was successful.
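
The validation steps above exercise login paths by hand; the Siteminder policy itself (the protect/unprotect lists earlier on this page) is worth checking mechanically, because a protected resource that is silently left open is exactly the misconfiguration SSO validation tends to miss. The following POSIX shell script is an added example, not part of the original post: it sends an unauthenticated request (no SMSESSION cookie) to every URI from both lists and reports any resource whose observed state differs from the one the post requires. OIM_BASE, SM_LOGIN_MARKER and the function names are my own assumptions; it assumes a forms-based Siteminder scheme that answers unauthenticated requests with a redirect to a login URL containing SM_LOGIN_MARKER.

```shell
#!/bin/sh
# Added example, not from the original post: after the SiteMinder policy
# for the OIM resources is in place, confirm from outside that every URI
# the post lists as protected sends an unauthenticated request to the
# SiteMinder login, and that every URI listed as unprotected does not.
# OIM_BASE and SM_LOGIN_MARKER are assumptions; set them for your site.

OIM_BASE=${OIM_BASE:-http://OIM_HOST:PORT}            # placeholder from the post; set to the OIM managed server
SM_LOGIN_MARKER=${SM_LOGIN_MARKER:-siteminderagent}   # assumed substring of your SiteMinder login redirect URL

# Resources the post says to protect.
PROTECTED="/identity /sysadmin /oim /xlWebApp /Nexaweb"

# URIs and resources the post says to leave unprotected.
UNPROTECTED="/identity/faces/register /identity/faces/forgotpassword \
/identity/faces/trackregistration /identity/faces/forgotuserlogin \
/identity/faces/accountlocked /identity/adfAuthentication \
/identity/afr/blank.html /sysadmin/adfAuthentication \
/sysadmin/afr/blank.html /sysadmin/faces/noaccess /oim/afr/blank.html \
/workflowservice /callbackResponseService /spml-xsd /reqsvc \
/sysadmin/logout /identity/logout /identity/notification/secure \
/SchedulerService-web /wsm-pm /workflow /soa-infra /integration /b2b \
/sdpmessaging/userprefs-ui"

# sm_probe URI: prints "<http status> <redirect URL>" for an unauthenticated
# GET with no SMSESSION cookie. Kept separate so it can be replaced by a
# canned version when exercising the logic without a server.
sm_probe() {
    curl -s -o /dev/null --connect-timeout 5 \
        -w '%{http_code} %{redirect_url}\n' "$OIM_BASE$1"
}

# sm_classify STATUS LOCATION: prints "protected" when the response is a
# redirect to the SiteMinder login, otherwise "unprotected". A redirect to
# anything else (for example OIM's own signed-out page) is not protection.
sm_classify() {
    case "$1" in
        302|303|307)
            case "$2" in
                *"$SM_LOGIN_MARKER"*) echo protected; return 0 ;;
            esac ;;
    esac
    echo unprotected
}

# sm_check_policy: probes every URI, prints one OK/FAIL line each, and
# returns 1 if any resource is not in the state the post requires.
sm_check_policy() {
    rc=0
    for uri in $PROTECTED; do
        set -- $(sm_probe "$uri")
        got=$(sm_classify "$1" "$2")
        if [ "$got" = protected ]; then
            echo "OK   $uri is protected"
        else
            echo "FAIL $uri expected protected, got $got (HTTP $1 $2)"; rc=1
        fi
    done
    for uri in $UNPROTECTED; do
        set -- $(sm_probe "$uri")
        got=$(sm_classify "$1" "$2")
        if [ "$got" = unprotected ]; then
            echo "OK   $uri is unprotected"
        else
            echo "FAIL $uri expected unprotected, got $got (HTTP $1 $2)"; rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: OIM_BASE=http://oimhost:14000 sh check_sm_policy.sh run
if [ "${1:-}" = run ]; then
    sm_check_policy
fi
```

Run it once after the policy change and again after every Siteminder agent or policy server update; a non-zero exit means at least one resource drifted. If your authentication scheme issues a 401 challenge instead of a redirect, extend sm_classify to treat that status as protected.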


