README.html revision 4fe4e4f798a84a46e567f64ceadd3648eb0582d4
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
http-equiv="content-type">
<title>Oracle OpenSSO Integration</title>
</head>
<body>
<h1><small><span style="font-weight: bold;">OpenSSO
Integration with Oracle OpenSSO</span></small><br>
</h1>
===============================================================================<br>
<br>
This README explains the OpenSSO SSO
Integration with Oracle Access Manager (OAM) previously known as Oblix.
The
README must
be read in the context of OpenSSO Integration Document
where the use cases, possible integrations and configurations are
described in detail.<br>
<br>
This README explains the custom codes for e.g. Authentication
Modules, compilation instructions and the configuration of the
auth modules for OpenSSO context. The OpenSSO custom
authentication enables the SSO integration between legacy OAM and
OpenSSO especially when the
deployment contains OAM for protecting existing applications.<br>
<br>
1. Pre-requisites :<br>
==========<br>
<br>
1. opensso.zip - This zip file contains all
the integration souce code, configuration files and ofcourse this
README file along with regular opensso.war<br>
2. Oracle Access Manager 10g (10.1.4.0.1) - The Oracle
Access Manager must be installed and configured. For more details,
check the<br>
Oracle Access Manager Documenation. You can download
from Oracle
Web site for evaluation.<br>
3. Oracle Access Manager SDK
10g(10.1.4.0.1) - The Oracle Access Manager SDK
must be installed and configured. The SDK is required to compile and
<br>
build OpenSSO Authentication
Modules for Oracle Access Manager. <br>
4. Oracle Web Gate installed and configured.<br>
5. OpenSSO C-SDK 2.2<br>
<br>
<br>
2. Brief Description of Contents:<br>
======================<br>
<br>
The opensso/integrations directory contains source and configurations
to compile and build the custom authentication modules and other
plugins.
Check the OpenSSO integration document for your use case and
configure accordingly. This document provides instructions on how to
configure authentication modules<br>
<br>
where the source code and configurations are in place..<br>
<br>
Readme.html - This file.<br>
<br>
build.xml - This file is a build script for building <br>
<br>
config - This directory contains auth module configuration files.<br>
OblixAuthService.xml - This is OAM auth
module configuration file that must be imported into OpenSSO<br>
OblixAuthModule.xml - This file is used for auth
module
call backs for theOAM Auth module it is empty. However, the
file must be used.<br>
OblixAuth.properties - This file is a
properties file that stores i18n keys for OAM authentication
module configuration lables.<br>
<br>
lib - This directory is by default empty . However, this lib directory
must contain all the necessary libraries to compile the source
libraries. They are:<br>
jobaccess.jar (Oracle
OpenSSO SDK jar file)<br>
openfedlib.jar,
servlet .jar file (If
it's Glassfish, it is javaee.jar)<br>
<br>
source - This directory contains all the source files<br>
<br>
The above java source
files are the custom authentication module classes that would be
plugged into OpenSSO for generating OpenSSO Session by<br>
using OAM session.<br>
<br>
SAML2 Plugin Adapter for SAML service providers to do the remote
authentication to<br>
Oracle OpenSSO using OpenSSO
Session.
Essentially these java files are used for usecase2 in OpenSSO
integration
document.<br>
<br>
oamauth- This directory contains source files for OAM Auth
Scheme for OpenSSO. This is a C-based auth module and
leverages OpenSSO C-SDK for validation.<br>
implements OAM custom authentication for OpenSSO.<br>
header files that are required to compile auth scheme.<br>
Sample OpenSSO Agent Configuration file. This is required for the auth
scheme to validate OpenSSO session.<br>
<br>
<br>
3: How to build:<br>
===========<br>
<br>
1. Make sure all the Oracle Access Manager libraries and OpenSSO
libraries
present in lib directory as mentioned above.<br>
<br>
2. Use "ant" script to build the source files. A compatible
ant must be installed and configured in the PATH.<br>
<br>
should build all the source files and generates fam_oam_integration.jar
under<br>
<br>
For building OAM authentication scheme, you must customize the
makefile. Also since this is C-based auth module, it is OS dependent.<br>
<br>
1. The auth scheme files are located under
<br>
2. Download and configure OpenSSO C-SDK 2.2 version. The authn_api.c
contains a reference to AMAgent.propeties file , so modify accordingly.<br>
<br>
3. Customize makefile for your environment for e.g. gcc compile
location. Also edit the LDFLAGS to point to your OpenSSO C-SDK lib
directory.<br>
<br>
4. make command should result in authn_api.so file.<br>
<br>
4. OpenSSO Installation and Configuration with OAM AuthModule:<br>
==============================================<br>
<br>
<br>
area and is represented with a marco $WAR_DIR <br>
<br>
2. Copy
<br>
<br>
<br>
<br>
6. Deploy opensso.war onto OpenSSO web container. The deployment is
self
explanatory. Please check the web container documentation for war<br>
deployment.<br>
<br>
7. Access the deployed opensso directory <br>
<br>
8. Accessing deployed application redirects to opensso configurator.
Choose custom configuration. By default OpenSSO uses embedded directory<br>
server for configuration, however, you could choose to use existing or
a new directory server instance for configuration. <br>
<br>
Note: The OpenSSO can be configured to use various
user repository for validating the user existance, however, you could
also choose to ignore profile. <br>
<br>
9. After successful configuration, the configuration redirects to a
user login and verify your administrator credentials. <br>
<br>
5. OAM Auth module configuration:<br>
========================<br>
<br>
Now we have to load the OAM authentication module service
into Open SSO and configure for the SSO integration. The auth
module service<br>
is loaded from a OpenSSO command line utility called as "ssoadm". For
OpenSSO,
the ssoadm utitily is exposed in both console mode and browser based<br>
interfaces. Here we will use use browser based ssoadm for OpenSSO
configuration changes.<br>
<br>
1. Login into OpenSSO using amadmin<br>
<br>
2. Now access the following URL<br>
<br>
3. Choose create-service option. <br>
<br>
4. Copy and paste the xml file from
Submit<br>
This will load the auth module service into OpenSSO configuration.<br>
<br>
5. Register the auth module into the authentication core framework. <br>
<br>
Choose register-auth-module option.<br>
auth module class name.<br>
<br>
6. Now verify that the auth module is registered to the default realm.
http://<host>:<port>/opensso, click on default realm, and
click on<br>
"authentication" tab, create new AuthModule as "OblixAuth" and choose
OblixAuthModule<br>
<br>
7. Click on OblixAuth auth module<br>
<br>
8. Most of the Oblix Auth params are self explanatory. This requires
OAM SDK directory and make sure that ObAccessClient.xml
(located under $OAMSDK/<br>
OpenSSO SDK, check the Oracle Documentation<br>
<br>
<br>
<br>
6. OAM Auth Module Testing:<br>
====================<br>
<br>
The testing of OAM auth module assumes that Oracle Access Manager SDK
is already
installed and configured. <br>
<br>
<br>
2. Restart the OpenSSO web container with LD_LIBRARY_PATH set and make
sure that container is loaded with these Oblix SDK shared libs.<br>
<br>
3. Now access the Oblix protected application and login with
Oblix configured user to establish ObSessionCookie. The configuration<br>
of oblix policy and authentication schemes are outside scope of
this documentation and please check Oracle Access Manager documentation
for more <br>
information. Also, check the OpenSSO integration guide for sample
configuration.<br>
<br>
4. By default OpenSSO authentication framework looks for user profile
existance in it's known data repositories. However, you could use
ignoreProfile<br>
option if your integration does not require a user to be searched from
Oblix's user repository. Check the OpenSSO documentation for more info<br>
<br>
Admin Console -> Configuration -> Global -> Authentication
-> Core -> User Profile required : Change it to dynamic or
ignored option<br>
if the repository of Oracle Access Manager is not same as OpenSSO.<br>
<br>
5. After successful authentication at Oracle OpenSSO, access the
OpenSSO
auth module url as follows:<br>
<br>
<br>
This should provide a valid OpenSSO session.<br>
<br>
Note: Assumption here is that OAM and OpenSSO are in the same
physical domain. <br>
<br>
By default OpenSSO authentication framework looks for user profile
existance in it's known data repositories. However, you could use
ignoreProfile<br>
option if your integration does not require a user to be searched from
Oracle Access Manager's user repository. Check the OpenSSO documentation<br>
for more info about ignoreProfile option.<br>
<br>
7. Installation of OAM AuthScheme into Oracle OpenSSO:<br>
=========================================<br>
<br>
This section is for a use case where the OAM session needs to be
generated upon validating OpenSSO session. Check the integration
document for<br>
use case descriptions. The OAM Auth Schemes are exposed as C Auth
modules and this auth scheme uses OpenSSO C-SDK 2.2 version to validate<br>
OpenSSO Session.<br>
<br>
The OpenSSO Auth Scheme in OAM uses a configuration OpenSSO client side
configuration in AMAgent.properties and this must need to be customized<br>
before configuring the auth module. The build instructions specify the
location of this file.<br>
<br>
The compiled authn_api.so and other C-SDK libraries must need to be
Auth Scheme. The integration guide shows a sample screen shot how
to configure the Oracle Auth Scheme.<br>
<br>
<br>
<br>
<br>
</body>
</html>