Adding Oracle Identity Federation to an Existing Fusion Applications Deployment Part 1

Introduction

This guide is meant for existing FA customers who have deployed FA without OIF and who now wish to add this security component to the deployment to provide federated SSO to FA. Customers who have not yet begun their deployment can and should follow the Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) for the FA Release that they are deploying. The content of this article was generated using an FA Release 5 (11.1.5) environment, and it applies to FA versions 11.1.3 through 11.1.6. For those who are performing this on FA version 11.1.3 or 11.1.4, the EDG for FA version 11.1.5 should be referenced for additional information on the OIF deployment.

This article assumes that the implementer is conversant with OIF version 11.1.1.6.0, and is capable of configuring the product in the role of a federation Service Provider for a SAML 2.0 SP-initiated POST profile with an enterprise Identity Provider that is enabled for SAML 2.0.

Finally, the steps below are for a deployment on Oracle Enterprise Linux, and the steps for other operating systems will differ slightly.

Main Article

It should be noted first that this enhancement does not require any software installation – OIF is bundled in the Oracle IDM Suite, which includes OID, OVD and ODSM. The addition of OIF to the FA deployment only requires the creation and configuration of the OIF runtime from the OIF binaries that are already present.

In order to create and configure the OIF runtime, the following requirements must be met:

1. Ability to log in to the host server that the IDM components were installed on as the installer account (e.g., “oracle”)
2. Ability to run a GUI-based application on the host server console (e.g., via VNC)
3. Connection string and SYS account credentials for the IDM database(s)
4. WebLogic and OAM admin credentials for the FA IDM Domain
5. An enterprise IDP configured for SAML 2.0, along with the metadata for the IDP in an XML file available for import to the FA OIF instance
6. A person with access to the enterprise IDP who is able to configure a SAML 2.0 federation with the FA OIF instance and import the SP metadata from the FA OIF instance

Task Overview

1. Check For/Install OIF Database Schema
2. Create OIF WebLogic Cluster
3. Create OIF Runtime Instance
4. Configure OIF
5. Loopback Test
6. Import/Export Metadata for Enterprise Federation
7. Test Federated SSO with Enterprise IDP
8. Switch FA to Federated SSO

Check For/Install OIF Database Schema

The fastest way to determine if the OIF schema is present is to connect to the database (e.g., via sqlplus) and list the users. The following is an example of such a query:

[oracle@tester bin]$ ./sqlplus /nolog
SQL*Plus: Release 11.2.0.3.0 Production on Sun Jul 7 22:49:35 2013
Copyright (c) 1982, 2011, Oracle. All rights reserved.
SQL> connect / as sysdba
Connected.
SQL> select * from all_users;
USERNAME                          USER_ID CREATED
------------------------------ ---------- ---------
ODSSM                                  89 24-JAN-13
ODS                                    88 24-JAN-13
SCOTT                                  83 17-SEP-11
OWBSYS                                 78 17-SEP-11
APEX_030200                            77 17-SEP-11
APEX_PUBLIC_USER                       75 17-SEP-11
FLOWS_FILES                            74 17-SEP-11
MGMT_VIEW                              73 17-SEP-11
SYSMAN                                 71 17-SEP-11
SPATIAL_CSW_ADMIN_USR                  69 17-SEP-11
SPATIAL_WFS_ADMIN_USR                  66 17-SEP-11
MDDATA                                 64 17-SEP-11
OWBSYS_AUDIT                           82 17-SEP-11
OLAPSYS                                60 17-SEP-11
MDSYS                                  57 17-SEP-11
SI_INFORMTN_SCHEMA                     56 17-SEP-11
ORDPLUGINS                             55 17-SEP-11
ORDDATA                                54 17-SEP-11
ORDSYS                                 53 17-SEP-11
ANONYMOUS                              46 17-SEP-11
XDB                                    45 17-SEP-11
CTXSYS                                 43 17-SEP-11
EXFSYS                                 42 17-SEP-11
XS$NULL                        2147483638 17-SEP-11
WMSYS                                  32 17-SEP-11
APPQOSSYS                              31 17-SEP-11
DBSNMP                                 30 17-SEP-11
ORACLE_OCM                             21 17-SEP-11
DIP                                    14 17-SEP-11
OUTLN                                   9 17-SEP-11
SYSTEM                                  5 17-SEP-11
SYS                                     0 17-SEP-11
EDG_SOAINFRA                           92 24-JAN-13
EDG_ORASDPM                            91 24-JAN-13
EDG_IAU_VIEWER                         87 24-JAN-13
EDG_IAU_APPEND                         86 24-JAN-13
EDG_IAU                                85 24-JAN-13
EDG_MDS                                84 24-JAN-13
EDG_OAM                                90 24-JAN-13
EDG_OIM                                93 24-JAN-13
40 rows selected.

Note in this example that the schema prefix in use for the IDM components is “EDG” and that the OIF schema user (EDG_OIF) is not present. If the schema is present, then the following step to install it can be skipped.

Installing the OIF Schema

The OIF database schema is installed using the FMW RCU that is included in the FA install binaries. Note that this is a GUI-based installer. The RCU is started as follows:

oif_blog_rcu_install001


Click Next:

oif_blog_rcu_install002


Select Create and click Next:

oif_blog_rcu_install003

Enter the database connection details and click Next:

oif_blog_rcu_install004

Click OK when the prerequisite checks are complete:

oif_blog_rcu_install005

Select the prefix that was used for the other IDM components (e.g., ‘EDG’), select Oracle Identity Federation, and click Next:

oif_blog_rcu_install006

Click OK when the prerequisite checks are complete:

oif_blog_rcu_install007

Enter the password for the OIF schema owner and click Next:

oif_blog_rcu_install008

Click Next:

oif_blog_rcu_install009

Click OK at the prompt:

oif_blog_rcu_install010

Click OK when the tablespaces are created:

oif_blog_rcu_install011

Click Create:

oif_blog_rcu_install012

Confirm that the final status is ‘Success’ and click Close:

oif_blog_rcu_install013

Connect to the database again and confirm that the OIF schema owner is now present:

oif_blog_rcu_install014


Create OIF WebLogic Cluster

For FA, the managed servers for all IDM components (OAM, OIM, SOA) are deployed as clustered servers. This section outlines the steps for adding an OIF cluster to the existing IDM domain.

Open a browser and go to the WLS Administration Console, logging in as the WLS administrator (e.g., ‘weblogic’):

fed015

Under Environment, click on Clusters:

fed016

Click on Lock and Edit, then click on New:

fed017

Enter ‘cluster_oif’ for the cluster name and click OK:

fed018

Click Activate Changes:

fed019

The Clusters page should now look like this:

fed020


Create OIF Runtime Instance

When the IDM Suite (OID, OVD, ODSM) is installed for FA, the OIF binaries are installed as well because they are part of that software suite. This means that one only needs to create and configure the OIF runtime instance in the IDM Domain. This is done with the config.sh utility, and care should be taken to use the correct one as there are a number of versions of config.sh under the Middleware Home. Note that config.sh is a GUI application. In this case, the one that must be run is in the bin directory under the IDM Oracle Home:

fed021

Click Next:

fed022

Select Extend Existing Domain and enter the connection details for the AdminServer of the IDM Domain and click Next:

fed023

Click Yes at the warning prompt (this is a benign error):

fed024

The Weblogic Server Directory should be pre-populated with the correct value, and this should be confirmed. The Oracle Instance Location should match the instance locations of the other IDM components (e.g., /u01/app/oracle/admin/<IDM instance name>) and this should be changed if necessary. The Oracle Instance Name should be set to ‘wls_oif1’. Make all necessary changes and click Next:

fed025

Complete the Security Updates information and click Next. This option was de-selected because this was a lab deployment:

fed026

De-select all components, and then select only Oracle Identity Federation, select Clustered, and click Next:

fed027

If a staticports.ini file has been prepared, select this and browse to the file. Otherwise, select Auto Port Configuration and click Next:

fed028

Enter a password for the default keystore, and a name for the Server ID (e.g., WLS_OIF1). Note that the Server ID is only used by the OIF application to identify servers in the cluster and is not related to the name of the OIF managed server. Click Next:

fed029

Select ‘LDAP’ for Authentication Type and User Store, and ‘RDBMS’ for Federation Store and click Next (note that the other options are disabled for a clustered installation):

fed030

Enter the following information for the authentication LDAP store (the first of two LDAP screens, corresponding to the Authentication Type selection):

LDAP Type: Select Oracle Virtual Directory
LDAP URL: The LDAP URL to connect to your LDAP store in the format: ldap://host:port or ldaps://host:port, e.g., ldap://idstore.mycompany.com:6501
LDAP Bind DN: The account that OIF will use to connect to OVD, e.g., cn=orcladmin
LDAP Password: The password for the bind account
User Credential ID Attribute: uid
User Unique ID Attribute: uid
Person Object Class: inetOrgPerson
Base DN: The directory root of OVD, e.g., dc=mycompany,dc=com

and click Next:

fed031

Enter the following information for the user store LDAP (the second LDAP screen, corresponding to the User Store selection; the values are the same as on the previous screen):

LDAP Type: Select Oracle Virtual Directory
LDAP URL: The LDAP URL to connect to your LDAP store in the format: ldap://host:port or ldaps://host:port, e.g., ldap://idstore.mycompany.com:6501
LDAP Bind DN: The account that OIF will use to connect to OVD, e.g., cn=orcladmin
LDAP Password: The password for the bind account
User Credential ID Attribute: uid
User Unique ID Attribute: uid
Person Object Class: inetOrgPerson
Base DN: The directory root of OVD, e.g., dc=mycompany,dc=com

and click Next:

fed032

Enter the connection details for the OIF database and the OIF schema owner username and password and click Next:

fed033

Enter the connection details for the OIF database and the OIF schema owner username and password and click Next:

fed034

Review the installation summary and click Configure:

fed035

Confirm that all steps were successful and click Next:

fed036

Click Finish:

fed037


Validating the Installation

Open a browser and go to the WLS Administration Console, logging in as the WLS administrator (e.g., ‘weblogic’):

fed038

Under Environment, click on Clusters:

fed039

You should now see ‘wls_oif1’ as a member of ‘cluster_oif’:

fed040

Under Environment, click on Servers. You should now see wls_oif1 in a ‘RUNNING’ state:

fed041

Go to the EM Fusion Middleware Control Console, logging in as the WLS administrator (e.g., ‘weblogic’):

fed042

Note that, in the Fusion Middleware frame on the right, cluster_oif and wls_oif1 will now be present under the WebLogic Domain. Note also that there is a message stating ‘Targets not being monitored due to invalid configuration (1)’. This is a hyperlink — click it:

fed043

For the Identity Federation Server, click the Configure icon:

fed044

For Weblogic Monitoring User Name and Weblogic Monitoring Password, enter the username (e.g., weblogic or weblogic_idm) and password of the monitoring account and click OK:

fed045


Configure OIF

This section details the specific configuration required for the FA OIF instance.

Update WebLogic Configuration

In a terminal window, set the following environment variables:

DOMAIN_HOME: The domain home path, e.g., /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain
ORACLE_HOME: The IDM Oracle Home, e.g., /u01/app/oracle/product/fmw/idm
IDM_ORACLE_HOME: The IDM Oracle Home, e.g., /u01/app/oracle/product/fmw/idm

Go to $IDM_ORACLE_HOME/fed/scripts and run setOIFEnv.sh (note that this needs to be run as ‘. ./setOIFEnv.sh’):

fed046

fed047

Go to $MW_HOME/oracle_common/common/bin and start wlst.sh:

fed048

Connect to the wls_oif1 managed server as 'weblogic':

e.g., connect('weblogic','Welcome1','t3://tester.mycompany.com:7499')

fed049

Execute the following command:

setConfigProperty('datastore','userldaphaenabled','true','boolean')

fed050

Confirm by running the following command:

getConfigProperty('datastore','userldaphaenabled')

fed051

Execute the following command:

getConfigProperty('authnengines','ldaphaenabled')

fed052

If the returned value is false, execute the following command and confirm via getConfigProperty:

setConfigProperty('authnengines','ldaphaenabled','true','boolean')

fed053

Go to $DOMAIN_HOME/config/fmwconfig/servers/wls_oif1 and delete the ‘applications’ directory:

fed054


Update OHS Configuration for the IDM WebTier

The OHS configuration needs to be updated so that OIF can be reached via the ‘sso’ virtual webhost (e.g., sso.mycompany.com). In a terminal window, go to the ‘moduleconf’ directory for the IDM WebTier (e.g., /u01/app/oracle/admin/web1/config/OHS/ohs1/moduleconf). Open the configuration file for the sso webhost (e.g., sso_vh.conf) in an editor:

fed055

Add the following Location block after the last Location block in this file:

# OIF configuration
<Location /fed>
SetHandler weblogic-handler
WLProxySSL OFF
WLProxySSLPassThrough OFF
WebLogicCluster OIMHOST1VHN.mycompany.com:7499
</Location>

fed056

Restart OHS so that the configuration change is loaded:

fed057


Set OIF Server Properties

Open a browser and go to the EM Fusion Middleware Control Console, logging in as the WLS administrator (e.g., ‘weblogic’):

fed058

Navigate to Farm_IDMDomain > OIF(11.1.1.2.0), then right-click on OIF(11.1.1.2.0) and go to Administration > Server Properties. Enter the ‘sso’ webhost for Host, and the listen port for Port and SOAP Port and click Apply:

fed059

The following confirmation will be displayed:

fed060

Right-click on OIF(11.1.1.2.0) and go to Administration > Data Stores:

fed061

Click Edit for the User Data Store:

fed062

Select ‘LDAP’ for Repository Type and enter the following information:

Connection URL(s): The LDAP URL to connect to your LDAP store in the format: ldap://host:port or ldaps://host:port, e.g., ldap://idstore.mycompany.com:6501
Bind DN: The account that OIF will use to connect to OVD, e.g., cn=orcladmin
Password: The password for the bind account
User ID Attribute: uid
User Description Attribute: uid
Person Object Class: inetOrgPerson
Base DN: The directory root of OVD, e.g., dc=mycompany,dc=com

Leave the remaining values at their default and click Test LDAP Connection:

fed063

Click OK:

fed064

Click Edit for the Federation Data Store:

fed065

Select ‘Database’ for Repository Type and enter the following information:

JNDI Name: oracle/security/fed/feddatastore

and click Test Database Connection:

fed066

Click OK:

fed067

Click Edit for the Session Data Store and Message Data Store:

fed068

Select ‘Database’ for Repository Type and enter the following information:

JNDI Name: oracle/security/fed/feddatastore

and click Test Database Connection:

fed069

Click OK:

fed070

Click Edit for the Configuration Data Store:

fed071

Select ‘Database’ for Repository Type and enter the following information:

JNDI Name: oracle/security/fed/feddatastore

and click Test Database Connection:

fed072

Click OK:

fed073

At this point, restart the OIF managed server.

Validate OIF SP Metadata

The OIF SP Metadata should now be available from both the direct WLS port (7499) and via the ‘sso’ webhost. Open a web browser and navigate to the following URL (note that this example URL should be modified to reflect the host server for the implementation):

http://tester.mycompany.com:7499/fed/sp/metadata

fed074

Now use the ‘sso’ webhost URL:

http://sso.mycompany.com:7777/fed/sp/metadata

fed075
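Beyond confirming that the metadata loads, it is worth checking what it advertises: the IDP will send the user's browser to the endpoint URLs in this document, so after the Server Properties change they must carry the ‘sso’ webhost rather than the managed server's direct port. The following check is an added example, not code from the article or from OIF; the two metadata documents are constructed samples that reuse the article's example hostnames, and the signing flags it checks are hardening expectations for this check, not OIF defaults.

```python
# Added example: validate OIF SP metadata (as served from /fed/sp/metadata)
# for endpoint consistency with the 'sso' webhost before handing it to the IDP.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (not real OIF output) using the article's example hosts.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="%s"
  entityID="http://sso.mycompany.com:7777/fed/sp">
 <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="http://sso.mycompany.com:7777/fed/sp/samlv20"/>
  <md:AssertionConsumerService Binding="%s"
    Location="http://sso.mycompany.com:7777/fed/sp/samlv20" index="1"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD_NS, POST_BINDING)

# Same document, but the ACS still points at the managed server's direct port.
LEAKY_METADATA = GOOD_METADATA.replace(
    'http://sso.mycompany.com:7777/fed/sp/samlv20" index',
    'http://tester.mycompany.com:7499/fed/sp/samlv20" index')


def check_sp_metadata(xml_text, expected_host, direct_port=7499):
    """Return a list of findings; an empty list means the metadata is consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    sp = root.find("{%s}SPSSODescriptor" % MD_NS)
    if root.tag != "{%s}EntityDescriptor" % MD_NS or sp is None:
        return ["not SAML 2.0 SP metadata (no EntityDescriptor/SPSSODescriptor)"]
    if urlparse(root.get("entityID", "")).hostname != expected_host:
        findings.append("entityID does not use host %s" % expected_host)
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag) != "true":  # hardening expectation, not an OIF default
            findings.append("%s is not 'true'" % flag)
    post_acs = False
    for el in sp.iter():
        loc = el.get("Location")
        if loc is None:
            continue
        url = urlparse(loc)
        # An internal host or the bare WLS port here would make the IDP send
        # the browser to an address that bypasses OHS (and may be unreachable).
        if url.hostname != expected_host or url.port == direct_port:
            findings.append("%s endpoint %s bypasses the sso webhost"
                            % (el.tag.split("}")[1], loc))
        if el.tag == "{%s}AssertionConsumerService" % MD_NS \
                and el.get("Binding") == POST_BINDING:
            post_acs = True
    if not post_acs:  # SP-initiated POST profile needs a POST-binding ACS
        findings.append("no AssertionConsumerService with HTTP-POST binding")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("leaky", LEAKY_METADATA)):
        print(name, check_sp_metadata(doc, "sso.mycompany.com") or "OK")
```

To run it against a live instance, pass the body fetched from http://sso.mycompany.com:7777/fed/sp/metadata as xml_text.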


Configure OIF-OAM Integration

This section details the configuration changes required to enable federated SSO into FA. In a terminal window, set the following environment variables:

DOMAIN_HOME: The domain home path, e.g., /u01/app/oracle/admin/IDMDomain/aserver/IDMDomain
ORACLE_HOME: The IDM Oracle Home, e.g., /u01/app/oracle/product/fmw/idm
IDM_ORACLE_HOME: The IDM Oracle Home, e.g., /u01/app/oracle/product/fmw/idm

Go to $IDM_ORACLE_HOME/fed/scripts and run setOIFEnv.sh (note that this needs to be run as ‘. ./setOIFEnv.sh’):

fed076

Go to $IDM_ORACLE_HOME/fed/scripts/oam and open setupOIFOAMIntegration.py in an editor:

fed077

Locate the following line (should be line 240):

setConfigProperty("spengines","oam11guniqueuserid", "cn","string")

fed078

Replace “cn” with “uid” and save the file:

fed079

Run the following command (note that the syntax, while unusual, is in fact correct):

oifHost=tester.mycompany.com oifPort=7499 oamAdminHost=tester.mycompany.com oamAdminPort=7001 agentType=webgate11g ./setupOIFOAMConfig.sh

fed080

The script will prompt for the OIF admin username/password (e.g., weblogic) and the OAM username/password (e.g., oamadmin):

fed081

The script will show the following upon successful completion:

fed082


Configure OAM Policy for Federated SSO

Before changing the OAM policies for FA, a backup of the OAM policies should be performed. In a terminal window, go to $IAM_ORACLE_HOME/common/bin (e.g., /u01/app/oracle/product/fmw/iam/common/bin) and run setOAMWlstEnv.sh (note that it needs to be run as ‘. ./setOAMWlstEnv.sh’):

fed083

Run wlst.sh from the same directory:

fed084

Connect to the IDM Domain AdminServer with the following command (substitute real values in the following example):

connect('weblogic','Welcome1','t3://tester.mycompany.com:7001')

fed085

Execute the following command:

exportPolicy(pathTempOAMPolicyFile='/tmp/oam_policy_export.xml')

fed086

Exit from WLST:

fed087

Open a browser and go to the OAM Administration Console, logging in as the OAM administrator (e.g., ‘oamadmin’):

fed088

Navigate to Authentication Schemes > OIFScheme and open it:

fed089

Change Challenge URL to http://sso.mycompany.com/fed/user/spoam11g and click Apply:

fed090


Please proceed to Part 2 of this article by clicking here.
