Detached Credential Collector Configuration – OAM 11GR2

Introduction

The Detached Credential Collector (DCC) was introduced in the OAM 11GR2 release, and the documentation, http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/sso.htm#AIAAG6691, explains in detail how to deploy it in various architecture scenarios. As a complement to the documentation, this blog post clarifies the configuration steps.

Main Article

The following steps presume that your deployment uses Open mode communication, and that an 11G Webgate is already registered with the OAM Server.

A. Enable credential operations for an existing 11G Webgate

Using the Oracle Access Management Console, find and open the page for the 11.1.2 Webgate that will function as the DCC:

  • Click on System Configuration tab
  • Click Access Manager
  • Expand the SSO Agents node
  • Double-click on OAM Agents
  • Click on Search
  • Click on the Webgate (for example, one named RREG_OAM11G)
  • Check the box beside Allow Credential Collector Operations.
  • Click Apply.

Here is the snapshot of the above configuration:

[Snapshot 1]

B. Invoke the right perl executable

Ensure that the path to the perl executable given in the perl scripts is correct. For example, if the Webgate is installed in $MW_HOME/Oracle_OAMWebGate1, the perl scripts for DCC-based login are located under $MW_HOME/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin. On most Unix-based systems the perl executable is located at /usr/bin/perl by default; this can be verified with the command “which perl” on the OAM Server. However, the perl scripts themselves point to /usr/local/bin/perl.

To make sure that the scripts execute correctly, there are two choices:

  • Create a symbolic link at /usr/local/bin/perl so that it points to the perl binary under /usr/bin/.
  • Or alter the first line of each script so that it points to the correct location of perl, that is, replace the line #!/usr/local/bin/perl with #!/usr/bin/perl.
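The second option, scripted, as an added example that is not part of the original post or of the Oracle Webgate distribution. It assumes the scripts live in the oamsso-bin directory quoted above (passed as the first argument), that the correct interpreter is whatever `command -v perl` returns on the host, and that only files whose first line is a `#!` line should be rewritten; a `.orig` copy of each script is kept so the change can be reverted.

```shell
#!/bin/sh
# Added example (not from the original post): point the DCC perl scripts at the
# perl binary actually installed on the host instead of the hard-coded
# /usr/local/bin/perl. Directory and interpreter path are assumptions passed in
# by the caller, e.g.:
#   fix_perl_shebang "$MW_HOME/Oracle_OAMWebGate1/webgate/ohs/oamsso-bin" "$(command -v perl)"

# Print the interpreter path named on the first line of a script
# (e.g. /usr/local/bin/perl for the stock login.pl), or nothing if there is no #! line.
script_perl_path() {
  head -n 1 "$1" | sed -n 's/^#!\([^ ]*\).*/\1/p'
}

# Rewrite the #! line of every *.pl in a directory to the given interpreter.
# Files without a #! first line are left alone; a backup is kept as <file>.orig.
fix_perl_shebang() {
  dir=$1
  perl_path=$2
  for f in "$dir"/*.pl; do
    [ -f "$f" ] || continue
    case "$(head -n 1 "$f")" in
      '#!'*) ;;
      *) continue ;;
    esac
    cp "$f" "$f.orig"
    # New first line, then the rest of the original script unchanged.
    { printf '#!%s\n' "$perl_path"; tail -n +2 "$f.orig"; } > "$f"
  done
}

# Report any script whose interpreter does not exist on this host.
# Returns 0 when every script points at an executable interpreter, 1 otherwise.
check_perl_shebangs() {
  dir=$1
  actual=$(command -v perl || echo "perl not found")
  rc=0
  for f in "$dir"/*.pl; do
    [ -f "$f" ] || continue
    expected=$(script_perl_path "$f")
    if [ -z "$expected" ] || [ ! -x "$expected" ]; then
      echo "$f: expects '$expected' (not executable here); host perl is $actual"
      rc=1
    fi
  done
  return $rc
}
```

Run `check_perl_shebangs` first to see which scripts would fail to start; after `fix_perl_shebang` it should return 0, which is the same thing the “which perl” check in the text establishes by hand.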

C. Configure the Authentication Scheme for DCC

Configure a new authentication scheme as follows:

  • Click on Authentication Scheme
  • Click on + at the top to add a new Authentication Scheme
  • A page will open for the new authentication scheme; fill in the fields as follows:
  • Name: DCC AuthScheme [it can be anything]
  • Authentication Level: 2
  • Challenge Method: FORM
  • Challenge Redirect URL: http://oam.oracleateam.com:7778 [Note: this is the URL of the OHS Server where the Webgate is configured for DCC]
  • Authentication Module: LDAP [if the LDAP authentication module is the authentication engine]
  • Challenge URL: /oamsso-bin/login.pl
  • Context Type: select the blank entry
  • Click Apply

Here is the snapshot for the above configuration:

[Snapshot 2]

D.  Configure the Authentication Policy for the Protected Resource

Go to the Authentication Policy and make sure that you choose the “DCC AuthScheme” as the authentication scheme for the Protected Resource Policy. A typical snapshot would be as follows:

[Snapshot 3]

Now restart the OAM Server and test the above configuration. Create a sample page, for example test.html, in the OHS document root, and try to access it at http://oam.oracleateam.com:7778/test.html

This will redirect you to the following login page as shown below:

[Snapshot 4]

Note that the redirection URL is as follows:
http://oam.oracleateam.com:7778/oamsso-bin/login.pl?resource_url=http%3A%2F%2Foam.oracleateam.com%3A7778%2Ftest.html
The above URL shows that you have been directed to the Detached Credential Collector. Now if you enter the credentials correctly, you should be able to access the test.html page.

Comments

  1. Ashrafuddin Mohammed says:

    After submitting credentials in the last step, the user is redirected to this page :
    http://ohs_host:ohs_port/oam/server/auth_cred_submit
    This seems to be the default action URL and is protected by OAM.
    But why would it not redirect to resource after authentication?
    The logs in OAM show:

    The ohs host and port have been added to host name variations for the resource app domain.
