OAM 11g - BPM Integration
This blog highlights the steps required for enabling single sign-on for the BPM components of SOA Suite. It assumes that OAM 11g is already in place and is being used as the enterprise single sign-on solution. Following are the high-level steps to achieve SSO for BPM.
Prerequisites
1. OAM, OHS and WebGate installed and configured.
2. WebGate registered with OAM.
Detailed Steps
Register resources with the URLs you want to protect.
Log into the OAM Console.
Policy Configuration -> Application Domains -> Application Domain Name -> Resources -> Open
Create – ‘New Resource’
Define the following resources, based on these common parameters:
- Resource Type – HTTP
- Host Identifier – WebgateHostName (can be found under the Shared Components -> Host Identifiers tab).
BPM contribution Resources:
Resource URL | Protection Level | Authentication Policy | Authorization Policy
/bpm/composer | Protected | Protected Resource Policy | Protected Resource Policy
/bpm/workspace | Protected | Protected Resource Policy | Protected Resource Policy
/integration/worklistapp | Protected | Protected Resource Policy | Protected Resource Policy
/integration/worklistapp/…/* | Protected | Protected Resource Policy | Protected Resource Policy
The next step is to configure an OAM Identity Asserter and an OID/OVD provider in WebLogic.
1. Define the OAM Identity Asserter in the BPM Admin Console
a. Lock & Edit
b. Security Realms -> myrealm -> Providers
c. New
   Provider Name – OAM Identity Asserter
   Type – OAMIdentityAsserter
   OK. You will go back to the Provider List.
d. Click ‘OAM Identity Asserter’
   Control Flag – REQUIRED
   Move Active Types to Chosen -> OAM_REMOTE_USER and ObSSOCookie
   Save.
   Click on the Provider Specific tab and fill in the OAM servers and the OAM server header name.
In our case OID was the user store, hence we configured an OID Authenticator. Create a new provider, OID Authenticator, choosing the type OIDAuthenticator. Click on the Provider Specific tab and fill in the following details:
User Base DN: cn=users,dc=dev
All Users Filter: (&(cn=*)(objectclass=person))
User From Name Filter: (&(cn=%u)(objectclass=person))
User Search Scope: subtree
User Name Attribute: cn
User Object Class: person
Group Base DN: cn=groups,dc=dev
All Groups Filter: (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
Group From Name Filter: (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup)))
Group Search Scope: Subtree
Group Membership Searching: unlimited
a. Click ‘OID Authenticator’
   Control Flag – SUFFICIENT
   Save. Go back to the Provider List.
b. Click ‘Reorder’
   Move ‘OAM Identity Asserter’ to the top of the list, followed by OID Authenticator.
Activate the changes and restart the servers.
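To make the "User From Name Filter" and "Group From Name Filter" settings above concrete, the following added example (not part of the original post) expands the %u and %g placeholders from those exact filter strings and evaluates the result with a small filter interpreter over a constructed in-memory directory under the post's base DNs. The interpreter, the RFC 4515 escaping of the substituted name, and the sample entries are this example's own; they illustrate what the configured filters select (a person entry and not a same-named group, a name containing parentheses, the (cn=*) presence match) and are not OID's or WebLogic's implementation.

```python
"""Expand the OID Authenticator name filters and run them against sample entries.

Added example, not part of the original post. The filter strings are the ones
listed in the table above; the '%u' / '%g' placeholders are replaced by the
login name (with RFC 4515 escaping), and the result is evaluated by a small
filter interpreter over a constructed in-memory directory. The interpreter
and the entries are this example's own, not OID's or WebLogic's behaviour."""

import re

# "User From Name Filter" and "Group From Name Filter" exactly as configured above
USER_FROM_NAME_FILTER = "(&(cn=%u)(objectclass=person))"
GROUP_FROM_NAME_FILTER = (
    "(|(&(cn=%g)(objectclass=groupofUniqueNames))"
    "(&(cn=%g)(objectclass=orcldynamicgroup)))"
)

# RFC 4515 escapes for characters that would otherwise change the filter's structure
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template: str, placeholder: str, name: str) -> str:
    """Substitute the escaped name for every occurrence of %u / %g."""
    return template.replace(placeholder, escape_filter_value(name))


def _parse(s: str, pos: int = 0):
    """Recursive-descent parser for the subset used above: (&...), (|...), (attr=value)."""
    assert s[pos] == "(", f"expected '(' at offset {pos}"
    pos += 1
    if s[pos] in "&|":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        assert s[pos] == ")", f"expected ')' at offset {pos}"
        return (op, children), pos + 1
    end = s.index(")", pos)                 # safe: values are escaped, so no raw ')'
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                      # presence match, as in (cn=*)
        return bool(values)
    return any(_unescape(pattern).lower() == v.lower() for v in values)


def search(directory: list, filter_str: str) -> list:
    """DNs of entries matching filter_str (a flat list stands in for a subtree search)."""
    node, end = _parse(filter_str)
    assert end == len(filter_str), "trailing characters after filter"
    return [e["dn"] for e in directory if _matches(node, e)]


# Constructed sample entries under the post's base DNs (attribute names lower-cased)
DIRECTORY = [
    {"dn": "cn=jdoe,cn=users,dc=dev", "cn": ["jdoe"], "objectclass": ["person", "inetOrgPerson"]},
    {"dn": "cn=Jane (Contractor),cn=users,dc=dev", "cn": ["Jane (Contractor)"], "objectclass": ["person"]},
    {"dn": "cn=jdoe,cn=groups,dc=dev", "cn": ["jdoe"], "objectclass": ["groupOfUniqueNames"]},
    {"dn": "cn=bpm_admins,cn=groups,dc=dev", "cn": ["bpm_admins"], "objectclass": ["groupOfUniqueNames"]},
    {"dn": "cn=contractors,cn=groups,dc=dev", "cn": ["contractors"], "objectclass": ["orclDynamicGroup"]},
]


def lookup_user(login: str) -> list:
    return search(DIRECTORY, expand(USER_FROM_NAME_FILTER, "%u", login))


def lookup_group(name: str) -> list:
    return search(DIRECTORY, expand(GROUP_FROM_NAME_FILTER, "%g", name))


if __name__ == "__main__":
    print(expand(USER_FROM_NAME_FILTER, "%u", "Jane (Contractor)"))
    print(lookup_user("jdoe"))          # the person entry only, not the same-named group
    print(lookup_group("jdoe"))
    print(lookup_user("Jane (Contractor)"))
```

The objectclass constraint in each filter is what keeps a user and a group that share a cn from being confused with each other, and the case-insensitive comparison mirrors how LDAP treats cn and objectclass values. Whether the authenticator itself applies RFC 4515 escaping to the substituted name is not covered by the post; the escaping here shows what a structurally safe substitution looks like.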
The next step is to configure the OHS server.
Add an entry like the one below to the OHS configuration file. Create a DNS entry on your network load balancer or, for local testing, add an entry to the hosts file, so that soabpm.dev.org points to the OHS server.
NameVirtualHost *:7777
<VirtualHost *:7777>
  ServerName soabpm.dev.org:7777
  ServerAdmin ak@ak.com
  RewriteEngine On
  RewriteOptions inherit
  UseCanonicalName On
  # Route the worklist application to the BPM managed server through mod_wl_ohs.
  # Replace BPM_SERVER_HOST and BPM_SERVER_PORT with the BPM managed server's
  # listen address and port.
  <Location /integration/worklistapp>
    SetHandler weblogic-handler
    WebLogicHost BPM_SERVER_HOST
    WebLogicPort BPM_SERVER_PORT
  </Location>
</VirtualHost>
Restart OHS.
Test SSO either by accessing the URL http://soabpm.dev.org:7777/integration/worklistapp
or by directly accessing http://ohs_server_url:7777/integration/worklistapp
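Since the OAM WebGate in front of OHS is what enforces SSO, a resource registered as Protected in OAM only benefits from it when requests for that URL are routed through this virtual host. The following added example (not part of the original post) cross-checks the two configurations: it parses a copy of the <VirtualHost> block above, embedded as a constructed string with the host and port placeholders filled with assumed values (bpm-host.dev.org, 8001), against the resource table from the OAM step, and reports Protected URLs that have no <Location> proxying them to the BPM server as well as WebLogicHost/WebLogicPort values that still look like placeholders. The post writes the wildcard path segment as '…'; the check also accepts OAM's '...' spelling.

```python
"""Cross-check the OHS virtual host against the OAM resource list.

Added example, not part of the original post. The configuration below is a
constructed copy of the post's <VirtualHost> block with assumed host/port
values; the resource list is the post's OAM table."""

import re

OHS_CONF = """
NameVirtualHost *:7777
<VirtualHost *:7777>
  ServerName soabpm.dev.org:7777
  ServerAdmin ak@ak.com
  RewriteEngine On
  RewriteOptions inherit
  UseCanonicalName On
  <Location /integration/worklistapp>
    SetHandler weblogic-handler
    WebLogicHost bpm-host.dev.org
    WebLogicPort 8001
  </Location>
</VirtualHost>
"""

# OAM resources from the post's table ('…' is how the post writes the wildcard segment)
OAM_RESOURCES = [
    ("/bpm/composer", "Protected"),
    ("/bpm/workspace", "Protected"),
    ("/integration/worklistapp", "Protected"),
    ("/integration/worklistapp/…/*", "Protected"),
]

_LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)
_DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$", re.M)


def parse_locations(conf: str) -> dict:
    """Return {path_prefix: {directive_lowercase: value}} for each <Location> block."""
    locations = {}
    for m in _LOCATION_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        locations[path] = {d.lower(): v for d, v in _DIRECTIVE_RE.findall(body)}
    return locations


def _prefix_for(resource_url: str) -> str:
    """Literal path prefix of an OAM resource URL, cut at the first wildcard segment."""
    parts = []
    for seg in resource_url.split("/"):
        if seg in ("…", "...") or "*" in seg:
            break
        parts.append(seg)
    return "/".join(parts) or "/"


def check_coverage(conf: str, resources) -> dict:
    """Map each Protected OAM resource to the <Location> that proxies it, or None."""
    locations = parse_locations(conf)
    result = {}
    for url, level in resources:
        if level != "Protected":
            continue
        prefix = _prefix_for(url)
        match = None
        for loc, directives in locations.items():
            routed = directives.get("sethandler", "").lower() == "weblogic-handler"
            if routed and (prefix == loc or prefix.startswith(loc.rstrip("/") + "/")):
                match = loc
        result[url] = match
    return result


def uncovered(conf: str, resources) -> list:
    """Protected OAM resources that no weblogic-handler <Location> routes to the BPM server."""
    return [url for url, loc in check_coverage(conf, resources).items() if loc is None]


def placeholder_directives(conf: str) -> list:
    """<Location> paths whose WebLogicHost/WebLogicPort still look like placeholders."""
    bad = []
    for loc, directives in parse_locations(conf).items():
        host = directives.get("weblogichost", "")
        port = directives.get("weblogicport", "")
        if not host or " " in host or not port.isdigit():
            bad.append(loc)
    return bad


if __name__ == "__main__":
    for url, loc in check_coverage(OHS_CONF, OAM_RESOURCES).items():
        print(f"{url:35} -> {loc or 'NOT ROUTED THROUGH OHS'}")
    print("placeholders:", placeholder_directives(OHS_CONF))
```

Run against the post's configuration, the check reports /bpm/composer and /bpm/workspace as not routed, which is expected if the post only shows the worklist application's <Location>; add a matching <Location> block for each remaining Protected resource so that all of them reach the BPM server through the WebGate-protected virtual host.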
It is assumed that the OAM settings such as creating authentication schemes, providing a login page URL, defining the identity store (make sure the identity store configured in OAM is the same as the one configured on the BPM servers), and creating the protected authentication and authorization resource policies have already been taken care of. Otherwise, refer to the Oracle documentation for these.