Friday, June 14, 2013

BPM Single Sign on with Oracle Access Manager 11g

OAM 11g - BPM Integration

This blog highlights the steps required for enabling single sign on BPM components of SOA Suite It assumes that OAM 11g was already in place and was being used as the enterprise solution for single sign on.Following are the high level steps to achieve the SSO for BPM.

Prerequisites
1.                OAM, OHS and WebGate Installed and configured.

2.                WebGate registered with OAM .

Detail Steps
Register resources with the URL’s you want to protect.
Log into OAM Console.

Policy Configuration -> Application Domains -> Application Domain Name-> Resources -> Open


Create – ‘New Resource’

Define following Resources, based on the common parameters:
-                   Resource Type – HTTP
Host Identifier – WebgateHostName Can be found from Shared components->HostIdentifiers Tab.

BPM contribution Resources:-

Resource URL
Protection Level
Authentication Policy
Authorization Policy
/bpm/composer
Protected
Protected Resource Policy
Protected Resource Policy
/bpm/workspace
Protected
Protected Resource Policy
Protected Resource Policy
/integration/worklistapp
Protected
Protected Resource Policy
Protected Resource Policy
/integration/worklistapp/…/*
Protected
Protected Resource Policy
Protected Resource Policy



Once complete, you should see following resources in the Resources Screen




Next Step is to configure an OAM Identity Asserter and OID/OVD provider in Weblogic. 
1.                Define OAM Identity Asserter in BPM Admin
a.                Lock & Edit
b.               Security Realms -> myrealm -> Providers
c.                New  Provider
Name – OAM Identity Asserter
Type  -   OAMIdentityAsserter
OK.

You will go back to the Provider List
d.               Click ‘OAM Identity Asserter’
Control Flag – REQUIRED
Move Active Types to Chosen -> OAM_REMOTE_USER and ObSSOCookie
Save. 
Click on provider specific to OAM servers and OAM servers header name.

In our case we were OID as user store hence we configured OID authenticator.
Create new identity asserter OID Authenticator. Choose type as OIDAuthenticator. Click on provider specific. Fill in the following details





User Base DN:
cn=users,dc=dev
All Users Filter:
(&(cn=*)(objectclass=person))
User From Name Filter:
(&(cn=%u)(objectclass=person))
User Search Scope:
subtree
User Name Attribute:
cn
User Object Class:
person
Group Base DN:
cn=groups,dc=dev
All Groups Filter:
(&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
Group From Name Filter:
(|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup)))
Group Search Scope:
Subtree
Group Membership Searching:
unlimited

a.                Click ‘OID Authenticator’
Control Flag – SUFFICIENT
Save.
Go back to the Provider List
b.               Click ‘Reorder’
Move ‘OAM Identity Asserter’ to the top of the list, then OID Authenticator


Activate the changes and restart the servers.
Next step would be to configure OHS server.
Add an entry in the conf files like below.Create a dns in your network load balancer or for local testing purpose add an entry in the hosts file so that soabpm.dev.org points to the OHS server.
NameVirtualHost *:7777
<VirtualHost *:7777>
ServerName soabpm.dev.org:7777
ServerAdmin ak@ak.com
RewriteEngine On
RewriteOptions inherit
UseCanonicalName On
<Location /integration/worklistapp>
SetHandler weblogic-handler
WebLogicHost BPM Server
WebLogicPort BPM server port
</Location>
</VirtualHost>
Restart OHS.

Test SSO either by accessing the url http://soabpm.dev.org:7777//integration/worklistapp
or directly access the http://ohs_server_url:7777//integration/worklistapp

It is assumed that the OAM settings like creating authentication schemes, providing a login page url,defining identity store (make sure the identity store configured in OAM is same as the ine which we configure in BPM servers) ,creating a protected authentication  resource policy, protected authorization resource policy are already taken care. Or you may refer oracle documentation for these.

No comments:

Post a Comment