Oracle Access Manager 11g integration with Sharepoint 2010 using Impersonation

Note: Please wait for the Flash to load. As this is my first attempt to create a flash based blog. Bear with me for all the issues that you observe. Thank you for your patience.

Oracle Access Manager ( OAM ), Oracle Adaptive Access Manager ( OAAM ) and Oracle Identity Manager ( OIM ) Integration ( 11gR2 )

It has been very long time since I wrote anything on this blog. This time I am trying to cover up one of the most painful topics "OAM-OIM-OAAM Integration".

I have tried to take screenshots of the steps that needs to be followed. Most of them are self explanatory but I added text where ever possible.

Note: This is not Oracle's official document. You should refer to the Integration Guide provided by Oracle for production implementation. Also, there is no guarantee that information provided in this blog is error free. Also, few assumptions are made that WLS is installed and configured, required database schemas are created using correct RCU and the domain for OAM/OIM/OAAM has been created. All the three products are part of same domain.

1. Before you start your Admin Server or OAM Managed server first time. You have to execute the below mentioned commands related to OPSS security store. OIM has not yet been configured in this domain. The domain was created by selecting OIM product but the required config.sh is not executed till the steps show later.
   
   
   
   
   
2. 
   
   
3. 
   
   
4. 
   
   
5. 
   
   
6. 
   
   
7. This is exception can be ignored.
   
   
   
8.  We are going to start the integration steps. The first step is the set the required environment variables and  execute idmconfigtool with required properties files.
   
   
9. Create the properties files for each activity. We will be creating properties file for preConfig Identity Store, prepare Identity Store, OAM Configuration for integration and OIM configuration for integration.
   
   
10. Prepare Identity Store properties file.
    
    
11. OAM configuration properties file for integration.
    
    
12. 
    
    
13. OIM configuration properties file for integration.
    
    
14. Execute idmconfigtool for preconfig identity store to create required schemas in LDAP server.
    
    
15. 
    
    
    
16. Once schema extension is completed prepare identity store for OAM.
    
    
    
17. 
    
    
    
18. Once OAM is completed prepare identity store for OIM.
    
    
    
19. 
    
    
    
20. Now start the config wizard to configure OIM.
    
    
    
21. 
    
    
    
22. Provide database connection details
    
    
    
23. Provide values for keystore and the front ending URL. Also, password for xelsysadm user. Make sure you have selected "Enable LDAP Sync"
    
    
    
24. I am using OID LDAP server. Hence, I have provided required parameters for it. If you have any other LDAP server follow appropriate steps per Oracle Documentation on how to enable LDAP Sync.
    
    
    
25. 
    
    
    
26. 
    
    
    
27. 
    
    
    
28. 
    
    
    
29. Once configuration is completed successfully restart all your servers.
    
    
    
30. 
    
    
    
31. Configure the properties for POST LDAP Sync execution steps.
    
    
    
32. 
    
    
    
33. Set required environment variables.
    
    
    
34. Update XEL_HOME parameter in the file setEnv.sh.
    
    
    
35. Execute the utility LDAPConfigPostSetup.sh
    
    
    
36. Now go back to idmconfigtool. Make sure you have required environment variables set. Execute the tool for configuring OAM for integration.
    
    
    
37. 
    
    
    
38. Make sure you have required environment variables set. Execute the tool for configuring OIM for integration
    
    
    
39. 
    
    
    
40. 
    
    
    
41. Update password of IAMSuiteAgent.
    
    
    
42. Update the password of IAMSuite Agent in the WebLogic Console's Provider configuration.
    
    
    
43. Modify the SOA Composite configuration to use HTTP Port of reverse proxy web server.
    
    
    
44. 
    
    
    
45. 
    
    
    
46. 
    
    
    
47. 
    
    
    
48. 
    
    
    
49. 
    
    
    
50. 
    
    
    
51. OAM and OIM integration steps are completed. Now we are starting the OAM-OIM-OAAM integration steps. After creating a new user in OIM if you are unable to login to OAM's protected resource. Make sure that you have correct configuration in the User Identity Store. We will review it later before we try to access a protected resource.
52. 
    
53. Import the snapshot provided with OAAM. This snapshot will automatically provide required Rules, KBA, etc. related configuration.
    
    
    
54. 
    
    
    
55. 
    
    
    
56. 
    
    
    
57. 
    
    
    
58. 
    
    
    
59. Preparing for OAM and OAAM integration.
    
    
    
60. Execute the WLST command to create required Keystore file.
    
    
    
61. Execute the highlighted WLST command.
    
    
    
62. Copy the CLI directory from Oracle Home of OAAM. Edit the file oaam_cli.properties.
    
    
    
63. 
    
    
    
64. 
    
    
    
65. Set required parameters and execute setupOAMTAPIntegration.sh.
    
    
    
66. 
    
    
    
67. 
    
    
    
68. 
    
    
    
69. 
    
    
    
70. Configuration is successful restart all your servers.
    
    
    
71. Configure Challenge Parameters in OAM console for TAPScheme to include parameter "MatchLDAPAttribute=uid".
    
    
    
72. Modify System Properties in OIM to disable Challenge Questions, update the Forgot Password URL etc. in the OIM's Administration console.
    
    
    
73. 
    
    
    
74. 
    
    
    
75. 
    
    
    
76. 
    
    
    
77. 
    
    
    
78. 
    
    
    
79. Login to OAAM's Admin Console and modify parameters shown in the screenshots.
    
    
    
80. 
    
    
    
81. 
    
    
    
82. 
    
    
    
83. 
    
    
    
84. Login to EM Console and navigate to Credential configuration. Add a new Key in the OAAM's MAP. Provide xelsysadm username and password.
    
    
    
85. Login to OAM console and update the Load Balancing configuration as per your environment.
    
    
    
86. Create a new Authentication Policy to protect a resource with TAP Scheme.
    
    
87. If you notice the below mentioned error in the logs. It means that you have to manually add one attribute in OID's schema and attach it to an Objectclass in OID.
    
    
88. 
    
    
89. 
    
    
    
90. 
    
    
    
91. 
    
    
    
92. Make sure that User Identity Store created by idmconfigtool has correct parameters as shown in the screenshot. User Name Attribute should have value uid.
    
    
    
93. Login to OIM Console. Create a new user to test if the configuration is working fine or not.
    
    
    
94. Try to access a protected resource with OAAM's Authentication Scheme.
    
    
    
95. Provide Username.
    
    
    
96. Provide password and you would be redirected to change password page.
    
    
    
97. Change the current password. Once it is changed you will be redirected to configure Challenge questions for Forgot Password Scenario.
    
    
    
98. 
    
    
    
99. Select the Device configuration you would like to use.
    
    
    
100. Set required Questions and Answers.
     
     
     
101. Authentication has completed and required SSO Cookies are set.
     
     
     
102. Now we are testing the forgot password scenario.
     
     
     
103. Instead of providing the passoword. Click on Forgot your password URL.
     
     
     
104. Answer all questions.
     
     
     
105. 
     
     
     
106. 
     
     
     
107. Finally you land on password change page. Provide new Password and Confirm New password.
     
     
     
108. Now you are redirected to the protected resource.