Saturday, 7 January 2012

Oracle Adaptive Access Manager integration with Oracle Access Manager and Oracle Identity Manager

This blog covers the steps required to integrate Oracle Adaptive Access Manager with Oracle Access Manager and Oracle Identity Manager.

It is recommended that you refer to the Oracle documentation before following any of the steps covered in this blog.

A few things are assumed in this blog. It is assumed that you already have Oracle Access Manager installed and configured as per the Enterprise Deployment Guide. Also, before you can follow the screenshots shown here, you need to have Oracle Access Manager and Oracle Identity Manager integrated. Moreover, make sure that the groups and users required for Oracle Adaptive Access Manager are created. This specific blog uses Oracle Virtual Directory as the repository for Oracle Access Manager.

The screenshots are annotated with text so that you can follow the actions being performed in each view.

1. Make sure that your Oracle Adaptive Access Manager (OAAM) Admin server is up and running. First of all we will load the snapshot provided with the installation. This snapshot provides the rules, questions and other objects required for a minimum configuration of OAAM.






2. Once you have loaded the snapshot, the next thing you have to do is register OAAM as a TAP partner. You have to connect to the Admin Server using WLST. This needs to be done from the location Middleware_Home/Oracle_IAM/common/wlst.sh or wlst.bat. Oracle_IAM is the Oracle Home where your IAM Suite components are installed.

3. Log in to the OAM console as the Admin user. Verify that the TAPScheme used for this integration is correctly updated with the required parameters.

4. The URL oamTAPAuthenticate needs to be protected with IAMSuite on port 80. You can verify this by running the tester.jar tool from the location MW_home/Oracle_IAM/oam/server/tester/tester.java.

5. The next steps cover configuring OAAM for TAP authentication.







6. Currently you will find that the oamTAPAuthenticate URL is protected by the Protected HigherLevel Policy for easy management. I have removed it from there and created a new TAP HigherLevel Policy, which will protect this URL with LDAPScheme.

7. In this case I am protecting a resource index.html deployed on an OHS11g web server. There is a webgate already installed on that web server.

8. The OAM-OAAM integration is partially completed. Now we are ready to set up the integration between OAAM and OIM. The first thing you need to do is log in to the OIM console as the Admin user.

9. Some of the properties need to be updated in OAAM to enable the integration between OAM and OIM.




10. OAAM needs the credentials of the OIM Admin user to perform various activities, so we are going to create a key for the OIM credentials in the EM Console.


11. To validate whether our integration steps were successful or not, I have created a new user in OIM.

12. The next step is to run the actual test to confirm whether the resource index.html protected with the TAP HigherLevel Policy is challenged with the OAAM login page or not.
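Step 2 above is the one part of this procedure done from WLST rather than a console screen. The following is an added example, not code from the original post, showing that WLST session with the registerThirdPartyTAPPartner command documented for OAM 11g; the admin credentials, host names, ports, keystore path and partner name are placeholders to replace for your environment.

```jython
# Added example, not from the original post: register OAAM as a TAP partner
# with OAM from a WLST session started via Middleware_Home/Oracle_IAM/common/wlst.sh.
# All host names, ports, passwords and paths below are placeholders.

# Connect to the OAM AdminServer (placeholder admin user, password and t3 URL).
connect('weblogic', 'ADMIN_PASSWORD', 't3://oam-admin.example.com:7001')

# Register the partner. OAM creates the keystore at keystoreLocation; it holds
# the key shared with OAAM that protects the TAP token, so treat the file and
# its password as secrets. tapScheme must match the TAPScheme verified in step 3,
# and tapRedirectUrl is the OAAM server login page users are sent to.
registerThirdPartyTAPPartner(
    partnerName='OAAMTAPPartner',
    keystoreLocation='/u01/oracle/config/keystores/tap_keystore.jks',
    password='KEYSTORE_PASSWORD',
    tapTokenVersion='v2.0',
    tapScheme='TAPScheme',
    tapRedirectUrl='http://oaam.example.com:14300/oaam_server/oamLoginPage.jsp')

# The keystore is then copied to the OAAM host and its password registered
# there with the setupOAMTapIntegration script mentioned on this page, so the
# password never has to live in a script after this one-off registration.
disconnect()
```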




1 comment:

Unknown said...

Hi Yagnesh,

When I run setupOAMTapIntegration.cmd from the OAAM box to integrate it with the OAM I get this error :

C:\work\cli_oaam>setupOAMTapIntegration.cmd C:\work\cli_oaam\conf\bharosa_properties\oaam_cli.properties

Exception in thread "Main Thread" java.lang.NoClassDefFoundError: oracle/securit/jps/service/ServiceLocator at oracle.oaam.integration.asa.IntegrationUtil.managePassword(IntegrationUtil.java:354)
at oracle.oaam.integration.asa.IntegrationUtil.main(IntegrationUtil.java:426)


Any tips to help me get through this?