Mixed authentication and authorization in UCM 11g

I recently learned that one of the side benefits of moving to the WebLogic Server architecture in UCM 11g is the ability to run in a mixed authentication and authorization model. What I mean by that is the ability to be authenticated through WebLogic Server (which has its own internal store or hooks up to LDAP/Active Directory) but have your authorization (Roles and Accounts) come from UCM.

This means that you don't have to create groups in LDAP/Active Directory and assign them to your users in order for them to inherit those Roles and Accounts in UCM. Instead, you are able to assign them directly in UCM through the User Admin applet.

In order to do this, the only requirement is that the username used for authentication in WebLogic Server must match the username defined in UCM. Then in UCM, you have that user defined either as a Local or Global user.

[Image: ChangeUser.png]
When you log into UCM 11g for the first time, a user record is added to the database that defines the user as 'external'. User information like full name and email is stored, but authentication and authorization are still done by WebLogic Server. All you need to do is highlight the user, click the Change button, and change them into a Local or Global user. Once you do that, you can do the Role and Account mapping for the user.

For a more automated way, you can use a spreadsheet like I blogged about in this previous post to quickly populate your UCM instance with the users and their account information. Again, simply make sure the username matches between LDAP/AD and UCM.
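The one requirement the post states, that the username in WebLogic Server must match the one in UCM, is easy to break silently as users come and go. Below is an added Python check (not code from the post or from Oracle) that compares the identities WebLogic can authenticate against UCM's user records and flags the three cases worth reviewing: records still marked 'external' that cannot carry Roles and Accounts yet, names that differ only in case, and Local/Global records with Roles or Accounts whose identity WebLogic no longer knows. The sample names, the user-type strings and the rule that a case difference counts as a mismatch are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UcmUser:
    name: str
    user_type: str                    # "external", "local" or "global", as in User Admin
    roles: frozenset = frozenset()    # UCM Roles mapped to the user
    accounts: frozenset = frozenset() # UCM Accounts mapped to the user

def reconcile(wls_usernames, ucm_users):
    """Bucket every UCM user record by how it lines up with the usernames
    known to WebLogic Server (its internal store or LDAP/AD)."""
    exact = set(wls_usernames)
    folded = {n.casefold(): n for n in wls_usernames}
    out = {"ok": [], "still_external": [], "case_mismatch": [], "orphaned": []}
    for u in ucm_users:
        if u.name in exact:
            # Authentication works; authorization from UCM only works once the
            # record is Local or Global, so 'external' still needs the Change step.
            out["still_external" if u.user_type == "external" else "ok"].append(u.name)
        elif u.name.casefold() in folded:
            # Same name, different case: treated as a mismatch here (assumption),
            # since an exact match is what the post requires.
            out["case_mismatch"].append((u.name, folded[u.name.casefold()]))
        elif u.roles or u.accounts:
            # Roles/Accounts granted in UCM to an identity WebLogic no longer knows:
            # stale entitlements that removing the LDAP/AD account did not clean up.
            out["orphaned"].append(u.name)
        # Records with no grants and no WebLogic identity are ignored.
    return out

# Constructed sample data, not taken from any real directory or UCM instance.
WLS_USERS = ["jsmith", "alee", "mchen"]
UCM_USERS = [
    UcmUser("jsmith", "local", frozenset({"contributor"}), frozenset({"HR"})),
    UcmUser("alee", "external"),                       # logged in once, never converted
    UcmUser("MChen", "global", frozenset({"admin"})),  # case differs from WebLogic's "mchen"
    UcmUser("bgone", "local", frozenset({"contributor"}), frozenset({"Finance"})),  # left
]

if __name__ == "__main__":
    for bucket, names in reconcile(WLS_USERS, UCM_USERS).items():
        print(f"{bucket}: {names}")
```

In practice the two input lists would come from an LDAP export and from UCM's user table; the logic above is unchanged.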

Comments:

For what it's worth this works just fine in previous versions as well. We've got a subset of users who have local accounts where their access is defined but are authorized against Active Directory. This was working in 7.5.1 and we just upgraded to 10g and it's working well there also.

Posted by Josh on December 17, 2010 at 01:40 AM CST #

Hey Josh, Hmmm...when I had tried it, I wasn't able to get it working. As soon as I switched them, they no longer used LDAP for authentication. But maybe I had something misconfigured or maybe it works differently in an Active Directory environment. Glad to hear it works in previous versions as well. Thanks! -Kyle

Posted by kyle.hatlestad on December 20, 2010 at 01:09 AM CST #

Kyle, is the authorisation scheme set in UCM (and not LDAP) supported by Oracle in a production environment?
And is there any limitation in this approach in an enterprise wide deployment of UCM?

Posted by Laurent LANDREAU on September 04, 2011 at 07:51 PM CDT #

Hey Laurent,

Yes, the authorization scheme set in UCM is supported. It's the authentication piece which has to go through WebLogic Server.

I can't really think of any limitations off-hand to this approach other than maintaining the roles and accounts needs to be done directly in the application. That may or may not be a good thing depending on your corporate security setup and provisioning system.

Thanks,
Kyle

Posted by Kyle Hatlestad on September 07, 2011 at 03:28 AM CDT #

Kyle,

We are authenticating against the domain. I would like to know how many users successfully authenticated on a given day. Does Oracle UCM track such usage stats, or the last time a user successfully logged on?

I can't find anything in the Oracle database or the local windows security event log and do not have easy access to the logs on the domain controller.

Thanks

Phil

Posted by Phil on November 09, 2011 at 12:30 AM CST #

Hey Phil,

Yes, UCM has a feature called Content Tracker that can track any service call including logins. Be aware that the default is to only track content views, so additional tracking needs to be turned on. Once enabled, the logins will be recorded to the database and you can create custom reports on it. Here is the guide on Content Tracker: http://download.oracle.com/docs/cd/E21764_01/doc.1111/e10978/c10_content_tracker.htm#insertedID0

Thanks,
-Kyle

Posted by Kyle Hatlestad on November 09, 2011 at 02:35 AM CST #

Thanks for this blog post. This will definitely come in handy for some clients that want to control authentication via LDAP/AD and control authorization/permissions within WebCenter Content.

Posted by Jonathan Hult on February 26, 2013 at 04:20 PM CST #

About

Kyle Hatlestad is a Solution Architect in the WebCenter Architecture group (A-Team) who works with WebCenter Content and other products in the WebCenter & Fusion Middleware portfolios. The WebCenter A-Team blog can be found at: https://blogs.oracle.com/ateam_webcenter/
