This blog entry is about the integration of Oracle Enterprise Gateway (OEG 220.127.116.11) and Oracle Access Manager (10g or 11g). An OEG policy can easily delegate Authentication and Authorization operations to Oracle Access Manager in order to manage Single Sign On.
OAM in a nutshell
Oracle Access Manager is a state-of-the-art solution for both centralized identity management and access control, providing an integrated standards-based solution that delivers authentication, web single sign-on, access policy creation and enforcement, user self-registration and self-service, delegated administration, reporting, and auditing. Oracle Access Manager's unique coupling of access management and identity administration functionality is why it is established as the leading solution for web access management. It excels in complex, heterogeneous enterprise environments and integrates out-of-the-box with all leading directory servers, application servers, web servers, and enterprise applications. Oracle Access Manager is a component of Oracle Fusion Middleware, a well-integrated family of customer-proven software products designed to shine in the most demanding customer environments.
Oracle Access Manager helps enterprises create greater levels of business agility, ensure seamless business partner integration, and enable regulatory compliance. Oracle Access Manager's innovative, integrated architecture uniquely combines identity management and access control services to provide centralized authentication, policy-based authorizations, and auditing with rich identity administration functionality such as delegated administration and workflows. By protecting resources at the point of access and delegating authentication and authorization decisions to a central authority, Oracle Access Manager helps secure web, J2EE, and enterprise applications - such as Oracle PeopleSoft - while reducing cost, complexity, and administrative burdens.
The Request/Response flow is described in the following schema:
The setup is straightforward. Here is an overview for a setup with OAM11g.
- Install OEG11g on a 1st server
- Install OAM11g on a 2nd server:
  - Install WLS without any domain
- Install the OAM10g Access Manager SDK on the 1st server where OEG is running
- With the OAM11g console, define an AccessGate entry. The "ObAccessClient.xml" must be copied to the host where the Access Manager SDK is installed, into the following location: <location where Access Manager SDK Installed>/oblix/lib
You are done with the setup.
OEG Policy Development
The 2 OEG policies described hereafter illustrate how to deal with OAM Authentication and Authorization while retrieving a SSO token.
1. Simple OEG Policy to retrieve a SSO token
Basic OEG policy to return a SSO token after a successful Authentication/Authorization against OAM. Then the SSO token is inserted into the HTTPHeader of the response for further utilization.
2. OEG Policy able to use a SSO token for OAM Authorization
More sophisticated OEG policy able to test whether the SSO token is present in the HTTP Header.
- If so, this token is used for Authorization against OAM.
- If the SSO token is missing, the Username token will be used for Authentication/Authorization against OAM.
Then the SSO token is inserted into the HTTPHeader of the response for further utilization.
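The branching of the second policy, as an added illustration that is not the blog's or Oracle's code: the OAM side is a constructed in-memory stand-in that issues HMAC-signed, expiring tokens and checks them against a per-resource ACL (a real policy calls the Access Manager SDK), and the header name "ObSSOCookie", the username/password arguments standing in for the Username token, and the dict-shaped response are all assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed stand-in for Oracle Access Manager (assumption: not the real Access SDK).
# Tokens are "user:expiry:hmac"; authorization is a per-resource allow list.
class FakeOAM:
    def __init__(self, key: bytes, users: dict, acl: dict, ttl: int = 300):
        self.key, self.users, self.acl, self.ttl = key, users, acl, ttl

    def _sign(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return an SSO token for valid credentials, else None."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        body = f"{username}:{int(time.time()) + self.ttl}"
        return f"{body}:{self._sign(body)}"

    def validate(self, token: str) -> Optional[str]:
        """Return the user for an intact, unexpired token, else None."""
        try:
            user, expiry, sig = token.rsplit(":", 2)
            expires_at = int(expiry)
        except ValueError:
            return None  # malformed token, never trusted
        if not hmac.compare_digest(self._sign(f"{user}:{expiry}"), sig):
            return None
        return user if expires_at > time.time() else None

    def authorize(self, token: str, resource: str) -> bool:
        user = self.validate(token)
        return user is not None and user in self.acl.get(resource, ())


def oeg_policy(headers: dict, resource: str, username: Optional[str],
               password: Optional[str], oam: FakeOAM) -> dict:
    """Model of policy 2: use the SSO token if present, else the Username token."""
    token = headers.get("ObSSOCookie")  # assumed header carrying the SSO token
    if token is None:
        if username is None or password is None:
            return {"status": 401, "headers": {}}
        token = oam.authenticate(username, password)
        if token is None:
            return {"status": 401, "headers": {}}  # bad credentials
    if not oam.authorize(token, resource):
        return {"status": 403, "headers": {}}  # tampered, expired or not allowed
    return {"status": 200, "headers": {"ObSSOCookie": token}}  # token echoed back
```

A token that is present but fails validation is rejected rather than silently falling back to the Username token, so a forged header cannot bypass the authorization check.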
How to learn more
The OEG11g integration guides for OAM10g and OAM11g are available on OTN.
A complete How-to-guide to build these OEG Policies with an OEG/OAM10g is available here.
The same tutorial for OEG/OAM11g will be available shortly.
The OEG policies are also available
written by patrice.goutin-AT-oracle.com