
Single Sign-on Setup for Demantra Using the Oracle Access Manager (OAM) 11g

Prerequisites

• The user synchronization between Demantra and Oracle Identity Management / Oracle Virtual Directory (OID/OVD) is an implementer task.
• Ensure that an instance of the Oracle HTTP Server was installed by the Oracle Identity Management Suite 11g or WebCenter 11g. If not, download and install Oracle WebCenter 11g where OAM 11g is installed.

Configuring Single Sign-on:

1. Configure a new Oracle HTTP Server (OHS) instance specifically to protect the Demantra WebLogic server. For more information about configuring a new OHS component, follow the steps in topic "2.3.4.3 Configuring Your Components" of the Oracle® Fusion Middleware Installation Guide for Oracle Web Tier 11g Release 11.1.1, Part Number E14260-03:
http://docs.oracle.com/cd/E14571_01/doc.1111/e14260/install.htm#BABFDBDJ
2. Set up the HTTP server as a reverse proxy in front of the WebLogic server hosting the Demantra application to validate the user session.
• Locate the file mod_wl_ohs.conf under the path $ORACLE_INSTANCE\config\OHS\ohs_instance_name\
Note: replace ohs_instance_name with the newly installed OHS instance name (for example, ohs1).
• Add the following lines to the file, replacing the placeholders with the Demantra context URL and the WebLogic host name and port:
<Location /context-url-for-Demantra-app>
SetHandler weblogic-handler
WebLogicHost weblogichostname
WebLogicPort portnumber
</Location>
• Save the file and restart the OHS server from the directory $ORACLE_INSTANCE/bin/ using the command:
./opmnctl restartproc ias-component=ohs1
3. Verify that the reverse proxy is working using the following URL. It should redirect you to the Demantra
login page.
http://ohs-host:ohs-port/context-url-for-Demantra-app/portal/loginpage.jsp
4. Install the new Oracle Access Manager Webgate 11g. For more details, see "Installing and Configuring Oracle HTTP Server 11g Webgate for OAM" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1):
http://docs.oracle.com/cd/E21764_01/install.1111/e12002/webgate.htm
Perform the actions listed in the following sections:
• Post-Installation Steps
• Verifying the Oracle HTTP Server 11g Webgate for Oracle Access Manager
• Getting Started with a New Oracle HTTP Server 11g Webgate Agent for Oracle Access Manager
5. In the Oracle Access Manager Administration Console, click the System Configuration tab.
6. Navigate to Access Manager Settings. Click the OAM Agents tab. Verify that the host name and webgate name are correct.

7. To ensure that global logout works properly, use the following steps:

In the Demantra webgate profile, make sure the following parameters are set:
Logout URL = /logout
Logout Target URL = <NULL>

Doc References:
Logout Does Not Actually Log The User Out When User Originally Logged Into Demantra Via OAM (My Oracle Support Doc ID 1907936.1)

8. Configure the Demantra application server (WebLogic) to set up the OAMIdentityAsserter security provider:

• Copy the file “oamAuthnProvider.jar” from the Middleware home “MW_HOME\oracle_common\modules\oracle.oamprovider_11.1.1\” to the WLS server hosting the Demantra application, into the path “BEA_HOME/wlserver_10.x/server/lib/mbeantypes/”.
• Locate the console-extension WAR file in the following path:
MW_HOME/modules/oracle.oamprovider_11.1.1/oamauthenticationprovider.war
• Copy the WAR file to the following path in the WebLogic Server home of the Demantra application:
“WL_HOME/server/lib/console-ext/autodeploy/”
9. Specify the authentication method in the web.xml file of the Demantra application:

• Add the following lines to the web.xml file, or, if an authentication method is already specified, change it to CLIENT-CERT.

<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

• Redeploy the application and restart the WebLogic server.


10. Modify the security realm of the WebLogic server to set up the identity asserter provider:

• Log in to the WebLogic admin console which hosts the Demantra application.
• Navigate to the path “Home > Summary of Security Realms > myrealm > Providers”.
• Click on “Lock and Edit”.
• Create a new Authentication provider “OAMIdentityAsserter_provider” and select the type as “OAMIdentityAsserter”.
• Click on the newly created provider and navigate to the Common tab.
• In the “Control Flag” attribute select “Required” and click Save.
• Click on the Provider Specific tab and enter the values given below:
SSO Header Name: OAM_REMOTE_USER
Access Gate Name: <name of the webgate created in step 4>
Access Gate Password: <password given for the webgate created in step 4; leave this field blank if no password was given>
Primary Access Server: <oam_server_hostname:listen_port>
Secondary Access Server: <provide details if you have a secondary access server>

Note: Leave the other fields at their defaults if you are not sure about their usage.

• Return to the list of Providers and click the Reorder button. Order the providers as given below and also verify the control flag settings:
a) OAMIdentityAsserter – Control flag = REQUIRED
b) DefaultAuthenticator – Control flag = SUFFICIENT
c) DefaultIdentityAsserter

• Save the changes and click the “Release Configuration” button. Restart the server.

11. Open the OAM console and do the following:

• Create a new Authentication Scheme (DemAuthScheme) from the Policy Configuration tab using the + symbol. Please refer to the screenshot present in point 12.
• Open the Application domain created for Demantra (wg_dem_221).
• By default the application domain creates a default resource entry (/**) that protects all the resources. This can be kept as it is if you have configured an OHS instance and webgate specific to Demantra that is not shared with any other applications.

If you want to keep the resources prefixed with the context URL of the Demantra application, then remove the default entry and add the resources given below to the protected resource policy.

Resource                              Type   Authentication Policy       Authorization Policy
/<demantra_context_url>/**            HTTP   Protected Resource Policy   Protected Resource Policy
/<demantra_context_url>/common/**     HTTP   Protected Resource Policy   Protected Resource Policy
/<demantra_context_url>/portal/**     HTTP   Protected Resource Policy   Protected Resource Policy
/<demantra_context_url>/workflow/**   HTTP   Protected Resource Policy   Protected Resource Policy
/<demantra_context_url>/logs/**       HTTP   Protected Resource Policy   Protected Resource Policy
/<demantra_context_url>/conf/**       HTTP   Protected Resource Policy   Protected Resource Policy

• Expand Authentication Policies.
• Open Protected Resource Policy.
• From the Authentication Scheme drop-down box, select the scheme which protects Demantra resources. For example: DemAuthScheme.
• Click the Responses tab.
• Add the following response:
Response name      Type     Value
OAM_REMOTE_USER    Header   $user.userid

• Apply the changes and exit the console.
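A script to verify the WebLogic-side settings from steps 9 and 10 after the restart; it is an added example, not part of the Oracle note. It walks the deployed web.xml for the auth-method and the realm section of the domain's config.xml (matching the authentication-provider, name and control-flag elements by local name, which is how WebLogic writes them) and reports every deviation from the prescribed CLIENT-CERT method and provider order; both sample inputs are constructed.

```python
import xml.etree.ElementTree as ET
# Provider order and control flags prescribed in step 10 (None = flag not given by the guide).
EXPECTED_PROVIDERS = [("OAMIdentityAsserter_provider", "REQUIRED"),
                      ("DefaultAuthenticator", "SUFFICIENT"),
                      ("DefaultIdentityAsserter", None)]

def _local(tag):
    """Strip the XML namespace so web.xml and config.xml can be walked by local element name."""
    return tag.rsplit("}", 1)[-1]

def check_web_xml(xml_text):
    """Return problems with <login-config> in web.xml; an empty list means step 9 is satisfied."""
    root = ET.fromstring(xml_text)
    methods = [e.text.strip() for e in root.iter() if _local(e.tag) == "auth-method" and e.text]
    if not methods:
        return ["web.xml has no <login-config>/<auth-method>"]
    return [f"auth-method is {m}, expected CLIENT-CERT" for m in methods if m != "CLIENT-CERT"]

def check_realm_providers(xml_text):
    """Return problems with the realm's provider order and flags; an empty list means step 10 is satisfied."""
    root = ET.fromstring(xml_text)
    found = []  # (provider name, control flag) in the configured order
    for prov in (e for e in root.iter() if _local(e.tag) == "authentication-provider"):
        fields = {_local(c.tag): (c.text or "").strip() for c in prov}
        found.append((fields.get("name"), fields.get("control-flag")))
    names, flags, problems = [n for n, _ in found], dict(found), []
    for pos, (exp_name, exp_flag) in enumerate(EXPECTED_PROVIDERS):
        if exp_name not in names:
            problems.append(f"missing provider {exp_name}")
        elif names.index(exp_name) != pos:
            problems.append(f"{exp_name} is at position {names.index(exp_name) + 1}, expected {pos + 1}")
        if exp_flag and exp_name in flags and flags[exp_name] != exp_flag:
            problems.append(f"{exp_name} control flag is {flags[exp_name]}, expected {exp_flag}")
    return problems

# Constructed sample inputs (not real Demantra files): a correct web.xml and a misordered realm.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<login-config><auth-method>CLIENT-CERT</auth-method></login-config></web-app>"""
SAMPLE_REALM = """<realm xmlns:sec="http://xmlns.oracle.com/weblogic/security">
<sec:authentication-provider><sec:name>DefaultAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag></sec:authentication-provider>
<sec:authentication-provider><sec:name>OAMIdentityAsserter_provider</sec:name>
<sec:control-flag>OPTIONAL</sec:control-flag></sec:authentication-provider>
<sec:authentication-provider><sec:name>DefaultIdentityAsserter</sec:name></sec:authentication-provider>
</realm>"""

if __name__ == "__main__":
    print(check_web_xml(SAMPLE_WEB_XML) or "web.xml OK")
    print("\n".join(check_realm_providers(SAMPLE_REALM)) or "realm OK")
```

The identity asserter trusts whatever the OAM_REMOTE_USER header carries, so this provider order only protects Demantra when the WebLogic server is reachable solely through the OHS instance running the Webgate.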


12. Disable the HttpOnly flag on the ssoCookie. This step is required to resolve the issue of Java applets not loading in OAM 11g or 10g. For more details, see My Oracle Support Note #1317110.1.
• Open DemAuthScheme under Authentication Schemes in the OAM console.
• In the Challenge Parameters text box, enter the text "ssoCookie=disablehttponly". This parameter is case sensitive.
• Apply the changes and exit the OAM console.
13. Restart the OAM server.

14. Demantra with OAM supports the following links:

Administrator Login:
http://SERVER_URL/b2b/common/prelogin.jsp?loginTo=3&redirectUrl=12&loginUrl=0&source=0&component=COMPONENT_ID&componentowner=1

Regular Login:
http://SERVER_URL/b2b/common/prelogin.jsp?redirectUrl=13&loginUrl=1&source=0&component=COMPONENT_ID&componentowner=1

User Management Login:
http://SERVER_URL/b2b/common/prelogin.jsp?loginTo=5&redirectUrl=15&loginUrl=5&source=0&component=COMPONENT_ID&componentowner=1

Workflow Login:
http://SERVER_URL/b2b/common/prelogin.jsp?loginTo=4&redirectUrl=18&loginUrl=9&source=0&component=COMPONENT_ID&componentowner=1

The above links need to be added to the customer home page as hyperlinks, or can be used directly from the browser.
The parameter component (dm, sop, etc.) needs to be changed accordingly in the above links.

For example, to access the Regular login to CWB, use:
http://host:port_number/demantra/common/prelogin.jsp?redirectUrl=13&loginUrl=1&source=0&component=dm&componentowner=1

15. To test that you have successfully configured SSO for Demantra, log in to your Demantra Collaborator Workbench, Workflow Manager, Admin Login or User Management login page using the links provided in point 14. You will be redirected to the OAM login. Once you have provided the OAM login credentials, you will be taken to the respective page without any user/password prompts.
