SafeNet Trusted Access for Oracle Identity Manager
The application template provides the ability to enable single sign-on for users accessing the Oracle Identity Manager application through SafeNet Trusted Access. SAML settings are configured in Oracle Access Manager to access Oracle Identity Manager as a protected resource.
The following use cases can be configured for Oracle Identity Manager:
•SAML single logout (SLO)
•Just-in-Time (JIT) provisioning
Configuring SafeNet Trusted Access for Oracle Identity Manager is a three-step process:
1.Oracle Identity Manager setup
2.SafeNet Trusted Access setup
•Oracle Access Manager and Oracle Identity Manager should be installed and configured.
•Download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps given below.
Configuring Oracle Access Manager for SP-Initiated SSO requires:
•Enabling federation services
•Creating an identity provider partner
•Creating an authentication policy
Perform the following steps to enable federation services:
1.Log in to the Oracle Access Manager console as an administrator using the URL, http://<oam-host>:<oam-port>/oamconsole.
•<oam-host> is the hostname of the OAM server.
•<oam-port> is the running port number of the OAM server.
For example, http://oiam:7001/oamconsole
2.On the Oracle Access Manager console, on the top right-hand side corner, click Configuration.
3.Click on the Available Services tile.
4.Under Available Services, under Federation, in the Identity Federation row, click Enable Service.
5.On the Confirmation window, click Enable Service.
Perform the following steps to create an identity provider partner:
1.On the Oracle Access Manager console, click the Federation tab.
2.Under the Federation tile, click on the Service Provider Management link.
3.On the Service Provider Administration window, click Create Identity Provider Partner.
a.In the Name field, enter an identity provider name (for example, Safenet).
b.Ensure that the Enable Partner check box is selected.
c.Select the Default Identity Provider Partner check box.
5.Under Service Information, perform the following steps:
a.In the Service Details field, ensure that the Load from provider metadata option is selected.
b.Click Browse to search and select the Identity provider metadata file that you downloaded earlier from the SafeNet Trusted Access console.
6.Under Mapping Options, under User Mapping, perform the following steps:
a.In the User Identity Store field, select a user credential store (for example, OUDStore).
b.In the User Search Base DN field, enter the user search base distinguished name of the domain name to search for user entries. (for example, dc=example,dc=com).
c.Ensure that the Map assertion Name ID to User ID Store attribute option is selected and enter the attribute name (for example, uid) in the field.
7.Scroll up and click Save.
8.At the bottom of the window, the Advanced section is displayed. Under Advanced, ensure that the following options are selected:
•Enable global logout
•HTTP POST SSO Response Binding
9.Scroll up and click Save.
Perform the following steps to create an authentication policy:
1.On the Oracle Access Manager console, click the Application Security tab.
2.On the Access Manager tile, click on the Application Domains link.
3.On the Search Application Domains window, click Search, and then in the Search Results table, in the Name column, click the IAM Suite application domain.
4.On the IAM Suite Application Domain window, click the Authentication Policies tab, and then in the table, in the Name column, click Protected HigherLevel Policy.
5.On the Protected HigherLevel Policy window, in the Authentication Scheme field, select the authentication scheme (for example, SafenetFederationScheme) that you created in step 10 of Creating an Identity Provider Partner.
6. Click Apply.
Perform the following steps to extract X.509 Certificate from the Oracle Access Manager metadata, which will be used while configuring Oracle Identity Manager in STA:
1.On the Oracle Access Manager console, on the top right-hand side corner, click Configuration.
2.Under Settings, click View, and click Federation.
3.Under Federation Settings, under General, click on Export SAML 2.0 Metadata…
4.OAM metadata will be downloaded in the .xml format. Save it in your local machine.
5.In a text editor, open the metadata and locate the <dsig:X509Certificate> tag, copy it’s value and paste it into a text editor and perform the following steps:
a. Add the following line before the certificate value:
b.Add the following line after the certificate value:
Perform the following steps to configure Oracle Access Manager for IdP-Initiated SSO:
1.Perform all the steps as mentioned in Configuring Oracle Access Manager for SP-Initiated SSO.
2.Perform the following steps to configure the unsolicited relay state using the Weblogic Scripting tool (WLST):
a.On the OAM host, open the command prompt and run the following commands to access WLST:
Where, <WLST_Path> is <Oracle Access Manager installation directory>/common/bin
For example, cd /…./Middleware/Oracle_OIAM/common/bin
b.Run the following command to connect to the OAM server:
connect ('<username>','<password>','t3:// <oam_host>:<oam_port>')
•<username> is the user name of the Weblogic administrator.
•<password> is the password of the Weblogic administrator.
•<oam_host> is the fully qualified domain name of Oracle Access Manager.
•<oam_port> is the port number that is configured to access Oracle Access Manager.
For example, connect(‘weblogic’,’Weblogic1’,’t3://oiam:7001’)
c.Run the following command to switch to the run time context:
d.Run the following command to set the unsolicited relay state:
•<partnerName> is the name of the identity provider partner (for example, Safenet) that you set in step 4 of Creating an Identity Provider Partner.
•<propValue> is the protected resource URL that you want to access, http://<ohs hostname:port number>/identity (for example, http://ohsserverps3:7777/identity)
Perform the following steps to configure Authentication Request Signing and Just-In-Time provisioning:
1.Perform all the steps till step 2(c) as mentioned in Configuring Oracle Access Manager – IdP-Initiated SSO.
2. Run the following commands to enable Authentication Request Signing, which Oracle Access Manager sends to SafeNet Trusted Access during single sign-on (SSO):
configureSAMLBinding(partnerName="<partnerName>", partnerType="idp", binding="httppost", ssoResponseBinding="httppost")
updatePartnerProperty("<partnerName>", "idp", "sendsignedauthnrequest", "true", "boolean")
updatePartnerProperty("<partnerName>", "idp", "includecertinsignature", "true", "boolean")
Where, <partnerName> is the name of the identity provider partner (for example, Safenet) that you set in step 4 of Creating an Identity Provider Partner..
3.Run the following command to enable Just-In-Time Provisioning (optional):
After completing the first step of configuring SafeNet Trusted Access in Oracle Identity Manager, the second step is to activate the Oracle Identity Manager application in SafeNet Trusted Access by performing the following steps:
1.In the Applications pane, the Oracle Identity Manager application you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Oracle Identity Manager) and proceed to the next step.
2.Under STA Setup, perform the following steps:
a.Under Account Details, in the OAM-HOSTNAME:OAM-PORT field, enter the host name and port number of the Oracle Access Manager console.
b.In OHS-HOSTNAME:OHS-PORT field, enter the host name and port number of the Oracle HTTP server.
c.Under SAML Certificates, in the Signing Certificate field, click on Upload Certificate and upload the certificate file that you saved earlier in step 7 of Obtaining Metadata and Extracting X.509 Certificate.
d.Under SAML Certificates, in the Encryption Certificate field, click Upload Certificate and upload the certificate file that you saved earlier in step 7 of Obtaining Metadata and Extracting X.509 Certificate.
e.Under User Login ID Mapping, in the NAME ID field, ensure that SAS User ID is selected.
f.Under Return Attributes, ensure that email, fname, and surname attributes are added.
3.Click Save Configuration to save the details and activate the Oracle Identity Manager application in SafeNet Trusted Access.
Navigate to the login URL of the Oracle Access Manager protected resource, http://<ohs hostname:ohs port>/identity.
For example, http://ohsserverps3:7777/identity.
You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Oracle Identity Manager console after authentication.
Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Oracle Identity Manager application icon. You should be successfully logged in to the Oracle Identity Manager console after authentication.
© 2019 SafeNet Trusted Access. Various trademarks are held by their respective owners.