Oracle® Fusion Middleware

Tutorial for Oracle Identity Management 11g Release 1 (11.1.1)
E10276-01

May 2009

Oracle Fusion Middleware Tutorial for Oracle Identity Management, 11g Release 1 (11.1.1) E10276-01

Copyright © 2009, Oracle and/or its affiliates. All rights reserved.

Primary Authors: Ellen Desmond, Vinaye Misra

Contributing Author: Stephen Lee

Contributors: Sophia Maler, Olaf Stullich, Mark Wilcox


Contents

Preface                                                                   v
    Audience                                                              v
    Documentation Accessibility                                           v
    Related Documents                                                     vi
    Conventions                                                           vi

1 Adding Users and Groups to Oracle Internet Directory
    Before you Begin                                                      1-1
    Adding User Entries                                                   1-1
    Creating A Static Group and Adding Members                            1-2

2 Modifying the Oracle Internet Directory Schema
    Before you Begin                                                      2-1
    Adding an Object Class by Using Oracle Directory Services Manager     2-1

3 Setting up Oracle Internet Directory Replication
    Before you Begin                                                      3-1
    Setting Up an LDAP-Based Multimaster Replication Agreement            3-1

4 Setting up Auditing of Oracle Internet Directory
    Before you Begin                                                      4-1
    Managing Auditing by Using Fusion Middleware Control                  4-1

5 Creating Oracle Virtual Directory Adapters
    Before you Begin                                                      5-1
    Creating a Local Store Adapter                                        5-1
    Adding Entries                                                        5-2
    Creating an LDAP Adapter                                              5-2
    Creating an Oracle Database Adapter                                   5-3
    Verify Adapters                                                       5-5

6 Setting up Oracle Directory Integration Platform Synchronization and Attribute Mapping
    Before you Begin                                                      6-1
    Set up Synchronization                                                6-1
    Customize Attribute Mappings                                          6-3
    Enable and Test Synchronization                                       6-3

7 Configuring Wallets and Data Stores for Oracle Identity Federation
    Configuring a Wallet for Signing Certificates                         7-1
    Configuring Data Stores                                               7-1
    Integrating Oracle Identity Federation with Oracle Access Manager     7-3

8 Configuring Oracle Identity Federation for Single Sign-On to Trusted Provider
    Exporting Service Provider Metadata                                   8-1
    Creating a Trusted Provider                                           8-2
    Executing Single Sign-On to a Provider                                8-2

A Accessing Administrative Interfaces
    Accessing Fusion Middleware Control                                   A-1
    Accessing Oracle Directory Services Manager                           A-1
    Accessing the Oracle WebLogic Server Administration Console           A-2

Index

Preface

This book contains the tutorial exercises for Oracle Fusion Middleware Getting Started with Oracle Identity Management.

Audience

Oracle Fusion Middleware Tutorial for Oracle Identity Management is intended for anyone who performs administration tasks for Oracle Identity Management components. Identity Management components are integral to the correct functioning of an enterprise. Inappropriate modifications can render essential services inaccessible and might violate company protocol. For this reason, we recommend that you do not actually perform these exercises unless you have an isolated test system.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible to all users, including users that are disabled. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/.

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Deaf/Hard of Hearing Access to Oracle Support Services

To reach Oracle Support Services, use a telecommunications relay service (TRS) to call Oracle Support at 1.800.223.1711. An Oracle Support Services engineer will handle technical issues and provide customer support according to the Oracle service request process. Information about TRS is available at http://www.fcc.gov/cgb/consumerfacts/trs.html, and a list of phone numbers is available at http://www.fcc.gov/cgb/dro/trsphonebk.html.

Related Documents

For more information, see the following documents in the Oracle Fusion Middleware 11g Release 1 (11.1.1) documentation set:

■ Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory
■ Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory
■ Oracle Fusion Middleware Integration Guide for Oracle Identity Management
■ Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation
■ Oracle Fusion Middleware Installation Guide for Oracle Identity Management
■ Oracle Fusion Middleware High Availability Guide
■ Oracle Fusion Middleware Security Guide

Conventions

The following text conventions are used in this document:

Convention    Meaning
boldface      Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italic        Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospace     Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

1 Adding Users and Groups to Oracle Internet Directory

In this exercise, you use Oracle Directory Services Manager to add a user and a group to Oracle Internet Directory. Perform this exercise before performing the Oracle Virtual Directory exercise. The Oracle Virtual Directory exercise requires access to an instance of Oracle Internet Directory that has at least one entry.

Before you Begin

You need access to an instance of Oracle Directory Services Manager and to an Oracle Internet Directory instance.

Adding User Entries

In this example, we create a user and assign a password.

1. Access Oracle Directory Services Manager, as described in "Accessing Oracle Directory Services Manager" on page A-1.
2. From the task selection bar, select Data Browser.
3. On the toolbar, click the Create a new entry icon. The Entry Properties page of the Create New Entry wizard appears.
4. Click the Add icon next to Object Class. The Add Object Class dialog box appears.
5. In the Add Object Class dialog box, search for, then select, the inetOrgPerson object class.
6. Click OK. This returns you to the Create New Entry wizard.
7. In the Parent of the entry field, type the full DN of the parent entry, for example cn=users,dc=us,dc=oracle,dc=com. You can also click the Browse button to locate the DN of the parent for this entry.
8. Click Next. The Mandatory Properties dialog appears.
9. Enter Anne Smith in the cn text box and Smith in the sn text box.
10. Select cn in the Relative Distinguished Name list as the property to use as the RDN.
11. Click Next.
12. Click Finish. The entry is created.
13. Select the Anne Smith entry in the data tree. (You can search for it to save time.)
14. Click the Attributes tab.
15. Click the icon under Optional Attributes to manage which optional attributes are shown.
16. In the All Attributes list, select userPassword, then click Move to move it into the Shown Attributes list. Click Add Attributes. A userPassword text box now appears under Optional Attributes in the Anne Smith entry.
17. Enter a password in the Password text box. Click Apply.

Create another user, as follows:

1. Select the Anne Smith entry in the data tree. (You can search for it to save time.)
2. On the toolbar above the entry, click the Create a new entry like this one icon. The Entry Properties page of the Create New Entry: Create Like wizard appears.
3. Use the same object classes and parent that you used for Anne Smith.
4. Click Next.
5. Enter a user name in the cn text box and the user's surname in the sn text box.
6. Select cn in the Relative Distinguished Name list as the property to use as the RDN.
7. Click Next.
8. Click Finish. The entry is created.
9. Select the new user's entry in the data tree.
10. Follow steps 14-17 in the previous list of steps to assign a password for the new user.

Creating A Static Group and Adding Members

In this example, we create a group and add the user Anne Smith to the group.

To add a static group entry:

1. From the task selection bar, select Data Browser.
2. On the toolbar, click the Create a new entry icon. The Entry Properties page of the Create New Entry wizard appears.
3. Click the Add icon next to Object Class. The Add Object Class dialog box appears.
4. In the Add Object Class dialog box, search for, then select, the groupOfNames object class.
5. Click OK. This returns you to the Create New Entry wizard.
6. In the Parent of the entry field, type the full DN of the parent entry, for example cn=groups,dc=us,dc=oracle,dc=com. You can also click the Browse button to locate the DN of the parent for this entry.
7. Click Next. The Mandatory Properties dialog appears.
8. Enter NewGroup in the cn text box.
9. Select cn in the Relative Distinguished Name list as the property to use as the RDN.
10. Click Next.
11. Click Finish. The entry is created.
12. Select the NewGroup entry in the data tree. (You can search for it to save time.)
13. Click the Group tab.
14. Click the Add icon next to Members.
15. Select the DN of Anne Smith. Click OK.
16. Click Apply.

2 Modifying the Oracle Internet Directory Schema

In this exercise, you use Oracle Directory Services Manager to create a new object class, called conferenceRoom, which extends the object class room.

Before you Begin

You need the following information in order to perform this exercise:

■ The host and port for ODSM.
■ Whether the ODSM port is using SSL.
■ The ODSM user and password.
■ An Object ID that is not already in use.

If you are invoking ODSM from Fusion Middleware Control, this information will be filled in for you.

Adding an Object Class by Using Oracle Directory Services Manager

To add an object class:

1. Access Oracle Directory Services Manager as described in "Accessing Oracle Directory Services Manager" on page A-1.
2. Go to the Schema page.
3. Expand the Object Classes panel on the left.
4. Enter room into the search field and click Go. The search returns at least one object class.
5. Select room in the Object Classes panel. Information about the object class appears in the right panel.
6. Click the Create an object class like the selected one icon. The New Object Class dialog box displays the attributes of the room object class.
7. Enter the name conferenceRoom and an available Object ID. Leave Type set to Structural.
8. In the Superclass section of the page, click the Add Super Object Class icon. The Add Super Object Class dialog appears. Enter room in the Search field and click Go. When the search returns, click room in the search result and click OK.
9. In the Optional Attributes section of the page, click the Add optional attributes to list icon. The Optional Attribute Selector dialog appears. Enter buildingName into the search field and click Go. Select buildingName in the search result and click OK.
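The two ODSM wizards above enforce the directory schema: the Mandatory Properties page in Chapter 1 demands each object class's required attributes and an RDN taken from the entry, and the object class editor in this chapter lets conferenceRoom inherit everything room allows and adds buildingName as optional. The following model of those rules is an added example, not Oracle code; the object classes, their attribute lists and the sample entries are simplified assumptions based on the standard LDAP schema and the names used in the two exercises.

```python
"""Toy LDAP schema checker (added example, not Oracle code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class ObjectClass:
    name: str
    sup: Optional[str] = None            # superclass, as chosen in ODSM's Superclass section
    must: FrozenSet[str] = frozenset()   # mandatory attributes (the wizard's Mandatory Properties)
    may: FrozenSet[str] = frozenset()    # optional attributes


class Schema:
    def __init__(self, classes: Iterable[ObjectClass]) -> None:
        self.classes: Dict[str, ObjectClass] = {}
        for oc in classes:
            self.add(oc)

    def add(self, oc: ObjectClass) -> None:
        """Register an object class; as in ODSM, the superclass must already be defined."""
        if oc.sup is not None and oc.sup.lower() not in self.classes:
            raise ValueError(f"superclass {oc.sup} of {oc.name} is not in the schema")
        self.classes[oc.name.lower()] = oc

    def chain(self, name: str) -> List[ObjectClass]:
        """The class followed by every superclass up to top."""
        out, cur = [], name
        while cur is not None:
            oc = self.classes[cur.lower()]
            out.append(oc)
            cur = oc.sup
        return out

    def required(self, names: Iterable[str]) -> FrozenSet[str]:
        return frozenset(a.lower() for n in names for oc in self.chain(n) for a in oc.must)

    def allowed(self, names: Iterable[str]) -> FrozenSet[str]:
        names = list(names)
        may = frozenset(a.lower() for n in names for oc in self.chain(n) for a in oc.may)
        return self.required(names) | may | {"objectclass"}


def validate_entry(schema: Schema, dn: str, attrs: Dict[str, List[str]]) -> List[str]:
    """Return the problems the server (or the ODSM wizard) would reject the entry for.
    DN parsing is simplified: the RDN is everything before the first comma."""
    entry = {k.lower(): list(v) for k, v in attrs.items()}
    classes = entry.get("objectclass", [])
    if not classes:
        return ["entry has no objectClass"]
    unknown = [c for c in classes if c.lower() not in schema.classes]
    if unknown:
        return [f"unknown object class {c}" for c in unknown]
    problems = [f"missing mandatory attribute {a}"
                for a in sorted(schema.required(classes) - set(entry))]
    problems += [f"attribute {a} not allowed by {','.join(classes)}"
                 for a in sorted(set(entry) - schema.allowed(classes))]
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if rdn_value not in entry.get(rdn_attr.lower(), []):
        problems.append(f"RDN {rdn_attr}={rdn_value} is not a value of the entry")
    return problems


def base_schema() -> Schema:
    """Standard classes the exercises rely on; attribute lists trimmed to what is used here."""
    return Schema([
        ObjectClass("top"),
        ObjectClass("person", "top", frozenset({"cn", "sn"}),
                    frozenset({"userPassword", "telephoneNumber", "seeAlso", "description"})),
        ObjectClass("organizationalPerson", "person", may=frozenset({"title", "ou"})),
        ObjectClass("inetOrgPerson", "organizationalPerson", may=frozenset({"uid", "mail", "givenName"})),
        ObjectClass("groupOfNames", "top", frozenset({"cn", "member"}), frozenset({"owner", "description"})),
        ObjectClass("domain", "top", frozenset({"dc"}), frozenset({"description"})),
        ObjectClass("room", "top", frozenset({"cn"}),
                    frozenset({"roomNumber", "description", "seeAlso", "telephoneNumber"})),
    ])


def extend_with_conference_room(schema: Schema) -> Schema:
    """This chapter's change: conferenceRoom extends room and adds optional buildingName."""
    schema.add(ObjectClass("conferenceRoom", "room", may=frozenset({"buildingName"})))
    return schema


# Constructed sample entries mirroring the ones created in the exercises.
ANNE_DN = "cn=Anne Smith,cn=users,dc=us,dc=oracle,dc=com"
ANNE = {"objectClass": ["inetOrgPerson"], "cn": ["Anne Smith"], "sn": ["Smith"],
        "userPassword": ["sample-password-not-real"]}
GROUP_DN = "cn=NewGroup,cn=groups,dc=us,dc=oracle,dc=com"
NEWGROUP = {"objectClass": ["groupOfNames"], "cn": ["NewGroup"], "member": [ANNE_DN]}
ROOM_DN = "cn=Room 101,cn=rooms,dc=us,dc=oracle,dc=com"
ROOM_101 = {"objectClass": ["room"], "cn": ["Room 101"], "buildingName": ["HQ"]}

if __name__ == "__main__":
    s = base_schema()
    print("Anne:", validate_entry(s, ANNE_DN, ANNE) or "ok")
    print("NewGroup:", validate_entry(s, GROUP_DN, NEWGROUP) or "ok")
    print("room + buildingName:", validate_entry(s, ROOM_DN, ROOM_101))
    extend_with_conference_room(s)
    print("conferenceRoom:", validate_entry(s, ROOM_DN, dict(ROOM_101, objectClass=["conferenceRoom"])) or "ok")
```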

3 Setting up Oracle Internet Directory Replication

In this exercise, you use Fusion Middleware Control to set up LDAP-based multimaster replication between two Oracle Internet Directory nodes.

Before you Begin

To complete this exercise, you need the following prerequisites:

■ Two Oracle Internet Directory instances in separate domains. Each instance must be registered with a WebLogic domain and have anonymous binds enabled.
■ The host, port, and replication DN password for each of the nodes. (If you provide the correct host, port, and password, the replication wizard fills in the replication DN.)

Setting Up an LDAP-Based Multimaster Replication Agreement

You configure a one-way, two-way, or multimaster LDAP replica by using the Replication Wizard in Oracle Enterprise Manager Fusion Middleware Control. In this exercise, we will configure a multimaster agreement between two nodes. Proceed as follows.

1. Access Oracle Enterprise Manager Fusion Middleware Control as described in "Accessing Fusion Middleware Control" on page A-1.
2. Log in.
3. From the Oracle Enterprise Manager Fusion Middleware Control domain home page, under Fusion Middleware, under Identity and Access, select the Oracle Internet Directory component you want to use as the first node in the multimaster agreement. The home page for that instance of Oracle Internet Directory appears.
4. From the Oracle Internet Directory menu, select Administration, then Manage Replication. This takes you to the Replication Agreements page. If this Oracle Internet Directory instance is not yet configured to be part of any replication agreement, the list is blank.
5. Click the Create icon to invoke the Replication Wizard.
6. On the Type page, select the replication type: Multimaster Replication.
7. Provide the agreement name Testreplica. This must be unique across all the nodes.
8. Click Next. The Replicas screen displays the replication type you selected. Primary node will be filled in with information about the current (primary) host. You must enter the information about the secondary host.
9. Enter the host, port, and replication password for the secondary node. The Username (replication DN) will fill in automatically.
10. Click Next to go to the Settings page.
11. In the LDAP Connection field, select Keep Alive. This specifies that the replication server use the same connection for performing multiple LDAP operations.
12. Use the default Replication Frequency. This is the interval, in minutes, at which the directory replication server repeats the change application process.
13. Use the default Human Intervention Queue Schedule.
14. The settings page also contains a section called Replication Server Start Details. Leave these disabled.
15. Click Next to go to the Scope page.
16. Leave the default naming context.
17. Click Next. The Summary page displays a summary of the replication agreement you are about to create.
18. Click Finish to create the replication agreement.

4 Setting up Auditing of Oracle Internet Directory

In this exercise, you use Fusion Middleware Control to manage auditing.

Before you Begin

You must have access to the administrative user account for the domain.

Managing Auditing by Using Fusion Middleware Control

You use Oracle Enterprise Manager Fusion Middleware Control to manage auditing.

1. Connect to Fusion Middleware Control as described in "Accessing Fusion Middleware Control" on page A-1.
2. Log in as the WebLogic administrator, if necessary.
3. From the domain home page, under Fusion Middleware, expand Identity and Access. Instances of Oracle Internet Directory are listed.
4. Select the Oracle Internet Directory component to manage.
5. From the Oracle Internet Directory menu, select Security, then Audit Policy.
6. From the Audit Level list, select Custom to configure your own filters.
7. Under User Sessions, User Logins, enable Failure.
8. Click the Edit Filter icon next to the Failure item you enabled. The Edit Filter dialog for the filter appears.
9. Click the Add icon.
10. From the list to the right, select Initiator.
11. From the Condition list, select -eq.
12. In the text box to the right, enter the name of the administrative user that you used when logging in, for example, weblogic.
13. Click OK.
14. Click Apply to save the changes.

To obtain a report of your current settings, click Export. Save the report to a file. Open the file in a text editor, such as Wordpad, and view the audit configuration you just created.
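The policy built above records only failed logins whose Initiator is the administrative user, which is the kind of narrow rule a Custom audit level is for. The following model of that policy, evaluated against constructed sample events, is an added example and not Oracle code: the event field names are this example's own (not Oracle's audit record format), -eq is the condition the exercise uses, and -ne is included only as an illustration.

```python
"""Evaluate a Custom audit policy against sample events (added example, not Oracle code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed sample events; the field names are this example's own, not Oracle's record format.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"category": "UserSession", "type": "UserLogin", "status": "failure",
     "initiator": "weblogic", "remote": "10.0.0.5"},
    {"category": "UserSession", "type": "UserLogin", "status": "success",
     "initiator": "weblogic", "remote": "10.0.0.5"},
    {"category": "UserSession", "type": "UserLogin", "status": "failure",
     "initiator": "cn=orcladmin", "remote": "10.0.0.9"},
    {"category": "UserSession", "type": "UserLogout", "status": "success",
     "initiator": "weblogic", "remote": "10.0.0.5"},
]


@dataclass(frozen=True)
class Condition:
    """One row of the Edit Filter dialog: attribute, condition, value."""
    attribute: str   # e.g. Initiator
    operator: str    # "-eq" is what the exercise uses; "-ne" is this example's own addition
    value: str

    def matches(self, event: Dict[str, str]) -> bool:
        actual = event.get(self.attribute.lower(), "")
        if self.operator == "-eq":
            return actual == self.value
        if self.operator == "-ne":
            return actual != self.value
        raise ValueError(f"unsupported operator {self.operator}")


@dataclass
class EventRule:
    """Which outcomes of one event type are audited, each with a filter (all conditions must hold)."""
    outcomes: Dict[str, List[Condition]] = field(default_factory=dict)

    def audits(self, event: Dict[str, str]) -> bool:
        conditions = self.outcomes.get(event["status"])
        if conditions is None:          # this outcome (Success/Failure) was not enabled
            return False
        return all(c.matches(event) for c in conditions)


class AuditPolicy:
    """Audit Level Custom: only explicitly enabled event types and outcomes are recorded."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], EventRule] = {}

    def enable(self, category: str, event_type: str, outcome: str,
               conditions: Iterable[Condition] = ()) -> "AuditPolicy":
        rule = self.rules.setdefault((category, event_type), EventRule())
        rule.outcomes[outcome] = list(conditions)
        return self

    def is_audited(self, event: Dict[str, str]) -> bool:
        rule = self.rules.get((event["category"], event["type"]))
        return rule is not None and rule.audits(event)

    def export(self) -> List[str]:
        """Plain-text summary of the configuration, in the spirit of the Export button's report."""
        lines = ["Audit Level: Custom"]
        for (category, event_type), rule in sorted(self.rules.items()):
            for outcome, conditions in sorted(rule.outcomes.items()):
                text = " and ".join(f"{c.attribute} {c.operator} {c.value}" for c in conditions)
                lines.append(f"{category}/{event_type} {outcome}: {text or '(no filter)'}")
        return lines


def tutorial_policy(admin_user: str = "weblogic") -> AuditPolicy:
    """User Sessions > User Logins, Failure enabled, filter Initiator -eq <admin user>."""
    return AuditPolicy().enable("UserSession", "UserLogin", "failure",
                                [Condition("Initiator", "-eq", admin_user)])


def audited_events(policy: AuditPolicy, events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """The subset of events the policy would write to the audit store."""
    return [e for e in events if policy.is_audited(e)]


if __name__ == "__main__":
    policy = tutorial_policy()
    print("\n".join(policy.export()))
    for event in audited_events(policy, SAMPLE_EVENTS):
        print("audited:", event)
```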

5 Creating Oracle Virtual Directory Adapters

In this exercise, you use Oracle Directory Services Manager to create a local store and add an entry to it. Then you create an adapter for an LDAP directory and an adapter for a database.

Before you Begin

The prerequisites for setting up Oracle Virtual Directory adapters are as follows:

■ An instance of Oracle Directory Services Manager. You need to know the URL.
■ An instance of Oracle Virtual Directory.
■ An instance of Oracle Internet Directory with some user entries. You can use the instance from the Oracle Internet Directory tutorial.
■ An Oracle Database. For this exercise, you can use the Oracle Database associated with Oracle Internet Directory, although you would not do that on a production system. When an Oracle Database is installed, it already has the HR example schema that we will use in this exercise.
■ For the Oracle Virtual Directory, Oracle Internet Directory, and Oracle Database, you will need to supply the following information:
  – Hostname
  – Port
  – Administrator's name
  – Password

Creating a Local Store Adapter

Create Local Store Adapter dc=oracle,dc=com, as follows:

1. Access Oracle Directory Services Manager, as described in "Accessing Oracle Directory Services Manager" on page A-1.
2. Click the Adapter tab.
3. Click the Create Adapter icon and choose Local Store Adapter.
4. On the Adapter page:
   a. Enter the Adapter name LSA.
   b. Leave Template set to Default.
   c. Click Next.
5. On the Settings page:
   a. Enter the Adapter Suffix/Namespace dc=oracle,dc=com.
   b. Enter data/localDB for Database File.
   c. Use the default values for the rest of the fields on the Settings page.
   d. Click Next.
6. Review the summary page and click Finish if everything looks correct.

Note: If, for some reason, you decide to delete the adapter and create a new one, use a different Adapter name and a different Database File name.

Adding Entries

Create an entry in the local store as follows:

1. Using a text editor, create an LDIF file that looks like this:

   version: 1
   dn: dc=oracle,dc=com
   objectclass: top
   objectclass: domain
   dc: oracle

2. Access Oracle Directory Services Manager, as described in "Accessing Oracle Directory Services Manager" on page A-1.
3. Click the Data Browser tab.
4. Highlight dc=oracle,dc=com under Client View.
5. Click the Import LDIF icon.
6. Browse to the LDIF file you created and click Open.

Creating an LDAP Adapter

Create an LDAP adapter as a branch (cn=Users,dc=mydomain,dc=com), as follows:

1. Access Oracle Directory Services Manager, as described in "Accessing Oracle Directory Services Manager" on page A-1.
2. Click the Adapter tab.
3. Click the Create Adapter icon and choose LDAP.
4. On the Adapter page:
   a. Enter LDAP as name.
   b. Since we will be connecting to an OID server, leave the adapter template at Default.
   c. Click Next.
5. On the Connection Page:
   a. Leave Use DNS for Auto Discovery set to No.
   b. Click the Add Host icon.
   c. Enter hostname and port values for your LDAP server.
   d. For server proxy Bind DN and proxy password, enter the admin DN (typically cn=orcladmin) and password for your LDAP server.
   e. Use the default values for the rest of the fields on the page.
   f. Click Next.
6. On the Connection Test page, you should see Success!! Oracle Virtual Directory connected to all hosts. Click Next.
7. On the Name Space page:
   a. Set the remote base to where you wish to connect in the remote directory tree. Browse to the Users container, cn=Users,dc=mydomain,dc=com.
   b. Set the Mapped Namespace to ou=LDAP,dc=oracle,dc=com.
   c. Use the default values for the rest of the fields on the page.
   d. Click Next.
8. Review the Summary page. Click Finish.
9. Highlight the LDAP adapter and click the Routing tab. On the Routing tab:
   a. Under General Settings, select No for Visibility so that this adapter will look like a normal branch to an LDAP client.
   b. Set Pass Through Credentials to Always.
   c. Click Apply.
10. Go to the Data Browser tab. On the Data Browser page, click the Refresh icon and verify that the data tree from the LDAP adapter is visible. Expand the containers under Adapter Browser to view the entries.
11. Expand ou=LDAP,dc=oracle,dc=com under Client View to view the entries as they appear to a client, and expand the containers under Client View to see if they have changed.

Creating an Oracle Database Adapter

Create a database adapter that maps the Oracle DB sample HR schema as a branch, as follows:

1. Access Oracle Directory Services Manager, as described in "Accessing Oracle Directory Services Manager" on page A-1.
2. Click the Adapter tab. The Adapter navigation tree appears.
3. Click the Create Adapter icon.
4. On the Adapter page:
   a. Select Database from the Adapter Type list.
   b. Enter DB as adapter name.
   c. Leave the Adapter Template set to Default.
   d. Click Next. The Connection screen appears.
5. On the Connection screen:
   a. For Adapter Suffix/Namespace, enter ou=db,dc=oracle,dc=com.
   b. For Database type, select Use Predefined Database.
   c. For URL type, select the proper driver type for your database, such as Oracle Thin Drivers.
   d. For Host, enter the hostname/IP address of your database (sta00730).
   e. For Port, enter the port of your database (5521).
   f. For Database name, enter dapmain.
   g. For Database user, enter HR.
   h. For Database password, enter the password (welcome1).
   i. JDBC Driver Class and Database URL will fill in automatically.
   Click Next, which takes you to the Mapped Database Tables page.
6. On the Mapped Database Tables Page:
   a. Click Browse.
   b. Scroll down to HR, expand the container, and click EMPLOYEES.
   c. Click OK. The Map Database Tables page will now show HR.EMPLOYEES.
   d. Click Next to go to the Map Object Classes page.
7. On the Map Object Classes page:
   a. Click the Create a New Object Class icon.
   b. Enter Object Class inetorgperson.
   c. Enter RDN Attribute UID.
   d. Click OK.
8. Highlight the object class you just created and click the Add Mapping Attribute icon. On the Add Mapping Attribute page:
   a. Enter the LDAP attribute uid and the Database Table:Field HR.EMPLOYEES:EMAIL. Leave Datatype blank.
   b. Click OK.
   c. Map the LDAP attribute givenname to HR.EMPLOYEES:FIRST_NAME.
   d. Click Next.
9. Click Finish. The new DB adapter appears on the Adapter page.
10. On the Adapter page, select the new Database adapter and click the Routing tab. On the Routing page:
   a. Under General Settings, select No for Visibility so that this adapter will look like a normal branch to an LDAP client.
   b. Select DB adapter criticality False so that if DB is not available OVD still responds.
   c. Click Apply.

Verify Adapters

You should see three adapters listed on the left side of the Adapter page: one for Local store, one for LDAP, and one for Database adapter. Click on each adapter to make sure that it displays the correct namespace and configuration information you set in the adapter configuration setup. Go to the Data Browser, click the refresh icon, and observe the Client View and Adapter Browser.
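What the Client View shows after this chapter is the routing layer merging three namespaces. The following toy model of that behaviour is an added example, not Oracle Virtual Directory code: the local store serves the imported LDIF, the LDAP adapter rewrites cn=Users,dc=mydomain,dc=com into ou=LDAP,dc=oracle,dc=com, the database adapter turns HR.EMPLOYEES rows into inetorgperson entries with uid from EMAIL and givenname from FIRST_NAME, and criticality False lets a search succeed when the database is down. The remote OID entries and the table rows are constructed sample data.

```python
"""Toy model of OVD adapter routing (added example, not Oracle Virtual Directory code)."""
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]   # (DN, attributes)

# The LDIF from "Adding Entries", imported into the local store.
LOCAL_STORE_LDIF = """version: 1
dn: dc=oracle,dc=com
objectclass: top
objectclass: domain
dc: oracle
"""

# Constructed sample data standing in for the remote OID tree and the HR.EMPLOYEES table.
REMOTE_OID_ENTRIES: List[Entry] = [
    ("cn=Anne Smith,cn=Users,dc=mydomain,dc=com",
     {"objectclass": ["inetOrgPerson"], "cn": ["Anne Smith"], "sn": ["Smith"]}),
    ("cn=NewGroup,cn=Users,dc=mydomain,dc=com",
     {"objectclass": ["groupOfNames"], "cn": ["NewGroup"],
      "member": ["cn=Anne Smith,cn=Users,dc=mydomain,dc=com"]}),
]
HR_EMPLOYEES_ROWS = [{"EMAIL": "ASMITH", "FIRST_NAME": "Anne"},
                     {"EMAIL": "JDOE", "FIRST_NAME": "John"}]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: one attribute per line, no continuation lines or base64 values."""
    entries: List[Entry] = []
    dn, attrs = None, {}
    for line in text.splitlines() + [""]:
        if not line.strip():                     # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("version:"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def under(dn: str, base: str) -> bool:
    """True when dn is base or lies beneath it (case-insensitive suffix match on DN strings)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


class AdapterDown(Exception):
    """The adapter's backend (directory or database) cannot be reached."""


class Adapter:
    def __init__(self, name: str, namespace: str, critical: bool = True) -> None:
        self.name, self.namespace, self.critical = name, namespace, critical
        self.available = True

    def entries(self) -> List[Entry]:
        raise NotImplementedError

    def search(self, base: str) -> List[Entry]:
        if not self.available:
            raise AdapterDown(self.name)
        return [e for e in self.entries() if under(e[0], base)]


class LocalStoreAdapter(Adapter):
    def __init__(self, name: str, namespace: str, ldif: str) -> None:
        super().__init__(name, namespace)
        self._entries = parse_ldif(ldif)

    def entries(self) -> List[Entry]:
        return list(self._entries)


class LDAPAdapter(Adapter):
    """Rewrites DNs under the remote base into the mapped namespace."""
    def __init__(self, name: str, namespace: str, remote_base: str, remote: List[Entry]) -> None:
        super().__init__(name, namespace)
        self.remote_base, self.remote = remote_base, remote

    def entries(self) -> List[Entry]:
        return [(dn[: len(dn) - len(self.remote_base)] + self.namespace, dict(attrs))
                for dn, attrs in self.remote if under(dn, self.remote_base)]


class DatabaseAdapter(Adapter):
    """Maps HR.EMPLOYEES rows to inetorgperson: uid <- EMAIL (the RDN), givenname <- FIRST_NAME."""
    def __init__(self, name: str, namespace: str, rows: List[Dict[str, str]], critical: bool) -> None:
        super().__init__(name, namespace, critical)
        self.rows = rows

    def entries(self) -> List[Entry]:
        return [(f"uid={r['EMAIL']},{self.namespace}",
                 {"objectclass": ["inetorgperson"], "uid": [r["EMAIL"]], "givenname": [r["FIRST_NAME"]]})
                for r in self.rows]


class VirtualDirectory:
    def __init__(self, adapters: List[Adapter]) -> None:
        self.adapters = adapters

    def search(self, base: str) -> List[Entry]:
        results: List[Entry] = []
        for a in self.adapters:
            if not (under(a.namespace, base) or under(base, a.namespace)):
                continue                         # namespace out of scope: adapter not consulted
            try:
                results.extend(a.search(base))
            except AdapterDown:
                if a.critical:                   # criticality True: the whole search fails
                    raise
                # criticality False (the DB adapter's setting above): answer with the rest
        return results


def build_tutorial_ovd(db_critical: bool = False) -> VirtualDirectory:
    return VirtualDirectory([
        LocalStoreAdapter("LSA", "dc=oracle,dc=com", LOCAL_STORE_LDIF),
        LDAPAdapter("LDAP", "ou=LDAP,dc=oracle,dc=com", "cn=Users,dc=mydomain,dc=com", REMOTE_OID_ENTRIES),
        DatabaseAdapter("DB", "ou=db,dc=oracle,dc=com", HR_EMPLOYEES_ROWS, critical=db_critical),
    ])


if __name__ == "__main__":
    for dn, _ in build_tutorial_ovd().search("dc=oracle,dc=com"):
        print(dn)
```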

for example. you use Fusion Middleware Control to set up an Active Directory synchronization profile and add a customized attribute mapping. dc=domain. Then you enable and test synchronization.cn=users.dc=com. DIP1. Setting up Oracle Directory Integration Platform Synchronization and Attribute Mapping 6-1 . For example: cn=users. A container in the Oracle Internet Directory instance associated with the Oracle Directory Integration Platform instance.dc=example.dc=com. You will need to supply the following information about the server: – – – – – Hostname Port Administrator’s name Password Host container. Before you Begin The prerequisites for setting up Oracle Directory Integration Platform synchronization with Active Directory are as follows: ■ An Oracle Enterprise Manager Fusion Middleware Control environment with an Oracle Directory Integration Platform component instance. as described in "Accessing Oracle Directory Services Manager" on page A-1. An Active Directory server.dc=example. 3. Log in to the domain that is running the Oracle Directory Integration Platform instance you want to manage.6 Setting up Oracle Directory Integration Platform Synchronization and Attribute Mapping 6 In this tutorial. usuallycn=users. for example: cn=adusers. ■ ■ Set up Synchronization Perform the following steps to create a profile using Oracle Enterprise Manager Fusion Middleware Control: 1. 2. Locate and select the Oracle Directory Integration Platform instance that you want to manage. Access Oracle Directory Services Manager.

4. Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles page appears.
5. Click Create. The Create Synchronization Profile page appears with tabs for the various types of profile settings.
6. Click the General tab to configure the general settings for the profile.
a. Choose a Profile Name.
b. Select Active Directory for Type.
c. Select Destination for DIP-OID.
d. Enter the host and port of the Active Directory server. Do not enable SSL.
e. For User Name and Password, enter the administrator name and password on the Active Directory server.
f. Click Test Connection. It should return Test Passed. Authentication Successful.
g. For Source Container enter the source container in AD, for example: cn=adusers,cn=users,dc=example,dc=com. You can use the Lookup button or enter the values directly.
h. For DIP-OID Container enter the DIP-OID container on the Oracle Internet Directory instance, for example: cn=users,dc=example,dc=com.
7. Click the Mapping tab to configure Domain and Attribute Mapping Rules.
a. Click Create in the Domain Mapping Rules section to create mapping rules for the domain or container from which objects are synchronized into Oracle Internet Directory. The Add Domain Mapping Rule dialog box appears.
b. Leave the Mapping Rule box empty.
c. Click OK.
d. Keep the default set for the Attribute Mapping Rules section.
e. Use the Validate All Mapping Rules button to test your mapping rules after you create them.
f. You can ignore warnings, but not errors.
8. Click the Filtering tab to configure the filter settings for the profile. Do not make any changes.
9. Click the Advanced tab to configure the advanced settings for the profile. Set the following values:
Scheduling Interval MM:SS: 1 Minute
Maximum Number of Retries: 1
Log Level: Error
10. Click OK to return to the Manage Synchronization Profile page and create the profile.
11. The profile appears, along with a confirmation that the profile was saved successfully.

Customize Attribute Mappings
In this exercise, you will add an attribute mapping rule to the synchronization profile you created in Set up Synchronization.
1. Access Oracle Enterprise Manager Fusion Middleware Control as described in "Accessing Fusion Middleware Control" on page A-1.
2. Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears.
3. Click the Profile that you created in Set up Synchronization.
4. Click the Edit icon.
5. Verify that Profile Name is correct.
6. Click the Mapping tab.
7. In the Attribute Mapping Rules section select the Create icon.
8. In the Mapping Rule window:
a. From the Source ObjectClass drop down list select: user
b. Select Source Attribute: Single Attribute
c. From the Source Attribute drop down list select: telephonenumber
d. From the DIP-OID ObjectClass drop down list select: inetorgperson
e. From the DIP-OID Attribute drop down list select: inetorgperson
f. From the DIP-OID Attribute type drop down list select: telephonenumber
g. Click OK
9. Use the Validate All Mapping Rules button to test your mapping rules after you create them.

Enable and Test Synchronization
1. On the Manage Synchronization Profile page, click Enable. A confirmation that the profile was enabled appears.
2. Add an entry to Active Directory and wait a few minutes.
3. Using Oracle Directory Services Manager, verify that the entry now exists in Oracle Internet Directory.
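To make concrete what the domain mapping rule and the attribute mapping rule above actually do to an entry, here is an added example that models both in plain Python. It is not Oracle Directory Integration Platform code and does not use DIP's own rule syntax: the rule objects, the destination schema, the Active Directory entry and the two baseline cn/sn rules are all constructed for the illustration; only the source and destination containers and the telephonenumber rule come from the exercise. The validate_rules function mirrors the distinction the exercise draws between warnings you may ignore and errors you may not.

```python
"""Constructed model of a DIP synchronization profile's domain mapping and
attribute mapping rules (added illustration, not DIP's own syntax or code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeRule:
    """The four drop-downs of the Mapping Rule window: which source attribute
    of which source object class is written to which destination attribute
    and destination object class."""
    src_objectclass: str
    src_attribute: str
    dst_objectclass: str
    dst_attribute: str


def map_dn(dn: str, src_container: str, dst_container: str) -> str:
    """Domain mapping: move an entry DN from the AD source container to the
    Oracle Internet Directory destination container. The match is
    case-insensitive and must fall on an RDN boundary, so an entry under
    cn=adusers2,... is never treated as if it were under cn=adusers,..."""
    dn_l, src_l = dn.lower(), src_container.lower()
    if dn_l == src_l:
        return dst_container
    if not dn_l.endswith("," + src_l):
        raise ValueError(f"{dn} is not under source container {src_container}")
    return dn[: len(dn) - len(src_container)] + dst_container


def map_entry(entry: dict, rules: list[AttributeRule],
              src_container: str, dst_container: str) -> dict:
    """Apply the attribute rules to one source entry (attribute names keyed
    lowercase). Rules for an object class the entry does not carry, or for an
    attribute it lacks, are skipped rather than producing empty values."""
    present = {oc.lower() for oc in entry.get("objectclass", [])}
    mapped: dict = {"dn": map_dn(entry["dn"], src_container, dst_container),
                    "objectclass": set()}
    for rule in rules:
        if rule.src_objectclass.lower() not in present:
            continue
        values = entry.get(rule.src_attribute.lower())
        if not values:
            continue
        mapped.setdefault(rule.dst_attribute.lower(), []).extend(values)
        mapped["objectclass"].add(rule.dst_objectclass.lower())
    return mapped


def validate_rules(rules: list[AttributeRule],
                   dst_schema: dict[str, set[str]]) -> tuple[list[str], list[str]]:
    """In the spirit of Validate All Mapping Rules: an attribute the destination
    object class cannot hold is an error (the sync would fail); two rules that
    write the same destination attribute is only a warning."""
    errors, warnings = [], []
    seen: set[str] = set()
    for r in rules:
        allowed = dst_schema.get(r.dst_objectclass.lower())
        if allowed is None:
            errors.append(f"unknown destination object class {r.dst_objectclass}")
        elif r.dst_attribute.lower() not in allowed:
            errors.append(f"{r.dst_attribute} is not allowed on {r.dst_objectclass}")
        key = r.dst_attribute.lower()
        if key in seen:
            warnings.append(f"{r.dst_attribute} is written by more than one rule")
        seen.add(key)
    return errors, warnings


# Containers as used in the exercise.
SRC_CONTAINER = "cn=adusers,cn=users,dc=example,dc=com"
DST_CONTAINER = "cn=users,dc=example,dc=com"

# Constructed destination schema: object class -> attributes it may carry.
DST_SCHEMA = {"inetorgperson": {"cn", "sn", "uid", "mail", "telephonenumber"}}

# Constructed rule set: two baseline rules plus the rule the exercise adds.
RULES = [
    AttributeRule("user", "cn", "inetorgperson", "cn"),
    AttributeRule("user", "sn", "inetorgperson", "sn"),
    AttributeRule("user", "telephonenumber", "inetorgperson", "telephonenumber"),
]

# Constructed Active Directory entry to synchronize.
SAMPLE_AD_ENTRY = {
    "dn": "cn=Jane Doe,cn=adusers,cn=users,dc=example,dc=com",
    "objectclass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "telephonenumber": ["+1 555 0100"],
}


def sync_sample() -> dict:
    """Run the sample entry through the rules; returns the OID-side entry."""
    return map_entry(SAMPLE_AD_ENTRY, RULES, SRC_CONTAINER, DST_CONTAINER)


if __name__ == "__main__":
    print(validate_rules(RULES, DST_SCHEMA))
    print(sync_sample())
```

The RDN-boundary check in map_dn is the part worth keeping in mind when you write a real domain mapping rule: a plain prefix or substring match would silently pull entries from a sibling container with a similar name into the destination.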


7 Configuring Wallets and Data Stores for Oracle Identity Federation

In this series of exercises, you use Fusion Middleware Control to manage Oracle Identity Federation. The exercises include:
■ Configuring a Wallet for Signing Certificates
■ Configuring Data Stores
■ Integrating Oracle Identity Federation with Oracle Access Manager

Configuring a Wallet for Signing Certificates
Create a wallet for the Oracle Identity Federation server's signing certificates.
1. Access Oracle Enterprise Manager Fusion Middleware Control as described in "Accessing Fusion Middleware Control" on page A-1.
2. Select the Oracle Identity Federation instance in the navigation pane on the left.
3. Navigate to Oracle Identity Federation, then Administration, then Security and Trust.
4. Click the Update button corresponding to Wallet Properties - Signatures.
5. For JCE Keystore Type, select the PKCS#12 radio button.
6. For Wallet Location, click Browse. Locate the operating system file for the wallet, and click Open in the file dialog.
7. For Password, enter the password that is used to encrypt the private key.
8. For Signing Key Alias, enter the alias under which the private key is stored in the wallet.
9. Click OK.

Configuring Data Stores
In this section you will learn how to configure Oracle Identity Federation to use Oracle Database and Oracle Internet Directory as data stores.

Configure a database as the user data store:
1. Create a JDBC Data Source
a. Log in to the WebLogic Administration Console, as described in "Accessing the Oracle WebLogic Server Administration Console" on page A-2.

b. Navigate to Services, then JDBC, then Data Sources.
c. Click New, and enter the database information.
d. Choose a name and a JNDI name for the new data source.
e. Choose the WebLogic managed server where Oracle Identity Federation is deployed as the target of this data source.
f. Click OK.
2. Configure an RDBMS user data store
a. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
b. Navigate to Administration, then Data Stores.
c. In the User Data Store section, click Edit.
d. Select Database from the Repository Type dropdown list.
e. Enter the following properties:
- For JNDI Name, enter the JNDI of the data source created in the WebLogic Administration Console.
- For Login Table, enter the name of the user table.
- For User ID Attribute, enter the name of the User ID column in the user table.
- For User Description Attribute, enter the name of the User Description column in the user table.
f. Click OK.

Configure Oracle Internet Directory as the LDAP user data store:
1. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
2. Navigate to Administration, then Data Stores.
3. In the User Data Store section, click Edit.
4. Select LDAP Directory from the Repository Type dropdown list.
5. Provide the following details:
■ For Connection URL, enter the LDAP URL to connect to the server. For example, ldap://ldap.oif.com:389.
■ For Bind DN, enter the administrator account DN to use to connect to the LDAP server. For example, cn=orcladmin.
■ For Password, enter the administrator password to connect to the LDAP server.
■ For UserID attribute, enter uid.
■ For User Description attribute, enter uid.
■ For Person Object Class, enter inetOrgPerson.
■ For Base DN, enter the directory to which the search for users should be confined.
■ For Maximum Connections, enter the maximum number of LDAP connections that Oracle Identity Federation will simultaneously open to the LDAP server.
■ For Connection Wait Timeout, enter the timeout, in minutes, to use when Oracle Identity Federation opens a connection to the LDAP server.

6. Click OK.

Integrating Oracle Identity Federation with Oracle Access Manager
This integration enables Oracle Identity Federation to interact with Oracle Access Manager to create an authenticated user session. You can:
■ Configure Oracle Access Manager as an Authentication Engine
■ Configure Oracle Access Manager as an SP Integration Module
For details, see Deploying Oracle Identity Federation with Oracle Access Manager in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
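The LDAP user data store settings entered in the procedure above (Connection URL, Bind DN, Base DN, Person Object Class, UserID attribute, Maximum Connections, Connection Wait Timeout) are what the server turns into a user lookup at login time. The following added example shows that lookup and a configuration check in plain Python; it is not Oracle Identity Federation code. The connection URL, Bind DN, attribute and object class values are the ones the exercise quotes, while the base DN and the two limits in SAMPLE_USER_STORE are assumed. The escaping in escape_filter_value is the part that matters: the user ID typed at the login page is placed inside an LDAP filter, and RFC 4515 escaping is what keeps it from changing the filter's structure.

```python
"""Added example: the login lookup an LDAP user data store implies, plus a
settings check. Not Oracle Identity Federation code; the store below mixes
values quoted in the exercise with assumed ones (marked)."""
from __future__ import annotations

from urllib.parse import urlsplit

SAMPLE_USER_STORE = {
    "connection_url": "ldap://ldap.oif.com:389",   # from the exercise
    "bind_dn": "cn=orcladmin",                     # from the exercise
    "user_id_attribute": "uid",                    # from the exercise
    "person_object_class": "inetOrgPerson",        # from the exercise
    "base_dn": "cn=users,dc=example,dc=com",       # assumed
    "max_connections": 10,                         # assumed
    "connection_wait_timeout_minutes": 1,          # assumed
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    backslash, *, parentheses and NUL become \\XX hex escapes, so a user ID
    typed at login can only ever be matched as a literal value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def user_search(store: dict, user_id: str) -> tuple[str, str]:
    """Build the (base DN, filter) pair for the login lookup: the search is
    confined to Base DN and matches Person Object Class on UserID attribute."""
    flt = "(&(objectClass={})({}={}))".format(
        store["person_object_class"],
        store["user_id_attribute"],
        escape_filter_value(user_id),
    )
    return store["base_dn"], flt


def check_user_store(store: dict) -> tuple[list[str], list[str]]:
    """Errors make the store unusable; warnings are risk notes. A plain ldap://
    URL carries the Bind DN password and every user lookup unencrypted."""
    errors, warnings = [], []
    url = urlsplit(store["connection_url"])
    if url.scheme not in ("ldap", "ldaps"):
        errors.append(f"unsupported scheme in {store['connection_url']}")
    elif url.scheme == "ldap":
        warnings.append("ldap:// is unencrypted; the bind password travels in the clear")
    if not url.hostname:
        errors.append("connection URL has no host")
    if "=" not in store["bind_dn"]:
        errors.append("Bind DN must be a DN such as cn=orcladmin")
    for key in ("user_id_attribute", "person_object_class", "base_dn"):
        if not store.get(key):
            errors.append(f"{key} must not be empty")
    if store["max_connections"] < 1:
        errors.append("Maximum Connections must be at least 1")
    if store["connection_wait_timeout_minutes"] <= 0:
        errors.append("Connection Wait Timeout must be positive")
    return errors, warnings


if __name__ == "__main__":
    print(user_search(SAMPLE_USER_STORE, "jdoe"))
    print(check_user_store(SAMPLE_USER_STORE))
```

Run against the exercise's own values the check reports no errors but one warning, because ldap://ldap.oif.com:389 is a cleartext connection; switching the URL to an ldaps:// endpoint clears it.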


8 Configuring Oracle Identity Federation for Single Sign-On to Trusted Provider

In this series of exercises, you use Fusion Middleware Control to create a trusted provider in Oracle Identity Federation. The exercises include:
■ Exporting Service Provider Metadata
■ Creating a Trusted Provider
■ Executing Single Sign-On to a Provider

Exporting Service Provider Metadata
In this exercise, the service provider administrator exports SAML 2.0 metadata to a file:
1. Access Oracle Enterprise Manager Fusion Middleware Control as described in "Accessing Fusion Middleware Control" on page A-1.
2. Select the Oracle Identity Federation instance in the navigation pane on the left.
3. Navigate to Oracle Identity Federation, then Administration, then Security and Trust.
4. Click the Provider Metadata tab.
5. Under Metadata Settings:
■ check the Require Signed Metadata box
■ check the Sign Metadata box
6. Click Apply.
7. In the Generate Metadata area of the page:
■ in the Provider Type drop-down, select Service Provider
■ in the Protocol drop-down, select SAML 2.0
8. Click Generate.
9. In the file dialog box, click Save.
10. Click Open to view the generated XML file.
11. Note the service provider URL in the entity ID and Location tags in the file.
12. Click Apply.
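Step 11 has you read the entity ID and Location values out of the generated file by eye. The added example below does the same read programmatically and adds the checks an administrator on the receiving side would want before loading the file as a trusted provider: that a signature element is present when Require Signed Metadata is set, that the descriptor declares the SAML 2.0 protocol, and that every AssertionConsumerService Location is an https URL on the same host as the entityID. It is not Oracle Identity Federation code; the metadata document, its hostname sp.example.com, its /fed/sp paths and its signature value are all constructed for the illustration. Note that finding a ds:Signature element only shows the file was signed; verifying that signature against the provider's certificate is the importing server's job and is not attempted here.

```python
"""Added example: read SAML 2.0 service provider metadata and check the
properties the exercise asks you to confirm. Not Oracle Identity Federation
code; the metadata below is constructed (hostname, paths, signature value)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed signature element; the value is a placeholder, not a real signature.
_SIGNATURE = (
    "<ds:Signature><ds:SignedInfo/>"
    "<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>"
)
_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/fed/sp">
  __SIGNATURE__
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/fed/sp/art20"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/fed/sp/post20"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
SAMPLE_SP_METADATA = _TEMPLATE.replace("__SIGNATURE__", _SIGNATURE)
SAMPLE_UNSIGNED_METADATA = _TEMPLATE.replace("__SIGNATURE__", "")


def summarize_sp_metadata(xml_text: str) -> dict:
    """Extract the entityID, each AssertionConsumerService Location with its
    binding, the declared protocols, and whether a ds:Signature is present."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,
        "protocols": sp.get("protocolSupportEnumeration", "").split(),
        "acs": [
            {"binding": e.get("Binding"), "location": e.get("Location"),
             "default": e.get("isDefault") == "true"}
            for e in sp.findall("md:AssertionConsumerService", NS)
        ],
    }


def check_sp_metadata(summary: dict, require_signed: bool = True) -> list[str]:
    """Checks worth running before the file is loaded as a trusted provider.
    Signature presence is checked, not signature validity."""
    issues = []
    if require_signed and not summary["signed"]:
        issues.append("metadata is not signed but Require Signed Metadata is set")
    if SAML2_PROTOCOL not in summary["protocols"]:
        issues.append("SPSSODescriptor does not declare SAML 2.0 protocol support")
    if not summary["acs"]:
        issues.append("no AssertionConsumerService endpoint")
    entity_host = urlsplit(summary["entity_id"] or "").hostname
    for ep in summary["acs"]:
        loc = urlsplit(ep["location"] or "")
        if loc.scheme != "https":
            issues.append(f"{ep['location']} is not https")
        if loc.hostname != entity_host:
            issues.append(f"{ep['location']} host differs from entityID host {entity_host}")
    return issues


if __name__ == "__main__":
    s = summarize_sp_metadata(SAMPLE_SP_METADATA)
    print(s["entity_id"], [e["location"] for e in s["acs"]])
    print("issues:", check_sp_metadata(s))
```

The protocol check is the programmatic form of the "correct protocol version" you confirm in the Trusted Provider table after the import: a descriptor that lists only the SAML 1.x protocol URI would be loaded as a different provider type than the SAML 2.0 one you intended.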

Creating a Trusted Provider
In this exercise, an administrator adds a new service provider to the Oracle Identity Federation server's trusted providers. Service provider metadata was generated on page 8-1.
1. Access Oracle Enterprise Manager Fusion Middleware Control as described in "Accessing Fusion Middleware Control" on page A-1.
2. Select the Oracle Identity Federation instance in the navigation pane on the left.
3. Review key statistics for the server on the home page, including:
■ SOAP Requests
■ SOAP Responses
4. Navigate to Oracle Identity Federation, then Administration, then Federations. The Federations page appears.
5. Click Add.
6. In the Add Trusted Provider dialog:
■ check Enable Provider
■ select Load Metadata
7. Click the Browse button next to the Metadata Location field.
8. In the browse dialog box, navigate to the folder that contains the service provider metadata.
9. Select the XML file containing the metadata.
10. Click Open. In the Add Trusted Provider dialog, the Metadata Location field now fills in the path of the metadata file you selected.
11. Click OK.
12. Note that the newly added provider is listed in the Trusted Provider table, with the correct protocol version.

Executing Single Sign-On to a Provider
This exercise demonstrates a user performing an SP-initiated single sign-on operation using HTTP Redirect/Artifact processing.

Before You Begin
This exercise assumes that:
■ the IdP and SP have exchanged metadata as demonstrated in a previous exercise.
■ the IdP administrator has added the SP to its trusted providers as demonstrated in a previous exercise.

The steps to perform the exercise are as follows:
1. Open a browser window.
2. Initiate an SSO flow using a URL of the form: HTTP://OIF-SP-HOST:OIF-SP-PORT/fed/user/testspsso
3. The Federation SSO/authentication page appears.
4. Provide this information on the page:

■ From the IdP Provider ID drop-down, select the IdP URL.
■ Under Authentication Request Binding, select HTTP Redirect.
■ From the SSO Response Binding drop-down, select Artifact.
■ Check Allow Federation Creation.
5. Click Start SSO. A request is sent to the service provider to start single sign-on.
6. A login page appears.
7. Enter your username and password.
8. Click Sign In.
9. The SSO operation completes and a results page is displayed. Note the information displayed on the page, including the User ID, the IdP Provider ID, session start and end dates, and so on.


A Accessing Administrative Interfaces

This appendix explains how to access Oracle Enterprise Manager Fusion Middleware Control, Oracle Directory Services Manager, and the Oracle WebLogic Server Administration Console. This appendix contains the following sections:
■ Accessing Fusion Middleware Control
■ Accessing Oracle Directory Services Manager
■ Accessing the Oracle WebLogic Server Administration Console

Accessing Fusion Middleware Control
1. Connect to Fusion Middleware Control. The URL is of the form: https://host:port/em
2. Log in using the administrator's name and password.
3. From the domain home page, under Fusion Middleware, expand Identity and Access. Instances of Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Integration Platform, and Oracle Identity Federation are listed.

Accessing Oracle Directory Services Manager
1. Invoke Oracle Directory Services Manager in one of the following ways:
■ To invoke Oracle Directory Services Manager from Fusion Middleware Control, select an Oracle Internet Directory or an Oracle Virtual Directory component, select Directory Services Manager from the Oracle Internet Directory or Oracle Virtual Directory menu in the Oracle Internet Directory target, then select the specific screen in Oracle Directory Services Manager. Oracle Directory Services Manager displays the connection dialog for the same Oracle Internet Directory or Oracle Virtual Directory instance, if necessary.
■ To invoke Oracle Directory Services Manager directly: Enter the following URL into your browser's address field: http://host:port/odsm
In the URL to access Oracle Directory Services Manager, host is the name of the managed server where Oracle Directory Services Manager is running. port

is the managed server port number from the WebLogic server. You can determine the exact port number by examining the $Fusion_Middleware_Home/Oracle_Identity_Management_domain/servers/wls_ods/data/nodemanager/wls_ods1.url file, where Fusion_Middleware_Home represents the root directory where Fusion Middleware is installed.
If using an SSL port, you might be presented with a certificate from the server. After manually verifying the authenticity of the server certificate, accept the certificate. The login page is displayed.
2. Connect to an Oracle Internet Directory or Oracle Virtual Directory instance with Oracle Directory Services Manager.
a. When the Oracle Directory Services Manager home page appears, click the small arrow to the right of the label Click to connect to a directory.
b. If you have previously logged into the directory, click the entry for that directory and supply the user and password.
c. If you have not previously logged in to the directory, click Create a New Connection or type Ctrl+N. The New Connection Dialog appears.
d. Enter the server and non-SSL port for the Oracle Internet Directory or Oracle Virtual Directory instance you want to manage.
e. Select or deselect SSL Enabled, based on whether your Oracle Internet Directory instance is using SSL.
f. Enter the user (usually cn=orcladmin) and password.
g. Select the Start Page you want to go to after logging in. Optionally, enter an alias name to identify this entry on the Disconnected Connections list. Click Connect.

Accessing the Oracle WebLogic Server Administration Console
1. Enter the following URL in a browser: http://hostname:port_number
The port number is the number of the Administration Server. By default, the port number is 7001. Alternatively, you can access the Administration Console from Fusion Middleware Control, from the home pages of targets such as the Administration Server or Managed Servers.
2. Log in using the user name and password supplied during installation or another administrative user that you created. Oracle WebLogic Server Administration Console is displayed.

Index

A
attribute mappings, customizing for Directory Integration Platform, 6-3
auditing, managing for Oracle Internet Directory, 3-1

D
database, as Oracle Identity Federation user data store, 7-2

E
entries
adding to Oracle Internet Directory, 1-1
importing for Oracle Virtual Directory, 5-3

F
Fusion Middleware Control
configuring Oracle Internet Directory replication, 4-1
connecting, A-1
invoking ODSM from, A-1
URL, A-1
Fusion Middleware Control - Directory Integration Platform
customizing attribute mappings, 6-3
setting up synchronization, 6-1
Fusion Middleware Control - Oracle Identity Federation
adding a service provider, 8-2
configuring a signing wallet, 7-1
creating a trusted provider, 8-2
database user data store, 7-2
exporting SP metadata, 8-1
integrating with Oracle Access Manager, 7-3
Oracle Internet Directory as user data store, 7-2
SP-initiated single sign-on, 8-2
Fusion Middleware Control - Oracle Internet Directory
managing auditing, 3-1
setting up replication, 4-1

G
group members, adding to Oracle Internet Directory, 1-2
groupOfNames object class, 1-2
groups, adding to Oracle Internet Directory, 1-2

H
HTTP Redirect/Artifact processing, 8-2

L
LDAP adapters, creating for Oracle Virtual Directory, 5-2
local store adapters, creating for Oracle Virtual Directory, 5-1

O
object classes, adding to Oracle Internet Directory schema, 2-1
ODSM
connecting, A-1
URL, A-1
ODSM - Oracle Internet Directory
adding group members, 1-2
adding groups, 1-2
adding object classes to schema, 2-1
adding user entries, 1-1
groupOfNames, 1-2
ODSM - Oracle Virtual Directory
creating a local store adapter, 5-1
creating LDAP adapters, 5-2
creating Oracle Database adapters, 5-2
importing entries, 5-3
Oracle Access Manager
as an Authentication Engine, 7-3
as SP Integration Module, 7-3
Oracle Database adapters, creating for Oracle Virtual Directory, 5-2
Oracle Identity Federation - Oracle Access Manager integration, 7-3
common configuration, 7-3
Oracle Internet Directory, as Oracle Identity Federation user data store, 7-2

R
replication, setting up for Oracle Internet Directory, 4-1

S
service provider, adding for Oracle Identity Federation, 8-2
SP metadata, exporting for Oracle Identity Federation, 8-1
SP-initiated single sign-on, for Oracle Identity Federation, 8-2
synchronization, setting up for Directory Integration Platform, 6-1

W
wallet, configuring for Oracle Identity Federation, 7-1
