I have the following customer requirement.
Oracle Portal 18.104.22.168 which is deployed on WebLogic Server 10.3.6
Oracle Access Manager 22.214.171.124.0
Oracle Internet Directory 126.96.36.199.0
The customer wants to have Single Sign On for the Oracle Portal Application. This is my understanding about the Architecture.
Oracle HTTP Server (with WebLogic Proxy Plug-in) talks to Oracle Portal
Oracle HTTP Server (the same above with WebGate) talks to Oracle Access Manager
Oracle HTTP Server has Oracle Web Cache
Oracle Access Manager talks to OID
Oracle Portal talks to OID with OID Authenticator
When I went through the Oracle Portal documents, they give steps for Oracle Portal which is deployed on Oracle Application Server but not with WebLogic.
1) Do I need to configure OID Authenticator at myrealm of WebLogic Domain (which hosts Oracle Portal) to connect to OID?
2) Is there anything more I need to do to integrate Oracle Portal with OID (Meaning running pl/sql scripts or any)?
3) Kindly advise me about the flow of Oracle HTTP Server, Oracle Web Cache, Oracle Web Gate to OAS and Oracle Portal?
Oracle Portal by default depends on Oracle Single Sign-On Server when configuring the product. In one of the config screens you will be asked to specify the OID instance which you want to wire with your Portal install. This OID instance needs to be configured with SSO. Upon successful configuration, you will be able to migrate from SSO to OAM. This is documented in the section "Upgrading Oracle Single Sign-On Environment" in the Oracle® Fusion Middleware Upgrade Guide for Oracle Identity Management (http://docs.oracle.com/cd/E23943_01/upgrade.1111/e10129/upgrade_oam.htm#BAJJAHBA). Note that you will not be able to configure Oracle Portal with OAM out of the box. You will need this SSO intermediate step.
For FMW 11g 188.8.131.52 to 184.108.40.206, there was a lengthy procedure to install SSO 10.1.4.3 with OID 11.1.1.x. The procedure was documented in chapter 11, "Installing Oracle Single Sign-On and Oracle Delegated Administration Services Against Oracle Internet Directory" (http://docs.oracle.com/cd/E17904_01/install.1111/e12002/sso_das.htm#CIHEGHIG). Unfortunately the procedure is quite error prone. You will also need additional patches as you go through this. It is not the recommended approach.
Starting from FMW 220.127.116.11, Oracle recommends that their customers install a 10g (10.1.4.3) infrastructure (OID/SSO) for new installs where SSO is needed. Unfortunately this will give you 10g OID in a 10g database (as the MRCA utility shipped with OID 10g 10.1.4.0.1 cannot be used for 11g databases). Oracle has realized this and has worked on a new approach which is currently being tested (and proven to be successful). It involves installing a 10g infrastructure in parallel to an 11g OID and copying over the relevant SSO information using the oidcmprec utility. Once this is done, Portal can be wired with the 11g database. Once this is done, you can manually configure OAM as authentication source for Oracle Portal. This procedure is not documented yet but I am planning on publishing the information on the My Oracle Support website (http://support.oracle.com) in a few weeks' time.
Regarding your questions:
1) Do I need to configure OID Authenticator at myrealm of WebLogic Domain (which hosts Oracle Portal) to connect to OID?
Within OAM you will be creating a Datasource which points to your OID server. This datasource is used in a custom authentication plugin LDAPPLUGIN. It does not use the default LDAP plugin.
2) Is there anything more I need to do to integrate Oracle Portal with OID (Meaning running pl/sql scripts or any)?
Your OID needs to be wired with SSO or at least it needs to be tricked into thinking it is wired to SSO. The Portal Configuration Assistant will then set up your OID automatically when you enter the OID instance. The PFRD install guide has a screen shot (http://docs.oracle.com/cd/E23943_01/install.1111/e10421/install_screens.htm#BABGBHAG).
3) Kindly advise me about the flow of Oracle HTTP Server, Oracle Web Cache, Oracle Web Gate to OAS and Oracle Portal?
Within OAM, you define a new Application Domain. This application domain is set up with an OSSO agent which will handle the communication with mod_osso (which is part of the HTTP Server). Within the new application domain, a new authentication policy is created which uses a new authentication schema with a custom authentication module LDAPPLUGIN. This custom authentication module will handle the OID authentication requests. As such, you will be creating your users in OID and not in e.g. the embedded WLS LDAP server.
Note that a few things may not be available when you use OAM with Oracle Portal 18.104.22.168 :
- Create User and Create Group links in the Portal Builder won't work as they need DAS functionality. This is only available when SSO is used.
- You will not be able to use DAS to create users. Other ways (ODSM, create users through API, delegate them from an external LDAP source) will need to be used. Some customers have used OIM to get DAS-like functionality.
- Users and Group LOVs on the Access Tabs of several Portal objects (pages, templates, forms etc) will not work as they require DAS functionality. You will still be able to enter the username or groupname in the input field manually to do access management.
Thanks much for your detailed explanation.
"Once this is done, you can manually configure OAM as authentication source for Oracle Portal. This procedure is not documented yet but I am planning on publishing the information on the My Oracle Support website in a few weeks time". Is it possible for you to post the steps here or email? If you provide your LinkedIn URL here, I can get my email id to you.
I came for an Oracle gig and the setup should be completed before the end of next week. Highly appreciate your help.
I am afraid that this is not possible as the whole procedure needs to go through a validation process. The last thing we want is an unvalidated install out there. Should your customer want to install his environment in a week's time, he will have to go with IDM 10.1.4.3:
- Install Infrastructure (RDBMS 10.1/OID 10.1.4.0.1/SSO 10.1.4.0.1) from IDM 10.1.4.0.1 Installation Media
- Patch infrastructure from 10.1.4.0.1 to 10.1.4.3
- Install FMW 11g 22.214.171.124 PFRD (install 126.96.36.199 first and patch it up to 188.8.131.52)
- Run the configuration assistant to configure your Portal instance with OID 10.1.4.3
Support Note 1364497.1 contains more information about the strategy for SSO for new Portal installs. This will be valid until the new installation procedure has been validated.
I also have an architecture question regarding Oracle Portal 11g and dependency on OID.
Regardless of OSSO or integration with OAM, Oracle Portal 11g will continue to depend on OID. Is it a correct statement? We are thinking of moving away from OID but are tied with this Portal dependency.
Any comment would be appreciated.
Hope you had a good Easter season.
Did you get a chance to put the support note at oracle support for it?
"Once this is done, you can manually configure OAM as authentication source for Oracle Portal. This procedure is not documented yet but I am planning on publishing the information on the My Oracle Support website in a few weeks time."
The document has been published to the My Oracle Support website and should be available shortly:
Doc ID 1436807.1 (https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1436807.1), "How to Perform a New Installation of Oracle Portal 11g With Oracle Access Management 11g as Single Sign-On Solution ?"
Note that this document is provided by Oracle's Support organization. Any questions about the contents or issues which arise from implementing the solution should be directed to the Support organization through a service request.