7 Replies Latest reply: May 7, 2012 9:06 AM by 934873

    authenticating test application in OAM is not working

    904111
      Hello OAM experts, can you please help to figure out why my test application is not getting authenticated by OAM.

      I have installed IDM for fusion application and SSO login is working for all admin consoles such as WLS, EM, OAM, OIM. I have deployed test application to OAM server itself to test the authentication of protected resources.

      Host identifier is already there which was created while configuring my IDM for fusion applications. I created new application domain, created resource for /text/*, created authentication policy and used LDAPScheme for authentication, created authorization policy and defined constraints by adding a group OAMAdministrators (just for testing purpose). I also added response in the authentication policy.

      Then I have configured admin.conf of OHS server to redirect http://webhost1:7777/test to oam server host and port. It is getting redirected but not to the SSO login page. The URL still shows http://webhost1:7777/test and executes the test page and displays test application. It should have been redirected to SSO login page through OAM.

      At this stage I have no clue what did I miss. As I said, when I login to wls console, it gets redirected to SSO login through OAM login page and then while accessing OIM, it directly takes me to OIM application since the user has privileges and also OAM page without logging in again.

      But why my test application is not redirected to OAM authentication page?

      Any help is greatly appreciated.

      thanks

      Edited by: Jyothi on May 3, 2012 3:25 AM
        • 1. Re: authenticating test application in OAM is not working
          904111
          Ok. I got some green sign. OAM is authenticating me now to access test application (I restarted the servers). However one tricky part is left. It is letting even denial group to access my test application.

          Not sure why. I will try to figure out and will get back to you.

          thanks
          • 2. Re: authenticating test application in OAM is not working
            934873
            Hi, I am having the same issue. I am new to all this OAM stuff. I am using OAM 11g with a 11g Webgate configured. When I try to access the OAM Console the SSO setup does work and kicks-in and redirects me to the OAM server's integrated login page. But my test application that lives on an app server installed on a separate machine is never challenged for their credentials. As the documentation says I have CLIENT-CERT defined as the auth-method in my login-config inside my application's web.xml file.

            I think I am not using the right providers. What I want is Identity Assertion and also OAM authentication (if Identity Assertion fails Authentication should kick-in and redirect to challenge login page). So I have an OAMIdentityAsserter and an OAMAuthenticator set-up in addition to the Default Weblogic Identity Asserter and Default Weblogic Authenticator.

            I have tried everything, but the login redirect never happens. If I use the DefaultAuthenticator along with OAMAuthenticator (no OAMIdentityAsserter) and define BASIC in my login-config in web.xml then the Default Weblogic Authenticator pops up a dialog box which does let me enter credentials and when I do it does make the trip to the OAM server and works flawlessly. But I don't want basic authentication and I don't want a dialogue box to pop-up. I want the OAM server to redirect me to its built-in login page just like it does for the OAMConsole itself which is being protected by the out of the box 10g IAMSuiteAgent Webgate. Which, as you know, comes pre-installed.

            Please let me know your configuration and the providers you have set up and how you were able to make the OAM server challenge you for credentials when trying to access a protected resource/application.

            Thank You.
            • 3. Re: authenticating test application in OAM is not working
              904111
              Hi, I did not use webgate 11g. So, I do not have knowledge on that. I used webgate 10g as per the oracle guide http://docs.oracle.com/cd/E25054_01/fusionapps.1111/e21032/toc.htm#BEGIN. It has all instructions. It took some time for me to figure out the software to download for webgate 10g and its patch. Maybe the issue in your case is with webgate 11g itself.

              Here is a very good YouTube video http://www.youtube.com/watch?v=tjBSLZBBZYY in which you can find very clear instructions on webgate 11g. Please follow this and hope it will help you. He is so clear in the setup.

              thanks.
              • 4. Re: authenticating test application in OAM is not working
                904111
                Also, please follow the guide http://docs.oracle.com/cd/E14571_01/doc.1111/e15478/intro.htm which has all info about authenticating the resources. I did follow the guide and I did not find any other useful resource.

                thanks.
                • 5. Re: authenticating test application in OAM is not working
                  934873
                  Thanks for your prompt reply. I had also thought the 11g Webgate I set-up might be the issue. So, I also tried using the already provided IAMSuiteAgent 10g Webgate with my test application but I get the same behavior as the 11g Webgate. I think I am missing something on the client app server and not on the OAM side of things. I think my Policies, Domain, Agent and Webgate are all set up properly and I can access them and they do work. The redirection just does not work for my test web app. I think since the Weblogic server hosting the app I want to have protected is not on the same machine as the OAM and the OHS servers (which, btw are both on the same machine).

                  I read somewhere else that you have to provide a user certificate when you are using client-cert. How and where do I get this certificate from? Did you have to do that?

                  The link you provided does not seem to have anything about setting up providers. Can you please just tell me which providers you have set-up on the app server hosting the applications that you want protected by OAM 11g? Also, please tell me their order and the JAAS flag if you can. I would really appreciate it.

                  Thank You.
                  Haris.
                  • 6. Re: authenticating test application in OAM is not working
                    904111
                    Are you using secured mode in webgate? You know what, I did not use secure mode. I am using open mode.

                    The providers and control flag (I hope it is JAAS flag as you requested) are :

                    OIMIDAsserter - required
                    DefaultAuthenticator - sufficient
                    OIMSignatureAuthenticator - sufficient
                    OIMAuthenticationProvider - optional
                    OVDAuthenticator - sufficient
                    DefaultIdentityAsserter - I do not see the flag

                    No idea when they got created during the installation and configuration. The guide has 100s of steps and difficult to keep track.

                    Hope this will help you.
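
How the control flags in the list above decide a login, as an added example that is not part of the original post and is not Oracle or WebLogic code. It applies the standard JAAS flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) to the posted order, assuming all listed providers are evaluated as one ordered chain; the per-provider success/failure inputs are constructed.

```python
# JAAS control-flag evaluation over an ordered provider chain (added illustration).
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# Names, order and flags as listed in the post. DefaultIdentityAsserter is
# omitted because the post gives no flag for it.
CHAIN = [
    ("OIMIDAsserter", REQUIRED),
    ("DefaultAuthenticator", SUFFICIENT),
    ("OIMSignatureAuthenticator", SUFFICIENT),
    ("OIMAuthenticationProvider", OPTIONAL),
    ("OVDAuthenticator", SUFFICIENT),
]

def evaluate(chain, outcomes):
    """Return (authenticated, providers_consulted).

    outcomes maps provider name -> True/False (constructed input);
    a provider missing from the map counts as a failure.
    """
    consulted = []
    mandatory_seen = False    # chain contains a REQUIRED/REQUISITE provider
    mandatory_failed = False  # one of them has failed so far
    any_success = False
    for name, flag in chain:
        ok = bool(outcomes.get(name, False))
        consulted.append(name)
        if flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if flag == REQUISITE:
                    break  # REQUISITE failure stops the chain at once
        if ok:
            any_success = True
            # SUFFICIENT success ends the chain only if nothing mandatory failed.
            if flag == SUFFICIENT and not mandatory_failed:
                break
    if mandatory_failed:
        return False, consulted
    # With no mandatory provider, at least one provider must have succeeded.
    return (True if mandatory_seen else any_success), consulted

if __name__ == "__main__":
    scenarios = {  # constructed outcomes, not taken from a real server
        "asserter ok, DefaultAuthenticator ok": {"OIMIDAsserter": True, "DefaultAuthenticator": True},
        "asserter fails, DefaultAuthenticator ok": {"OIMIDAsserter": False, "DefaultAuthenticator": True},
        "asserter ok, every authenticator fails": {"OIMIDAsserter": True},
    }
    for label, outcomes in scenarios.items():
        print(label, "->", evaluate(CHAIN, outcomes))
```

With a REQUIRED provider first in the chain, a later SUFFICIENT success cannot rescue its failure, and its success alone is enough even when every SUFFICIENT provider fails.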
                    • 7. Re: authenticating test application in OAM is not working
                      934873
                      Jyothi,

                      That is what I wanted. Thanks a lot for taking some time out to get me this information. I will try and replicate what you have to see if it resolves my problem. Also, it would be nice if you can give me the web.xml file of one of your protected application. If you can't then it's no big deal.

                      Oh and no, I'm not using secure mode. I have open mode set up in my OAM Authentication schemes.

                      Thanks again.
                      Haris.