Hi, I am having the same issue. I am new to all this OAM stuff. I am using OAM 11g with an 11g Webgate configured. When I try to access the OAM Console the SSO setup does work and kicks in and redirects me to the OAM server's integrated login page. But my test application that lives on an app server installed on a separate machine is never challenged for their credentials. As the documentation says, I have CLIENT-CERT defined as the auth-method in my login-config inside my application's web.xml file.
I think I am not using the right providers. What I want is Identity Assertion and also OAM authentication (if Identity Assertion fails, Authentication should kick in and redirect to the challenge login page). So I have an OAMIdentityAsserter and an OAMAuthenticator set up in addition to the Default Weblogic Identity Asserter and Default Weblogic Authenticator.
I have tried everything, but the login redirect never happens. If I use the DefaultAuthenticator along with OAMAuthenticator (no OAMIdentityAsserter) and define BASIC in my login-config in web.xml, then the Default Weblogic Authenticator pops up a dialog box which does let me enter credentials, and when I do it does make the trip to the OAM server and works flawlessly. But I don't want basic authentication and I don't want a dialogue box to pop up. I want the OAM server to redirect me to its built-in login page just like it does for the OAMConsole itself, which is being protected by the out-of-the-box 10g IAMSuiteAgent Webgate, which, as you know, comes pre-installed.
Please let me know your configuration and the providers you have set up and how you were able to make the OAM server challenge you for credentials when trying to access a protected resource/application.
Hi, I did not use Webgate 11g, so I do not have knowledge of that. I used Webgate 10g as per the Oracle guide http://docs.oracle.com/cd/E25054_01/fusionapps.1111/e21032/toc.htm#BEGIN. It has all the instructions. It took some time for me to figure out the software to download for Webgate 10g and its patch. Maybe the issue in your case is with Webgate 11g itself.
Here is a very good YouTube video http://www.youtube.com/watch?v=tjBSLZBBZYY in which you can find very clear instructions on Webgate 11g. Please follow this; I hope it will help you. He is so clear in the setup.
Also, please follow the guide http://docs.oracle.com/cd/E14571_01/doc.1111/e15478/intro.htm which has all the info about authenticating the resources. I did follow the guide and I did not find any other useful resource.
Thanks for your prompt reply. I had also thought the 11g Webgate I set up might be the issue. So, I also tried using the already provided IAMSuiteAgent 10g Webgate with my test application but I get the same behavior as the 11g Webgate. I think I am missing something on the client app server and not on the OAM side of things. I think my Policies, Domain, Agent and Webgate are all set up properly and I can access them and they do work. The redirection just does not work for my test web app. I think since the Weblogic server hosting the app I want to have protected is not on the same machine as the OAM and the OHS servers (which, btw, are both on the same machine).
I read somewhere else that you have to provide a user certificate when you are using client-cert. How and where do I get this certificate from? Did you have to do that?
The link you provided does not seem to have anything about setting up providers. Can you please just tell me which providers you have set up on the app server hosting the applications that you want protected by OAM 11g? Also, please tell me their order and the JAAS flag if you can. I would really appreciate it.
Are you using secured mode in Webgate? You know what, I did not use secure mode. I am using open mode.
The providers and control flag (I hope it is the JAAS flag as you requested) are:
OIMIDAsserter - required
DefaultAuthenticator - sufficient
OIMSignatureAuthenticator - sufficient
OIMAuthenticationProvider - optional
OVDAuthenticator - sufficient
DefaultIdentityAsserter - I do not see the flag
No idea when they got created during the installation and configuration. The guide has 100s of steps and it is difficult to keep track.
Hope this will help you.
That is what I wanted. Thanks a lot for taking some time out to get me this information. I will try and replicate what you have to see if it resolves my problem. Also, it would be nice if you can give me the web.xml file of one of your protected applications. If you can't then it's no big deal.
Oh, and no, I'm not using secure mode. I have open mode set up in my OAM Authentication schemes.
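The thread keeps returning to the protected application's web.xml (the CLIENT-CERT login-config in the first post, the web.xml requested in the last one). As an added example, not part of any post and not Oracle's code, this Python check reads a web.xml and reports the declared auth-method and which URL patterns carry an auth-constraint. The sample descriptor, the role name appuser and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): servlet 2.5 descriptor that
# declares CLIENT-CERT and protects /secure/* for a hypothetical role.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>appuser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>appuser</role-name></security-role>
</web-app>"""


def _local(el):
    """Element name without the '{namespace}' prefix ElementTree adds."""
    return el.tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Stripped text of every descendant element called `name`."""
    return [e.text.strip() for e in parent.iter() if _local(e) == name and e.text]


def audit_web_xml(xml_text):
    """Report auth-method, URL patterns that require login, and findings."""
    root = ET.fromstring(xml_text)
    methods = [m for e in root if _local(e) == "login-config"
               for m in _texts(e, "auth-method")]
    declared = {r for e in root if _local(e) == "security-role"
                for r in _texts(e, "role-name")}
    protected, used = [], set()
    for sc in (e for e in root if _local(e) == "security-constraint"):
        # Only a constraint that carries <auth-constraint> requires a login.
        if any(_local(c) == "auth-constraint" for c in sc):
            protected += _texts(sc, "url-pattern")
            used |= set(_texts(sc, "role-name"))
    findings = []
    if not methods:
        findings.append("no <auth-method>: no login mechanism is declared")
    if not protected:
        findings.append("no <auth-constraint>: no URL declares a login requirement")
    for role in sorted(used - declared):
        findings.append("role '%s' used but not declared in <security-role>" % role)
    return {"auth_method": methods[0] if methods else None,
            "protected": protected, "findings": findings}
```

Calling `audit_web_xml(open("WEB-INF/web.xml").read())` on a deployed application's descriptor returns the same dictionary; an empty `findings` list means only that the declarative settings checked here are present.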