How To Configure A Custom Login Page For OAM 11g (Doc ID 1281026.1)
In this Document
Goal
Solution
APPLIES TO:
Oracle Access Manager - Version 11.1.1.3.0 and later
Information in this document applies to any platform.
GOAL
How to configure an Oracle Access Manager (OAM) authentication scheme to use an external custom Form Login page?
The intention of this note is to provide only an example showing how to configure an external custom login page.
A full description about how to configure authentication schemes and custom login pages can be found in the
Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 11g Release 1 (11.1.1).
Managing Authentication Modules
http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15478/shared.htm#BABEIFCE
and
Oracle Fusion Middleware Developer's Guide for Oracle Access Management 11g Release 2 (11.1.2)
4.2 Developing Custom Login Pages
http://docs.oracle.com/cd/E27559_01/dev.1112/e27134/custpages.htm#CHDIAFAJ
This Note does not cover how to configure a custom login page for the Detached Credential Collector (DCC) introduced with OAM 11.1.2.
Information on how to configure a custom login page for the DCC can be found in the
Oracle Fusion Middleware Developer's Guide for Oracle Access Management 11g Release 2 (11.1.2).
SOLUTION
The following requirements exist for an OAM 11g external custom login page:
Custom login pages require exactly two form fields (username and password). Oracle Access Manager supports authentication forms with two fields only.
The form action has to be: "http://oamserverhost:port/oam/server/auth_cred_submit", where host and port are the ones by which browsers reach the OAM Server (the load balancer / HTTPS front end where one is used; the scheme should then be https, since the form carries the user's password).
The login page must submit back the "request_id" or the "OAM_REQ" value sent by OAM when redirecting to the external login page.
Please note that to test any custom authentication scheme it must be used to protect a resource of some kind, so there must be an existing application domain and policy that this authentication scheme can be applied to. Further it may be a good idea to validate the access to such a resource with one of the out-of-the-box authentication schemes prior to any customization.
Custom Login Page requirements dependent on the OAM Server "RequestCacheType" setting
During the authentication process the client browser is redirected by the OAM Server to the login page.
The OAM Server needs to store information about the client's original request to a protected resource.
The "RequestCacheType" parameter defines how this information is stored and is configured in the oam-config.xml file.
The "RequestCacheType" can be configured with the following values:
BASIC: In this mode the OAM Server stores the information in memory.
This mode cannot be used in an OAM Cluster High Availability environment,
because during the authentication process the client might be redirected to different OAM Server instances
and the information about the original request is only available in the memory of one OAM Server instance.
This mode requires the Custom Login Page to return the "request_id" value.
COOKIE: In this mode the OAM Server creates an encrypted OAM_REQ cookie to store the information.
This mode can be used in a High Availability environment.
The Custom Login Page only needs to return the username and password.
FORM: In this mode the OAM Server sends the information about the original request via a POST request using an encrypted OAM_REQ value.
This mode can be used in a High Availability environment.
The login page must return the OAM_REQ value.
Example code to return the OAM_REQ parameter:
----------------------------------------------------------------------------------------
String oamReq = request.getParameter("OAM_REQ");
----------------------------------------------------------------------------------------
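The three modes above differ only in which value the login page has to echo back, and that value arrives from the browser, so it should be HTML-escaped before it is written into the page. The following class is an added example (it is not part of the Oracle note and the class and method names are assumed): it takes the same Map<String,String[]> that request.getParameterMap() returns, emits a hidden "request_id" field when OAM sent one (BASIC), a hidden "OAM_REQ" field when OAM sent that (FORM), nothing in COOKIE mode, and builds the auth_cred_submit action URL from a host and port you supply. The host "oam.example.com" and port 14101 in main() are placeholders.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * OamLoginForm: builds the parts of an OAM 11g custom login form that depend on
 * the server's RequestCacheType (BASIC -> request_id, FORM -> OAM_REQ, COOKIE -> nothing).
 * Added example, not code from the Oracle note; class and method names are assumed.
 * It takes the same Map<String,String[]> that ServletRequest.getParameterMap() returns,
 * so it can be called from a JSP scriptlet without any extra dependency.
 */
public final class OamLoginForm {

    /** Parameter names OAM sends to the login page (from the note). */
    static final String REQUEST_ID = "request_id"; // RequestCacheType=BASIC
    static final String OAM_REQ = "OAM_REQ";        // RequestCacheType=FORM
    static final String SUBMIT_PATH = "/oam/server/auth_cred_submit";

    /** Escape a value before writing it into an HTML attribute: request_id / OAM_REQ
     *  come from the browser and must not be reflected raw into the page. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** First non-empty value of a parameter, or null if it was not sent. */
    static String first(Map<String, String[]> params, String name) {
        String[] v = params.get(name);
        return (v != null && v.length > 0 && v[0] != null && !v[0].isEmpty()) ? v[0] : null;
    }

    /** The hidden input(s) the form has to post back. Empty in COOKIE mode, where OAM
     *  keeps the request state in the encrypted OAM_REQ cookie instead. */
    static String hiddenFields(Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder();
        for (String name : new String[] { REQUEST_ID, OAM_REQ }) {
            String value = first(params, name);
            if (value != null) {
                sb.append("<input type=\"hidden\" name=\"").append(name)
                  .append("\" value=\"").append(escapeHtml(value)).append("\">\n");
            }
        }
        return sb.toString();
    }

    /** Form action: the OAM Server (or its load balancer) exactly as configured in the console. */
    static String actionUrl(String scheme, String oamHost, int oamPort) {
        return scheme + "://" + oamHost + ":" + oamPort + SUBMIT_PATH;
    }

    /** Whole form: the two credential fields OAM accepts plus the state field(s). */
    static String render(Map<String, String[]> params, String scheme, String oamHost, int oamPort) {
        return "<form method=\"post\" action=\"" + actionUrl(scheme, oamHost, oamPort) + "\">\n"
             + hiddenFields(params)
             + "Username: <input type=\"text\" name=\"username\"><br>\n"
             + "Password: <input type=\"password\" name=\"password\"><br>\n"
             + "<input type=\"submit\" value=\"Login\">\n"
             + "</form>\n";
    }

    public static void main(String[] args) {
        // Constructed sample of a BASIC-mode redirect carrying a hostile request_id value.
        Map<String, String[]> basic = new HashMap<String, String[]>();
        basic.put(REQUEST_ID, new String[] { "123\"><script>alert(1)</script>" });
        System.out.println(render(basic, "https", "oam.example.com", 14101));

        // COOKIE mode: nothing to echo back, only username and password are posted.
        System.out.println(render(new HashMap<String, String[]>(), "https", "oam.example.com", 14101));
    }
}
```

From a JSP the relevant call is OamLoginForm.hiddenFields(request.getParameterMap()) inside the form body (on Servlet 2.5 the map comes back raw and needs a cast). A practical check when a custom page does not work: if the page is reached without either request_id or OAM_REQ and RequestCacheType is not COOKIE, the form will post bare credentials and OAM cannot associate them with the original request, so start by looking at which of the two parameters the redirect actually carries.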
1. In this example a login JSP is used to be able to read the "request_id" parameter sent by the OAM Server for each login request.
Caution
This sample code is provided for educational purposes only and not supported by Oracle Support Services. It has been tested internally, however, and works as documented. We do not guarantee that it will work for you, so be sure to test it in your environment before relying on it.
<%@page language="java" import="java.util.*" pageEncoding="ISO-8859-1"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
String reqId = request.getParameter("request_id");
%>
<html>
<head><title>My JSP 'index.jsp' starting page</title></head>
<body>
<h1>Custom Login JSP</h1>
<%-- form markup reconstructed from the requirements above: two fields plus request_id --%>
<form method="post" action="http://oamservername:oamport/oam/server/auth_cred_submit">
  <input type="hidden" name="request_id" value="<%= reqId %>">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Login">
</form>
</body>
</html>
Note: You have to change "oamservername" and "oamport" in the form action URL.
For OAM 11.1.1.3: provide the fully qualified hostname and port of the OAM Server as specified in the OAM Console under SSO Engine settings.
For OAM 11.1.1.5 and OAM 11.1.2.x: provide the fully qualified hostname and port of the OAM Server as specified in the OAM Console under System Configuration -> Access Manager Settings -> Load Balancing.
2. The login JSP page can be deployed either to the same WebLogic domain where the OAM Server is running or to any external server capable of executing JSP (for example OC4J).
2.1. Deploying the login.jsp to the WebLogic domain where OAM is running.
2.1.1. Create a war file.
- create the directory "customloginpage" and the subdirectory "pages"
- copy the file login.jsp containing the above example code to the directory "customloginpage/pages"
- change directory to "customloginpage"
- execute the following command to create a war file:
jar cvf customloginpage.war *
2.1.2. Copy the customloginpage.war file to the directory $WLS_DOMAIN/servers/AdminServer/upload
2.1.3. Deploy the war file:
- Log on to the WebLogic console
- Choose "Deployments" and press the "Install" button.
- Choose the customloginpage.war file
- Use the default "Install this deployment as an application" and press the "Next" button
- Select the Admin server and all OAM managed servers and press "Next"
- Accept the defaults and press the "Finish" button
The war file is now deployed under the context root "/customloginpage"
2.1.4. Create an OAM authentication scheme referencing the custom login JSP page.
- Log on to your "OAMCONSOLE" (/oamconsole).
- Click the Authentication Schemes node, then click the Create button in the tool bar.
- Complete with the following parameters:
Name: provide a name for the authentication scheme
Authentication Level: choose an appropriate level
Challenge Method: FORM
Challenge Redirect URL: /oam/server
Authentication Module: LDAP
Challenge URL: /pages/login.jsp
Context Type: customWar
Context Value: /customloginpage
- Click the Apply button.
2.2. Installing the login JSP on an external server
2.2.1. Install a login.jsp containing the above example code on an external server and test its accessibility via a browser.
2.2.2. Create an OAM authentication scheme referencing the external custom login JSP page
- Log on to your "OAMCONSOLE" (/oamconsole).
- Click the Authentication Schemes node, then click the Create button in the tool bar.
2.3. Complete with the following parameters:
Name: provide a name for the authentication scheme
Authentication Level: choose an appropriate level
Challenge Method: FORM
Challenge Redirect URL: /oam/server
Authentication Module: LDAP
Challenge URL: URL to access the external JSP (example: http://myserver.oracle.com:80/j2ee/login.jsp)
Context Type: external
2.4. Click the Apply button.
Note: If you have an OAM-OIM integration, any OIM links in the original login page need to be manually added to the custom login page.
Troubleshooting:
If you find that after modifying the custom login page and redeploying it the changes do not take effect, try removing the OAM server's cache and restarting the OAM server:
1. Shut down oam_server1
2. Rename the cache and tmp folders under $MW_HOME/user_projects/domains/base_domain/servers/oam_server1
3. Restart oam_server1