OAM Integration with AD for Zero Sign-on

Blog | Nov 18, 2016

Oracle Access Manager (OAM) 11g adds several new features; by integrating OAM with Windows Native Authentication (WNA) we can achieve passwordless authentication for all applications protected by the latest OAM release.
Introduction:

Oracle Access Manager (OAM) 11g provides Windows Native Authentication (WNA), which lets Microsoft Internet Explorer users authenticate to their web applications automatically with their desktop credentials. This works by emulating the Negotiate behaviour of native Windows-to-Windows authentication services that use the Kerberos protocol: OAM 11g parses the SPNEGO token sent by the browser to extract the Kerberos service ticket, which is then used to authenticate the user. This is what is meant by passwordless authentication. In this blog I am going to explain Oracle Access Manager integration with WNA/AD.

The image below briefly shows the flow of a user request during WNA authentication:

[Image: WNA authentication flow]

Image Source: OAM 11gR2: How to Configure Oracle Access Manager 11gR2 with Windows Native Authentication (WNA or SPNEGO) (Doc ID 1519562.1)

The following steps need to be performed to configure OAM to provide WNA.

  1. Configure the krb5.conf file

Edit the krb5.conf file, which is located at /etc/krb5.conf, and update it with the following entries.

Example:

[libdefaults]
  default_realm = CORP.MYDOMAIN.NET
  ticket_lifetime = 600
  clock_skew = 600
  default_tgs_enctypes = rc4-hmac
  default_tkt_enctypes = rc4-hmac
  permitted_enctypes = rc4-hmac

[realms]
  CORP.MYDOMAIN.NET = {
    kdc = ADServer.mydomain.net
    admin_server = ADServer.mydomain.net
    default_domain = CORP.MYDOMAIN.NET
  }

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[domain_realm]
  corp.mydomain.net = CORP.MYDOMAIN.NET
  .corp.mydomain.net = CORP.MYDOMAIN.NET

Here kdc is the AD server (domain controller) hostname, with the port appended if it is not the default. The realm name used in the [realms] block and in the [domain_realm] mappings must be the same realm as default_realm and as the realm in the service principal created in the next step; the braces around the realm block must be closed.

  2. Create the Service Principal Name (SPN) and associate it with a user

We need one system user, OAMADADMIN, to register Microsoft Active Directory as a User Identity Data Store in OAM. We also run ktpass to create the service principal name and associate it with that user.

Example:

ktpass -princ HTTP/ssoserver.mydomain.net@CORP.MYDOMAIN.NET -mapuser OAMADADMIN -pass welcome123 -crypto all -ptype KRB5_NT_PRINCIPAL -out ssoserver_mydomain_http.keytab

- HTTP/ssoserver.mydomain.net@CORP.MYDOMAIN.NET is the principal name associated with user OAMADADMIN.

- welcome123 is OAMADADMIN's password.

- ssoserver_mydomain_http.keytab is the keytab file to be generated. Once generated, this keytab file is used on the Oracle Access Manager server.

Copy the newly created ssoserver_mydomain_http.keytab file to /etc/ on the machine on which the OAM server is running. The keytab holds the service account's key material, so restrict its file permissions to the OS user that runs the OAM managed server.

  3. Obtain the Kerberos ticket

Use the kinit command to obtain the ticket-granting ticket (TGT), which is then used to retrieve tickets for other services. The kinit command reads the /etc/krb5.conf file, so ensure that this file has the correct attributes.

The basic syntax for kinit is given below:
kinit -V HTTP/ssoserver.mydomain.net@CORP.MYDOMAIN.NET -k -t /etc/ssoserver_mydomain_http.keytab 

  4. Configure Oracle Access Manager for WNA

Before you can use WNA, you must define specific values for the Kerberos authentication module in the Oracle Access Manager policy configuration file, oam-policy.xml.

Go to $DOMAIN_HOME/config/fmwconfig and edit or add the WNA details in oam-policy.xml.

<Setting Name="KerberosModules" Type="htf:map">
  <Setting Name="6DBSE52C" Type="htf:map">
    <Setting Name="principal" Type="xsd:string">HTTP/ssoserver.mydomain.net@CORP.MYDOMAIN.NET</Setting>
    <Setting Name="name" Type="xsd:string">Kerberos</Setting>
    <Setting Name="keytabfile" Type="xsd:string">/etc/ssoserver_mydomain_http.keytab</Setting>
    <Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5.conf</Setting>
  </Setting>
</Setting>
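As an added check (not code from this post or from Oracle), the following Python script cross-checks the three artefacts that steps 1 to 4 tie together: it parses the MIT-format keytab written by ktpass, reads default_realm and permitted_enctypes from krb5.conf, and confirms that the principal configured in oam-policy.xml has a key in the keytab with a permitted encryption type, flagging rc4-hmac as deprecated. The sample keytab bytes and krb5.conf text are constructed for the demonstration; on a real server pass the contents of /etc/ssoserver_mydomain_http.keytab and /etc/krb5.conf instead.

```python
import io
import struct
ENCTYPES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # IANA enctype ids

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into a list of (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    entries, pos = [], 2
    while pos < len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        body, pos = io.BytesIO(data[pos + 4:pos + 4 + abs(size)]), pos + 4 + abs(size)
        if size < 0:  # a negative size marks a deleted slot; skip it
            continue
        cstr = lambda: body.read(struct.unpack(">H", body.read(2))[0])  # uint16 length + bytes
        ncomp = struct.unpack(">H", body.read(2))[0]
        realm = cstr().decode()
        comps = [cstr().decode() for _ in range(ncomp)]
        _name_type, _stamp, vno8, enctype = struct.unpack(">IIBH", body.read(11))
        entries.append(("/".join(comps) + "@" + realm, vno8, ENCTYPES.get(enctype, str(enctype))))
    return entries

def krb5_libdefaults(text):  # key = value pairs of the [libdefaults] section of a krb5.conf
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "libdefaults" and "=" in line:
            out[line.split("=", 1)[0].strip()] = line.split("=", 1)[1].strip()
    return out

def check_wna(principal, keytab, krb5conf):
    """Cross-check the OAM principal against its keytab and krb5.conf; [] means they agree."""
    libdefs, findings = krb5_libdefaults(krb5conf), []
    if principal.rsplit("@", 1)[1] != libdefs.get("default_realm"):
        findings.append("principal realm differs from default_realm in krb5.conf")
    enctypes = [e[2] for e in parse_keytab(keytab) if e[0] == principal]
    permitted = libdefs.get("permitted_enctypes", "").split()
    if not enctypes:
        findings.append("keytab has no key for " + principal)
    findings += ["keytab enctype %s not in permitted_enctypes" % e for e in enctypes if permitted and e not in permitted]
    if "rc4-hmac" in enctypes:
        findings.append("rc4-hmac is deprecated (RFC 8429); regenerate the keytab with AES")
    return findings

# Constructed sample inputs (not produced by ktpass): one rc4-hmac entry for the page's principal, key = 16 zero bytes
SAMPLE_KEYTAB = (b"\x05\x02\x00\x00\x00\x50\x00\x02\x00\x11CORP.MYDOMAIN.NET\x00\x04HTTP\x00\x16ssoserver.mydomain.net"
                 b"\x00\x00\x00\x01\x00\x00\x00\x00\x03\x00\x17\x00\x10" + b"\x00" * 16)
SAMPLE_KRB5 = "[libdefaults]\ndefault_realm = CORP.MYDOMAIN.NET\npermitted_enctypes = rc4-hmac\n"
```

Calling check_wna with the page's principal and the two samples returns only the rc4-hmac warning, because the constructed keytab and krb5.conf agree with each other and with the principal.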

  5. Configure the application domain protecting the resource to use the Kerberos authentication scheme

Log in to the OAM console as the weblogic user.

- On the Oracle Access Manager Console launch pad, click Application Domains; in the navigation pane, expand the Application Domains node.

- Locate the desired application domain name and expand it.

- In the application domain node, expand the Authentication Policies node to reveal the existing policies.

- Double-click your Protected Resource Policy to display the related page.

- Authentication Scheme: Choose KerbScheme from the list.

- Click Apply and then close the confirmation window. 

  6. Modify the Kerberos authentication module to point to the correct AD details

Log in to the OAM console, navigate to Authentication Modules, search for and click Kerberos, and enter the correct AD details.

Key Tab File: /etc/ssoserver_mydomain_http.keytab

Principal: HTTP/ssoserver.mydomain.net@CORP.MYDOMAIN.NET

KRB Config File: /etc/krb5.conf

[Image: oracle access management]

  7. Register Microsoft Active Directory as a User Identity Data Store

When using Windows Native Authentication, the user credentials must reside in Microsoft Active Directory, which must therefore be registered as the user identity store for Oracle Access Manager.

To register Microsoft Active Directory with Oracle Access Manager take the steps below: 

- From the System Configuration tab, navigation pane, expand the Data Sources node.

- Click the User Identity Stores node, and then click the Add button in the tool bar.

- Enter required values for your Microsoft Active Directory. 

For example:

  Name: ADStore
  Store Type: AD: Microsoft Active Directory
  Prefetched Attributes: orclguid
  Location: ADServer.mydomain.net
  Principal: CN=OAMADADMIN,OU=Service Accounts,OU=Enterprise,DC=mydomain,DC=net
  Credential: ********
  User Search Base: dc=mydomain,dc=net
  Login ID Attribute: samaccountname
  User Password Attribute: userPassword
  Group Search Base: dc=mydomain,dc=net

Click Test Connection. Once the test succeeds, click Apply.

  8. Enable the browser to return Kerberos tokens

Steps to enable Kerberos tokens in Internet Explorer:

- On a Windows host in the Active Directory domain, sign in as a domain user.

- Open the Internet Explorer browser.

- From the Tools menu, click Internet Options, click Security, click Local Intranet, click Advanced.

- On the Advanced tab, Security section, check the box beside Enable Integrated Windows Authentication, and click OK.

- Add the Oracle Access Manager CC host or domain name to the Local Intranet zone.

- Restart the Internet Explorer browser.

  9. Validate the OAM integration with WNA

- Log in to a Windows system in the Active Directory domain as a domain user. Ensure that Internet Explorer is enabled for Integrated Windows Authentication as per step 8.
- Sign in to the Windows OS client using the Windows domain credentials stored in the hosted Active Directory that is registered with Oracle Access Manager.
- Start an IE browser and enter the EBS URL; the request is authenticated via AccessGate, which is an OAM-protected resource.
- Confirm that access is granted with no additional login prompt and that you are taken directly to the responsibility page.

Conclusion:
Windows Native Authentication allows users to log in to web-based single sign-on applications automatically using the Kerberos credentials obtained when the user logs in to a Windows domain. OAM 11g has several new features, and by integrating OAM with WNA we can achieve passwordless authentication for all the applications protected by the latest OAM release. For any questions on the topic click below. You can also leave a comment in the field below.
