Wednesday, December 21, 2011

Oracle Identity Manager LDAP and Smart Card authentication against Active Directory

Just recently we had the requirement to configure Oracle Identity Manager (OIM) 11g for LDAP and Smart Card authentication against Active Directory.

In this article I will share the configuration steps to get this up and running.

Step 1: Configure LDAP Authentication against Active Directory
Step 2: Configure SmartCard Authentication, Certs are stored in Active Directory

We take the following as given:
  • OIM 11g with Weblogic 10.3.x configured and running
  • Working LDAP Server (here Active Directory) available
  • SSL for OIM / Weblogic set up
  • Users from AD exist in OIM (e.g. through trusted source reconciliation)
  • Users in OIM have scrambled passwords

Configure Weblogic (and OIM) LDAP authentication against Active Directory

Requirements (on AD side)
  • An LDAP connection user with the necessary rights in AD to do subtree searches on your users and groups containers, that is, within the scope we configure below
  • For LDAP login to OIM to work, you need an AD group called "oimusers"; every user who should be able to log in to OIM must be a member of it. The group needs to be named exactly "oimusers".
Add an additional Authentication Provider
After a standard OIM / Weblogic Installation you should have something like this

Now we add an additional Authentication Provider
Name: ADAuthenticationProvider
Type: ActiveDirectoryAuthenticator
Control Flag: SUFFICIENT

Configure Provider Specific Options
LDAP Connection Information
(In a production environment you would use SSL-enabled LDAP, but that configuration is not part of this article.)

Principal: Your LDAP connection user

User scope configuration
User Base DN: Container where your users are found
The remaining parameters stay at their defaults

Group scope configuration
Group Base DN: Container where your groups are found
Your "oimusers" group must be found in this container or in its subtree
The remaining parameters stay at their defaults

Optionally you can also set the Weblogic Server debugging option (SecurityAtn) for troubleshooting.
If needed, do the same for oim_server1 as well.

Restart your AdminServer.
To confirm the debug option is properly set, you should see <Debug> <SecurityAtn> entries in your logfile after the restart.

The logfile will be found in your AdminServer log directory, in our Windows Installation this is:
C:\Oracle\Middleware\user_projects\domains\OIM_DEV\servers\AdminServer\logs\AdminServer.log
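As an added example (not code from the original post and not Oracle code), the following script performs the check just described: it parses the WebLogic server-log line layout (`####<timestamp> <severity> <subsystem> ... <message>`, with the user field nested as `<<WLS Kernel>>`) and reports whether any `<Debug> <SecurityAtn>` entries are present and how many debug lines each subsystem produced. The sample log text is constructed; its message texts are placeholders, not real WebLogic output. Multi-line messages (stack traces) are not reassembled; only the header line of each record is parsed.

```python
"""Check an AdminServer.log for <Debug> <SecurityAtn> entries.

Added example, not part of the original post and not Oracle code.
"""
import collections
import sys

# Constructed sample lines in WebLogic server-log layout; the messages are
# placeholders, not real WebLogic output.
SAMPLE_LOG = """\
####<Dec 21, 2011 1:05:00 PM CET> <Notice> <WebLogicServer> <oimhost> <AdminServer> <main> <<WLS Kernel>> <> <> <1324469100000> <BEA-000365> <Server state changed to RUNNING>
####<Dec 21, 2011 1:06:10 PM CET> <Debug> <SecurityAtn> <oimhost> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1324469170000> <BEA-000000> <constructed: ADAuthenticationProvider authenticate user jdoe>
####<Dec 21, 2011 1:06:11 PM CET> <Debug> <SecurityAtn> <oimhost> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1324469171000> <BEA-000000> <constructed: ADAuthenticationProvider authentication succeeded for jdoe>
####<Dec 21, 2011 1:06:12 PM CET> <Debug> <SecurityAtz> <oimhost> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1324469172000> <BEA-000000> <constructed: authorization decision for jdoe>
some continuation text that is not a record header and must be ignored
"""


def parse_log_line(line):
    """Split one ####<...> record header into its angle-bracketed fields.

    Nested brackets (the user field is written <<WLS Kernel>>) are kept
    intact by tracking depth. Returns None for continuation lines.
    """
    if not line.startswith("####<"):
        return None
    fields, depth, current = [], 0, []
    for ch in line[4:]:
        if ch == "<":
            depth += 1
            if depth == 1:
                current = []
                continue
        elif ch == ">":
            depth -= 1
            if depth == 0:
                fields.append("".join(current))
                continue
        if depth >= 1:
            current.append(ch)
    if len(fields) < 4:
        return None
    return {"timestamp": fields[0], "severity": fields[1],
            "subsystem": fields[2],
            "server": fields[4] if len(fields) > 4 else "",
            "message": fields[-1]}


def security_atn_debug_entries(log_text):
    """Return the messages of all <Debug> <SecurityAtn> records, in order."""
    entries = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["severity"] == "Debug" and rec["subsystem"] == "SecurityAtn":
            entries.append(rec["message"])
    return entries


def debug_flag_active(log_text):
    """True once the SecurityAtn debug flag has produced at least one record."""
    return bool(security_atn_debug_entries(log_text))


def count_by_subsystem(log_text):
    """Count Debug records per subsystem, showing which debug flags are on."""
    counts = collections.Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["severity"] == "Debug":
            counts[rec["subsystem"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: python check_securityatn.py [path\to\AdminServer.log]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_LOG
    print("SecurityAtn debug active:", debug_flag_active(text))
    print("Debug records per subsystem:", count_by_subsystem(text))
    for msg in security_atn_debug_entries(text):
        print("  ", msg)
```

Run it against the AdminServer.log path above (and the oim_server1 log, if you enabled the flag there too); an empty result after a restart and a login attempt means the debug flag did not take effect on that server.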

Log in to your Weblogic console, navigate to "myrealm" and check the Users and Groups tabs. You should now see all your users from Active Directory within the subtree of the configured scope.

Check the Groups tab and find “oimusers” (this is a regular AD group; OIM will only accept authentication for users that belong to this object as “member”).
Notice that the embedded LDAP (DefaultAuthenticator) also has an “oimusers” group.

With that configuration step complete, you should already be able to log in to OIM with one of your Active Directory users.

Please note:
In our environment Active Directory is configured as a trusted source for OIM, so all the users we log in with already exist as accounts in OIM, but with unknown random passwords.
For simple LDAP login tests you can also manually create a corresponding account in OIM and give it some password (preferably not the same as the LDAP password, otherwise you cannot tell whether the login was accepted by the LDAP authenticator or by the OIM account).

Configure Weblogic (and OIM) Smart Card authentication against Active Directory

Add and configure an additional Authentication Provider.
Name: LDAPX509IdentityAsserter
Type: LDAPX509IdentityAsserter
Active Types Chosen: X.509 (already the default)

Provider Specific Parameters
Host: Your LDAP Host, same as used above
Principal: Your LDAP connection user, same as used above
User Filter Attributes: The attribute in Active Directory that the Smart Card certificate attribute is mapped to. In our case we map the Smart Card Subject CN to userPrincipalName in AD.
Certificate Attribute: userCertificate. Note that the default value was userCertificate;binary; this didn't work even though our certs are saved in binary form in AD.

Certificate Mapping: Container where your AD users are; if in doubt, use the same container as in the LDAP configuration above.
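To make the effect of these settings concrete, here is an added example (not code from the original post and not Oracle code) that models, against a constructed in-memory directory, the decision the identity asserter and OIM make together: look up the one user under the User Base DN whose userPrincipalName equals the certificate Subject CN, compare the userCertificate value stored in AD with the certificate presented from the card, and finally require membership in the "oimusers" group that the LDAP section above calls mandatory. The DNs, user entries and certificate byte strings are constructed placeholders (a real directory holds DER bytes), and the in-memory search is a stand-in for the subtree search WebLogic sends to AD. It also shows why the CN taken from the certificate is RFC 4515-escaped before it goes into the filter: an unescaped `*` would turn the equality lookup into a wildcard search.

```python
"""Model of the user lookup behind the post's smart-card settings.

Added example; not code from the original post nor from Oracle WebLogic.
"""
import hmac
import re

USER_FILTER_ATTRIBUTE = "userPrincipalName"  # post: Subject CN -> userPrincipalName
CERTIFICATE_ATTRIBUTE = "userCertificate"    # post: not userCertificate;binary
REQUIRED_GROUP_CN = "oimusers"               # post: mandatory AD group for OIM login

# Constructed DNs; substitute your own containers.
USER_BASE_DN = "OU=Users,DC=example,DC=com"
GROUP_DN = "CN=oimusers,OU=Groups,DC=example,DC=com"

# Constructed stand-ins for DER certificate bytes (AD stores the real DER).
CERT_ALICE = b"constructed-der-alice"
CERT_CAROL_IN_AD = b"constructed-der-carol-v1"
CERT_CAROL_ON_CARD = b"constructed-der-carol-v2"  # card renewed, AD not updated

DIRECTORY = [  # constructed entries standing in for Active Directory
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "objectClass": "user",
     "userPrincipalName": "alice@example.com", "memberOf": [GROUP_DN],
     "userCertificate": CERT_ALICE},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "objectClass": "user",
     "userPrincipalName": "bob@example.com", "memberOf": [],
     "userCertificate": b"constructed-der-bob"},
    {"dn": "CN=Carol,OU=Users,DC=example,DC=com", "objectClass": "user",
     "userPrincipalName": "carol@example.com", "memberOf": [GROUP_DN],
     "userCertificate": CERT_CAROL_IN_AD},
    {"dn": "CN=Dave,OU=Contractors,DC=example,DC=com", "objectClass": "user",
     "userPrincipalName": "dave@example.com", "memberOf": [GROUP_DN],
     "userCertificate": b"constructed-der-dave"},
]


def escape_filter_value(value):
    """RFC 4515 escaping. The CN is read from the presented certificate, so
    it is inserted as a literal and can never alter the filter structure."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x00, 0x28, 0x29, 0x2A, 0x5C) or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_user_filter(subject_cn):
    """Filter equivalent to the asserter's user lookup for one Subject CN."""
    return "(&(objectClass=user)(%s=%s))" % (
        USER_FILTER_ATTRIBUTE, escape_filter_value(subject_cn))


_EQUALITY = re.compile(r"\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def _unescape(raw):
    data = re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw.encode("utf-8"))
    return data.decode("utf-8")


def _matches(raw, attr_value):
    """Equality/substring match: an unescaped '*' is a wildcard, '\\2a' is not."""
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return re.fullmatch(pattern, attr_value, re.IGNORECASE) is not None


def evaluate_filter(ldap_filter, entry):
    """Evaluate the AND-of-equality filters built above against one entry."""
    pairs = _EQUALITY.findall(ldap_filter)
    return bool(pairs) and all(_matches(raw, str(entry.get(attr, "")))
                               for attr, raw in pairs)


def subtree_search(ldap_filter, base_dn):
    """Stand-in for the subtree search WebLogic sends to AD under the base DN."""
    base = base_dn.lower()
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(base) and evaluate_filter(ldap_filter, e)]


def assert_identity(subject_cn, presented_cert):
    """Return (user DN, "ok") or (None, reason). Exactly one user must match
    under the User Base DN, its stored certificate must equal the presented
    one, and it must be a member of oimusers (the check OIM itself applies)."""
    matches = subtree_search(build_user_filter(subject_cn), USER_BASE_DN)
    if len(matches) != 1:
        return None, "user lookup returned %d entries" % len(matches)
    user = matches[0]
    if not hmac.compare_digest(user[CERTIFICATE_ATTRIBUTE], presented_cert):
        return None, "stored %s differs from presented certificate" % CERTIFICATE_ATTRIBUTE
    if GROUP_DN.lower() not in [g.lower() for g in user["memberOf"]]:
        return None, "not a member of %s" % REQUIRED_GROUP_CN
    return user["dn"], "ok"


if __name__ == "__main__":
    for cn, cert in [("alice@example.com", CERT_ALICE),
                     ("bob@example.com", b"constructed-der-bob"),
                     ("carol@example.com", CERT_CAROL_ON_CARD),
                     ("dave@example.com", b"constructed-der-dave"),
                     ("*", CERT_ALICE)]:
        print(cn, "->", assert_identity(cn, cert))
```

The four constructed users cover the failure modes you will meet when the LDAP and smart-card settings above disagree with the directory: Bob is outside "oimusers", Carol's card carries a newer certificate than the one stored in userCertificate, and Dave sits in a container outside the configured User Base DN, so he is simply not found.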

Now that we have configured the new Authentication Providers, we need to put them in the right order.

For Weblogic to request the client certificate (in our use case from the Smart Card), the SSL advanced option "Two Way Client Cert Behavior" needs to be modified on each managed server on which you want to be able to use your Smart Card.
You can set it either to "... Requested But Not Enforced" or to "... Requested And Enforced".
See here for more details.

Summary
  • We created one WLS Authentication Provider for LDAP authentication
  • We created one WLS Authentication Provider to act as an Identity Asserter for our Smart Card certificates
  • We configured both providers to "talk" to Active Directory via LDAP, to find the corresponding users and to authenticate them based on the certificates from the Smart Card
  • Additional steps would be to put a proper authorization setup for OIM and Weblogic in place
Please give feedback if you find this useful, or if something is missing or incorrect.

9 comments:

  1. Fannie Mae is looking for Production people with OIM experience.

    Location: Reston VA
    Rate: 65/Hr on W2

    This position will provide 24/7 coverage for Oracle Identity Management and Oracle Identity Analytics product suite. The position will support java based identity access work flow application running on Linux and Window servers.
    The position will support Weblogic middleware application cluster server configuration. Knowledge of Linux/Unix command and script is expected. Extensive knowledge of Oracle Database and SQL query is required to support the java based application.

    100% production support role. Needs either past experience in OIM or OIA (both are Java applications) or manager will also consider Java developers willing to do production support (100% prod support). Ideally manager wants to hire 2 people. One person should be strong in OIM and the other strong in OIA (also called Sun Role Manager (old name for OIA)). If we don't find these people, he will also take strong Java developers for these roles.

    Thanks and regards,
    Nina Coleman
    Sr. Technical Recruiter
    Technology Ventures
    ncoleman@tventures.net
    www.tventures.net
    703-945-1758 (work)

    We offer a $1000 referral bonus for every referral of yours we place successfully.

  2. Hi - Good Post. We are doing online and classroom trainings for SailPoint IAM enthusiasts. Hope to help people who want to learn basic or advanced level SailPoint IIQ working.

    Check details here http://www.itjobzone.biz/Sailpoint-training.html

  4. How can I see the user in Weblogic if I add the user to oimusers in AD?

  5. Hi,

    The above post is very nice. Thank you.

    Regards,
    Srikanth

  6. Hi,

    I have a requirement as below. Please tell me whether I will fulfil the requirement if I follow the above steps.

    We have 2 domains, for example, X domain and Y domain. In X domain all OIM users are created. Y users are not created in X domain, but there is a trust created between X and Y. Y users are using smart cards for authentication. Now how can Y domain users log in to OIM?
    Please let me know if any other information is required.

    Your help would be much appreciated. Thanks in advance.

    Regards,
    Srikanth

  7. Hello Matthias,

    Thanks for the post. Very good details. Worked like a charm. Good directions.
    I am wondering whether there is any way to add a custom schema attribute to identity warehouse > Application Accounts?
    When I check the UI Customization with UIConfig in IdentityIQ 7.2 document, I see only accountIconConfig examples.
    Customizing identity warehouse - application accounts attributes?
    Appreciate your effort for making such useful blogs and helping the community.

    Many Thanks,
    Ponna

  8. Hello There,

    Nice tutorial! Let's keep our fingers crossed that this works. I would like to put this all to rest.
    Thanks for your response Mike. I will look into the ETN. Regarding the authentication question, I am not sure if that will be categorized as a product defect or not. Currently, when we enable authentication Sailpoint tutorial question and SSO, IIQ throws a warning pop-up saying authentication questions won't work when SSO is enabled. However, this is a typical forgot-password management use case when IdM is protected by SSO. So, I was wondering if someone else has encountered this issue and whether there are any workarounds to get past it.

    Great effort, I wish I saw it earlier.

    Best Regards,
    Abhiram

  9. Hi Bro,
    Very cool to see your post come up when I was searching this topic!

    We are using IIQ 7.2 and configured SSO with ADFS. It is working fine when we return identity object from SSO rule. However, we have e-signatures also in our environment and that's why we enabled pass-through authentication with AD. E-signature works fine if identity name matches with one of the attributes listed in authSearchAttributes of pass-through authentication application but it throws authentication failed when identity name does not match with any of those attributes. I am guessing that is because when user tries to sign-off, user name field is automatically populated with identity name. So, based on the following article, we thought of returning link object from SSO rule instead of returning identity object. Sailpoint idm training

    Very useful article, if I run into challenges along the way, I will share them here.
    Muchas Gracias,
    Ajeeth
