Mapping Roles between Oracle BPM and Oracle IDM
8/2/2019 Mapping Roles between Oracle BPM and Oracle IDM
MAPPING BPM ROLES INTO IDM (ORACLE IDENTITY MANAGEMENT)
Andre Almar http://www.andrealmar.com
Hello people, I'm here again to show you how to integrate/map the roles of Oracle BPM into Oracle IDM (Identity Management).
First, you have to understand some concepts.
As the official documentation says, Oracle Fusion Middleware allows different types of credential and policy stores in a WebLogic domain. Domains can use stores based on an XML file or on different types of LDAP providers. When a domain uses an LDAP store, all policy and credential data is kept and maintained in a centralized store. However, when using XML policy stores, the changes made on Managed Servers are not propagated to the Administration Server unless they use the SAME domain home.
By default, Oracle WebLogic Server domains use an XML file for the policy store. The official documentation describes the steps required to change the default store to Oracle Internet Directory LDAP for credentials or policies.
Note that what this post configures is an OID authentication provider, that is, an LDAP identity store for users and groups. The policy store stays file-based (system-jazn-data.xml) unless you reassociate it separately, which is a different procedure.
More information in the official documentation:
http://download.oracle.com/docs/cd/E17904_01/core.1111/e12036/oam.htm#BABFGBED
Before creating the LDAP Authenticator, first make a backup of the following files:
ORACLE_BASE/admin//aserver//config/config.xml
ORACLE_BASE/admin//aserver//config/fmwconfig/jps-config.xml
ORACLE_BASE/admin//aserver//config/fmwconfig/system-jazn-data.xml
Back up boot.properties too.
Log into the WebLogic Console and go to Security Realms/myrealm.
Go to the Providers tab.
Note that DefaultAuthenticator already exists here.
Click New to add a new provider.
Enter a name for your new provider, for example OIDAuthenticator or OIDAuth.
For Provider Type, choose OracleInternetDirectoryAuthenticator.
It will appear in the provider list.
Click the newly created provider and set its Control Flag to SUFFICIENT.
Go to the Provider Specific tab and enter the details of your LDAP server.
For example, in my environment:
Follow this table from the official documentation:
IMPORTANT: check this box.
Click Save and then Activate Changes.
Now we have to re-order the providers.
Go to the Security Realms/myrealm/Providers tab and reorder the providers so that OIDAuthenticator comes before DefaultAuthenticator, as shown in the screen above.
Be sure that DefaultAuthenticator also has its Control Flag set to SUFFICIENT. With both providers SUFFICIENT, a login is accepted as soon as either store authenticates it: OID is tried first, and the embedded LDAP still backs it up. Keep it that way until you have verified that OID logins work; if you remove DefaultAuthenticator or make OIDAuthenticator REQUIRED before then, the weblogic account in boot.properties and the console admin can no longer log in, and an OID outage locks you out of the domain.
Now, RESTART the Administration Server and the Managed Servers of your SOA
environment.
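Before restarting, it is worth checking the resulting provider chain in config.xml rather than trusting the console screenshot. The script below is an added example, not code from the original post or from Oracle: it assumes the element and namespace names WebLogic writes for a realm (security-configuration/realm, sec:authentication-provider, sec:name, sec:control-flag, xsi:type), and the sample document embedded in it is constructed to mirror the end state of this post, with an assumed xsi:type spelling for the OID provider and placeholder host/port; it is not a real domain's file.

```python
"""Check the authentication-provider chain in a WebLogic config.xml.

Added example, not code from the original post. It assumes the element and
namespace names WebLogic 10.3 writes for a realm; the sample document below is
constructed, not taken from a real domain, and the OID host/port and the
xsi:type spelling of the OID provider are assumptions the checks do not rely on.
"""
import xml.etree.ElementTree as ET

NS = {
    "d": "http://xmlns.oracle.com/weblogic/domain",
    "sec": "http://xmlns.oracle.com/weblogic/security",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# An untouched provider is written as an empty element: no sec:name, only xsi:type.
DEFAULT_NAMES = {
    "wls:default-authenticatorType": "DefaultAuthenticator",
    "wls:default-identity-asserterType": "DefaultIdentityAsserter",
}

# Constructed sample: OID authenticator first, both authenticators SUFFICIENT.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:sec="http://xmlns.oracle.com/weblogic/security"
        xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>soa_domain</name>
  <security-configuration>
    <name>soa_domain</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">
        <sec:name>OIDAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:host>oid.example.com</wls:host>
        <wls:port>3060</wls:port>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:name>DefaultAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:name>myrealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
  </security-configuration>
</domain>
"""


def provider_chain(config_xml, realm="myrealm"):
    """Return the realm's authentication providers in document order (the order
    WebLogic consults them) as dicts with name, xsi type and control flag.
    flag is None when no sec:control-flag element is present."""
    root = ET.fromstring(config_xml)
    for r in root.findall("d:security-configuration/d:realm", NS):
        if r.findtext("sec:name", namespaces=NS) != realm:
            continue
        chain = []
        for p in r.findall("sec:authentication-provider", NS):
            ptype = p.get(XSI_TYPE, "")
            chain.append({
                "name": p.findtext("sec:name", namespaces=NS) or DEFAULT_NAMES.get(ptype, ptype),
                "type": ptype,
                "flag": p.findtext("sec:control-flag", namespaces=NS),
            })
        return chain
    raise ValueError("realm %r not found" % realm)


def check_chain(chain, ldap_provider="OIDAuthenticator", fallback="DefaultAuthenticator"):
    """Return findings (empty list == the intended layout: the LDAP authenticator
    consulted first, the embedded-LDAP authenticator kept as a SUFFICIENT
    fallback so a directory outage cannot lock everyone out)."""
    findings = []
    # Identity asserters carry no control flag and play no part in password logins.
    auths = [p for p in chain if "identity-asserter" not in p["type"]]
    names = [p["name"] for p in auths]
    flags = {p["name"]: p["flag"] for p in auths}
    if ldap_provider not in names:
        findings.append("%s is not configured in this realm" % ldap_provider)
    else:
        if names[0] != ldap_provider:
            findings.append("%s is not first: %s is consulted before it" % (ldap_provider, names[0]))
        if flags[ldap_provider] in ("REQUIRED", "REQUISITE"):
            findings.append("%s is %s: accounts that exist only in the embedded LDAP "
                            "(boot identity, console admin) can no longer log in"
                            % (ldap_provider, flags[ldap_provider]))
    if fallback not in names:
        findings.append("%s has been removed; keep it until every admin exists in OID" % fallback)
    elif flags[fallback] != "SUFFICIENT":
        findings.append("%s control flag is %s; set it to SUFFICIENT explicitly"
                        % (fallback, flags[fallback] or "unset"))
    return findings


def check_config(config_xml, realm="myrealm"):
    """Parse and check in one call; returns the list of findings."""
    return check_chain(provider_chain(config_xml, realm))


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG_XML) or ["OK: OID first, DefaultAuthenticator SUFFICIENT"]:
        print(line)
```

Run it against a copy of the real config.xml (the one you backed up and the one the console wrote) by passing the file contents to check_config; an empty result means the chain matches what this post sets up, and any finding names the provider and flag to fix before you restart.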
Go to the Security Realms/myrealm/Roles and Policies tab.
Expand Global Roles and then expand Roles.
You will see the list of global roles.
In the Role Policy column of the Admin role, click View Role Conditions.
On this screen you associate a condition with the Admin role.
For example, your LDAP has a group called SOAAdministrators with a user assigned to it. Every user that is a member of this group will be an Administrator of my soa_domain.
Now I will create a Role Condition:
Click Add Conditions.
In the Predicate List choose Group and click Next.
In Group Argument Name enter the name of your SOAAdministrators group and click Add.
After that, click Finish.
You will see the group added to the Admin role conditions.
If you're having trouble with this part, I suggest you create the SOAAdministrators group and the user assigned to it through LDIF files. I've faced some problems when creating this group and user through ODSM (Oracle Directory Services Manager).
To create the group and the user, just create two LDIF files:
Admin_group.ldif, which contains the following (fill in the dc components of your own directory):
dn: cn=SOAAdministrators,cn=Groups,dc=andrealmar,dc=com
displayname: SOAAdministrators
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_soa,cn=Users,dc=andrealmar,dc=com
cn: SOAAdministrators
description: Administrators Group for the SOA Domain
admin_user.ldif, which contains the following:
dn: cn=weblogic_soa,cn=Users,dc=andrealmar,dc=com
orclsamaccountname: weblogic_soa
givenname: weblogic_soa
sn: weblogic_soa
userpassword: welcome1
mail: weblogic_soa
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
uid: weblogic_soa
cn: weblogic_soa
description: Admin User for the SOA Domain
Replace welcome1 with a real password before importing: this account becomes an Administrator of the whole domain, and the LDIF holds the password in clear text, so delete the file (or at least the userpassword line) once the import is done. Also make sure the uniquemember value in the group file is exactly the user's dn, otherwise the Admin role condition never matches.
Then import these two LDIF files with an LDAP browser. I used the Gawor LDAP Browser.
User shown in Gawor LDAP Browser
Group shown in Gawor LDAP Browser
Group shown in ODSM (Oracle Directory Services Manager)
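The two LDIF files above are easy to get subtly wrong by hand (a uniquemember DN that does not match the user's dn, a duplicated objectclass, a value that LDIF requires to be base64-encoded), and the Admin role condition then silently never matches. The script below is an added example, not the post's own files: the DNs, attributes and object classes are the ones listed above, while the helper names, the RFC 2849 encoding and folding rules, the consistency check and the generated password are this example's own; the mail parameter is an assumption (the post only has the bare user name there), and the password passed in by the caller is a placeholder.

```python
"""Build and cross-check the SOAAdministrators group and weblogic_soa user LDIF.

Added example, not the post's own files. DNs, attributes and object classes
follow the post; helper names, RFC 2849 encoding/folding, the membership check
and the generated password are this example's own. The mail value defaults to
the post's bare user name; pass a real address if your directory needs one.
"""
import base64
import secrets

UNSAFE_FIRST = " :<"   # RFC 2849: a plain value may not start with these
LINE_WIDTH = 76        # RFC 2849 recommends folding at 76 columns


def _needs_base64(value):
    """True when RFC 2849 requires the value to be written after '::'."""
    if not value:
        return False
    if value[0] in UNSAFE_FIRST:
        return True
    return any(ord(ch) > 127 or ch in "\0\r\n" for ch in value)


def _fold(line):
    """Fold one logical line into continuation lines (leading single space)."""
    if len(line) <= LINE_WIDTH:
        return [line]
    out = [line[:LINE_WIDTH]]
    rest = line[LINE_WIDTH:]
    while rest:
        out.append(" " + rest[:LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return out


def to_ldif(dn, attrs):
    """Serialise one entry. attrs is an ordered list of (name, value) pairs so
    that multi-valued attributes such as objectclass are simply repeated."""
    logical = ["dn: " + dn]
    for name, value in attrs:
        if _needs_base64(value):
            logical.append(name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii"))
        else:
            logical.append(name + ": " + value)
    return "\n".join(physical for logical_line in logical for physical in _fold(logical_line)) + "\n"


def normalize_dn(dn):
    """Fold case and drop whitespace around RDN separators so that 'cn=Users'
    and 'cn=users' (and 'dc=andrealmar, dc=com') compare equal, as the
    directory's matching rules treat them."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_entries(base_dn, group_cn, uid, password=None, mail=None):
    """Return (user_entry, group_entry), each a (dn, attrs) pair."""
    if password is None:
        # Never ship the tutorial's welcome1: generate one and hand it over out of band.
        password = secrets.token_urlsafe(16)
    user_dn = "cn=%s,cn=Users,%s" % (uid, base_dn)
    group_dn = "cn=%s,cn=Groups,%s" % (group_cn, base_dn)
    user = (user_dn, [
        ("orclsamaccountname", uid),
        ("givenname", uid),
        ("sn", uid),
        ("userpassword", password),   # travels in clear: protect the file and the connection
        ("mail", mail or uid),        # assumption: the post only puts the user name here
        ("objectclass", "top"),
        ("objectclass", "person"),
        ("objectclass", "organizationalPerson"),
        ("objectclass", "inetorgperson"),
        ("objectclass", "orcluser"),
        ("objectclass", "orcluserV2"),
        ("uid", uid),
        ("cn", uid),
        ("description", "Admin User for the SOA Domain"),
    ])
    group = (group_dn, [
        ("displayname", group_cn),
        ("objectclass", "top"),
        ("objectclass", "groupOfUniqueNames"),
        ("objectclass", "orclGroup"),
        ("uniquemember", user_dn),    # must equal the user's dn for the Admin role condition to match
        ("cn", group_cn),
        ("description", "Administrators Group for the SOA Domain"),
    ])
    return user, group


def check_entries(user, group):
    """Findings (empty list == OK) for the mistakes that make the Admin role
    condition silently fail: member DN not matching the user DN, a repeated
    object class, or an RDN attribute missing from the entry itself."""
    findings = []
    user_dn, _ = user
    _, group_attrs = group
    members = [normalize_dn(v) for n, v in group_attrs if n.lower() == "uniquemember"]
    if normalize_dn(user_dn) not in members:
        findings.append("uniquemember does not reference %s" % user_dn)
    for label, (dn, attrs) in (("user", user), ("group", group)):
        ocs = [v for n, v in attrs if n.lower() == "objectclass"]
        if len(ocs) != len(set(ocs)):
            findings.append("%s entry repeats an objectclass value" % label)
        rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
        if (rdn_attr.lower(), rdn_val) not in [(n.lower(), v) for n, v in attrs]:
            findings.append("%s entry lacks its RDN attribute %s=%s" % (label, rdn_attr, rdn_val))
    return findings


if __name__ == "__main__":
    u, g = build_entries("dc=andrealmar,dc=com", "SOAAdministrators", "weblogic_soa")
    print(check_entries(u, g) or "entries consistent")
    print(to_ldif(*u))
    print(to_ldif(*g))
```

Write the two to_ldif results to admin_user.ldif and Admin_group.ldif (user first, since the group references it) and import them with the LDAP browser as above or with an LDAP client such as OpenLDAP's ldapadd (-x -H ldap://host:port -D cn=orcladmin -W -f file.ldif); the generated password is printed once in the user entry and nowhere else, so capture it from there and then delete the file.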
To check that the configuration works, log out and log in again as the new user weblogic_soa, which is now an Administrator of soa_domain.
Now go to http://yourserver:7001/em and expand WebLogic Domain/soa_domain.
Go to Security / Application Roles.
In Select Application Stripe to Search, select OracleBPMProcessRolesApp as shown below:
Click on
All your BPM roles will appear. My domain doesn't have any application deployed, so the only role that appears is BPMProcessAdmin.
To assign an OID (Oracle Internet Directory) user to this role, just click on the role name.
You can assign a Group or a User. I decided to assign a user (weblogic_soa), created earlier in this tutorial, to this role.
Note that weblogic_soa now appears in the Users table.
Log into the BPM Workspace (http://yourserver:8001/bpm/workspace) and check that your user has the correct BPM role assigned.