Allow single signed on access to an Internal Portal, with the user logging in from an external portal using a custom login form (one at the top right corner of the screen).
Well, you might ask what's the big deal with this. Isn't this a standard custom login page being implemented ? Nope, a standard OAM Custom Login page posts to the /oam/server/auth_cred_submit URL endpoint alongwith request_id as a parameter which contains the details of the protected resource to which it should navigate on successful authentication. In short, the protected page was solicited by the user, and after a series of redirects it lands at the custom login page. Once the user authenticates successfully, the resource is picked up from the request_id parameter and navigated to.
In the above scenario, the user needs to navigate to a resource which was not solicited.e.g. The user requested for www.oracle.com and after logging in needs to navigate to oracle.com/EmployeePortal.
Unsolicited Login is used when we want to authenticate user without any request_id or resource. The page which is navigated to, upon successful authentication is not the one which was initially solicited hence the name Unsolicited Login.
Following are the steps needed to enable this feature in OAM :
1. Enable Direct Authentication for OAM.
Navigate to OAM Domain for your installation, under config/fmwconfig/oam-config.xml, ensure that
DirectAuthenticationServiceDescriptoris set to
It is highly recommended that, you first stop the Admin Server and OAM Cluster before you make any changes to the oam-config.xml. Further, it is sufficient to do the above changes in the oam-config.xml under the AdminServer/config/fmwconfig incrementing the Version field by 1. Once you have restarted the AdminServer and the OAM Clusters, the oam-config.xml for OAM Cluster will get automatically updated.
a. usernameb. passwordc. successurl, for example, http://machinename.mycompany.com:7778/sample-web/headers.jsp.
Code Example<form id="loginForm" name="loginForm" action="http://OAMHost:Port/oam/server/authentication" method="post" hidden="true" ><input id="username" type="text" name="username" /><input id="password" type="password" name="password" /><input id="successurl" type="text" name="successurl" value="http://chinni-pc:7777/"/><input type="submit" value="submit" /></form>You can use the above code bit in a JSP and package it within the same Custom Login Page app archive used for the Internal Portal. This will need to be re-deployed to the Weblogic Server for the functionality to work.
In case you would like to use it in an external Portal page which is an HTML or the like you can iframe the above code as a JSP.Once the credentials are validated, OAM Server redirects to the success URL after setting
OAM_IDcookie as part of HTTP redirect (HTTP response code 302).
Note – Internal Portal Login page or code does not need to be changed.
i) Login to Oracle Access Management administration console and navigate to Policy Configuration, then Application Domains.ii) Select edit default application domain IAMSuite. Navigate to Resources, then search and edit resource /oamDirectAuthentication.iii) Under Operations, de-select all operations that are not to be supported, except POST. For example, GET, DELETE.iv) Make sure that the AuthenticationPolicy for the /oamDirectAuthentication points to the same AuthenticationScheme as for the Internal Portal.If the above is not present in your OAM environment, please create it similar to the screenshots below.
Once user logs in, user will be redirected to successurl.
Below are the screenshots and summary from a POC done on OAM 126.96.36.199 with WebCenter Portal/Spaces 188.8.131.52.3 as the Success URL.
If the protected resource is accessed directly, a separate authentication method/form will be used to challenge the user.