A common requirement for many Portal clients: allow single sign-on access to an Internal Portal, with the user logging in from an external portal using a custom login form (such as one at the top right corner of the screen).
Why is this not straightforward?
Well, you might ask what the big deal is with this. Isn't this just a standard custom login page being implemented? No: a standard OAM custom login page posts to the /oam/server/auth_cred_submit endpoint along with a request_id parameter, which carries the details of the protected resource to navigate to on successful authentication. In short, the user solicited the protected page and, after a series of redirects, landed at the custom login page. Once the user authenticates successfully, the resource is picked up from the request_id parameter and navigated to.
In the scenario above, the user needs to navigate to a resource that was not solicited, e.g. the user requested www.oracle.com and after logging in needs to navigate to oracle.com/EmployeePortal.
This introduces the concept of Unsolicited Login. Unsolicited Login is used when we want to authenticate a user without any request_id or resource. The page navigated to upon successful authentication is not the one that was initially solicited, hence the name Unsolicited Login.
This feature was introduced by Oracle in 11gR2 (the 11.1.2.x series). Prior to 11gR2, it would need to be custom built.
Following are the steps needed to enable this feature in OAM:
1. Enable Direct Authentication for OAM.
Navigate to the OAM Domain for your installation and, under config/fmwconfig/oam-config.xml, ensure that ServiceStatus under DirectAuthenticationServiceDescriptor is set to true (DirectAuthenticationServiceDescriptor is under OAMServicesDescriptor).
It is highly recommended that you first stop the Admin Server and the OAM Cluster before you make any changes to oam-config.xml. Further, it is sufficient to make the above change in the oam-config.xml under AdminServer/config/fmwconfig, incrementing the Version field by 1. Once you have restarted the AdminServer and the OAM Clusters, the oam-config.xml for the OAM Cluster will be updated automatically.
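The change in step 1 can be scripted so that the ServiceStatus flip and the Version increment always happen together and can be checked afterwards. The Python script below is an added example, not Oracle's code or part of the original post. It assumes that oam-config.xml is built from nested <Setting Name="..." Type="..."> elements, with Version and OAMServicesDescriptor as children of NGAMConfiguration; the embedded SAMPLE_OAM_CONFIG fragment is constructed in that assumed shape. Verify the element names against your own file, and stop the Admin Server and OAM Cluster as the step describes before replacing the real file.

```python
"""Flip DirectAuthenticationServiceDescriptor/ServiceStatus to true and bump Version.

Added example, not Oracle's code. The nested <Setting Name=... Type=...> layout
below is an assumption about oam-config.xml; check it against your own file.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the assumed oam-config.xml shape (not a real file).
SAMPLE_OAM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration xmlns="http://www.oracle.com/oam" schemaLocation="http://www.oracle.com/oam">
  <Setting Name="NGAMConfiguration" Type="htf:map">
    <Setting Name="Version" Type="xsd:integer">4</Setting>
    <Setting Name="OAMServicesDescriptor" Type="htf:map">
      <Setting Name="DirectAuthenticationServiceDescriptor" Type="htf:map">
        <Setting Name="ServiceStatus" Type="xsd:boolean">false</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n'


def _local_name(tag):
    """'{uri}Setting' -> 'Setting' (ElementTree keeps the namespace in the tag)."""
    return tag.rsplit("}", 1)[-1]


def find_setting(parent, name):
    """Return the direct child <Setting Name="name"> of parent, or None."""
    for child in parent:
        if _local_name(child.tag) == "Setting" and child.get("Name") == name:
            return child
    return None


def _walk(root, *names):
    """Follow a chain of nested Setting names from the root, failing loudly if absent."""
    node = root
    for name in names:
        node = find_setting(node, name)
        if node is None:
            raise ValueError(f"Setting {name!r} not found; layout differs from the assumed one")
    return node


def is_direct_auth_enabled(xml_text):
    """True when ServiceStatus under DirectAuthenticationServiceDescriptor reads 'true'."""
    status = _walk(ET.fromstring(xml_text), "NGAMConfiguration", "OAMServicesDescriptor",
                   "DirectAuthenticationServiceDescriptor", "ServiceStatus")
    return (status.text or "").strip().lower() == "true"


def enable_direct_authentication(xml_text):
    """Return (new_xml, old_version, new_version): ServiceStatus=true, Version+1."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output instead of ns0:
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    status = _walk(root, "NGAMConfiguration", "OAMServicesDescriptor",
                   "DirectAuthenticationServiceDescriptor", "ServiceStatus")
    status.text = "true"
    version = _walk(root, "NGAMConfiguration", "Version")
    old_version = int((version.text or "0").strip())
    version.text = str(old_version + 1)  # the post: increment Version by 1 per edit
    return XML_DECLARATION + ET.tostring(root, encoding="unicode"), old_version, old_version + 1


if __name__ == "__main__":
    # Usage: python enable_direct_auth.py <oam-config.xml> <output.xml>
    # Writes to a separate file so the result can be diffed before it replaces
    # AdminServer/config/fmwconfig/oam-config.xml (with the servers stopped, as step 1 says).
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as fh:
        new_xml, old_v, new_v = enable_direct_authentication(fh.read())
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    print(f"ServiceStatus set to true, Version {old_v} -> {new_v}, written to {dst}")
```

The script writes to a separate output file rather than editing in place, so the diff against the original can be reviewed before the file is copied over, and is_direct_auth_enabled can be run against the cluster copy after restart to confirm that the automatic update described in step 1 actually happened.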
2. Submit the following information from the Custom Login Form (on the external, public-facing Portal page) to the endpoint https://oam_host:oam_port/oam/server/authentication:
Code Example
<!-- The three fields OAM expects for direct authentication: username, password, successurl.
     Use an https:// action, as in the endpoint above, because the password travels in the body.
     hidden is a boolean attribute, so hidden="true" hides the whole form; drop it if the
     user is meant to see and submit this form rather than a script submitting it. -->
<form id="loginForm" name="loginForm"
      action="http://OAMHost:Port/oam/server/authentication" method="post"
      hidden="true">
  <input id="username" type="text" name="username" />
  <input id="password" type="password" name="password" />
  <!-- successurl: the unsolicited resource OAM redirects to after a successful login -->
  <input id="successurl" type="text" name="successurl" value="http://chinni-pc:7777/" />
  <input type="submit" value="submit" />
</form>
You can use the above code in a JSP and package it within the same Custom Login Page application archive used for the Internal Portal. This will need to be re-deployed to the WebLogic Server for the functionality to work.
Once the credentials are validated, the OAM Server sets the OAM_ID cookie and redirects to the success URL as part of an HTTP redirect (HTTP response code 302).
Note: the Internal Portal login page or code does not need to be changed.
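The reply described above (a 302 to the success URL carrying the OAM_ID cookie) is worth checking mechanically when the form is first wired up, so that a failed login, a redirect to the wrong place, or a session cookie issued without Secure/HttpOnly is spotted before the portal goes live. The Python script below is an added example, not Oracle's code or part of the original post. It posts the same three fields as the form above to the /oam/server/authentication path with redirect-following disabled, then inspects the reply; the checking logic is kept separate from the network call so it can also be run over a captured response. The SAMPLE_* headers are constructed for the example, not captured from a real OAM server, and the successurl is the one in the form above.

```python
"""Post the unsolicited-login form fields and check the reply the post describes:
a 302 to successurl carrying the OAM_ID cookie.

Added example, not Oracle's code. Endpoint path and field names are the ones in the
post's form; SAMPLE_* values are constructed, not captured from a real OAM server.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

DIRECT_AUTH_PATH = "/oam/server/authentication"

# Constructed successurl (taken from the post's form) and two constructed replies.
SAMPLE_SUCCESSURL = "http://chinni-pc:7777/"
SAMPLE_LOGIN_OK_HEADERS = [
    ("Location", "http://chinni-pc:7777/"),
    ("Set-Cookie", "OAM_ID=constructed-session-value; Path=/; Secure; HttpOnly"),
]
SAMPLE_LOGIN_FAILED_HEADERS = [("Content-Type", "text/html; charset=UTF-8")]


def check_direct_auth_response(status, headers, expected_successurl):
    """Inspect one (status, header list) reply from the direct-authentication endpoint.

    headers is a list of (name, value) pairs, as HTTPResponse.getheaders() returns.
    Returns a dict of findings rather than a bare bool so an operator can see which
    expectation failed (no redirect, wrong Location, or no OAM_ID cookie).
    """
    findings = {
        "status": status,
        "redirected": status == 302,
        "location_ok": False,
        "oam_id_set": False,
        "oam_id_secure": False,
        "oam_id_httponly": False,
    }
    location = next((v for k, v in headers if k.lower() == "location"), None)
    # Exact match: the redirect must land on the successurl that was submitted.
    findings["location_ok"] = location == expected_successurl
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        if "OAM_ID" in jar:
            morsel = jar["OAM_ID"]
            findings["oam_id_set"] = True
            findings["oam_id_secure"] = bool(morsel["secure"])
            findings["oam_id_httponly"] = bool(morsel["httponly"])
    findings["login_succeeded"] = (
        findings["redirected"] and findings["location_ok"] and findings["oam_id_set"]
    )
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 302 itself can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def post_direct_auth(oam_base, username, password, successurl, timeout=15):
    """POST the three form fields and return (status, headers) without following redirects.

    oam_base should be https://oam_host:oam_port, as in the post: the body carries a password.
    """
    body = urllib.parse.urlencode(
        {"username": username, "password": password, "successurl": successurl}
    ).encode()
    req = urllib.request.Request(oam_base.rstrip("/") + DIRECT_AUTH_PATH, data=body, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.getheaders()
    except urllib.error.HTTPError as err:
        # With redirects disabled urllib surfaces the 302 as an HTTPError; keep its headers.
        return err.code, list(err.headers.items())


if __name__ == "__main__":
    # Usage: python check_direct_auth.py https://oam_host:oam_port USER SUCCESSURL  (password prompted)
    import getpass
    base, user, success = sys.argv[1], sys.argv[2], sys.argv[3]
    status, hdrs = post_direct_auth(base, user, getpass.getpass("Password: "), success)
    for key, val in check_direct_auth_response(status, hdrs, success).items():
        print(f"{key:18} {val}")
```

Run against a test account, the findings dict tells you at a glance whether the endpoint is enabled (step 1), whether the redirect goes to the successurl that was submitted, and whether the OAM_ID session cookie is being issued with the Secure and HttpOnly attributes; the password is read from a prompt rather than the command line so it does not end up in shell history.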
3. To allow direct authentication only for POST (or vice versa):
i) Log in to the Oracle Access Management administration console and navigate to Policy Configuration, then Application Domains.
ii) Select and edit the default application domain IAMSuite. Navigate to Resources, then search for and edit the resource /oamDirectAuthentication.
iii) Under Operations, de-select all operations that are not to be supported (for example GET and DELETE), leaving only POST selected.
iv) Make sure that the AuthenticationPolicy for /oamDirectAuthentication points to the same AuthenticationScheme as the Internal Portal.
If the above is not present in your OAM environment, create it similar to the screenshots below.
Once the user logs in, they will be redirected to successurl.
4. The URL pattern of the external public-facing Portal needs to be marked ‘Unprotected’ with a ‘PublicAuthenticationPolicy’ that uses an ‘Anonymous Scheme’.
The internal Portal would continue as-is, marked ‘Protected’ with a ‘PrivateAuthenticationPolicy’ pointing to the relevant ‘LDAPScheme’.
The above would need to be done within the appropriate ‘Application Domain’ used for the Portal.
In the screenshot below, /ssologin/.../* represents the URL pattern for an external public-facing Portal.
Oracle Documentation References
Screenshots from a POC on this
Below are the screenshots and a summary from a POC done on OAM 11.1.2.2 with WebCenter Portal/Spaces 11.1.1.8.3 as the Success URL.
The screenshot below shows a public site with a login form. This page is not protected and is meant to represent an external portal.
Once the user enters the required credentials and clicks submit, they are redirected to a protected resource. The protected resource shown below (WebCenter) represents a protected internal portal.
As shown above, the user has successfully authenticated and established an SSO session with Oracle Access Manager.
If the protected resource is accessed directly, a separate authentication method/form is used to challenge the user.