Wednesday, December 14, 2016

Federated SSO fails with integration of DCC webgate [Part-2]

Configure Tunneling in DCC webgate:
  • This is the key step in configuring the DCC HTTP reverse proxy.
  • Log in to the OAM Console and navigate to Application Security -> Agents.
  • Search for the agent registered for DCC Webgate operations.
  • Add the following user-defined parameter to the Webgate configuration:
    • TunneledUrls=/oam,/oamfed


  • Now let's configure the policies for the required tunneled resources.
  • Go to Application Security -> Application Domains.
  • Search for the application domain associated with the DCC Webgate.
  • Go to Authentication Policies.
  • Let's unprotect the following resources with the Anonymous Authentication scheme:
    • /.../*
    • /oam/.../*
    • /oamfed/.../*
  • To unprotect them, create a new authentication policy named 'Public Resource policy' that uses 'Anonymous Authentication'.
  • Create a new authorization policy for unprotecting the resources as shown below.

  • Now add the resources to these authentication and authorization policies. 


  • With the above steps, the configuration of the DCC reverse proxy setup is complete and we can now validate it.
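To make the two decisions configured in this section concrete (which request paths the TunneledUrls parameter makes the Webgate forward to the OAM server, and which authentication policy's resource pattern wins for a given path), here is an added Python model. It is example code written for this post, not Oracle's or the Webgate's own logic. It assumes a simplified reading of OAM resource URL patterns ('/.../' matches any number of directories, '*' matches within one segment, and the most specific matching pattern wins), a constructed protected policy named 'Protected Resource Policy' with an assumed scheme name 'LDAPScheme', and constructed sample paths; the three public patterns and the TunneledUrls value are the ones from this post.

```python
import re

# Constructed sample of the user-defined Webgate parameter from the post
TUNNELED_URLS_PARAM = "TunneledUrls=/oam,/oamfed"

# Constructed policy table for the DCC Webgate's application domain:
# policy name -> (authentication scheme, resource URL patterns).
# 'Protected Resource Policy' and 'LDAPScheme' are assumptions for the
# policy that guards /dcc; the public patterns are the three from the post.
POLICIES = {
    "Protected Resource Policy": ("LDAPScheme", ["/dcc/.../*"]),
    "Public Resource policy": ("AnonymousScheme",
                               ["/.../*", "/oam/.../*", "/oamfed/.../*"]),
}


def parse_tunneled_urls(param):
    """Parse 'TunneledUrls=/a,/b' into a list of URL prefixes."""
    name, sep, value = param.partition("=")
    if name.strip() != "TunneledUrls" or not sep:
        raise ValueError("expected a TunneledUrls=... parameter")
    return [p.strip() for p in value.split(",") if p.strip()]


def strip_query(path):
    """Matching is done on the path component; drop the query string."""
    return path.split("?", 1)[0]


def is_tunneled(path, prefixes):
    """True if the Webgate would forward this request to the OAM server
    instead of treating it as a local resource (whole-segment prefix match)."""
    path = strip_query(path)
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def pattern_to_regex(pattern):
    """Simplified translation of an OAM resource URL pattern to a regex:
    '/.../' matches zero or more directories, '*' matches within a segment."""
    rx = re.escape(pattern)
    rx = rx.replace(re.escape("/.../"), "/(?:.*/)?")
    rx = rx.replace(re.escape("*"), "[^/]*")
    return re.compile("^" + rx + "$")


def specificity(pattern):
    """Count literal characters; the most specific matching pattern wins."""
    return len(pattern.replace("...", "").replace("*", ""))


def best_policy(path):
    """Return (policy name, scheme) of the most specific matching policy, or None."""
    path = strip_query(path)
    best = None
    for name, (scheme, patterns) in POLICIES.items():
        for pat in patterns:
            if pattern_to_regex(pat).match(path):
                cand = (specificity(pat), name, scheme)
                if best is None or cand[0] > best[0]:
                    best = cand
    return None if best is None else (best[1], best[2])


def anonymous_paths(paths):
    """Audit helper: the subset of sample paths that would be served without
    authentication. Because '/.../*' is in the public policy, any path not
    covered by a more specific protected pattern ends up here."""
    result = []
    for p in paths:
        decision = best_policy(p)
        if decision and decision[1] == "AnonymousScheme":
            result.append(p)
    return result


if __name__ == "__main__":
    prefixes = parse_tunneled_urls(TUNNELED_URLS_PARAM)
    sample = [  # constructed sample requests
        "/dcc/dcc.html",
        "/oamfed/idp/initiatesso?providerid=https://saml.salesforce.com",
        "/oam/server/auth_cred_submit",
        "/reports/index.html",  # neither under /dcc nor tunneled
    ]
    for p in sample:
        print(f"{p:68} tunneled={is_tunneled(p, prefixes)!s:5} policy={best_policy(p)}")
    print("served anonymously:", anonymous_paths(sample))
```

The anonymous_paths helper is the check worth keeping: since '/.../*' sits in the public policy, every path in this application domain that no more specific protected pattern covers is served anonymously, so run the real protected URLs through it (adjusting POLICIES to the actual domain) before relying on the setup.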

Validation:

  • Access the protected resource http://<dcc_host>:<dcc_port>/dcc/dcc.html and authenticate. Once authentication succeeds, you will land on the protected resource.
  • Now access the IdP-initiated SSO URL for the Salesforce application, using the DCC hostname and port:
    • https://<DCCHost>:<DCCPort>/oamfed/idp/initiatesso?providerid=https://saml.salesforce.com




  • You should now be SSO'd to Salesforce without being prompted to authenticate again.

If you observe the URL above, /oamfed is the resource being served by the DCC reverse proxy Webgate without adding any reverse proxy redirection on the web server. This is the new tunneling feature introduced to enable federated sign-on to partner applications.

Thank you for visiting. 

Federated SSO fails with integration of DCC webgate [Part-1]

In this post we are going to talk about the integration challenge I faced when introducing a DCC webgate into the architecture.

As described in my earlier post, a DCC webgate provides more security in handling the user credentials submitted from the browser client to the OAM server for validation, along with several other features.

In my earlier environment I had some protected resources authenticating through the ECC-based approach and integrated with applications like Salesforce through federated single sign-on. After configuring the DCC webgate by following the steps in my previous post, SSO to these federated applications was broken. This is because the information required during federated single sign-on was insufficient. So what to do now?

Oracle provides a workaround to achieve single sign-on in this scenario. It is recommended to use the "tunneling" feature of the DCC webgate, introduced in OAM 11.1.2.2, which allows requests for the federation engine in OAM to pass through the webgate. However, you also need to make a couple of other changes, as given below, to achieve this.
  • Configure a DCC webgate to be used as an HTTP reverse proxy
  • Configure OAM to use the above reverse proxy as the load balancer endpoint
  • Add the tunneling parameters to the DCC webgate
By following the above high-level steps, we can front-end the OAM endpoints with the DCC webgate, which will process the requests and enable SSO to the partner applications.

In my example, I will authenticate to a resource protected with the DCC Webgate and then access the IdP-initiated SSO URL for Salesforce, for which I should be seamlessly SSO'd without needing to re-authenticate.

Environment:
  • OAM 11.1.2.3 BP07
  • OHS 11.1.1.7
  • OAM Webgate 11.1.2
  • RHEL6    

Steps:

Configure a DCC Webgate:

It is always recommended to use a designated DCC webgate for handling these reverse proxy operations rather than using the existing OOB Webgate_IDM_11g. So let's register a new webgate.
  • Create a new 11g Webgate to be used as the DCC webgate and click Save.

  • Check 'Allow credential collector operations' and re-save the webgate profile.

  • Follow the steps in my previous post on configuring the DCC webgate.
  • Once configured, verify authentication to make sure DCC authentication works fine.

Configure HTTP Reverse proxy:
  • Now update the OAM load balancer configuration to point to the DCC HTTP server.
  • To configure the load balancer, log in to the OAM console.
  • Navigate to Configuration -> Access Manager Settings.
  • Update the load balancer configuration to point to the DCC web server.
   

To be continued in Part-2