Single Sign On for WebCenter Interaction

I have spent a little time recently setting up single sign on for WebCenter Interaction.

My environment is WebCenter Interaction 10.3 running on Oracle WebLogic Server 10.3 on Windows 2003 Server, with an Oracle HTTP Server (Apache 1.3) HTTP Proxy, Oracle Access Manager providing SSO, and Oracle Internet Directory as the LDAP Authentication Server.  The portal data store is the Oracle 11g Database (11.1.0.7).

There were a few issues, and the documentation does not reflect current versions, which meant I needed to rely on some assistance and a little bit of guessing in addition to the documentation.  As such, I thought this would be a good piece of work to document to make it easier for others to repeat (and for the next time I need to do it!).

I would like to acknowledge assistance from the following people (alphabetical order): Clarence Cheah, Rory Douglas, Iyad Kloub, Ali Mukadam, Luke McQueen, Igor Polyakov, Tamer Qumhieh, Mike Wertzberger and Tanya Williams.

This post contains just the highlights – the stuff that is not in the documentation, or easy to work out.  Following this, I will post complete step by step instructions.

Oracle 11g Database Configuration Issue

There is an issue running WebCenter Interaction 10.3 with Oracle Database 11g.  It seems to be introduced when you install the WebCenter Identity Integration for LDAP module.  After doing this, the overnight jobs start to fail with an SQL error, the portal fails, and will no longer start.  Here is the query you may find in your log files when this happens:

SELECT
  MAX(CS.ACCESSLEVEL) AS ACCESSLEVEL,
  C.NAME,
  C.ISLOCALIZED,
  C.OBJECTID,
  MC2.MEMBERSHIPTYPE
FROM
  PTCOMMUNITIES C,
  PTCOMMSECURITY CS,
  PTVGROUPMEMBERSHIP GM,
  (SELECT
    MAX(MC.MEMBERSHIPTYPE) AS MEMBERSHIPTYPE,
    MC.COMMUNITYID
  FROM
    PTMYCOMMUNITIES MC,
    PTVGROUPMEMBERSHIP GM
  WHERE
    GM.GROUPID=MC.GROUPID
    AND GM.USERID=263
  GROUP BY
    MC.COMMUNITYID) MC2
WHERE
  GM.GROUPID=CS.GROUPID
  AND GM.USERID=263
  AND C.OBJECTID=CS.OBJECTID
  AND C.OBJECTID=MC2.COMMUNITYID
GROUP BY
  C.NAME,
  C.ISLOCALIZED,
  C.OBJECTID,
  MC2.MEMBERSHIPTYPE
ORDER BY
  LOWER(C.NAME) ASC

This query will fail with the error “not a GROUP BY expression.”  Careful inspection of the query seems to indicate that it is fine.  I ran it on an Oracle 10g database and it did run successfully.  After some digging, it seems that the 11g query optimiser may be causing this issue, and the following database setting seems to fix it:

ALTER SYSTEM SET "_OPTIMIZER_GROUP_BY_PLACEMENT"=FALSE;

I also applied the 11.1.0.7 patch to the database.  I did not test this setting on 11.1.0.6, so can’t tell you if it will solve the issue on 11.1.0.6 too.

WebCenter Interaction Configuration

To make WebCenter Interaction work with the HTTP proxy, you need to make some changes to the configuration files located in <BEA_HOME>\alui\settings\portal:

In configuration.xml, you need to locate SystemProperties and change ServerName and HTTPPort to match your proxy server, as shown in the example:

    <component name="portal:SystemProperties" type="http://www.plumtree.com/config/component/types/portal/systemproperties">
       <!-- lines removed for brevity -->
       <setting name="ServerName">
            <value xsi:type="xsd:string">proxy.server</value>
       </setting>
       <setting name="HTTPPort">
            <value xsi:type="xsd:integer">8080</value>
       </setting>
       <!-- lines removed for brevity -->
    </component>

You also need to make a couple of changes in the portalconfig.xml file, which is located in <BEA_HOME>\alui\settings\portal.  The first change goes into the URLMapping component, shown below.  You need to set the ApplicationURL0 and the SecureApplicationURL0 to the URL of the proxy server, not the portal server.  These changes are highlighted below.  In the example, the proxy server is proxy.server:8080.

   <component name="portal:URLMapping" type="http://www.plumtree.com/config/component/types/portal/urlmapping">
        <!-- URLMapping - Entry 0 -->
        <setting name="URLFromRequest0">
            <value xsi:type="xsd:string">*</value>
        </setting>
        <setting name="ApplicationURL0">
            <value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value>
        </setting>
        <setting name="SecureApplicationURL0">
            <value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value>
        </setting>
        <clients>
            <client name="portal"/>
        </clients>
    </component>

The other change you need to make is to turn on SSO.  This is done in the Authentication component.  You need to set the SSO vendor (3 for Oracle Access Manager) and the cookie domain.  These are highlighted in the example below.

  <component name="portal:Authentication" type="http://www.plumtree.com/config/component/types/portal/authentication">
     <!-- lines removed for brevity -->
     <setting name="SSOVendor">
         <value xsi:type="xsd:integer">3</value>
     </setting>
     <setting name="CookieDomain">
         <value xsi:type="xsd:string">.server</value>
     </setting>
     <!-- lines removed for brevity -->
  </component>
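The three settings above have to agree with each other (the portal's SystemProperties, the URLMapping entry and the Authentication component), and a mismatch only shows up at run time as broken redirects or an SSO cookie the browser never sends back.  The following is an added example, not part of the original post or the WebCenter product: a small Python check that reads the two files and reports any setting that does not match the proxy.  The sample XML is constructed from the fragments above (the hosts proxy.server and portal.server and the file layout are assumptions), and one URL and the SSOVendor are deliberately left wrong so the checker has something to find.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples modelled on the fragments above; not the real files.
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
CONFIGURATION_XML = f"""<root {XSI}>
<component name="portal:SystemProperties">
 <setting name="ServerName"><value xsi:type="xsd:string">proxy.server</value></setting>
 <setting name="HTTPPort"><value xsi:type="xsd:integer">8080</value></setting>
</component></root>"""
PORTALCONFIG_XML = f"""<root {XSI}>
<component name="portal:URLMapping">
 <setting name="ApplicationURL0"><value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value></setting>
 <setting name="SecureApplicationURL0"><value xsi:type="xsd:string">http://portal.server:7001/portal/server.pt</value></setting>
</component>
<component name="portal:Authentication">
 <setting name="SSOVendor"><value xsi:type="xsd:integer">0</value></setting>
 <setting name="CookieDomain"><value xsi:type="xsd:string">.server</value></setting>
</component></root>"""


def settings(xml_text, component):
    """Return {setting name: value text} for one named <component> element."""
    comp = ET.fromstring(xml_text).find(f".//component[@name='{component}']")
    if comp is None:
        return {}
    return {s.get("name"): (s.findtext("value") or "").strip() for s in comp.findall("setting")}


def check_proxy_config(configuration_xml, portalconfig_xml):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    sysprops = settings(configuration_xml, "portal:SystemProperties")
    proxy_host, proxy_port = sysprops.get("ServerName"), sysprops.get("HTTPPort")
    # Both URL mappings must point at the proxy (host and port), not the portal host.
    urls = settings(portalconfig_xml, "portal:URLMapping")
    for key in ("ApplicationURL0", "SecureApplicationURL0"):
        u = urlparse(urls.get(key, ""))
        port = u.port or (443 if u.scheme == "https" else 80)
        if u.hostname != proxy_host or str(port) != proxy_port:
            findings.append(f"{key} does not point at the proxy {proxy_host}:{proxy_port}")
    auth = settings(portalconfig_xml, "portal:Authentication")
    if auth.get("SSOVendor") != "3":  # 3 selects Oracle Access Manager
        findings.append("SSOVendor is not 3 (Oracle Access Manager)")
    # The cookie domain must be a parent domain of the proxy host or the SSO cookie is never sent.
    domain = auth.get("CookieDomain", "")
    if not domain.startswith(".") or not (proxy_host or "").endswith(domain):
        findings.append(f"CookieDomain {domain!r} does not cover the proxy host")
    return findings
```

Run it against the real files by reading <BEA_HOME>\alui\settings\portal\configuration.xml and portalconfig.xml into the two arguments.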

Oracle Access Manager Configuration

When you set up the Policy Domain for the WebGate on the HTTP proxy, you need to make the following settings:

  • In the Resources tab, add a resource of type http with URL /portal.
  • In the Default Rules tab, create a Default Rule, with an Authentication post success action that redirects to /portal/SSOServlet and passes a HeaderVar called UID with the cn as its value.
  • Make sure your policy includes GET and POST for http.

Summary

These are key things that needed to be done to get this all working, which were not always easy to work out from the documentation.  I am working with a few of the others here to fully document the whole procedure, and will post that when it is done.

About Mark Nelson

Mark Nelson is an Architect ("IC6") in the Platform Architecture Team in Oracle Development. Mark's focus area is continuous delivery, configuration management and provisioning - making it simple to manage the configuration of complex environments and applications built with Oracle Database, Fusion Middleware and Fusion Applications, on-premise and in the cloud. Before joining the Platform Architecture team, Mark was a senior member of the A-Team since 2010, and worked in Sales Consulting at Oracle since 2006 and various roles at IBM since 1994.

4 Responses to Single Sign On for WebCenter Interaction

  1. mannamrbabu says:

    Hi,
    Please share the OAM configurations document which provides the SSO with WCI and APEX systems.

    • markxnelson says:

      Hi,

      Thanks for your question. I have not tried this myself, however APEX (Oracle Application Express) uses a form based logon mechanism, so it should not be difficult to set up Oracle Access Manager to perform a form-based single sign on.

      Documentation on forms based authentication is available online at http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b25990/v2form.htm#CFHFIGBD

      When I get an opportunity to try this out I will post the results. In the meantime, hope this helps you on your way.

      Regards, Mark Nelson

