We often see customers wanting authenticate users to Oracle Access Manager (OAM) with Kerberos, and fall back to HTML forms if the Kerberos authentication fails. There's an easy way to set this up, but it's not obvious how to do it.
I'm just going to describe the flow here, but that should be enough to help you figure out how to do the actual knob turning yourself. If you run into trouble feel free to ask a question here.
- user accesses http://somemachine.mydomain.com/protected/
- OAM redirects the user to http://trustedmachine.mydomain.com/oamauthenticator/
- on trustedmachine the virtual directory /oamauthenticator/ is protected by IIS' built in Kerberos functionality, and only Kerberos. In other words you should uncheck the Basic, Digest and Anonymous checkboxes in the IIS console.
If the user's workstation is in the domain and they are signed in then their identity will be passed to IIS via Kerberos. If the user's worksation is not in the domain or something goes wrong they will be presented with the 401 error page (see below)
- the OAM WebGate will consume the identity from IIS and pass that identity to the Access Server
- the OAM Access Server will search LDAP for the user
- once the user's OAM session has been established they will be redirected back to http://somemachine.mydomain.com/protected/ along with the ObSSO cookie.
alternative flow for workstations not in a domain or if Kerberos fails:
In step 3 if the Kerberos authentication fails IIS will send the HTML file configured as the 401 page
You can create a plain HTML page that
- contains a conventional OAM login form - prompting the user for their username and password.
- submits to an URL on trustedmachine
- that URL will be associated with a conventional OAM HTML forms login authentication scheme
When the user fills in the form and hits submit:
- the credentials will be passed to the Access Server
- the Access Server will search LDAP for the user and bind to the directory to authenticate them
- if the credentials are correct the user will get an OAM session cookie
- the user will be redirected back to the original resource as in the normal flow above.