Create the Oracle AccessGate application

During this task we will create the Oracle AccessGate application, which will host the required policy.

  1. Sign in to the Access Gateway Admin UI console.
  2. Click the Applications tab.

  3. Click +Add to add a new application.

  4. Select the Oracle Access Gate option from the application menu, and click Create.

    Select header based and click create.

    The New Protected Application wizard starts and displays the Essentials pane for the application being added.

  5. In the Essentials pane specify the following:

    Field Value
    Label A name for the application.
    Public Domain A fully qualified host name such as <yourexternalname>.<your domain>.
    In the example provided, this would be access-gate.externalexample.com.
    Protected Web Resource

    The URL of the internal, protected, application.
    In the example provided, this would be access-gate.internalexample.com:<port>/<path>
    Where:

    • port - the port Oracle Access Gate is listening on for HTTP requests.
    • path - represents the path to the application.

    See also Configure load balancing.

    Group Enter the group containing the users who should have access to the application.

    Post Login URL

    Enter or modify the Post Login URL. By default this field is enabled and contains value:
    access-gate.externalexample.com/OA_HTML/AppsLogin.

    Description Optional. An appropriate description for your application.
  6. Click Next. The Application page appears.
  7. The Application pane provides a list settings particular to Oracle Access Gate.
    Confirm the following fields, modifying values as required, and click Validate.
    FieldValue
    OID DatasourceEnabled.  For more information on data sources see Administer data stores
    OID HostFully qualified host name of the OID Host.
    Default ebs-iam.internalhost.com.
    OID PortThe port used to connect to the OID host.
    Defaults 3060.
    Bind UserThe user use for OID access.
    Defaults cn=oracleuser.
    Bind User PasswordPassword for Bind User.
    BaseUser search base
    Default cn=Users,dc=domain,dc=com

    User Search Attribute

    Attribute to search OID using.
    Default CN.

    Matching Attribute

    Okta attribute used for matching.
    Default: USER_NAME.
    General examples:

    • ${ATTRIBUTE@idp]} - single IDP

    • ${ATTRIBUTE@idp[0]} - multiple IDP

    Where ATTRIBUTE is an Okta tenant attribute rather then an Access Gateway attribute.

    Similar, in concept, to matching filter in LDAP DataStores.

  8. Click Next when complete.
  9. The Attributes page provides a list of attributes that are passed into the application as header fields.
    Confirm the attributes match those required by Oracle Access Gate application.
    Datasource

    Value

    NAME
    idp

    email

    USER_NAME
    oid

    orclguid

    USER_ORCLGUID
    If required, use the Edit () icon to modify the name and other values associated with each attribute.
    Add or modify any additional required attributes. See Application attributes. for more information on attribute options.
  10. Click Next. The Policies pane appears.
  11. Leave all policies unchanged and click Done.
    See Manage application policy for more information on application policies.

Configure load balancing

Available since Access Gateway version 2022.2.3

Important Note

Important

Okta recommends that whenever possible load balancers and Access Gateway as a load balancer be implemented.
See About Access Gateway load balancing.

  1. Expand the Protected Web Resources tab.
  2. In Protected Web Resource tab enable load balancing.
    The Protected Web Resource showing load balancing enabled for this web resource.
    The Protected Web Resource tab will then expand to include a table of hostnames and weights representing the target load balancing instances, initially empty.
  3. Select a URL scheme. All added protected web resources will inherit this scheme. HTTP and HTTPS schemes are supported.
  4. [Optional] Enable and specify Host Header value.
  5. Repeat as required:
    1. Click Add protected web resource.
      A new empty row will be added to the table.
    2. Enter a fully qualified hostname:port combination.
      For example https://backendserver1.atko.com:7001.
    3. Enter a weight between 1 and 100. Enter 0 to specify a disabled host.
      Important Note

      Weights represent the percentage of requests that will be routed to this host.
      For example, two hosts of weights 2:1 would result in requests being routed ~66% to the host weighted 2 and ~33% to the host weighted 1.

    4. Click Okay to add the new host, or Cancel to cancel.
      Click edit () to modify an existing host.
      Click delete() to delete an existing host.
  6. Optional Configure health checks:
    Health checks are optional and use GET operations to confirm back and resources are functional.
    Resources deemed unhealthy are not routed new requests.

    1. Enable health checks.
      The health check slider shown in the enabled position.
    2. Click Edit to modify health check settings.
    3. Modify settings as required.
      FieldValue

      Default

      PathURI to resource used in health check./
      MethodHTTP method used.Always GET
      Status codeHTTP status code used to determine health.200
      IntervalInterval between health checks in seconds.10
      Request timeoutHealth check request timeout in seconds.1
      Healthy thresholdNumber of successful requests before a host is considered healthy.3
      Unhealthy thresholdNumber of failed requests before a host is considered unhealthy.3
    4. Click Save to save changes.
      Click Cancel to cancel changes.

Configure certificates

    Important Note

    Important

    While optional, Okta recommends that all applications include certificates.
    See About Access Gateway certificate use for general information about certificate.
    See Certificate management tasks for a general task flow for obtaining and assigning certificates.  

  1. Expand the Certificates tab.
    Note

    Note

    By default a wildcard self signed certificate is created and assigned to the application when the application is initially created.

  2. Optional. Click Generate self-signed certificate

    A self-signed certificate is created and automatically assigned to the application.
  3. Optional. Select an existing certificate from the list of provided certificates.
    Use the Search field to narrow the set of certificates by common name.
    Use the page forward (>)and backward(<) arrows to navigate through the list of available certificates.

  4. Click Next. The Attributes pane appears. See Application attributes.

    Note

    Note

    The required attributes are pre-populated, and are presented for reference.

  5. Verify the login attribute:

    Data Source Field Type Name
    IDP

    login

    Info

    Note

    The attribute in your Okta tenant that stores the PeopleSoft username. This can be a different attribute or can use Okta username mapping to create the PeopleSoft username dynamically.

    Header PUBUSER
  6. Click Done.