Showing posts with label manager.

Thursday, July 9, 2015

OIM / OID : Referential Integrity for referenced group memberships on change username

Use Case
Changing a username (typically via the OIM APIs) does not update the user's group memberships. When the username changes, the user's cn changes; because the cn is the RDN of the user's DN, the DN changes too, and every group that references the user by the old DN is left pointing at an entry that no longer exists.
This happens because "Referential Integrity" is turned OFF by default in both OID and OIM.


"Because the CN changed, Oracle Identity Manager attempts a modify operation (modrdn) in the directory resulting in DN change. Because of this unintended DN change, the group membership DN becomes stale resulting in the user losing membership in that group. This subsequently results in authorization failure. This happens when referential integrity is turned off in the LDAP server, and therefore, the referenced groups are not updated when the RDN of the user changes. Therefore, referential integrity must be turned on in the target LDAP server. Otherwise, the group memberships become stale. The referential integrity issue is also applicable to roles. Groups are also members of other groups and any RDN changes must be reflected as well."

See the table in the linked documentation for what happens when this property is set inconsistently between OIM and OID.
  • Turn on the Referential Integrity check in OID:
Set orclRIEnabled to 2 (synchronous mode) under cn=dsaconfig,cn=configsets,cn=oracle internet directory. The default value is 0 (off); 1 enables asynchronous mode.
http://docs.oracle.com/cd/E15586_01/oid.1111/e10029/ref_integ.htm
  • In OIM, set the system property XL.IsReferentialIntegrityEnabled to TRUE.
With both settings in place, a username change is seamless and leaves no dangling group references behind. LDAP Sync must be enabled between OIM and OID for this to work as expected. A stale member DN is not only an availability problem: the membership is effectively held by whichever entry later occupies that DN, so also clean up any references that were orphaned before referential integrity was switched on.
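As an added example (not from the original post): the LDIF that flips orclRIEnabled, applied with ldapmodify, and a small check that lists group member references which no longer resolve to a user entry, i.e. memberships already orphaned by renames done while referential integrity was off. The host name, port, bind DN and the sample directory exports are assumptions; the check reads the plain LDIF that ldapsearch prints.

```shell
#!/bin/sh
# Added example, not from the original post. The host, port, bind DN and the
# LDIF samples below are constructed placeholders.

# LDIF that turns OID referential integrity on in synchronous mode
# (orclRIEnabled: 0 = off, 1 = asynchronous, 2 = synchronous).
# Apply it with, for example (host/port/bind DN assumed):
#   ri_enable_ldif | ldapmodify -h oid.example.com -p 3060 -D cn=orcladmin -q
ri_enable_ldif() {
  cat <<'EOF'
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
replace: orclRIEnabled
orclRIEnabled: 2
EOF
}

# Report group members that no longer resolve to a user entry.
# $1 = LDIF export of users, $2 = LDIF export of groups, such as
#   ldapsearch -h ... -b cn=Users,dc=example,dc=com "(objectclass=person)" dn
#   ldapsearch -h ... -b cn=Groups,dc=example,dc=com "(objectclass=groupofuniquenames)" uniquemember
# DNs are compared case-insensitively, as the directory does. Folded or
# base64 (::) attribute lines are not handled; unfold the export first.
orphaned_members() {
  awk '
    FNR == NR {                                  # first file: index user DNs
      if (tolower($0) ~ /^dn: /) users[tolower(substr($0, 5))] = 1
      next
    }
    tolower($0) ~ /^dn: / { group = substr($0, 5) }
    tolower($0) ~ /^uniquemember: / {
      member = substr($0, index($0, ": ") + 2)
      if (!(tolower(member) in users)) printf "%s -> %s\n", group, member
    }
  ' "$1" "$2"
}

# Constructed sample: jsmith was renamed to jsmith2, but the Admins group still
# references the old DN; the other member differs only in case and is fine.
sample_users() {
  cat <<'EOF'
dn: cn=jsmith2,cn=Users,dc=example,dc=com
cn: jsmith2

dn: cn=Alice Liddell,cn=Users,dc=example,dc=com
cn: Alice Liddell
EOF
}

sample_groups() {
  cat <<'EOF'
dn: cn=Admins,cn=Groups,dc=example,dc=com
uniquemember: cn=jsmith,cn=Users,dc=example,dc=com
uniquemember: CN=alice liddell,CN=Users,DC=example,DC=com
EOF
}

# Run the check against the sample export and print the stale references.
demo_orphans() {
  u=$(mktemp) && g=$(mktemp) || return 1
  sample_users > "$u"
  sample_groups > "$g"
  orphaned_members "$u" "$g"
  rm -f "$u" "$g"
}

demo_orphans
```

Run the check once before enabling referential integrity and fix what it reports by hand; the directory only starts maintaining references from the moment orclRIEnabled is set.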

Wednesday, February 18, 2015

OAM Single-Sign-On (SSO) Deployment Architecture : Best Practice

Recently I came across a couple of OAM deployment architectures which have been implemented and can potentially cause multiple issues:
  • Using the same OHS instance that has a WebGate deployed on it both to reverse proxy to the OAM servers and to front the target application that needs to be protected (e.g. WebCenter)
  • Front-ending the OAM servers directly with an external load balancer (LBR), skipping the web server layer altogether
Ideally, OAM should be front-ended by a web server/OHS instance of its own, to:
  • Keep the OAM HTTP traffic on a separate stream from the application's traffic
  • Scale the SSO architecture to other target applications: when the same OAM server is reused for a new application that needs SSO, a standalone OHS that only services requests to OAM (and has no WebGate on it) is a must
  • Let static files needed by the OAM-related applications (JavaScript, CSS, etc.) be cached at the OHS layer

(Image courtesy: A-Team blog)

If a load balancer must front-end the OAM server directly instead of an intermediate OHS (probably due to cost constraints), place that LBR inside the corporate network (in addition to the external LBR that front-ends the application OHS instances), not in the DMZ. An LBR in the DMZ pointing straight at OAM would expose a server that belongs in the application tier directly to the outside.

Courtesy:
1) Forum post, logged because a few items in the A-Team blog below were not crystal clear
2) A-Team blog

Monday, October 6, 2014

OAM 11gR2 : Single-Sign-On to an internal Portal, logging in from an external facing public Portal

A common requirement for many Portal clients:
Allow single sign-on access to an Internal Portal, with the user logging in from an external portal using a custom login form (one at the top right corner of the screen).
Why is this not straightforward?
You might ask what the big deal is. Isn't this just a standard custom login page? No: a standard OAM custom login page posts to the /oam/server/auth_cred_submit endpoint along with a request_id parameter that identifies the protected resource to navigate to on successful authentication. In short, the user solicited the protected page, a series of redirects landed them on the custom login page, and after they authenticate the resource is looked up from request_id and navigated to.
In the scenario above, the user needs to land on a resource that was never solicited, e.g. the user requested www.oracle.com and after logging in needs to be taken to oracle.com/EmployeePortal.
This introduces the concept of Unsolicited Login:
Unsolicited Login is used to authenticate a user without any request_id or resource. The page navigated to on successful authentication is not one that was initially solicited, hence the name.
Oracle introduced this feature in 11gR2 (11.1.2.x). Prior to 11gR2 it had to be custom built.

Following are the steps needed to enable this feature in OAM :
1. Enable Direct Authentication for OAM.
In the OAM domain for your installation, open config/fmwconfig/oam-config.xml and ensure that ServiceStatus under DirectAuthenticationServiceDescriptor (itself under OAMServicesDescriptor) is set to true.

It is highly recommended that you first stop the Admin Server and the OAM cluster before changing oam-config.xml. It is sufficient to make the change in the oam-config.xml under AdminServer/config/fmwconfig and increment the Version field by 1; once the Admin Server and the OAM cluster are restarted, the cluster's copy of oam-config.xml is updated automatically.
2. Submit the following information to the endpoint via Custom Login Form (External Public facing Portal Page) https://oam_host:oam_port/oam/server/authentication:
a.      username
b.      password
c.       successurl, for example, http://machinename.mycompany.com:7778/sample-web/headers.jsp.
Code Example
<!-- Custom login form on the public portal. It posts straight to the OAM direct authentication endpoint over HTTPS. successurl is the protected internal page the user lands on after authentication, so it is a hidden field, not something the user types. -->
<form id="loginForm" name="loginForm" action="https://OAMHost:Port/oam/server/authentication" method="post">
<input id="username" type="text" name="username" />
<input id="password" type="password" name="password" />
<input id="successurl" type="hidden" name="successurl" value="http://chinni-pc:7777/" />
<input type="submit" value="submit" />
</form>
You can drop the snippet above into a JSP and package it in the same custom login page archive used for the Internal Portal; redeploy that archive to the WebLogic Server for the change to take effect.
If the external portal page is plain HTML or the like, serve the snippet as a JSP and embed it in an iframe.
Once the credentials are validated, the OAM Server sets the OAM_ID cookie and redirects to the success URL (HTTP response code 302).
Note: the Internal Portal login page and code do not need to change.
3. To allow direct authentication only for POST (or vice-versa):
i) Log in to the Oracle Access Management administration console and navigate to Policy Configuration, then Application Domains.
ii) Edit the default application domain IAMSuite. Navigate to Resources, then search for and edit the resource /oamDirectAuthentication.
iii) Under Operations, de-select every operation other than POST (for example GET and DELETE), so that credentials can only arrive in a request body and never in a URL that ends up in web server logs or browser history.
iv) Make sure that the authentication policy for /oamDirectAuthentication points to the same authentication scheme as the Internal Portal.
If this resource is not present in your OAM environment, create it as in the screenshots below.

Once the user logs in, they are redirected to successurl.

4. The URL pattern of the external Public facing Portal needs to be marked as ‘Unprotected’ with a ‘PublicAuthenticationPolicy’ which uses an ‘Anonymous Scheme’.
The internal Portal would continue to be as-it-is marked ‘Protected’ with a ‘PrivateAuthenticationPolicy’ pointing to the relevant ‘LDAPScheme’.

The above would need to be done within the appropriate ‘Application Domain’ which is used for the Portal.

In screenshot below, /ssologin/.../* represents the URL pattern for an External public facing Portal.
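The exchange described in steps 2 to 4 above, as an added example that is not part of the original post: a curl call that submits the same three fields the form posts, and a check of the response that treats only a 302 carrying an OAM_ID cookie and a Location under the success URL as success. The OAM host and port, the account, the success URL and the sample responses are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. oam.example.com, the account,
# the success URL and the sample responses are constructed placeholders.

# Post credentials to the direct authentication endpoint exactly as the custom
# login form does. -D - writes the response headers to stdout and -o /dev/null
# drops the body; --data-urlencode form-encodes each field. Always use HTTPS:
# the password travels in the request body.
oam_direct_auth() {   # $1 host:port  $2 username  $3 password  $4 successurl
  curl -s -o /dev/null -D - \
    --data-urlencode "username=$2" \
    --data-urlencode "password=$3" \
    --data-urlencode "successurl=$4" \
    "https://$1/oam/server/authentication"
}

# Judge a header dump: success means a 302 whose Location is under the
# successurl and which sets the OAM_ID session cookie. Prints a verdict and
# returns 0 only on success, so it can gate a deployment smoke test.
check_direct_auth_response() {   # $1 response headers  $2 expected successurl
  status=$(printf '%s\n' "$1" | awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 }')
  location=$(printf '%s\n' "$1" | awk 'tolower($1) == "location:" { print $2; exit }' | tr -d '\r')
  has_oam_id=$(printf '%s\n' "$1" | grep -ic '^set-cookie: *oam_id=') || true
  if [ "$status" != "302" ]; then
    echo "no redirect (status ${status:-none}): authentication did not succeed"
    return 1
  fi
  if [ "$has_oam_id" -eq 0 ]; then
    echo "302 without an OAM_ID cookie: no SSO session was established"
    return 1
  fi
  case "$location" in
    "$2"*) echo "authenticated: OAM_ID set, redirected to $location"; return 0 ;;
    *)     echo "authenticated but redirected to $location, not the success URL"; return 1 ;;
  esac
}

# Usage against a live server (host names assumed):
#   hdrs=$(oam_direct_auth oam.example.com:14100 jsmith 'secret' \
#          https://wc.example.com:7777/webcenter/portal/home)
#   check_direct_auth_response "$hdrs" https://wc.example.com:7777/webcenter

# Constructed response headers, shaped like the behaviour the post describes.
SAMPLE_OK='HTTP/1.1 302 Found
Set-Cookie: OAM_ID=constructed-sample-value; path=/; HttpOnly; secure
Location: https://wc.example.com:7777/webcenter/portal/home
Content-Length: 0'

SAMPLE_NO_SESSION='HTTP/1.1 200 OK
Content-Type: text/html'

check_direct_auth_response "$SAMPLE_OK" https://wc.example.com:7777/webcenter
```

Because the endpoint accepts credentials from an unprotected page, run this probe against the HTTPS listener only, and keep the /oamDirectAuthentication resource restricted to POST as in step 3 so a GET with the password in the query string is refused rather than logged.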

Oracle Documentation References
Screenshots from a POC on this
Below are the screenshots and summary from a POC done on OAM 11.1.2.2 with WebCenter Portal/Spaces 11.1.1.8.3 as the Success URL.

The below screenshot represents a public site with a login form. This page is not protected and is meant to represent an external portal.
Once the user enters the required credentials and clicks submit, they will be redirected to a protected resource. The protected resource shown below (WebCenter) is to reflect a protected internal portal.
Shown above, the user has successfully authenticated and has established an SSO session with Oracle Access Manager.
If the protected resource is accessed directly, a separate authentication method/form will be used to challenge the user. 

Saturday, August 23, 2014

OAM 11gR2/WebLogic : The importance of parameters in mod_wl_ohs.conf (web server plug-ins)

The configuration of various parameters in the web server plug-in plays a major part in ensuring that single sign-on using OAM works correctly.

Oracle Documentation -
http://docs.oracle.com/cd/E23943_01/web.1111/e14395/plugin_params.htm

This post is intended to share my experiences with certain parameters and the repercussions if you don't include them :)

WLProxyPassThrough
WLProxySSL works well when the web server itself terminates SSL. When SSL is instead terminated by a load balancer, the request reaches OHS over plain HTTP and mod_wl strips any incoming WL-Proxy-SSL header, so WebLogic Server never sees it and request.isSecure() always returns false. With this directive set to ON, the plug-in keeps the incoming WL-Proxy-SSL header, which lets WebLogic Server know that the original request was initiated over SSL. The WL-Proxy-SSL header must only be sent when the inbound traffic to the load balancer really was SSL (HTTPS); a load balancer that forwards it unconditionally, or accepts it from clients, would let a plaintext request pose as a secure one.

Error Scenario

Once I added this parameter under the <IfModule weblogic_module> tag and set it to true, this issue no longer recurred.




WLCookieName
If you change the name of the WebLogic Server session cookie in the web application, you need to set the WLCookieName parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor (weblogic.xml), in the <session-descriptor> element.

Error Scenario:
The WebCenter Portal application I was implementing SSO for using OAM had changed the WebLogic session cookie name to a non-JSESSIONID value for some reason.
This was not giving me any issues until I configured a "WebLogic Cluster" value (instead of "WebLogic Host") in the OHS layer pointing to the WebCenter managed servers. Once I did so, the WebCenter Portal page would not load; instead it gave me a flickering page with constantly changing values of adf_ctrl.state.
This issue was resolved once I added WLCookieName <cookieName> under the context root tag for the WebCenter Portal app in mod_wl_ohs.conf.

This post is also relevant in this regard.
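An added example (not from the original post) that puts both parameters into one mod_wl_ohs.conf fragment and adds the pre-deployment check a practitioner would want: that the WLCookieName the plug-in routes on matches the <cookie-name> in the application's weblogic.xml, the mismatch that produced the flickering page above. Host names, ports, the context root and the cookie name are assumptions. The plug-in parameter reference linked above also documents WLProxySSL and WLProxySSLPassThrough, which deal specifically with the WL-Proxy-SSL header; confirm the parameter name for the plug-in version you run.

```shell
#!/bin/sh
# Added example, not from the original post. Host names, ports, the context
# root and the cookie name are constructed placeholders.

# mod_wl_ohs.conf fragment with the two parameters discussed above.
mod_wl_ohs_fragment() {
  cat <<'EOF'
<IfModule weblogic_module>
  # SSL terminates on the external load balancer, which forwards plain HTTP to
  # OHS and adds WL-Proxy-SSL. Keep that header so WebLogic sees the request as
  # secure. The load balancer must add it only for HTTPS client connections.
  WLProxyPassThrough ON
</IfModule>

<Location /webcenter>
  SetHandler weblogic-handler
  WebLogicCluster wc1.example.com:8888,wc2.example.com:8888
  # Must equal <cookie-name> in the application's weblogic.xml (default
  # JSESSIONID); otherwise the plug-in cannot route a session back to the
  # cluster member that owns it.
  WLCookieName WC_PORTAL_SESSION
</Location>
EOF
}

# Constructed weblogic.xml for the application deployed behind /webcenter.
weblogic_xml_sample() {
  cat <<'EOF'
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <session-descriptor>
    <cookie-name>WC_PORTAL_SESSION</cookie-name>
  </session-descriptor>
</weblogic-web-app>
EOF
}

# Pre-deployment check: the cookie name the plug-in routes on must match the
# one the application sets. $1 = mod_wl_ohs.conf, $2 = the app's weblogic.xml.
# Either side falls back to WebLogic's default, JSESSIONID, when unset.
check_cookie_name() {
  conf_name=$(awk 'tolower($1) == "wlcookiename" { print $2; exit }' "$1")
  app_name=$(sed -n 's:.*<cookie-name>\([^<]*\)</cookie-name>.*:\1:p' "$2" | head -n 1)
  conf_name=${conf_name:-JSESSIONID}
  app_name=${app_name:-JSESSIONID}
  if [ "$conf_name" = "$app_name" ]; then
    echo "ok: plug-in and application both use $app_name"
    return 0
  fi
  echo "mismatch: plug-in routes on $conf_name, application sets $app_name"
  return 1
}

# Run the check twice: with the fragment as written, and with WLCookieName
# left out (the situation that produced the flickering page above).
demo_cookie_check() {   # $1 = "ok" or "missing"
  conf=$(mktemp) && xml=$(mktemp) || return 1
  if [ "$1" = "missing" ]; then
    mod_wl_ohs_fragment | grep -v WLCookieName > "$conf"
  else
    mod_wl_ohs_fragment > "$conf"
  fi
  weblogic_xml_sample > "$xml"
  check_cookie_name "$conf" "$xml"
  rc=$?
  rm -f "$conf" "$xml"
  return $rc
}

demo_cookie_check ok
```

Point check_cookie_name at the real mod_wl_ohs.conf and the weblogic.xml inside the deployed WAR before switching from WebLogicHost to WebLogicCluster; with a single host the mismatch is invisible, which is why it only surfaced after clustering.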

Oracle IDM 11gR2 : Integrating with MS Active Directory 2003

The latest versions of OIM and OAM 11gR2 (11.1.2.x) do not support LDAP Sync or OIM-OAM integration with Active Directory (AD) 2003, per the 11gR2 certification matrix.
We had a use case to support federation using OAM 11gR2 somehow with AD 2003 as the Identity Store.

Option 1: Using OVD
We noticed that the latest version of OVD was 11.1.1.7, which happens to support AD 2003 per the 11gR1 FMW certification matrix. So potentially we could hook OAM up with OVD as the Identity Store and still connect to Active Directory 2003, which is not directly supported!
Extending this, we could provision to OVD from OIM, which would finally create the relevant user accounts in Active Directory 2003!
Oracle confirmed this in SR # 3-9503114871 (you may not be able to view it directly but can refer to it in another SR if need be).

Option 2: Using OID and DIP
Stand up OID (11.1.1.7 is the latest as of today) and sync the existing users from AD 2003 using a DIP synchronization profile.

Option 3: Use IDM 11gR1
Least preferred, since it's never a good idea to go back to an older release when the newer release has so much to offer and IDM 12c is in the pipeline. If none of the above can be made to work for whatever reason, AD 2003 is definitely supported with both OIM and OAM 11gR1 (11.1.1.x).

Monday, August 11, 2014

OAM 11gR2 : 500 Internal Server Error after registering new 11g Webgate

I got the error in the subject after I had registered a new WebGate, done the other necessary configuration and tried to access a WebCenter Portal page I was trying to protect.

The error in oblog.log said:


Request Failed for : /index.html, Resp Code : [500]
OBWebGate_AuthnAndAuthz: Cannot get message for ObAccessException_NO_AGENT_KEY


Oracle Support had a similar issue for Fusion Apps, which did not really help:
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1534423.1

Finally, after using the OAM Tester, a colleague suggested editing and re-copying the WebGate-related files from the output directory of the OAM domain for that WebGate to <OHS_Instance>/config/OHS/ohs1/webgate/config. (For an 11g WebGate the registration output is ObAccessClient.xml and cwallet.sso, and the wallet holds the agent key that NO_AGENT_KEY says the WebGate could not find.)

Hope this helps someone facing a similar issue.

Debugging SSO issues using OAM Tester

The OAM Tester is a handy desktop tool for troubleshooting access to resources protected by OAM. It gives you basic logs and tells you exactly which stage fails (authentication, authorization, etc.).

It is a quick way to confirm that everything works at the OAM layer without digging through logs or using browser tools like Firebug, HTTP Analyzer or Fiddler.

The port for the server connection is 5575, the Oracle Access Protocol (OAP) port of the Access Manager server. The rest should be self-explanatory.

Copy the tester files from <ORACLE_IAM_HOME>/oam/server/tester and launch oamtest to get to this dialog.
Links from Oracle documentation:

Thanks to my colleague Shivram Sundaram for helping find this, thus quickly resolving multiple issues.

Note: I was on the 11gR2 version of OAM.

Saturday, July 5, 2014

Allowing unauthenticated access to Webcenter Content/UCM public documents via OAM SSO

Recently we had a requirement at a client that public documents in UCM be accessible via the SSO URL (the OHS port) without the user being challenged for credentials.

Sounds pretty straightforward, right? After all, when using the Content Server's default managed server port of 16200, those documents don't prompt for credentials.
Well, it wasn't that simple! It took us (myself, Sachin Saxena et al) a few days to figure this out exactly, and now we have Oracle's stamp on it as well!
These are examples of documents that needed to be publicly accessible:
1) http://<host>:7778/cs/idcplg?idcService=GET_FILE&dID=1445&dDocName=DEV_COMPLOGO_31364&allowInterrupt=1
(Accessing the public document 'DEV_COMPLOGO_31364', which has the Public security group, via IdcService)
2) http://<host>:7778/cs/groups/public/documents/digitalmedia/b2dv/xzmx/~edisp/dev_complogo_31364.jpg
(This has a definite URL pattern of /cs/groups/public)
3) This general service/document search page also needs to open without authentication:
http://<host>:7778/cs/idcplg?IdcService=GET_DOC_PAGE

**Oracle Access Manager (OAM) protects URLs and, at most, specific URL parameters; it cannot look inside an application and evaluate the security assigned to a resource to decide whether to challenge for credentials.
(In this case, it cannot check the authorization/security group of the file DEV_COMPLOGO_31364 behind an IdcService URL.)**

Hence we have only the following options:
1) Mark the URL pattern /cs/groups/public as unprotected in the OAM application domain, so the user is not challenged for pattern 2 above.
2) Create a mapping folder pattern in UCM (a pretty URL) to access the content, even WebDAV content.
3) Configure the IdcService URL pattern as public in OAM (something like http://oamserver.com/cs/idcplg as the URL with the query parameter IdcService=GET_FILE). With that pattern public, anyone who knows a dID can construct the URL of a private document and bypass OAM, so UCM's own security becomes the only control: once the request reaches UCM, it is denied because the requester is not authenticated or lacks the required permissions. [Courtesy: Shidharth Mishra]

References
1)Oracle SR [Closed]            2) Forums

Tuesday, July 1, 2014

Database Security - Enterprise User Security (EUS)

About Enterprise User Security (EUS)
  • Enterprise User Security (EUS) is a way of integrating Oracle Database with an LDAP-compliant directory server such as Oracle Internet Directory (OID) or Microsoft AD, so that database users, passwords and roles can be centrally managed in the directory.
  • Belongs to Database Security category of the IdM stack.
Advantages 
  • Offers low costs & centralized authentication.
  • Increases security & compliance.
  • No data migration needed , clients continue to use existing directories.
Architecture
  • Oracle Virtual Directory (OVD) has a EUS Adapter and EUS Plugins OOTB.
  • The LDAP Directory (OID or AD or Novell or Sun eDirectory) needs to be setup for EUS.
  • The Oracle Database/s need to be EUS enabled using NETCA & DBCA utility.
  • The Database/s can be logged into using a centralized EUS User/s later.
  • Kerberos authentication can be enabled to do native authentication for SQL clients like sql plus & SQL Developer.
Useful Resources 
  1. EUS DataSheet with Architecture
  2. Enterprise User Security Guide
  3. Integrating Enterprise Security with AD
  4. Oracle Whitepaper
  5. Atul Kumar’s Blog
  6. How To Configure EUS with OVD 11.1.1.6 and Active Directory - AD (Doc ID 1449132.1)
  7. Expected Issues - How To Avoid Extending The Active Directory Schema With extendAD For OVD-OID-AD-EUS 11g Integration? (Doc ID 1159337.1)

Monday, June 9, 2014

Impersonation feature for WebCenter Spaces 11.1.1.8 with Oracle Access Manager (OAM) 11gR2

What is Impersonation ? 
WebCenter Portal Impersonation lets a WebCenter Portal administrator or system administrator assign impersonation rights to a group of users ("impersonators"), such as support representatives or application administrators, so that they can impersonate another Portal user and perform operations as that user ("impersonatees"). This may be useful in the following instances:
  • A customer support representative may want to perform actions as another user in order to understand the issues being faced by that user
  • An administrator may want to perform operations on behalf of a user
  • A company executive may need to delegate someone to act on his or her behalf while away. (Source : Oracle Documentation)





Pre-requisites
1) WebCenter Spaces 11.1.1.8+
2) Oracle Access Manager (OAM) 11.1.2 (11gR2+)
3) Setup is needed in OAM, in the WebCenter Spaces application via EM, and in Oracle Internet Directory (OID) for the users (OID 11.1.1.7+)

Key Advantages
1) The feature just needs to be configured as mentioned above. The effort is markedly less than implementing it in a custom manner using ADF/web technologies.
2) Once configured along with OAM, impersonation sessions can be monitored in OAM.
3) Out-of-the-box UIs are available and supported by Oracle, so the solution is standardized.
4) Being a very common use case, the feature can be used to sell OAM, and the Security Team has the expertise to implement it within a couple of weeks.

Note
  • After weeks of ado, I have got this up and running in our environments for WebCenter Spaces 11.1.1.8, which is Oracle's new way of developing WebCenter portal applications.
  • But for a custom portal application in 11.1.1.8, though security task flows for impersonation are available in JDeveloper, impersonation is not currently supported (Doc ID 1606526.1); I have an ER open with Oracle [BUG 18882638 - ENABLE IMPERSONATION FOR WEBCENTER CUSTOM FRAMEWORK APS]

Walkthrough of this new and exciting feature via screenshots:
1) Screen in WC Spaces / Custom Portal security task flow to select impersonators (validation that rejects users who have not been set up as impersonators is available out of the box).




2) Search Impersonators screen.
Only users who have been granted impersonator access in OID can be found here.






3) Selected impersonator, who can be given access rights for a time duration.




4) Once the Switch User link is clicked (as in the second image above) after logging in with the impersonator's credentials, the impersonator is asked to enter their credentials, as shown below.

5) Once logged in, the impersonation session is in progress. Remember: the impersonatee's credentials were not used at all!
Click on Stop Impersonation to return to the impersonator's home page.
6) Cool feature  !! Monitor the Impersonation session as an Admin in OAM Console as below

Reference