Facebook

Showing posts with label policy. Show all posts
Showing posts with label policy. Show all posts

Thursday, March 29, 2018

Okta Session : How to Set Maximum Session Timeout using APIs

Quite often, an application developer would need a maximum time after which a session should be destroyed irrespective of activity. This is also called the Maximum Session Timeout.

Okta is a popular cloud based Identity and Access Management Platform used as an Identity Provider enabling secure and seamless access to all applications via any device.

As of today, there’s NO setting in the Okta UI to set Maximum Session Time
The Session Lifetime setting in the Okta GUI is for Maximum Idle Session Time.
However, there’s an option to do this via APIs using SignOn Policy APIs


We can create Policies via APIs or from GUI .. Admin -> Security -> Authentication -> SignOn Policies-> Create Policy -> Create Rules and then update the maxSessionTimeoutInMinutes using API calls as shown in the screenshot.

If you are unaware of how to get started with Okta APIs and/or to setup Postman, please check this link.

Posted by
Labels: , , , , , , , , , , , , ,

Thursday, March 26, 2015

Oracle API Gateway (OAG) : Concept & marriage with SOA & Mobile

Oracle API Gateway is a standards-based, policy-driven, standalone software security solution that provides first line of defense in Service-Oriented Architecture (SOA) environments.
It enables organizations to securely and rapidly adopt Cloud, Mobile and SOA Services by bridging the gaps and managing the interactions between all relevant systems.
Oracle Web Services Manager(OWSM) is generally used for application security of a particular service,most customers have any use cases around DMZ or Perimeter Security for Web Services. This product serves as a part of the enterprise security solution.
This would be typically for customers needing access to web services from the internet, similar to how we access a web application. OAG can do a  lot of validations
and route the requests only once those checks have passed. This may also be a typical use case for Mobile Applications which use REST Web Services at the backend.
I have seen a strong value in this security product for all SOA and Mobile projects.
Here’s a high-level request flow :
There are many advantages that OAG can provide :
–   Authentication, Authorization (Leverages existing LDAP like AD ; existing IDM platforms for this – RSA AM, CA Site Minder, Oracle Access Mgr)
–   XML Acceleration, Throttling, Caching, Protocol translation (REST to SOAP and vice versa), Dynamic routing, SLA enforcement
–   Identity Propagation and Credential Mapping , Filter threatening content (XML Bombs, DOS Attacks, Virus)
Oracle OEMs (or Original Equipment Manufacturing) the OAG product from AxWay – AxWay’s gateway product is rebranded for Oracle as OAG, and is almost identical.
Oracle  Datasheet
Posted by
Labels: , , , , , , , , , , , , , , , , , , ,

Tuesday, February 17, 2015

How to create new Admin users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.
Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having more privileges than are needed certain admin functions having access to multiple realms on OID. 

While there is no documented way to create a second superuser for OID, like cn=orcladmin. But, a user with the same privileges as the realm Admin (cn=orcladmin,dc=<companyName,dc=com) can be created and used for the following use cases : 
  • Use in OAM Console for Identity Store credentials
  • Providing ODSM login capability to admin users to view/modify the LDAP Tree for their realm
  • Any kind of CRUD based LDAP APIs used in Java Code
  • Separate password policies can be created for these users which are different from the cn=orcladmin superuser etc.

This user can be created as follows : 
  1. Create an LDIF file with the following content
    dn: cn=myadmin,cn=Users,dc=oracle,dc=com
    givenname: myadmin
    sn: myadmin
    cn: myadmin
    uid: myadmin
    mail: myadmin@oracle.com
    objectclass: top
    objectclass: person
    objectclass: inetOrgPerson
    objectclass: orclUser
    objectclass: orclUserV2
    objectclass: organizationalPerson

  2. Run ldapadd
    ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -f <LDIF_filename>
        Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .

3.  Confirm that you are able to bind successfully as the newly created user
  ldapbind -h <OID_host> -p <OID_port> -D      "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

4. Get the existing group memberships for the orcladmin user
  ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w    <password> "<DN_of_orcladmin>" "dn"

Alternatively use 'Import' feature in Data Browser tab of ODSM to import the SuperUser.ldif file attached (essentially contains the all groups to be added for a Realm Admin in LDIF format)

Reference Doc ID 454796.1

Good reads 

1) Creating read-only users in OID
2) How to unlock superuser cn=orcladmin account in OID
Posted by
Labels: , , , , , , , , , , , , , , , , , , ,

Creating Read-Only Users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.
Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having way more privileges than are needed for non-admin functions. We should create read-only LDAP users for the following use cases :
  • LDAP Monitoring at the F5/Load Balancer level (LDAP health check using ldapbind) 
  • Use for username/password for Authenticators in Weblogic Console (which are for only authentication purposes)
  • Providing ODSM login capability to non-admin users to view the LDAP Tree (based on allowed ACLs)
  • Any kind of query only LDAP APIs used in Java Code
  • Separate password policies can be created for read-only users which are different from superusers/realm-admins
Only three tabs are visible in ODSM for read-only users : Home, Data Browser, Schema.
Security and Advanced tabs are not visible.


One of the ways in which the read-only users can be created is : 

  1. Create a text file (e.g., readonly.ldif) with the following:
    dn: cn=readonly, cn=Users,< subscriber domain >
    userpassword: < password >
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    mail: readonly
    givenname: readonly
    uid: readonly
    description: account to have readonly access
    sn: readonly
    cn: readonly

 2. Load the above file with ldapadd command :
ldapadd -h <OID_host> -p <OID_port> -D cn=orcladmin -w <password> -v -f readonly.ldif

Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .
The key is to make sure the user is not a member of any groups.

3. Check Group Memberships:

 To verify the user is NOT a member of any group, issue the following search:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=<full_user_DN>)" "dn"

 4.Confirm that you are able to bind successfully as the newly created user
ldapbind -h <OID_host> -p <OID_port> -D "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>



Reference : Doc ID 746612.1


Good read : How to unlock superuser cn=orcladmin account in OID
Posted by
Labels: , , , , , , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)