Okta Session : How to Set Maximum Session Timeout using APIs

Quite often, an application developer would need a maximum time after which a session should be destroyed irrespective of activity. This is also called the Maximum Session Timeout.

Okta is a popular cloud based Identity and Access Management Platform used as an Identity Provider enabling secure and seamless access to all applications via any device.

As of today, there’s NO setting in the Okta UI to set Maximum Session Time. 

The Session Lifetime setting in the Okta GUI is for Maximum Idle Session Time.

However, there’s an option to do this via APIs using SignOn Policy APIs. 

We can create Policies via APIs or from GUI .. Admin -> Security -> Authentication -> SignOn Policies-> Create Policy -> Create Rules and then update the maxSessionTimeoutInMinutes using API calls as shown in the screenshot.

If you are unaware of how to get started with Okta APIs and/or to setup Postman, please check this link.

Okta SAML SSO with Zoom : Error 1021 : You are not entitled to meeting service

Use Case : Setup SAML based SSO for Zoom using Okta as the IDP

Documents referred :

https://support.zoom.us/hc/en-us/articles/115005719946-Configuring-Okta-with-Zoom

Pre-requisites :

• Zoom owner or admin privileges

• Business or Education account with approved Vanity URL

• Okta admin privileges

Note :

Zoom is a Big Bang App (account needs to exist in SAML IDP) when using the vanity URL
A backdoor URL can be used : https://zoom.us/signin where users can login with their username and password

Issue : When doing SP-init (using vanity URL) or doing IDP-init (using Okta chiclet), we get the following error -

Troubleshooting Steps :

• Checked SAML response was valid using SAML Tracer in Firefox
• No errors in Okta Logs
• Verified that Username being passed in SAML assertion from Okta to Zoom existed in Zoom
• Created a custom SAML template App in Okta instead of using the App in Okta Integration Network (OIN) 

Solution :

Issue was in the Zoom SSO Configuration.

We need to change the "Default user type:" from None to either Basic or Pro on the SSO configuration page (SAML Response mapping). The SSO service is currently passing the user over but since "None" was selected, it was not assigning a user type and resulted in them not being authorized

Flavors of Mobile Security/SSO for Mobile Web Apps, Native/Hybrid Apps, MAM & MDM

I recently came across quite a few customer use cases which require mobile security/Single-Sign-On (SSO). While it may sound generic, there's a lot more to it.

This post intends to provide some clarity around the various security use cases for mobile apps possible & the high level solution approach using Oracle IDM -

1) Security for Mobile Web Applications (Invoked from a mobile browser)

This is no different from invoking a web application on a desktop or a laptop. Would use Oracle Access Manager(OAM) based SSO alongwith OHS+Webgate.

2) Security for Native/Hybrid mobile applications on personal devices 

(Leveraging existing IDM Platform)

This can be achieved using OAM Mobile & Social Services (OAMMS) which has support for Android and iOS platforms. For other platforms (like Windows) OAM Mobile OAuth Services (along with REST calls) within OAM can be leveraged. Mobile applications implemented using REST and supporting OAuth  makes mobile app security technology agnostic (similar to what SAML does to federation).

Image Courtesy : Oracle PM Team Blog

3) Security for Native/Hybrid mobile applications on corporate owned devices 

(MDM or Mobile Device Management)

This feature is currently not available in the Oracle IDM World, but would be available in Oracle Mobile Security Suite (OMSS) in the upcoming 11gR2 PS3 (11.1.2.3).

4) Security for Native/Hybrid mobile applications on personal devices (BYOD concept) 

(MAM or Mobile Application Management)

This can be implemented using OMSS. The concept uses a Secure Mobile Workspace within the personal device which silos all corporate communications using an App Tunnel. The concept is explained in detailed at my blog on OMSS here.

Image Courtesy : Oracle Document

OAM : Custom Login Page Times out after 15 mins (Prior to User Login)

Product Versions : 
OAM 11.1.2.2.0, OHS 11.1.1.7 , Webgate for OHS - 11.1.2.2, Weblogic Server 10.3.6
Single Sign On implemented with WebCenter Custom Portal & WebCenter Content 11.1.1.8
A custom login page was used instead of the OOTB Login Page provided by Oracle.

Issue Summary : 

If User stays idle on custom login page (without having logged in) for  more than 15 mins and then tries to login, he is redirected to a blue screen/error page which says 'System error, please contact your administrator'

Error Logs -

Error occurred while handling the request.

Supplemental Detail     java.lang.RuntimeException:   Authentication request Timed out. Eapsed time in min: 79560 at oracle.security.am.controller.BaseRequest.updateObjectWithCachedMap(BaseRequest.java:482)

  

Note - 
If the user logs in to the application before 15 mins, the SSO enabled application honours the timeout values:

Webgate level 'Max Session Time' = 60 mins

OAM Console - Common Settings 'Idle Timeout' = 65 mins

The user has connected to the custom authentication page but not logged in yet. So there is no user session yet. The user just idles for a while and then attempts to login and gets the error - The 'Idle Timeout' is only applicable to logged-in sessions. The timeout we are hitting is the 'Request Time Out' which is somehow hardcoded by Oracle to 15 mins.

Solution :
This is a pretty weird Oracle Bug ! Workaround is as follows :

Add a meta tag such as following one behind <head> in the custom login page.
    <meta http-equiv="refresh" content="890; URL=http://host.example.com/public/public.html">
The Http mechanism for a meta tag is described on:  http://www.w3schools.com/tags/att_meta_http_equiv.asp

The time value of 890 seconds comes from :
The idle time of 15 minutes set by OAM minus 10 seconds, that is:
         => (15*60=900)  minus (tolerance time of 10 second)
If the user stays now for 890 seconds on the custom login page, the browser will bring him back to a public page as defined with URL  (http://host.example.com/public/public.html).

References : Doc Id 1908294.1

OAM Single-Sign-On (SSO) Deployment Architecture : Best Practice

Recently I came across couple of OAM Deployment Architectures which have been implemented and can potentially cause multiple issues - 

• Using the same OHS Instance which has a webgate deployed on it for reverse proxy to OAM Servers in addition to the target application which needs to be protected (e.g. WebCenter)
• Front-ending OAM Servers directly with an external Load Balancer(LBR) skipping the Web Server layer altogether

Ideally, OAM should be front-ended by a web server/OHS instance of it's own to 

• Allow separate streams of HTTP traffic(in addition to one for Application) 
• Scale the SSO architecture to other target applications - 
• In case the same OAM Server is used for a new application which needs to be SSO enabled as well, the standalone OHS which just services requests to OAM (and doesn't have any webgate on it) is a must!
• This would also ensure that any files needed to be cached (like javascript, css etc) for any OAM related applications can be cached at the OHS layer

(Image Courtesy : A-Team Blog) 

If we have to use a Load Balancer(LBR) to directly front-end the OAM Server instead of an intermittent OHS(probably due to cost constraints), we should have this LBR within the corporate network (in addition to an external LBR which front-ends the other OHS instance(s) for applications) and not in the DMZ to prevent the security risk of an external LBR based in the DMZ exposing the OAM located in the Application Tier directly.

Courtesy  :
1) Forum Post which was logged as few items in the A-Team blog mentioned below were not crystal clear
2) A-Team Blog

UCM / Webcenter Content : Configuring an Admin User for UCM which resides in OID

UseCase :

• The default install of Webcenter Content/UCM results in weblogic as the Default Content Admin which resides in the embedded LDAP.
• In our Webcenter implementations we end up using a variety of LDAP's.
• This post details how to change the Admin user for UCM to a user residing in OID which is easier to manage and the recommended approach instead of using weblogic.

Advantages : 

• This can also be extended to use any LDAP like AD, OUD, ODSEE etc.
• Another reason why this needs to be configured is so that the UCM Console can be logged in using a OHS URL or Virtual IP which has a LDAP configured as its IdentityStore instead of having to log in via the managed server port.

Configuration Steps :

1.Create a new user called ucmadmin in OID with object classes simialr to those present for orcladmin.

2.Create a new group called ucmadmingroup in OID with object classes top and groupOfUniqueNames.

3.Assign ucmadmin as a member of the ucmadmingroup.

4.Make sure the users and groups mentioned here reside in the DN hierarchy defined in the OID Authenticator(e.g. cn=Users,dc=oracle,dc=com)

5.You also need to create the Credential Maps to grant ucmadmingroup as the administrator in UCM. Then, in UCM, we mapp the OID group ucmadmin to UCM internal roles and all accounts priveliges. All the users who belong to the ucmadmin group will be automatically granted the UCM admin roles.

- Login to Content Server as weblogic and configure credential map (http://<host>:16200/cs)
  Administration -> Credential Maps, create a new map (e.g.: called "MyOIDMap")
- Add the following mapping

ucmadmingroup ,                  admin
ucmadmingroup ,                  guest
ucmadmingroup ,                  sysmanager
ucmadmingroup ,                  refineryadmin
ucmadmingroup ,                  rmaadmin
ucmadmingroup ,                  pcmadmin
ucmadmingroup ,                  ermadmin
ucmadmingroup ,                  @#all

6.Edit the provider.hda  and add the credit map "MyOIDMap" which would be at the location -
 <UCM-Domain>/ucm/cs/data/providers/jpsuserprovider/provider.hda
  Here is an example:

<feff><?hda version="11gR1-11.1.1.6.0-idcprod1-111219T111403" jcharset="UTF8" encoding="utf-8"?>
Properties LocalData
DefaultNetworkAccounts=#none
DefaultNetworkRoles=guest
PasswordScope=jpsuserprovider
ProviderClass=idc.provider.jps.JpsUserProvider
ProviderDescription=csJpsUserProviderDescription
ProviderName=JpsUserProvider
ProviderType=jpsuser
SourcePath=jpsuser
ProviderCredentialsMap=MyOIDMap
blDateFormat=M/d{/yy}{ h:mm[:ss]{ a}}!mAM,PM!tAmerica/Los_Angeles
pDescription=csJpsUserProviderDescription
end

7.Restart the UCM Managed Server.
 
8. Repeat the steps for the other machine if its a clustered environment.

9.After that , if you login to Content Server as ucmadmin, in the ucadmin profile, you should see something similar as the following:

 

 In the ucmadminprofile, you should see the "#all" in the Accounts fields. Otherwise, when users accessing documents in Spaces, it will fail the following error:
  User 'ucmadmin' does not have sufficient privileges to access the content account.

Reference : https://support.oracle.com/epmos/faces/DocumentDisplay?id=1454012.1#aref_section310

Oracle Access Manager(OAM) & Oracle Internet Directory(OID)'s restricted use license with WebCenter Portal

A restricted use of Oracle Access Manager(OAM) & Oracle Internet Directory(OID) is allowed with WebCenter Suite Plus licensing which is one of the most common licenses available to Customers implementing a WebCenter Portal.

Thus OAM & OID can be used to provide Single Sign On (SSO) between WebCenter , UCM/Content & IPM without the client having to buy any additional licenses albeit with a few technical limitations.

In addition out of the box features like Impersonation can be leveraged easily.

On a whole this should help customers easily leverage Single-Sign-On using OAM & use Oracle's LDAP - OID when implementing a WebCenter Portal.

Source :

Oracle® Fusion Middleware Licensing Information 11g Release 1 (11.1.1)

"Oracle Access Manager(OAM) for enabling Single-Sign On (SSO) between WebCenter Portal components. Use of Oracle Access Manager to a) enable SSO for any custom services or functions or third party applications;

b) Direct Oracle Access Manager SDK calls; or c) Third party directory integration, is not allowed.

Oracle Internet Directory(OID) - The use of OID is restricted to storing credentials and policies specific to WebCenter Portal and its delivered components."

Limitations :

1) OAM & OID alongwith the WebTier would need to be installed in the same VMs as Webcenter Portal when leveraged as a part of this licensing.

This makes it slightly different from Oracle's recommended deployment Architecture for OAM.

Allowing unauthenticated access to Webcenter Content/UCM public documents via OAM SSO

Recently we had a requirement at a client wherein Public Documents in UCM be accessed via a SSO URL (using the OHS Port) without the user being challenged for credentials.

Sounds pretty straighforward right ? Since anyways using the default managed server port of 16200 of the Content Server , anyways those documents don't popup asking for user credentials.

Well , wasn't that simple really! Took us(myself , Sachin Saxena et al) a few days to exactly figure this out and now we have Oracle's stamp on it as well !

Following were the examples of documents which needed to be publically accessible

1)http://<host>:7778/cs/idcplg?idcService=GET_FILE&dID=1445&dDocName=DEV_COMPLOGO_31364&allowInterrupt=1

(Accessing public document  called 'DEV_COMPLOGO_31364' having Public Security group via IdcService)

2)http://<host>:7778/cs/groups/public/documents/digitalmedia/b2dv/xzmx/~edisp/dev_complogo_31364.jpg

(This has a definite URL Pattern of /cs/groups/public)

3)Also this general service/document search page needs to open up without authentication.

http://<host>:7778/cs/idcplg?IdcService=GET_DOC_PAGE

**Oracle Access Manager (OAM) basically protects URLs or definite URL parameters , it cannot go inside an end-user application and check security assigned to a resource to determine if that should be challenged for credentials.

(Example in this case is that it cannot go and check the authorization / security Group using IdcService URL for the file DEV_COMPLOG_31364)**

Hence we have only two options here -

1)Either the URL pattern /cs/groups/public can be marked as unprotected in OAM Application Domain and hence user won't be challenged when using Pattern 2 as above.

2)Create a mapping folder pattern in UCM , like pretty URL to access even webDav content)

3)You can configure the IdcService url pattern to be public via OAM. (something like http://oamserver.com/cs/idcplg as url and query parameters as IdcService=GET_FILE) .But by exposing that people can still construct url of private documents if they know the dID and bypass OAM as the pattern is public. But once they reach UCM, ucm security will deny them access as they are not authenticated/have required permissions [Courtesy : Shidharth Mishra]

References

1)Oracle SR [Closed]            2) Forums

Impersonation feature for WebCenter Spaces 11.1.1.8 with Oracle Acess Mgr(OAM) 11gR2

What is Impersonation ? 

WebCenter Portal Impersonation lets a WebCenter Portal administrator or system administrator assign impersonation rights to a group of users ("impersonators"), such as support representatives or application administrators, so that they can impersonate another Portal user and perform operations as that user ("impersonatees"). This may be useful in the following instances:

• A customer support representative may want to perform actions as another user in order to understand the issues being faced by that user
• An administrator may want to perform operations on behalf of a user
• A company executive may need to delegate someone to act on his or her behalf while away. (Source : Oracle Documentation)

Pre-requisites

1) WebCenter Spaces 11.1.1.8 +

2) Oracle Access Manager(OAM) 11.1.2 (11gR2+)

3) Setups need to be done in OAM , Webcenter Spaces application using EM , and in Oracle Internet Directory(OID) for the users (OID 11.1.1.7+)

Key Advantages -

1) Feature just needs to be configured as mentioned above . Effort is markedly less than implementing this feature in a custom manner using ADF/Web Technologies.

2) Feature once configured along with OAM can be monitored using OAM.

3) Out of the box UI are available and supported by Oracle , hence the solution is standardized.

4)Feature being a very common use case can be used to sell OAM and the Security Team has expertise in implementing it within a cpl of weeks.

Note - 

• After weeks of ado , I have got this up and running in our environments for Webcenter Spaces 11.1.1.8 which is Oracle's new way of developing webcenter portal applications.

• But for a Custom Portal Application in 11.1.1.8, though Security Taskflows for Impersonation are available in Jdeveloper , Impersonation is not currently supported (Doc ID 1606526.1) but I have an ER open with Oracle [BUG 18882638 - ENABLE IMPERSONATION FOR WEBCENTER CUSTOM FRAMEWORK APS ]

Walkthrough of this new & exciting feaute via screenshots - 

1) Screen in WC Spaces / Custom Portal Security Taskflow to select impersonators. (Validations to prevent users not been setup as Impersonators available Out of the Box).

2) Search Impersonators screen .

Only those users who have been granted Impersonator access in OID can be searched here.

3)Selected Impersonator who can be given access rights for a time duration.

4) Once Switch User Link is clicked ( as in second image above) after logging in with the 
Impersonators credentials , the Impersonator is asked to enter your credentials as under.

5) Once logged in the Impersonation session is in progress. Remember - The impersonatee's credentials were not used at all !

Click on Stop Impersonation to return back 
to the Impersonator's home page.

6) Cool feature  !! Monitor the Impersonation session as an Admin in OAM Console as below

Reference - 

http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27785/pers_impersonate.htm