Using OpenAM in an Oracle environment
DESCRIPTION
OpenAM can be a valid alternative in an Oracle stack. It can tie together Oracle 9i/10g OSSO-based midtiers with newer 11g WLS Fusion application tiers, and even SAML-based authentication.
TRANSCRIPT
Using OpenAM in an Oracle environment as SSO server
BIO
Who am I: Kurt Van Meerbeeck
- Engineer in electronics
- Working with Java since 1996 (JDK 1.0.2)
- Working with Oracle products since 1997 (Oracle 7.3.x, OAS 3.0)
- Currently working for AXI NV/BV, Oracle Partner in the Benelux area (www.axi.be / www.axi.nl), Oracle RDBMS/iAS
- Author of DUDE, the Data Unloader tool (www.ora600.be)
- Member of the OakTable Network (www.oaktable.net)
A little bit of history
- Internet Application Server 9i
- Internet Application Server 10g
- Fusion Middleware 11g / WLS
ORACLE IAS 10g
Oracle AS components, middle tiers:
- OHS: Apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
- Webcache
- J2EE
- Forms, Reports, Discoverer
- Portal
ORACLE IAS 10g
Oracle AS components, infrastructure:
- OHS: Apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
- OID (LDAP)
- J2EE
- SSO server
- OCA
- RDBMS: portal, sso and oca schemas, and other configuration & metadata
OSSO Workflow – not yet authenticated
[Diagram: browser requesting http://my.company.com; mid-tier MID.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE); infrastructure INFRA.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE/OC4J security; OCA; OID LDAP; IASDB)]
Apache virtual host: make it a SSO partner app and register it
- ptlconfig – Portal
- ossoreg.jar – mod_osso
- mod_osso.conf:
    <Location /app>
      require valid-user
      AuthType basic
    </Location>
OSSO Workflow – not yet authenticated
[Diagram as in the previous OSSO workflow slide]
    NameVirtualHost *:80
    <VirtualHost *:80>
      ServerName my.company.com
      Port 80
      # Include the configuration files
      # needed for mod_osso
      OssoConfigFile /OH/my_comp_osso.conf
    </VirtualHost>
mod_osso on my.company.com redirects the browser to:
    infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
- Partner cookie available?
- SSO cookie? If not -> generate redirect to the logon page http://infra.axi.be/sso/jsp/login.jsp ($OH/sso/policy.properties)
OSSO Workflow – not yet authenticated
[Diagram as in the previous OSSO workflow slides]
- HTTP POST: username, password, site token
- Check credentials in LDAP/OID
- If OK: generate SSO cookie (SSO_ID) and generate redirect to http://my.company.com/osso_login_success?urlc=<sitetoken>
- mod_osso on the partner app generates the partner cookie and generates a redirect to the original URL (sitetoken)
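The redirect chain on the OSSO workflow slides, simulated end to end as an added example (this is not Oracle's code and not part of the original deck). A partner app on my.company.com and an SSO server on infra.axi.be exchange messages through a browser object that follows redirects and keeps one cookie jar per host. Assumptions: the Site2pstoreToken and urlc values are HMAC-signed JSON stand-ins for Oracle's opaque encrypted tokens, the partner key stands in for what ossoreg.jar sets up, the USERS dict stands in for the OID/LDAP credential check, and the login form field names ssousername/password/site2pstoretoken are assumed:

```python
"""Simulation of the OSSO 'not yet authenticated' redirect chain: a mod_osso
partner app on my.company.com bounces the browser to the SSO server on
infra.axi.be and back. Added example, not Oracle's code; tokens, key and user
table are constructed stand-ins (see the lead-in)."""
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SSO_HOST, MID_HOST = "infra.axi.be", "my.company.com"
PARTNER_KEY = b"constructed-secret-from-ossoreg"   # the real one is set up by ossoreg.jar
LS_LOGIN = f"http://{SSO_HOST}/pls/orasso/orasso.wwsso_app_admin.ls_login"

def sign(payload):
    """Tamper-evident token: urlsafe-base64(JSON) + '.' + HMAC-SHA256 under the partner key."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return body + "." + hmac.new(PARTNER_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify(token):
    """Return the payload, or None when the MAC does not match (forged or altered token)."""
    body, _, mac = token.rpartition(".")
    expect = hmac.new(PARTNER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(expect, mac) else None

class PartnerApp:
    """mod_osso on the mid-tier, protecting /app with 'require valid-user'."""
    def handle(self, method, url, cookies, form=None):
        path, qs = urlsplit(url).path, parse_qs(urlsplit(url).query)
        if path == "/osso_login_success":             # back from the SSO server with urlc
            claims = verify(qs["urlc"][0])
            if claims is None:
                return {"status": 403}
            return {"status": 302, "location": claims["url"],   # set partner cookie, go to original URL
                    "set_cookie": {"OSSO_PARTNER": sign({"user": claims["user"]})}}
        partner = verify(cookies["OSSO_PARTNER"]) if "OSSO_PARTNER" in cookies else None
        if partner:                                    # partner cookie available: serve the page
            return {"status": 200, "user": partner["user"]}
        return {"status": 302, "location": LS_LOGIN + "?" +       # no cookie: off to the SSO server
                urlencode({"Site2pstoreToken": sign({"url": url})})}

class SsoServer:
    """Oracle SSO server on the infrastructure tier (login page at /sso/jsp/login.jsp)."""
    USERS = {"kurt": "s3cret"}                         # constructed stand-in for the OID lookup
    def __init__(self):
        self.sessions = {}                             # SSO_ID cookie value -> username
    def success(self, user, site_token):
        """Send the browser to the partner's osso_login_success with a signed urlc."""
        claims = verify(site_token)
        if claims is None:
            return {"status": 403}
        urlc = sign({"user": user, "url": claims["url"]})
        return {"status": 302,
                "location": f"http://{MID_HOST}/osso_login_success?" + urlencode({"urlc": urlc})}
    def handle(self, method, url, cookies, form=None):
        path, qs = urlsplit(url).path, parse_qs(urlsplit(url).query)
        if path == "/pls/orasso/orasso.wwsso_app_admin.ls_login":
            user = self.sessions.get(cookies.get("SSO_ID"))
            if user:                                   # SSO cookie present: no login page needed
                return self.success(user, qs["Site2pstoreToken"][0])
            return {"status": 302, "location": f"http://{SSO_HOST}/sso/jsp/login.jsp?"
                    + urlencode({"site2pstoretoken": qs["Site2pstoreToken"][0]})}
        if path == "/sso/jsp/login.jsp" and method == "GET":
            return {"status": 200, "page": "login", "site_token": qs["site2pstoretoken"][0]}
        if path == "/sso/jsp/login.jsp" and method == "POST":
            if self.USERS.get(form["ssousername"]) != form["password"]:
                return {"status": 401}
            sso_id = secrets.token_hex(16)             # fresh SSO_ID cookie after a good login
            self.sessions[sso_id] = form["ssousername"]
            return {**self.success(form["ssousername"], form["site2pstoretoken"]),
                    "set_cookie": {"SSO_ID": sso_id}}
        return {"status": 404}

class Browser:
    """Follows redirects and keeps a separate cookie jar per host, like a real browser."""
    def __init__(self, servers):
        self.servers, self.jar, self.trace = servers, {h: {} for h in servers}, []
    def request(self, method, url, form=None):
        host = urlsplit(url).hostname
        resp = self.servers[host].handle(method, url, self.jar[host], form)
        self.jar[host].update(resp.get("set_cookie", {}))
        self.trace.append(f"{method} {host}{urlsplit(url).path} -> {resp['status']}")
        return self.request("GET", resp["location"]) if resp["status"] == 302 else resp

def login_flow(username, password):
    """Run the chain once; returns (result of the login POST, second visit, request trace)."""
    browser = Browser({SSO_HOST: SsoServer(), MID_HOST: PartnerApp()})
    page = browser.request("GET", f"http://{MID_HOST}/app/")          # ends on the login page
    result = browser.request("POST", f"http://{SSO_HOST}/sso/jsp/login.jsp",
                             {"ssousername": username, "password": password,
                              "site2pstoretoken": page["site_token"]})
    revisit = browser.request("GET", f"http://{MID_HOST}/app/")       # partner cookie now present
    return result, revisit, browser.trace
```

`login_flow("kurt", "s3cret")` produces the seven requests of the slides (partner app, ls_login, login page, POST, osso_login_success, original URL, and a second visit that is served straight from the partner cookie). The point of signing both urlc and the partner cookie is that neither side trusts a value the browser could have edited; a wrong password stops the chain at the POST with a 401.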
OSSO Workflow – not yet authenticated
[Diagram as in the previous OSSO workflow slides]
OSSO server authentication plugin class hierarchy:
- IPASAuthInterface (interface)
- SSOServerAuth implements IPASAuthInterface
- SSOX509CertAuth, SSOKerbeAuth and Custom Plugin extend SSOServerAuth
Important for integration: custom plugins by subclassing the OSSO server authentication class
ORACLE 11g FUSION / WEBLOGIC
Problem: no infrastructure tier, no SSO/OID/WNA
ORACLE 11g FUSION / WEBLOGIC
- Premier Support for Oracle Single Sign-On 10gR3 ends on December 31, 2011
- Limited Extended Support for Oracle Single Sign-On from January 2012 through December 2012
- It is strongly recommended that you use this additional time to integrate your single sign-on deployment with Oracle Access Manager
ORACLE 11g FUSION / WEBLOGIC
Extra licenses and servers:
- Oracle Access Manager
- Oracle WebLogic Server
- Directory Services Plus
x2 (HA?), VMware?
ORACLE 11g FUSION / WEBLOGIC
Cheaper alternatives?
Introducing...
Introducing OpenAM
- Open source alternative
- OpenAM (ForgeRock)
- Based on Sun's OpenSSO: open sourced before the Oracle acquisition; most of the OpenSSO team quit and started ForgeRock
- Makes use of OpenDJ (based on Sun's OpenDS) for the data store
Concept
- The concept for most access managers is the same
[Diagram: Access Manager with ID store (LDAP); AM Agent in front of the WebApp server; DB server]
- So the work is mostly the same (complex), but not the license costs! And the platform support and features!
Component mapping:
    OSSO                          -> OpenAM
    OID                           -> OpenDJ
    mod_osso / Apache 1.3 / OC4J  -> Policy Agent
OpenAM product support
- OpenAM server runs on: Apache Tomcat 6.x / 7.x, GlassFish v2, JBoss Enterprise Application Platform 4.x / 5.x, JBoss Application Server 7.x, Jetty 7, Oracle WLS 11g, Oracle WLS 12c
- OpenAM policy agents: Apache 2.0 / 2.2 / 2.4, MS IIS 6 / 7, GlassFish v2 / v3, Jetty 6.1 / 7, Tomcat v6, WebSphere v6.1, WebLogic v10
OpenAM authentication
Out-of-the-box: Active Directory auth, Adaptive Risk auth, Certificate auth, HTTP Basic auth, HMAC OTP auth, JDBC auth (example database table), LDAP auth, OATH auth (OpenAuth, RFC 4226/6238), OAuth 2.0 auth, RADIUS auth, SecurID auth, Windows Desktop SSO auth, WSS auth, Federation (SAML, SAMLv2, WS-Fed 1.1), ..., custom auth plugins
OpenAM authorization
- Policy engine: identity membership, LDAP filter, time, resource/location/IP, ..., custom plugins
- Entitlements: eXtensible Access Control Markup Language (XACML); OpenAM as policy administration & decision point (PAP/PDP)
OpenAM architecture
Integration
So how do we integrate with an Oracle stack?
Use Case
Use case requirements:
- integrate with legacy IAS/OSSO: Portal 10g, Forms 10g, OC4J, OBIEE 10g
- integrate with Forms 11g (FMW/WLS); special case as Forms *needs* OID
- integrate with OBIEE 11g (FMW/WLS)
- integrate with J2EE apps (FMW/WLS)
- integrate apps in the cloud using SAMLv2
Use Case
[Diagram: OpenAM + OpenDJ on a Linux server cluster (Tomcat J2EE server), LDAP sync with the Oracle SSO server on the Oracle 10g infrastructure.
Legacy environment: Oracle 10g midtiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g), SSO using the Oracle SSO server, linked to OpenAM through the AXI OSSO-OpenAM integration (custom OSSO plugin).
New environment: Oracle 11g WebLogic (Forms 11g, J2EE, OBIEE 11g), SSO using OpenAM policy agents (J2EE policy agent, custom policy plugin).
LAMP in the cloud: SAMLv2 service provider, SSO using SAMLv2.]
Integration
1. Create a HA OpenAM server architecture
OpenAM HA Server Architecture
[Diagram: sso.axi.be:80 HTTP loadbalancer -> OpenAM on snsrv615:8080 and snsrv616:8080; ldap.axi.be:389 TCP loadbalancer -> OpenDJ on snsrv615:1389 and snsrv616:1389; master-master replication between the two OpenAM instances and between the two OpenDJ instances]
OpenAM HA Server Architecture
- Linux cluster: Keepalived cluster manager; RHEL or Ubuntu based
- HAProxy loadbalancer: L4 – LDAP loadbalancing; L7 – HTTP loadbalancing
- Apache 2.2 reverse proxy: in front of Tomcat; for complex solutions (like integrating OSSO)
- OpenAM / Tomcat J2EE: session failover; multimaster replication
- OpenDJ: multimaster replication
OpenAM HA Server Architecture
[Diagram: HAProxy (L4 LB + L7 LB) as an active/passive cluster with synced config; two Apache 2.2 reverse proxies; two OpenAM instances as an active/active cluster with session replication; two OpenDJ instances as an active/active cluster with multimaster replication]
Integration OSSO
2. Integrate OSSO using a plugin
Integration OSSO
[Diagram: the legacy part of the use case: OpenAM/OpenDJ cluster, LDAP sync with the Oracle SSO server, Oracle 10g midtiers doing SSO via the Oracle SSO server, linked to OpenAM through the AXI OSSO-OpenAM integration (custom OSSO plugin)]
    public class OpenAMAuth extends SSOServerAuth
The plugin sits in the OSSO class hierarchy next to SSOX509CertAuth and SSOKerbeAuth: all extend SSOServerAuth, which implements IPASAuthInterface.
Integration OSSO
[Diagram as above]
Result: the user is authenticated in OSSO *and* OpenAM.
Integration Forms 11g
3. Integrate Forms 11g
Integration Forms 11g
- Forms is *SPECIAL*
  - It will check the version of OID in SSO mode!
  - What if you want to get rid of OID???
[Diagram: Forms 11g behind mod_osso issuing extra LDAP queries: RADs, the root DSE orcldirectoryversion, osso-user-dn, osso-subscriber-dn]
Integration Forms 11g
- Forms is *SPECIAL*
  - Forms 11g can be plugged into an OID LDAP
  - What if we could mimic OID using OpenDJ?
1. Recreate the OID LDAP schema in OpenDJ (ldapsearch)
2. Add orcldirectoryversion to the OpenDJ root DSE
3. Plug Forms 11g into OpenDJ!!!
Integration Forms 11g
- Forms is *SPECIAL* but can make use of OpenAM/OpenDJ without OID
[Diagram: Forms 11g behind the OpenAM policy agent; the same extra LDAP queries (RADs, root DSE orcldirectoryversion, osso-user-dn, osso-subscriber-dn) are answered without OID]
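Steps 1 and 2 of the OID-mimicking approach above, as an added example that is not Oracle's, ForgeRock's or the presenter's code. It takes an ldapsearch export of OID's subschema entry, unfolds the LDIF continuation lines, keeps only the Oracle-specific (orcl*/osso*) definitions and renders them in the layout OpenDJ expects for a file under config/schema/ (a file name such as 99-oid-compat.ldif is an assumption), then checks a root DSE export for the orcldirectoryversion attribute that Forms 11g looks for. The sample export is constructed and the OIDs in it are placeholders, not Oracle's real ones:

```python
"""OID subschema export -> OpenDJ schema file, plus a root DSE check.
Added example; the sample LDIF below is constructed and its OIDs are
placeholders (1.3.6.1.4.1.99999...), not Oracle's real schema OIDs."""
import re

# Constructed stand-in for:
#   ldapsearch -x -H ldap://oid-host:389 -s base -b cn=subschemasubentry "(objectclass=*)" attributetypes objectclasses
# Note the LDIF folding: a line starting with one space continues the previous line.
OID_SCHEMA_EXPORT = """\
dn: cn=subschemasubentry
attributetypes: ( 2.5.4.3 NAME 'cn' SUP name )
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'orclguid' DESC 'placeholder OID'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'orclpassword' DESC 'placeholder OI
 D' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'orcluserv2' SUP top AUXILIARY
  MAY ( orclguid $ orclpassword ) )
objectclasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
"""

ORACLE_NAMES = re.compile(r"NAME '(orcl|osso)", re.IGNORECASE)   # assumption: Oracle's names start with orcl/osso

def unfold_ldif(text):
    """Join LDIF continuation lines; drop blank lines and comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # exactly one leading space is the fold marker
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def extract_definitions(ldif_text, name_filter=ORACLE_NAMES):
    """Return {'attributeTypes': [...], 'objectClasses': [...]} keeping only
    definitions whose NAME matches name_filter (standard attributes such as cn
    already exist in OpenDJ and must not be redefined)."""
    out = {"attributeTypes": [], "objectClasses": []}
    keys = {"attributetypes": "attributeTypes", "objectclasses": "objectClasses"}
    for line in unfold_ldif(ldif_text):
        attr, _, value = line.partition(":")
        key = keys.get(attr.strip().lower())
        if key and name_filter.search(value):
            out[key].append(value.strip())
    return out

def to_opendj_schema_ldif(defs):
    """Render OpenDJ's schema-file layout: one cn=schema subentry, attributeTypes
    listed before the objectClasses that reference them."""
    lines = ["dn: cn=schema", "objectClass: top", "objectClass: ldapSubentry",
             "objectClass: subschema"]
    for key in ("attributeTypes", "objectClasses"):
        lines += [f"{key}: {d}" for d in defs[key]]
    return "\n".join(lines) + "\n"

def root_dse_version(root_dse_ldif, attribute="orcldirectoryversion"):
    """Step 2 check: value of orcldirectoryversion in a root DSE export
    (ldapsearch -s base -b "" "(objectclass=*)" +), or None if it is missing."""
    for line in unfold_ldif(root_dse_ldif):
        attr, _, value = line.partition(":")
        if attr.strip().lower() == attribute and value.strip():
            return value.strip()
    return None

if __name__ == "__main__":
    print(to_opendj_schema_ldif(extract_definitions(OID_SCHEMA_EXPORT)), end="")
```

Running the module prints the OpenDJ schema entry for the two placeholder attributes and the auxiliary class; the filter deliberately drops cn and person, because redefining attributes OpenDJ already ships would make the schema fail to load. Re-run the root DSE check after the restart to confirm the attribute Forms queries is actually served.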
Integration OBIEE 11g
4. Integrate OBIEE 11g
Integration OBIEE 11g
- OBIEE 11g runs on top of WLS
  - Makes use of Oracle Platform Security Services (OPSS)
  - Switch from the embedded LDAP to OpenDJ (iPlanetAuthenticator)
  - Configure the HTTP header identity asserter (Generic SSO)
  - Configure OpenDJ (OBIEE groups: BIAuthor, BIAdministrators, etc.)
  - Deploy the OpenAM J2EE policy agent
  - Modify the OBIEE analytics WAR to add the J2EE filter (redeploy)
  - Resync the identity GUID attribute with OpenDJ
  - Modify the RPD to use LDAP in initialisation blocks
Integration OBIEE 11g
[Diagram, numbered 1-7 on the slide: Apache RP/SSL -> OpenAM J2EE policy agent (J2EE filter) in OBIEE 11g / WLS -> HTTP header identity asserter (Generic SSO) -> OPSS (ID store, policy store, credential store); the DefaultAuthenticator on the embedded LDAP is replaced by the iPlanetAuthenticator pointing at OpenDJ LDAP; OpenAM itself also uses OpenDJ LDAP]
Integration cloud applications
5. Integrate cloud applications
Integration cloud applications
- OpenAM supports SAMLv2 (and WS-Fed 1.1) and can act as IdP
  - Agentless web SSO
  - Cross-domain / cross-platform / cross-organisation
  - Passive: all communication through the user's browser (HTTP POST/redirect)
  - Provide the app (Service Provider) with all needed info through SAML assertions (attributes): displayName, email, application roles & rights
  - Custom attribute mapper using JDBC
Integration cloud applications
[Diagram: SAML Identity Provider (IdP): OpenAM cluster at https://idp.axi.nl (AXI); internal app servers protected by policy agents; external app servers as SAML SPs doing SAML-based SSO]
- At this point... users logged on in Portal 10g... can seamlessly log on to apps in the cloud using SAML!
What about ...
Wait... what about mobile devices?
Out-of-the-box mobile app authentication with WS-REST
[Diagram: OpenAM + OpenDJ on a Linux server (keepalived cluster) with Tomcat J2EE server behind an Apache 2.2 SSL/RP server at https://sso.axi.be; in the AXI public DMZ an Apache 2.2 SSL/RP server with mod_security in front of the J2EE server at https://mobile.axi.be]
(1) Authenticate: /identity/authenticate?username=<uname>&password=<passwd>
(2) Response: token.id=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(3) Validate: /identity/isTokenValid?tokenid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(4) Retrieve attributes (is customer?): /identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(5) Logout: /identity/logout?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
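The five calls above from the point of view of the mobile.axi.be backend, as an added example (not ForgeRock's, AXI's or the presenter's code). FakeOpenAM is a constructed stand-in for the server at https://sso.axi.be that answers in the line-oriented key=value format of the legacy /identity/* services; the token value is the one shown on the slide, the user data is constructed, and it is assumed that /identity/authenticate accepts a POST body and that /identity/attributes accepts repeated attributenames parameters. The backend sends the credentials in a POST body rather than in the query string shown on the slide, so that they do not end up in the reverse-proxy and access logs on the way through the DMZ:

```python
"""Mobile-app authentication against OpenAM's legacy identity REST services:
authenticate -> isTokenValid -> attributes -> logout. Added example; FakeOpenAM
and its user data are constructed stand-ins, TOKEN is the value from the slide."""
import urllib.parse, urllib.request

TOKEN = "AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*"

def parse_kv(text):
    """Parse 'key=value' response lines, keeping order and repeated keys."""
    pairs = []
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            pairs.append((k.strip(), v.strip()))
    return pairs

def parse_attributes(text):
    """Turn userdetails.attribute.name / .value runs into {name: [values]}."""
    attrs, current = {}, None
    for k, v in parse_kv(text):
        if k == "userdetails.attribute.name":
            current = v
            attrs.setdefault(current, [])
        elif k == "userdetails.attribute.value" and current is not None:
            attrs[current].append(v)
    return attrs

class FakeOpenAM:
    """Constructed stand-in for the OpenAM server: transport(method, path, params) -> (status, body)."""
    USERS = {"alice": ("s3cret", {"uid": ["alice"], "mail": ["alice@example.com"],
                                  "customerid": ["C-1001"]})}            # constructed test data
    def __init__(self):
        self.live, self.seen = set(), []                                 # valid tokens, request log
    def __call__(self, method, path, params):
        self.seen.append((method, path, sorted(params)))
        if path == "/identity/authenticate":
            user = self.USERS.get(params.get("username"))
            if user and user[0] == params.get("password"):
                self.live.add(TOKEN)
                return 200, f"token.id={TOKEN}\n"
            return 401, "exception.message=Authentication Failed!!\n"
        tok = params.get("tokenid") or params.get("subjectid")
        if path == "/identity/isTokenValid":
            return 200, f"boolean={'true' if tok in self.live else 'false'}\n"
        if tok not in self.live:
            return 401, "exception.message=Invalid session\n"
        if path == "/identity/attributes":
            data = self.USERS["alice"][1]      # a real server resolves the subject from the token
            lines = [f"userdetails.token.id={tok}"]
            for name in params.get("attributenames") or list(data):
                if name in data:
                    lines.append(f"userdetails.attribute.name={name}")
                    lines += [f"userdetails.attribute.value={v}" for v in data[name]]
            return 200, "\n".join(lines) + "\n"
        if path == "/identity/logout":
            self.live.discard(tok)
            return 200, ""
        return 404, ""

class MobileBackend:
    """What the mobile.axi.be tier does with calls (1)-(5) from the slide."""
    def __init__(self, transport):
        self.call = transport
    def authenticate(self, username, password):      # (1)+(2): POST keeps the password out of URL logs
        status, body = self.call("POST", "/identity/authenticate",
                                 {"username": username, "password": password})
        return dict(parse_kv(body)).get("token.id") if status == 200 else None
    def is_valid(self, token):                        # (3)
        _, body = self.call("GET", "/identity/isTokenValid", {"tokenid": token})
        return dict(parse_kv(body)).get("boolean") == "true"
    def is_customer(self, token):                     # (4): only ask for the attribute we need
        status, body = self.call("GET", "/identity/attributes",
                                 {"subjectid": token, "attributenames": ["customerid"]})
        return status == 200 and bool(parse_attributes(body).get("customerid"))
    def logout(self, token):                          # (5)
        return self.call("GET", "/identity/logout", {"subjectid": token})[0] == 200

def https_transport(base="https://sso.axi.be"):
    """Real transport (not exercised here): TLS to the SSO reverse proxy. The
    deployment context path (e.g. /openam) is an assumption and may need adding to base."""
    def call(method, path, params):
        data = urllib.parse.urlencode(params, doseq=True)
        url = base + path + ("" if method == "POST" else "?" + data)
        req = urllib.request.Request(url, data=data.encode() if method == "POST" else None, method=method)
        with urllib.request.urlopen(req) as resp:     # raises HTTPError on 401
            return resp.status, resp.read().decode()
    return call

def demo(transport=None):
    """Run the whole sequence and report what each step returned."""
    backend = MobileBackend(transport or FakeOpenAM())
    token = backend.authenticate("alice", "s3cret")
    steps = {"token": token, "valid": backend.is_valid(token),
             "customer": backend.is_customer(token), "logged_out": backend.logout(token)}
    steps["valid_after_logout"] = backend.is_valid(token)
    return steps
```

`demo()` walks the sequence against the fake server; swapping in `https_transport()` points the same backend at the real SSO host. Two habits worth keeping from the slide's setup: validate the token server-side on every backend call rather than trusting the app's copy, and confirm after logout that isTokenValid really answers false.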
Use Case
[Diagram: the use case overview from before (OpenAM/OpenDJ cluster, LDAP sync with the Oracle SSO server, legacy Oracle 10g midtiers via the custom OSSO plugin, Oracle 11g WebLogic via OpenAM policy agents, LAMP in the cloud via SAMLv2), now with REST-WS added for mobile clients]
Conclusion
- Who can benefit from OpenAM: organisations running IAS 9i/10g migrating to 11g WLS; organisations running multiple web-based apps that want to implement SSO; organisations wanting to integrate cloud apps using SAMLv2; organisations wanting to implement WS Security; organisations wanting to migrate from Sun OpenSSO to ForgeRock OpenAM
- Benefits: proven technology (Sun OpenSSO!); easy to customize (auth plugin, policy plugin, SAML assertion plugin, etc.); pricing
Q & A