Using OpenAM in an Oracle environment as SSO server

ITStrategic presentation, uploaded by kurtvm, posted 11 May 2015 (46 slides)

DESCRIPTION

OpenAM can be a valid alternative in an Oracle stack. It can tie together Oracle 9i/10g OSSO-based mid-tiers with newer 11g WLS Fusion application tiers, and even SAML-based authentication.

TRANSCRIPT

Page 1: Using OpenAM in an Oracle environment as SSO server

Page 2: Bio

Who am I: Kurt Van Meerbeeck

- Engineer in electronics
- Working with Java since 1996 (JDK 1.0.2)
- Working with Oracle products since 1997 (Oracle 7.3.x, OAS 3.0)
- Currently works for AXI NV/BV, Oracle Partner in the Benelux area (www.axi.be / www.axi.nl), Oracle RDBMS/iAS
- Author of DUDE, the Data Unloader tool (www.ora600.be)
- Member of the OakTable Network, www.oaktable.net

Page 3: A little bit of history

- Internet Application Server 9i
- Internet Application Server 10g
- Fusion Middleware 11g / WLS

Page 4: Oracle IAS 10g

Oracle AS components, middle tiers:
- OHS: Apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
- Webcache
- J2EE
- Forms, Reports, Disco
- Portal

Page 5: Oracle IAS 10g

Oracle AS components, infrastructure:
- OHS: Apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
- OID (LDAP)
- J2EE
- SSO server
- OCA
- RDBMS: portal, sso, oca and other configuration & metadata

Page 6: OSSO workflow – not yet authenticated

[Diagram: browser at http://my.company.com; mid-tier MID.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE); infrastructure tier INFRA.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE with oc4j_security; OCA; OID LDAP; IASDB)]

Apache virtual host: make it an SSO partner application and register it
- ptlconfig for Portal
- ossoreg.jar for mod_osso
- mod_osso.conf:

    <Location /app>
      require valid-user
      AuthType Basic
    </Location>

Page 7: OSSO workflow – not yet authenticated

[Same diagram as page 6]

Virtual host configuration on the mid-tier:

    NameVirtualHost *:80
    <VirtualHost *:80>
      ServerName my.company.com
      Port 80
      # Include the configuration files
      # needed for mod_osso
      OssoConfigFile /OH/my_comp_osso.conf
    </VirtualHost>

Flow:
- mod_osso: partner cookie available? No, so redirect the browser to
  infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
- SSO server: SSO cookie? No, so generate a redirect to the logon page
  http://infra.axi.be/sso/jsp/login.jsp (configured in $OH/sso/policy.properties)

Page 8: OSSO workflow – not yet authenticated

[Diagram only, same as page 6]

Page 9: OSSO workflow – not yet authenticated

[Same diagram as page 6]

- Browser: HTTP POST with username, password and site token to the SSO server
- SSO server: check credentials in LDAP/OID
- If OK: generate SSO cookie (SSO_ID) and redirect to
  http://my.company.com/osso_login_success?urlc=<sitetoken>
- mod_osso: generate partner cookie and redirect to the original URL (from the site token)
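The redirect dance of pages 6 to 9, written out as a runnable simulation with both sides (mod_osso on the mid-tier, the SSO server on the infrastructure tier) as Python objects. This is an added example, not code from the presentation or from Oracle. Host names and URL paths are the ones on the slides; everything else is an assumption: the user table stands in for OID, and the Site2pstoreToken and urlc values are HMAC-signed blobs under a key handed out at partner registration (the ossoreg.jar step), which is only a stand-in for mod_osso's real encrypted tokens. The point the simulation makes is why registration matters: the SSO server only follows a redirect target it can verify came from a registered partner, and a urlc issued for one partner is useless to another.

```python
import base64, hashlib, hmac, secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

SSO_HOST = "http://infra.axi.be"   # infrastructure tier from the slides


def _sign(key: bytes, *parts: str) -> str:
    """HMAC-signed blob standing in for mod_osso's encrypted tokens (format assumed)."""
    payload = "|".join(parts).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + hmac.new(key, payload, hashlib.sha256).hexdigest()


def _verify(key: bytes, token: str) -> list:
    payload_b64, _, tag = token.partition(".")
    payload = base64.urlsafe_b64decode(payload_b64)
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), tag):
        raise ValueError("token was not issued under a registered partner key")
    return payload.decode().split("|")


@dataclass
class Response:
    status: int
    location: str = ""
    cookies: dict = field(default_factory=dict)   # Set-Cookie name -> value


class SsoServer:
    """Infrastructure tier: orasso login servlet plus a constructed OID stand-in."""

    def __init__(self, users: dict):
        self.users = users      # username -> password (constructed, not a real OID)
        self.partners = {}      # partner id -> (shared key, osso_login_success URL)
        self.sessions = {}      # SSO_ID cookie -> username

    def register_partner(self, partner_id: str, success_url: str) -> bytes:
        """The ossoreg.jar step: the partner gets a key the server will trust."""
        self.partners[partner_id] = (secrets.token_bytes(32), success_url)
        return self.partners[partner_id][0]

    def _unpack(self, site2pstore_token: str):
        partner_id, _, blob = site2pstore_token.partition(":")
        key, success_url = self.partners[partner_id]     # unknown partner -> KeyError
        original_url, _nonce = _verify(key, blob)        # forged token -> ValueError
        return key, success_url, original_url

    def _success(self, key, success_url, username, original_url, sso_id) -> Response:
        urlc = _sign(key, username, original_url)        # only that partner can verify it
        return Response(302, f"{success_url}?{urlencode({'urlc': urlc})}", {"SSO_ID": sso_id})

    def ls_login(self, site2pstore_token: str, cookies: dict) -> Response:
        """wwsso_app_admin.ls_login: the partner found no partner cookie (page 7)."""
        key, success_url, original_url = self._unpack(site2pstore_token)
        sso_id = cookies.get("SSO_ID")
        if sso_id in self.sessions:                      # SSO cookie present: no login page
            return self._success(key, success_url, self.sessions[sso_id], original_url, sso_id)
        return Response(302, f"{SSO_HOST}/sso/jsp/login.jsp?{urlencode({'site2pstoretoken': site2pstore_token})}")

    def login_post(self, username: str, password: str, site2pstore_token: str) -> Response:
        """login.jsp POST (page 9): check credentials, mint SSO_ID, bounce to the partner."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return Response(401)
        key, success_url, original_url = self._unpack(site2pstore_token)
        sso_id = secrets.token_urlsafe(24)
        self.sessions[sso_id] = username
        return self._success(key, success_url, username, original_url, sso_id)


class ModOsso:
    """Mid-tier Apache virtual host with <Location /app> protected by mod_osso."""

    def __init__(self, partner_id: str, host: str, sso: SsoServer):
        self.partner_id, self.host = partner_id, host
        self.key = sso.register_partner(partner_id, f"{host}/osso_login_success")
        self.partner_sessions = {}                       # partner cookie -> username

    def request(self, path: str, cookies: dict) -> Response:
        if cookies.get("OSSO_PARTNER") in self.partner_sessions:
            return Response(200)
        token = f"{self.partner_id}:{_sign(self.key, self.host + path, secrets.token_hex(8))}"
        return Response(302, f"{SSO_HOST}/pls/orasso/orasso.wwsso_app_admin.ls_login?{urlencode({'Site2pstoreToken': token})}")

    def osso_login_success(self, urlc: str) -> Response:
        username, original_url = _verify(self.key, urlc)   # a urlc for another partner fails here
        cookie = secrets.token_urlsafe(24)
        self.partner_sessions[cookie] = username
        return Response(302, original_url, {"OSSO_PARTNER": cookie})


def _param(resp: Response, name: str) -> str:
    return parse_qs(urlparse(resp.location).query)[name][0]


def full_login(partner: ModOsso, sso: SsoServer, path: str, username: str, password: str) -> dict:
    """Drive a cookie-less browser through pages 6-9; returns the status hops and cookies."""
    browser, hops = {}, []
    r = partner.request(path, browser); hops.append(r.status)             # no partner cookie
    token = _param(r, "Site2pstoreToken")
    r = sso.ls_login(token, browser); hops.append(r.status)               # no SSO cookie
    r = sso.login_post(username, password, token); hops.append(r.status)  # POST credentials
    if r.status != 302:
        return {"hops": hops, "final": None, "cookies": browser}
    browser.update(r.cookies)
    r = partner.osso_login_success(_param(r, "urlc")); hops.append(r.status)
    browser.update(r.cookies)
    hops.append(partner.request(path, browser).status)                    # now served directly
    return {"hops": hops, "final": r.location, "cookies": browser}
```

A second partner registered with the same SsoServer skips the login page for a browser that already carries SSO_ID: ls_login answers straight away with a redirect to that partner's osso_login_success, which is the single sign-on the slides are after.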

Page 10: OSSO workflow – not yet authenticated

[Same diagram as page 6]

OSSO server authentication class hierarchy:
- IPASAuthInterface (interface)
- SSOServerAuth implements IPASAuthInterface
- SSOX509CertAuth, SSOKerbeAuth and custom plugins extend SSOServerAuth

Important for integration: custom plugins are written by subclassing the OSSO server's SSOServerAuth.

Page 11: Oracle 11g Fusion / WebLogic

Problem: no infrastructure tier, so no SSO/OID/WNA

Page 12: Oracle 11g Fusion / WebLogic

- Premier Support for Oracle Single Sign-On 10gR3 ends on December 31, 2011
- Limited Extended Support for Oracle Single Sign-On from January 2012 through December 2012
- "It is strongly recommended that you use this additional time to integrate your single sign-on deployment with Oracle Access Manager"

Page 13: Oracle 11g Fusion / WebLogic

Extra licenses and servers:
- Oracle Access Manager
- Oracle WebLogic Server
- Directory Services Plus

x2 (HA?)

VMware?

Page 14: Oracle 11g Fusion / WebLogic

Cheaper alternatives?

Page 15: Oracle 11g Fusion / WebLogic

Introducing...

Page 16: Introducing OpenAM

- Open source alternative
- OpenAM (ForgeRock)
- Based on Sun's OpenSSO: open sourced before the Oracle acquisition; most of the OpenSSO team quit and started ForgeRock
- Makes use of OpenDJ (based on Sun's OpenDS) as data store

Page 17: Concept

The concept for most access managers is the same:

[Diagram: Access Manager with an ID store (LDAP); an AMAgent in front of the WebApp server; DB server]

- So the work is mostly the same (complex)
- But not the license costs!
- And the platform support and features!

OSSO: OID, mod_osso, Apache 1.3, OC4J
OpenAM: OpenDJ, policy agent

Page 18: OpenAM product support

OpenAM server runs on:
- Apache Tomcat 6.x / 7.x
- GlassFish v2
- JBoss Enterprise Application Platform 4.x, 5.x
- JBoss Application Server 7.x
- Jetty 7
- Oracle WLS 11g
- Oracle WLS 12c

OpenAM policy agents:
- Apache 2.0, 2.2, 2.4
- MS IIS 6, 7
- GlassFish v2, v3
- Jetty 6.1, v7
- Tomcat v6
- WebSphere v6.1
- WebLogic v10

Page 19: OpenAM authentication

Out of the box:
- Active Directory Auth
- Adaptive Risk Auth
- Certificate Auth
- HTTP Basic Auth
- HMAC OTP Auth
- JDBC Auth (example database table)
- LDAP Auth
- OATH Auth (Initiative for Open Authentication: HOTP RFC 4226 / TOTP RFC 6238)
- OAuth 2.0 Auth
- RADIUS Auth
- SecurID Auth
- Windows Desktop SSO Auth
- WSS Auth
- Federation (SAML, SAMLv2, WS-Fed 1.1)
- ...
- Custom Auth plugins

Page 20: OpenAM authorization

Authorization:
- Policy engine
  - Identity membership
  - LDAP filter
  - Time
  - Resource/location/IP
  - ...
  - Custom plugins
- Entitlements
  - eXtensible Access Control Markup Language (XACML)
  - OpenAM: policy administration & decision point (PAP/PDP)

Page 21: OpenAM architecture

[Architecture diagram; no text survives in the transcript]

Page 22: Integration

So how do we integrate with an Oracle stack?

Page 23: Use case

Use case requirements:
- Integrate with legacy IAS/OSSO: Portal 10g, Forms 10g, OC4J, OBIEE 10g
- Integrate with Forms 11g (FMW/WLS): a special case, as Forms *needs* OID
- Integrate with OBIEE 11g (FMW/WLS)
- Integrate with J2EE apps (FMW/WLS)
- Integrate apps in the cloud using SAMLv2

Page 24: Use case

[Diagram of the target architecture]
- OpenAM + OpenDJ on a Linux server cluster (Tomcat J2EE server)
- Legacy environment: Oracle 10g infrastructure (Oracle SSO server, LDAP sync with OpenDJ) and Oracle 10g mid-tiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g); SSO using the Oracle SSO server, tied to OpenAM through the AXI OSSO-OpenAM integration (custom OSSO plugin)
- New environment: Oracle 11g WebLogic (Forms 11g, J2EE, OBIEE 11g), LDAP sync with OpenDJ; SSO using OpenAM policy agents (J2EE policy agent, custom policy plugin)
- LAMP in the cloud: SAMLv2 service provider; SSO using SAMLv2

Page 25: Integration

1. Create a HA OpenAM server architecture

Page 26: OpenAM HA server architecture

[Diagram]
- sso.axi.be:80, HTTP load balancer in front of OpenAM on snsrv615:8080 and snsrv616:8080
- ldap.axi.be:389, TCP load balancer in front of OpenDJ on snsrv615:1389 and snsrv616:1389
- Master-master replication between the two OpenAM nodes and between the two OpenDJ nodes

Page 27: OpenAM HA server architecture

- Linux cluster: Keepalived cluster manager; RHEL or Ubuntu based
- HAProxy load balancer: L4 for LDAP load balancing, L7 for HTTP load balancing
- Apache 2.2 reverse proxy in front of Tomcat, for complex solutions (like integrating OSSO)
- OpenAM / Tomcat J2EE: session failover, multimaster replication
- OpenDJ: multimaster replication

Page 28: OpenAM HA server architecture

[Diagram]
- HAProxy pair (L7 LB for HTTP, L4 LB for LDAP): active/passive cluster, config synced between the nodes
- Apache 2.2 reverse proxy pair: active/passive cluster
- OpenAM pair: active/active cluster with session replication
- OpenDJ pair: active/active cluster with multimaster replication

Page 29: Integration OSSO

2. Integrate OSSO using a plugin

Page 30: Integration OSSO

[Diagram: the legacy part of the page 24 architecture. OpenAM + OpenDJ on the Linux cluster (Tomcat J2EE server); Oracle 10g infrastructure with the Oracle SSO server, LDAP sync to OpenDJ; Oracle 10g mid-tiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g) doing SSO against the Oracle SSO server; the AXI OSSO-OpenAM integration (custom OSSO plugin) sits between the Oracle SSO server and OpenAM]

    public class OpenAMAuth extends SSOServerAuth

Class hierarchy as on page 10: IPASAuthInterface, implemented by SSOServerAuth, which SSOX509CertAuth, SSOKerbeAuth and the custom plugin extend.

Page 31: Integration OSSO

[Same diagram as page 30]

Result: the user is authenticated in OSSO *and* OpenAM.

Page 32: Integration Forms 11g

3. Integrate Forms 11g

Page 33: Integration Forms 11g

Forms is *SPECIAL*:
- It will check the version of OID in SSO mode!
- What if you want to get rid of OID???

[Diagram: mod_osso / Forms 11g doing extra LDAP queries: RADs, root DSE orcldirectoryversion, osso-user-dn, osso-subscriber-dn]

Page 34: Integration Forms 11g

Forms is *SPECIAL*:
- Forms 11g can be plugged into an OID LDAP
- What if we could mimic OID using OpenDJ?
  1. Recreate the OID LDAP schema in OpenDJ (ldapsearch)
  2. Add orcldirectoryversion to the OpenDJ root DSE
  3. Plug Forms 11g into OpenDJ!!!

Page 35: Integration Forms 11g

Forms is *SPECIAL* but can make use of OpenAM/OpenDJ without OID.

[Diagram: OpenAM policy agent / Forms 11g doing the same extra LDAP queries against OpenDJ: RADs, root DSE orcldirectoryversion, osso-user-dn, osso-subscriber-dn]

Page 36: Integration OBIEE 11g

4. Integrate OBIEE 11g

Page 37: Integration OBIEE 11g

OBIEE 11g runs on top of WLS and makes use of Oracle Platform Security Services (OPSS):
- Switch from the embedded LDAP to OpenDJ (iPlanetAuthenticator)
- Configure an HTTP header identity asserter (Generic SSO)
- Configure OpenDJ (OBIEE groups: BIAuthor, BIAdministrators, etc.)
- Deploy the OpenAM J2EE policy agent
- Modify the OBIEE analytics WAR to add the J2EE filter (redeploy)
- Resync the identity GUID attribute with OpenDJ
- Modify the RPD to use LDAP in initialisation blocks

Note that a header identity asserter trusts whatever value arrives in the header, so WLS must only be reachable through the agent-protected path (the reverse proxy and policy agent on the next page); a client that can reach WLS directly could set the header itself.

Page 38: Integration OBIEE 11g

[Diagram, with steps numbered 1 to 7 in the original: OBIEE 11g / WLS with OPSS (ID store, policy store, credential store); Apache reverse proxy with SSL in front; the OpenAM J2EE policy agent (J2EE filter) in front of OBI; the HTTP header identity asserter (Generic SSO); the iPlanetAuthenticator against OpenDJ LDAP replacing the DefaultAuthenticator on the embedded LDAP; OpenAM and OpenDJ alongside]

Page 39: Integration cloud applications

5. Integrate cloud applications

Page 40: Integration cloud applications

OpenAM supports SAMLv2 (and WS-Fed 1.1) and can act as IdP:
- Agentless web SSO
- Cross-domain / cross-platform / cross-organisation
- Passive: all communication goes through the user's browser (HTTP POST / redirect bindings)
- Provide the app (service provider) with all needed info through SAML assertion attributes: displayName, email, application roles & rights
- Custom attribute mapper using JDBC
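The service-provider side of what this page describes, as an added example that is not part of the presentation or of OpenAM: the checks a SAML SP must make on an assertion before it trusts the displayName, email and role attributes the IdP put in it. The assertion below is constructed to look like one issued by the IdP at https://idp.axi.nl; the SP entity ID (https://cloudapp.example/sp) and the attribute names are assumptions. XML signature verification is deliberately not implemented here; a real SP verifies the signature with an XML-DSig library first and only then runs checks like these.

```python
import xml.etree.ElementTree as ET   # prefer defusedxml.ElementTree for untrusted input
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample: shaped like an assertion from https://idp.axi.nl for a cloud SP.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_abc123" Version="2.0"
    IssueInstant="2015-05-11T10:00:00Z">
  <saml:Issuer>https://idp.axi.nl</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">kurt@axi.be</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-05-11T10:00:00Z" NotOnOrAfter="2015-05-11T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://cloudapp.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Kurt Van Meerbeeck</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>kurt@axi.be</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="appRoles">
      <saml:AttributeValue>author</saml:AttributeValue><saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                       now: datetime, seen_ids: set, skew: timedelta = timedelta(seconds=60)) -> dict:
    """SP-side checks that come AFTER XML signature verification (not done here):
    issuer, validity window, audience and one-time use. Returns NameID and attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion not from the expected IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion without Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < _utc(not_before) - skew) or \
       (not_on_or_after and now >= _utc(not_on_or_after) + skew):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for another service provider")
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:             # replayed assertion
        raise ValueError("assertion already consumed")
    seen_ids.add(assertion_id)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attributes}


def has_role(identity: dict, role: str) -> bool:
    """Application rights come from the assertion, not from a local user table."""
    return role in identity["attributes"].get("appRoles", [])
```

The seen_ids set is what stops a captured assertion from being posted a second time within its validity window; in a clustered SP it has to live in shared storage, not in process memory.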

Page 41: Integration cloud applications

[Diagram: SAML identity provider (IdP), the OpenAM cluster at https://idp.axi.nl (AXI); policy agents on the internal app servers, SAML SPs on the external app servers; SAML-based SSO between them]

At this point... users logged on in Portal 10g can seamlessly log on to apps in the cloud using SAML!

Page 42: What about...

Wait... what about mobile devices?

Page 43: Out-of-the-box mobile app authentication with REST web services

[Diagram: mobile app -> https://mobile.axi.be (Apache 2.2 SSL reverse proxy with mod_security in the AXI public DMZ, J2EE server) -> https://sso.axi.be (Apache 2.2 SSL reverse proxy; OpenAM and OpenDJ on Tomcat, Linux keepalived cluster)]

(1) Authenticate: /identity/authenticate?username=<uname>&password=<passwd>
(2) Response: token.id=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(3) Validate: /identity/isTokenValid?tokenid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(4) Retrieve attributes (is customer?): /identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(5) Logout: /identity/logout?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
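A client for the five calls above, as an added example that is not code from the presentation or from OpenAM. It parses the key=value replies the legacy identity services return (token.id=..., boolean=true, and the repeated userdetails.attribute.name / userdetails.attribute.value lines of /identity/attributes). A fake OpenAM with a constructed user table is embedded so it runs offline; UrllibTransport is the drop-in for the real https://sso.axi.be. The exception names in the fake replies are modelled on OpenAM's, and the customerId attribute used for the "is customer?" decision is an assumption. One deliberate difference from the slide: credentials are sent in a POST body, because the GET form on the slide puts the password in the URL and therefore in every proxy and access log along the way (mod_security on the DMZ proxy included).

```python
import secrets
from urllib.parse import urlencode


def _kv(body: str) -> dict:
    """Legacy REST replies are 'key=value' lines (token.id=..., boolean=true, exception.name=...)."""
    return dict(line.partition("=")[::2] for line in body.splitlines() if "=" in line)


def parse_userdetails(body: str) -> dict:
    """/identity/attributes reply: each attribute.name line is followed by its value lines."""
    attrs, current = {}, None
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key == "userdetails.attribute.name":
            current = value
            attrs.setdefault(current, [])
        elif key == "userdetails.attribute.value" and current is not None:
            attrs[current].append(value)
    return attrs


class FakeOpenAM:
    """Offline stand-in for https://sso.axi.be; constructed users, not real data."""
    USERS = {"kurt": ("s3cret", {"mail": ["kurt@axi.be"], "customerId": ["AXI-0042"]}),
             "guest": ("guest", {"mail": ["guest@axi.be"]})}

    def __init__(self):
        self.sessions = {}      # token -> username

    def request(self, method: str, path: str, params: dict):
        if path == "/identity/authenticate":
            user, pw = params.get("username"), params.get("password")
            if method != "POST" or user not in self.USERS or self.USERS[user][0] != pw:
                return 401, "exception.name=com.sun.identity.idsvcs.InvalidCredentials"
            token = secrets.token_urlsafe(40)
            self.sessions[token] = user
            return 200, f"token.id={token}"
        if path == "/identity/isTokenValid":
            return 200, "boolean=" + str(params.get("tokenid") in self.sessions).lower()
        if path == "/identity/attributes":
            user = self.sessions.get(params.get("subjectid"))
            if user is None:
                return 401, "exception.name=com.sun.identity.idsvcs.TokenExpired"
            lines = [f"userdetails.token.id={params['subjectid']}"]
            for name, values in self.USERS[user][1].items():
                lines.append(f"userdetails.attribute.name={name}")
                lines += [f"userdetails.attribute.value={v}" for v in values]
            return 200, "\n".join(lines)
        if path == "/identity/logout":
            self.sessions.pop(params.get("subjectid"), None)
            return 200, ""
        return 404, ""


class UrllibTransport:
    """Real transport: credentials in a POST body, other parameters in the query string."""

    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")      # e.g. https://sso.axi.be/openam (assumed context)

    def request(self, method: str, path: str, params: dict):
        import urllib.error, urllib.request
        data = urlencode(params).encode() if method == "POST" else None
        url = self.base_url + path + ("" if data else "?" + urlencode(params))
        req = urllib.request.Request(url, data=data, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:   # TLS verified by urllib
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()


class IdentityClient:
    def __init__(self, transport):
        self.transport = transport

    def authenticate(self, username: str, password: str) -> str:
        status, body = self.transport.request("POST", "/identity/authenticate",
                                              {"username": username, "password": password})
        if status != 200:
            raise PermissionError(_kv(body).get("exception.name", body))
        return _kv(body)["token.id"]

    def is_token_valid(self, token: str) -> bool:
        _, body = self.transport.request("GET", "/identity/isTokenValid", {"tokenid": token})
        return _kv(body).get("boolean") == "true"

    def attributes(self, token: str) -> dict:
        status, body = self.transport.request("GET", "/identity/attributes", {"subjectid": token})
        if status != 200:
            raise PermissionError(_kv(body).get("exception.name", body))
        return parse_userdetails(body)

    def logout(self, token: str) -> None:
        self.transport.request("GET", "/identity/logout", {"subjectid": token})


def is_customer(client: IdentityClient, token: str) -> bool:
    """Step (4) on the slide: decide from a directory attribute (customerId is an assumption)."""
    return bool(client.attributes(token).get("customerId"))
```

Because the mobile back-end calls isTokenValid on every request, a token that has been logged out (step 5) or has expired is refused at the first call after that, and /identity/attributes returns 401 instead of stale data.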

Page 44: Use case

[Same architecture diagram as page 24, now with the mobile REST web services path added]
- OpenAM + OpenDJ on a Linux server cluster (Tomcat J2EE server)
- Legacy environment: Oracle 10g infrastructure (Oracle SSO server, LDAP sync with OpenDJ) and Oracle 10g mid-tiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g); SSO using the Oracle SSO server, tied to OpenAM through the AXI OSSO-OpenAM integration (custom OSSO plugin)
- New environment: Oracle 11g WebLogic (Forms 11g, J2EE, OBIEE 11g), LDAP sync with OpenDJ; SSO using OpenAM policy agents (J2EE policy agent, custom policy plugin)
- LAMP in the cloud: SAMLv2 service provider; SSO using SAMLv2
- Mobile: REST web services

Page 45: Conclusion

Who can benefit from OpenAM:
- Organisations running IAS 9i/10g migrating to 11g WLS
- Organisations running multiple web-based apps that want to implement SSO
- Organisations wanting to integrate cloud apps using SAMLv2
- Organisations wanting to implement WS-Security
- Organisations wanting to migrate from Sun OpenSSO to ForgeRock OpenAM

Benefits:
- Proven technology: Sun OpenSSO!
- Easy to customize (auth plugin, policy plugin, SAML assertion plugin, etc.)
- Pricing

Page 46: Q & A