Tuesday, June 29, 2010

Oracle Access Manager (OAM) and the SSO Synchronization Filter

A while back I wrote about some challenges concerning session management in an OAM/SSO enabled environment. I briefly mentioned that the WebLogic SSO Synchronization Filter can help address some of these challenges.

Today I’d like to explore the SSO Sync Filter in a little more detail. The filter is implemented as a system filter for WebLogic 11g, so it runs in front of every web application deployed to the server without any per-application web.xml changes. It works in conjunction with the OAM Identity Asserter for WebLogic and is only active when the OAM Identity Asserter is configured in the security realm.

It works by comparing the value of the OAM_REMOTE_USER header set by the OAM WebGate with the name of the user principal attached to the current WebLogic session. If the two agree, the filter lets the request through. If they disagree, the filter invalidates the WebLogic session (the one tracked by the JSESSIONID cookie) and redirects the user back to the same URL. Replaying the request either results in a user challenge or establishes a fresh WebLogic session carrying the same identity as the OAM session.
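The check above, written out as an ordinary servlet filter. This is an added illustration, not Oracle’s system filter (which you never write or register yourself): the class name, the decision to pass a request through when no user principal exists yet, and the exact string comparison are all assumptions made here for the example.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative re-implementation of the OAM/WLS session sync check.
 * Not the Oracle SSO Synchronization Filter; class name is hypothetical.
 */
public class OamSessionSyncFilter implements Filter {

    // Header the OAM WebGate sets in front of WebLogic.
    static final String OAM_HEADER = "OAM_REMOTE_USER";

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String oamUser = request.getHeader(OAM_HEADER);
        if (oamUser == null || oamUser.length() == 0) {
            // No header: treat the resource as unprotected by OAM and leave
            // whatever WebLogic session exists untouched.
            chain.doFilter(req, res);
            return;
        }

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Assumption for this example: nothing on the WLS side to compare
            // against yet, so let the identity asserter establish the session.
            chain.doFilter(req, res);
            return;
        }

        // Assumption: exact match. If your asserter maps the header through a
        // different attribute (e.g. DN vs. uid) compare the mapped value.
        if (oamUser.equals(principal.getName())) {
            chain.doFilter(req, res);
            return;
        }

        // Mismatch: the WLS session is stale (OAM logout and re-login as a
        // different user, or an OAM session that timed out and was re-created).
        // Drop it and replay the same URL so a fresh session is built.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        String target = request.getRequestURI();
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

If you were deploying a filter like this yourself (again, not needed with the real system filter), you would map it to /* in web.xml ahead of any application filters, so the identity check happens before application code touches the session.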

Note that the SSO Sync Filter has no knowledge of OAM policies. Its view of what is or isn’t protected is based only on the headers it sees in the request. If no OAM_REMOTE_USER header is present, the filter assumes the request is for an unprotected resource and passes it through. On the other hand, resources protected by the OAM anonymous authentication scheme are considered protected by the filter, since an OAM_REMOTE_USER header is always present for such resources, set either to a real authenticated user or to the configured anonymous user identity. One consequence worth keeping in mind: because the filter, like the identity asserter, trusts that header, it only does its job in a topology where WebLogic is reachable solely through the WebGate-fronted web server.

Given the functionality described above, the filter is a great aid in addressing the session synchronization problems that occur in an OAM/SSO-enabled environment, in particular a WebLogic session outliving an OAM single logout or an OAM session timeout.

The documentation for this valuable Fusion Middleware component can be found here: http://download.oracle.com/docs/cd/E15523_01/core.1111/e10043/osso.htm#CHDHDBED

In my next post, I’ll discuss how to address the issue of JSESSIONID Cookie Overriding in SSO enabled environments.
