Tuesday, January 25, 2011

Do we have an OAM Web Gate for Microsoft .NET 4.0?

A question came in on one of the Oracle internal mailing lists with the following question:
One of their partners achieves a single sign-on with them by means of our CoreId/web gate product. Do we have a CoreID/web gate product that works with Microsoft .Net 4.0?
The short answer is that you don't need a .NET WebGate so no, there isn't one.

The long answer is a bit more complicated.

When people talk about .NET in the web world they're usually talking about ASP.NET which runs inside IIS. So the question really becomes something more like "is IIS and ASP.NET with the .NET runtime version 4.0 supported?"

The answer is that IIS is supported and the ASP.NET app can be protected by the WebGate. If that's all you need then your ASP.NET app should work just fine.

The only additional point is that ASP.NET apps sometimes (often?) expect to be run in the security context of a user. Meaning they don't get the username out of an HTTP header but instead get it by making a call back to Windows and asking for the user identity. In this case asp.net is configured with

<identity impersonate="true" />

If you want that to work then you need to use OAM's Windows Impersonation feature documented here.

Twiddle those knobs and you should be able to protect any ASP.NET app you've got lying around.

Hope this helps!

10 comments:

  1. Thanks so much for the tremendously valuable blog!

    I am interested in understanding how ASP.NET SSO integration is accomplished in OAM 11g now that impersonation is not available/supported. See http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15478/intro.htm#CHDICJIG.

    I am thinking about writing a C# HttpModule to pass headers to ASP.NET, but is a better way???

    ReplyDelete
  2. You're right - the Impersonation functionality isn't in the 11g WebGate.

    If you want to write your own code you'll need to do a bit more than passing some HTTP headers. The API you're looking for is S4U2Proxy.

    A warning: I've used that API in an ISAPI filter I wrote in C before and it was a fairly hairy chunk of code to figure out; I eventually got it working once I turned up an example somewhere on the net. Alternatively you *should* be able to do it in a .NET filter, though I've never actually done that myself.

    I've reached out to PM to see if I can get an official statement on this functionality in OAM 11g. In the meantime you can still use OAM 10g WebGates with an OAM 11g server. I'd recommend going that route for now.

    ReplyDelete
  3. Confirmed.

    PM advises that you should use the 10g WebGate with the 11g server if you want the Windows security impersonation functionality discusses above with OAM 11g.

    ReplyDelete
  4. Thanks Chris. I'm not sure I quite follow.

    In 10g, impersonation requires configuration in both the WebGate and the Access Server. In 11g, the OAM console no longer has the impersonation config options available...regardless of whether I use a 10g or 11g WebGate....I might be mistaken but I don't think an 11g IIS WebGate is available yet. I have been using 10g WebGates all along.

    Could you possibly elaborate on the method to configure a 10g WebGate impersonation under 11g Access Server? I understand pretty clearly how the IIS side is configured. My confusion is centered around how the Access Server (OAM Console) is configured in 11g since the impersonation fields that should be filled in no longer exist. See http://download.oracle.com/docs/cd/E12530_01/oam.1014/e10356/imprsn.htm#CACHHIIJ

    Thanks again for being an excellent source of information around the 11g FMW Security Products!

    ReplyDelete
  5. Hi David and Chris,
    Was just wondering if there's been any progress on how to migrate 10g impersonation functionality into 11g?

    This is a use case that I have and am currently stuck for an answer - developing a custom solution would seem to be a major step backwards and not an ides that would be well received by existing 10g customers....

    Maybe it's on the PM roadmap...?

    ReplyDelete
  6. We are actively working on getting an answer from PM and engineering and will get an update here ASAP!

    ReplyDelete
  7. We are also involved in a project where this issue has to be covered.

    Can you please confirm that in the meantime (waiting the roadmap to go on) you can still use OAM 10g WebGates with an OAM 11g server and the Outlook Web Access (OWA)will work with SSO using Out Of The Box integration?

    Thank you very much for your support

    Regards

    ReplyDelete
  8. @Paolo it is my understanding that you should be able to do that. The configuration directives are not necessarily exposed in the GUI, but in the registration process you can include those directives and they should be stored and used properly by the WebGate at runtime.

    Unfortunately I personally don't have an Exchange + IIS + OWA environment to test with. If you try it and run into trouble please let me know either here or by email.

    ReplyDelete
  9. Hi Chris,

    Do you know how do we include impersonation directives in OAM 10g webgate registration process, in an OAM 11g deployment ? We're trying to implement sharepoint integration with OAM 11g, and I understand that it is possible to do this with OAM 10g webgates.

    And one more question , Is WNA an alternative to do this integration ?
    Thank you indeed.

    Ece

    ReplyDelete
  10. Ece,

    You add them to the XML file before you run rreg. The sample input file should have the fields - look through and you'll see them.

    WNA won't help you here - The way that WNA works in OAM is that the WebGate redirects you to the OAM server to authenticate, the OAM server asks your browser for a Kerberos token, OAM consumes that Kerberos token and establishes an OAM session based on the info in it. After that the OAM server redirects you back to the WebGate and the WebGate talks to the OAM server to determine if you should have access.

    Chris

    ReplyDelete

Note: Only a member of this blog may post a comment.