Tuesday, June 26, 2012

LibOVD: when and how

LibOVD, introduced in FMW, is a java library providing virtualization capabilities over LDAP authentication providers in Oracle Fusion Middleware. It is delivered as part of OPSS (Oracle Platform Security Services), who is available as part of the portability layer (also known as JRF – Java Required Files). In other words, if you are a JDeveloper, WebCenter, SOA or IAM customer, you already have libOVD.

LibOVD provides limited virtualization capabilities when compared to its big brother OVD (Oracle Virtual Directory), who is a full-blown server implementing the LDAP protocol with far more advanced virtualization features, including OOTB support for LDAP and database backend servers, advanced configuration for adapters, out-of-box plug-ins as well as a plug-in programming model allowing for almost limitless possibilities in transforming data and connecting to external data sources.

1. When

LibOVD is primarily designed to work as an embedded component for FMW components who need to look up users and groups across distinct identity providers. If you had a chance to look at this post, you already know the User/Role API can take into account only one authentication provider.

Thursday, June 14, 2012

5 minutes or less: Indexing Attributes in OID

I’ve written this short post as just a note to myself quite some time back. Since I had to rely on it quite a couple of times, I thought it would be worth sharing it with our readers.

It may be too basic to some people, but I am sure others out there had, are having or will have issues when running searches with LDAP filters against OID (Oracle Internet Directory), especially if those filters refer to custom attributes. The information presented here is certainly available in OID Administration Guide at Managing Directory Schema chapter, but it still might be a little bit scattered.

[Update on 12/02/2013]: Starting with OID, there's an autocatalog feature that automatically indexes attributes upon a search. This is controlled by DSA-wide orclautocatalog attribute, which is enabled by default.

First and foremost: an attribute is only searchable in OID if it is indexed. This is definitely not the case of any your brand new custom attributes.

Any search containing a non-indexed attribute in the ldap filter will return something like:

Friday, June 8, 2012

Before I forget it: HowTo SAML 2.0 IdP-initiated flow in Weblogic

I’d better do it now, otherwise I will forget the details.

Quite some people think that all an IdP-initiated flow requires is the target application URL in the consumer side. This is actually nothing more than a SP-initiated flow. In this way, you’ll hit the Service Provider with no SAML Assertion, will be redirected back to the IdP for the SAML assertion and then sent back to the Service Provider.

An IdP-initiated flow actually first needs to get a hold of a SAML assertion for the authenticated user. The assertion is then submitted along with the request to the target application URL. If the Service Provider decides to accept the assertion, the user is granted access. There’s no need to come back to the IdP for the assertion.

This short post is about how to configure Weblogic SAML 2.0 for an IdP-initiated flow.

The URL to be given to the end user for an IdP initiated flow in Weblogic is:

Tuesday, June 5, 2012

Integrating OBIEE 11g into Weblogic’s SAML SSO

SAML is a way to convey identity information across systems. It is an industry-accepted standard and especially interesting when you need to propagate user information between different security domains, because it can overcome the HTTP cookie limitations in cross-domain scenarios (although there are ways to solve that with OAM today) and implement the concept of  transient federation (also known as virtual users), where the user base is not shared between partners.

I've recently came across a scenario requiring OBIEE 11g integration into SAML 2.0 SSO. The requirement was that OBIEE 11g should be able to drive its authorization decisions based on the SAML Subject as well as SAML Attribute Statements from the SAML Assertion generated by a home-built Identity Provider (IdP). This post examine what can be done (and how) in this scenario.

The exact products versions used in this demo are as follows:
  • Platform: Windows XP Server
  • Oracle Weblogic Server 10.3.5
  • Oracle Business Intelligence Enterprise Edition

Monday, June 4, 2012

Protecting a WebCenter app with OAM 11g

Last year I wrote an article on OAM and ADF Applications with Anonymous access. This week I did some work with another A-Team guy building on that previous work.

The new requirement was that the customer wanted two different portions of the app to be protected by different login pages. In other words a user would start on an unprotected page and then choose to go to "A" or "B". If you click on "A" you see one login page and then (after logging in) you see page A. If you click on B you see a different login page and then page B.

If I was doing this with plain old HTML or JSPs I would probably just put A's resources in directory /a/ and B's resources in /b/ and we'd be done. But as you know from the previous post things can get a little bit more complex when you are using ADF.

Martin is going to blog more deeply about the ADF side of the story (link to follow) and
I'm blogging about the OAM setup side.

Martin's post is now available on the A-Team's WebCenter blog.