OAM 11g - IPM Integration

Here is a post that integrates OAM 11g with IPM.  This integration is implemented on top of the OAM/UCM integration I did back in December.

 

Prerequisites

1. Install, configure and integrate UCM with OAM.  Click here for the post I did for OAM/UCM.
2. Install and configure IPM with the same OHS proxy used to proxy the UCM application.

 

High Level Steps/Checklist

1. Configure an OHS server to proxy all request to IPM (/imaging). 
2. Register a webgate with the URL’s you want to protect.
3. Configure an OAM Identity Asserter and LDAP/OVD provider in Weblogic. 
4. Validate users can access IPM with WLS Security. 
5. Install a webgate on OHS server and validate.

Notes:

Steps 2 through 4 may have been completed in the steps defined in the OAM-UCM integration.

Verifying the ‘/imaging’ URL may result in a “404 Not Found” error. This will occur if you have a webgate on the OHS server already installed and have not defined a policy to protect this URI. This is expected due to the webgate setting of ‘denyOnNotProtected’.

 

Detail Steps

1. Follow the documentation to configure OAM Access Manager 11g with Oracle IPM, Section 2.3.5: http://download.oracle.com/docs/cd/E17904_01/admin.1111/e12782/c02_security.htm#CDDFAFAC
   
   
   2.3.5 - Integrating Oracle IPM With Oracle Access Manager 11g
   

   1. OAM/Webgate have already been configured and installed.
   2. Modify the mod_wl_ohs.conf file with the forwarding URL
   • 
     <Location /imaging>
     SetHandler weblogic-handler
     WebLogicHost <hostname>
     WebLogicPort <portnumber>
     </Location>
      
   3. Use the remote registration tool oamreg as follows in section 15.2.2.2:http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/osso_b_oam11g.htm#JISEC9104
      15.2.2.2 - Provision with 11g Webgate

1. Acquire the tool
• The rreg tool can be found and executed on the same box where OAM is installed. No need to un-tar.
2. Created a new IPM-Request.xml. Since the same OHS server used to proxy UCM, is being used to forward/proxy the IPM app, use the same host identifier and agent name as defined for UCM. The only difference being the protected and public resources.
• <OAM11GRegRequest>
  <serverAddress>http://ateam-hq66.us.oracle.com:7003</serverAddress><hostIdentifier>UCM-INT</hostIdentifier>
  
  <agentName>UCM-INT</agentName>
  <protectedResourcesList> 
  <resource>/imaging/faces</resource> 
  </protectedResourcesList>
  <publicResourcesList> 
  <resource>/imaging</resource> 
  </publicResourcesList></OAM11GRegRequest>
   
3. On the command line, execute the following:

./bin/oamreg.sh inband input/IPM-Request.xml

When asked to enter the admin and password, make sure the user is part of the system store you configured for OAM (e.g testuser1/welcome1) 

NOTE: Make sure you copy the new artifacts from the RREG output directory to the OHS webgate directory (i.e. .../Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config) and restart the OHS server.

Steps 4 and 5 from Section 2.3.5 was already completed during the UCM/OAM setup.

Trouble shooting tips:

• Cannot login via OAM – A few things to verify:
  • Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.
  • Make sure that the WLS provider matches the same OAM data store configuration.

Custom transformation provider for OIM GTC connector

GTC based connector is one of the most used approaches for reconciling data into OIM, specially through the use of flat files. A common issue is that some customers do not allow direct communication between OIM and the HR system (for different reasons like outsourced HR system, security constraints and others), hence a flat file is made available to OIM so that it reconcile users.

Very often, there is a need to manipulate the data to be reconciled in OIM through the GTC connector. When that is true, most of customers end up creating event handlers to manipulate reconciled data. The problem with this approach is that in OIM 11g, only 'post process' event handlers can be used to manipulate reconciliation data (and the data can only be manipulated after reconciled into OIM), and this can make some manipulations really tricky and/or cumbersome.

Scripts to ease building your Identity Management environment

One of my mottos is "why do something by hand if you can automate it in twice the time?"

So a while back I put together a bunch of scripts to do just that. They've been handed around by a few people and Warren Strange eventually had the sensible idea to put them up on GitHub along with some other useful stuff.

I can only take credit for the "installscripts" directory there, but thought I'd at least put a pointer here to the main project.

Get them at https://github.com/Oracle-IAM/Oracle-IAM-Scripts

Remember that these scripts were originally written for my own use so they may or may not be appropriate (or even work) for you.

Retrieving and Setting HTTP Headers in BPEL

The capability to retrieve and set HTTP headers in BPEL was recently added to Oracle SOA Suite 11g. Edwin Biemond has written an excellent blog post on how to use this capability.

From a security/IDM perspective, I think this feature opens up the ability to create some interesting solutions whereby identity information is added to HTTP headers by OAM (or other SSO products) in the web tier and consumed by services in the app tier. It also makes it possible to pass identity data between services in HTTP headers and thereby ignore having to modify web service requests themselves.

I’ll only add as a warning to remember that end users have the capability to add whatever HTTP headers they want to the requests they make. So, solutions should be developed with this in mind. In particular, if you are going to create a solution that depends on BPEL consuming an HTTP header created by an OAM response, you need to take steps to either ensure that this header really came from OAM (by signing or encrypting it) or take steps to ensure that all requests to BPEL really did originate by coming through the web tier with OAM.

Unsolicited login with OAM 11g

In a previous post I talked a little about protecting only a part of an application with OAM. I included this bit of text describing the use case:

But what if you want to let users access part of the app anonymously, but require them to log in to access some of the apps features? I don't know what anyone else calls this sort of flow, but I call it the shopping cart model (browse around tossing stuff in your card, then sign in to check out).

That post talked about how to support the "shopping cart" login model with OAM if you're using ADF, but what if you're trying to accomplish that with plain old HTML or something else?