In my last post I wrote about the complicated and timely process of determining all of a user’s group memberships when an LDAP namespace includes nested and dynamic group memberships. I wrote about how you can simplify and speed up getting a user’s group memberships through the use of a dynamic “member of” attribute and specifically the orclMemberOf attribute in OID.
Today I’d like to extend this discussion to WebLogic server authentications.
Wednesday, July 18, 2012
Tuesday, July 17, 2012
OIM & Connector Server
New versions of OIM connectors have been released in the
past few months(version
number is 11.1.1.x). These new releases bring
an important change to OIM connectors: they are based on the Identity Connector
Framework (IFC). The 11.1.1.5 documentation for the ICF is available at:
One of the things that ICF brings is the capability of
deploying connectors to an ‘Identity Connector Server’(but keep in mind you still need to deploy the connector to OIM as well). When using a connector
server, OIM will delegate to the connector server the execution of the provisioning
tasks. Except for the .NET based connectors (like AD and Exchange), the
connector server is an optional piece in an OIM topology and its use depends on the project requirements.
Labels:
connector,
ICF,
OIM 11g,
oim 11g academy
Friday, July 13, 2012
Oracle Identity Management 11g R2 Launch Webcast
The 11g R2 release of the Oracle Identity Management stack is upon us. The 11g R2 release greatly expands the capabilities of the stack, especially in the area of cloud and mobile environments. On Thursday, July 19 at 10am PST / 1pm EST there will be an interactive Oracle Identity Management 11g R2 launch webcast hosted by Oracle product development executives Hasan Rizvi and Amit Jasuja.
Register now for the interactive launch Webcast, and don’t miss this chance to have your questions answered by Oracle product experts.
Register now for the interactive launch Webcast, and don’t miss this chance to have your questions answered by Oracle product experts.
Thursday, July 12, 2012
Simplifying OIM 11g Series (Chapter One)
Introduction
This is the first one in a series
of posts dedicated to the design of tools that have the common goal of
simplifying or enhancing the functionality provided by OIM 11g. As more and
more customers implement OIM 11g, new challenges arise and new issues are
uncovered. OIM 11g is a very powerful platform but given the complexity of the
problems OIM tries to solve, we have to admit that the product itself is sometimes not the easiest to
implement by customers. The tools described in this series of articles have the
purpose of facilitating the implementation of advanced capabilities of OIM or
enhance some of the features of OIM making them capable of fulfilling certain
use cases that have been traditionally complex to implement (but nevertheless, always
possible).
In this article we will cover the
design of a framework that allows business users to define provisioning
processes that include approvals, sophisticated approval request routing and
advanced user interface customization capabilities. A reference implementation of this framework will be presented in subsequent posts along the series.
Overview
OIM 11g defines two types of processes: Provisioning and Approval Processes. Provisioning processes are defined in OIM’s Design Console, whereas the Approval Processes are implemented in Oracle’s SOA Suite via SOA Composites and BPEL. As you can imagine, customers now have to deal with the intricacies of BPEL and the corresponding tools set. In some cases, the customers don’t have the necessary skills set to be able to customize Approval processes to fulfill complex use cases. This tends to produce less than desired results because - if best practices are not followed properly - there is a strong chance that the end solution won’t perform as expected. Now, due to the fact that Approval processes are defined using SOA Suite artifacts, only experienced developers that understand JDeveloper will be able to implement any required customizations to the processes. Moreover, Approval Processes are the ones that are mostly associated to the business, so Business Users should be able to define the proper approval flows that make sense to their business.
So the idea here is to design a
set of tools that can be run on top the OIM 11g’s engine that will allow
business users to define provisioning processes and approval flows. In order to
achieve this, the tool kit needs to have the following:
- A set of components that will perform tasks required by the framework including:
- A Pre-Populate adapter that supports multi-value attributes.
- A SOA Composite that will execute provisioning tasks and request application roles used to provision resources (this will be explained in detail later on).
- An XML Schema to represent provisioning process definitions in XML.
- The GUI that Administrators and/or Business Users can use to define provisioning processes.
- A set of hooks where developers can implement extensibility interfaces to extend the functionality of the framework and can be deployed through the interface mentioned above.
Framework Components
The first thing to be addressed is the definition of the components in the framework. So the best way I know to start defining such components is to make a list of the tasks that are part of a provisioning operation, here they are:
- Capture User Data
- Route Approval Requests
- Provision Approved Resources
Capture User Data
In this case the method used to capture data is via forms. Whereas OIM allows for the definition of input forms these apply to resource objects that are to be provisioned. OIM has the following process to configure request based provisioning:
- Connectors define a Data Set which could potentially be customized. A data set is an XML file that contains the definition of the fields displayed in an input form including the UI element used to capture the value for the field and other metadata that indicates to whom the field is visible, the type of value it accepts and whether it is mandatory or not.
- The Data Set has to be imported into MDS to be usable for Request Based Provisioning. This is not done at the time the connector is installed, it is done afterwards. The reason for this is that Data Sets can be customized to fulfill particular requirements so it would not make sense to import a dataset by default until customers are certain that the out of the box Data Set will address their needs.
- A provisioning form is still required for entering the data for the request. This is the input form that OIM allows administrators to design and it is used for the actual resource provisioning. This form can be pre-populated with information coming from a variety of sources, including OIM’s user profile attributes. This is one of the capabilities we intend to leverage in our solution with a few tweaks.
- If the provisioning of a resource is subject to approval, then a request template configured with the proper approval process is necessary. This is also dependent on the data sets for the resources being imported to MDS.
As made evident by the
description above, OIM has a bit of a complex setup when it comes to
self-service request based provisioning. Even though the complexity is sort of
justified for the sake of flexibility and feature richness, it can easily get
out of hand. So the approach I am going to follow to simplify this
configuration is the following:
- In order to prevent administrators from having to import datasets to MDS just to be able to request a resource object I am going to use access policies in combination with out of the box roles and a customization used to manage multi-value attributes in OIM’s User profile.
- There are already out of the box request templates to self-request role assignment which don’t need importing a data set. So I intend to leverage those templates for my implementation.
- A specialized composite will be written to execute my version of a provisioning process which internally will generate requests for roles associated to each requested resource. An approval process that can be easily defined by business users through a provided user interface will be executed by a customized SOA Composite generated using OIM 11g’s command line tools (I call this composite OIM’s Composite). OIM’s Composite invokes a Web Service that generates a representation of an approval routing in XML which is read by the configuration of the participants of the composite’s Human Task. This representation is generated based on the specification of the approval process defined by the business users.
Route Approval Request
As part of any provisioning
process, approvals may be and are often required. An approval process that can
be easily defined by business users through a provided user interface will be executed
by a customized SOA Composite generated using OIM 11g’s command line tools (I
call this composite OIM’s Composite).
OIM’s Composite invokes a Web
Service that generates a representation of an approval routing in XML which is
read by the configuration of the participants of the composite’s Human Task.
This representation is generated based on the specification of the approval
process defined by the business users.
In this manner Business Users
don’t need to be experts in JDeveloper or even need a developer to implement
approval flows because these can be defined using an intuitive user interface.
These descriptors are stored on the file system so if working with a cluster of
OIM Servers they need to be available on all servers, but this requires only
copying the files and that’s it; no server restarts are necessary.
Provision Approved Resources
Since all we are doing is
leveraging OIM’s advanced capabilities for automatic provisioning this is taken
care of by the access policies and potentially a pre-populate adapter to
support multi-value attributes.
The
idea is to have a role associated to each Resource Object/IT Resource
combination so a policy can easily be defined for the automatic provisioning of
a resource object instance connected to an IT Resource target. If child forms
need to be populated the custom pre-populate adapter will take that information
from a special table (part of this framework) that extends the user profile of
OIM to support multi value attributes.
Summary
This first article describes a framework that has the goal of simplifying the use of OIM 11g's features in customer implementations. The article only covers the design of such framework, while subsequent posts will cover a reference implementation of the components described here that customers and partners can leverage to build a tool kit targeted to make OIM 11g implementations simpler.
Wednesday, July 11, 2012
Fast Group Membership Lookups in OID with the orclMemberOf Attribute
If you utilize nested and dynamic groups (and especially nested dynamic groups), then it can take a lot of effort and time to calculate all of a user’s group memberships in an LDAP directory.
First you have to search for the user and find the user’s DN. Then you have to search all your groups to figure out which groups your user is directly a member of. Then for each of those groups you have to search all your groups again to see which of those groups your user is a member of.
You have continue to search your groups with the results of each subsequent search until you reach the maximum desired level of nested memberships that you want to pursue or all the searches come back empty. All the while you have to keep yourself out of infinite loops created by repeating memberships such as when two groups are members of each other.
Many LDAP directories simplify things through a virtual “member of” attribute which is a virtual multi valued attribute containing all of the groups a user is a member of through both direct and indirect means.
It may have escaped your notice, but OID joined the party fairly recently (in 11.1.1.4 I believe) and now supports such an attribute. The attribute’s name is orclMemberOf. You can read all about the attribute here; but suffice it to say it is a dynamic multi valued attribute containing the groups to which a member belongs.
The membership includes both direct membership and indirect membership from nested groups. It also includes membership from dynamic groups and dynamic nested groups based on labeleduri.
The attribute value is computed during a search and is not stored. This means you will not see orclMemberOf populated in an LDAP data browser including ODSM. Further, the value is not returned by default in searches. You have to explicitly request it. Lastly, orclMemberOf cannot be used in a search filter.
One nice little additional feature thrown in is that the aliases of memberof and ismemberof are supported for compatibility with code written for compatibility with Active Directory and Oracle Directory Server Enterprise Edition (DSEE) / SunOne / IPlanet.
Below is a sample search with results for a specific user where I request and receive the value(s) of orclMemberOf. You will also notice that nested memberships are returned multiple times, once for each group that the user belongs to that is a member of another given group. So, watch out for that.
In a future post, I'll discuss how you can use the orclMemberOf attribute to greatly speed up authentication into WebLogic and Fusion Middleware Products such as SOA Suite and WebCenter which utilize WebLogic's security framework.
[oracle@oam1 bin]$ ./ldapsearch -h oam1.example.com -p 3060 -D cn=orcladmin -w Oracle1_g -b "cn=Users,dc=example,dc=com" -L -s sub -v "uid=tim.doyle" memberOf
ldap_open( oam1.example.com, 3060 )
filter pattern: uid=tim.doyle
returning: memberOf
filter is: (uid=tim.doyle)
dn: uid=tim.doyle,cn=users,dc=example,dc=com
memberof: cn=administrators,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=nyusers,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=nestgrp1,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamcsrmanagergroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamenvadmingroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamruleadministratorgroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=product support group,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
1 matches
First you have to search for the user and find the user’s DN. Then you have to search all your groups to figure out which groups your user is directly a member of. Then for each of those groups you have to search all your groups again to see which of those groups your user is a member of.
You have continue to search your groups with the results of each subsequent search until you reach the maximum desired level of nested memberships that you want to pursue or all the searches come back empty. All the while you have to keep yourself out of infinite loops created by repeating memberships such as when two groups are members of each other.
Many LDAP directories simplify things through a virtual “member of” attribute which is a virtual multi valued attribute containing all of the groups a user is a member of through both direct and indirect means.
It may have escaped your notice, but OID joined the party fairly recently (in 11.1.1.4 I believe) and now supports such an attribute. The attribute’s name is orclMemberOf. You can read all about the attribute here; but suffice it to say it is a dynamic multi valued attribute containing the groups to which a member belongs.
The membership includes both direct membership and indirect membership from nested groups. It also includes membership from dynamic groups and dynamic nested groups based on labeleduri.
The attribute value is computed during a search and is not stored. This means you will not see orclMemberOf populated in an LDAP data browser including ODSM. Further, the value is not returned by default in searches. You have to explicitly request it. Lastly, orclMemberOf cannot be used in a search filter.
One nice little additional feature thrown in is that the aliases of memberof and ismemberof are supported for compatibility with code written for compatibility with Active Directory and Oracle Directory Server Enterprise Edition (DSEE) / SunOne / IPlanet.
Below is a sample search with results for a specific user where I request and receive the value(s) of orclMemberOf. You will also notice that nested memberships are returned multiple times, once for each group that the user belongs to that is a member of another given group. So, watch out for that.
In a future post, I'll discuss how you can use the orclMemberOf attribute to greatly speed up authentication into WebLogic and Fusion Middleware Products such as SOA Suite and WebCenter which utilize WebLogic's security framework.
[oracle@oam1 bin]$ ./ldapsearch -h oam1.example.com -p 3060 -D cn=orcladmin -w Oracle1_g -b "cn=Users,dc=example,dc=com" -L -s sub -v "uid=tim.doyle" memberOf
ldap_open( oam1.example.com, 3060 )
filter pattern: uid=tim.doyle
returning: memberOf
filter is: (uid=tim.doyle)
dn: uid=tim.doyle,cn=users,dc=example,dc=com
memberof: cn=administrators,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=nyusers,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=nestgrp1,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamcsrmanagergroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamenvadmingroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=oaamruleadministratorgroup,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
memberof: cn=product support group,cn=groups,dc=example,dc=com
memberof: cn=groupofgroups,cn=groups,dc=example,dc=com
1 matches
Labels:
LDAP,
LDAP Groups,
oid
Subscribe to:
Posts (Atom)