Using Oracle Identity Manager's bulk load tool is a great way to load large numbers of user records into OIM in an efficient and performant way. The standard and documented usage of the tool does not make provision for the loading of unique user passwords, though. This article describes an approach that can be used to achieve that requirement. This post is also part of the OIM 11g Academy Series.
Monday, June 17, 2013
Friday, June 14, 2013
Part 4: Kerberos Authentication, RBAC and SAML identity propagation in OAG
This post is the fourth and last post of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).
In the first post we introduced the use case and talked about the Kerberos authentication part.
In the second post we talked about Role Based Access Control.
In the third post, we described how to propagate the authenticated user through a SAML token and also covered OWSM configuration in OSB and SOA.
In this post we talk about the client, how we actually submit a Kerberos token along with our request to OAG.
In the first post, we said (verbatim):
“Perhaps the most challenging part was the test client. Supporting Kerberos was a must. Our first and natural attempt was OAG’s API Explorer (formerly OEG Service Explorer). After numerous attempts, configuration changes everywhere, we came to the conclusion that it simply does not support the SPNEGO protocol properly. In summary, it seems that it doesn’t honor the second leg of the protocol, i.e., after receiving a “WWW-Authenticate: Negotiate” HTTP header in the response, it does not resubmit the request along with the Kerberos token. And we also did not find a way to bypass SPNEGO and submit the Kerberos token directly. The free version of SOAP UI also failed.
Fortunately, via Prasad’s blog post, we came to know a .Net-based tool called WCFStorm-lite, dead simple, that just works. However, another requirement for this exercise was to show test automation best practices. So the client tool should ideally have scripts capabilities, allowing for the client integration into an ANT build script, for example. WCFStorm-lite has some scripts capabilities, but we did not go any further in looking at them, because almost at the same time we got to know Apache CXF’s support for Kerberos.
That basically put an end to our research. What could be better than simply writing a piece of Java code? At the heart of Apache CXF’s framework are what they call interceptors, which are basically web services handlers. An inbound interceptor is attached to a web service and processes the message before service invocation. An outbound interceptor is attached to a web service proxy and processes the message as it leaves the client. An out-of-the-box Kerberos interceptor interfaces with the KDC, gets a Kerberos token and attaches it to the request before sending it out to the web service (in our use case, a web service exposed by OAG).”
Very well, let’s talk about how to configure a Kerberos Outbound Interceptor in Apache CXF.
Thursday, June 13, 2013
Part 3: Kerberos Authentication, RBAC and SAML identity propagation in OAG
This post is the third one of a series by Andre Correa and Paulo Pereira on OAG (Oracle API Gateway).
In the first post we introduced the use case and talked about the Kerberos authentication part.
In the second post we talked about Role Based Access Control.
In this one we describe how to build a SAML token out of the authenticated user and sign it so that it properly interoperates with an OWSM server-side policy applied to an OSB proxy service. We also cover the necessary OWSM configuration in OSB and SOA. As a reminder, a typical request in our exercise flows through OTD -> OAG -> OTD -> OSB -> OTD -> SOA -> Stub server, and we're required to keep the user identity all the way up to the Stub server.
Now we're specifically talking about the third policy in our overall circuit:
'Add SAML token policy' is as simple as:
We first add the SAML token (using the Insert SAML Authentication Assertion filter), then we sign it (using the XML Signature Generation filter). Let's look at each filter in detail.
Monday, June 3, 2013
OIM 11g R2 Performance Patch
Oracle has released a set of patches to address some performance issues in OIM 11g R2 self-service interface. Information about these patches is available in the following Oracle support note:
- Document 1557879.1 OIM 11gR2: Patches for Performance Issues Related to Self-service UI
Any customer who is running OIM or implementing OIM at this point should plan to apply the patches.
Just a reminder, the recommendation is always to start applying patches in lower environments: from DEV to PROD. Don't forget to validate the patches in one environment before proceeding to the next.