Which Single Sign-On? August 21, 2008
Posted by Manpreet Johal in Identity Management. Tags: Oracle Access Manager, Oracle Enterprise Single Sign-On, Oracle Identity Management, OracleAS SSO
In this post I discuss the current Single Sign-On products Oracle offers as part of the Oracle Identity Management (IDM) Suite, plus OracleAS Single Sign-On.
The IDM Suite comprises more than a dozen products covering end-to-end lifecycle management of user identities. Two of them provide Single Sign-On functionality, one for web application resources and one for desktop application resources:
Oracle Access Manager (OAM): an identity management solution for web applications (legacy and custom) and for user identity administration. OAM secures applications by providing centralized authentication, authorization and auditing, enabling single sign-on across enterprise web applications. It also provides delegated administration and self-registration with approval workflows.
OAM can use any LDAP-based directory as its backend repository to store policy, configuration, workflow, user, group and organization data.
OAM supports the following authentication methods:
- Basic Username/Password
- X.509 Certificates
- Smart cards
- Two Factor Tokens
- Form-based
- Custom authentication via Authentication APIs
Oracle Enterprise Single Sign-On Suite: Oracle Enterprise Single Sign-On (eSSO) provides single sign-on for all enterprise applications, i.e. web-based, client-server and legacy applications. Users can rely on eSSO whether they are connected to the corporate network, travelling, or roaming between workstations. Oracle eSSO uses any LDAP directory or any SQL database as its user profile and credential repository. It accepts the Windows logon as the primary authentication, acts as a password manager, and supports multiple (n-level) authentication.
So where does OracleAS Single Sign-On fit into the current identity management offering, and when can I not use OracleAS Single Sign-On?
OracleAS Single Sign-On is a single sign-on solution available for Oracle Application Server 10g applications e.g. Portal, Discoverer, Forms, Reports etc. It also provides Single Sign-On functionality for Oracle Applications 11i/R12.
OracleAS Single Sign-On (SSO) has a few limitations compared with OAM and eSSO:
- It needs Oracle Internet Directory as its authentication and authorization source, whereas OAM and eSSO can use any LDAP-based directory as their backend repository.
- OracleAS SSO cannot talk directly to any other directory service, e.g. Active Directory or Sun LDAP. To use one, Oracle Internet Directory has to be integrated with the third-party directory (synchronization, or the external authentication plug-in), which means customers end up with one more directory service as part of the solution even when they don't need it.
- It has limited auditing capabilities.
- OracleAS SSO offers a Windows Native Authentication (WNA) option, which lets Windows users log in seamlessly to OracleAS SSO applications (e.g. Portal, Oracle Applications 11i/R12) once they have logged into the Windows domain. However, this gives single sign-on only for applications integrated with OracleAS SSO, whereas Oracle eSSO provides single sign-on for the majority of web and desktop applications running on the user's desktop, with minimal deployment effort.
To summarize: customers should use Oracle Access Manager for single sign-on to web applications, and Oracle Enterprise Single Sign-On Suite for single sign-on to desktop plus web applications.
Stay tuned for more discussion on Oracle Identity and Access Management technologies and deployment scenarios.
Extending Oracle Identity Management to OS Users at Linux November 4, 2007
Posted by Manpreet Johal in Identity Management.
Oracle has added another component to the Identity Management umbrella: Oracle Authentication Services for Linux.
Oracle has released a preview of Oracle Authentication Services for Linux, which enables cross-platform storage, management and authentication of users using open standards, with simplified deployment. The component is part of the Oracle Identity Management platform and inherits its underlying auditing and security features.
It consists of the following major components:
- Pluggable Authentication Module (PAM): the standard OS mechanism, available on most Linux and Unix-based systems, for plugging in external authentication. The package ships pre-configured settings, which can be customized, to avoid errors during installation.
- Oracle Internet Directory (OID): LDAP v3 directory server that leverages the security, scalability, and reliability of Oracle Database 10g to store users, groups, roles, and entitlements.
- Automation: tools that configure both the PAM and OID components, simplify user migration, and ensure strong default security between the network endpoints.
Connectivity between the Linux systems and Oracle Internet Directory uses SSL sessions. Since PAM authenticates a user by binding to the directory with that user's password, the SSL session is what keeps the password from crossing the network in the clear. Beyond basic authentication, the integration ensures that existing user management tools and password change functionality keep working against the centralized directory, while password policy management and auditing of account changes are centralized at the same time.
Moreover, the preview release is free and can be downloaded from OTN.
The preview download contains:
- Oracle Internet Directory 10.1.4.2 RPM packaged for Linux; it requires a prior download of Oracle Database 10g Express Edition for Linux.
- Automation scripts for client-side PAM configuration.
To migrate existing users and groups defined at the OS level, you need to extract the existing information into LDIF (LDAP Data Interchange Format) files using one of the free/open source scripts and tools available for that purpose; e.g. passwd, shadow and group information can be migrated with the tools at http://www.padl.com/OSS/MigrationTools.html
As of Preview 2, Oracle Authentication Services for Linux also supports Active Directory via the Oracle Internet Directory component: by configuring the External Authentication Plug-in shipped with OID, Linux users can be authenticated against Active Directory.
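As an added example (not part of the original post, and not the PADL migration tools it links to), the following POSIX shell functions show what such a migration produces: they turn /etc/passwd- and /etc/group-style lines into LDIF posixAccount and posixGroup entries that an LDAPv3 server can load. The function names, the dc=mycompany,dc=com base DN, the ou=People / ou=Group layout, the UID cutoff of 500 and the sample lines are all assumptions made for this example; password hashes from /etc/shadow are deliberately not handled here.

```shell
#!/bin/sh
# Added example, not the post's own code: convert passwd/group lines to LDIF.
# Assumptions: base DN and the ou=People / ou=Group layout are conventions
# chosen here; the target directory must offer the posixAccount/posixGroup schema.

# Usage: passwd_to_ldif <base-dn> [min-uid]  < passwd-lines
# Emits one posixAccount entry per user; accounts with uid below min-uid
# (default 500, i.e. root and system accounts) and malformed lines are skipped.
passwd_to_ldif() {
    awk -F: -v base="$1" -v minuid="${2:-500}" '
        NF != 7 { next }                     # not a valid passwd line
        $3 + 0 < minuid { next }             # system account: leave it on the box
        {
            gn = $5; sub(/,.*/, "", gn)      # GECOS: keep only the full-name field
            if (gn == "") gn = $1
            sn = gn; sub(/.* /, "", sn)      # person requires sn: use the last word
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "objectClass: top\nobjectClass: person\nobjectClass: posixAccount\n"
            printf "uid: %s\ncn: %s\nsn: %s\n", $1, gn, sn
            printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
            printf "homeDirectory: %s\nloginShell: %s\n\n", $6, $7
        }'
}

# Usage: group_to_ldif <base-dn>  < group-lines
group_to_ldif() {
    awk -F: -v base="$1" '
        NF != 4 { next }                     # not a valid group line
        {
            printf "dn: cn=%s,ou=Group,%s\n", $1, base
            printf "objectClass: top\nobjectClass: posixGroup\n"
            printf "cn: %s\ngidNumber: %s\n", $1, $3
            n = split($4, m, ",")            # member list may be empty
            for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
            printf "\n"
        }'
}

# Constructed sample input (not real accounts); "x" stands for the shadowed hash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jdoe:x:501:501:John Doe,,,:/home/jdoe:/bin/bash
svc:x:502:502::/home/svc:/bin/sh'
SAMPLE_GROUP='wheel:x:10:
devs:x:501:jdoe,svc'

BASE_DN='dc=mycompany,dc=com'   # assumed realm DN; use your own directory's

# Load the result with e.g. OpenLDAP's ldapadd:
#   ldapadd -H ldaps://oidhost -D cn=orcladmin -W -f users.ldif
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif "$BASE_DN"
printf '%s\n' "$SAMPLE_GROUP"  | group_to_ldif  "$BASE_DN"
```

Run it against real files with `passwd_to_ldif "$BASE_DN" < /etc/passwd > users.ldif`; the UID cutoff is what keeps root and daemon accounts local, which is the default you want when the directory becomes the login source for every host.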
More Information: http://www.oracle.com/technology/products/oid/oracleauthenticationservices.html
Configuring Reverse Proxy in front of OracleAS 10g SSO January 17, 2007
Posted by Manpreet Johal in Identity Management, Oracle Application Server.
The OracleAS 10g Middle-Tier talks to OracleAS 10g Single Sign-On (a component of the OracleAS Infrastructure), which authenticates OracleAS application users against an LDAP directory store, i.e. Oracle Internet Directory.
The OracleAS Infrastructure includes an Oracle HTTP Server, which acts as the web listener for Single Sign-On and Delegated Administration Services. Whenever an end user accesses an SSO-protected URL (an OracleAS Middle-Tier application such as Portal or Wireless), the request is redirected to OracleAS SSO, which serves the login page via that Oracle HTTP Server. The end user therefore sees an SSO login page whose URL names the Oracle HTTP Server running on the OracleAS Infrastructure node.
Sometimes the business wants the OracleAS Infrastructure host name and port hidden for security reasons. That is where a reverse proxy comes into the picture: end users as well as OracleAS Middle-Tier applications talk to the reverse proxy URL and port, and the proxy fetches the content from the OracleAS Infrastructure and serves the request.
This narrows what is visible: end users and applications know only the reverse proxy URL and port, not the original OracleAS Infrastructure URL. Keep in mind that this is exposure reduction, not access control. Because the proxy forwards everything under /, the whole Infrastructure web tier (SSO, DAS) becomes reachable at the proxy address, so any firewall rules or URL restrictions you relied on at the Infrastructure listener must be applied at the proxy as well.
So, let us configure a reverse proxy in front of the OracleAS Infrastructure. I have used Oracle HTTP Server Standalone 10.1.2 (based on Apache 2.0, from the OracleAS 10g 10.1.2.0.2 Companion CD) as the reverse proxy. Assume that my OracleAS 10g 10.1.2.0.2 Portal and Wireless installation is functional, with the Infrastructure on a separate node:
OracleAS Infrastructure Services Node:
URL: http://infra.mycompany.com:7777/
OS User: oracle
Node: infra
OracleAS Middle-Tier Services Node:
URL: http://portal.mycompany.com:7777/
OS User: oracle
Node: portal
Oracle HTTP Server (Reverse Proxy) Node:
URL: http://proxy.mycompany.com:7777/
OS User: oracle
Node: proxy
Install Oracle HTTP Server Standalone 10.1.2 on node proxy. During installation, choose Web Services 10.1.2.0.0 as the Product and Oracle HTTP Server (based on Apache 2.0) as the Installation Type. After installation, OHS Standalone is functional at http://proxy.mycompany.com:7777
1. Navigate to the OHS Standalone Home/ohs/conf directory and edit httpd.conf to add the following directives in their respective sections. The <Proxy *> container tags were lost when the post was rendered and are restored here. ProxyRequests Off is what keeps this a reverse proxy: with it, "Allow from all" inside <Proxy *> only lets clients reach the ProxyPass targets and does not open a forward proxy. mod_proxy_connect only serves the CONNECT method, which a reverse proxy never uses, so that LoadModule line is harmless but not needed.

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://infra.mycompany.com:7777/
    ProxyPassReverse / http://infra.mycompany.com:7777/

2. Restart OHS.
At this stage Oracle HTTP Server Standalone is functional as a reverse proxy.
Now let us make the changes at the OracleAS Infrastructure tier.
1. Navigate to the $ORACLE_HOME/Apache/Apache/conf directory.
2. Edit httpd.conf and set the following directives to these values:

    KeepAlive off
    ServerName proxy.mycompany.com
    Port 7777

3. Add a VirtualHost container at the end of httpd.conf. The container tags were lost in the original rendering; the address *:7777 used here is an assumption, matching the Port directive set above:

    <VirtualHost *:7777>
        RewriteEngine On
        RewriteOptions inherit
    </VirtualHost>

4. Save httpd.conf, and update the DCM repository:

    $ dcmctl updateconfig -ct ohs -v -d

5. Change the SSO Server Home URL to the reverse proxy hostname and port:

    $ORACLE_HOME/sso/bin/ssocfg.sh http proxy.mycompany.com 7777

6. Re-register mod_osso on the SSO middle-tier with the reverse proxy hostname and port:

    $ORACLE_HOME/sso/bin/ssoreg.sh \
        -oracle_home_path $ORACLE_HOME \
        -site_name inf1012.infra.mycompany.com \
        -config_mod_osso TRUE \
        -mod_osso_url http://proxy.mycompany.com:7777

7. Log in to OID using oidadmin, and change the orcldasurlbase attribute (location: Entry Management -> cn=OracleContext -> cn=Products -> cn=DAS -> cn=OperationURLs) to the reverse proxy hostname and port, i.e. http://proxy.mycompany.com:7777
8. Update the DCM repository:

    $ dcmctl updateconfig -ct ohs -v -d

9. Restart OC4J_Security and Oracle HTTP Server at the Infrastructure tier:

    $ opmnctl restartproc process-type=HTTP_Server
    $ opmnctl restartproc process-type=OC4J_Security

10. Verify by accessing the DAS and SSO home pages through the reverse proxy hostname and port:
SSO Home URL: http://proxy.mycompany.com:7777/pls/orasso
DAS URL: http://proxy.mycompany.com:7777/oiddas
11. Validate that the login and logout URLs contain the reverse proxy hostname and port only.
Now, let us re-configure the OracleAS Middle-Tier to work with the reverse proxy.
1. Re-register mod_osso at the middle-tier (note the middle-tier home is passed as -oracle_home_path; the partner application itself stays at its own host and port):

    $MID_ORACLE_HOME/sso/bin/ssoreg.sh \
        -site_name mid1012.portal.mycompany.com \
        -mod_osso_url http://portal.mycompany.com:7777 \
        -config_mod_osso TRUE \
        -oracle_home_path $MID_ORACLE_HOME \
        -admin_info cn=orcladmin

2. Re-register Portal with the SSO Server. The -pw value is the Portal schema password, which you need to retrieve before running this command:

    $ ptlconfig -dad portal -pw <portal_schema_password> -sso -host portal.mycompany.com -port 7777

3. Clear the Portal cache:
a. Stop all the middle-tier processes
b. Delete the content of following directories at Middle-Tier Home:
$ORACLE_HOME/Apache/modplsql/cache/plsql
$ORACLE_HOME/Apache/modplsql/cache/session
c. Start the middle-tier processes
d. Login to Portal as admin user, and navigate to Administration tab.
e. Click Global Settings link, and click on Cache tab.
f. Scroll down and select the checkbox Clear the entire Web Cache.
g. Click Apply, and then OK.
4. Refresh the cached OID parameters in Portal:
a. Log in to Portal as the admin user, and navigate to the Administration tab.
b. Click the Global Settings link, and then the SSO/OID tab.
c. Scroll down and select the checkbox Refresh Cache for OID Parameters.
d. Click Apply.
e. Verify that the DAS Host Name parameter in the Cache for OID Parameters section shows the reverse proxy hostname and port.
5. Validate the Portal Logout link. It should contain the reverse proxy hostname and port.
This completes our setup of a reverse proxy in front of the OracleAS Infrastructure Services.
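The two validation steps above (step 11 on the Infrastructure tier and step 5 on the middle-tier) come down to one question: does any response in the login/logout flow still name a host other than the proxy? As an added example (not part of the original post), here is a POSIX shell check for that. The function names are made up for this example, and the two HTTP responses are constructed samples; in practice you would capture them with curl -si against the proxy URL.

```shell
#!/bin/sh
# Added example, not the post's own code: check a captured SSO login/logout
# response for host:port values other than the reverse proxy front-end.
# Capture real responses with e.g.: curl -si http://proxy.mycompany.com:7777/pls/orasso

# Print every distinct host[:port] named in an absolute http(s) URL on stdin
# (Location headers, form actions, hrefs), minus the allowed front-end.
# Args: $1 = allowed host:port, e.g. proxy.mycompany.com:7777
leaked_hosts() {
    allowed=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    grep -oiE 'https?://[A-Za-z0-9.-]+(:[0-9]+)?' \
    | sed -E 's#^[^/]*//##' \
    | tr 'A-Z' 'a-z' \
    | sort -u \
    | grep -vxF "$allowed" || true      # grep -v exits 1 when nothing leaks
}

# Exit status 0 when only the front-end is referenced, 1 (with a report on
# stderr) when an internal host such as the Infrastructure node is exposed.
check_sso_urls() {
    leaks=$(leaked_hosts "$1")
    if [ -n "$leaks" ]; then
        printf 'leaked internal host(s):\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

FRONT_END='proxy.mycompany.com:7777'

# Constructed sample: a correct redirect, everything points at the proxy.
GOOD_RESPONSE='HTTP/1.1 302 Found
Location: http://proxy.mycompany.com:7777/pls/orasso
Content-Type: text/html

<html><body><a href="http://proxy.mycompany.com:7777/oiddas">DAS</a></body></html>'

# Constructed sample: the form still posts to the Infrastructure node, which is
# what you see when ssocfg.sh or orcldasurlbase was not updated.
BAD_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html

<html><body><form action="http://infra.mycompany.com:7777/pls/orasso"></form>
<a href="http://proxy.mycompany.com:7777/oiddas">DAS</a></body></html>'

printf '%s\n' "$GOOD_RESPONSE" | check_sso_urls "$FRONT_END" && echo 'good response: clean'
printf '%s\n' "$BAD_RESPONSE"  | check_sso_urls "$FRONT_END" || echo 'bad response: leak detected'
```

Feed it every hop of a real login and logout (each redirect, the login form, the post-logout page); a single leaked infra.mycompany.com:7777 is enough to send the browser around the proxy, which defeats the point of the setup.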
Put Infrastructure In Place December 15, 2006
Posted by Manpreet Johal in Identity Management, Oracle Application Server.
OracleAS Infrastructure Services, a logical component of Oracle Application Server 10g, provides security services for OracleAS Middle-Tier applications as well as for external applications integrated with it. OracleAS Infrastructure has evolved to the point where it can be deployed alongside other identity management products such as Microsoft AD and SunONE Directory Server.
It can be broken down into two sub-components:
- Oracle Identity Management: a group of applications providing authentication, authorization, policy definition, policy enforcement and entity lifecycle management for integrated applications, e.g. OracleAS Portal, Oracle Database, E-Business Suite, Oracle Collaboration Suite, and third-party applications.
A brief description of the Identity Management components:
o Oracle HTTP Server: provides the web interface for Infrastructure Services such as Delegated Administration Service and Single Sign-On. OHS is based on Apache 1.3.31. This is not the standard Apache available from http://www.apache.org/; it contains Oracle's extensions to standard Apache.
o Oracle Internet Directory: at the core of the Oracle IDM Infrastructure, an LDAPv3 directory service providing an LDAP interface for storing and retrieving application configuration data. It stores information about users, groups, network configurations, databases, OracleAS products, access control lists, etc. All of that lives in an Oracle Database known as the OracleAS Metadata Repository; in other words, Oracle Internet Directory is an application running on Oracle Database.
o Oracle Delegated Administration Service: a web-based self-service console to define users, groups, realms, and configuration entries for custom object classes. In other words, a web interface for managing the user data stored in Oracle Internet Directory.
o Directory Integration: A very useful component of IDM stack. Using this you can integrate your Oracle Internet Directory with 3rd Party Directory Services like Microsoft AD, SunONE Directory etc. You can push data from OID to other directories as well as pull data from them.
o Oracle Directory Integration Provisioning Service: along with its counterpart Directory Integration, the DIP service extends the integration capabilities. DIP is what you use, for example, to integrate Oracle E-Business Suite with Oracle Internet Directory for synchronization of user data.
o OracleAS Single Sign-On: A gateway to OracleAS Identity Management for web-applications. It protects the web resources of Oracle Application Server like Portal, Delegated Administration Service (Partner Applications) and third-party applications like Yahoo Mail (External Applications)
o Oracle Certificate Authority: a component to generate X.509v3 certificates for OracleAS.
- Oracle Metadata Repository: contains the OracleAS configuration data, stored in Oracle Database 10g. Along with configuration data, the OracleAS component schemas also reside in the Metadata Repository, although they can be installed in another database provided it has been prepared with the Metadata Repository Creation Assistant. By default, the Portal schemas are installed in the Metadata Repository.
During installation of the OracleAS Infrastructure, the Metadata Repository is installed in an Oracle Database 10g, which the OracleAS components use. To store data for custom applications, you must use a separate database, known as the Customer Database; this gives more granular control over both databases.
OracleAS Infrastructure Services can be deployed independently of the OracleAS Middle-Tier, i.e. there is no need to deploy the complete Oracle Application Server. Oracle Internet Directory can be deployed on its own to centralize the storage of application users and groups, and Single Sign-On can be used alongside it to protect web resources using that same centralized user and group information.
In the past, Oracle has made a couple of acquisitions that have really extended its Identity Management offering and solutions.
My focus is to first explain the base Oracle Application Server product, followed by advanced topics, integration, and extensions.
Coming Up Next:
OracleAS Middle-Tier Services
