Extending Oracle SSO

Extending the Oracle Single Sign On (SSO) Server Kurt Van Meerbeeck AXI NV/BV [email_address] www.axi.be www.axi.nl session 389

Extending Oracle SSO Server
Who am i
Kurt Van Meerbeeck
Engineer in electronics
Working with Java since 1996 (jdk 1.0.2)
Working with Oracle products since 1997 (Oracle 7.3.x, OAS 3.0)
Currently work for AXI NV/BV
Oracle Partner in the Benelux area ( www.axi.be/www.axi.nl )
Oracle rdbms/ias
Author of DUDE
Data Unloader tool (www.ora600.be)
Member of the Oaktable Network
www.oaktable.net

Agenda
Case study – the challenge
Customer requirements
SSO – a small recap
Components
Workflow
SSO Plugins
Solution
LAN access
Internet access using OCA certificate
Internet access using eID passport
DIY federated authentication

Presenting the case
Insurance company
800 broker offices
3000 brokers
Backoffice application
Visual Basic
Citrix
Oracle RDBMS
All business logic in PLSQL

Presenting the case Database tier Citrix Farm COM+ servers Fax Brokers Backoffice App
Proposal processing via
FAX
Company A Company C

Presenting the case Database tier COM+ servers Private Network Portima Brokers Company A Company n Company B Broker App Broker App Broker App Broker App Third party app (PORTIMA) Authentication using Office ID & suboffice ID
Proposal processing via
3th party broker app

Presenting the case
Web-enable it !!!
Technology – Internet Application Server
Oracle Portal
Oracle Webforms
Using existing PLSQL packages – business logic

Presenting the case
3 options to connect
LAN Backoffice user INTERNET broker PORTIMA broker private network internet

Presenting the case
4 ways to authenticate
LAN Backoffice user
INTERNET
Broker
eID (certificate) + pincode
OCA digital certificate+password
PORTIMA broker private network (http) Internet (https) Username+password Office ID/Suboffice ID Portima Authentication server Map portima ID to oracle ID

The challenge
Multiple complex authentication schemes
using Belgian eID
only eID pin code required
automatic logon to IAS
authentication using certificates signed by OCA
SSO password required to logon to IAS
federated authentication
private network
brokers already authenticated with our partners SSO server
map partner identity to IAS SSO identity
automatic logon to IAS
internal LAN users
SSO username/password required
internet private LAN

The challenge
Other requirements (challenges)
only develop in PLSQL
Technology : Oracle Webforms & Portal
only java / signed jar files
eID
printing
custom multiple logon screens
Holding has multiple companies
Company Look & feel
PLSQL using OWA, UTL_HTTP, & Mod_plsql
custom PLSQL APIs (for use in webforms)
Oracle Certificate Authority (OCA) (integration with openSSL)
Single Sign On Server (SSO)
Identity Management (IM) instead of OIDDAS ( dbms_ldap )

Yeah well ... and I WANT A PORSCHE

Agenda
Components
Workflow
SSO Plugins
Solution
LAN access

A small recap
Oracle AS Components
Middle tiers
OHS – apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
Webcache
J2EE
Forms, Reports, Disco
Portal

A small recap
Oracle AS Components
Infrastructure
OHS – apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
OID – LDAP
J2EE
SSO server
OCA
Rdbms – portal, sso, oca and other configuration & meta data

Understanding the SSO Architectuur
Lots of moving parts
http redirects
SSO & Partner cookies
Token obfuscation
PLSQL API in case of Oracle Portal

SSO workflow – not yet authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
Apache virtual host
Make it a SSO partner app
register it
ptlconfig – portal
ossoreg.jar – mod_osso
mod_osso.conf
<location /app>
require valid-user
AuthType basic
</location>

SSO workflow – not yet authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com NameVirtualHost *:80 <VirtualHost *:80> ServerName my.company.com Port 80 # Include the configuration files # needed for mod_osso OssoConfigFile /OH/my_comp_osso.conf </VirtualHost> infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y> Partner cookie available ? SSO cookie ? -> Generate Redirect to logon page http://infra.axi.be/sso/jsp/login.jsp $OH/sso/policy.properties

HTTP POST
Username
Password
Site-token
Check credentials in LDAP/OID
If OK
Generate SSO cookie (SSO_ID)
Generate redirect to
http://my.company.com/osso_login_success?urlc=<sitetoken>
Generate Partner cookie Generate redirect to the original URL (sitetoken)

SSO workflow – already authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
Mod_osso intercepts URL
finds partner cookie on client
request continues ...

SSO workflow – already authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
Mod_osso intercepts URL
NO partner cookie on client
(there is one – but the cookie
Domain is .company.com)
http://my.other-company.com Redirect to infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
There’s already an SSO cookie (SSO_ID)
on the client – and my.other-company.com
is a partner app
Generate redirect to
http://my.other-company.com/osso_login_success?urlc=<sitetoken>
Mod_osso deobfuscates the site-token Redirects to original URL

SSO workflow - recap
Things to remember
Cookies
1 SSO cookie – infrastructure – shared
1 cookie / partner app (virtual host)
Site-token
Obfuscated in the beginning
De-obfuscated at the end
Lots of moving parts
Different technologies

SSO plugins
Out-of-the box
Default : username/password
supports X509 digital certificates
supports fallback authentication (but we don’t want that)
SSOX509CertAuth plugin
supports WNA
supports fallback authentication (but we don’t want that)
SSOKerbeAuth plugin
multilevel authentication (but we don’t need that)
<location x> requires username/password
<location y> requires digital certificate

SSO plugins
But we need more complex authentication
LAN: username/password
Private network : federated authentication
Internet : digital certificates/passwords & pincodes
SSO server allows custom plugins !

SSO plugins
Plugins mostly used for integrating
Third party authentication devices
(example RSA ClearThrust)
[ Bootstrap ID’s
[ Exchange ID tokens through HTTP
headers
[ Lookup the ID token and map it on
a Oracle SSO ID

SSO plugins – object model
Plugin can either
[ Extend SSOServerAuth class
- fallback authentication possible
[ Implement IPASAuthInterface interface
Plugin implements methods
[ authenticate(HttpServletRequest)
returns instance of IPASUserInfo
package oracle.security.sso.server.auth;
Read the user token from HTTP headers ;
No token found in HTTP headers ?
-> throw new IPASInsufficientCredException(“No EID header found)
-> fallback authentication : super.authenticate(httpservletrequest)
Decode the token to a SSO username ;
IPASUserInfo authUser = new IPASUserInfo(username);
Return authUser ; -> you’re authenticated !!!
Return new IPASUserInfo(“orcladmin”) ;
IPASAuthInterface SSOServerAuth Custom Plugin SSOX509CertAuth SSOKerbeAuth implements extends

Plugin implements methods
[ getUserCredentialPage
(HttpServletRequest,
String)
returns instance of URL
return super.getUserCredentialPage
(httpservletrequest, msg);

[ Compiling & enabling your plugin
Compiling
[ CLASSPATH : ipastoolkit.jar, servlet.jar,
ossocls.jar
[ Put it in the right place !
INFRA:$OH/j2ee/OC4J_SECURITY/
applications/sso/web/WEB-INF/lib
Enabling
[ INFRA:$OH/sso/conf/policy.properties
MediumSecurity_AuthPlugin = oracle.security.sso.server.auth. eIDSSOAuth
[ Restart SSO server
opmnctl restartproc process-type=OC4J_SECURITY

SSO plugins
SSO plugins
Authenticate users the way you want
Trust 3th party authentication
EID
PORTIMA authentication server
But it’s java
Deal with it

Agenda
Components
Workflow
SSO Plugins
Solution
LAN access

SSO custom logon screen INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB http://my.company.com apache J2ee OID LDAP PLSQL using OWA_UTIL $OH/sso/policy.properties http://infra.axi.be/pls/login_page Plsql Login_page What site do you want to enter ? ORASSO.WWSSO_UTL.unbake_site2pstore_token -> my.company.com Generate a different logon screen

SSO custom logon screen apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB J2ee OID LDAP Plsql Login_page
Submit credentials to plsql proxy
SSO cookie, http redirect, sitetoken are proxy’d
offloading functionality from SSO plugin to PLSQL
easier integration with reverse proxies
manipulate redirects/sitetokens (Vista)

SSO custom login
LAN users – check !
Internet brokers ?
PKI
LAN Backoffice user
INTERNET
Broker

Public Key Infrastructure
A few slides on PKI ...
PKI is a collection of
services,
protocols
and
standards
supporting
public key cryptography

Public Key Infrastructure
Certificate Authorities (CA)
Request/revoke/renw certificates
Registration Authorities (RA)
Verify identities
Online repositories
LDAP
Certificate Revocation List (CRL)
List with revoked certficates
Entities
Clients, servers, applications
Public key certificate (X509, PKCS#)

Public Key Infrastructure Chain of trust PKI equivalent Root CA Ex. GlobalSign, Verisign United Nations company CA Ex. AXI CA Belgium, Netherlands ... Registration Authority (RA) City hall, police office, court house
Digital Certificate
Signing
Authentication
Driver’s license Passport

Public Key Infrastructure Chain of trust Valid ? (CRL) Example of authenticatie United Nations US Belgium Me and my passport The nice officer at JFK And his passport

Public Key Infrastructure Chain of trust Valid ? (CRL) Example of authenticatie United Nations US Belgium Flanders region Walloon region If Belgium splits in the Flanders region and Walloon Region I will be screwed if the United Nations do not recognize them

Public Key Infrastructure - eID
Belgium
The Netherlands
Germany
Austria
Italy
Portugal
Estonia
eID emerging in europe
Smartcard passport
SPECIMEN

name
first 2 Christian names
first letter of third Christian name
nationality
place and date of birth
sex
place of issue
start and end dates of validity
card number
owner’s photograph
owner’s signature
National Register Number
From a visual point of view, the information shown will be the same as on the present identity card:

Public Key Infrastructure - eID From an electronic point of view, the data on the chip is the same as the information printed on the card, plus:
address
identity and signature keys
identity and signature certificate
Certificate Service Provider
security information (chip number, etc.)
Some information is protected by a pin code

SSO integration with PKI apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page Client certificate (OCA, eID) (private/public key in keystore) Root certificate Government CA Oracle CA Server Certificate Server Certificate Root Certificate Root Certificate SSL SSL

SSO integration with PKI – SSL terminator apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA

What kind of SSL terminator to choose ???
Juniper SSL/VPN 4000 Series
Recommend by the network partner
Should be easy to configure in PKI environment
It requires no low level http proxy/reverse proxy rules
Expensive license (per session)
Encryption of cookies – url masquerading
Threw it out because
It did not work with the combo Vista/Oracle Forms/JPI 1.5.x
Too high level configuration – no low level http manipulation possible
SSO integration had to be done using HTTP POSTs of the certificate subject to our PLSQL SSO proxy
Every switch to another partner app resulted in having to logon again ( ... Euh ... That’s not SSO)
SSO integration with PKI – SSL terminator

What kind of SSL terminator to choose ???
Blue Coat reverse proxy (RP)
SSO – lots of moving parts – made the network guys dizzy
6 different consultants in 6 days
Gave up on it ...
Blue Coat can probably do it ... Just find the right people
Apache2 based RP
On ubuntu linux/HA with mod_proxy/mod_proxy_html
Very low level http manipulation possible
Mod_ssl does not support OCSP
Managed to set it up in 2 days (incl clustering)
SSO integration with PKI – SSL terminator

SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA OCA Digital certificate My.company.com Login.company.com ProxyPass /forms/ http://MID.axi.be:7782/forms/ ProxyPass /osso_login_success http://MID.axi.be:7782/osso_login_success ProxyPass /login/ http://INFRA.axi.be:7780/ ProxyPassReverse /forms/ http://MID.axi.be:7782/ ProxyPassReverse /sso/ http://INFRA.axi.be:7780/ ProxyHTMLURLMap http://INFRA.axi.be:7780 /login <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e" </location>

SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA My.company.com Login.company.com Only need to enter SSO password Map certificate subject to SSO username

SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA OCA Digital certificate

SSO custom login
Internet brokers ?
OCA – check
EID?
LAN Backoffice user
INTERNET
Broker

SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA eID Digital certificate My.company.com Login.company.com ProxyPass /forms/ http://MID.axi.be:7782/forms/ ProxyPass /osso_login_success http://MID.axi.be:7782/osso_login_success ProxyPass /login/ http://INFRA.axi.be:7780/ ProxyPassReverse /forms/ http://MID.axi.be:7782/ ProxyPassReverse /sso/ http://INFRA.axi.be:7780/ ProxyHTMLURLMap http://INFRA.axi.be:7780 /login <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e" </location>

SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA eID Digital certificate My.company.com Login.company.com <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e" </location>

SSO custom login
Internet brokers ?
OCA – check
EID - check
LAN Backoffice user
INTERNET
Broker

DIY federated authentication - workflow Plsql Login_page apache Apache 2.x RP Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB J2ee OID LDAP Portima Authentication server My.private-company.com Login.private-company.com Officeid/suboffice password

DIY federated authentication - workflow Plsql Login_page apache Apache 2.x RP Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB J2ee OID LDAP Portima Authentication server My.private-company.com Login.private-company.com Officeid/suboffice password Replaced with SAML v2 Federated Authentication In 2008 (integrated with Oracle SSO)

Architecture HTTP/S HTTP CA LB (linux vips ldirector) INFRA MID CRL HTTP HTTP SSL/RP (apache2) RP (apache2)

Solved problem ... And more
Multiple authentication schemes
Depending on physical location
Automatic logon + identity bootstrapping
DIY Federated authentication
Access control
Ex. Internet broker is not allowed to logon via a LAN connection and/or vice versa
Must change password with first logon
Multi-language support in logon page
Integration with reverse proxies
Passing/generating extra http headers for logon logic
Detection of windows Vista
Manipulate http headers (eg Vista/IE bugs)
Manipulate sitetoken to redirect to other URL
Custom plugin download pages for forms/java plugin
Multiple logon screens for different apps
Based on unbaking the site token

Questions [email_address]

http://www.ora600.be	243
http://www.slideshare.net	49
http://knitinr.blogspot.com	48
http://www.ora600.org	2
http://knitinr.blogspot.in	2
http://knitinr.blogspot.de	1
http://knitinr.blogspot.se	1
http://webcache.googleusercontent.com	1
http://www.ora600.net	1
http://74.125.95.132	1
http://knitinr.blogspot.co.uk	1

Extending Oracle SSO

by kurtvm on Dec 28, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

11 Embeds 350

Statistics

Extending Oracle SSO — Presentation Transcript