OpenAM can be a valid alternative in an Oracle stack. It can tie together Oracle 9i/10g OSSO-based midtiers with newer 11g WLS Fusion application tiers, and even add SAML-based authentication.
2. ITStrategic BIO
Who am I
Kurt Van Meerbeeck
Engineer in electronics
Working with Java since 1996 (jdk 1.0.2)
Working with Oracle products since 1997 (Oracle 7.3.x, OAS 3.0)
Currently work for AXI NV/BV
Oracle Partner in the Benelux area (www.axi.be/www.axi.nl)
Oracle rdbms/ias
Author of DUDE
Data Unloader tool (www.ora600.be)
Member of the Oaktable Network
www.oaktable.net
3. ITStrategic A little bit of history
Internet Application Server 9i
Internet Application Server 10g
Fusion Middleware 11g / WLS
5. ITStrategic ORACLE IAS 10g
[ Oracle AS Components
[ Infrastructure
[ OHS – apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
[ OID – LDAP
[ J2EE
[ SSO server
[ OCA
[ Rdbms – portal, sso, oca and other configuration & meta data
6. ITStrategic OSSO Workflow – not yet authenticated
[Diagram: browser -> http://my.company.com on MID.axi.be (Apache with mod_osso, mod_oc4j, mod_plsql; J2EE) and INFRA.axi.be (Apache, J2EE, oc4j_security, mod_osso, mod_oc4j, mod_plsql, OCA, OID/LDAP, IASDB)]
Apache virtual host
- Make it a SSO partner app
- register it
- ptlconfig – portal
- ossoreg.jar – mod_osso
- mod_osso.conf
  <location /app>
  require valid-user
  AuthType basic
  </location>
7. ITStrategic OSSO Workflow – not yet authenticated
[Diagram: same MID.axi.be / INFRA.axi.be tiers as slide 6]
Partner cookie available ?
If not, mod_osso redirects the browser to the SSO server:
infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
NameVirtualHost *:80
<VirtualHost *:80>
ServerName my.company.com
Port 80
# Include the configuration files
# needed for mod_osso
OssoConfigFile /OH/my_comp_osso.conf
</VirtualHost>
SSO cookie ?
-> Generate Redirect to logon page
http://infra.axi.be/sso/jsp/login.jsp
$OH/sso/policy.properties
8. ITStrategic OSSO Workflow – not yet authenticated
[Diagram: same MID.axi.be / INFRA.axi.be tiers as slide 6; the browser is now on the SSO server login page]
9. ITStrategic OSSO Workflow – not yet authenticated
[Diagram: same MID.axi.be / INFRA.axi.be tiers as slide 6]
HTTP POST to the SSO server
- Username
- Password
- Site-token (sitetoken)
SSO server: check credentials in LDAP/OID
If OK
- Generate SSO cookie (SSO_ID)
- Generate redirect to http://my.company.com/osso_login_success?urlc=<sitetoken>
Partner app (mod_osso)
- Generate Partner cookie
- Generate redirect to the original URL
10. ITStrategic OSSO Workflow – not yet authenticated
[Diagram: same MID.axi.be / INFRA.axi.be tiers as slide 6]
SSO server authentication classes
- IPASAuthInterface
- SSOServerAuth implements IPASAuthInterface
- SSOX509CertAuth, SSOKerbeAuth and a Custom Auth Plugin extend SSOServerAuth
Important for integration
- Custom plugins by subclassing OSSO server
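To make the redirect dance of slides 6 to 10 concrete, here is an added Python model of it. It is not Oracle's mod_osso or SSO server code and not part of this deck: the cookie names, the urlc token format (an HMAC-signed JSON claim set under a per-partner key, standing in for the registration done with ossoreg.jar) and all class and function names are assumptions for the demo. It shows why the partner app must check the signature, the partner binding and the expiry of the urlc before minting its own cookie, and that a second partner app lets the user through on the SSO cookie alone.

```python
import base64, hashlib, hmac, json, secrets, time


def _sign(key: bytes, claims: dict) -> str:
    """urlc stand-in: base64(JSON claims).hex(HMAC-SHA256) under the partner's key."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}"


def _verify(key: bytes, token: str):
    """Return the claims only if the MAC matches this partner's key, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(expected, mac):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class SsoServer:
    """Plays INFRA.axi.be: owns the SSO cookie (SSO_ID) and checks credentials."""

    def __init__(self, users, partner_keys):
        self.users = users                # {username: password}, stand-in for OID
        self.partner_keys = partner_keys  # {partner host: key}, stand-in for ossoreg
        self.sessions = {}                # SSO_ID cookie value -> username

    def ls_login(self, site_token, sso_cookie=None):
        """Slide 7, 'SSO cookie ?': a live SSO cookie skips the login page."""
        user = self.sessions.get(sso_cookie)
        if user is None:
            return {"action": "login.jsp"}
        return self._redirect_back(user, site_token, sso_cookie)

    def post_login(self, username, password, site_token):
        """Slide 9: the HTTP POST of username, password and site token."""
        stored = self.users.get(username, "").encode()
        if not hmac.compare_digest(stored, password.encode()):
            return {"action": "login.jsp"}
        sso_id = secrets.token_urlsafe(16)
        self.sessions[sso_id] = username
        return self._redirect_back(username, site_token, sso_id)

    def _redirect_back(self, user, site_token, sso_id):
        partner, url = site_token["partner"], site_token["url"]
        urlc = _sign(self.partner_keys[partner],
                     {"user": user, "partner": partner, "url": url, "exp": time.time() + 60})
        return {"action": "redirect", "set_sso_cookie": sso_id,
                "location": f"http://{partner}/osso_login_success?urlc={urlc}"}


class PartnerApp:
    """Plays mod_osso on MID.axi.be for one protected virtual host."""

    def __init__(self, host, key):
        self.host, self.key = host, key
        self.partner_cookies = {}         # partner cookie value -> username

    def get(self, path, partner_cookie=None):
        """Slide 7, 'Partner cookie available ?'"""
        user = self.partner_cookies.get(partner_cookie)
        if user:
            return {"status": 200, "user": user}
        return {"status": 302, "site_token": {"partner": self.host, "url": f"http://{self.host}{path}"}}

    def osso_login_success(self, urlc):
        """Mint a partner cookie only for a urlc signed for this partner and not expired."""
        claims = _verify(self.key, urlc)
        if claims is None or claims["partner"] != self.host or claims["exp"] < time.time():
            return {"status": 403}
        cookie = secrets.token_urlsafe(16)
        self.partner_cookies[cookie] = claims["user"]
        return {"status": 302, "location": claims["url"], "set_partner_cookie": cookie}


def browse(app, path, sso, jar, credentials=None):
    """Drive one browser request through the dance; jar is the browser's cookie jar."""
    resp = app.get(path, jar.get(app.host))
    if resp["status"] == 200:
        return ["partner-cookie"], resp["user"]
    hops = ["redirect-to-sso"]
    r = sso.ls_login(resp["site_token"], jar.get("sso"))
    if r["action"] == "login.jsp":
        hops.append("login-form")
        if credentials is None:
            return hops, None
        r = sso.post_login(*credentials, resp["site_token"])
        if r["action"] == "login.jsp":
            return hops, None
    jar["sso"] = r["set_sso_cookie"]
    hops.append("osso_login_success")
    final = app.osso_login_success(r["location"].split("urlc=", 1)[1])
    if final["status"] != 302:
        return hops + ["rejected"], None
    jar[app.host] = final["set_partner_cookie"]
    return hops + ["back-to-original-url"], app.get(path, jar[app.host])["user"]


def run_demo():
    """Constructed users and partner keys; returns the observable outcome of each request."""
    sso = SsoServer({"jdoe": "s3cret"}, {"my.company.com": b"key-a", "portal.company.com": b"key-b"})
    app_a, app_b, jar = PartnerApp("my.company.com", b"key-a"), PartnerApp("portal.company.com", b"key-b"), {}
    first = browse(app_a, "/app", sso, jar, ("jdoe", "s3cret"))
    second = browse(app_b, "/portal", sso, jar)   # SSO cookie only, no password asked
    third = browse(app_a, "/app", sso, jar)       # partner cookie only, SSO server not contacted
    # A urlc minted for app A must be refused by app B (different key, different partner).
    urlc_for_a = sso._redirect_back("jdoe", app_a.get("/app")["site_token"], "x")["location"].split("urlc=", 1)[1]
    return {"first": first, "second": second, "third": third,
            "replay_status": app_b.osso_login_success(urlc_for_a)["status"],
            "bad_password_user": browse(app_a, "/app", sso, {}, ("jdoe", "wrong"))[1]}
```

The point to take from the model is the division of trust: the SSO server never sees partner cookies, the partner never sees passwords, and the only thing crossing between them is a short-lived token bound to one partner, which is why its signature, audience and expiry checks are the part that must not be skipped.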
11. ITStrategic ORACLE 11g FUSION / WEBLOGIC
[ Problem
[ No infrastructure tier
[ No SSO/OID/WNA
12. ITStrategic ORACLE 11g FUSION / WEBLOGIC
[ Premier Support for Oracle Single Sign-On 10gR3 ends on December 31, 2011
[ Limited Extended Support for Oracle Single Sign-On from January 2012 through December 2012
[ It is strongly recommended that you use this additional time to integrate your single sign-on deployment with Oracle Access Manager
13. ITStrategic ORACLE 11g FUSION / WEBLOGIC
Extra licenses and server
[ Oracle Access Manager
[ Oracle Weblogic Server
[ Directory Services Plus
16. ITStrategic Introducing OpenAM
[ Open Source alternative
[ OpenAM (ForgeRock)
[ Based on SUN’s OpenSSO
- open sourced before Oracle acquisition
- most of OpenSSO team quit and started ForgeRock
[ Makes use of OpenDJ (based on Sun’s OpenDS) for data store
17. ITStrategic Concept
[ Concept for most access managers is the same
Access Manager Server   ID store LDAP   AM Agent        Web/App Server      DB
OSSO                    OID             mod_osso        Apache 1.3, OC4J    –
OpenAM                  OpenDJ          Policy Agent    –                   –
[ So the work is mostly the same – complex
[ But not the license costs !
[ And the platform support and features !
23. ITStrategic Use Case
[ User Case - requirements
- integrate with legacy IAS/OSSO
- Portal 10g
- Forms 10g
- OC4J
- OBIEE 10g
- integrate with Forms 11g (FMW/WLS)
- special case as Forms *needs* OID
- integrate with OBIEE 11g (FMW/WLS)
- integrate with J2EE apps (FMW/WLS)
- integrate apps in the cloud using SAMLv2
24. ITStrategic Use Case
[Diagram: AXI Linux server (cluster) running OpenAM and OpenDJ on a Tomcat J2EE server, with a custom OSSO plugin and a custom policy plugin; OSSO-OpenAM integration with the Oracle SSO server; LDAP sync between OpenDJ and the Oracle 10g Infrastructure]
Legacy environment – Oracle 10g Infrastructure and Oracle 10g Midtiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g): SSO using Oracle SSO server
New environment – Oracle 11g Weblogic (Forms 11g, J2EE, OBIEE 11g): SSO using OpenAM Policy agents (J2EE Policy agent)
LAMP in the cloud (SAMLv2 Service Provider): SSO using SAMLv2
33. ITStrategic Integration Forms 11g
[ Forms is *SPECIAL*
- It will check the version of OID in SSO mode !
- What if you want to get rid of OID ???
Osso-user-dn
Osso-subscriber-dn
Extra LDAP queries
[ RAD’s
[ Root DSE orcldirectoryversion
34. ITStrategic Integration Forms 11g
[ Forms is *SPECIAL*
- Forms 11g can be plugged into an OID LDAP
- What if we could mimic OID using OpenDJ
1. Recreate OID LDAP schema in OpenDJ (ldapsearch)
2. Add orcldirectoryversion to OpenDJ root DSE
3. Plugin Forms11g into OpenDJ !!!
35. ITStrategic Integration Forms 11g
[ Forms is *SPECIAL*
but can make use of OpenAM/OpenDJ without OID
Osso-user-dn
Osso-subscriber-dn
Extra LDAP queries
[ RAD’s
[ Root DSE orcldirectoryversion
40. ITStrategic Integration cloud applications
[ OpenAM supports SAMLv2 (and WS-Fed 1.1) and can act as IdP
- Agentless WEB SSO
- Cross-domain / cross-platform / cross-organisation
- Passive – all communication through user browser
- http post/redirect
- Provide the app (Service Provider) with all needed info through SAML
assertions (attributes)
- displayName
- Email
- Application roles & rights
- Custom attribute mapper using jdbc
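The attribute passing described on this slide, as an added example that is not OpenAM or AXI code: a minimal SAML 2.0 assertion carrying displayName, email and roles attributes, and the checks a Service Provider applies before trusting any of them. The entity ids, the dict that stands in for the JDBC attribute source, and the function names are assumptions for the demo; a real assertion is also XML-signed, which this toy omits, so here the IdP side is the attribute statement only.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

# Constructed identities; placeholders, not real entities.
IDP, SP = "https://idp.example.invalid", "https://app.example.invalid/sp"
DIRECTORY = {"jdoe": {"name": "Jane Doe", "email": "jdoe@example.invalid", "roles": ["customer", "admin"]}}


def _tag(name):
    return f"{{{SAML}}}{name}"


def map_attributes(username, source):
    """Stand-in for the slide's 'custom attribute mapper using jdbc': a dict replaces the JDBC lookup."""
    row = source[username]
    return {"displayName": [row["name"]], "email": [row["email"]], "roles": row["roles"]}


def build_assertion(issuer, audience, subject, attrs, issued, lifetime=300):
    """IdP side: assertion restricted to one audience and a short validity window."""
    a = ET.Element(_tag("Assertion"), {"Version": "2.0", "IssueInstant": issued.isoformat()})
    ET.SubElement(a, _tag("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, _tag("Subject")), _tag("NameID")).text = subject
    cond = ET.SubElement(a, _tag("Conditions"), {
        "NotBefore": issued.isoformat(),
        "NotOnOrAfter": (issued + dt.timedelta(seconds=lifetime)).isoformat()})
    ET.SubElement(ET.SubElement(cond, _tag("AudienceRestriction")), _tag("Audience")).text = audience
    stmt = ET.SubElement(a, _tag("AttributeStatement"))
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, _tag("Attribute"), {"Name": name})
        for v in values:
            ET.SubElement(attr, _tag("AttributeValue")).text = v
    return ET.tostring(a, encoding="unicode")


def consume_assertion(xml, expected_issuer, my_entity_id, now):
    """SP side: accept attributes only from our IdP, addressed to us, inside the validity window."""
    a = ET.fromstring(xml)
    if a.findtext(_tag("Issuer")) != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = a.find(_tag("Conditions"))
    not_before = dt.datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = dt.datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside validity window")
    if my_entity_id not in [e.text for e in cond.iter(_tag("Audience"))]:
        raise ValueError("assertion not addressed to this SP")
    attrs = {attr.get("Name"): [v.text for v in attr.iter(_tag("AttributeValue"))]
             for attr in a.iter(_tag("Attribute"))}
    return a.findtext(f"{_tag('Subject')}/{_tag('NameID')}"), attrs


def run_demo():
    """One good assertion plus the three rejections an SP must produce."""
    issued = dt.datetime(2012, 5, 1, 9, 0, tzinfo=dt.timezone.utc)
    xml = build_assertion(IDP, SP, "jdoe", map_attributes("jdoe", DIRECTORY), issued)
    subject, attrs = consume_assertion(xml, IDP, SP, issued + dt.timedelta(seconds=10))
    results = {"subject": subject, "display_name": attrs["displayName"][0], "roles": attrs["roles"]}
    cases = {"expired": (IDP, SP, issued + dt.timedelta(seconds=600)),
             "wrong_audience": (IDP, "https://other.example.invalid", issued),
             "wrong_issuer": ("https://evil.example.invalid", SP, issued)}
    for label, args in cases.items():
        try:
            consume_assertion(xml, *args)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results
```

Timestamps are written with an explicit +00:00 offset so that datetime.fromisoformat parses them on older Python versions; real assertions use a trailing Z, which needs a small normalisation step before parsing.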
41. ITStrategic Integration cloud applications
[ At this point…
Users logged on in Portal 10g can seamlessly logon to apps in the cloud using SAML !
[Diagram: internal app servers protected by Policy Agents -> OpenAM cluster acting as SAML Identity Provider (IdP), https://idp.axi.nl (AXI) -> SAML based SSO -> external app servers, each a SAML SP]
43. ITStrategic Out of the box mobile app authentication with WS-REST
[Diagram: https://sso.axi.be and https://mobile.axi.be, each behind an Apache 2.2 SSL/RP server with mod_security in the AXI public DMZ; OpenAM and OpenDJ on a Tomcat J2EE server, Linux server (keepalived cluster)]
(1) Authenticate
/identity/authenticate?username=<uname>&password=<passwd>
(2) token.id=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(3) Validate
/identity/isTokenValid?tokenid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(4) Retrieve attributes (is customer?)
/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
(5) Logout
/identity/logout?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
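The five REST calls on this slide as an added, runnable model that is not OpenAM or AXI code: an in-memory stand-in for the legacy /identity endpoints and a client that parses their line-oriented key=value bodies. The token.id= body is from the slide; the boolean= and userdetails.attribute.name / userdetails.attribute.value formats for isTokenValid and attributes are assumptions to check against your OpenAM version, as are the user store and the attribute names. The stand-in takes the credentials in a POST body rather than the query string shown on the slide, so they do not end up in the reverse proxy's access log.

```python
import secrets
import time


class IdentityService:
    """Stand-in for the OpenAM /identity endpoints; tokens are bearer credentials with a TTL."""

    def __init__(self, users, ttl=1800):
        self.users, self.ttl = users, ttl   # {uid: {"password": ..., "attrs": {name: [values]}}}
        self.tokens = {}                    # token id -> (uid, expiry)

    def _live(self, token):
        """Resolve a token to a user, dropping it if it has expired."""
        entry = self.tokens.get(token)
        if entry and entry[1] > time.time():
            return entry[0]
        self.tokens.pop(token, None)
        return None

    def authenticate(self, form):
        """(1) POST username/password in the body; (2) answer token.id=<token>."""
        user = self.users.get(form.get("username"))
        if not user or user["password"] != form.get("password"):
            return 401, ""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (form["username"], time.time() + self.ttl)
        return 200, f"token.id={token}"

    def is_token_valid(self, tokenid):
        """(3) Assumed body format: boolean=true / boolean=false."""
        return 200, f"boolean={'true' if self._live(tokenid) else 'false'}"

    def attributes(self, subjectid):
        """(4) Assumed body format: one name line followed by one line per value."""
        uid = self._live(subjectid)
        if uid is None:
            return 401, ""
        lines = [f"userdetails.token.id={subjectid}"]
        for name, values in self.users[uid]["attrs"].items():
            lines.append(f"userdetails.attribute.name={name}")
            lines += [f"userdetails.attribute.value={v}" for v in values]
        return 200, "\n".join(lines)

    def logout(self, subjectid):
        """(5) Invalidate the token server-side; later calls with it must fail."""
        self.tokens.pop(subjectid, None)
        return 200, ""


def parse_kv(body):
    """'key=value' per line; repeated keys are collected in order."""
    out = {}
    for line in body.splitlines():
        key, _, value = line.partition("=")
        out.setdefault(key, []).append(value)
    return out


def parse_attributes(body):
    """Group userdetails.attribute.value lines under the preceding attribute name."""
    attrs, current = {}, None
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key == "userdetails.attribute.name":
            current, attrs[value] = value, []
        elif key == "userdetails.attribute.value" and current is not None:
            attrs[current].append(value)
    return attrs


def run_demo():
    """Walk the lifecycle with a constructed user store; returns what the mobile client observes."""
    svc = IdentityService({"jdoe": {"password": "s3cret",
                                    "attrs": {"uid": ["jdoe"], "memberOf": ["customer"]}}})
    _, body = svc.authenticate({"username": "jdoe", "password": "s3cret"})
    token = parse_kv(body)["token.id"][0]
    valid_before = parse_kv(svc.is_token_valid(token)[1])["boolean"][0]
    attrs = parse_attributes(svc.attributes(token)[1])
    is_customer = "customer" in attrs.get("memberOf", [])
    svc.logout(token)
    return {"valid_before": valid_before,
            "is_customer": is_customer,
            "valid_after": parse_kv(svc.is_token_valid(token)[1])["boolean"][0],
            "attrs_after_logout": svc.attributes(token)[0],
            "bad_login": svc.authenticate({"username": "jdoe", "password": "wrong"})[0]}
```

Because the token id is the only thing the mobile app presents after step (1), it deserves the same handling as a password: TLS end to end, never in URLs that get logged, and a server-side logout (step 5) rather than just forgetting it on the device.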
44. ITStrategic Use Case
[Diagram: the use-case architecture of slide 24 repeated, with the REST-WS path added]
45. ITStrategic Conclusion
[ Who can benefit from OpenAM
• Organisations running IAS9i/10g migrating to 11g WLS
• Organisations running multiple web-based apps and want to implement SSO
• Organisations wanting to integrate cloud apps using SAMLv2
• Organisations wanting to implement WS Security
• Organisations wanting to migrate from Sun OpenSSO to ForgeRock OpenAM
[ Benefits
• Proven technology – Sun OpenSSO !
• Easy to customize (auth plugin, policy plugin, saml assertion plugin etc)
• Pricing