D  Policy Configuration: Shared Components and Application Domains
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.
Custom Resource Types
• OAM 11g utilizes custom resource types to support non-HTTP resources.
• Non-HTTP resources are used by Fusion Applications and other JEE applications as a basis for AuthN and AuthZ when communicating with the OAM server.
• Some examples where custom resource types are utilized:
  – Fusion Applications SSO
  – Custom authenticator for JEE applications (non-WebGate scenario)
  – Identity asserter for OWSM
  – CredMapper for JEE applications auto login
D-2
Custom Authenticator Use Case
1 – A user accesses the J2EE application directly because there is
no WebGate in this scenario.
2 – The application authenticates with the OAM identity
authenticator implementation in the CSS layer by passing the
username and password.
3 – To fulfill the authentication, the OAM identity authenticator
contacts OAM on a NAP channel.
4 – Upon successful authentication, the OAM identity authenticator
returns the subject to the J2EE application.
D-4
Fusion Applications SSO Use Case
1 – A client accesses an ADF application, which is protected by an anonymous authentication. The ADF
application determines that authentication is required, so it redirects to a WebGate-protected ADF
authentication servlet.
2 – The WebGate connects to OAM for the authentication policy.
3 – If AuthN is successful, access to the ADF AuthN servlet is granted, which then redirects to the original ADF
controller application.
4 – The OAM identity asserter intercepts the request and asserts the identity of the user.
5 – This step is optional. The identity asserter may or may not contact OAM to assert the user. It can be
configured to trust the connections from the WebGate, in which case it does not need to contact OAM.
6 – The request goes back to the ADF controller application.
D-5
Creating Custom Resources
Note:
• No host ID is prefixed for custom resources; virtual hosts are not supported.
• No patterns are supported for custom resource types (they are all literals).
D-6
Authentication Parity with OAM 10g

Feature                                                      | OAM 10g | OAM 11g
-------------------------------------------------------------|---------|--------
Support for SSO over protected resources within domain       | YES     | YES
Support for multi-level and step-up authentication           | YES     | YES
Custom authentication plug-in                                | YES     | NO
Authentication step (authentication module chaining)         | YES     | NO
Orchestration across multiple authentication steps           | YES     | NO
Support for centralized Web server for credential collection | YES     | YES
Support for distributed/external credential collection       | YES     | NO
BASIC/FORM/X.509 authentication                              | YES     | YES
OCSP/WNA                                                     | NO      | YES
EXT Authentication/CRL Support                               | YES     | NO
D-7
OAM 10g Parity Items
Features Not Implemented in 11g R1
• Authorization expressions
• URL query string-based resource matching
• Additional wildcarding support
• Policies scoped to a specific HTTP operation
• Chained authentication schemes
• AuthN/AuthZ extensibility SPIs
• User properties, mapping LDAP attributes (or other sources) into the deployment
• Referential objects (constraints, responses), used from policies in multiple domains
D-8
Authentication: Troubleshooting Tips
• Logging – OAM 11g server logs can be used for request tracing. The logger name used by the authentication engine components is oracle.oam.engine.authn.
• WNA – An HTTP trace can be used to check the SPNEGO/NTLM token passed in a request (NTLM is not supported).
D-9
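The WNA tip above is easier to act on with a small checker that classifies the Authorization header found in an HTTP trace, since a browser that sends an NTLM token (raw or wrapped in the Negotiate scheme) will never satisfy the Kerberos/WNA scheme. The following is an added example written for this page, not Oracle's code; the trace lines and tokens are constructed stand-ins (a minimal SPNEGO/Kerberos token shell and an NTLM Type 1 header), and the verdict strings are an assumption of what a troubleshooting script would report.

```python
"""Classify Authorization headers from an HTTP trace during WNA troubleshooting (added example)."""
import base64
import binascii

# DER-encoded OBJECT IDENTIFIER prefixes (tag 0x06 + length + value) that name the
# GSS-API mechanism inside a Negotiate token.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"               # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"     # 1.2.840.113554.1.2.2


def classify_authorization(header_value):
    """Return 'SPNEGO', 'Kerberos', 'NTLM', 'Basic', 'none' or 'unknown' for one header value."""
    if not header_value:
        return "none"
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "Basic"
    if scheme == "ntlm":
        return "NTLM"
    if scheme != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"                       # raw NTLM message sent under the Negotiate scheme
    if raw[:1] == b"\x60":                  # GSS-API InitialContextToken (NegTokenInit or raw Kerberos)
        if raw.find(SPNEGO_OID, 1, 16) != -1:
            return "SPNEGO"
        if raw.find(KRB5_OID, 1, 16) != -1:
            return "Kerberos"
    return "unknown"


def audit_trace(trace_lines):
    """Scan raw request lines; return (line_no, kind, verdict) for every Authorization header."""
    findings = []
    for line_no, line in enumerate(trace_lines, 1):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            kind = classify_authorization(value.strip())
            # Only a Kerberos ticket (bare or inside SPNEGO) can satisfy the WNA challenge method.
            verdict = "ok" if kind in ("SPNEGO", "Kerberos") else "not accepted by the Kerberos/WNA scheme"
            findings.append((line_no, kind, verdict))
    return findings


def encode_negotiate(raw_token):
    """Build a 'Negotiate <base64>' header value from a raw token."""
    return "Negotiate " + base64.b64encode(raw_token).decode("ascii")


# Constructed sample tokens: not real tickets, just the structural prefixes the checker keys on.
SAMPLE_SPNEGO = b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"
SAMPLE_KRB5 = b"\x60\x0b" + KRB5_OID
SAMPLE_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\x00"

# Constructed sample trace: one request carrying SPNEGO, one carrying NTLM.
SAMPLE_TRACE = [
    "GET /protected/ HTTP/1.1",
    "Host: app.example.com",
    "Authorization: " + encode_negotiate(SAMPLE_SPNEGO),
    "",
    "GET /protected/ HTTP/1.1",
    "Host: app.example.com",
    "Authorization: " + encode_negotiate(SAMPLE_NTLM),
]

if __name__ == "__main__":
    for line_no, kind, verdict in audit_trace(SAMPLE_TRACE):
        print("line %d: %s -> %s" % (line_no, kind, verdict))
```

Feed the request lines from a browser trace or a proxy capture into audit_trace; an "NTLM" finding on the second request explains a WNA failure without reading the server log first.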
Success and Failure URL
This shows an example of redirection where a more meaningful message is returned than “File not found.”
Flow (Web server with WebGate, OAM server):
1. The client requests access to a resource.
2. Authorization fails.
3. WebGate redirects to AuthzFailure.html.
Content of AuthzFailure.html: “We are sorry but you are not authorized to access this resource. If you would like to request access, contact Application Administrator.”
D-10
Returning Session or Cookie or HTTP Header Variable
Flow (Web server with WebGate, OAM server):
1. The client requests access to a resource.
2. Authorization succeeds.
3. WebGate sets the header variable HTTP_WELCOME_CN.
4. The application processes the header variable and embeds the CN attribute in the returned page.
5. Authorization success: the returned page shows “Welcome John Smith!”
D-11
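Step 4 above is the application's side of the exchange. The following is an added example, not Oracle's code or part of the slide: it shows how an application can consume the HTTP_WELCOME_CN variable and embed the CN attribute in its page while treating the value as data rather than markup. It assumes the application only receives requests through the WebGate (so the variable is WebGate-set), that the header variable reaches the application under the name shown on the slide, and that the application falls back to a neutral greeting when the authorization response did not set the variable.

```python
"""Embed the CN attribute delivered by WebGate in a welcome page (added example)."""
from html import escape

# Name of the header variable from the slide; the exact name the application sees is
# assumed to match the name configured in the authorization response.
HEADER_VAR = "HTTP_WELCOME_CN"


def render_welcome(cn):
    """Return the welcome heading for a CN value, or a neutral greeting when it is empty."""
    if not cn:
        return "<h1>Welcome!</h1>"
    # The CN comes from the directory, not from the user, but values such as O'Brien <Sales>
    # must still render literally, so the value is HTML-escaped before it is embedded.
    return "<h1>Welcome %s!</h1>" % escape(cn, quote=True)


def welcome_page(headers):
    """Build the page body from the header variables the application received (dict of name -> value)."""
    cn = headers.get(HEADER_VAR, "").strip()
    return render_welcome(cn)


if __name__ == "__main__":
    # Constructed sample requests: one with the variable set by WebGate, one without it.
    print(welcome_page({HEADER_VAR: "John Smith"}))
    print(welcome_page({}))
```

If the page shows the neutral greeting although authorization succeeded, the authorization response that sets HTTP_WELCOME_CN is the first thing to check in the application domain.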
Validating Authentication and Authorization in an Application Domain
• Enter the URL for an application protected by the registered agent.
  – Confirm that the login page appears.
• Enter a valid username and password.
D-13
Authentication Module Features
• Delegated Authentication Module (DAP):
  – Asserts user identity by using tokens
  – Delegates authentication to a trusted service
  – OAM verifies the token provided by the service
  – OAM-OIF integration
D-14
Shared Components: Authentication Schemes
• Challenge methods:
  – DAP – LDAP Module
D-15
Shared Components: Authentication Schemes

AuthN Scheme             | AuthN Module       | Challenge Method | AuthN Level
-------------------------|--------------------|------------------|------------
Anonymous                | Anonymous          | None             | 0
Basic                    | LDAP               | Basic            | 1
LDAPNoPasswordValidation | LDAPNoPasswordAuth | Form             | 2
LDAP                     | LDAP               | Form             | 2
Kerberos                 | Kerberos           | WNA              | 2
OAAMBasic                | LDAP               | Form             | 2
OAAMAdvanced             | LDAP               | Form             | 2
OIM                      | LDAP               | Form             | 1
X509                     | X509               | X509             | 5
OAM 10g                  | LDAPNoPasswordAuth | OAM 10g          | 2
OIF                      | DAP                | DAP              | 2
D-17
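The AuthN Level column is what drives the multi-level and step-up authentication listed in the parity table. The following is an added example, not Oracle's code or the OAM policy engine: it takes the scheme-to-level mapping from the scheme table and simulates the decision a policy engine makes when a session that authenticated at one level reaches a resource protected by a scheme of another level. It assumes that a session keeps the highest level it has reached (authenticating with a lower-level scheme never lowers it) and that a step-up challenge, when simulated, succeeds.

```python
"""Step-up decision based on authentication scheme levels (added example)."""

# Scheme -> authentication level, taken from the scheme table on this page.
SCHEME_LEVEL = {
    "Anonymous": 0,
    "Basic": 1,
    "LDAPNoPasswordValidation": 2,
    "LDAP": 2,
    "Kerberos": 2,
    "OAAMBasic": 2,
    "OAAMAdvanced": 2,
    "OIM": 1,
    "X509": 5,
    "OAM 10g": 2,
    "OIF": 2,
}


class Session:
    """Minimal session model: the level reached so far and the schemes used to reach it."""

    def __init__(self):
        self.level = 0
        self.schemes = []

    def record(self, scheme):
        # Assumption: the session level is the highest level achieved; it never drops.
        self.level = max(self.level, SCHEME_LEVEL[scheme])
        self.schemes.append(scheme)


def access_decision(session, scheme):
    """Return 'allow' if the session level satisfies the scheme protecting the resource,
    otherwise 'step-up' (the user must authenticate with that scheme)."""
    if scheme not in SCHEME_LEVEL:
        raise ValueError("unknown authentication scheme: %r" % scheme)
    return "allow" if session.level >= SCHEME_LEVEL[scheme] else "step-up"


def walk(resource_schemes):
    """Simulate one user visiting resources in order, each protected by the named scheme.
    Every step-up is assumed to succeed. Returns (scheme, decision, level after the visit)."""
    session = Session()
    trail = []
    for scheme in resource_schemes:
        decision = access_decision(session, scheme)
        if decision == "step-up":
            session.record(scheme)
        trail.append((scheme, decision, session.level))
    return trail


if __name__ == "__main__":
    # Constructed visit order: anonymous page, then Basic, LDAP, back to Basic, then X509.
    for scheme, decision, level in walk(["Anonymous", "Basic", "LDAP", "Basic", "X509"]):
        print("%-10s %-8s session level now %d" % (scheme, decision, level))
```

The walk shows the two properties worth verifying in a deployment: a level-2 session is not challenged again on a level-1 resource, and a level-5 (X509) resource forces a step-up even for a session that already holds level 2.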