OAM Identity Context
Configuring Identity Context Service Components
1. Configuring FMW
The application to be protected must be deployed in a WebLogic Server domain built on 11.1.1.PS5 with Oracle Platform Security Services (OPSS) Optach for Ps5 or OFMW PS6 or later. WebLogic Server Domain in which the application is running must be protected by the Access Manager Identity Asserter component that will validate the Identity Assertion received from Access Manager and start the process of creating the Identity Context Runtime. Acces Manager Identity Asserter must be configured to detect the token type, OAM_IDENTITY_ASSERTION.Also, the protected application working with the Identity Context Runtime directly must be granted source code grants to work with the OPSS Attribute Service.
2. Configuring OAM
2.1 Configuring Identity Assertion
Oracle recommends that you define Asserted Attributes in Access Manager Authorization policies for proper enforcement of end-to-end security between the Web and application tiers.
In addition to ensuring trust between the WebGate protecting a Web resource and the Application Server container, Identity Assertion (a SAML Session token) is used to publish the Identity Context data as SAML attributes.
Identity Assertion must be enabled and populated with Asserted Attributes as required by the business logic expecting specific attributes in the Identity Context. It is configured within the OAM Policy Responses tab and can be defined for both Authentication and Authorization policies.
2.2 Configuring Federation Attributes
Once a resource is protected by the Access Manager authentication scheme FederationScheme, Access Manager will act as the service provider and receive the SAML assertion as provided by the federation partner. After the federation single sign on (SSO) operation, the following attributes will be present in the authenticated identity's Access Manager session:
$session.attr.fed.partner (partner name)
$session.attr.fed.nameidvalue (SAML NameID Value)
$session.attr.fed.nameidformat (SAML NameID Format)
$session.attr.fed.attr (SAML Assertion received from partner)
2.3 Configuring Session Attributes
Access Manager session attributes can be used in configuring Identity Assertion by selecting oracle:idm:claims:session:attributes as the Asserted Attribute and setting the value to "attr-name=$session.attr.name" where attr-name is the name given to Identity Context attribute and name is the name of the Access Manager session attribute.
oracle:idm:claims:session:attributes with the value of authn-strength=$session.attr.authnlevel
oracle:idm:claims:session:attributes:authn-strength
2.4 Configuring Identity Store Attributes
Identity Store attributes can be used to configure an Access Manager Identity Assertion by selecting oracle:idm:claims:ids:attributes as the Asserted Attribute and setting the value to "attr-name=$user.attr.name" where attr-name is the name given to the Identity Context attribute and name is the name of the Identity Store attribute.
oracle:idm:claims:ids:attributes with the value of first-name=$user.attr.fname
oracle:idm:claims:ids:attributes:first-name
3. Configuring OAAM
3.1 Setting Up Oracle Adaptive Access Manager
oracle.oaam.idcontext.enabled = true (property)
bharosa.uio.default.registerdevice.enabled = true
oaam.uio.oam.dap_token.version=v2.1
3.2 Configuring Access Manager for OAAM Integration
Perform the following steps. Using the TAPScheme forces the user to authenticate using the OAAM authentication schemes.
Do not use OAAM Advanced or OAAM Basic.
Authentication Scheme
Name : TAPScheme
Add the following challenge parameter
TAPOverrideResource=http://IAMSuiteAgent:80/oamTAPAuthenticate
3.3 Validating Identity Context Data Published by OAAM
oracle:idm:claims:risk:newdevice will be true after a login from a new device; false otherwise.
oracle:idm:claims:risk:level will have a high value after a couple of unsuccessful logins followed by a successful login. To test for this, try a few unsuccessful logins and then a successful one.
oracle:idm:claims:risk:safeforuser will have true after a user successfully answers the challenge question.
oracle:idm:claims:risk:fingerprint contains the user's device's fingerprint. By default, the fingerprint built out of HTTP header data is used; if that is not available, fingerprint data built out of Flash will be used. To test for different fingerprints, try different devices.
4. Configuring OWSM
Configure Security Policy by modifying the Identity Context supported OWSSM security policies to contain the propagate.identity.context element with a value of true
Configure the Keystore and Credential Store to sign the SAML assertion and messages: copy the updated Keystore and Credential Store to your domain_home/config/fmwconfig/ directory.
5. Configuring Oracle Entitlements Server
PepRequestFactory requestFactory =
PepRequestFactoryImpl.getPepRequestFactory();
PepRequest request = requestFactory.newPepRequest (subject,
action, resource, new HashMap<String, Object>());
PepResponse response = request.decide();
boolean isAuthorized = response.allowed();
ASSERT_IDENTITY_CONTEXT
GET_STRING_IDENTITY_CONTEXT
GET_INTEGER_IDENTITY_CONTEXT
GET_BOOLEAN_IDENTITY_CONTEXT
6. Configuring Oracle Access Management Mobile and Social
Service Provider : MobileOAMAuthentication
Attributes
Add
IDContextEnabled = true
7. Configuring Oracle Enterprise Single Sign On
As part of the Identity Context Service, Oracle Enterprise Single Sign-on (OESSO) can publish and propagate client-based Identity Context attributes. Once full integration has been configured, client-specific Identity Context attributes (as documented in Section 41.3.1, "Using the Identity Context Dictionary") will be sent by OESSO to OAM in the session initiation request together with the user credentials submitted in the access request.
After the request has been received, OESSO makes a call to an SSL-protected OAM REST API (previously configured by the OESSO Administrator and included as part of the OESSO client distribution). This API returns the OAM_ID cookie to OESSO. OESSO then propagates the valid OAM_ID cookie to the client browsers (Internet Explorer and Firefox) which enables OESSO resources to be protected and enables single sign-on (SSO) with those resources that are protected by the OAM Embedded Credential Collector. (This does not include resources that are protected by the Distributed Credential Collector.) OESSO then provides OAM credentials that are acceptable to the OAM Embedded Credential Collector as well as client context information in the payload.
8. Validating Identity Context
OAM to protect the /testidc
Use the OAM Tester to validate that the Identity Assertion is returned as an OAM_IDENTITY_ASSERTION attribute in response to the authorization request for /testidc
Perform the following to validate that WebGate is creating an HTTP header that contains the Identity Assertion.
/cgi-bin/printenv.pl script is protected by the same policy that protects the /testidc
printenv.pl ships as part of OHS and must have permission to execute. Any script to display header information can be used instead.
HTTP_OAM_IDENTITY_ASSERTION header contains a SAML token with Asserted Attributes
Access the printenv.pl to trigger a login and display the HTTP headers
--------------------------------------------------------------------------------------------------------------
1. Configuring FMW
The application to be protected must be deployed in a WebLogic Server domain built on 11.1.1.PS5 with Oracle Platform Security Services (OPSS) Optach for Ps5 or OFMW PS6 or later. WebLogic Server Domain in which the application is running must be protected by the Access Manager Identity Asserter component that will validate the Identity Assertion received from Access Manager and start the process of creating the Identity Context Runtime. Acces Manager Identity Asserter must be configured to detect the token type, OAM_IDENTITY_ASSERTION.Also, the protected application working with the Identity Context Runtime directly must be granted source code grants to work with the OPSS Attribute Service.
2. Configuring OAM
2.1 Configuring Identity Assertion
Oracle recommends that you define Asserted Attributes in Access Manager Authorization policies for proper enforcement of end-to-end security between the Web and application tiers.
In addition to ensuring trust between the WebGate protecting a Web resource and the Application Server container, Identity Assertion (a SAML Session token) is used to publish the Identity Context data as SAML attributes.
Identity Assertion must be enabled and populated with Asserted Attributes as required by the business logic expecting specific attributes in the Identity Context. It is configured within the OAM Policy Responses tab and can be defined for both Authentication and Authorization policies.
2.2 Configuring Federation Attributes
Once a resource is protected by the Access Manager authentication scheme FederationScheme, Access Manager will act as the service provider and receive the SAML assertion as provided by the federation partner. After the federation single sign on (SSO) operation, the following attributes will be present in the authenticated identity's Access Manager session:
$session.attr.fed.partner (partner name)
$session.attr.fed.nameidvalue (SAML NameID Value)
$session.attr.fed.nameidformat (SAML NameID Format)
$session.attr.fed.attr (SAML Assertion received from partner)
2.3 Configuring Session Attributes
Access Manager session attributes can be used in configuring Identity Assertion by selecting oracle:idm:claims:session:attributes as the Asserted Attribute and setting the value to "attr-name=$session.attr.name" where attr-name is the name given to Identity Context attribute and name is the name of the Access Manager session attribute.
oracle:idm:claims:session:attributes with the value of authn-strength=$session.attr.authnlevel
oracle:idm:claims:session:attributes:authn-strength
2.4 Configuring Identity Store Attributes
Identity Store attributes can be used to configure an Access Manager Identity Assertion by selecting oracle:idm:claims:ids:attributes as the Asserted Attribute and setting the value to "attr-name=$user.attr.name" where attr-name is the name given to the Identity Context attribute and name is the name of the Identity Store attribute.
oracle:idm:claims:ids:attributes with the value of first-name=$user.attr.fname
oracle:idm:claims:ids:attributes:first-name
3. Configuring OAAM
3.1 Setting Up Oracle Adaptive Access Manager
oracle.oaam.idcontext.enabled = true (property)
bharosa.uio.default.registerdevice.enabled = true
oaam.uio.oam.dap_token.version=v2.1
3.2 Configuring Access Manager for OAAM Integration
Perform the following steps. Using the TAPScheme forces the user to authenticate using the OAAM authentication schemes.
Do not use OAAM Advanced or OAAM Basic.
Authentication Scheme
Name : TAPScheme
Add the following challenge parameter
TAPOverrideResource=http://IAMSuiteAgent:80/oamTAPAuthenticate
3.3 Validating Identity Context Data Published by OAAM
oracle:idm:claims:risk:newdevice will be true after a login from a new device; false otherwise.
oracle:idm:claims:risk:level will have a high value after a couple of unsuccessful logins followed by a successful login. To test for this, try a few unsuccessful logins and then a successful one.
oracle:idm:claims:risk:safeforuser will have true after a user successfully answers the challenge question.
oracle:idm:claims:risk:fingerprint contains the user's device's fingerprint. By default, the fingerprint built out of HTTP header data is used; if that is not available, fingerprint data built out of Flash will be used. To test for different fingerprints, try different devices.
4. Configuring OWSM
Configure Security Policy by modifying the Identity Context supported OWSSM security policies to contain the propagate.identity.context element with a value of true
Configure the Keystore and Credential Store to sign the SAML assertion and messages: copy the updated Keystore and Credential Store to your domain_home/config/fmwconfig/ directory.
5. Configuring Oracle Entitlements Server
PepRequestFactory requestFactory =
PepRequestFactoryImpl.getPepRequestFactory();
PepRequest request = requestFactory.newPepRequest (subject,
action, resource, new HashMap<String, Object>());
PepResponse response = request.decide();
boolean isAuthorized = response.allowed();
ASSERT_IDENTITY_CONTEXT
GET_STRING_IDENTITY_CONTEXT
GET_INTEGER_IDENTITY_CONTEXT
GET_BOOLEAN_IDENTITY_CONTEXT
6. Configuring Oracle Access Management Mobile and Social
Service Provider : MobileOAMAuthentication
Attributes
Add
IDContextEnabled = true
7. Configuring Oracle Enterprise Single Sign On
As part of the Identity Context Service, Oracle Enterprise Single Sign-on (OESSO) can publish and propagate client-based Identity Context attributes. Once full integration has been configured, client-specific Identity Context attributes (as documented in Section 41.3.1, "Using the Identity Context Dictionary") will be sent by OESSO to OAM in the session initiation request together with the user credentials submitted in the access request.
After the request has been received, OESSO makes a call to an SSL-protected OAM REST API (previously configured by the OESSO Administrator and included as part of the OESSO client distribution). This API returns the OAM_ID cookie to OESSO. OESSO then propagates the valid OAM_ID cookie to the client browsers (Internet Explorer and Firefox) which enables OESSO resources to be protected and enables single sign-on (SSO) with those resources that are protected by the OAM Embedded Credential Collector. (This does not include resources that are protected by the Distributed Credential Collector.) OESSO then provides OAM credentials that are acceptable to the OAM Embedded Credential Collector as well as client context information in the payload.
8. Validating Identity Context
OAM to protect the /testidc
Use the OAM Tester to validate that the Identity Assertion is returned as an OAM_IDENTITY_ASSERTION attribute in response to the authorization request for /testidc
Perform the following to validate that WebGate is creating an HTTP header that contains the Identity Assertion.
/cgi-bin/printenv.pl script is protected by the same policy that protects the /testidc
printenv.pl ships as part of OHS and must have permission to execute. Any script to display header information can be used instead.
HTTP_OAM_IDENTITY_ASSERTION header contains a SAML token with Asserted Attributes
Access the printenv.pl to trigger a login and display the HTTP headers
--------------------------------------------------------------------------------------------------------------
Identity Context Schema Attributes
Namespace | Attribute | Type | Virtual | Primary Publisher | Description |
---|---|---|---|---|---|
oracle:idm:claims:nameid
|
value
|
string
|
no
|
OAM
|
Indicates a unique user identifier. Access Manager currently publishes User DN
|
oracle:idm:claims:nameid
|
format
|
string
|
no
|
OAM
|
Indicates the type of user identifier. Access Manager currently publishes "urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"
|
oracle:idm:claims:nameid
|
qualifier
|
string
|
no
|
OAM
|
Indicates a logical Identity Domain to whom the user belongs. Access Manager currently publishes a logical name of the identity store, such as UserIdentityStore1.
|
oracle:idm:claims:nameid
|
spprovidedid
|
string
|
no
|
OAM
|
Indicates unique identifier that can be used by any SP to locate the user in SP's own identity store(s). Access Manager currently publishes the value of the unique id attribute as configured in a registered identity store.
|
oracle:idm:claims:client
|
firewallenabled
|
boolean
|
no
|
OESSO
|
Indicates client device has firewall enabled.
|
oracle:idm:claims:client
|
antivirusenabled
|
boolean
|
no
|
OESSO
|
Indicates client device has antivirus enabled.
|
oracle:idm:claims:client
|
fingerprint
|
string
|
no
|
OESSO, Oracle Access Management Mobile and Social (OMS)
|
Indicates fingerprint of the client device.
|
oracle:idm:claims:client
|
ostype
|
string
|
no
|
OMS
|
Indicates client device's Operating System type.
|
oracle:idm:claims:client
|
osversion
|
string
|
no
|
OMS
|
Indicates client device's operating system version.
|
oracle:idm:claims:client
|
jailbroken
|
boolean
|
no
|
OMS
|
Indicates if client device is Jailbroken (iOS) or Rooted (Android).
|
oracle:idm:claims:client
|
macaddress
|
string
|
no
|
OMS
|
Indicates client device's Ethernet (MAC) Address.
|
oracle:idm:claims:client
|
ipaddress
|
string
|
no
|
OMS
|
Indicates client device's Client IP Address.
|
oracle:idm:claims:client
|
vpnenabled
|
boolean
|
no
|
OMS
|
Indicates if client's device has VPN enabled.
|
oracle:idm:claims:client
|
geolocation
|
string
|
no
|
OMS
|
Indicates client device location's geographical coordinates in the form of "latitude,longitude.
|
oracle:idm:claims:risk
|
newdevice
|
boolean
|
no
|
OAAM
|
Indicates if the client device has been seen before. True when logging in from a device never seen before; otherwise, false.
|
oracle:idm:claims:risk
|
level
|
integer
|
no
|
OAAM
|
Indicates risk level. Level increases after unsuccessful logins.
|
oracle:idm:claims:risk
|
safeforuser
|
boolean
|
no
|
OAAM
|
Indicates if the user answered a secondary challenge question. True after the user successfully answers it; otherwise false.
|
oracle:idm:claims:risk
|
fingerprint
|
string
|
no
|
OAAM
|
Indicates device fingerprint as measured by OAAM. Different devices will leave different fingerprints; can be switched between device (obtained via Flash) fingerprint and browser (http-only) fingerprint
|
oracle:idm:claims:session
|
authnlevel
|
integer
|
no
|
OAM
|
Indicates authentication level for Access Manager
|
oracle:idm:claims:session
|
usercount
|
integer
|
no
|
OAM
|
Indicates number of sessions held by the users
|
oracle:idm:claims:session
|
appdomain
|
string
|
no
|
OAM
|
Indicates name of the Access Manager Application Domain containing policies
|
oracle:idm:claims:session
|
apppolicy
|
string
|
no
|
OAM
|
Indicates name of the Access Manager policy that allowed access
|
oracle:idm:claims:session
|
appagent
|
string
|
no
|
OAM
|
Indicates the name of the agent from which the request came to Access Manager
|
oracle:idm:claims:session
|
appclientip
|
string
|
no
|
OAM
|
Indicates the IP address of the client sending the request to Access Manager
|
oracle:idm:claims:session
|
sessionid
|
string
|
no
|
OAM
|
Indicates the Access Manager session ID
|
oracle:idm:claims:session
|
attributes
|
string
|
yes
|
OAM
|
Indicates session attributes as retrieved from the session store. For example, in Access Manager, select "oracle:idm:claims:session:attributes" as the claim name and then specify the session attribute using the following notation: "attr-name=$session.attr.name where name is the name of the attribute stored in the session. The claim will be created with the name of "oracle:idm:claims:session:attributes:attr-name" and value equal to session's nameattribute.
|
oracle:idm:claims:fed
|
partner
|
string
|
no
|
OAM--or IF?
|
Indicates partner ID as determined by Identity Federation
|
oracle:idm:claims:fed
|
nameidvalue
|
string
|
no
|
OAM--or IF?
|
Indicates user ID from a federation partner as determined by Identity Federation
|
oracle:idm:claims:fed
|
nameidformat
|
string
|
no
|
OAM--or IF?
|
Indicates format of the user ID from a federation partner as determined by Identity Federation
|
oracle:idm:claims:fed
|
attributes
|
string
|
yes
|
OAM
|
Indicates federation attribute as supplied by the partner and determined by Identity Federation. For example, in Access Manager, select "oracle:idm:claims:fed:attributes" as the claim name and then specify the federation attribute using the following notation: "attr-name=$session.attr.fed.attr.name, where name is the name of the SAML attribute in the partner's SAML assertion. The claim will be created with the name of "oracle:idm:claims:fed:attributes:attr-name" and value equal to the partner's assertion provided in the SAML's name attribute.
|
oracle:idm:claims:ids
|
attributes
|
string
|
yes
|
OAM
|
For example, in Access Manager, select "oracle:idm:claims:ids:attributes" as the claim name, and then specify the ID Store attribute using the following notation: "attr-name=$user.attr.name where name is the name of the attribute on the user profile. The claim will be created with the name of "oracle:idm:claims:ids:attributes:attr-name" and value equal to user profile's nameattribute.
|
oracle:idm:claims:tenant
|
tenantid
|
string
|
no
|
OAM
|
Currently reserved for future use. (Indicates tenant id.)
|
oracle:idm:claims:tenant
|
attributes
|
string
|
yes
|
OAM
|
Currently reserved for future use. (Indicates tenant attributes as supplied by the Publisher. The claim value is meant to contain "attr-name=attr-value". The claim will be created with the name of "oracle.idm:claims:tenant:attr-name" and value of attr-value.)
|
Comments
Post a Comment