I had an interesting use case come up this morning and I am wondering if there are any “federation” products that can handle this use case. My client would like to configure the IDP to handle different sets of users (let’s call them “internal” and “external”). To avoid the external users being redirected to the IDP directly, it has been front-ended with a proxy (Apache HTTP) located in the DMZ. Internal users should have access to the same SPs … but we probably don’t want the internal users getting redirected to the proxy located in the DMZ. One of the products that I work with can only have one “server url” configured (that I know of) … do other products allow for multiple URLs to be configured? I would love to hear if this is actually a “problem” and, if so, how other vendors have implemented it. The easy solution on our part is to deploy another federation server (IDP) to handle the different users … personally I hate to keep telling the customer to deploy a new instance each time a new use case comes up. I don’t think that scales very well.
Virtual Identity Server for Office 365 – OptimalIDM
I just got this from my friends at OptimalIDM and wanted to share this news.
OptimalIDM is formally announcing their Virtual Identity Server for Office 365 via a press release at 9:00 a.m. this morning.
VIS for Office 365 adds a ton of features and support to Office 365 such as:
- Users can exist anywhere (i.e. eDirectory)
- Complete multi-forest support (no on-premise sync required)
- Non-routable UPNs (domain.local) & multiple UPN suffixes support
- Two-factor authentication
- Denial of Service prevention/detection
- Cloud firewall (filter data going to cloud)
- Detailed audit logging
OptimalIDM is demonstrating this at a Lunch presentation on TUESDAY at TEC.
The Most Complete History of Directory Services You Will Ever Find
@billnelson gives us the most complete history of the Directory Services you will ever find (…until the next one)
OIF/OAM Integration Approach #Oracle #Identity #IDM
Whenever I need to integrate Oracle Identity Federation (OIF) and Oracle Access Manager (OAM) it always takes me a few minutes to remember which integration approach provides which capability. I decided to make myself a cheat sheet to help me remember. If you are ever in the same boat, hopefully this will help.
Implementing #OpenID with Oracle Identity Federation #Identity #OIF
I have a customer that is an Oracle Identity Management shop. They are looking to leverage OpenID to increase the ease of collaborating with internal and external partners as well as to reduce the cost of managing passwords for non-employees. They are also implementing other strategies to reduce the use of passwords in their environment, but for today I just want to talk about how to implement OpenID.
A good starting point is Warren Strange’s (Strange Brew) “Adding an OpenID Relying Party to Oracle Identity Federation (OIF)”. In this post Warren describes, in perfect detail, how to integrate OIF with Google as your Identity Provider. As Warren points out, OIF includes a test service provider integration module that you can use to validate that you have things configured correctly. You will have to switch to another Service Provider Integration Module (OSSO, OAM or Custom) to actually leverage this in production; otherwise the user will always end up on the test results page regardless of where they were attempting to go.
The other side of the coin is adding an OpenID Identity Provider to Oracle Identity Federation. In my customer’s use case they have internal organizations that would like to consume identity information from my customer, but they still want to remain loosely coupled. Their choice here would be to go with SAML or OpenID. They will be supporting both options.
First, make sure that you are on at least OIF 11.1.1.4.
To enable OIF as an OpenID IdP you need to log into Enterprise Manager and go to Oracle Identity Federation >> Administration >> Identity Provider. Make sure that the Identity Provider is enabled in the Common tab, Apply (if not already enabled) and then switch to the OpenID 2.0 tab. From this tab, make sure to check Enable OpenID 2.0 Protocol then at the bottom of the screen click on the box that says Create, which is next to “Generic OpenID Service Provider”. This provides configuration for service providers that are not specifically named in the Federation. Click Apply.
Next, go to Oracle Identity Federation >> Administration >> Federations. You should see two Trusted Providers already listed. The first will have a Provider-ID of “Unknown-OpenID-RP”, which was created when you created the generic provider in the previous step. The second, which will be there if you followed the steps in Warren’s blog, will have a Provider-ID of “Google” (or something like that). You will need to add a provider for your IDP. Click on “Add” and the “Add Trusted Provider” screen will open. Click the radio button next to “Add Provider Manually”. Let’s assume that we are implementing this for a company called Acme, Inc.
Complete the information as shown below, and then click “OK”.
Next, highlight the Provider you just created and click on “Edit”.
In the Trusted Provider Settings tab add the Endpoint URL and the Discovery URL:
Endpoint URL: http://fed.acme.com:7777/fed/idp
Discovery URL: http://fed.acme.com:7777/fed/idp
Then, click on the Oracle Identity Federation Settings tab.
To enable a setting you have to click on the little square in the circle until it turns blue and then check the box at the end of the line. You want to enable both Map User via Federated Identity and Error when User Mapping fails. Your screen should then look like this:
Click Apply.
Optionally, you can enable the Attribute Exchange by clicking “Edit” next to Attribute Mappings and Filters.
The last thing you need to do is confirm that your Identity Provider has a user identity store that it will authenticate against. You can do this by clicking on Oracle Identity Federation >> Administration >> Authentication Engines. The Default Authentication Engine will be set to whatever you selected during install. The default is JAAS. I changed mine to LDAP Directory. Then click on the LDAP Directory tab. Click Enable Authentication Engine and complete the requested information. Make sure you test the LDAP connection before applying.
At this point you can test using the same steps that Warren outlined in his blog post:
Go to: http://fed.acme.com:7777/fed/user/testspsso
Select ACME from the IdP Provider ID drop-down box.
Then click on Start SSO. You should be prompted by OIF’s default IDP to authenticate; after successfully authenticating you will have to click Accept on a User Consent page, and then you will be returned to a status page showing a successful authentication.
So, those are the basic steps. There are a number of use cases that would require additional configuration. For Federal agencies implementing this for a FICAM solution you would need to look at enabling the Provider Authentication Policy Extension (PAPE) 1.0 options on the Identity Provider configuration page.
About TUMY | Technology, Inc.
TUMY | technology, inc. (TTi) provides Identity & Access Management (IAM) solutions that secure and manage digital identities and applications.
In response to growing security threats and regulatory compliance mandates (HIPAA, Sarbanes-Oxley, etc.) organizations need solutions that can be implemented quickly to identify users and their entitlements before giving access to requested resources. We specialize in vendor solutions such as ForgeRock and Oracle. Our mission is to deliver secure, robust and cost-effective solutions to our clients. Please contact us at: info “at” tumy-tech.com or 1.240.215.4825
Recommended IDM Books #IDM #infosec
Here are the books that I refer to in my IDM work:
ForgeRock:
Oracle:
Using sed to clean up an LDIF file for import #Oracle #Identity #UNIX
I needed to import a group of users, into Oracle Internet Directory (OID) with attributes in a variety of backend data stores. I used Oracle Virtual Directory to virtualize the data stores into a single ldap view. I used the OVD adapter configuration to specify which attributes I wanted returned. I then exported using the export control from Apache Directory Studio. This resulted in an ldif file containing all of the records I needed with attributes. There were a few additional attributes as a result of using OVD that I now had to deal with.
I ended up with an ldif file that contained a lot of records like this:
dn: cn=Babs Jensen@ACME.GOV,ou=temp_user_load
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: 1234556677@ACME.GOV
cn: Babs.Jensen@ACME.gov
cn: Jensen, Babs
sn: Jensen
givenName: Babs
mail: BABS.JENSEN@ACME.GOV
vdejoindn: ou=acmeinfo_temp:cn=JENSEN\,BABS,ou=acmeinfo_temp
vdejoindn: AD_temp:CN=babs.jensen@ACME.GOV,OU=locations,OU=park,ou=ad_t
emp,dc=acme,dc=local
fascnDecoded: 1234567890987654321
guid: ABcdedghi1234567890
ssn: 12345678
…
Note: With the sed command you can make changes directly to the source file, but I am creating a new target file with each change so that I can always revert if the command doesn’t work exactly the way I want it to.
I wanted to get rid of lines that don’t start with an attribute name (in my case I am free to get rid of lines that carry over onto a second line … YMMV).
I also specifically wanted to get rid of all lines that start with “vdejoindn:”. Some vdejoindn values overrun onto a second line, and that second line won’t be removed if I simply use sed to delete lines matching vdejoindn:.
So, first I want to remove all lines that don’t contain a colon. This removes the overrun lines but also all blank lines.
$ sed '/:/!d' input.ldif > tmp.ldif
This keeps only the lines with a colon.
But now we don’t have breaks between the records, so insert a blank line before each dn:
$ sed 's/^dn:/\n&/g' tmp.ldif > tmp2.ldif
Ok, now I want to get rid of the lines that have “vdejoindn:”.
$ sed '/vdejoindn:/d' tmp2.ldif > tmp3.ldif
Now, at some point I ended up with “^M” (a carriage return) at the end of each line … I don’t know if this is because I opened the file with VIM in Windows before moving it to Linux … I am going to assume so, but either way in this instance I want to remove these characters. dos2unix converts in place by default, so use its new-file mode to keep a separate target file:
$ dos2unix -n tmp3.ldif tmp4.ldif
Alright, now, for me to import this into Oracle Internet Directory (OID) I’ll need to add the “changetype” directive. I am going to add the string “changetype: add” on a new line after each line containing “ou=temp_user_load”, which is the temporary suffix I used in this export.
$ sed '/ou=temp_user_load/ a\changetype: add' tmp4.ldif > tmp5.ldif
The last step prior to importing is to correct each entry’s “DN” attribute. Essentially, we need to replace “ou=temp_user_load” with the correct suffix for where these users will be created.
$ sed 's/ou=temp_user_load/cn=Users,o=icam,dc=acme,dc=local/g' tmp5.ldif > tmp6.ldif
At this point my ldif file (“tmp6.ldif”) is ready to import into my directory. You can use the ldapmodify command or since I am using OID you can use bulkload (which is recommended for large record sets).
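The cleanup steps above folded into a single pipeline and run against a constructed LDIF sample. This is an added example, not the original post’s commands; the target suffix, the sample entries and the use of tr -d '\r' in place of dos2unix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the cleanup steps above folded
# into one pipeline over a constructed LDIF sample. The target suffix and the
# sample entries are assumptions chosen to mirror the export described above.
set -eu

# clean_ldif INPUT OUTPUT NEW_SUFFIX
# 1. strip CR (the ^M characters)      4. drop vdejoindn lines
# 2. drop lines without a colon        5. add "changetype: add" after each dn
# 3. blank line before each dn         6. rewrite the temporary suffix
clean_ldif() {
  in="$1"; out="$2"; suffix="$3"
  tr -d '\r' < "$in" \
    | sed '/:/!d' \
    | sed 's/^dn:/\n&/' \
    | sed '/vdejoindn:/d' \
    | sed '/ou=temp_user_load/a changetype: add' \
    | sed "s|ou=temp_user_load|$suffix|g" > "$out"
}

# Constructed sample export: one vdejoindn value folded onto a second line and
# CRLF line endings, the two problems described above.
sample=$(mktemp); cleaned=$(mktemp)
awk '{ printf "%s\r\n", $0 }' > "$sample" <<'EOF'
dn: cn=Babs Jensen@ACME.GOV,ou=temp_user_load
objectclass: inetOrgPerson
cn: Jensen, Babs
sn: Jensen
vdejoindn: AD_temp:CN=babs.jensen@ACME.GOV,OU=locations,ou=ad_t
emp,dc=acme,dc=local
mail: BABS.JENSEN@ACME.GOV

dn: cn=John Doe@ACME.GOV,ou=temp_user_load
objectclass: inetOrgPerson
sn: Doe
EOF

clean_ldif "$sample" "$cleaned" "cn=Users,o=icam,dc=acme,dc=local"
cat "$cleaned"
```

The `\n` in the replacement and the one-line `a text` form are GNU sed extensions, so run this with GNU sed.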
Migrating User objects (and userpassword) in OID
Assumptions: Legacy OID SID = infra1; New OID SID = orcl1
Step 1. Export all objects from the root realm:
Export the data from the root realm out of the legacy directory:
$ ldifwrite -c infra1 -b "o=xxx,c=yy" -f out.ldif
Remove the userpassword attribute:
$ sed '/userpassword:/d' out.ldif > tmp.ldif
Replace the output file with the updated file (passwords removed):
$ mv tmp.ldif out.ldif
Stop the OID process of the new OID:
$ opmnctl stopall
Use bulkload to check the schema and generate an intermediate file:
$ bulkload -connect=orcl -check=true -generate=true -file=out.ldif
Assuming there are no errors, use bulkload to load the data into the new directory:
$ bulkload -connect=orcl -load=true -file=out.ldif
Restart the OID process of the new OID:
$ opmnctl startall
Step 2. Migrate the userpassword attribute
Export the dn and userpassword attribute from each object that has a userpassword:
$ ldapsearch -h hostname -p port -D "cn=orcladmin" -w password -s sub -b "" "objectclass=*" dn userpassword > ./pwdout.ldif
Import the user passwords into the new directory:
$ ldapmodify -h hostname -p port -D "cn=orcladmin" -w password -f ./pwdout.ldif
uh, so … what version was that again? #Oracle #Fusion #Identity #OHS
A really quick post to share something that I found this morning. I am constantly trying to remember the exact version of OHS (Oracle HTTP Server) that is installed (Actually any Fusion Middleware component). Sometimes I am inheriting an existing environment or validating someone else’s environment and need to baseline what is installed.
Here is how to get a list of what components are installed and their current version:
$ORACLE_HOME/OPatch/opatch lsinventory -detail
This will dump out a ton of information on the instance of OHS.
Book Review: Oracle Identity and Access Manager 11g for Administrators (Packt Publishing)
As many of you may know, Atul Kumar has finished writing his book “Oracle Identity and Access Manager 11g for Administrators”. I had the pleasure of being a technical reviewer for this book. If you know Atul or his website then you know my job was pretty easy, as he is well versed and experienced with Oracle Identity Management. I was pretty excited to finally get a hard copy of this book because, to be honest with you, I was already using this book as a reference before it was finished. I had been having some difficulty deploying an access agent within the new 11g framework and I was able to find a very detailed explanation within Atul’s book. I am not sure that I can give a higher compliment to an author than to say, “I was using your book before it was even printed!”.
What I like best about this book is that Atul starts out in the first chapters with a very nice, detailed, explanation of Identity Management and then builds on that explanation to introduce each component of Oracle Identity and Access Manager. Several chapters are tied together in that they build on fundamentals explained in a previous chapter but that doesn’t mean that someone couldn’t jump into a chapter and not still receive a good understanding of those specific concepts.
I have already recommended this book to several people that are new to Oracle Identity Management as well as to some folks that have several years of Oracle Identity Management experience. I recommend this book to anyone who is working with Oracle Identity and Access Management 11g.