A good starting point is Warren Strange’s (Strange Brew) “Adding an OpenID Relying Party to Oracle Identity Federation (OIF)”. In this post Warren describes, in perfect detail, how to integrate OIF with Google as your Identity Provider. As Warren points out, OIF includes a test service provider integration module that you can use to validate that you have things configured correctly. You will have to change to use another Service Provider Integration Module (OSSO, OAM or Custom) to actually leverage this in production; otherwise the user will always end up on the test results page regardless of where they were attempting to get to.

The other side to the coin is adding an OpenID Identity Provider to Oracle Identity Federation. In my customer’s use case they have internal organizations that would like to consume identity information, from my customer, but they still want to remain loosely coupled. Their choice here would be to go with SAML or OpenID. They will be supporting both options.

First, make sure that you are on at least OIF 11.1.1.4.

To enable OIF as an OpenID IdP you need to log into Enterprise Manager and go to Oracle Identity Federation >> Administration >> Identity Provider. Make sure that the Identity Provider is enabled in the Common tab, Apply (if not already enabled) and then switch to the OpenID 2.0 tab. From this tab, make sure to check Enable OpenID 2.0 Protocol then at the bottom of the screen click on the box that says Create, which is next to “Generic OpenID Service Provider”. This provides configuration for service providers that are not specifically named in the Federation. Click Apply.

Next, go to Oracle Identity Federation >> Administration >> Federations. You should see to Trusted Providers already listed. The first will have a Provider-ID of “Unknown-OpenID-RP”, which was created when you created the generic provider in the step before. The second, which will be there if you followed the steps in Warren’s blog, will have a Provider-ID of “Google” (or something like that). You will need to add a provider for your IDP. Click on “Add” and the “Add Trusted Provider” screen will open. Click the radio button next to “Add Provider Manually”. Let’s assume that we are implementing this for a company called Acme, Inc.

Complete the information as shown below, and then click “OK”.

Next, highlight the Provider you just created and click on “Edit”.

In the Trusted Provider Settings tab add the Endpoint URL and the Discovery URL:

Endpoint URL: http://fed.acme.com:7777/fed/idp

Discover URL: http://fed/acme.com:7777/fed/idp

Then, click on the Oracle Identity Federation Settings tab.

To enable a setting you have to click on the little square in the circle until it turns blue and then check the box at the end of the line. You want to enable both Map User via Federated Identity and Error when User Mapping fails. Your screen should then look like this:

Click Apply.

Optionally, you can enable the Attribute Exchange by clicking “Edit” next to Attribute Mappings and Filters.

The last thing you need to confirm that your Identity Provider has a user identity store that it will authenticate against. You can do this by clicking on Oracle Identity Federation >> Administration >> Authentication Engines. The Default Authentication Engine will be set for whatever you selected during install. The default is JAAS. I changed mine to LDAP Directory. Then click on the LDAP Directory tab. Click Enable Authentication Engine and complete the requested information. Make sure you test the LDAP connection before applying.

At this point you can test using the same steps that Warren outlined in his blog post:

Go to: http://fed.acme.com:7777/fed/user/testspsso

Select ACME from the IdP Provider ID drop-down box.

Then click on Start SSO. You should be prompted by OIF’s default IDP to authenticate

and then after successfully authenticating you will have to Accept on a User Consent page and

then you will be returned to status page showing you a successful authentication.

So, those are the basic steps. There are a number of use cases that would require additional configuration. For Federal agencies implementing this for a FICAM solution you would need to look at enabling the Provider Authentication Policy Extension (PAPE) 1.0 options on the Identity Provider configuration page.

About TUMY | Technology, Inc.
TUMY | technology, inc. (TTi) provides Identity & Access Management (IAM) solutions that secure and manage digital identities and applications.
In response to growing security threats and regulatory compliance mandates (HIPAA, Sarbanes-Oxley, etc.) organizations need solutions that can be implemented quickly to identify users and their entitlements before giving access to requested resources. We specialize in vendor solutions such as ForgeRock and Oracle. Our mission is to deliver secure, robust and cost-effective solutions to our clients. Please contact us at: info “at” tumy-tech.com or 1.240.215.4825

ForgeRock:

• OpenAM

Oracle:

• Oracle Identity and Access Manager 11g for Administrators
• Designing an IAM Framework with Oracle Identity and Access Management Suite (Oracle Press)
• Effective Oracle Database 10g Security by Design

I ended up with an ldif file that contained a lot of records like this:

dn: cn=Babs Jensen@ACME.GOV,ou=temp_user_load
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: 1234556677@ACME.GOV
cn: Babs.Jensen@ACME.gov
cn: Jensen, Babs
sn: Jensen
givenName: Babs
mail: BABS.JENSEN@ACME.GOV
vdejoindn: ou=acmeinfo_temp:cn=JENSEN\,BABS,ou=acmeinfo_temp
vdejoindn: AD_temp:CN=babs.jensen@ACME.GOV,OU=locations,OU=park,ou=ad_t
emp,dc=acme,dc=local
fascnDecoded: 1234567890987654321
guid: ABcdedghi1234567890
ssn: 12345678

…

Note: With the SED command you can make changes directly to the source file but I am creating a new target file with each change I can make so that I can always revert back if the command doesn’t work exactly the way I want it to.

I wanted to get rid of lines that don’t start with an attribute name (In my case I am free to get rid of lines that carry over into the second line … YMMV)

I also wanted to specifically wanted to get rid of all lines that start with “vdejoindn:” and there are also some vdejoindn lines that overrun onto a second line that won’t beremoved if I use sed to remove lines with the pattern matching vdejoindn:.

So, first I want to remove all lines that don’t contain a colon. This removes the overrun lines but also all blank lines.

$ sed ‘/:/!d’ input.ldif > tmp.ldif

this keeps the lines with a colon.

But now we don’t have breaks between the records

$ sed ‘s/^dn:/\n&/g’ tmp.ldif > tmp2.ldif

Ok, now I want to get rid of the lines that have “vdejoindn:”.

$ sed ‘/vdejoindn:/d’ tmp2.ldif > tmp3.ldif

Now at some point I ended up with “^M” at the end of each file … I don’t know if this is because I opened with VIM in Windows before moving to Linux … I am going to assume so but either way in this instance I want to remove these characters.

$ dos2unix tmp3.ldif > tmp4.ldif

Alright, Now, for me to import this into Oracle Internet Directory (OID) I’ll need to add the “changetype” directive. I am going to add the string “changetype: add” on a new line after each line with “ou=temp_user_load:” which is the temporary suffix I used in this export.

$ sed ‘/ou=temp_user_load/ a\changetype: add’ tmp4.ldif > tmp5.ldif

Now, should be the last step, prior to importing, is to correct the entries “DN” attribute. Essentially, we need to replace “ou=temp_user_load” with the correct suffix for where these users will be created.

$ sed ‘s/ou=temp_user_load/cn=Users,o=icam,dc=acme,dc=local/g’ tmp5.ldif > tmp6.ldif

At this point my ldif file (“tmp6.ldif”) is ready to import into my directory. You can use the ldapmodify command or since I am using OID you can use bulkload (which is recommended for large record sets).

Here is how to get a list of what components are installed and their current version:

$ORACLE_HOME/OPatch/opatch lsinventory -detail

This will dump out a ton of information on the instance of OHS.

What I like best about this book is that Atul starts out in the first chapters with a very nice, detailed, explanation of Identity Management and then builds on that explanation to introduce each component of Oracle Identity and Access Manager.  Several chapters are tied together in that they build on fundamentals explained in a previous chapter but that doesn’t mean that someone couldn’t jump into a chapter and not still receive a good understanding of those specific concepts.

I have already recommended this book to several people that are new to Oracle Identity Management as well as to some folks that have several years of Oracle Identity Management experience.  I recommend this book to anyone who is working with Oracle Identity and Access Management 11g.

I was a little nervous about changing this because sometimes the port number is referenced in a lot of different places which makes changing it a little difficult to say the least.

As it turns out changing this is pretty trivial. You need to change the port referenced in the config.xml file and then in the startup and shutdown scripts. That’s it.

Step 1. Modify the config.xml file:

Open the following file: $Middleware_home/user_projects/domains/IDMDomain/config/config.xml

In the server directive, change the value from 7002 to 7001: (Make sure you catch all instances of the port)

    AdminServer
    1000
    200000
    20
    21

      AdminServer
      true
      7001

    idm.acme.com
    7001

Ok, so save those changes and then go to Step 2.

Step 2. Modify shutdown scripts:

Change to the directory that contains the startup and shutdown scripts for Weblogic:

$ cd $MIDDLEWARE_HOME/user_projects/domains/IDMDomain/bin

You will need to edit the following files: startManagedWeblogic.sh, stopWeblogic.sh and stopManagedWeblogic.sh

Look for the ADMIN_URL variable and change the port in the value (e.g., ADMIN_URL=”t3://idm.acme.com:7001″) from 7002 to 7001.

That’s it!

Now, save the changes to those to files and then restart WebLogic Admin and any managed servers.

paulmadsen

Is it within a PDPs job description to respond to queries of the form ‘I intend to do X at Y. That OK?’ with a signed ‘You can do X at Y’

4/7/11 1:40 PM

bobblakley  @paulmadsen You’ve essentially described a subject-bound capability. You can do this as a bearer token too; “the bearer can do X at Y” 4/7/11 1:47 PM

bobblakley  @bobblakley @paulmadsen (and to answer your actual question: it depends. On the PDP’s interface and semantic description) 4/7/11 1:50 PM

paulmadsen  @bobblakley thanks Bob, that’s what I expected. So PDP not necessarily constrained to y/n answers 4/7/11 2:02 PM

independentid  @paulmadsen Pre-use decisions carry the same issues as claims-based attributes. Tendency towards more information in case of need>gtr costs 4/7/11 2:17 PM

paulmadsen  @independentid you seem to be interpreting ‘claims- based’ more narrowly than I, ie that they necessarily imply capabilities/pre-use authz? 4/7/11 2:27 PM

NishantK  @paulmadsen But that’s the model that is needed to deliver on the promise of claims-based authorization, isn’t it? /cc @independentid 4/7/11 2:52 PM

paulmadsen  @NishantK I think a claim can carry (as per Hal) either a property or a capability – the latter implies the issuer does some ‘pre-authz’ 4/7/11 2:56 PM

NishantK  @paulmadsen Agreed. But to @independentid’s point, both cases precede actual use, and force sender of claim to “plan” for all possibilities 4/7/11 3:28 PM

independentid  @NishantK @paulmadsen How does sender know what decisions will be needed? Discovery – securityconstaint? Can decider decide without context? 4/7/11 3:32 PM

paulmadsen  @NishantK but with the property model, the issuer doesnt need to know the particulars of the subsequent use – like a passport 4/7/11 3:32 PM

paulmadsen  @independentid agreed. Capabilities model implies resource info made available to PAP 4/7/11 3:36 PM

independentid  @paulmadsen Kind of like the “visa”s we use to have meetings in the US? The analogy that advance decisions are like passport visas. 4/7/11 3:36 PM

paulmadsen  @independentid who issued the visa – Canada or the US? 4/7/11 3:41 PM

independentid  @paulmadsen Well, I believe since you are in Canada, the PDP is US. I know its confusing, since your US PDP is actually in Ottawa 4/7/11 3:43 PM

paulmadsen  @independentid its an exit visa Im thinking of, ie Canada saying Im allowed to leave 4/7/11 3:49 PM

NishantK  @paulmadsen Yes, property model means issuer doesn’t need to know, but also can’t know if it wants to (which is a real issue for enterprise) 4/7/11 4:28 PM

NishantK  @paulmadsen Also externalizing authZ is about RP not needing to know decision context (something they’re often bad at), leaving it to Issuer 4/7/11 4:41 PM

Steve_Lockstep @paulmadsen @brad_tumy CCW as in COM Callable Wrapper? Too tech for me I just say context usually clear to RP so design claims to match 4/7/11 5:50 PM

The following outlines the steps required to create a RootCA, generate a certificate request, sign the request and then import the signed certificate back into the JKS.

A few notes about my environment:

• These instructions were validated on Oracle Enterprise Linux (for most flavors of Linux these instructions will be the same)
• OpenSSL and Keytool were already installed on the server
• In my example everything was installed on the same server … your OpenSSL instance may be on a different server.
• OpenSSL and Keytool are available on my users $PATH … yours may not be.

So, let’s do this thing …

Configure a CA, using OpenSSL

1. Create a working directory:mkdir /opt/rootCA
2. Under /opt/rootCA make the following directories: private, certs, newcerts
   
3. Change the permissions of rootCA (and subdirectories):chmod -R 700 /opt/rootCA
   
4. From the /opt/rootCA directory, find (system wide) and make a local copy of the openssl.cnf (/opt/rootCA/openssl.cnf). You do not have to use the default configuration file that is installed with OpenSSL. In my case it was owned by root and I couldn’t change it anyway. So, I made a copy of it and was able to make the changes I needed. Note: I set all of the attributes to optional because I kept getting an error when I tried to sign the certificate that some of the required attributes were missing from the server certificate (maybe a bug??)
5. Create the CA certificate:openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

Create a keystore and private key:

keytool -genkey -alias alias -keyalg RSA -keysize 1024 -dname “server dn” -keypass keypass -keystore keystore.jks -storepass storepass

Create a certificate request (CSR) from the application server:

keytool -certreq -v -alias alias -file servername.csr -keypass keypass -storepass storepass -keystore ./keystore.jks

Sign the Certificate Requst:

1. Sign the CSRopenssl ca -config openssl.cnf -in ../Middleware/keystores/servername.csr -out newcerts/servername.pem

Import the Trusted Root CA into the servers keystore:
keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass storepass

Convert the signed cert (*.cer) into DER format (keytool preference) **

openssl x509 -outform der -in certificate.pem -out certificate.der

Import the signed cert into they server’s keystore:
keytool -import -v -alias alias-file servername.der -keystore keystore.jks -keypass keypass -storepass storepass

**Note: keytool whined that the cert was not in der format so, I used openssl to convert it.

I would love to hear feedback on these instructions and any steps that would make this easier.