D Policy Configuration: Shared Components and Application Domains Copyright © 2010, Oracle and/or its affiliates All rights reserved Custom Resource Types • • • OAM 11g utilizes custom resource types to support nonHTTP resources Non-HTTP resources are used by fusion applications and other JEE applications as a basis for AuthN and AuthZ when communicating with the OAM server Some examples where custom resource types are utilized: – Fusion applications SSO – Custom authenticator for JEE applications (non-WebGate scenario) – Identity asserter for OWSM – CredMapper for JEE applications auto login D-2 Copyright © 2010, Oracle and/or its affiliates All rights reserved Custom Authenticator Use Case – A user accesses the J2EE application directly because there is no WebGate in this scenario – The application authenticates with the OAM identity authenticator implementation in the CSS layer by passing the username and password – To fulfill the authentication, the OAM identity authenticator contacts OAM on a NAP channel – Upon successful authentication, the OAM identity authenticator returns the subject to the J2EE application D-4 Copyright © 2010, Oracle and/or its affiliates All rights reserved Fusion Applications SSO Use Case – A client accesses an ADF application, which is protected by an anonymous authentication The ADF application determines that authentication is required, so it redirects to a WebGate-protected ADF authentication servlet – The WebGate connects to OAM for the authentication policy – If AuthN is successful, access to the ADF AuthN servlet is granted, which then redirects to the original ADF controller application – The OAM identity asserter intercepts the request and asserts the identity of the user – This step is optional The identity asserter may or may not contact OAM to assert the user It can be configured to trust the connections from the WebGate, in which case it does not need to contact OAM – The request goes back to the ADF controller application D-5 Copyright © 2010, Oracle and/or its affiliates All rights reserved Creating Custom Resources Note: No host ID is prefixed for custom resources; no support for virtual hosts No patterns are supported for custom resource types (they are all literals) D-6 Copyright © 2010, Oracle and/or its affiliates All rights reserved Authentication Parity with OAM 10g OAM 10g OAM 11g Support for SSO over protected resources within domain YES YES Support for multi-level and step-up authentication YES YES Custom authentication plug-in YES NO Authentication step (authentication module chaining) YES NO Orchestration across multiple authentication steps YES NO Support for centralized Web server for credential collection YES YES Support for distributed/external credential collection YES NO BASIC/FORM/X.509 authentication YES YES OCSP/WNA NO YES EXT Authentication/CRL Support YES NO Feature D-7 Copyright © 2010, Oracle and/or its affiliates All rights reserved OAM 10g Parity Items Features Not Implemented in 11g R1 Feature Authorization expressions URL query string-based resource matching Additional wildcarding support Policies scoped to a specific HTTP operation Chained authentication schemes AuthN/AuthZ extensibility SPIs User properties, mapping LDAP attributes (or other sources) into the deployment Referential objects (constraints, responses), used from policies in multiple domains D-8 Copyright © 2010, Oracle and/or its affiliates All rights reserved Authentication: Troubleshooting Tips • • D-9 Logging – OAM11g server logs can be used for request tracing The logger name used by the authentication engine components is oracle.oam.engine.authn WNA - HTTP trace can be used to check SPNEGO/NTLM passed in a request (NTLM is not supported) Copyright © 2010, Oracle and/or its affiliates All rights reserved Success and Failure URL This shows an example of redirection where a more meaningful message is returned than “File not found.” Authorization fails Web server Requests access to OAM server resource AuthzFailure.html WebGate Content D - 10 WebGate redirects to AuthzFailure.html We are sorry but you are not authorized to access this resource If you would like to request access, contact Application Administrator Copyright © 2010, Oracle and/or its affiliates All rights reserved Returning Session or Cookie or HTTP Header Variable Authorization succeeds Web server Requests access to OAM server resource Authorization success Welcome John Smith! D - 11 WebGate Content Set header variable HTTP_WELCOME_CN Application processes header variable and embeds the CN attribute in returned page Copyright © 2010, Oracle and/or its affiliates All rights reserved Validating Authentication and Authorization in an Application Domain • Enter the URL for an application protected by the registered agent – Confirm that the login page appears • D - 13 Enter a valid username and password Copyright © 2010, Oracle and/or its affiliates All rights reserved Authentication Module Features • Delegated Authentication Module (DAP): – – – – D - 14 Asserts user identity by using tokens Delegates authentication to a trusted service OAM verifies the token provided by the service OAM-OIF integration Copyright © 2010, Oracle and/or its affiliates All rights reserved Shared Components: Authentication Schemes • Challenge methods: – DAP – LDAP Module D - 15 Copyright © 2010, Oracle and/or its affiliates All rights reserved Shared Components: Authentication Schemes AuthN Scheme AuthN Module Challenge Method AuthN Level Anonymous Anonymous None Basic LDAP Basic LDAPNoPasswordValidation LDAPNoPasswordAuth Form LDAP LDAP Form Kerberos Kerberos WNA OAAMBasic LDAP Form OAAMAdvanced LDAP Form OIM LDAP Form X509 X509 X509 OAM 10g LDAPNoPasswordAuth OAM 10g OIF DAP D - 17 DAP Copyright © 2010, Oracle and/or its affiliates All rights reserved