5 Policy Configuration: Shared Components and Application Domains Copyright © 2010, Oracle and/or its affiliates All rights reserved Objectives After completing this lesson, you should be able to: • Manage shared components – Resource types – Host identifiers – Authentication schemes • 5-2 Configure application domains Copyright © 2010, Oracle and/or its affiliates All rights reserved Road Map • • • • • • 5-3 Resource types and host identifiers Explaining access control: AuthN and AuthZ AuthN modules and AuthN schemes Understanding policy objects and policy model Managing an application domain: Resources, AuthN and AuthZ policies Pictorial representation: Application domain and policy objects Copyright © 2010, Oracle and/or its affiliates All rights reserved Shared Components: Resource Types • • • • Shared components, along with application domains, comprise policy configuration within OAM You can find them in WLS admin console > Policy Configuration > Shared Components Shared components are those elements that can be used across application domains to protect one or more resources Shared Components include: – Resource types – Host identifiers – Authentication schemes • Resource types include: – Kinds of resources include: HTTP or HTTPS (default) and custom 5-4 Copyright © 2010, Oracle and/or its affiliates All rights reserved Shared Components: Host Identifier • • Host identifiers specify where the agents reside A host can be known by multiple names – List of all addressing methods for the host • OAM agents protect all requests that match – The host identifier used in the policy (application domain) – All the addressing methods that you configured for that host • • • 5-5 A host identifier is automatically created when you register an agent by using the OAM admin console or remote registration tool – Administrators can also manually add a host identifier Administrators can apply security policies to resources based on host identifiers Each resource and host identifier combination must be unique across all application domains Copyright © 2010, Oracle and/or its affiliates All rights reserved Road Map • • • • • • 5-8 Resource types and host identifiers Explaining access control: AuthN and AuthZ AuthN modules and AuthN schemes Understanding policy objects and policy model Managing an application domain: Resources, AuthN and AuthZ policies Pictorial representation: Application domain and policy objects Copyright © 2010, Oracle and/or its affiliates All rights reserved Access Control • • • Authenticates and authorizes access to protected and public resources Is a centralized credential collector Authentication – – – – – • Anonymous Username/password (Form, Basic) WNA X.509 Authentication levels and step up Authorization – User/group – IP address – Time-based 5-9 Copyright © 2010, Oracle and/or its affiliates All rights reserved Access Control Unauthenticated Access Application Access Redirect to Central Login Page OAM Agent Application Submit Credentials Validate Session & Authorize End User Credential Collector Authentication AuthN Engine Authorize AuthZ Engine Oracle Access Manager 11g Oracle WebLogic Server - 10 Copyright © 2010, Oracle and/or its affiliates All rights reserved Authentication • • • • • • - 11 The authentication engine is driven by authentication schemes Authentication policies determine the applicable authentication scheme Each authentication scheme consists of a CHALLENGE metadata and reference to an instance of an authentication module Centralized credential collector Supported authentication module types are LDAP, X.509 and Kerberos Authentication or user mapping is performed against a primary identity provider Copyright © 2010, Oracle and/or its affiliates All rights reserved Authorization • Authorization is performed through an embedded OES engine with OAM extensions: – OAM custom resource matching – OAM constraint evaluation (IP and time) • • Policies are persisted to the database (Oracle DB) Support for user/group, IP address, and time constraints: – ALLOW jdoe for RESOURCE() — — IF ip=x.x.x.x & time=Sunday RESPOND WITH – DENY jsmith for RESOURCE() — — - 12 IF ip=x.x.x.x & time=Sunday RESPOND WITH Copyright © 2010, Oracle and/or its affiliates All rights reserved Response Flows AccessGate-based: • AuthZ: Same as for WebGate flow • AuthN: Responses are processed and returned immediately mod_osso-based: • OSSO supports the ability to set one or more arbitrary cookies in the user’s browser during authentication, done by providing an implementation of the Java IPASCustomCookieInterface Responses can replace this code (assuming the supported providers expose the data needed) - 55 Copyright © 2010, Oracle and/or its affiliates All rights reserved Response Providers • Three different providers are included, supporting the following namespaces: – request – Information on the requested resource, the client making the request, and the policy matched during evaluation (RequestValueProvider) – session – User session details (SessionValueProvider) – user – User ID, group, and attribute information (IdentityValueProvider) - 56 Copyright © 2010, Oracle and/or its affiliates All rights reserved Supported Variable Names Request information - 58 Variable name Description agent_id Name of the requesting agent client_ip IP address of the user’s browser policy_appdomain Name of the application domain holding the policy matched for the request policy_name Name of the AuthN/AuthZ policy matched for the request policy_res Resource host ID and URL pattern matched for the request res_host Requested resource’s host name res_port Requested resource’s port number res_type Requested resource’s type res_url Requested resource URL Copyright © 2010, Oracle and/or its affiliates All rights reserved Supported Variable Names Session information - 59 Variable name Description attr Reference to an arbitrary session attribute, the name of which is passed to you as a variable attribute Its value has been bound to the session by executing a session response during a previous request authn_level Current authentication level for the session authn_scheme Name of the AuthN scheme executed to achieve the current AuthN level count Session count for the user bound to this session creation Session creation time expiration Session expiration time Copyright © 2010, Oracle and/or its affiliates All rights reserved Supported Variable Names User information - 60 Variable name Description attr Reference to an arbitrary LDAP attribute, the name of which is passed to you as a variable attribute groups Comma-separated list of the user's group memberships userid The user ID Copyright © 2010, Oracle and/or its affiliates All rights reserved Authorization Constraints • These are the requirements that must be fulfilled before responding to a client's request – Evaluation of constraints determines if the authorization policy applies to the incoming request • Constraint Type: – Allow or Deny Condition • Configure Constraint based on: – IP addresses (IP4 Range) – Users or Groups (Identity) – Time periods (Temporal) • - 61 Access is allowed if there are no constraints and Use Implied Constraint is enabled (default) Copyright © 2010, Oracle and/or its affiliates All rights reserved Road Map • • • • • • - 63 Resource types and host identifiers Explaining access control: AuthN and AuthZ AuthN modules and AuthN schemes Understanding policy objects and policy model Managing an application domain: Resources, AuthN and AuthZ policies Pictorial representation: Application domain and policy objects Copyright © 2010, Oracle and/or its affiliates All rights reserved Application Domain Application domain Resource(s) Resource Resource Resource AuthN Policy N AuthZ Policy N Success & Failure URL Success & Failure URL Authentication Scheme Constraint(s) Resource(s) Resource(s) Response(s) Response(s) Resource - 64 Copyright © 2010, Oracle and/or its affiliates All rights reserved Conceptual Relationships for Policy Objects Identity Store (for LDAP Auth Module only) LDAP Provider AuthN Module Type AuthN Module App Domain AuthN Schema Host Identifier AuthN Policy AuthN Response - 65 Resource Type Resource AuthZ Policy AuthZ Response Copyright © 2010, Oracle and/or its affiliates All rights reserved Constraint Summary In this lesson, you should have learned how to: • Manage shared components – Resource type – Host identifier – Authentication schemes • - 67 Configuring application domains Copyright © 2010, Oracle and/or its affiliates All rights reserved Quiz Constraints are defined for a AuthZ policies b AuthN policies c AuthN and AuthZ policies d Resources - 68 Copyright © 2010, Oracle and/or its affiliates All rights reserved Quiz Which of the following statements are true: a One or many AuthN modules are directly assigned to an AuthN policy b One AuthN scheme is assigned to an AuthN policy, which assigns the AuthN module mapped to that scheme c An AuthN module is optionally attached to an AuthN scheme based on the rules of the AuthN policy d All of the above - 69 Copyright © 2010, Oracle and/or its affiliates All rights reserved Quiz The response provider or providers in OAM 11g are a Request b User c Session d All of the above - 70 Copyright © 2010, Oracle and/or its affiliates All rights reserved Quiz Kerberos authentication module for WNA is supported in OAM 11g a True b False - 71 Copyright © 2010, Oracle and/or its affiliates All rights reserved Practice Overview: Protecting Resources by Using Application Domains This practice covers the following topics: • Deploy multiple applications on WLS and OHS • Single sign-on-enable the applications • Create application domains to protect the resources – AuthN policies – AuthZ policies - 72 Copyright © 2010, Oracle and/or its affiliates All rights reserved