Using OUD plugin for SAML authentication with OAM against users stored in SQLServer

Here is a practical example of how a custom OUD plugin can speed up the deployment of an Identity Management solution at a fraction of the cost of developing a custom connector:

The use case is to enable SAML authentication as an IdP where some of the users are stored in a SQL Server database and some in AD (external users in the database, internal users in AD).

The customer is planning to have OAM authenticate the users and play the role of SAML IdP, doing LDAP authentication for the users stored in the database and Kerberos for the users stored in AD. To let OAM authenticate the users stored in the database, OUD can be deployed as an RDBMS proxy thanks to its RDBMS workflow element, so that the users stored in a database table are exposed as an LDAP tree that OAM authenticates against.

The problem is the password field in the database, which is hashed in an application-specific way that OUD cannot verify out of the box.

The trick is to deploy a custom OUD plugin component ahead of the RDBMS workflow element. That plugin processes bind requests only. Upon reception of a bind request for a user stored in SQL Server, the custom plugin retrieves the user entry containing the hashed password and the salt, accesses the plain-text password provided in the bind request, and performs the password comparison with the custom logic.

Design, development and testing took me a couple of days, much simpler and more cost-effective than adding support for this new source in OAM/OIM.
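To make the bind-time flow concrete, here is an added Python model of what such a plugin does; it is not the customer's plugin nor OUD's plugin API. The hashing scheme (SHA-256 over salt || password, hex-encoded), the attribute names dbPasswordHash and dbPasswordSalt, the sample DN and the operation-result strings are all assumptions standing in for the real ones. The comparison runs in constant time and an unknown DN costs the same as a wrong password, so a bind failure does not reveal whether the user exists.

```python
import hashlib
import hmac

# Assumed hashing scheme standing in for the customer's "specific" one:
# SHA-256 over (salt || UTF-8 password), hex-encoded. The real plugin
# implements whatever the application that populates the table uses.
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed sample of what the RDBMS workflow element exposes for one
# database user: the stored hash and its salt as attributes of the LDAP
# entry (attribute names are hypothetical).
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE_ENTRIES = {
    "uid=ext.user,ou=external,dc=example,dc=com": {
        "dbPasswordHash": hash_password("correct horse", SAMPLE_SALT),
        "dbPasswordSalt": SAMPLE_SALT.hex(),
    },
}

# Salt for the dummy computation on unknown users, so that "no such user"
# takes as long as "wrong password" and does not leak which DNs exist.
DUMMY_SALT = b"\x00" * 8


def handle_bind(bind_dn: str, plain_password: str, entries=SAMPLE_ENTRIES) -> bool:
    """Decide a simple bind the way the custom plugin does: look up the entry
    behind the bind DN, recompute the hash from the plain-text credential and
    the stored salt, and compare in constant time."""
    entry = entries.get(bind_dn)
    # An empty password is an unauthenticated bind, never a password match.
    if entry is None or not plain_password:
        hash_password(plain_password, DUMMY_SALT)
        return False
    salt = bytes.fromhex(entry["dbPasswordSalt"])
    computed = hash_password(plain_password, salt)
    return hmac.compare_digest(computed, entry["dbPasswordHash"])


def pre_operation(op_type: str, bind_dn: str = "", plain_password: str = "",
                  entries=SAMPLE_ENTRIES) -> str:
    """Plugin entry point: only BIND is handled here; every other operation is
    passed through untouched to the RDBMS workflow element."""
    if op_type != "BIND":
        return "CONTINUE"
    if handle_bind(bind_dn, plain_password, entries):
        return "BIND_SUCCESS"
    return "INVALID_CREDENTIALS"


if __name__ == "__main__":
    dn = "uid=ext.user,ou=external,dc=example,dc=com"
    print(pre_operation("BIND", dn, "correct horse"))   # BIND_SUCCESS
    print(pre_operation("BIND", dn, "wrong"))           # INVALID_CREDENTIALS
    print(pre_operation("SEARCH"))                      # CONTINUE
```

The plain-text credential is only ever used inside handle_bind and is never written to the entry or to a log; the stored hash is compared with hmac.compare_digest rather than ==.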

ODSM Silent Install

If you plan to manage Oracle Unified Directory (OUD) with Oracle Directory Services Manager (ODSM), you must install and configure it as described in the Installation Guide. The installation process described there relies on a graphical user interface.

Here is the equivalent procedure in silent mode, so that you can incorporate it in a script or an automated procedure.
In short, you need to install OUD as described in this post, install an application server (WebLogic), install the ADF framework, install ODSM and add it to a WebLogic domain, then start WebLogic.

#1 WebLogic installation

– download WebLogic 10.3.6 from http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html
– locate wls1036_generic.jar in the delivery
– create an input file (WEBLOGIC_silent.xml) for the WebLogic install; customize BEAHOME, USER_INSTALL_DIR and LOCAL_JVMS for your environment (the example assumes that the middleware components are installed in /local/myinstall)

<?xml version="1.0" encoding="UTF-8"?>
<bea-installer> 
<input-fields>
<data-value name="BEAHOME" value="/local/myinstall" />
<data-value name="USER_INSTALL_DIR"  value="/local/myinstall" />
<data-value name="INSTALL_NODE_MANAGER_SERVICE"   value="no" />
<data-value name="COMPONENT_PATHS" value="WebLogic Server/Core Application Server|WebLogic Server/Administration Console|WebLogic Server/Configuration Wizard and Upgrade Framework|WebLogic Server/Web 2.0 HTTP Pub-Sub Server|WebLogic Server/WebLogic JDBC Drivers|WebLogic Server/Third Party JDBC Drivers|WebLogic Server/WebLogic Server Clients|WebLogic Server/WebLogic Web Server Plugins|WebLogic Server/UDDI and Xquery Support|WebLogic Server/Server Examples" />
<data-value name="LOCAL_JVMS" value="/usr/lang/JAVA/jdk7_u45/linux-x64"/>
</input-fields>
</bea-installer>

– run the generic installer with the JDK referenced in LOCAL_JVMS:
java -jar wls1036_generic.jar -mode=silent -silent_xml=./WEBLOGIC_silent.xml

#2 Install ADF

– download the Oracle Application Development Framework from Oracle Technology Network (OTN) at http://www.oracle.com/technetwork/developer-tools/adf/downloads/index.html
– locate and unzip appdev.zip to a target directory, e.g. /local/myinstall/appdev_unzip
– create an input file (oui_install.rsp) to install appdev; customize ORACLE_HOME and MIDDLEWARE_HOME for your environment

[ENGINE]

#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0

[GENERIC]

#Set this to true if you wish to specify a directory where latest
#updates are downloaded. This option would use the software updates from
#the specified directory
SPECIFY_DOWNLOAD_LOCATION=false

#
SKIP_SOFTWARE_UPDATES=true

#If the Software updates are already downloaded and available on your
#local system, then specify the path to the directory where these patches
#are available and set SPECIFY_DOWNLOAD_LOCATION to true
SOFTWARE_UPDATES_DOWNLOAD_LOCATION=

#Provide the Oracle Home location. The location has to be the immediate
#child under the specified Middleware Home location. The Oracle Home
#directory name may only contain alphanumeric , hyphen (-) , dot (.) and
#underscore (_) characters, and it must begin with an alphanumeric
#character. The total length has to be less than or equal to 128
#characters. The location has to be an empty directory or a valid SOA
#Oracle Home.
ORACLE_HOME=/local/myinstall/Oracle_appdev

#Provide existing Middleware Home location.
MIDDLEWARE_HOME=/local/myinstall

#
CONFIG_WIZARD_RESPONSE_FILE_LOCATION=0

[SYSTEM]

[APPLICATIONS]

[RELATIONSHIPS]

– install appdev (customize the install, inventory pointer and JDK paths for your environment)

/local/myinstall/appdev_unzip/appdev/Disk1/runInstaller -silent -response ./oui_install.rsp -invPtrLoc /local/myinstall/appdev_unzip/oraInst.loc -jreLoc /usr/lang/JAVA/jdk7_u45/linux-x64 -waitforcompletion

#3 Create Weblogic domain for ODSM

– create a template file (e.g. create_domain.py) and customize the template path, the weblogic user password, the listen address and the domain directory for your environment.

#!/usr/bin/python
# WLST script: run it with wlst.sh (step below), not with a plain Python interpreter.
import os, sys
# Base WebLogic Server domain template under the Middleware Home (customize the path).
readTemplate(r'/local/myinstall/wlserver_10.3/common/templates/domains/wls.jar')
# Password of the weblogic administrator account (customize).
cd(r'/Security/base_domain/User/weblogic')
cmo.setPassword('welcome1')
# AdminServer name, plain listen port and listen address (customize the address).
cd(r'/Server/AdminServer')
cmo.setName('AdminServer')
cmo.setListenPort(7001)
cmo.setListenAddress('mylocalhost')
# SSL listener on 7002; hostname verification is switched off here for a test install.
create('AdminServer','SSL')
cd('SSL/AdminServer')
cmo.setEnabled(true)
cmo.setListenPort(7002)
cmo.setHostnameVerificationIgnored(true)
cmo.setHostnameVerifier(None)
cmo.setTwoWaySSLEnabled(false)
# Target directory of the new ODSM domain (customize).
writeDomain(r'/local/myinstall/WEBLOGIC_domains/ODSM')
closeTemplate()
exit()

– Run the following command to create the ODSM domain:

/local/myinstall/oracle_common/common/bin/wlst.sh /local/myinstall/create_domain.py

#4 Configure ODSM

– create a template file (e.g. config_odsm.py) and customize the domain directory and the ODSM template path for your environment

#!/usr/bin/python

import os, sys

readDomain('/local/myinstall/WEBLOGIC_domains/ODSM')
addTemplate(r'/local/myinstall/Oracle_OUD/common/templates/applications/oracle.odsm_11.1.1.5.0_template.jar')
updateDomain()
closeDomain()
exit()

– Run the following command:

/local/myinstall/oracle_common/common/bin/wlst.sh /local/myinstall/config_odsm.py

#5 Start Weblogic domain

/local/myinstall/WEBLOGIC_domains/ODSM/bin/startWebLogic.sh
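Since the point of the silent procedure is to drive it from a script, here is an added Python generator for the two input files above (not part of the original post or of any Oracle tool). It takes the environment-specific values as parameters, reads the administrator password from the WLS_ADMIN_PASSWORD environment variable instead of hard-coding it, refuses values that would break the quoted WLST literals, and writes the generated domain script with owner-only permissions because it carries the password. The parameter names, the environment variable and the output file names are assumptions; the paths and host name are the ones used in the procedure. The generated domain script leaves WebLogic's hostname verification at its default instead of disabling it.

```python
import os
from pathlib import Path

# Hypothetical per-environment parameters (constructed values matching the
# procedure above). Only these keys are substituted into the templates.
DEFAULT_PARAMS = {
    "mw_home": "/local/myinstall",
    "jdk_home": "/usr/lang/JAVA/jdk7_u45/linux-x64",
    "listen_address": "mylocalhost",
    "domain_dir": "/local/myinstall/WEBLOGIC_domains/ODSM",
}
REQUIRED = tuple(DEFAULT_PARAMS)

WLS_SILENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<bea-installer>
<input-fields>
<data-value name="BEAHOME" value="{mw_home}" />
<data-value name="USER_INSTALL_DIR" value="{mw_home}" />
<data-value name="INSTALL_NODE_MANAGER_SERVICE" value="no" />
<data-value name="COMPONENT_PATHS" value="WebLogic Server/Core Application Server|WebLogic Server/Administration Console|WebLogic Server/Configuration Wizard and Upgrade Framework|WebLogic Server/Web 2.0 HTTP Pub-Sub Server|WebLogic Server/WebLogic JDBC Drivers|WebLogic Server/Third Party JDBC Drivers|WebLogic Server/WebLogic Server Clients|WebLogic Server/WebLogic Web Server Plugins|WebLogic Server/UDDI and Xquery Support|WebLogic Server/Server Examples" />
<data-value name="LOCAL_JVMS" value="{jdk_home}"/>
</input-fields>
</bea-installer>
"""

# WLST domain-creation script; the password is injected at generation time.
DOMAIN_SCRIPT = """readTemplate(r'{mw_home}/wlserver_10.3/common/templates/domains/wls.jar')
cd(r'/Security/base_domain/User/weblogic')
cmo.setPassword('{admin_password}')
cd(r'/Server/AdminServer')
cmo.setName('AdminServer')
cmo.setListenPort(7001)
cmo.setListenAddress('{listen_address}')
create('AdminServer','SSL')
cd('SSL/AdminServer')
cmo.setEnabled(true)
cmo.setListenPort(7002)
writeDomain(r'{domain_dir}')
closeTemplate()
exit()
"""


def admin_password_from_env(env=os.environ) -> str:
    """Take the weblogic password from the environment; WebLogic itself
    requires at least 8 characters, so shorter values are rejected early."""
    password = env.get("WLS_ADMIN_PASSWORD", "")
    if len(password) < 8:
        raise ValueError("WLS_ADMIN_PASSWORD must be set to at least 8 characters")
    return password


def validate_params(params: dict) -> dict:
    """Every parameter ends up inside a quoted WLST or XML literal, so reject
    missing values and characters that would terminate those literals."""
    missing = [key for key in REQUIRED if not params.get(key)]
    if missing:
        raise ValueError("missing parameters: " + ", ".join(missing))
    for key in REQUIRED:
        if any(ch in params[key] for ch in "'\"\\\n"):
            raise ValueError("unsafe character in parameter " + key)
    return params


def render_artifacts(params: dict, admin_password: str) -> dict:
    """Return {file name: content} for the two silent-install inputs."""
    params = validate_params(params)
    if any(ch in admin_password for ch in "'\\\n"):
        raise ValueError("password contains a character that breaks the WLST literal")
    return {
        "WEBLOGIC_silent.xml": WLS_SILENT_XML.format(**params),
        "create_domain.py": DOMAIN_SCRIPT.format(admin_password=admin_password, **params),
    }


def write_artifacts(out_dir: str, artifacts: dict) -> list:
    """Write the files with owner-only permissions and return their paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, text in artifacts.items():
        path = out / name
        path.write_text(text)
        path.chmod(0o600)  # create_domain.py carries the administrator password
        written.append(str(path))
    return written


if __name__ == "__main__":
    files = write_artifacts(".", render_artifacts(DEFAULT_PARAMS, admin_password_from_env()))
    print("\n".join(files))
```

Run it with WLS_ADMIN_PASSWORD exported in the shell that drives the installation, then feed the generated files to the java -jar and wlst.sh commands from the steps above; delete create_domain.py once the domain has been written.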

Provisioning to OUD using the OIM connector for OUD

OIM provides an extensive list of connectors, including a connector to Oracle Unified Directory (OUD). OIM Connector for OUD is described at http://docs.oracle.com/cd/E22999_01/doc.111/e28603/toc.htm

The Lookup.LDAP.UM.ProvAttrMap lookup definition maps process form fields with OUD target system attributes. This lookup definition is used for performing user provisioning operations.

For the default user fields whose values you can specify or modify during provisioning operations, see Section 1.9.2.2, “User Fields for Provisioning an OUD Target System.”

For example, the Process Form Field “Common Name” is mapped to cn on the OUD side.

Some Process Form Fields are mapped differently. For instance, the “Login Disabled” Process Form Field is mapped to the __ENABLED__ keyword in the default mapping. __ENABLED__ does not correspond directly to any OUD attribute: it is a keyword that is associated with an effective OUD attribute in the OUD Connector configuration, as described in http://docs.oracle.com/cd/E22999_01/doc.111/e28603/deploy_oud.htm#CEGDHHHH. The OUD attribute used to store the account state is specified by the enabledAttribute property; by default it is set to ds-pwp-account-disabled.

The same indirection mechanism applies to the NsuniqueID and Password Process Form Fields, mapped to __UID__ and __PASSWORD__, which are provisioned to the OUD attributes defined by uidAttribute and passwordAttribute (entryUUID and userPassword by default).
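The two-level mapping (form field to target name in the lookup, then keyword to effective attribute in the connector configuration) is easy to get wrong when reviewing a provisioning flow, so here is an added Python model of the resolution; it is not the connector's code. The lookup subset, the form values and the result strings are constructed, and the handling of __ENABLED__ (the "Login Disabled" flag is inverted into __ENABLED__, and ds-pwp-account-disabled is itself a "disabled" flag, so the value passes through) is my assumption about the connector's behaviour, not something the post states. The redacted view exists so that the resolved attributes can be logged without the password.

```python
# Constructed subset of Lookup.LDAP.UM.ProvAttrMap: process form field -> target
# attribute name or connector keyword.
PROV_ATTR_MAP = {
    "Common Name": "cn",
    "Last Name": "sn",
    "Login Disabled": "__ENABLED__",
    "NsuniqueID": "__UID__",
    "Password": "__PASSWORD__",
}

# Connector configuration properties that give the keywords their meaning
# (the default values named above).
CONNECTOR_CONFIG = {
    "enabledAttribute": "ds-pwp-account-disabled",
    "uidAttribute": "entryUUID",
    "passwordAttribute": "userPassword",
}

KEYWORD_TO_PROPERTY = {
    "__ENABLED__": "enabledAttribute",
    "__UID__": "uidAttribute",
    "__PASSWORD__": "passwordAttribute",
}


def effective_attribute(target: str, config=CONNECTOR_CONFIG) -> str:
    """Translate a keyword through the connector configuration; plain
    attribute names are returned unchanged."""
    if target in KEYWORD_TO_PROPERTY:
        return config[KEYWORD_TO_PROPERTY[target]]
    return target


def to_bool(value) -> bool:
    return str(value).strip().lower() in ("true", "1", "yes")


def resolve_provisioning(form: dict, attr_map=PROV_ATTR_MAP, config=CONNECTOR_CONFIG) -> dict:
    """Turn process-form values into the OUD attributes that would be written."""
    attrs = {}
    for field, value in form.items():
        if field not in attr_map:
            raise KeyError("form field %r has no entry in the ProvAttrMap lookup" % field)
        if value is None or value == "":
            continue  # nothing to provision for an empty form value
        target = attr_map[field]
        attr = effective_attribute(target, config)
        if target == "__ENABLED__":
            # Assumption: "Login Disabled" is the inverse of __ENABLED__, and the
            # default enabledAttribute is a "disabled" flag, so the two
            # inversions cancel and the flag value is written as-is.
            enabled = not to_bool(value)
            attrs[attr] = "false" if enabled else "true"
        else:
            attrs[attr] = value
    return attrs


def redacted(attrs: dict, config=CONNECTOR_CONFIG) -> dict:
    """Copy of the resolved attributes that is safe to log."""
    password_attr = config["passwordAttribute"]
    return {k: ("<redacted>" if k == password_attr else v) for k, v in attrs.items()}


if __name__ == "__main__":
    form = {"Common Name": "Jane Doe", "Last Name": "Doe",
            "Login Disabled": "true", "Password": "s3cretPass!"}
    print(redacted(resolve_provisioning(form)))
```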

Deploying the IAM Suite and OUD with the Deployment Wizard

Identity & Access Management suite R2 PS2 (11.1.2.2.0) ships with a new deployment tool to automate the installation and configuration of products related to the IAM suite. This tool is named Oracle Identity and Access Management Deployment Wizard.

This tool automates the installation, configuration and integration of WebLogic Server, SOA Suite, Oracle Identity Manager, Oracle Access Management, Oracle Unified Directory, Oracle HTTP Server and WebGates. It lets you select one of three deployment topologies: OIM, OAM, or OIM integrated with OAM and OUD.

More details about this wizard on Idm.guru at http://idm.guru/access-governance/deploying-the-iam-suite-with-the-deployment-wizard/

Oracle Unified Directory 11g R2 PS1 released

By Sylvain Duloutre on Apr 11, 2013

Oracle Identity and Access Management 11g R2 (11.1.2.1.0) is now generally available. Media is available for download on the Oracle Software Delivery Cloud (OSDC). This includes the following products:

  • Oracle Identity and Access Management
  • Oracle Entitlements Server Security Module
  • Oracle Access Manager OHS 11g WebGates
  • Oracle Access Manager IHS 7.0 WebGates
  • Oracle Access Manager Access SDK
  • Oracle Access Manager JBoss 5 Agent
  • Oracle Unified Directory
  • Oracle Enterprise Single Sign-On
  • Oracle Access Management Mobile and Social SDK

To download OUD, go to https://edelivery.oracle.com/ , select “Oracle Fusion Middleware” and the target platform, select “Oracle Fusion Middleware Identity Management 11gR2 Media Pack”, then “Oracle Unified Directory 11g (11.1.2.1.0)”.

Documentation is available at http://docs.oracle.com/cd/E37116_01/index.htm

The certification matrix is available at http://www.oracle.com/technetwork/middleware/id-mgmt/identity-accessmgmt-11gr2certmatrix-1714221.xls

OUD as an OAM Identity Store

Since 11gR2, OUD can be used natively as an OAM Identity Store: select “OUD: Oracle Unified Directory” as the Store Type, as described here.

As an alternative, you can configure OVD as the OAM Identity Store and then configure an LDAP adapter in OVD that points to OUD. Configuring the Identity Store for OAM is documented here: choose “OVD: Oracle Virtual Directory” as the store type and provide the store details as described in the document. Configuring the LDAP adapter for OVD is documented here: provide your OUD details as required by the document.