Identity Cloud Services and Weblogic Federation with Virtual Users and Groups

Introduction Federation is a well-known pattern and has been discussed at length on this blog. Almost every vendor or cloud provider out there supports Federation and it’s been around for quite some time now. In this blog post, I will talk about Federation again, but this time in combination with Weblogic’s Virtual Users and Groups. […]

Configuring Oracle Public Cloud to Federate with Microsoft Azure Active Directory

Introduction Companies usually have some Identity and Access Management solution deployed on premises to manage users and roles to secure access to their corporate applications. As businesses move to the cloud, companies will, most likely, want to leverage the investment already made into such IAM solutions and integrate them with the new SaaS or PaaS applications that […]

OAM Federation 11.1.2.3: Performing a loopback test with WS-Federation

In a previous post I gave steps for performing a loopback test with SAML. This is where we configure OAM Federation to talk to itself, to act as both IdP and SP. This is useful in development and test environments to confirm OAM Federation is working without requiring an external server to talk to at […]

OAM Federation 11.1.2.3: Performing a Loopback Test

In this blog post I will share steps for performing a loopback test of OAM Federation 11.1.2.3. In a loopback test, we configure OAM’s SP to point to OAM’s IdP. This enables you to confirm the basic functionality of OAM Federation without requiring any external partner server. I also find it useful in plugin development […]

OAM Federation: Identity Provider & Service Provider Management

In this blog post I want to clarify a point of initial confusion some people experience with OAM Federation 11.1.2.3. If we go to the “Federation” tab of the OAM Console, we see: Now the two main objects you manage in your OAM Fed configuration are your IdP Partner definitions and your SP Partner definitions. […]

Social Federation with OAM Mobile & Social in Native iOS Applications

Introduction I’ve already posted an article about Social Federation with Mobile & Social (M&S) for web applications protected by Oracle Access Manager (OAM), showing users being authenticated against social network providers, like Google and Linkedin. My coworker Chris Johnson also blogged about using Mobile & Social in a native iOS application. In his post, user […]

Adding Oracle Identity Federation to an Existing Fusion Applications Deployment Part 1

Introduction This guide is meant for existing FA customers who have deployed FA without OIF and who now wish to add this security component to the deployment to provide federated SSO to FA. Customers who have not yet begun their deployment can and should follow the Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity […]

Adding Oracle Identity Federation to an Existing Fusion Applications Deployment Part 2

Introduction This is the second part of a two-part article. Click here to view Part 1. This guide is meant for existing FA customers who have deployed FA without OIF and who now wish to add this security component to the deployment to provide federated SSO to FA. Customers who have not yet begun their deployment […]

Enterprise Gateway (OEG) External Service Calls

I’ve had the opportunity recently to work with the Oracle Enterprise Gateway (OEG) for a DoD opportunity. For those that aren’t familiar, OEG is an OEM from Vordel. The definitive blog on Vordel is at http://xmlgateway.blogspot.com/ where our old friend Josh Bregman writes. There were a couple of patterns that emerged in my work that I wanted to post.

One pattern is the need to make an external call to a service. In my case, I needed to call an attribute sharing service (see Chris’ blog on XASP for more details on one approach for this) and an XACML PDP. Note that OEG has an embedded PDP solution using Oracle Entitlements Server (OES) that provides a faster service, but in my case I had to stay with the standards-based solution. This is very easy to accomplish with OEG with a 3-step circuit: a Set Message node that builds the request, a URL node that makes the call, and a Retrieve from Message node that pulls the values you need out of the response.


The Set Message defines the parameters of the request. In my case, I have an attribute service that takes a user DN and returns specified attributes.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<orafed-arxs:AttributeRequest xmlns:orafed-arxs="http://www.oracle.com/fed/ar/10gR3" TargetIDP="SpaceFenceIDP">
<orafed-arxs:Subject>cn=${user.cn},ou=${user.physicalDeliveryOffice},dc=service,dc=mil</orafed-arxs:Subject>
<orafed-arxs:Attribute Name="mail"/>
<orafed-arxs:Attribute Name="clearance"/>
</orafed-arxs:AttributeRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Notice the selectors of the form ${variable}. These were populated earlier in the circuit by a “Retrieve from Directory Server” node after authentication to the Gateway. Because the Subject DN is assembled by plain text substitution, a directory value that contains DN-special characters (a comma, for example) would change the structure of the DN that is sent, so make sure the attributes you substitute are ones you control. In the Policy Editor, create a policy and drag the Set Message onto the easel. Enter “text/xml” for the Content-type and, ideally, import the request from a file, then save.


Setting the URL is straightforward: enter the URL and, if necessary, the trust certificates. Since the response carries the user’s attributes, the call should go over HTTPS with the attribute service’s certificate in the Gateway’s trust store.

The response from the attribute service (Oracle Identity Federation in this case) looks like this:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<orafed-arxs:AttributeResponse CacheFor="1499" xmlns:orafed-arxs="http://www.oracle.com/fed/ar/10gR3">
<orafed-arxs:Status>Success</orafed-arxs:Status>
<orafed-arxs:Subject>cn=Jane Wilson,ou=CDC,dc=service,dc=mil</orafed-arxs:Subject>
<orafed-arxs:Attribute Name="mail">
<orafed-arxs:Value>jwilson@service.mil</orafed-arxs:Value>
</orafed-arxs:Attribute>
<orafed-arxs:Attribute Name="businessCategory">
<orafed-arxs:Value>Secret</orafed-arxs:Value>
</orafed-arxs:Attribute>
</orafed-arxs:AttributeResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Knowing this response format will help in parsing the response in OEG. Note that the attribute name in this response (businessCategory) is not the name that was requested (clearance), so build your XPath against a response you actually received rather than against the request. When editing “Retrieve from Message”, rename the node appropriately and select “Add” under the attribute location.


Name the attribute (the name is arbitrary) and select the magic wand button. Browse to the response file saved on disk, and you should see the contents in the XPath Wizard. Select the node which you wish to have returned to the gateway.


Select “Use this path” and the XPath expression should show up in the XPath field. Select OK. Name the attribute you want to populate in the gateway and save the node.
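The three steps above, modelled end to end as an added Python example (this is not code from the original post, nor from Oracle or Vordel): the Set Message template is filled from a directory entry (a plain dict stands in for the “Retrieve from Directory Server” result), each substituted value is DN-escaped and XML-escaped so a stray comma in a directory attribute cannot add an RDN to the Subject, and the AttributeResponse is parsed with namespace-aware XPath, checking Status and that the returned Subject is the one that was asked for before the attributes are trusted. The response is constructed from the one shown above; nothing is sent over the network, and the DN comparison is a deliberately minimal normalisation rather than full RFC 4517 matching.

```python
"""Added example: a stand-alone model of the OEG Set Message / URL / Retrieve
from Message circuit described in the post.  Not Oracle or Vordel code."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ARXS_NS = "http://www.oracle.com/fed/ar/10gR3"
NS = {"SOAP-ENV": SOAP_NS, "orafed-arxs": ARXS_NS}

# The Set Message body from the post; ${user.*} are the selectors that the
# "Retrieve from Directory Server" node populates earlier in the circuit.
REQUEST_TEMPLATE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="{soap}">
<SOAP-ENV:Body>
<orafed-arxs:AttributeRequest xmlns:orafed-arxs="{arxs}" TargetIDP="SpaceFenceIDP">
<orafed-arxs:Subject>cn=${{user.cn}},ou=${{user.physicalDeliveryOffice}},dc=service,dc=mil</orafed-arxs:Subject>
<orafed-arxs:Attribute Name="mail"/>
<orafed-arxs:Attribute Name="clearance"/>
</orafed-arxs:AttributeRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>""".format(soap=SOAP_NS, arxs=ARXS_NS)

# Constructed from the AttributeResponse shown in the post (not a live capture).
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<orafed-arxs:AttributeResponse CacheFor="1499" xmlns:orafed-arxs="http://www.oracle.com/fed/ar/10gR3">
<orafed-arxs:Status>Success</orafed-arxs:Status>
<orafed-arxs:Subject>cn=Jane Wilson,ou=CDC,dc=service,dc=mil</orafed-arxs:Subject>
<orafed-arxs:Attribute Name="mail">
<orafed-arxs:Value>jwilson@service.mil</orafed-arxs:Value>
</orafed-arxs:Attribute>
<orafed-arxs:Attribute Name="businessCategory">
<orafed-arxs:Value>Secret</orafed-arxs:Value>
</orafed-arxs:Attribute>
</orafed-arxs:AttributeResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

_DN_SPECIAL = '\\,+"<>;'


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4),
    so a directory value such as 'x,ou=admins' cannot add RDNs to the Subject."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    out = out.replace("\x00", "\\00")
    if out[:1] in (" ", "#"):          # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def render_request(user: dict) -> str:
    """Fill the ${user.<attr>} selectors from `user`, a dict standing in for
    the directory entry (assumption: attribute names match the selectors)."""
    def sub(match):
        name = match.group(1)
        if name not in user:
            raise KeyError("no directory value for selector ${user.%s}" % name)
        # DN-escape first, then XML-escape: the DN is element text in the SOAP body.
        return xml_escape(escape_dn_value(user[name]))
    return re.sub(r"\$\{user\.([A-Za-z0-9]+)\}", sub, REQUEST_TEMPLATE)


def subject_of_request(request_xml: str) -> str:
    """The Subject DN exactly as the attribute service will see it."""
    return ET.fromstring(request_xml).find(".//orafed-arxs:Subject", NS).text


def _norm_dn(dn: str) -> str:
    # Minimal normalisation (case, spacing after commas) for the subject check;
    # full RFC 4517 DN matching is out of scope for this example.
    return re.sub(r",\s*", ",", dn.strip()).casefold()


def attribute_values(response_xml: str, attr_name: str) -> list:
    """What a Retrieve from Message node with an attribute-predicate XPath
    returns, e.g. .../orafed-arxs:Attribute[@Name='mail']/orafed-arxs:Value.
    Only call with a fixed, trusted attr_name: it is spliced into the path."""
    root = ET.fromstring(response_xml)
    path = ".//orafed-arxs:Attribute[@Name='%s']/orafed-arxs:Value" % attr_name
    return [v.text or "" for v in root.findall(path, NS)]


def parse_response(response_xml: str, expected_subject: str) -> dict:
    """Check Status and Subject, then collect every attribute's values by name."""
    root = ET.fromstring(response_xml)
    resp = root.find("SOAP-ENV:Body/orafed-arxs:AttributeResponse", NS)
    if resp is None:
        raise ValueError("no AttributeResponse in SOAP body")
    status = resp.findtext("orafed-arxs:Status", namespaces=NS)
    if status != "Success":
        raise ValueError("attribute service returned status %r" % status)
    subject = resp.findtext("orafed-arxs:Subject", namespaces=NS) or ""
    if _norm_dn(subject) != _norm_dn(expected_subject):
        raise ValueError("response subject %r is not the requested subject" % subject)
    attrs = {}
    for attr in resp.findall("orafed-arxs:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("orafed-arxs:Value", NS)]
    return {"subject": subject, "cache_for": int(resp.get("CacheFor", "0")), "attributes": attrs}


if __name__ == "__main__":
    user = {"cn": "Jane Wilson", "physicalDeliveryOffice": "CDC"}   # constructed entry
    request = render_request(user)
    print(parse_response(SAMPLE_RESPONSE, subject_of_request(request))["attributes"])
```

The Subject check is the part a gateway circuit most often omits: without it, a mis-routed or cached response for a different user would still populate the attributes, and anything downstream keyed on clearance would act on the wrong person’s values.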

Debugging on OEG typically consists of adding a “Trace” node to your circuit and putting the listener in DEBUG or DATA mode. This gives you the “System.out” visibility into what’s going on in the Gateway.

Thanks to Dave Roberts from Vordel for getting me over the humps and for stealing second in 2004.